#!/bin/sh
# 2020-06-13, Nico Schottelius
# See https://ungleich.ch/u/products/viirb-ipv6-box/

if [ $# -lt 4 ]; then
    echo "$0 interface viirb-id your-dot-cdist [stages]"
    echo "    interface to add the config ip address to"
    echo "    viirb-id: number in decimal format"
    echo "    your-dot-cdist: path to YOUR ungleich-dot-cdist repo"
    echo "    owner-mail-reference: How to identify the owner"
    echo "    stages: define which stages to execute"
    echo ""
    echo "    stage1: setup your host, check connection to VIIRB"
    echo "    stage2: flash latest openwrt onto the VIIRB"
    echo "    stage3: configure the vpn endpoint"
    echo "    stage4: configure the VIIRB with wireguard + settings"
    echo "    stage5: Verify VIIRB on VPN, cleanup VIIRB"
    echo ""
    echo "Example to configure viirb02:"
    echo "$0 wlan0 2 ~/vcs/ungleich-dot-cdist 'Nico Schottelius, nico.schottelius@ungleich.ch, Ticket 2342'"
    echo "$0 wlan0 2 ~/vcs/ungleich-dot-cdist 'Nico Schottelius, nico.schottelius@ungleich.ch, Ticket 2342' '1 3 4'"
    exit 1
fi

echo "FIXME: missing IPv6 announcements on LAN"
echo "FIXME: DNS situation: upstream, non upstream, ungleich, how to resolve tunnel endpoint"

set -x

set -x
dev=$1; shift
id=$1; shift
dot_cdist=$1; shift
owner=$1; shift

if [ $# -ge 1 ]; then
    stages=$1; shift
else
    stages="1 2 3 4 5"
fi

hex_id=$(printf "%0.2x\n" "$id")
viirb_hostname=viirb${hex_id}

prefix_base=2a0a:e5c1:3
my_prefix=${prefix_base}${hex_id}
my_network=${my_prefix}::/48

my_wireguard_ip=${my_prefix}::42
my_lan_ip=${my_prefix}:cafe::42
my_wifi_ip=${my_prefix}:7ea::42

# openwrt
version=19.07.3
filename=openwrt-${version}-ramips-mt76x8-vocore2-squashfs-sysupgrade.bin

# root password
root_password=$(pwgen -1 32)

# IP address for setting it up initially
viirb_ip=192.168.61.1

# wireguard
private_key=$(wg genkey)
public_key=$(echo $private_key | wg pubkey)

vpn_endpoint_host=vpn-2a0ae5c1300.ungleich.ch
vpn_endpoint_pubkey=ft68G2RID7gZ6PXjFCSCOdJ9yspRg+tUw0YrNK9cTxE=

# cdist
dot_cdist_files=${dot_cdist}/type/__ungleich_wireguard/files
peerfilename=${vpn_endpoint_host}.peer${hex_id}
peerfile=${dot_cdist_files}/${peerfilename}
vpnconfig=${dot_cdist_files}/${vpn_endpoint_host}

################################################################################
# Stage 1: test / connect to the new VIIRB
#
# We delete so that we can run idempotent
stage1()
{
    sudo ip addr del 192.168.61.2/24 dev "$dev" 2>/dev/null || true
    sudo ip addr add 192.168.61.2/24 dev "$dev"

    # don't care about other/old known_host entries
    ssh-keygen  -R ${viirb_ip}

    ping -c2 ${viirb_ip}
    if [ $? -ne 0 ]; then
        echo "Cannot reach any VIIRB - exiting"
        exit 1
    fi

    cat ~/.ssh/id_rsa.pub | ssh root@${viirb_ip} "cat > /etc/dropbear/authorized_keys"
}



################################################################################
# Get latest OpenWRT & flash it
stage2()
{
    # Don't re-download if we already have it
    wget -c http://downloads.openwrt.org/releases/${version}/targets/ramips/mt76x8/${filename}
    scp ${filename} root@${viirb_ip}:/tmp
    ssh root@${viirb_ip} "sysupgrade /tmp/*.bin"

    # It still pings for some time - wait for the reboot to happen
    echo "Waiting for VIIRB to disappear"
    sleep 15

    wait=0
    found=""

    while [ $wait -lt 180 ]; do
        ping -c1 ${viirb_ip} >/dev/null

        if [ $? -eq 0 ]; then
            found=yes
            # wait for ssh to come up
            sleep 10
            break
        fi

        sleep 1
        wait=$((wait+1))
    done

    if [ ! "$found" ]; then
        echo "Did not find updated viirb - debug / restart it"
        exit 1
    fi

}


################################################################################
# Stage 3: prepare VPN endpoint
#

stage3()
{

    # Configure VPN server / update cdist
    echo Updating VPNserver
    cat <<EOF > ${peerfile}
# ${viirb_hostname} ${owner}
[Peer]
PublicKey = ${public_key}
AllowedIPs = ${my_network}

EOF

    # Generate real config
    cat ${dot_cdist_files}/${vpn_endpoint_host}.* > ${vpnconfig}
    cd ${dot_cdist_files}
    git add ${vpn_endpoint_host} ${peerfilename}
    git commit -m "[vpn] Updated config for peer ${viirb_hostname} ${my_network}"
    git pull
    git push

    cdist config -vv -j8 ${vpn_endpoint_host} -c ${dot_cdist}
}

################################################################################
# Stage 4: configure the VIIRB
#
stage4()
{

    cat <<EOF | ssh -t "root@${viirb_ip}"
set -x

# Setup lan to also retrieve an ip address via dhcp

# This stays in the final setup
uci set network.lan.proto='dhcp'
uci delete network.lan.ipaddr
uci delete network.lan.netmask

# This is temporary
uci set network.lanv4temp=interface
uci set network.lanv4temp.proto='static'
uci set network.lanv4temp.ifname='br-lan'
uci set network.lanv4temp.ipaddr='192.168.61.1'
uci set network.lanv4temp.netmask='255.255.255.0'

uci commit network
/etc/init.d/network restart

# ensure internet is up and running
sleep 3
ping -c5 ungleich.ch

# update the sources
opkg update

# install wireguard + gui
opkg install wireguard
opkg install luci-app-wireguard

# The IPv6 lan configuration
uci set network.lanv6=interface
uci set network.lanv6.proto='static'
uci set network.lanv6.ip6addr='${my_lan_ip}/64'
uci set network.lanv6.ifname='br-lan'

# wifi ip address
uci set network.wifi=interface
uci set network.wifi.proto='static'
uci set network.wifi.ip6addr='${my_wifi_ip}/64'

# Wifi configuration
uci set wireless.radio0=wifi-device
uci set wireless.radio0.type='mac80211'
uci set wireless.radio0.hwmode='11g'
uci set wireless.radio0.path='platform/10300000.wmac'
uci set wireless.radio0.htmode='HT40'
uci set wireless.radio0.country='CH'
uci set wireless.radio0.channel='6'

# Ensure it is not disabled
uci delete wireless.radio0.disabled

uci set wireless.default_radio0=wifi-iface
uci set wireless.default_radio0.device='radio0'
uci set wireless.default_radio0.mode='ap'
uci set wireless.default_radio0.encryption='psk2'
uci set wireless.default_radio0.key='iloveipv6'
uci set wireless.default_radio0.ssid='IPv6 everywhere ${viirb_hostname}'
uci set wireless.default_radio0.network='wifi'

# Wifi / Router advertisements
uci set dhcp.wifi=dhcp
uci set dhcp.wifi.interface='wifi'
uci set dhcp.wifi.ra='server'
uci set dhcp.wifi.dynamicdhcp='0'

# LAN / Router advertisements / DHCP
# DHCP: we are not authoratative
uci delete dhcp.@dnsmasq[0].authoritative
uci delete dhcp.lan.dhcpv6
uci delete dhcp.lan.start
uci delete dhcp.lan.limit
uci delete dhcp.lan.leasetime

# Do not announce ULA - we have GUA
uci delete network.globals.ula_prefix

uci set dhcp.lan=dhcp
uci set dhcp.lan.interface='lanv6'
uci set dhcp.lan.ra='server'
uci set dhcp.lan.dynamicdhcp='0'


# Fix DNS: make dnsmasq NOT use a resolv.conf
# so that it only reads from our servers with DNS64 enabled
uci set dhcp.@dnsmasq[0].noresolv='1'

# Fix DNS: make the OS use the locally provided DNS servers
# otherwise the VPN tunnel cannot be established
dhcp.@dnsmasq[0].localuse='0'

# DNS upstream over VPN gives DNS64
uci delete dhcp.@dnsmasq[0].server
uci add_list dhcp.@dnsmasq[0].server='2a0a:e5c0:0:a::a'
uci add_list dhcp.@dnsmasq[0].server='2a0a:e5c0:2:a::a'

# VPN / Wireguard
uci set network.wg0=interface
uci set network.wg0.proto='wireguard'
uci set network.wg0.private_key='${private_key}'
uci set network.wg0.listen_port='51820'
uci set network.wg0.addresses='${my_wireguard_ip}/64'

if ! uci get network.@wireguard_wg0[0]; then
   uci add network wireguard_wg0
fi

uci set network.@wireguard_wg0[0]=wireguard_wg0
uci set network.@wireguard_wg0[0].persistent_keepalive='25'
uci set network.@wireguard_wg0[0].public_key='${vpn_endpoint_pubkey}'
uci set network.@wireguard_wg0[0].description='IPv6VPN.ch by ungleich'
uci set network.@wireguard_wg0[0].allowed_ips='::/0'
uci set network.@wireguard_wg0[0].endpoint_host='${vpn_endpoint_host}'
uci set network.@wireguard_wg0[0].endpoint_port='51820'
uci set network.@wireguard_wg0[0].route_allowed_ips='1'

uci set system.@system[0].hostname="${viirb_hostname}"

uci commit

# Firewall configuration

if ! uci show firewall | grep "name='Allow-SSH'"; then
uci add firewall rule
uci set firewall.@rule[-1].name='Allow-SSH'
uci set firewall.@rule[-1].src='wan'
uci set firewall.@rule[-1].dest='lan'
uci set firewall.@rule[-1].proto='tcp'
uci set firewall.@rule[-1].dest_port='22'
uci set firewall.@rule[-1].target='ACCEPT'
fi

if ! uci show firewall | grep "name='Allow-HTTPS'"; then
uci add firewall rule
uci set firewall.@rule[-1].name='Allow-HTTPS'
uci set firewall.@rule[-1].src='wan'
uci set firewall.@rule[-1].dest='lan'
uci set firewall.@rule[-1].proto='tcp'
uci set firewall.@rule[-1].dest_port='443'
uci set firewall.@rule[-1].target='ACCEPT'
fi

if ! uci show firewall | grep "name='Allow-HTTP'"; then
uci add firewall rule
uci set firewall.@rule[-1].name='Allow-HTTP'
uci set firewall.@rule[-1].src='wan'
uci set firewall.@rule[-1].dest='lan'
uci set firewall.@rule[-1].proto='tcp'
uci set firewall.@rule[-1].dest_port='80'
uci set firewall.@rule[-1].target='ACCEPT'
fi

# Add interfaces to the right network zone
uci set firewall.@zone[0].network='lan lanv6 wifi'
uci set firewall.@zone[1].network='wg0'

uci commit firewall

# Reboot
reboot
EOF

    echo "Wireguard public key: ${public_key}"
}

################################################################################
# Stage 5: Verify the VIIRB via VPN
#
stage5()
{

    # Wait for the VIIRB to come back, but on the VPN address
    wait=0
    found=""

    while [ $wait -lt 180 ]; do
        ping -c1 ${my_wireguard_ip} >/dev/null

        if [ $? -eq 0 ]; then
            found=yes
            break
        fi
        sleep 1
        wait=$((wait+1))
    done

    if [ ! "$found" ]; then
        echo "Cannot reach VIIRB via VPN - check manually"
        exit 1
    fi

    echo "Cleanup process."
    echo "Set the root password when prompted to: ${root_password}"

    # VPN works, remove artefacts, set correct DNS servers that support DNS64
    cat <<EOF | ssh -t "root@${viirb_ip}"
# Remove temporary IP
uci delete network.lanv4temp

# Correct SSID
uci set wireless.default_radio0.ssid='IPv6 everywhere'
uci commit

# Remove our ssh keys
rm -f /etc/dropbear/authorized_keys

# Setup root password
printf "${root_password}\n${root_password}\n" | passwd
EOF

    echo "Submit to user the root password = ${root_password}"

}

for stage in $(seq 1 5);do
    if echo $stages | grep -q $stage; then
        eval stage${stage}
    fi
done