X-Git-Url: https://iankelling.org/git/?a=blobdiff_plain;f=wrt-setup-local;h=17fb9d2adb4ff915f94f5e33aaa0f64b2e9a12b8;hb=632c94b8382717f1a06b350c971b8246abbbbe61;hp=38a276d65edf1f9bd57aea795f3b347b40821d0c;hpb=cf3b64c21818d0033ffe5447d30e45141c81ee1b;p=automated-distro-installer

diff --git a/wrt-setup-local b/wrt-setup-local
index 38a276d..17fb9d2 100755
--- a/wrt-setup-local
+++ b/wrt-setup-local
@@ -21,7 +21,7 @@ trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR
 
 usage() {
   cat <<EOF
-usage: ${0##*/} [-h] [-t 2|test] [-m WIRELESS_MAC]
+usage: ${0##*/} [-h] [-t 2|3|test] [-m WIRELESS_MAC]
 setup my router in general: dhcp, dns, etc.
 
 Type 2 or 3 is for setting up a backup device, there are two kinds so
@@ -37,11 +37,26 @@ EOF
 }
 
 
+
+
+dnsmasq_restart=false
+firewall_restart=false
 dev2=false
 test=false
-hostname=wrt
 libremanage_host=wrt2
 
+secrets=false
+if [[ -e /root/router-secrets ]]; then
+  secrets=true
+  source /root/router-secrets
+fi
+rmac=$(cat /sys/class/net/eth0/address)
+if $secrets; then
+  hostname=${rhost[$rmac]}
+fi
+: ${hostname:=wrt}
+
+
 lanip=1
 while getopts hm:t: opt; do
   case $opt in
@@ -50,7 +65,7 @@ while getopts hm:t: opt; do
       case $2 in
         2|3)
           dev2=true
-          libremanage_host=wrt
+          libremanage_host=$hostname
           ;;&
         2)
           lanip=4
@@ -72,10 +87,10 @@ while getopts hm:t: opt; do
 done
 shift "$((OPTIND-1))"   # Discard the options and sentinel --
 
-if [[ ! $mac ]] && ! $test; then
+if [[ ! $mac ]] && ! $test && $secrets; then
   # if we wanted to increment it
-  #WIRELESSMAC=${WIRELESSMAC:0: -1}$((${WIRELESSMAC: -1} + 2))
-  mac=$WIRELESSMAC
+  #mac=${mac:0: -1}$((${mac: -1} + 2))
+  mac=${rwmac[$rmac]}
 fi
 
 if (( $# != 0 )); then
@@ -152,15 +167,47 @@ uset() {
   fi
 }
 
+udel() {
+  printf "+ udel %s\n" "$*"
+  local key="$1"
+  local val="$2"
+  local service="${key%%.*}"
+  restart_var=${service}_restart
+  if [[ ! ${!restart_var} ]]; then
+    eval $restart_var=false
+  fi
+  if uci get "$key" &>/dev/null; then
+    v uci set "$key"="$val"
+    uci commit $service
+    eval $restart_var=true
+  fi
+}
+
+
 
 ### network config
 ###
-ssid="check out gnu.org"
 lan=10.0.0.0
 if $test; then
-  ssid="gnuv3"
   lan=10.1.0.0
+elif [[ $hostname == cmc ]]; then
+  lan=10.2.0.0
 fi
+
+if $test; then
+  ssid="gnuv3"
+elif $secrets; then
+  ssid=${rssid[$rmac]}
+fi
+
+: ${ssid:=librecmc}
+
+
+if $secrets; then
+  key=${rkey[$rmac]}
+fi
+: ${key:=pictionary49}
+
 mask=255.255.0.0
 cidr=16
 l=${lan%.0}
@@ -175,6 +222,7 @@ cat /root/router >>/etc/shadow
 uset system.@system[0].ttylogin 1
 
 
+
 cat >/usr/bin/archlike-pxe-mount <<'EOFOUTER'
 #!/bin/bash
 # symlinks are collapsed for nfs mount points, so use a bind mount.
@@ -193,10 +241,83 @@ EOFOUTER
 chmod +x /usr/bin/archlike-pxe-mount
 
 sed -i '/^root:/s,/bin/ash$,/bin/bash,' /etc/passwd
+
+
+
+uset dropbear.@dropbear[0].PasswordAuth 0
+uset dropbear.@dropbear[0].RootPasswordAuth 0
+uset dropbear.@dropbear[0].Port 2220
+if ! cmp -s /root/dropbear_rsa_host_key /etc/dropbear/dropbear_rsa_host_key; then
+  cp /root/dropbear_rsa_host_key /etc/dropbear/dropbear_rsa_host_key
+  dropbear_restart=true
+fi
+
+if $dropbear_restart; then
+  v /etc/init.d/dropbear restart
+fi
+
+
+uset network.lan.ipaddr $l.$lanip
+uset network.lan.netmask $mask
+if $dev2; then
+  uset network.lan.gateway $l.1
+  uset network.wan.proto none
+  uset network.wan6.proto none
+  /etc/init.d/dnsmasq stop
+  /etc/init.d/dnsmasq disable
+  /etc/init.d/odhcpd stop
+  /etc/init.d/odhcpd disable
+  rm -f /etc/resolv.conf
+  cat >/etc/resolv.conf <<'EOF'
+nameserver 8.8.8.8
+nameserver 8.8.4.4
+EOF
+
+  # things i tried to keep dnsmasq running but not enabled except local dns,
+  # but it didnt work right and i dont need it anyways.
+  # uset dhcp.wan.ignore $dev2 # default is false
+  # uset dhcp.lan.ignore $dev2 # default is false
+  # uset dhcp.@dnsmasq[0].interface lo
+  # uset dhcp.@dnsmasq[0].localuse 0
+  # uset dhcp.@dnsmasq[0].resolvfile /etc/dnsmasq.conf
+  # uset dhcp.@dnsmasq[0].noresolv 1
+  # todo: populate /etc/resolv.conf with a static value
+
+else
+  # these are the defaults
+  uset network.lan.gateway ''
+  uset network.wan.proto dhcp
+  uset network.wan6.proto dhcpv6
+  /etc/init.d/dnsmasq start
+  # todo: figure out why this returns 1
+  /etc/init.d/dnsmasq enable ||:
+  /etc/init.d/odhcpd start
+  /etc/init.d/odhcpd enable
+fi
+
+wireless_restart=false
+for x in 0 1; do
+  uset wireless.default_radio$x.ssid "$ssid"
+  uset wireless.default_radio$x.key $key
+  uset wireless.default_radio$x.encryption psk2
+  if [[ $mac ]]; then
+    uset wireless.default_radio$x.macaddr $macpre$((macsuf + 2*x))
+  fi
+  # secondary device has wireless disabled
+  uset wireless.radio$x.disabled $dev2
+done
+
+if $wireless_restart; then
+  v wifi
+fi
+
+
+
 # usb, screen, relay are for libremanage
+# rsync is for brc
 v pi kmod-usb-storage block-mount kmod-fs-ext4 nfs-kernel-server \
   tcpdump openvpn-openssl adblock libusb-compat /root/relay_1.0-1_mips_24kc.ipk \
-  screen kmod-usb-serial-cp210x kmod-usb-serial-ftdi
+  screen kmod-usb-serial-cp210x kmod-usb-serial-ftdi rsync
 
 cat >/etc/libremanage.conf <<EOF
 ${libremanage_host}_type=switch
@@ -275,31 +396,6 @@ EOF
 
 
 
-uset dropbear.@dropbear[0].PasswordAuth 0
-uset dropbear.@dropbear[0].RootPasswordAuth 0
-uset dropbear.@dropbear[0].Port 2220
-if ! cmp -s /root/dropbear_rsa_host_key /etc/dropbear/dropbear_rsa_host_key; then
-  cp /root/dropbear_rsa_host_key /etc/dropbear/dropbear_rsa_host_key
-  dropbear_restart=true
-fi
-
-wireless_restart=false
-key=pictionary49
-for x in 0 1; do
-  uset wireless.default_radio$x.ssid "$ssid"
-  uset wireless.default_radio$x.key $key
-  uset wireless.default_radio$x.encryption psk2
-  if [[ $mac ]]; then
-    uset wireless.default_radio$x.macaddr $macpre$((macsuf + 2*x))
-  fi
-  # secondary device has wireless disabled
-  uset wireless.radio$x.disabled $dev2
-done
-
-if $wireless_restart; then
-  v wifi
-fi
-
 
 ########## openvpn exampl
 ########## missing firewall settings for routing lan
@@ -323,54 +419,76 @@ fi
 #         option config /etc/openvpn/client.conf
 # EOF
 
+wgip4=10.3.0.1/24
+wgip6=fdfd::1/64
+wgport=26000
 
 
 v cedit /etc/config/network <<EOF || v /etc/init.d/network reload
 config 'route' 'transmission'
-        option 'interface' 'lan'
-        option 'target' '10.173.0.0'
-        option 'netmask' '255.255.0.0'
-        option 'gateway' '$l.3'
+ option 'interface' 'lan'
+ option 'target' '10.173.0.0'
+ option 'netmask' '255.255.0.0'
+ option 'gateway' '$l.3'
+
+option interface 'wg0'
+ option proto 'wireguard'
+ option private_key '$(cat /root/wg.key)'
+ option listen_port $wgport
+ list addresses '10.3.0.1/24'
+ list addresses 'fdfd::1/64'
+
+# tp
+config wireguard_wg0 'wgclient'
+ option public_key '3q+WJGrm85r59NgeXOIvppxoW4ux/+koSw6Fee1c1TI='
+ option preshared_key '$(cat /root/wg.psk)'
+ list allowed_ips '10.3.0.2/24'
+ list allowed_ips 'fdfd::2/64'
 EOF
 
-firewall_restart=false
-v cedit /etc/config/firewall <<EOF || firewall_restart=true
 
 
+firewall-cedit() {
+  case $hostname in
+    wrt)
+      v cedit host /etc/config/firewall <<EOF
 config redirect
  option name ssh
  option src              wan
  option src_dport        22
- option dest_ip          $l.8
+ option dest_ip          $l.3
  option dest             lan
-config rule
- option src              wan
- option target           ACCEPT
- option dest_port        22
-
+EOF
+      ;;
+    cmc)
+      v cedit host /etc/config/firewall <<EOF
 config redirect
- option name sshkd
+ option name ssh
  option src              wan
- option src_dport        2202
- option dest_port        22
+ option src_dport        22
  option dest_ip          $l.2
  option dest             lan
+EOF
+      ;;
+  esac
+
+  v cedit /etc/config/firewall <<EOF
 config rule
  option src              wan
  option target           ACCEPT
- option dest_port        2202
+ option dest_port        22
 
 config redirect
- option name sshfrodo
+ option name sshtp
  option src              wan
- option src_dport        2203
+ option src_dport        2202
  option dest_port        22
- option dest_ip          $l.3
+ option dest_ip          $l.8
  option dest             lan
 config rule
  option src              wan
  option target           ACCEPT
- option dest_port        2203
+ option dest_port        2202
 
 config redirect
  option name sshx2
@@ -408,6 +526,17 @@ config rule
  option target           ACCEPT
  option dest_port        2208
 
+config redirect
+ option name icecast
+ option src              wan
+ option src_dport        8000
+ option dest_port        8000
+ option dest_ip          $l.2
+ option dest             lan
+config rule
+ option src              wan
+ option target           ACCEPT
+ option dest_port        8000
 
 config rule
  option name sshwrt
@@ -415,6 +544,13 @@ config rule
  option target           ACCEPT
  option dest_port        2220
 
+config rule
+ option name wg
+ option src              wan
+ option target           ACCEPT
+ option dest_port        $wgport
+ option proto            udp
+
 
 config redirect
  option name vpntp
@@ -511,32 +647,53 @@ config rule
  option target ACCEPT
  option family ipv6
 
-
 EOF
+}
+firewall-cedit || firewall_restart=true
+
+if ! uci get firewall.@zone[1].network | grep wg0 &>/dev/null; then
+  # cant mix cedit plus uci
+  echo | cedit /etc/config/firewall ||:
+  uci add_list firewall.@zone[1].network=wg0
+  uci commit firewall
+  firewall-cedit ||:
+  firewall_restart=true
+fi
 
 
 
-
-dnsmasq_restart=false
 v cedit /etc/hosts <<EOF || dnsmasq_restart=true
-127.0.1.1 wrt
-$l.1 wrt
-$l.2 kd
-$l.3 frodo
-$l.4 wrt2
-$l.5 x2 faiserver
-$l.6 demohost
-$l.7 x3
-$l.8 tp b8.nz
-$l.9 bb8
-$l.14 wrt3
+127.0.1.1 $hostname
+#$l.7 x3
+$l.12 demohost
+$l.13 trp
 72.14.176.105 li
-172.105.84.95 l2
+2600:3c00::f03c:91ff:fe6d:baf8 li
 
 # netns creation looks for next free subnet starting at 10.173, but I only
 # use one, and I would keep this one as the first created.
 10.173.0.2 transmission
 EOF
+case $hostname in
+  cmc)
+    v cedit host /etc/hosts <<EOF || dnsmasq_restart=true
+$l.1 $hostname b8.nz
+$l.2 kd
+#$l.3 frodo
+$l.4 wrt2
+$l.5 x2 faiserver
+$l.6 x2w
+$l.7 rp
+$l.8 tp
+$l.9 bb8
+$l.14 wrt3
+#$l.18 x3
+$l.19 brother
+#$l.28 frodow
+EOF
+    ;;
+esac
+
 
 #mail_host=$(grep -F mail.iankelling.org /etc/hosts | awk '{print $1}')
 # if [[ $mail_host ]]; then
@@ -544,21 +701,19 @@ EOF
 # fi
 
 
-# avoid using the dns servers that my isp tells me about.
-if [[ $(uci get dhcp.@dnsmasq[0].resolvfile 2>/dev/null) ]]; then
-  # default is '/tmp/resolv.conf.auto', we switch to the dnsmasq default of
-  # /etc/resolv.conf. not sure why I did this.
-  v uci delete dhcp.@dnsmasq[0].resolvfile
-  uci commit dhcp
-  dnsmasq_restart=true
-fi
-
 uset dhcp.@dnsmasq[0].domain b8.nz
 uset dhcp.@dnsmasq[0].local /b8.nz/
 uset system.@system[0].hostname $hostname
-
-if [[ $(uci get adblock.global.adb_enabled) != 1 ]]; then
-  v uci set adblock.global.adb_enabled=1
+# uci doesnt seem to have a way to set an empty value,
+# if you delete it, it goes back to the default. this seems
+# to be a decent workaround.
+# todo: setup /etc/resolv.conf to point to 127.0.0.1
+uset dhcp.@dnsmasq[0].resolvfile=/dev/null
+
+# disabled for now. i want to selectively enable it
+# for specific hosts.
+if [[ $(uci get adblock.global.adb_enabled) != 0 ]]; then
+  v uci set adblock.global.adb_enabled=0
   uci commit adblock
   /etc/init.d/adblock restart
 fi
@@ -580,6 +735,8 @@ server=/_domainkey.b8.nz/#
 server=/_dmarc.b8.nz/#
 server=/ns1.b8.nz/#
 server=/ns2.b8.nz/#
+server=/bk.b8.nz/#
+server=/je.b8.nz/#
 mx-host=b8.nz,mail.iankelling.org,10
 txt-record=b8.nz,"v=spf1 a ?all"
 
@@ -626,15 +783,24 @@ dhcp-host=c8:60:00:31:6b:75,set:kd,$l.2,kd
 # top port, iPXE (PCI 04:00.0) in seabios boot menu
 #dhcp-host=c8:60:00:2b:15:07,set:kd,$l.2,kd
 dhcp-host=00:26:18:97:bb:16,set:frodo,$l.3,frodo
-# 4 is reserved for a staticly configured host.
-dhcp-host=00:1f:16:16:39:24,set:x2,$l.5,x2
+# 4 is reserved for a staticly configured host wrt2
+# old x2 with bad fan
+#dhcp-host=00:1f:16:16:39:24,set:x2,$l.5,x2
+dhcp-host=f0:de:f1:81:ec:88,set:x2,$l.5,x2
+dhcp-host=c4:8e:8f:44:f5:63,set:x2w,$l.6,x2w
 # This is so fai can have an explicit name to use for testing,
 # or else any random machine which did a pxe boot would get
 # reformatted. The mac is from doing a virt-install, cancelling it,
 # and copying the generated mac, so it should be randomish.
-dhcp-host=52:54:00:9c:ef:ad,set:demohost,$l.6,demohost
-dhcp-host=00:1f:16:14:01:d8,set:tp,$l.7,x3
+dhcp-host=fa:08:f8:4c:14:1c,set:tp,$l.7,rp
 dhcp-host=80:fa:5b:1c:6e:cf,set:tp,$l.8,tp
+dhcp-host=52:54:00:9c:ef:ad,set:demohost,$l.12,demohost
+dhcp-host=62:03:cb:a8:3e:a3,set:trp,$1.13,trp
+dhcp-host=00:1f:16:14:01:d8,set:tp,$l.18,x3
+# BRN001BA98CA823 in dhcp logs
+dhcp-host=00:1b:a9:8c:a8:23,set:tp,$l.19,brother
+dhcp-host=00:26:b6:f6:0f:e9,set:frodow,$l.28,frodow
+
 
 # faiserver vm
 dhcp-host=52:54:00:56:09:f9,set:faiserver,$l.15,faiserver
@@ -651,25 +817,15 @@ dhcp-host=b4:75:0e:94:29:ca,set:switch9429ca,$l.251,switch9429ca
 # It has no sensitive info.
 enable-tftp=br-lan
 tftp-root=/mnt/usb/tftpboot
+dhcp-optsfile=/etc/dnsmasq-dhcpopts.conf
+
+#log-queries=extra
 EOF
 
-uset network.lan.ipaddr $l.$lanip
-uset network.lan.netmask $mask
-uset dhcp.wan.ignore $dev2 # default is false
-uset dhcp.lan.ignore $dev2 # default is false
-if $dev2; then
-  uset network.lan.gateway $l.1
-  uset network.wan.proto none
-  uset network.wan6.proto none
-else
-  # these are the defaults
-  uset network.lan.gateway ''
-  uset network.wan.proto dhcp
-  uset network.wan6.proto dhcpv6
-fi
 
 
-if $dnsmasq_restart; then
+
+if $dnsmasq_restart && ! $dev2; then
   v /etc/init.d/dnsmasq restart
 fi
 
@@ -678,12 +834,9 @@ if $firewall_restart; then
 fi
 
 
-
+# todo: we should catch errors and still run this if needed
 if $network_restart; then
   reboot
 fi
-if $dropbear_restart; then
-  v /etc/init.d/dropbear restart
-fi
 
 exit 0