# Giving configuration update rights to wpa_cli
ctrl_interface=/run/wpa_supplicant
ctrl_interface_group=wheel
update_config=1

# AP scanning
ap_scan=1

# ISO/IEC alpha2 country code in which the device is operating
country=NL

{% set password_store_path = lookup('env', 'PASSWORD_STORE_DIR') or ansible_user_dir + '/.password-store/' %}
{% set wifi_pass_paths = query('fileglob', password_store_path + 'wifi/*.gpg') %}
{% set names = wifi_pass_paths | map('regex_replace', '^.+/wifi/(.+).gpg$', '\\1') | sort%}
{% for name in names %}
{#
community.general.passwordstore doesn't support path with spaces in it,
so we're using a `ssid` attribute, which default to the names for SSIDs without space.
#}
{% set suffixes = lookup('community.general.passwordstore', 'wifi/' + name + ' subkey=suffixes') or [''] %}
{% set ssid = lookup('community.general.passwordstore', 'wifi/' + name + ' subkey=ssid') or name %}
{% set type = lookup('community.general.passwordstore', 'wifi/' + name + ' subkey=type') or 'wpa' %}
{% set pass = lookup('community.general.passwordstore', 'wifi/' + name) %}
# {{ name }}
{% for suffix in suffixes %}
network={
    ssid="{{ ssid }}{{ suffix }}"
{% if type == 'wpa' %}
    psk="{{ pass }}"
{% elif type == 'wep' %}
    key_mgmt=NONE
    wep_key0={{ pass }}
{% elif type == 'open' %}
    key_mgmt=NONE
{% else %}
    # Error, unknown type: {{ type }}
{% endif %}
}
{% endfor %}

{% endfor %}
{# REFERENCES

# WPA
network={
    ssid="WPA_SSID"
    psk="XXXXXXXXXXXXXXXXXXXXXXXXXX"
}

# WEP
network={
    ssid="WEP_SSID"
    key_mgmt=NONE
    wep_key0=FFFFFFFFFFFFFFFFFFFFFFFFFF
}

# Open
network={
    ssid="OPEN_SSID"
    key_mgmt=NONE
}

# eduroam password
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="id@univ.tld"
    password="hunter2"
}

# eduroam certificate
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    # pairwise=CCMP
    pairwise=CCMP TKIP
    group=CCMP TKIP
    eap=TLS
    ca_cert="/path/to/ca.pem"
    identity="id@univ.tld"
    domain_suffix_match="wifi.univ.tld"
    client_cert="/path/to/cert.pem"
    private_key="/path/to/key.pem"
    private_key_passwd="hunter2"
    phase2="auth="
    #anonymous_identity=""
}

#}