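---
# Tasks for installing and hardening a FreeRADIUS server.
- name: load radius secrets
  include_vars: vault/radius
  # include_vars returns the loaded variables in its result (ansible_facts),
  # so they would be printed under -v; keep the vault contents out of logs.
  no_log: true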
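- name: ensure freeradius is installed
  # native block YAML instead of key=value module args (Ansible convention)
  package:
    name: freeradius
    state: present
  tags:
    - install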
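- name: ensure freeradius is configured
  template:
    src: radiusd.conf.j2
    dest: /etc/raddb/radiusd.conf
    # quoted: a bare 0640 would be read as the octal integer 420 by YAML
    mode: "0640"
    owner: root
    group: radiusd
  notify: restart radiusd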
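- name: ensure freeradius default site is configured
  template:
    src: default.site.radiusd.conf.j2
    dest: /etc/raddb/sites-available/default
    # quoted: a bare 0640 would be read as the octal integer 420 by YAML
    mode: "0640"
    owner: root
    group: radiusd
  notify: restart radiusd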
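- name: ensure freeradius eap module is configured
  template:
    src: eap.mod.radiusd.conf.j2
    dest: /etc/raddb/mods-available/eap
    # root:radiusd 0640 — readable by the daemon only (the EAP config
    # presumably references the server key material; confirm in the template)
    mode: "0640"
    owner: root
    group: radiusd
  notify: restart radiusd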
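- name: ensure unused modules are disabled
  # file/state=absent replaces the Jinja-built `rm -vf` command: it is
  # idempotent per entry, does not fail (or index [-1]) on an empty list,
  # and never splits an entry on whitespace the way command: argument
  # parsing would.
  file:
    path: "/etc/raddb/mods-enabled/{{ item }}"
    state: absent
  with_items: "{{ radiusd_disable_modules }}"
  notify: restart radiusd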
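- name: ensure unused sites are disabled
  # file/state=absent replaces the Jinja-built `rm -vf` command: it is
  # idempotent per entry, does not fail (or index [-1]) on an empty list,
  # and never splits an entry on whitespace the way command: argument
  # parsing would.
  file:
    path: "/etc/raddb/sites-enabled/{{ item }}"
    state: absent
  with_items: "{{ radiusd_disable_sites }}"
  notify: restart radiusd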
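- name: ensure server certificate is installed
  copy:
    src: "{{ item }}"
    dest: "/etc/raddb/certs/{{ item | basename }}"
    # the glob presumably matches the private key as well, so the files
    # must stay readable by root and the radiusd group only
    mode: "0640"
    owner: root
    group: radiusd
  with_fileglob: "certs/{{ inventory_hostname }}/server.*"
  # restart so a rotated certificate/key is actually picked up
  notify: restart radiusd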
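- name: ensure client ca certificate is installed
  copy:
    src: "certs/{{ inventory_hostname }}/ca.crt"
    dest: /etc/raddb/certs/ca.crt
    mode: "0640"
    owner: root
    group: radiusd
  # restart so a changed client CA takes effect
  notify: restart radiusd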
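- name: ensure dh paramaters are generated
  # runs once; `creates` skips the (slow) generation when the file exists.
  # radiusd_dhparm_size should be 2048 or larger — smaller groups are weak.
  command: "openssl dhparam -out /etc/raddb/certs/dhparam {{ radiusd_dhparm_size }}"
  args:
    creates: /etc/raddb/certs/dhparam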
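- name: ensure dh parameters file permissions are correct
  # openssl creates the file with the process umask; tighten it afterwards
  file:
    path: /etc/raddb/certs/dhparam
    mode: "0640"
    owner: root
    group: radiusd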
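- name: ensure example certificates are removed
  # the packaged example certificates (whose keys are public) must not stay
  # on a production server. file/state=absent replaces the Jinja-built
  # `rm -vf` command: idempotent per entry and safe with an empty list.
  file:
    path: "/etc/raddb/certs/{{ item }}"
    state: absent
  with_items: "{{ radiusd_example_cert_files }}"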
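- name: ensure freeradius clients are configured
  template:
    src: clients.conf.j2
    dest: /etc/raddb/clients.conf
    # clients.conf holds the per-client shared secrets: root:radiusd 0640
    mode: "0640"
    owner: root
    group: radiusd
  notify: restart radiusd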
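- name: ensure freeradius starts at boot
  service:
    name: radiusd
    # true/false instead of yes/no (YAML 1.1 truthy values)
    enabled: true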
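- name: ensure freeradius is running
  service:
    name: radiusd
    state: started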
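- name: ensure radius is allowed in the firewall
  # runtime-only change applied immediately; the notified handler
  # presumably persists it (it is not defined in this file)
  firewalld:
    service: radius
    permanent: false
    immediate: true
    state: enabled
  notify: save firewalld configuration
  tags:
    - firewalld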