---
# WPA-Enterprise (EAP-TLS) - (re-)enroll the client certificate
- name: Create private key for client certificate
  # Generated on the client itself; the key is never transferred - only the
  # CSR derived from it (next steps) is sent to the RADIUS host for signing.
  # The module creates the file with restrictive permissions by default
  # (0600) - confirm on the target if stricter handling is required.
  community.crypto.openssl_privatekey:
    path: "/etc/ssl/private/{{ wlan_ssid }}.key"

- name: Check if a certificate is already issued to client
  # Executes on the RADIUS host, but `ansible_hostname` is still templated from
  # the client: delegation changes where a task runs, not whose variables are
  # used. The result drives the conditional revocation below.
  delegate_to: radius_server
  ansible.builtin.stat:
    path: "/etc/freeradius/3.0/certs/issued/{{ ansible_hostname }}.crt"
  register: cert_already_issued

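- name: Revoke already existing client certificate
  # Re-enrollment replaces the client certificate, so the previous one is added
  # to the CA's CRL first and can no longer be used to authenticate.
  # NOTE(review): this only has effect if the RADIUS server is configured to
  # read this CRL - confirm on the FreeRADIUS side.
  community.crypto.x509_crl:
    path: "/etc/freeradius/3.0/certs/ca.crl"
    privatekey_path: "/etc/freeradius/3.0/certs/ca.key"
    privatekey_passphrase: "{{ wlan_eap_ca.password }}"
    # update: keep the entries already in the CRL and append this one.
    crl_mode: "update"
    issuer:
      C: "{{ wlan_eap_ca.C }}"
      ST: "{{ wlan_eap_ca.ST }}"
      L: "{{ wlan_eap_ca.L }}"
      O: "{{ wlan_eap_ca.O }}"
      emailAddress: "{{ wlan_eap_ca.emailAddress }}"
      CN: "{{ wlan_eap_ca.CN }}"
    last_update: "+0s"
    # NOTE(review): the CRL expires one year after the last enrollment. If no
    # client is (re-)enrolled within that time, a server that checks the CRL
    # will typically reject every client once it has lapsed - make sure the
    # CRL is refreshed independently of this role.
    next_update: "+365d"
    revoked_certificates:
      - path: "/etc/freeradius/3.0/certs/issued/{{ ansible_hostname }}.crt"
        # `iso8601` is a UTC fact; stripping the separators yields the ASN.1
        # GeneralizedTime form (YYYYMMDDHHMMSSZ) the module accepts. The
        # previously used `iso8601_basic_short` is local time, so appending
        # "Z" mislabelled it as UTC whenever the client is not on UTC.
        revocation_date: "{{ ansible_date_time.iso8601 | regex_replace('[-:T]', '') }}"
        reason: "unspecified"
  delegate_to: radius_server
  when: cert_already_issued.stat.exists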

- name: Create CSR for client certificate
  # Runs on the client against the local private key; only the resulting CSR
  # text (registered as `csr.csr`) is handed to the RADIUS host.
  # NOTE(review): no key usage / extended key usage is requested, so the
  # issued certificate carries only what the signing step applies by default;
  # consider `extended_key_usage: [clientAuth]` if the server enforces EKU.
  community.crypto.openssl_csr_pipe:
    privatekey_path: "/etc/ssl/private/{{ wlan_ssid }}.key"
    common_name: "{{ ansible_hostname }}"
    email_address: "{{ wlan_eap_ca.emailAddress }}"
    organization_name: "{{ wlan_eap_ca.O }}"
    locality_name: "{{ wlan_eap_ca.L }}"
    state_or_province_name: "{{ wlan_eap_ca.ST }}"
    country_name: "{{ wlan_eap_ca.C }}"
  register: csr

- name: Sign CSR on Radius
  # Signed on the RADIUS host with the EAP CA kept there; the CA key stays on
  # that host. The signed certificate is registered as `certificate.certificate`.
  # Client certificates are long-lived (5 years); the CRL step above is the
  # only way to cut one short before it expires.
  delegate_to: radius_server
  community.crypto.x509_certificate_pipe:
    provider: ownca
    csr_content: "{{ csr.csr }}"
    ownca_path: "/etc/freeradius/3.0/certs/ca.pem"
    ownca_privatekey_path: "/etc/freeradius/3.0/certs/ca.key"
    ownca_privatekey_passphrase: "{{ wlan_eap_ca.password }}"
    ownca_not_after: "+1825d"  # 5 years
  register: certificate

- name: Create issued-Notice folder on radius-server
  # Holds a copy of every issued client certificate, named after the client;
  # the stat/revoke steps above rely on it to find the previous certificate.
  delegate_to: radius_server
  ansible.builtin.file:
    path: "/etc/freeradius/3.0/certs/issued"
    state: directory
    mode: "0755"

- name: Copy client certificate to radius-server
  # Public certificate only, so world-readable is fine. This is the file the
  # next enrollment run stats and, when present, revokes.
  delegate_to: radius_server
  ansible.builtin.copy:
    content: "{{ certificate.certificate }}"
    dest: "/etc/freeradius/3.0/certs/issued/{{ ansible_hostname }}.crt"
    mode: "0644"

- name: Write certificate to client
  # The signed certificate for the key created in the first step; referenced by
  # the NetworkManager profile as 802-1x.client-cert.
  ansible.builtin.copy:
    content: "{{ certificate.certificate }}"
    dest: "/etc/ssl/certs/{{ wlan_ssid }}.crt"
    mode: "0644"

- name: Check if NetworkManager config exists {{ wlan_ssid }}
  # Selects between `nmcli c add` and `nmcli c modify` below. Assumes the
  # profile is stored as <con-name>.nmconnection; SSIDs containing characters
  # NetworkManager escapes in file names would not be matched - confirm.
  ansible.builtin.stat:
    path: "/etc/NetworkManager/system-connections/{{ wlan_ssid }}.nmconnection"
  register: nm_connection

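- name: Create or modify connection via nmcli {{ wlan_ssid }}
  # Folded scalar: the lines below are joined into one nmcli invocation. The
  # `modify` target is quoted like `con-name` further down, so an SSID that
  # contains spaces selects the existing profile instead of being split into
  # several arguments. `ifname` fails the task if no wl* interface exists.
  # NOTE(review): no 802-1x.ca-cert (or 802-1x.domain-suffix-match) is set, so
  # the client does not verify the RADIUS server's certificate chain; consider
  # distributing the CA certificate to the client and pinning it here.
  # NOTE(review): the key is written unencrypted in the first step, so
  # `private-key-password dummy` appears to be a placeholder NetworkManager
  # expects, not a secret - the key file's permissions are the real control.
  ansible.builtin.command: >
    nmcli c {% if nm_connection.stat.exists %} modify "{{ wlan_ssid }}" {% else %} add {% endif %}
    type wifi
    ifname {{ ansible_interfaces | select('search', 'wl.+') | first }}
    con-name "{{ wlan_ssid }}"
    connection.permissions ""
    802-11-wireless.ssid "{{ wlan_ssid }}"
    802-11-wireless-security.key-mgmt wpa-eap
    802-1x.eap tls
    802-1x.identity {{ ansible_hostname }}
    802-1x.client-cert /etc/ssl/certs/{{ wlan_ssid }}.crt
    802-1x.private-key /etc/ssl/private/{{ wlan_ssid }}.key
    802-1x.private-key-password dummy
  # Always reported as unchanged, even when the profile is created or altered;
  # the stat result above is the only hint whether it existed before this run.
  changed_when: false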

# Temporary fix for migrating from IWD to WPA-Supplicant - will be removed later
- name: Enable wpa-supplicant
  # Only the unit's enablement is changed; no `state:` is given, so the
  # running service is left as it is until the next boot.
  ansible.builtin.systemd:
    enabled: true
    name: wpa_supplicant.service

- name: Disable iwd
  # Counterpart of the step above: iwd is disabled for the next boot but not
  # stopped now (no `state:`), so the current connection is not interrupted.
  ansible.builtin.systemd:
    enabled: false
    name: iwd.service

- name: Remove deprecated NetworkManager config
  # No `marker` is given, so only the block wrapped in blockinfile's default
  # "ANSIBLE MANAGED BLOCK" markers is removed; the rest of the file is kept.
  ansible.builtin.blockinfile:
    state: absent
    path: "/etc/NetworkManager/NetworkManager.conf"