f=/usr/local/lib/err;test -r $f || { echo "error: $0 no $f" >&2;exit 1;}; . $f
-
usage() {
cat <<EOF
usage: ${0##*/} [-h] [-t 2|3|test|client] [-m WIRELESS_MAC] [hostname]
dev2=false
test=false
client=false
+ap=false
libremanage_host=wrt2
lanip=1
while getopts hm:t:yz opt; do
client)
client=true
;;
+ ap)
+ ap=true
+ lanip=53
+ hostname=cmcap
+ ;;
*) echo "$0: unexpected arg to -t: $*" >&2; usage 1 ;;
esac
;;
if [[ $1 ]]; then
h=$1
+elif [[ $hostname ]]; then
+ h=$hostname
else
h=cmc
fi
+
if [[ ! $hostname ]]; then
hostname=$h
fi
lan=10.0.0.0
if $test; then
lan=10.1.0.0
-elif [[ $hostname == cmc ]]; then
+elif [[ $hostname == cmc || $hostname == cmcap ]]; then
lan=10.2.0.0
elif $client; then
lan=10.3.0.0
uset network.lan.ipaddr $l.$lanip
uset network.lan.netmask $mask
-if $dev2 || $client; then
- if $dev2; then
+if $dev2 || $client || $ap; then
+ if $dev2 || $ap; then
uset network.lan.gateway $l.1
uset network.wan.proto none
uset network.wan6.proto none
/etc/init.d/odhcpd stop
/etc/init.d/odhcpd disable
rm -f /etc/resolv.conf
- cat >/etc/resolv.conf <<'EOF'
+ if $ap; then
+ cat >/etc/resolv.conf <<EOF
+nameserver $l.1
+EOF
+ else
+ cat >/etc/resolv.conf <<'EOF'
nameserver 8.8.8.8
nameserver 8.8.4.4
EOF
+ fi
# things i tried to keep dnsmasq running but not enabled except local dns,
# but it didnt work right and i dont need it anyways.
if [[ $mac ]]; then
uset wireless.default_radio$x.macaddr $macpre$((macsuf + 2*x))
fi
- # secondary device has wireless disabled
+ # disable/enable. secondary device has wireless disabled
uset wireless.radio$x.disabled $dev2
done
fi
uset wireless.radio0.disassoc_low_ack 0
uset wireless.radio1.disassoc_low_ack 0
fi
-case $HOSTNAME in
- cmc)
- # found with https://openwrt.org/docs/guide-user/network/wifi/iwchan
- uset wireless.radio0.channel 11
- ;;
-esac
+
+
+# found with https://openwrt.org/docs/guide-user/network/wifi/iwchan.
+# However, the default also chooses 11, and better to let it choose in case things change.
+# case $HOSTNAME in
+# cmc)
+# uset wireless.radio0.channel 11
+# ;;
+# esac
# usb, screen, relay are for libremanage
#
# note: prometheus-node-exporter-lua-openwrt seems to be a dependency of
# prometheus-node-exporter-lua in practice.
-v pi tcpdump screen rsync unbound-daemon unbound-checkconf \
- kmod-usb-storage block-mount kmod-fs-ext4 \
- prometheus-node-exporter-lua-openwrt \
+
+pkgs=(
+ tcpdump
+ screen
+ rsync
+ kmod-usb-storage
+ block-mount
+ kmod-fs-ext4
+ prometheus-node-exporter-lua-openwrt
prometheus-node-exporter-lua
+)
+
+if ! $ap; then
+ pkgs+=(
+ unbound-daemon
+ unbound-checkconf
+ )
+fi
+
+v pi "${pkgs[@]}"
# nfs-kernel-server \
# openvpn-openssl adblock libusb-compat \
# kmod-usb-serial-cp210x kmod-usb-serial-ftdi \
cedit /etc/config/network <<EOF || network_restart=true
config 'route' 'transmission'
option 'interface' 'lan'
- option 'target' '10.173.0.0'
+ option 'target' '10.174.0.0'
option 'netmask' '255.255.0.0'
- option 'gateway' '$l.3'
+ option 'gateway' '$l.2'
option interface 'wg0'
option proto 'wireguard'
config redirect
- option name sshkd
+ option name sshfrodo
option src wan
- option src_dport 2202
+ option src_dport 2228
option dest_port 22
- option dest_ip $l.2
+ option dest_ip $l.28
option dest lan
config rule
option src wan
option target ACCEPT
- option dest_port 2202
+ option dest_port 2228
config redirect
# todo: make the above conditional on which server this is.
+## left commented in case we have ipv6 problems in the future
# avoid errors in log. current isp doesnt have ipv6
-uset unbound.@unbound[0].protocol ip4_only
+#uset unbound.@unbound[0].protocol ip4_only
# todo: im not sure all these are needed, but they all look
# like good options.
# to:
# procd_set_param command $PROG -vvv -d -c $UB_TOTAL_CONF
-{
- cat <<'EOF'
+if ! $ap; then
+ {
+ cat <<'EOF'
do-tcp: yes
prefetch: yes
qname-minimisation: yes
access-control-view: 10.2.0.31/32 "youtube"
EOF
- if $zblock; then
- cat <<'EOF'
+ if $zblock; then
+ cat <<'EOF'
# no sy until that dongle is used by ziva
# syw
# samsungtab
access-control-view: 10.2.0.32/32 "youtube"
EOF
- fi
-} | cedit /etc/unbound/unbound_srv.conf || restart_unbound=true
+ fi
+ } | cedit /etc/unbound/unbound_srv.conf || unbound_restart=true
+
+
+ # dns based blocking vs ip based. with ip, same
+ # server can have multiple domains. in dns,
+ # you have to make sure clients to use the local dns.
+ # https dns will need to be blocked by ip in
+ # order to be comprehensive
+ cedit /etc/unbound/unbound_ext.conf <<EOF || unbound_restart=true
-# dns based blocking vs ip based. with ip, same
-# server can have multiple domains. in dns,
-# you have to make sure clients to use the local dns.
-# https dns will need to be blocked by ip in
-# order to be comprehensive
+$(cat /root/ptr-data)
-cedit /etc/unbound/unbound_ext.conf <<'EOF' || restart_unbound=true
local-data-ptr: "10.2.0.1 cmc.b8.nz"
-local-data-ptr: "10.2.0.2 kd.b8.nz"
-local-data-ptr: "10.2.0.3 sy.b8.nz"
local-data-ptr: "10.2.0.4 wrt2.b8.nz"
-local-data-ptr: "10.2.0.5 x2.b8.nz"
local-data-ptr: "10.2.0.6 x2w.b8.nz"
local-data-ptr: "10.2.0.7 syw.b8.nz"
-local-data-ptr: "10.2.0.8 tp.b8.nz"
local-data-ptr: "10.2.0.9 bb8.b8.nz"
-local-data-ptr: "10.2.0.12 demohost.b8.nz"
local-data-ptr: "10.2.0.14 wrt3.b8.nz"
local-data-ptr: "10.2.0.17 x3w.b8.nz"
-local-data-ptr: "10.2.0.18 x3.b8.nz"
+local-data-ptr: "10.2.0.18 tp.b8.nz"
local-data-ptr: "10.2.0.19 brother.b8.nz"
local-data-ptr: "10.2.0.23 tpw.b8.nz"
local-data-ptr: "10.2.0.24 one9p.b8.nz"
local-data-ptr: "10.2.0.25 hp.b8.nz"
-local-data-ptr: "10.2.0.28 frodo.b8.nz"
local-data-ptr: "10.2.0.29 bow.b8.nz"
local-data-ptr: "10.2.0.31 amazontab.b8.nz"
local-data-ptr: "10.2.0.32 samsungtab.b8.nz"
local-data-ptr: "10.2.0.49 pi4.b8.nz"
local-data-ptr: "10.2.0.50 pi4w.b8.nz"
local-data-ptr: "10.2.0.52 s22.b8.nz"
-local-data-ptr: "10.173.0.2 transmission.b8.nz"
+local-data-ptr: "10.2.0.53 cmcap.b8.nz"
+local-data-ptr: "10.2.0.88 demohost.b8.nz"
+local-data-ptr: "10.174.2.2 transmission.b8.nz"
local-data-ptr: "10.173.8.1 defaultnn.b8.nz"
local-data-ptr: "10.173.8.2 nn.b8.nz"
name: "."
# forward-addr: 8.8.8.8
# forward-addr: 8.8.8.8
+
+# ssl disabled due to this error:
+#Sat Dec 24 03:34:44 2022 daemon.err unbound: [6568:0] error: ssl handshake failed crypto error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
+#Sat Dec 24 03:34:44 2022 daemon.notice unbound: [6568:0] notice: ssl handshake failed 1.0.0.3 port 853
+# on OPENWRT_RELEASE="OpenWrt SNAPSHOT r18639-f5865452ac"
+# from about feb 2022
+
# https://developers.cloudflare.com/1.1.1.1/1.1.1.1-for-families/setup-instructions/dns-over-https
- forward-addr: 1.1.1.3@853#family.cloudflare-dns.com
- forward-addr: 1.0.0.3@853#family.cloudflare-dns.com
- forward-ssl-upstream: yes
+# forward-addr: 1.1.1.3@853#family.cloudflare-dns.com
+# forward-addr: 1.0.0.3@853#family.cloudflare-dns.com
+# forward-ssl-upstream: yes
forward-first: no
+ forward-addr: 1.1.1.3
+ forward-addr: 1.0.0.3
view:
name: "youtube"
EOF
-if $restart_unbound; then
- /etc/init.d/unbound restart
- if ! unbound-checkconf; then
- echo $0: error: unbound-checkconf failed >&2
- exit 1
+ if $unbound_restart; then
+ /etc/init.d/unbound restart
+ if ! unbound-checkconf; then
+ echo $0: error: unbound-checkconf failed >&2
+ exit 1
+ fi
fi
-fi
-
+fi # end if $ap
# # disabled for now. i want to selectively enable it
# # for specific hosts.
dhcp-host=00:26:b6:f7:d4:d8,set:amyw,$l.23,amyw
dhcp-host=9a:c6:52:6f:ce:7c,set:onep9,$l.24,onep9
dhcp-host=38:63:bb:07:5a:f9,set:hp,$l.25,hp
-dhcp-host=00:26:18:97:bb:16,set:frodo,$l.28,frodo
+dhcp-host=14:dd:a9:d5:31:7a,set:frodo,$l.28,frodo
#dhcp-host=00:26:b6:f6:0f:e9,set:frodow,$l.28,frodow
dhcp-host=70:a6:cc:3a:bb:b4,set:bow,$l.29,bow
dhcp-host=6c:56:97:88:7b:74,set:amazontab,$l.31,amazontab
EOF
-if $dnsmasq_restart && ! $dev2; then
+if $dnsmasq_restart && ! $dev2 && ! $ap; then
# todo: can our ptr records be put in /etc/hosts?
# eg: user normal /etc/hosts records, and they wont be used for A resolution
# due to the other settings, but will be used for ptr? then maybe
v /etc/init.d/dnsmasq restart
fi
-if $firewall_restart; then
+if $ap; then
+ v /etc/init.d/firewall disable
+ v /etc/init.d/firewall stop
+elif $firewall_restart; then
v /etc/init.d/firewall restart
fi
reboot
fi
-exit 0
+v exit 0
iankelling.org / git / automated-distro-installer / blobdiff