freeradius: manage the letsencrypt certificates and some basic configuration options.
This commit is contained in:
parent
4f08e78d87
commit
460945caf4
|
@ -1,5 +1,8 @@
|
|||
---
|
||||
freeradius_install: True
|
||||
freeradius_version: 3.0
|
||||
freeradius_conf_dir: '/etc/freeradius/{{ freeradius_version }}'
|
||||
|
||||
freeradius_pkgs:
|
||||
- freeradius
|
||||
- freeradius-config
|
||||
|
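Review bot: `freeradius_version: 3.0` is an unquoted float, and the only reason `'/etc/freeradius/{{ freeradius_version }}'` renders correctly is that `3.0` happens to stringify back to "3.0"; a future `3.10` would silently become `/etc/freeradius/3.1`. Quote it as `freeradius_version: '3.0'` so the path component is always a string. `freeradius_install: True` should be the canonical lowercase `true` (yamllint `truthy`), which is also the form the rest of this role's booleans should follow. Which of these lines are new versus context cannot be told from the rendered hunk, so this applies to whichever the commit touched.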
@ -23,3 +26,10 @@ freeradius_local_redis_support: '{{ freeradius_redis_module }}'
|
|||
freeradius_to_be_disabled_modules: []
|
||||
|
||||
freeradius_enabled_modules: []
|
||||
|
||||
freeradius_letsencrypt_managed: True
|
||||
freeradius_pki_directory: /etc/pki/freeradius
|
||||
freeradius_ca_file: /etc/ssl/certs/ca-certificates.crt
|
||||
freeradius_tls_min_version: '1.0'
|
||||
freeradius_tls_max_version: '1.2'
|
||||
|
||||
|
|
|
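Review bot: `freeradius_tls_min_version: '1.0'` ships a role default that permits TLS 1.0 and 1.1, both deprecated by RFC 8996; a default should be the secure setting, with an operator lowering it deliberately only where legacy supplicants require it, so `freeradius_tls_min_version: '1.2'` is the better choice. These variables are presumably consumed by an eap/tls template that is not part of this commit, so confirm the template honours the min/max pair. `freeradius_letsencrypt_managed: True` should be lowercase `true` for consistency. Keeping the version values quoted is correct — unquoted `1.0` would parse as a float.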
@ -0,0 +1,4 @@
|
|||
---
|
||||
- name: restart freeradius
|
||||
service: name=freeradius state=restarted
|
||||
|
|
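Review bot: `service: name=freeradius state=restarted` uses the free-form key=value argument string rather than block YAML; Ansible's recommended style is `service:` with `name: freeradius` and `state: restarted` as nested keys, which ansible-lint (`no-free-form`) checks for and which avoids quoting surprises when a value contains spaces or Jinja. The same applies to every `apt`, `file`, `copy` and `template` task in the two task-file hunks that follow in this commit.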
@ -5,14 +5,17 @@
|
|||
|
||||
- name: Install the additional freeradius packages
|
||||
apt: pkg={{ freeradius_additional_modules }} state=present cache_valid_time=3600
|
||||
notify: restart freeradius
|
||||
|
||||
- name: Install the freeradius memcached module if needed
|
||||
apt: pkg=freeradius-memcached state=present cache_valid_time=3600
|
||||
when: freeradius_memcache_module
|
||||
notify: restart freeradius
|
||||
|
||||
- name: Install the freeradius redis module if needed
|
||||
apt: pkg=freeradius-redis state=present cache_valid_time=3600
|
||||
when: freeradius_redis_module
|
||||
notify: restart freeradius
|
||||
|
||||
tags: freeradius
|
||||
|
||||
|
@ -20,9 +23,49 @@
|
|||
- name: Disable some modules
|
||||
file: dest=/etc/freeradius/3.0/mods-enabled/{{ item }} state=absent
|
||||
with_items: '{{ freeradius_to_be_disabled_modules }}'
|
||||
notify: restart freeradius
|
||||
|
||||
- name: Enable some modules
|
||||
file: src=/etc/freeradius/3.0/mods-available/{{ item }} dest=/etc/freeradius/3.0/mods-enabled/{{ item }} state=link
|
||||
with_items: '{{ freeradius_enabled_modules }}'
|
||||
notify: restart freeradius
|
||||
|
||||
tags: [ 'freeradius', 'freeradius_modules' ]
|
||||
|
||||
- block:
|
||||
- name: Create the freeradius pki directory if it does not yet exist
|
||||
file: dest={{ freeradius_pki_directory }} state=directory owner=root group=freerad mode=0550
|
||||
|
||||
- name: Setup the freeradius private key if it is not in place already
|
||||
copy: remote_src=yes src={{ letsencrypt_acme_certs_dir }}/privkey dest={{ freeradius_pki_directory }} owner=root group=freerad mode=0440
|
||||
|
||||
- name: Create the DH file
|
||||
command: openssl dhparam -out {{ freeradius_pki_directory }}/dh 2048
|
||||
args:
|
||||
creates: '{{ freeradius_pki_directory }}/dh'
|
||||
|
||||
- name: Create the acme hooks directory if it does not yet exist
|
||||
file: dest={{ letsencrypt_acme_services_scripts_dir }} state=directory owner=root group=root
|
||||
|
||||
- name: Install a script that fix the letsencrypt certificate for freeradius and then restarts the service
|
||||
template: src=freeradius-letsencrypt-acme.sh dest={{ letsencrypt_acme_services_scripts_dir }}/freeradius owner=root group=root mode=4555
|
||||
|
||||
when:
|
||||
- freeradius_letsencrypt_managed
|
||||
- letsencrypt_acme_install
|
||||
tags: [ 'freeradius', 'freeradius_letsencrypt', 'letsencrypt' ]
|
||||
|
||||
|
||||
- block:
|
||||
- name: Remove the letsencrypt certificate hook for freeradius
|
||||
file: dest=/usr/lib/acme/hooks/postgresql state=absent
|
||||
|
||||
when:
|
||||
- not freeradius_letsencrypt_managed
|
||||
tags: [ 'freeradius', 'freeradius_letsencrypt', 'letsencrypt' ]
|
||||
|
||||
- block:
|
||||
- name: Ensure that freeradius is started and enabled
|
||||
service: name=freeradius state=started enabled=yes
|
||||
|
||||
tags: freeradius
|
||||
|
|
|
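Review bot: The removal task `file: dest=/usr/lib/acme/hooks/postgresql state=absent` targets the postgresql hook, not the one this role installs, so disabling `freeradius_letsencrypt_managed` would delete another service's hook and leave the freeradius one in place; it should mirror the install task's path, `file: dest={{ letsencrypt_acme_services_scripts_dir }}/freeradius state=absent`. The hook template is installed with `mode=4555`, i.e. setuid root on a world-readable script — the kernel ignores setuid on interpreted scripts, and the hook is presumably invoked by the acme client as root anyway, so `mode=0750` expresses the intent without advertising a privileged binary. The module enable/disable tasks still hardcode `/etc/freeradius/3.0/` although the defaults hunk introduces `freeradius_conf_dir`; using `{{ freeradius_conf_dir }}/mods-enabled/{{ item }}` keeps them in step. The `copy ... remote_src=yes` of `privkey` relies on `letsencrypt_acme_certs_dir` being defined by another role, which the `when` condition on `letsencrypt_acme_install` only partly guards.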
@ -0,0 +1,34 @@
|
|||
#!/bin/bash
|
||||
|
||||
H_NAME=$( hostname -f )
|
||||
LE_SERVICES_SCRIPT_DIR=/usr/lib/acme/hooks
|
||||
LE_CERTS_DIR=/var/lib/acme/live/$H_NAME
|
||||
LE_LOG_DIR=/var/log/letsencrypt
|
||||
FREERADIUS_CERTDIR={{ freeradius_pki_directory }}
|
||||
FREERADIUS_KEYFILE=$FREERADIUS_CERTDIR/privkey
|
||||
DATE=$( date )
|
||||
|
||||
[ ! -d $FREERADIUS_CERTDIR ] && mkdir -p $FREERADIUS_CERTDIR
|
||||
[ ! -d $LE_LOG_DIR ] && mkdir $LE_LOG_DIR
|
||||
echo "$DATE" >> $LE_LOG_DIR/freeradius.log
|
||||
|
||||
if [ -f /etc/default/letsencrypt ] ; then
|
||||
. /etc/default/letsencrypt
|
||||
else
|
||||
echo "No letsencrypt default file" >> $LE_LOG_DIR/freeradius.log
|
||||
fi
|
||||
|
||||
echo "Copy the key file" >> $LE_LOG_DIR/freeradius.log
|
||||
cp ${LE_CERTS_DIR}/privkey ${FREERADIUS_KEYFILE}
|
||||
chmod 440 ${FREERADIUS_KEYFILE}
|
||||
chown root:freerad ${FREERADIUS_KEYFILE}
|
||||
|
||||
echo "Restart the freeradius service" >> $LE_LOG_DIR/freeradius.log
|
||||
if [ -x /bin/systemctl ] ; then
|
||||
systemctl restart freeradius >> $LE_LOG_DIR/freeradius.log 2>&1
|
||||
fi
|
||||
|
||||
echo "Done." >> $LE_LOG_DIR/freeradius.log
|
||||
|
||||
exit 0
|
||||
|
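Review bot: `cp ${LE_CERTS_DIR}/privkey ${FREERADIUS_KEYFILE}` followed by separate `chmod`/`chown` leaves a window in which the freshly created private-key copy has whatever mode the umask grants, and none of the three commands is checked before the service is restarted, so a failed copy is logged as "Done." with the old key left in place. `install -o root -g freerad -m 0440 "${LE_CERTS_DIR}/privkey" "${FREERADIUS_KEYFILE}" || { echo "key copy failed" >> "$LE_LOG_DIR/freeradius.log"; exit 1; }` sets ownership and mode in one step and stops short of the restart on failure. `LE_SERVICES_SCRIPT_DIR` is assigned and never used, and `LE_CERTS_DIR` is hardcoded to `/var/lib/acme/live/$H_NAME` while the Ansible task copies from `{{ letsencrypt_acme_certs_dir }}` — since this file is already a template, rendering the same variable here keeps the two paths from drifting. Variable expansions throughout are unquoted; `"$LE_LOG_DIR"` and friends are the safer idiom even when the values are expected to be plain paths.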