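# Base class to install FreeRADIUS
#
# Installs the FreeRADIUS packages, lays down the top-level radiusd.conf and
# the directory layout that the other classes of this module populate, builds
# the global policy and dictionary files with concat, manages the radiusd
# user and service, generates the global TLS parameters, and blanks the stock
# config files that conflict with this module's layout.
#
# Parameters:
#   $control_socket - when true, also install the control-socket virtual
#                     server (sites-enabled/control-socket).
#   $fr_service     - name of the radiusd service to manage; defaults to the
#                     value from freeradius::params.
#
# $fr_basepath and $fr_package come from freeradius::params via inheritance.
class freeradius (
  $control_socket = false,
  # Name the params value explicitly instead of the parameter's own name, so
  # the default does not rely on scope-lookup fallback to find it.
  $fr_service = $freeradius::params::fr_service,
) inherits freeradius::params {

  include samba

  # Top-level config; any change restarts radiusd (via the config test below).
  file { 'radiusd.conf':
    name    => "${fr_basepath}/radiusd.conf",
    mode    => '0640',
    owner   => 'root',
    group   => 'radiusd',
    source  => 'puppet:///modules/freeradius/radiusd.conf',
    require => Package[$fr_package],
    notify  => Service[$fr_service],
  }

  # Create various directories
  file { [
    "${fr_basepath}/clients.d",
    "${fr_basepath}/statusclients.d",
    $fr_basepath,
    "${fr_basepath}/instantiate",
    "${fr_basepath}/conf.d",
    "${fr_basepath}/attr.d",
    "${fr_basepath}/users.d",
    "${fr_basepath}/policy.d",
    "${fr_basepath}/dictionary.d",
    "${fr_basepath}/scripts",
    "${fr_basepath}/certs",
  ]:
    ensure  => directory,
    mode    => '0750',
    owner   => 'root',
    group   => 'radiusd',
    require => Package[$fr_package],
    notify  => Service[$fr_service],
  }

  # Set up concat policy file, as there is only one global policy
  # We also add standard header and footer
  concat { "${fr_basepath}/policy.conf":
    owner => 'root',
    group => 'radiusd',
    mode  => '0640',
  }
  # Fragment orders are strings throughout so they sort consistently.
  concat::fragment { 'policy_header':
    target  => "${fr_basepath}/policy.conf",
    content => "policy {\n",
    order   => '10',
  }
  concat::fragment { 'policy_footer':
    target  => "${fr_basepath}/policy.conf",
    content => "}\n",
    order   => '99',
  }

  # Install a slightly tweaked stock dictionary that includes
  # our custom dictionaries
  concat { "${fr_basepath}/dictionary":
    owner => 'root',
    group => 'radiusd',
    mode  => '0640',
  }
  concat::fragment { 'dictionary_header':
    target  => "${fr_basepath}/dictionary",
    source  => 'puppet:///modules/freeradius/dictionary.header',
    order   => '10',
  }
  concat::fragment { 'dictionary_footer':
    target  => "${fr_basepath}/dictionary",
    source  => 'puppet:///modules/freeradius/dictionary.footer',
    order   => '90',
  }

  # Install FreeRADIUS packages from ResNet repo, which is newer than stock CentOS
  package { 'freeradius':
    ensure  => installed,
    name    => $fr_package,
    # Same repo dependency as the add-on packages below, so the base package
    # is not pulled from the stock repo on a first run before the repo exists.
    require => Yumrepo['resnet'],
  }

  package { [
    'freeradius-mysql',
    'freeradius-perl',
    'freeradius-utils',
  ]:
    ensure  => installed,
    require => Yumrepo['resnet'],
  }

  package { 'wpa_supplicant':
    ensure => installed,
  }

  # radiusd always tests its config before restarting the service, to avoid outage. If the config is not valid, the service
  # won't get restarted, and the puppet run will fail.
  service { 'radiusd':
    ensure     => running,
    name       => $fr_service,
    require    => [
      Exec['radiusd-config-test'],
      File['radiusd.conf'],
      User['radiusd'],
      Package[$fr_package],
      Service['winbind'],
    ],
    enable     => true,
    hasstatus  => true,
    hasrestart => true,
  }

  # We don't want to create the radiusd user, just add it to the wbpriv group.
  # Note that ensure => present will still create the account if the package
  # has not; uid 95 is presumably the one the RPM allocates - confirm.
  user { 'radiusd':
    ensure  => present,
    uid     => '95',
    gid     => 'radiusd',
    groups  => 'wbpriv',
    require => Package[$fr_package, 'samba-winbind'],
  }

  # Install a few modules required on all FR installations
  freeradius::module { 'always':
    source => 'puppet:///modules/freeradius/modules/always',
  }
  freeradius::module { 'detail':
    source => 'puppet:///modules/freeradius/modules/detail',
  }
  freeradius::module { 'detail.log':
    source => 'puppet:///modules/freeradius/modules/detail.log',
  }
  freeradius::module { 'logtosyslog':
    source => 'puppet:///modules/freeradius/modules/logtosyslog',
  }
  freeradius::module { 'logtofile':
    source => 'puppet:///modules/freeradius/modules/logtofile',
  }

  # Syslog rules
  syslog::rule { 'radiusd-log':
    command => "if \$programname == \'radiusd\' then /var/log/radius/radius.log\n&~",
    order   => '12',
  }

  # Optionally install the control-socket virtual server
  if $control_socket == true {
    freeradius::site { 'control-socket':
      source => 'puppet:///modules/freeradius/sites-enabled/control-socket',
    }
  }

  # Make the radius log dir traversable
  file { [
    '/var/log/radius',
    '/var/log/radius/radacct',
  ]:
    mode    => '0750',
    require => Package[$fr_package],
  }

  file { '/var/log/radius/radius.log':
    owner   => 'radiusd',
    group   => 'radiusd',
    seltype => 'radiusd_log_t',
  }

  # Updated logrotate file to include radiusd-*.log
  file { '/etc/logrotate.d/radiusd':
    mode    => '0640',
    owner   => 'root',
    group   => 'radiusd',
    source  => 'puppet:///modules/freeradius/radiusd.logrotate',
    require => Package[$fr_package],
  }

  # Generate global SSL parameters
  exec { 'dh':
    # 2048-bit group: 1024-bit DH is below the minimum that current TLS
    # clients accept. 'creates' keeps an existing file, so hosts built with
    # the old size keep it until the file is removed; generation takes
    # noticeably longer than before on a first run.
    command => "openssl dhparam -out ${fr_basepath}/certs/dh 2048",
    creates => "${fr_basepath}/certs/dh",
    path    => '/usr/bin',
    # exec does not autorequire the 'creates' parent directory.
    require => File["${fr_basepath}/certs"],
  }

  # Seed file for the TLS stack, 10 blocks of /dev/urandom
  exec { 'random':
    command => "dd if=/dev/urandom of=${fr_basepath}/certs/random count=10 >/dev/null 2>&1",
    creates => "${fr_basepath}/certs/random",
    path    => '/bin',
    require => File["${fr_basepath}/certs"],
  }

  # This exec tests the radius config and fails if it's bad
  # It isn't run every time puppet runs, but only when freeradius is to be restarted
  # (nothing in this class notifies it; presumably the module's other classes do).
  exec { 'radiusd-config-test':
    # A pipeline exits with the status of its last command, so the previous
    # '... | grep ... | wc -l' form always returned 0 and never failed.
    # grep -q exits 1 when the OK marker is absent, which is what makes the
    # service refuse to restart on a broken config.
    command     => '/usr/bin/sudo /usr/sbin/radiusd -XC | /bin/grep -q \'Configuration appears to be OK.\'',
    returns     => 0,
    refreshonly => true,
    logoutput   => on_failure,
  }

  # Blank a couple of default files that will break our config. This is more effective than deleting them
  # as they won't get overwritten when FR is upgraded from RPM, whereas missing files are replaced.
  file { [
    "${fr_basepath}/sites-available/default",
    "${fr_basepath}/sites-available/inner-tunnel",
    "${fr_basepath}/proxy.conf",
    "${fr_basepath}/clients.conf",
  ]:
    content => "# FILE INTENTIONALLY BLANK\n",
    mode    => '0644',
    owner   => 'root',
    group   => 'radiusd',
    require => Package[$fr_package],
    notify  => Service[$fr_service],
  }

  # Delete *.rpmnew and *.rpmsave files from the radius config dir because
  # radiusd stupidly reads these files in, and they break the config
  # The patterns are quoted so they reach find verbatim instead of being
  # shell-globbed against the agent's working directory.
  exec { 'delete-radius-rpmnew':
    command => "/bin/find ${fr_basepath} -name '*.rpmnew' -delete",
    onlyif  => "/bin/find ${fr_basepath} -name '*.rpmnew' | /bin/grep rpmnew",
  }
  exec { 'delete-radius-rpmsave':
    command => "/bin/find ${fr_basepath} -name '*.rpmsave' -delete",
    onlyif  => "/bin/find ${fr_basepath} -name '*.rpmsave' | /bin/grep rpmsave",
  }
}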