X-Git-Url: https://iankelling.org/git/?p=automated-distro-installer;a=blobdiff_plain;f=wrt-setup;h=1e0d6362befbc4d56a9d1352cbf901f632cb0538;hp=7d806123b21b1ddd106ab5d935a992016f4cfee2;hb=6ca069946c8ff88d79d1ae421e0eda60ae1c514c;hpb=7815dd8b158226f7186bf987d270b4f824902555
diff --git a/wrt-setup b/wrt-setup
index 7d80612..1e0d636 100755
--- a/wrt-setup
+++ b/wrt-setup
@@ -1,397 +1,83 @@ #!/bin/bash +# Copyright (C) 2016 Ian Kelling -set -eE -o pipefail -trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR - - -# ssh - -pmirror() { - # background: upgrading all packages is not recommended because it - # doesn't go into the firmware. build new firmware if you want - # lots of upgrades. - f=(/tmp/opkg-lists/*) - f=${f[0]} - if ! (( $(date -r $f +%s) + 60*60*24 > $(date +%s) )); then - opkg update - fi -} - -pi() { - for x in "$@"; do - if [[ ! $(opkg list-installed "$x") ]]; then - pmirror - opkg install "$@" - fi - done -} - -v() { - printf "+ %s\n" "$*" - "$@" -} - -cat >/usr/bin/arch-pxe-mount <<'EOFOUTER' -#!/bin/bash -# symlinks are collapsed for nfs mount points, so use a bind mount. -# tried putting this in /etc/config/fstab, -# then doig block mount, it didn't work. This doesn't persist across reboots, -# todo: figure that out -d=/run/archiso/bootmnt -cat > /etc/fstab </dev/null || mount $d -/etc/init.d/nfsd restart -EOFOUTER -chmod +x /usr/bin/arch-pxe-mount - -cat >.profile <<'EOF' -# changing login shell emits spam on ssh single commands & scp - # sed -i 's#/bin/ash$#/bin/bash#' /etc/passwd -#https://dev.openwrt.org/ticket/13852 -[ "$PS1" = "" ] || { - /bin/bash - exit -} -EOF -v pi kmod-usb-storage block-mount kmod-fs-ext4 nfs-kernel-server \ - tcpdump openvpn-openssl - - - -sed -ri "s/option[[:space:]]*encryption[[:space:]]*'?none'?/option encryption psk2\n option key pictionary49/" /etc/config/wireless -sed -i '/^[[:space:]]*option disabled/d' /etc/config/wireless -v wifi - - -v /etc/init.d/fstab enable ||: - -# rebooting makes mounting work, but comparing lsmod, -# i'm guessing this will too. todo, test it. -# 255 == module already loaded -for mod in scsi_mod sd_mod; do v modprobe $mod || [[ $? == 255 ]]; done - -# for arch pxe. 
The default settings in the installer expect to find -# the NFS at /run/archiso/bootmnt -mkdir -p /run/archiso/bootmnt - -# todo: at some later time, i found /mnt/usb not mounted, watch to see if -# that is the case after running this or rebooting. -# wiki says safe to do in case of fstab changes: -cedit /etc/config/fstab <<'EOF' || { v block umount; v block mount; } -config global automount - option from_fstab 1 - option anon_mount 1 - -config global autoswap - option from_fstab 1 - option anon_swap 1 - -config mount - option target /mnt/usb - option device /dev/sda2 - option fstype ext4 - option options rw,async,noatime,nodiratime - option enabled 1 - option enabled_fsck 0 - -config swap - option device /dev/sda1 - option enabled 1 - -EOF - - - -# exportfs -ra wont cut it when its the same path, but now a bind mount -cedit /etc/exports <<'EOF' || v /etc/init.d/nfsd restart ||: -/mnt/usb 192.168.1.0/255.255.255.0(rw,no_root_squash,insecure,sync,no_subtree_check) -# for arch pxe -/run/archiso/bootmnt 192.168.1.0/255.255.255.0(rw,no_root_squash,insecure,sync,no_subtree_check) -EOF - - -v /etc/init.d/portmap start -v /etc/init.d/nfsd start -v /etc/init.d/portmap enable -v /etc/init.d/nfsd enable - -v /etc/init.d/openvpn start -v /etc/init.d/openvpn enable - - -# setup to use only vpn in 5 ways: -# set lan forward to vpn instead of wan, -# disable wan masquerade, -# set the default for outgoing to reject, -# open wan port 1194 and 22 (ssh is too useful), -# setup port forwardings to use vpn. 
-firewall_restart=false -# https://wiki.openwrt.org/doc/uci -if [[ $(uci get firewall.@forwarding[0].dest) != vpn ]]; then - # default is wan - # https://wiki.openwrt.org/doc/uci - v uci set firewall.@forwarding[0].dest=vpn - uci commit firewall - firewall_restart=true -fi - -wan_index=$(uci show firewall | sed -rn 's/firewall\.@zone\[([0-9])+\]\.name=wan/\1/p') -w="firewall.@zone[$wan_index]" -if [[ $(uci get $w.masq) == 1 ]]; then - v uci set $w.masq=0 - uci commit firewall - firewall_restart=true -fi +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License +# as published by the Free Software Foundation; either version 2 +# of the License, or (at your option) any later version. -if [[ $(uci get $w.output) != REJECT ]]; then - v uci set $w.masq=REJECT - uci commit firewall - firewall_restart=true -fi - -if [[ $(uci get firewall.@forwarding[0].dest) != vpn ]]; then - # default is wan - v uci set uci set firewall.@forwarding[0].dest=vpn - uci commit firewall - firewall_restart=true -fi - - -# from https://wiki.openwrt.org/doc/uci/firewall -# todo: not sure if /etc/init.d/network needs restarting. -# I did, and I had to restart the vpn afterwards. -# This maps a uci interface to a real interface which is -# managed outside of uci. 
-cedit /etc/config/network <<'EOF' ||: -config interface 'tun0' - option ifname 'tun0' - option proto 'none' -EOF - - - -# each port forward needs corresponding forward in the vpn server -cedit /etc/config/firewall <<'EOF' || firewall_restart=true -config zone - option name vpn - list network 'tun0' - option input REJECT - option output ACCEPT - option forward REJECT - option masq 1 - -config rule - option dest wan - option target ACCEPT - option dest_port '1194 22' - -# port forwarding -config redirect -option name bittorrent -option src vpn -option src_dport 63324 -option dest_ip 192.168.1.2 -option dest lan -# making the port open (not sure if this is actually needed) -config rule -option src vpn -option target ACCEPT -option dest_port 63324 +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. -config redirect -option name frodobittorrent -option src vpn -option src_dport 63326 -option dest_ip 192.168.1.3 -option dest lan +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. -config rule -option src vpn -option target ACCEPT -option dest_port 63326 +set -eE -o pipefail +trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" 
>&2' ERR -config redirect -option name treetowlsyncthing -option src vpn -option src_dport 22000 -option dest_ip 192.168.1.2 -option dest lan -option proto tcp - -config rule -option src vpn -option target ACCEPT -option dest_port 22000 - - -config redirect -option name bithtpc -option src vpn -option src_dport 63325 -option dest_ip 192.168.1.4 -option dest lan - -config rule -option src vpn -option target ACCEPT -option dest_port 63325 - +[[ $EUID == 0 ]] || exec sudo -E "${BASH_SOURCE[0]}" "$@" -config redirect -option name ssh -option src wan -# example of using a non-standard port -# and comment out the 22 port line -# option src_dport 63321 -# option dest_port 22 # already default -option src_dport 22 -option dest_ip 192.168.1.2 -option dest lan +x="$(readlink -f "$BASH_SOURCE")"; cd ${x%/*} -config rule -option src wan -option target ACCEPT -option dest_port 22 +usage() { + cat </dev/null +scp /a/work/libremanage/libremanage /a/bin/fai/wrt-init /a/bin/fai/wrt-setup-local /a/bin/cedit/cedit $h:/usr/bin +# relay is built for openwrt 18.06.2, r7676-cddd7b4c77 -# useful: http://wiki.openwrt.org/doc/howto/dhcp.dnsmasq - -cedit /etc/dnsmasq.conf <<'EOF' || dnsmasq_restart=true - -############ updating dns servers ###################3 - - -# this says the ip of default gateway and dns server, -# but I think they are unneded and default -#dhcp-option=3,192.168.1.1 -#dhcp-option=6,192.168.1.1 - - - -# results from googling around dnsmasq optimizations -# about 50k in memory. router has 62 megs. -# in a browsing session, I probably won't ever do 5000 lookups -# before the ttl expiration or whatever does expiration. -cache-size=10000 - -# ask all servers, use the one which responds first. -# http://ma.ttwagner.com/make-dns-fly-with-dnsmasq-all-servers/ -all-servers +#/a/opt/openwrt/source/bin/packages/mips_24kc/mypackages/relay_1.0-1_mips_24kc.ipk \ -# namebench benchmarks dns servers. 
google's dns was only -# slightly less fast than some others, and I trust it more -# to give accurate results, stay relatively fast, and -# not do anythin too malicious, so just use that. -# download namebench and run it like this: -# for x in all regional isp global preferred nearby; do ./namebench.py -s $x -c US -i firefox -m weighted -J 10 -w; echo $x; hr; done -# google -server=8.8.4.4 -server=8.8.8.8 -server=2001:4860:4860::8888 -server=2001:4860:4860::8844 +scp /q/root/shadow/router /p/c/machine_specific/wrt/etc/dropbear/dropbear_rsa_host_key \ + /p/router-secrets /p/c/machine_specific/wrt/etc/wg.{key,psk} $h: +scp ../openwrtkeyring/usign/* $h:/etc/opkg/keys - -# to fixup existin ips, on the client you can do -# sudo dhclient -r; sudo dhclient - -# default dhcp range is 100-150 -dhcp-host=f4:6d:04:02:ed:66,set:treetowl,192.168.1.2,treetowl -dhcp-host=00:26:18:97:bb:16,set:frodo,192.168.1.3,frodo -dhcp-host=10:78:d2:da:29:22,set:htpc,192.168.1.4,htpc -dhcp-host=00:1f:16:16:39:24,set:x2,192.168.1.5,x2 -# this is so fai can have an explicit name to use for testing, -# or else any random machine which did a pxe boot would get -# reformatted. The mac is from doing a virt-install, cancelling it, -# and copying the generated mac, so it should be randomish. -dhcp-host=52:54:00:9c:ef:ad,set:demohost,192.168.1.6,demohost -dhcp-host=52:54:00:56:09:f9,set:faiserver,192.168.1.7,faiserver -dhcp-host=80:fa:5b:1c:6e:cf,set:tp,192.168.1.8,tp -# this is the ip it picks by default if dhcp fails, -# so might as well use it. -# hostname is the name it uses according to telnet -dhcp-host=b4:75:0e:94:29:ca,set:switch9429ca,192.168.1.251,switch9429ca - - -# template -# dhcp-host=,192.168.1., - -# Just leave the tftp server up even if we aren't doing pxe boot. -# It has no sensitive info. 
-tftp-root=/mnt/usb/tftpboot -EOF - -if $dnsmasq_restart; then - v /etc/init.d/dnsmasq restart -fi - -cedit /etc/config/openvpn <<'EOF' || v /etc/init.d/openvpn restart -config openvpn my_client_config - option enabled 1 - option config /etc/openvpn/client.conf -EOF +ssh $h wrt-init ${HOME_DOMAIN:-b8.nz} "$@"
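Review bot: The closing `ssh $h wrt-init ${HOME_DOMAIN:-b8.nz} "$@"` forwards the script's own arguments to the router as one flattened command line, so ssh joins them with spaces and the remote shell re-splits and re-evaluates them; an argument containing whitespace or a metacharacter does not reach `wrt-init` as the word the caller passed, and `$h` is unquoted on every `scp`/`ssh` line. Since the target is OpenWrt with ash as the login shell (the removed side notes bash had to be launched from `.profile`), bash's `printf %q` is not a safe escaper here, so at minimum quote the host, `ssh "$h" wrt-init "${HOME_DOMAIN:-b8.nz}" "$@"`, and state in the usage text that extra arguments are passed through to the remote shell unquoted. The `scp` of `/q/root/shadow/router`, the dropbear host key, `router-secrets` and `wg.{key,psk}` to `$h:` lands live key material in the remote login directory (presumably `/root`) with whatever mode the router side leaves; a comment such as `# wrt-init is expected to install these from $HOME and remove the copies` would document that expectation, since a failed `wrt-init` otherwise leaves them behind. `h` is not assigned on any new-side line visible in this hunk, so I assume it is set in the garbled usage/heredoc region.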