# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+# shellcheck disable=SC1091 # somewhat dynamic
+
+set -e; . /usr/local/lib/bash-bear; set +e
-f=/usr/local/lib/bash-bear;test -r $f || { echo "error: $0 no $f" >&2;exit 1;}; . $f
usage() {
cat <<EOF
lanip=1
while getopts hm:t:yz opt; do
case $opt in
- h) usage ;;
+ h) usage 0 ;;
t)
case $2 in
2|3)
secrets=false
if [[ -e /root/router-secrets ]]; then
secrets=true
+ # shellcheck source=/p/router-secrets
source /root/router-secrets
fi
# doesn't go into the firmware. build new firmware if you want
# lots of upgrades. I think /tmp/opkg-lists is a pre openwrt 14 location.
f=(/var/opkg-lists/*)
- if ! (( $(date -r $f +%s) + 60*60*24 > $(date +%s) )); then
+ if ! (( $(date -r ${f[0]} +%s) + 60*60*24 > $(date +%s) )); then
if ! opkg update; then
echo "$0: warning: opkg update failed" >&2
fi
pmirror
fi
done
- if [[ $to_install ]]; then
+ if (( ${#to_install[@]} >= 1 )); then
opkg install ${to_install[@]}
fi
}
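Review bot: The changed `date -r ${f[0]}` still expands unquoted and does nothing for the no-match case: when `/var/opkg-lists/` is empty, `${f[0]}` is the literal glob (or empty under nullglob), `date -r` fails on stderr and the comparison silently degenerates to `86400 > now`, which forces the update only by accident. Make the empty list an explicit trigger instead: `if [[ ! -e ${f[0]} ]] || ! (( $(date -r "${f[0]}" +%s) + 60*60*24 > $(date +%s) )); then`. The `opkg install ${to_install[@]}` just below the other changed line should likewise be `opkg install "${to_install[@]}"`. The enclosing `case`/function opens before this hunk.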
ssid=${rssid[$h]}
fi
-: ${ssid:=librecmc}
+: "${ssid:=librecmc}"
if $secrets; then
key=${rkey[$h]}
fi
-: ${key:=pictionary49}
+: "${key:=pictionary49}"
mask=255.255.0.0
cidr=16
# option config /etc/openvpn/client.conf
# EOF
-wgip4=10.3.0.1/24
-wgip6=fdfd::1/64
+
wgport=26000
network_restart=false
v /etc/init.d/network reload
fi
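Review bot: The quoted default on the `key` line is still a hardcoded WPA passphrase: whenever `/root/router-secrets` is absent, `secrets` stays false and the AP is brought up with the built-in `pictionary49`, which ships in every copy of this script. Quoting it is fine, but the fallback should fail closed, `: "${key:?no wifi key: /root/router-secrets missing}"`, or if the lenient behaviour is intended, at least announce it with `echo "$0: warning: /root/router-secrets missing, using built-in default wifi key" >&2` next to it. The `if $secrets; then` that assigns `ssid` at the top of this hunk opens before it.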
-firewall-cedit() {
- if $client; then
- cedit wific /etc/config/firewall <<EOF
+### begin firewall edits ###
+if $client; then
+ cedit wific /etc/config/firewall <<EOF || firewall_restart=true
config zone
option name wwan
option input REJECT
option mtu_fix 1
option network wwan
EOF
- fi
+fi
- case $hostname in
- wrt)
- cedit host /etc/config/firewall <<EOF
+case $hostname in
+ wrt)
+ cedit host /etc/config/firewall <<EOF || firewall_restart=true
config redirect
option name ssh
option src wan
option dest_ip $l.3
option dest lan
EOF
- ;;
- cmc)
- cedit host /etc/config/firewall <<EOF
+ ;;
+ cmc)
+ cedit host /etc/config/firewall <<EOF || firewall_restart=true
config redirect
option name ssh
option src wan
option dest_ip $l.2
option dest lan
EOF
- ;;
- esac
+ ;;
+esac
+
+{
+ # shellcheck source=/p/c/cmc-firewall-data
+ . /root/cmc-firewall-data
+ # sets $http_ip
+ # shellcheck source=/p/c/cmc-firewall-data-http
+ . /root/cmc-firewall-data-http
+ cat <<EOF
+config redirect
+ option name http
+ option src wan
+ option src_dport 80
+ option dest lan
+ option dest_ip $l.$http_ip
+ option proto tcp
+config rule
+ option src wan
+ option target ACCEPT
+ option dest_port 80
+ option proto tcp
+
+config redirect
+ option name https
+ option src wan
+ option src_dport 443
+ option dest lan
+ option dest_ip $l.$http_ip
+ option proto tcp
+config rule
+ option src wan
+ option target ACCEPT
+ option dest_port 443
+ option proto tcp
- cedit /etc/config/firewall <<EOF
## begin no external dns for ziva
config rule
option src lan
option target ACCEPT
option dest_port 9091
-config redirect
- option name sshkd
- option src wan
- option src_dport 2202
- option dest_port 22
- option dest_ip $l.2
- option dest lan
-config rule
- option src wan
- option target ACCEPT
- option dest_port 2202
-
# was working on an openvpn server, didn't finish
# config redirect
# option name vpnkd
option dest_port 8989
-config redirect
- option name sshx2
- option src wan
- option src_dport 2205
- option dest_port 22
- option dest_ip $l.5
- option dest lan
-config rule
- option src wan
- option target ACCEPT
- option dest_port 2205
-
-config redirect
- option name sshx3
- option src wan
- option src_dport 2207
- option dest_port 22
- option dest_ip $l.7
- option dest lan
-config rule
- option src wan
- option target ACCEPT
- option dest_port 2207
-
-config redirect
- option name sshbb8
- option src wan
- option src_dport 2209
- option dest_port 22
- option dest_ip $l.32
- option dest lan
-config rule
- option src wan
- option target ACCEPT
- option dest_port 2209
-
-
-config redirect
- option name sshfrodo
- option src wan
- option src_dport 2234
- option dest_port 34
- option dest_ip $l.34
- option dest lan
-config rule
- option src wan
- option target ACCEPT
- option dest_port 2234
-
config redirect
option name icecast
option target ACCEPT
option dest_port 4533
-# So a client can just have i.b8.nz dns even when they
+# So a client can just have b8.nz dns even when they
# are on the lan.
#config redirect
# option name navidromelan
# option target ACCEPT
# option dest_port 8000
-config redirect
- option name http
- option src wan
- option src_dport 80
- option dest lan
- option dest_ip $l.7
- option proto tcp
-config rule
- option src wan
- option target ACCEPT
- option dest_port 80
- option proto tcp
-
-config redirect
- option name https
- option src wan
- option src_dport 443
- option dest lan
- option dest_ip $l.7
- option proto tcp
-config rule
- option src wan
- option target ACCEPT
- option dest_port 443
- option proto tcp
# config redirect
# option name httpskd8448
option family ipv6
EOF
-}
-firewall-cedit || firewall_restart=true
+} | cedit /etc/config/firewall || firewall_restart=true
+### end firewall edits ###
+
# firewall comment:
# not using and in newer wrt, fails, probably due to nonexistent file, error output
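Review bot: The new http/https block sources `/root/cmc-firewall-data` and `/root/cmc-firewall-data-http` inside the `{ … } | cedit` pipeline with no check that either file is readable or that `$http_ip` was set, and the script runs under `set +e` without `pipefail` (line 5), so a failed source is only a stderr message: the heredoc still emits `option dest_ip $l.` with an empty host part and `|| firewall_restart=true` only ever sees cedit's status. That fails open, because the two `config rule` entries with `src wan` and no `dest` are input rules for the router itself; if fw3 discards the malformed redirect but keeps them, ports 80/443 on the router (uhttpd/LuCI, if running) become reachable from WAN, and as I read the fw3 docs a `redirect` already accepts the forwarded traffic, so those two rules look unnecessary even on the happy path — confirm and drop them. For the data files, source and validate in the main shell before the `{`: `. /root/cmc-firewall-data && . /root/cmc-firewall-data-http || { echo "$0: error: cmc-firewall-data* unreadable" >&2; exit 1; }` followed by `: "${http_ip:?not set by /root/cmc-firewall-data-http}"`. As before, this block runs for every hostname, outside the `case $hostname` that scopes the per-host ssh redirects above it, but it now depends on cmc-named files, so the guard matters on the other hosts too.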
qname-minimisation: yes
rrset-roundrobin: yes
use-caps-for-id: yes
-do-ip6: no
+do-ip6: yes
private-domain: b8.nz
local-zone: "10.in-addr.arpa." transparent
access-control-view: 10.2.0.31/32 "youtube"
# order to be comprehensive
- cedit /etc/unbound/unbound_ext.conf <<EOF || unbound_restart=true
-$(. /root/ptr-data)
+ {
+ # shellcheck source=/p/c/ptr-data
+ . /root/ptr-data
+ cat <<EOF
local-data-ptr: "10.2.0.1 cmc.b8.nz"
# try global if no match in view
view-first: yes
EOF
+ } | cedit /etc/unbound/unbound_ext.conf || unbound_restart=true
if $unbound_restart; then
# so make sure we have this dir or else dnsmasq will fail
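Review bot: `. /root/ptr-data` on the new group's second line is sourced inside a pipeline stage, so with `set +e` in effect and no `pipefail` a missing or broken file only prints to stderr; cedit then receives just the `local-data-ptr`/`view-first` lines, rewrites `unbound_ext.conf` without the PTR records, and `unbound_restart` still only tracks cedit's status. The old `$(. /root/ptr-data)` substitution had the same blind spot, but since the group is new I'd put `[[ -r /root/ptr-data ]] || { echo "$0: error: no /root/ptr-data" >&2; exit 1; }` ahead of the `{` so the run stops instead of silently publishing a truncated resolver config. The surrounding block that sets `unbound_restart` continues past this hunk.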
# to start.
mkdir -p /mnt/usb/tftpboot
-cedit /etc/dnsmasq.conf <<EOF || dnsmasq_restart=true
+{
+ # generated with host-info-update
+ # shellcheck source=/p/c/dnsmasq-data
+ . /root/dnsmasq-data
+ cat <<EOF
# no dns
port=0
server=/b8.nz/#
ptr-record=1.0.2.10.in-addr.arpa.,cmc.b8.nz
-# generated with host-info-update
-$(. /root/dnsmasq-data)
# https://ret2got.wordpress.com/2018/01/19/how-your-ethereum-can-be-stolen-using-dns-rebinding/
stop-dns-rebind
# for debugging dhcp
#log-queries=extra
EOF
+} | cedit /etc/dnsmasq.conf || dnsmasq_restart=true
+
if $dnsmasq_restart && ! $dev2 && ! $ap; then