From cf0217634b3abc5cdea16af231ee614457010f4b Mon Sep 17 00:00:00 2001 From: appkins Date: Wed, 31 Jul 2024 03:18:50 -0500 Subject: [PATCH] Update module --- main.tf | 2 +- modules/config/main.tf | 4 ++ modules/config/variables.tf | 14 +++++ modules/package/variables.tf | 1 - modules/wpa-supplicant/locals.tf | 51 +++++++++++++++++++ modules/wpa-supplicant/main.tf | 31 +++++++++++ .../wpa-supplicant/templates/0-att-bypass.sh | 34 +++++++++++++ .../wpa-supplicant/templates/override.conf | 12 +++++ .../templates/setup-att-bypass.service | 12 +++++ .../templates/wpa_supplicant.conf | 13 +++++ modules/wpa-supplicant/variables.tf | 37 ++++++++++++-- variables.tf | 16 +++++- 12 files changed, 221 insertions(+), 6 deletions(-) create mode 100644 modules/wpa-supplicant/templates/0-att-bypass.sh create mode 100644 modules/wpa-supplicant/templates/override.conf create mode 100644 modules/wpa-supplicant/templates/setup-att-bypass.service create mode 100644 modules/wpa-supplicant/templates/wpa_supplicant.conf diff --git a/main.tf b/main.tf index bc9a5a6..ebb0619 100644 --- a/main.tf +++ b/main.tf @@ -33,7 +33,7 @@ resource "unifi_port_profile" "port_profiles" { stormctrl_ucast_level = each.value.stormctrl_ucast_level stormctrl_ucast_rate = each.value.stormctrl_ucast_rate stp_port_mode = each.value.stp_port_mode - tagged_networkconf_ids = each.value.tagged_networkconf_ids + tagged_vlan_mgmt = each.value.tagged_vlan_mgmt voice_networkconf_id = each.value.voice_networkconf_id site = var.site diff --git a/modules/config/main.tf b/modules/config/main.tf index 5264d78..d883583 100644 --- a/modules/config/main.tf +++ b/modules/config/main.tf @@ -22,6 +22,10 @@ resource "ssh_resource" "default" { } } + commands = var.commands + + commands_after_file_changes = var.commands_after_file_changes + // commands = [ // "/tmp/hello.sh" // ] diff --git a/modules/config/variables.tf b/modules/config/variables.tf index 1755a4a..9ea3348 100644 --- a/modules/config/variables.tf 
+++ b/modules/config/variables.tf @@ -5,6 +5,20 @@ variable "create_parents" { nullable = false } +variable "commands" { + description = "Commands to run on the server." + type = list(string) + default = [] + nullable = false +} + +variable "commands_after_file_changes" { + description = "Commands to run when the files change." + type = bool + default = false + nullable = false +} + variable "files" { description = "Configuration files to upload to the server." type = list(object({ diff --git a/modules/package/variables.tf b/modules/package/variables.tf index f5f4d4e..4a03fcc 100644 --- a/modules/package/variables.tf +++ b/modules/package/variables.tf @@ -21,7 +21,6 @@ variable "ssh" { port = number username = string private_key = string - private_key = string }) description = "The SSH connection details." nullable = false diff --git a/modules/wpa-supplicant/locals.tf b/modules/wpa-supplicant/locals.tf index 20b884d..1cee0f6 100644 --- a/modules/wpa-supplicant/locals.tf +++ b/modules/wpa-supplicant/locals.tf 
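Review bot: `variable "commands_after_file_changes"` is typed `bool` but described as `"Commands to run when the files change."`, which reads as if it were a second list of commands; the description should say what the flag does, e.g. `description = "Re-run the commands list after any uploaded file changes (passed straight through to ssh_resource)."`. `variable "commands"` likewise deserves a sentence noting that the entries run over the SSH session as the connecting user, since the wpa-supplicant module in this same patch feeds it `systemctl` and copies into `/etc`, which only succeed when that user is root or equivalently privileged.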
@@ -1,4 +1,55 @@ locals { + + data_dir = "/data/wpa_supplicant" + conf_dir = "/etc/wpa_supplicant/conf" + service_dir = "/etc/systemd/system/wpa_supplicant.service.d" + + override_conf = "${local.service_dir}/override.conf" + + onboot_dir = "/data/on_boot.d" + + files = [ + { # onboot -> /data/on_boot.d/0-att-bypass.sh + destination = "${local.data_dir}/0-att-bypass.sh" + content = file("${path.module}/templates/0-att-bypass.sh") + }, + { # onboot -> /etc/systemd/system/setup-att-bypass.service + destination = "${local.data_dir}/setup-att-bypass.service" + content = file("${path.module}/templates/setup-att-bypass.service") + }, + { # onboot -> /etc/systemd/system/wpa_supplicant.service.d/override.conf + destination = "${local.data_dir}/override.conf" + content = templatefile("${path.module}/templates/override.conf", { wan_interface = var.wan_interface }) + }, + { # onboot -> /etc/wpa_supplicant/conf/wpa_supplicant.conf + destination = "${local.data_dir}/wpa_supplicant.conf" + content = templatefile("${path.module}/templates/wpa_supplicant.conf", { mac_address = var.mac_address }) + }, # onboot -> /etc/wpa_supplicant/conf/{CA.pem,Client.pem,PrivateKey.pem} + { destination = "${local.data_dir}/CA.pem", content = var.ca_cert }, + { destination = "${local.data_dir}/Client.pem", content = var.client_cert }, + { destination = "${local.data_dir}/PrivateKey.pem", content = var.private_key } + ] + + destination_dirs = join(" ", [ + local.onboot_dir, + local.conf_dir, + local.service_dir, + local.data_dir + ]) + + commands = [ + "for d in ${local.destination_dirs}; do if [ ! -d $d ]; then mkdir -p $d; fi", + "for file in wpa_supplicant.conf CA.pem Client.pem PrivateKey.pem; do if [ ! -f ${local.conf_dir}/$file ]; then cp ${local.data_dir}/$file ${local.conf_dir}/$file; fi; done", + "if [ ! -f ${local.override_conf} ]; then cp ${local.data_dir}/override.conf ${local.service_dir}/override.conf; fi", + "if [ ! 
-f ${local.onboot_dir}/0-att-bypass.sh ]; then cp ${local.data_dir}/0-att-bypass.sh ${local.onboot_dir}/; fi", + "if [ ! -f /etc/systemd/system/setup-att-bypass.service ]; then cp ${local.data_dir}/setup-att-bypass.service /etc/systemd/system/setup-att-bypass.service; fi", + "systemctl daemon-reload", + "systemctl enable setup-att-bypass.service", + "systemctl start setup-att-bypass.service", + "systemctl enable wpa_supplicant.service", + "systemctl start wpa_supplicant.service" + ] + packages = { libreadline8 = {} wpasupplicant = {} diff --git a/modules/wpa-supplicant/main.tf b/modules/wpa-supplicant/main.tf index 6fa2a48..42ad6aa 100644 --- a/modules/wpa-supplicant/main.tf +++ b/modules/wpa-supplicant/main.tf @@ -8,3 +8,34 @@ module "package" { ssh = var.ssh } + +module "config" { + source = "../config" + + files = local.files + + // commands_after_file_changes = [ + // "if [ ! -f /etc/wpa_supplicant/wpa_supplicant.conf ]; then cp ", + // ] + + commands = local.commands + + commands_after_file_changes = true + + ssh = var.ssh + + depends_on = [module.package] +} + +# module "shell" { +# source = "../shell" +# +# create = file("${path.module}/scripts/create.sh") +# read = file("${path.module}/scripts/read.sh") +# update = file("${path.module}/scripts/update.sh") +# delete = file("${path.module}/scripts/delete.sh") +# +# host = var.ssh.host +# port = var.ssh.port +# username = var.ssh.username +# } diff --git a/modules/wpa-supplicant/templates/0-att-bypass.sh b/modules/wpa-supplicant/templates/0-att-bypass.sh new file mode 100644 index 0000000..8eb1ac8 --- /dev/null +++ b/modules/wpa-supplicant/templates/0-att-bypass.sh 
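Review bot: The first entry of `commands` never closes its `for` loop — `"for d in ${local.destination_dirs}; do if [ ! -d $d ]; then mkdir -p $d; fi"` lacks the trailing `; done` that the second entry has, so the shell should reject it with a syntax error and the directory creation every later `cp` depends on will not run. The fix is `"for d in ${local.destination_dirs}; do if [ ! -d $d ]; then mkdir -p $d; fi; done",` (or simply `"mkdir -p ${local.destination_dirs}",`, since `mkdir -p` already tolerates existing directories). The same list copies `PrivateKey.pem` into `${local.conf_dir}` with whatever mode the upload left on it; a `"chmod 600 ${local.data_dir}/PrivateKey.pem ${local.conf_dir}/PrivateKey.pem",` entry after the copy loop keeps the key readable by root only. Every `cp` is also guarded by `! -f`, so a rotated certificate or edited template will not reach `/etc` on a later apply — if that is deliberate it deserves a comment above `commands`.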
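Review bot: The new `module "config"` block carries two stretches of commented-out code — the `// commands_after_file_changes = [ ... ]` list, which no longer matches the boolean `commands_after_file_changes = true` set a few lines below, and the whole `# module "shell"` block — and both should be removed or reduced to a one-line TODO naming what is still intended. `depends_on = [module.package]` is worth a why-comment such as `# wpasupplicant must be installed before the systemctl entries in local.commands run`, because the ordering is otherwise only implied by the command list in locals.tf.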
@@ -0,0 +1,34 @@ +#!/bin/bash +# This script installs wpa_supplicant if it's not installed. + +DATA_DIR="/data/wpa_supplicant" +CONF_DIR="/etc/wpa_supplicant/conf" + +if ! dpkg -l wpasupplicant | grep ii >/dev/null; then + apt update + apt install -y libreadline8 wpasupplicant +fi + +for file in CA.pem Client.pem PrivateKey.pem wpa_supplicant.conf; do + if [ ! -f "${CONF_DIR}/${file}" ]; then + cp "${DATA_DIR}/${file}" "${CONF_DIR}" + fi +done + +SERVICE_DIR=/etc/systemd/system/wpa_supplicant.service.d + +ONBOOT_DIR=/data/on_boot.d + +if [ ! -d "$ONBOOT_DIR" ]; then + mkdir -p ${ONBOOT_DIR} +fi + +if [ ! -d "$SERVICE_DIR" ]; then + mkdir -p "${SERVICE_DIR}" +fi + +cp "${DATA_DIR}"/override.conf "${SERVICE_DIR}/override.conf" + +systemctl daemon-reload +systemctl enable wpa_supplicant.service +systemctl restart wpa_supplicant.service diff --git a/modules/wpa-supplicant/templates/override.conf b/modules/wpa-supplicant/templates/override.conf new file mode 100644 index 0000000..e6a5139 --- /dev/null +++ b/modules/wpa-supplicant/templates/override.conf @@ -0,0 +1,12 @@ +[Unit] +Description=WPA supplicant +Before=network.target +After=dbus.service +Wants=network.target + +[Install] +WantedBy=multi-user.target + +[Service] +ExecStart= +ExecStart=/sbin/wpa_supplicant -u -s -Dwired -i${wan_interface} -c/etc/wpa_supplicant/conf/wpa_supplicant.conf diff --git a/modules/wpa-supplicant/templates/setup-att-bypass.service b/modules/wpa-supplicant/templates/setup-att-bypass.service new file mode 100644 index 0000000..e3d9081 --- /dev/null +++ b/modules/wpa-supplicant/templates/setup-att-bypass.service @@ -0,0 +1,12 @@ +[Unit] +Description=Setup ATT Bypass service +Wants=network-online.target +After=network-online.target + +[Service] +Type=oneshot +ExecStart=/data/on_boot.d/0-att-bypass.sh +RemainAfterExit=yes + +[Install] +WantedBy=multi-user.target 
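Review bot: The installed-check `if ! dpkg -l wpasupplicant | grep ii >/dev/null; then` matches the substring `ii` anywhere in the `dpkg -l` output rather than the status column, so it silently depends on no version string or description ever containing `ii`; `if ! dpkg-query -W -f='${Status}' wpasupplicant 2>/dev/null | grep -q 'install ok installed'; then` tests the actual status field, and is safe to write here because locals.tf reads this file with `file()` rather than `templatefile()`, so `${Status}` is never seen by Terraform. The script has no `set -euo pipefail`, so a failed `apt install` or `cp` still falls through to `systemctl enable`/`restart` of a half-configured service; add `set -euo pipefail` directly after the shebang. The copy loop places `PrivateKey.pem` in `${CONF_DIR}` without tightening its mode, so `chmod 600 "${CONF_DIR}/PrivateKey.pem"` after the loop keeps the key readable by root only. The header comment undersells the script — it also stages certificates, installs the systemd drop-in and restarts the service — so `# Installs wpa_supplicant if missing, stages certs/config into CONF_DIR, installs the systemd override and restarts the service.` would be a truer summary.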
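Review bot: `ExecStart=/data/on_boot.d/0-att-bypass.sh` requires the script to carry the executable bit, and nothing visible in this patch sets it — the file is uploaded to `/data/wpa_supplicant` and then `cp`'d by `local.commands` in locals.tf, which carries over the source mode but never runs `chmod`. Unless the upload sets permissions on that file, systemd will fail the unit at exec time; adding `"chmod 755 ${local.onboot_dir}/0-att-bypass.sh",` to `local.commands` (or `ExecStart=/bin/bash /data/on_boot.d/0-att-bypass.sh` here) closes that gap. The unit orders itself `After=network-online.target` while the script it runs is what authenticates the WAN link, so on a host where that link is the only uplink the first run may be delayed or never triggered — worth confirming on the target device and recording in a comment on the `[Unit]` section.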
diff --git a/modules/wpa-supplicant/templates/wpa_supplicant.conf b/modules/wpa-supplicant/templates/wpa_supplicant.conf new file mode 100644 index 0000000..76d2bc2 --- /dev/null +++ b/modules/wpa-supplicant/templates/wpa_supplicant.conf @@ -0,0 +1,13 @@ +eapol_version=1 +ap_scan=0 +fast_reauth=1 +network={ + ca_cert="/etc/wpa_supplicant/conf/CA.pem" + client_cert="/etc/wpa_supplicant/conf/Client.pem" + eap=TLS + eapol_flags=0 + identity="${mac_address}" # Internet (ONT) interface MAC address must match this value + key_mgmt=IEEE8021X + phase1="allow_canned_success=1" + private_key="/etc/wpa_supplicant/conf/PrivateKey.pem" +} diff --git a/modules/wpa-supplicant/variables.tf b/modules/wpa-supplicant/variables.tf index c9eb32e..62fe39e 100644 --- a/modules/wpa-supplicant/variables.tf +++ b/modules/wpa-supplicant/variables.tf @@ -1,8 +1,39 @@ +variable "mac_address" { + type = string + description = "The MAC address of the ONT Device." + nullable = false +} + +variable "wan_interface" { + type = string + description = "The WAN interface." + nullable = false +} + +variable "ca_cert" { + description = "The CA certificate." + type = string + nullable = false +} + +variable "client_cert" { + description = "The Client certificate." + type = string + nullable = false +} + +variable "private_key" { + description = "Private key." + type = string + nullable = false +} + variable "ssh" { type = object({ - host = string - port = number - username = string + host = string + port = number + username = string + private_key = string }) description = "The SSH connection details." nullable = false diff --git a/variables.tf b/variables.tf index 77358a6..3777a8b 100644 --- a/variables.tf +++ b/variables.tf 
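Review bot: `phase1="allow_canned_success=1"` tells the supplicant to accept an EAP-Success from the authenticator even when the EAP-TLS method has not completed, a deliberate relaxation of the 802.1X exchange; a one-line comment stating why the upstream authenticator needs it (in the same style as the existing `identity` comment) would stop a future maintainer from removing it or copying it into other profiles. `identity="${mac_address}"` is substituted verbatim inside a quoted value, so a stray quote or newline in the variable breaks the whole `network` block; a `validation` block on the `mac_address` variable is the natural place to reject that. The three `.pem` paths are fixed to `/etc/wpa_supplicant/conf`, duplicating `local.conf_dir` from locals.tf; passing the directory into `templatefile` would keep the two from drifting apart.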
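Review bot: `variable "private_key"` is declared without `sensitive = true`, so the PEM key is printed in every plan and apply diff; add `sensitive   = true` to it, and consider the same for `client_cert` and for the `ssh` object that now carries an SSH `private_key` (the root `wpa_supplicant` object in variables.tf has the same gap). `sensitive` only redacts output — the values still land in state, so the state backend has to be treated as holding the key. `mac_address` is interpolated straight into `wpa_supplicant.conf` and has no `validation`, and the description `"Private key."` says neither the encoding nor which certificate it belongs to; the sketch below covers both, with the MAC pattern to be adjusted to whatever form the ONT expects.
```hcl
variable "mac_address" {
  type        = string
  description = "The MAC address of the ONT Device."
  nullable    = false
  validation {
    condition     = can(regex("^([0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}$", var.mac_address))
    error_message = "mac_address must be a colon- or dash-separated MAC address."
  }
}
# … unchanged: wan_interface, ca_cert, client_cert …
variable "private_key" {
  description = "PEM-encoded private key matching client_cert."
  type        = string
  sensitive   = true
  nullable    = false
}
```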
@@ -39,7 +39,7 @@ variable "port_profiles" { stormctrl_ucast_level = optional(number) # The unknown unicast Storm Control level for the port profile. Can be between 0 and 100. stormctrl_ucast_rate = optional(number) # The unknown unicast Storm Control rate for the port profile. Can be between 0 and 14880000. stp_port_mode = optional(bool) # Enable spanning tree protocol on the port profile. Defaults to true. - tagged_networkconf_ids = optional(list(string)) # The IDs of networks to tag traffic with for the port profile. + tagged_vlan_mgmt = optional(string) # The IDs of networks to tag traffic with for the port profile. voice_networkconf_id = optional(string) # The ID of network to use as the voice network on the port profile. })) description = "Port profiles to add to the network." @@ -215,6 +215,18 @@ variable "settings" { nullable = false } +variable "wpa_supplicant" { + description = "WPA supplicant configuration (Optional)." + type = object({ + mac_address = string + ca_cert = string + client_cert = string + private_key = string + }) + default = null + nullable = true +} + variable "ssh" { type = object({ host = string @@ -222,4 +234,6 @@ variable "ssh" { username = string private_key = string }) + nullable = true + default = null }
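Review bot: The comment on `tagged_vlan_mgmt = optional(string)` still reads `# The IDs of networks to tag traffic with for the port profile.`, which described the removed `list(string)` attribute; the new attribute is a single string (a tagging mode, if it mirrors the provider attribute of the same name), so the comment should say so, e.g. `# The tagged-VLAN management mode for the port profile (a single mode string, not a list of network IDs).` This hunk is the only place the rename is documented; the matching line in main.tf carries no comment.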
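Review bot: The new `wpa_supplicant` object carries `mac_address`, `ca_cert`, `client_cert` and `private_key` but no `wan_interface`, while the `wpa-supplicant` module in this same patch declares `wan_interface` as required and non-nullable; unless the root module supplies it from somewhere not shown here, the module cannot be instantiated from this variable alone. The description `"WPA supplicant configuration (Optional)."` should also say what disables the feature, e.g. `"WPA supplicant (802.1X) configuration; leave null to skip deploying the wpa-supplicant module."`, since `default = null` is currently the only signal.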
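Review bot: `ssh` becoming `nullable = true` / `default = null` conflicts with the `ssh` variables in `modules/package` and `modules/wpa-supplicant`, both visible in this patch and both declared `nullable = false`, so a null root value fails at plan time for every module call unless each call is guarded with `count`/`for_each` on `var.ssh != null` — that wiring is outside this patch and worth confirming. A why-comment on the two new lines, `# null disables every module that needs an SSH session to the gateway`, would record the intent.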