diff --git a/playbooks/freeradius.yml b/playbooks/freeradius.yml
new file mode 100755
index 0000000..60c2a47
--- /dev/null
+++ b/playbooks/freeradius.yml
@@ -0,0 +1,15 @@
+#!/usr/bin/env ansible-playbook
+---
+- hosts:
+ - radius-1.isp.infra.auro.re
+ vars:
+ radiusd__clients:
+ wifi-ap-v4:
+ addr: 10.102.0.0/16
+ secret: abcdef
+ wifi-ap-v6:
+ addr: 2a09:6840:102::/56
+ secret: abcdef
+ roles:
+ - freeradius
+...
diff --git a/playbooks/radius.yml b/playbooks/radius.yml
deleted file mode 100755
index b48765e..0000000
--- a/playbooks/radius.yml
+++ /dev/null
@@ -1,10 +0,0 @@
-#!/usr/bin/env ansible-playbook
----
-# Deploy Radius
-- hosts: radius-*.adm.auro.re
- vars:
- update_motd:
- unbound: FreeRADIUS est déployé.
- roles:
- - radius
- - update_motd
diff --git a/roles/freeradius/defaults/main.yml b/roles/freeradius/defaults/main.yml
new file mode 100644
index 0000000..fd21d56
--- /dev/null
+++ b/roles/freeradius/defaults/main.yml
@@ -0,0 +1,28 @@
+---
+radiusd__max_attributes: 200
+radiusd__status_server: true
+radiusd__clients: {}
+radiusd__enabled_modules_minimal:
+ - always
+ - attr_filter # TODO
+ - cache_eap # TODO
+ - detail # TODO
+ - detail.log # TODO
+ - digest # TODO
+ - dynamic_clients # TODO
+ - eap # TODO
+ - expiration # TODO
+ - expr # TODO
+ - files # TODO
+ - linelog # TODO
+ - logintime # TODO
+ - mschap # TODO
+ - passwd # TODO
+ - preprocess # TODO
+ - radutmp # TODO
+ - realm # TODO
+ - sradutmp # TODO
+ - unpack # TODO
+ - utf8
+radiusd__enabled_modules: []
+...
diff --git a/roles/freeradius/handlers/main.yml b/roles/freeradius/handlers/main.yml
new file mode 100644
index 0000000..f86cd09
--- /dev/null
+++ b/roles/freeradius/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+- name: Restart freeradius
+ systemd:
+ name: freeradius.service
+ state: restarted
+...
diff --git a/roles/freeradius/tasks/main.yml b/roles/freeradius/tasks/main.yml
new file mode 100644
index 0000000..2bce692
--- /dev/null
+++ b/roles/freeradius/tasks/main.yml
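Review bot: Both entries of `radiusd__clients` in `playbooks/freeradius.yml` carry the literal shared secret `abcdef`, committed in plaintext, and it covers the whole of `10.102.0.0/16` and `2a09:6840:102::/56`. The shared secret is what authenticates a NAS to the server and what hides User-Password, so a six-letter dictionary value lets any host in those ranges forge requests and is trivially recovered offline from one captured exchange; the `require_message_authenticator = yes` that the clients template sets is good hygiene but does not compensate for a weak secret. If these are placeholders, say so in a comment next to them; otherwise generate a long random secret per client and reference it from a vaulted variable, e.g. `secret: "{{ vault_radiusd_secret_wifi_ap_v4 }}"`.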
@@ -0,0 +1,78 @@
+---
+- name: Install freeradius
+ apt:
+ name: freeradius
+ install_recommends: false
+
+- name: Remove unused files
+ file:
+ path: "/etc/freeradius/3.0/{{ item }}"
+ state: absent
+ loop:
+ - templates.conf
+ - trigger.conf
+ - README.rst
+ - panic.gdb
+ - experimental.conf
+ - certs/ca.cnf
+ - certs/bootstrap
+ - certs/client.cnf
+ - certs/inner-server.cnf
+ - certs/server.cnf
+ - certs/README
+ - certs/Makefile
+ - certs/xpextensions
+
+- name: Enumerate available modules
+ find:
+ paths: /etc/freeradius/3.0/mods-available
+ register: available_modules
+
+- name: Disable modules
+ file:
+ path: "/etc/freeradius/3.0/mods-enabled/{{ item }}"
+ state: absent
+ loop: "{{ available_modules.files
+ | map(attribute='path')
+ | map('basename')
+ | difference(radiusd__enabled_modules_minimal
+ | union(radiusd__enabled_modules)) }}"
+ notify:
+ - Restart freeradius
+
+- name: Enable modules
+ file:
+ src: "/etc/freeradius/3.0/mods-available/{{ item }}"
+ dest: "/etc/freeradius/3.0/mods-enabled/{{ item }}"
+ state: link
+ owner: root
+ group: freerad
+ mode: u=rw,g=r,o=
+ loop: "{{ radiusd__enabled_modules_minimal
+ | union(radiusd__enabled_modules) }}"
+ notify:
+ - Restart freeradius
+
+- name: Configure freeradius
+ template:
+ src: "{{ item }}.j2"
+ dest: "/etc/freeradius/3.0/{{ item }}"
+ owner: root
+ group: freerad
+ mode: u=rw,g=r,o=
+ loop:
+ - radiusd.conf
+ #- proxy.conf
+ - clients.conf
+ - dictionary
+ - mods-available/utf8
+ - mods-available/always
+ notify:
+ - Restart freeradius
+
+- name: Enable and start freeradius
+ systemd:
+ name: freeradius.service
+ state: started
+ enabled: true
+...
diff --git a/roles/freeradius/templates/clients.conf.j2 b/roles/freeradius/templates/clients.conf.j2
new file mode 100644
index 0000000..f43116b
--- /dev/null
+++ b/roles/freeradius/templates/clients.conf.j2
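Review bot: The `Remove unused files` task deletes the certificate scaffolding under `certs/` (`bootstrap`, the `*.cnf` files, `Makefile`) while `eap` stays in `radiusd__enabled_modules_minimal` and no task in this role deploys a server certificate or key, so whether the `eap` module loads at all depends on what the Debian package happened to leave in `certs/` — worth verifying on a freshly installed host rather than one that was previously configured. The same gap exists for `sites-enabled/`: `radiusd.conf.j2` includes it, but the `Configure freeradius` loop neither templates nor prunes it, so the packaged `default` and `inner-tunnel` virtual servers run unchanged alongside the managed `clients.conf`. I would at least document this next to the loop, e.g. `# sites-enabled/ and mods-available/* (other than utf8/always) are left as shipped by the Debian package`, and add a follow-up task that either templates the virtual servers or removes the ones that are not wanted.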
@@ -0,0 +1,20 @@
+{{ ansible_managed | comment }}
+
+{% for name, client in radiusd__clients.items() %}
+client {{ name }} {
+{% if client.addr | ansible.utils.ipv6 %}
+ ipaddrv6 = {{ client.addr | ansible.utils.ipv6("address") }}
+{% else %}
+ ipaddr = {{ client.addr | ansible.utils.ipv4("address") }}
+{% endif %}
+ netmask = {{ client.addr | ansible.utils.ipaddr("prefix") }}
+ proto = *
+ require_message_authenticator = yes
+ nastype = other
+ secret = {{ client.secret }}
+{% if client.virtual_server is defined %}
+ virtual_server = {{ client.virtual_server }}
+{% endif %}
+}
+
+{% endfor %}
diff --git a/roles/freeradius/templates/dictionary.j2 b/roles/freeradius/templates/dictionary.j2
new file mode 100644
index 0000000..5c02948
--- /dev/null
+++ b/roles/freeradius/templates/dictionary.j2
@@ -0,0 +1 @@
+{{ ansible_managed | comment }}
diff --git a/roles/freeradius/templates/mods-available/always.j2 b/roles/freeradius/templates/mods-available/always.j2
new file mode 100644
index 0000000..45d6807
--- /dev/null
+++ b/roles/freeradius/templates/mods-available/always.j2
@@ -0,0 +1,37 @@
+{{ ansible_managed | comment }}
+
+always reject {
+ rcode = reject
+}
+
+always fail {
+ rcode = fail
+}
+
+always ok {
+ rcode = ok
+}
+
+always handled {
+ rcode = handled
+}
+
+always invalid {
+ rcode = invalid
+}
+
+always userlock {
+ rcode = userlock
+}
+
+always notfound {
+ rcode = notfound
+}
+
+always noop {
+ rcode = noop
+}
+
+always updated {
+ rcode = updated
+}
diff --git a/roles/freeradius/templates/mods-available/utf8.j2 b/roles/freeradius/templates/mods-available/utf8.j2
new file mode 100644
index 0000000..5627d16
--- /dev/null
+++ b/roles/freeradius/templates/mods-available/utf8.j2
@@ -0,0 +1,4 @@
+{{ ansible_managed | comment }}
+
+utf8 {
+}
diff --git a/roles/freeradius/templates/proxy.conf.j2 b/roles/freeradius/templates/proxy.conf.j2
new file mode 100644
index 0000000..d67ab1c
--- /dev/null
+++ b/roles/freeradius/templates/proxy.conf.j2
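Review bot: `ipaddrv6` in the IPv6 branch of `clients.conf.j2` is not one of the client address keys FreeRADIUS 3 documents (`ipaddr`, `ipv4addr`, `ipv6addr`), so the `wifi-ap-v6` client declared in the playbook would most likely come up without an address or make the server refuse its configuration — please check with `freeradius -C` on a host that has an IPv6 client defined. Since FreeRADIUS 3 accepts CIDR notation directly in `ipaddr` and treats `netmask` as deprecated, the whole `if`/`else` plus the `netmask` line can collapse to `ipaddr = {{ client.addr }}`, which handles both families and removes the need for the `ansible.utils.ipaddr("prefix")` expression; if you prefer to keep the split, the fix is just renaming the key to `ipv6addr`. The rest of the client block (`require_message_authenticator = yes`, `proto = *`) reads fine.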
@@ -0,0 +1,23 @@
+{{ ansible_managed | comment }}
+
+proxy server {
+ default_fallback = no
+ dynamic = no
+}
+
+{% for name, hs in radiusd__home_servers.items %}
+home_server {{ name }} {
+ type = auth
+ ipaddr = {{ hs.addr }}
+ port = {{ hs.port | int }}
+}
+{% endfor %}
+
+{% for name, realm in radiusd__realms.items() %}
+realm {{ name }} {
+ auth_pool = auth_pool
+}
+{% endfor %}
+
+realm LOCAL {
+}
diff --git a/roles/freeradius/templates/radiusd.conf.j2 b/roles/freeradius/templates/radiusd.conf.j2
new file mode 100644
index 0000000..8ef77ae
--- /dev/null
+++ b/roles/freeradius/templates/radiusd.conf.j2
@@ -0,0 +1,66 @@
+{{ ansible_managed | comment }}
+
+prefix = /usr
+exec_prefix = /usr
+sysconfigdir = /etc
+localstatedir = /var
+sbindir = ${exec_prefix}/sbin
+logdir = /var/log/freeradius
+raddbdir = /etc/freeradius/3.0
+radacctdir = ${logdir}/radacct
+name = freeradius
+confdir = ${raddbdir}
+modconfdir = ${confdir}/mods-config
+certdir = ${confdir}/certs
+cadir = ${confdir}/certs
+run_dir = ${localstatedir}/run/${name}
+db_dir = ${raddbdir}
+libdir = /usr/lib/freeradius
+pidfile = ${run_dir}/${name}.pid
+checkrad = ${sbindir}/checkrad
+
+max_request_time = 30
+cleanup_delay = 5
+max_requests = 16384
+hostname_lookups = no
+correct_escapes = true
+
+log {
+ destination = syslog
+ syslog_facility = daemon
+ auth = yes
+}
+
+security {
+ user = freerad
+ group = freerad
+ allow_core_dumps = no
+ max_attributes = {{ radiusd__max_attributes | int }}
+ status_server = {{ radiusd__status_server | ternary("yes", "no") }}
+}
+
+proxy_requests = yes
+
+$INCLUDE proxy.conf
+
+thread pool {
+ start_servers = 5
+ max_servers = 32
+ min_spare_servers = 3
+ max_spare_servers = 10
+ max_requests_per_server = 0
+ auto_limit_acct = no
+}
+
+modules {
+ $INCLUDE mods-enabled/
+}
+
+instantiate {
+}
+
+policy {
+ $INCLUDE policy.d/
+}
+
+$INCLUDE sites-enabled/
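Review bot: The home-server loop in `proxy.conf.j2` reads `radiusd__home_servers.items` without calling it, so it iterates over a bound method instead of the mapping and the template cannot render; this is latent only because `proxy.conf` is commented out of the task loop. Beyond that, each `home_server` is missing the `secret` FreeRADIUS requires to talk to it, every realm points at `auth_pool = auth_pool` although no `home_server_pool` of that name is declared anywhere, and neither `radiusd__home_servers` nor `radiusd__realms` has a default in `defaults/main.yml`, so even a host with no proxying would fail on an undefined variable once the template is enabled. A minimal working shape that keeps the `secret` out of the clear with `require_message_authenticator = yes`, as the deleted `proxy.conf.j2` did, would be along these lines; the pool variable name is a suggestion and should match whatever the role settles on.

```jinja
{# … unchanged: ansible_managed header and "proxy server" block … #}
{% for name, hs in (radiusd__home_servers | default({})).items() %}
home_server {{ name }} {
  type = auth
  ipaddr = {{ hs.addr }}
  port = {{ hs.port | default(1812) | int }}
  secret = {{ hs.secret }}
  require_message_authenticator = yes
}
{% endfor %}

{% for name, pool in (radiusd__home_server_pools | default({})).items() %}
home_server_pool {{ name }} {
  type = {{ pool.type | default("fail-over") }}
{% for hs in pool.home_servers %}
  home_server = {{ hs }}
{% endfor %}
}
{% endfor %}

{% for name, realm in (radiusd__realms | default({})).items() %}
realm {{ name }} {
  auth_pool = {{ realm.auth_pool }}
}
{% endfor %}
{# … unchanged: realm LOCAL … #}
```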
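Review bot: `proxy_requests = yes` followed by `$INCLUDE proxy.conf` in `radiusd.conf.j2` turns on proxying against a `proxy.conf` this role does not manage — the template is commented out of the `Configure freeradius` loop — so the file actually loaded is whatever the Debian package shipped, with its sample home servers and realms. Until the proxy template is fixed and deployed I would either set `proxy_requests = no` and drop the include, or gate both on a role variable, e.g. `proxy_requests = {{ radiusd__proxy_requests | default(false) | ternary("yes", "no") }}` with the `$INCLUDE` wrapped in `{% if radiusd__proxy_requests | default(false) %}`. A one-line comment above the directive saying where `proxy.conf` is expected to come from would also help the next reader, since the tasks file and this template currently disagree.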
diff --git a/roles/radius/tasks/main.yml b/roles/radius/tasks/main.yml
deleted file mode 100644
index bafb166..0000000
--- a/roles/radius/tasks/main.yml
+++ /dev/null
@@ -1,263 +0,0 @@ ---- -- name: Add backports repositories - apt_repository: - repo: "{{ item }} http://deb.debian.org/debian buster-backports main contrib non-free" - loop: - - "deb" - - "deb-src" - -- name: Ensure /var/www exists - file: - name: "/var/www" - state: directory - mode: 0755 - -- name: Clone re2o repo - git: - repo: "https://gitlab.federez.net/re2o/re2o.git" - dest: "/var/www/re2o" - version: "dev" - force: true - -- name: Template local re2o settings - template: - src: "{{ item }}.j2" - dest: "/var/www/re2o/re2o/{{ item }}" - mode: 0644 - loop: - - settings_local.py - - local_routers.py - -# What follows is a hideous abomination. -# Blame freeradius-python3 on backports. - -- name: try to install freeradius-python3 (this will fail on post-install) - apt: - name: freeradius-python3 - default_release: buster-backports - update_cache: true - ignore_errors: true - -- name: fix freeradius-python3 postinstall script - template: - src: freeradius-python3.postinst.j2 - dest: /var/lib/dpkg/info/freeradius-python3.postinst - mode: 0644 - -- name: reinstall broken package (this might fail too, for different reasons) - apt: - name: freeradius-python3 - default_release: buster-backports - force: true - ignore_errors: true - -- name: Setup radius symlinks - file: - src: "/var/www/re2o/freeradius_utils/{{ item.local_prefix }}{{ item.filename }}" - dest: "/etc/freeradius/3.0/{{ item.filename }}" - state: link - force: true - loop: - - local_prefix: "" - filename: auth.py - - local_prefix: freeradius3/ - filename: radiusd.conf - - local_prefix: freeradius3/ - filename: mods-enabled/python - - local_prefix: freeradius3/ - filename: mods-enabled/eap - -- name: Configure freeradius - template: - src: "{{ item }}.j2" - dest: "/etc/freeradius/3.0/{{ item }}" - mode: 0640 - owner: freerad - loop: - - sites-enabled/default - - sites-enabled/inner-tunnel - -- name: Install Basic Clients/Proxy Files freeradius - template: - src: "{{ item }}.j2" - dest: 
"/etc/freeradius/3.0/{{ item }}" - mode: 0640 - owner: freerad - loop: - - clients.conf - - proxy.conf - when: "'aurore_vm' not in group_names" - -- name: Install Clients FedeRez Radius-Aurore - template: - src: proxy-federez.conf.j2 - dest: /etc/freeradius/3.0/proxy.conf - mode: 0640 - owner: freerad - when: "'aurore_vm' in group_names" - -- name: Install Proxy FedeRez Radius-Aurore - template: - src: clients-federez.conf.j2 - dest: /etc/freeradius/3.0/clients.conf - mode: 0640 - owner: freerad - when: "'aurore_vm' in group_names" - -- name: Install radius requirements (except freeradius-python3) - shell: - cmd: "cat apt_requirements_radius.txt | grep -v freeradius-python3 | xargs apt-get -y install" - chdir: /var/www/re2o/ - -- name: Install PyPi requirements for radius - command: "pip3 install -r /var/www/re2o/pip_requirements.txt" - -# End of hideousness (hopefully). - -- name: Configure log rotation - template: - src: "freeradius-logrotate.j2" - dest: "/etc/logrotate.d/freeradius" - mode: 0644 - - -# Database setup - - -- name: Install postgresql - apt: - name: - - postgresql - - postgresql-client-11=11.7-0+deb10u1 - force: true - -- name: Install postgresql ansible module requirement(s) - pip: - name: psycopg2 - -- name: Create read-only user - community.general.postgresql_user: - name: re2o_ro - password: "{{ radius_pg_re2o_ro_password }}" - become_user: postgres - -- name: Create replication user - community.general.postgresql_user: - name: replication - password: "{{ radius_pg_replication_password }}" - become_user: postgres - - -- name: Nuking - Stop freeradius - systemd: - name: freeradius - state: stopped - when: nuke_radius|default(false) - -- name: Nuking - Remove old subscription if it exists - community.general.postgresql_subscription: - name: "re2o_subscription_{{ inventory_hostname_short | replace('-','_') }}" - db: re2o - state: absent - become_user: postgres - when: nuke_radius|default(false) - ignore_errors: true - -- name: Nuking - Destroy old 
local DB if it exists - community.general.postgresql_db: - name: re2o - state: absent - become_user: postgres - when: nuke_radius|default(false) - -- name: Create local DB - community.general.postgresql_db: - name: re2o - owner: replication - state: present - encoding: "UTF8" - lc_collate: 'fr_FR.UTF-8' - lc_ctype: 'fr_FR.UTF-8' - become_user: postgres - -- name: Dump radius re2o PostgreSQL database schema from master - community.general.postgresql_db: - name: re2o - state: dump - target: /tmp/re2o-schema.sql - target_opts: '-s' - login_host: 10.128.0.22 - login_user: replication - login_password: "{{ radius_pg_replication_password }}" - - -- name: Restore DB - tags: - - restore - community.general.postgresql_db: - name: re2o - state: restore - target: /tmp/re2o-schema.sql - target_opts: "-s" - login_host: localhost - login_user: replication - login_password: "{{ radius_pg_replication_password }}" - - -- name: Grant select permissions on all tables to read-only user - tags: - - perms - community.general.postgresql_privs: - database: re2o - privs: SELECT - objs: ALL_IN_SCHEMA - schema: public - roles: re2o_ro - become_user: postgres - -- name: Grant usage permission on schema to read-only user - tags: - - perms - community.general.postgresql_privs: - database: re2o - privs: USAGE - objs: public - type: schema - roles: re2o_ro - become_user: postgres - -- name: Set default privileges in schema - tags: - - perms - community.general.postgresql_privs: - database: re2o - privs: SELECT - schema: public - objs: TABLES - type: default_privs - roles: re2o_ro - become_user: postgres - - -- name: Set up subscription to main database - tags: - - sub - community.general.postgresql_subscription: - name: "re2o_subscription_{{ inventory_hostname_short | replace('-','_') }}" - connparams: - host: re2o-db.adm.auro.re - user: replication - password: "{{ radius_pg_replication_password }}" - dbname: re2o - db: re2o - publications: - - re2o_pub - become_user: postgres - - -- name: 
Restart freeradius, ensure enabled - systemd: - name: freeradius - enabled: true - state: restarted - daemon_reload: true diff --git a/roles/radius/templates/clients-federez.conf.j2 b/roles/radius/templates/clients-federez.conf.j2 deleted file mode 100644 index 2a71e05..0000000 --- a/roles/radius/templates/clients-federez.conf.j2 +++ /dev/null @@ -1,22 +0,0 @@ -client radius-aurore { - ipaddr = 10.128.0.0 - netmask = 16 - secret = {{ radius_secret_aurore }} - require_message_authenticator = no - nastype = other - virtual_server = radius-wifi -} - -# Parangon (federez) -client parangon { - ipaddr = 185.230.78.47 - secret = {{ radius_secret_federez }} - virtual_server = radius-wifi -} - -# Dodecagon (federez) -client dodecagon { - ipaddr = 195.154.165.76 - secret = {{ radius_secret_federez }} - virtual_server = radius-wifi -} diff --git a/roles/radius/templates/clients.conf.j2 b/roles/radius/templates/clients.conf.j2 deleted file mode 100644 index 6909978..0000000 --- a/roles/radius/templates/clients.conf.j2 +++ /dev/null @@ -1,18 +0,0 @@ -client radius-filaire { - ipaddr = 10.130.{{ apartment_block_id }}.0 - netmask = 24 - secret = {{ radius_secret_wired }} - require_message_authenticator = no - nastype = other - virtual_server = radius-filaire -} - - -client aurore-wifi { - ipaddr = 10.{{ subnet_ids.ap }}.0.0 - netmask = 16 - secret = {{ radius_secret_wifi }} - require_message_authenticator = no - nastype = other - virtual_server = radius-wifi -} diff --git a/roles/radius/templates/freeradius-logrotate.j2 b/roles/radius/templates/freeradius-logrotate.j2 deleted file mode 100644 index 91d5df4..0000000 --- a/roles/radius/templates/freeradius-logrotate.j2 +++ /dev/null 
@@ -1,50 +0,0 @@ -# The main server log -/var/log/freeradius/radius.log { - # common options - daily - rotate 365 - missingok - compress - delaycompress - notifempty - - copytruncate -} - -# (in order) -# Session monitoring utilities -# Session database modules -# SQL log files -/var/log/freeradius/checkrad.log /var/log/freeradius/radwatch.log -/var/log/freeradius/radutmp /var/log/freeradius/radwtmp -/var/log/freeradius/sqllog.sql -{ - # common options - daily - rotate 365 - missingok - compress - delaycompress - notifempty - - nocreate -} - -# There are different detail-rotating strategies you can use. One is -# to write to a single detail file per IP and use the rotate config -# below. Another is to write to a daily detail file per IP with: -# detailfile = ${radacctdir}/%{Client-IP-Address}/%Y%m%d-detail -# (or similar) in radiusd.conf, without rotation. If you go with the -# second technique, you will need another cron job that removes old -# detail files. You do not need to comment out the below for method #2. -/var/log/freeradius/radacct/*/detail { - # common options - daily - rotate 365 - missingok - compress - delaycompress - notifempty - - nocreate -} diff --git a/roles/radius/templates/freeradius-python3.postinst.j2 b/roles/radius/templates/freeradius-python3.postinst.j2 deleted file mode 100644 index 058ec38..0000000 --- a/roles/radius/templates/freeradius-python3.postinst.j2 +++ /dev/null @@ -1,14 +0,0 @@ -#!/bin/sh -# vim:ts=2:sw=2:et - -set -e - -case "$1" in - configure) - invoke-rc.d freeradius restart - ;; -esac - - - -exit 0 diff --git a/roles/radius/templates/local_routers.py.j2 b/roles/radius/templates/local_routers.py.j2 deleted file mode 100644 index 0367f2c..0000000 --- a/roles/radius/templates/local_routers.py.j2 +++ /dev/null 
@@ -1,28 +0,0 @@ -class DbRouter(object): - """ - A router to control all database operations on models in the - auth application. - """ - def db_for_read(self, model, **hints): - """ - Attempts to read remote models go to local database. - """ - return 'local' - - def db_for_write(self, model, **hints): - """ - Attempts to write remote models go to the remote database. - """ - return 'default' - - def allow_relation(self, obj1, obj2, **hints): - """ - Allow relations involving the remote database - """ - return True - - def allow_migrate(self, db, app_label, model_name=None, **hints): - """ - Allow migrations on the remote database - """ - return True diff --git a/roles/radius/templates/proxy-federez.conf.j2 b/roles/radius/templates/proxy-federez.conf.j2 deleted file mode 100644 index d3b9efe..0000000 --- a/roles/radius/templates/proxy-federez.conf.j2 +++ /dev/null 
@@ -1,87 +0,0 @@ -# -*- mode: conf-unix; coding: utf-8 -*- -proxy server { - default_fallback = no -} - - -realm LOCAL { - -} - -realm NULL { - -} - -#Proxy FedeRez ##### - -realm AUROREFEDEREZ { - auth_pool = federez_radius_servers -# nostrip -} - -home_server parangon_v4 { - type = auth - ipaddr = 185.230.78.47 - port = 1812 - secret = {{ radius_secret_federez }} - require_message_authenticator =yes - response_window = 20 - zombie_period = 40 - revive_interval = 120 - status_check = status-server - check_interval = 30 - num_answers_to_alive = 3 -} - -home_server parangon_v6 { - type = auth - ipaddr = 2a0c:700:0:23:67:e5ff:fee9:5 - port = 1812 - secret = {{ radius_secret_federez }} - require_message_authenticator =yes - response_window = 20 - zombie_period = 40 - revive_interval = 120 - status_check = status-server - check_interval = 30 - num_answers_to_alive = 3 -} - -home_server dodecagon_v4 { - type = auth - ipaddr = 195.154.165.76 - port = 1812 - secret = {{ radius_secret_federez }} - require_message_authenticator =yes - response_window = 20 - zombie_period = 40 - revive_interval = 120 - status_check = status-server - check_interval = 30 - num_answers_to_alive = 3 -} - -home_server dodecagon_v6 { - type = auth - ipaddr = 2001:bc8:273e::1 - port = 1812 - secret = {{ radius_secret_federez }} - require_message_authenticator =yes - response_window = 20 - zombie_period = 40 - revive_interval = 120 - status_check = status-server - check_interval = 30 - num_answers_to_alive = 3 -} - -home_server_pool federez_radius_servers { - type = fail-over - home_server = parangon_v4 - home_server = dodecagon_v4 - home_server = dodecagon_v6 - home_server = parangon_v6 -} - - - diff --git a/roles/radius/templates/proxy.conf.j2 b/roles/radius/templates/proxy.conf.j2 deleted file mode 100644 index 737d4c2..0000000 --- a/roles/radius/templates/proxy.conf.j2 +++ /dev/null 
@@ -1,54 +0,0 @@ -# -*- mode: conf-unix; coding: utf-8 -*- -proxy server { - default_fallback = no -} - - -realm LOCAL { - -} - -realm NULL { - -} - -#Proxy FedeRez ##### - -realm AUROREFEDEREZ { - auth_pool = aurore_central_radius_servers -# nostrip -} - -home_server radius_aurore_v4 { - type = auth - ipaddr = 10.128.0.251 - port = 1812 - secret = {{ radius_secret_aurore }} - require_message_authenticator =yes - response_window = 20 - zombie_period = 40 - revive_interval = 120 - status_check = status-server - check_interval = 30 - num_answers_to_alive = 3 -} - -home_server radius_aurore_v6 { - type = auth - ipaddr = 2a09:6840:128::251 - port = 1812 - secret = {{ radius_secret_aurore }} - require_message_authenticator =yes - response_window = 20 - zombie_period = 40 - revive_interval = 120 - status_check = status-server - check_interval = 30 - num_answers_to_alive = 3 -} - -home_server_pool aurore_central_radius_servers { - type = fail-over - home_server = radius_aurore_v4 - home_server = radius_aurore_v6 -} diff --git a/roles/radius/templates/settings_local.py.j2 b/roles/radius/templates/settings_local.py.j2 deleted file mode 100644 index 3fc63c8..0000000 --- a/roles/radius/templates/settings_local.py.j2 +++ /dev/null 
@@ -1,129 +0,0 @@ -# coding: utf-8 -# Re2o est un logiciel d'administration développé initiallement au rezometz. Il -# se veut agnostique au réseau considéré, de manière à être installable en -# quelques clics. -# -# Copyright © 2017 Gabriel Détraz -# Copyright © 2017 Goulven Kermarec -# Copyright © 2017 Augustin Lemesle -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation; either version 2 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License along -# with this program; if not, write to the Free Software Foundation, Inc., -# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -"""re2o.settings_locale -The file with all the available options for a locale configuration of re2o -""" - -from __future__ import unicode_literals - -# A secret key used by the server. -SECRET_KEY = "{{ re2o_secret_key }}" - -# The password to access the project database -DB_PASSWORD = "{{ re2o_db_password }}" - -# AES key for secret key encryption. -# The length must be a multiple of 16 -AES_KEY = "{{ re2o_aes_key }}" - -# Should the server run in debug mode ? -# SECURITY WARNING: don't run with debug turned on in production! -DEBUG = False - -# A list of admins of the services. Receive mails when an error occurs -ADMINS = [('AURORE', 'monitoring.aurore@lists.crans.org'),] - -# The list of hostname the server will respond to. 
-ALLOWED_HOSTS = ['{{ inventory_hostname }}'] - -# The time zone the server is runned in -TIME_ZONE = 'Europe/Paris' - -# The storage systems parameters to use -DATABASES = { - 'default': { - 'ENGINE': 'django.db.backends.postgresql_psycopg2', - 'NAME': 're2o', - 'USER': 're2o', - 'PASSWORD': DB_PASSWORD, - 'HOST': 're2o-db.adm.auro.re', - 'TEST': { - 'CHARSET': 'utf8', - 'COLLATION': 'utf8_general_ci' - } - }, - 'local': { - 'ENGINE': 'django.db.backends.postgresql_psycopg2', - 'NAME': 're2o', - 'USER': 're2o_ro', - 'PASSWORD': "{{ radius_pg_re2o_ro_password }}", - 'HOST': 'localhost', - 'TEST': { - 'CHARSET': 'utf8', - 'COLLATION': 'utf8_general_ci' - } - }, - 'ldap': { - 'ENGINE': 'ldapdb.backends.ldap', - 'NAME': 'ldap://10.128.0.21/', - 'USER': 'cn=admin,dc=auro,dc=re', - 'TLS': False, - 'PASSWORD': '{{ ldap_admin_password }}', - } -} - -# Security settings for secure https -# Activate once https is correctly configured -SECURE_CONTENT_TYPE_NOSNIFF = False -SECURE_BROWSER_XSS_FILTER = False -SESSION_COOKIE_SECURE = False -CSRF_COOKIE_SECURE = False -CSRF_COOKIE_HTTPONLY = False -X_FRAME_OPTIONS = 'DENY' -SESSION_COOKIE_AGE = 60 * 60 * 3 - -# The path where your organization logo is stored -LOGO_PATH = "static_files/logo.png" - -# The mail configuration for Re2o to send mails -SERVER_EMAIL = 'no-reply@auro.re' # The mail address to use -EMAIL_HOST = 'localhost' # The host to use -EMAIL_PORT = 25 # The port to use - -# Settings of the LDAP structure -LDAP = { - 'base_user_dn': 'cn=Utilisateurs,dc=auro,dc=re', - 'base_userservice_dn': 'ou=service-users,dc=auro,dc=re', - 'base_usergroup_dn': 'ou=posix,ou=groups,dc=auro,dc=re', - 'base_userservicegroup_dn': 'ou=services,ou=groups,dc=auro,dc=re', - 'user_gid': 100, - } - -# A range of UID to use. Used in linux environement -UID_RANGES = { - 'users': [21001, 30000], - 'service-users': [20000, 21000], -} - -# A range of GID to use. 
Used in linux environement -GID_RANGES = { - 'posix': [501, 600], -} - -# Some optionnal Re2o Apps -OPTIONNAL_APPS_RE2O = () - -# Some Django apps you want to add in you local project -OPTIONNAL_APPS = OPTIONNAL_APPS_RE2O + () - -LOCAL_ROUTERS = ["re2o.local_routers.DbRouter"] diff --git a/roles/radius/templates/sites-enabled/default.j2 b/roles/radius/templates/sites-enabled/default.j2 deleted file mode 100644 index a406559..0000000 --- a/roles/radius/templates/sites-enabled/default.j2 +++ /dev/null 
@@ -1,239 +0,0 @@ -###################################################################### -# -# As of 2.0.0, FreeRADIUS supports virtual hosts using the -# "server" section, and configuration directives. -# -# Virtual hosts should be put into the "sites-available" -# directory. Soft links should be created in the "sites-enabled" -# directory to these files. This is done in a normal installation. -# -# If you are using 802.1X (EAP) authentication, please see also -# the "inner-tunnel" virtual server. You will likely have to edit -# that, too, for authentication to work. -# -# $Id: 083407596aa5074d665adac9606e7de655b634aa $ -# -###################################################################### -# -# Read "man radiusd" before editing this file. See the section -# titled DEBUGGING. It outlines a method where you can quickly -# obtain the configuration you want, without running into -# trouble. See also "man unlang", which documents the format -# of this file. -# -# This configuration is designed to work in the widest possible -# set of circumstances, with the widest possible number of -# authentication methods. This means that in general, you should -# need to make very few changes to this file. -# -# The best way to configure the server for your local system -# is to CAREFULLY edit this file. Most attempts to make large -# edits to this file will BREAK THE SERVER. Any edits should -# be small, and tested by running the server with "radiusd -X". -# Once the edits have been verified to work, save a copy of these -# configuration files somewhere. (e.g. as a "tar" file). Then, -# make more edits, and test, as above. -# -# There are many "commented out" references to modules such -# as ldap, sql, etc. These references serve as place-holders. -# If you need the functionality of that module, then configure -# it in radiusd.conf, and un-comment the references to it in -# this file. 
In most cases, those small changes will result -# in the server being able to connect to the DB, and to -# authenticate users. -# -###################################################################### - -server default { -listen { - type = auth - ipaddr = * - port = 0 - - limit { - max_connections = 16 - lifetime = 0 - idle_timeout = 30 - } -} - -listen { - ipaddr = * - port = 0 - type = acct - - limit { - } -} - -# IPv6 versions of the above - read their full config to understand options -listen { - type = auth - ipv6addr = :: # any. ::1 == localhost - port = 0 - limit { - max_connections = 16 - lifetime = 0 - idle_timeout = 30 - } -} - -listen { - ipv6addr = :: - port = 0 - type = acct - - limit { - } -} -} - -server radius-wifi { -authorize { - rewrite_calling_station_id - - if (User-Name =~ /^(.*)@(.*)/){ - if (User-Name !~ /^(.*)@(.*)auro(.*)/){ - update control{ - Proxy-To-Realm := 'AUROREFEDEREZ' - } - } - - if ("%{request:User-Name}" =~ /^(.*)@(.*)auro(.*)/){ - update request{ - Stripped-User-Name := "%{1}" - } - } - } - - filter_username - - preprocess - - suffix - - eap { - ok = return - } - - expiration - logintime - - pap - -} - -authenticate { - Auth-Type PAP { - pap - } - - Auth-Type CHAP { - chap - } - - Auth-Type MS-CHAP { - mschap - } - - mschap - - digest - - eap -} - - -preacct { - preprocess - - acct_unique - - suffix - files -} - -accounting { - - detail - - unix - exec - -} - -session { -} - -post-auth { - update { - &reply: += &session-state: - } - - exec - - - remove_reply_message_if_eap - - Post-Auth-Type REJECT { - -sql - attr_filter.access_reject - - eap - - remove_reply_message_if_eap - } -} - -pre-proxy { -} - -post-proxy { - eap -} -} - - - -server radius-filaire{ - authorize{ - - re2o - expiration - logintime - pap - } - authenticate{ - Auth-Type PAP{ - pap - } - Auth-Type CHAP{ - chap - } - Auth-Type MS-CHAP{ - mschap - } - digest - eap - - } - preacct{ - preprocess - acct_unique - suffix - files - } - accounting{ - } - session{ - } 
- post-auth{ - re2o - exec - } - pre-proxy{ - } - post-proxy{ - eap - } -} diff --git a/roles/radius/templates/sites-enabled/inner-tunnel.j2 b/roles/radius/templates/sites-enabled/inner-tunnel.j2 deleted file mode 100644 index ee6e929..0000000 --- a/roles/radius/templates/sites-enabled/inner-tunnel.j2 +++ /dev/null 
@@ -1,345 +0,0 @@ -# -*- text -*- -###################################################################### -# -# This is a virtual server that handles *only* inner tunnel -# requests for EAP-TTLS and PEAP types. -# -# $Id: 2c6f9611bfc7b4b782aeb9764e47e832690739c4 $ -# -###################################################################### - -server inner-tunnel { - -# -# This next section is here to allow testing of the "inner-tunnel" -# authentication methods, independently from the "default" server. -# It is listening on "localhost", so that it can only be used from -# the same machine. -# -# $ radtest USER PASSWORD 127.0.0.1:18120 0 testing123 -# -# If it works, you have configured the inner tunnel correctly. To check -# if PEAP will work, use: -# -# $ radtest -t mschap USER PASSWORD 127.0.0.1:18120 0 testing123 -# -# If that works, PEAP should work. If that command doesn't work, then -# -# FIX THE INNER TUNNEL CONFIGURATION SO THAT IT WORKS. -# -# Do NOT do any PEAP tests. It won't help. Instead, concentrate -# on fixing the inner tunnel configuration. DO NOTHING ELSE. -# -listen { - ipaddr = 127.0.0.1 - port = 18120 - type = auth -} - - -# Authorization. First preprocess (hints and huntgroups files), -# then realms, and finally look in the "users" file. -# -# The order of the realm modules will determine the order that -# we try to find a matching realm. -# -# Make *sure* that 'preprocess' comes before any realm if you -# need to setup hints for the remote radius server -authorize { - if ("%{request:User-Name}" =~ /^(.*)@auro(.*)/){ - update request{ - Stripped-User-Name := "%{1}" - } - } - # - # Take a User-Name, and perform some checks on it, for spaces and other - # invalid characters. If the User-Name appears invalid, reject the - # request. - # - # See policy.d/filter for the definition of the filter_username policy. 
- # - filter_username - - re2o - - # - # Do checks on outer / inner User-Name, so that users - # can't spoof us by using incompatible identities - # -# filter_inner_identity - - # - # The chap module will set 'Auth-Type := CHAP' if we are - # handling a CHAP request and Auth-Type has not already been set - chap - - # - # If the users are logging in with an MS-CHAP-Challenge - # attribute for authentication, the mschap module will find - # the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP' - # to the request, which will cause the server to then use - # the mschap module for authentication. - mschap - - # - # Pull crypt'd passwords from /etc/passwd or /etc/shadow, - # using the system API's to get the password. If you want - # to read /etc/passwd or /etc/shadow directly, see the - # passwd module, above. - # -# unix - - # - # Look for IPASS style 'realm/', and if not found, look for - # '@realm', and decide whether or not to proxy, based on - # that. -# IPASS - - # - # If you are using multiple kinds of realms, you probably - # want to set "ignore_null = yes" for all of them. - # Otherwise, when the first style of realm doesn't match, - # the other styles won't be checked. - # - # Note that proxying the inner tunnel authentication means - # that the user MAY use one identity in the outer session - # (e.g. "anonymous", and a different one here - # (e.g. "user@example.com"). The inner session will then be - # proxied elsewhere for authentication. If you are not - # careful, this means that the user can cause you to forward - # the authentication to another RADIUS server, and have the - # accounting logs *not* sent to the other server. This makes - # it difficult to bill people for their network activity. - # - suffix -# ntdomain - - # - # The "suffix" module takes care of stripping the domain - # (e.g. "@example.com") from the User-Name attribute, and the - # next few lines ensure that the request is not proxied. 
- # - # If you want the inner tunnel request to be proxied, delete - # the next few lines. - # - update control { - &Proxy-To-Realm := LOCAL - } - - # - # This module takes care of EAP-MSCHAPv2 authentication. - # - # It also sets the EAP-Type attribute in the request - # attribute list to the EAP type from the packet. - # - # The example below uses module failover to avoid querying all - # of the following modules if the EAP module returns "ok". - # Therefore, your LDAP and/or SQL servers will not be queried - # for the many packets that go back and forth to set up TTLS - # or PEAP. The load on those servers will therefore be reduced. - # - eap { - ok = return - } - - # - # Read the 'users' file - #files - - # - # Look in an SQL database. The schema of the database - # is meant to mirror the "users" file. - # - # See "Authorization Queries" in sql.conf - #-sql - - # - # If you are using /etc/smbpasswd, and are also doing - # mschap authentication, the un-comment this line, and - # enable the "smbpasswd" module. -# smbpasswd - - # - # The ldap module reads passwords from the LDAP database. - #-ldap - - # - # Enforce daily limits on time spent logged in. -# daily - - expiration - logintime - - # - # If no other module has claimed responsibility for - # authentication, then try to use PAP. This allows the - # other modules listed above to add a "known good" password - # to the request, and to do nothing else. The PAP module - # will then see that password, and use it to do PAP - # authentication. - # - # This module should be listed last, so that the other modules - # get a chance to set Auth-Type for themselves. - # - pap -} - - -# Authentication. -# -# -# This section lists which modules are available for authentication. -# Note that it does NOT mean 'try each module in order'. It means -# that a module from the 'authorize' section adds a configuration -# attribute 'Auth-Type := FOO'. 
That authentication type is then -# used to pick the appropriate module from the list below. -# - -# In general, you SHOULD NOT set the Auth-Type attribute. The server -# will figure it out on its own, and will do the right thing. The -# most common side effect of erroneously setting the Auth-Type -# attribute is that one authentication method will work, but the -# others will not. -# -# The common reasons to set the Auth-Type attribute by hand -# is to either forcibly reject the user, or forcibly accept him. -# -authenticate { - # - # PAP authentication, when a back-end database listed - # in the 'authorize' section supplies a password. The - # password can be clear-text, or encrypted. - Auth-Type PAP { - pap - } - - # - # Most people want CHAP authentication - # A back-end database listed in the 'authorize' section - # MUST supply a CLEAR TEXT password. Encrypted passwords - # won't work. - Auth-Type CHAP { - chap - } - - # - # MSCHAP authentication. - Auth-Type MS-CHAP { - mschap - } - - # - # For old names, too. - # - mschap - - # - # Allow EAP authentication. - eap -} - -###################################################################### -# -# There are no accounting requests inside of EAP-TTLS or PEAP -# tunnels. -# -###################################################################### - - -# Session database, used for checking Simultaneous-Use. Either the radutmp -# or rlm_sql module can handle this. -# The rlm_sql module is *much* faster -session { - radutmp - - # - # See "Simultaneous Use Checking Queries" in sql.conf -# sql -} - - -# Post-Authentication -# Once we KNOW that the user has been authenticated, there are -# additional steps we can take. -# -# Note that the last packet of the inner-tunnel authentication -# MAY NOT BE the last packet of the outer session. So updating -# the outer reply MIGHT work, and sometimes MIGHT NOT. The -# exact functionality depends on both the inner and outer -# authentication methods. 
-# -# If you need to send a reply attribute in the outer session, -# the ONLY safe way is to set "use_tunneled_reply = yes", and -# then update the inner-tunnel reply. -post-auth { - re2o - - Post-Auth-Type REJECT { - # log failed authentications in SQL, too. - -sql - attr_filter.access_reject - - # - # Let the outer session know which module failed, and why. - # - update outer.session-state { - &Module-Failure-Message := &request:Module-Failure-Message - } - } -} - -# -# When the server decides to proxy a request to a home server, -# the proxied request is first passed through the pre-proxy -# stage. This stage can re-write the request, or decide to -# cancel the proxy. -# -# Only a few modules currently have this method. -# -pre-proxy { - # Uncomment the following line if you want to change attributes - # as defined in the preproxy_users file. -# files - - # Uncomment the following line if you want to filter requests - # sent to remote servers based on the rules defined in the - # 'attrs.pre-proxy' file. -# attr_filter.pre-proxy - - # If you want to have a log of packets proxied to a home - # server, un-comment the following line, and the - # 'detail pre_proxy_log' section, above. -# pre_proxy_log -} - -# -# When the server receives a reply to a request it proxied -# to a home server, the request may be massaged here, in the -# post-proxy stage. -# -post-proxy { - - # If you want to have a log of replies from a home server, - # un-comment the following line, and the 'detail post_proxy_log' - # section, above. -# post_proxy_log - - # Uncomment the following line if you want to filter replies from - # remote proxies based on the rules defined in the 'attrs' file. -# attr_filter.post-proxy - - # - # If you are proxying LEAP, you MUST configure the EAP - # module, and you MUST list it here, in the post-proxy - # stage. - # - # You MUST also use the 'nostrip' option in the 'realm' - # configuration. 
Otherwise, the User-Name attribute - # in the proxied request will not match the user name - # hidden inside of the EAP packet, and the end server will - # reject the EAP request. - # - eap -} - -} # inner-tunnel server block