From d43cdbc412d6548447d3d4c6238fc56c99e09d98 Mon Sep 17 00:00:00 2001
From: Emil Renner Berthing <esmil@labitat.dk>
Date: Tue, 19 Jan 2021 21:58:10 +0100
Subject: space_server: radius: use letsencrypt certificate

---
 roles/space_server/files/radius/bootstrap          | 28 +++++++
 roles/space_server/files/radius/certbot.sh         | 15 ++++
 roles/space_server/files/radius/mods-available/eap | 12 +--
 roles/space_server/files/radius/pythonpath.conf    |  0
 .../files/radius/sites-available/labitat           |  2 +-
 roles/space_server/tasks/radius.yml                | 85 ++++------------------
 6 files changed, 64 insertions(+), 78 deletions(-)
 create mode 100755 roles/space_server/files/radius/bootstrap
 create mode 100755 roles/space_server/files/radius/certbot.sh
 mode change 100755 => 100644 roles/space_server/files/radius/pythonpath.conf

diff --git a/roles/space_server/files/radius/bootstrap b/roles/space_server/files/radius/bootstrap
new file mode 100755
index 0000000..376aa78
--- /dev/null
+++ b/roles/space_server/files/radius/bootstrap
@@ -0,0 +1,28 @@
+#!/bin/sh
+
+set -e
+
+certname=space.labitat.dk
+privkey="/etc/letsencrypt/live/$certname/privkey.pem"
+fullchain="/etc/letsencrypt/live/$certname/fullchain.pem"
+
+umask 027
+cd "$(dirname $0)"
+
+if [ ! -f dh ]; then
+  openssl dhparam -out dh 2048
+  chown root:radiusd dh
+  chmod 640 dh
+fi
+
+if ! diff -q "$privkey" privkey.pem >/dev/null 2>&1; then
+  install -m640 -o root -g radiusd "$privkey" privkey.pem
+fi
+
+if ! diff -q "$fullchain" fullchain.pem >/dev/null 2>&1; then
+  install -m640 -o root -g radiusd "$fullchain" fullchain.pem
+fi
+
+openssl verify -untrusted fullchain.pem fullchain.pem
+
+# vim: set ts=2 sw=2 et:
diff --git a/roles/space_server/files/radius/certbot.sh b/roles/space_server/files/radius/certbot.sh
new file mode 100755
index 0000000..f6749a8
--- /dev/null
+++ b/roles/space_server/files/radius/certbot.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+set -e
+
+case "$RENEWED_LINEAGE" in
+*/space.labitat.dk)
+  install -m640 -o root -g radiusd \
+    "$RENEWED_LINEAGE/privkey.pem" \
+    "$RENEWED_LINEAGE/fullchain.pem" \
+    /etc/raddb/certs/
+  systemctl reload radiusd.service
+  ;;
+esac
+
+# vim: set ts=2 sw=2 et:
diff --git a/roles/space_server/files/radius/mods-available/eap b/roles/space_server/files/radius/mods-available/eap
index 2136414..938370c 100644
--- a/roles/space_server/files/radius/mods-available/eap
+++ b/roles/space_server/files/radius/mods-available/eap
@@ -181,8 +181,8 @@ eap {
 	#  authenticate via EAP-TLS!  This is likely not what you want.
 	#
 	tls-config tls-common {
-		private_key_password = whatever
-		private_key_file = ${certdir}/server.pem
+	#	private_key_password = whatever
+		private_key_file = ${certdir}/privkey.pem
 
 		#  If Private key & Certificate are located in
 		#  the same file, then private_key_file &
@@ -218,7 +218,7 @@ eap {
 		#  give advice which will work everywhere.  Instead,
 		#  we give general guidelines.
 		#
-		certificate_file = ${certdir}/server.pem
+		certificate_file = ${certdir}/fullchain.pem
 
 		#  Trusted Root CA list
 		#
@@ -231,7 +231,7 @@ eap {
 		#  In that case, this CA file should contain
 		#  *one* CA certificate.
 		#
-		ca_file = ${cadir}/ca.pem
+	#	ca_file = ${cadir}/ca.pem
 
 	 	#  OpenSSL will automatically create certificate chains,
 	 	#  unless we tell it to not do that.  The problem is that
@@ -392,8 +392,8 @@ eap {
 		#  tls_max_version.
 		#
 	#	disable_tlsv1_2 = no
-		disable_tlsv1_1 = yes
-		disable_tlsv1 = yes
+	#	disable_tlsv1_1 = yes
+	#	disable_tlsv1 = yes
 
 		#  Set min / max TLS version.  Mainly for Debian
 		#  "trusty", which disables older versions of TLS, and
diff --git a/roles/space_server/files/radius/pythonpath.conf b/roles/space_server/files/radius/pythonpath.conf
old mode 100755
new mode 100644
diff --git a/roles/space_server/files/radius/sites-available/labitat b/roles/space_server/files/radius/sites-available/labitat
index 6deb993..8b514f8 100644
--- a/roles/space_server/files/radius/sites-available/labitat
+++ b/roles/space_server/files/radius/sites-available/labitat
@@ -15,7 +15,7 @@ server labitat {
 	authorize {
 		filter_username
 		preprocess
-		auth_log
+		#auth_log
 
 		eap {
 			ok = return
diff --git a/roles/space_server/tasks/radius.yml b/roles/space_server/tasks/radius.yml
index 614d1b7..7ea88b1 100644
--- a/roles/space_server/tasks/radius.yml
+++ b/roles/space_server/tasks/radius.yml
@@ -110,78 +110,21 @@
 #
 # certificates
 #
-- name: Configure /etc/raddb/certs/passwords.mk
-  replace:
-    path: '/etc/raddb/certs/passwords.mk'
-    regexp: '^CA_DEFAULT_DAYS( *= *).*$'
-    replace: "CA_DEFAULT_DAYS\\1'3652'"
-  tags: radius-certs
-
-- name: Configure /etc/raddb/certs/ca.cnf
-  ini_file:
-    path: '/etc/raddb/certs/ca.cnf'
-    section: "{{ item.key.split('.',1)[0] }}"
-    option:  "{{ item.key.split('.',1)[1] }}"
-    value:   "{{ (item.value is string)|ternary(item.value,omit) }}"
-    state:   "{{ (item.value is string)|ternary('present','absent') }}"
-  with_dict:
-    ' CA_default .default_days': '3652'
-    'certificate_authority.countryName': 'DK'
-    'certificate_authority.stateOrProvinceName': 'Copenhagen'
-    'certificate_authority.localityName': 'Frederiksberg'
-    'certificate_authority.organizationName': 'Labitat'
-    'certificate_authority.emailAddress': 'noc@labitat.dk'
-    'certificate_authority.commonName': '"Labitat Network Infrastructure CA"'
-  tags: radius-certs
-
-- name: Configure /etc/raddb/certs/server.cnf
-  ini_file:
-    path: '/etc/raddb/certs/server.cnf'
-    section: "{{ item.key.split('.',1)[0] }}"
-    option:  "{{ item.key.split('.',1)[1] }}"
-    value:   "{{ (item.value is string)|ternary(item.value,omit) }}"
-    state:   "{{ (item.value is string)|ternary('present','absent') }}"
-  with_dict:
-    ' CA_default .default_days': '731'
-    'server.countryName': 'DK'
-    'server.stateOrProvinceName': 'Copenhagen'
-    'server.localityName': 'Frederiksberg'
-    'server.organizationName': 'Labitat'
-    'server.emailAddress': 'noc@labitat.dk'
-    'server.commonName': '"Labitat Radius Authentication 2020"'
-  tags: radius-certs
-
-- name: Configure /etc/raddb/certs/inner-server.cnf
-  ini_file:
-    path: '/etc/raddb/certs/inner-server.cnf'
-    section: "{{ item.key.split('.',1)[0] }}"
-    option:  "{{ item.key.split('.',1)[1] }}"
-    value:   "{{ (item.value is string)|ternary(item.value,omit) }}"
-    state:   "{{ (item.value is string)|ternary('present','absent') }}"
-  with_dict:
-    ' CA_default .default_days': '731'
-    'server.countryName': 'DK'
-    'server.stateOrProvinceName': 'Copenhagen'
-    'server.localityName': 'Frederiksberg'
-    'server.organizationName': 'Labitat'
-    'server.emailAddress': 'noc@labitat.dk'
-    'server.commonName': '"Labitat Radius Inner Server Certificate 2020"'
-  tags: radius-certs
+- name: Create our certificates bootstrap script
+  copy:
+    dest: '/etc/raddb/certs/bootstrap'
+    src: 'radius/bootstrap'
+    owner: root
+    group: radiusd
+    mode: 0750
 
-- name: Configure /etc/raddb/certs/client.cnf
-  ini_file:
-    path: '/etc/raddb/certs/client.cnf'
-    section: "{{ item.key.split('.',1)[0] }}"
-    option:  "{{ item.key.split('.',1)[1] }}"
-    value:   "{{ (item.value is string)|ternary(item.value,omit) }}"
-    state:   "{{ (item.value is string)|ternary('present','absent') }}"
-  with_dict:
-    ' CA_default .default_days': '365'
-    'client.countryName': 'DK'
-    'client.stateOrProvinceName': 'Copenhagen'
-    'client.localityName': 'Frederiksberg'
-    'client.organizationName': 'Labitat'
-  tags: radius-certs
+- name: Add certbot deploy hook
+  copy:
+    dest: '/etc/letsencrypt/renewal-hooks/deploy/radius.sh'
+    src: 'radius/certbot.sh'
+    owner: root
+    group: root
+    mode: 0755
 
 #
 # radiusd.service
-- 
cgit v1.2.1