X-Git-Url: https://iankelling.org/git/?a=blobdiff_plain;f=wrt-setup-local;h=39321173d639f6295e1309cdafe2d296779e387f;hb=1d15a0e7a8a4e854d52e266947c37ed61af63bcc;hp=cda21df9229b2042b138acdd147ca10417bceb08;hpb=53b932c6f960b7f4a9bd2171cdfd630304f15fd8;p=automated-distro-installer diff --git a/wrt-setup-local b/wrt-setup-local index cda21df..3932117 100755 --- a/wrt-setup-local +++ b/wrt-setup-local @@ -16,9 +16,7 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. -set -eE -o pipefail -trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR - +f=/usr/local/lib/bash-bear;test -r $f || { echo "error: $0 no $f" >&2;exit 1;}; . $f usage() { cat <&2; usage 1 ;; esac ;; @@ -94,12 +98,17 @@ shift "$((OPTIND-1))" # Discard the options and sentinel -- if [[ $1 ]]; then h=$1 - hostname=$h +elif [[ $hostname ]]; then + h=$hostname else h=cmc +fi + +if [[ ! $hostname ]]; then hostname=$h fi + secrets=false if [[ -e /root/router-secrets ]]; then secrets=true @@ -211,7 +220,7 @@ cedit() { lan=10.0.0.0 if $test; then lan=10.1.0.0 -elif [[ $hostname == cmc ]]; then +elif [[ $hostname == cmc || $hostname == cmcap ]]; then lan=10.2.0.0 elif $client; then lan=10.3.0.0 @@ -235,7 +244,8 @@ mask=255.255.0.0 cidr=16 l=${lan%.0} -passwd -l root ||: #already locked fails +# why did we lock this? i don't know +#passwd -l root ||: #already locked fails sed -ibak '/^root:/d' /etc/shadow # /root/router created by manually running passwd then copying the resulting @@ -282,8 +292,8 @@ fi uset network.lan.ipaddr $l.$lanip uset network.lan.netmask $mask -if $dev2 || $client; then - if $dev2; then +if $dev2 || $client || $ap; then + if $dev2 || $ap; then uset network.lan.gateway $l.1 uset network.wan.proto none uset network.wan6.proto none 
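Review bot: With `set -eE -o pipefail` and the ERR trap removed in favour of `. $f` for `/usr/local/lib/bash-bear`, whether unchecked failures still abort this script is no longer visible in the file; the sourced library is not in the diff, and later steps such as the `sed -ibak '/^root:/d' /etc/shadow` edit depend on it. If bash-bear is expected to provide the same options, a comment on the new line stating that, e.g. `# bash-bear sets -eE -o pipefail and the ERR trap`, lets a reader verify the assumption; otherwise keep `set -eE -o pipefail` immediately after the source line. Quoting the path, `test -r "$f"` and `. "$f"`, costs nothing and matches the rest of the script.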
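Review bot: In the hostname hunk (`@@ -94,12 +98,17 @@`), dropping `hostname=$h` from the `[[ $1 ]]` branch means that when a positional hostname and a pre-set `$hostname` (presumably from an option in the getopts block above, which is outside this hunk) are both given, `h` takes the positional value while `hostname` keeps the other, and the two names diverge for the rest of the script (`$hostname` drives the `lan=` selection, `h` is used elsewhere). If that precedence is intended, a comment such as `# positional arg sets h only; -h style hostname wins for $hostname` would record it; if not, the old assignment should stay in that branch.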
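Review bot: Commenting out `passwd -l root ||:` while keeping `sed -ibak '/^root:/d' /etc/shadow` on the next line removes the one defensive step covering the window between deleting root's shadow entry and appending the replacement copied from /root/router (per the following comment; that step is outside the hunk), so a script abort in between leaves root with no shadow entry at all. If the lock is genuinely redundant, replace `# why did we lock this? i don't know` with the reason, e.g. `# no lock needed: the root entry is deleted below and replaced from /root/router in one go`; otherwise keep the lock. The `-ibak` suffix also leaves `/etc/shadowbak` holding the previous root hash; worth noting in a comment whether that backup is wanted and what mode it ends up with.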
@@ -293,10 +303,16 @@ if $dev2 || $client; then /etc/init.d/odhcpd stop /etc/init.d/odhcpd disable rm -f /etc/resolv.conf - cat >/etc/resolv.conf <<'EOF' + if $ap; then + cat >/etc/resolv.conf </etc/resolv.conf <<'EOF' nameserver 8.8.8.8 nameserver 8.8.4.4 EOF + fi # things i tried to keep dnsmasq running but not enabled except local dns, # but it didnt work right and i dont need it anyways. @@ -348,7 +364,7 @@ else if [[ $mac ]]; then uset wireless.default_radio$x.macaddr $macpre$((macsuf + 2*x)) fi - # secondary device has wireless disabled + # disable/enable. secondary device has wireless disabled uset wireless.radio$x.disabled $dev2 done fi @@ -366,12 +382,15 @@ EOF uset wireless.radio0.disassoc_low_ack 0 uset wireless.radio1.disassoc_low_ack 0 fi -case $HOSTNAME in - cmc) - # found with https://openwrt.org/docs/guide-user/network/wifi/iwchan - uset wireless.radio0.channel 11 - ;; -esac + + +# found with https://openwrt.org/docs/guide-user/network/wifi/iwchan. +# However, the default also chooses 11, and better to let it choose in case things change. +# case $HOSTNAME in +# cmc) +# uset wireless.radio0.channel 11 +# ;; +# esac # usb, screen, relay are for libremanage @@ -379,8 +398,29 @@ esac # # relay package temporarily disabled # /root/relay_1.0-1_mips_24kc.ipk -v pi tcpdump screen rsync unbound-daemon unbound-checkconf \ - kmod-usb-storage block-mount kmod-fs-ext4 +# +# note: prometheus-node-exporter-lua-openwrt seems to be a dependency of +# prometheus-node-exporter-lua in practice. + +pkgs=( + tcpdump + screen + rsync + kmod-usb-storage + block-mount + kmod-fs-ext4 + prometheus-node-exporter-lua-openwrt + prometheus-node-exporter-lua +) + +if ! $ap; then + pkgs+=( + unbound-daemon + unbound-checkconf + ) +fi + +v pi "${pkgs[@]}" # nfs-kernel-server \ # openvpn-openssl adblock libusb-compat \ # kmod-usb-serial-cp210x kmod-usb-serial-ftdi \ 
@@ -458,7 +498,17 @@ EOF # v /etc/init.d/nfsd enable +cedit /etc/config/prometheus-node-exporter-lua <<'EOF' || /etc/init.d/prometheus-node-exporter-lua restart +config prometheus-node-exporter-lua 'main' + option listen_ipv6 '0' + option listen_interface 'lan' + option listen_port '9100 +EOF +# default, as of this writing is: +# config prometheus-node-exporter-lua 'main' +# option listen_interface 'loopback' +# option listen_port '9100' @@ -502,9 +552,9 @@ fi cedit /etc/config/network </dev/null; then # # cant mix cedit plus uci @@ -880,14 +1038,15 @@ uset dhcp.@dnsmasq[0].local # note: tried this, it didn't do anything: # uset dhcp.@odhcpd[0].dns 10.2.0.1 -# iank, disabled while debugging. +# iank, disablde while debugging. #/etc/init.d/odhcpd stop #/etc/init.d/odhcpd disable # todo: make the above conditional on which server this is. +## left commented in case we have ipv6 problems in the future # avoid errors in log. current isp doesnt have ipv6 -uset unbound.@unbound[0].protocol ip4_only +#uset unbound.@unbound[0].protocol ip4_only # todo: im not sure all these are needed, but they all look # like good options. @@ -907,8 +1066,9 @@ uset unbound.@unbound[0].protocol ip4_only # to: # procd_set_param command $PROG -vvv -d -c $UB_TOTAL_CONF -{ - cat <<'EOF' +if ! $ap; then + { + cat <<'EOF' do-tcp: yes prefetch: yes qname-minimisation: yes 
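Review bot: The new prometheus-node-exporter-lua config has an unterminated quote in `option listen_port '9100` (the defaults comment right below shows the intended `option listen_port '9100'`), so the here-doc, which is quoted and therefore written literally, feeds UCI a malformed option line. Fix the line to `option listen_port '9100'`. Separately, `listen_interface 'lan'` moves the exporter from `loopback` to the whole LAN, and the `$ap` case later in this diff also disables the firewall; a one-line comment stating that unauthenticated LAN exposure of the metrics port is intended would keep the next reader from treating it as an oversight.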
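Review bot: The `@@ -880,14 +1038,15 @@` hunk introduces a typo in the comment it rewrites, `# iank, disablde while debugging.`; it should read `# iank, disabled while debugging.`. The comment added above the now-commented `uset unbound.@unbound[0].protocol ip4_only` reads fine.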
@@ -920,51 +1080,75 @@ local-zone: "10.in-addr.arpa." transparent access-control-view: 10.2.0.31/32 "youtube" EOF - if $zblock; then - cat <<'EOF' -# amy, amyw, samsungtab -access-control-view: 10.2.0.8/32 "youtube" -access-control-view: 10.2.0.23/32 "youtube" + if $zblock; then + cat <<'EOF' +# no sy until that dongle is used by ziva + +# syw +#access-control-view: 10.2.0.7/32 "youtube" +# bow +access-control-view: 10.2.0.29/32 "youtube" +# samsungtab access-control-view: 10.2.0.32/32 "youtube" EOF - fi -} | cedit /etc/unbound/unbound_srv.conf || restart_unbound=true + fi + } | cedit /etc/unbound/unbound_srv.conf || unbound_restart=true -# dns based blocking vs ip based. with ip, same -# server can have multiple domains. in dns, -# you have to make sure clients to use the local dns. -# https dns will need to be blocked by ip in -# order to be comprehensive + # dns based blocking vs ip based. with ip, same + # server can have multiple domains. in dns, + # you have to make sure clients to use the local dns. + # https dns will need to be blocked by ip in + # order to be comprehensive + + cedit /etc/unbound/unbound_ext.conf <&2 - exit 1 + if $unbound_restart; then + /etc/init.d/unbound restart + if ! unbound-checkconf; then + echo $0: error: unbound-checkconf failed >&2 + exit 1 + fi fi -fi - +fi # end if $ap # # disabled for now. i want to selectively enable it # # for specific hosts. 
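Review bot: Inside the new `if $unbound_restart` block, `/etc/init.d/unbound restart` runs before `unbound-checkconf`, so a bad unbound_srv.conf or unbound_ext.conf is already live (or the resolver already down) by the time the script notices and exits 1; whether or not that order predates this commit, re-indenting it is a good moment to swap it. Run the check first, `if ! unbound-checkconf; then echo "$0: error: unbound-checkconf failed" >&2; exit 1; fi`, and only then `/etc/init.d/unbound restart`. Quoting the echo argument as shown also keeps `$0` from being word-split. The enclosing `if ! $ap` block opens outside this hunk.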
@@ -1026,8 +1210,13 @@ rebind-domain-ok=b8.nz # It is default if dnsmasq is doing dns, otherwise, we have to specify it. # To see it in action, I ran this from a client machine: # sudo dhcpcd -o domain_name_servers -T -dhcp-option=6,$l.1 +dhcp-option=option:dns-server,$l.1 +# use this when doing fai to get the right timezone, its nfsroot is +# setup to use this dhcp option only and call ntpdate. +# generate ips with: +# for h in 0.ubuntu.pool.ntp.org 1.ubuntu.pool.ntp.org ntp.ubuntu.com; do host -t a $h | awk '{print $NF}'; done | while read -r l; do printf ,$l; done +dhcp-option=option:ntp-server,188.165.3.28,202.12.97.45,91.236.251.13,50.205.244.23,78.30.254.80,31.131.0.123,202.65.114.202,94.228.220.14,185.125.190.57,185.125.190.58,91.189.91.157,185.125.190.56,91.189.94.4 # results from googling around dnsmasq optimizations 
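Review bot: The new `dhcp-option=option:ntp-server,...` line hard-codes thirteen addresses resolved from pool.ntp.org and ntp.ubuntu.com at authoring time; pool members rotate, so these will gradually point at hosts no longer serving the pool, and clients relying on this option for time (the comment says the fai nfsroot uses only this) will fail or sync from whatever now holds the address. The generating command is already in the comment; add the generation date next to it, e.g. `# generated <date generated>; pool members rotate, regenerate when clients report ntp failures`, so staleness is visible.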
@@ -1070,23 +1259,24 @@ server=10.2.0.1 # default dhcp range is 100-150 # bottom port, iPXE (PCI 03:00.0) in seabios boot menu dhcp-host=c8:60:00:31:6b:75,set:kd,$l.2,kd -dhcp-host=94:05:bb:1e:2c:2e,set:sy,$l.3,sy +#dhcp-host=94:05:bb:1e:2c:2e,set:bo,$l.38,bo # top port, iPXE (PCI 04:00.0) in seabios boot menu #dhcp-host=c8:60:00:2b:15:07,set:kd,$l.2,kd # 4 is reserved for a staticly configured host wrt2 -# old x2 with bad fan -#dhcp-host=00:1f:16:16:39:24,set:x2,$l.5,x2 -dhcp-host=f0:de:f1:81:ec:88,set:x2,$l.5,x2 -dhcp-host=c4:8e:8f:44:f5:63,set:x2w,$l.6,x2w -dhcp-host=34:7d:f6:ed:ec:07,set:syw,$l.7,syw + + +dhcp-host=c4:8e:8f:60:63:cb,set:x2w,$l.6,x2w +dhcp-host=10:51:07:f5:f1:b8,set:syw,$l.7,syw dhcp-host=80:fa:5b:1c:6e:cf,set:amy,$l.8,amy -# This is so fai can have an explicit name to use for testing, -# or else any random machine which did a pxe boot would get -# reformatted. The mac is from doing a virt-install, cancelling it, -# and copying the generated mac, so it should be randomish. -dhcp-host=52:54:00:9c:ef:ad,set:demohost,$l.12,demohost -dhcp-host=62:03:cb:a8:3e:a3,set:trp,$1.13,trp +dhcp-host=a0:ce:c8:9f:7a:f3,set:sy,$l.12,sy +# alternate dongle +#dhcp-host=94:05:bb:1e:2c:2e,set:sy,$l.12,sy +dhcp-host=00:1f:16:16:39:24,set:x2,$l.13,x2 + +## for using different dhcp server +#dhcp-host=52:54:00:9c:ef:ad,ignore # 14 = wrt3 +dhcp-host=ac:d1:b8:5c:eb:d7,set:x3w,$l.17,x3w dhcp-host=00:1f:16:14:01:d8,set:x3,$l.18,x3 # BRN001BA98CA823 in dhcp logs dhcp-host=00:1b:a9:8c:a8:23,set:brother,$l.19,brother 
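Review bot: The MAC `94:05:bb:1e:2c:2e` is now added twice as a commented entry with different tags and addresses, `#dhcp-host=94:05:bb:1e:2c:2e,set:bo,$l.38,bo` near the top of the hunk and `#dhcp-host=94:05:bb:1e:2c:2e,set:sy,$l.12,sy` under `# alternate dongle`, while `$l.12` is also in active use by `a0:ce:c8:9f:7a:f3`. Uncommenting either later would create a duplicate dhcp-host for the MAC or a duplicate address; keep one of the two and drop the other, or say in the comment which one is the intended fallback.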
@@ -1094,34 +1284,46 @@ dhcp-host=00:1b:a9:8c:a8:23,set:brother,$l.19,brother dhcp-host=00:26:b6:f7:d4:d8,set:amyw,$l.23,amyw dhcp-host=9a:c6:52:6f:ce:7c,set:onep9,$l.24,onep9 dhcp-host=38:63:bb:07:5a:f9,set:hp,$l.25,hp -dhcp-host=00:26:b6:f6:0f:e9,set:frodow,$l.28,frodow +dhcp-host=14:dd:a9:d5:31:7a,set:frodo,$l.28,frodo +#dhcp-host=00:26:b6:f6:0f:e9,set:frodow,$l.28,frodow +dhcp-host=70:a6:cc:3a:bb:b4,set:bow,$l.29,bow dhcp-host=6c:56:97:88:7b:74,set:amazontab,$l.31,amazontab dhcp-host=0a:8a:9b:cf:b5:ec,set:samsungtab,$l.32,samsungtab +# server d16: +dhcp-host=38:2c:4a:c9:33:13,set:bigs,$l.48,bigs +dhcp-host=e4:5f:01:07:50:40,set:pi4,$l.49,pi4 +dhcp-host=e4:5f:01:07:50:3f,set:pi4w,$l.50,pi4w +# samsung phone +dhcp-host=a8:79:8d:71:54:68,set:s22,$l.52,s22 +# This is so fai can have an explicit name to use for testing, +# or else any random machine which did a pxe boot would get +# reformatted. The mac is from doing a virt-install, cancelling it, +# and copying the generated mac, so it should be randomish. +dhcp-host=52:54:00:9c:ef:ad,set:demohost,$l.88,demohost # faiserver vm -dhcp-host=52:54:00:56:09:f9,set:faiserver,$l.15,faiserver - -# This is the ip it picks by default if dhcp fails, -# so might as well use it. -# hostname is the name it uses according to telnet -dhcp-host=b4:75:0e:94:29:ca,set:switch9429ca,$l.251,switch9429ca +#dhcp-host=52:54:00:56:09:f9,set:faiserver,$l.15,faiserver # template # dhcp-host=,$l., -# uncomment to do tftpboot. openwrt snapshot from 2022-01, seems like it cant -# access /mnt/usb/tftpboot due to some jail or sandbox thing +# pxe tftpboot for arch-like. todo: openwrt snapshot from 2022-01, it cant +# access /mnt/usb/tftpboot due to ujail sandbox #enable-tftp=br-lan #tftp-root=/mnt/usb/tftpboot -#dhcp-optsfile=/etc/dnsmasq-dhcpopts.conf +#tftp-root=/var/run/dnsmasq/tftpboot + +dhcp-optsfile=/var/run/dnsmasq/dhcpopts.conf + +# for debugging dhcp #log-queries=extra EOF -if $dnsmasq_restart && ! $dev2; then +if $dnsmasq_restart && ! 
$dev2 && ! $ap; then # todo: can our ptr records be put in /etc/hosts? # eg: user normal /etc/hosts records, and they wont be used for A resolution # due to the other settings, but will be used for ptr? then maybe @@ -1138,10 +1340,18 @@ if $dnsmasq_restart && ! $dev2; then v /etc/init.d/dnsmasq restart fi -if $firewall_restart; then +if $ap; then + v /etc/init.d/firewall disable + v /etc/init.d/firewall stop +elif $firewall_restart; then v /etc/init.d/firewall restart fi +## turn off luci +# if already stopped, gives error we want to ignore +/etc/init.d/uhttpd stop |& sed '1{/^Command failed/d}' +/etc/init.d/uhttpd disable |& sed '1{/^Command failed/d}' + # this may just restart the network and take care of the network_restart below. if $wireless_restart; then v wifi @@ -1152,4 +1362,4 @@ if $network_restart; then reboot fi -exit 0 +v exit 0
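Review bot: `dhcp-optsfile=/var/run/dnsmasq/dhcpopts.conf` is now active and points into a runtime directory, but nothing in this diff creates that file, and the old commented path was under /etc. Whatever writes it at boot or before `dnsmasq restart` should be named in a comment, e.g. `# written by <script that writes it> before dnsmasq starts`; if the file is absent at start-up dnsmasq may refuse to start, which I have not verified here. The here-doc this line sits in begins outside the hunk.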
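Review bot: `/etc/init.d/uhttpd stop |& sed '1{/^Command failed/d}'` hides the message but not the failure the comment says to ignore: without pipefail the pipeline's status is sed's, so any stop/disable error is silently dropped, and with pipefail (which bash-bear may set, since this file no longer does) the script aborts on exactly the already-stopped case. Make the intent explicit with the idiom already used in this file, `/etc/init.d/uhttpd stop |& sed '1{/^Command failed/d}' ||:`, and likewise for the `disable` line. On the `$ap` branch, `firewall disable`/`stop` leaves every listening service unfiltered, including the node exporter bound to `lan` earlier in this diff; since the same diff sets `network.wan.proto none` for the ap, that is presumably intended, but a comment such as `# ap has no wan interface, so no firewall` would record why it is safe.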