feat: add radius role

roles/radius/tasks/certs.yml

@@ -0,0 +1,82 @@
+---
+- name: "Radius Certificates | PATCH | Install latest certbot"
+  ansible.builtin.dnf:
+    name: certbot
+    state: latest
+    update_cache: true
+  become: true
+
+- name: "Radius Certificates | AUDIT | Check for existing certificate expiry"
+  community.crypto.x509_certificate_info:
+    path: "/etc/letsencrypt/live/{{ inventory_hostname }}/cert.pem"
+  register: radius_certs_existing_cert
+  ignore_errors: true
+  become: true
+
+- name: "Radius Certificates | AUDIT | Calculate days until expiry"
+  ansible.builtin.set_fact:
+    radius_certs_days_until_expiry: "{{ ((radius_certs_existing_cert.not_after | to_datetime('%Y%m%d%H%M%SZ')) - now()).days }}"
+  when: radius_certs_existing_cert.not_after is defined
+  become: true
+
+- name: "Radius Certificates | AUDIT | Print days until expiry"
+  ansible.builtin.debug:
+    msg: "{{ radius_certs_days_until_expiry }}"
+  when: radius_certs_existing_cert.not_after is defined
+  become: true
+
+- name: "Radius Certificates | PATCH | Request a new or renewed certificate"
+  when: (radius_certs_existing_cert.failed) or (radius_certs_days_until_expiry | int < 30)
+  become: true
+  block:
+    - name: "Radius Certificates | AUDIT | Check httpd"
+      ansible.builtin.systemd_service:
+        name: httpd
+      register: radius_certs_httpd_status
+
+    - name: "Radius Certificates | PATCH | Stop httpd"
+      ansible.builtin.systemd_service:
+        name: httpd
+        state: stopped
+      when: radius_certs_httpd_status.status.ActiveState == "active"
+
+    - name: "Radius Certificates | PATCH | Add http service to firewall"
+      ansible.posix.firewalld:
+        service: http
+        state: enabled
+
+    - name: "Radius Certificates | PATCH | Request new certificate"
+      ansible.builtin.command:
+        cmd: certbot certonly --standalone --preferred-challenges http --agree-tos -n -d {{ inventory_hostname }} --register-unsafely-without-email
+      when: radius_certs_existing_cert.failed
+
+    - name: "Radius Certificates | PATCH | Renew existing certificate"
+      ansible.builtin.command:
+        cmd: certbot renew
+      when: not radius_certs_existing_cert.failed
+
+    - name: "Radius Certificates | PATCH | Remove http service from firewall"
+      ansible.posix.firewalld:
+        service: http
+        state: disabled
+
+    - name: "Radius Certificates | PATCH | Start httpd"
+      ansible.builtin.systemd_service:
+        name: httpd
+        state: started
+      when: radius_certs_httpd_status.status.ActiveState == "active"
+
+- name: Radius | PATCH | Allow radiusd access to certificates
+  ansible.builtin.copy:
+    src: /etc/letsencrypt/live/{{ inventory_hostname }}/{{ item }}.pem
+    dest: /etc/raddb/{{ item }}.pem
+    remote_src: true
+    owner: radiusd
+    group: radiusd
+    mode: "0640"
+  become: true
+  notify: Restart radiusd
+  with_items:
+    - privkey
+    - cert
+    - chain

roles/radius/tasks/main.yml

@@ -0,0 +1,40 @@
+---
+- name: Radius | PATCH | Obtain or freshen certificates
+  ansible.builtin.include_tasks:
+    file: certs.yml
+
+- name: Radius | PATCH | Install required packages
+  ansible.builtin.dnf:
+    name: freeradius
+    state: present
+  become: true
+
+- name: Radius | PATCH | Install FreeRADIUS configuration files
+  ansible.builtin.template:
+    src: etc/raddb/{{ item }}
+    dest: /etc/raddb/{{ item }}
+    owner: root
+    group: radiusd
+    mode: 0640
+  become: true
+  with_items:
+    - mods-available/eap
+    - mods-available/linelog
+    - sites-available/default
+    - mods-available/inner-eap
+    - sites-available/inner-tunnel
+    - clients.conf
+    - proxy.conf
+  notify:
+    - Restart radiusd
+
+- name: Radius | PATCH | Install rsyslog configuration
+  ansible.builtin.template:
+    src: etc/rsyslog.d/radiusd.conf
+    dest: /etc/rsyslog.d/radiusd.conf
+    owner: root
+    group: root
+    mode: 0644
+  become: true
+  notify:
+    - Reload rsyslog