aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorGravatar Jonas Gunz <himself@jonasgunz.de> 2022-07-19 00:29:05 +0200
committerGravatar Jonas Gunz <himself@jonasgunz.de> 2022-07-19 00:29:05 +0200
commit216bc43ef7a270925ac597806c06030354ba9149 (patch)
treefa0c6f50f5797b70debd4955599430c9e29a70a3
parentff374a7a4fe2191e494e75d02e3307efa23f4168 (diff)
downloadansible_collection-216bc43ef7a270925ac597806c06030354ba9149.tar.gz
freeradius
-rw-r--r--galaxy.yml2
-rw-r--r--roles/freeradius/README.md23
-rw-r--r--roles/freeradius/defaults/main.yml17
-rw-r--r--roles/freeradius/handlers/main.yml6
-rw-r--r--roles/freeradius/tasks/main.yml58
-rw-r--r--roles/freeradius/templates/clients.conf.j29
-rw-r--r--roles/freeradius/templates/ldap.j220
7 files changed, 134 insertions, 1 deletions
diff --git a/galaxy.yml b/galaxy.yml
index 3f8eb5f..d7a0865 100644
--- a/galaxy.yml
+++ b/galaxy.yml
@@ -1,6 +1,6 @@
namespace: kompetenzbolzen
name: stuff
-version: 0.14.1
+version: 0.15.0
readme: README.md
authors:
- Jonas Gunz <himself@jonasgunz.de>
diff --git a/roles/freeradius/README.md b/roles/freeradius/README.md
new file mode 100644
index 0000000..8b67265
--- /dev/null
+++ b/roles/freeradius/README.md
@@ -0,0 +1,23 @@
+# freeradius
+
+freeradius with LDAP backend
+
+```yaml
+---
+radius:
+ ldap:
+ server: 'ldap://ldap.example.com'
+ bind_user: 'uid=user,dc=example,dc=com'
+ bind_pwd: 'Password'
+ user_base: 'ou=users,dc=example,dc=com'
+ user_filter: '(uid=%{User-Name})'
+ clients:
+ - name: example
+ ip: '1.1.1.1'
+ secret: 'supersecret'
+ cert:
+ privkey: '/etc/ssl/private/ssl-cert-snakeoil.key'
+ cert: '/etc/ssl/certs/ssl-cert-snakeoil.pem'
+ ca: '/etc/ssl/certs/ca-certificates.crt'
+
+```
diff --git a/roles/freeradius/defaults/main.yml b/roles/freeradius/defaults/main.yml
new file mode 100644
index 0000000..cc5dab5
--- /dev/null
+++ b/roles/freeradius/defaults/main.yml
@@ -0,0 +1,17 @@
+---
+radius:
+ ldap:
+ server: 'ldap://ldap.example.com'
+ bind_user: 'uid=user,dc=example,dc=com'
+ bind_pwd: 'Password'
+ user_base: 'ou=users,dc=example,dc=com'
+ user_filter: '(uid=%{User-Name})'
+ clients:
+ - name: asdfasdf
+ ip: '1.1.1.1'
+ secret: 'supersecret'
+ cert:
+ privkey: '/etc/ssl/private/ssl-cert-snakeoil.key'
+ cert: '/etc/ssl/certs/ssl-cert-snakeoil.pem'
+ ca: '/etc/ssl/certs/ca-certificates.crt'
+
diff --git a/roles/freeradius/handlers/main.yml b/roles/freeradius/handlers/main.yml
new file mode 100644
index 0000000..3a1e909
--- /dev/null
+++ b/roles/freeradius/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+- name: freeradius
+ systemd:
+ name: freeradius
+ state: restarted
+ become: yes
diff --git a/roles/freeradius/tasks/main.yml b/roles/freeradius/tasks/main.yml
new file mode 100644
index 0000000..0144a25
--- /dev/null
+++ b/roles/freeradius/tasks/main.yml
@@ -0,0 +1,58 @@
+---
+- name: Install packages
+ apt:
+ name:
+ - freeradius
+ - freeradius-ldap
+ become: yes
+
+- name: Install config
+ template:
+ src: ldap.j2
+ dest: /etc/freeradius/3.0/mods-available/ldap
+ become: yes
+ notify: freeradius
+
+- name: Install clients
+ template:
+ src: clients.conf.j2
+ dest: /etc/freeradius/3.0/clients.ansible.conf
+ become: yes
+ notify: freeradius
+
+- name: Clients
+ lineinfile:
+ path: /etc/freeradius/3.0/radiusd.conf
+ search_string: '$INCLUDE clients.ansible.conf'
+ line: '$INCLUDE clients.ansible.conf'
+ insertafter: '$INCLUDE clients.conf'
+ become: yes
+ notify: freeradius
+
+- name: Enable LDAP Authentication
+ file:
+ src: '/etc/freeradius/3.0/mods-available/ldap'
+ dest: '/etc/freeradius/3.0/mods-enabled/ldap'
+ state: 'link'
+ become: yes
+ notify: freeradius
+
+- name: Set EAP Certificate
+ lineinfile:
+ path: /etc/freeradius/3.0/mods-available/eap
+ search_string: '{{ item["s"] }}'
+ line: '{{ item["l"] }}'
+ insertafter: 'tls-config tls-common'
+ become: yes
+ notify: freeradius
+ loop:
+ - s: 'private_key_password'
+ l: '# private_key_password = notset'
+ - s: 'private_key_file ='
+ l: 'private_key_file = {{ radius.cert.privkey }}'
+ - s: 'certificate_file ='
+ l: 'certificate_file = {{ radius.cert.cert }}'
+ - s: 'ca_file ='
+ l: 'ca_file = {{ radius.cert.ca }}'
+ - s: 'check_crl ='
+ l: 'check_crl = no'
diff --git a/roles/freeradius/templates/clients.conf.j2 b/roles/freeradius/templates/clients.conf.j2
new file mode 100644
index 0000000..edd03d3
--- /dev/null
+++ b/roles/freeradius/templates/clients.conf.j2
@@ -0,0 +1,9 @@
+# vi: ft=conf
+
+{% for item in radius.clients %}
+client {{ item.name }} {
+ ipaddr = {{ item.ip }}
+ secret = {{ item.secret }}
+}
+
+{% endfor %}
diff --git a/roles/freeradius/templates/ldap.j2 b/roles/freeradius/templates/ldap.j2
new file mode 100644
index 0000000..d7e10da
--- /dev/null
+++ b/roles/freeradius/templates/ldap.j2
@@ -0,0 +1,20 @@
+# vi: ft=conf
+# This file is managed by Ansible. Manual changes will be reverted.
+
+ldap {
+ server = "{{ radius.ldap.server }}"
+ identity = "{{ radius.ldap.bind_user }}"
+ password = "{{ radius.ldap.bind_pwd }}"
+ user {
+ base_dn = "{{ radius.ldap.user_base }}"
+ filter = "{{ radius.ldap.user_filter }}"
+ }
+ sasl {
+ # This block needs to exist, but can be empty.
+ # SASL mechanism
+ #mech = 'PLAIN'
+ }
+ update {
+ control:Password-With-Header += 'userPassword'
+ }
+}