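---
# Tasks that install and configure a FreeRADIUS server under /etc/raddb.
# The "Restart freeradius" handler notified below is defined outside this file.

# state=latest upgrades both packages on every run. Use state=present or pin
# a version if upgrades of the authentication server should go through
# change control.
- name: Install radius server
  apt:
    name: "{{ item }}"
    state: latest
  tags: radius
  with_items:
    - freeradius
    - freeradius-ldap

# NOTE(review): no mode is set here, so the directories get the default mode.
# Consider an explicit restrictive mode if local users should not be able to
# list the certs directory.
- name: Create configuration directories
  file:
    path: "{{ item }}"
    state: directory
    owner: freerad
    group: freerad
  tags: radius
  with_items:
    - /etc/raddb
    - /etc/raddb/certs
    - /etc/raddb/modules
    - /etc/raddb/sites-enabled

# Generates a self-signed server certificate with an unencrypted key
# (-nodes). No CA chain backs it, so clients have to be configured to trust
# this exact certificate. "creates" stops later runs from regenerating the
# key pair, which also means nothing here renews the certificate when the
# 730 days are over.
- name: Ensure certificates are available
  command: >-
    openssl req -x509 -nodes -newkey rsa:2048
    -keyout /etc/raddb/certs/srv.key
    -out /etc/raddb/certs/srv.crt
    -days 730 -subj "/CN={{ ansible_fqdn }}"
  args:
    creates: /etc/raddb/certs/srv.crt
  tags: radius
  notify: Restart freeradius

# The key is written by the task above; restrict it to the service account.
# NOTE(review): until this task runs the key carries whatever mode
# openssl/umask gave it -- confirm that is never wider than owner-only.
- name: Ensure correct certificate permissions
  file:
    path: /etc/raddb/certs/srv.key
    owner: freerad
    mode: "0400"
  tags: radius
  notify: Restart freeradius

- name: Create DH parameters
  command: openssl dhparam -outform PEM -out {{ item }} 2048
  args:
    creates: "{{ item }}"
  tags: radius
  notify: Restart freeradius
  with_items:
    - /etc/raddb/certs/dh

- name: Set radiusd options
  copy:
    src: default/freeradius
    dest: /etc/default/freeradius
    owner: root
    group: root
    mode: "0644"
  tags: radius
  notify: Restart freeradius

# Files such as clients.conf, users and modules/ldap normally carry RADIUS
# shared secrets or directory credentials. Without an explicit mode the
# copies inherit the umask default and are typically world-readable, so the
# mode is fixed at root read/write plus read for the freerad group only.
- name: Configure radius server
  copy:
    src: "{{ item }}"
    dest: "/etc/{{ item }}"
    owner: root
    group: freerad
    mode: "0640"
  tags: radius
  notify: Restart freeradius
  with_items:
    - raddb/acct_users
    - raddb/attrs
    - raddb/attrs.access_challenge
    - raddb/attrs.access_reject
    - raddb/attrs.accounting_response
    - raddb/attrs.pre-proxy
    - raddb/clients.conf
    - raddb/dictionary
    - raddb/eap.conf
    - raddb/hints
    - raddb/huntgroups
    - raddb/ldap.attrmap
    - raddb/policy.conf
    - raddb/proxy.conf
    - raddb/radiusd.conf
    - raddb/preproxy_users
    - raddb/users
    - raddb/modules/acct_unique
    - raddb/modules/attr_filter
    - raddb/modules/chap
    - raddb/modules/detail
    - raddb/modules/digest
    - raddb/modules/exec
    - raddb/modules/expr
    - raddb/modules/expiration
    - raddb/modules/files
    - raddb/modules/ldap
    - raddb/modules/logintime
    - raddb/modules/mschap
    - raddb/modules/pap
    - raddb/modules/preprocess
    - raddb/modules/radutmp
    - raddb/modules/realm
    - raddb/modules/unix
    - raddb/sites-enabled/control-socket
    - raddb/sites-enabled/default
    - raddb/sites-enabled/inner-tunnel

- name: Start the radius server
  service:
    name: freeradius
    state: started
    enabled: true
  tags: radius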