---
#
# configuration
#
- name: Configure radiusd
  copy:
    dest: '/etc/raddb/{{ item }}'
    src: 'radius/{{ item }}'
    owner: root
    group: radiusd
    mode: 0640
  with_items:
  - radiusd.conf
  - mods-available/eap
  - mods-available/python3-assha
  - sites-available/labitat
  - sites-available/labitat-inner
  notify:
  - restart radiusd

- name: Create assha python script
  copy:
    dest: '/etc/raddb/mods-config/python3/assha.py'
    src: 'radius/assha.py'
    owner: root
    group: root
    mode: 0755
  notify:
  - restart radiusd

- name: Configure radius clients
  template:
    dest: '/etc/raddb/clients.conf'
    src: radius/clients.conf.j2
    owner: root
    group: radiusd
    mode: 0640
  notify:
  - restart radiusd

- name: Configure radius sites
  file:
    path: '/etc/raddb/sites-enabled/{{ item.name }}'
    src: "{{ (item.state == 'link')|ternary('../sites-available/' + item.name,omit) }}"
    state: '{{ item.state }}'
    owner: root
    group: radiusd
    follow: no
    force: yes
  with_items:
  - { name: default,       state: absent }
  - { name: inner-tunnel,  state: absent }
  - { name: labitat,       state: link }
  - { name: labitat-inner, state: link }
  notify:
  - restart radiusd

- name: Configure radius modules
  file:
    path: '/etc/raddb/mods-enabled/{{ item.name }}'
    src: "{{ (item.state == 'link')|ternary('../mods-available/' + item.name,omit) }}"
    state: '{{ item.state }}'
    owner: root
    group: radiusd
    follow: no
    force: yes
  with_items:
  - { name: files,         state: absent }
  - { name: python3-assha, state: link }
  notify:
  - restart radiusd

#
# getusers.sh
#
- name: Create getusers script
  template:
    dest: '/etc/raddb/getusers.sh'
    src: radius/getusers.sh.j2
    owner: root
    group: radiusd
    mode: 0750

- name: Create getusers service and timer
  copy:
    dest: '/etc/systemd/system/{{ item }}'
    src: 'radius/{{ item }}'
    owner: root
    group: root
    mode: 0644
  with_items:
  - getusers.service
  - getusers.timer
  notify:
  - restart getusers

- name: Enable getusers timer
  systemd:
    name: getusers.timer
    enabled: yes
    masked: no
    state: started
  when: not chroot
- name: '- when in chroot'
  command: systemctl enable getusers.timer
  args:
    creates: '/etc/systemd/system/timers.target.wants/getusers.timer'
  when: chroot

#
# certificates
#
- name: Create our certificates bootstrap script
  copy:
    dest: '/etc/raddb/certs/bootstrap'
    src: 'radius/bootstrap'
    owner: root
    group: radiusd
    mode: 0750

- name: Add certbot deploy hook
  copy:
    dest: '/etc/letsencrypt/renewal-hooks/deploy/radius.sh'
    src: 'radius/certbot.sh'
    owner: root
    group: root
    mode: 0755

#
# radiusd.service
#
- name: Create service drop-in directory
  file:
    dest: '/etc/systemd/system/radiusd.service.d'
    state: directory
    owner: root
    group: root
    mode: 0755

- name: Start radiusd after networks are configured
  copy:
    dest: '/etc/systemd/system/radiusd.service.d/wait-online.conf'
    src: wait-online.conf
    owner: root
    group: root
    mode: 0644

- name: Set PYTHONPATH for radiusd
  copy:
    dest: '/etc/systemd/system/radiusd.service.d/pythonpath.conf'
    src: 'radius/pythonpath.conf'
    owner: root
    group: root
    mode: 0644

- name: Enable radiusd service
  systemd:
    name: radiusd.service
    enabled: yes
    masked: no
    state: started
  when: not chroot
- name: '- when in chroot'
  command: systemctl enable radiusd.service
  args:
    creates: '/etc/systemd/system/multi-user.target.wants/radiusd.service'
  when: chroot

# vim: set ts=2 sw=2 et: