---
#
# configuration
#
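# Static FreeRADIUS configuration fragments copied verbatim from files/radius/.
# They are installed root:radiusd 0640 so the daemon can read them while other
# local users cannot; radiusd.conf and the eap module config are the kind of
# files that may carry key passphrases, so do not loosen the mode.
- name: Configure radiusd
  copy:
    dest: '/etc/raddb/{{ item }}'
    src: 'radius/{{ item }}'
    owner: root
    group: radiusd
    # quoted on purpose: an unquoted 0640 is read as an integer by YAML and
    # Ansible only sometimes recovers the intended octal mode from that
    mode: '0640'
  with_items:
    - radiusd.conf
    - mods-available/eap
    - mods-available/python3-assha
    - sites-available/labitat
    - sites-available/labitat-inner
  notify:
    # handler is defined outside this file
    - restart radiusd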
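# Python code behind the python3-assha module (mods-available/python3-assha
# above). It is installed world-readable and executable (0755); that is fine
# for plain code, but if the script ever embeds a credential for whatever
# backend it talks to, tighten it to root:radiusd 0640 — it is presumably
# imported by rlm_python3 rather than executed, so the +x bit is not needed
# (TODO confirm against the module config).
- name: Create assha python script
  copy:
    dest: '/etc/raddb/mods-config/python3/assha.py'
    src: 'radius/assha.py'
    owner: root
    group: root
    # quoted so Ansible receives the octal mode as a string
    mode: '0755'
  notify:
    - restart radiusd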
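# NAS/client definitions rendered from a template. In FreeRADIUS this is the
# file that carries the per-client shared secrets, hence root:radiusd 0640;
# never make it world-readable, and keep the secrets out of the template
# itself (inventory/vault variables) rather than hard-coding them.
- name: Configure radius clients
  template:
    dest: '/etc/raddb/clients.conf'
    src: radius/clients.conf.j2
    owner: root
    group: radiusd
    # quoted so Ansible receives the octal mode as a string
    mode: '0640'
  notify:
    - restart radiusd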
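# Activate only the labitat virtual servers: the stock `default` and
# `inner-tunnel` links are removed and links to our two sites are created, so
# nothing but the sites installed above answers requests. `src` is a path
# relative to sites-enabled/ and is omitted for the `absent` entries (it is
# only meaningful for state=link).
- name: Configure radius sites
  file:
    path: '/etc/raddb/sites-enabled/{{ item.name }}'
    src: "{{ (item.state == 'link')|ternary('../sites-available/' + item.name,omit) }}"
    state: '{{ item.state }}'
    owner: root
    group: radiusd
    # apply ownership to the link itself, not to what it points at
    follow: false
    # replace a regular file or stale link sitting at `path` with the symlink
    force: true
  with_items:
    - { name: default, state: absent }
    - { name: inner-tunnel, state: absent }
    - { name: labitat, state: link }
    - { name: labitat-inner, state: link }
  notify:
    - restart radiusd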
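# Module links: the stock `files` module (flat users-file authentication) is
# disabled and the python3-assha module installed above is enabled. `src` is
# relative to mods-enabled/ and omitted for `absent` entries.
- name: Configure radius modules
  file:
    path: '/etc/raddb/mods-enabled/{{ item.name }}'
    src: "{{ (item.state == 'link')|ternary('../mods-available/' + item.name,omit) }}"
    state: '{{ item.state }}'
    owner: root
    group: radiusd
    # apply ownership to the link itself, not to what it points at
    follow: false
    # replace a regular file or stale link sitting at `path` with the symlink
    force: true
  with_items:
    - { name: files, state: absent }
    - { name: python3-assha, state: link }
  notify:
    - restart radiusd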
#
# getusers.sh
#
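# Script presumably run by the getusers service/timer installed below. It is
# rendered from a template, so it may embed site-specific parameters or a
# credential; root:radiusd 0750 keeps it readable and runnable by root and the
# radiusd group only. There is deliberately no handler: the timer picks up the
# new file on its next run.
- name: Create getusers script
  template:
    dest: '/etc/raddb/getusers.sh'
    src: radius/getusers.sh.j2
    owner: root
    group: radiusd
    # quoted so Ansible receives the octal mode as a string
    mode: '0750'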
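# systemd units for the periodic getusers job. Unit files hold no secrets and
# systemd needs to read them, so root:root 0644 is right. Any change triggers
# the `restart getusers` handler (defined outside this file), which is also
# what should take care of the daemon-reload a changed unit needs.
- name: Create getusers service and timer
  copy:
    dest: '/etc/systemd/system/{{ item }}'
    src: 'radius/{{ item }}'
    owner: root
    group: root
    # quoted so Ansible receives the octal mode as a string
    mode: '0644'
  with_items:
    - getusers.service
    - getusers.timer
  notify:
    - restart getusers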
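# Enable and start the timer. `chroot` is a boolean set outside this file;
# inside a chroot (e.g. when building an image) there is no running systemd
# to talk to, so the fallback task runs a plain `systemctl enable`, which only
# creates the wants-symlink. `creates` keeps that fallback idempotent and
# assumes the unit's [Install] section says WantedBy=timers.target; if that
# ever changes the task merely re-runs, which is harmless.
- name: Enable getusers timer
  systemd:
    name: getusers.timer
    enabled: true
    masked: false
    state: started
  when: not chroot
- name: '- when in chroot'
  command: systemctl enable getusers.timer
  args:
    creates: '/etc/systemd/system/timers.target.wants/getusers.timer'
  when: chroot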
#
# certificates
#
# Give the CA that the stock certs tooling bootstraps (passwords.mk is
# presumably read by the Makefile in the same directory) a ten-year lifetime,
# 3652 days. The capture group keeps whatever spacing the file already has
# around '='. Every matching line is rewritten, not just the first.
- name: Configure /etc/raddb/certs/passwords.mk
  replace:
    path: '/etc/raddb/certs/passwords.mk'
    regexp: "^(CA_DEFAULT_DAYS *= *).*$"
    replace: "\\1'3652'"
  tags: radius-certs
# Subject and lifetime of the self-signed CA used for EAP. Dict keys are
# "<section>.<option>"; the padding inside ' CA_default ' is kept because that
# is how the stock cnf spells its section header (presumably `[ CA_default ]`
# — verify if ini_file ever fails to find it). A value that is not a string
# would remove the option instead of setting it; every value here is a string.
# The inner double quotes on commonName are written to the file verbatim.
- name: Configure /etc/raddb/certs/ca.cnf
  ini_file:
    path: '/etc/raddb/certs/ca.cnf'
    section: "{{ item.key.partition('.')[0] }}"
    option: "{{ item.key.partition('.')[2] }}"
    value: "{{ item.value if item.value is string else omit }}"
    state: "{{ 'present' if item.value is string else 'absent' }}"
  with_dict:
    # ten-year CA lifetime, matching passwords.mk
    ' CA_default .default_days': '3652'
    'certificate_authority.countryName': 'DK'
    'certificate_authority.stateOrProvinceName': 'Copenhagen'
    'certificate_authority.localityName': 'Frederiksberg'
    'certificate_authority.organizationName': 'Labitat'
    'certificate_authority.emailAddress': 'noc@labitat.dk'
    'certificate_authority.commonName': '"Labitat Network Infrastructure CA"'
  tags: radius-certs
# Subject and lifetime of the outer EAP server certificate (two years, 731
# days). Same key convention as ca.cnf: "<section>.<option>", section padding
# kept to match the stock header, non-string values would delete the option.
# The double quotes around the commonName end up in the file verbatim.
- name: Configure /etc/raddb/certs/server.cnf
  ini_file:
    path: '/etc/raddb/certs/server.cnf'
    section: "{{ item.key.partition('.')[0] }}"
    option: "{{ item.key.partition('.')[2] }}"
    value: "{{ item.value if item.value is string else omit }}"
    state: "{{ 'present' if item.value is string else 'absent' }}"
  with_dict:
    ' CA_default .default_days': '731'
    'server.countryName': 'DK'
    'server.stateOrProvinceName': 'Copenhagen'
    'server.localityName': 'Frederiksberg'
    'server.organizationName': 'Labitat'
    'server.emailAddress': 'noc@labitat.dk'
    # supplicants that pin the server name must be updated when this changes
    'server.commonName': '"Labitat Radius Authentication 2020"'
  tags: radius-certs
# Subject and lifetime of the inner-tunnel server certificate (two years, 731
# days), mirroring server.cnf with a different commonName. Same
# "<section>.<option>" key convention; non-string values would delete the
# option; the quotes around the commonName are written verbatim.
- name: Configure /etc/raddb/certs/inner-server.cnf
  ini_file:
    path: '/etc/raddb/certs/inner-server.cnf'
    section: "{{ item.key.partition('.')[0] }}"
    option: "{{ item.key.partition('.')[2] }}"
    value: "{{ item.value if item.value is string else omit }}"
    state: "{{ 'present' if item.value is string else 'absent' }}"
  with_dict:
    ' CA_default .default_days': '731'
    'server.countryName': 'DK'
    'server.stateOrProvinceName': 'Copenhagen'
    'server.localityName': 'Frederiksberg'
    'server.organizationName': 'Labitat'
    'server.emailAddress': 'noc@labitat.dk'
    'server.commonName': '"Labitat Radius Inner Server Certificate 2020"'
  tags: radius-certs
# Defaults for client certificates: one-year lifetime (365 days) and the
# organisation part of the subject. No commonName or emailAddress is set here,
# so they are presumably supplied when each client certificate is issued.
# Same "<section>.<option>" key convention as the other cnf tasks.
- name: Configure /etc/raddb/certs/client.cnf
  ini_file:
    path: '/etc/raddb/certs/client.cnf'
    section: "{{ item.key.partition('.')[0] }}"
    option: "{{ item.key.partition('.')[2] }}"
    value: "{{ item.value if item.value is string else omit }}"
    state: "{{ 'present' if item.value is string else 'absent' }}"
  with_dict:
    ' CA_default .default_days': '365'
    'client.countryName': 'DK'
    'client.stateOrProvinceName': 'Copenhagen'
    'client.localityName': 'Frederiksberg'
    'client.organizationName': 'Labitat'
  tags: radius-certs
#
# radiusd.service
#
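# Drop-in directory for overriding parts of the packaged radiusd.service
# without editing the unit itself. Must be root-owned and not group/world
# writable: anything placed here changes how the daemon is started.
- name: Create service drop-in directory
  file:
    dest: '/etc/systemd/system/radiusd.service.d'
    state: directory
    owner: root
    group: root
    # quoted so Ansible receives the octal mode as a string
    mode: '0755'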
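# Drop-in that orders radiusd after network-online (contents live in
# files/wait-online.conf). No handler: ordering only matters at boot.
- name: Start radiusd after networks are configured
  copy:
    dest: '/etc/systemd/system/radiusd.service.d/wait-online.conf'
    src: wait-online.conf
    owner: root
    group: root
    # quoted so Ansible receives the octal mode as a string
    mode: '0644'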
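# Drop-in exporting PYTHONPATH into radiusd's environment so rlm_python3 can
# import the assha module. Whatever directory that variable adds is code the
# daemon will execute: make sure it is root-owned and not writable by the
# radiusd user, or a local compromise becomes persistent code execution.
- name: Set PYTHONPATH for radiusd
  copy:
    dest: '/etc/systemd/system/radiusd.service.d/pythonpath.conf'
    src: 'radius/pythonpath.conf'
    owner: root
    group: root
    # quoted so Ansible receives the octal mode as a string
    mode: '0644'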
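# Enable and start radiusd. `chroot` is a boolean set outside this file; in a
# chroot there is no running systemd, so the fallback runs a plain
# `systemctl enable` (symlink creation only). `creates` keeps the fallback
# idempotent and assumes the unit's [Install] section says
# WantedBy=multi-user.target; if that changes the task merely re-runs.
- name: Enable radiusd service
  systemd:
    name: radiusd.service
    enabled: true
    masked: false
    state: started
  when: not chroot
- name: '- when in chroot'
  command: systemctl enable radiusd.service
  args:
    creates: '/etc/systemd/system/multi-user.target.wants/radiusd.service'
  when: chroot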
# vim: set ts=2 sw=2 et: