From a1c90272b5da024ba25ec3c3ef53048995fa9cba Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch"
Date: Thu, 19 Sep 2019 19:22:17 -0500
Subject: [PATCH] roles/freeradius: Set dhparam permissions

The `dhparam` file used by FreeRadius needs to be readable by the *radiusd* group.
---
 roles/freeradius/tasks/main.yml | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/roles/freeradius/tasks/main.yml b/roles/freeradius/tasks/main.yml
index ec78671..d6eab4f 100644
--- a/roles/freeradius/tasks/main.yml
+++ b/roles/freeradius/tasks/main.yml
@@ -70,6 +70,12 @@
 command: openssl dhparam -out /etc/raddb/certs/dhparam {{ radiusd_dhparm_size }} creates=/etc/raddb/certs/dhparam
+- name: ensure dh parameters file permissions are correct
+ file:
+ path=/etc/raddb/certs/dhparam
+ mode=0640
+ owner=root
+ group=radiusd
 - name: ensure example certificates are removed
 command: rm -vf