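---
# Install and configure FreeRADIUS: package, main config, default site, EAP
# module, pruning of unused modules/sites, TLS material, client list and the
# firewall rule. Handlers referenced: "restart radiusd" and
# "save firewalld configuration" (defined elsewhere in the role).
# Module arguments are written as block YAML instead of key=value strings so
# that file modes are quoted strings and cannot be misread as octal integers.

- name: load radius secrets
  include_vars: vault/radius

- name: ensure freeradius is installed
  package:
    name: freeradius
    state: present
  tags:
    - install

# Config files are root-owned and readable only by the radiusd group (0640):
# they carry shared secrets and private-key locations.
- name: ensure freeradius is configured
  template:
    src: radiusd.conf.j2
    dest: /etc/raddb/radiusd.conf
    mode: "0640"
    owner: root
    group: radiusd
  notify: restart radiusd

- name: ensure freeradius default site is configured
  template:
    src: default.site.radiusd.conf.j2
    dest: /etc/raddb/sites-available/default
    mode: "0640"
    owner: root
    group: radiusd
  notify: restart radiusd

- name: ensure freeradius eap module is configured
  template:
    src: eap.mod.radiusd.conf.j2
    dest: /etc/raddb/mods-available/eap
    mode: "0640"
    owner: root
    group: radiusd
  notify: restart radiusd

- name: ensure unused modules are disabled
  file:
    path: "/etc/raddb/mods-enabled/{{ item }}"
    state: absent
  with_items: "{{ radiusd_disable_modules }}"
  notify: restart radiusd

- name: ensure unused sites are disabled
  file:
    path: "/etc/raddb/sites-enabled/{{ item }}"
    state: absent
  with_items: "{{ radiusd_disable_sites }}"
  notify: restart radiusd

# TLS material is read by radiusd at startup, so a rotated server certificate,
# CA certificate or DH parameter file only takes effect once the restart
# handler has run; these tasks therefore notify it as the config tasks do.
- name: ensure server certificate is installed
  copy:
    src: "{{ item }}"
    dest: "/etc/raddb/certs/{{ item|basename }}"
    mode: "0640"
    owner: root
    group: radiusd
  with_fileglob: "certs/{{ inventory_hostname }}/server.*"
  notify: restart radiusd

- name: ensure client ca certificate is installed
  copy:
    src: "certs/{{ inventory_hostname }}/ca.crt"
    dest: /etc/raddb/certs/ca.crt
    mode: "0640"
    owner: root
    group: radiusd
  notify: restart radiusd

# `creates` keeps this idempotent: the slow dhparam generation runs only once.
- name: ensure dh paramaters are generated
  command: "openssl dhparam -out /etc/raddb/certs/dhparam {{ radiusd_dhparm_size }}"
  args:
    creates: /etc/raddb/certs/dhparam
  notify: restart radiusd

- name: ensure example certificates are removed
  file:
    path: "/etc/raddb/certs/{{ item }}"
    state: absent
  with_items: "{{ radiusd_example_cert_files }}"

- name: ensure freeradius clients are configured
  template:
    src: clients.conf.j2
    dest: /etc/raddb/clients.conf
    mode: "0640"
    owner: root
    group: radiusd
  notify: restart radiusd

# Runtime-only change (permanent: false); the notified handler persists it.
- name: ensure radius is allowed in the firewall
  firewalld:
    service: radius
    permanent: false
    immediate: true
    state: enabled
  notify: save firewalld configuration
  tags:
    - firewalld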