Vendor Galaxy Roles and Collections

Stefan Bethke 2026-02-06 22:07:16 +01:00
commit 2aed20393f
3553 changed files with 387444 additions and 2 deletions


@ -0,0 +1,19 @@
debops.freeradius - Manage FreeRADIUS service using Ansible
Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
Copyright (C) 2018 DebOps <https://debops.org/>
SPDX-License-Identifier: GPL-3.0-only
This Ansible role is part of DebOps.
DebOps is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License version 3, as
published by the Free Software Foundation.
DebOps is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with DebOps. If not, see https://www.gnu.org/licenses/.


@ -0,0 +1,368 @@
---
# .. vim: foldmarker=[[[,]]]:foldmethod=marker
# .. Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
# .. Copyright (C) 2018 DebOps <https://debops.org/>
# .. SPDX-License-Identifier: GPL-3.0-only
# .. _freeradius__ref_defaults:
# debops.freeradius default variables
# ===================================
# .. contents:: Sections
# :local:
#
# .. include:: ../../../../includes/global.rst
# APT packages, FreeRADIUS version [[[
# ------------------------------------
# .. envvar:: freeradius__base_packages [[[
#
# List of essential APT packages to install for FreeRADIUS support.
freeradius__base_packages: [ 'freeradius', 'freeradius-utils' ]
# ]]]
# .. envvar:: freeradius__packages [[[
#
# List of additional APT packages to install with FreeRADIUS.
freeradius__packages: []
# ]]]
# .. envvar:: freeradius__version [[[
#
# The version of the installed FreeRADIUS package, gathered via Ansible local
# facts. This variable can be used in conditions to enable/disable parts of the
# configuration.
freeradius__version: '{{ ansible_local.freeradius.version | d("0.0.0") }}'
# ]]]
# ]]]
# UNIX environment [[[
# --------------------
# .. envvar:: freeradius__user [[[
#
# The UNIX system account which is used to manage FreeRADIUS service.
freeradius__user: 'freerad'
# ]]]
# .. envvar:: freeradius__group [[[
#
# The UNIX group which is used to manage FreeRADIUS service.
freeradius__group: 'freerad'
# ]]]
# .. envvar:: freeradius__conf_base_path [[[
#
# Absolute path to the base directory which contains the FreeRADIUS
# configuration files. You most likely don't have to change this.
freeradius__conf_base_path: '/etc/freeradius/3.0'
# ]]]
# ]]]
# Internal firewall and ports [[[
# -------------------------------
# These variables define the firewall configuration for internal FreeRADIUS
# communication, not intended for client endpoints.
# .. envvar:: freeradius__default_ports [[[
#
# List of TCP/UDP ports which are managed by default in the firewall, for
# internal communication. You can use port numbers or names from the
# :file:`/etc/services` database.
freeradius__default_ports: [ 'radius', 'radius-acct' ]
# ]]]
# .. envvar:: freeradius__ports [[[
#
# List of TCP/UDP ports for internal communication which will be managed on all
# hosts in the Ansible inventory.
freeradius__ports: []
# ]]]
# .. envvar:: freeradius__group_ports [[[
#
# List of TCP/UDP ports for internal communication which will be managed on
# hosts in a specific Ansible inventory group.
freeradius__group_ports: []
# ]]]
# .. envvar:: freeradius__host_ports [[[
#
# List of TCP/UDP ports for internal communication which will be managed on
# specific hosts in the Ansible inventory.
freeradius__host_ports: []
# ]]]
# .. envvar:: freeradius__accept_any [[[
#
# By default, internal firewall does not allow any connections from anywhere
# and you need to specify IP addresses or CIDR subnets to allow for
# communication to the FreeRADIUS service. If this variable is set to ``True``,
# the configuration will be "flipped" - the role will allow internal
# communication with FreeRADIUS from anywhere by default, and specifying IP
# addresses or subnets will restrict it to only these hosts/networks.
freeradius__accept_any: False
# ]]]
# .. envvar:: freeradius__allow [[[
#
# List of IP addresses or CIDR subnets which should be allowed to connect to
# internal FreeRADIUS service, defined on all hosts in the Ansible inventory.
freeradius__allow: []
# ]]]
# .. envvar:: freeradius__group_allow [[[
#
# List of IP addresses or CIDR subnets which should be allowed to connect to
# internal FreeRADIUS service, defined on hosts in a specific Ansible inventory
# group.
freeradius__group_allow: []
# ]]]
# .. envvar:: freeradius__host_allow [[[
#
# List of IP addresses or CIDR subnets which should be allowed to connect to
# internal FreeRADIUS service, defined on specific hosts in the Ansible
# inventory.
freeradius__host_allow: []
# ]]]
# ]]]
# Public firewall and ports [[[
# -----------------------------
# These variables define the firewall configuration for public FreeRADIUS
# services, like DHCP, intended for client endpoints.
# .. envvar:: freeradius__public_ports [[[
#
# List of TCP/UDP ports for public communication which will be managed on all
# hosts in the Ansible inventory.
freeradius__public_ports: []
# ]]]
# .. envvar:: freeradius__public_group_ports [[[
#
# List of TCP/UDP ports for public communication which will be managed on hosts
# in a specific Ansible inventory group.
freeradius__public_group_ports: []
# ]]]
# .. envvar:: freeradius__public_host_ports [[[
#
# List of TCP/UDP ports for public communication which will be managed on
# specific hosts in the Ansible inventory.
freeradius__public_host_ports: []
# ]]]
# .. envvar:: freeradius__public_accept_any [[[
#
# By default, if public TCP/UDP ports are specified, the firewall will accept
# connections from any IP addresses or CIDR subnets to these ports, and
# specifying hosts/networks in ``freeradius__public_*_allow`` variables will
# restrict the connections to only these IP addresses/subnets. If this variable
# is set to ``False``, the configuration will be "flipped" - the role will not
# allow connections from anywhere to specified TCP/UDP ports, and you will need
# to specify IP addresses/subnets that are allowed to connect.
freeradius__public_accept_any: True
# ]]]
# .. envvar:: freeradius__public_allow [[[
#
# List of IP addresses or CIDR subnets which should be allowed to connect to
# public FreeRADIUS service, defined on all hosts in the Ansible inventory.
freeradius__public_allow: []
# ]]]
# .. envvar:: freeradius__public_group_allow [[[
#
# List of IP addresses or CIDR subnets which should be allowed to connect to
# public FreeRADIUS service, defined on hosts in a specific Ansible inventory
# group.
freeradius__public_group_allow: []
# ]]]
# .. envvar:: freeradius__public_host_allow [[[
#
# List of IP addresses or CIDR subnets which should be allowed to connect to
# public FreeRADIUS service, defined on specific hosts in the Ansible
# inventory.
freeradius__public_host_allow: []
# ]]]
# ]]]
# FreeRADIUS configuration files [[[
# ----------------------------------
# These variables define the contents of the FreeRADIUS configuration files
# located in :file:`/etc/freeradius/` directory.
# See :ref:`freeradius__ref_configuration` for more details.
# .. envvar:: freeradius__default_configuration [[[
#
# The default FreeRADIUS configuration defined by the role.
freeradius__default_configuration:
# Enable FreeRADIUS control socket for the 'radmin' command to work correctly
- name: 'sites-enabled/control-socket'
link_src: '../sites-available/control-socket'
# ]]]
# .. envvar:: freeradius__configuration [[[
#
# Definition of FreeRADIUS configuration which should be managed on all hosts
# in the Ansible inventory.
freeradius__configuration: []
# ]]]
# .. envvar:: freeradius__group_configuration [[[
#
# Definition of FreeRADIUS configuration which should be managed on hosts
# in a specific Ansible inventory group.
freeradius__group_configuration: []
# ]]]
# .. envvar:: freeradius__host_configuration [[[
#
# Definition of FreeRADIUS configuration which should be managed on specific
# hosts in the Ansible inventory.
freeradius__host_configuration: []
# ]]]
# .. envvar:: freeradius__combined_configuration [[[
#
# The variable that combines all of the FreeRADIUS configuration lists and is
# used in the role tasks and templates.
freeradius__combined_configuration: '{{ freeradius__default_configuration
+ freeradius__configuration
+ freeradius__group_configuration
+ freeradius__host_configuration }}'
# ]]]
# ]]]
# Configuration for other Ansible roles [[[
# -----------------------------------------
# .. envvar:: freeradius__ferm__dependent_rules [[[
#
# Configuration for the :ref:`debops.ferm` Ansible role.
freeradius__ferm__dependent_rules:
- type: 'accept'
dport: '{{ freeradius__default_ports
+ freeradius__ports
+ freeradius__group_ports
+ freeradius__host_ports }}'
saddr: '{{ freeradius__allow
+ freeradius__group_allow
+ freeradius__host_allow }}'
protocols: [ 'tcp', 'udp' ]
accept_any: '{{ freeradius__accept_any }}'
weight: '50'
by_role: 'debops.freeradius'
name: 'radius_internal'
multiport: True
- type: 'accept'
dport: '{{ freeradius__public_ports
+ freeradius__public_group_ports
+ freeradius__public_host_ports }}'
saddr: '{{ freeradius__public_allow
+ freeradius__public_group_allow
+ freeradius__public_host_allow }}'
protocols: [ 'tcp', 'udp' ]
accept_any: '{{ freeradius__public_accept_any }}'
weight: '50'
by_role: 'debops.freeradius'
name: 'radius_public'
multiport: True
rule_state: '{{ "present"
if (freeradius__public_ports
+ freeradius__public_group_ports
+ freeradius__public_host_ports)
else "absent" }}'
# ]]]
# .. envvar:: freeradius__logrotate__dependent_config [[[
#
# Configuration for the :ref:`debops.logrotate` Ansible role.
freeradius__logrotate__dependent_config:
- filename: 'freeradius'
divert: True
log: '/var/log/freeradius/radius.log'
comment: 'The main server log'
options: |
daily
rotate 52
missingok
compress
delaycompress
notifempty
copytruncate
state: 'present'
- filename: 'freeradius-monitor'
logs:
- '/var/log/freeradius/checkrad.log'
- '/var/log/freeradius/radwatch.log'
comment: 'Session monitoring utilities'
options: |
daily
rotate 52
missingok
compress
delaycompress
notifempty
nocreate
state: 'present'
- filename: 'freeradius-session'
logs:
- '/var/log/freeradius/radutmp'
- '/var/log/freeradius/radwtmp'
comment: 'Session database modules'
options: |
daily
rotate 52
missingok
compress
delaycompress
notifempty
nocreate
state: 'present'
- filename: 'freeradius-sql'
log: '/var/log/freeradius/sqllog.sql'
comment: 'SQL log files'
options: |
daily
rotate 52
missingok
compress
delaycompress
notifempty
nocreate
state: 'present'
- filename: 'freeradius-detail'
log: '/var/log/freeradius/radacct/*/detail'
comment: |
There are different detail-rotating strategies you can use. One is
to write to a single detail file per IP and use the rotate config
below. Another is to write to a daily detail file per IP with:
detailfile = ${radacctdir}/%{Client-IP-Address}/%Y%m%d-detail
(or similar) in radiusd.conf, without rotation. If you go with the
second technique, you will need another cron job that removes old
detail files. You do not need to comment out the below for method #2.
options: |
weekly
rotate 260
missingok
compress
delaycompress
notifempty
nocreate
state: 'present'
# ]]]
# ]]]


@ -0,0 +1,31 @@
---
# Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
# Copyright (C) 2018 DebOps <https://debops.org/>
# SPDX-License-Identifier: GPL-3.0-only
# Ensure that custom Ansible plugins and modules included in the main DebOps
# collection are available to roles in other collections.
collections: [ 'debops.debops' ]
dependencies: []
galaxy_info:
author: 'Maciej Delmanowski'
description: 'Install and configure FreeRADIUS'
company: 'DebOps'
license: 'GPL-3.0-only'
min_ansible_version: '2.6.0'
platforms:
- name: Ubuntu
versions:
- bionic
- name: Debian
versions:
- stretch
- buster
galaxy_tags:
- radius
- authentication
- authorization
- networking


@ -0,0 +1,132 @@
---
# Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
# Copyright (C) 2018 DebOps <https://debops.org/>
# SPDX-License-Identifier: GPL-3.0-only
- name: Import custom Ansible plugins
ansible.builtin.import_role:
name: 'ansible_plugins'
- name: Import DebOps global handlers
ansible.builtin.import_role:
name: 'global_handlers'
- name: Import DebOps secret role
ansible.builtin.import_role:
name: 'secret'
- name: Install FreeRADIUS packages
ansible.builtin.package:
name: '{{ item }}'
state: 'present'
loop: '{{ q("flattened", freeradius__base_packages
+ freeradius__packages) }}'
register: freeradius__register_packages
until: freeradius__register_packages is succeeded
- name: Enable FreeRADIUS service in systemd to start at boot time
ansible.builtin.systemd:
name: 'freeradius.service'
enabled: True
when: ansible_service_mgr == 'systemd'
- name: Make sure that Ansible local facts directory exists
ansible.builtin.file:
path: '/etc/ansible/facts.d'
state: 'directory'
owner: 'root'
group: 'root'
mode: '0755'
- name: Save FreeRADIUS local facts
ansible.builtin.template:
src: 'etc/ansible/facts.d/freeradius.fact.j2'
dest: '/etc/ansible/facts.d/freeradius.fact'
owner: 'root'
group: 'root'
mode: '0755'
notify: [ 'Refresh host facts' ]
tags: [ 'meta::facts' ]
- name: Update Ansible facts if they were modified
ansible.builtin.meta: 'flush_handlers'
- name: Get list of FreeRADIUS Conffiles
ansible.builtin.command: cat /var/lib/dpkg/info/freeradius-config.conffiles
register: freeradius__register_conffiles
changed_when: False
check_mode: False
- name: Add/remove diversion of FreeRADIUS configuration files
vars:
freeradius__var_divert_path: '{{ freeradius__conf_base_path + "/" + (item.filename | d(item.name)) }}'
freeradius__var_divert_divert: '{{ freeradius__conf_base_path + "/"
+ (item.divert_filename
| d((((item.filename | d(item.name)) | dirname + "/.")
if ((item.filename | d(item.name)) | dirname) else ".")
+ (item.filename | d(item.name)) | basename + ".dpkg-divert")) }}'
debops.debops.dpkg_divert:
path: '{{ freeradius__var_divert_path }}'
divert: '{{ freeradius__var_divert_divert }}'
state: '{{ item.state | d("present") }}'
delete: True
loop: '{{ freeradius__combined_configuration | debops.debops.parse_kv_items }}'
loop_control:
label: '{{ {"path": freeradius__var_divert_path,
"divert": freeradius__var_divert_divert,
"state": item.state | d("present")} }}'
notify: [ 'Check freeradius configuration and restart' ]
when: (item.name | d() and item.divert | d(False) | bool and
item.state | d('present') in ['present', 'absent'])
no_log: '{{ debops__no_log | d(item.no_log) | d(False) }}'
- name: Create missing configuration directories
ansible.builtin.file:
path: '{{ (freeradius__conf_base_path + "/" + (item.filename | d(item.name))) | dirname }}'
state: 'directory'
owner: '{{ freeradius__user }}'
group: '{{ freeradius__group }}'
mode: '0755'
with_items: '{{ freeradius__combined_configuration | debops.debops.parse_kv_items }}'
loop_control:
label: '{{ {"path": ((freeradius__conf_base_path + "/" + (item.filename | d(item.name))) | dirname)} }}'
when: (item.name | d() and item.state | d('present') not in ['absent', 'ignore', 'init'] and
(item.link_src | d() or item.options | d() or item.raw | d()))
no_log: '{{ debops__no_log | d(item.no_log) | d(False) }}'
- name: Generate FreeRADIUS configuration files
ansible.builtin.template:
src: 'etc/freeradius/template.conf.j2'
dest: '{{ freeradius__conf_base_path + "/" + (item.filename | d(item.name)) }}'
owner: '{{ item.owner | d(freeradius__user) }}'
group: '{{ item.group | d(freeradius__group) }}'
mode: '{{ item.mode | d("0640") }}'
with_items: '{{ freeradius__combined_configuration | debops.debops.parse_kv_items }}'
notify: [ 'Check freeradius configuration and restart' ]
when: (item.name | d() and item.state | d('present') not in ['absent', 'ignore', 'init'] and
not item.link_src | d() and (item.options | d() or item.raw | d()))
no_log: '{{ debops__no_log | d(item.no_log) | d(False) }}'
- name: Create configuration file symlinks
ansible.builtin.file:
dest: '{{ freeradius__conf_base_path + "/" + (item.filename | d(item.name)) }}'
src: '{{ item.link_src }}'
state: 'link'
owner: '{{ item.owner | d(freeradius__user) }}'
group: '{{ item.group | d(freeradius__group) }}'
mode: '{{ item.mode | d("0640") }}'
with_items: '{{ freeradius__combined_configuration | debops.debops.parse_kv_items }}'
notify: [ 'Check freeradius configuration and restart' ]
when: (item.name | d() and item.state | d('present') not in ['absent', 'ignore', 'init'] and
item.link_src | d())
no_log: '{{ debops__no_log | d(item.no_log) | d(False) }}'
- name: Remove FreeRADIUS configuration files
ansible.builtin.file:
dest: '{{ freeradius__conf_base_path + "/" + (item.filename | d(item.name)) }}'
state: 'absent'
with_items: '{{ freeradius__combined_configuration | debops.debops.parse_kv_items }}'
notify: [ 'Check freeradius configuration and restart' ]
when: (item.name | d() and not item.divert | d(False) | bool and
item.state | d('present') == 'absent')
no_log: '{{ debops__no_log | d(item.no_log) | d(False) }}'


@ -0,0 +1,33 @@
#!{{ ansible_python['executable'] }}
# -*- coding: utf-8 -*-
# Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
# Copyright (C) 2018 DebOps <https://debops.org/>
# SPDX-License-Identifier: GPL-3.0-only
# {{ ansible_managed }}
from __future__ import print_function
from json import dumps
import subprocess
import os
def cmd_exists(cmd):
return any(
os.access(os.path.join(path, cmd), os.X_OK)
for path in os.environ["PATH"].split(os.pathsep)
)
output = {'installed': cmd_exists('freeradius')}
try:
version_stdout = subprocess.check_output(
["dpkg-query", "-W", "-f=${Version}",
"freeradius"]).decode('utf-8').split('+')[0]
output['version'] = version_stdout
except Exception:
pass
print(dumps(output, sort_keys=True, indent=4))


@ -0,0 +1,34 @@
{# Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
# Copyright (C) 2018 DebOps <https://debops.org/>
# SPDX-License-Identifier: GPL-3.0-only
#}
# {{ ansible_managed }}
{% if item.comment | d() %}
{{ item.comment | regex_replace('\n$','') | comment(prefix='', postfix='') -}}
{% endif %}
{% if item.raw | d() %}
{{ item.raw -}}
{% elif item.options | d() %}
{% for element in item.options %}
{% if element.name | d() and element.state | d('present') not in [ 'absent', 'ignore' ] %}
{% if element.comment | d() %}
{{ element.comment | regex_replace('\n$','') | comment(prefix=('\n' if not loop.first else ''), postfix='') -}}
{% endif %}
{% if element.raw | d() %}
{% if not loop.last %}
{{ element.raw }}
{% else %}
{{ element.raw -}}
{% endif %}
{% elif element.value | d() %}
{% if not loop.last %}
{{ '{} = {}'.format(element.name, element.value) }}
{% else %}
{{ '{} = {}'.format(element.name, element.value) -}}
{% endif %}
{% endif %}
{% endif %}
{% endfor %}
{% endif %}