[feature] Added openwisp_radius installation #223

Closed
38 commits; showing changes from 32 commits
b1333c0
[feature] Added openwisp_radius installation
atb00ker Nov 29, 2020
4640bdc
Commented out mysql and postgres install.
nemesifier Dec 23, 2020
c36f1c8
Do not remove eap
nemesifier Dec 23, 2020
e989b1d
Do not modify clients (we'll configure sql module to read from DB)
nemesifier Dec 23, 2020
761a006
Avoid modifying the main radius config file since it shouldn't be needed
nemesifier Dec 23, 2020
055e443
Added possibility of turning off installation of freeradius
nemesifier Dec 23, 2020
ad13152
Add way to disable radius URLs if deployed on a different VM
nemesifier Dec 23, 2020
761327e
Simplified sql configuration
nemesifier Dec 23, 2020
31940d3
SQL: added read_clients = yes
nemesifier Dec 23, 2020
b6f9b3d
django-freeradius > openwisp-radius
nemesifier Dec 23, 2020
03156ab
Moved OPENWISP_USERS_AUTH_API out of the if openwisp_radius block
nemesifier Dec 23, 2020
a1e154e
Removed redundant urls
nemesifier Dec 23, 2020
c4b956b
Fixed redundant PRIVATE_STORAGE_ROOT definition
nemesifier Dec 24, 2020
21b2720
[chores] Install libpq-dev if using postgres
nemesifier Dec 24, 2020
c65d2bd
[feature] Added openwisp_radius installation
atb00ker Nov 29, 2020
fed2967
[radius] Removed database setup + minor
atb00ker Jan 1, 2021
6136f07
[chores] Import freeradius.yml only when openwisp2_radius is true
nemesifier Jan 7, 2021
6ea3bbe
[fix] Schedule openwisp-radius tasks only if radius enabled
nemesifier Jan 8, 2021
797e868
[radius] Removed database setup + minor
atb00ker Jan 1, 2021
69fad3e
[freeradius] Fix eap error
atb00ker Jan 9, 2021
37703eb
[fix] Fixed SQL parameters: host > server, user > login
nemesifier Jan 20, 2021
1332b1d
[chores] Added missing modules in authorize section
nemesifier Jan 20, 2021
c98e6c1
[chores] Fixed indentation of sql module
nemesifier Jan 20, 2021
b63c337
[fix] Fixed sql counter
nemesifier Jan 20, 2021
325ac68
[fix] Added patched postgresql counters
nemesifier Jan 21, 2021
7db00ab
[chores] Minor improvements
nemesifier Jan 21, 2021
f7f3468
[chores] Removed duplicated noresetcounter
nemesifier Jan 22, 2021
9c6ff64
[change] Adjusted interval of cron tasks
nemesifier Feb 5, 2021
3b035c5
[chores] Allow disabling openwisp_radius.tasks.delete_old_radacct
nemesifier Feb 5, 2021
1255daf
[chores] Added more notes to variables
nemesifier Feb 5, 2021
6680a18
[openwisp-radius] Add test to ensure freeradius is working
atb00ker Feb 8, 2021
ef14796
[chores] Added basic inner-tunnel
nemesifier Apr 24, 2021
8c0bbc8
[freeradius] Fixed problems prohibiting start
atb00ker Apr 28, 2021
9ab2950
Merge branch 'master' into openwisp_radius
nemesifier Jun 29, 2021
cd2eb08
Merge branch 'master' into openwisp_radius
nemesifier Aug 13, 2021
8bebc28
[fix] Added safe_characters to freeradius SQL conf
nemesifier Aug 13, 2021
2b717b1
Merge branch 'master' into openwisp_radius
nemesifier Sep 17, 2021
88c9acc
Merge branch 'master' into openwisp_radius
nemesifier Sep 17, 2021
8 changes: 3 additions & 5 deletions .github/workflows/ci.yml
Expand Up @@ -28,14 +28,12 @@ jobs:
with:
ref: ${{ github.event.pull_request.head.sha }}

- name: Set up Python
uses: actions/setup-python@v2
with:
python-version: '3.x'
- name: Set default python version
run: sudo update-alternatives --install /usr/bin/python3 python3 /usr/bin/python3.8 2

- name: Install python dependencies
run: |
pip install molecule[docker,ansible] yamllint ansible-lint docker openwisp-utils[qa]
sudo python3 -m pip install molecule[docker] yamllint ansible ansible-lint docker openwisp-utils[qa]

- name: QA checks
run: |
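Review bot: the new `sudo python3 -m pip install molecule[docker] yamllint ansible ansible-lint docker openwisp-utils[qa]` step installs unpinned packages as root into the runner's system interpreter, so each CI run can resolve to different molecule/ansible/ansible-lint releases, and any package build script runs with root on the runner. Consider keeping `actions/setup-python` (or a virtualenv) so pip runs unprivileged, and pin the versions in a requirements file. The `update-alternatives ... /usr/bin/python3.8` step also assumes the runner image ships Python 3.8 at that path; a short comment on why the hosted Python setup was dropped would help.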
95 changes: 93 additions & 2 deletions README.md
Expand Up @@ -483,6 +483,49 @@ you will update the above playbook as follows:
OPENWISP_FIRMWARE_UPGRADER_API: true
```

Enabling the radius module
--------------------------

To enable the radius module you need to set `openwisp2_radius` to `true` in
your `playbook.yml` file. Here's a short summary of how to do this:

**Step 1**: [Install ansible](#install-ansible)

**Step 2**: [Install this role](#install-this-role)

**Step 3**: [Create inventory file](#create-inventory-file)

**Step 4**: Create a playbook file with following contents:

```yaml
- hosts: openwisp2
become: "{{ become | default('yes') }}"
roles:
- openwisp.openwisp2
vars:
openwisp2_radius: true
openwisp2_freeradius_install: true
# set to false when you don't want to register openwisp-radius
# API endpoints.
openwisp2_radius_urls: true
```

**Note:** `openwisp2_freeradius_install` option provides a basic configuration of freeradius for openwisp,
it sets up the [radius user token mechanism](https://openwisp-radius.readthedocs.io/en/latest/user/api.html#radius-user-token-recommended) if you want to use another mechanism or manage your freeradius separately,
please disable this option by setting it to `false`.

**Step 5**: [Run the playbook](#run-the-playbook)

When the playbook is done running, if you got no errors you can login at:

https://openwisp2.mydomain.com/admin
username: admin
password: admin

**Note:** for more information regarding radius configuration options,
look for the word "radius" in the
[Role variables](#role-variables) section of this document.

Troubleshooting
===============

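Review bot: the new section ends with `username: admin` / `password: admin` and nothing tells the reader to change that password after the first login. Since the example playbook also registers the openwisp-radius API endpoints (`openwisp2_radius_urls: true`), add a sentence telling users to change the default credentials before the host is exposed. The `openwisp2_freeradius_install` note is also a run-on sentence: end it after the link and start a new sentence at "if you want to use another mechanism".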
Expand Down Expand Up @@ -579,12 +622,22 @@ Below are listed all the variables you can customize (you may also want to take
- openwisp.openwisp2
vars:
# openwisp-controler version
openwisp2_controller_version: "0.4"
openwisp2_controller_version: "0.8.2"
# optional openwisp2 modules
openwisp2_network_topology: false
openwisp2_network_topology_version: "0.4"
openwisp2_network_topology_version: "0.5.1"
openwisp2_firmware_upgrader: false
openwisp2_firmware_upgrader_version: "0.1"
openwisp2_radius_version: "0.2.1"
# Enable the modules you want to use
openwisp2_network_topology: false
openwisp2_firmware_upgrader: false
openwisp2_radius: false
# when openwisp2_radius_urls is set to false, the radius module
# is setup but it's urls are not added, which means API and social
# views cannot be used, this is helpful if you have an external
# radius instance.
openwisp2_radius_urls: "{{ openwisp2_radius }}"
# you may replace the values of these variables with any URL
# supported by pip (the python package installer)
# use these to install forks, branches or development versions
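Review bot: `openwisp2_network_topology: false` and `openwisp2_firmware_upgrader: false` appear twice in this vars example, once under "# optional openwisp2 modules" and again under "# Enable the modules you want to use". Duplicate keys in one YAML mapping are confusing, and a reader who edits only the first copy ends up with the value of the second. Keep a single occurrence of each next to `openwisp2_radius`, and group `openwisp2_radius_version` with the other version variables. In the `openwisp2_radius_urls` comment, "it's urls" should be "its URLs".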
Expand All @@ -598,6 +651,7 @@ Below are listed all the variables you can customize (you may also want to take
openwisp2_netjsonconfig_pip: false
openwisp2_network_topology_pip: false
openwisp2_firmware_upgrader_pip: false
openwisp2_radius_pip: false
# customize the app_path
openwisp2_path: /opt/openwisp2
# It is recommended that you change the value of this variable if you intend to use
Expand Down Expand Up @@ -761,6 +815,43 @@ Below are listed all the variables you can customize (you may also want to take
postfix_smtpd_relay_restrictions_override: permit_mynetworks
# allows overriding the default duration for keeping notifications
openwisp2_notifications_delete_old_notifications: 10
openwisp2_users_auth_api: true
# used for SMS verification, the default is a dummy SMS backend
# which prints to standard output and hence does nothing
# one of the available providers from django-sendsms can be
# used or alternatively, you can write a backend class for your
# favorite SMS API gateway
openwisp2_radius_sms_backend: "sendsms.backends.console.SmsBackend"
openwisp2_radius_sms_token_max_ip_daily: 25
openwisp2_radius_delete_old_users: 365
openwisp2_radius_cleanup_stale_radacct: 365
openwisp2_radius_delete_old_postauth: 365
# days for which the radius accounting sessions (radacct) are retained,
# 0 means sessions are kept forever.
# we highly suggest to set this number according
# to the privacy regulation of your jurisdiction
openwisp2_radius_delete_old_radacct: 365
openwisp2_radius_allowed_hosts: ["127.0.0.1"]
# this role provides a default configuration of freeradius
# if you manage freeradius on a different machine or you need different configurations
# you can disable this default behavior
openwisp2_freeradius_install: true
# Set an account to expire T seconds after first login.
# This variable sets the value of T.
freeradius_expire_attr_after_seconds: 86400
freeradius_dir: /etc/freeradius/3.0
freeradius_mods_available_dir: "{{ freeradius_dir }}/mods-available"
freeradius_mods_enabled_dir: "{{ freeradius_dir }}/mods-enabled"
freeradius_sites_available_dir: "{{ freeradius_dir }}/sites-available"
freeradius_sites_enabled_dir: "{{ freeradius_dir }}/sites-enabled"
freeradius_rest:
url: "https://{{ inventory_hostname }}/api/v1/freeradius"
cron_delete_old_notifications: "'hour': 0, 'minute': 0"
cron_deactivate_expired_users: "'hour': 0, 'minute': 5"
cron_delete_old_users: "'hour': 0, 'minute': 10"
cron_cleanup_stale_radacct: "'hour': 0, 'minute': 20"
cron_delete_old_postauth: "'hour': 0, 'minute': 30"
cron_delete_old_radacct: "'hour': 1, 'minute': 30"
```

Support
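Review bot: `openwisp2_radius_allowed_hosts: ["127.0.0.1"]`, `openwisp2_users_auth_api: true` and the six `cron_*` variables are listed without any comment, while the neighbouring options are explained. `openwisp2_radius_allowed_hosts` in particular reads like an access-control setting, so state what it restricts and which address formats it accepts, and document the expected format of the `cron_*` strings (`"'hour': 0, 'minute': 0"`). The other retention values (`openwisp2_radius_delete_old_users`, `openwisp2_radius_cleanup_stale_radacct`, `openwisp2_radius_delete_old_postauth`) should state their unit the way `openwisp2_radius_delete_old_radacct` does.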
41 changes: 41 additions & 0 deletions defaults/main.yml
Expand Up @@ -4,9 +4,12 @@ openwisp2_python: python3
ansible_python_interpreter: /usr/bin/python3
openwisp2_network_topology: false
openwisp2_firmware_upgrader: false
openwisp2_radius: false
openwisp2_radius_urls: "{{ openwisp2_radius }}"
openwisp2_controller_version: "0.8.2"
openwisp2_network_topology_version: "0.5.1"
openwisp2_firmware_upgrader_version: "0.1"
openwisp2_radius_version: "0.2.1"
openwisp2_controller_pip: false
openwisp2_notifications_pip: false
openwisp2_users_pip: false
Expand All @@ -16,6 +19,7 @@ openwisp2_django_loci_pip: false
openwisp2_netjsonconfig_pip: false
openwisp2_network_topology_pip: false
openwisp2_firmware_upgrader_pip: false
openwisp2_radius_pip: false
openwisp2_extra_python_packages: [bpython]
openwisp2_extra_django_apps: []
openwisp2_extra_django_settings: {}
Expand Down Expand Up @@ -106,3 +110,40 @@ openwisp2_celery_broker_max_tries: 10
openwisp2_django_celery_logging: false
openwisp2_postfix_install: true
postfix_smtpd_relay_restrictions_override: "permit_sasl_authenticated, permit_mynetworks, check_relay_domains, reject_unauth_destination, reject"
openwisp2_users_auth_api: true
openwisp2_radius_sms_backend: "sendsms.backends.console.SmsBackend"
openwisp2_radius_sms_token_max_ip_daily: 25
openwisp2_radius_delete_old_users: 365
openwisp2_radius_cleanup_stale_radacct: 365
openwisp2_radius_delete_old_postauth: 365
openwisp2_radius_delete_old_radacct: 365
openwisp2_radius_allowed_hosts: ["127.0.0.1"]
openwisp2_freeradius_install: true
freeradius_dir: /etc/freeradius/3.0
freeradius_mods_available_dir: "{{ freeradius_dir }}/mods-available"
freeradius_mods_enabled_dir: "{{ freeradius_dir }}/mods-enabled"
freeradius_mods_config_dir: "{{ freeradius_dir }}/mods-config"
freeradius_sites_available_dir: "{{ freeradius_dir }}/sites-available"
freeradius_sites_enabled_dir: "{{ freeradius_dir }}/sites-enabled"
freeradius_db_map:
django.contrib.gis.db.backends.spatialite:
driver: rlm_sql_sqlite
dialect: sqlite
django.contrib.gis.db.backends.postgis:
driver: rlm_sql_postgresql
dialect: postgresql
django.contrib.gis.db.backends.mysql:
driver: rlm_sql_mysql
dialect: mysql
freeradius_sql:
driver: "{{ freeradius_db_map[openwisp2_database.engine].driver }}"
dialect: "{{ freeradius_db_map[openwisp2_database.engine].dialect }}"
freeradius_rest:
url: "https://{{ inventory_hostname }}/api/v1/freeradius"
freeradius_expire_attr_after_seconds: 86400
cron_delete_old_notifications: "'hour': 0, 'minute': 0"
cron_deactivate_expired_users: "'hour': 0, 'minute': 5"
cron_delete_old_users: "'hour': 0, 'minute': 10"
cron_cleanup_stale_radacct: "'hour': 0, 'minute': 20"
cron_delete_old_postauth: "'hour': 0, 'minute': 30"
cron_delete_old_radacct: "'hour': 1, 'minute': 30"
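Review bot: `freeradius_sql.driver` and `freeradius_sql.dialect` index `freeradius_db_map` with `openwisp2_database.engine`, and the map only has the three `django.contrib.gis.db.backends.*` keys, so any other engine value makes the lookup fail with an undefined-key error when the variable is templated. Add an early `assert` on the engine, with a clear failure message, for the case where `openwisp2_freeradius_install` is true. The `freeradius_*` and `cron_*` names also drop the `openwisp2_` prefix used by the other variables in this file, which makes collisions with other roles in the same play more likely, and `freeradius_mods_config_dir` is defined here but missing from the README variable listing.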
8 changes: 8 additions & 0 deletions handlers/main.yml
Expand Up @@ -18,3 +18,11 @@
service:
name: redis
state: started

- name: update-ca-certificates
command: /usr/sbin/update-ca-certificates

- name: restart freeradius
service:
name: freeradius
state: started
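Review bot: the handler named `restart freeradius` uses `state: started`, which does nothing when the service is already running, so configuration changes that notify this handler are not picked up until freeradius is restarted by hand. Use `state: restarted` here so the handler does what its name says.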
7 changes: 6 additions & 1 deletion molecule/resources/converge.yml
Expand Up @@ -7,10 +7,15 @@
vars:
openwisp2_network_topology: true
openwisp2_firmware_upgrader: true
openwisp2_radius: true
# TODO: test help when openwisp-radius 0.3.0 is released!
# openwisp2_radius_allowed_hosts: ["0.0.0.0/0"]

pre_tasks:
- name: Update apt cache
apt: update_cache=true cache_valid_time=600
apt:
update_cache: true
cache_valid_time: 600
when: ansible_os_family == 'Debian'

- name: Remove the .dockerenv file
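Review bot: the TODO above the commented-out `openwisp2_radius_allowed_hosts: ["0.0.0.0/0"]` reads "test help when openwisp-radius 0.3.0 is released", which does not say what should be tested or why the override is needed. Reword it, and add a comment that the any-address value is meant only for the molecule container so it is not copied into a real playbook.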
19 changes: 19 additions & 0 deletions molecule/resources/verify.yml
Expand Up @@ -64,3 +64,22 @@
- name: Show OpenWisp log
debug:
var: openwisp_log

- name: Check Freeradius
# TODO: This test should work when openwisp-radius 0.3.0 is released!
Member Author

This remains a blocker to merge this PR.
We would need to release the next version of openwisp-radius to enable testing here.

Member

yes we're getting near to that 👍

# block:
# - name: Get radius-token for admin user
# uri:
# url: "https://{{ inventory_hostname }}/api/v1/default/account/token/"
# validate_certs: false
# method: POST
# body_format: form-urlencoded
# body:
# username: admin
# password: admin
# - name: Check if freeradius is running
# command: radtest admin admin localhost 0 testing123
# register: freeradius_status
# failed_when: '"Received Access-Accept" not in freeradius_status.stdout'
debug:
msg: "This test should work when openwisp-radius 0.3.0 is released!"
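Review bot: `Check Freeradius` currently runs only the `debug` message, so the verify play passes whether or not freeradius starts or answers, and the freeradius setup added by this PR has no test coverage. If the real check has to wait for openwisp-radius 0.3.0, at least assert for now that the service is running, and track the commented-out block in an issue rather than in the playbook. When it is re-enabled, the `radtest` shared secret `testing123` and the `admin`/`admin` credentials should come from variables, and `validate_certs: false` needs a comment explaining why certificate validation is disabled.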
20 changes: 20 additions & 0 deletions tasks/apt.yml
Expand Up @@ -92,6 +92,26 @@
until: result is success
notify: reload systemd

- name: Install postgresql client drivers
when: openwisp2_database.engine == "django.contrib.gis.db.backends.postgis"
apt:
name: libpq-dev
retries: 5
delay: 10
register: result
until: result is success

- name: Install cairo
when: openwisp2_radius
apt:
name:
- libcairo2
- libpango-1.0-0
- libpangocairo-1.0-0
- libgdk-pixbuf2.0-0
- shared-mime-info
tags: [openwisp2, radius]

- name: Install mod-spatialite (may fail on older linux distros)
when: openwisp2_database.engine == "django.contrib.gis.db.backends.spatialite"
apt: name=libsqlite3-mod-spatialite
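Review bot: `Install cairo` has no `retries`/`delay`/`register`/`until` lines, unlike `Install postgresql client drivers` directly above it, so a transient apt failure aborts the run on this task when radius is enabled. Add the same retry block for consistency. The task name is also narrower than what it installs (pango, gdk-pixbuf and shared-mime-info as well), and `libpq-dev` is the development-headers package rather than a client driver, so rename both tasks to match what they install.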
3 changes: 3 additions & 0 deletions tasks/django.yml
Expand Up @@ -98,6 +98,9 @@
group: "{{ www_group }}"
mode: 0640

- name: start redis for migration
meta: flush_handlers

- name: migrate
notify: reload supervisor
become: true
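Review bot: the task is named `start redis for migration`, but `meta: flush_handlers` runs every handler notified so far, not only the redis one; with this PR that can include `restart freeradius` and `update-ca-certificates` from handlers/main.yml. Rename the task to say that it flushes handlers, or start redis with an explicit `service` task if that is the only effect needed before `migrate`.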