configpolicy/roles/freeradius/tasks/main.yml

- name: load radius secrets
  include_vars: vault/radius

- name: ensure freeradius is installed
  package:
    name=freeradius
    state=present
  tags:
  - install

- name: ensure freeradius is configured
  template:
    src=radiusd.conf.j2
    dest=/etc/raddb/radiusd.conf
    mode=0640
    owner=root
    group=radiusd
  notify: restart radiusd
- name: ensure freeradius default site is configured
  template:
    src=default.site.radiusd.conf.j2
    dest=/etc/raddb/sites-available/default
    mode=0640
    owner=root
    group=radiusd
  notify: restart radiusd

- name: ensure freeradius eap module is configured
  template:
    src=eap.mod.radiusd.conf.j2
    dest=/etc/raddb/mods-available/eap
    mode=0640
    owner=root
    group=radiusd
  notify: restart radiusd

- name: ensure unused modules are disabled
  command:
    rm -vf
    {% for mod in radiusd_disable_modules %}
    /etc/raddb/mods-enabled/{{ mod }}
    {% endfor %}
    removes=/etc/raddb/mods-enabled/{{ radiusd_disable_modules[-1] }}
  notify: restart radiusd
- name: ensure unused sites are disabled
  command:
    rm -vf
    {% for site in radiusd_disable_sites %}
    /etc/raddb/sites-enabled/{{ site }}
    {% endfor %}
    removes=/etc/raddb/sites-enabled/{{ radiusd_disable_sites[-1] }}
  notify: restart radiusd

- name: ensure server certificate is installed
  copy:
    src={{ item }}
    dest=/etc/raddb/certs/{{ item|basename }}
    mode=0640
    owner=root
    group=radiusd
  with_fileglob: 'certs/{{ inventory_hostname }}/server.*'
- name: ensure client ca certificate is installed
  copy:
    src=certs/{{ inventory_hostname }}/ca.crt
    dest=/etc/raddb/certs/ca.crt
    mode=0640
    owner=root
    group=radiusd
- name: ensure dh paramaters are generated
  command:
    openssl dhparam -out /etc/raddb/certs/dhparam {{ radiusd_dhparm_size }}
    creates=/etc/raddb/certs/dhparam
- name: ensure example certificates are removed
  command:
    rm -vf
    {% for file in radiusd_example_cert_files %}
    /etc/raddb/certs/{{ file }}
    {% endfor %}
    removes=/etc/raddb/certs/{{ radiusd_example_cert_files[-1] }}

- name: ensure freeradius clients are configured
  template:
    src=clients.conf.j2
    dest=/etc/raddb/clients.conf
    mode=0640
    owner=root
    group=radiusd
  notify: restart radiusd

- name: ensure radius is allowed in the firewall
  firewalld:
    service=radius
    permanent=no
    immediate=yes
    state=enabled
  notify: save firewalld configuration
  tags:
  - firewalld