Merge remote-tracking branch 'upstream/main' into pp-main

.fixtures.yml

@@ -5,4 +5,4 @@ fixtures:
     logrotate: "puppet/logrotate"
     rsyslog: "saz/rsyslog"
     stdlib: "puppetlabs/stdlib"
-    systemd: "camptocamp/systemd"
+    systemd: "puppet/systemd"

.github/workflows/publish.yml

@@ -1,23 +1,22 @@
 name: Build and publish to Puppet Forge
 
 on:
- push:
-  tags:
-      - v[0-9]+.[0-9]+.[0-9]+
+  release:
+    types: [published]
 
 jobs:
   build:
     runs-on: ubuntu-latest
     steps:
     - name: Get latest tag
       id: vars
-      run: echo ::set-output name=tag::${GITHUB_REF:10}
+      run: echo "{tag}=${GITHUB_REF:10}" >> $GITHUB_OUTPUT
     - name: Clone repository
-      uses: actions/checkout@v2
+      uses: actions/checkout@v3
       with:
         ref: ${{ steps.vars.outputs.tag }}
     - name: Build and publish module
-      uses: barnumbirr/action-forge-publish@v2.8.0
+      uses: barnumbirr/action-forge-publish@v2.15.0
       env:
        FORGE_API_KEY: ${{ secrets.FORGE_API_KEY }}
        REPOSITORY_URL: https://forgeapi.puppet.com/v3/releases

.github/workflows/test.yml

@@ -9,7 +9,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Clone repository
-      uses: actions/checkout@v2
+      uses: actions/checkout@v3
 
     - name: Run unit tests
       uses: puppets-epic-show-theatre/action-pdk-test-unit@v1
@@ -24,7 +24,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Clone repository
-      uses: actions/checkout@v2
+      uses: actions/checkout@v3
 
     - name: Run PDK validate
       uses: puppets-epic-show-theatre/action-pdk-validate@v1

CHANGELOG.md

@@ -1,5 +1,7 @@
 ## Changelog
 
+Please refer to the [GitHub releases page](https://github.com/djjudas21/puppet-freeradius/releases) for the changelog for 4.0.0 and onwards
+
 ### 3.9.2+dpx3
   * Bugfix: Fix spec test for client definition
   * Merge Upstream changes from main for stdlib 9.x support

README.md

@@ -138,6 +138,9 @@ Add a syslog rule (using the `saz/rsyslog` module). Default: `false`.
 ##### `log_auth`
 Log authentication requests (yes/no). Default: `no`.
 
+##### `allow_vulnerable_openssl`
+Allow the server to start with versions of OpenSSL known to have critical vulnerabilities. (yes/no). Default: `yes`.
+
 ##### `package_ensure`
 Choose whether the package is just installed and left (`installed`), or updated every Puppet run (`latest`). Default: `installed`
 
@@ -167,7 +170,7 @@ The shared secret for the status server. Required.
 The port to listen for status requests on. Default: `18121`
 
 ##### `listen`
-The address to listen on. Defaults to listen on all addresses but you could set this to `$::ipaddress` or `127.0.0.1`.  Default: `*`
+The address to listen on. Defaults to listen on all addresses but you could set this to `$facts['networking]['ip']` or `127.0.0.1`.  Default: `*`
 
 ```puppet
   # Enable status server

manifests/attr.pp

@@ -6,27 +6,24 @@
   Optional[String] $prefix               = 'filter',
   Optional[Freeradius::Boolean] $relaxed = undef,
 ) {
-  $fr_package          = $::freeradius::params::fr_package
-  $fr_service          = $::freeradius::params::fr_service
-  $fr_basepath         = $::freeradius::params::fr_basepath
   $fr_group            = $::freeradius::params::fr_group
   $fr_moduleconfigpath = $::freeradius::params::fr_moduleconfigpath
-  $fr_modulepath       = $::freeradius::params::fr_modulepath
 
   # Install the attribute filter snippet
-  file { "${fr_moduleconfigpath}/attr_filter/${name}":
+  file { "freeradius attr_filter/${name}":
     ensure  => $ensure,
+    path    => "${fr_moduleconfigpath}/attr_filter/${name}",
     mode    => '0640',
     owner   => 'root',
     group   => $fr_group,
     source  => $source,
-    require => [Package[$fr_package], Group[$fr_group]],
-    notify  => Service[$fr_service],
+    require => [Package['freeradius'], Group['radiusd']],
+    notify  => Service['radiusd'],
   }
 
   # Reference all attribute snippets in one file
-  concat::fragment { "attr-${name}":
-    target  => "${fr_basepath}/mods-available/attr_filter",
+  concat::fragment { "freeradius attr-${name}":
+    target  => 'freeradius mods-available/attr_filter',
     content => template('freeradius/attr.erb'),
     order   => 20,
   }

manifests/blank.pp

@@ -1,21 +1,20 @@
 # Blank unneeded config files to reduce complexity
 define freeradius::blank {
-  $fr_package  = $::freeradius::params::fr_package
-  $fr_service  = $::freeradius::params::fr_service
   $fr_basepath = $::freeradius::params::fr_basepath
   $fr_group    = $::freeradius::params::fr_group
 
-  file { "${fr_basepath}/${name}":
+  file { "freeradius ${name}":
+    path    => "${fr_basepath}/${name}",
     mode    => '0644',
     owner   => 'root',
     group   => $fr_group,
-    require => [File[$fr_basepath], Package[$fr_package], Group[$fr_group]],
-    notify  => Service[$fr_service],
+    require => [File['freeradius raddb'], Package['freeradius'], Group['radiusd']],
+    notify  => Service['radiusd'],
     content => @(BLANK/L),
-      # This file is intentionally left blank to reduce complexity. \
-      Blanking it but leaving it present is safer than deleting it, \
-      since the package manager will replace some files if they are \
-      deleted, leading to unexpected behaviour!
-      |-BLANK
+               # This file is intentionally left blank to reduce complexity. \
+               Blanking it but leaving it present is safer than deleting it, \
+               since the package manager will replace some files if they are \
+               deleted, leading to unexpected behaviour!
+               |-BLANK
   }
 }

manifests/cert.pp

@@ -5,8 +5,6 @@
   Optional[String] $type     = 'key',
   Freeradius::Ensure $ensure = present,
 ) {
-  $fr_package  = $::freeradius::params::fr_package
-  $fr_service  = $::freeradius::params::fr_service
   $fr_basepath = $::freeradius::params::fr_basepath
   $fr_group    = $::freeradius::params::fr_group
 
@@ -16,15 +14,16 @@
     default => '0644',
   }
 
-  file { "${fr_basepath}/certs/${name}":
+  file { "freeradius certs/${name}":
     ensure    => $ensure,
+    path      => "${fr_basepath}/certs/${name}",
     mode      => $permission,
     owner     => 'root',
     group     => $fr_group,
     source    => $source,
     content   => $content,
     show_diff => false,
-    require   => [File["${fr_basepath}/certs"], Package[$fr_package], Group[$fr_group]],
-    notify    => Service[$fr_service],
+    require   => [File['freeradius certs'], Package['freeradius'], Group['radiusd']],
+    notify    => Service['radiusd'],
   }
 }

manifests/client.pp

@@ -37,19 +37,18 @@
   Variant[Array, Hash, String] $attributes           = [],
   Optional[String] $huntgroups                       = undef,
 ) {
-  $fr_package  = $::freeradius::params::fr_package
-  $fr_service  = $::freeradius::params::fr_service
   $fr_basepath = $::freeradius::params::fr_basepath
   $fr_group    = $::freeradius::params::fr_group
 
-  file { "${fr_basepath}/clients.d/${name}.conf":
+  file { "freeradius clients.d/${name}.conf":
     ensure  => $ensure,
+    path    => "${fr_basepath}/clients.d/${name}.conf",
     mode    => '0640',
     owner   => 'root',
     group   => $fr_group,
     content => template('freeradius/client.conf.erb'),
-    require => [File["${fr_basepath}/clients.d"], Group[$fr_group]],
-    notify  => Service[$fr_service],
+    require => [File['freeradius clients.d'], Group['radiusd']],
+    notify  => Service['radiusd'],
   }
 
   if ($firewall and $ensure == 'present') {
@@ -62,17 +61,18 @@
     if $port {
       if $ip {
         firewall { "100 ${name} ${port_description} v4":
-          proto  => 'udp',
-          dport  => $port,
-          action => 'accept',
-          source => $ip,
+          proto    => 'udp',
+          dport    => $port,
+          jump     => 'ACCEPT',
+          protocol => 'IPv4',
+          source   => $ip,
         }
       } elsif $ip6 {
         firewall { "100 ${name} ${port_description} v6":
           proto    => 'udp',
           dport    => $port,
-          action   => 'accept',
-          provider => 'ip6tables',
+          jump     => 'ACCEPT',
+          protocol => 'IPv6',
           source   => $ip6,
         }
       }

manifests/config.pp

@@ -4,19 +4,18 @@
   Optional[String] $content  = undef,
   Freeradius::Ensure $ensure = present,
 ) {
-  $fr_package          = $::freeradius::params::fr_package
-  $fr_service          = $::freeradius::params::fr_service
   $fr_group            = $::freeradius::params::fr_group
   $fr_moduleconfigpath = $::freeradius::params::fr_moduleconfigpath
 
-  file { "${fr_moduleconfigpath}/${name}":
+  file { "freeradius mods-config/${name}":
     ensure  => $ensure,
+    path    => "${fr_moduleconfigpath}/${name}",
     mode    => '0640',
     owner   => 'root',
     group   => $fr_group,
     source  => $source,
     content => $content,
-    require => [Package[$fr_package], Group[$fr_group]],
-    notify  => Service[$fr_service],
+    require => [Package['freeradius'], Group['radiusd']],
+    notify  => Service['radiusd'],
   }
 }

manifests/dictionary.pp

@@ -5,8 +5,6 @@
   Optional[Integer] $order   = 50,
   Freeradius::Ensure $ensure = 'present',
 ) {
-  $fr_package  = $::freeradius::params::fr_package
-  $fr_service  = $::freeradius::params::fr_service
   $fr_basepath = $::freeradius::params::fr_basepath
   $fr_group    = $::freeradius::params::fr_group
 
@@ -15,26 +13,27 @@
   }
 
   # Install dictionary in dictionary.d
-  file { "${fr_basepath}/dictionary.d/dictionary.${name}":
+  file { "freeradius dictionary.d/dictionary.${name}":
     ensure  => $ensure,
+    path    => "${fr_basepath}/dictionary.d/dictionary.${name}",
     mode    => '0644',
     owner   => 'root',
     group   => $fr_group,
     source  => $source,
     content => $content,
-    require => [File["${fr_basepath}/dictionary.d"], Package[$fr_package], Group[$fr_group]],
-    notify  => Service[$fr_service],
+    require => [File['freeradius dictionary.d'], Package['freeradius'], Group['radiusd']],
+    notify  => Service['radiusd'],
   }
 
   # Reference policy.d in the global includes file
   # If no order priority is given, assume 50
 
   if ($ensure == 'present') {
     concat::fragment { "dictionary.${name}":
-      target  => "${fr_basepath}/dictionary",
+      target  => 'freeradius dictionary',
       content => "\$INCLUDE ${fr_basepath}/dictionary.d/dictionary.${name}",
       order   => $order,
-      require => File["${fr_basepath}/dictionary.d/dictionary.${name}"],
+      require => File["freeradius dictionary.d/dictionary.${name}"],
     }
   }
 }

manifests/home_server.pp

@@ -20,11 +20,9 @@
   Optional[String] $virtual_server                       = undef,
   Optional[Integer] $zombie_period                       = undef,
 ) {
-  $fr_basepath = $::freeradius::params::fr_basepath
-
   # Configure config fragment for this home server
   concat::fragment { "homeserver-${name}":
-    target  => "${fr_basepath}/proxy.conf",
+    target  => 'freeradius proxy.conf',
     content => template('freeradius/home_server.erb'),
     order   => 10,
   }

manifests/home_server_pool.pp

@@ -5,11 +5,9 @@
   Optional[String] $virtual_server = undef,
   Optional[String] $fallback       = undef,
 ) {
-  $fr_basepath = $::freeradius::params::fr_basepath
-
   # Configure config fragment for this home server
   concat::fragment { "homeserverpool-${name}":
-    target  => "${fr_basepath}/proxy.conf",
+    target  => 'freeradius proxy.conf',
     content => template('freeradius/home_server_pool.erb'),
     order   => 20,
   }

manifests/huntgroup.pp

@@ -5,13 +5,10 @@
   Optional[Array[String]] $conditions       = [],
   Optional[Variant[String, Integer]] $order = 50,
 ) {
-  $fr_basepath = $::freeradius::params::fr_basepath
-  $fr_service  = $::freeradius::params::fr_service
-
   concat::fragment { "huntgroup.${title}":
-    target  => "${fr_basepath}/mods-config/preprocess/huntgroups",
+    target  => 'freeradius mods-config/preprocess/huntgroups',
     content => template('freeradius/huntgroup.erb'),
     order   => $order,
-    notify  => Service[$fr_service],
+    notify  => Service['radiusd'],
   }
 }