X-Git-Url: https://iankelling.org/git/?p=automated-distro-installer;a=blobdiff_plain;f=wrt-setup-local;h=e7ebd38d7137914515fa36b7130e9de30f51e989;hp=d900897993b2d7503c41e9b3620229e9f4621c10;hb=HEAD;hpb=739efea3642e2f8a7a672c4600da152a27bedf1a

diff --git a/wrt-setup-local b/wrt-setup-local
index d900897..3d2edb8 100755
--- a/wrt-setup-local
+++ b/wrt-setup-local
@@ -16,13 +16,11 @@
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
 
 
-set -eE -o pipefail
-trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR
-
+f=/usr/local/lib/bash-bear;test -r $f || { echo "error: $0 no $f" >&2;exit 1;}; . $f
 
 usage() {
   cat <<EOF
-usage: ${0##*/} [-h] [-t 2|3|test|client] [-m WIRELESS_MAC]
+usage: ${0##*/} [-h] [-t 2|3|test|client] [-m WIRELESS_MAC] [hostname]
 setup my router in general: dhcp, dns, etc.
 
 Type 2 or 3 is for setting up a backup device, there are two kinds so
@@ -38,17 +36,6 @@ EOF
 }
 
 
-secrets=false
-if [[ -e /root/router-secrets ]]; then
-  secrets=true
-  source /root/router-secrets
-fi
-rmac=$(cat /sys/class/net/eth0/address)
-if $secrets; then
-  hostname=${rhost[$rmac]}
-fi
-: ${hostname:=wrt}
-
 
 zblock=false
 if [[ -e /root/zblock ]]; then
@@ -61,6 +48,7 @@ firewall_restart=false
 dev2=false
 test=false
 client=false
+ap=false
 libremanage_host=wrt2
 lanip=1
 while getopts hm:t:yz opt; do
@@ -86,6 +74,11 @@ while getopts hm:t:yz opt; do
         client)
           client=true
           ;;
+        ap)
+          ap=true
+          lanip=53
+          hostname=cmcap
+          ;;
         *) echo "$0: unexpected arg to -t: $*" >&2; usage 1 ;;
       esac
       ;;
@@ -103,10 +96,29 @@ while getopts hm:t:yz opt; do
 done
 shift "$((OPTIND-1))"   # Discard the options and sentinel --
 
+if [[ $1 ]]; then
+  h=$1
+elif [[ $hostname ]]; then
+  h=$hostname
+else
+  h=cmc
+fi
+
+if [[ ! $hostname ]]; then
+  hostname=$h
+fi
+
+
+secrets=false
+if [[ -e /root/router-secrets ]]; then
+  secrets=true
+  source /root/router-secrets
+fi
+
 if [[ ! $mac ]] && ! $test && $secrets; then
   # if we wanted to increment it
   #mac=${mac:0: -1}$((${mac: -1} + 2))
-  mac=${rwmac[$rmac]}
+  mac=${rwmac[$h]}
 fi
 
 if (( $# != 0 )); then
@@ -208,7 +220,7 @@ cedit() {
 lan=10.0.0.0
 if $test; then
   lan=10.1.0.0
-elif [[ $hostname == cmc ]]; then
+elif [[ $hostname == cmc || $hostname == cmcap ]]; then
   lan=10.2.0.0
 elif $client; then
   lan=10.3.0.0
@@ -217,14 +229,14 @@ fi
 if $test; then
   ssid="gnuv3"
 elif $secrets; then
-  ssid=${rssid[$rmac]}
+  ssid=${rssid[$h]}
 fi
 
 : ${ssid:=librecmc}
 
 
 if $secrets; then
-  key=${rkey[$rmac]}
+  key=${rkey[$h]}
 fi
 : ${key:=pictionary49}
 
@@ -232,7 +244,8 @@ mask=255.255.0.0
 cidr=16
 l=${lan%.0}
 
-passwd -l root ||: #already locked fails
+# why did we lock this? i don't know
+#passwd -l root ||: #already locked fails
 
 sed -ibak '/^root:/d' /etc/shadow
 # /root/router created by manually running passwd then copying the resulting
@@ -279,8 +292,8 @@ fi
 
 uset network.lan.ipaddr $l.$lanip
 uset network.lan.netmask $mask
-if $dev2  || $client; then
-  if $dev2; then
+if $dev2  || $client || $ap; then
+  if $dev2 || $ap; then
     uset network.lan.gateway $l.1
     uset network.wan.proto none
     uset network.wan6.proto none
@@ -290,10 +303,16 @@ if $dev2  || $client; then
   /etc/init.d/odhcpd stop
   /etc/init.d/odhcpd disable
   rm -f /etc/resolv.conf
-  cat >/etc/resolv.conf <<'EOF'
+  if $ap; then
+    cat >/etc/resolv.conf <<EOF
+nameserver $l.1
+EOF
+  else
+    cat >/etc/resolv.conf <<'EOF'
 nameserver 8.8.8.8
 nameserver 8.8.4.4
 EOF
+  fi
 
   # things i tried to keep dnsmasq running but not enabled except local dns,
   # but it didnt work right and i dont need it anyways.
@@ -307,7 +326,11 @@ EOF
 
 else
   # these are the defaults
-  uset network.lan.gateway ''
+
+  # this is not needed unless switching from the above condition.
+  # disabling just to debug
+  #uset network.lan.gateway ''
+
   uset network.wan.proto dhcp
   uset network.wan6.proto dhcpv6
   /etc/init.d/dnsmasq start
@@ -321,13 +344,13 @@ wireless_restart=false
 
 if $client; then
   uset wireless.default_radio0.network 'wwan'
-  uset wireless.default_radio0.ssid ${rclientssid[$rmac]}
+  uset wireless.default_radio0.ssid ${rclientssid[$h]}
   uset wireless.default_radio0.encryption 'psk2'
   uset wireless.default_radio0.device 'radio0'
   uset wireless.default_radio0.mode 'sta'
-  uset wireless.default_radio0.bssid ${rclientbssid[$rmac]}
+  uset wireless.default_radio0.bssid ${rclientbssid[$h]}
   # todo: look into whether 5g network is available.
-  uset wireless.default_radio0.key ${rclientkey[$rmac]}
+  uset wireless.default_radio0.key ${rclientkey[$h]}
   uset wireless.radio0.disabled false
   uset wireless.radio1.disabled true
 else
@@ -341,13 +364,33 @@ else
     if [[ $mac ]]; then
       uset wireless.default_radio$x.macaddr $macpre$((macsuf + 2*x))
     fi
-    # secondary device has wireless disabled
+    # disable/enable. secondary device has wireless disabled
     uset wireless.radio$x.disabled $dev2
   done
 fi
 
+if grep '^OPENWRT_BOARD="mvebu/cortexa9"' /etc/os-release &>/dev/null; then
+  # todo, I also enabled irqbalance, didnt script it though
+  # https://forum.openwrt.org/t/wrt1900acs-wifi-issue-after-upgrade-from-19-07-to-21-02-vacuum-cleaner-legacy-rate-support/113311/28
+  cat >/etc/rc.local <<'EOF'
+echo "0" >> /sys/kernel/debug/ieee80211/phy0/mwlwifi/tx_amsdu
+echo "0" >> /sys/kernel/debug/ieee80211/phy1/mwlwifi/tx_amsdu
+exit 0
+EOF
+  chmod +x /etc/rc.local
+  /etc/rc.local
+  uset wireless.radio0.disassoc_low_ack 0
+  uset wireless.radio1.disassoc_low_ack 0
+fi
 
 
+# found with https://openwrt.org/docs/guide-user/network/wifi/iwchan.
+# However, the default also chooses 11, and better to let it choose in case things change.
+# case $HOSTNAME in
+#   cmc)
+#     uset wireless.radio0.channel 11
+#     ;;
+# esac
 
 
 # usb, screen, relay are for libremanage
@@ -355,10 +398,33 @@ fi
 #
 # relay package temporarily disabled
 # /root/relay_1.0-1_mips_24kc.ipk
-v pi kmod-usb-storage block-mount kmod-fs-ext4 nfs-kernel-server \
-  tcpdump openvpn-openssl adblock libusb-compat \
-  screen kmod-usb-serial-cp210x kmod-usb-serial-ftdi rsync\
-  unbound-daemon-heavy unbound-checkconf
+#
+# note: prometheus-node-exporter-lua-openwrt seems to be a dependency of
+# prometheus-node-exporter-lua in practice.
+
+pkgs=(
+  tcpdump
+  screen
+  rsync
+  kmod-usb-storage
+  block-mount
+  kmod-fs-ext4
+  prometheus-node-exporter-lua-openwrt
+  prometheus-node-exporter-lua
+)
+
+if ! $ap; then
+  pkgs+=(
+    unbound-daemon
+    unbound-checkconf
+  )
+fi
+
+v pi "${pkgs[@]}"
+# nfs-kernel-server \
+  #   openvpn-openssl adblock libusb-compat \
+  #   kmod-usb-serial-cp210x kmod-usb-serial-ftdi \
+
 
 cat >/etc/libremanage.conf <<EOF
 ${libremanage_host}_type=switch
@@ -432,7 +498,17 @@ EOF
 # v /etc/init.d/nfsd enable
 
 
+cedit /etc/config/prometheus-node-exporter-lua <<'EOF' || /etc/init.d/prometheus-node-exporter-lua restart
+config prometheus-node-exporter-lua 'main'
+        option listen_ipv6 '0'
+        option listen_interface 'lan'
+        option listen_port '9100
+EOF
 
+# default, as of this writing is:
+# config prometheus-node-exporter-lua 'main'
+# 	option listen_interface 'loopback'
+# 	option listen_port '9100'
 
 
 
@@ -476,9 +552,9 @@ fi
 cedit /etc/config/network <<EOF || network_restart=true
 config 'route' 'transmission'
  option 'interface' 'lan'
- option 'target' '10.173.0.0'
+ option 'target' '10.174.0.0'
  option 'netmask' '255.255.0.0'
- option 'gateway' '$l.3'
+ option 'gateway' '$l.2'
 
 option interface 'wg0'
  option proto 'wireguard'
@@ -495,6 +571,8 @@ config wireguard_wg0 'wgclient'
  list allowed_ips 'fdfd::2/64'
 EOF
 
+# Need to reload before we change dnsmasq to give out
+# static ips in our new range.
 if $network_restart; then
   v /etc/init.d/network reload
 fi
@@ -537,6 +615,7 @@ EOF
       ;;
   esac
 
+
   cedit /etc/config/firewall <<EOF
 ## begin no external dns for ziva
 config rule
@@ -587,6 +666,7 @@ config rule
  option target REJECT
 ## end no external dns for ziva
 
+$(. /root/cmc-firewall-data)
 
 config rule
  option src              wan
@@ -594,64 +674,44 @@ config rule
  option dest_port        22
 
 config redirect
- option name sshtp
+ option name promkd
  option src              wan
- option src_dport        2202
- option dest_port        22
+ option src_dport        9091
+ option dest_port        9091
  option dest_ip          $l.2
  option dest             lan
 config rule
  option src              wan
  option target           ACCEPT
- option dest_port        2202
+ option dest_port        9091
+
+# was working on an openvpn server, didn't finish
+# config redirect
+#  option name vpnkd
+#  option src              wan
+#  option src_dport        1196
+#  option dest_port        1196
+#  option dest_ip          $l.2
+#  option dest             lan
+# config rule
+#  option src              wan
+#  option target           ACCEPT
+#  option dest_port        1196
 
-config redirect
- option name sshx2
- option src              wan
- option src_dport        2205
- option dest_port        22
- option dest_ip          $l.5
- option dest             lan
-config rule
- option src              wan
- option target           ACCEPT
- option dest_port        2205
 
 config redirect
- option name sshx3
+ option name sshkdalt
  option src              wan
- option src_dport        2207
- option dest_port        22
- option dest_ip          $l.7
+ option src_dport        8989
+ option dest_port        8989
+ option dest_ip          $l.2
  option dest             lan
 config rule
  option src              wan
  option target           ACCEPT
- option dest_port        2207
+ option dest_port        8989
 
-config redirect
- option name sshtp
- option src              wan
- option src_dport        2208
- option dest_port        22
- option dest_ip          $l.8
- option dest             lan
-config rule
- option src              wan
- option target           ACCEPT
- option dest_port        2208
 
-config redirect
- option name sshbb8
- option src              wan
- option src_dport        2209
- option dest_port        22
- option dest_ip          $l.9
- option dest             lan
-config rule
- option src              wan
- option target           ACCEPT
- option dest_port        2209
 
 config redirect
  option name icecast
@@ -666,7 +726,7 @@ config rule
  option dest_port        8000
 
 config rule
- option name sshwrt
+ option name sshcmc
  option src              wan
  option target           ACCEPT
  option dest_port        2220
@@ -678,46 +738,91 @@ config rule
  option dest_port        $wgport
  option proto            udp
 
-
 config redirect
- option name httpkd
+ option name navidromehttps
  option src              wan
- option src_dport        80
+ option src_dport        4500
+ option dest_port        4500
+ option dest_ip          $l.2
  option dest             lan
+config rule
+ option src              wan
+ option target           ACCEPT
+ option dest_port        4500
+
+config redirect
+ option name navidrome
+ option src              wan
+ option src_dport        4533
+ option dest_port        4533
  option dest_ip          $l.2
- option proto            tcp
+ option dest             lan
 config rule
  option src              wan
  option target           ACCEPT
- option dest_port        80
- option proto            tcp
+ option dest_port        4533
+
+# So a client can just have b8.nz dns even when they
+# are on the lan.
+#config redirect
+# option name navidromelan
+# option src              lan
+# option src_dport        4533
+# option dest_port        4533
+# option dest_ip          $l.2
+# option dest             lan
+
+
+# config redirect
+#  option name icecast
+#  option src              wan
+#  option src_dport        8000
+#  option dest_port        8000
+#  option dest_ip          $l.2
+#  option dest             lan
+# config rule
+#  option src              wan
+#  option target           ACCEPT
+#  option dest_port        8000
 
 config redirect
- option name httpskd
+ option name http
  option src              wan
- option src_dport        443
+ option src_dport        80
  option dest             lan
- option dest_ip          $l.2
+ option dest_ip          $l.7
  option proto            tcp
 config rule
  option src              wan
  option target           ACCEPT
- option dest_port        443
+ option dest_port        80
  option proto            tcp
 
 config redirect
-option name httpskd8448
+ option name https
  option src              wan
- option src_dport        8448
+ option src_dport        443
  option dest             lan
- option dest_ip          $l.2
+ option dest_ip          $l.7
  option proto            tcp
 config rule
  option src              wan
  option target           ACCEPT
- option dest_port        8448
+ option dest_port        443
  option proto            tcp
 
+# config redirect
+# option name httpskd8448
+#  option src              wan
+#  option src_dport        8448
+#  option dest             lan
+#  option dest_ip          $l.2
+#  option proto            tcp
+# config rule
+#  option src              wan
+#  option target           ACCEPT
+#  option dest_port        8448
+#  option proto            tcp
 
 config redirect
  option name syncthing
@@ -731,6 +836,17 @@ config rule
  option dest_port        22001
 
 
+#config redirect
+# option name i2p
+# option src              wan
+# option src_dport        $i2pport
+# option dest_ip          $l.178
+# option dest             lan
+#config rule
+# option src              wan
+# option target           ACCEPT
+# option dest_port        $i2pport
+
 config rule
  option name ssh-ipv6
  option src wan
@@ -742,21 +858,21 @@ config rule
  option target ACCEPT
  option family ipv6
 
-config rule
- option name http-ipv6
- option src wan
- option dest lan
- option dest_port 80
- option target ACCEPT
- option family ipv6
-
-config rule
- option name https-ipv6
- option src wan
- option dest lan
- option dest_port 443
- option target ACCEPT
- option family ipv6
+# config rule
+#  option name http-ipv6
+#  option src wan
+#  option dest lan
+#  option dest_port 80
+#  option target ACCEPT
+#  option family ipv6
+
+# config rule
+#  option name https-ipv6
+#  option src wan
+#  option dest lan
+#  option dest_port 443
+#  option target ACCEPT
+#  option family ipv6
 
 config rule
  option name node-exporter
@@ -774,17 +890,37 @@ config rule
  option target ACCEPT
  option family ipv6
 
-# include a file with users custom iptables rules
-config include
-	option path /etc/firewall.user
-	option type 'restore'
-	option family 'ipv4'
-
-
 EOF
 }
 firewall-cedit || firewall_restart=true
 
+# firewall comment:
+# not using and in newer wrt, fails, probably due to nonexistent file, error output
+# on:
+
+# Reference error: left-hand side expression is not an array or object
+# In [anonymous function](), file /usr/share/ucode/fw4.uc, line 3137, byte 12:
+#   called from function [arrow function] (/usr/share/ucode/fw4.uc:733:71)
+#   called from function foreach ([C])
+#   called from function [anonymous function] (/usr/share/ucode/fw4.uc:733:72)
+#   called from function render_ruleset (/usr/share/firewall4/main.uc:56:24)
+#   called from anonymous function (/usr/share/firewall4/main.uc:143:29)
+#
+#  `        if (!inc.enabled) {`
+#   Near here -------^
+#
+#
+# The rendered ruleset contains errors, not doing firewall restart.
+# /usr/bin/wrt-setup-local:160:error: ""$@"" returned 1
+
+## include a file with users custom iptables rules
+#config include
+#	option path /etc/firewall.user
+#	option type 'restore'
+#	option family 'ipv4'
+
+
+
 # not using wireguard for now
 # if ! uci get firewall.@zone[1].network | grep wg0 &>/dev/null; then
 #   # cant mix cedit plus uci
@@ -797,26 +933,9 @@ firewall-cedit || firewall_restart=true
 
 
 
-cedit /etc/hosts <<EOF
+cedit /etc/hosts <<EOF ||:
 127.0.1.1 $hostname
 EOF
-# not sure this case statement is needed
-case $hostname in
-  cmc)
-    cedit host /etc/hosts <<EOF
-$l.1 $hostname
-# 127.0.0.1 www.youtube.com
-# 127.0.0.1 googlevideo.com
-# 127.0.0.1 youtu.be
-# 127.0.0.1 youtube-nocookie.com
-# 127.0.0.1 youtube.com
-# 127.0.0.1 youtube.googleapis.com
-# 127.0.0.1 youtubei.googleapis.com
-# 127.0.0.1 ytimg.com
-# 127.0.0.1 ytimg.l.google.com
-EOF
-    ;;
-esac
 
 
 #mail_host=$(grep -F mail.iankelling.org /etc/hosts | awk '{print $1}')
@@ -833,7 +952,8 @@ uset dhcp.@dnsmasq[0].local
 # if you delete it, it goes back to the default. this seems
 # to be a decent workaround.
 # todo: setup /etc/resolv.conf to point to 127.0.0.1
-uset dhcp.@dnsmasq[0].resolvfile /dev/null
+# later note: disabled, I dunno why I set this.
+# uset dhcp.@dnsmasq[0].resolvfile /dev/null
 
 # if dnsmasq happens to not send out a dns server,
 # odhcpd will send one out like this:
@@ -843,12 +963,16 @@ uset dhcp.@dnsmasq[0].resolvfile /dev/null
 # so just stop this thing.
 # note: tried this, it didn't do anything:
 # uset dhcp.@odhcpd[0].dns 10.2.0.1
-/etc/init.d/odhcpd stop
-/etc/init.d/odhcpd disable
+
+# iank, disablde while debugging.
+#/etc/init.d/odhcpd stop
+#/etc/init.d/odhcpd disable
+
 # todo: make the above conditional on which server this is.
 
+## left commented in case we have ipv6 problems in the future
 # avoid errors in log. current isp doesnt have ipv6
-uset unbound.@unbound[0].protocol ip4_only
+#uset unbound.@unbound[0].protocol ip4_only
 
 # todo: im not sure all these are needed, but they all look
 # like good options.
@@ -868,8 +992,9 @@ uset unbound.@unbound[0].protocol ip4_only
 # to:
 # procd_set_param command $PROG -vvv -d -c $UB_TOTAL_CONF
 
-{
-  cat <<'EOF'
+if ! $ap; then
+  {
+    cat <<'EOF'
 do-tcp: yes
 prefetch: yes
 qname-minimisation: yes
@@ -881,51 +1006,56 @@ local-zone: "10.in-addr.arpa." transparent
 access-control-view: 10.2.0.31/32 "youtube"
 EOF
 
-  if $zblock; then
-    cat <<'EOF'
-# amy, amyw, samsungtab
-access-control-view: 10.2.0.8/32 "youtube"
-access-control-view: 10.2.0.23/32 "youtube"
+    if $zblock; then
+      cat <<'EOF'
+# no sy until that dongle is used by ziva
+
+# syw
+#access-control-view: 10.2.0.7/32 "youtube"
+# bow
+access-control-view: 10.2.0.29/32 "youtube"
+# samsungtab
 access-control-view: 10.2.0.32/32 "youtube"
 EOF
-  fi
-} | cedit /etc/unbound/unbound_srv.conf  || restart_unbound=true
+    fi
+  } | cedit /etc/unbound/unbound_srv.conf  || unbound_restart=true
+
 
+  # dns based blocking vs ip based. with ip, same
+  # server can have multiple domains. in dns,
+  # you have to make sure clients to use the local dns.
+  # https dns will need to be blocked by ip in
+  # order to be comprehensive
 
-# dns based blocking vs ip based. with ip, same
-# server can have multiple domains. in dns,
-# you have to make sure clients to use the local dns.
-# https dns will need to be blocked by ip in
-# order to be comprehensive
 
-cedit /etc/unbound/unbound_ext.conf <<'EOF' || restart_unbound=true
+  cedit /etc/unbound/unbound_ext.conf <<EOF || unbound_restart=true
+
+$(. /root/ptr-data)
+
 local-data-ptr: "10.2.0.1 cmc.b8.nz"
-local-data-ptr: "10.2.0.2 kd.b8.nz"
-local-data-ptr: "10.2.0.3 sy.b8.nz"
-local-data-ptr: "10.2.0.4 wrt2.b8.nz"
-local-data-ptr: "10.2.0.5 x2.b8.nz"
-local-data-ptr: "10.2.0.6 x2w.b8.nz"
-local-data-ptr: "10.2.0.7 syw.b8.nz"
-local-data-ptr: "10.2.0.8 amy.b8.nz"
-local-data-ptr: "10.2.0.9 bb8.b8.nz"
-local-data-ptr: "10.2.0.12 demohost.b8.nz"
-local-data-ptr: "10.2.0.14 wrt3.b8.nz"
-local-data-ptr: "10.2.0.19 brother.b8.nz"
-local-data-ptr: "10.2.0.23 amyw.b8.nz"
-local-data-ptr: "10.2.0.25 hp.b8.nz"
-local-data-ptr: "10.2.0.31 amazontab.b8.nz"
-local-data-ptr: "10.2.0.32 samsungtab.b8.nz"
-local-data-ptr: "10.173.0.2 transmission.b8.nz"
+
+local-data-ptr: "10.174.2.2 transmission.b8.nz"
 local-data-ptr: "10.173.8.1 defaultnn.b8.nz"
 local-data-ptr: "10.173.8.2 nn.b8.nz"
 
 forward-zone:
   name: "."
+#  forward-addr: 8.8.8.8
+#  forward-addr: 8.8.8.8
+
+# ssl disabled due to this error:
+#Sat Dec 24 03:34:44 2022 daemon.err unbound: [6568:0] error: ssl handshake failed crypto error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
+#Sat Dec 24 03:34:44 2022 daemon.notice unbound: [6568:0] notice: ssl handshake failed 1.0.0.3 port 853
+# on OPENWRT_RELEASE="OpenWrt SNAPSHOT r18639-f5865452ac"
+# from about feb 2022
+
 # https://developers.cloudflare.com/1.1.1.1/1.1.1.1-for-families/setup-instructions/dns-over-https
-  forward-addr: 1.1.1.3@853#family.cloudflare-dns.com
-  forward-addr: 1.0.0.3@853#family.cloudflare-dns.com
-  forward-ssl-upstream: yes
+#  forward-addr: 1.1.1.3@853#family.cloudflare-dns.com
+#  forward-addr: 1.0.0.3@853#family.cloudflare-dns.com
+#  forward-ssl-upstream: yes
   forward-first: no
+  forward-addr: 1.1.1.3
+  forward-addr: 1.0.0.3
 
 view:
   name: "youtube"
@@ -945,26 +1075,26 @@ view:
 EOF
 
 
-if $restart_unbound; then
-  /etc/init.d/unbound restart
-  if ! unbound-checkconf; then
-    echo $0: error: unbound-checkconf failed >&2
-    exit 1
+  if $unbound_restart; then
+    /etc/init.d/unbound restart
+    if ! unbound-checkconf; then
+      echo $0: error: unbound-checkconf failed >&2
+      exit 1
+    fi
   fi
-fi
-
-
-# disabled for now. i want to selectively enable it
-# for specific hosts.
-if [[ $(uci get adblock.global.adb_enabled) != 0 ]]; then
-  v uci set adblock.global.adb_enabled=0
-  uci commit adblock
-  /etc/init.d/adblock restart
-fi
-# https://github.com/openwrt/packages/tree/master/net/adblock/files
-cat >/etc/crontabs/root <<'EOF'
-0 06 * * *    /etc/init.d/adblock reload
-EOF
+fi # end if $ap
+
+# # disabled for now. i want to selectively enable it
+# # for specific hosts.
+# if [[ $(uci get adblock.global.adb_enabled) != 0 ]]; then
+#   v uci set adblock.global.adb_enabled=0
+#   uci commit adblock
+#   /etc/init.d/adblock restart
+# fi
+# # https://github.com/openwrt/packages/tree/master/net/adblock/files
+# cat >/etc/crontabs/root <<'EOF'
+# 0 06 * * *    /etc/init.d/adblock reload
+# EOF
 
 
 # useful: http://wiki.openwrt.org/doc/howto/dhcp.dnsmasq
@@ -974,11 +1104,15 @@ EOF
 # to start.
 mkdir -p /mnt/usb/tftpboot
 cedit /etc/dnsmasq.conf  <<EOF || dnsmasq_restart=true
+
 # no dns
 port=0
 server=/b8.nz/#
 ptr-record=1.0.2.10.in-addr.arpa.,cmc.b8.nz
 
+# generated with host-info-update
+$(. /root/dnsmasq-data)
+
 # https://ret2got.wordpress.com/2018/01/19/how-your-ethereum-can-be-stolen-using-dns-rebinding/
 stop-dns-rebind
 rebind-domain-ok=b8.nz
@@ -987,8 +1121,13 @@ rebind-domain-ok=b8.nz
 # It is default if dnsmasq is doing dns, otherwise, we have to specify it.
 # To see it in action, I ran this from a client machine:
 # sudo dhcpcd -o domain_name_servers -T
-dhcp-option=6,$l.1
+dhcp-option=option:dns-server,$l.1
 
+# use this when doing fai to get the right timezone, its nfsroot is
+# setup to use this dhcp option only and call ntpdate.
+# generate ips with:
+# for h in 0.ubuntu.pool.ntp.org 1.ubuntu.pool.ntp.org ntp.ubuntu.com; do host -t a $h | awk '{print $NF}'; done | while read -r l; do printf ,$l; done
+dhcp-option=option:ntp-server,188.165.3.28,202.12.97.45,91.236.251.13,50.205.244.23,78.30.254.80,31.131.0.123,202.65.114.202,94.228.220.14,185.125.190.57,185.125.190.58,91.189.91.157,185.125.190.56,91.189.94.4
 
 
 # results from googling around dnsmasq optimizations
@@ -1022,60 +1161,32 @@ server=10.2.0.1
 
 # to fixup existin ips, on the client you can do
 # sudo dhclient -r; sudo dhclient <interface-name>
+# or on cmc,
+# /etc/init.d/dnsmasq stop
+# vi /tmp/dhcp.leases
+# /etc/init.d/dnsmasq start
+
 
 # default dhcp range is 100-150
-# bottom port,  iPXE (PCI 03:00.0) in seabios boot menu
-dhcp-host=c8:60:00:31:6b:75,set:kd,$l.2,kd
-dhcp-host=94:05:bb:1e:2c:2e,set:sy,$l.3,sy
-# top port, iPXE (PCI 04:00.0) in seabios boot menu
-#dhcp-host=c8:60:00:2b:15:07,set:kd,$l.2,kd
-# 4 is reserved for a staticly configured host wrt2
-# old x2 with bad fan
-#dhcp-host=00:1f:16:16:39:24,set:x2,$l.5,x2
-dhcp-host=f0:de:f1:81:ec:88,set:x2,$l.5,x2
-dhcp-host=c4:8e:8f:44:f5:63,set:x2w,$l.6,x2w
-dhcp-host=34:7d:f6:ed:ec:07,set:syw,$l.7,syw
-dhcp-host=80:fa:5b:1c:6e:cf,set:amy,$l.8,amy
-# This is so fai can have an explicit name to use for testing,
-# or else any random machine which did a pxe boot would get
-# reformatted. The mac is from doing a virt-install, cancelling it,
-# and copying the generated mac, so it should be randomish.
-dhcp-host=52:54:00:9c:ef:ad,set:demohost,$l.12,demohost
-dhcp-host=62:03:cb:a8:3e:a3,set:trp,$1.13,trp
-dhcp-host=00:1f:16:14:01:d8,set:x3,$l.18,x3
-# BRN001BA98CA823 in dhcp logs
-dhcp-host=00:1b:a9:8c:a8:23,set:brother,$l.19,brother
-
-dhcp-host=00:26:b6:f7:d4:d8,set:amyw,$l.23,amyw
-dhcp-host=38:63:bb:07:5a:f9,set:hp,$l.25,hp
-dhcp-host=00:26:b6:f6:0f:e9,set:frodow,$l.28,frodow
-dhcp-host=6c:56:97:88:7b:74,set:amazontab,$l.31,amazontab
-dhcp-host=0a:8a:9b:cf:b5:ec,set:samsungtab,$l.32,samsungtab
-
-
-
-# faiserver vm
-dhcp-host=52:54:00:56:09:f9,set:faiserver,$l.15,faiserver
-
-# This is the ip it picks by default if dhcp fails,
-# so might as well use it.
-# hostname is the name it uses according to telnet
-dhcp-host=b4:75:0e:94:29:ca,set:switch9429ca,$l.251,switch9429ca
 
 # template
 # dhcp-host=,$l.,
 
-# Just leave the tftp server up even if we aren't doing pxe boot.
-# It has no sensitive info.
-enable-tftp=br-lan
-tftp-root=/mnt/usb/tftpboot
-dhcp-optsfile=/etc/dnsmasq-dhcpopts.conf
+# pxe tftpboot for arch-like. todo: openwrt snapshot from 2022-01, it cant
+# access /mnt/usb/tftpboot due to ujail sandbox
+#enable-tftp=br-lan
+#tftp-root=/mnt/usb/tftpboot
+#tftp-root=/var/run/dnsmasq/tftpboot
 
+
+dhcp-optsfile=/var/run/dnsmasq/dhcpopts.conf
+
+# for debugging dhcp
 #log-queries=extra
 EOF
 
 
-if $dnsmasq_restart && ! $dev2; then
+if $dnsmasq_restart && ! $dev2 && ! $ap; then
   # todo: can our ptr records be put in /etc/hosts?
   # eg: user normal /etc/hosts records, and they wont be used for A resolution
   # due to the other settings, but will be used for ptr? then maybe
@@ -1092,10 +1203,18 @@ if $dnsmasq_restart && ! $dev2; then
   v /etc/init.d/dnsmasq restart
 fi
 
-if $firewall_restart; then
+if $ap; then
+  v /etc/init.d/firewall disable
+  v /etc/init.d/firewall stop
+elif $firewall_restart; then
   v /etc/init.d/firewall restart
 fi
 
+## turn off luci
+# if already stopped, gives error we want to ignore
+/etc/init.d/uhttpd stop |& sed '1{/^Command failed/d}'
+/etc/init.d/uhttpd disable |& sed '1{/^Command failed/d}'
+
 # this may just restart the network and take care of the network_restart below.
 if $wireless_restart; then
   v wifi
@@ -1106,4 +1225,4 @@ if $network_restart; then
   reboot
 fi
 
-exit 0
+v exit 0