configpolicy/roles/freeradius/tasks/main.yml
Dustin C. Hatch 4deb17be94 roles/freeradius: Optimize defaults cleanup
Using `state=absent` with the `file` module in a `with_items` loop to
delete the "default" module and site configuration files and the example
certificates is incredibly slow. Especially on the Raspberry Pi, it can
take several minutes to apply this role, even when there are no changes
to make. Using the `command` module and running `rm` to remove these
files, while not as idempotent, is significantly faster. The main
drawback is that not every item in the list is checked, so new items to
remove have to be appended to the end of the list rather than inserted in
alphabetical order.
2018-05-06 18:39:39 -05:00


# Bring the RADIUS secrets into scope for the templates rendered below.
# NOTE(review): the vault/ prefix suggests an ansible-vault encrypted
# file -- confirm it is never committed in clear text.
- name: load radius secrets
  include_vars:
    file: vault/radius
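# Install the server package with the distro-agnostic `package` module.
# Native YAML args instead of the key=value shorthand so every value is
# an explicit, typed scalar.
- name: ensure freeradius is installed
  package:
    name: freeradius
    state: present
  tags:
    - install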
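# Render the main server configuration. The mode is quoted so it stays
# the string "0640" rather than being parsed as an integer; 0640
# root:radiusd keeps the file unreadable to other local users while the
# daemon (group radiusd) can still read it.
- name: ensure freeradius is configured
  template:
    src: radiusd.conf.j2
    dest: /etc/raddb/radiusd.conf
    mode: "0640"
    owner: root
    group: radiusd
  notify: restart radiusd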
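# Render the "default" virtual server into sites-available. Same
# ownership/mode policy as radiusd.conf: 0640 root:radiusd, quoted so the
# mode is not reinterpreted as a number.
- name: ensure freeradius default site is configured
  template:
    src: default.site.radiusd.conf.j2
    dest: /etc/raddb/sites-available/default
    mode: "0640"
    owner: root
    group: radiusd
  notify: restart radiusd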
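# Render the EAP module configuration (TLS/certificate settings live here,
# so it is kept 0640 root:radiusd like the other config files).
- name: ensure freeradius eap module is configured
  template:
    src: eap.mod.radiusd.conf.j2
    dest: /etc/raddb/mods-available/eap
    mode: "0640"
    owner: root
    group: radiusd
  notify: restart radiusd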
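# Fast path for disabling modules: a single rm(1) over every entry in
# radiusd_disable_modules instead of a per-item `file: state=absent` loop.
# `command` (not `shell`) executes rm directly, so the templated paths are
# not shell-interpreted; they are not validated either, so keep the list
# to plain module names. Idempotence is approximate: `removes` only looks
# at the LAST element, so append new entries rather than sorting the list.
- name: ensure unused modules are disabled
  command: >-
    rm -vf
    {% for mod in radiusd_disable_modules %}
    /etc/raddb/mods-enabled/{{ mod }}
    {% endfor %}
  args:
    removes: /etc/raddb/mods-enabled/{{ radiusd_disable_modules[-1] }}
  # An empty list would make the [-1] lookup above fail to render.
  when: radiusd_disable_modules | length > 0
  notify: restart radiusd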
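# Same approach as the module cleanup: one rm(1) over radiusd_disable_sites.
# `command` runs rm without a shell, so no shell expansion of the templated
# names; `removes` checks only the LAST element, so new sites must be
# appended to the list for the task to notice them.
- name: ensure unused sites are disabled
  command: >-
    rm -vf
    {% for site in radiusd_disable_sites %}
    /etc/raddb/sites-enabled/{{ site }}
    {% endfor %}
  args:
    removes: /etc/raddb/sites-enabled/{{ radiusd_disable_sites[-1] }}
  # Guard the [-1] lookup against an empty list.
  when: radiusd_disable_sites | length > 0
  notify: restart radiusd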
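# Copy every controller-side file matching certs/<host>/server.* into the
# certs directory. The glob presumably includes the server's private key,
# so the files are created 0640 root:radiusd -- never world-readable.
# NOTE(review): no `notify: restart radiusd` here; a renewed certificate
# only takes effect after the next restart -- confirm that is intended.
- name: ensure server certificate is installed
  copy:
    src: "{{ item }}"
    dest: /etc/raddb/certs/{{ item | basename }}
    mode: "0640"
    owner: root
    group: radiusd
  with_fileglob: 'certs/{{ inventory_hostname }}/server.*'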
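# Install the per-host CA certificate used for client certificates.
# A CA cert is public data, but it is kept 0640 root:radiusd for
# consistency with the rest of the certs directory.
# NOTE(review): as with the server certificate, there is no restart
# notification -- confirm a CA rotation is picked up as expected.
- name: ensure client ca certificate is installed
  copy:
    src: certs/{{ inventory_hostname }}/ca.crt
    dest: /etc/raddb/certs/ca.crt
    mode: "0640"
    owner: root
    group: radiusd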
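# Generate the DH parameters once; `creates` turns the task into a no-op
# when the file already exists, which matters because generation is
# expensive. (Task name kept verbatim, including the "paramaters" typo,
# so existing references to it keep working.)
# NOTE(review): the size comes from radiusd_dhparm_size and is not
# validated here; values below 2048 bits are considered weak.
- name: ensure dh paramaters are generated
  command: openssl dhparam -out /etc/raddb/certs/dhparam {{ radiusd_dhparm_size }}
  args:
    creates: /etc/raddb/certs/dhparam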
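# Remove the example certificates shipped with the package so they can
# never be picked up as real server credentials. One rm(1) call via
# `command` (no shell), same trade-off as the module/site cleanup:
# `removes` only checks the LAST element of radiusd_example_cert_files,
# so append new file names at the end of the list.
- name: ensure example certificates are removed
  command: >-
    rm -vf
    {% for file in radiusd_example_cert_files %}
    /etc/raddb/certs/{{ file }}
    {% endfor %}
  args:
    removes: /etc/raddb/certs/{{ radiusd_example_cert_files[-1] }}
  # Guard the [-1] lookup against an empty list.
  when: radiusd_example_cert_files | length > 0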
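# Render clients.conf. This file typically carries the per-client shared
# secrets (the secrets loaded from vault/radius above), so 0640
# root:radiusd is the important part of this task -- do not loosen it.
- name: ensure freeradius clients are configured
  template:
    src: clients.conf.j2
    dest: /etc/raddb/clients.conf
    mode: "0640"
    owner: root
    group: radiusd
  notify: restart radiusd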
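# Open the radius service in the *running* firewall only
# (permanent: false, applied immediately); persisting the runtime
# configuration is delegated to the notified handler. Booleans are written
# as true/false rather than yes/no so the values are unambiguous.
- name: ensure radius is allowed in the firewall
  firewalld:
    service: radius
    permanent: false
    immediate: true
    state: enabled
  notify: save firewalld configuration
  tags:
    - firewalld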