infra/roles/radius/tasks/main.yml


---
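- name: Install radius server
  # state=present instead of latest: a configuration run must not silently
  # pull in unreviewed package upgrades (and restart the daemon under live
  # clients).  Patching belongs in a dedicated upgrade play.  Passing the
  # list to `name` lets apt resolve both packages in one transaction.
  apt:
    name:
      - freeradius
      - freeradius-ldap
    state: present
  tags: radius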
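- name: Create configuration directories
  # The tree holds the server's private key (certs/srv.key) and clients.conf,
  # which carries the RADIUS shared secrets.  Without an explicit mode the
  # directories get whatever the remote umask gives (usually 0755); 0750 keeps
  # them to root and the freerad service account.  Ownership is unchanged.
  file:
    path: "{{ item }}"
    state: directory
    owner: freerad
    group: freerad
    mode: "0750"
  tags: radius
  with_items:
    - /etc/raddb
    - /etc/raddb/certs
    - /etc/raddb/modules
    - /etc/raddb/sites-enabled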
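- name: Ensure certificates are available
  # Self-signed server certificate (CN only, no SAN, no chain).  Run under
  # umask 077 so the private key is never world-readable in the window
  # before the permissions task below tightens it; the public cert is then
  # opened back up so the freerad user can read it.
  # Caveats: `creates` only checks srv.crt, so an expired certificate is NOT
  # regenerated -- rotation has to be handled separately (730-day validity).
  # Supplicants must be provisioned with this exact cert, otherwise they
  # cannot tell this server from a rogue one presenting any other cert.
  shell: >-
    umask 077 &&
    openssl req -x509 -nodes -newkey rsa:2048
    -keyout /etc/raddb/certs/srv.key -out /etc/raddb/certs/srv.crt
    -days 730 -subj "/CN={{ ansible_fqdn }}" &&
    chmod 0644 /etc/raddb/certs/srv.crt
  args:
    creates: /etc/raddb/certs/srv.crt
  tags: radius
  notify: Restart freeradius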
- name: Ensure correct certificate permissions
  # Only the service account may read the private key: owner-read, no group
  # or other bits.  Group ownership is deliberately left as is; srv.crt is
  # public and not touched here.
  file:
    path: /etc/raddb/certs/srv.key
    owner: freerad
    mode: "0400"
  tags: radius
  notify: Restart freeradius
- name: Create DH parameters
  # 2048-bit DH group next to the server certificate (presumably referenced
  # from eap.conf -- not visible here).  Generation is CPU-bound and can take
  # minutes; `creates` turns it into a one-shot.
  command: openssl dhparam -outform PEM -out /etc/raddb/certs/dh 2048
  args:
    creates: /etc/raddb/certs/dh
  tags: radius
  notify: Restart freeradius
- name: Set radiusd options
  # Daemon start-up options; /etc/default/* is conventionally sourced by the
  # init script.  Any change restarts the server through the handler.
  copy:
    src: default/freeradius
    dest: /etc/default/freeradius
  tags: radius
  notify: Restart freeradius
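- name: Configure radius server
  # Ship the raddb tree.  clients.conf holds the RADIUS shared secrets and
  # modules/ldap typically holds the LDAP bind credentials, so the files must
  # not be world-readable: without an explicit mode `copy` falls back to the
  # remote umask (usually 0644).  0640 gives root write, freerad read, others
  # nothing.  The duplicate modules/pap entry from the original list is gone.
  copy:
    src: "{{ item }}"
    dest: "/etc/{{ item }}"
    owner: root
    group: freerad
    mode: "0640"
  tags: radius
  notify: Restart freeradius
  with_items:
    - raddb/acct_users
    - raddb/attrs
    - raddb/attrs.access_challenge
    - raddb/attrs.access_reject
    - raddb/attrs.accounting_response
    - raddb/attrs.pre-proxy
    - raddb/clients.conf
    - raddb/dictionary
    - raddb/eap.conf
    - raddb/hints
    - raddb/huntgroups
    - raddb/ldap.attrmap
    - raddb/policy.conf
    - raddb/proxy.conf
    - raddb/radiusd.conf
    - raddb/preproxy_users
    - raddb/users
    - raddb/modules/acct_unique
    - raddb/modules/attr_filter
    - raddb/modules/chap
    - raddb/modules/detail
    - raddb/modules/digest
    - raddb/modules/exec
    - raddb/modules/expr
    - raddb/modules/expiration
    - raddb/modules/files
    - raddb/modules/ldap
    - raddb/modules/logintime
    - raddb/modules/mschap
    - raddb/modules/pap
    - raddb/modules/preprocess
    - raddb/modules/radutmp
    - raddb/modules/realm
    - raddb/modules/unix
    - raddb/sites-enabled/control-socket
    - raddb/sites-enabled/default
    - raddb/sites-enabled/inner-tunnel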
- name: Start the radius server
  # Bring the daemon up now and make it start on boot.
  service:
    name: freeradius
    state: started
    enabled: true
  tags: radius