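# Debian backports are needed for freeradius-python3 (see the apt tasks below).
- name: Add backports repositories
  apt_repository:
    repo: "{{ item }} http://deb.debian.org/debian buster-backports main contrib non-free"
  loop:
    - "deb"
    - "deb-src"

- name: Ensure /var/www exists
  file:
    name: "/var/www"
    state: directory

# NOTE(review): 'version' is a mutable branch, so two runs can check out
# different code; pinning a commit hash would make the deployment reproducible
# and auditable. 'force: true' discards any local changes in the working tree.
- name: Clone re2o repo
  git:
    repo: "https://gitlab.federez.net/re2o/re2o.git"
    dest: "/var/www/re2o"
    version: "master_freeradius_python3"
    force: true

# Rendered straight into the checkout. settings_local.py presumably carries
# credentials -- TODO confirm and restrict its mode/ownership accordingly
# (no mode is set here, so a new file gets the umask).
- name: Template local re2o settings
  template:
    src: "{{ item }}.j2"
    dest: "/var/www/re2o/re2o/{{ item }}"
  loop:
    - settings_local.py
    - local_routers.py

# What follows is a hideous abomination.
# Blame freeradius-python3 on backports.
# The package's postinst is broken, so: unpack it (postinst fails), overwrite
# the postinst with a fixed copy, then let apt configure the package again.
- name: try to install freeradius-python3 (this will fail on post-install)
  apt:
    name: freeradius-python3
    default_release: buster-backports
    update_cache: true
  ignore_errors: true

# dpkg requires maintainer scripts to be executable. Without an explicit mode
# the result depends on whether the failed install above left an executable
# postinst behind (kept) or not (umask applies); pin it instead.
- name: fix freeradius-python3 postinstall script
  template:
    src: freeradius-python3.postinst.j2
    dest: /var/lib/dpkg/info/freeradius-python3.postinst
    mode: "0755"

# The original task passed 'force: yes', which the apt module maps to
# 'apt-get --force-yes' and which disables package signature checking.
# Re-running the configure step of a half-installed package does not need it,
# and it would let an unsigned or tampered backport through. Still best-effort.
- name: reinstall broken package (this might fail too, for different reasons)
  apt:
    name: freeradius-python3
    default_release: buster-backports
  ignore_errors: true

# freeradius reads its config and the python auth hook directly from the git
# checkout, so anyone who can change the repo branch can change what radius
# executes.
- name: Setup radius symlinks
  file:
    src: "/var/www/re2o/freeradius_utils/{{ item.local_prefix }}{{ item.filename }}"
    dest: "/etc/freeradius/3.0/{{ item.filename }}"
    state: link
    force: true
  loop:
    - local_prefix: ""
      filename: auth.py
    - local_prefix: freeradius3/
      filename: radiusd.conf
    - local_prefix: freeradius3/
      filename: mods-enabled/python
    - local_prefix: freeradius3/
      filename: mods-enabled/eap

# clients.conf and proxy.conf typically hold RADIUS shared secrets.
# NOTE(review): no mode/group is set, so an existing file keeps its mode and a
# new one gets the umask -- verify on the target that the rendered files are
# readable by the freeradius service user and not by everyone.
- name: Configure freeradius
  template:
    src: "{{ item }}.j2"
    dest: "/etc/freeradius/3.0/{{ item }}"
  loop:
    - clients.conf
    - sites-enabled/default
    - sites-enabled/inner-tunnel
    - proxy.conf

# Package lists come from the cloned repo: whatever it lists gets installed
# system-wide as root (pip from PyPI, no hash pinning). Review both requirement
# files whenever the checkout moves. These shell steps always report 'changed'.
- name: Install radius requirements (except freeradius-python3)
  shell:
    cmd: "{{ item }}"
    chdir: /var/www/re2o/
  loop:
    - "cat apt_requirements_radius.txt | grep -v freeradius-python3 | xargs apt-get -y install"
    - "pip3 install -r pip_requirements.txt"
# End of hideousness (hopefully).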
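- name: Configure log rotation
  template:
    src: "freeradius-logrotate.j2"
    dest: "/etc/logrotate.d/freeradius"

# Database setup: a local PostgreSQL copy of the re2o database, kept current by
# logical replication from the master and read by radius through a read-only
# role.
- name: Install postgresql
  apt:
    name:
      - postgresql
      - postgresql-client

# NOTE(review): this pulls psycopg2 from PyPI, unpinned and system-wide;
# Debian's python3-psycopg2 package would be signed and apt-managed.
- name: Install postgresql ansible module requirement(s)
  pip:
    name: psycopg2

- name: Create read-only user
  community.general.postgresql_user:
    name: re2o_ro
    password: "{{ radius_pg_re2o_ro_password }}"
  become_user: postgres

# The same role name and password are used to log in to the master further
# down, so this credential is effectively shared with the master.
- name: Create replication user
  community.general.postgresql_user:
    name: replication
    password: "{{ radius_pg_replication_password }}"
  become_user: postgres

- name: Create local DB
  community.general.postgresql_db:
    name: re2o
    owner: replication
    state: present
    encoding: "UTF8"
    lc_collate: 'fr_FR.UTF-8'
    lc_ctype: 'fr_FR.UTF-8'
  become_user: postgres

# Schema-only dump ('-s') pulled from the master over TCP. The dump used to be
# written to a predictable name in world-writable /tmp, the classic setup for a
# pre-creation/symlink race between this task and the restore that feeds the
# file to psql; a root-owned path avoids relying on kernel protections for that.
# NOTE(review): the master is addressed by IP here but by name
# (re2o-db.adm.auro.re) in the subscription task below -- confirm they are the
# same host and consider a single variable. No sslmode is given, so libpq's
# default ('prefer') applies and may fall back to a cleartext connection.
- name: Dump radius re2o PostgreSQL database schema from master
  community.general.postgresql_db:
    name: re2o
    state: dump
    target: /root/re2o-schema.sql
    target_opts: '-s'
    login_host: 10.128.0.12
    login_user: replication
    login_password: "{{ radius_pg_replication_password }}"

# Runs as 'replication', so every table it creates is owned by that role
# (which matters for the default privileges below). The original also passed
# '-s' here, but for psql that means single-step mode (prompt before each
# statement), not schema-only; the dump is already schema-only, so it is
# dropped. psql runs non-interactively here and proceeded anyway, so this
# only removes noise.
- name: Restore DB
  tags:
    - restore
  community.general.postgresql_db:
    name: re2o
    state: restore
    target: /root/re2o-schema.sql
    login_host: localhost
    login_user: replication
    login_password: "{{ radius_pg_replication_password }}"

# Read-only access for the radius side: SELECT on everything that already
# exists in 'public', plus USAGE on the schema itself.
- name: Grant select permissions on all tables to read-only user
  tags:
    - perms
  community.general.postgresql_privs:
    database: re2o
    privs: SELECT
    objs: ALL_IN_SCHEMA
    schema: public
    roles: re2o_ro
  become_user: postgres

- name: Grant usage permission on schema to read-only user
  tags:
    - perms
  community.general.postgresql_privs:
    database: re2o
    privs: USAGE
    objs: public
    type: schema
    roles: re2o_ro
  become_user: postgres

# Default privileges only cover objects created by the role they are set for;
# without target_roles that is the connecting role (postgres). Tables in this
# DB are created by the restore as 'replication', so 'replication' is listed
# (postgres is kept so the original behaviour is preserved as well).
- name: Set default privileges in schema
  tags:
    - perms
  community.general.postgresql_privs:
    database: re2o
    privs: SELECT
    schema: public
    objs: TABLES
    type: default_privs
    target_roles: "replication,postgres"
    roles: re2o_ro
  become_user: postgres

# Logical replication from the master keeps the local copy current.
# NOTE(review): the connection parameters carry the replication password and
# no sslmode, so the libpq default ('prefer') applies; 'sslmode: require' (or
# verify-full) would keep the credential off the wire in cleartext.
- name: Set up subscription to main database
  tags:
    - sub
  community.general.postgresql_subscription:
    name: "re2o_subscription_{{ inventory_hostname_short | replace('-','_') }}"
    connparams:
      host: re2o-db.adm.auro.re
      user: replication
      password: "{{ radius_pg_replication_password }}"
      dbname: re2o
    db: re2o
    publications:
      - re2o_pub
  become_user: postgres

- name: Restart freeradius, ensure enabled
  systemd:
    name: freeradius
    enabled: true
    state: restarted
    daemon_reload: true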