add copyright, fix arch
1 #!/bin/bash
2 # Copyright (C) 2016 Ian Kelling
3
4 # This program is free software; you can redistribute it and/or
5 # modify it under the terms of the GNU General Public License
6 # as published by the Free Software Foundation; either version 2
7 # of the License, or (at your option) any later version.
8
9 # This program is distributed in the hope that it will be useful,
10 # but WITHOUT ANY WARRANTY; without even the implied warranty of
11 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 # GNU General Public License for more details.
13
14 # You should have received a copy of the GNU General Public License
15 # along with this program; if not, write to the Free Software
16 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
17
# Abort on the first failing command (errexit), let the ERR trap fire inside
# functions and subshells too (errtrace), and make a failing stage fail the
# whole pipeline (pipefail).
set -o errexit -o errtrace -o pipefail
# Report the failing command and its status on stderr before exiting.
trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR
20
21 # ssh
22
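#######################################
# Refresh the opkg package lists when the cached list is older than a day
# (or when no list has been cached yet).
# background: upgrading all packages is not recommended because it
# doesn't go into the firmware. build new firmware if you want
# lots of upgrades.
# Globals:   none written (all locals)
# Arguments: none
# Returns:   status of 'opkg update', 0 when the cache is still fresh
#######################################
pmirror() {
  local lists list now
  # nullglob is off, so an unmatched glob stays literal; the -e test below
  # therefore also covers the "no list cached yet" case instead of feeding
  # a non-existent path to date.
  lists=(/tmp/opkg-lists/*)
  list=${lists[0]}
  now=$(date +%s)
  if [[ ! -e $list ]] || (( $(date -r "$list" +%s) + 60*60*24 <= now )); then
    opkg update
  fi
}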
33
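#######################################
# Install the given opkg packages that are not installed yet.
# Collects the missing ones first so the package lists are refreshed and
# 'opkg install' is run at most once, and only for what is actually missing.
# Globals:   none written
# Arguments: package names
# Returns:   status of 'opkg install', 0 when nothing is missing
#######################################
pi() {
  local pkg missing=()
  for pkg in "$@"; do
    # empty output from list-installed == not installed
    if [[ ! $(opkg list-installed "$pkg") ]]; then
      missing+=("$pkg")
    fi
  done
  if (( ${#missing[@]} )); then
    pmirror
    opkg install "${missing[@]}"
  fi
}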
42
#######################################
# Echo a command line to stdout (prefixed with "+ ") and then run it.
# Arguments: the command and its arguments
# Returns:   the command's exit status
#######################################
v() {
  local shown="$*"
  printf '+ %s\n' "$shown"
  "$@"
}
47
# Install a helper script that bind-mounts the tftpboot tree at the path the
# Arch installer looks for. The quoted delimiter keeps $d for the helper
# itself; nothing is expanded at write time. Note the helper replaces
# /etc/fstab wholesale with the single bind entry.
cat <<'EOFOUTER' >/usr/bin/arch-pxe-mount
#!/bin/bash
# symlinks are collapsed for nfs mount points, so use a bind mount.
# tried putting this in /etc/config/fstab,
# then doig block mount, it didn't work. This doesn't persist across reboots,
# todo: figure that out
d=/run/archiso/bootmnt
cat > /etc/fstab <<EOF
/mnt/usb/tftpboot $d none bind 0 0
EOF
mount | grep $d &>/dev/null || mount $d
/etc/init.d/nfsd restart
EOFOUTER
chmod +x -- /usr/bin/arch-pxe-mount
62
# Relative path: the profile lands in the current directory, presumably the
# login user's home when this runs over ssh — confirm. Quoted delimiter:
# $PS1 is evaluated by the profile at login, not here.
cat <<'EOF' >.profile
# changing login shell emits spam on ssh single commands & scp
# sed -i 's#/bin/ash$#/bin/bash#' /etc/passwd
#https://dev.openwrt.org/ticket/13852
[ "$PS1" = "" ] || {
/bin/bash
exit
}
EOF
# Packages used further down: USB storage, ext4 and block-mount for
# /mnt/usb, the NFS server for the exports, plus tcpdump and openvpn.
v pi kmod-usb-storage block-mount kmod-fs-ext4 nfs-kernel-server tcpdump openvpn-openssl
74
75
76
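# WiFi PSK. Taken from the WIFI_PSK environment variable when set, so the
# secret does not have to live in this version-controlled file; the literal
# fallback only keeps existing runs working and should be replaced.
wifi_key=${WIFI_PSK:-pictionary49}
# The key goes into a sed replacement: escape \ / & so it is inserted verbatim.
wifi_key_sed=${wifi_key//\\/\\\\}
wifi_key_sed=${wifi_key_sed//\//\\/}
wifi_key_sed=${wifi_key_sed//&/\\&}
# Only interfaces still on 'encryption none' are switched to psk2 with the
# key; an interface that already has encryption configured is left alone.
sed -ri "s/option[[:space:]]*encryption[[:space:]]*'?none'?/option encryption psk2\n option key $wifi_key_sed/" /etc/config/wireless
# Remove every 'option disabled' line so no radio stays disabled.
sed -i '/^[[:space:]]*option disabled/d' /etc/config/wireless
v wifi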
80
81
# Enabling the fstab service at boot is treated as non-fatal.
v /etc/init.d/fstab enable || true

# rebooting makes mounting work, but comparing lsmod,
# i'm guessing this will too. todo, test it.
# modprobe status 255 == module already loaded; any other non-zero status
# fails the [[ ]] and, with errexit on, aborts the script.
for mod in scsi_mod sd_mod; do
  v modprobe "$mod" || [[ $? -eq 255 ]]
done

# for arch pxe. The default settings in the installer expect to find
# the NFS at /run/archiso/bootmnt
mkdir -p -- /run/archiso/bootmnt
92
# todo: at some later time, i found /mnt/usb not mounted, watch to see if
# that is the case after running this or rebooting.
# wiki says safe to do in case of fstab changes:
# cedit is a helper defined outside this file; it is used here as
# "non-zero when the file changed", in which case everything is remounted
# from the new config.
# NOTE(review): enabled_fsck 0 skips the filesystem check of /dev/sda2 at
# mount time, and anon_mount/anon_swap 1 auto-mount any block device that
# shows up — both are deliberate convenience settings, keep them in mind
# when plugging unknown media into the router.
cedit /etc/config/fstab <<'EOF' || {
config global automount
option from_fstab 1
option anon_mount 1

config global autoswap
option from_fstab 1
option anon_swap 1

config mount
option target /mnt/usb
option device /dev/sda2
option fstype ext4
option options rw,async,noatime,nodiratime
option enabled 1
option enabled_fsck 0

config swap
option device /dev/sda1
option enabled 1

EOF
  v block umount
  v block mount
}
118
119
120
# exportfs -ra wont cut it when its the same path, but now a bind mount
# NOTE(review): both exports use no_root_squash (a root client on the LAN
# acts as root on these trees) and insecure (requests from unprivileged
# source ports are accepted). They are limited to 192.168.1.0/24 by the
# export address; keep that scope if the list ever grows.
# A restart failure after a change is ignored on purpose.
cedit /etc/exports <<'EOF' || v /etc/init.d/nfsd restart || true
/mnt/usb 192.168.1.0/255.255.255.0(rw,no_root_squash,insecure,sync,no_subtree_check)
# for arch pxe
/run/archiso/bootmnt 192.168.1.0/255.255.255.0(rw,no_root_squash,insecure,sync,no_subtree_check)
EOF
127
128
# Start the NFS services now, then enable them at boot; portmap goes
# before nfsd in both passes.
for action in start enable; do
  v /etc/init.d/portmap "$action"
  v /etc/init.d/nfsd "$action"
done
133
134
135
136
137
138
139 ######### uci example:#######
140 # # https://wiki.openwrt.org/doc/uci
141 # wan_index=$(uci show firewall | sed -rn 's/firewall\.@zone\[([0-9])+\]\.name=wan/\1/p')
142 # wan="firewall.@zone[$wan_index]"
143 # if [[ $(uci get firewall.@forwarding[0].dest) != $forward_dest ]]; then
144 # # default is wan
145 # v uci set firewall.@forwarding[0].dest=$forward_dest
146 # uci commit firewall
147 # firewall_restart=true
148 # fi
149
150
151
########## openvpn example
153 ########## missing firewall settings for routing lan
154 ########## traffic
155 # v /etc/init.d/openvpn start
156 # v /etc/init.d/openvpn enable
157
158 # # from https://wiki.openwrt.org/doc/uci/firewall
159 # # todo: not sure if /etc/init.d/network needs restarting.
160 # # I did, and I had to restart the vpn afterwards.
161 # # This maps a uci interface to a real interface which is
162 # # managed outside of uci.
163 # v cedit /etc/config/network <<'EOF' ||:
164 # config interface 'tun0'
165 # option ifname 'tun0'
166 # option proto 'none'
167 # EOF
168 # v cedit /etc/config/openvpn <<'EOF' || v /etc/init.d/openvpn restart
169 # config openvpn my_client_config
170 # option enabled 1
171 # option config /etc/openvpn/client.conf
172 # EOF
173
174
175
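# Reset the flag so the restart at the end of the script only fires when
# cedit reports a change (same pattern as dnsmasq_restart below); without
# this an untouched config left the variable unset.
firewall_restart=false
# NOTE(review): these rules forward WAN ports 22, 80 and 443 to 192.168.1.2
# and accept them from the WAN, i.e. that host's sshd and web server are
# reachable from the internet; harden sshd there accordingly (key-only
# auth, no root login).
v cedit /etc/config/firewall <<'EOF' || firewall_restart=true
config redirect
option name ssh
option src wan
option src_dport 22
option dest_ip 192.168.1.2
option dest lan
config rule
option src wan
option target ACCEPT
option dest_port 22


#http/https
config redirect
option src wan
option src_dport 443
option dest lan
option dest_ip 192.168.1.2
option proto tcp
config rule
option src wan
option target ACCEPT
option dest_port 443
option proto tcp

config redirect
option src wan
option src_dport 80
option dest lan
option dest_ip 192.168.1.2
option proto tcp
config rule
option src wan
option target ACCEPT
option dest_port 80
option proto tcp

EOF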
215
216
217
218
# Static names for the LAN hosts and a few remote boxes. A change flags a
# dnsmasq restart (consumed at the end of the script).
dnsmasq_restart=false
# Delimiter quoted: the body contains nothing to expand, this only makes
# the intent explicit.
v cedit /etc/hosts <<'EOF' || dnsmasq_restart=true
192.168.1.1 wrt
192.168.1.2 treetowl faiserver
192.168.1.3 frodo
192.168.1.4 htpc
192.168.1.5 x2
192.168.1.6 testvm
192.168.1.8 tp
72.14.176.105 li
173.255.202.210 lj
23.239.31.172 lk
138.68.10.24 dopub
# cant ssh to do when on vpn. some routing/firewall rule or something,
# I don't know. I can get there from wrt but not my machine.
# but we can get to it from this address, so, good enough.
10.8.0.1 do
EOF
237
238
# avoid using the dns servers that my isp tells me about.
# Only the output of 'uci get' is inspected: an empty result means the
# option is already gone and there is nothing to do.
if [[ -n $(uci get dhcp.@dnsmasq[0].resolvfile) ]]; then
  # default is '/tmp/resolv.conf.auto', we switch to the dnsmasq default of
  # /etc/resolv.conf
  v uci delete dhcp.@dnsmasq[0].resolvfile
  uci commit dhcp
  dnsmasq_restart=true
fi
247
248
249 # useful: http://wiki.openwrt.org/doc/howto/dhcp.dnsmasq
250
# dnsmasq configuration: cache size, upstream resolvers (Google, v4 and v6),
# fixed DHCP leases by MAC, and the tftp server. The delimiter is quoted, so
# the body is written verbatim. A change flags a dnsmasq restart.
# NOTE(review): 'all-servers' sends every query to every listed upstream;
# all of them are Google's here, so no extra party sees the queries.
v cedit /etc/dnsmasq.conf <<'EOF' || dnsmasq_restart=true

############ updating dns servers ###################3


# this says the ip of default gateway and dns server,
# but I think they are unneded and default
#dhcp-option=3,192.168.1.1
#dhcp-option=6,192.168.1.1



# results from googling around dnsmasq optimizations
# about 50k in memory. router has 62 megs.
# in a browsing session, I probably won't ever do 5000 lookups
# before the ttl expiration or whatever does expiration.
cache-size=10000

# ask all servers, use the one which responds first.
# http://ma.ttwagner.com/make-dns-fly-with-dnsmasq-all-servers/
all-servers

# namebench benchmarks dns servers. google's dns was only
# slightly less fast than some others, and I trust it more
# to give accurate results, stay relatively fast, and
# not do anythin too malicious, so just use that.
# download namebench and run it like this:
# for x in all regional isp global preferred nearby; do ./namebench.py -s $x -c US -i firefox -m weighted -J 10 -w; echo $x; hr; done
# google
server=8.8.4.4
server=8.8.8.8
server=2001:4860:4860::8888
server=2001:4860:4860::8844


# to fixup existin ips, on the client you can do
# sudo dhclient -r; sudo dhclient <interface-name>

# default dhcp range is 100-150
dhcp-host=f4:6d:04:02:ed:66,set:treetowl,192.168.1.2,treetowl
dhcp-host=00:26:18:97:bb:16,set:frodo,192.168.1.3,frodo
dhcp-host=10:78:d2:da:29:22,set:htpc,192.168.1.4,htpc
dhcp-host=00:1f:16:16:39:24,set:x2,192.168.1.5,x2
# this is so fai can have an explicit name to use for testing,
# or else any random machine which did a pxe boot would get
# reformatted. The mac is from doing a virt-install, cancelling it,
# and copying the generated mac, so it should be randomish.
dhcp-host=52:54:00:9c:ef:ad,set:demohost,192.168.1.6,demohost
dhcp-host=52:54:00:56:09:f9,set:faiserver,192.168.1.7,faiserver
dhcp-host=80:fa:5b:1c:6e:cf,set:tp,192.168.1.8,tp
# this is the ip it picks by default if dhcp fails,
# so might as well use it.
# hostname is the name it uses according to telnet
dhcp-host=b4:75:0e:94:29:ca,set:switch9429ca,192.168.1.251,switch9429ca


# template
# dhcp-host=,192.168.1.,

# Just leave the tftp server up even if we aren't doing pxe boot.
# It has no sensitive info.
enable-tftp=br-lan
tftp-root=/mnt/usb/tftpboot
EOF
315
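# Restart a service only when one of the config edits above flagged it.
# Comparing against the literal "true" (an unset flag counts as false)
# replaces executing the variable's content as a command, which treated an
# unset flag as success and restarted unconditionally.
if [[ ${dnsmasq_restart:-false} == true ]]; then
  v /etc/init.d/dnsmasq restart
fi

if [[ ${firewall_restart:-false} == true ]]; then
  v /etc/init.d/firewall restart
fi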