add radius-client role

15990bfe · Lars Beckers · 8961c3ff · 15990bfe · 15990bfe · 15990bfe
Commit 15990bfe authored Jul 03, 2018 by Lars Beckers
--- a/radius-client/defaults/main.yml
+++ b/radius-client/defaults/main.yml
+---
+
+radius_certs_dir: "{{ inventory_dir }}/files/radius-certs/"
--- a/radius-client/handlers/main.yml
+++ b/radius-client/handlers/main.yml
+---
+
+- name: reload systemd service files
+  command: systemctl daemon-reload
+
+- name: restart wpasupplicant@eth0
+  service: name=wpa_supplicant-wired@eth0 state=restarted
+
+- name: restart wpasupplicant@eth1
+  service: name=wpa_supplicant-wired@eth1 state=restarted
+
+- name: restart wpasupplicant@enp0s25
+  service: name=wpa_supplicant-wired@enp0s25 state=restarted
+
--- a/radius-client/tasks/main.yml
+++ b/radius-client/tasks/main.yml
+---
+
+- name: ensure wpasupplicant is installed
+  apt:
+    name: wpasupplicant
+    state: present
+  tags:
+    - 8021x
+ 
+- name: copy host certificate
+  copy:
+    src: "{{ radius_certs_dir }}/{{ inventory_hostname }}.{{ item }}"
+    dest: "/etc/wpa_supplicant/{{ inventory_hostname }}.{{ item }}"
+    owner: root
+    group: root
+    mode: 0400
+  with_items:
+    - pem
+    - key
+  tags:
+    - 8021x
+
+- name: configure wpasupplicant
+  template:
+    src: wpa_supplicant.j2
+    dest: "/etc/wpa_supplicant/wpa_supplicant-wired-{{ ansible_default_ipv4.interface }}.conf"
+    owner: root
+    group: root
+    mode: 0640
+  notify:
+    - "restart wpasupplicant@{{ ansible_default_ipv4.interface }}"
+  tags:
+    - 8021x
+
+- name: ensure a wired wpasupplicant service is available
+  template:
+    src: wpa_supplicant-wired@.service.j2
+    dest: /etc/systemd/system/wpa_supplicant-wired@.service
+  notify:
+    - reload systemd service files
+    - "restart wpasupplicant@{{ ansible_default_ipv4.interface }}"
+  tags:
+    - 8021x
+
+- meta: flush_handlers
+
+- name: ensure wpasupplicant is enabled and running
+  service:
+    name: "wpa_supplicant-wired@{{ ansible_default_ipv4.interface }}"
+    state: started
+    enabled: yes
+  tags:
+    - 8021x
+
--- a/radius-client/templates/wpa_supplicant-wired@.service
+++ b/radius-client/templates/wpa_supplicant-wired@.service
+[Unit]
+Description=WPA supplicant daemon (interface- and wired driver-specific version)
+Requires=sys-subsystem-net-devices-%i.device
+After=sys-subsystem-net-devices-%i.device
+Before=network.target
+Wants=network.target
+
+[Service]
+Type=simple
+ExecStart=/usr/bin/wpa_supplicant -c/etc/wpa_supplicant/wpa_supplicant-wired-%I.conf -Dwired -i%I
+
+[Install]
+Alias=multi-user.target.wants/wpa_supplicant-wired@%i.service
--- a/radius-client/templates/wpa_supplicant.j2
+++ b/radius-client/templates/wpa_supplicant.j2
+ctrl_interface=/var/run/wpa_supplicant
+
+ctrl_interface_group=0
+
+eapol_version=2
+
+ap_scan=0
+
+network={
+	key_mgmt=IEEE8021X
+	eap=TLS
+	identity="{{ inventory_hostname }}@ssl.asta.rwth-aachen.de"
+	ca_cert="/etc/ssl/certs/asta_ca.pem"
+	client_cert="/etc/wpa_supplicant/{{ inventory_hostname }}.pem"
+	private_key="/etc/wpa_supplicant/{{ inventory_hostname }}.key"
+}
+