X-Git-Url: https://iankelling.org/git/?p=automated-distro-installer;a=blobdiff_plain;f=wrt-setup-local;h=e7ebd38d7137914515fa36b7130e9de30f51e989;hp=7efa19a66fb7d3bc4eeed3ee21155df03d9e86e6;hb=HEAD;hpb=14f283f82afc48d6cec1bb7498ec34ac2b0da77c

diff --git a/wrt-setup-local b/wrt-setup-local
index 7efa19a..3d2edb8 100755
--- a/wrt-setup-local
+++ b/wrt-setup-local
@@ -16,9 +16,7 @@
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
 
 
-set -eE -o pipefail
-trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR
-
+f=/usr/local/lib/bash-bear;test -r $f || { echo "error: $0 no $f" >&2;exit 1;}; . $f
 
 usage() {
   cat <<EOF
@@ -50,6 +48,7 @@ firewall_restart=false
 dev2=false
 test=false
 client=false
+ap=false
 libremanage_host=wrt2
 lanip=1
 while getopts hm:t:yz opt; do
@@ -75,6 +74,11 @@ while getopts hm:t:yz opt; do
         client)
           client=true
           ;;
+        ap)
+          ap=true
+          lanip=53
+          hostname=cmcap
+          ;;
         *) echo "$0: unexpected arg to -t: $*" >&2; usage 1 ;;
       esac
       ;;
@@ -94,12 +98,17 @@ shift "$((OPTIND-1))"   # Discard the options and sentinel --
 
 if [[ $1 ]]; then
   h=$1
-  hostname=$h
+elif [[ $hostname ]]; then
+  h=$hostname
 else
   h=cmc
+fi
+
+if [[ ! $hostname ]]; then
   hostname=$h
 fi
 
+
 secrets=false
 if [[ -e /root/router-secrets ]]; then
   secrets=true
@@ -211,7 +220,7 @@ cedit() {
 lan=10.0.0.0
 if $test; then
   lan=10.1.0.0
-elif [[ $hostname == cmc ]]; then
+elif [[ $hostname == cmc || $hostname == cmcap ]]; then
   lan=10.2.0.0
 elif $client; then
   lan=10.3.0.0
@@ -235,7 +244,8 @@ mask=255.255.0.0
 cidr=16
 l=${lan%.0}
 
-passwd -l root ||: #already locked fails
+# why did we lock this? i don't know
+#passwd -l root ||: #already locked fails
 
 sed -ibak '/^root:/d' /etc/shadow
 # /root/router created by manually running passwd then copying the resulting
@@ -282,8 +292,8 @@ fi
 
 uset network.lan.ipaddr $l.$lanip
 uset network.lan.netmask $mask
-if $dev2  || $client; then
-  if $dev2; then
+if $dev2  || $client || $ap; then
+  if $dev2 || $ap; then
     uset network.lan.gateway $l.1
     uset network.wan.proto none
     uset network.wan6.proto none
@@ -293,10 +303,16 @@ if $dev2  || $client; then
   /etc/init.d/odhcpd stop
   /etc/init.d/odhcpd disable
   rm -f /etc/resolv.conf
-  cat >/etc/resolv.conf <<'EOF'
+  if $ap; then
+    cat >/etc/resolv.conf <<EOF
+nameserver $l.1
+EOF
+  else
+    cat >/etc/resolv.conf <<'EOF'
 nameserver 8.8.8.8
 nameserver 8.8.4.4
 EOF
+  fi
 
   # things i tried to keep dnsmasq running but not enabled except local dns,
   # but it didnt work right and i dont need it anyways.
@@ -348,7 +364,7 @@ else
     if [[ $mac ]]; then
       uset wireless.default_radio$x.macaddr $macpre$((macsuf + 2*x))
     fi
-    # secondary device has wireless disabled
+    # disable/enable. secondary device has wireless disabled
     uset wireless.radio$x.disabled $dev2
   done
 fi
@@ -366,12 +382,15 @@ EOF
   uset wireless.radio0.disassoc_low_ack 0
   uset wireless.radio1.disassoc_low_ack 0
 fi
-case $HOSTNAME in
-  cmc)
-    # found with https://openwrt.org/docs/guide-user/network/wifi/iwchan
-    uset wireless.radio0.channel 11
-    ;;
-esac
+
+
+# found with https://openwrt.org/docs/guide-user/network/wifi/iwchan.
+# However, the default also chooses 11, and better to let it choose in case things change.
+# case $HOSTNAME in
+#   cmc)
+#     uset wireless.radio0.channel 11
+#     ;;
+# esac
 
 
 # usb, screen, relay are for libremanage
@@ -382,10 +401,26 @@ esac
 #
 # note: prometheus-node-exporter-lua-openwrt seems to be a dependency of
 # prometheus-node-exporter-lua in practice.
-v pi tcpdump screen rsync unbound-daemon unbound-checkconf \
-  kmod-usb-storage block-mount kmod-fs-ext4 \
-  prometheus-node-exporter-lua-openwrt \
+
+pkgs=(
+  tcpdump
+  screen
+  rsync
+  kmod-usb-storage
+  block-mount
+  kmod-fs-ext4
+  prometheus-node-exporter-lua-openwrt
   prometheus-node-exporter-lua
+)
+
+if ! $ap; then
+  pkgs+=(
+    unbound-daemon
+    unbound-checkconf
+  )
+fi
+
+v pi "${pkgs[@]}"
 # nfs-kernel-server \
   #   openvpn-openssl adblock libusb-compat \
   #   kmod-usb-serial-cp210x kmod-usb-serial-ftdi \
@@ -517,9 +552,9 @@ fi
 cedit /etc/config/network <<EOF || network_restart=true
 config 'route' 'transmission'
  option 'interface' 'lan'
- option 'target' '10.173.0.0'
+ option 'target' '10.174.0.0'
  option 'netmask' '255.255.0.0'
- option 'gateway' '$l.3'
+ option 'gateway' '$l.2'
 
 option interface 'wg0'
  option proto 'wireguard'
@@ -580,6 +615,7 @@ EOF
       ;;
   esac
 
+
   cedit /etc/config/firewall <<EOF
 ## begin no external dns for ziva
 config rule
@@ -630,6 +666,7 @@ config rule
  option target REJECT
 ## end no external dns for ziva
 
+$(. /root/cmc-firewall-data)
 
 config rule
  option src              wan
@@ -648,18 +685,18 @@ config rule
  option target           ACCEPT
  option dest_port        9091
 
-
-config redirect
- option name sshkd
- option src              wan
- option src_dport        2202
- option dest_port        22
- option dest_ip          $l.2
- option dest             lan
-config rule
- option src              wan
- option target           ACCEPT
- option dest_port        2202
+# was working on an openvpn server, didn't finish
+# config redirect
+#  option name vpnkd
+#  option src              wan
+#  option src_dport        1196
+#  option dest_port        1196
+#  option dest_ip          $l.2
+#  option dest             lan
+# config rule
+#  option src              wan
+#  option target           ACCEPT
+#  option dest_port        1196
 
 
 config redirect
@@ -675,79 +712,78 @@ config rule
  option dest_port        8989
 
 
+
 config redirect
- option name sshx2
+ option name icecast
  option src              wan
- option src_dport        2205
- option dest_port        22
- option dest_ip          $l.5
+ option src_dport        8000
+ option dest_port        8000
+ option dest_ip          $l.2
  option dest             lan
 config rule
  option src              wan
  option target           ACCEPT
- option dest_port        2205
+ option dest_port        8000
 
-config redirect
- option name sshx3
- option src              wan
- option src_dport        2207
- option dest_port        22
- option dest_ip          $l.7
- option dest             lan
 config rule
+ option name sshcmc
  option src              wan
  option target           ACCEPT
- option dest_port        2207
+ option dest_port        2220
 
-config redirect
- option name sshtp
- option src              wan
- option src_dport        2208
- option dest_port        22
- option dest_ip          $l.8
- option dest             lan
 config rule
+ option name wg
  option src              wan
  option target           ACCEPT
- option dest_port        2208
+ option dest_port        $wgport
+ option proto            udp
 
 config redirect
- option name sshbb8
+ option name navidromehttps
  option src              wan
- option src_dport        2209
- option dest_port        22
- option dest_ip          $l.9
+ option src_dport        4500
+ option dest_port        4500
+ option dest_ip          $l.2
  option dest             lan
 config rule
  option src              wan
  option target           ACCEPT
- option dest_port        2209
+ option dest_port        4500
 
 config redirect
- option name icecast
+ option name navidrome
  option src              wan
- option src_dport        8000
- option dest_port        8000
+ option src_dport        4533
+ option dest_port        4533
  option dest_ip          $l.2
  option dest             lan
 config rule
  option src              wan
  option target           ACCEPT
- option dest_port        8000
+ option dest_port        4533
 
-config rule
- option name sshwrt
- option src              wan
- option target           ACCEPT
- option dest_port        2220
+# So a client can just have b8.nz dns even when they
+# are on the lan.
+#config redirect
+# option name navidromelan
+# option src              lan
+# option src_dport        4533
+# option dest_port        4533
+# option dest_ip          $l.2
+# option dest             lan
 
-config rule
- option name wg
- option src              wan
- option target           ACCEPT
- option dest_port        $wgport
- option proto            udp
 
+# config redirect
+#  option name icecast
+#  option src              wan
+#  option src_dport        8000
+#  option dest_port        8000
+#  option dest_ip          $l.2
+#  option dest             lan
+# config rule
+#  option src              wan
+#  option target           ACCEPT
+#  option dest_port        8000
 
 config redirect
  option name http
@@ -775,18 +811,18 @@ config rule
  option dest_port        443
  option proto            tcp
 
-config redirect
-option name httpskd8448
- option src              wan
- option src_dport        8448
- option dest             lan
- option dest_ip          $l.2
- option proto            tcp
-config rule
- option src              wan
- option target           ACCEPT
- option dest_port        8448
- option proto            tcp
+# config redirect
+# option name httpskd8448
+#  option src              wan
+#  option src_dport        8448
+#  option dest             lan
+#  option dest_ip          $l.2
+#  option proto            tcp
+# config rule
+#  option src              wan
+#  option target           ACCEPT
+#  option dest_port        8448
+#  option proto            tcp
 
 config redirect
  option name syncthing
@@ -822,21 +858,21 @@ config rule
  option target ACCEPT
  option family ipv6
 
-config rule
- option name http-ipv6
- option src wan
- option dest lan
- option dest_port 80
- option target ACCEPT
- option family ipv6
-
-config rule
- option name https-ipv6
- option src wan
- option dest lan
- option dest_port 443
- option target ACCEPT
- option family ipv6
+# config rule
+#  option name http-ipv6
+#  option src wan
+#  option dest lan
+#  option dest_port 80
+#  option target ACCEPT
+#  option family ipv6
+
+# config rule
+#  option name https-ipv6
+#  option src wan
+#  option dest lan
+#  option dest_port 443
+#  option target ACCEPT
+#  option family ipv6
 
 config rule
  option name node-exporter
@@ -854,17 +890,37 @@ config rule
  option target ACCEPT
  option family ipv6
 
-# include a file with users custom iptables rules
-config include
-	option path /etc/firewall.user
-	option type 'restore'
-	option family 'ipv4'
-
-
 EOF
 }
 firewall-cedit || firewall_restart=true
 
+# firewall comment:
+# not using and in newer wrt, fails, probably due to nonexistent file, error output
+# on:
+
+# Reference error: left-hand side expression is not an array or object
+# In [anonymous function](), file /usr/share/ucode/fw4.uc, line 3137, byte 12:
+#   called from function [arrow function] (/usr/share/ucode/fw4.uc:733:71)
+#   called from function foreach ([C])
+#   called from function [anonymous function] (/usr/share/ucode/fw4.uc:733:72)
+#   called from function render_ruleset (/usr/share/firewall4/main.uc:56:24)
+#   called from anonymous function (/usr/share/firewall4/main.uc:143:29)
+#
+#  `        if (!inc.enabled) {`
+#   Near here -------^
+#
+#
+# The rendered ruleset contains errors, not doing firewall restart.
+# /usr/bin/wrt-setup-local:160:error: ""$@"" returned 1
+
+## include a file with users custom iptables rules
+#config include
+#	option path /etc/firewall.user
+#	option type 'restore'
+#	option family 'ipv4'
+
+
+
 # not using wireguard for now
 # if ! uci get firewall.@zone[1].network | grep wg0 &>/dev/null; then
 #   # cant mix cedit plus uci
@@ -908,14 +964,15 @@ uset dhcp.@dnsmasq[0].local
 # note: tried this, it didn't do anything:
 # uset dhcp.@odhcpd[0].dns 10.2.0.1
 
-# iank, disabled while debugging.
+# iank, disablde while debugging.
 #/etc/init.d/odhcpd stop
 #/etc/init.d/odhcpd disable
 
 # todo: make the above conditional on which server this is.
 
+## left commented in case we have ipv6 problems in the future
 # avoid errors in log. current isp doesnt have ipv6
-uset unbound.@unbound[0].protocol ip4_only
+#uset unbound.@unbound[0].protocol ip4_only
 
 # todo: im not sure all these are needed, but they all look
 # like good options.
@@ -935,8 +992,9 @@ uset unbound.@unbound[0].protocol ip4_only
 # to:
 # procd_set_param command $PROG -vvv -d -c $UB_TOTAL_CONF
 
-{
-  cat <<'EOF'
+if ! $ap; then
+  {
+    cat <<'EOF'
 do-tcp: yes
 prefetch: yes
 qname-minimisation: yes
@@ -948,8 +1006,8 @@ local-zone: "10.in-addr.arpa." transparent
 access-control-view: 10.2.0.31/32 "youtube"
 EOF
 
-  if $zblock; then
-    cat <<'EOF'
+    if $zblock; then
+      cat <<'EOF'
 # no sy until that dongle is used by ziva
 
 # syw
@@ -959,34 +1017,24 @@ access-control-view: 10.2.0.29/32 "youtube"
 # samsungtab
 access-control-view: 10.2.0.32/32 "youtube"
 EOF
-  fi
-} | cedit /etc/unbound/unbound_srv.conf  || restart_unbound=true
+    fi
+  } | cedit /etc/unbound/unbound_srv.conf  || unbound_restart=true
 
 
-# dns based blocking vs ip based. with ip, same
-# server can have multiple domains. in dns,
-# you have to make sure clients to use the local dns.
-# https dns will need to be blocked by ip in
-# order to be comprehensive
+  # dns based blocking vs ip based. with ip, same
+  # server can have multiple domains. in dns,
+  # you have to make sure clients to use the local dns.
+  # https dns will need to be blocked by ip in
+  # order to be comprehensive
+
+
+  cedit /etc/unbound/unbound_ext.conf <<EOF || unbound_restart=true
+
+$(. /root/ptr-data)
 
-cedit /etc/unbound/unbound_ext.conf <<'EOF' || restart_unbound=true
 local-data-ptr: "10.2.0.1 cmc.b8.nz"
-local-data-ptr: "10.2.0.2 kd.b8.nz"
-local-data-ptr: "10.2.0.3 sy.b8.nz"
-local-data-ptr: "10.2.0.4 wrt2.b8.nz"
-local-data-ptr: "10.2.0.5 x2.b8.nz"
-local-data-ptr: "10.2.0.6 x2w.b8.nz"
-local-data-ptr: "10.2.0.7 syw.b8.nz"
-local-data-ptr: "10.2.0.8 amy.b8.nz"
-local-data-ptr: "10.2.0.9 bb8.b8.nz"
-local-data-ptr: "10.2.0.12 demohost.b8.nz"
-local-data-ptr: "10.2.0.14 wrt3.b8.nz"
-local-data-ptr: "10.2.0.19 brother.b8.nz"
-local-data-ptr: "10.2.0.23 amyw.b8.nz"
-local-data-ptr: "10.2.0.25 hp.b8.nz"
-local-data-ptr: "10.2.0.31 amazontab.b8.nz"
-local-data-ptr: "10.2.0.32 samsungtab.b8.nz"
-local-data-ptr: "10.173.0.2 transmission.b8.nz"
+
+local-data-ptr: "10.174.2.2 transmission.b8.nz"
 local-data-ptr: "10.173.8.1 defaultnn.b8.nz"
 local-data-ptr: "10.173.8.2 nn.b8.nz"
 
@@ -994,11 +1042,20 @@ forward-zone:
   name: "."
 #  forward-addr: 8.8.8.8
 #  forward-addr: 8.8.8.8
+
+# ssl disabled due to this error:
+#Sat Dec 24 03:34:44 2022 daemon.err unbound: [6568:0] error: ssl handshake failed crypto error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
+#Sat Dec 24 03:34:44 2022 daemon.notice unbound: [6568:0] notice: ssl handshake failed 1.0.0.3 port 853
+# on OPENWRT_RELEASE="OpenWrt SNAPSHOT r18639-f5865452ac"
+# from about feb 2022
+
 # https://developers.cloudflare.com/1.1.1.1/1.1.1.1-for-families/setup-instructions/dns-over-https
-  forward-addr: 1.1.1.3@853#family.cloudflare-dns.com
-  forward-addr: 1.0.0.3@853#family.cloudflare-dns.com
-  forward-ssl-upstream: yes
+#  forward-addr: 1.1.1.3@853#family.cloudflare-dns.com
+#  forward-addr: 1.0.0.3@853#family.cloudflare-dns.com
+#  forward-ssl-upstream: yes
   forward-first: no
+  forward-addr: 1.1.1.3
+  forward-addr: 1.0.0.3
 
 view:
   name: "youtube"
@@ -1018,14 +1075,14 @@ view:
 EOF
 
 
-if $restart_unbound; then
-  /etc/init.d/unbound restart
-  if ! unbound-checkconf; then
-    echo $0: error: unbound-checkconf failed >&2
-    exit 1
+  if $unbound_restart; then
+    /etc/init.d/unbound restart
+    if ! unbound-checkconf; then
+      echo $0: error: unbound-checkconf failed >&2
+      exit 1
+    fi
   fi
-fi
-
+fi # end if $ap
 
 # # disabled for now. i want to selectively enable it
 # # for specific hosts.
@@ -1047,11 +1104,15 @@ fi
 # to start.
 mkdir -p /mnt/usb/tftpboot
 cedit /etc/dnsmasq.conf  <<EOF || dnsmasq_restart=true
+
 # no dns
 port=0
 server=/b8.nz/#
 ptr-record=1.0.2.10.in-addr.arpa.,cmc.b8.nz
 
+# generated with host-info-update
+$(. /root/dnsmasq-data)
+
 # https://ret2got.wordpress.com/2018/01/19/how-your-ethereum-can-be-stolen-using-dns-rebinding/
 stop-dns-rebind
 rebind-domain-ok=b8.nz
@@ -1060,8 +1121,13 @@ rebind-domain-ok=b8.nz
 # It is default if dnsmasq is doing dns, otherwise, we have to specify it.
 # To see it in action, I ran this from a client machine:
 # sudo dhcpcd -o domain_name_servers -T
-dhcp-option=6,$l.1
+dhcp-option=option:dns-server,$l.1
 
+# use this when doing fai to get the right timezone, its nfsroot is
+# setup to use this dhcp option only and call ntpdate.
+# generate ips with:
+# for h in 0.ubuntu.pool.ntp.org 1.ubuntu.pool.ntp.org ntp.ubuntu.com; do host -t a $h | awk '{print $NF}'; done | while read -r l; do printf ,$l; done
+dhcp-option=option:ntp-server,188.165.3.28,202.12.97.45,91.236.251.13,50.205.244.23,78.30.254.80,31.131.0.123,202.65.114.202,94.228.220.14,185.125.190.57,185.125.190.58,91.189.91.157,185.125.190.56,91.189.94.4
 
 
 # results from googling around dnsmasq optimizations
@@ -1102,52 +1168,6 @@ server=10.2.0.1
 
 
 # default dhcp range is 100-150
-# bottom port,  iPXE (PCI 03:00.0) in seabios boot menu
-dhcp-host=c8:60:00:31:6b:75,set:kd,$l.2,kd
-dhcp-host=94:05:bb:1e:2c:2e,set:sy,$l.3,sy
-#dhcp-host=94:05:bb:1e:2c:2e,set:bo,$l.38,bo
-# top port, iPXE (PCI 04:00.0) in seabios boot menu
-#dhcp-host=c8:60:00:2b:15:07,set:kd,$l.2,kd
-# 4 is reserved for a staticly configured host wrt2
-# old x2 with bad fan
-#dhcp-host=00:1f:16:16:39:24,set:x2,$l.5,x2
-dhcp-host=f0:de:f1:81:ec:88,set:x2,$l.5,x2
-dhcp-host=c4:8e:8f:44:f5:63,set:x2w,$l.6,x2w
-dhcp-host=70:a6:cc:34:09:22,set:syw,$l.7,syw
-dhcp-host=80:fa:5b:1c:6e:cf,set:amy,$l.8,amy
-# This is so fai can have an explicit name to use for testing,
-# or else any random machine which did a pxe boot would get
-# reformatted. The mac is from doing a virt-install, cancelling it,
-# and copying the generated mac, so it should be randomish.
-dhcp-host=52:54:00:9c:ef:ad,set:demohost,$l.12,demohost
-## for using different dhcp server
-#dhcp-host=52:54:00:9c:ef:ad,ignore
-dhcp-host=62:03:cb:a8:3e:a3,set:trp,$1.13,trp
-# 14 = wrt3
-dhcp-host=00:1f:16:14:01:d8,set:x3,$l.18,x3
-# BRN001BA98CA823 in dhcp logs
-dhcp-host=00:1b:a9:8c:a8:23,set:brother,$l.19,brother
-
-dhcp-host=00:26:b6:f7:d4:d8,set:amyw,$l.23,amyw
-dhcp-host=9a:c6:52:6f:ce:7c,set:onep9,$l.24,onep9
-dhcp-host=38:63:bb:07:5a:f9,set:hp,$l.25,hp
-dhcp-host=00:26:b6:f6:0f:e9,set:frodow,$l.28,frodow
-dhcp-host=70:a6:cc:3a:bb:b4,set:bow,$l.29,bow
-dhcp-host=6c:56:97:88:7b:74,set:amazontab,$l.31,amazontab
-dhcp-host=0a:8a:9b:cf:b5:ec,set:samsungtab,$l.32,samsungtab
-dhcp-host=b8:27:eb:78:21:1d,set:pi3b,$l.33,pi3b
-dhcp-host=e4:5f:01:07:50:3f,set:pi4,$l.38,pi4
-dhcp-host=e4:5f:01:07:50:40,set:pi4w,$l.39,pi4w
-#dhcp-host=,set:pi4,$l.33,pi4
-
-
-# faiserver vm
-#dhcp-host=52:54:00:56:09:f9,set:faiserver,$l.15,faiserver
-
-# This is the ip it picks by default if dhcp fails,
-# so might as well use it.
-# hostname is the name it uses according to telnet
-dhcp-host=b4:75:0e:94:29:ca,set:switch9429ca,$l.251,switch9429ca
 
 # template
 # dhcp-host=,$l.,
@@ -1166,7 +1186,7 @@ dhcp-optsfile=/var/run/dnsmasq/dhcpopts.conf
 EOF
 
 
-if $dnsmasq_restart && ! $dev2; then
+if $dnsmasq_restart && ! $dev2 && ! $ap; then
   # todo: can our ptr records be put in /etc/hosts?
   # eg: user normal /etc/hosts records, and they wont be used for A resolution
   # due to the other settings, but will be used for ptr? then maybe
@@ -1183,10 +1203,18 @@ if $dnsmasq_restart && ! $dev2; then
   v /etc/init.d/dnsmasq restart
 fi
 
-if $firewall_restart; then
+if $ap; then
+  v /etc/init.d/firewall disable
+  v /etc/init.d/firewall stop
+elif $firewall_restart; then
   v /etc/init.d/firewall restart
 fi
 
+## turn off luci
+# if already stopped, gives error we want to ignore
+/etc/init.d/uhttpd stop |& sed '1{/^Command failed/d}'
+/etc/init.d/uhttpd disable |& sed '1{/^Command failed/d}'
+
 # this may just restart the network and take care of the network_restart below.
 if $wireless_restart; then
   v wifi
@@ -1197,4 +1225,4 @@ if $network_restart; then
   reboot
 fi
 
-exit 0
+v exit 0