From a7d67b1f870de592998bebf73cd27d73b23c8238 Mon Sep 17 00:00:00 2001
From: Maxime Bombar
Date: Tue, 11 Aug 2020 04:04:41 +0200
Subject: [PATCH] Role freeradius

---
 group_vars/all/vars.yaml | 1 +
 group_vars/freeradius.yml | 4 ----
 group_vars/radius.yml | 8 ++++++++
 hosts | 3 +++
 plays/freeradius.yml | 9 +++++++++
 roles/freeradius/tasks/main.yml | 10 +++++++++-
 .../apt/preferences.d/freeradius_python3.j2 | 0
 .../freeradius/3.0/clients.conf.j2 | 0
 .../freeradius/3.0/mods-enabled/eap.j2 | 6 +++---
 .../freeradius/3.0/mods-enabled/python3.j2 | 0
 .../freeradius/3.0/radiusd.conf.j2 | 3 ++-
 .../freeradius/3.0/sites-enabled/default.j2 | 7 ++-----
 .../freeradius/3.0/sites-enabled/inner-tunnel.j2 | 4 ++--
 13 files changed, 39 insertions(+), 16 deletions(-)
 delete mode 100644 group_vars/freeradius.yml
 create mode 100644 group_vars/radius.yml
 create mode 100755 plays/freeradius.yml
 rename roles/freeradius/{template => templates}/apt/preferences.d/freeradius_python3.j2 (100%)
 rename roles/freeradius/{template => templates}/freeradius/3.0/clients.conf.j2 (100%)
 rename roles/freeradius/{template => templates}/freeradius/3.0/mods-enabled/eap.j2 (99%)
 rename roles/freeradius/{template => templates}/freeradius/3.0/mods-enabled/python3.j2 (100%)
 rename roles/freeradius/{template => templates}/freeradius/3.0/radiusd.conf.j2 (99%)
 rename roles/freeradius/{template => templates}/freeradius/3.0/sites-enabled/default.j2 (99%)
 rename roles/freeradius/{template => templates}/freeradius/3.0/sites-enabled/inner-tunnel.j2 (99%)

diff --git a/group_vars/all/vars.yaml b/group_vars/all/vars.yaml
index defee09c..f2276672 100644
--- a/group_vars/all/vars.yaml
+++ b/group_vars/all/vars.yaml
@@ -42,6 +42,7 @@ adm_subnet: 10.231.136.0/24
 #
 #
 # global server definitions
 glob_smtp: smtp.adm.crans.org
+glob_mirror: mirror.adm.crans.org
 glob_ldap:
 servers:
diff --git a/group_vars/freeradius.yml b/group_vars/freeradius.yml
deleted file mode 100644
index c51d5aa8..00000000
--- a/group_vars/freeradius.yml
+++ /dev/null
@@ -1,4 +0,0 @@
----
-glob_freeradius:
- realm: crans
- proxy_to: FEDEREZ
diff --git a/group_vars/radius.yml b/group_vars/radius.yml
new file mode 100644
index 00000000..2ea7d95d
--- /dev/null
+++ b/group_vars/radius.yml
@@ -0,0 +1,8 @@
+---
+glob_freeradius:
+ realm: crans
+ proxy_to: FEDEREZ
+ infra_switch: "172.16.33.0/24"
+ infra_bornes: "172.16.34.0/24"
+ secret_switch: "ploptotoswitch"
+ secret_bornes: "ploptotobornes"
diff --git a/hosts b/hosts
index d1d3fb60..42571ba7 100644
--- a/hosts
+++ b/hosts
@@ -25,6 +25,9 @@
 # [test_vm]
 # re2o-test.adm.crans.org
 
+[radius]
+routeur-sam.adm.crans.org
+
 [re2o]
 re2o-newinfra.adm.crans.org
 routeur-sam.adm.crans.org
diff --git a/plays/freeradius.yml b/plays/freeradius.yml
new file mode 100755
index 00000000..f2c4e3d7
--- /dev/null
+++ b/plays/freeradius.yml
@@ -0,0 +1,9 @@
+#!/usr/bin/env ansible-playbook
+---
+# Deploy radius server
+- hosts: radius
+ vars:
+ freeradius: '{{ glob_freeradius | default({}) | combine(loc_freeradius | default({})) }}'
+ mirror: '{{ glob_mirror }}'
+ roles:
+ - freeradius
diff --git a/roles/freeradius/tasks/main.yml b/roles/freeradius/tasks/main.yml
index 40ba0ad3..f6b76b91 100644
--- a/roles/freeradius/tasks/main.yml
+++ b/roles/freeradius/tasks/main.yml
@@ -7,7 +7,7 @@
 - name: Pin freeradius from backports
 template:
 src: apt/preferences.d/freeradius_python3.j2
- dest: /etc/apt/prefederences.d/freeradius_python3
+ dest: /etc/apt/preferences.d/freeradius_python3
 
 - name: Install freeradius
 apt:
@@ -43,8 +43,16 @@
 file:
 src: /var/www/re2o/freeradius_utils/auth.py
 dest: /etc/freeradius/3.0/auth.py
+ state: link
+ force: yes
 notify: Restart freeradius
 
+- name: Ensure ${certdir}/letsencrypt directory exists
+ file:
+ path: /etc/freeradius/3.0/certs/letsencrypt
+ state: directory
+ recurse: yes
+
 - name: Symlink radius certificates
 file:
 src: /etc/letsencrypt/live/crans.org/{{ item }}
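Review bot: `secret_switch` and `secret_bornes` in the new `group_vars/radius.yml` are RADIUS shared secrets committed in clear text to the repository, right next to the client ranges they presumably authenticate in `clients.conf.j2` (`infra_switch`, `infra_bornes`; the template is renamed unchanged here, so I cannot see how they are consumed). They read like placeholders, but a committed value is what ends up on the server unless something overrides it, and the play already merges `loc_freeradius` over `glob_freeradius`, so the override path exists. Keep the key names but source the values from an ansible-vault-encrypted variable, e.g. `secret_switch: "{{ vault_radius_secret_switch }}"`, and remember that a secret shared with an entire /24 is only as strong as the least-trusted host that can reach that subnet, since it is what authenticates a NAS to the server. If the placeholder values were ever deployed, rotate them when the vaulted ones land.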
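Review bot: The new `Ensure ${certdir}/letsencrypt directory exists` task creates `/etc/freeradius/3.0/certs/letsencrypt` without `owner`/`group`/`mode`, and the next task symlinks `/etc/letsencrypt/live/crans.org/{{ item }}` into it. FreeRADIUS drops privileges after start-up (on Debian to `freerad`, going by the package defaults rather than anything in this hunk) while certbot's `live/` and `archive/` directories are root-only by default, so a symlink does not by itself make `privkey.pem` readable by the daemon; confirm the key is readable through the link (a group/ACL on the letsencrypt directories, or a deploy hook that copies the files with a restricted mode) and set the directory's ownership explicitly, e.g. `owner: root`, `group: freerad`, `mode: "0750"`. `recurse: yes` on a directory that this task has just created does nothing and can be dropped. Note also that any `notify` on the symlink task only fires when the link itself changes, not when certbot renews the certificate behind it, so a certbot deploy hook that reloads freeradius is needed or the server keeps presenting the old certificate until its next restart. The symlink task is cut off at the end of the hunk, so its loop items and handlers are not visible to me.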
diff --git a/roles/freeradius/template/apt/preferences.d/freeradius_python3.j2 b/roles/freeradius/templates/apt/preferences.d/freeradius_python3.j2
similarity index 100%
rename from roles/freeradius/template/apt/preferences.d/freeradius_python3.j2
rename to roles/freeradius/templates/apt/preferences.d/freeradius_python3.j2
diff --git a/roles/freeradius/template/freeradius/3.0/clients.conf.j2 b/roles/freeradius/templates/freeradius/3.0/clients.conf.j2
similarity index 100%
rename from roles/freeradius/template/freeradius/3.0/clients.conf.j2
rename to roles/freeradius/templates/freeradius/3.0/clients.conf.j2
diff --git a/roles/freeradius/template/freeradius/3.0/mods-enabled/eap.j2 b/roles/freeradius/templates/freeradius/3.0/mods-enabled/eap.j2
similarity index 99%
rename from roles/freeradius/template/freeradius/3.0/mods-enabled/eap.j2
rename to roles/freeradius/templates/freeradius/3.0/mods-enabled/eap.j2
index 880dd902..b615f9c8 100644
--- a/roles/freeradius/template/freeradius/3.0/mods-enabled/eap.j2
+++ b/roles/freeradius/templates/freeradius/3.0/mods-enabled/eap.j2
@@ -184,7 +184,7 @@ eap {
 # only the server certificate, but ALSO all
 # of the CA certificates used to sign the
 # server certificate.
- certificate_file = ${certdir}/letsencrypt/privkey.pem
+ certificate_file = ${certdir}/letsencrypt/fullchain.pem
 
 # Trusted Root CA list
 #
@@ -196,7 +196,7 @@ eap {
 # In that case, this CA file should contain
 # *one* CA certificate.
 #
- ca_file = ${certdir}/ca.crt
+ # ca_file = ${certdir}/ca.crt
 
 # OpenSSL will automatically create certificate chains,
 # unless we tell it to not do that. The problem is that
@@ -363,7 +363,7 @@ eap {
 #
 # The values must be in quotes.
 #
- tls_min_version = "1.0"
+ tls_min_version = "1.2"
 tls_max_version = "1.2"
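Review bot: Commenting out `ca_file` in the `@@ -196` hunk leaves the EAP TLS section with no trusted CA list at all, which is fine for PEAP/TTLS where only the server presents a certificate, but it silently removes the trust anchor for any client-certificate verification (`require_client_cert` and the EAP-TLS sub-section are outside this hunk, so I cannot tell whether they are in use). Say so in the file instead of leaving a bare commented line, e.g. `# No CA list: the server cert is a public Let's Encrypt chain (see fullchain.pem above); set ca_file before enabling client certificates / EAP-TLS.` Switching the server from a private CA to a public one also changes what supplicants must check: a client that trusts its system root store without pinning the CA and the server name will accept any publicly issued certificate, so the client-side instructions (not part of this commit) need to require both. Raising `tls_min_version` to `"1.2"` is the right call and needs no further comment.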
diff --git a/roles/freeradius/template/freeradius/3.0/mods-enabled/python3.j2 b/roles/freeradius/templates/freeradius/3.0/mods-enabled/python3.j2
similarity index 100%
rename from roles/freeradius/template/freeradius/3.0/mods-enabled/python3.j2
rename to roles/freeradius/templates/freeradius/3.0/mods-enabled/python3.j2
diff --git a/roles/freeradius/template/freeradius/3.0/radiusd.conf.j2 b/roles/freeradius/templates/freeradius/3.0/radiusd.conf.j2
similarity index 99%
rename from roles/freeradius/template/freeradius/3.0/radiusd.conf.j2
rename to roles/freeradius/templates/freeradius/3.0/radiusd.conf.j2
index a6ad1137..68305530 100644
--- a/roles/freeradius/template/freeradius/3.0/radiusd.conf.j2
+++ b/roles/freeradius/templates/freeradius/3.0/radiusd.conf.j2
@@ -373,9 +373,10 @@ log {
 # this expansion can be slow, and can negatively impact server
 # performance.
 #
+{% raw %}
 msg_goodpass = "IP du Nas: %{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}"
 msg_badpass = "IP du Nas: %{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}"
-
+{% endraw %}
 # The message when the user exceeds the Simultaneous-Use limit.
 #
 msg_denied = "You are already logged in - access denied"
diff --git a/roles/freeradius/template/freeradius/3.0/sites-enabled/default.j2 b/roles/freeradius/templates/freeradius/3.0/sites-enabled/default.j2
similarity index 99%
rename from roles/freeradius/template/freeradius/3.0/sites-enabled/default.j2
rename to roles/freeradius/templates/freeradius/3.0/sites-enabled/default.j2
index 77ef9cf3..415bc758 100644
--- a/roles/freeradius/template/freeradius/3.0/sites-enabled/default.j2
+++ b/roles/freeradius/templates/freeradius/3.0/sites-enabled/default.j2
@@ -479,11 +479,11 @@ preacct {
 #
 # The start time is: NOW - delay - session_length
 #
-
+{% raw %}
 # update request {
 # &FreeRADIUS-Acct-Session-Start-Time = "%{expr: %l - %{%{Acct-Session-Time}:-0} - %{%{Acct-Delay-Time}:-0}}"
 # }
-
+{% endraw %}
 
 #
 # Ensure that we have a semi-unique identifier for every
@@ -626,9 +626,6 @@ post-auth {
 # The "session-state" attributes are not available here.
 #
 Post-Auth-Type REJECT {
- # TO REMOVE ?
- # log failed authentications in SQL, too.
- -sql
 attr_filter.access_reject
 
 # Insert EAP-Failure message if the request was
diff --git a/roles/freeradius/template/freeradius/3.0/sites-enabled/inner-tunnel.j2 b/roles/freeradius/templates/freeradius/3.0/sites-enabled/inner-tunnel.j2
similarity index 99%
rename from roles/freeradius/template/freeradius/3.0/sites-enabled/inner-tunnel.j2
rename to roles/freeradius/templates/freeradius/3.0/sites-enabled/inner-tunnel.j2
index 28626115..2552a4fb 100644
--- a/roles/freeradius/template/freeradius/3.0/sites-enabled/inner-tunnel.j2
+++ b/roles/freeradius/templates/freeradius/3.0/sites-enabled/inner-tunnel.j2
@@ -228,7 +228,7 @@ post-auth {
 # After authenticating the user, do another SQL query.
 #
 # See "Authentication Logging Queries" in `mods-config/sql/main/$driver/queries.conf`
- -sql
+ # -sql
 
 #
@@ -271,7 +271,7 @@ post-auth {
 #
 Post-Auth-Type REJECT {
 # log failed authentications in SQL, too.
- -sql
+ # -sql
 attr_filter.access_reject
 
 #
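Review bot: Dropping `-sql` from `Post-Auth-Type REJECT` in the outer `default` site removes the SQL record of failed authentications, which is often the only durable audit trail for spotting brute-force attempts or a mis-provisioned NAS. The `-` prefix made the call a no-op when the sql module is not loaded, so if sql is genuinely unused on this server nothing is lost — but then the same cleanup in `inner-tunnel.j2` comments the line out instead of deleting it, and the two files should use one style. If sql was in use, confirm that failed authentications are still recorded somewhere (the `log { }` section of `radiusd.conf` that this commit touches for `msg_badpass` suggests `auth` logging is on, but the `auth`/`auth_badpass` settings are not in the hunk) and state the decision at the removal site, e.g. `# sql not used here: failed authentications are logged via radiusd.conf log{} (msg_badpass).`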
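Review bot: In the `@@ -271` hunk of `inner-tunnel.j2` the comment `# log failed authentications in SQL, too.` is kept while the `-sql` call beneath it is commented out, so the comment now describes something the configuration no longer does; either remove it together with the call or replace it with the reason, e.g. `# sql disabled: failed inner-tunnel authentications are not written to SQL`. The same stale-comment problem exists in the `@@ -228` hunk, where `# See "Authentication Logging Queries" in ...queries.conf` still points readers at a query that is no longer executed. Both hunks sit inside `post-auth { }`, whose start and end are outside what is shown.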