# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
-set -eE -o pipefail
-trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR
+set -e; . /usr/local/lib/bash-bear; set +e
usage() {
dev2=false
test=false
client=false
+ap=false
libremanage_host=wrt2
lanip=1
while getopts hm:t:yz opt; do
case $opt in
- h) usage ;;
+ h) usage 0 ;;
t)
case $2 in
2|3)
client)
client=true
;;
+ ap)
+ ap=true
+ lanip=53
+ hostname=cmcap
+ ;;
*) echo "$0: unexpected arg to -t: $*" >&2; usage 1 ;;
esac
;;
if [[ $1 ]]; then
h=$1
- hostname=$h
+elif [[ $hostname ]]; then
+ h=$hostname
else
h=cmc
+fi
+
+if [[ ! $hostname ]]; then
hostname=$h
fi
+
secrets=false
if [[ -e /root/router-secrets ]]; then
secrets=true
+ # shellcheck source=/p/router-secrets
source /root/router-secrets
fi
# doesn't go into the firmware. build new firmware if you want
# lots of upgrades. I think /tmp/opkg-lists is a pre openwrt 14 location.
f=(/var/opkg-lists/*)
- if ! (( $(date -r $f +%s) + 60*60*24 > $(date +%s) )); then
+ if ! (( $(date -r ${f[0]} +%s) + 60*60*24 > $(date +%s) )); then
if ! opkg update; then
echo "$0: warning: opkg update failed" >&2
fi
pmirror
fi
done
- if [[ $to_install ]]; then
+ if (( ${#to_install[@]} >= 1 )); then
opkg install ${to_install[@]}
fi
}
lan=10.0.0.0
if $test; then
lan=10.1.0.0
-elif [[ $hostname == cmc ]]; then
+elif [[ $hostname == cmc || $hostname == cmcap ]]; then
lan=10.2.0.0
elif $client; then
lan=10.3.0.0
if $secrets; then
key=${rkey[$h]}
fi
-: ${key:=pictionary49}
+: "${key:=pictionary49}"
mask=255.255.0.0
cidr=16
l=${lan%.0}
-passwd -l root ||: #already locked fails
+# why did we lock this? i don't know
+#passwd -l root ||: #already locked fails
sed -ibak '/^root:/d' /etc/shadow
# /root/router created by manually running passwd then copying the resulting
uset network.lan.ipaddr $l.$lanip
uset network.lan.netmask $mask
-if $dev2 || $client; then
- if $dev2; then
+if $dev2 || $client || $ap; then
+ if $dev2 || $ap; then
uset network.lan.gateway $l.1
uset network.wan.proto none
uset network.wan6.proto none
/etc/init.d/odhcpd stop
/etc/init.d/odhcpd disable
rm -f /etc/resolv.conf
- cat >/etc/resolv.conf <<'EOF'
+ if $ap; then
+ cat >/etc/resolv.conf <<EOF
+nameserver $l.1
+EOF
+ else
+ cat >/etc/resolv.conf <<'EOF'
nameserver 8.8.8.8
nameserver 8.8.4.4
EOF
+ fi
# things i tried to keep dnsmasq running but not enabled except local dns,
# but it didnt work right and i dont need it anyways.
if [[ $mac ]]; then
uset wireless.default_radio$x.macaddr $macpre$((macsuf + 2*x))
fi
- # secondary device has wireless disabled
+ # disable/enable. secondary device has wireless disabled
uset wireless.radio$x.disabled $dev2
done
fi
uset wireless.radio0.disassoc_low_ack 0
uset wireless.radio1.disassoc_low_ack 0
fi
-case $HOSTNAME in
- cmc)
- # found with https://openwrt.org/docs/guide-user/network/wifi/iwchan
- uset wireless.radio0.channel 11
- ;;
-esac
+
+
+# found with https://openwrt.org/docs/guide-user/network/wifi/iwchan.
+# However, the default also chooses 11, and better to let it choose in case things change.
+# case $HOSTNAME in
+# cmc)
+# uset wireless.radio0.channel 11
+# ;;
+# esac
# usb, screen, relay are for libremanage
#
# relay package temporarily disabled
# /root/relay_1.0-1_mips_24kc.ipk
-v pi tcpdump screen rsync unbound-daemon unbound-checkconf \
- kmod-usb-storage block-mount kmod-fs-ext4
+#
+# note: prometheus-node-exporter-lua-openwrt seems to be a dependency of
+# prometheus-node-exporter-lua in practice.
+
+pkgs=(
+ tcpdump
+ screen
+ rsync
+ kmod-usb-storage
+ block-mount
+ kmod-fs-ext4
+ prometheus-node-exporter-lua-openwrt
+ prometheus-node-exporter-lua
+)
+
+if ! $ap; then
+ pkgs+=(
+ unbound-daemon
+ unbound-checkconf
+ )
+fi
+
+v pi "${pkgs[@]}"
# nfs-kernel-server \
# openvpn-openssl adblock libusb-compat \
# kmod-usb-serial-cp210x kmod-usb-serial-ftdi \
# v /etc/init.d/nfsd enable
+cedit /etc/config/prometheus-node-exporter-lua <<'EOF' || /etc/init.d/prometheus-node-exporter-lua restart
+config prometheus-node-exporter-lua 'main'
+ option listen_ipv6 '0'
+ option listen_interface 'lan'
+ option listen_port '9100
+EOF
+# default, as of this writing is:
+# config prometheus-node-exporter-lua 'main'
+# option listen_interface 'loopback'
+# option listen_port '9100'
# option config /etc/openvpn/client.conf
# EOF
-wgip4=10.3.0.1/24
-wgip6=fdfd::1/64
+
wgport=26000
network_restart=false
cedit /etc/config/network <<EOF || network_restart=true
config 'route' 'transmission'
option 'interface' 'lan'
- option 'target' '10.173.0.0'
+ option 'target' '10.174.0.0'
option 'netmask' '255.255.0.0'
- option 'gateway' '$l.3'
+ option 'gateway' '$l.2'
option interface 'wg0'
option proto 'wireguard'
v /etc/init.d/network reload
fi
-firewall-cedit() {
- if $client; then
- cedit wific /etc/config/firewall <<EOF
+### begin firewall edits ###
+if $client; then
+ cedit wific /etc/config/firewall <<EOF || firewall_restart=true
config zone
option name wwan
option input REJECT
option mtu_fix 1
option network wwan
EOF
- fi
+fi
- case $hostname in
- wrt)
- cedit host /etc/config/firewall <<EOF
+case $hostname in
+ wrt)
+ cedit host /etc/config/firewall <<EOF || firewall_restart=true
config redirect
option name ssh
option src wan
option dest_ip $l.3
option dest lan
EOF
- ;;
- cmc)
- cedit host /etc/config/firewall <<EOF
+ ;;
+ cmc)
+ cedit host /etc/config/firewall <<EOF || firewall_restart=true
config redirect
option name ssh
option src wan
option dest_ip $l.2
option dest lan
EOF
- ;;
- esac
+ ;;
+esac
- cedit /etc/config/firewall <<EOF
+{
+ /root/cmc-firewall-data
+ cat <<EOF
## begin no external dns for ziva
config rule
option src lan
option dest_port 22
config redirect
- option name sshkd
+ option name promkd
option src wan
- option src_dport 2202
- option dest_port 22
+ option src_dport 9091
+ option dest_port 9091
option dest_ip $l.2
option dest lan
config rule
option src wan
option target ACCEPT
- option dest_port 2202
+ option dest_port 9091
+
+# was working on an openvpn server, didn't finish
+# config redirect
+# option name vpnkd
+# option src wan
+# option src_dport 1196
+# option dest_port 1196
+# option dest_ip $l.2
+# option dest lan
+# config rule
+# option src wan
+# option target ACCEPT
+# option dest_port 1196
config redirect
option dest_port 8989
+
config redirect
- option name sshx2
+ option name icecast
option src wan
- option src_dport 2205
- option dest_port 22
- option dest_ip $l.5
+ option src_dport 8000
+ option dest_port 8000
+ option dest_ip $l.2
option dest lan
config rule
option src wan
option target ACCEPT
- option dest_port 2205
+ option dest_port 8000
-config redirect
- option name sshx3
- option src wan
- option src_dport 2207
- option dest_port 22
- option dest_ip $l.7
- option dest lan
config rule
+ option name sshcmc
option src wan
option target ACCEPT
- option dest_port 2207
+ option dest_port 2220
-config redirect
- option name sshtp
- option src wan
- option src_dport 2208
- option dest_port 22
- option dest_ip $l.8
- option dest lan
config rule
+ option name wg
option src wan
option target ACCEPT
- option dest_port 2208
+ option dest_port $wgport
+ option proto udp
config redirect
- option name sshbb8
+ option name navidromehttps
option src wan
- option src_dport 2209
- option dest_port 22
- option dest_ip $l.9
+ option src_dport 4500
+ option dest_port 4500
+ option dest_ip $l.2
option dest lan
config rule
option src wan
option target ACCEPT
- option dest_port 2209
+ option dest_port 4500
config redirect
- option name icecast
+ option name navidrome
option src wan
- option src_dport 8000
- option dest_port 8000
+ option src_dport 4533
+ option dest_port 4533
option dest_ip $l.2
option dest lan
config rule
option src wan
option target ACCEPT
- option dest_port 8000
+ option dest_port 4533
-config rule
- option name sshwrt
- option src wan
- option target ACCEPT
- option dest_port 2220
+# So a client can just have b8.nz dns even when they
+# are on the lan.
+#config redirect
+# option name navidromelan
+# option src lan
+# option src_dport 4533
+# option dest_port 4533
+# option dest_ip $l.2
+# option dest lan
-config rule
- option name wg
- option src wan
- option target ACCEPT
- option dest_port $wgport
- option proto udp
+# config redirect
+# option name icecast
+# option src wan
+# option src_dport 8000
+# option dest_port 8000
+# option dest_ip $l.2
+# option dest lan
+# config rule
+# option src wan
+# option target ACCEPT
+# option dest_port 8000
config redirect
- option name httpkd
+ option name http
option src wan
option src_dport 80
option dest lan
- option dest_ip $l.2
+ option dest_ip $l.7
option proto tcp
config rule
option src wan
option proto tcp
config redirect
- option name httpskd
+ option name https
option src wan
option src_dport 443
option dest lan
- option dest_ip $l.2
+ option dest_ip $l.7
option proto tcp
config rule
option src wan
option dest_port 443
option proto tcp
-config redirect
-option name httpskd8448
- option src wan
- option src_dport 8448
- option dest lan
- option dest_ip $l.2
- option proto tcp
-config rule
- option src wan
- option target ACCEPT
- option dest_port 8448
- option proto tcp
+# config redirect
+# option name httpskd8448
+# option src wan
+# option src_dport 8448
+# option dest lan
+# option dest_ip $l.2
+# option proto tcp
+# config rule
+# option src wan
+# option target ACCEPT
+# option dest_port 8448
+# option proto tcp
config redirect
option name syncthing
option target ACCEPT
option family ipv6
-config rule
- option name http-ipv6
- option src wan
- option dest lan
- option dest_port 80
- option target ACCEPT
- option family ipv6
-
-config rule
- option name https-ipv6
- option src wan
- option dest lan
- option dest_port 443
- option target ACCEPT
- option family ipv6
+# config rule
+# option name http-ipv6
+# option src wan
+# option dest lan
+# option dest_port 80
+# option target ACCEPT
+# option family ipv6
+
+# config rule
+# option name https-ipv6
+# option src wan
+# option dest lan
+# option dest_port 443
+# option target ACCEPT
+# option family ipv6
config rule
option name node-exporter
option target ACCEPT
option family ipv6
-# include a file with users custom iptables rules
-config include
- option path /etc/firewall.user
- option type 'restore'
- option family 'ipv4'
+EOF
+} | cedit /etc/config/firewall || firewall_restart=true
+### end firewall edits ###
+
+
+# firewall comment:
+# not using and in newer wrt, fails, probably due to nonexistent file, error output
+# on:
+
+# Reference error: left-hand side expression is not an array or object
+# In [anonymous function](), file /usr/share/ucode/fw4.uc, line 3137, byte 12:
+# called from function [arrow function] (/usr/share/ucode/fw4.uc:733:71)
+# called from function foreach ([C])
+# called from function [anonymous function] (/usr/share/ucode/fw4.uc:733:72)
+# called from function render_ruleset (/usr/share/firewall4/main.uc:56:24)
+# called from anonymous function (/usr/share/firewall4/main.uc:143:29)
+#
+# ` if (!inc.enabled) {`
+# Near here -------^
+#
+#
+# The rendered ruleset contains errors, not doing firewall restart.
+# /usr/bin/wrt-setup-local:160:error: ""$@"" returned 1
+
+## include a file with users custom iptables rules
+#config include
+# option path /etc/firewall.user
+# option type 'restore'
+# option family 'ipv4'
-EOF
-}
-firewall-cedit || firewall_restart=true
# not using wireguard for now
# if ! uci get firewall.@zone[1].network | grep wg0 &>/dev/null; then
# note: tried this, it didn't do anything:
# uset dhcp.@odhcpd[0].dns 10.2.0.1
-# iank, disabled while debugging.
+# iank, disablde while debugging.
#/etc/init.d/odhcpd stop
#/etc/init.d/odhcpd disable
# todo: make the above conditional on which server this is.
+## left commented in case we have ipv6 problems in the future
# avoid errors in log. current isp doesnt have ipv6
-uset unbound.@unbound[0].protocol ip4_only
+#uset unbound.@unbound[0].protocol ip4_only
# todo: im not sure all these are needed, but they all look
# like good options.
# to:
# procd_set_param command $PROG -vvv -d -c $UB_TOTAL_CONF
-{
- cat <<'EOF'
+if ! $ap; then
+ {
+ cat <<'EOF'
do-tcp: yes
prefetch: yes
qname-minimisation: yes
access-control-view: 10.2.0.31/32 "youtube"
EOF
- if $zblock; then
- cat <<'EOF'
+ if $zblock; then
+ cat <<'EOF'
# no sy until that dongle is used by ziva
# syw
# samsungtab
access-control-view: 10.2.0.32/32 "youtube"
EOF
- fi
-} | cedit /etc/unbound/unbound_srv.conf || restart_unbound=true
+ fi
+ } | cedit /etc/unbound/unbound_srv.conf || unbound_restart=true
+
+ # dns based blocking vs ip based. with ip, same
+ # server can have multiple domains. in dns,
+ # you have to make sure clients to use the local dns.
+ # https dns will need to be blocked by ip in
+ # order to be comprehensive
-# dns based blocking vs ip based. with ip, same
-# server can have multiple domains. in dns,
-# you have to make sure clients to use the local dns.
-# https dns will need to be blocked by ip in
-# order to be comprehensive
-cedit /etc/unbound/unbound_ext.conf <<'EOF' || restart_unbound=true
+
+ {
+ /root/ptr-data
+ cat <<EOF
+
local-data-ptr: "10.2.0.1 cmc.b8.nz"
-local-data-ptr: "10.2.0.2 kd.b8.nz"
-local-data-ptr: "10.2.0.3 sy.b8.nz"
-local-data-ptr: "10.2.0.4 wrt2.b8.nz"
-local-data-ptr: "10.2.0.5 x2.b8.nz"
-local-data-ptr: "10.2.0.6 x2w.b8.nz"
-local-data-ptr: "10.2.0.7 syw.b8.nz"
-local-data-ptr: "10.2.0.8 amy.b8.nz"
-local-data-ptr: "10.2.0.9 bb8.b8.nz"
-local-data-ptr: "10.2.0.12 demohost.b8.nz"
-local-data-ptr: "10.2.0.14 wrt3.b8.nz"
-local-data-ptr: "10.2.0.19 brother.b8.nz"
-local-data-ptr: "10.2.0.23 amyw.b8.nz"
-local-data-ptr: "10.2.0.25 hp.b8.nz"
-local-data-ptr: "10.2.0.31 amazontab.b8.nz"
-local-data-ptr: "10.2.0.32 samsungtab.b8.nz"
-local-data-ptr: "10.173.0.2 transmission.b8.nz"
+
+local-data-ptr: "10.174.2.2 transmission.b8.nz"
local-data-ptr: "10.173.8.1 defaultnn.b8.nz"
local-data-ptr: "10.173.8.2 nn.b8.nz"
forward-zone:
name: "."
+# forward-addr: 8.8.8.8
+# forward-addr: 8.8.8.8
+
+# ssl disabled due to this error:
+#Sat Dec 24 03:34:44 2022 daemon.err unbound: [6568:0] error: ssl handshake failed crypto error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
+#Sat Dec 24 03:34:44 2022 daemon.notice unbound: [6568:0] notice: ssl handshake failed 1.0.0.3 port 853
+# on OPENWRT_RELEASE="OpenWrt SNAPSHOT r18639-f5865452ac"
+# from about feb 2022
+
# https://developers.cloudflare.com/1.1.1.1/1.1.1.1-for-families/setup-instructions/dns-over-https
- forward-addr: 1.1.1.3@853#family.cloudflare-dns.com
- forward-addr: 1.0.0.3@853#family.cloudflare-dns.com
- forward-ssl-upstream: yes
+# forward-addr: 1.1.1.3@853#family.cloudflare-dns.com
+# forward-addr: 1.0.0.3@853#family.cloudflare-dns.com
+# forward-ssl-upstream: yes
forward-first: no
+ forward-addr: 1.1.1.3
+ forward-addr: 1.0.0.3
view:
name: "youtube"
# try global if no match in view
view-first: yes
EOF
+ } | cedit /etc/unbound/unbound_ext.conf || unbound_restart=true
-if $restart_unbound; then
- /etc/init.d/unbound restart
- if ! unbound-checkconf; then
- echo $0: error: unbound-checkconf failed >&2
- exit 1
+ if $unbound_restart; then
+ /etc/init.d/unbound restart
+ if ! unbound-checkconf; then
+ echo $0: error: unbound-checkconf failed >&2
+ exit 1
+ fi
fi
-fi
-
+fi # end if $ap
# # disabled for now. i want to selectively enable it
# # for specific hosts.
# so make sure we have this dir or else dnsmasq will fail
# to start.
mkdir -p /mnt/usb/tftpboot
-cedit /etc/dnsmasq.conf <<EOF || dnsmasq_restart=true
+
+{
+ # generated with host-info-update
+ /root/dnsmasq-data
+ cat <<EOF
# no dns
port=0
server=/b8.nz/#
ptr-record=1.0.2.10.in-addr.arpa.,cmc.b8.nz
+
# https://ret2got.wordpress.com/2018/01/19/how-your-ethereum-can-be-stolen-using-dns-rebinding/
stop-dns-rebind
rebind-domain-ok=b8.nz
# It is default if dnsmasq is doing dns, otherwise, we have to specify it.
# To see it in action, I ran this from a client machine:
# sudo dhcpcd -o domain_name_servers -T
-dhcp-option=6,$l.1
+dhcp-option=option:dns-server,$l.1
+# use this when doing fai to get the right timezone, its nfsroot is
+# setup to use this dhcp option only and call ntpdate.
+# generate ips with:
+# for h in 0.ubuntu.pool.ntp.org 1.ubuntu.pool.ntp.org ntp.ubuntu.com; do host -t a $h | awk '{print $NF}'; done | while read -r l; do printf ,$l; done
+dhcp-option=option:ntp-server,188.165.3.28,202.12.97.45,91.236.251.13,50.205.244.23,78.30.254.80,31.131.0.123,202.65.114.202,94.228.220.14,185.125.190.57,185.125.190.58,91.189.91.157,185.125.190.56,91.189.94.4
# results from googling around dnsmasq optimizations
# default dhcp range is 100-150
-# bottom port, iPXE (PCI 03:00.0) in seabios boot menu
-dhcp-host=c8:60:00:31:6b:75,set:kd,$l.2,kd
-dhcp-host=94:05:bb:1e:2c:2e,set:sy,$l.3,sy
-#dhcp-host=94:05:bb:1e:2c:2e,set:bo,$l.38,bo
-# top port, iPXE (PCI 04:00.0) in seabios boot menu
-#dhcp-host=c8:60:00:2b:15:07,set:kd,$l.2,kd
-# 4 is reserved for a staticly configured host wrt2
-# old x2 with bad fan
-#dhcp-host=00:1f:16:16:39:24,set:x2,$l.5,x2
-dhcp-host=f0:de:f1:81:ec:88,set:x2,$l.5,x2
-dhcp-host=c4:8e:8f:44:f5:63,set:x2w,$l.6,x2w
-dhcp-host=70:a6:cc:34:09:22,set:syw,$l.7,syw
-dhcp-host=80:fa:5b:1c:6e:cf,set:amy,$l.8,amy
-# This is so fai can have an explicit name to use for testing,
-# or else any random machine which did a pxe boot would get
-# reformatted. The mac is from doing a virt-install, cancelling it,
-# and copying the generated mac, so it should be randomish.
-dhcp-host=52:54:00:9c:ef:ad,set:demohost,$l.12,demohost
-dhcp-host=62:03:cb:a8:3e:a3,set:trp,$1.13,trp
-# 14 = wrt3
-dhcp-host=00:1f:16:14:01:d8,set:x3,$l.18,x3
-# BRN001BA98CA823 in dhcp logs
-dhcp-host=00:1b:a9:8c:a8:23,set:brother,$l.19,brother
-
-dhcp-host=00:26:b6:f7:d4:d8,set:amyw,$l.23,amyw
-dhcp-host=9a:c6:52:6f:ce:7c,set:onep9,$l.24,onep9
-dhcp-host=38:63:bb:07:5a:f9,set:hp,$l.25,hp
-dhcp-host=00:26:b6:f6:0f:e9,set:frodow,$l.28,frodow
-dhcp-host=70:a6:cc:3a:bb:b4,set:bow,$l.29,bow
-dhcp-host=6c:56:97:88:7b:74,set:amazontab,$l.31,amazontab
-dhcp-host=0a:8a:9b:cf:b5:ec,set:samsungtab,$l.32,samsungtab
-dhcp-host=b8:27:eb:78:21:1d,set:pi3b,$l.33,pi3b
-
-
-
-# faiserver vm
-dhcp-host=52:54:00:56:09:f9,set:faiserver,$l.15,faiserver
-
-# This is the ip it picks by default if dhcp fails,
-# so might as well use it.
-# hostname is the name it uses according to telnet
-dhcp-host=b4:75:0e:94:29:ca,set:switch9429ca,$l.251,switch9429ca
# template
# dhcp-host=,$l.,
# for debugging dhcp
#log-queries=extra
EOF
+} | cedit /etc/dnsmasq.conf || dnsmasq_restart=true
-if $dnsmasq_restart && ! $dev2; then
+
+if $dnsmasq_restart && ! $dev2 && ! $ap; then
# todo: can our ptr records be put in /etc/hosts?
# eg: user normal /etc/hosts records, and they wont be used for A resolution
# due to the other settings, but will be used for ptr? then maybe
v /etc/init.d/dnsmasq restart
fi
-if $firewall_restart; then
+if $ap; then
+ v /etc/init.d/firewall disable
+ v /etc/init.d/firewall stop
+elif $firewall_restart; then
v /etc/init.d/firewall restart
fi
+## turn off luci
+# if already stopped, gives error we want to ignore
+/etc/init.d/uhttpd stop |& sed '1{/^Command failed/d}'
+/etc/init.d/uhttpd disable |& sed '1{/^Command failed/d}'
+
# this may just restart the network and take care of the network_restart below.
if $wireless_restart; then
v wifi
reboot
fi
-exit 0
+v exit 0
iankelling.org / git / automated-distro-installer / blobdiff