X-Git-Url: https://iankelling.org/git/?a=blobdiff_plain;f=wrt-setup-local;h=73eaeba8bdd2cc3462dfd5756d446c17e6578fda;hb=45578de750fb07f7a7f64181e6b3b749ef727725;hp=43628bc8bee6f049a19807c2fc0c549ad45ab01c;hpb=0d7f79362d601b278236cd1c533c7333e342b54a;p=automated-distro-installer

diff --git a/wrt-setup-local b/wrt-setup-local
index 43628bc..73eaeba 100755
--- a/wrt-setup-local
+++ b/wrt-setup-local
@@ -18,23 +18,105 @@
 set -eE -o pipefail
 trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR
 
+
+usage() {
+  cat <<EOF
+usage: ${0##*/} [-h] [-t 2|test] [-m WIRELESS_MAC]
+setup my router in general: dhcp, dns, etc.
+
+Type 2 or 3 is for setting up a backup device, there are two kinds so
+that you can switch the main device to a backup, then a backup to the
+main. Type test is for setting up a testing device.
+
+Passing an empty string for WIRELESS_MAC will cause the device's native
+mac to be used.
+
+EOF
+
+  exit $1
+}
+
+
+dev2=false
+test=false
+hostname=wrt
+libremanage_host=wrt2
+
+lanip=1
+while getopts hm:t: opt; do
+  case $opt in
+    h) usage ;;
+    t)
+      case $2 in
+        2|3)
+          dev2=true
+          libremanage_host=wrt
+          ;;&
+        2)
+          lanip=4
+          hostname=wrt2
+          ;;
+        3)
+          lanip=14
+          hostname=wrt3
+          ;;
+        test)
+          test=true
+          ;;
+        *) echo "$0: unexpected arg to -t: $*" >&2; usage 1 ;;
+      esac
+      ;;
+    m)  mac=$OPTARG ;;
+    *) echo "$0: Internal error! unexpected args: $*" >&2 ; usage 1 ;;
+  esac
+done
+shift "$((OPTIND-1))"   # Discard the options and sentinel --
+
+if [[ ! $mac ]] && ! $test; then
+  # if we wanted to increment it
+  #WIRELESSMAC=${WIRELESSMAC:0: -1}$((${WIRELESSMAC: -1} + 2))
+  mac=$WIRELESSMAC
+fi
+
+if (( $# != 0 )); then
+  usage 1
+fi
+
+
+macpre=${mac:0: -1}
+macsuf=${mac: -1}
+
+
+p_updated=false
 pmirror() {
+  if $p_updated; then
+    return
+  fi
   # background: upgrading all packages is not recommended because it
   # doesn't go into the firmware. build new firmware if you want
   # lots of upgrades. I think /tmp/opkg-lists is a pre openwrt 14 location.
   f=(/var/opkg-lists/*)
   if ! (( $(date -r $f +%s) + 60*60*24 > $(date +%s) )); then
-    opkg update
+    if ! opkg update; then
+      echo "$0: warning: opkg update failed" >&2
+    fi
+    p_updated=true
   fi
 }
 
 pi() {
-  for x in "$@"; do
-    if [[ ! $(opkg list-installed "$x") ]]; then
+  to_install=()
+  for p in "$@"; do
+    pname=${p##*/}
+    pname=${pname%%_*}
+    if [[ ! $(opkg list-installed "$pname") ]]; then
+      to_install+=($p)
       pmirror
-      opkg install "$@"
     fi
   done
+  if [[ $to_install ]]; then
+    opkg install ${to_install[@]}
+  fi
 }
 
 v() {
@@ -42,15 +124,57 @@ v() {
   "$@"
 }
 
+######### uci example:#######
+# # https://wiki.openwrt.org/doc/uci
+# wan_index=$(uci show firewall | sed -rn 's/firewall\.@zone\[([0-9])+\]\.name=wan/\1/p')
+# wan="firewall.@zone[$wan_index]"
+# if [[ $(uci get firewall.@forwarding[0].dest) != $forward_dest ]]; then
+#     # default is wan
+#     v uci set firewall.@forwarding[0].dest=$forward_dest
+#     uci commit firewall
+#     firewall_restart=true
+# fi
+####### end uci example #####
+
+uset() {
+  printf "+ uset %s\n" "$*"
+  local key="$1"
+  local val="$2"
+  local service="${key%%.*}"
+  restart_var=${service}_restart
+  if [[ ! ${!restart_var} ]]; then
+    eval $restart_var=false
+  fi
+  if [[ $(uci get "$key") != "$val" ]]; then
+    v uci set "$key"="$val"
+    uci commit $service
+    eval $restart_var=true
+  fi
+}
+
+
 ### network config
 ###
 ssid="check out gnu.org"
 lan=10.0.0.0
+if $test; then
+  ssid="gnuv3"
+  lan=10.1.0.0
+fi
 mask=255.255.0.0
+cidr=16
 l=${lan%.0}
 
 passwd -l root ||: #already locked fails
 
+sed -ibak '/^root:/d' /etc/shadow
+# /root/router created by manually running passwd then copying the resulting
+# line. We have no mkpasswd on wrt/librecmc, then we scp it in.
+cat /root/router >>/etc/shadow
+# otherwise, serial console gets root login with no password
+uset system.@system[0].ttylogin 1
+
+
 cat >/usr/bin/archlike-pxe-mount <<'EOFOUTER'
 #!/bin/bash
 # symlinks are collapsed for nfs mount points, so use a bind mount.
@@ -68,16 +192,16 @@ done
 EOFOUTER
 chmod +x /usr/bin/archlike-pxe-mount
 
-cat >.profile <<'EOF'
-# changing login shell emits spam on ssh single commands & scp
-    # sed -i 's#/bin/ash$#/bin/bash#' /etc/passwd
-# https://github.com/openwrt/packages/issues/6137
-[ "$BASH_VERSION" != "" ] || exec /bin/bash -i
-EOF
+sed -i '/^root:/s,/bin/ash$,/bin/bash,' /etc/passwd
+# usb, screen, relay are for libremanage
 v pi kmod-usb-storage block-mount kmod-fs-ext4 nfs-kernel-server \
-  tcpdump openvpn-openssl adblock
-
+  tcpdump openvpn-openssl adblock libusb-compat /root/relay_1.0-1_mips_24kc.ipk \
+  screen kmod-usb-serial-cp210x kmod-usb-serial-ftdi
 
+cat >/etc/libremanage.conf <<EOF
+${libremanage_host}_type=switch
+${libremanage_host}_channel=1
+EOF
 
 
 
@@ -98,18 +222,21 @@ mkdir -p /run/parabolaiso/bootmnt
 # wiki says safe to do in case of fstab changes:
 
 ## ian: usb broke on old router. if that happens, can just comment this to disable problems
-echo | cedit /etc/config/fstab ||:
-cedit /etc/config/fstab <<'EOF' || { v block umount; v block mount; }
+# echo | cedit /etc/config/fstab ||:
+v cedit /etc/config/fstab <<EOF || { v block umount; v block mount; }
 config global automount
       option from_fstab 1
       option anon_mount 1
 
 config mount
+# /overlay is an / overlay mount for installing extra packages, etc.
+# https://openwrt.org/docs/guide-user/additional-software/extroot_configuration
       option target	/mnt/usb
+#      option target	/overlay
       option device	/dev/sda1
       option fstype	ext4
       option options	rw,async,noatime,nodiratime
-      option enabled	1
+      option enabled	0
 EOF
 
 
@@ -126,59 +253,50 @@ EOF
 
 
 # exportfs -ra wont cut it when its the same path, but now a bind mount
-cedit /etc/exports <<EOF || v /etc/init.d/nfsd restart ||:
-/mnt/usb  $lan/$netmask(rw,no_root_squash,insecure,sync,no_subtree_check)
+# todo: restart nfs when nfs is enabled?
+#cedit /etc/exports <<EOF || v /etc/init.d/nfsd restart ||:
+cedit /etc/exports <<EOF ||:
+/mnt/usb  $lan/$cidr(rw,no_root_squash,insecure,sync,no_subtree_check)
 # for arch pxe
-/run/archiso/bootmnt	$lan/$netmask(rw,no_root_squash,insecure,sync,no_subtree_check)
-/run/parabolaiso/bootmnt	$lan/$netmask(rw,no_root_squash,insecure,sync,no_subtree_check)
+/run/archiso/bootmnt	$lan/$cidr(rw,no_root_squash,insecure,sync,no_subtree_check)
+/run/parabolaiso/bootmnt	$lan/$cidr(rw,no_root_squash,insecure,sync,no_subtree_check)
 EOF
 
 
-v /etc/init.d/portmap start
-v /etc/init.d/nfsd start
-v /etc/init.d/portmap enable
-v /etc/init.d/nfsd enable
+# todo: enable nfs when we need it only.
+# v /etc/init.d/portmap start
+# v /etc/init.d/nfsd start
+# v /etc/init.d/portmap enable
+# v /etc/init.d/nfsd enable
 
 
 
 
 
 
-######### uci example:#######
-# # https://wiki.openwrt.org/doc/uci
-# wan_index=$(uci show firewall | sed -rn 's/firewall\.@zone\[([0-9])+\]\.name=wan/\1/p')
-# wan="firewall.@zone[$wan_index]"
-# if [[ $(uci get firewall.@forwarding[0].dest) != $forward_dest ]]; then
-#     # default is wan
-#     v uci set firewall.@forwarding[0].dest=$forward_dest
-#     uci commit firewall
-#     firewall_restart=true
-# fi
 
+uset dropbear.@dropbear[0].PasswordAuth 0
+uset dropbear.@dropbear[0].RootPasswordAuth 0
+uset dropbear.@dropbear[0].Port 2220
+if ! cmp -s /root/dropbear_rsa_host_key /etc/dropbear/dropbear_rsa_host_key; then
+  cp /root/dropbear_rsa_host_key /etc/dropbear/dropbear_rsa_host_key
+  dropbear_restart=true
+fi
 
 wireless_restart=false
 key=pictionary49
 for x in 0 1; do
-  if [[ $(uci get wireless.default_radio$x.ssid) != "$ssid" ]]; then
-    v uci set wireless.default_radio$x.ssid="$ssid"
-    wireless_restart=true
-  fi
-  if [[ $(uci get wireless.default_radio$x.key) != $key ]]; then
-    v uci set wireless.default_radio$x.key=$key
-    wireless_restart=true
-  fi
-  if [[ $(uci get wireless.default_radio$x.encryption) != psk2 ]]; then
-    v uci set wireless.default_radio$x.encryption=psk2
-    wireless_restart=true
-  fi
-  if [[ $(uci get wireless.default_radio$x.disabled 2>/dev/null) ]]; then
-    v uci delete wireless.default_radio$x.disabled
-    wireless_restart=true
+  uset wireless.default_radio$x.ssid "$ssid"
+  uset wireless.default_radio$x.key $key
+  uset wireless.default_radio$x.encryption psk2
+  if [[ $mac ]]; then
+    uset wireless.default_radio$x.macaddr $macpre$((macsuf + 2*x))
   fi
+  # secondary device has wireless disabled
+  uset wireless.radio$x.disabled $dev2
 done
 
 if $wireless_restart; then
-  uci commit wireless
   v wifi
 fi
 
@@ -217,78 +335,129 @@ EOF
 
 firewall_restart=false
 v cedit /etc/config/firewall <<EOF || firewall_restart=true
+
+
 config redirect
-    option name ssh
-    option src              wan
-    option src_dport        22
-    option dest_ip          $l.8
-    option dest             lan
+ option name ssh
+ option src              wan
+ option src_dport        22
+ option dest_ip          $l.8
+ option dest             lan
 config rule
-    option src              wan
-    option target           ACCEPT
-    option dest_port        22
+ option src              wan
+ option target           ACCEPT
+ option dest_port        22
 
 config redirect
-    option name sshalt
-    option src              wan
-    option src_dport        2222
-    option dest_port        22
-    option dest_ip          $l.3
-    option dest             lan
+ option name sshalt
+ option src              wan
+ option src_dport        2222
+ option dest_port        22
+ option dest_ip          $l.3
+ option dest             lan
 config rule
-    option src              wan
-    option target           ACCEPT
-    option dest_port        2222
+ option src              wan
+ option target           ACCEPT
+ option dest_port        2222
+
+config rule
+ option src              wan
+ option target           ACCEPT
+ option dest_port        2220
+
 
 config redirect
-    option src              wan
-    option src_dport        443
-    option dest             lan
-    option dest_ip          $l.8
-    option proto            tcp
+ option src              wan
+ option src_dport        443
+ option dest             lan
+ option dest_ip          $l.8
+ option proto            tcp
 config rule
-    option src              wan
-    option target           ACCEPT
-    option dest_port        443
-    option proto            tcp
+ option src              wan
+ option target           ACCEPT
+ option dest_port        443
+ option proto            tcp
 
 config redirect
-    option src              wan
-    option src_dport        1196
-    option dest             lan
-    option dest_ip          $l.8
-    option proto            udp
+ option src              wan
+ option src_dport        1196
+ option dest             lan
+ option dest_ip          $l.8
+ option proto            udp
 config rule
-    option src              wan
-    option target           ACCEPT
-    option dest_port        1196
-    option proto            udp
+ option src              wan
+ option target           ACCEPT
+ option dest_port        1196
+ option proto            udp
 
 
 config redirect
-    option src              wan
-    option src_dport        80
-    option dest             lan
-    option dest_ip          $l.8
-    option proto            tcp
+ option src              wan
+ option src_dport        80
+ option dest             lan
+ option dest_ip          $l.8
+ option proto            tcp
 config rule
-    option src              wan
-    option target           ACCEPT
-    option dest_port        80
-    option proto            tcp
+ option src              wan
+ option target           ACCEPT
+ option dest_port        80
+ option proto            tcp
 
 config redirect
-    option name syncthing
-    option src              wan
-    option src_dport        22001
-    option dest_ip          $l.8
-    option dest             lan
+ option name syncthing
+ option src              wan
+ option src_dport        22001
+ option dest_ip          $l.8
+ option dest             lan
 config rule
-    option src              wan
-    option target           ACCEPT
-    option dest_port        22001
+ option src              wan
+ option target           ACCEPT
+ option dest_port        22001
 
 
+config rule
+ option name ssh-ipv6
+ option src wan
+ option dest lan
+ # note, using mac transform, we could allow all traffic to a host like this,
+ # replacing 1 as appropriate
+ #option dest_ip ::111:11ff:fe11:1111/::ffff:ffff:ffff:ffff
+ option dest_port 22
+ option target ACCEPT
+ option family ipv6
+
+config rule
+ option name http-ipv6
+ option src wan
+ option dest lan
+ option dest_port 80
+ option target ACCEPT
+ option family ipv6
+
+config rule
+ option name http-ipv6
+ option src wan
+ option dest lan
+ option dest_port 80
+ option target ACCEPT
+ option family ipv6
+
+config rule
+ option name node-exporter
+ option src wan
+ option dest lan
+ option dest_port 9101
+ option target ACCEPT
+ option family ipv6
+
+config rule
+ option name mail587-ipv6
+ option src wan
+ option dest lan
+ option dest_port 587
+ option target ACCEPT
+ option family ipv6
+
 
 EOF
 
@@ -296,28 +465,26 @@ EOF
 
 
 dnsmasq_restart=false
-mail_host=$(grep -F mail.iankelling.org /etc/hosts | awk '{print $1}')
 v cedit /etc/hosts <<EOF || dnsmasq_restart=true
 127.0.1.1 wrt
 $l.1 wrt
 $l.2 kd
 $l.3 frodo
-$l.4 htpc
+$l.4 wrt2
 $l.5 x2
 $l.6 demohost
-#$l.7 faiserver
-$l.8 tp faiserver b8.nz
-$l.9 n5
-$l.10 so
-$l.12 fz
+$l.7 x3
+$l.8 tp b8.nz faiserver
+$l.9 bb8
+$l.14 wrt3
 72.14.176.105 li
-45.33.9.11 lj
-138.68.10.24 dopub
+
 # netns creation looks for next free subnet starting at 10.173, but I only
 # use one, and I would keep this one as the first created.
 10.173.0.2 transmission
 EOF
 
+#mail_host=$(grep -F mail.iankelling.org /etc/hosts | awk '{print $1}')
 # if [[ $mail_host ]]; then
 #     sed -i '/^$mail_host/a mail.iankelling.org' /etc/hosts
 # fi
@@ -332,22 +499,9 @@ if [[ $(uci get dhcp.@dnsmasq[0].resolvfile 2>/dev/null) ]]; then
   dnsmasq_restart=true
 fi
 
-if [[ $(uci get dhcp.@dnsmasq[0].domain) != b8.nz ]]; then
-  v uci set dhcp.@dnsmasq[0].domain=b8.nz
-  uci commit dhcp
-  dnsmasq_restart=true
-fi
-if [[ $(uci get dhcp.@dnsmasq[0].local) != /b8.nz/ ]]; then
-  v uci set dhcp.@dnsmasq[0].local=/b8.nz/
-  uci commit dhcp
-  dnsmasq_restart=true
-fi
-
-if [[ $(uci get system.@system[0].hostname) != wrt ]]; then
-  v uci set system.@system[0].hostname=wrt
-  uci commit system
-fi
-
+uset dhcp.@dnsmasq[0].domain b8.nz
+uset dhcp.@dnsmasq[0].local /b8.nz/
+uset system.@system[0].hostname $hostname
 
 if [[ $(uci get adblock.global.adb_enabled) != 1 ]]; then
   v uci set adblock.global.adb_enabled=1
@@ -367,6 +521,12 @@ EOF
 # to start.
 mkdir -p /mnt/usb/tftpboot
 v cedit /etc/dnsmasq.conf <<EOF || dnsmasq_restart=true
+server=/dmarctest.b8.nz/#
+server=/_domainkey.b8.nz/#
+server=/_dmarc.b8.nz/#
+mx-host=b8.nz,mail.iankelling.org,10
+txt-record=b8.nz,"v=spf1 a ?all"
+
 
 # https://ret2got.wordpress.com/2018/01/19/how-your-ethereum-can-be-stolen-using-dns-rebinding/
 stop-dns-rebind
@@ -410,18 +570,20 @@ dhcp-host=c8:60:00:31:6b:75,set:kd,$l.2,kd
 # top port, iPXE (PCI 04:00.0) in seabios boot menu
 #dhcp-host=c8:60:00:2b:15:07,set:kd,$l.2,kd
 dhcp-host=00:26:18:97:bb:16,set:frodo,$l.3,frodo
-dhcp-host=10:78:d2:da:29:22,set:htpc,$l.4,htpc
+# 4 is reserved for a staticly configured host.
 dhcp-host=00:1f:16:16:39:24,set:x2,$l.5,x2
-#dhcp-host=00:c0:ca:27:e9:b2,set:x2w,$l.11,x2w
-#wireless interface
-# this is so fai can have an explicit name to use for testing,
+# This is so fai can have an explicit name to use for testing,
 # or else any random machine which did a pxe boot would get
 # reformatted. The mac is from doing a virt-install, cancelling it,
 # and copying the generated mac, so it should be randomish.
 dhcp-host=52:54:00:9c:ef:ad,set:demohost,$l.6,demohost
-#dhcp-host=52:54:00:56:09:f9,set:faiserver,$l.7,faiserver
+dhcp-host=00:1f:16:14:01:d8,set:tp,$l.7,x3
 dhcp-host=80:fa:5b:1c:6e:cf,set:tp,$l.8,tp
-# this is the ip it picks by default if dhcp fails,
+
+# faiserver vm
+dhcp-host=52:54:00:56:09:f9,set:faiserver,$l.15,faiserver
+
+# This is the ip it picks by default if dhcp fails,
 # so might as well use it.
 # hostname is the name it uses according to telnet
 dhcp-host=b4:75:0e:94:29:ca,set:switch9429ca,$l.251,switch9429ca
@@ -435,6 +597,22 @@ enable-tftp=br-lan
 tftp-root=/mnt/usb/tftpboot
 EOF
 
+uset network.lan.ipaddr $l.$lanip
+uset network.lan.netmask $mask
+uset dhcp.wan.ignore $dev2 # default is false
+uset dhcp.lan.ignore $dev2 # default is false
+if $dev2; then
+  uset network.lan.gateway $l.1
+  uset network.wan.proto none
+  uset network.wan6.proto none
+else
+  # these are the defaults
+  uset network.lan.gateway ''
+  uset network.wan.proto dhcp
+  uset network.wan6.proto dhcpv6
+fi
+
+
 if $dnsmasq_restart; then
   v /etc/init.d/dnsmasq restart
 fi
@@ -444,19 +622,12 @@ if $firewall_restart; then
 fi
 
 
-reboot=false
-if [[ $(uci get network.lan.ipaddr) != $l.1 ]]; then
-  v uci set network.lan.ipaddr=$l.1
-  uci commit network
-  reboot=true
-fi
-if [[ $(uci get network.lan.netmask) != $mask ]]; then
-  v uci set network.lan.netmask=$mask
-  uci commit network
-  reboot=true
-fi
 
-if $reboot; then
+if $network_restart; then
   reboot
 fi
+if $dropbear_restart; then
+  v /etc/init.d/dropbear restart
+fi
+
 exit 0