# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
-f=/usr/local/lib/bash-bear;test -r $f || { echo "error: $0 no $f" >&2;exit 1;}; . $f
+set -e; . /usr/local/lib/bash-bear; set +e
+
usage() {
cat <<EOF
lanip=1
while getopts hm:t:yz opt; do
case $opt in
- h) usage ;;
+ h) usage 0 ;;
t)
case $2 in
2|3)
secrets=false
if [[ -e /root/router-secrets ]]; then
secrets=true
+ # shellcheck source=/p/router-secrets
source /root/router-secrets
fi
# doesn't go into the firmware. build new firmware if you want
# lots of upgrades. I think /tmp/opkg-lists is a pre openwrt 14 location.
f=(/var/opkg-lists/*)
- if ! (( $(date -r $f +%s) + 60*60*24 > $(date +%s) )); then
+ if ! (( $(date -r ${f[0]} +%s) + 60*60*24 > $(date +%s) )); then
if ! opkg update; then
echo "$0: warning: opkg update failed" >&2
fi
pmirror
fi
done
- if [[ $to_install ]]; then
+ if (( ${#to_install[@]} >= 1 )); then
opkg install ${to_install[@]}
fi
}
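Review bot: On a freshly flashed router `/var/opkg-lists` can be empty, so the glob at `f=(/var/opkg-lists/*)` stays literal and `date -r ${f[0]}` on the new line prints an error and substitutes nothing, leaving the `(( ))` to compare a bare `+ 60*60*24` against the current time; the update branch is then taken by accident rather than by the age check the line expresses. Guarding on the file's existence keeps the same outcome without the error output, `if [[ ! -e ${f[0]} ]] || ! (( $(date -r "${f[0]}" +%s) + 60*60*24 > $(date +%s) )); then`. Now that `to_install` is explicitly treated as an array in the new count check, the `opkg install ${to_install[@]}` line it guards should quote it too, `opkg install "${to_install[@]}"`. The loop closed by `done` and the function closed by `}` both begin outside the hunk.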
if $secrets; then
key=${rkey[$h]}
fi
-: ${key:=pictionary49}
+: "${key:=pictionary49}"
mask=255.255.0.0
cidr=16
# option config /etc/openvpn/client.conf
# EOF
-wgip4=10.3.0.1/24
-wgip6=fdfd::1/64
+
wgport=26000
network_restart=false
v /etc/init.d/network reload
fi
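Review bot: The quoting fix at `: "${key:=…}"` keeps a literal default for what appears to be the wifi key: whenever `/root/router-secrets` is absent (`secrets` stays false) or `rkey[$h]` has no entry for this host, the router is configured with a credential that lives in this script. Failing loudly is the safer default, e.g. `: "${key:?no key for $h in /root/router-secrets}"`, so a missing secrets file or host entry is noticed instead of silently shipped. The `if` closed by `fi` starts outside the hunk.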
-firewall-cedit() {
- if $client; then
- cedit wific /etc/config/firewall <<EOF
+### begin firewall edits ###
+if $client; then
+ cedit wific /etc/config/firewall <<EOF || firewall_restart=true
config zone
option name wwan
option input REJECT
option mtu_fix 1
option network wwan
EOF
- fi
+fi
- case $hostname in
- wrt)
- cedit host /etc/config/firewall <<EOF
+case $hostname in
+ wrt)
+ cedit host /etc/config/firewall <<EOF || firewall_restart=true
config redirect
option name ssh
option src wan
option dest_ip $l.3
option dest lan
EOF
- ;;
- cmc)
- cedit host /etc/config/firewall <<EOF
+ ;;
+ cmc)
+ cedit host /etc/config/firewall <<EOF || firewall_restart=true
config redirect
option name ssh
option src wan
option dest_ip $l.2
option dest lan
EOF
- ;;
- esac
+ ;;
+esac
-
- cedit /etc/config/firewall <<EOF
+{
+ . /root/cmc-firewall-data
+ cat <<EOF
## begin no external dns for ziva
config rule
option src lan
option target REJECT
## end no external dns for ziva
-$(. /root/cmc-firewall-data)
config rule
option src wan
option src wan
option src_dport 80
option dest lan
- option dest_ip $l.7
+ option dest_ip $l.9
option proto tcp
config rule
option src wan
option src wan
option src_dport 443
option dest lan
- option dest_ip $l.7
+ option dest_ip $l.9
option proto tcp
config rule
option src wan
option family ipv6
EOF
-}
-firewall-cedit || firewall_restart=true
+} | cedit /etc/config/firewall || firewall_restart=true
+### end firewall edits ###
+
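Review bot: `. /root/cmc-firewall-data` inside the new `{ … } | cedit /etc/config/firewall` group is not checked, so if that file is missing or fails part-way bash prints an error and continues (the script turns `set -e` off after sourcing bash-bear), `cat` still emits the rest of the template, and cedit writes a firewall config without that file's rules; the trailing `|| firewall_restart=true` only sees cedit's status. The same pattern appears in the unbound edit (`. /root/ptr-data`) and the dnsmasq edit (`. /root/dnsmasq-data`) further down. A readability check before each group keeps a partial config from being installed, in the file's existing error style: `[[ -r /root/cmc-firewall-data ]] || { echo "$0: error: missing /root/cmc-firewall-data" >&2; exit 1; }`. Separately, the two `config rule` sections for ports 80 and 443 each list `option src wan` twice and show no `option target`; if the second line was meant to be a different option, or the target is set outside the shown lines, that is worth confirming before this lands.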
# firewall comment:
# not using and in newer wrt, fails, probably due to nonexistent file, error output
# order to be comprehensive
- cedit /etc/unbound/unbound_ext.conf <<EOF || unbound_restart=true
-$(. /root/ptr-data)
+ {
+ . /root/ptr-data
+ cat <<EOF
local-data-ptr: "10.2.0.1 cmc.b8.nz"
# try global if no match in view
view-first: yes
EOF
+ } | cedit /etc/unbound/unbound_ext.conf || unbound_restart=true
if $unbound_restart; then
# so make sure we have this dir or else dnsmasq will fail
# to start.
mkdir -p /mnt/usb/tftpboot
-cedit /etc/dnsmasq.conf <<EOF || dnsmasq_restart=true
+{
+ # generated with host-info-update
+ . /root/dnsmasq-data
+ cat <<EOF
# no dns
port=0
server=/b8.nz/#
ptr-record=1.0.2.10.in-addr.arpa.,cmc.b8.nz
-# generated with host-info-update
-$(. /root/dnsmasq-data)
# https://ret2got.wordpress.com/2018/01/19/how-your-ethereum-can-be-stolen-using-dns-rebinding/
stop-dns-rebind
# for debugging dhcp
#log-queries=extra
EOF
+} | cedit /etc/dnsmasq.conf || dnsmasq_restart=true
+
if $dnsmasq_restart && ! $dev2 && ! $ap; then