fai-setclass $(bash $file)
}
export -f ifclass
-classes=DEFAULT # used by fcopy
+# DEFAULT is used by fcopy
+classes="DEFAULT $(hostname)"
export CLASS_DEFAULT=true
if [[ ! -d $FAI_ROOT ]]; then
export FAI_ROOT=/
# My faiserver's hostname is always faiserver, so just hardcoding it.
SERVER=faiserver
-APTPROXY=http://faiserver:3142
+# busted for debian, no time to troubleshoot atm
+#APTPROXY=http://faiserver:3142
-deb http://us.archive.ubuntu.com/ubuntu/ bionic main universe
-deb http://us.archive.ubuntu.com/ubuntu/ bionic-updates main universe
-deb http://us.archive.ubuntu.com/ubuntu/ bionic-security main universe
-deb-src http://us.archive.ubuntu.com/ubuntu/ bionic main universe
-deb-src http://us.archive.ubuntu.com/ubuntu/ bionic-updates main universe
-deb-src http://us.archive.ubuntu.com/ubuntu/ bionic-security main universe
+deb http://us.archive.ubuntu.com/ubuntu/ bionic main universe multiverse
+deb http://us.archive.ubuntu.com/ubuntu/ bionic-updates main universe multiverse
+deb http://us.archive.ubuntu.com/ubuntu/ bionic-security main universe multiverse
+deb-src http://us.archive.ubuntu.com/ubuntu/ bionic main universe multiverse
+deb-src http://us.archive.ubuntu.com/ubuntu/ bionic-updates main universe multiverse
+deb-src http://us.archive.ubuntu.com/ubuntu/ bionic-security main universe multiverse
+# multiverse needed for libfdk-aac1, which is actually free
+# https://www.gnu.org/licenses/license-list.html#fdk
+
###### Ubuntu Main Repos
-deb http://archive.ubuntu.com/ubuntu/ focal main universe
-deb-src http://archive.ubuntu.com/ubuntu/ focal main universe
+deb http://archive.ubuntu.com/ubuntu/ focal main universe multiverse
+deb-src http://archive.ubuntu.com/ubuntu/ focal main universe multiverse
###### Ubuntu Update Repos
-deb http://archive.ubuntu.com/ubuntu/ focal-security main universe
-deb http://archive.ubuntu.com/ubuntu/ focal-updates main universe
+deb http://archive.ubuntu.com/ubuntu/ focal-security main universe multiverse
+deb http://archive.ubuntu.com/ubuntu/ focal-updates main universe multiverse
deb http://archive.ubuntu.com/ubuntu/ focal-backports main universe
-deb-src http://archive.ubuntu.com/ubuntu/ focal-security main universe
-deb-src http://archive.ubuntu.com/ubuntu/ focal-updates main universe
+deb-src http://archive.ubuntu.com/ubuntu/ focal-security main universe multiverse
+deb-src http://archive.ubuntu.com/ubuntu/ focal-updates main universe multiverse
deb-src http://archive.ubuntu.com/ubuntu/ focal-backports main universe
--- /dev/null
+#!/bin/bash
+
+if ! test "$BASH_VERSION"; then echo "error: shell is not bash" >&2; exit 1; fi
+shopt -s inherit_errexit 2>/dev/null ||: # ignore fail in bash < 4.4
+set -eE -o pipefail
+trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" exit status: $?, PIPESTATUS: ${PIPESTATUS[*]}" >&2' ERR
+
+[[ $EUID == 0 ]] || exec sudo -E "${BASH_SOURCE[0]}" "$@"
+
+# https://wiki.archlinux.org/index.php/Solid_state_drive#Resolving_NCQ_errors
+# evo-870 doesnt get along well with d16.
+# Dmesg gives us an ata number we could disable specifically on the command line, but I've had that number change on me between oses, so reenabling ncq
+
+upgrub=true
+if [[ $1 == no-upgrub ]]; then
+ upgrub=false
+fi
+
+byid=/dev/disk/by-id/ata-Samsung_SSD_870_QVO_8TB_S5VUNG0N900656V
+if [[ ! -e $byid ]]; then
+ # not plugged in we assume
+ exit 0
+fi
+
+dev=$(readlink $byid)
+if [[ ! $dev ]]; then
+ exit 1
+fi
+
+dev=${dev##*/}
+
+depth=$(cat /sys/block/$dev/device/queue_depth)
+if [[ $depth != 0 ]]; then
+ if grep -qF libata.force=noncq /proc/cmdline; then
+ echo $0: warning, cant change queue_depth due to globally disabled ncq
+ else
+ echo 1 >/sys/block/$dev/device/queue_depth
+ fi
+fi
+
+sys=$(readlink /sys/block/$dev)
+ata=${sys#*/*/*/*/ata}
+ata=${ata%%/*}
+
+arg=libata.force=${ata}.00:noncq
+
+if ! grep "^GRUB_CMDLINE_LINUX_DEFAULT=.*[\" ]${arg//./\\.}[\" ]" /etc/default/grub; then
+ sed -ri "s/^GRUB_CMDLINE_LINUX_DEFAULT=\"(.*)/GRUB_CMDLINE_LINUX_DEFAULT=\"$arg \1/" /etc/default/grub
+ if $upgrub; then
+ echo "$0: warning: grub updated. you may want to reboot"
+ if type -P update-grub2 &>/dev/null; then
+ update-grub2
+ else
+ update-grub
+ fi
+ fi
+fi
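Review bot: `exec sudo -E "${BASH_SOURCE[0]}" "$@"` re-runs the script as root with the caller's environment preserved, and `update-grub2`/`update-grub` at the bottom are then resolved through whatever PATH came in with it; whether sudo's secure_path overrides that depends on the host's sudoers, so a script that rewrites `/etc/default/grub` should pin it itself, e.g. `export PATH=/usr/sbin:/usr/bin:/sbin:/bin` right after the `trap` line. The `grep` that guards the sed has no `-q`, so on every run where the argument is already present the matched line is printed to stdout and lands in the journal of the oneshot unit this commit adds; `if ! grep -q "^GRUB_CMDLINE_LINUX_DEFAULT=...` is enough. The queue_depth guard tests `!= 0` but writes `1`, so if 1 is the value that disables NCQ here the write is repeated on every boot after it has taken effect — probably harmless, but `!= 1` reads as the intended check; confirm against the sysfs semantics before changing it.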
#### begin configuration
+# this is the ordering of the /dev/sdaX, but
+# the ordering of the partition layout goes like this:
+# bios_grub
+# grub_ext
+# efi
+# root
+# swap
+# boot
+
rootn=1
swapn=2
bootn=3
# bios boot partition,
# https://wiki.archlinux.org/index.php/GRUB
bios_grubn=6
+even_bign=7
lastn=$bios_grubn
add-part() { # add partition suffix to $dev
- local d ret
+ local d part
if [[ $# == 1 ]]; then
d=$dev
part=$1
efidev() { add-part $@ $efin; }
grub_extdev() { add-part $@ $grub_extn; }
bios_grubdev() { add-part $@ $bios_grubn; }
+even_bigdev() { add-part $@ $even_bign; }
crypt-dev() { echo /dev/mapper/crypt_dev_${1##*/}; }
crypt-name() { echo crypt_dev_${1##*/}; }
swap-cryptname() { crypt-name $(swapdev $@); }
dev-mib() {
- echo $(( $(parted -m $dev unit MiB print | \
+ local d=${1:-$dev}
+ echo $(( $(parted -m $d unit MiB print | \
sed -nr "s#^/dev/[^:]+:([0-9]+).*#\1#p") - 1))
}
+luks-setup() {
+ local luksdev="$1"
+ # when we move to newer than trisquel 9, we can remove
+ # --type luks1. We can also check on cryptsetup --help | less /compil
+ # to see about the other settings. Default in debian 9 is luks2.
+ # You can convert from luks2 to luks 1 by adding a temporary key:
+ # cryptsetup luksAddKey --pbkdf pbkdf2
+ # then remove the new format keys with cryptsetup luksRemoveKey
+ # then cryptsetup convert DEV --type luks1, then readd old keys and remove temp.
+ yes YES | cryptsetup luksFormat $luksdev $luks_file \
+ --type luks1 -c aes-cbc-essiv:sha256 -s 256 || [[ $? == 141 ]]
+ yes "$lukspw" | \
+ cryptsetup luksAddKey --key-file $luks_file \
+ $luksdev || [[ $? == 141 ]]
+ # background: Keyfile and password are treated just
+ # like 2 ways to input a passphrase, so we don't actually need to have
+ # different contents of keyfile and passphrase, but it makes some
+ # security sense to a really big randomly generated passphrase
+ # as much as possible, so we have both.
+ #
+ # This would remove the keyfile.
+ # yes 'test' | cryptsetup luksRemoveKey /dev/... \
+ # /key/file || [[ $? == 141 ]]
+ cryptsetup luksOpen $luksdev $(crypt-name $luksdev) --key-file $luks_file
+}
+
##### end function defs
if ifclass REPARTITION; then
wipe=true
fi
-if ((`nproc` > 2)); then
+if (($(nproc) > 2)); then
mopts=,compress=zstd
fi
if $partition; then break; fi
y=$(readlink -f $dev)
arr=($y?*)
- if (( ${#arr[@]} != lastn )); then
+ if (( ${#arr[@]} < lastn )); then
partition=true
fi
# On one system, blkid is missing some partitions.
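Review bot: `luks-setup` still formats every volume with `-c aes-cbc-essiv:sha256 -s 256`, a legacy mode; cryptsetup's own default is `aes-xts-plain64` with a 512-bit key, and since this function is now the single place the root and the new even_big partitions are created it is the natural moment to switch, unless an older GRUB or initramfs on these hosts cannot open XTS volumes (worth confirming). The function also reads `$luks_file` and `$lukspw` as unchecked globals, so an unset passphrase variable reaches `luksAddKey` as an empty line; `: "${luks_file:?}" "${lukspw:?}"` as the first statement fails loudly instead. `cryptsetup -q luksFormat` would replace the `yes YES |` confirmation and the `|| [[ $? == 141 ]]` allowance on that call. Quoting `"$luksdev"` throughout would match the rest of the function's new-code style.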
### end wipefs
+ # When we have 2 disks of at least 100g difference in size,
+ # make an extra partition on the end of the bigger one.
+ even_big_part=false
+ even_diff_min=100000
if $even_raid; then
- for dev in ${devs[@]}; do
- cur_mib=$(dev-mib)
- if [[ ! $disk_mib ]] || (( cur_mib < disk_mib )); then
- disk_mib=$cur_mib
- fi
- done
+ smalli=0
+ bigi=1
+ if (( $(dev-mib ${devs[0]}) >= $(dev-mib ${devs[1]}) )); then
+ smalli=1
+ bigi=0
+ fi
+ disk_mib=$(dev-mib ${devs[smalli]})
+ even_big_dev=${devs[bigi]}
+ even_big_mib=$(dev-mib $even_big_dev)
+ if (( even_big_mib - disk_mib > even_diff_min )); then
+ even_big_part=true
+ fi
fi
for dev in ${devs[@]}; do
if ! $even_raid; then
disk_mib=$(dev-mib)
fi
- root_end=$(( disk_mib - swap_mib - boot_mib / ${#boot_devs[@]} ))
+ efi_mib=512
+ root_end=$(( disk_mib - swap_mib - boot_mib / ${#boot_devs[@]} - efi_mib ))
swap_end=$(( root_end + swap_mib))
parted -s $dev mklabel gpt
# MiB because parted complains about alignment otherwise.
pcmd="parted -a optimal -s -- $dev"
+ # root partition, the main big one
$pcmd mkpart primary ext3 524MiB ${root_end}MiB
# without naming, systemd gives us misc errors like:
# dev-disk-by\x2dpartlabel-primary.device: Dev dev-disk-by\x2dpartlabel-primary.device appeared twice
$pcmd name $rootn root
# normally a swap is type "linux-swap", but this is encrypted swap. using that
# label will confuse systemd.
+ # swap partition
$pcmd mkpart primary "" ${root_end}MiB ${swap_end}MiB
$pcmd name $swapn swap
+ # boot partition
$pcmd mkpart primary "" ${swap_end}MiB ${disk_mib}MiB
$pcmd name $bootn boot
- # eufi = bloated, half a gig gimme a break.
+ # uefi partition. efi sucks, half a gig, rediculous.
$pcmd mkpart primary "fat32" 12MiB 524MiB
$pcmd name $efin efi
$pcmd set $efin esp on
# I found someone saying that gparted required
# required at least 8 because of their hard drive cylinder size.
# And 8 is still very tiny.
+ # grub_ext partition
$pcmd mkpart primary "ext2" 4MiB 12MiB
$pcmd name $grub_extn grubext
# gpt ubuntu cloud image uses ~4 mb for this partition. fai uses 1 MiB.
# so, I use 3, whatever.
# note: parted manual saying cheap flash media
# should to start at 4.
+ # biols grub partition
$pcmd mkpart primary "" 1MiB 4MiB
$pcmd name $bios_grubn biosgrub
$pcmd set $bios_grubn bios_grub on
$pcmd set $bootn boot on # generally not needed on modern systems
+ if $even_big_part && [[ $dev == $even_big_dev ]]; then
+ $pcmd mkpart primary ext3 ${disk_mib}MiB ${even_big_mib}MiB
+ $pcmd name $even_bign even_big
+ fi
+
# the mkfs failed before on a vm, which prompted me to add
# sleep .1
# then it failed again on a physical machine
# Then I added the mkfs.ext2, which claimed to succeed,
# but then couldn't be found upon reboot. In that case we didn't
# wait at all. So I've added a 3 second minimum wait.
- sleep 3
secs=0
- while [[ ! -e $(rootdev) ]] && (( secs < 10 )); do
+ while [[ ! -e $(bios_grubdev) ]] && (( secs < 10 )); do
sleep 1
secs=$((secs +1))
done
+ sleep 3
mkfs.fat -F32 $(efidev)
+ if $even_big_part && [[ $dev == $even_big_dev ]]; then
+ luks-setup $(even_bigdev)
+ mkfs.btrfs -f $(crypt-dev $(even_bigdev))
+ fi
+
# Holds just a single file, rarely written, so
# use ext2, like was often used for the /boot partition.
# This exists because grub can only persist data to a non-cow fs.
# This is just a bit more robust, and it could work for booting
# into ipxe which can't persist data, if we ever got that working.
mkfs.ext2 $(grub_extdev)
- # when we move to newer than trisquel 9, we can remove
- # --type luks1. We can also check on cryptsetup --help | less /compil
- # to see about the other settings. Default in debian 9 is luks2.
- # You can convert from luks2 to luks 1 by adding a temporary key:
- # cryptsetup luksAddKey --pbkdf pbkdf2
- # then remove the new format keys with cryptsetup luksRemoveKey
- # then cryptsetup convert DEV --type luks1, then readd old keys and remove temp.
- yes YES | cryptsetup luksFormat $(rootdev) $luks_file \
- --type luks1 -c aes-cbc-essiv:sha256 -s 256 || [[ $? == 141 ]]
- yes "$lukspw" | \
- cryptsetup luksAddKey --key-file $luks_file \
- $(rootdev) || [[ $? == 141 ]]
- # background: Keyfile and password are treated just
- # like 2 ways to input a passphrase, so we don't actually need to have
- # different contents of keyfile and passphrase, but it makes some
- # security sense to a really big randomly generated passphrase
- # as much as possible, so we have both.
- #
- # This would remove the keyfile.
- # yes 'test' | cryptsetup luksRemoveKey /dev/... \
- # /key/file || [[ $? == 141 ]]
-
- cryptsetup luksOpen $(rootdev) $(root-cryptname) \
- --key-file $luks_file
+ luks-setup $(rootdev)
if [[ $SPECIAL_DISK ]]; then
exit 0
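Review bot: the even_raid branch indexes `${devs[0]}` and `${devs[1]}` unconditionally; if `devs` holds a single disk, `dev-mib ${devs[1]}` is called with no argument and dev-mib (defined above this hunk) quietly falls back to its `${1:-$dev}` default, so the size comparison is made against whatever `$dev` is at that point and `even_big_dev` may end up empty. A guard before the comparison, `(( ${#devs[@]} == 2 )) || { echo "$0: even_raid needs exactly 2 disks" >&2; exit 1; }`, makes the assumption explicit. The two `[[ $dev == $even_big_dev ]]` tests leave the right-hand side unquoted, which makes it a glob pattern rather than a string; `[[ $dev == "$even_big_dev" ]]` is what is meant.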
ROOT_PARTITION=\${ROOT_PARTITION:-$first_root_crypt}
SWAPLIST=\${SWAPLIST:-"${swaps[@]}"}
EOF
+
+
+ if [[ $HOSTNAME == kd ]]; then
+ # note, having these with keyscript and initramfs causes a luks error in fai.log,
+ # but it is safely ignorable and gets us the ability to just type our password
+ # in once at boot. A downside is that they are probably needed to be plugged in to boot.
+ cat >>/tmp/fai/crypttab <<EOF
+crypt_dev_ata-Samsung_SSD_870_QVO_8TB_S5VUNG0N900656V-part7 /dev/disk/by-id/ata-Samsung_SSD_870_QVO_8TB_S5VUNG0N900656V-part7 none keyscript=decrypt_keyctl,discard,luks,initramfs
+crypt_dev_ata-TOSHIBA_MD04ACA500_84R2K773FS9A-part1 /dev/disk/by-id/ata-TOSHIBA_MD04ACA500_84R2K773FS9A-part1 none keyscript=decrypt_keyctl,discard,luks,initramfs
+crypt_dev_ata-ST6000DM001-1XY17Z_Z4D29EBL-part1 /dev/disk/by-id/ata-ST6000DM001-1XY17Z_Z4D29EBL-part1 none keyscript=decrypt_keyctl,discard,luks,initramfs
+EOF
+ cat >> /tmp/fai/fstab <<EOF
+# r7 = root partition7
+/dev/mapper/crypt_dev_ata-Samsung_SSD_870_QVO_8TB_S5VUNG0N900656V-part7 /mnt/r7 btrfs nofail,x-systemd.device-timeout=30s,x-systemd.mount-timeout=30s,noatime,compress=zstd,subvolid=0 0 0
+/dev/mapper/crypt_dev_ata-TOSHIBA_MD04ACA500_84R2K773FS9A-part1 /mnt/rust1 btrfs nofail,x-systemd.device-timeout=30s,x-systemd.mount-timeout=30s,noatime,compress=zstd,subvolid=0 0 0
+/dev/mapper/crypt_dev_ata-ST6000DM001-1XY17Z_Z4D29EBL-part1 /mnt/rust2 btrfs nofail,x-systemd.device-timeout=30s,x-systemd.mount-timeout=30s,noatime,compress=zstd,subvolid=0 0 0
+EOF
+ fi
+
fi
# initial setup of extra data fs, mounted,
# chattr +C nocow
# chown iank.iank nocow
-if [[ $HOSTNAME == kd ]]; then
- cat >>/tmp/fai/crypttab <<EOF
-crypt_dev_ata-Samsung_SSD_870_QVO_8TB_S5VUNG0N900656V-part6 /dev/disk/by-id/ata-Samsung_SSD_870_QVO_8TB_S5VUNG0N900656V-part6 none keyscript=decrypt_keyctl,discard,luks,initramfs
-crypt_dev_ata-TOSHIBA_MD04ACA500_84R2K773FS9A-part1 /dev/disk/by-id/ata-TOSHIBA_MD04ACA500_84R2K773FS9A-part1 keyscript=decrypt_keyctl,discard,luks,initramfs
-EOF
- cat >> /tmp/fai/fstab <<EOF
-/dev/mapper/crypt_dev_ata-Samsung_SSD_870_QVO_8TB_S5VUNG0N900656V-part6 /d btrfs nofail,x-systemd.device-timeout=30s,x-systemd.mount-timeout=30s,noatime,compress=zstd,subvol=nocow 0 0
-# r6 = root partition6
-/dev/mapper/crypt_dev_ata-Samsung_SSD_870_QVO_8TB_S5VUNG0N900656V-part6 /mnt/r6 btrfs nofail,x-systemd.device-timeout=30s,x-systemd.mount-timeout=30s,noatime,compress=zstd,subvolid=0 0 0
-/dev/mapper/crypt_dev_ata-TOSHIBA_MD04ACA500_84R2K773FS9A-part1 /mnt/rust btrfs nofail,x-systemd.device-timeout=30s,x-systemd.mount-timeout=30s,noatime,compress=zstd,subvolid=0 0 0
-EOF
-fi
iso-codes
# new package buster/nabia+
cryptsetup-initramfs
+# https://wiki.debian.org/UsrMerge
+usrmerge
# iank, copied from DEBIAN so it goes into ubuntu too
PACKAGES install GRUB_PC
speed=115200
cmdline="rd.luks.crypttab=no net.ifnames=0 console=ttyS0,${speed}n8 console=tty0"
case $HOSTNAME in
- # https://wiki.archlinux.org/index.php/Solid_state_drive#Resolving_NCQ_errors
- # evo-870 doesnt get along well with d16 with etiona.
- # the number is based on dmesg errors
- kd) cmdline+=" libata.force=4.00:noncq" ;;
+ kd)
+ fcopy -v /usr/bin/myncq
+
+ cat >$target/etc/systemd/system/myncq.service <<'EOF'
+[Unit]
+Description=fix ncq errors
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/myncq
+TimeoutStartSec=20
+
+[Install]
+# https://www.enricozini.org/blog/2017/debian/systemd-07-devices/
+WantedBy=dev-disk-by\x2did-ata\x2dSamsung_SSD_870_QVO_8TB_S5VUNG0N900656V.device
+EOF
+
+ chroot $FAI_ROOT bash <<'EOFOUTER'
+systemctl enable myncq.service
+/usr/bin/myncq no-upgrub
+EOFOUTER
+
+ ;;
# per rubens suggestion to make a d16 more stable
kd|kw) cmdline+=" pci=realloc=off" ;;
esac
chroot $FAI_ROOT bash <<EOF
set -eE -o pipefail
# https://askubuntu.com/questions/33416/how-do-i-disable-the-boot-splash-screen-and-only-show-kernel-and-boot-text-inst
-# we remove quiet and splash, and all thats left is what we want
+
+sed -ri 's/(^GRUB_CMDLINE_LINUX_DEFAULT=")quiet/\1/;s/^(GRUB_CMDLINE_LINUX_DEFAULT=".*) quiet([ "])/\1\2/' /etc/default/grub
+sed -ri 's/(^GRUB_CMDLINE_LINUX_DEFAULT=")splash/\1/;s/^(GRUB_CMDLINE_LINUX_DEFAULT=".*) splash([ "])/\1\2/' /etc/default/grub
+
+for arg in $cmdline; do
+ if ! grep "^GRUB_CMDLINE_LINUX_DEFAULT=.*[\" ]${arg//./\\.}[\" ]" /etc/default/grub; then
+ sed -ri "s/^GRUB_CMDLINE_LINUX_DEFAULT=\"(.*)/GRUB_CMDLINE_LINUX_DEFAULT=\"$arg \1/" /etc/default/grub
+ fi
+done
if grep -qF "$cmdline" /etc/default/grub; then
# already set things, exit
# warning about it in error.log
sed -i '/^ *GRUB_HIDDEN_TIMEOUT/d' /etc/default/grub
-update-grub2
+if type -P update-grub2 &>/dev/null; then
+ update-grub2
+else
+ update-grub
+fi
+
EOF
fi ##### end != dirinstall && != NOCRYPT
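Review bot: the new `for arg in $cmdline` loop lives inside the `chroot $FAI_ROOT bash <<EOF` here-document, whose delimiter is unquoted, so `${arg//./\\.}` and `$arg` are expanded by the outer FAI shell while the document is being built, not by the loop running in the chroot; unless `arg` happens to be set in the outer script, grep is handed an empty fragment and sed prepends a bare space to GRUB_CMDLINE_LINUX_DEFAULT on each iteration while none of the `$cmdline` entries are added. Escape the two references the way the `ROOT_PARTITION=\${ROOT_PARTITION:-...}` line elsewhere in this commit does: `if ! grep "^GRUB_CMDLINE_LINUX_DEFAULT=.*[\" ]\${arg//./\\\\.}[\" ]" /etc/default/grub; then` and `sed -ri "s/^GRUB_CMDLINE_LINUX_DEFAULT=\"(.*)/GRUB_CMDLINE_LINUX_DEFAULT=\"\$arg \1/" /etc/default/grub`. `$cmdline` itself is meant to expand outside the chroot, so it stays as written. The same grep/sed pair in the standalone myncq script is unaffected because it is not inside a here-document.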
address 2600:3c00:e000:280::2/64
EOF
fi
-
fi
# I prefer to stick with ifup/down for now. a. networkd is not in its
if ifclass VOL_BUSTER_BOOTSTRAP; then
- fcopy -riM /etc/systemd/system
+ fcopy /etc/systemd/system/faicheck.service
chroot $FAI_ROOT bash <<'EOFOUTER'
-systemctl enable fai_check.service
+systemctl enable faicheck.service
EOFOUTER
exit 0 # avoid unnecessary stuff in bootstrap vol
fi
-
## misc settings
chroot $FAI_ROOT bash <<'EOFOUTER'
#### begin .ssh setup ###
/p/router-secrets /p/c/machine_specific/wrt/etc/wg.{key,psk} $h:
scp ../openwrtkeyring/usign/* $h:/etc/opkg/keys
-ssh $h wrt-init $HOME_DOMAIN "$@"
+ssh $h wrt-init ${HOME_DOMAIN:-b8.nz} "$@"
}
-
-
-
secrets=false
if [[ -e /root/router-secrets ]]; then
secrets=true
: ${hostname:=wrt}
+zblock=false
+if [[ -e /root/zblock ]]; then
+ zblock=true
+fi
+
dnsmasq_restart=false
+unbound_restart=false
firewall_restart=false
dev2=false
test=false
client=false
libremanage_host=wrt2
lanip=1
-while getopts hm:t: opt; do
+while getopts hm:t:yz opt; do
case $opt in
h) usage ;;
t)
*) echo "$0: unexpected arg to -t: $*" >&2; usage 1 ;;
esac
;;
+ y)
+ zblock=false
+ rm -f /root/zblock
+ ;;
+ z)
+ zblock=true
+ touch /root/zblock
+ ;;
m) mac=$OPTARG ;;
*) echo "$0: Internal error! unexpected args: $*" >&2 ; usage 1 ;;
esac
eval $restart_var=true
fi
}
-
+cedit() {
+ v command cedit -v "$@"
+}
### network config
# /root/relay_1.0-1_mips_24kc.ipk
v pi kmod-usb-storage block-mount kmod-fs-ext4 nfs-kernel-server \
tcpdump openvpn-openssl adblock libusb-compat \
- screen kmod-usb-serial-cp210x kmod-usb-serial-ftdi rsync
+ screen kmod-usb-serial-cp210x kmod-usb-serial-ftdi rsync\
+ unbound-daemon-heavy unbound-checkconf
cat >/etc/libremanage.conf <<EOF
${libremanage_host}_type=switch
## ian: usb broke on old router. if that happens, can just comment this to disable problems
# echo | cedit /etc/config/fstab ||:
-v cedit /etc/config/fstab <<EOF || { v block umount; v block mount; }
+cedit /etc/config/fstab <<EOF || { v block umount; v block mount; }
config global automount
option from_fstab 1
option anon_mount 1
# # I did, and I had to restart the vpn afterwards.
# # This maps a uci interface to a real interface which is
# # managed outside of uci.
-# v cedit /etc/config/network <<'EOF' ||:
+# cedit /etc/config/network <<'EOF' ||:
# config interface 'tun0'
# option ifname 'tun0'
# option proto 'none'
# EOF
-# v cedit /etc/config/openvpn <<'EOF' || v /etc/init.d/openvpn restart
+# cedit /etc/config/openvpn <<'EOF' || v /etc/init.d/openvpn restart
# config openvpn my_client_config
# option enabled 1
# option config /etc/openvpn/client.conf
network_restart=false
if $client; then
- v cedit wific /etc/config/network <<EOF || network_restart=true
+ cedit wific /etc/config/network <<EOF || network_restart=true
# https://openwrt.org/docs/guide-user/network/wifi/connect_client_wifi
config interface 'wwan'
option proto 'dhcp'
EOF
fi
-v cedit /etc/config/network <<EOF || network_restart=true
+cedit /etc/config/network <<EOF || network_restart=true
config 'route' 'transmission'
option 'interface' 'lan'
option 'target' '10.173.0.0'
firewall-cedit() {
if $client; then
- v cedit wific /etc/config/firewall <<EOF
+ cedit wific /etc/config/firewall <<EOF
config zone
option name wwan
option input REJECT
case $hostname in
wrt)
- v cedit host /etc/config/firewall <<EOF
+ cedit host /etc/config/firewall <<EOF
config redirect
option name ssh
option src wan
EOF
;;
cmc)
- v cedit host /etc/config/firewall <<EOF
+ cedit host /etc/config/firewall <<EOF
config redirect
option name ssh
option src wan
;;
esac
- v cedit /etc/config/firewall <<EOF
+ cedit /etc/config/firewall <<EOF
+## begin no external dns for ziva
+config rule
+ option src lan
+ option src_ip 10.2.0.23
+ option dest_port 53
+ option dest wan
+ option target REJECT
+
+
+config rule
+ option src wan
+ option dest_ip 10.2.0.23
+ option src_port 53
+ option dest lan
+ option target REJECT
+
+
+config rule
+ option src lan
+ option src_ip 10.2.0.31
+ option dest_port 53
+ option dest wan
+ option target REJECT
+
+
+config rule
+ option src wan
+ option dest_ip 10.2.0.31
+ option src_port 53
+ option dest lan
+ option target REJECT
+
+
+config rule
+ option src lan
+ option src_ip 10.2.0.32
+ option dest_port 53
+ option dest wan
+ option target REJECT
+
+
+config rule
+ option src wan
+ option dest_ip 10.2.0.32
+ option src_port 53
+ option dest lan
+ option target REJECT
+## end no external dns for ziva
+
+
config rule
option src wan
option target ACCEPT
option dest_port 443
option proto tcp
+config redirect
+option name httpskd8448
+ option src wan
+ option src_dport 8448
+ option dest lan
+ option dest_ip $l.2
+ option proto tcp
+config rule
+ option src wan
+ option target ACCEPT
+ option dest_port 8448
+ option proto tcp
+
+
config redirect
option name syncthing
option src wan
option target ACCEPT
option family ipv6
+# include a file with users custom iptables rules
+config include
+ option path /etc/firewall.user
+ option type 'restore'
+ option family 'ipv4'
+
+
EOF
}
firewall-cedit || firewall_restart=true
-v cedit /etc/hosts <<EOF || dnsmasq_restart=true
+cedit /etc/hosts <<EOF
127.0.1.1 $hostname
EOF
# not sure this case statement is needed
case $hostname in
cmc)
- v cedit host /etc/hosts <<EOF || dnsmasq_restart=true
+ cedit host /etc/hosts <<EOF
$l.1 $hostname
# 127.0.0.1 www.youtube.com
# 127.0.0.1 googlevideo.com
# todo: setup /etc/resolv.conf to point to 127.0.0.1
uset dhcp.@dnsmasq[0].resolvfile /dev/null
-# by default it will send out ipv6 dns, like this
+# if dnsmasq happens to not send out a dns server,
+# odhcpd will send one out like this:
# NetworkManager[953]: <info> [1614982580.5192] dhcp6 (wlan0): option dhcp6_name_servers => 'fd58:5801:8e02::1'
# but i dont want ipv6 dns, just keep it simple to ipv4.
-uset dhcp.@odhcpd[0].dns 10.2.0.1
+# I know my isp doesnt have ipv6 right now,
+# so just stop this thing.
+# note: tried this, it didn't do anything:
+# uset dhcp.@odhcpd[0].dns 10.2.0.1
+/etc/init.d/odhcpd stop
+/etc/init.d/odhcpd disable
+# todo: make the above conditional on which server this is.
+
+# avoid errors in log. current isp doesnt have ipv6
+uset unbound.@unbound[0].protocol ip4_only
+
+# todo: im not sure all these are needed, but they all look
+# like good options.
+# https://blog.cloudflare.com/dns-over-tls-for-openwrt/
+# https://gist.github.com/vqiu/7b32d3a19a7a09d32e108d998de166c2
+#https://blog.thestateofme.com/2018/04/04/howto-secure-your-dns-with-a-raspberry-pi-unbound-and-cloudflare-1-1-1-1/
+#
+# # i found that the zone example was having no effect on the config
+# # here:
+# https://github.com/openwrt/packages/blob/openwrt-19.07/net/unbound/files/README.md
+#
+# # todo: unbound-control, i'm not sure what the purpose of that thing is, some
+# # kind of coordination with dhcp of dnsmasq, but what?
+#
+# note: for debugging, edit /etc/init.d/unbound, change
+# procd_set_param command $PROG -d -c $UB_TOTAL_CONF
+# to:
+# procd_set_param command $PROG -vvv -d -c $UB_TOTAL_CONF
+
+{
+ cat <<'EOF'
+do-tcp: yes
+prefetch: yes
+qname-minimisation: yes
+rrset-roundrobin: yes
+use-caps-for-id: yes
+do-ip6: no
+private-domain: b8.nz
+local-zone: "10.in-addr.arpa." transparent
+access-control-view: 10.2.0.31/32 "youtube"
+EOF
+
+ if $zblock; then
+ cat <<'EOF'
+# amy, amyw, samsungtab
+access-control-view: 10.2.0.8/32 "youtube"
+access-control-view: 10.2.0.23/32 "youtube"
+access-control-view: 10.2.0.32/32 "youtube"
+EOF
+ fi
+} | cedit /etc/unbound/unbound_srv.conf || restart_unbound=true
+
+
+# dns based blocking vs ip based. with ip, same
+# server can have multiple domains. in dns,
+# you have to make sure clients to use the local dns.
+# https dns will need to be blocked by ip in
+# order to be comprehensive
+
+cedit /etc/unbound/unbound_ext.conf <<'EOF' || restart_unbound=true
+local-data-ptr: "10.2.0.1 cmc.b8.nz"
+local-data-ptr: "10.2.0.2 kd.b8.nz"
+local-data-ptr: "10.2.0.3 sy.b8.nz"
+local-data-ptr: "10.2.0.4 wrt2.b8.nz"
+local-data-ptr: "10.2.0.5 x2.b8.nz"
+local-data-ptr: "10.2.0.6 x2w.b8.nz"
+local-data-ptr: "10.2.0.7 syw.b8.nz"
+local-data-ptr: "10.2.0.8 amy.b8.nz"
+local-data-ptr: "10.2.0.9 bb8.b8.nz"
+local-data-ptr: "10.2.0.12 demohost.b8.nz"
+local-data-ptr: "10.2.0.14 wrt3.b8.nz"
+local-data-ptr: "10.2.0.19 brother.b8.nz"
+local-data-ptr: "10.2.0.23 amyw.b8.nz"
+local-data-ptr: "10.2.0.25 hp.b8.nz"
+local-data-ptr: "10.2.0.31 amazontab.b8.nz"
+local-data-ptr: "10.2.0.32 samsungtab.b8.nz"
+local-data-ptr: "10.173.0.2 transmission.b8.nz"
+local-data-ptr: "10.173.8.1 defaultnn.b8.nz"
+local-data-ptr: "10.173.8.2 nn.b8.nz"
+
+forward-zone:
+ name: "."
+# https://developers.cloudflare.com/1.1.1.1/1.1.1.1-for-families/setup-instructions/dns-over-https
+ forward-addr: 1.1.1.3@853#family.cloudflare-dns.com
+ forward-addr: 1.0.0.3@853#family.cloudflare-dns.com
+ forward-ssl-upstream: yes
+ forward-first: no
+
+view:
+ name: "youtube"
+ local-zone: "googlevideo.com." refuse
+ local-zone: "video.google.com." refuse
+ local-zone: "youtu.be." refuse
+ local-zone: "youtube-nocookie.com." refuse
+ local-zone: "youtube-ui.l.google.com." refuse
+ local-zone: "youtube.com." refuse
+ local-zone: "youtube.googleapis.com." refuse
+ local-zone: "youtubeeducation.com." refuse
+ local-zone: "youtubei.googleapis.com." refuse
+ local-zone: "yt3.ggpht.com." refuse
+ local-zone: "youtubekids.com." refuse
+ # try global if no match in view
+ view-first: yes
+EOF
+
+
+if $restart_unbound; then
+ /etc/init.d/unbound restart
+ if ! unbound-checkconf; then
+ echo $0: error: unbound-checkconf failed >&2
+ exit 1
+ fi
+fi
# disabled for now. i want to selectively enable it
# so make sure we have this dir or else dnsmasq will fail
# to start.
mkdir -p /mnt/usb/tftpboot
-v cedit /etc/dnsmasq.conf <<EOF || dnsmasq_restart=true
+cedit /etc/dnsmasq.conf <<EOF || dnsmasq_restart=true
# no dns
port=0
server=/b8.nz/#
stop-dns-rebind
rebind-domain-ok=b8.nz
-# this says the ip of default gateway and dns server,
-# but I think they are unneded and default
-#dhcp-option=3,$l.1
-#dhcp-option=6,$l.1
+# This says the ip of dns server.
+# It is default if dnsmasq is doing dns, otherwise, we have to specify it.
+# To see it in action, I ran this from a client machine:
+# sudo dhcpcd -o domain_name_servers -T
+dhcp-option=6,$l.1
server=2606:4700:4700::1113
server=2606:4700:4700::1003
+server=10.2.0.1
# server=8.8.4.4
# server=8.8.8.8
# server=2001:4860:4860::8888
dhcp-host=00:26:b6:f7:d4:d8,set:amyw,$l.23,amyw
dhcp-host=38:63:bb:07:5a:f9,set:hp,$l.25,hp
dhcp-host=00:26:b6:f6:0f:e9,set:frodow,$l.28,frodow
+dhcp-host=6c:56:97:88:7b:74,set:amazontab,$l.31,amazontab
+dhcp-host=0a:8a:9b:cf:b5:ec,set:samsungtab,$l.32,samsungtab
+
# faiserver vm
# due to the other settings, but will be used for ptr? then maybe
# we dont have to restart dnsmasq for a dns update?
#
- # todo: according to this
+ # interesing link:
# https://www.redpill-linpro.com/techblog/2019/08/27/evaluating-local-dnssec-validators.html#toggling-dnssec-validation-1
- # we should turn on dnssec validation when wrt gets version > 2.80. currently at 2.80.
- # todo: download https://downloads.openwrt.org/snapshots/packages/mipsel_24kc/base/dnsmasq-full_2.84-1_mipsel_24kc.ipk
- # and install it. then we can turn off dnssec in systemd-resolved
+ # we could turn on dnssec validation when wrt gets dnsmasq > 2.80. currently at 2.80.
+ # also we can turn off dnssec in systemd-resolved if we know the router is doing it.
#
# Also, reload of dnsmasq seems to break things, wifi
# clients were not getting internet connectivity.
+
v /etc/init.d/dnsmasq restart
fi