authorEmil Renner Berthing <esmil@labitat.dk>2021-01-19 21:58:10 +0100
committerEmil Renner Berthing <esmil@labitat.dk>2021-01-19 22:39:39 +0100
commitd43cdbc412d6548447d3d4c6238fc56c99e09d98 (patch)
tree8f5d9b7eabc3dfffaaa7be0088bae08777146aeb /roles/space_server/files
parent3da205a190c0b6f36a726d90afa4dc303ee84ffe (diff)
space_server: radius: use letsencrypt certificate
Diffstat (limited to 'roles/space_server/files')
-rwxr-xr-xroles/space_server/files/radius/bootstrap28
-rwxr-xr-xroles/space_server/files/radius/certbot.sh15
-rw-r--r--roles/space_server/files/radius/mods-available/eap12
-rw-r--r--[-rwxr-xr-x]roles/space_server/files/radius/pythonpath.conf0
-rw-r--r--roles/space_server/files/radius/sites-available/labitat2
5 files changed, 50 insertions, 7 deletions
diff --git a/roles/space_server/files/radius/bootstrap b/roles/space_server/files/radius/bootstrap
new file mode 100755
index 0000000..376aa78
--- /dev/null
+++ b/roles/space_server/files/radius/bootstrap
@@ -0,0 +1,28 @@
+#!/bin/sh
+
+set -e
+
+certname=space.labitat.dk
+privkey="/etc/letsencrypt/live/$certname/privkey.pem"
+fullchain="/etc/letsencrypt/live/$certname/fullchain.pem"
+
+umask 027
+cd "$(dirname $0)"
+
+if [ ! -f dh ]; then
+ openssl dhparam -out dh 2048
+ chown root:radiusd dh
+ chmod 640 dh
+fi
+
+if ! diff -q "$privkey" privkey.pem >/dev/null 2>&1; then
+ install -m640 -o root -g radiusd "$privkey" privkey.pem
+fi
+
+if ! diff -q "$fullchain" fullchain.pem >/dev/null 2>&1; then
+ install -m640 -o root -g radiusd "$fullchain" fullchain.pem
+fi
+
+openssl verify -untrusted fullchain.pem fullchain.pem
+
+# vim: set ts=2 sw=2 et:
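Review bot: `cd "$(dirname $0)"` leaves `$0` unquoted inside the command substitution, so a script path containing whitespace is word-split before dirname sees it and the cd either aborts under `set -e` or lands in the wrong directory, which is where the private key is then installed; quote it as `cd "$(dirname "$0")"`. The rest of the file is sound as far as the hunk shows: dh, privkey.pem and fullchain.pem are created under umask 027 and then explicitly set to root:radiusd 640, a missing Let's Encrypt file makes `diff -q` fail and the following install abort the script instead of silently keeping a stale key, and the final `openssl verify` checks the installed chain against the system trust store. A short header comment stating that this script must be run from the deployed certs directory (it copies next to itself) would help the next maintainer.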
diff --git a/roles/space_server/files/radius/certbot.sh b/roles/space_server/files/radius/certbot.sh
new file mode 100755
index 0000000..f6749a8
--- /dev/null
+++ b/roles/space_server/files/radius/certbot.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+set -e
+
+case "$RENEWED_LINEAGE" in
+*/space.labitat.dk)
+ install -m640 -o root -g radiusd \
+ "$RENEWED_LINEAGE/privkey.pem" \
+ "$RENEWED_LINEAGE/fullchain.pem" \
+ /etc/raddb/certs/
+ systemctl reload radiusd.service
+ ;;
+esac
+
+# vim: set ts=2 sw=2 et:
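Review bot: The hook relies on `systemctl reload radiusd.service` making FreeRADIUS re-read privkey.pem and fullchain.pem; whether a reload re-initialises the EAP TLS context or only re-reads the configuration is not something the diff shows, so confirm it on the installed version, otherwise the server keeps presenting the previous certificate until the next restart even though the files on disk were replaced. Record that assumption in a comment above the systemctl line, e.g. `# reload must re-read the EAP TLS key/chain (verified on radiusd <VERSION-PLACEHOLDER>)`. A minor consistency point: bootstrap installs into the directory it lives in while this hook hardcodes /etc/raddb/certs/, so the two only agree if bootstrap is deployed into that directory.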
diff --git a/roles/space_server/files/radius/mods-available/eap b/roles/space_server/files/radius/mods-available/eap
index 2136414..938370c 100644
--- a/roles/space_server/files/radius/mods-available/eap
+++ b/roles/space_server/files/radius/mods-available/eap
@@ -181,8 +181,8 @@ eap {
# authenticate via EAP-TLS! This is likely not what you want.
#
tls-config tls-common {
- private_key_password = whatever
- private_key_file = ${certdir}/server.pem
+ # private_key_password = whatever
+ private_key_file = ${certdir}/privkey.pem
# If Private key & Certificate are located in
# the same file, then private_key_file &
@@ -218,7 +218,7 @@ eap {
# give advice which will work everywhere. Instead,
# we give general guidelines.
#
- certificate_file = ${certdir}/server.pem
+ certificate_file = ${certdir}/fullchain.pem
# Trusted Root CA list
#
@@ -231,7 +231,7 @@ eap {
# In that case, this CA file should contain
# *one* CA certificate.
#
- ca_file = ${cadir}/ca.pem
+ # ca_file = ${cadir}/ca.pem
# OpenSSL will automatically create certificate chains,
# unless we tell it to not do that. The problem is that
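Review bot: Commenting out `ca_file` removes the locally configured trust anchor that would be used to verify EAP-TLS client certificates, and the hunk does not say why that is no longer needed; if the site only uses PEAP/TTLS with an inner password method this is harmless, but if EAP-TLS is among the enabled methods (the method list is outside this hunk) client authentication would now depend on whatever OpenSSL falls back to. A comment line above the change, e.g. `# no client-certificate (EAP-TLS) auth: the server chain now comes from fullchain.pem, so no local CA is needed`, would make the intent explicit and keep a future reviewer from re-enabling it blindly.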
@@ -392,8 +392,8 @@ eap {
# tls_max_version.
#
# disable_tlsv1_2 = no
- disable_tlsv1_1 = yes
- disable_tlsv1 = yes
+ # disable_tlsv1_1 = yes
+ # disable_tlsv1 = yes
# Set min / max TLS version. Mainly for Debian
# "trusty", which disables older versions of TLS, and
diff --git a/roles/space_server/files/radius/pythonpath.conf b/roles/space_server/files/radius/pythonpath.conf
index 6a7f6ba..6a7f6ba 100755..100644
--- a/roles/space_server/files/radius/pythonpath.conf
+++ b/roles/space_server/files/radius/pythonpath.conf
diff --git a/roles/space_server/files/radius/sites-available/labitat b/roles/space_server/files/radius/sites-available/labitat
index 6deb993..8b514f8 100644
--- a/roles/space_server/files/radius/sites-available/labitat
+++ b/roles/space_server/files/radius/sites-available/labitat
@@ -15,7 +15,7 @@ server labitat {
authorize {
filter_username
preprocess
- auth_log
+ #auth_log
eap {
ok = return