
---
# buster-backports is where freeradius-python3 is pulled from further down.
# The mirror is plain http; package authenticity then rests entirely on apt's
# signature check of the Release file, which is why `force`/--force-yes must
# be avoided on the apt tasks that follow.
- name: Add backports repositories
  ansible.builtin.apt_repository:
    repo: "{{ item }} http://deb.debian.org/debian buster-backports main contrib non-free"
    state: present
  loop:
    - deb
    - deb-src
# Parent directory for the re2o checkout below.
- name: Ensure /var/www exists
  ansible.builtin.file:
    path: /var/www
    state: directory
    mode: "0755"
# NOTE(review): this tracks the moving "dev" branch and resets the working tree
# on every run (force: true), so each run may pull new, unreviewed code that
# freeradius then loads (auth.py and the module config are symlinked from this
# checkout into /etc/freeradius/3.0 below). Pinning `version` to a tag or a
# commit hash is the usual supply-chain control; the value to pin is a project
# decision, so it is left untouched here.
- name: Clone re2o repo
  ansible.builtin.git:
    repo: "https://gitlab.federez.net/re2o/re2o.git"
    dest: /var/www/re2o
    version: dev
    force: true
# NOTE(review): a Django settings_local.py is the usual home for DB credentials
# and SECRET_KEY. If the template carries any, 0644 makes them readable by every
# local account. 0640 with `owner: freerad` would still let the freeradius
# python module read the file; confirm no other local service needs it before
# tightening.
- name: Template local re2o settings
  ansible.builtin.template:
    src: "{{ item }}.j2"
    dest: "/var/www/re2o/re2o/{{ item }}"
    mode: "0644"
  loop:
    - settings_local.py
    - local_routers.py
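# What follows is a hideous abomination.
# Blame freeradius-python3 on backports: its postinst fails, so the package is
# installed once (expected to fail), the maintainer script is replaced in
# place, and apt is asked a second time to finish configuring it.
- name: try to install freeradius-python3 (this will fail on post-install)
  ansible.builtin.apt:
    name: freeradius-python3
    default_release: buster-backports
    update_cache: true
  ignore_errors: true

# dpkg runs maintainer scripts by executing them directly, so the replacement
# must stay executable. Writing it 0644 (as before) turns the configure retry
# below into a permission-denied failure that ignore_errors then hides, leaving
# the package half-installed.
- name: fix freeradius-python3 postinstall script
  ansible.builtin.template:
    src: freeradius-python3.postinst.j2
    dest: /var/lib/dpkg/info/freeradius-python3.postinst
    mode: "0755"

# NOTE(review): apt's `force: true` maps to `--force-yes`, which also disables
# signature verification of the downloaded package (apt module docs). It is
# kept only because this task is a best-effort retry; consider dropping it,
# or expressing the real intent with the explicit allow_* options on newer
# ansible-core. Errors are still ignored here; a broken install surfaces at
# the freeradius restart at the end of the role.
- name: reinstall broken package (this might fail too, for different reasons)
  ansible.builtin.apt:
    name: freeradius-python3
    default_release: buster-backports
    force: true
  ignore_errors: true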
# The RADIUS config is not copied but linked into the git checkout, so whatever
# the checked-out branch ships is what freeradius runs (see the clone task).
- name: Setup radius symlinks
  ansible.builtin.file:
    path: "/etc/freeradius/3.0/{{ item.filename }}"
    src: "/var/www/re2o/freeradius_utils/{{ item.local_prefix }}{{ item.filename }}"
    state: link
    force: true
  loop:
    - filename: auth.py
      local_prefix: ""
    - filename: radiusd.conf
      local_prefix: freeradius3/
    - filename: mods-enabled/python
      local_prefix: freeradius3/
    - filename: mods-enabled/eap
      local_prefix: freeradius3/
# Virtual-server definitions. Only the owner is set; the group is left as-is
# (typically root for a file created by the controller), so freerad reads the
# file through the owner bits of 0640.
- name: Configure freeradius
  ansible.builtin.template:
    src: "{{ item }}.j2"
    dest: "/etc/freeradius/3.0/{{ item }}"
    owner: freerad
    mode: "0640"
  loop:
    - sites-enabled/default
    - sites-enabled/inner-tunnel
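# clients.conf and proxy.conf normally carry RADIUS shared secrets, hence
# 0640 owned by freerad. Hosts in the aurore_vm group get the FedeRez variants
# (clients-federez.conf.j2 / proxy-federez.conf.j2); everyone else gets the
# basic ones. Previously this was four tasks, and the two FedeRez ones had
# their names swapped ("Install Clients" wrote proxy.conf and vice versa);
# the single task below produces exactly the same files.
- name: Install Clients/Proxy Files freeradius
  ansible.builtin.template:
    src: "{{ item }}{{ '-federez' if 'aurore_vm' in group_names else '' }}.conf.j2"
    dest: "/etc/freeradius/3.0/{{ item }}.conf"
    owner: freerad
    mode: "0640"
  loop:
    - clients
    - proxy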
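# The apt requirement list lives in the checkout. It is read and filtered in
# Ansible instead of `cat | grep -v | xargs apt-get`, so the task goes through
# the apt module (idempotent, reports "changed" only when it installs).
- name: Read radius apt requirements
  ansible.builtin.slurp:
    src: /var/www/re2o/apt_requirements_radius.txt
  register: radius_apt_requirements

# Tokens are split on whitespace like xargs did; freeradius-python3 is dropped
# because it is handled by the backports workaround above. An empty list is
# skipped (apt-get with no arguments was a no-op before).
- name: Install radius requirements (except freeradius-python3)
  ansible.builtin.apt:
    name: "{{ radius_apt_packages }}"
  vars:
    radius_apt_packages: "{{ (radius_apt_requirements.content | b64decode).split() | reject('search', 'freeradius-python3') | list }}"
  when: radius_apt_packages | length > 0

# NOTE(review): this installs whatever pip_requirements.txt (from the "dev"
# checkout) lists, system-wide as root and without hash checking. Hash-pinning
# that file and passing `--require-hashes` via extra_args, or a vetted mirror,
# is the usual control; left as-is because the file is outside this role.
- name: Install PyPi requirements for radius
  ansible.builtin.pip:
    requirements: /var/www/re2o/pip_requirements.txt
    executable: pip3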
# End of hideousness (hopefully).
# logrotate policy for the freeradius logs.
- name: Configure log rotation
  ansible.builtin.template:
    src: freeradius-logrotate.j2
    dest: /etc/logrotate.d/freeradius
    mode: "0644"
# Database setup
# NOTE(review): `force: true` on apt is `--force-yes`, which disables package
# signature verification as a side effect (apt module docs). It is presumably
# here only so the exact `postgresql-client-11=11.7-0+deb10u1` pin can
# downgrade an already newer client; that pin also holds the client back from
# later buster security updates. On ansible-core >= 2.12, `allow_downgrade:
# true` expresses the intent without touching signature checks; confirm the
# controller version before switching.
- name: Install postgresql
  ansible.builtin.apt:
    name:
      - postgresql
      - "postgresql-client-11=11.7-0+deb10u1"
    force: true
# psycopg2 is what the community.general.postgresql_* modules below need on
# the target. Installed from PyPI as root; the Debian package
# python3-psycopg2 would be the distro-managed alternative.
- name: Install postgresql ansible module requirement(s)
  ansible.builtin.pip:
    name: psycopg2
# Two local roles. Passwords come from role variables (expected to be vaulted);
# postgresql_user treats `password` as no_log, so they are not echoed.
# re2o_ro is the read-only role granted SELECT on the schema further down.
- name: Create read-only user
  community.general.postgresql_user:
    name: re2o_ro
    password: "{{ radius_pg_re2o_ro_password }}"
  become_user: postgres

# "replication" owns the local re2o database and is also the login used
# against the master for the schema dump and the logical subscription, with
# the same password variable.
- name: Create replication user
  community.general.postgresql_user:
    name: replication
    password: "{{ radius_pg_replication_password }}"
  become_user: postgres
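# Opt-in teardown of the local replica, enabled with `-e nuke_radius=true`.
# Extra-vars arrive as strings, so `| bool` is required: without it a
# `-e nuke_radius=false` is a non-empty string and would still pass the
# `when`, nuking the database by accident.
- name: Nuking - Stop freeradius
  ansible.builtin.systemd:
    name: freeradius
    state: stopped
  when: nuke_radius | default(false) | bool

# Dropping the subscription first releases the replication slot on the master;
# errors are ignored because there may be no subscription yet.
- name: Nuking - Remove old subscription if it exists
  community.general.postgresql_subscription:
    name: "re2o_subscription_{{ inventory_hostname_short | replace('-', '_') }}"
    db: re2o
    state: absent
  become_user: postgres
  when: nuke_radius | default(false) | bool
  ignore_errors: true

- name: Nuking - Destroy old local DB if it exists
  community.general.postgresql_db:
    name: re2o
    state: absent
  become_user: postgres
  when: nuke_radius | default(false) | bool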
# Local replica database, owned by "replication" because that role performs
# the schema restore and owns the subscription below. The fr_FR.UTF-8 locale
# must exist on the host for CREATE DATABASE to succeed.
- name: Create local DB
  community.general.postgresql_db:
    name: re2o
    state: present
    owner: replication
    encoding: UTF8
    lc_collate: fr_FR.UTF-8
    lc_ctype: fr_FR.UTF-8
  become_user: postgres
# Schema-only dump (-s) of the master database, written to a file in /tmp
# and restored locally by the next task.
# NOTE(review): no `ssl_mode` is given, so libpq's default ("prefer") applies
# and the replication password may cross the network in clear if the master
# does not offer TLS; `ssl_mode: require` pins it once the master is known to.
# The master is addressed by IP here but by name (re2o-db.adm.auro.re) in the
# subscription task; a single variable for the master would keep them in step.
- name: Dump radius re2o PostgreSQL database schema from master
  community.general.postgresql_db:
    name: re2o
    state: dump
    target: /tmp/re2o-schema.sql
    target_opts: "-s"
    login_host: 10.128.0.22
    login_user: replication
    login_password: "{{ radius_pg_replication_password }}"
# Load the dumped schema into the local database over a password login to
# localhost (no become_user: the connection is TCP, not a peer socket).
- name: Restore DB
  tags:
    - restore
  community.general.postgresql_db:
    name: re2o
    state: restore
    target: /tmp/re2o-schema.sql
    target_opts: "-s"
    login_host: localhost
    login_user: replication
    login_password: "{{ radius_pg_replication_password }}"
# Read-only access for re2o_ro: SELECT on every existing table in public,
# USAGE on the schema itself, and a default privilege so tables that
# replication creates later are covered too.
- name: Grant select permissions on all tables to read-only user
  tags:
    - perms
  community.general.postgresql_privs:
    database: re2o
    roles: re2o_ro
    privs: SELECT
    schema: public
    objs: ALL_IN_SCHEMA
  become_user: postgres

- name: Grant usage permission on schema to read-only user
  tags:
    - perms
  community.general.postgresql_privs:
    database: re2o
    roles: re2o_ro
    privs: USAGE
    type: schema
    objs: public
  become_user: postgres

- name: Set default privileges in schema
  tags:
    - perms
  community.general.postgresql_privs:
    database: re2o
    roles: re2o_ro
    privs: SELECT
    type: default_privs
    schema: public
    objs: TABLES
  become_user: postgres
# Logical replication from the master's re2o_pub publication. The subscription
# name is derived from the host name so each replica gets its own slot.
# NOTE(review): the password given in connparams ends up in the subscription's
# stored connection string on this host, and no sslmode is set (libpq default
# "prefer"); add `sslmode: require` to connparams once the master offers TLS.
- name: Set up subscription to main database
  tags:
    - sub
  community.general.postgresql_subscription:
    db: re2o
    name: "re2o_subscription_{{ inventory_hostname_short | replace('-', '_') }}"
    publications:
      - re2o_pub
    connparams:
      host: re2o-db.adm.auro.re
      dbname: re2o
      user: replication
      password: "{{ radius_pg_replication_password }}"
  become_user: postgres
# Unconditional restart so the new config and symlinks are picked up; this is
# also where a broken freeradius-python3 install (errors ignored above) fails
# the run.
- name: Restart freeradius, ensure enabled
  ansible.builtin.systemd:
    name: freeradius
    daemon_reload: true
    enabled: true
    state: restarted