From 0e396ce23b971d059504c3ff853cd8564ba4eb46 Mon Sep 17 00:00:00 2001
From: shirenn <shirenn@crans.org>
Date: Wed, 19 May 2021 14:31:15 +0200
Subject: [PATCH] [radius] update

---
 group_vars/firewall.yml                       | 16 ++++
 group_vars/radius.yml                         | 23 +++++-
 host_vars/routeur-gulp.cachan-adm.crans.org   | 81 -------------------
 .../radius.yml                                | 23 ++++++
 plays/dns-recursive.yml                       |  6 ++
 plays/freeradius.yml                          | 11 ++-
 roles/freeradius/tasks/main.yml               |  2 +-
 .../templates/freeradius/3.0/clients.conf.j2  | 15 ++++
 .../freeradius/3.0/mods-enabled/eap.j2        | 20 ++---
 9 files changed, 101 insertions(+), 96 deletions(-)
 create mode 100644 group_vars/firewall.yml
 delete mode 100644 host_vars/routeur-gulp.cachan-adm.crans.org
 create mode 100644 host_vars/routeur-gulp.cachan-adm.crans.org/radius.yml
 create mode 100755 plays/dns-recursive.yml

diff --git a/group_vars/firewall.yml b/group_vars/firewall.yml
new file mode 100644
index 00000000..483ade3a
--- /dev/null
+++ b/group_vars/firewall.yml
@@ -0,0 +1,16 @@
+glob_service_firewall:
+  re2o:
+    hostname: "{{ query('ldap', 'ip', 're2o', 'adm') | ipv4 | first }}"
+    user: services
+    password: "{{ vault.re2o_service_password }}"
+  name: firewall
+  install_dir: /var/local/services/firewall
+  frequency: "*/2 * * * *"
+  options: -q
+  dependencies:
+    - python3-iso8601
+    - python3-jinja2
+    - python3-ldap
+  git:
+    remote: https://gitlab.adm.crans.org/nounous/firewall.git
+    version: cachan
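Review bot: The new file has no `---` document-start marker, unlike the other YAML files touched by this patch (`host_vars/routeur-gulp.cachan-adm.crans.org/radius.yml`, both plays), so yamllint's `document-start` rule flags it; add `---` as the first line. `options: -q` parses as the plain string `-q` today, but a leading `-` is a sequence indicator the moment a space follows it, so quoting it as `options: '-q'` makes the intent explicit.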
diff --git a/group_vars/radius.yml b/group_vars/radius.yml
index 2ea7d95d..b77f214b 100644
--- a/group_vars/radius.yml
+++ b/group_vars/radius.yml
@@ -4,5 +4,24 @@ glob_freeradius:
   proxy_to: FEDEREZ
   infra_switch: "172.16.33.0/24"
   infra_bornes: "172.16.34.0/24"
-  secret_switch: "ploptotoswitch"
-  secret_bornes: "ploptotobornes"
+  secret_switch: "{{ vault.radius_secret.switch }}"
+  secret_bornes: "ploptotobornes"  # "{{ vault.radius_secret.bornes }}"
+  delegations:
+    - name: parangon
+      ipv4: 185.230.78.47
+      ipv6: 2a0c:700:12:0:67:e5ff:fee9:5
+      secret: '{{ vault.radius_secret.federez }}'
+      server: radius-wifi
+    - name: dodecagon
+      ipv4: 195.154.165.76
+      ipv6: 2001:bc8:273e::1
+      secret: '{{ vault.radius_secret.federez }}'
+      server: radius-wifi
+      
+loc_certbot:
+  - dns_rfc2136_server: '172.16.10.147'
+    dns_rfc2136_name: certbot_challenge.
+    dns_rfc2136_secret: "{{ vault.certbot_dns_secret }}"
+    mail: root@crans.org
+    certname: crans.org
+    domains: "crans.org"
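Review bot: `secret_bornes: "ploptotobornes"` keeps the access-point RADIUS shared secret as a literal in a committed group_vars file, while the vault lookup is only parked in the trailing comment; `secret_switch` on the line above was moved to `vault.radius_secret.switch` in this same hunk, so the two are now handled inconsistently and the bornes secret stays readable to anyone with repository access. Assuming the vault entry the comment names exists, change it to `secret_bornes: "{{ vault.radius_secret.bornes }}"` and rotate the value on the APs, since the old one remains in history. The line between the last delegation and `loc_certbot` contains only spaces (`+      `); make it a genuinely empty line so yamllint's trailing-spaces check passes. `delegations[].secret` and `dns_rfc2136_secret` already follow the vault pattern, which is the one to keep.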
diff --git a/host_vars/routeur-gulp.cachan-adm.crans.org b/host_vars/routeur-gulp.cachan-adm.crans.org
deleted file mode 100644
index cdb94c52..00000000
--- a/host_vars/routeur-gulp.cachan-adm.crans.org
+++ /dev/null
@@ -1,81 +0,0 @@
----
-loc_home_nounou:
-  ip: 172.17.10.9
-  mountpoint: /rpool/home
-
-loc_ldap:
-  servers:
-    - 172.17.10.9
-  base: 'dc=crans,dc=org'
-
-glob_ntp_client:
-  servers:
-    - terenez.cachan-adm.crans.org
-
-debian_mirror: http://172.17.10.202/debian
-
-interfaces:
-  cachan-adh: "ens22"
-
-loc_dhcp:
-  authoritative: True
-  global_options:
-    - { key: "interface-mtu", value: "1500" }
-  global_parameters: []
-  subnets:
-    - network: "185.230.76.0/26"
-      deny_unknown: True
-      vlan: "cachan-adh"
-      default_lease_time: "600"
-      max_lease_time: "7200"
-      routers: "185.230.76.62"
-      dns: ["185.230.76.62"]
-      domain_name: "adh.crans.org"
-      domain_search: "adh.crans.org"
-      options: []
-      lease_file: "/var/local/services/dhcp/generated/dhcp.cachan-adh.crans.org.list"
-#    - network: 100.65.0.0/16
-#      vlan: "federez"
-#      default_lease_time: "600"
-#      max_lease_time: "7200"
-#      routers: "100.65.0.99"
-#      dns: ["100.65.0.99"]
-#      domain_name: "federez.net"
-#      domain_search: "federez.net"
-#      ranges:
-#        - min: 100.65.1.0
-#          max: 100.65.255.254
-#      options: []
-
-loc_service_dhcp:
-  re2o:
-    hostname: "{{ query('ldap', 'ip', 're2o', 'adm') | ipv4 | first }}"
-    user: services
-    password: "{{ vault.re2o_service_password }}"
-  name: dhcp
-  install_dir: /var/local/services/dhcp
-  generated: yes
-  frequency: "*/2 * * * *"
-  options: -q
-  dependencies:
-    - python3-jinja2
-  git:
-    remote: https://gitlab.adm.crans.org/nounous/dhcp.git
-    version: cachan
-  config:
-    subnets:
-      cachan-adh.crans.org: 185.230.76.0/26
-
-glob_radvd:
-  subnets:
-    - name: cachan-adh
-      prefix: 2a0c:700:3012::/64
-      dnssl: adh.crans.org
-      dns:
-        - "{{ query('ldap', 'ip', 'routeur-gulp', 'cachan-adh') | ipv6 | first }}"
-#    - name: federez
-#      prefix: 2a0c:700:254::/64
-#      dnssl: federez.net
-#      dns:
-#        - 2a0c:700:254::ff:fe00:99fe
-
diff --git a/host_vars/routeur-gulp.cachan-adm.crans.org/radius.yml b/host_vars/routeur-gulp.cachan-adm.crans.org/radius.yml
new file mode 100644
index 00000000..17e0093f
--- /dev/null
+++ b/host_vars/routeur-gulp.cachan-adm.crans.org/radius.yml
@@ -0,0 +1,23 @@
+---
+loc_re2o:
+  owner: freerad
+  group: _nounou
+  version: master_freeradius_python3
+  settings_local_owner: freerad
+  settings_local_group: _nounou
+
+  django_secret_key: "{{ vault.re2o_django_secret_key }}"
+  aes_key: "{{ vault.re2o_aes_key }}"
+  admins:
+    - ('Root', 'root@crans.org')
+  allowed_hosts:
+    - 're2o.cachan-adm.crans.org'
+    - 'intranet.cachan-adm.crans.org'
+  from_email: "root@crans.org"
+  ldap:
+    master_password: "{{ vault.ldap_master_password }}"
+    uri: "ldap://re2o-ldap.cachan-adm.crans.org/"
+    dn: "cn=admin,dc=crans,dc=org"
+  database:
+      password: "{{ vault.re2o_db_password }}"
+      uri: "gulp.cachan-adm.crans.org"
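Review bot: The `database:` mapping at the end of the file is indented four spaces (`      password:` / `      uri:`) while every other nested mapping uses two; it parses, but yamllint's `indentation` rule rejects the mixed style, so re-indent both lines to `    password:` and `    uri:`. The `admins` entry `('Root', 'root@crans.org')` is a plain scalar that presumably gets rendered verbatim into a Python settings file by the re2o role; if so, quoting it as `"('Root', 'root@crans.org')"` documents that it is a string fragment, not structured data — confirm against the template that consumes `loc_re2o.admins`.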
diff --git a/plays/dns-recursive.yml b/plays/dns-recursive.yml
new file mode 100755
index 00000000..fdb08317
--- /dev/null
+++ b/plays/dns-recursive.yml
@@ -0,0 +1,6 @@
+#!/usr/bin/env ansible-playbook
+---
+# Deploy recursive DNS cache server
+- hosts: dns_recursive
+  roles:
+    - bind-recursive
diff --git a/plays/freeradius.yml b/plays/freeradius.yml
index f356fe49..404a5392 100755
--- a/plays/freeradius.yml
+++ b/plays/freeradius.yml
@@ -1,11 +1,18 @@
 #!/usr/bin/env ansible-playbook
 ---
+# Deploy re2o
+#- hosts: re2o
+#  vars:
+#    re2o: "{{ glob_re2o | default({}) | combine(loc_re2o | default({})) }}"
+#  roles:
+#    - re2o
+
 # Deploy radius server
 - hosts: radius
   vars:
     certbot: '{{ loc_certbot | default(glob_certbot | default([])) }}'
     freeradius: '{{ glob_freeradius | default({}) | combine(loc_freeradius | default({})) }}'
-    mirror: '{{ glob_mirror.name }}'
+    mirror: '{{ glob_mirror | default({}) | combine(loc_mirror | default({})) }}'
   roles:
-    - certbot
+#    - certbot
     - freeradius
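Review bot: The `certbot` role is commented out (`#    - certbot`) while the play still computes `certbot: '{{ loc_certbot | default(glob_certbot | default([])) }}'` and `group_vars/radius.yml` in this same patch adds a `loc_certbot` entry, so the certificate configuration is now defined for radius hosts but never applied; either remove the variable together with the role, or add a comment stating why the role is disabled and how the server certificate the eap template relies on is provisioned instead. The seven commented lines for the re2o play at the top are likewise dead code in a playbook; if the deployment is planned, a single `# TODO: re2o deployment disabled — <reason>` keeps the file readable, otherwise drop them. The new `mirror` value built with `default({})` and `combine` is consistent with `roles/freeradius/tasks/main.yml` now reading `mirror.name`, which is the right pairing.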
diff --git a/roles/freeradius/tasks/main.yml b/roles/freeradius/tasks/main.yml
index f6b76b91..c38d55a2 100644
--- a/roles/freeradius/tasks/main.yml
+++ b/roles/freeradius/tasks/main.yml
@@ -1,7 +1,7 @@
 ---
 - name: Add buster-backports to apt sources
   apt_repository:
-    repo: deb http://{{ mirror }}/debian buster-backports main
+    repo: deb http://{{ mirror.name }}/debian buster-backports main
     state: present
 
 - name: Pin freeradius from backports
diff --git a/roles/freeradius/templates/freeradius/3.0/clients.conf.j2 b/roles/freeradius/templates/freeradius/3.0/clients.conf.j2
index 8a2b8173..396eb6ef 100644
--- a/roles/freeradius/templates/freeradius/3.0/clients.conf.j2
+++ b/roles/freeradius/templates/freeradius/3.0/clients.conf.j2
@@ -40,5 +40,20 @@ client bornes_v4 {
 	   ipaddr = {{ freeradius.infra_bornes }}
 	   secret = {{ freeradius.secret_bornes }}
 	   virtual_server = radius-wifi
+}
+
+{% for delegation in freeradius.delegations %}
+client {{ delegation.name }} {
+        secret = {{ delegation.secret }}
+        ipaddr = {{ delegation.ipv4 }}
+        virtual_server = {{ delegation.server }}
+}
 
+{% if delegation.ipv6 is defined %}
+client {{ delegation.name }} {
+        secret = {{ delegation.secret }}
+        ipaddr = {{ delegation.ipv6 }}
+        virtual_server = {{ delegation.server }}
 }
+{% endif %}
+{% endfor %}
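Review bot: Both generated sections for a delegation use the same section name, `client {{ delegation.name }} {`, whereas the hand-written entries in this file distinguish address families (`client bornes_v4 {` just above); use `client {{ delegation.name }}_v4 {` and `client {{ delegation.name }}_v6 {` so the two clients are distinguishable in server logs and the template does not depend on the server tolerating duplicate section names. `{% for delegation in freeradius.delegations %}` fails with an undefined-variable error on any host whose merged `freeradius` dict has no `delegations` key; `{% for delegation in freeradius.delegations | default([]) %}` keeps the template usable there. The new lines are indented with eight spaces while the surrounding file uses a tab followed by spaces; pick one style for the file. Since each `delegation.secret` is rendered in cleartext into clients.conf, the rendered file's ownership and mode should be restricted to the freerad user — that is set by the role's copy/template task, which this hunk does not show.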
diff --git a/roles/freeradius/templates/freeradius/3.0/mods-enabled/eap.j2 b/roles/freeradius/templates/freeradius/3.0/mods-enabled/eap.j2
index b615f9c8..9be7d49d 100644
--- a/roles/freeradius/templates/freeradius/3.0/mods-enabled/eap.j2
+++ b/roles/freeradius/templates/freeradius/3.0/mods-enabled/eap.j2
@@ -196,12 +196,12 @@ eap {
 		#  In that case, this CA file should contain
 		#  *one* CA certificate.
 		#
-		# ca_file = ${certdir}/ca.crt
+		ca_file = /etc/ssl/certs/ca-certificates.crt
 
-	 	#  OpenSSL will automatically create certificate chains,
-	 	#  unless we tell it to not do that.  The problem is that
-	 	#  it sometimes gets the chains right from a certificate
-	 	#  signature view, but wrong from the clients view.
+		#  OpenSSL will automatically create certificate chains,
+		#  unless we tell it to not do that.  The problem is that
+		#  it sometimes gets the chains right from a certificate
+		#  signature view, but wrong from the clients view.
 		#
 		#  When setting "auto_chain = no", the server certificate
 		#  file MUST include the full certificate chain.
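Review bot: `ca_file = /etc/ssl/certs/ca-certificates.crt` points this TLS section at the whole system trust store; in the eap tls configuration `ca_file` is not only used to complete the server's chain but, when EAP-TLS client-certificate authentication is enabled, as the list of CAs whose client certificates are accepted — the comment just above this line notes that for that use the file should contain *one* CA certificate. Whether EAP-TLS is enabled is outside this hunk; if it is, restrict `ca_file` to the issuing chain of the server certificate, and if the deployment is PEAP/TTLS-only, record that decision next to the line, e.g. `# system bundle is acceptable here: no EAP-TLS client-cert auth in use`, so the next reader does not have to rediscover why a public CA bundle is referenced.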
@@ -235,7 +235,7 @@ eap {
 		#  For DH cipher suites to work, you have to
 		#  run OpenSSL to create the DH file first:
 		#
-		#  	openssl dhparam -out certs/dh 2048
+		#	openssl dhparam -out certs/dh 2048
 		#
 		dh_file = ${certdir}/dh
 
@@ -363,7 +363,7 @@ eap {
 		#
 		#  The values must be in quotes.
 		#
-		tls_min_version = "1.2"
+		tls_min_version = "1.0"
 		tls_max_version = "1.2"
 
 
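Review bot: Lowering `tls_min_version` from `"1.2"` to `"1.0"` re-enables TLS 1.0 and 1.1 for the EAP tunnel that protects the inner credential exchange; both versions are deprecated (RFC 8996) and carry known weaknesses, so this is a security regression rather than a neutral compatibility tweak. If a specific legacy supplicant forces it, document that next to the line (`# TLS 1.0 kept for <device class> — revisit`) and plan the return to `"1.2"`; otherwise revert the change. Note also that the OpenSSL defaults shipped with buster, which this role targets via buster-backports, may refuse TLS 1.0 regardless of this setting, so verify the effect against a real client instead of assuming the downgrade takes effect.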
@@ -777,7 +777,7 @@ eap {
 		#  As of version 3.0.5, this configuration item
 		#  is deprecated.  Instead, you should use
 		#
-		# 	update outer.session-state {
+		#	update outer.session-state {
 		#		...
 		#
 		#	}
@@ -864,13 +864,13 @@ eap {
 		#  but *may* also cause other clients to stop
 		#  working.
 		#
-		send_error = yes
+		send_error = no
 
 		#  Server identifier to send back in the challenge.
 		#  This should generally be the host name of the
 		#  RADIUS server.  Or, some information to uniquely
 		#  identify it.
-#		identity = "FreeRADIUS"
+		identity = "FreeRadius"
 	}
 
 	## EAP-FAST
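Review bot: `identity = "FreeRadius"` hard-codes a generic server identifier even though the comment directly above says it should generally be the host name of the RADIUS server; since this file is a Jinja template, `identity = "{{ inventory_hostname }}"` gives each host a distinct value without per-host edits. The same hunk flips `send_error = yes` to `no`; the comment above explains the client-compatibility trade-off, so a one-line comment stating why errors are suppressed on this deployment would help the next reader. The enclosing eap stanza continues outside the hunk.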
-- 
GitLab