Refactor lmn_wlan role

- Consolidate `lmn_wlan`, `lmn_wlan_nm`, and `lmn_wlan_8021x` into single `lmn_wlan` role. - Implement a check for the availability of the radius-server during the EAP-TLS rollout. - Enhance variable support with a standardized naming schema: - Mode selection via `wlan` variable (`none`, `psk`, `eap-tls`). - EAP-TLS CA configuration (CA information, email address, CA password). - Introduce a switch to force the (re-)issue of existing certificates. - PSK configuration through `wlan_ssid` and `wlan_password`. - Add a check to verify if the radius certificate is revoked. - Ensure required packages and services are only installed and configured if the `wifi` variable is set.
2025-03-20 16:37:04 +01:00 · 2025-03-20 16:37:04 +01:00 · a68aaeb81c
commit a68aaeb81c
parent 9f1c60eefd
9 changed files with 561 additions and 538 deletions
--- a/roles/lmn_wlan/defaults/main.yaml
+++ b/roles/lmn_wlan/defaults/main.yaml
@ -0,0 +1,13 @@
+---
+wlan: none
+wlan_force_issue: false
+wlan_ssid: "Linux-Wlan"
+wlan_password: "VerySecurePassw0rd"
+wlan_eap_ca:
+  C: "DE"
+  ST: "Baden-Wuerttemberg"
+  L: "Reutlingen"
+  O: "Linuxschule"
+  emailAddress: "admin@example.com"
+  CN: "Radius Certificate Authority"
+  password: "OtherVerySecurePassw0rd"
--- a/roles/lmn_wlan/tasks/eap-tls_check-certificate.yaml
+++ b/roles/lmn_wlan/tasks/eap-tls_check-certificate.yaml
@ -0,0 +1,53 @@
+---
+#  WPA-Enterprise (EAP-TLS) - Check if certificate needs to be re-enrolled
+- name: Check if certificate is already active on client
+  ansible.builtin.stat:
+    path: "/etc/ssl/certs/{{ wlan_ssid }}.crt"
+  register: cert_client_active
+
+- name: Extract serial from certificate
+  ansible.builtin.command: 'openssl x509 -noout -serial -in /etc/ssl/certs/{{ wlan_ssid }}.crt'
+  changed_when: false
+  register: cert_serial
+  when: cert_client_active.stat.exists
+
+- name: Download crl from radius-server
+  ansible.builtin.get_url:
+    force: true
+    mode: "0644"
+    url: "http://radius.steinbeis.schule/radius-ca.crl"
+    dest: /tmp/radius-ca.crl
+  when: cert_client_active.stat.exists
+
+- name: Get radius-server ca crl
+  community.crypto.x509_crl_info:
+    path: /tmp/radius-ca.crl
+    list_revoked_certificates: true
+  register: radius_crl
+  when: cert_client_active.stat.exists
+
+- name: Check if radius-server is reachable
+  ansible.builtin.command: echo "Test if radius-server is reachable"
+  delegate_to: radius_server
+  register: radius_reachable
+  changed_when: false
+  ignore_unreachable: true
+
+- name: Inform that radius_server is unreachable
+  ansible.builtin.debug:
+    msg:
+      - "Couldn't access radius_server. Possible reasons"
+      - "* server not reachable"
+      - "* no matching ssh-key"
+  changed_when: true
+  when: radius_reachable.unreachable is defined and radius_reachable.unreachable
+
+- name: Issue radius certificate
+  ansible.builtin.include_tasks: eap-tls_issue-certificate.yaml
+  when:
+  - radius_reachable.unreachable is not defined or not radius_reachable.unreachable
+  - |
+    ( not cert_client_active.stat.exists ) or
+    (cert_serial.stdout | replace('serial=','') | int(base=16) ) in ( radius_crl.revoked_certificates | map(attribute='serial_number') | list ) or
+    wlan_force_issue
+
--- a/roles/lmn_wlan/tasks/eap-tls_issue-certificate.yaml
+++ b/roles/lmn_wlan/tasks/eap-tls_issue-certificate.yaml
@ -0,0 +1,96 @@
+---
+#  WPA-Enterprise (EAP-TLS) - (re-)enroll certificate on client
+- name: Create private key for client certificate
+  community.crypto.openssl_privatekey:
+    path: /etc/ssl/private/{{ wlan_ssid }}.key
+
+- name: Check if a certificate is already issued to client
+  ansible.builtin.stat:
+    path: "/etc/freeradius/3.0/certs/issued/{{ ansible_hostname }}.crt"
+  register: cert_already_issued
+  delegate_to: radius_server
+
+- name: Revoke already existing client certificate
+  community.crypto.x509_crl:
+    path: "/etc/freeradius/3.0/certs/ca.crl"
+    privatekey_path: "/etc/freeradius/3.0/certs/ca.key"
+    privatekey_passphrase: "{{ wlan_eap_ca.password }}"
+    crl_mode: "update"
+    issuer:
+      C: "{{ wlan_eap_ca.C }}"
+      ST: "{{ wlan_eap_ca.ST }}"
+      L: "{{ wlan_eap_ca.L }}"
+      O: "{{ wlan_eap_ca.O }}"
+      emailAddress: "{{ wlan_eap_ca.emailAddress }}"
+      CN: "{{ wlan_eap_ca.CN }}"
+    last_update: "+0s"
+    next_update: "+365d"
+    revoked_certificates:
+      - path: "/etc/freeradius/3.0/certs/issued/{{ ansible_hostname }}.crt"
+        revocation_date: "{{ ansible_date_time.iso8601_basic_short | replace('T', '') }}Z"
+        reason: "unspecified"
+  delegate_to: radius_server
+  when: cert_already_issued.stat.exists
+
+- name: Create CSR for client certificate
+  community.crypto.openssl_csr_pipe:
+    common_name: "{{ ansible_hostname }}"
+    country_name: "{{ wlan_eap_ca.C }}"
+    state_or_province_name: "{{ wlan_eap_ca.ST }}"
+    locality_name: "{{ wlan_eap_ca.L }}"
+    organization_name: "{{ wlan_eap_ca.O }}"
+    privatekey_path: /etc/ssl/private/{{ wlan_ssid }}.key
+    email_address: "{{ wlan_eap_ca.emailAddress }}"
+  register: csr
+
+- name: Sign CSR on Radius
+  community.crypto.x509_certificate_pipe:
+    csr_content: "{{ csr.csr }}"
+    provider: ownca
+    ownca_path: /etc/freeradius/3.0/certs/ca.pem
+    ownca_privatekey_path: /etc/freeradius/3.0/certs/ca.key
+    ownca_privatekey_passphrase: "{{ wlan_eap_ca.password }}"
+    ownca_not_after: +1825d # 5 Years
+  delegate_to: radius_server
+  register: certificate
+
+- name: Create issued-Notice folder on radius-server
+  ansible.builtin.file:
+    dest: "/etc/freeradius/3.0/certs/issued"
+    state: directory
+    mode: '0755'
+  delegate_to: radius_server
+
+- name: Copy client certificate to radius-server
+  ansible.builtin.copy:
+    dest: "/etc/freeradius/3.0/certs/issued/{{ ansible_hostname }}.crt"
+    mode: "0644"
+    content: "{{ certificate.certificate }}"
+  delegate_to: radius_server
+
+- name: Write certificate to client
+  ansible.builtin.copy:
+    dest: /etc/ssl/certs/{{ wlan_ssid }}.crt
+    mode: '0644'
+    content: "{{ certificate.certificate }}"
+
+- name: Check if NetworkManager config exists {{ wlan_ssid }}
+  ansible.builtin.stat:
+    path: /etc/NetworkManager/system-connections/{{ wlan_ssid }}.nmconnection
+  register: nm_connection
+
+- name: Create or modify connection via nmcli {{ wlan_ssid }}
+  ansible.builtin.command: >
+    nmcli c {% if nm_connection.stat.exists %} modify {{ wlan_ssid }} {% else %} add {% endif %}
+    type wifi
+    ifname {{ ansible_interfaces | select('search', 'wl.+') | first }}
+    con-name "{{ wlan_ssid }}"
+    connection.permissions ""
+    802-11-wireless.ssid "{{ wlan_ssid }}"
+    802-11-wireless-security.key-mgmt wpa-eap
+    802-1x.eap tls
+    802-1x.identity {{ ansible_hostname }}
+    802-1x.client-cert /etc/ssl/certs/{{ wlan_ssid }}.crt
+    802-1x.private-key /etc/ssl/private/{{ wlan_ssid }}.key
+    802-1x.private-key-password dummy
+  changed_when: false
--- a/roles/lmn_wlan/tasks/main.yaml
+++ b/roles/lmn_wlan/tasks/main.yaml
@ -1,4 +1,5 @@
 ---
+# Setup requirements
 - name: Install packages related to wifi
  ansible.builtin.apt:
    name:
@ -28,3 +29,14 @@
    enabled: true
    daemon_reload: true
  when: "'teacherlaptop' not in group_names"
+
+# lmn_wlan - Initial configuration based on the WLAN variable
+# When WLAN type is set to PSK
+- name: Configure WPA-PSK
+  ansible.builtin.include_tasks: wpa-psk.yaml
+  when: wlan == 'psk'
+
+# When WLAN type is set to EAP-TLS (802.1x)
+- name: Configure WPA-Enterprise (EAP-TLS)
+  ansible.builtin.include_tasks: eap-tls_check-certificate.yaml
+  when: wlan == 'eap-tls'
--- a/roles/lmn_wlan/tasks/wpa-psk.yaml
+++ b/roles/lmn_wlan/tasks/wpa-psk.yaml
@ -0,0 +1,25 @@
+---
+# WPA-PSK - Configure SSID on client
+- name: Configure WLAN for devices
+  community.general.nmcli:
+    conn_name: "{{ wlan_ssid }}"
+    type: wifi
+    ssid: "{{ wlan_ssid }}"
+    ifname: "{{ ansible_interfaces | select('search', 'wl.+') | first }}"
+    wifi_sec:
+      key-mgmt: wpa-psk
+      psk: "{{ wlan_password }}"
+    autoconnect: true
+    state: present
+  when: |
+    not run_in_installer|default(false)|bool and
+    ansible_interfaces | select('search', 'wl.+') | first is defined
+
+- name: Provide WLAN config during installation
+  ansible.builtin.template:
+    src: ssid.nmconnection.j2
+    dest: "/etc/NetworkManager/system-connections/{{ wlan_ssid }}.nmconnection"
+    mode: '0600'
+  when: |
+    run_in_installer|default(false)|bool and
+    ansible_interfaces | select('search', 'wl.+') | first is defined
--- a/roles/lmn_wlan/templates/ssid.nmconnection.j2
+++ b/roles/lmn_wlan/templates/ssid.nmconnection.j2
@ -0,0 +1,21 @@
+[connection]
+id=FVS-devices
+type=wifi
+interface-name={{ ansible_interfaces | select('search', 'wl.+') | first }}
+
+[wifi]
+mode=infrastructure
+ssid=FVS-devices
+
+[wifi-security]
+key-mgmt=wpa-psk
+psk={{ wifipasswd }}
+
+[ipv4]
+method=auto
+
+[ipv6]
+addr-gen-mode=default
+method=auto
+
+[proxy]