X-Git-Url: https://iankelling.org/git/?p=automated-distro-installer;a=blobdiff_plain;f=wrt-setup-local;h=17fb9d2adb4ff915f94f5e33aaa0f64b2e9a12b8;hp=642c1935150c17dd756a08740f8ed4d94a5c1f04;hb=632c94b8382717f1a06b350c971b8246abbbbe61;hpb=3f20eea52b8d7f665b2c3b483921f15a0e48d7ee

diff --git a/wrt-setup-local b/wrt-setup-local
index 642c193..17fb9d2 100755
--- a/wrt-setup-local
+++ b/wrt-setup-local
@@ -39,15 +39,19 @@ EOF
 
 
 
+dnsmasq_restart=false
+firewall_restart=false
 dev2=false
 test=false
 libremanage_host=wrt2
 
-if [[ -e /p/router-secrets ]]; then
-  source /p/router-secrets
+secrets=false
+if [[ -e /root/router-secrets ]]; then
+  secrets=true
+  source /root/router-secrets
 fi
 rmac=$(cat /sys/class/net/eth0/address)
-if [[ $rhost ]]; then
+if $secrets; then
   hostname=${rhost[$rmac]}
 fi
 : ${hostname:=wrt}
@@ -83,10 +87,10 @@ while getopts hm:t: opt; do
 done
 shift "$((OPTIND-1))"   # Discard the options and sentinel --
 
-if [[ ! $mac ]] && ! $test; then
+if [[ ! $mac ]] && ! $test && $secrets; then
   # if we wanted to increment it
-  #WIRELESSMAC=${WIRELESSMAC:0: -1}$((${WIRELESSMAC: -1} + 2))
-  mac=$WIRELESSMAC
+  #mac=${mac:0: -1}$((${mac: -1} + 2))
+  mac=${rwmac[$rmac]}
 fi
 
 if (( $# != 0 )); then
@@ -183,17 +187,23 @@ udel() {
 
 ### network config
 ###
-ssid="check out gnu.org"
 lan=10.0.0.0
 if $test; then
-  ssid="gnuv3"
   lan=10.1.0.0
 elif [[ $hostname == cmc ]]; then
-  ssid=Svenska
   lan=10.2.0.0
 fi
 
-if [[ $rkey ]]; then
+if $test; then
+  ssid="gnuv3"
+elif $secrets; then
+  ssid=${rssid[$rmac]}
+fi
+
+: ${ssid:=librecmc}
+
+
+if $secrets; then
   key=${rkey[$rmac]}
 fi
 : ${key:=pictionary49}
@@ -212,6 +222,7 @@ cat /root/router >>/etc/shadow
 uset system.@system[0].ttylogin 1
 
 
+
 cat >/usr/bin/archlike-pxe-mount <<'EOFOUTER'
 #!/bin/bash
 # symlinks are collapsed for nfs mount points, so use a bind mount.
@@ -408,25 +419,60 @@ EOF
 #         option config /etc/openvpn/client.conf
 # EOF
 
+wgip4=10.3.0.1/24
+wgip6=fdfd::1/64
+wgport=26000
 
 
 v cedit /etc/config/network <<EOF || v /etc/init.d/network reload
 config 'route' 'transmission'
-        option 'interface' 'lan'
-        option 'target' '10.173.0.0'
-        option 'netmask' '255.255.0.0'
-        option 'gateway' '$l.3'
+ option 'interface' 'lan'
+ option 'target' '10.173.0.0'
+ option 'netmask' '255.255.0.0'
+ option 'gateway' '$l.3'
+
+option interface 'wg0'
+ option proto 'wireguard'
+ option private_key '$(cat /root/wg.key)'
+ option listen_port $wgport
+ list addresses '10.3.0.1/24'
+ list addresses 'fdfd::1/64'
+
+# tp
+config wireguard_wg0 'wgclient'
+ option public_key '3q+WJGrm85r59NgeXOIvppxoW4ux/+koSw6Fee1c1TI='
+ option preshared_key '$(cat /root/wg.psk)'
+ list allowed_ips '10.3.0.2/24'
+ list allowed_ips 'fdfd::2/64'
 EOF
 
-firewall_restart=false
-v cedit /etc/config/firewall <<EOF || firewall_restart=true
 
+
+firewall-cedit() {
+  case $hostname in
+    wrt)
+      v cedit host /etc/config/firewall <<EOF
+config redirect
+ option name ssh
+ option src              wan
+ option src_dport        22
+ option dest_ip          $l.3
+ option dest             lan
+EOF
+      ;;
+    cmc)
+      v cedit host /etc/config/firewall <<EOF
 config redirect
  option name ssh
  option src              wan
  option src_dport        22
  option dest_ip          $l.2
  option dest             lan
+EOF
+      ;;
+  esac
+
+  v cedit /etc/config/firewall <<EOF
 config rule
  option src              wan
  option target           ACCEPT
@@ -444,18 +490,6 @@ config rule
  option target           ACCEPT
  option dest_port        2202
 
-config redirect
- option name sshfrodo
- option src              wan
- option src_dport        2203
- option dest_port        22
- option dest_ip          $l.3
- option dest             lan
-config rule
- option src              wan
- option target           ACCEPT
- option dest_port        2203
-
 config redirect
  option name sshx2
  option src              wan
@@ -492,6 +526,17 @@ config rule
  option target           ACCEPT
  option dest_port        2208
 
+config redirect
+ option name icecast
+ option src              wan
+ option src_dport        8000
+ option dest_port        8000
+ option dest_ip          $l.2
+ option dest             lan
+config rule
+ option src              wan
+ option target           ACCEPT
+ option dest_port        8000
 
 config rule
  option name sshwrt
@@ -499,6 +544,13 @@ config rule
  option target           ACCEPT
  option dest_port        2220
 
+config rule
+ option name wg
+ option src              wan
+ option target           ACCEPT
+ option dest_port        $wgport
+ option proto            udp
+
 
 config redirect
  option name vpntp
@@ -595,34 +647,53 @@ config rule
  option target ACCEPT
  option family ipv6
 
-
 EOF
+}
+firewall-cedit || firewall_restart=true
+
+if ! uci get firewall.@zone[1].network | grep wg0 &>/dev/null; then
+  # cant mix cedit plus uci
+  echo | cedit /etc/config/firewall ||:
+  uci add_list firewall.@zone[1].network=wg0
+  uci commit firewall
+  firewall-cedit ||:
+  firewall_restart=true
+fi
 
 
 
-
-dnsmasq_restart=false
 v cedit /etc/hosts <<EOF || dnsmasq_restart=true
 127.0.1.1 $hostname
-$l.1 $hostname
-$l.2 kd faiserver
-$l.3 frodo
-$l.4 wrt2
-$l.5 x2
-$l.6 demohost
 #$l.7 x3
-$l.8 tp b8.nz
-$l.9 bb8
-$l.14 wrt3
-2600:3c00::f03c:91ff:fe6d:baf8 li
+$l.12 demohost
+$l.13 trp
 72.14.176.105 li
-2a01:7e01::f03c:91ff:feb5:baec l2
-172.105.84.95 l2
+2600:3c00::f03c:91ff:fe6d:baf8 li
 
 # netns creation looks for next free subnet starting at 10.173, but I only
 # use one, and I would keep this one as the first created.
 10.173.0.2 transmission
 EOF
+case $hostname in
+  cmc)
+    v cedit host /etc/hosts <<EOF || dnsmasq_restart=true
+$l.1 $hostname b8.nz
+$l.2 kd
+#$l.3 frodo
+$l.4 wrt2
+$l.5 x2 faiserver
+$l.6 x2w
+$l.7 rp
+$l.8 tp
+$l.9 bb8
+$l.14 wrt3
+#$l.18 x3
+$l.19 brother
+#$l.28 frodow
+EOF
+    ;;
+esac
+
 
 #mail_host=$(grep -F mail.iankelling.org /etc/hosts | awk '{print $1}')
 # if [[ $mail_host ]]; then
@@ -633,9 +704,16 @@ EOF
 uset dhcp.@dnsmasq[0].domain b8.nz
 uset dhcp.@dnsmasq[0].local /b8.nz/
 uset system.@system[0].hostname $hostname
-
-if [[ $(uci get adblock.global.adb_enabled) != 1 ]]; then
-  v uci set adblock.global.adb_enabled=1
+# uci doesnt seem to have a way to set an empty value,
+# if you delete it, it goes back to the default. this seems
+# to be a decent workaround.
+# todo: setup /etc/resolv.conf to point to 127.0.0.1
+uset dhcp.@dnsmasq[0].resolvfile=/dev/null
+
+# disabled for now. i want to selectively enable it
+# for specific hosts.
+if [[ $(uci get adblock.global.adb_enabled) != 0 ]]; then
+  v uci set adblock.global.adb_enabled=0
   uci commit adblock
   /etc/init.d/adblock restart
 fi
@@ -657,6 +735,8 @@ server=/_domainkey.b8.nz/#
 server=/_dmarc.b8.nz/#
 server=/ns1.b8.nz/#
 server=/ns2.b8.nz/#
+server=/bk.b8.nz/#
+server=/je.b8.nz/#
 mx-host=b8.nz,mail.iankelling.org,10
 txt-record=b8.nz,"v=spf1 a ?all"
 
@@ -703,15 +783,24 @@ dhcp-host=c8:60:00:31:6b:75,set:kd,$l.2,kd
 # top port, iPXE (PCI 04:00.0) in seabios boot menu
 #dhcp-host=c8:60:00:2b:15:07,set:kd,$l.2,kd
 dhcp-host=00:26:18:97:bb:16,set:frodo,$l.3,frodo
-# 4 is reserved for a staticly configured host.
-dhcp-host=00:1f:16:16:39:24,set:x2,$l.5,x2
+# 4 is reserved for a staticly configured host wrt2
+# old x2 with bad fan
+#dhcp-host=00:1f:16:16:39:24,set:x2,$l.5,x2
+dhcp-host=f0:de:f1:81:ec:88,set:x2,$l.5,x2
+dhcp-host=c4:8e:8f:44:f5:63,set:x2w,$l.6,x2w
 # This is so fai can have an explicit name to use for testing,
 # or else any random machine which did a pxe boot would get
 # reformatted. The mac is from doing a virt-install, cancelling it,
 # and copying the generated mac, so it should be randomish.
-dhcp-host=52:54:00:9c:ef:ad,set:demohost,$l.6,demohost
-dhcp-host=00:1f:16:14:01:d8,set:tp,$l.7,x3
+dhcp-host=fa:08:f8:4c:14:1c,set:tp,$l.7,rp
 dhcp-host=80:fa:5b:1c:6e:cf,set:tp,$l.8,tp
+dhcp-host=52:54:00:9c:ef:ad,set:demohost,$l.12,demohost
+dhcp-host=62:03:cb:a8:3e:a3,set:trp,$1.13,trp
+dhcp-host=00:1f:16:14:01:d8,set:tp,$l.18,x3
+# BRN001BA98CA823 in dhcp logs
+dhcp-host=00:1b:a9:8c:a8:23,set:tp,$l.19,brother
+dhcp-host=00:26:b6:f6:0f:e9,set:frodow,$l.28,frodow
+
 
 # faiserver vm
 dhcp-host=52:54:00:56:09:f9,set:faiserver,$l.15,faiserver
@@ -729,6 +818,8 @@ dhcp-host=b4:75:0e:94:29:ca,set:switch9429ca,$l.251,switch9429ca
 enable-tftp=br-lan
 tftp-root=/mnt/usb/tftpboot
 dhcp-optsfile=/etc/dnsmasq-dhcpopts.conf
+
+#log-queries=extra
 EOF