[radius] update

group_vars/firewall.yml

@@ -0,0 +1,16 @@
+glob_service_firewall:
+  re2o:
+    hostname: "{{ query('ldap', 'ip', 're2o', 'adm') | ipv4 | first }}"
+    user: services
+    password: "{{ vault.re2o_service_password }}"
+  name: firewall
+  install_dir: /var/local/services/firewall
+  frequency: "*/2 * * * *"
+  options: -q
+  dependencies:
+    - python3-iso8601
+    - python3-jinja2
+    - python3-ldap
+  git:
+    remote: https://gitlab.adm.crans.org/nounous/firewall.git
+    version: cachan

group_vars/radius.yml

@@ -4,5 +4,24 @@ glob_freeradius:
   proxy_to: FEDEREZ
   infra_switch: "172.16.33.0/24"
   infra_bornes: "172.16.34.0/24"
-  secret_switch: "ploptotoswitch"
-  secret_bornes: "ploptotobornes"
+  secret_switch: "{{ vault.radius_secret.switch }}"
+  secret_bornes: "ploptotobornes"  # "{{ vault.radius_secret.bornes }}"
+  delegations:
+    - name: parangon
+      ipv4: 185.230.78.47
+      ipv6: 2a0c:700:12:0:67:e5ff:fee9:5
+      secret: '{{ vault.radius_secret.federez }}'
+      server: radius-wifi
+    - name: dodecagon
+      ipv4: 195.154.165.76
+      ipv6: 2001:bc8:273e::1
+      secret: '{{ vault.radius_secret.federez }}'
+      server: radius-wifi
+      
+loc_certbot:
+  - dns_rfc2136_server: '172.16.10.147'
+    dns_rfc2136_name: certbot_challenge.
+    dns_rfc2136_secret: "{{ vault.certbot_dns_secret }}"
+    mail: root@crans.org
+    certname: crans.org
+    domains: "crans.org"

host_vars/routeur-gulp.cachan-adm.crans.org

@@ -1,81 +0,0 @@
----
-loc_home_nounou:
-  ip: 172.17.10.9
-  mountpoint: /rpool/home
-
-loc_ldap:
-  servers:
-    - 172.17.10.9
-  base: 'dc=crans,dc=org'
-
-glob_ntp_client:
-  servers:
-    - terenez.cachan-adm.crans.org
-
-debian_mirror: http://172.17.10.202/debian
-
-interfaces:
-  cachan-adh: "ens22"
-
-loc_dhcp:
-  authoritative: True
-  global_options:
-    - { key: "interface-mtu", value: "1500" }
-  global_parameters: []
-  subnets:
-    - network: "185.230.76.0/26"
-      deny_unknown: True
-      vlan: "cachan-adh"
-      default_lease_time: "600"
-      max_lease_time: "7200"
-      routers: "185.230.76.62"
-      dns: ["185.230.76.62"]
-      domain_name: "adh.crans.org"
-      domain_search: "adh.crans.org"
-      options: []
-      lease_file: "/var/local/services/dhcp/generated/dhcp.cachan-adh.crans.org.list"
-#    - network: 100.65.0.0/16
-#      vlan: "federez"
-#      default_lease_time: "600"
-#      max_lease_time: "7200"
-#      routers: "100.65.0.99"
-#      dns: ["100.65.0.99"]
-#      domain_name: "federez.net"
-#      domain_search: "federez.net"
-#      ranges:
-#        - min: 100.65.1.0
-#          max: 100.65.255.254
-#      options: []
-
-loc_service_dhcp:
-  re2o:
-    hostname: "{{ query('ldap', 'ip', 're2o', 'adm') | ipv4 | first }}"
-    user: services
-    password: "{{ vault.re2o_service_password }}"
-  name: dhcp
-  install_dir: /var/local/services/dhcp
-  generated: yes
-  frequency: "*/2 * * * *"
-  options: -q
-  dependencies:
-    - python3-jinja2
-  git:
-    remote: https://gitlab.adm.crans.org/nounous/dhcp.git
-    version: cachan
-  config:
-    subnets:
-      cachan-adh.crans.org: 185.230.76.0/26
-
-glob_radvd:
-  subnets:
-    - name: cachan-adh
-      prefix: 2a0c:700:3012::/64
-      dnssl: adh.crans.org
-      dns:
-        - "{{ query('ldap', 'ip', 'routeur-gulp', 'cachan-adh') | ipv6 | first }}"
-#    - name: federez
-#      prefix: 2a0c:700:254::/64
-#      dnssl: federez.net
-#      dns:
-#        - 2a0c:700:254::ff:fe00:99fe
-

host_vars/routeur-gulp.cachan-adm.crans.org/radius.yml

@@ -0,0 +1,23 @@
+---
+loc_re2o:
+  owner: freerad
+  group: _nounou
+  version: master_freeradius_python3
+  settings_local_owner: freerad
+  settings_local_group: _nounou
+
+  django_secret_key: "{{ vault.re2o_django_secret_key }}"
+  aes_key: "{{ vault.re2o_aes_key }}"
+  admins:
+    - ('Root', 'root@crans.org')
+  allowed_hosts:
+    - 're2o.cachan-adm.crans.org'
+    - 'intranet.cachan-adm.crans.org'
+  from_email: "root@crans.org"
+  ldap:
+    master_password: "{{ vault.ldap_master_password }}"
+    uri: "ldap://re2o-ldap.cachan-adm.crans.org/"
+    dn: "cn=admin,dc=crans,dc=org"
+  database:
+      password: "{{ vault.re2o_db_password }}"
+      uri: "gulp.cachan-adm.crans.org"

plays/dns-recursive.yml

@@ -0,0 +1,6 @@
+#!/usr/bin/env ansible-playbook
+---
+# Deploy recursive DNS cache server
+- hosts: dns_recursive
+  roles:
+    - bind-recursive

plays/freeradius.yml

@@ -1,11 +1,18 @@
 #!/usr/bin/env ansible-playbook
 ---
+# Deploy re2o
+#- hosts: re2o
+#  vars:
+#    re2o: "{{ glob_re2o | default({}) | combine(loc_re2o | default({})) }}"
+#  roles:
+#    - re2o
+
 # Deploy radius server
 - hosts: radius
   vars:
     certbot: '{{ loc_certbot | default(glob_certbot | default([])) }}'
     freeradius: '{{ glob_freeradius | default({}) | combine(loc_freeradius | default({})) }}'
-    mirror: '{{ glob_mirror.name }}'
+    mirror: '{{ glob_mirror | default({}) | combine(loc_mirror | default({})) }}'
   roles:
-    - certbot
+#    - certbot
     - freeradius

roles/freeradius/tasks/main.yml

@@ -1,7 +1,7 @@
 ---
 - name: Add buster-backports to apt sources
   apt_repository:
-    repo: deb http://{{ mirror }}/debian buster-backports main
+    repo: deb http://{{ mirror.name }}/debian buster-backports main
     state: present
 
 - name: Pin freeradius from backports

roles/freeradius/templates/freeradius/3.0/clients.conf.j2

@@ -40,5 +40,20 @@ client bornes_v4 {
 	   ipaddr = {{ freeradius.infra_bornes }}
 	   secret = {{ freeradius.secret_bornes }}
 	   virtual_server = radius-wifi
-
 }
+
+{% for delegation in freeradius.delegations %}
+client {{ delegation.name }} {
+        secret = {{ delegation.secret }}
+        ipaddr = {{ delegation.ipv4 }}
+        virtual_server = {{ delegation.server }}
+}
+
+{% if delegation.ipv6 is defined %}
+client {{ delegation.name }} {
+        secret = {{ delegation.secret }}
+        ipaddr = {{ delegation.ipv6 }}
+        virtual_server = {{ delegation.server }}
+}
+{% endif %}
+{% endfor %}

roles/freeradius/templates/freeradius/3.0/mods-enabled/eap.j2

@@ -196,12 +196,12 @@ eap {
 		#  In that case, this CA file should contain
 		#  *one* CA certificate.
 		#
-		# ca_file = ${certdir}/ca.crt
+		ca_file = /etc/ssl/certs/ca-certificates.crt
 
-	 	#  OpenSSL will automatically create certificate chains,
-	 	#  unless we tell it to not do that.  The problem is that
-	 	#  it sometimes gets the chains right from a certificate
-	 	#  signature view, but wrong from the clients view.
+		#  OpenSSL will automatically create certificate chains,
+		#  unless we tell it to not do that.  The problem is that
+		#  it sometimes gets the chains right from a certificate
+		#  signature view, but wrong from the clients view.
 		#
 		#  When setting "auto_chain = no", the server certificate
 		#  file MUST include the full certificate chain.
@@ -235,7 +235,7 @@ eap {
 		#  For DH cipher suites to work, you have to
 		#  run OpenSSL to create the DH file first:
 		#
-		#  	openssl dhparam -out certs/dh 2048
+		#	openssl dhparam -out certs/dh 2048
 		#
 		dh_file = ${certdir}/dh
 
@@ -363,7 +363,7 @@ eap {
 		#
 		#  The values must be in quotes.
 		#
-		tls_min_version = "1.2"
+		tls_min_version = "1.0"
 		tls_max_version = "1.2"
 
 
@@ -777,7 +777,7 @@ eap {
 		#  As of version 3.0.5, this configuration item
 		#  is deprecated.  Instead, you should use
 		#
-		# 	update outer.session-state {
+		#	update outer.session-state {
 		#		...
 		#
 		#	}
@@ -864,13 +864,13 @@ eap {
 		#  but *may* also cause other clients to stop
 		#  working.
 		#
-		send_error = yes
+		send_error = no
 
 		#  Server identifier to send back in the challenge.
 		#  This should generally be the host name of the
 		#  RADIUS server.  Or, some information to uniquely
 		#  identify it.
-#		identity = "FreeRADIUS"
+		identity = "FreeRadius"
 	}
 
 	## EAP-FAST