Update module

main.tf

@@ -33,7 +33,7 @@ resource "unifi_port_profile" "port_profiles" {
   stormctrl_ucast_level          = each.value.stormctrl_ucast_level
   stormctrl_ucast_rate           = each.value.stormctrl_ucast_rate
   stp_port_mode                  = each.value.stp_port_mode
-  tagged_networkconf_ids         = each.value.tagged_networkconf_ids
+  tagged_vlan_mgmt               = each.value.tagged_vlan_mgmt
   voice_networkconf_id           = each.value.voice_networkconf_id
 
   site = var.site

modules/config/main.tf

@@ -22,6 +22,10 @@ resource "ssh_resource" "default" {
     }
   }
 
+  commands = var.commands
+
+  commands_after_file_changes = var.commands_after_file_changes
+
   // commands = [
   //   "/tmp/hello.sh"
   // ]

modules/config/variables.tf

@@ -5,6 +5,20 @@ variable "create_parents" {
   nullable    = false
 }
 
+variable "commands" {
+  description = "Commands to run on the server."
+  type        = list(string)
+  default     = []
+  nullable    = false
+}
+
+variable "commands_after_file_changes" {
+  description = "Commands to run when the files change."
+  type        = bool
+  default     = false
+  nullable    = false
+}
+
 variable "files" {
   description = "Configuration files to upload to the server."
   type = list(object({

modules/package/variables.tf

@@ -21,7 +21,6 @@ variable "ssh" {
     port        = number
     username    = string
     private_key = string
-    private_key = string
   })
   description = "The SSH connection details."
   nullable    = false

modules/wpa-supplicant/locals.tf

@@ -1,4 +1,55 @@
 locals {
+
+  data_dir    = "/data/wpa_supplicant"
+  conf_dir    = "/etc/wpa_supplicant/conf"
+  service_dir = "/etc/systemd/system/wpa_supplicant.service.d"
+
+  override_conf = "${local.service_dir}/override.conf"
+
+  onboot_dir = "/data/on_boot.d"
+
+  files = [
+    { # onboot -> /data/on_boot.d/0-att-bypass.sh
+      destination = "${local.data_dir}/0-att-bypass.sh"
+      content     = file("${path.module}/templates/0-att-bypass.sh")
+    },
+    { # onboot -> /etc/systemd/system/setup-att-bypass.service
+      destination = "${local.data_dir}/setup-att-bypass.service"
+      content     = file("${path.module}/templates/setup-att-bypass.service")
+    },
+    { # onboot -> /etc/systemd/system/wpa_supplicant.service.d/override.conf
+      destination = "${local.data_dir}/override.conf"
+      content     = templatefile("${path.module}/templates/override.conf", { wan_interface = var.wan_interface })
+    },
+    { # onboot -> /etc/wpa_supplicant/conf/wpa_supplicant.conf
+      destination = "${local.data_dir}/wpa_supplicant.conf"
+      content     = templatefile("${path.module}/templates/wpa_supplicant.conf", { mac_address = var.mac_address })
+    }, # onboot -> /etc/wpa_supplicant/conf/{CA.pem,Client.pem,PrivateKey.pem}
+    { destination = "${local.data_dir}/CA.pem", content = var.ca_cert },
+    { destination = "${local.data_dir}/Client.pem", content = var.client_cert },
+    { destination = "${local.data_dir}/PrivateKey.pem", content = var.private_key }
+  ]
+
+  destination_dirs = join(" ", [
+    local.onboot_dir,
+    local.conf_dir,
+    local.service_dir,
+    local.data_dir
+  ])
+
+  commands = [
+    "for d in ${local.destination_dirs}; do if [ ! -d $d ]; then mkdir -p $d; fi",
+    "for file in wpa_supplicant.conf CA.pem Client.pem PrivateKey.pem; do if [ ! -f ${local.conf_dir}/$file ]; then cp ${local.data_dir}/$file ${local.conf_dir}/$file; fi; done",
+    "if [ ! -f ${local.override_conf} ]; then cp ${local.data_dir}/override.conf ${local.service_dir}/override.conf; fi",
+    "if [ ! -f ${local.onboot_dir}/0-att-bypass.sh ]; then cp ${local.data_dir}/0-att-bypass.sh ${local.onboot_dir}/; fi",
+    "if [ ! -f /etc/systemd/system/setup-att-bypass.service ]; then cp ${local.data_dir}/setup-att-bypass.service /etc/systemd/system/setup-att-bypass.service; fi",
+    "systemctl daemon-reload",
+    "systemctl enable setup-att-bypass.service",
+    "systemctl start setup-att-bypass.service",
+    "systemctl enable wpa_supplicant.service",
+    "systemctl start wpa_supplicant.service"
+  ]
+
   packages = {
     libreadline8  = {}
     wpasupplicant = {}

modules/wpa-supplicant/main.tf

@@ -8,3 +8,34 @@ module "package" {
 
   ssh = var.ssh
 }
+
+module "config" {
+  source = "../config"
+
+  files = local.files
+
+  // commands_after_file_changes = [
+  //   "if [ ! -f /etc/wpa_supplicant/wpa_supplicant.conf ]; then cp ",
+  // ]
+
+  commands = local.commands
+
+  commands_after_file_changes = true
+
+  ssh = var.ssh
+
+  depends_on = [module.package]
+}
+
+# module "shell" {
+#   source = "../shell"
+#
+#   create = file("${path.module}/scripts/create.sh")
+#   read   = file("${path.module}/scripts/read.sh")
+#   update = file("${path.module}/scripts/update.sh")
+#   delete = file("${path.module}/scripts/delete.sh")
+#
+#   host     = var.ssh.host
+#   port     = var.ssh.port
+#   username = var.ssh.username
+# }

modules/wpa-supplicant/templates/0-att-bypass.sh

@@ -0,0 +1,34 @@
+#!/bin/bash
+# This script installs wpa_supplicant if it's not installed.
+
+DATA_DIR="/data/wpa_supplicant"
+CONF_DIR="/etc/wpa_supplicant/conf"
+
+if ! dpkg -l wpasupplicant | grep ii >/dev/null; then
+    apt update
+    apt install -y libreadline8 wpasupplicant
+fi
+
+for file in CA.pem Client.pem PrivateKey.pem wpa_supplicant.conf; do
+    if [ ! -f "${CONF_DIR}/${file}" ]; then
+        cp "${DATA_DIR}/${file}" "${CONF_DIR}"
+    fi
+done
+
+SERVICE_DIR=/etc/systemd/system/wpa_supplicant.service.d
+
+ONBOOT_DIR=/data/on_boot.d
+
+if [ ! -d "$ONBOOT_DIR" ]; then
+    mkdir -p ${ONBOOT_DIR}
+fi
+
+if [ ! -d "$SERVICE_DIR" ]; then
+    mkdir -p "${SERVICE_DIR}"
+fi
+
+cp "${DATA_DIR}"/override.conf "${SERVICE_DIR}/override.conf"
+
+systemctl daemon-reload
+systemctl enable wpa_supplicant.service
+systemctl restart wpa_supplicant.service

modules/wpa-supplicant/templates/override.conf

@@ -0,0 +1,12 @@
+[Unit]
+Description=WPA supplicant
+Before=network.target
+After=dbus.service
+Wants=network.target
+
+[Install]
+WantedBy=multi-user.target
+
+[Service]
+ExecStart=
+ExecStart=/sbin/wpa_supplicant -u -s -Dwired -i${wan_interface} -c/etc/wpa_supplicant/conf/wpa_supplicant.conf

modules/wpa-supplicant/templates/setup-att-bypass.service

@@ -0,0 +1,12 @@
+[Unit]
+Description=Setup ATT Bypass service
+Wants=network-online.target
+After=network-online.target
+
+[Service]
+Type=oneshot
+ExecStart=/data/on_boot.d/0-att-bypass.sh
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target

modules/wpa-supplicant/templates/wpa_supplicant.conf

@@ -0,0 +1,13 @@
+eapol_version=1
+ap_scan=0
+fast_reauth=1
+network={
+        ca_cert="/etc/wpa_supplicant/conf/CA.pem"
+        client_cert="/etc/wpa_supplicant/conf/Client.pem"
+        eap=TLS
+        eapol_flags=0
+        identity="${mac_address}" # Internet (ONT) interface MAC address must match this value
+        key_mgmt=IEEE8021X
+        phase1="allow_canned_success=1"
+        private_key="/etc/wpa_supplicant/conf/PrivateKey.pem"
+}

modules/wpa-supplicant/variables.tf

@@ -1,8 +1,39 @@
+variable "mac_address" {
+  type        = string
+  description = "The MAC address of the ONT Device."
+  nullable    = false
+}
+
+variable "wan_interface" {
+  type        = string
+  description = "The WAN interface."
+  nullable    = false
+}
+
+variable "ca_cert" {
+  description = "The CA certificate."
+  type        = string
+  nullable    = false
+}
+
+variable "client_cert" {
+  description = "The Client certificate."
+  type        = string
+  nullable    = false
+}
+
+variable "private_key" {
+  description = "Private key."
+  type        = string
+  nullable    = false
+}
+
 variable "ssh" {
   type = object({
-    host     = string
-    port     = number
-    username = string
+    host        = string
+    port        = number
+    username    = string
+    private_key = string
   })
   description = "The SSH connection details."
   nullable    = false

variables.tf

@@ -39,7 +39,7 @@ variable "port_profiles" {
     stormctrl_ucast_level          = optional(number)       # The unknown unicast Storm Control level for the port profile. Can be between 0 and 100.
     stormctrl_ucast_rate           = optional(number)       # The unknown unicast Storm Control rate for the port profile. Can be between 0 and 14880000.
     stp_port_mode                  = optional(bool)         # Enable spanning tree protocol on the port profile. Defaults to true.
-    tagged_networkconf_ids         = optional(list(string)) # The IDs of networks to tag traffic with for the port profile.
+    tagged_vlan_mgmt               = optional(string)       # The IDs of networks to tag traffic with for the port profile.
     voice_networkconf_id           = optional(string)       # The ID of network to use as the voice network on the port profile.
   }))
   description = "Port profiles to add to the network."
@@ -215,11 +215,25 @@ variable "settings" {
   nullable    = false
 }
 
+variable "wpa_supplicant" {
+  description = "WPA supplicant configuration (Optional)."
+  type = object({
+    mac_address = string
+    ca_cert     = string
+    client_cert = string
+    private_key = string
+  })
+  default  = null
+  nullable = true
+}
+
 variable "ssh" {
   type = object({
     host        = string
     port        = number
     username    = string
     private_key = string
   })
+  nullable = true
+  default = null
 }