authorEmil Renner Berthing <esmil@labitat.dk>2020-03-01 16:22:18 +0100
committerEmil Renner Berthing <esmil@labitat.dk>2020-03-01 16:22:18 +0100
commit353660e965d11a0ac74f0196d7246f14fd834386 (patch)
tree673bca10f024e671a580d7a021b95c58ea41406e
parentca467c55d8bbd633870c1fcaff0677bc2c6eaa9f (diff)
space_server: radius: configure certificates
-rw-r--r--roles/space_server/tasks/radius.yml85
1 files changed, 85 insertions, 0 deletions
diff --git a/roles/space_server/tasks/radius.yml b/roles/space_server/tasks/radius.yml
index 2747d31..614d1b7 100644
--- a/roles/space_server/tasks/radius.yml
+++ b/roles/space_server/tasks/radius.yml
@@ -1,4 +1,7 @@
---
+#
+# configuration
+#
- name: Configure radiusd
copy:
dest: '/etc/raddb/{{ item }}'
@@ -67,6 +70,9 @@
notify:
- restart radiusd
+#
+# getusers.sh
+#
- name: Create getusers script
template:
dest: '/etc/raddb/getusers.sh'
@@ -101,6 +107,85 @@
creates: '/etc/systemd/system/timers.target.wants/getusers.timer'
when: chroot
+#
+# certificates
+#
+- name: Configure /etc/raddb/certs/passwords.mk
+ replace:
+ path: '/etc/raddb/certs/passwords.mk'
+ regexp: '^CA_DEFAULT_DAYS( *= *).*$'
+ replace: "CA_DEFAULT_DAYS\\1'3652'"
+ tags: radius-certs
+
+- name: Configure /etc/raddb/certs/ca.cnf
+ ini_file:
+ path: '/etc/raddb/certs/ca.cnf'
+ section: "{{ item.key.split('.',1)[0] }}"
+ option: "{{ item.key.split('.',1)[1] }}"
+ value: "{{ (item.value is string)|ternary(item.value,omit) }}"
+ state: "{{ (item.value is string)|ternary('present','absent') }}"
+ with_dict:
+ ' CA_default .default_days': '3652'
+ 'certificate_authority.countryName': 'DK'
+ 'certificate_authority.stateOrProvinceName': 'Copenhagen'
+ 'certificate_authority.localityName': 'Frederiksberg'
+ 'certificate_authority.organizationName': 'Labitat'
+ 'certificate_authority.emailAddress': 'noc@labitat.dk'
+ 'certificate_authority.commonName': '"Labitat Network Infrastructure CA"'
+ tags: radius-certs
+
+- name: Configure /etc/raddb/certs/server.cnf
+ ini_file:
+ path: '/etc/raddb/certs/server.cnf'
+ section: "{{ item.key.split('.',1)[0] }}"
+ option: "{{ item.key.split('.',1)[1] }}"
+ value: "{{ (item.value is string)|ternary(item.value,omit) }}"
+ state: "{{ (item.value is string)|ternary('present','absent') }}"
+ with_dict:
+ ' CA_default .default_days': '731'
+ 'server.countryName': 'DK'
+ 'server.stateOrProvinceName': 'Copenhagen'
+ 'server.localityName': 'Frederiksberg'
+ 'server.organizationName': 'Labitat'
+ 'server.emailAddress': 'noc@labitat.dk'
+ 'server.commonName': '"Labitat Radius Authentication 2020"'
+ tags: radius-certs
+
+- name: Configure /etc/raddb/certs/inner-server.cnf
+ ini_file:
+ path: '/etc/raddb/certs/inner-server.cnf'
+ section: "{{ item.key.split('.',1)[0] }}"
+ option: "{{ item.key.split('.',1)[1] }}"
+ value: "{{ (item.value is string)|ternary(item.value,omit) }}"
+ state: "{{ (item.value is string)|ternary('present','absent') }}"
+ with_dict:
+ ' CA_default .default_days': '731'
+ 'server.countryName': 'DK'
+ 'server.stateOrProvinceName': 'Copenhagen'
+ 'server.localityName': 'Frederiksberg'
+ 'server.organizationName': 'Labitat'
+ 'server.emailAddress': 'noc@labitat.dk'
+ 'server.commonName': '"Labitat Radius Inner Server Certificate 2020"'
+ tags: radius-certs
+
+- name: Configure /etc/raddb/certs/client.cnf
+ ini_file:
+ path: '/etc/raddb/certs/client.cnf'
+ section: "{{ item.key.split('.',1)[0] }}"
+ option: "{{ item.key.split('.',1)[1] }}"
+ value: "{{ (item.value is string)|ternary(item.value,omit) }}"
+ state: "{{ (item.value is string)|ternary('present','absent') }}"
+ with_dict:
+ ' CA_default .default_days': '365'
+ 'client.countryName': 'DK'
+ 'client.stateOrProvinceName': 'Copenhagen'
+ 'client.localityName': 'Frederiksberg'
+ 'client.organizationName': 'Labitat'
+ tags: radius-certs
+
+#
+# radiusd.service
+#
- name: Create service drop-in directory
file:
dest: '/etc/systemd/system/radiusd.service.d'
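Review bot: The `Configure /etc/raddb/certs/passwords.mk` task in the third hunk rewrites only CA_DEFAULT_DAYS, while the stock FreeRADIUS passwords.mk also defines the private-key passphrases (PASSWORD_CA, PASSWORD_SERVER, PASSWORD_CLIENT) with the shipped placeholder defaults, and neither this task nor the ca.cnf/server.cnf ini_file tasks (which set only DN fields and default_days) replaces them, so unless another part of the role does, the CA and server keys end up protected by the well-known defaults. A second `replace` on the same file, e.g. `regexp: '^PASSWORD_CA( *= *).*$'` with `replace: "PASSWORD_CA\\1'{{ radius_ca_key_password }}'"` (variable name constructed; keep it in ansible-vault, not in the role), plus matching `input_password`/`output_password` entries in the existing ca.cnf/server.cnf with_dict maps, would close this, and the tasks should run before any certificate generation step. Separately, every value in the four with_dict maps is a string, so the `ternary('present','absent')` branch on the `state:` lines is dead in this commit; if it is kept on purpose, a comment such as `# a non-string value removes the option instead of setting it` above the first ini_file task would explain the idiom. The first two hunks add only section comments and raise nothing.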