#!/bin/sh

# radius_clients=client1
# radius_client1_address='192.168.1.0/24'
# radius_client1_secret='s3cret'

: ${radius_clients=''}

freeradius_user=freeradius
freeradius_conf_dir=/usr/local/etc/raddb
freeradius_tls_cert="${freeradius_conf_dir}/freeradius.crt"
freeradius_tls_key="${freeradius_conf_dir}/freeradius.key"
freeradius_cache_dir=/var/cache/radiusd
freeradius_tlscache_dir="${freeradius_cache_dir}/tlscache"

# Install packages.
pkg install -y freeradius3

freeradius_version=$(pkg info freeradius3 | awk '$1 == "Version" { print $3 }')

# Generate configuration.
install_directory -m 0755 "${freeradius_conf_dir}/certs"
install_template -o "$freeradius_user" -g "$freeradius_user" -m 0640 \
  "${freeradius_conf_dir}/radiusd.conf" \
  "${freeradius_conf_dir}/mods-available/eap" \
  "${freeradius_conf_dir}/mods-available/ldap" \
  "${freeradius_conf_dir}/sites-available/inner-tunnel" \
  "${freeradius_conf_dir}/clients.conf"
ln -snfv '../mods-available/ldap' "${freeradius_conf_dir}/mods-enabled/ldap"
ln -snfv '../sites-available/inner-tunnel' "${freeradius_conf_dir}/sites-enabled/inner-tunnel"

# Copy TLS certificate for freeradius.
install_certificate     -g "$freeradius_user" freeradius "$freeradius_tls_cert"
install_certificate_key -g "$freeradius_user" freeradius "$freeradius_tls_key"

# Create cache directories.
install_directory -o "$freeradius_user" -g "$freeradius_user" -m 700 \
  "$freeradius_cache_dir" \
  "$freeradius_tlscache_dir"

# Clean up tlscache with cron job.
install_template -m 0644 /etc/cron.d/freeradius

# Enable and start daemons.
sysrc -v radiusd_enable=YES
service radiusd restart

# Create wifi access role.
ldap_add "cn=${wifi_access_role},${roles_basedn}" <<EOF
objectClass: groupOfMembers
cn: ${wifi_access_role}
EOF