---
- name: Add backports repositories
  # Adds both the binary (deb) and source (deb-src) entries for
  # buster-backports; freeradius-python3 is installed from there below.
  apt_repository:
    repo: "{{ item }} http://deb.debian.org/debian buster-backports main contrib non-free"
  loop:
    - deb
    - deb-src

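- name: Ensure /var/www exists
  file:
    name: /var/www
    state: directory
    # Quoted: a bare 0755 is read as octal only by YAML 1.1 parsers, and
    # ansible-lint flags unquoted octal modes.
    mode: "0755"
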
- name: Clone re2o repo
  # Checks out the "dev" ref and discards any local modifications in the
  # working tree (force). NOTE(review): if "dev" is a branch rather than a
  # tag, every run may pull in new upstream commits — consider pinning.
  git:
    repo: https://gitlab.federez.net/re2o/re2o.git
    dest: /var/www/re2o
    version: dev
    force: true

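- name: Template local re2o settings
  # NOTE(review): settings_local.py usually carries credentials (database
  # password, secret key); 0644 leaves it world-readable on the host. A
  # tighter mode plus a suitable group may be preferable — confirm which
  # users actually need to read it.
  template:
    src: "{{ item }}.j2"
    dest: "/var/www/re2o/re2o/{{ item }}"
    # Quoted so the octal mode is not reinterpreted by YAML 1.2 parsers.
    mode: "0644"
  loop:
    - settings_local.py
    - local_routers.py
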
# What follows is a hideous abomination.
# Blame freeradius-python3 on backports.
- name: try to install freeradius-python3 (this will fail on post-install)
  # The package's postinst is expected to break; errors are tolerated here so
  # the script can be patched and the install retried in the next two tasks.
  apt:
    name: freeradius-python3
    default_release: buster-backports
    update_cache: true
  ignore_errors: true

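- name: fix freeradius-python3 postinstall script
  # Replaces the package's maintainer script in place. dpkg executes
  # maintainer scripts directly, so the file must be executable: with 0644
  # the configure step that follows fails with a permission error instead of
  # running the patched script. A later package upgrade presumably
  # overwrites this file again.
  template:
    src: freeradius-python3.postinst.j2
    dest: /var/lib/dpkg/info/freeradius-python3.postinst
    mode: "0755"
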
- name: reinstall broken package (this might fail too, for different reasons)
  # Second attempt once the postinst has been patched; failures are still
  # tolerated so the play can continue to the freeradius configuration.
  apt:
    name: freeradius-python3
    default_release: buster-backports
    force: true
  ignore_errors: true

- name: Setup radius symlinks
  # Points freeradius at the copies kept in the re2o checkout: auth.py sits
  # at the top of freeradius_utils/, the rest under freeradius3/. With force,
  # an existing file at the destination is replaced by the link.
  file:
    src: "/var/www/re2o/freeradius_utils/{{ item.local_prefix }}{{ item.filename }}"
    dest: "/etc/freeradius/3.0/{{ item.filename }}"
    state: link
    force: true
  loop:
    - filename: auth.py
      local_prefix: ''
    - filename: radiusd.conf
      local_prefix: freeradius3/
    - filename: mods-enabled/python
      local_prefix: freeradius3/
    - filename: mods-enabled/eap
      local_prefix: freeradius3/

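- name: Configure freeradius
  # NOTE(review): no owner/group is set. Files the package already ships keep
  # their ownership, but a freshly created 0640 file would belong to the user
  # Ansible runs as and be unreadable by the freerad service user — confirm.
  template:
    src: "{{ item }}.j2"
    dest: "/etc/freeradius/3.0/{{ item }}"
    # Quoted so the octal mode is not reinterpreted by YAML 1.2 parsers.
    mode: "0640"
  loop:
    - sites-enabled/default
    - sites-enabled/inner-tunnel
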
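- name: Install Basic Clients/Proxy Files freeradius
  # Generic clients/proxy configuration; hosts in the aurore_vm group get the
  # FedeRez-specific variants from the two tasks below instead.
  template:
    src: "{{ item }}.j2"
    dest: "/etc/freeradius/3.0/{{ item }}"
    # Quoted so the octal mode is not reinterpreted by YAML 1.2 parsers.
    mode: "0640"
  loop:
    - clients.conf
    - proxy.conf
  when: "'aurore_vm' not in group_names"
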
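# Task names fixed to match what each one renders: the first task writes
# proxy.conf, the second clients.conf (the labels were previously swapped).
- name: Install Proxy FedeRez Radius-Aurore
  template:
    src: proxy-federez.conf.j2
    dest: /etc/freeradius/3.0/proxy.conf
    # Quoted so the octal mode is not reinterpreted by YAML 1.2 parsers.
    mode: "0640"
    owner: freerad
  when: "'aurore_vm' in group_names"

- name: Install Clients FedeRez Radius-Aurore
  template:
    src: clients-federez.conf.j2
    dest: /etc/freeradius/3.0/clients.conf
    mode: "0640"
    owner: freerad
  when: "'aurore_vm' in group_names"
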
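- name: Install radius apt requirements (except freeradius-python3)
  # The requirement list is filtered through a pipeline, which needs a real
  # shell: the command module does not go through one, so "|" would reach
  # cat as a literal argument. bash is requested because pipefail is not
  # available in dash (/bin/sh on Debian).
  shell:
    cmd: "set -o pipefail; grep -v freeradius-python3 apt_requirements_radius.txt | xargs apt-get -y install"
    chdir: /var/www/re2o/
    executable: /bin/bash

- name: Install radius pip requirements
  # Equivalent of "pip3 install -r pip_requirements.txt" run from the
  # checkout, via the pip module instead of a raw command.
  pip:
    requirements: pip_requirements.txt
    chdir: /var/www/re2o/
    executable: pip3
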
# End of hideousness (hopefully).
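- name: Configure log rotation
  template:
    src: freeradius-logrotate.j2
    dest: /etc/logrotate.d/freeradius
    # Quoted so the octal mode is not reinterpreted by YAML 1.2 parsers.
    mode: "0644"
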
# Database setup
- name: Install postgresql
  apt:
    name:
      - postgresql
      - postgresql-client
    state: present

- name: Install postgresql ansible module requirement(s)
  # psycopg2 is what the community.general.postgresql_* modules used below
  # need on the target. NOTE(review): the distro package (python3-psycopg2)
  # would avoid a system-wide pip install — consider switching.
  pip:
    name: psycopg2

- name: Create read-only user
  # NOTE(review): become_user only takes effect when privilege escalation is
  # enabled for the task or play; presumably set at play level — confirm.
  become_user: postgres
  community.general.postgresql_user:
    name: re2o_ro
    password: "{{ radius_pg_re2o_ro_password }}"

- name: Create replication user
  # Role used both to own the local re2o database and to connect to the
  # master for the schema dump and the subscription below.
  become_user: postgres
  community.general.postgresql_user:
    name: replication
    password: "{{ radius_pg_replication_password }}"

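- name: Nuking - Stop freeradius
  systemd:
    name: freeradius
    state: stopped
  # Cast to bool: an extra-var passed on the command line arrives as the
  # string "false", which is truthy in Jinja and would otherwise trigger the
  # destructive nuke tasks.
  when: nuke_radius | default(false) | bool
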
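- name: Nuking - Remove old subscription if it exists
  become_user: postgres
  community.general.postgresql_subscription:
    name: "re2o_subscription_{{ inventory_hostname_short | replace('-','_') }}"
    db: re2o
    state: absent
  # Cast to bool: an extra-var passed on the command line arrives as the
  # string "false", which is truthy in Jinja and would otherwise trigger the
  # destructive nuke tasks.
  when: nuke_radius | default(false) | bool
  # Tolerated: the subscription (or the database itself) may not exist yet.
  ignore_errors: true
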
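- name: Nuking - Destroy old local DB if it exists
  become_user: postgres
  community.general.postgresql_db:
    name: re2o
    state: absent
  # Cast to bool: an extra-var passed on the command line arrives as the
  # string "false", which is truthy in Jinja and would otherwise drop the
  # local database.
  when: nuke_radius | default(false) | bool
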
- name: Create local DB
  become_user: postgres
  community.general.postgresql_db:
    name: re2o
    owner: replication
    state: present
    encoding: UTF8
    # NOTE(review): the fr_FR.UTF-8 locale must exist on the host for the
    # database to be created with it — confirm it is generated beforehand.
    lc_collate: 'fr_FR.UTF-8'
    lc_ctype: 'fr_FR.UTF-8'

- name: Dump radius re2o PostgreSQL database schema from master
  # Schema only (-s): the dump holds DDL, not row data. NOTE(review): the
  # master is reached here by a hard-coded IP while the subscription task
  # below uses re2o-db.adm.auro.re — if both are the same host, one variable
  # should cover both. The predictable path in the shared /tmp is written by
  # the user Ansible runs as; a private directory would be safer.
  community.general.postgresql_db:
    name: re2o
    state: dump
    target: /tmp/re2o-schema.sql
    target_opts: "-s"
    login_host: 10.128.0.22
    login_user: replication
    login_password: "{{ radius_pg_replication_password }}"

- name: Restore DB
  tags:
    - restore
  # Loads the schema dumped from the master into the fresh local database.
  # NOTE(review): "-s" is the pg_dump schema-only flag; on restore the option
  # goes to the client that loads the .sql file, where -s has a different
  # meaning (psql: single-step mode) — confirm it is intended here.
  community.general.postgresql_db:
    name: re2o
    state: restore
    target: /tmp/re2o-schema.sql
    target_opts: "-s"
    login_host: localhost
    login_user: replication
    login_password: "{{ radius_pg_replication_password }}"

- name: Grant select permissions on all tables to read-only user
  tags:
    - perms
  # Read access for re2o_ro on every table currently in the public schema.
  become_user: postgres
  community.general.postgresql_privs:
    database: re2o
    roles: re2o_ro
    privs: SELECT
    objs: ALL_IN_SCHEMA
    schema: public

- name: Grant usage permission on schema to read-only user
  tags:
    - perms
  # USAGE on the schema is required before the table-level SELECT is usable.
  become_user: postgres
  community.general.postgresql_privs:
    database: re2o
    roles: re2o_ro
    privs: USAGE
    type: schema
    objs: public

- name: Set default privileges in schema
  tags:
    - perms
  # Tables created later in public (e.g. by replication) get SELECT for
  # re2o_ro automatically, so the grant above does not go stale.
  become_user: postgres
  community.general.postgresql_privs:
    database: re2o
    roles: re2o_ro
    privs: SELECT
    type: default_privs
    schema: public
    objs: TABLES

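- name: Set up subscription to main database
  tags:
    - sub
  # connparams carries the replication password as a plain dictionary value;
  # no_log keeps it out of task output and logs (at the cost of less detail
  # when the task fails — drop it temporarily when debugging).
  no_log: true
  become_user: postgres
  community.general.postgresql_subscription:
    name: "re2o_subscription_{{ inventory_hostname_short | replace('-','_') }}"
    db: re2o
    publications:
      - re2o_pub
    connparams:
      host: re2o-db.adm.auro.re
      user: replication
      password: "{{ radius_pg_replication_password }}"
      dbname: re2o
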
- name: Restart freeradius, ensure enabled
  # Unconditional restart so the templated configuration and symlinks above
  # are picked up; daemon_reload covers any unit file changes.
  systemd:
    name: freeradius
    state: restarted
    enabled: true
    daemon_reload: true
