From 460945caf413de8e36c85c2d034e491a1d75e04a Mon Sep 17 00:00:00 2001
From: Andrea Dell'Amico
Date: Wed, 17 Jul 2019 17:55:47 +0200
Subject: [PATCH] freeradius: manage the letsencrypt certificates and some basic configuration option.

---
 library/roles/freeradius/defaults/main.yml | 10 +++++
 library/roles/freeradius/handlers/main.yml | 4 ++
 library/roles/freeradius/tasks/main.yml | 43 +++++++++++++++++++
 .../templates/freeradius-letsencrypt-acme.sh | 34 +++++++++++++++
 4 files changed, 91 insertions(+)
 create mode 100644 library/roles/freeradius/handlers/main.yml
 create mode 100644 library/roles/freeradius/templates/freeradius-letsencrypt-acme.sh

diff --git a/library/roles/freeradius/defaults/main.yml b/library/roles/freeradius/defaults/main.yml
index bdd5db75..ff580a23 100644
--- a/library/roles/freeradius/defaults/main.yml
+++ b/library/roles/freeradius/defaults/main.yml
@@ -1,5 +1,8 @@
 ---
 freeradius_install: True
+freeradius_version: 3.0
+freeradius_conf_dir: '/etc/freeradius/{{ freeradius_version }}'
+
 freeradius_pkgs:
   - freeradius
   - freeradius-config
@@ -23,3 +26,10 @@ freeradius_local_redis_support: '{{ freeradius_redis_module }}'
 freeradius_to_be_disabled_modules: []
 freeradius_enabled_modules: []
+
+freeradius_letsencrypt_managed: True
+freeradius_pki_directory: /etc/pki/freeradius
+freeradius_ca_file: /etc/ssl/certs/ca-certificates.crt
+freeradius_tls_min_version: '1.0'
+freeradius_tls_max_version: '1.2'
+
diff --git a/library/roles/freeradius/handlers/main.yml b/library/roles/freeradius/handlers/main.yml
new file mode 100644
index 00000000..0afa6e5e
--- /dev/null
+++ b/library/roles/freeradius/handlers/main.yml
@@ -0,0 +1,4 @@
+---
+- name: restart freeradius
+  service: name=freeradius state=restarted
+
diff --git a/library/roles/freeradius/tasks/main.yml b/library/roles/freeradius/tasks/main.yml
index 3fcf6392..4dd23cb0 100644
--- a/library/roles/freeradius/tasks/main.yml
+++ b/library/roles/freeradius/tasks/main.yml
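Review bot: `freeradius_version: 3.0` is an unquoted YAML float, so a future `3.10` would load as `3.1` and `freeradius_conf_dir` would silently render the wrong directory; write it as `freeradius_version: '3.0'`. The new `freeradius_conf_dir` default is also not picked up by the module tasks in the tasks/main.yml hunk below, which still hardcode `/etc/freeradius/3.0/mods-enabled`; either use it there (`dest={{ freeradius_conf_dir }}/mods-enabled/{{ item }}`) or drop the unused default.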
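Review bot: `freeradius_tls_min_version: '1.0'` makes TLS 1.0 the default floor for the EAP TLS tunnel, which is deprecated (RFC 8996) and only needed for legacy supplicants; a secure default is `freeradius_tls_min_version: '1.2'`, with operators overriding downward explicitly when they must. None of the new `freeradius_tls_*`, `freeradius_ca_file` or `freeradius_pki_directory`-related TLS settings are referenced by a template in this patch, so as far as this diff shows they have no effect on the rendered `eap` module; a comment above them such as `# consumed by the eap module template (not yet templated in this role)` would tell the next reader they are not wired up. `freeradius_letsencrypt_managed: True` should be `true` to satisfy yamllint's truthy rule (the pre-existing `freeradius_install: True` has the same issue but is not part of this change).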
@@ -5,14 +5,17 @@
 - name: Install the additional freeradius packages
   apt: pkg={{ freeradius_additional_modules }} state=present cache_valid_time=3600
+  notify: restart freeradius
 - name: Install the freeradius memcached module if needed
   apt: pkg=freeradius-memcached state=present cache_valid_time=3600
   when: freeradius_memcache_module
+  notify: restart freeradius
 - name: Install the freeradius redis module if needed
   apt: pkg=freeradius-redis state=present cache_valid_time=3600
   when: freeradius_redis_module
+  notify: restart freeradius
   tags: freeradius
@@ -20,9 +23,49 @@
 - name: Disable some modules
   file: dest=/etc/freeradius/3.0/mods-enabled/{{ item }} state=absent
   with_items: '{{ freeradius_to_be_disabled_modules }}'
+  notify: restart freeradius
 - name: Enable some modules
   file: src=/etc/freeradius/3.0/mods-available/{{ item }} dest=/etc/freeradius/3.0/mods-enabled/{{ item }} state=link
   with_items: '{{ freeradius_enabled_modules }}'
+  notify: restart freeradius
   tags: [ 'freeradius', 'freeradius_modules' ]
+
+- block:
+    - name: Create the freeradius pki directory if it does not yet exist
+      file: dest={{ freeradius_pki_directory }} state=directory owner=root group=freerad mode=0550
+
+    - name: Setup the freeradius private key if it is not in place already
+      copy: remote_src=yes src={{ letsencrypt_acme_certs_dir }}/privkey dest={{ freeradius_pki_directory }} owner=root group=freerad mode=0440
+
+    - name: Create the DH file
+      command: openssl dhparam -out {{ freeradius_pki_directory }}/dh 2048
+      args:
+        creates: '{{ freeradius_pki_directory }}/dh'
+
+    - name: Create the acme hooks directory if it does not yet exist
+      file: dest={{ letsencrypt_acme_services_scripts_dir }} state=directory owner=root group=root
+
+    - name: Install a script that fix the letsencrypt certificate for freeradius and then restarts the service
+      template: src=freeradius-letsencrypt-acme.sh dest={{ letsencrypt_acme_services_scripts_dir }}/freeradius owner=root group=root mode=4555
+
+  when:
+    - freeradius_letsencrypt_managed
+    - letsencrypt_acme_install
+  tags: [ 'freeradius', 'freeradius_letsencrypt', 'letsencrypt' ]
+
+
+- block:
+    - name: Remove the letsencrypt certificate hook for freeradius
+      file: dest=/usr/lib/acme/hooks/postgresql state=absent
+
+  when:
+    - not freeradius_letsencrypt_managed
+  tags: [ 'freeradius', 'freeradius_letsencrypt', 'letsencrypt' ]
+
+- block:
+    - name: Ensure that freeradius is started and enabled
+      service: name=freeradius state=started enabled=yes
+
+  tags: freeradius
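Review bot: The cleanup task in the `not freeradius_letsencrypt_managed` block removes `/usr/lib/acme/hooks/postgresql`, which is another service's hook, while the hook this role installs is `{{ letsencrypt_acme_services_scripts_dir }}/freeradius`; it should read `file: dest={{ letsencrypt_acme_services_scripts_dir }}/freeradius state=absent`. The hook script is installed with `mode=4555`, i.e. setuid root and world-readable/executable; the kernel ignores setuid on interpreted scripts, so the bit buys nothing and only trips permission audits — `mode=0750` is all a root-run hook needs. Only `privkey` is copied into `freeradius_pki_directory`; nothing in this hunk copies the certificate chain or templates `mods-available/eap` to point at the new key, the DH file or the new `freeradius_tls_*` defaults, so presumably a follow-up is intended — that should be stated in a comment on the block, e.g. `# NOTE: eap module still has to be pointed at {{ freeradius_pki_directory }}`. The `copy` task is named "if it is not in place already" but `copy` rewrites the file whenever the source differs, which is the desired behaviour on renewal; `Install the freeradius private key from the letsencrypt directory` describes it accurately.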
diff --git a/library/roles/freeradius/templates/freeradius-letsencrypt-acme.sh b/library/roles/freeradius/templates/freeradius-letsencrypt-acme.sh
new file mode 100644
index 00000000..184d6bdb
--- /dev/null
+++ b/library/roles/freeradius/templates/freeradius-letsencrypt-acme.sh
@@ -0,0 +1,34 @@
+#!/bin/bash
+
+H_NAME=$( hostname -f )
+LE_SERVICES_SCRIPT_DIR=/usr/lib/acme/hooks
+LE_CERTS_DIR=/var/lib/acme/live/$H_NAME
+LE_LOG_DIR=/var/log/letsencrypt
+FREERADIUS_CERTDIR={{ freeradius_pki_directory }}
+FREERADIUS_KEYFILE=$FREERADIUS_CERTDIR/privkey
+DATE=$( date )
+
+[ ! -d $FREERADIUS_CERTDIR ] && mkdir -p $FREERADIUS_CERTDIR
+[ ! -d $LE_LOG_DIR ] && mkdir $LE_LOG_DIR
+echo "$DATE" >> $LE_LOG_DIR/freeradius.log
+
+if [ -f /etc/default/letsencrypt ] ; then
+  . /etc/default/letsencrypt
+else
+  echo "No letsencrypt default file" >> $LE_LOG_DIR/freeradius.log
+fi
+
+echo "Copy the key file" >> $LE_LOG_DIR/freeradius.log
+cp ${LE_CERTS_DIR}/privkey ${FREERADIUS_KEYFILE}
+chmod 440 ${FREERADIUS_KEYFILE}
+chown root:freerad ${FREERADIUS_KEYFILE}
+
+echo "Restart the freeradius service" >> $LE_LOG_DIR/freeradius.log
+if [ -x /bin/systemctl ] ; then
+  systemctl restart freeradius >> $LE_LOG_DIR/freeradius.log 2>&1
+fi
+
+echo "Done." >> $LE_LOG_DIR/freeradius.log
+
+exit 0
+
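Review bot: The key copy at `cp ${LE_CERTS_DIR}/privkey ${FREERADIUS_KEYFILE}` is unchecked and the script always ends with `exit 0`, so if `hostname -f` does not match the acme live directory the hook logs "Done." and restarts freeradius with the stale key; the playbook reads the same key from `{{ letsencrypt_acme_certs_dir }}` while the hook hardcodes `/var/lib/acme/live/$H_NAME`, so the two can diverge silently. When the target does not exist yet, `mkdir -p` creates the directory and `cp` creates the key under the default umask before the later `chmod 440`/`chown`, whereas the playbook creates them with `mode=0550`/`mode=0440`; copying with `install` sets owner and mode as part of the same operation, and a failed copy should abort before the restart. Templating the source directory (`LE_CERTS_DIR={{ letsencrypt_acme_certs_dir }}`) keeps the hook and the playbook in step, and `LE_SERVICES_SCRIPT_DIR` is assigned but never used and can be dropped. The variable expansions are unquoted throughout; they are safe only as long as `freeradius_pki_directory` never contains whitespace, so quoting them costs nothing.
```bash
LE_CERTS_DIR={{ letsencrypt_acme_certs_dir }}
# … unchanged: remaining variable setup and log preamble …
[ -d "$FREERADIUS_CERTDIR" ] || install -d -o root -g freerad -m 0550 "$FREERADIUS_CERTDIR"
# … unchanged: /etc/default/letsencrypt sourcing …
echo "Copy the key file" >> "$LE_LOG_DIR/freeradius.log"
if ! install -o root -g freerad -m 0440 "${LE_CERTS_DIR}/privkey" "${FREERADIUS_KEYFILE}" >> "$LE_LOG_DIR/freeradius.log" 2>&1 ; then
    echo "Copying the private key failed, freeradius not restarted" >> "$LE_LOG_DIR/freeradius.log"
    exit 1
fi
# … unchanged: service restart and final log line …
```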