cleanup, remove vpn stuff

[automated-distro-installer] / wrt-setup

#!/bin/bash

set -eE -o pipefail
trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR

# ssh

pmirror() {
    # background: upgrading all packages is not recommended because it
    # doesn't go into the firmware. build new firmware if you want
    # lots of upgrades.
    f=(/tmp/opkg-lists/*)
    f=${f[0]}
    if ! (( $(date -r $f +%s) + 60*60*24 > $(date +%s) )); then
        opkg update
    fi
}

pi() {
    for x in "$@"; do
        if [[ ! $(opkg list-installed "$x") ]]; then
            pmirror
            opkg install "$@"
        fi
    done
}

v() {
    printf "+ %s\n" "$*"
    "$@"
}

cat >/usr/bin/arch-pxe-mount <<'EOFOUTER'
#!/bin/bash
# symlinks are collapsed for nfs mount points, so use a bind mount.
# tried putting this in /etc/config/fstab,
# then doig block mount, it didn't work. This doesn't persist across reboots,
# todo: figure that out
d=/run/archiso/bootmnt
cat > /etc/fstab <<EOF
/mnt/usb/tftpboot $d none bind 0 0
EOF
mount | grep $d &>/dev/null || mount $d
/etc/init.d/nfsd restart
EOFOUTER
chmod +x /usr/bin/arch-pxe-mount

cat >.profile <<'EOF'
# changing login shell emits spam on ssh single commands & scp
    # sed -i 's#/bin/ash$#/bin/bash#' /etc/passwd
#https://dev.openwrt.org/ticket/13852
[ "$PS1" = "" ] || {
       /bin/bash
       exit
}
EOF
v pi kmod-usb-storage block-mount kmod-fs-ext4 nfs-kernel-server \
  tcpdump openvpn-openssl



sed -ri "s/option[[:space:]]*encryption[[:space:]]*'?none'?/option encryption psk2\n        option key  pictionary49/" /etc/config/wireless
sed -i '/^[[:space:]]*option disabled/d' /etc/config/wireless
v wifi


v /etc/init.d/fstab enable ||:

# rebooting makes mounting work, but comparing lsmod,
# i'm guessing this will too. todo, test it.
# 255 == module already loaded
for mod in scsi_mod sd_mod; do v modprobe $mod || [[ $? == 255 ]]; done

# for arch pxe. The default settings in the installer expect to find
# the NFS at /run/archiso/bootmnt
mkdir -p /run/archiso/bootmnt

# todo: at some later time, i found /mnt/usb not mounted, watch to see if
# that is the case after running this or rebooting.
# wiki says safe to do in case of fstab changes:
cedit /etc/config/fstab <<'EOF' || { v block umount; v block mount; }
config global automount
      option from_fstab 1
      option anon_mount 1

config global autoswap
      option from_fstab 1
      option anon_swap 1

config mount
      option target     /mnt/usb
      option device     /dev/sda2
      option fstype     ext4
      option options    rw,async,noatime,nodiratime
      option enabled    1
      option enabled_fsck 0

config swap
      option device     /dev/sda1
      option enabled    1

EOF



# exportfs -ra wont cut it when its the same path, but now a bind mount
cedit /etc/exports <<'EOF' || v /etc/init.d/nfsd restart ||:
/mnt/usb  192.168.1.0/255.255.255.0(rw,no_root_squash,insecure,sync,no_subtree_check)
# for arch pxe
/run/archiso/bootmnt    192.168.1.0/255.255.255.0(rw,no_root_squash,insecure,sync,no_subtree_check)
EOF


v /etc/init.d/portmap start
v /etc/init.d/nfsd start
v /etc/init.d/portmap enable
v /etc/init.d/nfsd enable






######### uci example:#######
# # https://wiki.openwrt.org/doc/uci
# wan_index=$(uci show firewall | sed -rn 's/firewall\.@zone\[([0-9])+\]\.name=wan/\1/p')
# wan="firewall.@zone[$wan_index]"
# if [[ $(uci get firewall.@forwarding[0].dest) != $forward_dest ]]; then
#     # default is wan
#     v uci set firewall.@forwarding[0].dest=$forward_dest
#     uci commit firewall
#     firewall_restart=true
# fi



########## openvpn exampl
########## missing firewall settings for routing lan
########## traffic
# v /etc/init.d/openvpn start
# v /etc/init.d/openvpn enable

# # from https://wiki.openwrt.org/doc/uci/firewall
# # todo: not sure if /etc/init.d/network needs restarting.
# # I did, and I had to restart the vpn afterwards.
# # This maps a uci interface to a real interface which is
# # managed outside of uci.
# v cedit /etc/config/network <<'EOF' ||:
# config interface 'tun0'
#         option ifname 'tun0'
#         option proto 'none'
# EOF
# v cedit /etc/config/openvpn <<'EOF' || v /etc/init.d/openvpn restart
# config openvpn my_client_config
#         option enabled 1
#         option config /etc/openvpn/client.conf
# EOF



v cedit /etc/config/firewall <<'EOF' || firewall_restart=true
config redirect
    option name ssh
    option src              wan
    option src_dport        22
    option dest_ip          192.168.1.2
    option dest             lan
config rule
    option src              wan
    option target           ACCEPT
    option dest_port        22
EOF




dnsmasq_restart=false
v cedit /etc/hosts <<EOF || dnsmasq_restart=true
192.168.1.1 wrt
192.168.1.2 treetowl faiserver
192.168.1.3 frodo
192.168.1.4 htpc
192.168.1.5 x2
192.168.1.6 testvm
192.168.1.8 tp
72.14.176.105 li
173.255.202.210 lj
23.239.31.172 lk
138.68.10.24 dopub
# cant ssh to do when on vpn. some routing/firewall rule or something,
# I don't know. I can get there from wrt but not my machine.
# but we can get to it from this address, so, good enough.
10.8.0.1 do
EOF


# avoid using the dns servers that my isp tells me about.
if [[ $(uci get dhcp.@dnsmasq[0].resolvfile) ]]; then
    # default is '/tmp/resolv.conf.auto', we switch to the dnsmasq default of
    # /etc/resolv.conf
    v uci delete dhcp.@dnsmasq[0].resolvfile
    uci commit dhcp
    dnsmasq_restart=true
fi


# useful: http://wiki.openwrt.org/doc/howto/dhcp.dnsmasq

v cedit /etc/dnsmasq.conf <<'EOF' || dnsmasq_restart=true

############ updating dns servers ###################3


# this says the ip of default gateway and dns server,
# but I think they are unneded and default
#dhcp-option=3,192.168.1.1
#dhcp-option=6,192.168.1.1



# results from googling around dnsmasq optimizations
# about 50k in memory. router has 62 megs.
# in a browsing session, I probably won't ever do 5000 lookups
# before the ttl expiration or whatever does expiration.
cache-size=10000

# ask all servers, use the one which responds first.
# http://ma.ttwagner.com/make-dns-fly-with-dnsmasq-all-servers/
all-servers

# namebench benchmarks dns servers. google's dns was only
# slightly less fast than some others, and I trust it more
# to give accurate results, stay relatively fast, and
# not do anythin too malicious, so just use that.
# download namebench and run it like this:
# for x in all regional isp global preferred nearby; do ./namebench.py -s $x -c US -i firefox -m weighted -J 10 -w; echo $x; hr;  done
# google
server=8.8.4.4
server=8.8.8.8
server=2001:4860:4860::8888
server=2001:4860:4860::8844


# to fixup existin ips, on the client you can do
# sudo dhclient -r; sudo dhclient <interface-name>

# default dhcp range is 100-150
dhcp-host=f4:6d:04:02:ed:66,set:treetowl,192.168.1.2,treetowl
dhcp-host=00:26:18:97:bb:16,set:frodo,192.168.1.3,frodo
dhcp-host=10:78:d2:da:29:22,set:htpc,192.168.1.4,htpc
dhcp-host=00:1f:16:16:39:24,set:x2,192.168.1.5,x2
# this is so fai can have an explicit name to use for testing,
# or else any random machine which did a pxe boot would get
# reformatted. The mac is from doing a virt-install, cancelling it,
# and copying the generated mac, so it should be randomish.
dhcp-host=52:54:00:9c:ef:ad,set:demohost,192.168.1.6,demohost
dhcp-host=52:54:00:56:09:f9,set:faiserver,192.168.1.7,faiserver
dhcp-host=80:fa:5b:1c:6e:cf,set:tp,192.168.1.8,tp
# this is the ip it picks by default if dhcp fails,
# so might as well use it.
# hostname is the name it uses according to telnet
dhcp-host=b4:75:0e:94:29:ca,set:switch9429ca,192.168.1.251,switch9429ca


# template
# dhcp-host=,192.168.1.,

# Just leave the tftp server up even if we aren't doing pxe boot.
# It has no sensitive info.
tftp-root=/mnt/usb/tftpboot
EOF

if $dnsmasq_restart; then
    v /etc/init.d/dnsmasq restart
fi

if $firewall_restart; then
    v /etc/init.d/firewall restart
fi