X-Git-Url: https://iankelling.org/git/?a=blobdiff_plain;f=wrt-setup-local;h=d900897993b2d7503c41e9b3620229e9f4621c10;hb=739efea3642e2f8a7a672c4600da152a27bedf1a;hp=4cf186b44bf6c46047274096cde70e74c4ff42c1;hpb=c47175685b348735b3440e16851dde2cc39b6f3f;p=automated-distro-installer

diff --git a/wrt-setup-local b/wrt-setup-local
index 4cf186b..d900897 100755
--- a/wrt-setup-local
+++ b/wrt-setup-local
@@ -15,26 +15,139 @@
 # along with this program; if not, write to the Free Software
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
 
+
 set -eE -o pipefail
 trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR
 
+
+usage() {
+  cat <<EOF
+usage: ${0##*/} [-h] [-t 2|3|test|client] [-m WIRELESS_MAC]
+setup my router in general: dhcp, dns, etc.
+
+Type 2 or 3 is for setting up a backup device, there are two kinds so
+that you can switch the main device to a backup, then a backup to the
+main. Type test is for setting up a testing device.
+
+Passing an empty string for WIRELESS_MAC, or if none is defined in the
+secrets file, will cause the device's native mac to be used.
+
+EOF
+
+  exit $1
+}
+
+
+secrets=false
+if [[ -e /root/router-secrets ]]; then
+  secrets=true
+  source /root/router-secrets
+fi
+rmac=$(cat /sys/class/net/eth0/address)
+if $secrets; then
+  hostname=${rhost[$rmac]}
+fi
+: ${hostname:=wrt}
+
+
+zblock=false
+if [[ -e /root/zblock ]]; then
+  zblock=true
+fi
+
+dnsmasq_restart=false
+unbound_restart=false
+firewall_restart=false
+dev2=false
+test=false
+client=false
+libremanage_host=wrt2
+lanip=1
+while getopts hm:t:yz opt; do
+  case $opt in
+    h) usage ;;
+    t)
+      case $2 in
+        2|3)
+          dev2=true
+          libremanage_host=$hostname
+          ;;&
+        2)
+          lanip=4
+          hostname=wrt2
+          ;;
+        3)
+          lanip=14
+          hostname=wrt3
+          ;;
+        test)
+          test=true
+          ;;
+        client)
+          client=true
+          ;;
+        *) echo "$0: unexpected arg to -t: $*" >&2; usage 1 ;;
+      esac
+      ;;
+    y)
+      zblock=false
+      rm -f /root/zblock
+      ;;
+    z)
+      zblock=true
+      touch /root/zblock
+      ;;
+    m)  mac=$OPTARG ;;
+    *) echo "$0: Internal error! unexpected args: $*" >&2 ; usage 1 ;;
+  esac
+done
+shift "$((OPTIND-1))"   # Discard the options and sentinel --
+
+if [[ ! $mac ]] && ! $test && $secrets; then
+  # if we wanted to increment it
+  #mac=${mac:0: -1}$((${mac: -1} + 2))
+  mac=${rwmac[$rmac]}
+fi
+
+if (( $# != 0 )); then
+  usage 1
+fi
+
+
+macpre=${mac:0: -1}
+macsuf=${mac: -1}
+
+
+p_updated=false
 pmirror() {
+  if $p_updated; then
+    return
+  fi
   # background: upgrading all packages is not recommended because it
   # doesn't go into the firmware. build new firmware if you want
   # lots of upgrades. I think /tmp/opkg-lists is a pre openwrt 14 location.
   f=(/var/opkg-lists/*)
   if ! (( $(date -r $f +%s) + 60*60*24 > $(date +%s) )); then
-    opkg update
+    if ! opkg update; then
+      echo "$0: warning: opkg update failed" >&2
+    fi
+    p_updated=true
   fi
 }
 
 pi() {
-  for x in "$@"; do
-    if [[ ! $(opkg list-installed "$x") ]]; then
+  to_install=()
+  for p in "$@"; do
+    pname=${p##*/}
+    pname=${pname%%_*}
+    if [[ ! $(opkg list-installed "$pname") ]]; then
+      to_install+=($p)
       pmirror
-      opkg install "$@"
     fi
   done
+  if [[ $to_install ]]; then
+    opkg install ${to_install[@]}
+  fi
 }
 
 v() {
@@ -42,41 +155,216 @@ v() {
   "$@"
 }
 
+######### uci example:#######
+# # https://wiki.openwrt.org/doc/uci
+# wan_index=$(uci show firewall | sed -rn 's/firewall\.@zone\[([0-9])+\]\.name=wan/\1/p')
+# wan="firewall.@zone[$wan_index]"
+# if [[ $(uci get firewall.@forwarding[0].dest) != $forward_dest ]]; then
+#     # default is wan
+#     v uci set firewall.@forwarding[0].dest=$forward_dest
+#     uci commit firewall
+#     firewall_restart=true
+# fi
+####### end uci example #####
+
+uset() {
+  printf "+ uset %s\n" "$*"
+  local key="$1"
+  local val="$2"
+  local service="${key%%.*}"
+  restart_var=${service}_restart
+  if [[ ! ${!restart_var} ]]; then
+    eval $restart_var=false
+  fi
+  if [[ $(uci get "$key") != "$val" ]]; then
+    v uci set "$key"="$val"
+    uci commit $service
+    eval $restart_var=true
+  fi
+}
+
+udel() {
+  printf "+ udel %s\n" "$*"
+  local key="$1"
+  local val="$2"
+  local service="${key%%.*}"
+  restart_var=${service}_restart
+  if [[ ! ${!restart_var} ]]; then
+    eval $restart_var=false
+  fi
+  if uci get "$key" &>/dev/null; then
+    v uci set "$key"="$val"
+    uci commit $service
+    eval $restart_var=true
+  fi
+}
+cedit() {
+  v command cedit -v "$@"
+}
+
+
 ### network config
 ###
-ssid=cmc2
-lan=10.1.0.0
+lan=10.0.0.0
+if $test; then
+  lan=10.1.0.0
+elif [[ $hostname == cmc ]]; then
+  lan=10.2.0.0
+elif $client; then
+  lan=10.3.0.0
+fi
+
+if $test; then
+  ssid="gnuv3"
+elif $secrets; then
+  ssid=${rssid[$rmac]}
+fi
+
+: ${ssid:=librecmc}
+
+
+if $secrets; then
+  key=${rkey[$rmac]}
+fi
+: ${key:=pictionary49}
+
 mask=255.255.0.0
+cidr=16
 l=${lan%.0}
 
 passwd -l root ||: #already locked fails
 
-cat >/usr/bin/arch-pxe-mount <<'EOFOUTER'
+sed -ibak '/^root:/d' /etc/shadow
+# /root/router created by manually running passwd then copying the resulting
+# line. We have no mkpasswd on wrt/librecmc, then we scp it in.
+cat /root/router >>/etc/shadow
+# otherwise, serial console gets root login with no password
+uset system.@system[0].ttylogin 1
+
+
+
+cat >/usr/bin/archlike-pxe-mount <<'EOFOUTER'
 #!/bin/bash
 # symlinks are collapsed for nfs mount points, so use a bind mount.
 # tried putting this in /etc/config/fstab,
-# then doig block mount, it didn't work. This doesn't persist across reboots,
+# then doing block mount, it didn't work. This doesn't persist across reboots,
 # todo: figure that out
-d=/run/archiso/bootmnt
-cat > /etc/fstab <<EOF
+rm -f /etc/fstab
+for d in /run/{arch,parabola}iso/bootmnt; do
+cat >>/etc/fstab <<EOF
 /mnt/usb/tftpboot $d none bind 0 0
 EOF
 mount | grep $d &>/dev/null || mount $d
+done
 /etc/init.d/nfsd restart
 EOFOUTER
-chmod +x /usr/bin/arch-pxe-mount
+chmod +x /usr/bin/archlike-pxe-mount
 
-cat >.profile <<'EOF'
-# changing login shell emits spam on ssh single commands & scp
-    # sed -i 's#/bin/ash$#/bin/bash#' /etc/passwd
-# https://github.com/openwrt/packages/issues/6137
-[ "$BASH_VERSION" != "" ] || exec /bin/bash -i
+sed -i '/^root:/s,/bin/ash$,/bin/bash,' /etc/passwd
+
+
+
+uset dropbear.@dropbear[0].PasswordAuth 0
+uset dropbear.@dropbear[0].RootPasswordAuth 0
+uset dropbear.@dropbear[0].Port 2220
+if ! cmp -s /root/dropbear_rsa_host_key /etc/dropbear/dropbear_rsa_host_key; then
+  cp /root/dropbear_rsa_host_key /etc/dropbear/dropbear_rsa_host_key
+  dropbear_restart=true
+fi
+
+if $dropbear_restart; then
+  v /etc/init.d/dropbear restart
+fi
+
+
+uset network.lan.ipaddr $l.$lanip
+uset network.lan.netmask $mask
+if $dev2  || $client; then
+  if $dev2; then
+    uset network.lan.gateway $l.1
+    uset network.wan.proto none
+    uset network.wan6.proto none
+  fi
+  /etc/init.d/dnsmasq stop
+  /etc/init.d/dnsmasq disable
+  /etc/init.d/odhcpd stop
+  /etc/init.d/odhcpd disable
+  rm -f /etc/resolv.conf
+  cat >/etc/resolv.conf <<'EOF'
+nameserver 8.8.8.8
+nameserver 8.8.4.4
 EOF
-v pi kmod-usb-storage block-mount kmod-fs-ext4 nfs-kernel-server \
-  tcpdump openvpn-openssl adblock
+
+  # things i tried to keep dnsmasq running but not enabled except local dns,
+  # but it didnt work right and i dont need it anyways.
+  # uset dhcp.wan.ignore $dev2 # default is false
+  # uset dhcp.lan.ignore $dev2 # default is false
+  # uset dhcp.@dnsmasq[0].interface lo
+  # uset dhcp.@dnsmasq[0].localuse 0
+  # uset dhcp.@dnsmasq[0].resolvfile /etc/dnsmasq.conf
+  # uset dhcp.@dnsmasq[0].noresolv 1
+  # todo: populate /etc/resolv.conf with a static value
+
+else
+  # these are the defaults
+  uset network.lan.gateway ''
+  uset network.wan.proto dhcp
+  uset network.wan6.proto dhcpv6
+  /etc/init.d/dnsmasq start
+  # todo: figure out why this returns 1
+  /etc/init.d/dnsmasq enable ||:
+  /etc/init.d/odhcpd start
+  /etc/init.d/odhcpd enable
+fi
+
+wireless_restart=false
+
+if $client; then
+  uset wireless.default_radio0.network 'wwan'
+  uset wireless.default_radio0.ssid ${rclientssid[$rmac]}
+  uset wireless.default_radio0.encryption 'psk2'
+  uset wireless.default_radio0.device 'radio0'
+  uset wireless.default_radio0.mode 'sta'
+  uset wireless.default_radio0.bssid ${rclientbssid[$rmac]}
+  # todo: look into whether 5g network is available.
+  uset wireless.default_radio0.key ${rclientkey[$rmac]}
+  uset wireless.radio0.disabled false
+  uset wireless.radio1.disabled true
+else
+  # defaults, just reseting in case client config ran
+  uset wireless.default_radio0.network lan
+  uset wireless.default_radio0.mode ap
+  for x in 0 1; do
+    uset wireless.default_radio$x.ssid "$ssid"
+    uset wireless.default_radio$x.key $key
+    uset wireless.default_radio$x.encryption psk2
+    if [[ $mac ]]; then
+      uset wireless.default_radio$x.macaddr $macpre$((macsuf + 2*x))
+    fi
+    # secondary device has wireless disabled
+    uset wireless.radio$x.disabled $dev2
+  done
+fi
+
+
 
 
 
+# usb, screen, relay are for libremanage
+# rsync is for brc
+#
+# relay package temporarily disabled
+# /root/relay_1.0-1_mips_24kc.ipk
+v pi kmod-usb-storage block-mount kmod-fs-ext4 nfs-kernel-server \
+  tcpdump openvpn-openssl adblock libusb-compat \
+  screen kmod-usb-serial-cp210x kmod-usb-serial-ftdi rsync\
+  unbound-daemon-heavy unbound-checkconf
+
+cat >/etc/libremanage.conf <<EOF
+${libremanage_host}_type=switch
+${libremanage_host}_channel=1
+EOF
+
 
 
 v /etc/init.d/fstab enable ||:
@@ -86,27 +374,31 @@ v /etc/init.d/fstab enable ||:
 # 255 == module already loaded
 for mod in scsi_mod sd_mod; do v modprobe $mod || [[ $? == 255 ]]; done
 
-# for arch pxe. The default settings in the installer expect to find
-# the NFS at /run/archiso/bootmnt
+# for archlike pxe. The default settings in the installer expect to find
+# the NFS at one of these dirs
 mkdir -p /run/archiso/bootmnt
+mkdir -p /run/parabolaiso/bootmnt
 
 # todo: at some later time, i found /mnt/usb not mounted, watch to see if
 # that is the case after running this or rebooting.
 # wiki says safe to do in case of fstab changes:
 
 ## ian: usb broke on old router. if that happens, can just comment this to disable problems
-echo | cedit /etc/config/fstab ||:
-cedit /etc/config/fstab <<'EOF' || { v block umount; v block mount; }
+# echo | cedit /etc/config/fstab ||:
+cedit /etc/config/fstab <<EOF || { v block umount; v block mount; }
 config global automount
       option from_fstab 1
       option anon_mount 1
 
 config mount
+# /overlay is an / overlay mount for installing extra packages, etc.
+# https://openwrt.org/docs/guide-user/additional-software/extroot_configuration
       option target	/mnt/usb
+#      option target	/overlay
       option device	/dev/sda1
       option fstype	ext4
       option options	rw,async,noatime,nodiratime
-      option enabled	1
+      option enabled	0
 EOF
 
 
@@ -123,60 +415,27 @@ EOF
 
 
 # exportfs -ra wont cut it when its the same path, but now a bind mount
-cedit /etc/exports <<EOF || v /etc/init.d/nfsd restart ||:
-/mnt/usb  $lan/$netmask(rw,no_root_squash,insecure,sync,no_subtree_check)
+# todo: restart nfs when nfs is enabled?
+#cedit /etc/exports <<EOF || v /etc/init.d/nfsd restart ||:
+cedit /etc/exports <<EOF ||:
+/mnt/usb  $lan/$cidr(rw,no_root_squash,insecure,sync,no_subtree_check)
 # for arch pxe
-/run/archiso/bootmnt	$lan/$netmask(rw,no_root_squash,insecure,sync,no_subtree_check)
+/run/archiso/bootmnt	$lan/$cidr(rw,no_root_squash,insecure,sync,no_subtree_check)
+/run/parabolaiso/bootmnt	$lan/$cidr(rw,no_root_squash,insecure,sync,no_subtree_check)
 EOF
 
 
-v /etc/init.d/portmap start
-v /etc/init.d/nfsd start
-v /etc/init.d/portmap enable
-v /etc/init.d/nfsd enable
+# todo: enable nfs when we need it only.
+# v /etc/init.d/portmap start
+# v /etc/init.d/nfsd start
+# v /etc/init.d/portmap enable
+# v /etc/init.d/nfsd enable
 
 
 
 
 
 
-######### uci example:#######
-# # https://wiki.openwrt.org/doc/uci
-# wan_index=$(uci show firewall | sed -rn 's/firewall\.@zone\[([0-9])+\]\.name=wan/\1/p')
-# wan="firewall.@zone[$wan_index]"
-# if [[ $(uci get firewall.@forwarding[0].dest) != $forward_dest ]]; then
-#     # default is wan
-#     v uci set firewall.@forwarding[0].dest=$forward_dest
-#     uci commit firewall
-#     firewall_restart=true
-# fi
-
-
-wireless_restart=true
-key=pictionary49
-for x in 0 1; do
-  if [[ $(uci get wireless.default_radio$x.ssid) != $ssid ]]; then
-    uci set wireless.default_radio$x.ssid=$ssid
-    wireless_restart=true
-  fi
-  if [[ $(uci get wireless.default_radio$x.key) != $key ]]; then
-    uci set wireless.default_radio$x.key=$key
-    wireless_restart=true
-  fi
-  if [[ $(uci get wireless.default_radio$x.encryption) != $key ]]; then
-    uci set wireless.default_radio$x.encryption=$key
-    wireless_restart=true
-  fi
-  if [[ $(uci get wireless.default_radio$x.disabled 2>/dev/null) ]]; then
-    uci delete wireless.default_radio$x.disabled
-    wireless_restart=true
-  fi
-done
-
-if $wireless_restart; then
-  uci commit wireless
-  v wifi
-fi
 
 
 ########## openvpn exampl
@@ -190,162 +449,515 @@ fi
 # # I did, and I had to restart the vpn afterwards.
 # # This maps a uci interface to a real interface which is
 # # managed outside of uci.
-# v cedit /etc/config/network <<'EOF' ||:
+# cedit /etc/config/network <<'EOF' ||:
 # config interface 'tun0'
 #         option ifname 'tun0'
 #         option proto 'none'
 # EOF
-# v cedit /etc/config/openvpn <<'EOF' || v /etc/init.d/openvpn restart
+# cedit /etc/config/openvpn <<'EOF' || v /etc/init.d/openvpn restart
 # config openvpn my_client_config
 #         option enabled 1
 #         option config /etc/openvpn/client.conf
 # EOF
 
+wgip4=10.3.0.1/24
+wgip6=fdfd::1/64
+wgport=26000
 
+network_restart=false
+if $client; then
+  cedit wific /etc/config/network <<EOF || network_restart=true
+# https://openwrt.org/docs/guide-user/network/wifi/connect_client_wifi
+config interface 'wwan'
+ option proto 'dhcp'
+EOF
+fi
 
-v cedit /etc/config/network <<EOF || v /etc/init.d/network reload
+cedit /etc/config/network <<EOF || network_restart=true
 config 'route' 'transmission'
-        option 'interface' 'lan'
-        option 'target' '10.173.0.0'
-        option 'netmask' '255.255.0.0'
-        option 'gateway' '$l.3'
+ option 'interface' 'lan'
+ option 'target' '10.173.0.0'
+ option 'netmask' '255.255.0.0'
+ option 'gateway' '$l.3'
+
+option interface 'wg0'
+ option proto 'wireguard'
+ option private_key '$(cat /root/wg.key)'
+ option listen_port $wgport
+ list addresses '10.3.0.1/24'
+ list addresses 'fdfd::1/64'
+
+# tp
+config wireguard_wg0 'wgclient'
+ option public_key '3q+WJGrm85r59NgeXOIvppxoW4ux/+koSw6Fee1c1TI='
+ option preshared_key '$(cat /root/wg.psk)'
+ list allowed_ips '10.3.0.2/24'
+ list allowed_ips 'fdfd::2/64'
+EOF
+
+if $network_restart; then
+  v /etc/init.d/network reload
+fi
+
+firewall-cedit() {
+
+  if $client; then
+    cedit wific /etc/config/firewall <<EOF
+config zone
+ option name    wwan
+ option input    REJECT
+ option output   ACCEPT
+ option forward  REJECT
+ option masq     1
+ option mtu_fix  1
+ option network  wwan
 EOF
+  fi
 
-v cedit /etc/config/firewall <<EOF || firewall_restart=true
+  case $hostname in
+    wrt)
+      cedit host /etc/config/firewall <<EOF
+config redirect
+ option name ssh
+ option src              wan
+ option src_dport        22
+ option dest_ip          $l.3
+ option dest             lan
+EOF
+      ;;
+    cmc)
+      cedit host /etc/config/firewall <<EOF
 config redirect
-    option name ssh
-    option src              wan
-    option src_dport        22
-    option dest_ip          $l.8
-    option dest             lan
+ option name ssh
+ option src              wan
+ option src_dport        22
+ option dest_ip          $l.2
+ option dest             lan
+EOF
+      ;;
+  esac
+
+  cedit /etc/config/firewall <<EOF
+## begin no external dns for ziva
+config rule
+ option src  lan
+ option src_ip   10.2.0.23
+ option dest_port 53
+ option dest  wan
+ option target REJECT
+
+
+config rule
+ option src wan
+ option dest_ip   10.2.0.23
+ option src_port 53
+ option dest  lan
+ option target REJECT
+
+
 config rule
-    option src              wan
-    option target           ACCEPT
-    option dest_port        22
+ option src  lan
+ option src_ip   10.2.0.31
+ option dest_port 53
+ option dest  wan
+ option target REJECT
+
+
+config rule
+ option src wan
+ option dest_ip   10.2.0.31
+ option src_port 53
+ option dest  lan
+ option target REJECT
+
+
+config rule
+ option src  lan
+ option src_ip   10.2.0.32
+ option dest_port 53
+ option dest  wan
+ option target REJECT
+
+
+config rule
+ option src wan
+ option dest_ip   10.2.0.32
+ option src_port 53
+ option dest  lan
+ option target REJECT
+## end no external dns for ziva
+
+
+config rule
+ option src              wan
+ option target           ACCEPT
+ option dest_port        22
 
 config redirect
-    option name sshalt
-    option src              wan
-    option src_dport        2222
-    option dest_port        22
-    option dest_ip          $l.3
-    option dest             lan
+ option name sshtp
+ option src              wan
+ option src_dport        2202
+ option dest_port        22
+ option dest_ip          $l.2
+ option dest             lan
 config rule
-    option src              wan
-    option target           ACCEPT
-    option dest_port        2222
+ option src              wan
+ option target           ACCEPT
+ option dest_port        2202
 
 config redirect
-    option src              wan
-    option src_dport        443
-    option dest             lan
-    option dest_ip          $l.8
-    option proto            tcp
+ option name sshx2
+ option src              wan
+ option src_dport        2205
+ option dest_port        22
+ option dest_ip          $l.5
+ option dest             lan
 config rule
-    option src              wan
-    option target           ACCEPT
-    option dest_port        443
-    option proto            tcp
+ option src              wan
+ option target           ACCEPT
+ option dest_port        2205
 
 config redirect
-    option src              wan
-    option src_dport        1196
-    option dest             lan
-    option dest_ip          $l.8
-    option proto            udp
+ option name sshx3
+ option src              wan
+ option src_dport        2207
+ option dest_port        22
+ option dest_ip          $l.7
+ option dest             lan
 config rule
-    option src              wan
-    option target           ACCEPT
-    option dest_port        1196
-    option proto            udp
+ option src              wan
+ option target           ACCEPT
+ option dest_port        2207
 
+config redirect
+ option name sshtp
+ option src              wan
+ option src_dport        2208
+ option dest_port        22
+ option dest_ip          $l.8
+ option dest             lan
+config rule
+ option src              wan
+ option target           ACCEPT
+ option dest_port        2208
 
 config redirect
-    option src              wan
-    option src_dport        80
-    option dest             lan
-    option dest_ip          $l.8
-    option proto            tcp
+ option name sshbb8
+ option src              wan
+ option src_dport        2209
+ option dest_port        22
+ option dest_ip          $l.9
+ option dest             lan
 config rule
-    option src              wan
-    option target           ACCEPT
-    option dest_port        80
-    option proto            tcp
+ option src              wan
+ option target           ACCEPT
+ option dest_port        2209
 
 config redirect
-    option name syncthing
-    option src              wan
-    option src_dport        22001
-    option dest_ip          $l.8
-    option dest             lan
+ option name icecast
+ option src              wan
+ option src_dport        8000
+ option dest_port        8000
+ option dest_ip          $l.2
+ option dest             lan
 config rule
-    option src              wan
-    option target           ACCEPT
-    option dest_port        22001
+ option src              wan
+ option target           ACCEPT
+ option dest_port        8000
 
+config rule
+ option name sshwrt
+ option src              wan
+ option target           ACCEPT
+ option dest_port        2220
 
+config rule
+ option name wg
+ option src              wan
+ option target           ACCEPT
+ option dest_port        $wgport
+ option proto            udp
 
-EOF
 
+config redirect
+ option name httpkd
+ option src              wan
+ option src_dport        80
+ option dest             lan
+ option dest_ip          $l.2
+ option proto            tcp
+config rule
+ option src              wan
+ option target           ACCEPT
+ option dest_port        80
+ option proto            tcp
 
+config redirect
+ option name httpskd
+ option src              wan
+ option src_dport        443
+ option dest             lan
+ option dest_ip          $l.2
+ option proto            tcp
+config rule
+ option src              wan
+ option target           ACCEPT
+ option dest_port        443
+ option proto            tcp
 
+config redirect
+option name httpskd8448
+ option src              wan
+ option src_dport        8448
+ option dest             lan
+ option dest_ip          $l.2
+ option proto            tcp
+config rule
+ option src              wan
+ option target           ACCEPT
+ option dest_port        8448
+ option proto            tcp
 
-dnsmasq_restart=false
-mail_host=$(grep -F mail.iankelling.org /etc/hosts | awk '{print $1}')
-v cedit /etc/hosts <<EOF || dnsmasq_restart=true
-127.0.1.1 wrt
-$l.1 wrt
-$l.2 kd
-$l.3 frodo
-$l.4 htpc
-$l.5 x2
-$l.6 demohost
-#$l.7 faiserver
-$l.8 tp faiserver b8.nz
-$l.9 n5
-$l.10 so
-$l.12 fz
-72.14.176.105 li
-45.33.9.11 lj
-138.68.10.24 dopub
-# netns creation looks for next free subnet starting at 10.173, but I only
-# use one, and I would keep this one as the first created.
-10.173.0.2 transmission
+
+config redirect
+ option name syncthing
+ option src              wan
+ option src_dport        22001
+ option dest_ip          $l.8
+ option dest             lan
+config rule
+ option src              wan
+ option target           ACCEPT
+ option dest_port        22001
+
+
+config rule
+ option name ssh-ipv6
+ option src wan
+ option dest lan
+ # note, using mac transform, we could allow all traffic to a host like this,
+ # replacing 1 as appropriate
+ #option dest_ip ::111:11ff:fe11:1111/::ffff:ffff:ffff:ffff
+ option dest_port 22
+ option target ACCEPT
+ option family ipv6
+
+config rule
+ option name http-ipv6
+ option src wan
+ option dest lan
+ option dest_port 80
+ option target ACCEPT
+ option family ipv6
+
+config rule
+ option name https-ipv6
+ option src wan
+ option dest lan
+ option dest_port 443
+ option target ACCEPT
+ option family ipv6
+
+config rule
+ option name node-exporter
+ option src wan
+ option dest lan
+ option dest_port 9101
+ option target ACCEPT
+ option family ipv6
+
+config rule
+ option name mail587-ipv6
+ option src wan
+ option dest lan
+ option dest_port 587
+ option target ACCEPT
+ option family ipv6
+
+# include a file with users custom iptables rules
+config include
+	option path /etc/firewall.user
+	option type 'restore'
+	option family 'ipv4'
+
+
+EOF
+}
+firewall-cedit || firewall_restart=true
+
+# not using wireguard for now
+# if ! uci get firewall.@zone[1].network | grep wg0 &>/dev/null; then
+#   # cant mix cedit plus uci
+#   echo | cedit /etc/config/firewall ||:
+#   uci add_list firewall.@zone[1].network=wg0
+#   uci commit firewall
+#   firewall-cedit ||:
+#   firewall_restart=true
+# fi
+
+
+
+cedit /etc/hosts <<EOF
+127.0.1.1 $hostname
+EOF
+# not sure this case statement is needed
+case $hostname in
+  cmc)
+    cedit host /etc/hosts <<EOF
+$l.1 $hostname
+# 127.0.0.1 www.youtube.com
+# 127.0.0.1 googlevideo.com
+# 127.0.0.1 youtu.be
+# 127.0.0.1 youtube-nocookie.com
+# 127.0.0.1 youtube.com
+# 127.0.0.1 youtube.googleapis.com
+# 127.0.0.1 youtubei.googleapis.com
+# 127.0.0.1 ytimg.com
+# 127.0.0.1 ytimg.l.google.com
 EOF
+    ;;
+esac
 
+
+#mail_host=$(grep -F mail.iankelling.org /etc/hosts | awk '{print $1}')
 # if [[ $mail_host ]]; then
 #     sed -i '/^$mail_host/a mail.iankelling.org' /etc/hosts
 # fi
 
 
-# avoid using the dns servers that my isp tells me about.
-if [[ $(uci get dhcp.@dnsmasq[0].resolvfile 2>/dev/null) ]]; then
-  # default is '/tmp/resolv.conf.auto', we switch to the dnsmasq default of
-  # /etc/resolv.conf. not sure why I did this.
-  v uci delete dhcp.@dnsmasq[0].resolvfile
-  uci commit dhcp
-  dnsmasq_restart=true
-fi
+uset dhcp.@dnsmasq[0].domain b8.nz
+uset system.@system[0].hostname $hostname
+uset dhcp.@dnsmasq[0].local
+
+# uci doesnt seem to have a way to set an empty value,
+# if you delete it, it goes back to the default. this seems
+# to be a decent workaround.
+# todo: setup /etc/resolv.conf to point to 127.0.0.1
+uset dhcp.@dnsmasq[0].resolvfile /dev/null
+
+# if dnsmasq happens to not send out a dns server,
+# odhcpd will send one out like this:
+# NetworkManager[953]: <info>  [1614982580.5192] dhcp6 (wlan0): option dhcp6_name_servers   => 'fd58:5801:8e02::1'
+# but i dont want ipv6 dns, just keep it simple to ipv4.
+# I know my isp doesnt have ipv6 right now,
+# so just stop this thing.
+# note: tried this, it didn't do anything:
+# uset dhcp.@odhcpd[0].dns 10.2.0.1
+/etc/init.d/odhcpd stop
+/etc/init.d/odhcpd disable
+# todo: make the above conditional on which server this is.
+
+# avoid errors in log. current isp doesnt have ipv6
+uset unbound.@unbound[0].protocol ip4_only
+
+# todo: im not sure all these are needed, but they all look
+# like good options.
+# https://blog.cloudflare.com/dns-over-tls-for-openwrt/
+# https://gist.github.com/vqiu/7b32d3a19a7a09d32e108d998de166c2
+#https://blog.thestateofme.com/2018/04/04/howto-secure-your-dns-with-a-raspberry-pi-unbound-and-cloudflare-1-1-1-1/
+#
+# # i found that the zone example was having no effect on the config
+# # here:
+# https://github.com/openwrt/packages/blob/openwrt-19.07/net/unbound/files/README.md
+#
+# # todo: unbound-control, i'm not sure what the purpose of that thing is, some
+# # kind of coordination with dhcp of dnsmasq, but what?
+#
+# note: for debugging, edit /etc/init.d/unbound, change
+# procd_set_param command $PROG -d -c $UB_TOTAL_CONF
+# to:
+# procd_set_param command $PROG -vvv -d -c $UB_TOTAL_CONF
+
+{
+  cat <<'EOF'
+do-tcp: yes
+prefetch: yes
+qname-minimisation: yes
+rrset-roundrobin: yes
+use-caps-for-id: yes
+do-ip6: no
+private-domain: b8.nz
+local-zone: "10.in-addr.arpa." transparent
+access-control-view: 10.2.0.31/32 "youtube"
+EOF
+
+  if $zblock; then
+    cat <<'EOF'
+# amy, amyw, samsungtab
+access-control-view: 10.2.0.8/32 "youtube"
+access-control-view: 10.2.0.23/32 "youtube"
+access-control-view: 10.2.0.32/32 "youtube"
+EOF
+  fi
+} | cedit /etc/unbound/unbound_srv.conf  || restart_unbound=true
+
+
+# dns based blocking vs ip based. with ip, same
+# server can have multiple domains. in dns,
+# you have to make sure clients to use the local dns.
+# https dns will need to be blocked by ip in
+# order to be comprehensive
+
+cedit /etc/unbound/unbound_ext.conf <<'EOF' || restart_unbound=true
+local-data-ptr: "10.2.0.1 cmc.b8.nz"
+local-data-ptr: "10.2.0.2 kd.b8.nz"
+local-data-ptr: "10.2.0.3 sy.b8.nz"
+local-data-ptr: "10.2.0.4 wrt2.b8.nz"
+local-data-ptr: "10.2.0.5 x2.b8.nz"
+local-data-ptr: "10.2.0.6 x2w.b8.nz"
+local-data-ptr: "10.2.0.7 syw.b8.nz"
+local-data-ptr: "10.2.0.8 amy.b8.nz"
+local-data-ptr: "10.2.0.9 bb8.b8.nz"
+local-data-ptr: "10.2.0.12 demohost.b8.nz"
+local-data-ptr: "10.2.0.14 wrt3.b8.nz"
+local-data-ptr: "10.2.0.19 brother.b8.nz"
+local-data-ptr: "10.2.0.23 amyw.b8.nz"
+local-data-ptr: "10.2.0.25 hp.b8.nz"
+local-data-ptr: "10.2.0.31 amazontab.b8.nz"
+local-data-ptr: "10.2.0.32 samsungtab.b8.nz"
+local-data-ptr: "10.173.0.2 transmission.b8.nz"
+local-data-ptr: "10.173.8.1 defaultnn.b8.nz"
+local-data-ptr: "10.173.8.2 nn.b8.nz"
+
+forward-zone:
+  name: "."
+# https://developers.cloudflare.com/1.1.1.1/1.1.1.1-for-families/setup-instructions/dns-over-https
+  forward-addr: 1.1.1.3@853#family.cloudflare-dns.com
+  forward-addr: 1.0.0.3@853#family.cloudflare-dns.com
+  forward-ssl-upstream: yes
+  forward-first: no
+
+view:
+  name: "youtube"
+  local-zone: "googlevideo.com." refuse
+  local-zone: "video.google.com." refuse
+  local-zone: "youtu.be." refuse
+  local-zone: "youtube-nocookie.com." refuse
+  local-zone: "youtube-ui.l.google.com." refuse
+  local-zone: "youtube.com." refuse
+  local-zone: "youtube.googleapis.com." refuse
+  local-zone: "youtubeeducation.com." refuse
+  local-zone: "youtubei.googleapis.com." refuse
+  local-zone: "yt3.ggpht.com." refuse
+  local-zone: "youtubekids.com." refuse
+  # try global if no match in view
+  view-first: yes
+EOF
 
-if [[ $(uci get dhcp.@dnsmasq[0].domain) != b8.nz ]]; then
-  v uci set dhcp.@dnsmasq[0].domain=b8.nz
-  uci commit dhcp
-  dnsmasq_restart=true
-fi
-if [[ $(uci get dhcp.@dnsmasq[0].local) != b8.nz ]]; then
-  v uci set dhcp.@dnsmasq[0].local=/b8.nz/
-  uci commit dhcp
-  dnsmasq_restart=true
-fi
 
-if [[ $(uci get system.@system[0].hostname) != wrt ]]; then
-  v uci set system.@system[0].hostname=wrt
-  uci commit system
+if $restart_unbound; then
+  /etc/init.d/unbound restart
+  if ! unbound-checkconf; then
+    echo $0: error: unbound-checkconf failed >&2
+    exit 1
+  fi
 fi
 
 
-if [[ $(uci get adblock.global.adb_enabled) != 1 ]]; then
-  v uci set adblock.global.adb_enabled=1
+# disabled for now. i want to selectively enable it
+# for specific hosts.
+if [[ $(uci get adblock.global.adb_enabled) != 0 ]]; then
+  v uci set adblock.global.adb_enabled=0
   uci commit adblock
   /etc/init.d/adblock restart
 fi
@@ -361,15 +973,21 @@ EOF
 # so make sure we have this dir or else dnsmasq will fail
 # to start.
 mkdir -p /mnt/usb/tftpboot
-v cedit /etc/dnsmasq.conf <<EOF || dnsmasq_restart=true
+cedit /etc/dnsmasq.conf  <<EOF || dnsmasq_restart=true
+# no dns
+port=0
+server=/b8.nz/#
+ptr-record=1.0.2.10.in-addr.arpa.,cmc.b8.nz
 
 # https://ret2got.wordpress.com/2018/01/19/how-your-ethereum-can-be-stolen-using-dns-rebinding/
 stop-dns-rebind
+rebind-domain-ok=b8.nz
 
-# this says the ip of default gateway and dns server,
-# but I think they are unneded and default
-#dhcp-option=3,$l.1
-#dhcp-option=6,$l.1
+# This says the ip of dns server.
+# It is default if dnsmasq is doing dns, otherwise, we have to specify it.
+# To see it in action, I ran this from a client machine:
+# sudo dhcpcd -o domain_name_servers -T
+dhcp-option=6,$l.1
 
 
 
@@ -390,10 +1008,16 @@ all-servers
 # download namebench and run it like this:
 # for x in all regional isp global preferred nearby; do ./namebench.py -s \$x -c US -i firefox -m weighted -J 10 -w; echo \$x; hr;  done
 # google
-server=8.8.4.4
-server=8.8.8.8
-server=2001:4860:4860::8888
-server=2001:4860:4860::8844
+server=1.1.1.3
+server=1.0.0.3
+server=2606:4700:4700::1113
+server=2606:4700:4700::1003
+
+server=10.2.0.1
+# server=8.8.4.4
+# server=8.8.8.8
+# server=2001:4860:4860::8888
+# server=2001:4860:4860::8844
 
 
 # to fixup existin ips, on the client you can do
@@ -402,21 +1026,38 @@ server=2001:4860:4860::8844
 # default dhcp range is 100-150
 # bottom port,  iPXE (PCI 03:00.0) in seabios boot menu
 dhcp-host=c8:60:00:31:6b:75,set:kd,$l.2,kd
+dhcp-host=94:05:bb:1e:2c:2e,set:sy,$l.3,sy
 # top port, iPXE (PCI 04:00.0) in seabios boot menu
 #dhcp-host=c8:60:00:2b:15:07,set:kd,$l.2,kd
-dhcp-host=00:26:18:97:bb:16,set:frodo,$l.3,frodo
-dhcp-host=10:78:d2:da:29:22,set:htpc,$l.4,htpc
-dhcp-host=00:1f:16:16:39:24,set:x2,$l.5,x2
-#dhcp-host=00:c0:ca:27:e9:b2,set:x2w,$l.11,x2w
-#wireless interface
-# this is so fai can have an explicit name to use for testing,
+# 4 is reserved for a staticly configured host wrt2
+# old x2 with bad fan
+#dhcp-host=00:1f:16:16:39:24,set:x2,$l.5,x2
+dhcp-host=f0:de:f1:81:ec:88,set:x2,$l.5,x2
+dhcp-host=c4:8e:8f:44:f5:63,set:x2w,$l.6,x2w
+dhcp-host=34:7d:f6:ed:ec:07,set:syw,$l.7,syw
+dhcp-host=80:fa:5b:1c:6e:cf,set:amy,$l.8,amy
+# This is so fai can have an explicit name to use for testing,
 # or else any random machine which did a pxe boot would get
 # reformatted. The mac is from doing a virt-install, cancelling it,
 # and copying the generated mac, so it should be randomish.
-dhcp-host=52:54:00:9c:ef:ad,set:demohost,$l.6,demohost
-#dhcp-host=52:54:00:56:09:f9,set:faiserver,$l.7,faiserver
-dhcp-host=80:fa:5b:1c:6e:cf,set:tp,$l.8,tp
-# this is the ip it picks by default if dhcp fails,
+dhcp-host=52:54:00:9c:ef:ad,set:demohost,$l.12,demohost
+dhcp-host=62:03:cb:a8:3e:a3,set:trp,$1.13,trp
+dhcp-host=00:1f:16:14:01:d8,set:x3,$l.18,x3
+# BRN001BA98CA823 in dhcp logs
+dhcp-host=00:1b:a9:8c:a8:23,set:brother,$l.19,brother
+
+dhcp-host=00:26:b6:f7:d4:d8,set:amyw,$l.23,amyw
+dhcp-host=38:63:bb:07:5a:f9,set:hp,$l.25,hp
+dhcp-host=00:26:b6:f6:0f:e9,set:frodow,$l.28,frodow
+dhcp-host=6c:56:97:88:7b:74,set:amazontab,$l.31,amazontab
+dhcp-host=0a:8a:9b:cf:b5:ec,set:samsungtab,$l.32,samsungtab
+
+
+
+# faiserver vm
+dhcp-host=52:54:00:56:09:f9,set:faiserver,$l.15,faiserver
+
+# This is the ip it picks by default if dhcp fails,
 # so might as well use it.
 # hostname is the name it uses according to telnet
 dhcp-host=b4:75:0e:94:29:ca,set:switch9429ca,$l.251,switch9429ca
@@ -428,9 +1069,26 @@ dhcp-host=b4:75:0e:94:29:ca,set:switch9429ca,$l.251,switch9429ca
 # It has no sensitive info.
 enable-tftp=br-lan
 tftp-root=/mnt/usb/tftpboot
+dhcp-optsfile=/etc/dnsmasq-dhcpopts.conf
+
+#log-queries=extra
 EOF
 
-if $dnsmasq_restart; then
+
+if $dnsmasq_restart && ! $dev2; then
+  # todo: can our ptr records be put in /etc/hosts?
+  # eg: user normal /etc/hosts records, and they wont be used for A resolution
+  # due to the other settings, but will be used for ptr? then maybe
+  # we dont have to restart dnsmasq for a dns update?
+  #
+  # interesing link:
+  # https://www.redpill-linpro.com/techblog/2019/08/27/evaluating-local-dnssec-validators.html#toggling-dnssec-validation-1
+  # we could turn on dnssec validation when wrt gets dnsmasq > 2.80. currently at 2.80.
+  # also we can turn off dnssec in systemd-resolved if we know the router is doing it.
+  #
+  # Also, reload of dnsmasq seems to break things, wifi
+  # clients were not getting internet connectivity.
+
   v /etc/init.d/dnsmasq restart
 fi
 
@@ -438,20 +1096,14 @@ if $firewall_restart; then
   v /etc/init.d/firewall restart
 fi
 
-
-reboot=false
-if [[ $(uci get network.lan.ipaddr) != $l.1 ]]; then
-  v uci set network.lan.ipaddr=$l.1
-  uci commit network
-  reboot=true
-fi
-if [[ $(uci get network.lan.netmask) != $mask ]]; then
-  v uci set network.lan.netmask=$mask
-  uci commit network
-  reboot=true
+# this may just restart the network and take care of the network_restart below.
+if $wireless_restart; then
+  v wifi
 fi
 
-if $reboot; then
+# todo: we should catch errors and still run this if needed
+if $network_restart; then
   reboot
 fi
+
 exit 0