authorEmil Renner Berthing <esmil@labitat.dk>2020-02-29 14:09:39 +0100
committerEmil Renner Berthing <esmil@labitat.dk>2020-02-29 23:48:24 +0100
commitca467c55d8bbd633870c1fcaff0677bc2c6eaa9f (patch)
tree563ec89a5690de52204379dab46556b0926d7a39
parent543907b4fb61a529f81e0cbe86fd7e7d967b6d60 (diff)
space_server: update to Fedora 31
-rw-r--r--roles/fedora/defaults/main.yml1
-rwxr-xr-xroles/space_server/bootstrap.sh21
-rw-r--r--roles/space_server/files/bird.conf231
-rw-r--r--roles/space_server/files/bird/bird.conf7
-rw-r--r--roles/space_server/files/bird/bird6.conf7
-rw-r--r--roles/space_server/files/bird/filter.conf31
-rw-r--r--roles/space_server/files/bird/peers4.conf11
-rw-r--r--roles/space_server/files/bird/peers6.conf11
-rw-r--r--roles/space_server/files/bird/protocols.conf18
-rw-r--r--roles/space_server/files/bird/symbol4.conf7
-rw-r--r--roles/space_server/files/bird/symbol6.conf7
-rw-r--r--roles/space_server/files/bird/templates.conf18
-rw-r--r--roles/space_server/files/networkd/10-lo.network8
-rwxr-xr-xroles/space_server/files/radius/assha.py4
-rw-r--r--roles/space_server/files/radius/mods-available/python-assha17
-rw-r--r--roles/space_server/files/radius/mods-available/python3-assha15
-rwxr-xr-xroles/space_server/files/radius/pythonpath.conf2
-rw-r--r--roles/space_server/files/radius/sites-available/labitat-inner4
-rw-r--r--roles/space_server/handlers/main.yml5
-rw-r--r--roles/space_server/tasks/bird.yml60
-rw-r--r--roles/space_server/tasks/kernel.yml8
-rw-r--r--roles/space_server/tasks/radius.yml19
-rw-r--r--roles/space_server/vars/main.yml5
-rw-r--r--space.yml5
24 files changed, 302 insertions, 220 deletions
diff --git a/roles/fedora/defaults/main.yml b/roles/fedora/defaults/main.yml
index 2575da2..7ba53a1 100644
--- a/roles/fedora/defaults/main.yml
+++ b/roles/fedora/defaults/main.yml
@@ -37,7 +37,6 @@ dnf_packages_default:
'passwd': present
'vim-enhanced': present
'dnf-command(leaves)': present
- 'python-unversioned-command': present
dnf_packages_role: {}
sudo_group: 'wheel'
diff --git a/roles/space_server/bootstrap.sh b/roles/space_server/bootstrap.sh
index 218815e..44e47bd 100755
--- a/roles/space_server/bootstrap.sh
+++ b/roles/space_server/bootstrap.sh
@@ -36,12 +36,14 @@
# mount -o noatime,ssd,compress=lzo,subvol=/home /dev/sda2 /home
#
# Run this script
+# ./roles/space_server/bootstrap.sh
set -e
set -x
-release=29
+release=31
dest="/mnt/fedora$release"
+secrets='./secrets.yml'
if [[ -e "$dest" ]]; then
echo "Destination '$dest' already exists. Aborting." >&2
exit 1
@@ -58,7 +60,7 @@ dnf \
--disablerepo='*' \
--enablerepo=fedora \
--enablerepo=updates \
- install glibc-langpack-en dnf git ansible python-unversioned-command
+ install glibc-langpack-en systemd-udev dnf git ansible
for i in /var/lib/machines /var/lib/portables; do
if [[ -d "$dest$i" ]]; then
@@ -68,17 +70,22 @@ for i in /var/lib/machines /var/lib/portables; do
install -o root -g root -m755 -d "$dest$i"
done
+if [[ -f "$secrets" ]]; then
+ install -o root -g root -m600 "$secrets" "$dest/root/secrets.yml"
+fi
+
exec systemd-nspawn \
-D "$dest" \
- -M space \
+ -M space.labitat.dk \
-E ANSIBLE_FORCE_COLOR=1 \
--bind /boot \
--bind /home \
-- \
ansible-pull \
- -i space.labitat.dk, \
- -c local \
- -U 'https://github.com/labitat/labitat-ansible.git' \
- space.yml
+ -i space.labitat.dk, \
+ -c local \
+ -U 'https://github.com/labitat/labitat-ansible.git' \
+ -d /root/ansible \
+ space.yml
# vim: set ts=2 sw=2 et:
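Review bot: The `ansible-pull` invocation fetches whatever the default branch of the public GitHub URL currently holds and runs it as root inside a container with the host's /boot and /home bind-mounted, so anyone who can push to that repository can take over the new install. Pin the ref that was actually tested with `-C <tag-or-sha>` and, if the repository's commits are GPG-signed, add `--verify-commit` so an unsigned or tampered checkout is refused; if commits are not signed today, that is worth setting up before relying on this bootstrap path. The `install -m600` of `$secrets` into the chroot is fine, but the script silently continues when `./secrets.yml` is absent, which only surfaces later as roles running without their secrets; an `else` branch with `echo "no $secrets found, continuing without secrets" >&2` would make that visible at the point it happens.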
diff --git a/roles/space_server/files/bird.conf b/roles/space_server/files/bird.conf
new file mode 100644
index 0000000..acc191c
--- /dev/null
+++ b/roles/space_server/files/bird.conf
@@ -0,0 +1,231 @@
+#
+# BIRD 2 configuration for AS205235 Labitat
+#
+
+log syslog all;
+#debug protocols all;
+debug protocols { events, states };
+
+watchdog warning 5 s;
+watchdog timeout 30 s;
+
+timeformat base iso long;
+timeformat log iso long;
+timeformat protocol iso long;
+timeformat route iso long;
+
+router id 185.38.175.0;
+
+# functions and filters
+
+define local_asn = 205235;
+define fiberby_asn = 42541;
+define asbjorn_asn = 207727;
+
+define local_prefixes_v4 = [
+ 185.38.175.0/24,
+ 194.165.56.0/24,
+ 194.165.58.0/24
+];
+
+define local_prefixes_v6 = [
+ 2a01:4262:1ab::/48,
+ 2a10:2a80:ac::/48,
+ 2a10:2a80:1ab::/48
+];
+
+define asbjorn_prefixes_v4 = [
+ 194.165.56.0/24,
+ 194.165.58.0/24
+];
+
+define asbjorn_prefixes_v6 = [
+ 2a10:2a80:ac::/48,
+ 2a10:2a80:1ab::/48
+];
+
+# functions and filters
+
+function is_default_route() {
+ case net.type {
+ NET_IP4: if net = 0.0.0.0/0 then return true;
+ NET_IP6: if net = ::/0 then return true;
+ }
+ return false;
+}
+
+function is_customer_route() {
+ case net.type {
+ NET_IP4: if net ~ local_prefixes_v4 then return true;
+ NET_IP6: if net ~ local_prefixes_v6 then return true;
+ }
+ return false;
+}
+
+filter kernel_export {
+ if source !~ [ RTS_BGP, RTS_STATIC ] then reject;
+ if is_default_route() then accept;
+ if is_customer_route() then accept;
+ reject;
+}
+
+function honor_graceful_shutdown()
+{
+ # RFC 8326 Graceful BGP Session Shutdown
+ if (65535, 0) ~ bgp_community then {
+ bgp_local_pref = 0;
+ }
+}
+
+filter transit_import {
+ honor_graceful_shutdown();
+ accept;
+}
+
+filter transit_export {
+ if is_customer_route() then accept;
+ reject;
+}
+
+# generate local routes
+protocol static static4 {
+ ipv4;
+ route 185.38.175.0/24 unreachable;
+}
+
+protocol static static6 {
+ ipv6;
+ route 2a01:4262:1ab::/48 unreachable;
+}
+
+# customer import
+function customer_import(int peer_asn; prefix set peer_prefixes) {
+ if net !~ peer_prefixes then reject;
+ if bgp_path.first != peer_asn then reject;
+ accept;
+}
+
+# customer export functions
+function customer_export_default_only() {
+ if !is_default_route() then reject;
+ accept;
+}
+
+function customer_export_dfz() {
+ if source !~ [ RTS_BGP, RTS_STATIC ] then reject;
+ if is_default_route() then reject;
+ accept;
+}
+
+function customer_export_and_default() {
+ if is_default_route() then {
+ customer_export_default_only();
+ } else {
+ customer_export_dfz();
+ }
+}
+
+
+# define basic protocols
+protocol device {}
+
+protocol direct {
+ ipv4;
+ ipv6;
+}
+
+protocol kernel kernel4 {
+ ipv4 {
+ import none;
+ export filter kernel_export;
+ };
+ learn;
+ persist;
+ graceful restart;
+ merge paths;
+}
+
+protocol kernel kernel6 {
+ ipv6 {
+ import none;
+ export filter kernel_export;
+ };
+ learn;
+ persist;
+ graceful restart;
+ merge paths;
+}
+
+
+# templates
+template bgp bgp_customer {
+ default bgp_local_pref 150;
+}
+
+template bgp bgp_transit_v4 {
+ default bgp_local_pref 100;
+ ipv4 {
+ import limit off;
+ receive limit off;
+ import keep filtered on;
+ import filter transit_import;
+ export filter transit_export;
+ };
+}
+
+template bgp bgp_transit_v6 {
+ default bgp_local_pref 100;
+ ipv6 {
+ import limit off;
+ receive limit off;
+ import keep filtered on;
+ import filter transit_import;
+ export filter transit_export;
+ };
+}
+
+# Transit
+protocol bgp fiberby_tgc_v4 from bgp_transit_v4 {
+ local 193.106.167.41 as local_asn;
+ neighbor 193.106.167.40 as fiberby_asn;
+}
+
+protocol bgp fiberby_inx_v4 from bgp_transit_v4 {
+ local 193.106.167.43 as local_asn;
+ neighbor 193.106.167.42 as fiberby_asn;
+}
+
+protocol bgp fiberby_tgc_v6 from bgp_transit_v6 {
+ local 2a03:5440:1:2935:1ab:1::2 as local_asn;
+ neighbor 2a03:5440:1:2935:1ab:1::1 as fiberby_asn;
+}
+
+protocol bgp fiberby_inx_v6 from bgp_transit_v6 {
+ local 2a03:5440:1:2935:1ab:2::2 as local_asn;
+ neighbor 2a03:5440:1:2935:1ab:2::1 as fiberby_asn;
+}
+
+# BGP customer: asbjorn
+protocol bgp asbjorn_ipv4 from bgp_customer {
+ local 185.38.175.65 as local_asn;
+ neighbor 185.38.175.75 as asbjorn_asn;
+ ipv4 {
+ import limit 10 action block;
+ receive limit 20 action disable;
+ import keep filtered on;
+ import filter { customer_import(asbjorn_asn, asbjorn_prefixes_v4); };
+ export filter { customer_export_default_only(); };
+ };
+}
+
+protocol bgp asbjorn_ipv6 from bgp_customer {
+ local 2a01:4262:1ab:20::1 as local_asn;
+ neighbor 2a01:4262:1ab:20::75 as asbjorn_asn;
+ ipv6 {
+ import limit 10 action block;
+ receive limit 20 action disable;
+ import keep filtered on;
+ import filter { customer_import(asbjorn_asn, asbjorn_prefixes_v6); };
+ export filter { customer_export_default_only(); };
+ };
+}
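Review bot: `transit_import` accepts everything the upstream sends, so a leaked or hijacked announcement of one of `local_prefixes_v4`/`_v6` (or a bogon) is taken into the table and would be re-exported to any future customer served by `customer_export_dfz`; only the exact-prefix match in `kernel_export` and BIRD's default preference of `static` over BGP keep it out of the kernel today, as far as the visible config shows. The usual guard is to reject our own and customer prefixes before the accept, `if is_customer_route() then reject;` as the first line of the filter, plus a bogon/martian prefix set in the same place; since the `~` match on these sets is exact, `185.38.175.0/24+`-style entries would be needed for more-specifics to be covered too. None of the four transit or two customer sessions set `password` (TCP MD5) or `ttl security`; if the peers support either, enabling them protects the sessions from spoofed RSTs and off-path injection. `customer_export_and_default` is defined but not referenced by any protocol — either drop it or wire it up so the file does not carry dead filter code.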
diff --git a/roles/space_server/files/bird/bird.conf b/roles/space_server/files/bird/bird.conf
deleted file mode 100644
index 2ae72f0..0000000
--- a/roles/space_server/files/bird/bird.conf
+++ /dev/null
@@ -1,7 +0,0 @@
-router id 185.38.175.0;
-
-include "bird/symbol4.conf";
-include "bird/filter.conf";
-include "bird/protocols.conf";
-include "bird/templates.conf";
-include "bird/peers4.conf";
diff --git a/roles/space_server/files/bird/bird6.conf b/roles/space_server/files/bird/bird6.conf
deleted file mode 100644
index 91b5405..0000000
--- a/roles/space_server/files/bird/bird6.conf
+++ /dev/null
@@ -1,7 +0,0 @@
-router id 185.38.175.0;
-
-include "bird/symbol6.conf";
-include "bird/filter.conf";
-include "bird/protocols.conf";
-include "bird/templates.conf";
-include "bird/peers6.conf";
diff --git a/roles/space_server/files/bird/filter.conf b/roles/space_server/files/bird/filter.conf
deleted file mode 100644
index 3edc053..0000000
--- a/roles/space_server/files/bird/filter.conf
+++ /dev/null
@@ -1,31 +0,0 @@
-function accept_default_route()
-{
- if net = DEFAULT_ROUTE then {
- accept;
- }
-}
-
-function accept_prefixes(prefix set prefixes)
-{
- if net ~ prefixes then {
- accept;
- }
-}
-
-filter fallback_filter {
- reject "WARNING!! no filter set, all routes will be rejected";
-}
-
-filter transit_import
-{
- accept_default_route();
-
- reject;
-}
-
-filter transit_export
-{
- accept_prefixes(LABITAT_PREFIXES);
-
- reject;
-}
diff --git a/roles/space_server/files/bird/peers4.conf b/roles/space_server/files/bird/peers4.conf
deleted file mode 100644
index ac4fa69..0000000
--- a/roles/space_server/files/bird/peers4.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-template bgp fiberby from bgp_transit {
-}
-
-protocol bgp fiberby_tgc from fiberby {
- preference 90;
- neighbor 193.106.167.40 as 42541;
-}
-
-protocol bgp fiberby_inx from fiberby {
- neighbor 193.106.167.42 as 42541;
-}
diff --git a/roles/space_server/files/bird/peers6.conf b/roles/space_server/files/bird/peers6.conf
deleted file mode 100644
index a78d8c6..0000000
--- a/roles/space_server/files/bird/peers6.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-template bgp fiberby from bgp_transit {
-}
-
-protocol bgp fiberby_tgc from fiberby {
- preference 90;
- neighbor 2a03:5440:1:2935:1ab:1::1 as 42541;
-}
-
-protocol bgp fiberby_inx from fiberby {
- neighbor 2a03:5440:1:2935:1ab:2::1 as 42541;
-}
diff --git a/roles/space_server/files/bird/protocols.conf b/roles/space_server/files/bird/protocols.conf
deleted file mode 100644
index f5cc85f..0000000
--- a/roles/space_server/files/bird/protocols.conf
+++ /dev/null
@@ -1,18 +0,0 @@
-protocol device {
- scan time 10;
-}
-
-protocol direct {
-}
-
-protocol kernel {
- metric 64;
- learn;
- persist;
- scan time 20;
- import all;
- export filter {
- krt_prefsrc = PREFSRC;
- accept;
- };
-}
diff --git a/roles/space_server/files/bird/symbol4.conf b/roles/space_server/files/bird/symbol4.conf
deleted file mode 100644
index a23c865..0000000
--- a/roles/space_server/files/bird/symbol4.conf
+++ /dev/null
@@ -1,7 +0,0 @@
-define DEFAULT_ROUTE = 0.0.0.0/0;
-
-define LABITAT_PREFIXES = [
- 185.38.175.0/24
-];
-
-define PREFSRC = 185.38.175.0;
diff --git a/roles/space_server/files/bird/symbol6.conf b/roles/space_server/files/bird/symbol6.conf
deleted file mode 100644
index fd142c9..0000000
--- a/roles/space_server/files/bird/symbol6.conf
+++ /dev/null
@@ -1,7 +0,0 @@
-define DEFAULT_ROUTE = ::/0;
-
-define LABITAT_PREFIXES = [
- 2a01:4262:1ab::/48
-];
-
-define PREFSRC = 2a01:4262:1ab::;
diff --git a/roles/space_server/files/bird/templates.conf b/roles/space_server/files/bird/templates.conf
deleted file mode 100644
index 4334bd8..0000000
--- a/roles/space_server/files/bird/templates.conf
+++ /dev/null
@@ -1,18 +0,0 @@
-template bgp bgp_peer {
- local as 205235;
- import keep filtered;
- import filter fallback_filter;
- export filter fallback_filter;
- import limit 1000 action block;
- receive limit 1500 action disable;
- export limit 100 action block;
- hold time 60;
-}
-
-template bgp bgp_transit from bgp_peer {
- preference 100;
- import limit off;
- receive limit off;
- import filter transit_import;
- export filter transit_export;
-}
diff --git a/roles/space_server/files/networkd/10-lo.network b/roles/space_server/files/networkd/10-lo.network
index 6457f55..ce9fdbe 100644
--- a/roles/space_server/files/networkd/10-lo.network
+++ b/roles/space_server/files/networkd/10-lo.network
@@ -5,11 +5,3 @@ Name=lo
Address=185.38.175.0/32
Address=185.38.175.1/32
Address=2a01:4262:1ab::/128
-
-[Route]
-Type=unreachable
-Destination=185.38.175.0/24
-
-[Route]
-Type=unreachable
-Destination=2a01:4262:1ab::/48
diff --git a/roles/space_server/files/radius/assha.py b/roles/space_server/files/radius/assha.py
index e34c382..6d81be1 100755
--- a/roles/space_server/files/radius/assha.py
+++ b/roles/space_server/files/radius/assha.py
@@ -10,7 +10,7 @@ REXP = re.compile('^([^ ]+) ASSHA-Password := "(.*)"$')
def authorize(p):
#radiusd.radlog(radiusd.L_INFO, '*** radlog call in authorize ***')
reply = ( ('Reply-Message', 'Welcome to Labitat!'), )
- config = ( ('Auth-Type', 'python'), )
+ config = ( ('Auth-Type', 'python3'), )
return (radiusd.RLM_MODULE_OK, reply, config)
def load_users():
@@ -30,7 +30,7 @@ def check_pwd(user, pw):
assha = users[user]
crypted = assha[:40]
salt = assha[40:]
- h = hashlib.sha1('--%s--%s--' % (salt, pw)).hexdigest()
+ h = hashlib.sha1('--{}--{}--'.format(salt, pw).encode('utf-8')).hexdigest()
return h == crypted
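Review bot: `return h == crypted` compares the computed hex digest with the stored one using a plain string comparison, which short-circuits on the first differing character; `return hmac.compare_digest(h, crypted)` costs one `import hmac` and removes the timing side channel. The scheme itself, a single SHA-1 over `--salt--pw--` with no key stretching, is cheap to brute-force offline if the users file leaks, which deserves a comment at the top of the file even if the format is dictated by whatever produces these hashes. The added `.encode('utf-8')` is the right Python 3 fix for the formatted string. `check_pwd` starts before this hunk.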
def authenticate(p):
diff --git a/roles/space_server/files/radius/mods-available/python-assha b/roles/space_server/files/radius/mods-available/python-assha
deleted file mode 100644
index fa48e01..0000000
--- a/roles/space_server/files/radius/mods-available/python-assha
+++ /dev/null
@@ -1,17 +0,0 @@
-python {
- python_path="/usr/lib/python27.zip:/usr/lib64/python2.7:/usr/lib64/python2.7/plat-linux2:/usr/lib64/python2.7/lib-tk:/usr/lib64/python2.7/lib-old:/usr/lib64/python2.7/lib-dynload:/usr/lib64/python2.7/site-packages:/usr/lib/python2.7/site-packages:/etc/raddb/mods-config/python/"
-
- module = assha
-
- #mod_instantiate = ${.module}
- #func_instantiate = instantiate
-
- #mod_detach = ${.module}
- #func_detach = instantiate
-
- mod_authorize = ${.module}
- func_authorize = authorize
-
- mod_authenticate = ${.module}
- func_authenticate = authenticate
-}
diff --git a/roles/space_server/files/radius/mods-available/python3-assha b/roles/space_server/files/radius/mods-available/python3-assha
new file mode 100644
index 0000000..af3cf8c
--- /dev/null
+++ b/roles/space_server/files/radius/mods-available/python3-assha
@@ -0,0 +1,15 @@
+python3 {
+ module = assha
+
+ #mod_instantiate = ${.module}
+ #func_instantiate = instantiate
+
+ #mod_detach = ${.module}
+ #func_detach = instantiate
+
+ mod_authorize = ${.module}
+ func_authorize = authorize
+
+ mod_authenticate = ${.module}
+ func_authenticate = authenticate
+}
diff --git a/roles/space_server/files/radius/pythonpath.conf b/roles/space_server/files/radius/pythonpath.conf
new file mode 100755
index 0000000..6a7f6ba
--- /dev/null
+++ b/roles/space_server/files/radius/pythonpath.conf
@@ -0,0 +1,2 @@
+[Service]
+Environment=PYTHONPATH='/etc/raddb/mods-config/python3'
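Review bot: The drop-in is committed with mode 100755 although it is a systemd unit fragment, not a script; the Ansible task installs it with 0644 so nothing breaks on the host, but the executable bit in the repository is misleading and should be cleared. Anything importable from the directory named in `PYTHONPATH` becomes code running inside radiusd, so `/etc/raddb/mods-config/python3` and the files in it must stay root-owned and not writable by the `radiusd` group; the copy task sets owner and group to root for `assha.py`, but the directory's own ownership and mode are not managed anywhere in this change as far as it shows. A one-line comment such as `# Lets the python3 module find assha.py; keep this directory root-owned and non-writable by radiusd` would record that requirement next to the setting.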
diff --git a/roles/space_server/files/radius/sites-available/labitat-inner b/roles/space_server/files/radius/sites-available/labitat-inner
index 8c099fc..d3ef9c2 100644
--- a/roles/space_server/files/radius/sites-available/labitat-inner
+++ b/roles/space_server/files/radius/sites-available/labitat-inner
@@ -13,7 +13,7 @@ server labitat-inner {
ok = return
}
- python
+ python3
expiration
logintime
pap
@@ -24,7 +24,7 @@ server labitat-inner {
pap
}
- python
+ python3
eap
}
diff --git a/roles/space_server/handlers/main.yml b/roles/space_server/handlers/main.yml
index 3a92a46..0ae6ef4 100644
--- a/roles/space_server/handlers/main.yml
+++ b/roles/space_server/handlers/main.yml
@@ -13,11 +13,8 @@
- name: restart bird
systemd:
- name: '{{ item }}.service'
+ name: bird.service
state: restarted
- with_items:
- - bird
- - bird6
when: not chroot
- name: restart dhcpd
diff --git a/roles/space_server/tasks/bird.yml b/roles/space_server/tasks/bird.yml
index 4ce01eb..c81176d 100644
--- a/roles/space_server/tasks/bird.yml
+++ b/roles/space_server/tasks/bird.yml
@@ -1,68 +1,22 @@
---
-- name: Make sure /etc/bird exists
- file:
- dest: '/etc/bird'
- state: directory
- owner: root
- group: root
- mode: 0755
-- name: Create bird configuration
- copy:
- dest: '/etc/bird/'
- src: '{{ item }}'
- owner: root
- group: root
- mode: 0644
- with_fileglob: 'bird/*'
- loop_control:
- label: '/etc/bird/{{ item|basename }}'
- notify:
- - restart bird
-
-- name: Create bird.conf and bird6.conf symlinks
- file:
- path: '/etc/{{ item }}.conf'
- src: 'bird/{{ item }}.conf'
- state: link
- force: yes
- with_items:
- - bird
- - bird6
-
-# bird6 wants the link to have a link-local address
-# when starting, so wait for it
-- name: Create bird6 service drop-in directory
- file:
- dest: '/etc/systemd/system/bird6.service.d'
- state: directory
- owner: root
- group: root
- mode: 0755
-- name: Start bird6 after networks are configured
+- name: Create /etc/bird.conf
copy:
- dest: '/etc/systemd/system/bird6.service.d/wait-online.conf'
- src: wait-online.conf
+ dest: '/etc/bird.conf'
+ src: 'bird.conf'
owner: root
group: root
mode: 0644
+ notify: restart bird
-- name: Enable bird and bird6
+- name: Enable bird.service
systemd:
- name: '{{ item }}.service'
+ name: 'bird.service'
enabled: yes
masked: no
state: started
- with_items:
- - bird
- - bird6
when: not chroot
- name: '- when in chroot'
- command: 'systemctl enable {{ item }}.service'
- args:
- creates: '/etc/systemd/system/multi-user.target.wants/{{ item }}.service'
- with_items:
- - bird
- - bird6
+ command: 'systemctl enable bird.service'
when: chroot
# vim: set ts=2 sw=2 et:
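Review bot: The chroot branch lost the `creates:` guard that the old per-item version had, so `command: 'systemctl enable bird.service'` now reports changed on every run and is no longer idempotent; restore it with `args: {creates: '/etc/systemd/system/multi-user.target.wants/bird.service'}` under the command. `/etc/bird.conf` is installed world-readable with `mode: 0644`, which is fine while it holds no session secrets, but if a `password` is ever added to a BGP session the mode should drop to `0640` with `group: bird`. `enabled: yes` is a YAML 1.1 truthy spelling; `enabled: true` is the unambiguous form.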
diff --git a/roles/space_server/tasks/kernel.yml b/roles/space_server/tasks/kernel.yml
index 9354850..db4e5d2 100644
--- a/roles/space_server/tasks/kernel.yml
+++ b/roles/space_server/tasks/kernel.yml
@@ -1,4 +1,12 @@
---
+- name: Make sure /boot/<machine-id> exists
+ file:
+ path: '/boot/{{ ansible_machine_id }}'
+ state: directory
+ owner: root
+ group: root
+ mode: 0755
+
- name: Make sure /etc/kernel/install.d exists
file:
path: '{{ item }}'
diff --git a/roles/space_server/tasks/radius.yml b/roles/space_server/tasks/radius.yml
index a3f4183..2747d31 100644
--- a/roles/space_server/tasks/radius.yml
+++ b/roles/space_server/tasks/radius.yml
@@ -9,7 +9,7 @@
with_items:
- radiusd.conf
- mods-available/eap
- - mods-available/python-assha
+ - mods-available/python3-assha
- sites-available/labitat
- sites-available/labitat-inner
notify:
@@ -17,7 +17,7 @@
- name: Create assha python script
copy:
- dest: '/etc/raddb/mods-config/python/assha.py'
+ dest: '/etc/raddb/mods-config/python3/assha.py'
src: 'radius/assha.py'
owner: root
group: root
@@ -42,6 +42,7 @@
state: '{{ item.state }}'
owner: root
group: radiusd
+ follow: no
force: yes
with_items:
- { name: default, state: absent }
@@ -58,11 +59,11 @@
state: '{{ item.state }}'
owner: root
group: radiusd
+ follow: no
force: yes
with_items:
- - { name: files, state: absent }
- - { name: python, state: absent }
- - { name: python-assha, state: link }
+ - { name: files, state: absent }
+ - { name: python3-assha, state: link }
notify:
- restart radiusd
@@ -116,6 +117,14 @@
group: root
mode: 0644
+- name: Set PYTHONPATH for radiusd
+ copy:
+ dest: '/etc/systemd/system/radiusd.service.d/pythonpath.conf'
+ src: 'radius/pythonpath.conf'
+ owner: root
+ group: root
+ mode: 0644
+
- name: Enable radiusd service
systemd:
name: radiusd.service
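Review bot: The new "Set PYTHONPATH for radiusd" task has no `notify`, so changing the drop-in neither triggers a `daemon-reload` nor restarts radiusd, and the running service keeps its old environment until something else restarts it. Add `notify: restart radiusd` (the other radius tasks in this file use that handler) and make sure that handler runs with `daemon_reload: yes` so the new unit fragment is picked up — the handler itself is not in this diff, so that needs checking. The task also assumes `/etc/systemd/system/radiusd.service.d/` already exists; the task just above appears to write into the same directory, but if it does not create it, a `file: state: directory` task should precede this one.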
diff --git a/roles/space_server/vars/main.yml b/roles/space_server/vars/main.yml
index 65c14a7..ed39f54 100644
--- a/roles/space_server/vars/main.yml
+++ b/roles/space_server/vars/main.yml
@@ -10,7 +10,6 @@ locale_default:
dnf_conf_role:
'main.install_weak_deps': 'False'
- 'main.best': 'True'
'main.deltarpm': 'False'
dnf_packages_role:
@@ -23,15 +22,15 @@ dnf_packages_role:
'htop': present
'man-db': present
'syslinux': present
+ 'systemd-udev': present
'systemd-container': present
'sudo': present
'nftables': present
'openssh-server': present
'openssh-clients': present
'bird': present
- 'bird6': present
'dhcp-server': present
- 'freeradius-python': present # pulls in radiusd
+ 'python3-freeradius': present # pulls in radiusd
'curl': present
'diffutils': present
'bind': present
diff --git a/space.yml b/space.yml
index cb935c9..5474cfa 100644
--- a/space.yml
+++ b/space.yml
@@ -6,7 +6,10 @@
chroot: "{{ ansible_connection == 'chroot' or 'container' in ansible_env }}"
tags: always
- name: Load secrets
- include_vars: 'secrets.yml'
+ include_vars: '{{ item }}'
+ with_first_found:
+ - secrets.yml
+ - /root/secrets.yml
ignore_errors: yes
tags: always
roles:
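Review bot: `ignore_errors: yes` on the secrets load hides more than a missing file: a malformed or undecryptable `secrets.yml` is swallowed the same way, and the roles then run with those variables undefined and fail somewhere less obvious, or template empty values into configs. Use the lookup's own skip behaviour instead and drop `ignore_errors`, so a genuine parse or vault error still aborts the play. Since the file holds secrets, `no_log: true` on this task keeps its contents out of verbose output and ansible-pull logs.
```yaml
- name: Load secrets
  include_vars: '{{ item }}'
  with_first_found:
    - files:
        - secrets.yml
        - /root/secrets.yml
      skip: true
  no_log: true
  tags: always
```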