debops.freeradius default variables

APT packages, FreeRADIUS version

freeradius__base_packages

List of essential APT packages to install for FreeRADIUS support.

freeradius__base_packages: [ 'freeradius', 'freeradius-utils' ]
freeradius__packages

List of additional APT packages to install with FreeRADIUS.

freeradius__packages: []
freeradius__version

The version of the installed FreeRADIUS package, gathered via Ansible local facts. This variable can be used in conditions to enable/disable parts of the configuration.

freeradius__version: '{{ ansible_local.freeradius.version | d("0.0.0") }}'

UNIX environment

freeradius__user

The UNIX system account which is used to manage FreeRADIUS service.

freeradius__user: 'freerad'
freeradius__group

The UNIX group which is used to manage FreeRADIUS service.

freeradius__group: 'freerad'
freeradius__conf_base_path

Absolute path to the base directory which contains the FreeRADIUS configuration files. You most likely don't have to change this.

freeradius__conf_base_path: '/etc/freeradius/3.0'

Internal firewall and ports

These variables define the firewall configuration for internal FreeRADIUS communication, not intended for client endpoints.

freeradius__default_ports

List of TCP/UDP ports which are managed by default in the firewall, for internal communication. You can use port numbers or names from the /etc/services database.

freeradius__default_ports: [ 'radius', 'radius-acct' ]
freeradius__ports

List of TCP/UDP ports for internal communication which will be managed on all hosts in the Ansible inventory.

freeradius__ports: []
freeradius__group_ports

List of TCP/UDP ports for internal communication which will be managed on hosts in a specific Ansible inventory group.

freeradius__group_ports: []
freeradius__host_ports

List of TCP/UDP ports for internal communication which will be managed on specific hosts in the Ansible inventory.

freeradius__host_ports: []
freeradius__accept_any

By default, internal firewall does not allow any connections from anywhere and you need to specify IP addresses or CIDR subnets to allow for communication to the FreeRADIUS service. If this variable is set to True, the configuration will be "flipped" - the role will allow internal communication with FreeRADIUS from anywhere by default, and specifying IP addresses or subnets will restrict it to only these hosts/networks.

freeradius__accept_any: False
freeradius__allow

List of IP addresses or CIDR subnets which should be allowed to connect to internal FreeRADIUS service, defined on all hosts in the Ansible inventory.

freeradius__allow: []
freeradius__group_allow

List of IP addresses or CIDR subnets which should be allowed to connect to internal FreeRADIUS service, defined on hosts in a specific Ansible inventory group.

freeradius__group_allow: []
freeradius__host_allow

List of IP addresses or CIDR subnets which should be allowed to connect to internal FreeRADIUS service, defined on specific hosts in the Ansible inventory.

freeradius__host_allow: []

Public firewall and ports

These variables define the firewall configuration for public FreeRADIUS services, like DHCP, intended for client endpoints.

freeradius__public_ports

List of TCP/UDP ports for public communication which will be managed on all hosts in the Ansible inventory.

freeradius__public_ports: []
freeradius__public_group_ports

List of TCP/UDP ports for public communication which will be managed on hosts in a specific Ansible inventory group.

freeradius__public_group_ports: []
freeradius__public_host_ports

List of TCP/UDP ports for public communication which will be managed on specific hosts in the Ansible inventory.

freeradius__public_host_ports: []
freeradius__public_accept_any

By default, if public TCP/UDP ports are specified, the firewall will accept connections from any IP addresses or CIDR subnets to these ports, and specifying hosts/networks in freeradius__public_*_allow variables will restrict the connections to only these IP addresses/subnets. If this variable is set to False, the configuration will be "flipped" - the role will not allow connections from anywhere to specified TCP/UDP ports, and you will need to specify IP addresses/subnets that are allowed to connect.

freeradius__public_accept_any: True
freeradius__public_allow

List of IP addresses or CIDR subnets which should be allowed to connect to public FreeRADIUS service, defined on all hosts in the Ansible inventory.

freeradius__public_allow: []
freeradius__public_group_allow

List of IP addresses or CIDR subnets which should be allowed to connect to public FreeRADIUS service, defined on hosts in a specific Ansible inventory group.

freeradius__public_group_allow: []
freeradius__public_host_allow

List of IP addresses or CIDR subnets which should be allowed to connect to public FreeRADIUS service, defined on specific hosts in the Ansible inventory.

freeradius__public_host_allow: []

FreeRADIUS configuration files

These variables define the contents of the FreeRADIUS configuration files located in /etc/freeradius/ directory. See freeradius__configuration for more details.

freeradius__default_configuration

The default FreeRADIUS configuration defined by the role.

freeradius__default_configuration:

  # Enable FreeRADIUS control socket for the 'radmin' command to work correctly
  - name: 'sites-enabled/control-socket'
    link_src: '../sites-available/control-socket'
freeradius__configuration

Definition of FreeRADIUS configuration which should be managed on all hosts in the Ansible inventory.

freeradius__configuration: []
freeradius__group_configuration

Definition of FreeRADIUS configuration which should be managed on hosts in a specific Ansible inventory group.

freeradius__group_configuration: []
freeradius__host_configuration

Definition of FreeRADIUS configuration which should be managed on specific hosts in the Ansible inventory.

freeradius__host_configuration: []
freeradius__combined_configuration

The variable that combines all of the FreeRADIUS configuration lists and is used in the role tasks and templates.

freeradius__combined_configuration: '{{ freeradius__default_configuration
                                        + freeradius__configuration
                                        + freeradius__group_configuration
                                        + freeradius__host_configuration }}'

Configuration for other Ansible roles

freeradius__ferm__dependent_rules

Configuration for the debops.ferm Ansible role.

freeradius__ferm__dependent_rules:

  - type: 'accept'
    dport: '{{ freeradius__default_ports
               + freeradius__ports
               + freeradius__group_ports
               + freeradius__host_ports }}'
    saddr: '{{ freeradius__allow
               + freeradius__group_allow
               + freeradius__host_allow }}'
    protocols: [ 'tcp', 'udp' ]
    accept_any: '{{ freeradius__accept_any }}'
    weight: '50'
    by_role: 'debops.freeradius'
    name: 'radius_internal'
    multiport: True

  - type: 'accept'
    dport: '{{ freeradius__public_ports
               + freeradius__public_group_ports
               + freeradius__public_host_ports }}'
    saddr: '{{ freeradius__public_allow
               + freeradius__public_group_allow
               + freeradius__public_host_allow }}'
    protocols: [ 'tcp', 'udp' ]
    accept_any: '{{ freeradius__public_accept_any }}'
    weight: '50'
    by_role: 'debops.freeradius'
    name: 'radius_public'
    multiport: True
    rule_state: '{{ "present"
                    if (freeradius__public_ports
                        + freeradius__public_group_ports
                        + freeradius__public_host_ports)
                    else "absent" }}'
freeradius__logrotate__dependent_config

Configuration for the debops.logrotate Ansible role.

freeradius__logrotate__dependent_config:

  - filename: 'freeradius'
    divert: True
    log: '/var/log/freeradius/radius.log'
    comment: 'The main server log'
    options: |
      daily
      rotate 52
      missingok
      compress
      delaycompress
      notifempty
      copytruncate
    state: 'present'

  - filename: 'freeradius-monitor'
    logs:
      - '/var/log/freeradius/checkrad.log'
      - '/var/log/freeradius/radwatch.log'
    comment: 'Session monitoring utilities'
    options: |
      daily
      rotate 52
      missingok
      compress
      delaycompress
      notifempty
      nocreate
    state: 'present'

  - filename: 'freeradius-session'
    logs:
      - '/var/log/freeradius/radutmp'
      - '/var/log/freeradius/radwtmp'
    comment: 'Session database modules'
    options: |
      daily
      rotate 52
      missingok
      compress
      delaycompress
      notifempty
      nocreate
    state: 'present'

  - filename: 'freeradius-sql'
    log: '/var/log/freeradius/sqllog.sql'
    comment: 'SQL log files'
    options: |
      daily
      rotate 52
      missingok
      compress
      delaycompress
      notifempty
      nocreate
    state: 'present'

  - filename: 'freeradius-detail'
    log: '/var/log/freeradius/radacct/*/detail'
    comment: |
      There are different detail-rotating strategies you can use.  One is
      to write to a single detail file per IP and use the rotate config
      below.  Another is to write to a daily detail file per IP with:
          detailfile = ${radacctdir}/%{Client-IP-Address}/%Y%m%d-detail
      (or similar) in radiusd.conf, without rotation.  If you go with the
      second technique, you will need another cron job that removes old
      detail files.  You do not need to comment out the below for method #2.
    options: |
      weekly
      rotate 260
      missingok
      compress
      delaycompress
      notifempty
      nocreate
    state: 'present'