X-Git-Url: https://iankelling.org/git/?p=automated-distro-installer;a=blobdiff_plain;f=wrt-setup-local;h=e7ebd38d7137914515fa36b7130e9de30f51e989;hp=f465da5a75ceef8e8da54932133943a5c4c1dbb1;hb=HEAD;hpb=917fa30617ccafa3a7ed5218a418cf058948b729
diff --git a/wrt-setup-local b/wrt-setup-local
index f465da5..3d2edb8 100755
--- a/wrt-setup-local
+++ b/wrt-setup-local
@@ -15,31 +15,151 @@ # along with this program; if not, write to the Free Software # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. -set -eE -o pipefail -trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR +f=/usr/local/lib/bash-bear;test -r $f || { echo "error: $0 no $f" >&2;exit 1;}; . $f + +usage() { + cat <&2; usage 1 ;; + esac + ;; + y) + zblock=false + rm -f /root/zblock + ;; + z) + zblock=true + touch /root/zblock + ;; + m) mac=$OPTARG ;; + *) echo "$0: Internal error! unexpected args: $*" >&2 ; usage 1 ;; + esac +done +shift "$((OPTIND-1))" # Discard the options and sentinel -- + +if [[ $1 ]]; then + h=$1 +elif [[ $hostname ]]; then + h=$hostname +else + h=cmc +fi + +if [[ ! $hostname ]]; then + hostname=$h +fi + + +secrets=false +if [[ -e /root/router-secrets ]]; then + secrets=true + source /root/router-secrets +fi + +if [[ ! $mac ]] && ! $test && $secrets; then + # if we wanted to increment it + #mac=${mac:0: -1}$((${mac: -1} + 2)) + mac=${rwmac[$h]} +fi + +if (( $# != 0 )); then + usage 1 fi + +macpre=${mac:0: -1} +macsuf=${mac: -1} + + +p_updated=false pmirror() { + if $p_updated; then + return + fi # background: upgrading all packages is not recommended because it # doesn't go into the firmware. build new firmware if you want # lots of upgrades. I think /tmp/opkg-lists is a pre openwrt 14 location. f=(/var/opkg-lists/*) if ! (( $(date -r $f +%s) + 60*60*24 > $(date +%s) )); then - opkg update + if ! opkg update; then + echo "$0: warning: opkg update failed" >&2 + fi + p_updated=true fi } pi() { - for x in "$@"; do - if [[ ! $(opkg list-installed "$x") ]]; then + to_install=() + for p in "$@"; do + pname=${p##*/} + pname=${pname%%_*} + if [[ ! $(opkg list-installed "$pname") ]]; then + to_install+=($p) pmirror - opkg install "$@" fi done + if [[ $to_install ]]; then + opkg install ${to_install[@]} + fi } v() { 
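Review bot: `opkg install ${to_install[@]}` and `to_install+=($p)` in the new `pi()` expand the array unquoted, so a package path containing whitespace or glob characters would be split or globbed before it reaches opkg (ShellCheck SC2068/SC2206); write `to_install+=("$p")` and `opkg install "${to_install[@]}"`. The `[[ $to_install ]]` emptiness check only inspects element 0, which works here because no empty string is ever appended, but `(( ${#to_install[@]} ))` states the intent directly. Separately, `pmirror` sets `p_updated=true` only inside the branch that actually ran `opkg update`, so when the package list is already fresh the `date` comparison is repeated for every missing package; moving the assignment after the `if` block makes the flag behave the way the early `return` expects.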
@@ -60,6 +180,7 @@ v() { ####### end uci example ##### uset() { + printf "+ uset %s\n" "$*" local key="$1" local val="$2" local service="${key%%.*}" @@ -74,19 +195,57 @@ uset() { fi } +udel() { + printf "+ udel %s\n" "$*" + local key="$1" + local val="$2" + local service="${key%%.*}" + restart_var=${service}_restart + if [[ ! ${!restart_var} ]]; then + eval $restart_var=false + fi + if uci get "$key" &>/dev/null; then + v uci set "$key"="$val" + uci commit $service + eval $restart_var=true + fi +} +cedit() { + v command cedit -v "$@" +} + ### network config ### -ssid="check out gnu.org" lan=10.0.0.0 -if $dev2; then - ssid="gnuv3" +if $test; then lan=10.1.0.0 +elif [[ $hostname == cmc || $hostname == cmcap ]]; then + lan=10.2.0.0 +elif $client; then + lan=10.3.0.0 +fi + +if $test; then + ssid="gnuv3" +elif $secrets; then + ssid=${rssid[$h]} +fi + +: ${ssid:=librecmc} + + +if $secrets; then + key=${rkey[$h]} fi +: ${key:=pictionary49} + mask=255.255.0.0 +cidr=16 l=${lan%.0} -passwd -l root ||: #already locked fails +# why did we lock this? i don't know +#passwd -l root ||: #already locked fails sed -ibak '/^root:/d' /etc/shadow # /root/router created by manually running passwd then copying the resulting @@ -96,6 +255,7 @@ cat /root/router >>/etc/shadow uset system.@system[0].ttylogin 1 + cat >/usr/bin/archlike-pxe-mount <<'EOFOUTER' #!/bin/bash # symlinks are collapsed for nfs mount points, so use a bind mount. 
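Review bot: The new `printf "+ uset %s\n" "$*"` trace at the top of `uset` echoes every argument, and the later hunk at `@@ -114,11 +274,163 @@` calls it with wireless pre-shared keys (`uset wireless.default_radio$x.key $key` and `uset wireless.default_radio0.key ${rclientkey[$h]}`), so the PSK lands in whatever captures the script's stdout. Redacting by key name keeps the trace useful without logging the secret: `if [[ $1 == *.key ]]; then printf '+ uset %s <redacted>\n' "$1"; else printf '+ uset %s\n' "$*"; fi`, and the same applies to the `printf "+ udel %s\n" "$*"` line in the next hunk. The rest of `uset` is outside this hunk.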
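Review bot: `udel` is a copy of `uset` that still runs `v uci set "$key"="$val"` and takes a value argument, so despite its name it never deletes anything; if deletion is the intent, the guarded branch should be `v uci delete "$key"` with the `val` parameter dropped — nothing in the visible hunks calls it, so this may simply be unfinished. Also, the `: ${key:=...}` fallback makes a literal published in this repository the wireless PSK whenever `/root/router-secrets` is absent, and unlike `ssid` there is no test-mode branch to confine it; restricting the default to `$test` or failing with `: "${key:?wireless key not set}"` avoids bringing up an AP with a known key by accident. As in `uset`, `restart_var` in `udel` is not declared `local`.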
@@ -114,11 +274,163 @@ EOFOUTER chmod +x /usr/bin/archlike-pxe-mount sed -i '/^root:/s,/bin/ash$,/bin/bash,' /etc/passwd -v pi kmod-usb-storage block-mount kmod-fs-ext4 nfs-kernel-server \ - tcpdump openvpn-openssl adblock libusb-compat /root/relay_1.0-1_mips_24kc.ipk +uset dropbear.@dropbear[0].PasswordAuth 0 +uset dropbear.@dropbear[0].RootPasswordAuth 0 +uset dropbear.@dropbear[0].Port 2220 +if ! cmp -s /root/dropbear_rsa_host_key /etc/dropbear/dropbear_rsa_host_key; then + cp /root/dropbear_rsa_host_key /etc/dropbear/dropbear_rsa_host_key + dropbear_restart=true +fi + +if $dropbear_restart; then + v /etc/init.d/dropbear restart +fi + + +uset network.lan.ipaddr $l.$lanip +uset network.lan.netmask $mask +if $dev2 || $client || $ap; then + if $dev2 || $ap; then + uset network.lan.gateway $l.1 + uset network.wan.proto none + uset network.wan6.proto none + fi + /etc/init.d/dnsmasq stop + /etc/init.d/dnsmasq disable + /etc/init.d/odhcpd stop + /etc/init.d/odhcpd disable + rm -f /etc/resolv.conf + if $ap; then + cat >/etc/resolv.conf </etc/resolv.conf <<'EOF' +nameserver 8.8.8.8 +nameserver 8.8.4.4 +EOF + fi + + # things i tried to keep dnsmasq running but not enabled except local dns, + # but it didnt work right and i dont need it anyways. + # uset dhcp.wan.ignore $dev2 # default is false + # uset dhcp.lan.ignore $dev2 # default is false + # uset dhcp.@dnsmasq[0].interface lo + # uset dhcp.@dnsmasq[0].localuse 0 + # uset dhcp.@dnsmasq[0].resolvfile /etc/dnsmasq.conf + # uset dhcp.@dnsmasq[0].noresolv 1 + # todo: populate /etc/resolv.conf with a static value + +else + # these are the defaults + + # this is not needed unless switching from the above condition. 
+ # disabling just to debug + #uset network.lan.gateway '' + + uset network.wan.proto dhcp + uset network.wan6.proto dhcpv6 + /etc/init.d/dnsmasq start + # todo: figure out why this returns 1 + /etc/init.d/dnsmasq enable ||: + /etc/init.d/odhcpd start + /etc/init.d/odhcpd enable +fi + +wireless_restart=false + +if $client; then + uset wireless.default_radio0.network 'wwan' + uset wireless.default_radio0.ssid ${rclientssid[$h]} + uset wireless.default_radio0.encryption 'psk2' + uset wireless.default_radio0.device 'radio0' + uset wireless.default_radio0.mode 'sta' + uset wireless.default_radio0.bssid ${rclientbssid[$h]} + # todo: look into whether 5g network is available. + uset wireless.default_radio0.key ${rclientkey[$h]} + uset wireless.radio0.disabled false + uset wireless.radio1.disabled true +else + # defaults, just reseting in case client config ran + uset wireless.default_radio0.network lan + uset wireless.default_radio0.mode ap + for x in 0 1; do + uset wireless.default_radio$x.ssid "$ssid" + uset wireless.default_radio$x.key $key + uset wireless.default_radio$x.encryption psk2 + if [[ $mac ]]; then + uset wireless.default_radio$x.macaddr $macpre$((macsuf + 2*x)) + fi + # disable/enable. secondary device has wireless disabled + uset wireless.radio$x.disabled $dev2 + done +fi + +if grep '^OPENWRT_BOARD="mvebu/cortexa9"' /etc/os-release &>/dev/null; then + # todo, I also enabled irqbalance, didnt script it though + # https://forum.openwrt.org/t/wrt1900acs-wifi-issue-after-upgrade-from-19-07-to-21-02-vacuum-cleaner-legacy-rate-support/113311/28 + cat >/etc/rc.local <<'EOF' +echo "0" >> /sys/kernel/debug/ieee80211/phy0/mwlwifi/tx_amsdu +echo "0" >> /sys/kernel/debug/ieee80211/phy1/mwlwifi/tx_amsdu +exit 0 +EOF + chmod +x /etc/rc.local + /etc/rc.local + uset wireless.radio0.disassoc_low_ack 0 + uset wireless.radio1.disassoc_low_ack 0 +fi + + +# found with https://openwrt.org/docs/guide-user/network/wifi/iwchan. 
+# However, the default also chooses 11, and better to let it choose in case things change. +# case $HOSTNAME in +# cmc) +# uset wireless.radio0.channel 11 +# ;; +# esac + + +# usb, screen, relay are for libremanage +# rsync is for brc +# +# relay package temporarily disabled +# /root/relay_1.0-1_mips_24kc.ipk +# +# note: prometheus-node-exporter-lua-openwrt seems to be a dependency of +# prometheus-node-exporter-lua in practice. + +pkgs=( + tcpdump + screen + rsync + kmod-usb-storage + block-mount + kmod-fs-ext4 + prometheus-node-exporter-lua-openwrt + prometheus-node-exporter-lua +) + +if ! $ap; then + pkgs+=( + unbound-daemon + unbound-checkconf + ) +fi + +v pi "${pkgs[@]}" +# nfs-kernel-server \ + # openvpn-openssl adblock libusb-compat \ + # kmod-usb-serial-cp210x kmod-usb-serial-ftdi \ + + +cat >/etc/libremanage.conf </dev/null) ]]; then - v uci delete wireless.radio$x.disabled - wireless_restart=true - fi -done - -if $wireless_restart; then - v wifi -fi - ########## openvpn exampl ########## missing firewall settings for routing lan 
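Review bot: The wireless key expansions are unquoted — `uset wireless.default_radio$x.key $key` and `uset wireless.default_radio0.key ${rclientkey[$h]}` — while `"$ssid"` on the neighbouring line is quoted; a PSK containing whitespace would be split into extra positional arguments that `uset` silently ignores, so quote them (`"$key"`, `"${rclientkey[$h]}"`) and likewise `${rclientssid[$h]}` and `${rclientbssid[$h]}`. The host-key install `cp /root/dropbear_rsa_host_key /etc/dropbear/dropbear_rsa_host_key` does not pin the mode of the private key, so it inherits whatever the source file or umask gives; adding `chmod 600 -- /etc/dropbear/dropbear_rsa_host_key` after the copy makes that explicit. `if $dropbear_restart` relies on one of the three preceding `uset dropbear...` calls having initialised the variable through `uset`'s eval, which holds only as long as they stay in front of the `cmp` block.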
@@ -223,162 +525,576 @@ fi # # I did, and I had to restart the vpn afterwards. # # This maps a uci interface to a real interface which is # # managed outside of uci. -# v cedit /etc/config/network <<'EOF' ||: +# cedit /etc/config/network <<'EOF' ||: # config interface 'tun0' # option ifname 'tun0' # option proto 'none' # EOF -# v cedit /etc/config/openvpn <<'EOF' || v /etc/init.d/openvpn restart +# cedit /etc/config/openvpn <<'EOF' || v /etc/init.d/openvpn restart # config openvpn my_client_config # option enabled 1 # option config /etc/openvpn/client.conf # EOF +wgip4=10.3.0.1/24 +wgip6=fdfd::1/64 +wgport=26000 +network_restart=false +if $client; then + cedit wific /etc/config/network </dev/null; then +# # cant mix cedit plus uci +# echo | cedit /etc/config/firewall ||: +# uci add_list firewall.@zone[1].network=wg0 +# uci commit firewall +# firewall-cedit ||: +# firewall_restart=true +# fi -dnsmasq_restart=false -v cedit /etc/hosts </dev/null) ]]; then - # default is '/tmp/resolv.conf.auto', we switch to the dnsmasq default of - # /etc/resolv.conf. not sure why I did this. - v uci delete dhcp.@dnsmasq[0].resolvfile - uci commit dhcp - dnsmasq_restart=true -fi - uset dhcp.@dnsmasq[0].domain b8.nz -uset dhcp.@dnsmasq[0].local /b8.nz/ -uset system.@system[0].hostname wrt +uset system.@system[0].hostname $hostname +uset dhcp.@dnsmasq[0].local + +# uci doesnt seem to have a way to set an empty value, +# if you delete it, it goes back to the default. this seems +# to be a decent workaround. +# todo: setup /etc/resolv.conf to point to 127.0.0.1 +# later note: disabled, I dunno why I set this. +# uset dhcp.@dnsmasq[0].resolvfile /dev/null + +# if dnsmasq happens to not send out a dns server, +# odhcpd will send one out like this: +# NetworkManager[953]: [1614982580.5192] dhcp6 (wlan0): option dhcp6_name_servers => 'fd58:5801:8e02::1' +# but i dont want ipv6 dns, just keep it simple to ipv4. +# I know my isp doesnt have ipv6 right now, +# so just stop this thing. 
+# note: tried this, it didn't do anything: +# uset dhcp.@odhcpd[0].dns 10.2.0.1 + +# iank, disablde while debugging. +#/etc/init.d/odhcpd stop +#/etc/init.d/odhcpd disable + +# todo: make the above conditional on which server this is. + +## left commented in case we have ipv6 problems in the future +# avoid errors in log. current isp doesnt have ipv6 +#uset unbound.@unbound[0].protocol ip4_only + +# todo: im not sure all these are needed, but they all look +# like good options. +# https://blog.cloudflare.com/dns-over-tls-for-openwrt/ +# https://gist.github.com/vqiu/7b32d3a19a7a09d32e108d998de166c2 +#https://blog.thestateofme.com/2018/04/04/howto-secure-your-dns-with-a-raspberry-pi-unbound-and-cloudflare-1-1-1-1/ +# +# # i found that the zone example was having no effect on the config +# # here: +# https://github.com/openwrt/packages/blob/openwrt-19.07/net/unbound/files/README.md +# +# # todo: unbound-control, i'm not sure what the purpose of that thing is, some +# # kind of coordination with dhcp of dnsmasq, but what? +# +# note: for debugging, edit /etc/init.d/unbound, change +# procd_set_param command $PROG -d -c $UB_TOTAL_CONF +# to: +# procd_set_param command $PROG -vvv -d -c $UB_TOTAL_CONF + +if ! $ap; then + { + cat <<'EOF' +do-tcp: yes +prefetch: yes +qname-minimisation: yes +rrset-roundrobin: yes +use-caps-for-id: yes +do-ip6: no +private-domain: b8.nz +local-zone: "10.in-addr.arpa." 
transparent +access-control-view: 10.2.0.31/32 "youtube" +EOF -if [[ $(uci get adblock.global.adb_enabled) != 1 ]]; then - v uci set adblock.global.adb_enabled=1 - uci commit adblock - /etc/init.d/adblock restart -fi -# https://github.com/openwrt/packages/tree/master/net/adblock/files -cat >/etc/crontabs/root <<'EOF' -0 06 * * * /etc/init.d/adblock reload + if $zblock; then + cat <<'EOF' +# no sy until that dongle is used by ziva + +# syw +#access-control-view: 10.2.0.7/32 "youtube" +# bow +access-control-view: 10.2.0.29/32 "youtube" +# samsungtab +access-control-view: 10.2.0.32/32 "youtube" EOF + fi + } | cedit /etc/unbound/unbound_srv.conf || unbound_restart=true + + + # dns based blocking vs ip based. with ip, same + # server can have multiple domains. in dns, + # you have to make sure clients to use the local dns. + # https dns will need to be blocked by ip in + # order to be comprehensive + + + cedit /etc/unbound/unbound_ext.conf <&2 + exit 1 + fi + fi +fi # end if $ap + +# # disabled for now. i want to selectively enable it +# # for specific hosts. +# if [[ $(uci get adblock.global.adb_enabled) != 0 ]]; then +# v uci set adblock.global.adb_enabled=0 +# uci commit adblock +# /etc/init.d/adblock restart +# fi +# # https://github.com/openwrt/packages/tree/master/net/adblock/files +# cat >/etc/crontabs/root <<'EOF' +# 0 06 * * * /etc/init.d/adblock reload +# EOF # useful: http://wiki.openwrt.org/doc/howto/dhcp.dnsmasq 
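Review bot: `uset dhcp.@dnsmasq[0].local` is the only call in this hunk that passes no value; `uset` reads `local val="$2"`, which works today but becomes an unbound-variable error if the sourced bash-bear library enables `set -u`, and an empty value is exactly what the surrounding comment says is wanted — write it explicitly as `uset dhcp.@dnsmasq[0].local ''`. The `} | cedit /etc/unbound/unbound_srv.conf || unbound_restart=true` line assigns `unbound_restart` on change, but no initialisation to `false` is visible in this hunk; if it is not set earlier, a later `if $unbound_restart` would fail on an empty command. This is top-level script code, so the enclosing scope is the file itself.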
@@ -387,16 +1103,31 @@ EOF # so make sure we have this dir or else dnsmasq will fail # to start. mkdir -p /mnt/usb/tftpboot -v cedit /etc/dnsmasq.conf < +# or on cmc, +# /etc/init.d/dnsmasq stop +# vi /tmp/dhcp.leases +# /etc/init.d/dnsmasq start + # default dhcp range is 100-150 -# bottom port, iPXE (PCI 03:00.0) in seabios boot menu -dhcp-host=c8:60:00:31:6b:75,set:kd,$l.2,kd -# top port, iPXE (PCI 04:00.0) in seabios boot menu -#dhcp-host=c8:60:00:2b:15:07,set:kd,$l.2,kd -dhcp-host=00:26:18:97:bb:16,set:frodo,$l.3,frodo -dhcp-host=10:78:d2:da:29:22,set:htpc,$l.4,htpc -dhcp-host=00:1f:16:16:39:24,set:x2,$l.5,x2 -# This is so fai can have an explicit name to use for testing, -# or else any random machine which did a pxe boot would get -# reformatted. The mac is from doing a virt-install, cancelling it, -# and copying the generated mac, so it should be randomish. -dhcp-host=52:54:00:9c:ef:ad,set:demohost,$l.6,demohost -dhcp-host=00:1f:16:14:01:d8,set:tp,$l.7,x3 -dhcp-host=80:fa:5b:1c:6e:cf,set:tp,$l.8,tp - -# faiserver vm -dhcp-host=52:54:00:56:09:f9,set:faiserver,$l.15,faiserver - -# This is the ip it picks by default if dhcp fails, -# so might as well use it. -# hostname is the name it uses according to telnet -dhcp-host=b4:75:0e:94:29:ca,set:switch9429ca,$l.251,switch9429ca # template # dhcp-host=,$l., -# Just leave the tftp server up even if we aren't doing pxe boot. -# It has no sensitive info. -enable-tftp=br-lan -tftp-root=/mnt/usb/tftpboot +# pxe tftpboot for arch-like. todo: openwrt snapshot from 2022-01, it cant +# access /mnt/usb/tftpboot due to ujail sandbox +#enable-tftp=br-lan +#tftp-root=/mnt/usb/tftpboot +#tftp-root=/var/run/dnsmasq/tftpboot + + +dhcp-optsfile=/var/run/dnsmasq/dhcpopts.conf + +# for debugging dhcp +#log-queries=extra EOF -if $dnsmasq_restart; then + +if $dnsmasq_restart && ! $dev2 && ! $ap; then + # todo: can our ptr records be put in /etc/hosts? 
+ # eg: user normal /etc/hosts records, and they wont be used for A resolution + # due to the other settings, but will be used for ptr? then maybe + # we dont have to restart dnsmasq for a dns update? + # + # interesing link: + # https://www.redpill-linpro.com/techblog/2019/08/27/evaluating-local-dnssec-validators.html#toggling-dnssec-validation-1 + # we could turn on dnssec validation when wrt gets dnsmasq > 2.80. currently at 2.80. + # also we can turn off dnssec in systemd-resolved if we know the router is doing it. + # + # Also, reload of dnsmasq seems to break things, wifi + # clients were not getting internet connectivity. + v /etc/init.d/dnsmasq restart fi -if $firewall_restart; then +if $ap; then + v /etc/init.d/firewall disable + v /etc/init.d/firewall stop +elif $firewall_restart; then v /etc/init.d/firewall restart fi -uset network.lan.ipaddr $l.1 -uset network.lan.netmask $mask +## turn off luci +# if already stopped, gives error we want to ignore +/etc/init.d/uhttpd stop |& sed '1{/^Command failed/d}' +/etc/init.d/uhttpd disable |& sed '1{/^Command failed/d}' +# this may just restart the network and take care of the network_restart below. +if $wireless_restart; then + v wifi +fi + +# todo: we should catch errors and still run this if needed if $network_restart; then reboot fi -if $dropbear_restart; then - v /etc/init.d/dropbear restart -fi -exit 0 +v exit 0
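Review bot: `/etc/init.d/uhttpd stop |& sed '1{/^Command failed/d}'` hides the "already stopped" message but not its exit status: if the sourced bash-bear library keeps the `-e -o pipefail` that the replaced header had, the non-zero status of `stop` propagates through the pipeline and aborts the script in precisely the case the filter is meant to tolerate (the `disable` line below it has the same shape). Appending `||:` as the file already does for `/etc/init.d/dnsmasq enable ||:` makes the intent explicit. `dhcp-optsfile=/var/run/dnsmasq/dhcpopts.conf` is referenced in the new dnsmasq.conf, but nothing in the visible hunks creates that file; a comment naming what writes it would help the next reader, since dnsmasq is likely to refuse to start when it is missing.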