---
#
# configuration
#
- name: Configure radiusd
  # Static daemon configuration, copied verbatim from files/radius/.
  # Everything is installed root:radiusd 0640 so only root and the
  # daemon's group can read it; keep it that way, since mods-available/eap
  # is normally where the TLS private-key passphrase lives.
  copy:
    src: 'radius/{{ item }}'
    dest: '/etc/raddb/{{ item }}'
    owner: root
    group: radiusd
    mode: '0640'
  loop:
    - radiusd.conf
    - mods-available/eap
    - mods-available/python3-assha
    - sites-available/labitat
    - sites-available/labitat-inner
  notify:
    - restart radiusd

- name: Create assha python script
  # Python code behind the python3-assha module (see mods-available
  # above). 0755 root:root makes it world-readable, which is fine only
  # while the script carries no credentials of its own.
  # NOTE(review): if assha.py ever embeds a token or database password,
  # install it root:radiusd 0640 like the rest of /etc/raddb instead.
  copy:
    src: 'radius/assha.py'
    dest: '/etc/raddb/mods-config/python3/assha.py'
    owner: root
    group: root
    mode: '0755'
  notify:
    - restart radiusd

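- name: Configure radius clients
  # clients.conf holds the shared secret of every NAS allowed to talk to
  # this server. It is root:radiusd 0640 on disk, and the task is told
  # not to produce a diff: otherwise `ansible-playbook --diff` (or check
  # mode with --diff) prints the rendered secrets to the controller's
  # stdout and to whatever captures it (CI logs, terminal scrollback).
  template:
    src: radius/clients.conf.j2
    dest: '/etc/raddb/clients.conf'
    owner: root
    group: radiusd
    mode: '0640'
  diff: false
  notify:
    - restart radiusd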

- name: Configure radius sites
  # Only the labitat virtual servers are enabled. The stock `default` and
  # `inner-tunnel` sites are removed from sites-enabled so they cannot
  # answer requests with the distribution's default policy. `src` is only
  # meaningful for the link entries and is omitted for the absent ones.
  # force/follow: replace whatever is in the way without chasing an
  # existing symlink.
  file:
    path: '/etc/raddb/sites-enabled/{{ item.name }}'
    src: "{{ (item.state == 'link')|ternary('../sites-available/' + item.name,omit) }}"
    state: '{{ item.state }}'
    owner: root
    group: radiusd
    follow: false
    force: true
  loop:
    - name: default
      state: absent
    - name: inner-tunnel
      state: absent
    - name: labitat
      state: link
    - name: labitat-inner
      state: link
  notify:
    - restart radiusd

- name: Configure radius modules
  # Enable the python3-assha module and disable `files`, so the flat-file
  # users backend is never consulted for authentication. Same link/absent
  # handling as the sites task above.
  file:
    path: '/etc/raddb/mods-enabled/{{ item.name }}'
    src: "{{ (item.state == 'link')|ternary('../mods-available/' + item.name,omit) }}"
    state: '{{ item.state }}'
    owner: root
    group: radiusd
    follow: false
    force: true
  loop:
    - name: files
      state: absent
    - name: python3-assha
      state: link
  notify:
    - restart radiusd

#
# getusers.sh
#
- name: Create getusers script
  # Rendered from a template, so it may carry site-specific values
  # (endpoints, credentials — not visible from here); 0750 root:radiusd
  # keeps it readable and executable by the daemon's group only. There is
  # deliberately no handler: presumably the timer below simply runs the
  # new content on its next tick.
  template:
    src: radius/getusers.sh.j2
    dest: '/etc/raddb/getusers.sh'
    owner: root
    group: radiusd
    mode: '0750'

- name: Create getusers service and timer
  # systemd units that run getusers.sh periodically. Installed 0644
  # root:root like any unit file; a change restarts the service via the
  # handler.
  copy:
    src: 'radius/{{ item }}'
    dest: '/etc/systemd/system/{{ item }}'
    owner: root
    group: root
    mode: '0644'
  loop:
    - getusers.service
    - getusers.timer
  notify:
    - restart getusers

- name: Enable getusers timer
  # Live hosts: let systemd enable and start the timer.
  systemd:
    name: getusers.timer
    enabled: true
    masked: false
    state: started
  when: not chroot

- name: '- when in chroot'
  # Image builds (chroot): presumably no running systemd to talk to, so
  # only the wants-symlink is created; `creates` keeps the command
  # idempotent.
  command: systemctl enable getusers.timer
  args:
    creates: '/etc/systemd/system/timers.target.wants/getusers.timer'
  when: chroot

#
# certificates
#
- name: Configure /etc/raddb/certs/passwords.mk
  # Stretch the CA lifetime used when the certificates are (re)generated
  # to 3652 days (~10 years), matching ca.cnf below.
  # NOTE(review): passwords.mk is also where the private-key passphrases
  # for the generated certificates normally live; this task leaves them
  # untouched, so confirm they are not the values the package shipped.
  replace:
    path: '/etc/raddb/certs/passwords.mk'
    regexp: '^CA_DEFAULT_DAYS( *= *).*$'
    replace: 'CA_DEFAULT_DAYS\1''3652'''
  tags: radius-certs

- name: Configure /etc/raddb/certs/ca.cnf
  # Subject and validity (3652 days ≈ 10 years) of the local CA that
  # signs the server, inner-server and client certificates. Keys are
  # "<section>.<option>"; a non-string value (e.g. null) removes the
  # option instead of setting it. The spaces around ' CA_default ' are
  # deliberate — they presumably match the section header as written in
  # the shipped file.
  vars:
    ca_cnf_settings:
      ' CA_default .default_days': '3652'
      'certificate_authority.countryName': 'DK'
      'certificate_authority.stateOrProvinceName': 'Copenhagen'
      'certificate_authority.localityName': 'Frederiksberg'
      'certificate_authority.organizationName': 'Labitat'
      'certificate_authority.emailAddress': 'noc@labitat.dk'
      'certificate_authority.commonName': '"Labitat Network Infrastructure CA"'
  ini_file:
    path: '/etc/raddb/certs/ca.cnf'
    section: "{{ item.key.split('.',1)[0] }}"
    option:  "{{ item.key.split('.',1)[1] }}"
    value:   "{{ (item.value is string)|ternary(item.value,omit) }}"
    state:   "{{ (item.value is string)|ternary('present','absent') }}"
  loop: "{{ ca_cnf_settings | dict2items }}"
  tags: radius-certs

- name: Configure /etc/raddb/certs/server.cnf
  # Subject and validity (731 days ≈ 2 years) of the outer EAP server
  # certificate. Same "<section>.<option>" key convention as ca.cnf;
  # a non-string value removes the option.
  # NOTE(review): the CN carries a year; remember to bump it (and
  # re-issue) when the certificate is rotated.
  vars:
    server_cnf_settings:
      ' CA_default .default_days': '731'
      'server.countryName': 'DK'
      'server.stateOrProvinceName': 'Copenhagen'
      'server.localityName': 'Frederiksberg'
      'server.organizationName': 'Labitat'
      'server.emailAddress': 'noc@labitat.dk'
      'server.commonName': '"Labitat Radius Authentication 2020"'
  ini_file:
    path: '/etc/raddb/certs/server.cnf'
    section: "{{ item.key.split('.',1)[0] }}"
    option:  "{{ item.key.split('.',1)[1] }}"
    value:   "{{ (item.value is string)|ternary(item.value,omit) }}"
    state:   "{{ (item.value is string)|ternary('present','absent') }}"
  loop: "{{ server_cnf_settings | dict2items }}"
  tags: radius-certs

- name: Configure /etc/raddb/certs/inner-server.cnf
  # Subject and validity (731 days ≈ 2 years) of the certificate used by
  # the inner tunnel (labitat-inner site). Same key convention as ca.cnf;
  # a non-string value removes the option.
  vars:
    inner_server_cnf_settings:
      ' CA_default .default_days': '731'
      'server.countryName': 'DK'
      'server.stateOrProvinceName': 'Copenhagen'
      'server.localityName': 'Frederiksberg'
      'server.organizationName': 'Labitat'
      'server.emailAddress': 'noc@labitat.dk'
      'server.commonName': '"Labitat Radius Inner Server Certificate 2020"'
  ini_file:
    path: '/etc/raddb/certs/inner-server.cnf'
    section: "{{ item.key.split('.',1)[0] }}"
    option:  "{{ item.key.split('.',1)[1] }}"
    value:   "{{ (item.value is string)|ternary(item.value,omit) }}"
    state:   "{{ (item.value is string)|ternary('present','absent') }}"
  loop: "{{ inner_server_cnf_settings | dict2items }}"
  tags: radius-certs

- name: Configure /etc/raddb/certs/client.cnf
  # Defaults for client certificates: 365-day validity and the
  # organisation part of the subject. No commonName/emailAddress is set
  # here — presumably those are filled in per client at issue time.
  # Same key convention as ca.cnf; a non-string value removes the option.
  vars:
    client_cnf_settings:
      ' CA_default .default_days': '365'
      'client.countryName': 'DK'
      'client.stateOrProvinceName': 'Copenhagen'
      'client.localityName': 'Frederiksberg'
      'client.organizationName': 'Labitat'
  ini_file:
    path: '/etc/raddb/certs/client.cnf'
    section: "{{ item.key.split('.',1)[0] }}"
    option:  "{{ item.key.split('.',1)[1] }}"
    value:   "{{ (item.value is string)|ternary(item.value,omit) }}"
    state:   "{{ (item.value is string)|ternary('present','absent') }}"
  loop: "{{ client_cnf_settings | dict2items }}"
  tags: radius-certs

#
# radiusd.service
#
- name: Create service drop-in directory
  # Holds the radiusd.service overrides installed by the two tasks below.
  file:
    path: '/etc/systemd/system/radiusd.service.d'
    state: directory
    owner: root
    group: root
    mode: '0755'

- name: Start radiusd after networks are configured
  # Drop-in that orders radiusd after the network is up (shared
  # wait-online.conf from files/, not radius-specific). No handler on
  # purpose: a changed ordering only matters on the next boot.
  copy:
    src: wait-online.conf
    dest: '/etc/systemd/system/radiusd.service.d/wait-online.conf'
    owner: root
    group: root
    mode: '0644'

- name: Set PYTHONPATH for radiusd
  # Drop-in exporting PYTHONPATH into the daemon's environment, presumably
  # so the assha module under mods-config/python3 is importable.
  # NOTE(review): every directory on that path must be root-owned and not
  # group/world-writable, or a local user can inject code into radiusd.
  copy:
    src: 'radius/pythonpath.conf'
    dest: '/etc/systemd/system/radiusd.service.d/pythonpath.conf'
    owner: root
    group: root
    mode: '0644'

- name: Enable radiusd service
  # Live hosts: enable, unmask and start the daemon.
  systemd:
    name: radiusd.service
    enabled: true
    masked: false
    state: started
  when: not chroot

- name: '- when in chroot'
  # Image builds (chroot): presumably no running systemd, so only create
  # the wants-symlink; `creates` keeps the command idempotent.
  command: systemctl enable radiusd.service
  args:
    creates: '/etc/systemd/system/multi-user.target.wants/radiusd.service'
  when: chroot

# vim: set ts=2 sw=2 et: