[pib] update setup script

pib-setup.sh

@@ -1,25 +1,33 @@
 #!/bin/sh
 
+# Assumptions:
+# - pib is factory reset
+# - WAN port is connected with an active upstream
+# - You are connected via LAN/can ssh into it
+
 if [ $# -ne 2 ]; then
-    echo "$0 ip-address vpn-network"
+    echo "$0 ip-address vpn-network [wireguard-private-key]"
     echo "    ip-address: where to find the PIB"
     echo "    network: 2a0a:e5c0:123::/48"
+    echo "    private-key: specify if you already have a private key"
     exit 1
 fi
 
-
-
 my_ip=$1; shift
 my_network=$1; shift
 
+if [ $# -eq 1 ]; then
+    private_key=$1; shift
+else
+    private_key=$(wg genkey)
+fi
+
 my_prefix=$(echo $my_network | sed 's,::/.*,,')
 my_hostname=pib-$(echo ${my_prefix} | sed 's/:/-/g')
 
 my_wireguard_ip=${my_prefix}::42
 my_lan_ip=${my_prefix}:cafe::42
-my_lanv6_ip=${my_prefix}:7ea::42
 
-private_key=$(wg genkey)
 public_key=$(echo $private_key | wg pubkey)
 
 vpn_endpoint_host=vpn-2a0ae5c1.ungleich.ch
@@ -28,7 +36,16 @@ vpn_endpoint_pubkey=hi60lGP+xEUQ+kVnqA7PlJAO1SVqTS1W36g0LhFP0xQ=
 cat <<EOF | ssh -t "root@${my_ip}"
 set -x
 
-# Global / general settings
+# Check if we can reach upstream - otherwise abort
+ping -c5 ungleich.ch || exit 1
+
+# update the sources & allow https handling
+opkg update
+opkg install libustream-openssl ca-bundle ca-certificates
+
+# install wireguard + gui
+opkg install wireguard
+opkg install luci-app-wireguard
 
 # We are never authoritative for IPv4
 uci delete dhcp.@dnsmasq[0].authoritative
@@ -43,55 +60,33 @@ uci set dhcp.@dnsmasq[0].noresolv='1'
 # otherwise the VPN tunnel cannot be established
 uci set dhcp.@dnsmasq[0].localuse='0'
 
-# Remove static IPv4 from LAN / replace with DHCP
+# Remove static IPv4 on LAN
 uci delete network.lan.ipaddr
 uci delete network.lan.netmask
-uci set network.lan.ifname='eth1'
-uci set network.lan.proto='dhcp'
 
-# Add IPv6 address in LAN
+# Setup IPv6 on LAN
-uci set network.lanv6=interface
+uci add_list network.lan.ip6addr='${my_lan_ip}/64'
-uci set network.lanv6.ifname='br-lan'
-uci set network.lanv6.proto='static'
-uci set network.lanv6.ifname='br-lan'
-uci add_list network.lanv6.ip6addr='${my_lan_ip}/64'
 
-# IPv6 announcements / no DHCP server on the LAN
+# IPv6 announcements
 uci set dhcp.lan.ra='server'
 uci set dhcp.lan.ra_management='1'
+
+# No DHCP server on the LAN
 uci set dhcp.lan.ignore='1'
 
+# Cleanup dhcp options
+
+# Disable any dynamic leases
 uci set dhcp.lan.dynamicdhcp='0'
+
+# Remove dhcpv6 server
 uci delete dhcp.lan.dhcpv6
+
+# Remove leftover from the dhcpv4 server items
 uci delete dhcp.lan.start
 uci delete dhcp.lan.limit
 uci delete dhcp.lan.leasetime
 
-uci commit
-
-reboot
-
-EOF
-
-my_ip=$my_lan_ip
-echo "Waiting for it to come back..."
-while ! ping -c1 ${my_ip}; do
-    echo "Cannot ping $my_ip yet - waiting"
-    sleep 1
-done
-
-
-cat <<EOF | ssh -t "root@${my_ip}"
-ping -c5 ungleich.ch || exit 1
-
-# update the sources & allow https handling
-opkg update
-opkg install libustream-openssl ca-bundle ca-certificates
-
-# install wireguard + gui
-opkg install wireguard
-opkg install luci-app-wireguard
-
 # VPN / Wireguard
 uci set network.wg0=interface
 uci set network.wg0.proto='wireguard'
@@ -155,14 +150,23 @@ uci add_list dhcp.@dnsmasq[0].server='2a0a:e5c0:0:a::a'
 uci add_list dhcp.@dnsmasq[0].server='2a0a:e5c0:2:a::a'
 
 uci commit
-
 reboot
+
 EOF
 
+my_ip=$my_lan_ip
+echo "Waiting for it to come back..."
+while ! ping -c1 ${my_ip}; do
+    echo "Cannot ping $my_ip yet - waiting"
+    sleep 1
+done
+
 echo "Wireguard public key and id: ${id} ${public_key}"
 echo ${public_key} > ${my_hostname}.public_key
 
-exit 0
+cat <<EOF
+Open steps:
 
-
+- Remove your ssh key(s) from the device
-#  wget -O - https://downloads.openwrt.org/releases/19.07.3/targets/x86/64/openwrt-19.07.3-x86-64-rootfs-ext4.img.gz | gunzip  > /dev/sda
+- Setup a secure root password and forward it to the customer
+EOF