From 739efea3642e2f8a7a672c4600da152a27bedf1a Mon Sep 17 00:00:00 2001
From: Ian Kelling <iank@fsf.org>
Date: Tue, 8 Jun 2021 16:38:49 -0400
Subject: [PATCH] various fixes and improvements

---
 fai-wrapper                                   |   3 +-
 fai/config/class/DEFAULT.var                  |   3 +-
 .../etc/apt/sources.list.d/bionic.list/ETIONA |  12 +-
 .../etc/apt/sources.list.d/focal.list/FOCAL   |  15 +-
 .../VOL_BUSTER_BOOTSTRAP                      |   0
 fai/config/files/usr/bin/myncq/kd             |  57 ++++
 fai/config/hooks/partition.DEFAULT            | 148 ++++++----
 fai/config/package_config/STANDARD            |   2 +
 fai/config/scripts/GRUB_PC/11-iank            |  50 +++-
 wrt-setup                                     |   2 +-
 wrt-setup-local                               | 259 ++++++++++++++++--
 11 files changed, 448 insertions(+), 103 deletions(-)
 rename fai/config/files/etc/systemd/system/{fai_check.service => faicheck.service}/VOL_BUSTER_BOOTSTRAP (100%)
 create mode 100755 fai/config/files/usr/bin/myncq/kd

diff --git a/fai-wrapper b/fai-wrapper
index 93e1c6d..5efa7f1 100644
--- a/fai-wrapper
+++ b/fai-wrapper
@@ -31,7 +31,8 @@ eval-fai-classfile() {
   fai-setclass $(bash $file)
 }
 export -f ifclass
-classes=DEFAULT  # used by fcopy
+# DEFAULT is used by fcopy
+classes="DEFAULT $(hostname)"
 export CLASS_DEFAULT=true
 if [[ ! -d $FAI_ROOT ]]; then
   export FAI_ROOT=/
diff --git a/fai/config/class/DEFAULT.var b/fai/config/class/DEFAULT.var
index 1c8de54..a999512 100644
--- a/fai/config/class/DEFAULT.var
+++ b/fai/config/class/DEFAULT.var
@@ -8,4 +8,5 @@ LOGUSER=fai
 # My faiserver's hostname is always faiserver, so just hardcoding it.
 SERVER=faiserver
 
-APTPROXY=http://faiserver:3142
+# busted for debian, no time to troubleshoot atm
+#APTPROXY=http://faiserver:3142
diff --git a/fai/config/files/etc/apt/sources.list.d/bionic.list/ETIONA b/fai/config/files/etc/apt/sources.list.d/bionic.list/ETIONA
index bc32744..cb92b36 100644
--- a/fai/config/files/etc/apt/sources.list.d/bionic.list/ETIONA
+++ b/fai/config/files/etc/apt/sources.list.d/bionic.list/ETIONA
@@ -1,6 +1,6 @@
-deb http://us.archive.ubuntu.com/ubuntu/ bionic main universe
-deb http://us.archive.ubuntu.com/ubuntu/ bionic-updates main universe
-deb http://us.archive.ubuntu.com/ubuntu/ bionic-security main universe
-deb-src http://us.archive.ubuntu.com/ubuntu/ bionic main universe
-deb-src http://us.archive.ubuntu.com/ubuntu/ bionic-updates main universe
-deb-src http://us.archive.ubuntu.com/ubuntu/ bionic-security main universe
+deb http://us.archive.ubuntu.com/ubuntu/ bionic main universe multiverse
+deb http://us.archive.ubuntu.com/ubuntu/ bionic-updates main universe multiverse
+deb http://us.archive.ubuntu.com/ubuntu/ bionic-security main universe multiverse
+deb-src http://us.archive.ubuntu.com/ubuntu/ bionic main universe multiverse
+deb-src http://us.archive.ubuntu.com/ubuntu/ bionic-updates main universe multiverse
+deb-src http://us.archive.ubuntu.com/ubuntu/ bionic-security main universe multiverse
diff --git a/fai/config/files/etc/apt/sources.list.d/focal.list/FOCAL b/fai/config/files/etc/apt/sources.list.d/focal.list/FOCAL
index c1678f5..a317dfa 100644
--- a/fai/config/files/etc/apt/sources.list.d/focal.list/FOCAL
+++ b/fai/config/files/etc/apt/sources.list.d/focal.list/FOCAL
@@ -1,11 +1,14 @@
+# multiverse needed for libfdk-aac1, which is actually free
+# https://www.gnu.org/licenses/license-list.html#fdk
+
 ###### Ubuntu Main Repos
-deb http://archive.ubuntu.com/ubuntu/ focal main universe
-deb-src http://archive.ubuntu.com/ubuntu/ focal main universe
+deb http://archive.ubuntu.com/ubuntu/ focal main universe multiverse
+deb-src http://archive.ubuntu.com/ubuntu/ focal main universe multiverse
 
 ###### Ubuntu Update Repos
-deb http://archive.ubuntu.com/ubuntu/ focal-security main universe
-deb http://archive.ubuntu.com/ubuntu/ focal-updates main universe
+deb http://archive.ubuntu.com/ubuntu/ focal-security main universe multiverse
+deb http://archive.ubuntu.com/ubuntu/ focal-updates main universe multiverse
 deb http://archive.ubuntu.com/ubuntu/ focal-backports main universe
-deb-src http://archive.ubuntu.com/ubuntu/ focal-security main universe
-deb-src http://archive.ubuntu.com/ubuntu/ focal-updates main universe
+deb-src http://archive.ubuntu.com/ubuntu/ focal-security main universe multiverse
+deb-src http://archive.ubuntu.com/ubuntu/ focal-updates main universe multiverse
 deb-src http://archive.ubuntu.com/ubuntu/ focal-backports main universe
diff --git a/fai/config/files/etc/systemd/system/fai_check.service/VOL_BUSTER_BOOTSTRAP b/fai/config/files/etc/systemd/system/faicheck.service/VOL_BUSTER_BOOTSTRAP
similarity index 100%
rename from fai/config/files/etc/systemd/system/fai_check.service/VOL_BUSTER_BOOTSTRAP
rename to fai/config/files/etc/systemd/system/faicheck.service/VOL_BUSTER_BOOTSTRAP
diff --git a/fai/config/files/usr/bin/myncq/kd b/fai/config/files/usr/bin/myncq/kd
new file mode 100755
index 0000000..e2b6494
--- /dev/null
+++ b/fai/config/files/usr/bin/myncq/kd
@@ -0,0 +1,57 @@
+#!/bin/bash
+
+if ! test "$BASH_VERSION"; then echo "error: shell is not bash" >&2; exit 1; fi
+shopt -s inherit_errexit 2>/dev/null ||: # ignore fail in bash < 4.4
+set -eE -o pipefail
+trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" exit status: $?, PIPESTATUS: ${PIPESTATUS[*]}" >&2' ERR
+
+[[ $EUID == 0 ]] || exec sudo -E "${BASH_SOURCE[0]}" "$@"
+
+# https://wiki.archlinux.org/index.php/Solid_state_drive#Resolving_NCQ_errors
+# evo-870 doesnt get along well with d16.
+# Dmesg gives us an ata number we could disable specifically on the command line, but I've had that number change on me between oses, so reenabling ncq
+
+upgrub=true
+if [[ $1 == no-upgrub ]]; then
+  upgrub=false
+fi
+
+byid=/dev/disk/by-id/ata-Samsung_SSD_870_QVO_8TB_S5VUNG0N900656V
+if [[ ! -e $byid ]]; then
+  # not plugged in we assume
+  exit 0
+fi
+
+dev=$(readlink $byid)
+if [[ ! $dev ]]; then
+  exit 1
+fi
+
+dev=${dev##*/}
+
+depth=$(cat /sys/block/$dev/device/queue_depth)
+if [[ $depth != 0 ]]; then
+  if grep -qF libata.force=noncq /proc/cmdline; then
+    echo $0: warning, cant change queue_depth due to globally disabled ncq
+  else
+    echo 1 >/sys/block/$dev/device/queue_depth
+  fi
+fi
+
+sys=$(readlink /sys/block/$dev)
+ata=${sys#*/*/*/*/ata}
+ata=${ata%%/*}
+
+arg=libata.force=${ata}.00:noncq
+
+if ! grep "^GRUB_CMDLINE_LINUX_DEFAULT=.*[\" ]${arg//./\\.}[\" ]" /etc/default/grub; then
+  sed -ri "s/^GRUB_CMDLINE_LINUX_DEFAULT=\"(.*)/GRUB_CMDLINE_LINUX_DEFAULT=\"$arg \1/" /etc/default/grub
+  if $upgrub; then
+    echo "$0: warning: grub updated. you may want to reboot"
+    if type -P update-grub2 &>/dev/null; then
+      update-grub2
+    else
+      update-grub
+    fi
+  fi
+fi
diff --git a/fai/config/hooks/partition.DEFAULT b/fai/config/hooks/partition.DEFAULT
index 61da95a..09020d2 100755
--- a/fai/config/hooks/partition.DEFAULT
+++ b/fai/config/hooks/partition.DEFAULT
@@ -94,6 +94,15 @@ fi
 
 #### begin configuration
 
+# this is the ordering of the /dev/sdaX, but
+# the ordering of the partition layout goes like this:
+# bios_grub
+# grub_ext
+# efi
+# root
+# swap
+# boot
+
 rootn=1
 swapn=2
 bootn=3
@@ -106,6 +115,7 @@ grub_extn=5
 # bios boot partition,
 # https://wiki.archlinux.org/index.php/GRUB
 bios_grubn=6
+even_bign=7
 lastn=$bios_grubn
 
 
@@ -114,7 +124,7 @@ lastn=$bios_grubn
 
 
 add-part() { # add partition suffix to $dev
-  local d ret
+  local d part
   if [[ $# == 1 ]]; then
     d=$dev
     part=$1
@@ -131,6 +141,7 @@ swapdev() { add-part $@ $swapn; }
 efidev() { add-part $@ $efin; }
 grub_extdev() { add-part $@ $grub_extn; }
 bios_grubdev() { add-part $@ $bios_grubn; }
+even_bigdev() { add-part $@ $even_bign; }
 
 crypt-dev() { echo /dev/mapper/crypt_dev_${1##*/}; }
 crypt-name() { echo crypt_dev_${1##*/}; }
@@ -140,10 +151,37 @@ root-cryptname() { crypt-name $(rootdev $@); }
 swap-cryptname() { crypt-name $(swapdev $@); }
 
 dev-mib() {
-  echo $(( $(parted -m $dev unit MiB print | \
+  local d=${1:-$dev}
+  echo $(( $(parted -m $d unit MiB print | \
                sed -nr "s#^/dev/[^:]+:([0-9]+).*#\1#p") - 1))
 }
 
+luks-setup() {
+  local luksdev="$1"
+  # when we move to newer than trisquel 9, we can remove
+  # --type luks1. We can also check on cryptsetup --help | less /compil
+  # to see about the other settings. Default in debian 9 is luks2.
+  # You can convert from luks2 to luks 1 by adding a temporary key:
+  # cryptsetup luksAddKey --pbkdf pbkdf2
+  # then remove the new format keys with cryptsetup luksRemoveKey
+  # then cryptsetup convert DEV --type luks1, then readd old keys and remove temp.
+  yes YES | cryptsetup luksFormat $luksdev $luks_file \
+                       --type luks1 -c aes-cbc-essiv:sha256 -s 256 || [[ $? == 141 ]]
+  yes "$lukspw" | \
+    cryptsetup luksAddKey --key-file $luks_file \
+               $luksdev || [[ $? == 141 ]]
+  # background: Keyfile and password are treated just
+  # like 2 ways to input a passphrase, so we don't actually need to have
+  # different contents of keyfile and passphrase, but it makes some
+  # security sense to a really big randomly generated passphrase
+  # as much as possible, so we have both.
+  #
+  # This would remove the keyfile.
+  #    yes 'test' | cryptsetup luksRemoveKey /dev/... \
+    #                            /key/file || [[ $? == 141 ]]
+  cryptsetup luksOpen $luksdev $(crypt-name $luksdev) --key-file $luks_file
+}
+
 ##### end function defs
 
 if ifclass REPARTITION; then
@@ -157,7 +195,7 @@ else
   wipe=true
 fi
 
-if ((`nproc` > 2)); then
+if (($(nproc) > 2)); then
   mopts=,compress=zstd
 fi
 
@@ -206,7 +244,7 @@ for dev in ${short_devs[@]}; do
   if $partition; then break; fi
   y=$(readlink -f $dev)
   arr=($y?*)
-  if (( ${#arr[@]}  != lastn )); then
+  if (( ${#arr[@]} < lastn )); then
     partition=true
   fi
   # On one system, blkid is missing some partitions.
@@ -415,13 +453,23 @@ if $partition; then
   ### end wipefs
 
 
+  # When we have 2 disks of at least 100g difference in size,
+  # make an extra partition on the end of the bigger one.
+  even_big_part=false
+  even_diff_min=100000
   if $even_raid; then
-    for dev in ${devs[@]}; do
-      cur_mib=$(dev-mib)
-      if [[ ! $disk_mib ]] || (( cur_mib < disk_mib )); then
-        disk_mib=$cur_mib
-      fi
-    done
+    smalli=0
+    bigi=1
+    if (( $(dev-mib ${devs[0]}) >= $(dev-mib ${devs[1]}) )); then
+      smalli=1
+      bigi=0
+    fi
+    disk_mib=$(dev-mib ${devs[smalli]})
+    even_big_dev=${devs[bigi]}
+    even_big_mib=$(dev-mib $even_big_dev)
+    if (( even_big_mib - disk_mib > even_diff_min )); then
+      even_big_part=true
+    fi
   fi
 
   for dev in ${devs[@]}; do
@@ -438,23 +486,27 @@ if $partition; then
     if ! $even_raid; then
       disk_mib=$(dev-mib)
     fi
-    root_end=$(( disk_mib - swap_mib - boot_mib /  ${#boot_devs[@]} ))
+    efi_mib=512
+    root_end=$(( disk_mib - swap_mib - boot_mib /  ${#boot_devs[@]} - efi_mib ))
     swap_end=$(( root_end + swap_mib))
 
     parted -s $dev mklabel gpt
     # MiB because parted complains about alignment otherwise.
     pcmd="parted -a optimal -s -- $dev"
+    # root partition, the main big one
     $pcmd mkpart primary ext3 524MiB ${root_end}MiB
     # without naming, systemd gives us misc errors like:
     # dev-disk-by\x2dpartlabel-primary.device: Dev dev-disk-by\x2dpartlabel-primary.device appeared twice
     $pcmd name $rootn root
     # normally a swap is type "linux-swap", but this is encrypted swap. using that
     # label will confuse systemd.
+    # swap partition
     $pcmd mkpart primary "" ${root_end}MiB ${swap_end}MiB
     $pcmd name $swapn swap
+    # boot partition
     $pcmd mkpart primary "" ${swap_end}MiB ${disk_mib}MiB
     $pcmd name $bootn boot
-    # eufi = bloated, half a gig gimme a break.
+    # uefi partition. efi sucks, half a gig, rediculous.
     $pcmd mkpart primary "fat32" 12MiB 524MiB
     $pcmd name $efin efi
     $pcmd set $efin esp on
@@ -466,16 +518,23 @@ if $partition; then
     # I found someone saying that gparted required
     # required at least 8 because of their hard drive cylinder size.
     # And 8 is still very tiny.
+    # grub_ext partition
     $pcmd mkpart primary "ext2" 4MiB 12MiB
     $pcmd name $grub_extn grubext
     # gpt ubuntu cloud image uses ~4 mb for this partition. fai uses 1 MiB.
     # so, I use 3, whatever.
     # note: parted manual saying cheap flash media
     # should to start at 4.
+    # biols grub partition
     $pcmd mkpart primary "" 1MiB 4MiB
     $pcmd name $bios_grubn biosgrub
     $pcmd set $bios_grubn bios_grub on
     $pcmd set $bootn boot on # generally not needed on modern systems
+    if $even_big_part  && [[ $dev == $even_big_dev ]]; then
+      $pcmd mkpart primary ext3 ${disk_mib}MiB ${even_big_mib}MiB
+      $pcmd name $even_bign even_big
+    fi
+
     # the mkfs failed before on a vm, which prompted me to add
     # sleep .1
     # then it failed again on a physical machine
@@ -485,15 +544,20 @@ if $partition; then
     # Then I added the mkfs.ext2, which claimed to succeed,
     # but then couldn't be found upon reboot. In that case we didn't
     # wait at all. So I've added a 3 second minimum wait.
-    sleep 3
     secs=0
-    while [[ ! -e $(rootdev) ]] && (( secs < 10 )); do
+    while [[ ! -e $(bios_grubdev) ]] && (( secs < 10 )); do
       sleep 1
       secs=$((secs +1))
     done
+    sleep 3
 
     mkfs.fat -F32 $(efidev)
 
+    if $even_big_part  && [[ $dev == $even_big_dev ]]; then
+      luks-setup $(even_bigdev)
+      mkfs.btrfs -f $(crypt-dev $(even_bigdev))
+    fi
+
     # Holds just a single file, rarely written, so
     # use ext2, like was often used for the /boot partition.
     # This exists because grub can only persist data to a non-cow fs.
@@ -503,30 +567,7 @@ if $partition; then
     # This is just a bit more robust, and it could work for booting
     # into ipxe which can't persist data, if we ever got that working.
     mkfs.ext2 $(grub_extdev)
-    # when we move to newer than trisquel 9, we can remove
-    # --type luks1. We can also check on cryptsetup --help | less /compil
-    # to see about the other settings. Default in debian 9 is luks2.
-    # You can convert from luks2 to luks 1 by adding a temporary key:
-    # cryptsetup luksAddKey --pbkdf pbkdf2
-    # then remove the new format keys with cryptsetup luksRemoveKey
-    # then cryptsetup convert DEV --type luks1, then readd old keys and remove temp.
-    yes YES | cryptsetup luksFormat $(rootdev) $luks_file \
-                         --type luks1 -c aes-cbc-essiv:sha256 -s 256 || [[ $? == 141 ]]
-    yes "$lukspw" | \
-      cryptsetup luksAddKey --key-file $luks_file \
-                 $(rootdev) || [[ $? == 141 ]]
-    # background: Keyfile and password are treated just
-    # like 2 ways to input a passphrase, so we don't actually need to have
-    # different contents of keyfile and passphrase, but it makes some
-    # security sense to a really big randomly generated passphrase
-    # as much as possible, so we have both.
-    #
-    # This would remove the keyfile.
-    #    yes 'test' | cryptsetup luksRemoveKey /dev/... \
-      #                            /key/file || [[ $? == 141 ]]
-
-    cryptsetup luksOpen $(rootdev) $(root-cryptname) \
-               --key-file $luks_file
+    luks-setup $(rootdev)
 
     if [[ $SPECIAL_DISK ]]; then
       exit 0
@@ -651,6 +692,25 @@ ROOT_PARTITIONS="${root_devs[@]}"
 ROOT_PARTITION=\${ROOT_PARTITION:-$first_root_crypt}
 SWAPLIST=\${SWAPLIST:-"${swaps[@]}"}
 EOF
+
+
+  if [[ $HOSTNAME == kd ]]; then
+    # note, having these with keyscript and initramfs causes a luks error in fai.log,
+    # but it is safely ignorable and gets us the ability to just type our password
+    # in once at boot. A downside is that they are probably needed to be plugged in to boot.
+    cat >>/tmp/fai/crypttab <<EOF
+crypt_dev_ata-Samsung_SSD_870_QVO_8TB_S5VUNG0N900656V-part7 /dev/disk/by-id/ata-Samsung_SSD_870_QVO_8TB_S5VUNG0N900656V-part7  none  keyscript=decrypt_keyctl,discard,luks,initramfs
+crypt_dev_ata-TOSHIBA_MD04ACA500_84R2K773FS9A-part1 /dev/disk/by-id/ata-TOSHIBA_MD04ACA500_84R2K773FS9A-part1  none  keyscript=decrypt_keyctl,discard,luks,initramfs
+crypt_dev_ata-ST6000DM001-1XY17Z_Z4D29EBL-part1 /dev/disk/by-id/ata-ST6000DM001-1XY17Z_Z4D29EBL-part1  none  keyscript=decrypt_keyctl,discard,luks,initramfs
+EOF
+    cat >> /tmp/fai/fstab <<EOF
+# r7 = root partition7
+/dev/mapper/crypt_dev_ata-Samsung_SSD_870_QVO_8TB_S5VUNG0N900656V-part7  /mnt/r7  btrfs  nofail,x-systemd.device-timeout=30s,x-systemd.mount-timeout=30s,noatime,compress=zstd,subvolid=0  0 0
+/dev/mapper/crypt_dev_ata-TOSHIBA_MD04ACA500_84R2K773FS9A-part1  /mnt/rust1  btrfs  nofail,x-systemd.device-timeout=30s,x-systemd.mount-timeout=30s,noatime,compress=zstd,subvolid=0  0 0
+/dev/mapper/crypt_dev_ata-ST6000DM001-1XY17Z_Z4D29EBL-part1  /mnt/rust2  btrfs  nofail,x-systemd.device-timeout=30s,x-systemd.mount-timeout=30s,noatime,compress=zstd,subvolid=0  0 0
+EOF
+  fi
+
 fi
 
 # initial setup of extra data fs, mounted,
@@ -658,15 +718,3 @@ fi
 # chattr +C nocow
 # chown iank.iank nocow
 
-if [[ $HOSTNAME == kd ]]; then
-  cat >>/tmp/fai/crypttab <<EOF
-crypt_dev_ata-Samsung_SSD_870_QVO_8TB_S5VUNG0N900656V-part6 /dev/disk/by-id/ata-Samsung_SSD_870_QVO_8TB_S5VUNG0N900656V-part6  none  keyscript=decrypt_keyctl,discard,luks,initramfs
-crypt_dev_ata-TOSHIBA_MD04ACA500_84R2K773FS9A-part1 /dev/disk/by-id/ata-TOSHIBA_MD04ACA500_84R2K773FS9A-part1  keyscript=decrypt_keyctl,discard,luks,initramfs
-EOF
-  cat >> /tmp/fai/fstab <<EOF
-/dev/mapper/crypt_dev_ata-Samsung_SSD_870_QVO_8TB_S5VUNG0N900656V-part6  /d  btrfs  nofail,x-systemd.device-timeout=30s,x-systemd.mount-timeout=30s,noatime,compress=zstd,subvol=nocow  0 0
-# r6 = root partition6
-/dev/mapper/crypt_dev_ata-Samsung_SSD_870_QVO_8TB_S5VUNG0N900656V-part6  /mnt/r6  btrfs  nofail,x-systemd.device-timeout=30s,x-systemd.mount-timeout=30s,noatime,compress=zstd,subvolid=0  0 0
-/dev/mapper/crypt_dev_ata-TOSHIBA_MD04ACA500_84R2K773FS9A-part1  /mnt/rust  btrfs  nofail,x-systemd.device-timeout=30s,x-systemd.mount-timeout=30s,noatime,compress=zstd,subvolid=0  0 0
-EOF
-fi
diff --git a/fai/config/package_config/STANDARD b/fai/config/package_config/STANDARD
index 7d97667..95086d0 100644
--- a/fai/config/package_config/STANDARD
+++ b/fai/config/package_config/STANDARD
@@ -64,6 +64,8 @@ publicsuffix
 iso-codes
 # new package buster/nabia+
 cryptsetup-initramfs
+# https://wiki.debian.org/UsrMerge
+usrmerge
 
 # iank, copied from DEBIAN so it goes into ubuntu too
 PACKAGES install GRUB_PC
diff --git a/fai/config/scripts/GRUB_PC/11-iank b/fai/config/scripts/GRUB_PC/11-iank
index 8a9eab7..aaebc82 100755
--- a/fai/config/scripts/GRUB_PC/11-iank
+++ b/fai/config/scripts/GRUB_PC/11-iank
@@ -104,10 +104,29 @@ if [[ $FAI_ACTION != dirinstall ]] && ! ifclass NOCRYPT; then
     speed=115200
     cmdline="rd.luks.crypttab=no net.ifnames=0 console=ttyS0,${speed}n8 console=tty0"
     case $HOSTNAME in
-      # https://wiki.archlinux.org/index.php/Solid_state_drive#Resolving_NCQ_errors
-      # evo-870 doesnt get along well with d16 with etiona.
-      # the number is based on dmesg errors
-      kd) cmdline+=" libata.force=4.00:noncq" ;;
+      kd)
+        fcopy -v /usr/bin/myncq
+
+        cat >$target/etc/systemd/system/myncq.service <<'EOF'
+[Unit]
+Description=fix ncq errors
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/myncq
+TimeoutStartSec=20
+
+[Install]
+# https://www.enricozini.org/blog/2017/debian/systemd-07-devices/
+WantedBy=dev-disk-by\x2did-ata\x2dSamsung_SSD_870_QVO_8TB_S5VUNG0N900656V.device
+EOF
+
+  chroot $FAI_ROOT bash <<'EOFOUTER'
+systemctl enable myncq.service
+/usr/bin/myncq no-upgrub
+EOFOUTER
+
+          ;;
       # per rubens suggestion to make a d16 more stable
       kd|kw) cmdline+=" pci=realloc=off" ;;
     esac
@@ -132,7 +151,15 @@ EOF
   chroot $FAI_ROOT bash <<EOF
 set -eE -o pipefail
 # https://askubuntu.com/questions/33416/how-do-i-disable-the-boot-splash-screen-and-only-show-kernel-and-boot-text-inst
-# we remove quiet and splash, and all thats left is what we want
+
+sed -ri 's/(^GRUB_CMDLINE_LINUX_DEFAULT=")quiet/\1/;s/^(GRUB_CMDLINE_LINUX_DEFAULT=".*) quiet([ "])/\1\2/' /etc/default/grub
+sed -ri 's/(^GRUB_CMDLINE_LINUX_DEFAULT=")splash/\1/;s/^(GRUB_CMDLINE_LINUX_DEFAULT=".*) splash([ "])/\1\2/' /etc/default/grub
+
+for arg in $cmdline; do
+  if ! grep "^GRUB_CMDLINE_LINUX_DEFAULT=.*[\" ]${arg//./\\.}[\" ]" /etc/default/grub; then
+    sed -ri "s/^GRUB_CMDLINE_LINUX_DEFAULT=\"(.*)/GRUB_CMDLINE_LINUX_DEFAULT=\"$arg \1/" /etc/default/grub
+  fi
+done
 
 if grep -qF "$cmdline" /etc/default/grub; then
   # already set things, exit
@@ -144,7 +171,12 @@ sed -ri 's/^ *GRUB_CMDLINE_LINUX_DEFAULT=.*/GRUB_CMDLINE_LINUX_DEFAULT="$cmdline
 # warning about it in error.log
 sed -i '/^ *GRUB_HIDDEN_TIMEOUT/d' /etc/default/grub
 
-update-grub2
+if type -P update-grub2 &>/dev/null; then
+  update-grub2
+else
+  update-grub
+fi
+
 EOF
 fi ##### end != dirinstall && != NOCRYPT
 
@@ -249,7 +281,6 @@ iface eth0 inet6 static
 address 2600:3c00:e000:280::2/64
 EOF
   fi
-
 fi
 
 # I prefer to stick with ifup/down for now. a. networkd is not in its
@@ -263,15 +294,14 @@ EOF
 
 
 if ifclass VOL_BUSTER_BOOTSTRAP; then
-  fcopy -riM /etc/systemd/system
+  fcopy /etc/systemd/system/faicheck.service
   chroot $FAI_ROOT bash <<'EOFOUTER'
-systemctl enable fai_check.service
+systemctl enable faicheck.service
 EOFOUTER
   exit 0 # avoid unnecessary stuff in bootstrap vol
 fi
 
 
-
 ## misc settings
 chroot $FAI_ROOT bash <<'EOFOUTER'
 #### begin .ssh setup ###
diff --git a/wrt-setup b/wrt-setup
index 42c4127..9163ad3 100755
--- a/wrt-setup
+++ b/wrt-setup
@@ -78,4 +78,4 @@ sudo scp /q/root/shadow/router /p/c/machine_specific/wrt/etc/dropbear/dropbear_r
      /p/router-secrets /p/c/machine_specific/wrt/etc/wg.{key,psk} $h:
 scp ../openwrtkeyring/usign/* $h:/etc/opkg/keys
 
-ssh $h wrt-init $HOME_DOMAIN "$@"
+ssh $h wrt-init ${HOME_DOMAIN:-b8.nz} "$@"
diff --git a/wrt-setup-local b/wrt-setup-local
index 1f0a2d5..d900897 100755
--- a/wrt-setup-local
+++ b/wrt-setup-local
@@ -38,9 +38,6 @@ EOF
 }
 
 
-
-
-
 secrets=false
 if [[ -e /root/router-secrets ]]; then
   secrets=true
@@ -53,14 +50,20 @@ fi
 : ${hostname:=wrt}
 
 
+zblock=false
+if [[ -e /root/zblock ]]; then
+  zblock=true
+fi
+
 dnsmasq_restart=false
+unbound_restart=false
 firewall_restart=false
 dev2=false
 test=false
 client=false
 libremanage_host=wrt2
 lanip=1
-while getopts hm:t: opt; do
+while getopts hm:t:yz opt; do
   case $opt in
     h) usage ;;
     t)
@@ -86,6 +89,14 @@ while getopts hm:t: opt; do
         *) echo "$0: unexpected arg to -t: $*" >&2; usage 1 ;;
       esac
       ;;
+    y)
+      zblock=false
+      rm -f /root/zblock
+      ;;
+    z)
+      zblock=true
+      touch /root/zblock
+      ;;
     m)  mac=$OPTARG ;;
     *) echo "$0: Internal error! unexpected args: $*" >&2 ; usage 1 ;;
   esac
@@ -187,7 +198,9 @@ udel() {
     eval $restart_var=true
   fi
 }
-
+cedit() {
+  v command cedit -v "$@"
+}
 
 
 ### network config
@@ -344,7 +357,8 @@ fi
 # /root/relay_1.0-1_mips_24kc.ipk
 v pi kmod-usb-storage block-mount kmod-fs-ext4 nfs-kernel-server \
   tcpdump openvpn-openssl adblock libusb-compat \
-  screen kmod-usb-serial-cp210x kmod-usb-serial-ftdi rsync
+  screen kmod-usb-serial-cp210x kmod-usb-serial-ftdi rsync\
+  unbound-daemon-heavy unbound-checkconf
 
 cat >/etc/libremanage.conf <<EOF
 ${libremanage_host}_type=switch
@@ -371,7 +385,7 @@ mkdir -p /run/parabolaiso/bootmnt
 
 ## ian: usb broke on old router. if that happens, can just comment this to disable problems
 # echo | cedit /etc/config/fstab ||:
-v cedit /etc/config/fstab <<EOF || { v block umount; v block mount; }
+cedit /etc/config/fstab <<EOF || { v block umount; v block mount; }
 config global automount
       option from_fstab 1
       option anon_mount 1
@@ -435,12 +449,12 @@ EOF
 # # I did, and I had to restart the vpn afterwards.
 # # This maps a uci interface to a real interface which is
 # # managed outside of uci.
-# v cedit /etc/config/network <<'EOF' ||:
+# cedit /etc/config/network <<'EOF' ||:
 # config interface 'tun0'
 #         option ifname 'tun0'
 #         option proto 'none'
 # EOF
-# v cedit /etc/config/openvpn <<'EOF' || v /etc/init.d/openvpn restart
+# cedit /etc/config/openvpn <<'EOF' || v /etc/init.d/openvpn restart
 # config openvpn my_client_config
 #         option enabled 1
 #         option config /etc/openvpn/client.conf
@@ -452,14 +466,14 @@ wgport=26000
 
 network_restart=false
 if $client; then
-  v cedit wific /etc/config/network <<EOF || network_restart=true
+  cedit wific /etc/config/network <<EOF || network_restart=true
 # https://openwrt.org/docs/guide-user/network/wifi/connect_client_wifi
 config interface 'wwan'
  option proto 'dhcp'
 EOF
 fi
 
-v cedit /etc/config/network <<EOF || network_restart=true
+cedit /etc/config/network <<EOF || network_restart=true
 config 'route' 'transmission'
  option 'interface' 'lan'
  option 'target' '10.173.0.0'
@@ -488,7 +502,7 @@ fi
 firewall-cedit() {
 
   if $client; then
-    v cedit wific /etc/config/firewall <<EOF
+    cedit wific /etc/config/firewall <<EOF
 config zone
  option name    wwan
  option input    REJECT
@@ -502,7 +516,7 @@ EOF
 
   case $hostname in
     wrt)
-      v cedit host /etc/config/firewall <<EOF
+      cedit host /etc/config/firewall <<EOF
 config redirect
  option name ssh
  option src              wan
@@ -512,7 +526,7 @@ config redirect
 EOF
       ;;
     cmc)
-      v cedit host /etc/config/firewall <<EOF
+      cedit host /etc/config/firewall <<EOF
 config redirect
  option name ssh
  option src              wan
@@ -523,7 +537,57 @@ EOF
       ;;
   esac
 
-  v cedit /etc/config/firewall <<EOF
+  cedit /etc/config/firewall <<EOF
+## begin no external dns for ziva
+config rule
+ option src  lan
+ option src_ip   10.2.0.23
+ option dest_port 53
+ option dest  wan
+ option target REJECT
+
+
+config rule
+ option src wan
+ option dest_ip   10.2.0.23
+ option src_port 53
+ option dest  lan
+ option target REJECT
+
+
+config rule
+ option src  lan
+ option src_ip   10.2.0.31
+ option dest_port 53
+ option dest  wan
+ option target REJECT
+
+
+config rule
+ option src wan
+ option dest_ip   10.2.0.31
+ option src_port 53
+ option dest  lan
+ option target REJECT
+
+
+config rule
+ option src  lan
+ option src_ip   10.2.0.32
+ option dest_port 53
+ option dest  wan
+ option target REJECT
+
+
+config rule
+ option src wan
+ option dest_ip   10.2.0.32
+ option src_port 53
+ option dest  lan
+ option target REJECT
+## end no external dns for ziva
+
+
 config rule
  option src              wan
  option target           ACCEPT
@@ -641,6 +705,20 @@ config rule
  option dest_port        443
  option proto            tcp
 
+config redirect
+option name httpskd8448
+ option src              wan
+ option src_dport        8448
+ option dest             lan
+ option dest_ip          $l.2
+ option proto            tcp
+config rule
+ option src              wan
+ option target           ACCEPT
+ option dest_port        8448
+ option proto            tcp
+
+
 config redirect
  option name syncthing
  option src              wan
@@ -696,6 +774,13 @@ config rule
  option target ACCEPT
  option family ipv6
 
+# include a file with users custom iptables rules
+config include
+	option path /etc/firewall.user
+	option type 'restore'
+	option family 'ipv4'
+
+
 EOF
 }
 firewall-cedit || firewall_restart=true
@@ -712,13 +797,13 @@ firewall-cedit || firewall_restart=true
 
 
 
-v cedit /etc/hosts <<EOF || dnsmasq_restart=true
+cedit /etc/hosts <<EOF
 127.0.1.1 $hostname
 EOF
 # not sure this case statement is needed
 case $hostname in
   cmc)
-    v cedit host /etc/hosts <<EOF || dnsmasq_restart=true
+    cedit host /etc/hosts <<EOF
 $l.1 $hostname
 # 127.0.0.1 www.youtube.com
 # 127.0.0.1 googlevideo.com
@@ -750,10 +835,123 @@ uset dhcp.@dnsmasq[0].local
 # todo: setup /etc/resolv.conf to point to 127.0.0.1
 uset dhcp.@dnsmasq[0].resolvfile /dev/null
 
-# by default it will send out ipv6 dns, like this
+# if dnsmasq happens to not send out a dns server,
+# odhcpd will send one out like this:
 # NetworkManager[953]: <info>  [1614982580.5192] dhcp6 (wlan0): option dhcp6_name_servers   => 'fd58:5801:8e02::1'
 # but i dont want ipv6 dns, just keep it simple to ipv4.
-uset dhcp.@odhcpd[0].dns 10.2.0.1
+# I know my isp doesnt have ipv6 right now,
+# so just stop this thing.
+# note: tried this, it didn't do anything:
+# uset dhcp.@odhcpd[0].dns 10.2.0.1
+/etc/init.d/odhcpd stop
+/etc/init.d/odhcpd disable
+# todo: make the above conditional on which server this is.
+
+# avoid errors in log. current isp doesnt have ipv6
+uset unbound.@unbound[0].protocol ip4_only
+
+# todo: im not sure all these are needed, but they all look
+# like good options.
+# https://blog.cloudflare.com/dns-over-tls-for-openwrt/
+# https://gist.github.com/vqiu/7b32d3a19a7a09d32e108d998de166c2
+#https://blog.thestateofme.com/2018/04/04/howto-secure-your-dns-with-a-raspberry-pi-unbound-and-cloudflare-1-1-1-1/
+#
+# # i found that the zone example was having no effect on the config
+# # here:
+# https://github.com/openwrt/packages/blob/openwrt-19.07/net/unbound/files/README.md
+#
+# # todo: unbound-control, i'm not sure what the purpose of that thing is, some
+# # kind of coordination with dhcp of dnsmasq, but what?
+#
+# note: for debugging, edit /etc/init.d/unbound, change
+# procd_set_param command $PROG -d -c $UB_TOTAL_CONF
+# to:
+# procd_set_param command $PROG -vvv -d -c $UB_TOTAL_CONF
+
+{
+  cat <<'EOF'
+do-tcp: yes
+prefetch: yes
+qname-minimisation: yes
+rrset-roundrobin: yes
+use-caps-for-id: yes
+do-ip6: no
+private-domain: b8.nz
+local-zone: "10.in-addr.arpa." transparent
+access-control-view: 10.2.0.31/32 "youtube"
+EOF
+
+  if $zblock; then
+    cat <<'EOF'
+# amy, amyw, samsungtab
+access-control-view: 10.2.0.8/32 "youtube"
+access-control-view: 10.2.0.23/32 "youtube"
+access-control-view: 10.2.0.32/32 "youtube"
+EOF
+  fi
+} | cedit /etc/unbound/unbound_srv.conf  || restart_unbound=true
+
+
+# dns based blocking vs ip based. with ip, same
+# server can have multiple domains. in dns,
+# you have to make sure clients to use the local dns.
+# https dns will need to be blocked by ip in
+# order to be comprehensive
+
+cedit /etc/unbound/unbound_ext.conf <<'EOF' || restart_unbound=true
+local-data-ptr: "10.2.0.1 cmc.b8.nz"
+local-data-ptr: "10.2.0.2 kd.b8.nz"
+local-data-ptr: "10.2.0.3 sy.b8.nz"
+local-data-ptr: "10.2.0.4 wrt2.b8.nz"
+local-data-ptr: "10.2.0.5 x2.b8.nz"
+local-data-ptr: "10.2.0.6 x2w.b8.nz"
+local-data-ptr: "10.2.0.7 syw.b8.nz"
+local-data-ptr: "10.2.0.8 amy.b8.nz"
+local-data-ptr: "10.2.0.9 bb8.b8.nz"
+local-data-ptr: "10.2.0.12 demohost.b8.nz"
+local-data-ptr: "10.2.0.14 wrt3.b8.nz"
+local-data-ptr: "10.2.0.19 brother.b8.nz"
+local-data-ptr: "10.2.0.23 amyw.b8.nz"
+local-data-ptr: "10.2.0.25 hp.b8.nz"
+local-data-ptr: "10.2.0.31 amazontab.b8.nz"
+local-data-ptr: "10.2.0.32 samsungtab.b8.nz"
+local-data-ptr: "10.173.0.2 transmission.b8.nz"
+local-data-ptr: "10.173.8.1 defaultnn.b8.nz"
+local-data-ptr: "10.173.8.2 nn.b8.nz"
+
+forward-zone:
+  name: "."
+# https://developers.cloudflare.com/1.1.1.1/1.1.1.1-for-families/setup-instructions/dns-over-https
+  forward-addr: 1.1.1.3@853#family.cloudflare-dns.com
+  forward-addr: 1.0.0.3@853#family.cloudflare-dns.com
+  forward-ssl-upstream: yes
+  forward-first: no
+
+view:
+  name: "youtube"
+  local-zone: "googlevideo.com." refuse
+  local-zone: "video.google.com." refuse
+  local-zone: "youtu.be." refuse
+  local-zone: "youtube-nocookie.com." refuse
+  local-zone: "youtube-ui.l.google.com." refuse
+  local-zone: "youtube.com." refuse
+  local-zone: "youtube.googleapis.com." refuse
+  local-zone: "youtubeeducation.com." refuse
+  local-zone: "youtubei.googleapis.com." refuse
+  local-zone: "yt3.ggpht.com." refuse
+  local-zone: "youtubekids.com." refuse
+  # try global if no match in view
+  view-first: yes
+EOF
+
+
+if $restart_unbound; then
+  /etc/init.d/unbound restart
+  if ! unbound-checkconf; then
+    echo $0: error: unbound-checkconf failed >&2
+    exit 1
+  fi
+fi
 
 
 # disabled for now. i want to selectively enable it
@@ -775,7 +973,7 @@ EOF
 # so make sure we have this dir or else dnsmasq will fail
 # to start.
 mkdir -p /mnt/usb/tftpboot
-v cedit /etc/dnsmasq.conf <<EOF || dnsmasq_restart=true
+cedit /etc/dnsmasq.conf  <<EOF || dnsmasq_restart=true
 # no dns
 port=0
 server=/b8.nz/#
@@ -785,10 +983,11 @@ ptr-record=1.0.2.10.in-addr.arpa.,cmc.b8.nz
 stop-dns-rebind
 rebind-domain-ok=b8.nz
 
-# this says the ip of default gateway and dns server,
-# but I think they are unneded and default
-#dhcp-option=3,$l.1
-#dhcp-option=6,$l.1
+# This says the ip of dns server.
+# It is default if dnsmasq is doing dns, otherwise, we have to specify it.
+# To see it in action, I ran this from a client machine:
+# sudo dhcpcd -o domain_name_servers -T
+dhcp-option=6,$l.1
 
 
 
@@ -814,6 +1013,7 @@ server=1.0.0.3
 server=2606:4700:4700::1113
 server=2606:4700:4700::1003
 
+server=10.2.0.1
 # server=8.8.4.4
 # server=8.8.8.8
 # server=2001:4860:4860::8888
@@ -849,6 +1049,9 @@ dhcp-host=00:1b:a9:8c:a8:23,set:brother,$l.19,brother
 dhcp-host=00:26:b6:f7:d4:d8,set:amyw,$l.23,amyw
 dhcp-host=38:63:bb:07:5a:f9,set:hp,$l.25,hp
 dhcp-host=00:26:b6:f6:0f:e9,set:frodow,$l.28,frodow
+dhcp-host=6c:56:97:88:7b:74,set:amazontab,$l.31,amazontab
+dhcp-host=0a:8a:9b:cf:b5:ec,set:samsungtab,$l.32,samsungtab
+
 
 
 # faiserver vm
@@ -878,14 +1081,14 @@ if $dnsmasq_restart && ! $dev2; then
   # due to the other settings, but will be used for ptr? then maybe
   # we dont have to restart dnsmasq for a dns update?
   #
-  # todo: according to this
+  # interesing link:
   # https://www.redpill-linpro.com/techblog/2019/08/27/evaluating-local-dnssec-validators.html#toggling-dnssec-validation-1
-  # we should turn on dnssec validation when wrt gets version > 2.80. currently at 2.80.
-  # todo: download https://downloads.openwrt.org/snapshots/packages/mipsel_24kc/base/dnsmasq-full_2.84-1_mipsel_24kc.ipk
-  # and install it. then we can turn off dnssec in systemd-resolved
+  # we could turn on dnssec validation when wrt gets dnsmasq > 2.80. currently at 2.80.
+  # also we can turn off dnssec in systemd-resolved if we know the router is doing it.
   #
   # Also, reload of dnsmasq seems to break things, wifi
   # clients were not getting internet connectivity.
+
   v /etc/init.d/dnsmasq restart
 fi
 
-- 
2.30.2