ansible/roles/radius/tasks/main.yml
2020-05-21 18:39:50 +02:00

205 lines
4.6 KiB
YAML

- name: Add backports repositories
apt_repository:
repo: "{{ item }} http://deb.debian.org/debian buster-backports main contrib non-free"
loop:
- "deb"
- "deb-src"
- name: Ensure /var/www exists
file:
name: "/var/www"
state: directory
- name: Clone re2o repo
git:
repo: "https://gitlab.federez.net/re2o/re2o.git"
dest: "/var/www/re2o"
version: "master_freeradius_python3"
force: true
- name: Template local re2o settings
template:
src: "{{ item }}.j2"
dest: "/var/www/re2o/re2o/{{ item }}"
loop:
- settings_local.py
- local_routers.py
# What follows is a hideous abomination.
# Blame freeradius-python3 on backports.
- name: try to install freeradius-python3 (this will fail on post-install)
apt:
name: freeradius-python3
default_release: buster-backports
update_cache: yes
ignore_errors: yes
no_log: yes
- name: fix freeradius-python3 postinstall script
template:
src: freeradius-python3.postinst.j2
dest: /var/lib/dpkg/info/freeradius-python3.postinst
- name: reinstall broken backpage
apt:
name: freeradius-python3
default_release: buster-backports
force: yes
- name: Setup radius symlinks
file:
src: "/var/www/re2o/freeradius_utils/{{ item.local_prefix }}{{ item.filename }}"
dest: "/etc/freeradius/3.0/{{ item.filename }}"
state: link
force: yes
loop:
- local_prefix: ""
filename: auth.py
- local_prefix: freeradius3/
filename: radiusd.conf
- local_prefix: freeradius3/
filename: mods-enabled/python
- local_prefix: freeradius3/
filename: mods-enabled/eap
- name: Configure freeradius
template:
src: "{{ item }}.j2"
dest: "/etc/freeradius/3.0/{{ item }}"
loop:
- clients.conf
- sites-enabled/default
- sites-enabled/inner-tunnel
- proxy.conf
- name: Install radius requirements (except freeradius-python3)
shell:
cmd: "{{ item }}"
chdir: /var/www/re2o/
loop:
- "cat apt_requirements_radius.txt | grep -v freeradius-python3 | xargs apt-get -y install"
- "pip3 install -r pip_requirements.txt"
# End of hideousness (hopefully).
- name: Configure log rotation
template:
src: "freeradius-logrotate.j2"
dest: "/etc/logrotate.d/freeradius"
# Database setup
- name: Install postgresql
apt:
name:
- postgresql
- postgresql-client
- name: Install postgresql ansible module requirement(s)
pip:
name: psycopg2
- name: Create read-only user
community.general.postgresql_user:
name: re2o_ro
password: "{{ radius_pg_re2o_ro_password }}"
become_user: postgres
- name: Create replication user
community.general.postgresql_user:
name: replication
password: "{{ radius_pg_replication_password }}"
become_user: postgres
- name: Create local DB
community.general.postgresql_db:
name: re2o
owner: replication
state: present
encoding: "UTF8"
lc_collate: 'fr_FR.UTF-8'
lc_ctype: 'fr_FR.UTF-8'
become_user: postgres
- name: Dump radius re2o PostgreSQL database schema from master
community.general.postgresql_db:
name: re2o
state: dump
target: /tmp/re2o-schema.sql
target_opts: '-s'
login_host: 10.128.0.12
login_user: replication
login_password: "{{ radius_pg_replication_password }}"
- name: Restore DB
tags:
- restore
community.general.postgresql_db:
name: re2o
state: restore
target: /tmp/re2o-schema.sql
target_opts: "-s"
login_host: localhost
login_user: replication
login_password: "{{ radius_pg_replication_password }}"
- name: Grant select permissions on all tables to read-only user
tags:
- perms
community.general.postgresql_privs:
database: re2o
privs: SELECT
objs: ALL_IN_SCHEMA
schema: public
roles: re2o_ro
become_user: postgres
- name: Grant usage permission on schema to read-only user
tags:
- perms
community.general.postgresql_privs:
database: re2o
privs: USAGE
objs: public
type: schema
roles: re2o_ro
become_user: postgres
- name: Set default privileges in schema
tags:
- perms
community.general.postgresql_privs:
database: re2o
privs: SELECT
schema: public
objs: TABLES
type: default_privs
roles: re2o_ro
become_user: postgres
- name: Set up subscription to main database
tags:
- sub
community.general.postgresql_subscription:
name: "re2o_subscription_{{ inventory_hostname_short | replace('-','_') }}"
connparams:
host: re2o-db.adm.auro.re
user: replication
password: "{{ radius_pg_replication_password }}"
dbname: re2o
db: re2o
publications:
- re2o_pub
become_user: postgres