Attempt to pull in some of the freeradius config from rtc.d.o
authorJulien Cristau <jcristau@debian.org>
Mon, 26 Feb 2018 20:06:07 +0000 (21:06 +0100)
committerJulien Cristau <jcristau@debian.org>
Mon, 26 Feb 2018 20:11:09 +0000 (21:11 +0100)
modules/roles/files/rtc/freeradius-mod-passwd-rtc [new file with mode: 0644]
modules/roles/manifests/rtc.pp
modules/roles/templates/rtc/freeradius-rtc.erb [new file with mode: 0644]

diff --git a/modules/roles/files/rtc/freeradius-mod-passwd-rtc b/modules/roles/files/rtc/freeradius-mod-passwd-rtc
new file mode 100644 (file)
index 0000000..acf01dc
--- /dev/null
@@ -0,0 +1,7 @@
+passwd rtc_users {
+       filename = /var/local/rtc-passwords.freerad
+       format = "*User-Name:Digest-HA1:"
+       hashsize = 1000
+       ignorenislike = no
+       allowmultiplekeys = no
+}
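Review bot: The file this module reads, `/var/local/rtc-passwords.freerad`, is not managed anywhere in this diff, and the `format` line hands out Digest-HA1 values, which are password-equivalent for HTTP Digest authentication. A header comment in the module file would make that requirement explicit for whoever provisions the passwd file, e.g. `# Digest-HA1 values are password-equivalent; the passwd file must be readable only by root and freerad`. Whether the passwd file is created elsewhere with that ownership cannot be confirmed from this hunk.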
index b488e45..f90b256 100644 (file)
@@ -97,4 +97,38 @@ class roles::rtc {
        service { 'repro':
                ensure  => running,
        }
+
+       package { 'freeradius':
+               ensure  => installed,
+       }
+       service { 'freeradius':
+               ensure  => running,
+       }
+       $radius_password = hkdf('/etc/puppet/secret', "rtc-${::hostname}-radius-password")
+       file { '/etc/freeradius/3.0/sites-available/rtc.debian.org':
+               content => template('modules/roles/rtc/freeradius-rtc.erb'),
+               mode    => '0440',
+               group   => freerad,
+       }
+       file { '/etc/freeradius/3.0/sites-enabled/rtc.debian.org':
+               ensure  => link,
+               target  => '../sites-available/rtc.debian.org',
+       }
+       file { '/etc/freeradius/3.0/mods-available/passwd_rtc':
+               source  => 'puppet:///modules/roles/rtc/freeradius-mod-passwd',
+               mode    => '0440',
+               group   => freerad,
+       }
+       file { '/etc/freeradius/3.0/mods-enabled/passwd_rtc':
+               ensure  => link,
+               target  => '../mods-available/passwd_rtc',
+       }
+       file { '/etc/repro/radius-servers':
+               content => @(EOF),
+                       localhost/localhost ${radius_password}
+                       | EOF
+               mode    => '0440',
+               group   => repro,
+               notify  => Service['repro'],
+       }
 }
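Review bot: The `source` URL on the `/etc/freeradius/3.0/mods-available/passwd_rtc` resource points at `puppet:///modules/roles/rtc/freeradius-mod-passwd`, but the file this commit adds is `modules/roles/files/rtc/freeradius-mod-passwd-rtc`, so the agent will fail to fetch it; change it to `source  => 'puppet:///modules/roles/rtc/freeradius-mod-passwd-rtc',`. None of the four freeradius file resources notify `Service['freeradius']`, so a later change to the site or module config is not picked up until someone restarts the daemon by hand; add `notify  => Service['freeradius'],` to each, as the repro resource already does for its service. The files under /etc/freeradius/3.0 also carry no `require => Package['freeradius']`, so unless manifest ordering is being relied on, a first run can try to write into a directory the package has not created yet. The enclosing class roles::rtc starts outside the hunk.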
diff --git a/modules/roles/templates/rtc/freeradius-rtc.erb b/modules/roles/templates/rtc/freeradius-rtc.erb
new file mode 100644 (file)
index 0000000..b066cfb
--- /dev/null
@@ -0,0 +1,45 @@
+server rtc.debian.org {
+  listen {
+    ipaddr = 127.0.0.1
+    port = 0
+    type = auth
+  }
+
+  authorize {
+    rtc_users
+    digest
+  }
+
+  authenticate {
+    digest
+  }
+
+  preacct {
+  }
+
+  accounting {
+  }
+
+  session {
+  }
+
+  post-auth {
+    update reply {
+      Reply-Message = "thanks for using rtc.debian.org"
+    }
+    Post-Auth-Type REJECT {
+      attr_filter.access_reject
+    }
+  }
+
+  pre-proxy {
+  }
+
+  post-proxy {
+  }
+
+  client localhost {
+    ipaddr = 127.0.0.1
+    secret = <%= @radius_password %>
+  }
+}
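Review bot: The shared secret on the `secret =` line in `client localhost` is interpolated unquoted; if hkdf() can ever emit characters FreeRADIUS treats specially in a bare value (whitespace, `#`, `$`), the server config becomes invalid or the secret is silently mangled, so `secret = "<%= @radius_password %>"` is the safer form, assuming the function's output contains no double quotes. `port = 0` in the listen block means the default port for the listener type, which is not obvious to a reader of the template; a comment such as `# port = 0: use the default RADIUS auth port` would save a lookup.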