--- # # configuration # - name: Configure radiusd copy: dest: '/etc/raddb/{{ item }}' src: 'radius/{{ item }}' owner: root group: radiusd mode: 0640 with_items: - radiusd.conf - mods-available/eap - mods-available/python3-assha - sites-available/labitat - sites-available/labitat-inner notify: - restart radiusd - name: Create assha python script copy: dest: '/etc/raddb/mods-config/python3/assha.py' src: 'radius/assha.py' owner: root group: root mode: 0755 notify: - restart radiusd - name: Configure radius clients template: dest: '/etc/raddb/clients.conf' src: radius/clients.conf.j2 owner: root group: radiusd mode: 0640 notify: - restart radiusd - name: Configure radius sites file: path: '/etc/raddb/sites-enabled/{{ item.name }}' src: "{{ (item.state == 'link')|ternary('../sites-available/' + item.name,omit) }}" state: '{{ item.state }}' owner: root group: radiusd follow: no force: yes with_items: - { name: default, state: absent } - { name: inner-tunnel, state: absent } - { name: labitat, state: link } - { name: labitat-inner, state: link } notify: - restart radiusd - name: Configure radius modules file: path: '/etc/raddb/mods-enabled/{{ item.name }}' src: "{{ (item.state == 'link')|ternary('../mods-available/' + item.name,omit) }}" state: '{{ item.state }}' owner: root group: radiusd follow: no force: yes with_items: - { name: files, state: absent } - { name: python3-assha, state: link } notify: - restart radiusd # # getusers.sh # - name: Create getusers script template: dest: '/etc/raddb/getusers.sh' src: radius/getusers.sh.j2 owner: root group: radiusd mode: 0750 - name: Create getusers service and timer copy: dest: '/etc/systemd/system/{{ item }}' src: 'radius/{{ item }}' owner: root group: root mode: 0644 with_items: - getusers.service - getusers.timer notify: - restart getusers - name: Enable getusers timer systemd: name: getusers.timer enabled: yes masked: no state: started when: not chroot - name: '- when in chroot' command: systemctl enable getusers.timer args: creates: '/etc/systemd/system/timers.target.wants/getusers.timer' when: chroot # # certificates # - name: Configure /etc/raddb/certs/passwords.mk replace: path: '/etc/raddb/certs/passwords.mk' regexp: '^CA_DEFAULT_DAYS( *= *).*$' replace: "CA_DEFAULT_DAYS\\1'3652'" tags: radius-certs - name: Configure /etc/raddb/certs/ca.cnf ini_file: path: '/etc/raddb/certs/ca.cnf' section: "{{ item.key.split('.',1)[0] }}" option: "{{ item.key.split('.',1)[1] }}" value: "{{ (item.value is string)|ternary(item.value,omit) }}" state: "{{ (item.value is string)|ternary('present','absent') }}" with_dict: ' CA_default .default_days': '3652' 'certificate_authority.countryName': 'DK' 'certificate_authority.stateOrProvinceName': 'Copenhagen' 'certificate_authority.localityName': 'Frederiksberg' 'certificate_authority.organizationName': 'Labitat' 'certificate_authority.emailAddress': 'noc@labitat.dk' 'certificate_authority.commonName': '"Labitat Network Infrastructure CA"' tags: radius-certs - name: Configure /etc/raddb/certs/server.cnf ini_file: path: '/etc/raddb/certs/server.cnf' section: "{{ item.key.split('.',1)[0] }}" option: "{{ item.key.split('.',1)[1] }}" value: "{{ (item.value is string)|ternary(item.value,omit) }}" state: "{{ (item.value is string)|ternary('present','absent') }}" with_dict: ' CA_default .default_days': '731' 'server.countryName': 'DK' 'server.stateOrProvinceName': 'Copenhagen' 'server.localityName': 'Frederiksberg' 'server.organizationName': 'Labitat' 'server.emailAddress': 'noc@labitat.dk' 'server.commonName': '"Labitat Radius Authentication 2020"' tags: radius-certs - name: Configure /etc/raddb/certs/inner-server.cnf ini_file: path: '/etc/raddb/certs/inner-server.cnf' section: "{{ item.key.split('.',1)[0] }}" option: "{{ item.key.split('.',1)[1] }}" value: "{{ (item.value is string)|ternary(item.value,omit) }}" state: "{{ (item.value is string)|ternary('present','absent') }}" with_dict: ' CA_default .default_days': '731' 'server.countryName': 'DK' 'server.stateOrProvinceName': 'Copenhagen' 'server.localityName': 'Frederiksberg' 'server.organizationName': 'Labitat' 'server.emailAddress': 'noc@labitat.dk' 'server.commonName': '"Labitat Radius Inner Server Certificate 2020"' tags: radius-certs - name: Configure /etc/raddb/certs/client.cnf ini_file: path: '/etc/raddb/certs/client.cnf' section: "{{ item.key.split('.',1)[0] }}" option: "{{ item.key.split('.',1)[1] }}" value: "{{ (item.value is string)|ternary(item.value,omit) }}" state: "{{ (item.value is string)|ternary('present','absent') }}" with_dict: ' CA_default .default_days': '365' 'client.countryName': 'DK' 'client.stateOrProvinceName': 'Copenhagen' 'client.localityName': 'Frederiksberg' 'client.organizationName': 'Labitat' tags: radius-certs # # radiusd.service # - name: Create service drop-in directory file: dest: '/etc/systemd/system/radiusd.service.d' state: directory owner: root group: root mode: 0755 - name: Start radiusd after networks are configured copy: dest: '/etc/systemd/system/radiusd.service.d/wait-online.conf' src: wait-online.conf owner: root group: root mode: 0644 - name: Set PYTHONPATH for radiusd copy: dest: '/etc/systemd/system/radiusd.service.d/pythonpath.conf' src: 'radius/pythonpath.conf' owner: root group: root mode: 0644 - name: Enable radiusd service systemd: name: radiusd.service enabled: yes masked: no state: started when: not chroot - name: '- when in chroot' command: systemctl enable radiusd.service args: creates: '/etc/systemd/system/multi-user.target.wants/radiusd.service' when: chroot # vim: set ts=2 sw=2 et: