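---
# Radius host setup for re2o: clone the application, wire freeradius to its
# python module, then stand up a local PostgreSQL replica of the re2o
# database (logical subscription) that freeradius reads through a
# read-only role.
#
# Changes versus the previous revision of this file:
#   - file modes are quoted ("0755"): an unquoted 0755 is parsed as an
#     octal integer, which Ansible warns about and which misbehaves in
#     loops.
#   - the apt-requirements shell pipeline runs with pipefail so a missing
#     requirements file no longer degrades silently into a bare
#     `apt-get -y install`.
#   - the pip requirements are installed with the pip module (already used
#     below for psycopg2) instead of an always-changed command.
#   - the subscription task is no_log: its password travels inside a plain
#     dict (connparams) and is not auto-masked like login_password is.
#   - the two FedeRez clients/proxy task names were swapped to match the
#     file each one actually writes.

- name: Add backports repositories
  # Plain-http mirror: apt still verifies the Release signature, so package
  # integrity is protected; only confidentiality of what is fetched is not.
  apt_repository:
    repo: "{{ item }} http://deb.debian.org/debian buster-backports main contrib non-free"
  loop:
    - "deb"
    - "deb-src"
  when:
    - ansible_lsb.codename == 'buster'

- name: Ensure /var/www exists
  file:
    name: "/var/www"
    state: directory
    mode: "0755"

- name: Clone re2o repo
  git:
    repo: "https://gitlab.federez.net/re2o/re2o.git"
    dest: "/var/www/re2o"
    version: "dev"
    # force discards any local modification in dest on every run.
    force: true

- name: Template local re2o settings
  # NOTE(review): settings_local.py is the usual place for database
  # credentials; "0644" leaves it world-readable. Confirm whether "0640"
  # with the service user as owner is appropriate here.
  template:
    src: "{{ item }}.j2"
    dest: "/var/www/re2o/re2o/{{ item }}"
    mode: "0644"
  loop:
    - settings_local.py
    - local_routers.py

# What follows is a hideous abomination.
# Blame freeradius-python3 on backports.
- name: try to install freeradius-python3 (this will fail on post-install)
  apt:
    name: freeradius-python3
    update_cache: true
  ignore_errors: true

- name: fix freeradius-python3 postinstall script
  # Overwrites the maintainer script inside dpkg's database so the
  # reinstall below can complete; dpkg will replace it again on the next
  # package upgrade.
  template:
    src: freeradius-python3.postinst.j2
    dest: /var/lib/dpkg/info/freeradius-python3.postinst
    mode: "0644"

- name: reinstall broken package (this might fail too, for different reasons)
  apt:
    name: freeradius-python3
    force: true
  ignore_errors: true

- name: Setup radius symlinks
  # NOTE(review): the mods-enabled/python link is later replaced by the
  # "Install freeradius re2o with Python3.X" template task (template does
  # not follow symlinks by default), so the link only exists transiently.
  # Confirm that is intended.
  file:
    src: "/var/www/re2o/freeradius_utils/{{ item.local_prefix }}{{ item.filename }}"
    dest: "/etc/freeradius/3.0/{{ item.filename }}"
    state: link
    force: true
  loop:
    - local_prefix: ""
      filename: auth.py
    - local_prefix: freeradius3/
      filename: radiusd.conf
    - local_prefix: freeradius3/
      filename: mods-enabled/python
    - local_prefix: freeradius3/
      filename: mods-enabled/eap

- name: Configure freeradius
  template:
    src: "{{ item }}.j2"
    dest: "/etc/freeradius/3.0/{{ item }}"
    mode: "0640"
    owner: freerad
  loop:
    - sites-enabled/default
    - sites-enabled/inner-tunnel

- name: Install Basic Clients/Proxy Files freeradius
  template:
    src: "{{ item }}.j2"
    dest: "/etc/freeradius/3.0/{{ item }}"
    mode: "0640"
    owner: freerad
  loop:
    - clients.conf
    - proxy.conf
  when: "'aurore_vm' not in group_names"

- name: Install Proxy FedeRez Radius-Aurore
  # Writes proxy.conf (task was previously named "Install Clients ...").
  template:
    src: proxy-federez.conf.j2
    dest: /etc/freeradius/3.0/proxy.conf
    mode: "0640"
    owner: freerad
  when: "'aurore_vm' in group_names"

- name: Install Clients FedeRez Radius-Aurore
  # Writes clients.conf (task was previously named "Install Proxy ...").
  template:
    src: clients-federez.conf.j2
    dest: /etc/freeradius/3.0/clients.conf
    mode: "0640"
    owner: freerad
  when: "'aurore_vm' in group_names"

- name: Install radius requirements (except freeradius-python3)
  # pipefail makes a missing apt_requirements_radius.txt fail the task
  # instead of silently running `apt-get -y install` with no packages.
  # Side effect: if grep filters out every line it exits 1 and the task
  # fails too, which is the safer outcome.
  shell:
    cmd: "set -o pipefail && cat apt_requirements_radius.txt | grep -v freeradius-python3 | xargs apt-get -y install"
    chdir: /var/www/re2o/
    executable: /bin/bash

- name: Install PyPi requirements for radius
  pip:
    requirements: /var/www/re2o/pip_requirements.txt
    executable: pip3
# End of hideousness (hopefully).

- name: Configure log rotation
  template:
    src: "freeradius-logrotate.j2"
    dest: "/etc/logrotate.d/freeradius"
    mode: "0644"

# Database setup
- name: Install postgresql
  apt:
    name:
      - postgresql
      - postgresql-client

- name: Install postgresql ansible module requirement(s)
  pip:
    name: psycopg2

- name: Create read-only user
  community.general.postgresql_user:
    name: re2o_ro
    password: "{{ radius_pg_re2o_ro_password }}"
  become_user: postgres

- name: Create replication user
  # This role is the local owner of the re2o database and the login used
  # for the dump/restore/subscription tasks below; no REPLICATION attribute
  # is set on it here.
  community.general.postgresql_user:
    name: replication
    password: "{{ radius_pg_replication_password }}"
  become_user: postgres

- name: Nuking - Stop freeradius
  systemd:
    name: freeradius
    state: stopped
  when: nuke_radius|default(false)

- name: Nuking - Remove old subscription if it exists
  community.general.postgresql_subscription:
    name: "re2o_subscription_{{ inventory_hostname_short | replace('-','_') }}"
    db: re2o
    state: absent
  become_user: postgres
  when: nuke_radius|default(false)
  # Best effort: the subscription may never have existed on this host.
  ignore_errors: true

- name: Nuking - Destroy old local DB if it exists
  community.general.postgresql_db:
    name: re2o
    state: absent
  become_user: postgres
  when: nuke_radius|default(false)

- name: Create local DB
  community.general.postgresql_db:
    name: re2o
    owner: replication
    state: present
    encoding: "UTF8"
    lc_collate: 'fr_FR.UTF-8'
    lc_ctype: 'fr_FR.UTF-8'
  become_user: postgres

- name: Dump radius re2o PostgreSQL database schema from master
  # NOTE(review): login_host is a hard-coded address while the subscription
  # below connects to re2o-db.adm.auro.re; confirm both designate the same
  # primary, or source the address from inventory.
  community.general.postgresql_db:
    name: re2o
    state: dump
    target: /tmp/re2o-schema.sql
    # schema only (-s) for pg_dump
    target_opts: '-s'
    login_host: 10.128.0.22
    login_user: replication
    login_password: "{{ radius_pg_replication_password }}"

- name: Restore DB
  # NOTE(review): for a plain .sql target the module runs psql, and psql's
  # -s is single-step mode rather than "schema only" — confirm this task
  # restores as intended when run with the restore tag.
  tags:
    - restore
  community.general.postgresql_db:
    name: re2o
    state: restore
    target: /tmp/re2o-schema.sql
    target_opts: "-s"
    login_host: localhost
    login_user: replication
    login_password: "{{ radius_pg_replication_password }}"

- name: Grant select permissions on all tables to read-only user
  tags:
    - perms
  community.general.postgresql_privs:
    database: re2o
    privs: SELECT
    objs: ALL_IN_SCHEMA
    schema: public
    roles: re2o_ro
  become_user: postgres

- name: Grant usage permission on schema to read-only user
  tags:
    - perms
  community.general.postgresql_privs:
    database: re2o
    privs: USAGE
    objs: public
    type: schema
    roles: re2o_ro
  become_user: postgres

- name: Set default privileges in schema
  # Tables created later by replication inherit SELECT for re2o_ro.
  tags:
    - perms
  community.general.postgresql_privs:
    database: re2o
    privs: SELECT
    schema: public
    objs: TABLES
    type: default_privs
    roles: re2o_ro
  become_user: postgres

- name: Set up subscription to main database
  tags:
    - sub
  community.general.postgresql_subscription:
    name: "re2o_subscription_{{ inventory_hostname_short | replace('-','_') }}"
    connparams:
      host: re2o-db.adm.auro.re
      user: replication
      password: "{{ radius_pg_replication_password }}"
      dbname: re2o
    db: re2o
    publications:
      - re2o_pub
  become_user: postgres
  # connparams is an opaque dict to Ansible, so its password is not masked
  # automatically the way login_password is; hide the whole task output.
  no_log: true

- name: Install freeradius re2o with Python3.X
  template:
    src: python_re2o.j2
    dest: /etc/freeradius/3.0/mods-enabled/python
    mode: "0640"
    owner: freerad

- name: Restart freeradius, ensure enabled
  systemd:
    name: freeradius
    enabled: true
    state: restarted
    daemon_reload: true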