---
- name: Add buster-backports to apt sources
  apt_repository:
    repo: deb {{ debian_mirror }} buster-backports main
    state: present

- name: Pin freeradius from backports
  template:
    src: apt/preferences.d/freeradius_python3.j2
    dest: /etc/apt/preferences.d/freeradius_python3

- name: Install freeradius
  apt:
    update_cache: true
    install_recommends: false
    name:
      - freeradius
      - freeradius-common
      - freeradius-utils
      - freeradius-python3
      - libfreeradius3
  register: apt_result
  retries: 3
  until: apt_result is succeeded

- name: Deploy freeradius configuration
  template:
    src: "freeradius/3.0/{{ item }}.j2"
    dest: "/etc/freeradius/3.0/{{ item }}"
    owner: freerad
    group: freerad
    mode: '0640'
  loop:
    - radiusd.conf
    - clients.conf
    - sites-enabled/default
    - sites-enabled/inner-tunnel
    - mods-enabled/eap
    - mods-enabled/python3
  notify: Restart freeradius

- name: Bring auth.py from re2o
  file:
    src: /var/www/re2o/freeradius_utils/auth.py
    dest: /etc/freeradius/3.0/auth.py
    state: link
    force: true
  notify: Restart freeradius

- name: Ensure ${certdir}/letsencrypt directory exists
  file:
    path: /etc/freeradius/3.0/certs/letsencrypt
    state: directory
    recurse: true

- name: Symlink radius certificates
  file:
    src: /etc/letsencrypt/live/crans.org/{{ item }}
    dest: /etc/freeradius/3.0/certs/letsencrypt/{{ item }}
    state: link
    force: true
  loop:
    - fullchain.pem
    - privkey.pem

- name: Set permissions on certificates
  file:
    path: /etc/letsencrypt/{{ item }}
    group: freerad
    mode: '0755'
    recurse: true
  loop:
    - live
    - archive