radius: initial setup

2020-05-16 21:43:23 +02:00 · 2020-05-16 21:43:23 +02:00 · 266b0dde6f
commit 266b0dde6f
parent 8355546131
10 changed files with 1045 additions and 139 deletions
--- a/group_vars/all/vars.yml
+++ b/group_vars/all/vars.yml
@ -13,6 +13,7 @@ ldap_nslcd_passwd: "{{ vault_ldap_nslcd_passwd }}"
 ldap_matrix_bind_dn: "cn=matrix,ou=service-users,{{ ldap_base }}"
 ldap_matrix_password: "{{ vault_ldap_matrix_password }}"
 ldap_replica_password: "{{ vault_ldap_replica_password }}"
+ldap_admin_password: "{{ vault_ldap_admin_password }}"
 ldap_admin_hashed_passwd: "{{ vault_ldap_admin_hashed_passwd }}"

 # Databases
@ -49,7 +50,19 @@ dns_host_suffix_backup: 153
 backup_dns_servers:
  - "80.67.169.12" # French Data Network (FDN) (ns0.fdn.fr)

-
+# Misc
 mtu: 1400

+
+# Keepalived
 keepalived_password: "{{ vault_keepalived_password[apartment_block] }}"
+
+
+# Re2o config
+re2o_secret_key: "{{ vault_re2o_secret_key }}"
+re2o_db_password: "{{ vault_re2o_db_password }}"
+re2o_aes_key: "{{ vault_re2o_aes_key }}"
+
+# Radius
+radius_secret_wifi: "{{ vault_radius_secrets.wifi }}"
+radius_secret_wired: "{{ vault_radius_secrets.wired[apartment_block] }}"
--- a/group_vars/all/vault.yml
+++ b/group_vars/all/vault.yml
@ -1,139 +1,161 @@
 $ANSIBLE_VAULT;1.1;AES256
-37633237643762656366393132393038636634373839633762363931353431633834663235356136
-6534646138363864353633323363313032333262383630370a303839306464396439666133383961
-32333933633933373932313535663464393066303836396136393433623966373565396636356633
-6265323735376234310a383263346434333333366262363538383265626363663338326133396634
-61386365363663313061303038313862363363356261326366356363316236643236386566333962
-66663864613866313932666362396235373965343833326531653931643061386662393162363763
-35363439636630366337343638393964636235303934666333313330656663353163663561353263
-35653631323835613463366339306663343933393138663032363265336361613162633538346566
-66643436363130366630396539303463366537323465656663333138373039313434313063663633
-34343438363663376530623334353832373564316364613039306133643335386534656565646663
-35303330623137343430613331326530333531303362343433633534316565306462623663653439
-32623834386663623232363237373461366165303039353362656431633463623830643734396236
-30303731343632313066376631373065323730623839333535636662326136356537333837653335
-30633530633733356335393661343265646637393564653535643265626335613134323430356565
-65643933363137646638393530316463396339333461633063633765343938333966313835656137
-36346366386333643631353630343533343839376263366631346566306563366431666434356236
-37376536666638336230303630393364363936616666366561336262393833366538653132363361
-63333161343839383163313566653832386134663430623338636230663736333064306636643138
-63656533343634643737633234373134656665663964333464373264633763346664376139333530
-31633639346538353439623964653661633863373733353837356231373832643831313138643263
-66316461363666363635636361343835346533393431643132653537323535343163363639396335
-38373762613961336530313963653437643032343032626536633638646137646439346362336564
-61353463306238643062623532616539646239313761356434653965343165376134326437623539
-33313164656262386436653537366436333563613731323262323932323839623338303236363935
-35396265656161663339653538383735616264633931326633636264323434623030626434626361
-65393766383434353463636534353332636338353332306237363338373566383636306366613838
-33363639316330346237663031616330366130306231663634353266373735343434626136353730
-61366166333761323535323435336461646461366632353233303639656639313434393133616564
-35616436393863356266303138373765323037663764383731373362373234353866383139613264
-37303138666337303461313065353866313864353834383336613031623866313338376533656265
-33393138363536613930396631666439336535636336633837623739326166363139343434353662
-66613761396266363030333537626637633365653339356534616266353338633163326633333262
-36323962653863663738613536663838613037356662643866363033383963363465663830353361
-61356464656562373036303834336639643937363134396437356130326634336230323562666136
-35616532626235363737633938363362373430643935333133386539326530333061396463333234
-65356663323463303136643035666138636366363961356165653930396534663038613435383731
-31306638303837646464333164353832626637313537653430313465303061353266373563663261
-63393031336362313935393963303431366666366535333238326334373563343634646238373164
-30333132656230326436306131313264653639343531313333303535346433356533383664666239
-61666666373135306536356439643531343031623134303335383132383330646437663135376232
-35623366323630323762633730303330353839356332653435363962383738346636633632346235
-37343336386361653033626638393939383763323065663135653530613461653438653762626466
-35383139363435393863333032393963303638303936616534373639646564363930653539643937
-35653566353262303266303966313062306438653665353464653465373761343135656433666132
-32623438336330306363623666336133656563653837363766316465386138373234656631333338
-62663866363632643236656530656266653033396438636431653361646538623336626563316638
-30323532356634356538653534643535306135393037323632666538393734653063653234396638
-39623363323233333738336364383663653461356362363334343365343432643531376633323061
-65623530376438646564633236393738333635396230666234363062663839366263373431666637
-30616261313830383962633034376136336432623333663164396335613932656135613830653366
-33633464356366653837386432613037376532373264633737363263613835376536633530663735
-63336636613937623435303830663231353364313435363366666332623339303934643830363835
-38363666633435323732646265343630646531326333653838366531663037383665636632333539
-38613235656566326666363566356130616335643361623262353934646630326430373733386132
-64366165306664383337353837653363313661616463346132333536613232313761666235643663
-36383764336435316138383161353666383530633039373935613665316130353665393334666633
-66363339393266376364306137303335376231396264643231396361366663383335623737636263
-34333464396434343263383938376433393963646337363665623364343065323638666663353462
-31633134326566303930383831366364616365663363666564666532393561303231383063353665
-32333862313531316135363034653137636265653530373761366239366136346236353238323331
-38393834666139666331343166623261393264373330326264636363346564313333316564396530
-37656635666239323439373239396635366661326139623031626130643834663834383765303630
-65646661653030613237663137643639366337313261356231323536346632633961613333336236
-35343033616536306430383533656232343635666234653331373638306264353733663064626137
-63396235653830326438623131316663376266373738383130383536383637343035386532373739
-33323333663164613437323637323333643864353630623361363631386166353737313835643937
-30336234363639666635633931383238646532313864326439656662636432646563316563313337
-33313432333636343161306139323565653434333663613639373834316432643438373936636461
-38616263313335333339346239613464373336616337323766643337633936653031346462353932
-64303865363164663533343464663838313364316664346539623961656630333464633236333135
-33643966343234666138363930363436373433643730616134653361363738316662373136303562
-63646662643132353236643161626331343636623164376532353734363861663865666262376232
-32323533383435386464376134643066653533366430626662343238633432326363393061643466
-38343265626366656638386634636637346366316430636530646334303938653062376236366462
-61346436303032363933366137663863353638363564643231353030303264336132653332623164
-65316165316435326631313763616530656265333735613039343939333134663234633732316265
-36303133303639383738636365393935323562343135633232366637303935663166303335643539
-37353030323466633834363137353233663433623831336161323365376330323839666263306135
-30313762663537393936626361623031623961313932656666313062303462613331643463313863
-61333834313633356233306565366136643832626639663138353865316134653462663331653431
-32336237353663303231346137366239366362313863386131363139346661363331336235336132
-36393636353362616263663830363239643261303334626138353233666338633062646239396363
-34643763663031613365303561376462646262386534386536666532343361366136623132393035
-35383561653864326230316436393334306133353937633363313365336564393234633334383232
-36626133626130326663646162363238316461373034646634346135353337343737393936373438
-33373931383638376632626633626666396536386237376331646131633566613464663762663933
-36313964393461323839366562313537373533366561396130313731623831313638303664333634
-39313364663432313130376163306166363162623163636437633934346662383337396164363239
-37643536363531653236396539306663303265373537376334656635303162383239303262316431
-33313433663038306666383738313630366235323936656562376338366332653366363665623936
-39356237303563623634666335616436376638373464333338643666376563353033356562366566
-38303333306430386539306664666234633433383935396635396534646465336438616431653438
-62616465343161376464663065343930646435643137376331323637363566613736333664643936
-65323363323565343761613865316432643537323661633732326230626435646363613635313161
-31303836336234663834633137343533653438386362623236333864663563646365653036626561
-32333261383435363763656238303438363035656538383037643339353131636162303762363039
-37363864653665313861663235353963383938353065306561313536646562396430636363623132
-36646562663436343331656236383031363764336638323263646562663634343932303431376465
-34336636613836386238373764343030363163366232356536313966643938316533353338323464
-61353033396334633536373834613735396665383861313064626239336439376166633066636664
-37306235386632343835666264653165656164373031653337333533656531353936396339613066
-63366131356131313736613762626235656565373537646566313438393833643234666238383330
-66313038386566356632613833623734616233343732333431316666376636386262666336323936
-38636134353261666666623466313330303834646362336134656163313766376432636437623237
-32376264363361613163306439623965363763356161363030363262386565386438646564613533
-33356331333137663935326338313336653233303235353339363164666639623234613165616166
-35656235356634653638646134356230646236656264333134656138323662623363363565343035
-30326563313566346335393738623237316431326538363434353436356139653965663762613437
-39346232333938303065393561303134626333393666306134326636353430353736383739643539
-63373063316633383765663236366235353035656639326638346661313136613530666461633764
-33646262393733316263633064396139656661343634326336653932373335306331303938633935
-31623661633231633265656166363662396133666231623230393761313966353932326135396134
-34663636353535623963666463386431376166633130343834393934323461303934363066386565
-37386563396335363430383135656437316635623764386631333665646563373735666333613633
-32303430663066336334383533643434326566343861323932326131313032316636643135363166
-66386361623266616536363365663131326537333762373538653238646334303138333636326530
-32643833333331633435646331363764633835666537356665663130656138613661383762323630
-39366531333964656633313130373733373631313936663961386162333564343866616238383863
-63326134336534346233316134643136393564363431373563323233393938653063383131303561
-39383733306566646563363137373662653935623366666363383837373031613036306637313330
-31366434303432373432646333326462336133343762393730346534633934363565323766363234
-66653836663832316632613436313030393161303031363932353562623437336335393463643335
-63636435323034373637323235663665346166346235356662626465383538616166653138653933
-65633065613938623234363362336332376366336236313731656462643531366634663664333939
-39313730313365363332613532623762303330386632303136383961616438616237386432653234
-32636463303235323930306463316234343262393363383430373961646264643930386131623930
-64613430303236393830666531303430653638363838396464373863383766386365653435366564
-35626462613533323735323537373236666233663935343763623465393039386664333561623363
-66383866326331613136303864333339393134613563613664633039316535636531363339396439
-38653732336139313235333932383337313838653934663563613966633634313538653262393130
-35383866326463636634393062376633316363613338656663323336616538383938646166323333
-39643739663232363631653637306266653939363835366637613261613837313664643731373063
-64613561366663386566656230306139386265633238383230613966376265383136663039356365
-30383963373663323430633036616164306639306134306632656137663065666364626435613034
-63623534326562336262393036336432653566306234663762633232383365353936646236383430
-62303331343635616131623065353465396534653439303535623165373461343464643734643565
-36356133306434346461616462343139616533386266653932613762303835636663326265323863
-3561656265306635653232343032396139336135373232616637
+33396439643732346636636465616537313231333032616436323166633235663131343961373834
+6365316236333532313361323063373130643031386131610a343036393035633431656434323466
+30333836636565323163613631386663313934633264373734366438626636313137393233623835
+3930643831626164330a396233393834623635363864656466393236313837663739303065353437
+38356539306333663062656439333938306433343632633861363430346631386238353462393334
+61366263383062353136363632323330336637616538333866386534656662646639383335653931
+33393166656166343166356334623266373533653938313064393533363331636365343161373665
+62336466386536356637383663333661303135663835623432306231373034373435353562636265
+31326561626665376566633066346366613364333135366363623030613131353833336135306464
+66306133373634393431313866343464616633393165353830373436666136396633396131363763
+39306162666437346138373132323132376237346137643861363235646134616132653235326362
+32626135613530643766333930613164663935356332626232616330373237633835313231373066
+66323431366332663965393239623337646666613566363132383232643235363237316437653261
+63653361663038653764633266356433323234323132336232636337303763323736316662386638
+34326233376465303561643830646635353965623331633934393639313236373236343836366532
+30613964343835353130386533623262633261373831616635643861373133333237663666646334
+64636139323038353265333336626233346266353637343232383930376330643831633030643664
+61356231653135363664363063383331666137336433613966343839623161393135643738333537
+61363164623539353634353932363762336165643961333931316338343036336435356533616433
+30396335643634333366383233623034373164303564643639323030333461323965306638653063
+31383161336531376231626332343436353635663466396134313530383563306566626566643964
+35323465623562346439363036623139303932663539396662356336666362666463616432633162
+31393231323963356538336436653032323462623462366130323963636136666131646636333532
+32613136373162383037646137663230343536336161666132383964666239303663356430303361
+66653963326135643963393931356231666666376466326135353261356265653230633935376235
+32356330383163623132386363623239643531313163373539646166383964663661393663633465
+39346666353062643964316532313363336562373035306635383138666336616239633932383437
+63396138376138636561336539333564393033393466633066303138616136316638373138356161
+39666632666339373836343363653530633130643733386339633536636135373365643363373032
+64633837656235363137633364313662363134306330376537326634353731346463643832396534
+64386361326635663032663464343432626237643365333330613466656163313930343266616139
+36393036353864316661343066653237333737643038396538666139643034396636643765366163
+30646366343636343364336639653436383038353637623131373738306566623033633863333634
+61363861306463353130393130613232643134313765363033646330666662353961343664316438
+36396339376366393236326432663434366634333935386662373538306236343938333563376263
+65346637346433366637336532656337393730303934653835313839656535353731333737656162
+65356531663737663164336338333336613230623836363435326132643131326534393634326261
+32663564646536663338623035653138373835306530316536316664663039383032366465303363
+38626138386164366332613933363434363132383336626430356331376239373031633262366532
+62646435653932636264323164636465366138636631313538346530306163373466393866383266
+30643739316336373462326138313666643263333463373764323832383230366465376539623937
+62363536333238363735306563333731663862653932393565663034636238643434633161626632
+33326164366336343734653234363930616634643933306264656138396631646135343437303462
+39343237663262303933393865346165353934356662376136633636343636626634343666343134
+37346166373963356638666338353438323831613538313961643339663230626565306261376665
+32613438303964656161653535313436643662393032396532303738653662343762323538366133
+32323036393530316630316261323731393865323433383961316664623435363130646239666132
+31623935663637373763356562613964636338343666393833386634356465333866643831393531
+38343261663636333336366539306366636137346131316161383661666431353235313536646538
+39663866376336633739356337633461613261316435393063653633336636333738656631313032
+62323130396164636431343961643237646533396639373863396333653936663964623337363063
+32366162343635333132636239363039326565383262633163336436613430323039356439613964
+39376563353663373637313035393839646633343963356433316333323732613035303432646338
+62306639316139306531393236656265383836653436646136326666336137623936366630346332
+33303465623537653461363437373036343439656134333930393862306339653161633365333335
+63643937393761363463333637623039643265366462356632343263393434326435346634613736
+38323561613134363330636562336264633465363762393736333934353237633162393238353961
+65303634333331333537356134616539653462363035316330303338663430303536643230313133
+64653739656233616131653731343733616661626662636139393039633636666132346230333966
+34353831383036313663396339326237323038633231306230663563643562363030613332633362
+38383463393961373635356539633839646337666132393034343264333739346432326333383432
+32663030663739666237333435643734333663383238636130636135666561343961613861323666
+33623637366232316430643331643863666261636266383030653263383766353861306631343934
+62663761663366353763623966313035343330316563623238626537396439373235663862626565
+35356234383534653231396632306137373037643531303434393433353134326532313332326538
+66343236396636356231353234346438613866353763303136366137616338326532353039306639
+34613234356664333339363134646532666631623132663462316562326266316365623738623663
+32363562376234313038616530373335363935313135636466336237356632336537623538346433
+33643563343936623836356238613139623730343236663464626262323330653362616238356137
+64343563653863326638643834623665393333313262353732626638373634643633613836623164
+63396136643066616133346131313833303064343534353963386638363462316435646637623232
+32633332356263383533626635316231393865336636353430383365333131316633666164306138
+33363330303464386563353436646562623337656633333963333431353837313362653931613033
+37383330643730616432333538356430626462303730343430336465623938613732383138646330
+39363161323665643333383461333730323734613134386461636339653431323033663434643364
+38383762306139313465613461323436306137336463383439633230353266333137656330633237
+62306230363031353361333462393136396234663231356434393438326533363434376537376266
+66323364313934616232393931616234666166616532663865316538346536326266326133613635
+62373839343639313861316539643461663161386435323161613436353433616230633734316239
+35373332353539666636303934396661663831313935616262323639633561636433663135626633
+61313730356664316262353832336334616330393431346363373265626661336332313135666639
+31646134613635643765353833633231623034316163663031376366353430373230666466633536
+34393132313738336163363035663435666262633161373336343932383366633765646366313132
+66623933343362636633376339303363383165373336313134613330386530616335363263643166
+32333162633035376562303332633732636530616432326234636236323434366164656437666464
+63666536663261373565366437326636333232623934363033653837626230323934666138626462
+66663639316630326662336263343365303630366234383530646139363936653866373162323435
+35333139353831643232666533333065386130666137653931336638623137616639653533656562
+32386431373865393561353537396632653239623839306234643938643261383730346431376234
+32643030353537333665363232383562646662656131346433653065613763613532313461636663
+37363565633864626136646663363334633239376537353066373466306431366132633931346464
+66653164356134323834366364643637343833396666373039383861663435343238353462396438
+33386131393839346663653433633333653564663665343265363831343937396436646262653738
+33633761343362343762376239333963306264326333366437636661616233383737636234346538
+35383861646332656664353339386331646236663036383033663262353336323634323365623661
+36376561643864303832386634623032356563306138333532623434633166646130313239343539
+66663566366636323835633661636331383066303131626132306332323430333333323734626433
+66303839346261386364316530373736373362323339376462363130643964666638383935346330
+33313830343965353338643139663834373863336636383730323662363836653536366433666166
+61623265656431303661346664646135373438386335303437333734613761663031353235623062
+36656432666266333161346238356532373464353835336561366138653031623264616563353836
+61353731396361343939616437313532303766333962363536666139663064626636306239313962
+65306336333739346435353636303534366635303362363631383264306435383662323930393230
+30623134356439613436643861343036363366336332623665306239623234386435346337323930
+61343061393961663133333764333362346137636132636532396135643839633863386638346330
+34653131656332376538613039333066366232663432353666633334613331393863333236656662
+34646630616263356363613162646533623336623164643561333934343565373936326135323230
+38366335336562653861643732653930623461616366343239303862313339383031346630656538
+65363865623666306436303165373734646464303637333939666262363163343230376161373734
+37636433663139616261386534386466633862373739636262386631333334336238333862636335
+33386530393762626161303331633735363039373636346432626236336635323232313661623234
+66366637316439393465373066383864336638326533346438343162336161663436323031643235
+65633735613538666133353962646134353430633037663761353464313230336332323035386539
+39323363633863383861356162333137643433653135323433366636383966363137376339383131
+63356230333434643738383938396535313561356236656532376435623933343236636136353666
+37376434393664386438626661663431396430343431633435343436636665366138623632613665
+35373433613065666436313266373332313731633534386161383437386432353138636265346563
+39643862623936623636326664636365313765653666393433386631373162623332653139313133
+61376534313835666165313762653061633236353832633161313533376630636131666465313338
+39356530346332623633343536333130346230363233386435346239353535316561623331613533
+34623235336563613939333739643331343832353631333436653361623934626234343464613232
+36303263363530396334373438653166343661346531363764353233366464666263646161653432
+64313236653735323664323965366563316166623362393032396262636339306562643964653932
+36643534346235383066326331313338333366343335393038633137663836313831313632386464
+36626136666665623262373762643233653036383839666130623866313236393265306534343562
+38346261353663383730346666626131313766643233323865626437643633326438303735353663
+31373665343363666236326661336534333534363666396665396437656266386331303563323666
+37326336663562353835313062646538323735336466626461333836366435313835636462356163
+64636437346562343463643338353730303932623732396232396133366130626539663738313361
+62373133396233366636653032306637303735373838346432653637303663616631323162373361
+36623565306364343330376538336534323964633034383765616666636438316466663662623263
+65666636666236353630633037393038373338373536336165623264306135656635383464353938
+32343131316330616139663864383938386437333662323463626636383964623264343737363738
+38613232663539656266343561653465356431393765643062336236653664626133353234383163
+35346235343935386130376135363535316539313164613732643631623439653962313839386637
+32613532666265346633336435346464656666346335656235373962633965626264343035633961
+66666231383164313239373033373361343038373436346537353536303338613035366330393039
+31613638353037616338376630356630306230376564306532343838323236316137356130386665
+62353166633038643032393530373461386465663935666430386238656637633265356362393237
+63356464373734623561643863386431643266313139353033663162386361626133303064663563
+64623537323734666665393537343963613036383331363262663933313365613866316366663730
+62613466303836383861323563356362333333653564303938366235626362623965336438313932
+38383164303232323166643533393738663536336666656433313537316264643930303634333637
+30636231326462376562646636363136393761383665626663303133313336613766613366626436
+64333466353461356631326433366634653338303362363230613863623735363934623133666430
+64376637336635613838396235633164343933333237323133313632656464343039323763353663
+37343133646633663762656331396362346635343463646236656330346363633533316531636566
+37303662393034386263643563363564363663356635636236396638656136306664366363616165
+62333366626433336461623032353831346662643934346430636535306439363839356132316466
+36393164633030386538653135323461663632646266653663613366353339363437663537373931
+63393135646539353162376635663833653462653964356135623138653137343431643339316239
+64653734353631646661373833353436636134383038623539666662666439343039663230643133
+31303262396164383439613063306462666662346464663235343637363565393238663138613862
+63313064376336363637663832343134333236323466323662666334356232323537663734623466
+32323766616663356435613737396639366635636663346535653534666431323966623463333039
+64353365353031653136383561353439383266323365353361653530313933383130646539326337
+32383266346433613264643939396364656633313766383333336132393936666433346263386264
+38613034396430323235366564636365346563383935626330626130326236623361326161396363
+65323635323361623864643864346633343239626438306131303039393362363764646432366332
+34333931623535633439
--- a/network.yml
+++ b/network.yml
@ -27,6 +27,12 @@
    - router


+# Radius (backup only for now)
+- hosts: radius-edc-backup.adm.auro.re
+  roles:
+    - radius
+
+
 # WIP: Deploy authoritative DNS servers
 # - hosts: authoritative_dns
 #   vars:
--- a/roles/radius/tasks/main.yml
+++ b/roles/radius/tasks/main.yml
@ -0,0 +1,80 @@
+- name: Add backports repositories
+  apt_repository:
+    repo: "{{ item }} http://deb.debian.org/debian buster-backports main contrib non-free"
+  loop:
+    - "deb"
+    - "deb-src"
+
+- name: Ensure /var/www exists
+  file:
+    name: "/var/www"
+    state: directory 
+
+- name: Clone re2o repo
+  git:
+    repo: "https://gitlab.federez.net/re2o/re2o.git"
+    dest: "/var/www/re2o"
+    version: "master_freeradius_python3"
+    force: true
+
+- name: Template local settings
+  template:
+    src: settings_local.py.j2
+    dest: "/var/www/re2o/re2o/settings_local.py"
+
+
+
+# What follows is a hideous abomination.
+# Blame freeradius-python3 on backports.
+
+- name: try to install freeradius-python3 (this will fail on post-install)
+  apt:
+    name: freeradius-python3
+  ignore_errors: yes
+  no_log: yes
+
+- name: fix freeradius-python3 postinstall script
+  template:
+    src: freeradius-python3.postinst.j2
+    dest: /var/lib/dpkg/info/freeradius-python3.postinst
+
+- name: Setup radius symlinks
+  file:
+    src: "/var/www/re2o/freeradius_utils/{{ item.local_prefix }}{{ item.filename }}"
+    dest: "/etc/freeradius/3.0/{{ item.filename }}"
+    state: link
+    force: yes
+  loop:
+    - local_prefix: ""
+      filename: auth.py
+    - local_prefix: freeradius3/
+      filename: radiusd.conf
+    - local_prefix: freeradius3/
+      filename: mods-enabled/python
+    - local_prefix: freeradius3/
+      filename: mods-enabled/eap
+
+- name: Configure radius clients.conf
+  template:
+    src: "{{ item }}.j2"
+    dest: "/etc/freeradius/3.0/{{ item }}"
+  loop:
+    - clients.conf
+    - sites-enabled/default
+    - sites-enabled/inner-tunnel
+
+- name: reinstall broken backpage
+  apt:
+    name: freeradius-python3
+    force: yes
+
+- name: Install radius requirements (except freeradius-python3)
+  shell:
+    cmd: "{{ item }}"
+    chdir: /var/www/re2o/
+  loop:
+    - "cat apt_requirements_radius.txt | grep -v freeradius-python3 | xargs apt-get -y install"
+    - "pip3 install -r pip_requirements.txt"
+
+
+# End of hideousness (hopefully).
--- a/roles/radius/templates/clients.conf.j2
+++ b/roles/radius/templates/clients.conf.j2
@ -0,0 +1,18 @@
+client radius-filaire {
+   ipaddr  = 10.130.{{ apartment_block_id }}.0
+   netmask = 24
+   secret  = {{ radius_secret_wired }}
+   require_message_authenticator = no
+   nastype = other
+   virtual_server = radius-filaire
+}
+
+
+client aurore-wifi {
+   ipaddr = 10.{{ subnet_ids.ap }}.0.0
+   netmask = 16
+   secret = {{ radius_secret_wifi }}
+   require_message_authenticator = no
+   nastype = other
+   virtual_server = radius-wifi
+}
--- a/roles/radius/templates/freeradius-python3.postinst.j2
+++ b/roles/radius/templates/freeradius-python3.postinst.j2
@ -0,0 +1,14 @@
+#!/bin/sh
+# vim:ts=2:sw=2:et
+
+set -e
+
+case "$1" in
+  configure)
+    invoke-rc.d freeradius restart
+    ;;
+esac
+
+
+
+exit 0
--- a/roles/radius/templates/proxy.conf.j2
+++ b/roles/radius/templates/proxy.conf.j2
@ -0,0 +1,53 @@
+# -*- mode: conf-unix; coding: utf-8 -*-
+proxy server {
+    default_fallback = no
+}
+
+
+realm LOCAL {
+
+}
+
+realm NULL {
+
+}
+
+#Proxy FedeRez #####
+
+realm AUROREFEDEREZ {
+        auth_pool = aurore_central_radius_servers
+#       nostrip
+}
+
+home_server radius_aurore_v4 {
+        type = auth
+        ipaddr = 10.128.0.251
+        port = 1812
+        secret = aaVVvNUYD/MgE
+        require_message_authenticator =yes
+        response_window = 20
+        zombie_period = 40
+        revive_interval = 120
+        status_check = status-server
+        check_interval = 30
+        num_answers_to_alive = 3
+}
+
+#home_server _v6 {
+#        type = auth
+#        ipaddr =
+#        port = 1812
+#        secret =
+#        require_message_authenticator =yes
+#        response_window = 20
+#        zombie_period = 40
+#        revive_interval = 120
+#        status_check = status-server
+#        check_interval = 30
+#        num_answers_to_alive = 3
+#}
+
+home_server_pool aurore_central_radius_servers {
+    type = fail-over
+    home_server = radius_aurore_v4
+}
--- a/roles/radius/templates/settings_local.py.j2
+++ b/roles/radius/templates/settings_local.py.j2
@ -0,0 +1,116 @@
+# coding: utf-8
+# Re2o est un logiciel d'administration développé initiallement au rezometz. Il
+# se veut agnostique au réseau considéré, de manière à être installable en
+# quelques clics.
+#
+# Copyright © 2017  Gabriel Détraz
+# Copyright © 2017  Goulven Kermarec
+# Copyright © 2017  Augustin Lemesle
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+"""re2o.settings_locale
+The file with all the available options for a locale configuration of re2o
+"""
+
+from __future__ import unicode_literals
+
+# A secret key used by the server.
+SECRET_KEY = "{{ re2o_secret_key }}"
+
+# The password to access the project database
+DB_PASSWORD = "{{ re2o_db_password }}"
+
+# AES key for secret key encryption.
+# The length must be a multiple of 16
+AES_KEY = "{{ re2o_aes_key }}"
+
+# Should the server run in debug mode ?
+# SECURITY WARNING: don't run with debug turned on in production!
+DEBUG = False
+
+# A list of admins of the services. Receive mails when an error occurs
+ADMINS = [('AURORE', 'monitoring.aurore@lists.crans.org'), ('Gabriel Detraz', 'detraz@crans.org')]
+
+# The list of hostname the server will respond to.
+ALLOWED_HOSTS = ['radius-pacaterie.adm.auro.re']
+
+# The time zone the server is runned in
+TIME_ZONE = 'Europe/Paris'
+
+# The storage systems parameters to use
+DATABASES = {
+    'default': {  # The DB
+        'ENGINE': 'django.db.backends.postgresql_psycopg2',
+        'NAME': 're2o',
+        'USER': 're2o',
+        'PASSWORD': DB_PASSWORD,
+        'HOST': 're2o-db.adm.auro.re',
+        'TEST': {
+            'CHARSET': 'utf8',
+            'COLLATION': 'utf8_general_ci'
+        }
+    },
+    'ldap': {  # The LDAP
+        'ENGINE': 'ldapdb.backends.ldap',
+        'NAME': 'ldap://10.128.0.11/',
+        'USER': 'cn=admin,dc=auro,dc=re',
+        'TLS': False,
+        'PASSWORD': '{{ ldap_admin_password }}',
+    }
+}
+
+# Security settings for secure https
+# Activate once https is correctly configured
+SECURE_CONTENT_TYPE_NOSNIFF = False
+SECURE_BROWSER_XSS_FILTER = False
+SESSION_COOKIE_SECURE = False
+CSRF_COOKIE_SECURE = False
+CSRF_COOKIE_HTTPONLY = False
+X_FRAME_OPTIONS = 'DENY'
+SESSION_COOKIE_AGE = 60 * 60 * 3
+
+# The path where your organization logo is stored
+LOGO_PATH = "static_files/logo.png"
+
+# The mail configuration for Re2o to send mails
+SERVER_EMAIL = 'no-reply@auro.re'  # The mail address to use
+EMAIL_HOST = 'localhost'           # The host to use
+EMAIL_PORT = 25             # The port to use
+
+# Settings of the LDAP structure
+LDAP = {
+    'base_user_dn': 'cn=Utilisateurs,dc=auro,dc=re',
+    'base_userservice_dn': 'ou=service-users,dc=auro,dc=re',
+    'base_usergroup_dn': 'ou=posix,ou=groups,dc=auro,dc=re',
+    'base_userservicegroup_dn': 'ou=services,ou=groups,dc=auro,dc=re',
+    'user_gid': 100,
+    }
+
+# A range of UID to use. Used in linux environement
+UID_RANGES = {
+    'users': [21001, 30000],
+    'service-users': [20000, 21000],
+}
+
+# A range of GID to use. Used in linux environement
+GID_RANGES = {
+    'posix': [501, 600],
+}
+
+# Some optionnal Re2o Apps
+OPTIONNAL_APPS_RE2O = ()
+
+# Some Django apps you want to add in you local project
+OPTIONNAL_APPS = OPTIONNAL_APPS_RE2O + ()
--- a/roles/radius/templates/sites-enabled/default.j2
+++ b/roles/radius/templates/sites-enabled/default.j2
@ -0,0 +1,239 @@
+######################################################################
+#
+#	As of 2.0.0, FreeRADIUS supports virtual hosts using the
+#	"server" section, and configuration directives.
+#
+#	Virtual hosts should be put into the "sites-available"
+#	directory.  Soft links should be created in the "sites-enabled"
+#	directory to these files.  This is done in a normal installation.
+#
+#	If you are using 802.1X (EAP) authentication, please see also
+#	the "inner-tunnel" virtual server.  You will likely have to edit
+#	that, too, for authentication to work.
+#
+#	$Id: 083407596aa5074d665adac9606e7de655b634aa $
+#
+######################################################################
+#
+#	Read "man radiusd" before editing this file.  See the section
+#	titled DEBUGGING.  It outlines a method where you can quickly
+#	obtain the configuration you want, without running into
+#	trouble.  See also "man unlang", which documents the format
+#	of this file.
+#
+#	This configuration is designed to work in the widest possible
+#	set of circumstances, with the widest possible number of
+#	authentication methods.  This means that in general, you should
+#	need to make very few changes to this file.
+#
+#	The best way to configure the server for your local system
+#	is to CAREFULLY edit this file.  Most attempts to make large
+#	edits to this file will BREAK THE SERVER.  Any edits should
+#	be small, and tested by running the server with "radiusd -X".
+#	Once the edits have been verified to work, save a copy of these
+#	configuration files somewhere.  (e.g. as a "tar" file).  Then,
+#	make more edits, and test, as above.
+#
+#	There are many "commented out" references to modules such
+#	as ldap, sql, etc.  These references serve as place-holders.
+#	If you need the functionality of that module, then configure
+#	it in radiusd.conf, and un-comment the references to it in
+#	this file.  In most cases, those small changes will result
+#	in the server being able to connect to the DB, and to
+#	authenticate users.
+#
+######################################################################
+
+server default {
+listen {
+	type = auth
+	ipaddr = *
+	port = 0
+
+	limit {
+	      max_connections = 16
+	      lifetime = 0
+	      idle_timeout = 30
+	}
+}
+
+listen {
+	ipaddr = *
+	port = 0
+	type = acct
+
+	limit {
+	}
+}
+
+# IPv6 versions of the above - read their full config to understand options
+listen {
+	type = auth
+	ipv6addr = ::	# any.  ::1 == localhost
+	port = 0
+	limit {
+	      max_connections = 16
+	      lifetime = 0
+	      idle_timeout = 30
+	}
+}
+
+listen {
+	ipv6addr = ::
+	port = 0
+	type = acct
+
+	limit {
+	}
+}
+}
+
+server radius-wifi {
+authorize {
+        rewrite_calling_station_id
+
+        if (User-Name =~ /^(.*)@(.*)/){
+            if (User-Name !~ /^(.*)@(.*)auro(.*)/){
+                update control{
+                    Proxy-To-Realm := 'AUROREFEDEREZ'
+                }
+            }
+
+            if ("%{request:User-Name}" =~ /^(.*)@(.*)auro(.*)/){
+                update request{
+                    Stripped-User-Name := "%{1}"
+                }
+            }
+        }
+
+	filter_username
+
+	preprocess
+
+	suffix
+
+	eap {
+		ok = return
+	}
+
+	expiration
+	logintime
+
+	pap
+
+}
+
+authenticate {
+	Auth-Type PAP {
+		pap
+	}
+
+	Auth-Type CHAP {
+		chap
+	}
+
+	Auth-Type MS-CHAP {
+		mschap
+	}
+
+	mschap
+
+	digest
+
+	eap
+}
+
+
+preacct {
+	preprocess
+
+	acct_unique
+
+	suffix
+	files
+}
+
+accounting {
+
+	detail
+
+	unix
+	exec
+
+}
+
+session {
+}
+
+post-auth {
+	update {
+		&reply: += &session-state:
+	}
+
+	exec
+
+
+	remove_reply_message_if_eap
+
+	Post-Auth-Type REJECT {
+		-sql
+		attr_filter.access_reject
+
+		eap
+
+		remove_reply_message_if_eap
+	}
+}
+
+pre-proxy {
+}
+
+post-proxy {
+	eap
+}
+}
+
+
+
+server radius-filaire{
+    authorize{
+
+            re2o
+            expiration
+            logintime
+            pap
+    }
+    authenticate{
+        Auth-Type PAP{
+            pap
+        }
+        Auth-Type CHAP{
+            chap
+        }
+        Auth-Type MS-CHAP{
+            mschap
+        }
+        digest
+        eap
+
+    }
+    preacct{
+        preprocess
+        acct_unique
+        suffix
+        files
+    }
+    accounting{
+    }
+    session{
+    }
+    post-auth{
+       re2o
+       exec
+    }
+    pre-proxy{
+    }
+    post-proxy{
+        eap
+    }
+}
--- a/roles/radius/templates/sites-enabled/inner-tunnel.j2
+++ b/roles/radius/templates/sites-enabled/inner-tunnel.j2
@ -0,0 +1,345 @@
+# -*- text -*-
+######################################################################
+#
+#	This is a virtual server that handles *only* inner tunnel
+#	requests for EAP-TTLS and PEAP types.
+#
+#	$Id: 2c6f9611bfc7b4b782aeb9764e47e832690739c4 $
+#
+######################################################################
+
+server inner-tunnel {
+
+#
+#  This next section is here to allow testing of the "inner-tunnel"
+#  authentication methods, independently from the "default" server.
+#  It is listening on "localhost", so that it can only be used from
+#  the same machine.
+#
+#	$ radtest USER PASSWORD 127.0.0.1:18120 0 testing123
+#
+#  If it works, you have configured the inner tunnel correctly.  To check
+#  if PEAP will work, use:
+#
+#	$ radtest -t mschap USER PASSWORD 127.0.0.1:18120 0 testing123
+#
+#  If that works, PEAP should work.  If that command doesn't work, then
+#
+#	FIX THE INNER TUNNEL CONFIGURATION SO THAT IT WORKS.
+#
+#  Do NOT do any PEAP tests.  It won't help.  Instead, concentrate
+#  on fixing the inner tunnel configuration.  DO NOTHING ELSE.
+#
+listen {
+       ipaddr = 127.0.0.1
+       port = 18120
+       type = auth
+}
+
+
+#  Authorization. First preprocess (hints and huntgroups files),
+#  then realms, and finally look in the "users" file.
+#
+#  The order of the realm modules will determine the order that
+#  we try to find a matching realm.
+#
+#  Make *sure* that 'preprocess' comes before any realm if you
+#  need to setup hints for the remote radius server
+authorize {
+        if ("%{request:User-Name}" =~ /^(.*)@auro(.*)/){
+                update request{
+                    Stripped-User-Name := "%{1}"
+                }
+        }
+	#
+	#  Take a User-Name, and perform some checks on it, for spaces and other
+	#  invalid characters.  If the User-Name appears invalid, reject the
+	#  request.
+	#
+	#  See policy.d/filter for the definition of the filter_username policy.
+	#
+	filter_username
+
+        re2o
+
+	#
+	#  Do checks on outer / inner User-Name, so that users
+	#  can't spoof us by using incompatible identities
+	#
+#	filter_inner_identity
+
+	#
+	#  The chap module will set 'Auth-Type := CHAP' if we are
+	#  handling a CHAP request and Auth-Type has not already been set
+	chap
+
+	#
+	#  If the users are logging in with an MS-CHAP-Challenge
+	#  attribute for authentication, the mschap module will find
+	#  the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP'
+	#  to the request, which will cause the server to then use
+	#  the mschap module for authentication.
+	mschap
+
+	#
+	#  Pull crypt'd passwords from /etc/passwd or /etc/shadow,
+	#  using the system API's to get the password.  If you want
+	#  to read /etc/passwd or /etc/shadow directly, see the
+	#  passwd module, above.
+	#
+#	unix
+
+	#
+	#  Look for IPASS style 'realm/', and if not found, look for
+	#  '@realm', and decide whether or not to proxy, based on
+	#  that.
+#	IPASS
+
+	#
+	#  If you are using multiple kinds of realms, you probably
+	#  want to set "ignore_null = yes" for all of them.
+	#  Otherwise, when the first style of realm doesn't match,
+	#  the other styles won't be checked.
+	#
+	#  Note that proxying the inner tunnel authentication means
+	#  that the user MAY use one identity in the outer session
+	#  (e.g. "anonymous", and a different one here
+	#  (e.g. "user@example.com").  The inner session will then be
+	#  proxied elsewhere for authentication.  If you are not
+	#  careful, this means that the user can cause you to forward
+	#  the authentication to another RADIUS server, and have the
+	#  accounting logs *not* sent to the other server.  This makes
+	#  it difficult to bill people for their network activity.
+	#
+	suffix
+#	ntdomain
+
+	#
+	#  The "suffix" module takes care of stripping the domain
+	#  (e.g. "@example.com") from the User-Name attribute, and the
+	#  next few lines ensure that the request is not proxied.
+	#
+	#  If you want the inner tunnel request to be proxied, delete
+	#  the next few lines.
+	#
+	update control {
+		&Proxy-To-Realm := LOCAL
+	}
+
+	#
+	#  This module takes care of EAP-MSCHAPv2 authentication.
+	#
+	#  It also sets the EAP-Type attribute in the request
+	#  attribute list to the EAP type from the packet.
+	#
+	#  The example below uses module failover to avoid querying all
+	#  of the following modules if the EAP module returns "ok".
+	#  Therefore, your LDAP and/or SQL servers will not be queried
+	#  for the many packets that go back and forth to set up TTLS
+	#  or PEAP.  The load on those servers will therefore be reduced.
+	#
+	eap {
+		ok = return
+	}
+
+	#
+	#  Read the 'users' file
+	#files
+
+	#
+	#  Look in an SQL database.  The schema of the database
+	#  is meant to mirror the "users" file.
+	#
+	#  See "Authorization Queries" in sql.conf
+	#-sql
+
+	#
+	#  If you are using /etc/smbpasswd, and are also doing
+	#  mschap authentication, the un-comment this line, and
+	#  enable the "smbpasswd" module.
+#	smbpasswd
+
+	#
+	#  The ldap module reads passwords from the LDAP database.
+	#-ldap
+
+	#
+	#  Enforce daily limits on time spent logged in.
+#	daily
+
+	expiration
+	logintime
+
+	#
+	#  If no other module has claimed responsibility for
+	#  authentication, then try to use PAP.  This allows the
+	#  other modules listed above to add a "known good" password
+	#  to the request, and to do nothing else.  The PAP module
+	#  will then see that password, and use it to do PAP
+	#  authentication.
+	#
+	#  This module should be listed last, so that the other modules
+	#  get a chance to set Auth-Type for themselves.
+	#
+	pap
+}
+
+
+#  Authentication.
+#
+#
+#  This section lists which modules are available for authentication.
+#  Note that it does NOT mean 'try each module in order'.  It means
+#  that a module from the 'authorize' section adds a configuration
+#  attribute 'Auth-Type := FOO'.  That authentication type is then
+#  used to pick the appropriate module from the list below.
+#
+
+#  In general, you SHOULD NOT set the Auth-Type attribute.  The server
+#  will figure it out on its own, and will do the right thing.  The
+#  most common side effect of erroneously setting the Auth-Type
+#  attribute is that one authentication method will work, but the
+#  others will not.
+#
+#  The common reasons to set the Auth-Type attribute by hand
+#  is to either forcibly reject the user, or forcibly accept him.
+#
+authenticate {
+	#
+	#  PAP authentication, when a back-end database listed
+	#  in the 'authorize' section supplies a password.  The
+	#  password can be clear-text, or encrypted.
+	Auth-Type PAP {
+		pap
+	}
+
+	#
+	#  Most people want CHAP authentication
+	#  A back-end database listed in the 'authorize' section
+	#  MUST supply a CLEAR TEXT password.  Encrypted passwords
+	#  won't work.
+	Auth-Type CHAP {
+		chap
+	}
+
+	#
+	#  MSCHAP authentication.
+	Auth-Type MS-CHAP {
+		mschap
+	}
+
+	#
+	#  For old names, too.
+	#
+	mschap
+
+	#
+	#  Allow EAP authentication.
+	eap
+}
+
+######################################################################
+#
+#	There are no accounting requests inside of EAP-TTLS or PEAP
+#	tunnels.
+#
+######################################################################
+
+
+#  Session database, used for checking Simultaneous-Use. Either the radutmp
+#  or rlm_sql module can handle this.
+#  The rlm_sql module is *much* faster
+session {
+	radutmp
+
+	#
+	#  See "Simultaneous Use Checking Queries" in sql.conf
+#	sql
+}
+
+
+#  Post-Authentication
+#  Once we KNOW that the user has been authenticated, there are
+#  additional steps we can take.
+#
+#  Note that the last packet of the inner-tunnel authentication
+#  MAY NOT BE the last packet of the outer session.  So updating
+#  the outer reply MIGHT work, and sometimes MIGHT NOT.  The
+#  exact functionality depends on both the inner and outer
+#  authentication methods.
+#
+#  If you need to send a reply attribute in the outer session,
+#  the ONLY safe way is to set "use_tunneled_reply = yes", and
+#  then update the inner-tunnel reply.
+post-auth {
+        re2o
+
+	Post-Auth-Type REJECT {
+		# log failed authentications in SQL, too.
+		-sql
+		attr_filter.access_reject
+
+		#
+		#  Let the outer session know which module failed, and why.
+		#
+		update outer.session-state {
+			&Module-Failure-Message := &request:Module-Failure-Message
+		}
+	}
+}
+
+#
+#  When the server decides to proxy a request to a home server,
+#  the proxied request is first passed through the pre-proxy
+#  stage.  This stage can re-write the request, or decide to
+#  cancel the proxy.
+#
+#  Only a few modules currently have this method.
+#
+pre-proxy {
+	#  Uncomment the following line if you want to change attributes
+	#  as defined in the preproxy_users file.
+#	files
+
+	#  Uncomment the following line if you want to filter requests
+	#  sent to remote servers based on the rules defined in the
+	#  'attrs.pre-proxy' file.
+#	attr_filter.pre-proxy
+
+	#  If you want to have a log of packets proxied to a home
+	#  server, un-comment the following line, and the
+	#  'detail pre_proxy_log' section, above.
+#	pre_proxy_log
+}
+
+#
+#  When the server receives a reply to a request it proxied
+#  to a home server, the request may be massaged here, in the
+#  post-proxy stage.
+#
+post-proxy {
+
+	#  If you want to have a log of replies from a home server,
+	#  un-comment the following line, and the 'detail post_proxy_log'
+	#  section, above.
+#	post_proxy_log
+
+	#  Uncomment the following line if you want to filter replies from
+	#  remote proxies based on the rules defined in the 'attrs' file.
+#	attr_filter.post-proxy
+
+	#
+	#  If you are proxying LEAP, you MUST configure the EAP
+	#  module, and you MUST list it here, in the post-proxy
+	#  stage.
+	#
+	#  You MUST also use the 'nostrip' option in the 'realm'
+	#  configuration.  Otherwise, the User-Name attribute
+	#  in the proxied request will not match the user name
+	#  hidden inside of the EAP packet, and the end server will
+	#  reject the EAP request.
+	#
+	eap
+}
+
+} # inner-tunnel server block