Merge branch 'master' of adellam/ansible-roles into master
commit
39b3116d51
@ -1,5 +1,8 @@
|
||||||
---
|
---
|
||||||
freeradius_install: True
|
freeradius_install: True
|
||||||
|
freeradius_version: 3.0
|
||||||
|
freeradius_conf_dir: '/etc/freeradius/{{ freeradius_version }}'
|
||||||
|
|
||||||
freeradius_pkgs:
|
freeradius_pkgs:
|
||||||
- freeradius
|
- freeradius
|
||||||
- freeradius-config
|
- freeradius-config
|
||||||
|
@ -23,3 +26,10 @@ freeradius_local_redis_support: '{{ freeradius_redis_module }}'
|
||||||
freeradius_to_be_disabled_modules: []
|
freeradius_to_be_disabled_modules: []
|
||||||
|
|
||||||
freeradius_enabled_modules: []
|
freeradius_enabled_modules: []
|
||||||
|
|
||||||
|
freeradius_letsencrypt_managed: True
|
||||||
|
freeradius_pki_directory: /etc/pki/freeradius
|
||||||
|
freeradius_ca_file: /etc/ssl/certs/ca-certificates.crt
|
||||||
|
freeradius_tls_min_version: '1.0'
|
||||||
|
freeradius_tls_max_version: '1.2'
|
||||||
|
|
||||||
|
|
|
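Review bot: `freeradius_tls_min_version: '1.0'` makes TLS 1.0 (and, with the `'1.2'` ceiling, 1.1) the default floor for whatever EAP tunnel configuration consumes these variables, which is below what current guidance allows; unless old supplicants are a known requirement, the default should be `freeradius_tls_min_version: '1.2'` with 1.0 left as a per-host override. Related, `freeradius_ca_file` defaults to the system bundle `/etc/ssl/certs/ca-certificates.crt`; if the EAP module's `ca_file` is rendered from it, any client certificate chaining to any public CA would be accepted as valid — the template that uses these values is not in this diff, so confirm, and if so add a comment that the variable is expected to be overridden with the site CA. Minor: the new `freeradius_conf_dir` variable is introduced here but nothing in the tasks hunk of this commit uses it (the module tasks still hardcode `/etc/freeradius/3.0`).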
@ -0,0 +1,4 @@
|
||||||
|
---
|
||||||
|
- name: restart freeradius
|
||||||
|
service: name=freeradius state=restarted
|
||||||
|
|
|
@ -5,14 +5,17 @@
|
||||||
|
|
||||||
- name: Install the additional freeradius packages
|
- name: Install the additional freeradius packages
|
||||||
apt: pkg={{ freeradius_additional_modules }} state=present cache_valid_time=3600
|
apt: pkg={{ freeradius_additional_modules }} state=present cache_valid_time=3600
|
||||||
|
notify: restart freeradius
|
||||||
|
|
||||||
- name: Install the freeradius memcached module if needed
|
- name: Install the freeradius memcached module if needed
|
||||||
apt: pkg=freeradius-memcached state=present cache_valid_time=3600
|
apt: pkg=freeradius-memcached state=present cache_valid_time=3600
|
||||||
when: freeradius_memcache_module
|
when: freeradius_memcache_module
|
||||||
|
notify: restart freeradius
|
||||||
|
|
||||||
- name: Install the freeradius redis module if needed
|
- name: Install the freeradius redis module if needed
|
||||||
apt: pkg=freeradius-redis state=present cache_valid_time=3600
|
apt: pkg=freeradius-redis state=present cache_valid_time=3600
|
||||||
when: freeradius_redis_module
|
when: freeradius_redis_module
|
||||||
|
notify: restart freeradius
|
||||||
|
|
||||||
tags: freeradius
|
tags: freeradius
|
||||||
|
|
||||||
|
@ -20,9 +23,49 @@
|
||||||
- name: Disable some modules
|
- name: Disable some modules
|
||||||
file: dest=/etc/freeradius/3.0/mods-enabled/{{ item }} state=absent
|
file: dest=/etc/freeradius/3.0/mods-enabled/{{ item }} state=absent
|
||||||
with_items: '{{ freeradius_to_be_disabled_modules }}'
|
with_items: '{{ freeradius_to_be_disabled_modules }}'
|
||||||
|
notify: restart freeradius
|
||||||
|
|
||||||
- name: Enable some modules
|
- name: Enable some modules
|
||||||
file: src=/etc/freeradius/3.0/mods-available/{{ item }} dest=/etc/freeradius/3.0/mods-enabled/{{ item }} state=link
|
file: src=/etc/freeradius/3.0/mods-available/{{ item }} dest=/etc/freeradius/3.0/mods-enabled/{{ item }} state=link
|
||||||
with_items: '{{ freeradius_enabled_modules }}'
|
with_items: '{{ freeradius_enabled_modules }}'
|
||||||
|
notify: restart freeradius
|
||||||
|
|
||||||
tags: [ 'freeradius', 'freeradius_modules' ]
|
tags: [ 'freeradius', 'freeradius_modules' ]
|
||||||
|
|
||||||
|
- block:
|
||||||
|
- name: Create the freeradius pki directory if it does not yet exist
|
||||||
|
file: dest={{ freeradius_pki_directory }} state=directory owner=root group=freerad mode=0550
|
||||||
|
|
||||||
|
- name: Setup the freeradius private key if it is not in place already
|
||||||
|
copy: remote_src=yes src={{ letsencrypt_acme_certs_dir }}/privkey dest={{ freeradius_pki_directory }} owner=root group=freerad mode=0440
|
||||||
|
|
||||||
|
- name: Create the DH file
|
||||||
|
command: openssl dhparam -out {{ freeradius_pki_directory }}/dh 2048
|
||||||
|
args:
|
||||||
|
creates: '{{ freeradius_pki_directory }}/dh'
|
||||||
|
|
||||||
|
- name: Create the acme hooks directory if it does not yet exist
|
||||||
|
file: dest={{ letsencrypt_acme_services_scripts_dir }} state=directory owner=root group=root
|
||||||
|
|
||||||
|
- name: Install a script that fix the letsencrypt certificate for freeradius and then restarts the service
|
||||||
|
template: src=freeradius-letsencrypt-acme.sh dest={{ letsencrypt_acme_services_scripts_dir }}/freeradius owner=root group=root mode=4555
|
||||||
|
|
||||||
|
when:
|
||||||
|
- freeradius_letsencrypt_managed
|
||||||
|
- letsencrypt_acme_install
|
||||||
|
tags: [ 'freeradius', 'freeradius_letsencrypt', 'letsencrypt' ]
|
||||||
|
|
||||||
|
|
||||||
|
- block:
|
||||||
|
- name: Remove the letsencrypt certificate hook for freeradius
|
||||||
|
file: dest=/usr/lib/acme/hooks/postgresql state=absent
|
||||||
|
|
||||||
|
when:
|
||||||
|
- not freeradius_letsencrypt_managed
|
||||||
|
tags: [ 'freeradius', 'freeradius_letsencrypt', 'letsencrypt' ]
|
||||||
|
|
||||||
|
- block:
|
||||||
|
- name: Ensure that freeradius is started and enabled
|
||||||
|
service: name=freeradius state=started enabled=yes
|
||||||
|
|
||||||
|
tags: freeradius
|
||||||
|
|
|
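Review bot: The task under "Remove the letsencrypt certificate hook for freeradius" deletes `/usr/lib/acme/hooks/postgresql`, i.e. the postgresql hook, not the freeradius hook that the block above installs at `{{ letsencrypt_acme_services_scripts_dir }}/freeradius`; it should read `file: dest={{ letsencrypt_acme_services_scripts_dir }}/freeradius state=absent`, otherwise setting `freeradius_letsencrypt_managed: False` removes another service's renewal hook on a shared host and leaves the freeradius one in place. The hook template is installed with `mode=4555`, a setuid bit on a shell script; Linux ignores setuid on interpreted scripts, so the bit does nothing except trip permission audits, and `mode=0755` (or `0750` if only root runs the hooks) is the intended value. Minor: the `Disable some modules`/`Enable some modules` tasks still hardcode `/etc/freeradius/3.0` although the defaults in this commit now define `freeradius_conf_dir` for that path.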
@ -0,0 +1,34 @@
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
H_NAME=$( hostname -f )
|
||||||
|
LE_SERVICES_SCRIPT_DIR=/usr/lib/acme/hooks
|
||||||
|
LE_CERTS_DIR=/var/lib/acme/live/$H_NAME
|
||||||
|
LE_LOG_DIR=/var/log/letsencrypt
|
||||||
|
FREERADIUS_CERTDIR={{ freeradius_pki_directory }}
|
||||||
|
FREERADIUS_KEYFILE=$FREERADIUS_CERTDIR/privkey
|
||||||
|
DATE=$( date )
|
||||||
|
|
||||||
|
[ ! -d $FREERADIUS_CERTDIR ] && mkdir -p $FREERADIUS_CERTDIR
|
||||||
|
[ ! -d $LE_LOG_DIR ] && mkdir $LE_LOG_DIR
|
||||||
|
echo "$DATE" >> $LE_LOG_DIR/freeradius.log
|
||||||
|
|
||||||
|
if [ -f /etc/default/letsencrypt ] ; then
|
||||||
|
. /etc/default/letsencrypt
|
||||||
|
else
|
||||||
|
echo "No letsencrypt default file" >> $LE_LOG_DIR/freeradius.log
|
||||||
|
fi
|
||||||
|
|
||||||
|
echo "Copy the key file" >> $LE_LOG_DIR/freeradius.log
|
||||||
|
cp ${LE_CERTS_DIR}/privkey ${FREERADIUS_KEYFILE}
|
||||||
|
chmod 440 ${FREERADIUS_KEYFILE}
|
||||||
|
chown root:freerad ${FREERADIUS_KEYFILE}
|
||||||
|
|
||||||
|
echo "Restart the freeradius service" >> $LE_LOG_DIR/freeradius.log
|
||||||
|
if [ -x /bin/systemctl ] ; then
|
||||||
|
systemctl restart freeradius >> $LE_LOG_DIR/freeradius.log 2>&1
|
||||||
|
fi
|
||||||
|
|
||||||
|
echo "Done." >> $LE_LOG_DIR/freeradius.log
|
||||||
|
|
||||||
|
exit 0
|
||||||
|
|
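Review bot: In the hook script the `cp ${LE_CERTS_DIR}/privkey ${FREERADIUS_KEYFILE}` followed by separate `chmod 440` and `chown root:freerad` is never checked: if the acme key is missing the copy fails, freeradius is still restarted with whatever key is in place, and the script exits 0 so the renewal runner never sees a failure; and when the target file does not already exist it sits with umask permissions until the chmod runs. Replacing those three lines with `install -o root -g freerad -m 0440 -- "${LE_CERTS_DIR}/privkey" "${FREERADIUS_KEYFILE}" || { echo "key copy failed" >> "$LE_LOG_DIR/freeradius.log"; exit 1; }` sets owner and mode atomically and propagates the error. The script also hardcodes `/var/lib/acme/live/$H_NAME` and `/usr/lib/acme/hooks` while the tasks use `letsencrypt_acme_certs_dir` and `letsencrypt_acme_services_scripts_dir`; rendering those variables into the template keeps the two in step. Only the private key is copied here — where freeradius reads the certificate from is not shown in this diff, and a one-line comment stating it would save the next maintainer a search.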