diff --git a/group_vars/kitchen b/group_vars/kitchen index cf08144..ea56987 100644 --- a/group_vars/kitchen +++ b/group_vars/kitchen @@ -11,3 +11,5 @@ name_servers: ntp_servers: - 172.23.1.60 - 172.23.2.3 + +radius_cn: radius.binary.kitchen diff --git a/host_vars/aveta.binary.kitchen b/host_vars/aveta.binary.kitchen index 9c4caff..ded3e7e 100644 --- a/host_vars/aveta.binary.kitchen +++ b/host_vars/aveta.binary.kitchen @@ -1,4 +1,6 @@ --- +radius_hostname: radius2.binary.kitchen + slapd_hostname: ldap2.binary.kitchen slapd_role: slave diff --git a/host_vars/bacon.binary.kitchen b/host_vars/bacon.binary.kitchen index a10e7db..1de01b2 100644 --- a/host_vars/bacon.binary.kitchen +++ b/host_vars/bacon.binary.kitchen @@ -8,5 +8,7 @@ ntp_servers: ntp_peers: - 172.23.1.60 +radius_hostname: radius1.binary.kitchen + slapd_hostname: ldap1.binary.kitchen slapd_role: slave diff --git a/roles/radius/files/mods-available/eap b/roles/radius/files/mods-available/eap index 4ab7a3f..aa892be 100644 --- a/roles/radius/files/mods-available/eap +++ b/roles/radius/files/mods-available/eap @@ -79,7 +79,7 @@ eap { group = 19 # - server_id = radius@radius1.binary.kitchen + server_id = radius@radius.binary.kitchen # This has the same meaning as for TLS. fragment_size = 1020 diff --git a/roles/radius/handlers/main.yml b/roles/radius/handlers/main.yml index 67a1019..9206ceb 100644 --- a/roles/radius/handlers/main.yml +++ b/roles/radius/handlers/main.yml @@ -1,4 +1,7 @@ --- +- name: Run acertmgr + command: /opt/acertmgr/acertmgr.py + - name: Restart freeradius service: name=freeradius state=restarted diff --git a/roles/radius/meta/main.yml b/roles/radius/meta/main.yml new file mode 100644 index 0000000..a456842 --- /dev/null +++ b/roles/radius/meta/main.yml @@ -0,0 +1,4 @@ +--- + +dependencies: +- { role: acertmgr } diff --git a/roles/radius/tasks/main.yml b/roles/radius/tasks/main.yml index 6e20ed0..61b430c 100644 --- a/roles/radius/tasks/main.yml +++ b/roles/radius/tasks/main.yml 
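Review bot: The new `Run acertmgr` handler in roles/radius/handlers/main.yml is missing a comment explaining why it does not chain to `Restart freeradius`: the restart is performed by the `action:` hooks in certs.j2 only when acertmgr actually writes a new key or certificate, so notifying the restart handler here would be redundant. Something like `# acertmgr restarts freeradius itself via the action hooks in /etc/acme/domains.d; do not notify Restart freeradius from here` above the handler would spare the next maintainer from adding it. Note also that as a bare `command` task it reports changed on every notification and a failed issuance (DNS update or validation error) aborts the play at handler time with nothing pointing at the domain config that triggered it; a `register`/`changed_when` pair is worth adding once acertmgr's output format is known.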
@@ -11,6 +11,17 @@ file: path=/etc/freeradius/3.0/certs/srv.key owner=freerad mode=0400 notify: Restart freeradius +- name: Request nsupdate key for certificate + include_role: name=acme-dnskey-generate + vars: + acme_dnskey_san_domains: + - "{{ radius_hostname }}" + - "{{ radius_cn }}" + +- name: Configure certificate manager for radius + template: src=certs.j2 dest=/etc/acme/domains.d/{{ radius_hostname }}.conf + notify: Run acertmgr + - name: Create DH parameters command: openssl dhparam -outform PEM -out {{ item }} 2048 creates={{ item }} with_items: diff --git a/roles/radius/templates/certs.j2 b/roles/radius/templates/certs.j2 new file mode 100644 index 0000000..56bba69 --- /dev/null +++ b/roles/radius/templates/certs.j2 @@ -0,0 +1,18 @@ +--- + +{{ radius_cn }} {{ radius_hostname }}: +- mode: dns.nsupdate + nsupdate_server: {{ acme_dnskey_server }} + nsupdate_keyfile: {{ acme_dnskey_file }} +- path: /etc/freeradius/3.0/certs/srv.key + user: freerad + group: freerad + perm: '400' + format: key + action: '/usr/sbin/service freeradius restart' +- path: /etc/freeradius/3.0/certs/srv.crt + user: freerad + group: freerad + perm: '400' + format: crt,ca + action: '/usr/sbin/service freeradius restart'
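Review bot: The `file` task on srv.key just above the insertion point (it starts before this hunk) now conflicts with handing that file to acertmgr: the `file` module with its default state fails when the path does not exist, and on a host where acertmgr has never run, which in this role only happens from a handler at the end of the play, srv.key will not exist yet unless a task further up still deploys an initial key. Since certs.j2 already sets `user`/`group`/`perm` for both files, that `file` task can be dropped, or the certificate-manager tasks moved ahead of it with a `meta: flush_handlers` so the first issuance happens before the key is referenced. The new `template` task should also pin ownership of the acertmgr config, because that file decides which paths get written and which command runs on renewal: `template: src=certs.j2 dest=/etc/acme/domains.d/{{ radius_hostname }}.conf owner=root group=root mode=0644`.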
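Review bot: roles/radius/templates/certs.j2 has no header comment, and nothing in the file tells a maintainer that it is acertmgr's per-domain config written by the radius role; a leading Jinja comment such as `{# acertmgr domains.d entry for this host's RADIUS certificate; written by roles/radius, re-run via the Run acertmgr handler #}` would not render into the output and would say so. Both RADIUS hosts request the shared name `{{ radius_cn }}` with their own nsupdate key, so if renewals on the two hosts overlap they would both be updating the same DNS-01 challenge record for that name and could clobber each other's TXT entry — presumably acertmgr's scheduling or the DNS key scope avoids that, but it is worth confirming. The `action` entries also appear to restart freeradius once per written file, so a renewal would produce two back-to-back restarts; if acertmgr writes the key before the certificate, hooking the restart on the certificate entry alone would be enough.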