1 #!/bin/bash
2 # Copyright (C) 2016 Ian Kelling
3
4 # This program is free software; you can redistribute it and/or
5 # modify it under the terms of the GNU General Public License
6 # as published by the Free Software Foundation; either version 2
7 # of the License, or (at your option) any later version.
8
9 # This program is distributed in the hope that it will be useful,
10 # but WITHOUT ANY WARRANTY; without even the implied warranty of
11 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 # GNU General Public License for more details.
13
14 # You should have received a copy of the GNU General Public License
15 # along with this program; if not, write to the Free Software
16 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
17
# Abort on the first failing command (-E keeps the ERR trap active inside
# functions) and let any failing pipeline stage count as failure.
# Note: -u is NOT set, so a misspelled variable expands to an empty string
# rather than aborting; keep that in mind when reading the heredocs below.
set -eE -o pipefail
# Say which command failed and where before the shell exits.
trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR
20
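pmirror() {
  # Refresh the opkg package index if it is missing or more than a day old.
  # background: upgrading all packages is not recommended because it
  # doesn't go into the firmware. build new firmware if you want
  # lots of upgrades. I think /tmp/opkg-lists is a pre openwrt 14 location.
  # OPKG_LISTS_DIR overrides the list directory (OpenWrt default is
  # /var/opkg-lists); it mainly exists so this can be exercised off-router.
  local dir=${OPKG_LISTS_DIR:-/var/opkg-lists}
  local max_age=$((60 * 60 * 24))
  local now stale=false f
  now=$(date +%s)
  # A glob with no match stays literal, and the original then ran
  # "date -r '/var/opkg-lists/*'"; drop it and treat "no lists" as stale.
  local lists=("$dir"/*)
  [[ -e ${lists[0]} ]] || lists=()
  if (( ${#lists[@]} == 0 )); then
    stale=true
  else
    # The original only looked at the first file (bare $f of an array);
    # now any list older than max_age is enough to trigger a refresh.
    for f in "${lists[@]}"; do
      if (( $(date -r "$f" +%s) + max_age <= now )); then
        stale=true
        break
      fi
    done
  fi
  if $stale; then
    opkg update
  fi
}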
30
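pi() {
  # Install the given opkg packages, skipping any that are already present.
  # Arguments: package names. The index is refreshed (pmirror) only when
  # something actually has to be installed, and only the missing packages
  # are passed to "opkg install" (the original re-ran "opkg install <all>"
  # for every missing package it met in the loop).
  local pkg
  local missing=()
  for pkg in "$@"; do
    # opkg list-installed prints nothing when the name is not installed.
    if [[ -z $(opkg list-installed "$pkg") ]]; then
      missing+=("$pkg")
    fi
  done
  if (( ${#missing[@]} )); then
    pmirror
    opkg install "${missing[@]}"
  fi
}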
39
v() {
  # Print the command in "+ cmd args" form on stdout, then run it and
  # return its exit status. Arguments are echoed verbatim, so do not route
  # secrets (wifi keys, tokens) through v.
  local shown="$*"
  printf '+ %s\n' "$shown"
  "$@"
}
44
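### network config
###
ssid="check out gnu.org"
lan=10.0.0.0
mask=255.255.0.0
# lan prefix without the trailing ".0", so hosts below are "$l.N"
l=${lan%.0}

# Lock the root password so only key-based ssh logins work. A second run
# fails because it is already locked, hence the ||:.
passwd -l root ||: #already locked fails

# Helper that exposes the tftp tree at the path the Arch ISO expects its NFS
# share at. Written verbatim (quoted heredoc) and run by hand when needed.
cat >/usr/bin/arch-pxe-mount <<'EOFOUTER'
#!/bin/bash
# symlinks are collapsed for nfs mount points, so use a bind mount.
# tried putting this in /etc/config/fstab,
# then doing block mount, it didn't work. This doesn't persist across reboots,
# todo: figure that out
d=/run/archiso/bootmnt
cat > /etc/fstab <<EOF
/mnt/usb/tftpboot $d none bind 0 0
EOF
mount | grep -q -- "$d" || mount "$d"
/etc/init.d/nfsd restart
EOFOUTER
chmod +x /usr/bin/arch-pxe-mount

# Drop interactive logins into bash. The original wrote a relative
# ".profile", i.e. into whatever directory the script happened to be run
# from; root's home is the intended target.
cat >"${HOME:-/root}/.profile" <<'EOF'
# changing login shell emits spam on ssh single commands & scp
# sed -i 's#/bin/ash$#/bin/bash#' /etc/passwd
# https://github.com/openwrt/packages/issues/6137
[ "$BASH_VERSION" != "" ] || exec /bin/bash -i
EOF
v pi kmod-usb-storage block-mount kmod-fs-ext4 nfs-kernel-server \
   tcpdump openvpn-openssl adblock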
77
78
79
80
81
# mount /etc/config/fstab entries at boot; already-enabled fails, so ||:.
v /etc/init.d/fstab enable ||:

# rebooting makes mounting work, but comparing lsmod,
# i'm guessing this will too. todo, test it.
# 255 == module already loaded
# after "||", $? is modprobe's status; any other non-zero status makes the
# list fail and, under set -e, aborts the script.
for mod in scsi_mod sd_mod; do v modprobe $mod || [[ $? == 255 ]]; done

# for arch pxe. The default settings in the installer expect to find
# the NFS at /run/archiso/bootmnt
mkdir -p /run/archiso/bootmnt

# todo: at some later time, i found /mnt/usb not mounted, watch to see if
# that is the case after running this or rebooting.
# wiki says safe to do in case of fstab changes:

## ian: usb broke on old router. if that happens, can just comment this to disable problems
# cedit is an external helper, not in this file. From how it is used here it
# looks like it rewrites the target from stdin and returns non-zero when the
# content changed — confirm against its source. This first call feeds an
# empty stdin, presumably to clear what cedit manages before the real
# content is written; its status is deliberately ignored.
echo | cedit /etc/config/fstab ||:
# on change, re-run block-mount so the new config takes effect. Note
# anon_mount 1 (as I read block-mount) also auto-mounts any other partition
# it finds, so a stray USB stick will show up under /mnt as well.
cedit /etc/config/fstab <<'EOF' || { v block umount; v block mount; }
config global automount
option from_fstab 1
option anon_mount 1

config mount
option target /mnt/usb
option device /dev/sda1
option fstype ext4
option options rw,async,noatime,nodiratime
option enabled 1
EOF
111
112
113 # ian: disabled because afaik I don't need it, no benefit.
114 # config global autoswap
115 # option from_fstab 1
116 # option anon_swap 1
117
118 # config swap
119 # option device /dev/sda1
120 # option enabled 1
121
122
123
124
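# exportfs -ra wont cut it when its the same path, but now a bind mount
# The original interpolated "$netmask", which is not defined anywhere in
# this script (the lan mask variable is "$mask"); with no -u it expanded to
# nothing and the export lines came out as "10.0.0.0/(rw,...)".
# Both exports are deliberately wide open to the whole LAN: rw,
# no_root_squash (remote root stays root on these files) and insecure
# (clients may use unprivileged source ports) are what PXE / NFS-root
# installs need. Any LAN host can therefore write /mnt/usb as root, so do
# not widen $lan/$mask beyond the LAN.
cedit /etc/exports <<EOF || v /etc/init.d/nfsd restart ||:
/mnt/usb $lan/$mask(rw,no_root_squash,insecure,sync,no_subtree_check)
# for arch pxe
/run/archiso/bootmnt $lan/$mask(rw,no_root_squash,insecure,sync,no_subtree_check)
EOF


v /etc/init.d/portmap start
v /etc/init.d/nfsd start
v /etc/init.d/portmap enable
v /etc/init.d/nfsd enable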
137
138
139
140
141
142
143 ######### uci example:#######
144 # # https://wiki.openwrt.org/doc/uci
145 # wan_index=$(uci show firewall | sed -rn 's/firewall\.@zone\[([0-9])+\]\.name=wan/\1/p')
146 # wan="firewall.@zone[$wan_index]"
147 # if [[ $(uci get firewall.@forwarding[0].dest) != $forward_dest ]]; then
148 # # default is wan
149 # v uci set firewall.@forwarding[0].dest=$forward_dest
150 # uci commit firewall
151 # firewall_restart=true
152 # fi
153
154
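# Wireless: same SSID and PSK on both radios.
# The PSK used to be hard-coded in this file. It now comes from the
# WRT_WIFI_KEY environment variable, or from /root/.wrt-wifi-key (a single
# line, keep it mode 0600), so the secret is not committed with the script.
if [[ -z ${WRT_WIFI_KEY:-} && -r /root/.wrt-wifi-key ]]; then
  # read returns 1 on a file with no trailing newline; the :? below still
  # catches an empty value.
  IFS= read -r WRT_WIFI_KEY </root/.wrt-wifi-key || true
fi
key=${WRT_WIFI_KEY:?set WRT_WIFI_KEY (or /root/.wrt-wifi-key) to the wifi PSK}
# The original initialised this to true, which restarted wifi on every run
# and made the change tracking below pointless.
wireless_restart=false
for x in 0 1; do
  if [[ $(uci get wireless.default_radio$x.ssid) != "$ssid" ]]; then
    v uci set wireless.default_radio$x.ssid="$ssid"
    wireless_restart=true
  fi
  # Not routed through v: v echoes its arguments and would print the PSK.
  # The comparison is quoted so glob characters in the key do not match.
  if [[ $(uci get wireless.default_radio$x.key) != "$key" ]]; then
    printf '+ uci set wireless.default_radio%s.key=<redacted>\n' "$x"
    uci set wireless.default_radio$x.key="$key"
    wireless_restart=true
  fi
  # The original compared and set "encryption" against $key (a copy-paste
  # slip from the block above). A PSK implies WPA2-PSK, i.e. psk2; as far as
  # I can tell OpenWrt's hostapd glue treats an unknown mode as no
  # encryption, which would leave the AP open — confirm on the device.
  if [[ $(uci get wireless.default_radio$x.encryption) != psk2 ]]; then
    v uci set wireless.default_radio$x.encryption=psk2
    wireless_restart=true
  fi
  if [[ $(uci get wireless.default_radio$x.disabled 2>/dev/null) ]]; then
    v uci delete wireless.default_radio$x.disabled
    wireless_restart=true
  fi
done

if $wireless_restart; then
  uci commit wireless
  v wifi
fi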
180
181
########## openvpn example
183 ########## missing firewall settings for routing lan
184 ########## traffic
185 # v /etc/init.d/openvpn start
186 # v /etc/init.d/openvpn enable
187
188 # # from https://wiki.openwrt.org/doc/uci/firewall
189 # # todo: not sure if /etc/init.d/network needs restarting.
190 # # I did, and I had to restart the vpn afterwards.
191 # # This maps a uci interface to a real interface which is
192 # # managed outside of uci.
193 # v cedit /etc/config/network <<'EOF' ||:
194 # config interface 'tun0'
195 # option ifname 'tun0'
196 # option proto 'none'
197 # EOF
198 # v cedit /etc/config/openvpn <<'EOF' || v /etc/init.d/openvpn restart
199 # config openvpn my_client_config
200 # option enabled 1
201 # option config /etc/openvpn/client.conf
202 # EOF
203
204
205
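# Static route to the transmission netns subnet via frodo ($l.3). It lives
# in /etc/config/network, so reload the network when it changes.
v cedit /etc/config/network <<EOF || v /etc/init.d/network reload
config 'route' 'transmission'
option 'interface' 'lan'
option 'target' '10.173.0.0'
option 'netmask' '255.255.0.0'
option 'gateway' '$l.3'
EOF

# WAN port forwards. Each "config redirect" DNATs a WAN port to a LAN host
# ($l.8 = tp, $l.3 = frodo). The paired "config rule" with src wan and no
# dest appears to be an INPUT accept on the router itself for the same port,
# not something the forward needs; if a redirect is ever removed, remove its
# rule too or that router port stays reachable from the WAN. The 22, 2222
# and 22001 entries carry no proto and so match both tcp and udp.
# firewall_restart was never initialised before this point; "if $var" on an
# empty value is a null command that succeeds, so the firewall was restarted
# on every run. Start from false so only a real change triggers a restart.
firewall_restart=false
v cedit /etc/config/firewall <<EOF || firewall_restart=true
config redirect
option name ssh
option src wan
option src_dport 22
option dest_ip $l.8
option dest lan
config rule
option src wan
option target ACCEPT
option dest_port 22

config redirect
option name sshalt
option src wan
option src_dport 2222
option dest_port 22
option dest_ip $l.3
option dest lan
config rule
option src wan
option target ACCEPT
option dest_port 2222

config redirect
option src wan
option src_dport 443
option dest lan
option dest_ip $l.8
option proto tcp
config rule
option src wan
option target ACCEPT
option dest_port 443
option proto tcp

config redirect
option src wan
option src_dport 1196
option dest lan
option dest_ip $l.8
option proto udp
config rule
option src wan
option target ACCEPT
option dest_port 1196
option proto udp


config redirect
option src wan
option src_dport 80
option dest lan
option dest_ip $l.8
option proto tcp
config rule
option src wan
option target ACCEPT
option dest_port 80
option proto tcp

config redirect
option name syncthing
option src wan
option src_dport 22001
option dest_ip $l.8
option dest lan
config rule
option src wan
option target ACCEPT
option dest_port 22001



EOF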
289
290
291
292
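dnsmasq_restart=false
# The original first ran "grep -F mail.iankelling.org /etc/hosts | awk ..."
# into a mail_host variable that nothing used. With set -e -o pipefail a
# grep miss makes that assignment fail and aborts the whole script, and the
# hosts file written below does not contain that name, so on a fresh router
# the run died here. Removed; if the entry is needed, add it to the heredoc.
v cedit /etc/hosts <<EOF || dnsmasq_restart=true
127.0.1.1 wrt
$l.1 wrt
$l.2 kd
$l.3 frodo
$l.4 htpc
$l.5 x2
$l.6 demohost
#$l.7 faiserver
$l.8 tp faiserver b8.nz
$l.9 n5
$l.10 so
$l.12 fz
72.14.176.105 li
45.33.9.11 lj
138.68.10.24 dopub
# netns creation looks for next free subnet starting at 10.173, but I only
# use one, and I would keep this one as the first created.
10.173.0.2 transmission
EOF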
319
320
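# avoid using the dns servers that my isp tells me about.
# (uci paths are quoted: the [0] is a glob to the shell.)
if [[ $(uci get 'dhcp.@dnsmasq[0].resolvfile' 2>/dev/null) ]]; then
  # default is '/tmp/resolv.conf.auto', we switch to the dnsmasq default of
  # /etc/resolv.conf. not sure why I did this.
  v uci delete 'dhcp.@dnsmasq[0].resolvfile'
  uci commit dhcp
  dnsmasq_restart=true
fi

if [[ $(uci get 'dhcp.@dnsmasq[0].domain') != b8.nz ]]; then
  v uci set 'dhcp.@dnsmasq[0].domain=b8.nz'
  uci commit dhcp
  dnsmasq_restart=true
fi
# "local" is written as /b8.nz/; the original compared it against the bare
# "b8.nz", which never matched, so dnsmasq was reconfigured and restarted
# on every run. Compare against the value that is actually stored.
if [[ $(uci get 'dhcp.@dnsmasq[0].local') != /b8.nz/ ]]; then
  v uci set 'dhcp.@dnsmasq[0].local=/b8.nz/'
  uci commit dhcp
  dnsmasq_restart=true
fi

if [[ $(uci get 'system.@system[0].hostname') != wrt ]]; then
  v uci set 'system.@system[0].hostname=wrt'
  uci commit system
fi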
345
346
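if [[ $(uci get adblock.global.adb_enabled) != 1 ]]; then
  v uci set adblock.global.adb_enabled=1
  uci commit adblock
  /etc/init.d/adblock restart
fi
# https://github.com/openwrt/packages/tree/master/net/adblock/files
# Note: this replaces root's whole crontab, so any other job has to be
# added here rather than with "crontab -e".
cat >/etc/crontabs/root <<'EOF'
0 06 * * * /etc/init.d/adblock reload
EOF


# useful: http://wiki.openwrt.org/doc/howto/dhcp.dnsmasq

# sometimes /mnt/usb fails, cuz it's just a flash drive,
# so make sure we have this dir or else dnsmasq will fail
# to start.
mkdir -p /mnt/usb/tftpboot
# Two caveats on the config below, kept out of the heredoc so the generated
# file stays byte-identical:
# - the tftp server is unauthenticated (tftp always is) and bound to br-lan
#   only. Nothing in tftp-root is secret, but it is the PXE boot tree and
#   /mnt/usb is exported rw,no_root_squash to the whole LAN above, so any
#   LAN host can replace the images other machines boot from.
# - the "demohost" guard against reformatting a random pxe-booted machine is
#   MAC-based; MACs are trivially spoofed, so treat it as a safety check,
#   not a security boundary.
v cedit /etc/dnsmasq.conf <<EOF || dnsmasq_restart=true

# https://ret2got.wordpress.com/2018/01/19/how-your-ethereum-can-be-stolen-using-dns-rebinding/
stop-dns-rebind

# this says the ip of default gateway and dns server,
# but I think they are unneded and default
#dhcp-option=3,$l.1
#dhcp-option=6,$l.1



# results from googling around dnsmasq optimizations
# about 50k in memory. router has 62 megs.
# in a browsing session, I probably won't ever do 5000 lookups
# before the ttl expiration or whatever does expiration.
cache-size=10000

# ask all servers, use the one which responds first.
# http://ma.ttwagner.com/make-dns-fly-with-dnsmasq-all-servers/
all-servers

# namebench benchmarks dns servers. google's dns was only
# slightly less fast than some others, and I trust it more
# to give accurate results, stay relatively fast, and
# not do anythin too malicious, so just use that.
# download namebench and run it like this:
# for x in all regional isp global preferred nearby; do ./namebench.py -s \$x -c US -i firefox -m weighted -J 10 -w; echo \$x; hr; done
# google
server=8.8.4.4
server=8.8.8.8
server=2001:4860:4860::8888
server=2001:4860:4860::8844


# to fixup existin ips, on the client you can do
# sudo dhclient -r; sudo dhclient <interface-name>

# default dhcp range is 100-150
# bottom port, iPXE (PCI 03:00.0) in seabios boot menu
dhcp-host=c8:60:00:31:6b:75,set:kd,$l.2,kd
# top port, iPXE (PCI 04:00.0) in seabios boot menu
#dhcp-host=c8:60:00:2b:15:07,set:kd,$l.2,kd
dhcp-host=00:26:18:97:bb:16,set:frodo,$l.3,frodo
dhcp-host=10:78:d2:da:29:22,set:htpc,$l.4,htpc
dhcp-host=00:1f:16:16:39:24,set:x2,$l.5,x2
#dhcp-host=00:c0:ca:27:e9:b2,set:x2w,$l.11,x2w
#wireless interface
# this is so fai can have an explicit name to use for testing,
# or else any random machine which did a pxe boot would get
# reformatted. The mac is from doing a virt-install, cancelling it,
# and copying the generated mac, so it should be randomish.
dhcp-host=52:54:00:9c:ef:ad,set:demohost,$l.6,demohost
#dhcp-host=52:54:00:56:09:f9,set:faiserver,$l.7,faiserver
dhcp-host=80:fa:5b:1c:6e:cf,set:tp,$l.8,tp
# this is the ip it picks by default if dhcp fails,
# so might as well use it.
# hostname is the name it uses according to telnet
dhcp-host=b4:75:0e:94:29:ca,set:switch9429ca,$l.251,switch9429ca

# template
# dhcp-host=,$l.,

# Just leave the tftp server up even if we aren't doing pxe boot.
# It has no sensitive info.
enable-tftp=br-lan
tftp-root=/mnt/usb/tftpboot
EOF

# Either flag may be unset if an earlier section was skipped or edited out,
# and "if $flag" on an empty value is a null command that succeeds (which
# is why the firewall used to restart on every run). Default them to false.
if ${dnsmasq_restart:-false}; then
  v /etc/init.d/dnsmasq restart
fi

if ${firewall_restart:-false}; then
  v /etc/init.d/firewall restart
fi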
440
441
# LAN address and mask. Changing either needs a reboot, so flag it and
# reboot once at the end instead of per option.
reboot=false
for opt in ipaddr netmask; do
  case $opt in
    ipaddr) want=$l.1 ;;
    netmask) want=$mask ;;
  esac
  if [[ $(uci get network.lan.$opt) != "$want" ]]; then
    v uci set network.lan.$opt="$want"
    uci commit network
    reboot=true
  fi
done

if $reboot; then
  reboot
fi
exit 0