[feature] Added openwisp_radius installation

openwisp · Nov 29, 2020 · bec48bc · bec48bc
1 parent eff5a83
commit bec48bc
Show file tree

Hide file tree

Showing 16 changed files with 479 additions and 15 deletions.
diff --git a/README.md b/README.md
@@ -524,7 +524,7 @@ Below are listed all the variables you can customize (you may also want to take
     - openwisp.openwisp2
   vars:
     # openwisp-controler version
-    openwisp2_controller_version: "0.4"
+    openwisp2_controller_version: "0.7.post1"
     # optional openwisp2 modules
     openwisp2_network_topology: false
     openwisp2_network_topology_version: "0.4"

diff --git a/defaults/main.yml b/defaults/main.yml
@@ -1,8 +1,10 @@
 openwisp2_python: python3
 ansible_python_interpreter: /usr/bin/python3
 openwisp2_network_topology: false
+openwisp2_radius: false
 openwisp2_controller_version: "0.7.post1"
 openwisp2_network_topology_version: "0.4"
+openwisp2_radius_version: "0.1"
 openwisp2_controller_pip: false
 openwisp2_users_pip: false
 openwisp2_utils_pip: false
@@ -11,6 +13,7 @@ openwisp2_django_x509_pip: false
 openwisp2_django_loci_pip: false
 openwisp2_netjsonconfig_pip: false
 openwisp2_network_topology_pip: false
+openwisp2_radius_pip: false
 openwisp2_extra_python_packages: [bpython]
 openwisp2_extra_django_apps: []
 openwisp2_extra_django_settings: {}
@@ -86,3 +89,24 @@ openwisp2_celery_worker_prefetch_multiplier: 1
 openwisp2_celery_task_acks_late: True
 openwisp2_django_celery_logging: False
 postfix_smtpd_relay_restrictions_override: "permit_sasl_authenticated, permit_mynetworks, check_relay_domains, reject_unauth_destination, reject"
+freeradius_dir: /etc/freeradius/3.0
+freeradius_mods_available_dir: "{{ freeradius_dir }}/mods-available"
+freeradius_mods_enabled_dir: "{{ freeradius_dir }}/mods-enabled"
+freeradius_sites_available_dir: "{{ freeradius_dir }}/sites-available"
+freeradius_sites_enabled_dir: "{{ freeradius_dir }}/sites-enabled"
+freeradius_sql:
+    driver: rlm_sql_postgresql
+    dialect: postgresql
+    host: localhost
+    port: 5432
+    dbname: freeradius
+    user: admin
+    password: admin
+freeradius_rest:
+    url: "https://{{ inventory_hostname }}/api/v1/freeradius"
+openwisp2_users_auth_api: true
+openwisp2_radius_sms_backend: "sendsms.backends.console.SmsBackend"
+openwisp2_radius_extra_nas_types: >
+    [('cisco', 'Cisco Router')]
+openwisp2_radius_sms_token_max_ip_daily: 25
+openwisp2_freeradius_allowed_hosts: ["127.0.0.1"]
diff --git a/handlers/main.yml b/handlers/main.yml
@@ -14,3 +14,6 @@
 
 - name: start redis
   service: name=redis state=started
+
+- name: restart freeradius
+  service: name=freeradius state=restarted
diff --git a/molecule/resources/converge.yml b/molecule/resources/converge.yml
@@ -9,7 +9,9 @@
 
   pre_tasks:
     - name: Update apt cache
-      apt: update_cache=true cache_valid_time=600
+      apt:
+        update_cache: yes
+        cache_valid_time: 600
       when: ansible_os_family == 'Debian'
 
     - name: Remove the .dockerenv file

diff --git a/tasks/apt.yml b/tasks/apt.yml
@@ -1,5 +1,6 @@
 - name: Update APT package cache
-  apt: update_cache=yes
+  apt:
+    update_cache: yes
   changed_when: false
   retries: 5
   delay: 10
@@ -71,6 +72,17 @@
   until: result is success
   notify: reload systemd
 
+- name: Install cairo
+  when: openwisp2_radius
+  apt:
+    name:
+      - libcairo2
+      - libpango-1.0-0
+      - libpangocairo-1.0-0
+      - libgdk-pixbuf2.0-0
+      - shared-mime-info
+  tags: [openwisp2, radius]
+
 - name: Install mod-spatialite (may fail on older linux distros)
   when: openwisp2_database.engine == "django.contrib.gis.db.backends.spatialite"
   apt: name=libsqlite3-mod-spatialite

diff --git a/tasks/freeradius.yml b/tasks/freeradius.yml
@@ -0,0 +1,139 @@
+
+- name: Freeradius system packages
+  when: openwisp2_radius
+  apt:
+    name:
+      - freeradius
+      - freeradius-rest
+    state: latest
+  notify: restart freeradius
+
+# TODO: I want to use mysql too & default sqlite!
+- name: Freeradius system packages
+  when: openwisp2_radius and freeradius_sql.dialect == "postgresql"
+  apt:
+    name:
+      - postgresql
+      - freeradius-postgresql
+    state: latest
+
+- name: Create freeradius database
+  when: openwisp2_radius and freeradius_sql.dialect == "postgresql"
+  postgresql_db:
+    name: "{{ freeradius_sql.dbname }}"
+    state: present
+
+- name: Create freeradius database user
+  when: openwisp2_radius and freeradius_sql.dialect == "postgresql"
+  postgresql_user:
+    db: "{{ freeradius_sql.dbname }}"
+    name: "{{ freeradius_sql.user }}"
+    password: "{{ freeradius_sql.password }}"
+    priv: ALL
+
+- name: Radius configurations
+  when: openwisp2_radius
+  template:
+    src: freeradius/radiusd.conf.j2
+    dest: "{{ freeradius_dir }}/radiusd.conf"
+    mode: 0640
+    owner: freerad
+    group: freerad
+  notify: restart freeradius
+
+- name: Clients configuration
+  when: openwisp2_radius
+  template:
+    src: freeradius/clients.conf.j2
+    dest: "{{ freeradius_dir }}/site"
+    mode: 0640
+    owner: freerad
+    group: freerad
+  notify: restart freeradius
+
+- name: Remove unnecessary modules
+  when: openwisp2_radius
+  file:
+    dest: "{{ item }}"
+    state: absent
+  with_items:
+    - "{{ freeradius_mods_enabled_dir }}/eap"
+
+- name: SQL configuration
+  when: openwisp2_radius
+  template:
+    src: freeradius/sql.j2
+    dest: "{{ freeradius_mods_available_dir }}/sql"
+    mode: 0640
+    owner: freerad
+    group: freerad
+  notify: restart freeradius
+
+- name: Enable SQL module
+  when: openwisp2_radius
+  file:
+    src: "{{ freeradius_mods_available_dir }}/sql"
+    dest: "{{ freeradius_mods_enabled_dir }}/sql"
+    state: link
+    mode: 0640
+    owner: freerad
+    group: freerad
+
+- name: SQL Counter module
+  when: openwisp2_radius
+  template:
+    src: freeradius/sql_counter.j2
+    dest: "{{ freeradius_mods_available_dir }}/sql_counter"
+    mode: 0640
+    owner: freerad
+    group: freerad
+  notify: restart freeradius
+
+- name: Enable SQL Counter module
+  when: openwisp2_radius
+  file:
+    src: "{{ freeradius_mods_available_dir }}/sql_counter"
+    dest: "{{ freeradius_mods_enabled_dir }}/sql_counter"
+    state: link
+    mode: 0640
+    owner: freerad
+    group: freerad
+
+- name: REST configuration
+  when: openwisp2_radius
+  template:
+    src: freeradius/rest.j2
+    dest: "{{ freeradius_mods_available_dir }}/rest"
+    mode: 0640
+    owner: freerad
+    group: freerad
+  notify: restart freeradius
+
+- name: Enable REST module
+  when: openwisp2_radius
+  file:
+    src: "{{ freeradius_mods_available_dir }}/rest"
+    dest: "{{ freeradius_mods_enabled_dir }}/rest"
+    state: link
+    mode: 0640
+    owner: freerad
+    group: freerad
+
+- name: Remove default site
+  when: openwisp2_radius
+  file:
+    dest: "{{ item }}"
+    state: absent
+  with_items:
+    - "{{ freeradius_sites_enabled_dir }}/default"
+    - "{{ freeradius_sites_enabled_dir }}/inner-tunnel"
+
+- name: Site configuration
+  when: openwisp2_radius
+  template:
+    src: freeradius/site.j2
+    dest: "{{ freeradius_sites_enabled_dir }}/site"
+    mode: 0640
+    owner: freerad
+    group: freerad
+  notify: restart freeradius
diff --git a/tasks/main.yml b/tasks/main.yml
@@ -22,6 +22,9 @@
 - import_tasks: django.yml
   tags: [openwisp2, django]
 
+- import_tasks: freeradius.yml
+  tags: [openwisp2, freeradius]
+
 - import_tasks: supervisor.yml
   tags: [openwisp2, supervisor]
 

diff --git a/tasks/pip.yml b/tasks/pip.yml
@@ -52,6 +52,13 @@
     - "{{ openwisp2_network_topology_pip }}"
   when: item is defined and item is string and openwisp2_network_topology
 
+- name: Add openwisp_radius to custom package list if set and enabled
+  set_fact:
+    openwisp2_python_packages: "{{ openwisp2_python_packages + [item] }}"
+  with_items:
+    - "{{ openwisp2_radius_pip }}"
+  when: item is defined and item is string and openwisp2_radius
+
 - name: Install cryptography from pip
   pip:
     name: cryptography
@@ -125,6 +132,20 @@
   register: result
   until: result is success
 
+- name: Install openwisp2_radius and its dependencies
+  when: openwisp2_radius
+  pip:
+    name: "openwisp-radius~={{ openwisp2_radius_version }}"
+    state: latest
+    virtualenv: "{{ virtualenv_path }}"
+    virtualenv_python: "{{ openwisp2_python }}"
+    virtualenv_site_packages: yes
+  notify: reload supervisor
+  retries: 5
+  delay: 10
+  register: result
+  until: result is success
+
 - name: Install extra python packages
   pip:
     name: "{{ openwisp2_extra_python_packages }}"

diff --git a/templates/freeradius/clients.conf.j2 b/templates/freeradius/clients.conf.j2
@@ -0,0 +1,7 @@
+# Freeradius Clients
+
+client radius_clients {
+	ipaddr     = {{ freeradius_clients_ip }}
+	secret     = {{ freeradius_clients_key }}
+	nas_type   = other
+}
diff --git a/templates/freeradius/radiusd.conf.j2 b/templates/freeradius/radiusd.conf.j2
@@ -0,0 +1,63 @@
+prefix = /usr
+exec_prefix = ${prefix}
+sysconfdir = /etc
+localstatedir = /var
+sbindir = ${exec_prefix}/sbin
+logdir = /var/log/radius
+raddbdir = ${sysconfdir}/raddb
+radacctdir = /var/log/radius/radacct
+name = radiusd
+confdir = ${raddbdir}
+modconfdir = ${confdir}/mods-config
+certdir = ${confdir}/certs
+cadir   = ${confdir}/certs
+run_dir = ${localstatedir}/run/${name}
+db_dir = ${raddbdir}
+libdir = /usr/lib/freeradius
+pidfile = ${run_dir}/${name}.pid
+correct_escapes = true
+max_request_time = 30
+cleanup_delay = 5
+max_requests = 16384
+hostname_lookups = no
+
+log {
+    destination = stdout
+    auth = yes
+    auth_badpass = yes
+    auth_goodpass = yes
+}
+
+checkrad = ${sbindir}/checkrad
+security {
+	user = root
+	group = root
+	allow_core_dumps = no
+	max_attributes = 200
+	reject_delay = 1
+	status_server = yes
+	allow_vulnerable_openssl = no
+}
+
+proxy_requests  = yes
+$INCLUDE proxy.conf
+$INCLUDE clients.conf
+thread pool {
+	start_servers = 5
+	max_servers = 32
+	min_spare_servers = 3
+	max_spare_servers = 10
+	max_requests_per_server = 0
+	auto_limit_acct = no
+}
+
+modules {
+	$INCLUDE mods-enabled/
+}
+
+instantiate {}
+
+policy {
+	$INCLUDE policy.d/
+}
+$INCLUDE sites-enabled/
diff --git a/templates/freeradius/rest.j2 b/templates/freeradius/rest.j2
@@ -0,0 +1,31 @@
+rest {
+    tls = {}
+    connect_uri = "{{ freeradius_rest.url }}"
+
+    authorize {
+        uri = "${..connect_uri}/authorize/"
+        method = 'post'
+        body = 'json'
+        data = '{"username": "%{User-Name}", "password": "%{User-Password}"}'
+        tls = ${..tls}
+    }
+
+    # this section can be left empty
+    authenticate {}
+
+    post-auth {
+        uri = "${..connect_uri}/postauth/"
+        method = 'post'
+        body = 'json'
+        data = '{"username": "%{User-Name}", "password": "%{User-Password}", "reply": "%{reply:Packet-Type}", "called_station_id": "%{Called-Station-ID}", "calling_station_id": "%{Calling-Station-ID}"}'
+        tls = ${..tls}
+    }
+
+    accounting {
+        uri = "${..connect_uri}/accounting/"
+        method = 'post'
+        body = 'json'
+        data = '{"status_type": "%{Acct-Status-Type}", "session_id": "%{Acct-Session-Id}", "unique_id": "%{Acct-Unique-Session-Id}", "username": "%{User-Name}", "realm": "%{Realm}", "nas_ip_address": "%{NAS-IP-Address}", "nas_port_id": "%{NAS-Port}", "nas_port_type": "%{NAS-Port-Type}", "session_time": "%{Acct-Session-Time}", "authentication": "%{Acct-Authentic}", "input_octets": "%{Acct-Input-Octets}", "output_octets": "%{Acct-Output-Octets}", "called_station_id": "%{Called-Station-Id}", "calling_station_id": "%{Calling-Station-Id}", "terminate_cause": "%{Acct-Terminate-Cause}", "service_type": "%{Service-Type}", "framed_protocol": "%{Framed-Protocol}", "framed_ip_address": "%{Framed-IP-Address}"}'
+        tls = ${..tls}
+    }
+}