From: Julien Cristau
Date: Mon, 26 Feb 2018 20:06:07 +0000 (+0100)
Subject: Attempt to pull in some of the freeradius config from rtc.d.o
X-Git-Url: https://git.adam-barratt.org.uk/?a=commitdiff_plain;h=de1dd4d8772fa333b988dea81d390495acc11834;p=mirror%2Fdsa-puppet.git
Attempt to pull in some of the freeradius config from rtc.d.o
---
diff --git a/modules/roles/files/rtc/freeradius-mod-passwd-rtc b/modules/roles/files/rtc/freeradius-mod-passwd-rtc
new file mode 100644
index 000000000..acf01dc30
--- /dev/null
+++ b/modules/roles/files/rtc/freeradius-mod-passwd-rtc
@@ -0,0 +1,7 @@
+passwd rtc_users {
+ filename = /var/local/rtc-passwords.freerad
+ format = "*User-Name:Digest-HA1:"
+ hashsize = 1000
+ ignorenislike = no
+ allowmultiplekeys = no
+}
diff --git a/modules/roles/manifests/rtc.pp b/modules/roles/manifests/rtc.pp
index b488e45ea..f90b25641 100644
--- a/modules/roles/manifests/rtc.pp
+++ b/modules/roles/manifests/rtc.pp
@@ -97,4 +97,38 @@ class roles::rtc {
 service { 'repro':
 ensure => running,
 }
+
+ package { 'freeradius':
+ ensure => installed,
+ }
+ service { 'freeradius':
+ ensure => running,
+ }
+ $radius_password = hkdf('/etc/puppet/secret', "rtc-${::hostname}-radius-password")
+ file { '/etc/freeradius/3.0/sites-available/rtc.debian.org':
+ content => template('modules/roles/rtc/freeradius-rtc.erb'),
+ mode => '0440',
+ group => freerad,
+ }
+ file { '/etc/freeradius/3.0/sites-enabled/rtc.debian.org':
+ ensure => link,
+ target => '../sites-available/rtc.debian.org',
+ }
+ file { '/etc/freeradius/3.0/mods-available/passwd_rtc':
+ source => 'puppet:///modules/roles/rtc/freeradius-mod-passwd',
+ mode => '0440',
+ group => freerad,
+ }
+ file { '/etc/freeradius/3.0/mods-enabled/passwd_rtc':
+ ensure => link,
+ target => '../mods-available/passwd_rtc',
+ }
+ file { '/etc/repro/radius-servers':
+ content => @(EOF),
+ localhost/localhost ${radius_password}
+ | EOF
+ mode => '0440',
+ group => repro,
+ notify => Service['repro'],
+ }
 }
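Review bot: The new file is added as `modules/roles/files/rtc/freeradius-mod-passwd-rtc`, but the manifest hunk in rtc.pp references it as `source => 'puppet:///modules/roles/rtc/freeradius-mod-passwd'`, so the `mods-available/passwd_rtc` resource will fail on the agent with a missing-source error; either rename this file or change the source URL to `puppet:///modules/roles/rtc/freeradius-mod-passwd-rtc`. The module also points at `/var/local/rtc-passwords.freerad`, which nothing in this commit manages; since the Digest-HA1 values it holds are credential-equivalent for digest authentication, it is worth confirming that file's ownership and mode restrict it to the freerad user, or adding a `file` resource for it in a follow-up.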
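Review bot: The heredoc for `/etc/repro/radius-servers` uses `content => @(EOF),`, and a Puppet heredoc only interpolates when its end tag is double-quoted, so the file will contain the literal text `${radius_password}` rather than the derived secret and repro's shared secret will never match the one the freeradius template receives; the line should read `content => @("EOF"),`. The three freeradius `file` resources and the `mods-enabled`/`sites-enabled` links carry no `notify => Service['freeradius']`, so a rotated secret or a changed virtual-server config is not picked up until someone restarts the daemon by hand, whereas the repro side does get `notify => Service['repro']`. They also have no `require => Package['freeradius']`; on a fresh host the files under `/etc/freeradius/3.0` may be applied before the package creates that tree, depending on the agent's resource ordering, which I have not verified here.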
diff --git a/modules/roles/templates/rtc/freeradius-rtc.erb b/modules/roles/templates/rtc/freeradius-rtc.erb
new file mode 100644
index 000000000..b066cfb1a
--- /dev/null
+++ b/modules/roles/templates/rtc/freeradius-rtc.erb
@@ -0,0 +1,45 @@
+server rtc.debian.org {
+ listen {
+ ipaddr = 127.0.0.1
+ port = 0
+ type = auth
+ }
+
+ authorize {
+ rtc_users
+ digest
+ }
+
+ authenticate {
+ digest
+ }
+
+ preacct {
+ }
+
+ accounting {
+ }
+
+ session {
+ }
+
+ post-auth {
+ update reply {
+ Reply-Message = "thanks for using rtc.debian.org"
+ }
+ Post-Auth-Type REJECT {
+ attr_filter.access_reject
+ }
+ }
+
+ pre-proxy {
+ }
+
+ post-proxy {
+ }
+
+ client localhost {
+ ipaddr = 127.0.0.1
+ secret = <%= @radius_password %>
+ }
+}
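Review bot: The shared secret in `client localhost` is emitted unquoted as `secret = <%= @radius_password %>`, so the result depends on the output alphabet of the `hkdf` function; if it can ever contain whitespace, `#` or other characters the FreeRADIUS parser treats specially, the value is silently truncated and authentication fails, so I would write `secret = "<%= @radius_password %>"` regardless. The `listen` block binds 127.0.0.1 with `port = 0`, i.e. the default auth port, and nothing in this commit disables the package's shipped default site in `sites-enabled`; if that site still listens on the same port on all addresses the two listeners may collide at startup, which is worth confirming on the target host. A one-line header comment naming the consumer, e.g. `# Digest auth for repro; the secret below must match /etc/repro/radius-servers`, would help the next reader connect the two files.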