From ea843e2f47476f98344d5db5204c7a60504a2a3b Mon Sep 17 00:00:00 2001
From: Jeltz
Date: Thu, 1 Sep 2022 03:39:02 +0200
Subject: [PATCH] freeradius: minimal config for attr_filter
---
 roles/freeradius/defaults/main.yml | 2 +-
 roles/freeradius/tasks/main.yml | 2 ++
 .../templates/mods-available/attr_filter.j2 | 11 +++++++++++
 .../mods-config/attr_filter/access_challenge.j2 | 10 ++++++++++
 .../mods-config/attr_filter/access_reject.j2 | 10 ++++++++++
 5 files changed, 34 insertions(+), 1 deletion(-)
 create mode 100644 roles/freeradius/templates/mods-available/attr_filter.j2
 create mode 100644 roles/freeradius/templates/mods-config/attr_filter/access_challenge.j2
 create mode 100644 roles/freeradius/templates/mods-config/attr_filter/access_reject.j2
diff --git a/roles/freeradius/defaults/main.yml b/roles/freeradius/defaults/main.yml
index 43f13d3..5479944 100644
--- a/roles/freeradius/defaults/main.yml
+++ b/roles/freeradius/defaults/main.yml
@@ -4,7 +4,7 @@ radiusd__status_server: true
 radiusd__clients: {}
 radiusd__enabled_modules_minimal:
 - always
- - attr_filter # TODO
+ - attr_filter
 - cache_eap # TODO
 - detail # TODO
 - detail.log # TODO
diff --git a/roles/freeradius/tasks/main.yml b/roles/freeradius/tasks/main.yml
index 754cd7a..1467cf2 100644
--- a/roles/freeradius/tasks/main.yml
+++ b/roles/freeradius/tasks/main.yml
@@ -52,6 +52,8 @@
 - mods-available/always
 - mods-available/eap
 - mods-available/eap_inner
+ - mods-config/attr_filter/access_challenge
+ - mods-config/attr_filter/access_reject
 notify:
 - Restart freeradius
diff --git a/roles/freeradius/templates/mods-available/attr_filter.j2 b/roles/freeradius/templates/mods-available/attr_filter.j2
new file mode 100644
index 0000000..03232a3
--- /dev/null
+++ b/roles/freeradius/templates/mods-available/attr_filter.j2
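Review bot: The template list in the `roles/freeradius/tasks/main.yml` hunk gains the two `mods-config/attr_filter/*` entries but not `mods-available/attr_filter`, the module template this same commit creates. Unless a task outside the hunk renders module files some other way, the new module definition would never be deployed and the server would presumably keep whatever attr_filter config the package ships. If this list is what renders the module files, add `- mods-available/attr_filter` next to `- mods-available/eap_inner`. The task starts before the hunk, so its destination path, and whether the `mods-config/attr_filter` directory exists before templating, cannot be checked from here.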
@@ -0,0 +1,11 @@
+{{ ansible_managed | comment }}
+
+attr_filter attr_filter.access_reject {
+ key = "%{User-Name}"
+ filename = ${modconfdir}/${.:name}/access_reject
+}
+
+attr_filter attr_filter.access_challenge {
+ key = "%{User-Name}"
+ filename = ${modconfdir}/${.:name}/access_challenge
+}
diff --git a/roles/freeradius/templates/mods-config/attr_filter/access_challenge.j2 b/roles/freeradius/templates/mods-config/attr_filter/access_challenge.j2
new file mode 100644
index 0000000..0a6ec70
--- /dev/null
+++ b/roles/freeradius/templates/mods-config/attr_filter/access_challenge.j2
@@ -0,0 +1,10 @@
+{{ ansible_managed | comment }}
+
+DEFAULT
+ EAP-Message =* ANY,
+ State =* ANY,
+ Message-Authenticator =* ANY,
+ Reply-Message =* ANY,
+ Proxy-State =* ANY,
+ Session-Timeout =* ANY,
+ Idle-Timeout =* ANY
diff --git a/roles/freeradius/templates/mods-config/attr_filter/access_reject.j2 b/roles/freeradius/templates/mods-config/attr_filter/access_reject.j2
new file mode 100644
index 0000000..842fd42
--- /dev/null
+++ b/roles/freeradius/templates/mods-config/attr_filter/access_reject.j2
@@ -0,0 +1,10 @@
+{{ ansible_managed | comment }}
+
+DEFAULT
+ EAP-Message =* ANY,
+ State =* ANY,
+ Message-Authenticator =* ANY,
+ Error-Cause =* ANY,
+ Reply-Message =* ANY,
+ MS-CHAP-Error =* ANY,
+ Proxy-State =* ANY
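Review bot: Defining `attr_filter.access_reject` and `attr_filter.access_challenge` in `mods-available/attr_filter.j2` filters nothing by itself, because each instance only runs where a virtual server calls it. In the stock layout those calls sit in `Post-Auth-Type REJECT` and `Post-Auth-Type Challenge`. No site template is touched in this commit, so it is worth confirming that the role's virtual servers call both instances; otherwise reject and challenge replies leave the server unfiltered. A short header comment after the `ansible_managed` line, e.g. `# instances are called from Post-Auth-Type REJECT / Challenge in the site config`, would make that dependency visible.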
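Review bot: The two filter files, `mods-config/attr_filter/access_challenge.j2` and `access_reject.j2`, are allow-lists but carry no comment saying so: any reply attribute not listed under `DEFAULT` is removed from the packet. A one-line header in each, such as `# Allow-list: reply attributes not listed below are stripped`, would keep a later edit from reading the list as a block-list. `Reply-Message =* ANY` passes through whatever text policy sets, so the reject text configured elsewhere should stay generic rather than reveal why authentication failed.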