forked from infra/ansible
raduis: use LE certificate via dns
This commit is contained in:
parent
d1a3fb6902
commit
50cab2429d
@ -11,3 +11,5 @@ name_servers:
|
||||
ntp_servers:
|
||||
- 172.23.1.60
|
||||
- 172.23.2.3
|
||||
|
||||
radius_cn: radius.binary.kitchen
|
||||
|
@ -1,4 +1,6 @@
|
||||
---
|
||||
|
||||
radius_hostname: radius2.binary.kitchen
|
||||
|
||||
slapd_hostname: ldap2.binary.kitchen
|
||||
slapd_role: slave
|
||||
|
@ -8,5 +8,7 @@ ntp_servers:
|
||||
ntp_peers:
|
||||
- 172.23.1.60
|
||||
|
||||
radius_hostname: radius1.binary.kitchen
|
||||
|
||||
slapd_hostname: ldap1.binary.kitchen
|
||||
slapd_role: slave
|
||||
|
@ -79,7 +79,7 @@ eap {
|
||||
group = 19
|
||||
|
||||
#
|
||||
server_id = radius@radius1.binary.kitchen
|
||||
server_id = radius@radius.binary.kitchen
|
||||
|
||||
# This has the same meaning as for TLS.
|
||||
fragment_size = 1020
|
||||
|
@ -1,4 +1,7 @@
|
||||
---
|
||||
|
||||
- name: Run acertmgr
|
||||
command: /opt/acertmgr/acertmgr.py
|
||||
|
||||
- name: Restart freeradius
|
||||
service: name=freeradius state=restarted
|
||||
|
4
roles/radius/meta/main.yml
Normal file
4
roles/radius/meta/main.yml
Normal file
@ -0,0 +1,4 @@
|
||||
---
|
||||
|
||||
dependencies:
|
||||
- { role: acertmgr }
|
@ -11,6 +11,17 @@
|
||||
file: path=/etc/freeradius/3.0/certs/srv.key owner=freerad mode=0400
|
||||
notify: Restart freeradius
|
||||
|
||||
- name: Request nsupdate key for certificate
|
||||
include_role: name=acme-dnskey-generate
|
||||
vars:
|
||||
acme_dnskey_san_domains:
|
||||
- "{{ radius_hostname }}"
|
||||
- "{{ radius_cn }}"
|
||||
|
||||
- name: Configure certificate manager for radius
|
||||
template: src=certs.j2 dest=/etc/acme/domains.d/{{ radius_hostname }}.conf
|
||||
notify: Run acertmgr
|
||||
|
||||
- name: Create DH parameters
|
||||
command: openssl dhparam -outform PEM -out {{ item }} 2048 creates={{ item }}
|
||||
with_items:
|
||||
|
18
roles/radius/templates/certs.j2
Normal file
18
roles/radius/templates/certs.j2
Normal file
@ -0,0 +1,18 @@
|
||||
---
|
||||
|
||||
{{ radius_cn }} {{ radius_hostname }}:
|
||||
- mode: dns.nsupdate
|
||||
nsupdate_server: {{ acme_dnskey_server }}
|
||||
nsupdate_keyfile: {{ acme_dnskey_file }}
|
||||
- path: /etc/freeradius/3.0/certs/srv.key
|
||||
user: freerad
|
||||
group: freerad
|
||||
perm: '400'
|
||||
format: key
|
||||
action: '/usr/sbin/service freeradius restart'
|
||||
- path: /etc/freeradius/3.0/certs/srv.crt
|
||||
user: freerad
|
||||
group: freerad
|
||||
perm: '400'
|
||||
format: crt,ca
|
||||
action: '/usr/sbin/service freeradius restart'
|
Loading…
Reference in New Issue
Block a user