X-Git-Url: https://iankelling.org/git/?p=automated-distro-installer;a=blobdiff_plain;f=wrt-setup;h=1c4a033c3f3c4cf9c92ab70bd1aa612920db6379;hp=7d806123b21b1ddd106ab5d935a992016f4cfee2;hb=05e47f6734e5a9354a3243686ae55fe4ab2b72c7;hpb=7815dd8b158226f7186bf987d270b4f824902555 diff --git a/wrt-setup b/wrt-setup index 7d80612..1c4a033 100755 --- a/wrt-setup +++ b/wrt-setup @@ -1,17 +1,29 @@ #!/bin/bash +# Copyright (C) 2016 Ian Kelling + +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License +# as published by the Free Software Foundation; either version 2 +# of the License, or (at your option) any later version. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. + +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. set -eE -o pipefail trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR -# ssh - pmirror() { # background: upgrading all packages is not recommended because it # doesn't go into the firmware. build new firmware if you want # lots of upgrades. f=(/tmp/opkg-lists/*) - f=${f[0]} if ! (( $(date -r $f +%s) + 60*60*24 > $(date +%s) )); then opkg update fi 
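Review bot: With `f=${f[0]}` removed, `date -r $f +%s` now relies on bash silently using the first array element and leaves the path unquoted, and when /tmp/opkg-lists is empty the unmatched glob stays literal so `date -r` fails; the script still reaches `opkg update`, but only because the empty substitution leaves `+ 60*60*24 > now`, which is false, and the failure is invisible to `set -e` inside the `if` condition. Make the intent explicit and handle the no-list case directly: `if [[ ! -e ${f[0]} ]] || ! (( $(date -r "${f[0]}" +%s) + 60*60*24 > $(date +%s) )); then`. pmirror's body continues past the end of the hunk.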
@@ -79,28 +91,32 @@ mkdir -p /run/archiso/bootmnt # todo: at some later time, i found /mnt/usb not mounted, watch to see if # that is the case after running this or rebooting. # wiki says safe to do in case of fstab changes: -cedit /etc/config/fstab <<'EOF' || { v block umount; v block mount; } -config global automount - option from_fstab 1 - option anon_mount 1 - -config global autoswap - option from_fstab 1 - option anon_swap 1 - -config mount - option target /mnt/usb - option device /dev/sda2 - option fstype ext4 - option options rw,async,noatime,nodiratime - option enabled 1 - option enabled_fsck 0 - -config swap - option device /dev/sda1 - option enabled 1 -EOF +## ian: commented and replaced with just an echo +## since usb port seems to be busted. +echo | cedit /etc/config/fstab ||: +# cedit /etc/config/fstab <<'EOF' || { v block umount; v block mount; } +# config global automount +# option from_fstab 1 +# option anon_mount 1 + +# config global autoswap +# option from_fstab 1 +# option anon_swap 1 + +# config mount +# option target /mnt/usb +# option device /dev/sda2 +# option fstype ext2 +# option options rw,async,noatime,nodiratime +# option enabled 1 +# option enabled_fsck 0 + +# config swap +# option device /dev/sda1 +# option enabled 1 + +# EOF 
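Review bot: The replacement `echo | cedit /etc/config/fstab ||:` drops the `|| { v block umount; v block mount; }` hook the original ran when the file changed, so on the first run after this commit the mount and swap entries are (presumably) wiped from the config while the running block-mount state is never told; whether /mnt/usb and the sda1 swap stay active until reboot depends on cedit's return convention, which is not visible here. If cedit returns non-zero on change, as the surrounding `|| restart` uses suggest, keep the hook: `echo | cedit /etc/config/fstab || { v block umount; v block mount; }`. The commented-out copy also quietly changed `option fstype ext4` to `ext2` and still carries `anon_mount 1` / `anon_swap 1`, which would auto-mount any attached block device if re-enabled; record in the `## ian:` comment which fstype is actually intended so a later re-enable does not pick up the drifted value.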
@@ -117,212 +133,196 @@ v /etc/init.d/nfsd start v /etc/init.d/portmap enable v /etc/init.d/nfsd enable -v /etc/init.d/openvpn start -v /etc/init.d/openvpn enable - - -# setup to use only vpn in 5 ways: -# set lan forward to vpn instead of wan, -# disable wan masquerade, -# set the default for outgoing to reject, -# open wan port 1194 and 22 (ssh is too useful), -# setup port forwardings to use vpn. -firewall_restart=false -# https://wiki.openwrt.org/doc/uci -if [[ $(uci get firewall.@forwarding[0].dest) != vpn ]]; then - # default is wan - # https://wiki.openwrt.org/doc/uci - v uci set firewall.@forwarding[0].dest=vpn - uci commit firewall - firewall_restart=true -fi -wan_index=$(uci show firewall | sed -rn 's/firewall\.@zone\[([0-9])+\]\.name=wan/\1/p') -w="firewall.@zone[$wan_index]" -if [[ $(uci get $w.masq) == 1 ]]; then - v uci set $w.masq=0 - uci commit firewall - firewall_restart=true -fi -if [[ $(uci get $w.output) != REJECT ]]; then - v uci set $w.masq=REJECT - uci commit firewall - firewall_restart=true -fi -if [[ $(uci get firewall.@forwarding[0].dest) != vpn ]]; then - # default is wan - v uci set uci set firewall.@forwarding[0].dest=vpn - uci commit firewall - firewall_restart=true -fi -# from https://wiki.openwrt.org/doc/uci/firewall -# todo: not sure if /etc/init.d/network needs restarting. -# I did, and I had to restart the vpn afterwards. -# This maps a uci interface to a real interface which is -# managed outside of uci. 
-cedit /etc/config/network <<'EOF' ||: -config interface 'tun0' - option ifname 'tun0' - option proto 'none' -EOF +######### uci example:####### +# # https://wiki.openwrt.org/doc/uci +# wan_index=$(uci show firewall | sed -rn 's/firewall\.@zone\[([0-9])+\]\.name=wan/\1/p') +# wan="firewall.@zone[$wan_index]" +# if [[ $(uci get firewall.@forwarding[0].dest) != $forward_dest ]]; then +# # default is wan +# v uci set firewall.@forwarding[0].dest=$forward_dest +# uci commit firewall +# firewall_restart=true +# fi -# each port forward needs corresponding forward in the vpn server -cedit /etc/config/firewall <<'EOF' || firewall_restart=true -config zone - option name vpn - list network 'tun0' - option input REJECT - option output ACCEPT - option forward REJECT - option masq 1 +########## openvpn exampl +########## missing firewall settings for routing lan +########## traffic +# v /etc/init.d/openvpn start +# v /etc/init.d/openvpn enable + +# # from https://wiki.openwrt.org/doc/uci/firewall +# # todo: not sure if /etc/init.d/network needs restarting. +# # I did, and I had to restart the vpn afterwards. +# # This maps a uci interface to a real interface which is +# # managed outside of uci. 
+# v cedit /etc/config/network <<'EOF' ||: +# config interface 'tun0' +# option ifname 'tun0' +# option proto 'none' +# EOF +# v cedit /etc/config/openvpn <<'EOF' || v /etc/init.d/openvpn restart +# config openvpn my_client_config +# option enabled 1 +# option config /etc/openvpn/client.conf +# EOF -config rule - option dest wan - option target ACCEPT - option dest_port '1194 22' -# port forwarding +v cedit /etc/config/network <<'EOF' || v /etc/init.d/network reload +config 'route' 'transmission' + option 'interface' 'lan' + option 'target' '10.173.0.0' + option 'netmask' '255.255.0.0' + option 'gateway' '192.168.1.3' +EOF + +v cedit /etc/config/firewall <<'EOF' || firewall_restart=true config redirect -option name bittorrent -option src vpn -option src_dport 63324 -option dest_ip 192.168.1.2 -option dest lan -# making the port open (not sure if this is actually needed) + option name ssh + option src wan + option src_dport 22 + option dest_ip 192.168.1.8 + option dest lan config rule -option src vpn -option target ACCEPT -option dest_port 63324 + option src wan + option target ACCEPT + option dest_port 22 config redirect -option name frodobittorrent -option src vpn -option src_dport 63326 -option dest_ip 192.168.1.3 -option dest lan - + option name sshalt + option src wan + option src_dport 2222 + option dest_port 22 + option dest_ip 192.168.1.3 + option dest lan config rule -option src vpn -option target ACCEPT -option dest_port 63326 - + option src wan + option target ACCEPT + option dest_port 2222 config redirect -option name treetowlsyncthing -option src vpn -option src_dport 22000 -option dest_ip 192.168.1.2 -option dest lan -option proto tcp + option src wan + option src_dport 443 + option dest lan + option dest_ip 192.168.1.8 + option proto tcp +config rule + option src wan + option target ACCEPT + option dest_port 443 + option proto tcp +config redirect + option src wan + option src_dport 1196 + option dest lan + option dest_ip 192.168.1.8 + option proto 
udp config rule -option src vpn -option target ACCEPT -option dest_port 22000 + option src wan + option target ACCEPT + option dest_port 1196 + option proto udp config redirect -option name bithtpc -option src vpn -option src_dport 63325 -option dest_ip 192.168.1.4 -option dest lan + option src wan + option src_dport 80 + option dest lan + option dest_ip 192.168.1.8 + option proto tcp +config rule + option src wan + option target ACCEPT + option dest_port 80 + option proto tcp +config redirect + option name syncthing + option src wan + option src_dport 22001 + option dest_ip 192.168.1.8 + option dest lan config rule -option src vpn -option target ACCEPT -option dest_port 63325 + option src wan + option target ACCEPT + option dest_port 22001 -config redirect -option name ssh -option src wan -# example of using a non-standard port -# and comment out the 22 port line -# option src_dport 63321 -# option dest_port 22 # already default -option src_dport 22 -option dest_ip 192.168.1.2 -option dest lan -config rule -option src wan -option target ACCEPT -option dest_port 22 - - -# not using http server atm, so disable it. -# for https -# config redirect -# option src wan -# option src_dport 443 -# option dest lan -# option dest_ip 192.168.1.2 -# option proto tcp - -# config rule -# option src wan -# option target ACCEPT -# option dest_port 443 -# option proto tcp - -# config redirect -# option src wan -# option src_dport 80 -# option dest lan -# option dest_ip 192.168.1.2 -# option proto tcp - -# config rule -# option src wan -# option target ACCEPT -# option dest_port 80 -# option proto tcp EOF -if $firewall_restart; then - /etc/init.d/firewall restart -fi + + dnsmasq_restart=false -cedit /etc/hosts <