1 #!/bin/bash
2
# Strict mode: stop at the first failing command, let the ERR trap fire
# inside functions/subshells too (errtrace), and fail a pipeline when any
# stage fails. The trap reports where the script died and what it ran.
set -o errexit -o errtrace -o pipefail
trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR
5
6 # ssh
7
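pmirror() {
  # Refresh the opkg package lists, but at most once a day.
  #
  # Background: upgrading all packages is not recommended because it
  # doesn't go into the firmware. Build new firmware if you want
  # lots of upgrades.
  #
  # Globals: OPKG_LISTS_DIR (read) — where opkg keeps its downloaded
  #   lists; defaults to opkg's own /tmp/opkg-lists. Overridable so the
  #   freshness check can be exercised without touching /tmp.
  # Outputs: whatever `opkg update` prints.
  # Returns: the status of `opkg update`, or 0 when the lists are fresh.
  local lists_dir=${OPKG_LISTS_DIR:-/tmp/opkg-lists}
  local -a lists=("$lists_dir"/*)
  local f=${lists[0]}
  # With no lists (fresh flash, or directory missing) the glob stays
  # literal and `date -r` would error out under set -e; treat that as
  # "never updated" and refresh.
  if [[ ! -e $f ]] || ! (( $(date -r "$f" +%s) + 60*60*24 > $(date +%s) )); then
    opkg update
  fi
}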
18
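pi() {
  # Install the given opkg packages if any of them is missing.
  #
  # Arguments: package names.
  # The whole list goes to a single `opkg install` as soon as the first
  # missing package is found, and the function returns: the remaining
  # per-package checks (and repeated installs) of the original loop were
  # redundant, since that one install already covers every argument.
  # Returns: 0 when nothing was missing, else the status of `opkg install`.
  local pkg
  for pkg in "$@"; do
    if [[ -z $(opkg list-installed "$pkg") ]]; then
      pmirror
      opkg install "$@"
      return
    fi
  done
}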
27
v() {
  # Verbose run: print the command line prefixed with "+ " (like set -x),
  # then execute it.
  # Arguments: the command and its arguments.
  # Returns: the command's exit status.
  local -a cmd=("$@")
  printf "+ %s\n" "${cmd[*]}"
  "${cmd[@]}"
}
32
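# Install a helper that exposes the tftpboot tree at the path the archiso
# installer expects (/run/archiso/bootmnt) via a bind mount, then
# restarts nfsd so the export picks it up. A symlink would not work:
# symlinks are collapsed at NFS mount points.
cat >/usr/bin/arch-pxe-mount <<'EOFOUTER'
#!/bin/bash
# symlinks are collapsed for nfs mount points, so use a bind mount.
# tried putting this in /etc/config/fstab,
# then doing block mount, it didn't work. This doesn't persist across reboots,
# todo: figure that out
# Stop at the first failure so nfsd isn't restarted on an unmounted path.
set -e
d=/run/archiso/bootmnt
# NOTE: this replaces /etc/fstab wholesale; any other entries there are lost.
cat > /etc/fstab <<EOF
/mnt/usb/tftpboot $d none bind 0 0
EOF
mount | grep -q -- "$d" || mount "$d"
/etc/init.d/nfsd restart
EOFOUTER
chmod +x /usr/bin/arch-pxe-mount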
47
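# Login profile: hop from the default ash into bash for interactive
# sessions only. Non-interactive sessions (ssh single commands, scp) have
# an empty $PS1 and are left alone — changing the login shell in
# /etc/passwd instead emits spam on them:
#   sed -i 's#/bin/ash$#/bin/bash#' /etc/passwd
#   https://dev.openwrt.org/ticket/13852
# Written to the invoking user's home (presumably root's, which is where
# the former relative `cat >.profile` landed when run from /root —
# confirm) instead of whatever the current directory happens to be.
cat >"${HOME:-/root}/.profile" <<'EOF'
# Interactive login: hand the session over to bash. `exec` rather than
# run-then-exit so no ash parent lingers, and only when bash is actually
# installed, so a missing package can't lock us out of the shell.
[ -n "$PS1" ] && [ -x /bin/bash ] && exec /bin/bash
EOF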
# USB storage + ext4 for the attached disk, the NFS server for the PXE/FAI
# exports below, tcpdump for debugging, and openvpn for the (currently
# commented-out) VPN client config further down.
v pi \
  kmod-usb-storage block-mount kmod-fs-ext4 \
  nfs-kernel-server \
  tcpdump openvpn-openssl
59
60
61
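# Wireless: switch every still-open wifi-iface (encryption 'none') to
# WPA2-PSK, drop every `option disabled` so radios and ifaces come up,
# then reload wifi.
#
# The pre-shared key is taken from the environment rather than written
# into this version-controlled script, and it is applied through uci
# rather than a sed replacement so a key containing '/', '&' or '\' can't
# corrupt the config. Run as:  WIFI_PSK='...' ./wrt-setup
# WPA2 accepts an 8-63 character passphrase or a 64-hex-digit key.
: "${WIFI_PSK:?set WIFI_PSK to the WPA2 pre-shared key (8-63 chars)}"
(( ${#WIFI_PSK} >= 8 && ${#WIFI_PSK} <= 64 )) \
  || { echo "$0: WIFI_PSK must be 8-64 characters" >&2; exit 1; }
while IFS= read -r sect; do
  v uci set "wireless.$sect.encryption=psk2"
  # deliberately not through v(): v echoes its arguments, and the key
  # must not end up in the console/log output.
  uci set "wireless.$sect.key=$WIFI_PSK"
done < <(uci show wireless | sed -rn "s/^wireless\.([^.]+)\.encryption='?none'?\$/\1/p")
while IFS= read -r sect; do
  v uci delete "wireless.$sect.disabled"
done < <(uci show wireless | sed -rn 's/^wireless\.([^.]+)\.disabled=.*/\1/p')
uci commit wireless
v wifi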
65
66
# Best effort: older images may not ship this init script.
v /etc/init.d/fstab enable ||:

# rebooting makes mounting work, but comparing lsmod,
# i'm guessing this will too. todo, test it.
# Per the original note, modprobe exits 255 when the module is already
# loaded; that is fine, any other failure aborts the script (set -e).
for mod in scsi_mod sd_mod; do
  rc=0
  v modprobe "$mod" || rc=$?
  [[ $rc == 0 || $rc == 255 ]]
done

# for arch pxe. The default settings in the installer expect to find
# the NFS at /run/archiso/bootmnt
mkdir -p /run/archiso/bootmnt
77
# todo: at some later time, i found /mnt/usb not mounted, watch to see if
# that is the case after running this or rebooting.
# wiki says safe to do in case of fstab changes:
# cedit (defined elsewhere in this repo) appears to return non-zero when
# it changed the file, so the remount only runs on a change —
# NOTE(review): confirm that convention; every cedit call in this script
# relies on it.
# Security note: anon_mount/anon_swap presumably make block-mount attach
# any unlisted block device that gets plugged in, and fsck is turned off
# for the USB data partition (enabled_fsck 0) — both are convenience over
# safety choices for a router that sits on a physically accessible shelf.
cedit /etc/config/fstab <<'EOF' || { v block umount; v block mount; }
config global automount
option from_fstab 1
option anon_mount 1

config global autoswap
option from_fstab 1
option anon_swap 1

config mount
option target /mnt/usb
option device /dev/sda2
option fstype ext4
option options rw,async,noatime,nodiratime
option enabled 1
option enabled_fsck 0

config swap
option device /dev/sda1
option enabled 1

EOF
103
104
105
# `exportfs -ra` won't cut it when it is the same path but now a bind
# mount, so nfsd is restarted whenever the exports file changes (best
# effort: the restart failing must not abort the script).
# Security note: both exports are rw with no_root_squash (root on any
# 192.168.1.0/24 host is root on these trees) and insecure (clients may
# connect from unprivileged ports, i.e. any unprivileged process on a
# LAN host can talk to the export). Anything on the LAN — including a
# freshly PXE-booted or compromised machine — can therefore rewrite the
# boot images and the tftp tree (/mnt/usb/tftpboot lives inside the first
# export). Keep this LAN-only behind the firewall; if the archiso
# installer only needs to read /run/archiso/bootmnt, ro + root_squash
# would be the tighter choice for that line.
cedit /etc/exports <<'EOF' || v /etc/init.d/nfsd restart ||:
/mnt/usb 192.168.1.0/255.255.255.0(rw,no_root_squash,insecure,sync,no_subtree_check)
# for arch pxe
/run/archiso/bootmnt 192.168.1.0/255.255.255.0(rw,no_root_squash,insecure,sync,no_subtree_check)
EOF
112
113
# Bring up the RPC portmapper and the NFS server now, then make both
# start at boot (same order as before: both starts, then both enables).
for action in start enable; do
  for svc in portmap nfsd; do
    v "/etc/init.d/$svc" "$action"
  done
done
118
119
120
121
122
123
124 ######### uci example:#######
125 # # https://wiki.openwrt.org/doc/uci
126 # wan_index=$(uci show firewall | sed -rn 's/firewall\.@zone\[([0-9])+\]\.name=wan/\1/p')
127 # wan="firewall.@zone[$wan_index]"
128 # if [[ $(uci get firewall.@forwarding[0].dest) != $forward_dest ]]; then
129 # # default is wan
130 # v uci set firewall.@forwarding[0].dest=$forward_dest
131 # uci commit firewall
132 # firewall_restart=true
133 # fi
134
135
136
########## openvpn example
138 ########## missing firewall settings for routing lan
139 ########## traffic
140 # v /etc/init.d/openvpn start
141 # v /etc/init.d/openvpn enable
142
143 # # from https://wiki.openwrt.org/doc/uci/firewall
144 # # todo: not sure if /etc/init.d/network needs restarting.
145 # # I did, and I had to restart the vpn afterwards.
146 # # This maps a uci interface to a real interface which is
147 # # managed outside of uci.
148 # v cedit /etc/config/network <<'EOF' ||:
149 # config interface 'tun0'
150 # option ifname 'tun0'
151 # option proto 'none'
152 # EOF
153 # v cedit /etc/config/openvpn <<'EOF' || v /etc/init.d/openvpn restart
154 # config openvpn my_client_config
155 # option enabled 1
156 # option config /etc/openvpn/client.conf
157 # EOF
158
159
160
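# Port forwards from the WAN to the home server at 192.168.1.2 (ssh,
# https, http). Each `config redirect` is a DNAT; the ssh entries now
# carry `option proto tcp` like the http/https ones — OpenWrt applies a
# redirect/rule without `proto` to both tcp and udp, and ssh is TCP only,
# so this is the least exposure that still does the job.
# NOTE(review): the `config rule` entries have `src wan` and no `dest`,
# which in OpenWrt makes them *input* rules for the router itself rather
# than forward rules; the redirect already generates the forward accept,
# so they look redundant — and should a redirect ever be removed they
# would leave whatever listens on the router's own 22/80/443 (typically
# dropbear/uhttpd) reachable from the internet. Worth confirming and
# dropping.
# firewall_restart is initialised here (mirroring dnsmasq_restart) so the
# final `if` below sees a defined value when nothing changed.
firewall_restart=false
v cedit /etc/config/firewall <<'EOF' || firewall_restart=true
config redirect
option name ssh
option src wan
option src_dport 22
option dest_ip 192.168.1.2
option dest lan
option proto tcp
config rule
option src wan
option target ACCEPT
option dest_port 22
option proto tcp


#http/https
config redirect
option src wan
option src_dport 443
option dest lan
option dest_ip 192.168.1.2
option proto tcp
config rule
option src wan
option target ACCEPT
option dest_port 443
option proto tcp

config redirect
option src wan
option src_dport 80
option dest lan
option dest_ip 192.168.1.2
option proto tcp
config rule
option src wan
option target ACCEPT
option dest_port 80
option proto tcp

EOF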
200
201
202
203
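dnsmasq_restart=false
# Static names for the LAN boxes and a few remote hosts; dnsmasq serves
# these to clients, so it is restarted if the file changed. The heredoc
# delimiter is quoted because the content is literal data: an entry that
# ever contains '$' or backticks must not be expanded by bash.
v cedit /etc/hosts <<'EOF' || dnsmasq_restart=true
192.168.1.1 wrt
192.168.1.2 treetowl faiserver
192.168.1.3 frodo
192.168.1.4 htpc
192.168.1.5 x2
192.168.1.6 testvm
192.168.1.8 tp
72.14.176.105 li
173.255.202.210 lj
23.239.31.172 lk
138.68.10.24 dopub
# cant ssh to do when on vpn. some routing/firewall rule or something,
# I don't know. I can get there from wrt but not my machine.
# but we can get to it from this address, so, good enough.
10.8.0.1 do
EOF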
222
223
# Avoid the DNS servers the ISP hands out over DHCP.
# The uci default resolvfile is '/tmp/resolv.conf.auto' (the ISP list);
# removing the option makes dnsmasq fall back to its own default,
# /etc/resolv.conf, and the upstream servers are pinned explicitly in
# /etc/dnsmasq.conf below.
if [[ -n $(uci get "dhcp.@dnsmasq[0].resolvfile") ]]; then
  v uci delete "dhcp.@dnsmasq[0].resolvfile"
  uci commit dhcp
  dnsmasq_restart=true
fi
232
233
# useful: http://wiki.openwrt.org/doc/howto/dhcp.dnsmasq
# Extra dnsmasq settings (OpenWrt's dnsmasq init passes this file as an
# additional conf-file alongside the uci-generated one, as far as I know —
# confirm): cache size, upstream resolvers, fixed DHCP leases and the tftp
# root. dnsmasq is restarted only if cedit reports a change.
# Security / consistency notes:
# - `all-servers` fans every query out to all four resolvers listed
#   below, all Google; fast, but every lookup goes to a single provider in
#   the clear (no DNSSEC validation or DNS-over-TLS is configured here).
# - `tftp-root` on its own does not start dnsmasq's TFTP server; that
#   needs `enable-tftp` (or the uci equivalent) somewhere else — confirm
#   which is intended. Whatever sits under /mnt/usb/tftpboot is also
#   exported rw over NFS above, so "no sensitive info" has to hold for
#   writes as well as reads.
# - NOTE(review): /etc/hosts above maps faiserver to 192.168.1.2 while the
#   lease here gives 52:54:00:56:09:f9/faiserver 192.168.1.7, and .6 is
#   "testvm" there but "demohost" here — one side is stale.

v cedit /etc/dnsmasq.conf <<'EOF' || dnsmasq_restart=true

############ updating dns servers ###################3


# this says the ip of default gateway and dns server,
# but I think they are unneded and default
#dhcp-option=3,192.168.1.1
#dhcp-option=6,192.168.1.1



# results from googling around dnsmasq optimizations
# about 50k in memory. router has 62 megs.
# in a browsing session, I probably won't ever do 5000 lookups
# before the ttl expiration or whatever does expiration.
cache-size=10000

# ask all servers, use the one which responds first.
# http://ma.ttwagner.com/make-dns-fly-with-dnsmasq-all-servers/
all-servers

# namebench benchmarks dns servers. google's dns was only
# slightly less fast than some others, and I trust it more
# to give accurate results, stay relatively fast, and
# not do anythin too malicious, so just use that.
# download namebench and run it like this:
# for x in all regional isp global preferred nearby; do ./namebench.py -s $x -c US -i firefox -m weighted -J 10 -w; echo $x; hr; done
# google
server=8.8.4.4
server=8.8.8.8
server=2001:4860:4860::8888
server=2001:4860:4860::8844


# to fixup existin ips, on the client you can do
# sudo dhclient -r; sudo dhclient <interface-name>

# default dhcp range is 100-150
dhcp-host=f4:6d:04:02:ed:66,set:treetowl,192.168.1.2,treetowl
dhcp-host=00:26:18:97:bb:16,set:frodo,192.168.1.3,frodo
dhcp-host=10:78:d2:da:29:22,set:htpc,192.168.1.4,htpc
dhcp-host=00:1f:16:16:39:24,set:x2,192.168.1.5,x2
# this is so fai can have an explicit name to use for testing,
# or else any random machine which did a pxe boot would get
# reformatted. The mac is from doing a virt-install, cancelling it,
# and copying the generated mac, so it should be randomish.
dhcp-host=52:54:00:9c:ef:ad,set:demohost,192.168.1.6,demohost
dhcp-host=52:54:00:56:09:f9,set:faiserver,192.168.1.7,faiserver
dhcp-host=80:fa:5b:1c:6e:cf,set:tp,192.168.1.8,tp
# this is the ip it picks by default if dhcp fails,
# so might as well use it.
# hostname is the name it uses according to telnet
dhcp-host=b4:75:0e:94:29:ca,set:switch9429ca,192.168.1.251,switch9429ca


# template
# dhcp-host=,192.168.1.,

# Just leave the tftp server up even if we aren't doing pxe boot.
# It has no sensitive info.
tftp-root=/mnt/usb/tftpboot
EOF
299
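# Restart the services whose config changed above. The flags are read
# with a default: firewall_restart is only ever assigned when its cedit
# reports a change, and a bare `if $unset_var` expands to an empty
# command, which bash treats as success — so the original restarted the
# firewall unconditionally. Comparing against the literal "true" also
# keeps a stray value from being executed as a command.
if [[ ${dnsmasq_restart:-false} == true ]]; then
  v /etc/init.d/dnsmasq restart
fi

if [[ ${firewall_restart:-false} == true ]]; then
  v /etc/init.d/firewall restart
fi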