nix: Wi-Fi configuration

It's, uh, a bit ugly.
But let's try to make it work for now, improve later.
Apparently my wpa_supplicant config file was visible for everyone
already, so that's not a regression :D

config/automatrop/roles/system/files/wpa_supplicant.service

@@ -1,3 +0,0 @@
-[Service]
-ExecStart=
-ExecStart=/usr/bin/wpa_supplicant -c/etc/wpa_supplicant/wpa_supplicant.conf -i%I

config/automatrop/roles/system/handlers/main.yaml

@@ -19,22 +19,6 @@
   listen: systemd changed
   become: yes
 
-- name: Restart wpa_supplicant
-  systemd:
-    name: "wpa_supplicant@{{ item }}"
-    state: restarted
-  become: yes
-  loop: "{{ ansible_interfaces }}"
-  when: "item.startswith('wl')"
-  listen: wpa_supplicant changed
-# Could probably use something better like
-# listing /sys/class/ieee80211/*/device/net/
-
-- name: Warn about changed Wi-Fi setup
-  debug:
-    msg: "The Wi-Fi configuration was changed, but not applied to let this playbook finish. A reboot is required."
-  listen: wifi setup changed
-
 - name: Warn about changed Panfrost config
   debug:
     msg: "The Panfrost display driver configuration was changed, but needs a reboot to be applied."

config/automatrop/roles/system/tasks/main.yml

@@ -79,75 +79,6 @@
 
 ### STOPPED HERE ###
 
-- name: Configure wpa_supplicant
-  template:
-    src: wpa_supplicant.conf.j2
-    dest: /etc/wpa_supplicant/wpa_supplicant.conf
-  notify:
-    - etc changed
-    - wpa_supplicant changed
-  become: yes
-  tags:
-    - wificonf
-
-- name: Prepare directory for wpa_supplicant service override
-  file:
-    path: /etc/systemd/system/wpa_supplicant@.service.d
-    state: directory
-    mode: "u=rwx,g=rx,o=rx"
-  become: yes
-
-- name: Make wpa_supplicant use a common configuration file
-  copy:
-    src: wpa_supplicant.service
-    dest: /etc/systemd/system/wpa_supplicant@.service.d/override.conf
-  become: yes
-  notify:
-    - etc changed
-    - systemd changed
-    - wifi setup changed
-
-- name: Disable wpa_supplicant for networkmanager
-  systemd:
-    name: wpa_supplicant
-    enabled: no
-  become: yes
-  notify:
-    - etc changed
-    - wifi setup changed
-
-- name: Start/enable wpa_supplicant for interface
-  systemd:
-    name: "wpa_supplicant@{{ item }}"
-    enabled: yes
-  become: yes
-  notify:
-    - etc changed
-    - wifi setup changed
-  loop: "{{ ansible_interfaces }}"
-  when: "item.startswith('wl')"
-# Could probably use something better like
-# listing /sys/class/ieee80211/*/device/net/
-
-- name: Uninstall networkmanager
-  pacman:
-    name: networkmanager
-    state: absent
-    extra_args: "--cascade --recursive"
-  when: arch_based
-  become: yes
-  notify:
-    - wifi setup changed
-
-- name: Mask systemd-networkd
-  systemd:
-    name: systemd-networkd
-    state: stopped
-    enabled: no
-    masked: yes
-  become: yes
-  notify: etc changed
-
 # Time synchronisation
 
 - name: Mask systemd-timesyncd

config/automatrop/roles/system/templates/wpa_supplicant.conf.j2

@@ -1,102 +0,0 @@
-# Giving configuration update rights to wpa_cli
-ctrl_interface=/run/wpa_supplicant
-ctrl_interface_group=wheel
-update_config=1
-
-# AP scanning
-ap_scan=1
-
-# ISO/IEC alpha2 country code in which the device is operating
-country=NL
-
-{% set password_store_path = lookup('env', 'PASSWORD_STORE_DIR') or ansible_user_dir + '/.password-store/' %}
-{% set wifi_pass_paths = query('fileglob', password_store_path + 'wifi/*.gpg') %}
-{% set names = wifi_pass_paths | map('regex_replace', '^.+/wifi/(.+).gpg$', '\\1') | sort%}
-{% for name in names %}
-{#
-community.general.passwordstore doesn't support path with spaces in it,
-so we're using a `ssid` attribute, which default to the names for SSIDs without space.
-#}
-{% set suffixes = lookup('community.general.passwordstore', 'wifi/' + name + ' subkey=suffixes') or [''] %}
-{% set ssid = lookup('community.general.passwordstore', 'wifi/' + name + ' subkey=ssid') or name %}
-{% set type = lookup('community.general.passwordstore', 'wifi/' + name + ' subkey=type') or 'wpa' %}
-{% if type in ('wpa', 'wep', 'wpa-eap') %}
-{% set pass = lookup('community.general.passwordstore', 'wifi/' + name) %}
-{% else %}
-{% set pass = 'Error, no pass for type ' + type %}
-{% endif %}
-# {{ name }}
-{% for suffix in suffixes %}
-network={
-    ssid="{{ ssid }}{{ suffix }}"
-{% if type == 'wpa' %}
-    psk="{{ pass }}"
-{% elif type == 'wep' %}
-    key_mgmt=NONE
-    wep_key0={{ pass }}
-{% elif type == 'wpa-eap' %}
-    key_mgmt=WPA-EAP
-    eap={{ lookup('community.general.passwordstore', 'wifi/' + name + ' subkey=eap') }}
-    identity="{{ lookup('community.general.passwordstore', 'wifi/' + name + ' subkey=identity') }}"
-    password="{{ pass }}"
-    ca_cert="{{ lookup('community.general.passwordstore', 'wifi/' + name + ' subkey=ca_cert') }}"
-    altsubject_match="{{ lookup('community.general.passwordstore', 'wifi/' + name + ' subkey=altsubject_match') }}"
-    phase2="{{ lookup('community.general.passwordstore', 'wifi/' + name + ' subkey=phase2') }}"
-{% elif type == 'open' %}
-    key_mgmt=NONE
-{% else %}
-    # Error, unknown type: {{ type }}
-{% endif %}
-}
-{% endfor %}
-
-{% endfor %}
-{# REFERENCES
-
-# WPA
-network={
-    ssid="WPA_SSID"
-    psk="XXXXXXXXXXXXXXXXXXXXXXXXXX"
-}
-
-# WEP
-network={
-    ssid="WEP_SSID"
-    key_mgmt=NONE
-    wep_key0=FFFFFFFFFFFFFFFFFFFFFFFFFF
-}
-
-# Open
-network={
-    ssid="OPEN_SSID"
-    key_mgmt=NONE
-}
-
-# eduroam password
-network={
-    ssid="eduroam"
-    key_mgmt=WPA-EAP
-    eap=PEAP
-    identity="id@univ.tld"
-    password="hunter2"
-}
-
-# eduroam certificate
-network={
-    ssid="eduroam"
-    key_mgmt=WPA-EAP
-    # pairwise=CCMP
-    pairwise=CCMP TKIP
-    group=CCMP TKIP
-    eap=TLS
-    ca_cert="/path/to/ca.pem"
-    identity="id@univ.tld"
-    domain_suffix_match="wifi.univ.tld"
-    client_cert="/path/to/cert.pem"
-    private_key="/path/to/key.pem"
-    private_key_passwd="hunter2"
-    phase2="auth="
-    #anonymous_identity=""
-}
-
-#}