diff --git a/setup-viirb.sh b/setup-viirb.sh
index 79483c6..2f8ba82 100755
--- a/setup-viirb.sh
+++ b/setup-viirb.sh
@@ -2,18 +2,28 @@
 # 2020-06-13, Nico Schottelius
 # See https://ungleich.ch/u/products/viirb-ipv6-box/
-if [ $# -ne 4 ]; then
- echo "$0 interface viirb-id your-dot-cdist"
+if [ $# -lt 4 ]; then
+ echo "$0 interface viirb-id your-dot-cdist [stages]"
 echo " interface to add the config ip address to"
 echo " viirb-id: number in decimal format"
 echo " your-dot-cdist: path to YOUR ungleich-dot-cdist repo"
 echo " owner-mail-reference: How to identify the owner"
+ echo " stages: define which stages to execute"
+ echo ""
+ echo " stage1: setup your host, check connection to VIIRB"
+ echo " stage2: flash latest openwrt onto the VIIRB"
+ echo " stage3: configure the vpn endpoint"
+ echo " stage4: configure the VIIRB with wireguard + settings"
+ echo " stage5: Verify VIIRB on VPN, cleanup VIIRB"
 echo ""
 echo "Example to configure viirb02:"
 echo "$0 wlan0 2 ~/vcs/ungleich-dot-cdist 'Nico Schottelius, nico.schottelius@ungleich.ch, Ticket 2342'"
+ echo "$0 wlan0 2 ~/vcs/ungleich-dot-cdist 'Nico Schottelius, nico.schottelius@ungleich.ch, Ticket 2342' '1 3 4'"
 exit 1
 fi
+echo "FIXME: missing IPv6 announcements on LAN"
+
 set -x
 set -x
@@ -22,6 +32,12 @@ id=$1; shift
 dot_cdist=$1; shift
 owner=$1; shift
+if [ $# -ge 1 ]; then
+ stages=$1; shift
+else
+ stages="1 2 3 4 5"
+fi
+
 hex_id=$(printf "%0.2x\n" "$id")
 viirb_hostname=viirb${hex_id}
@@ -37,12 +53,14 @@ my_wifi_ip=${my_prefix}:7ea::42
 version=19.07.3
 filename=openwrt-${version}-ramips-mt76x8-vocore2-squashfs-sysupgrade.bin
+# root password
+root_password=$(pwgen -1 32)
+
 # IP address for setting it up initially
 viirb_ip=192.168.61.1
 # wireguard
 private_key=$(wg genkey)
-private_key=EL76tScnk84v8TGSSD3tPDhUjjYVPrfmNMBE3zbuRXg=
 public_key=$(echo $private_key | wg pubkey)
 vpn_endpoint_host=vpn-2a0ae5c1300.ungleich.ch
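Review bot: `root_password=$(pwgen -1 32)` in the third hunk runs after the two `set -x` lines kept as context in the first hunk, so the freshly generated password (like the neighbouring `wg genkey` output) is echoed into the trace output of every run; generate the secrets before `set -x`, or bracket them with `set +x` / `set -x`. The new line also does not check that `pwgen` is installed or produced output: an absent tool leaves `root_password` empty and stage 5 later feeds that to `passwd`, so `root_password=$(pwgen -1 32) || exit 1` followed by `[ -n "$root_password" ] || exit 1` would stop the run at that point instead. Dropping the hard-coded `private_key=EL76...` is a good cleanup, but since that value lived in the repository it should be treated as disclosed and any endpoint peer still using it rotated. The `stages` handling in the second hunk accepts any string; the usage text could say that it is a space-separated list of digits, `echo "   stages: space-separated list of stages to run, e.g. '1 3 4' (default: all)"`.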
@@ -50,12 +68,81 @@ vpn_endpoint_pubkey=ft68G2RID7gZ6PXjFCSCOdJ9yspRg+tUw0YrNK9cTxE=
 # cdist
 dot_cdist_files=${dot_cdist}/type/__ungleich_wireguard/files
-peerfile=${dot_cdist_files}/${vpn_endpoint_host}.peer${hex_id}
+peerfilename=${vpn_endpoint_host}.peer${hex_id}
+peerfile=${dot_cdist_files}/${peerfilename}
 vpnconfig=${dot_cdist_files}/${vpn_endpoint_host}
-# Configure VPN server / update cdist
-echo Updating VPNserver
-cat < ${peerfile}
+################################################################################
+# Stage 1: test / connect to the new VIIRB
+#
+# We delete so that we can run idempotent
+stage1()
+{
+ sudo ip addr del 192.168.61.2/24 dev "$dev" 2>/dev/null || true
+ sudo ip addr add 192.168.61.2/24 dev "$dev"
+
+ # don't care about other/old known_host entries
+ ssh-keygen -R ${viirb_ip}
+
+ ping -c2 ${viirb_ip}
+ if [ $? -ne 0 ]; then
+ echo "Cannot reach any VIIRB - exiting"
+ exit 1
+ fi
+
+ cat ~/.ssh/id_rsa.pub | ssh root@${viirb_ip} "cat > /etc/dropbear/authorized_keys"
+}
+
+
+
+################################################################################
+# Get latest OpenWRT & flash it
+stage2()
+{
+ # Don't re-download if we already have it
+ wget -c http://downloads.openwrt.org/releases/${version}/targets/ramips/mt76x8/$(unknown)
+ scp $(unknown) root@${viirb_ip}:/tmp
+ ssh root@${viirb_ip} "sysupgrade /tmp/*.bin"
+
+ # It still pings for some time - wait for the reboot to happen
+ echo "Waiting for VIIRB to disappear"
+ sleep 15
+
+ wait=0
+ found=""
+
+ while [ $wait -lt 180 ]; do
+ ping -c1 ${viirb_ip} >/dev/null
+
+ if [ $? -eq 0 ]; then
+ found=yes
+ # wait for ssh to come up
+ sleep 10
+ break
+ fi
+
+ sleep 1
+ wait=$((wait+1))
+ done
+
+ if [ ! "$found" ]; then
+ echo "Did not find updated viirb - debug / restart it"
+ exit 1
+ fi
+
+}
+
+
+################################################################################
+# Stage 3: prepare VPN endpoint
+#
+
+stage3()
+{
+
+ # Configure VPN server / update cdist
+ echo Updating VPNserver
+ cat < ${peerfile}
 # ${viirb_hostname} ${owner}
 [Peer]
 PublicKey = ${public_key}
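Review bot: stage2 fetches the firmware over plain `http://downloads.openwrt.org/...` and hands it straight to `sysupgrade` with no integrity check, so a tampered or truncated download (and `wget -c` resume makes a partial file more likely) gets flashed onto the box. Fetch over https and verify against the release's `sha256sums` before the `scp`: `wget -c "https://downloads.openwrt.org/releases/${version}/targets/ramips/mt76x8/sha256sums"` and then `grep -- "${filename}" sha256sums | sha256sum -c - || exit 1`. The `$(unknown)` on the wget and scp lines looks like a rendering artefact for `${filename}` (defined in the previous hunk); worth confirming in the file, as does `cat < ${peerfile}` in stage3, which reads as a here-doc redirection whose `<<EOF >` was lost in rendering. In stage1, `ssh-keygen -R ${viirb_ip}` followed by an unconditional `ssh root@${viirb_ip}` means whichever host answers on 192.168.61.1 is trusted on first contact; a comment stating that this is accepted because the box is on a dedicated link would make the choice explicit, and `ping -c2 ${viirb_ip}` plus `if [ $? -ne 0 ]` reads more directly as `if ! ping -c2 "${viirb_ip}"; then`.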
@@ -63,28 +150,32 @@ AllowedIPs = ${my_network} EOF -# Generate real config -cat ${dot_cdist_files}/${vpn_endpoint_host}.* > ${vpnconfig} -cd ${dot_cdist_files} -git add ${vpn_endpoint_host} -git commit -m "[vpn] Updated config for peer ${viirb_hostname} ${my_network}" -git pull -git push + # Generate real config + cat ${dot_cdist_files}/${vpn_endpoint_host}.* > ${vpnconfig} + cd ${dot_cdist_files} + git add ${vpn_endpoint_host} ${peerfilename} + git commit -m "[vpn] Updated config for peer ${viirb_hostname} ${my_network}" + git pull + git push -cdist config -vv -j8 ${vpn_endpoint_host} -c ${dot_cdist} + cdist config -vv -j8 ${vpn_endpoint_host} -c ${dot_cdist} +} -exit 0 +################################################################################ +# Stage 4: configure the VIIRB +# +stage4() +{ -# System -cat </dev/null || true -sudo ip addr add 192.168.61.2/24 dev "$dev" + while [ $wait -lt 180 ]; do + ping -c1 ${my_wireguard_ip} >/dev/null -# don't care about other/old known_host entries -ssh-keygen -R 192.168.61.1 + if [ $? -eq 0 ]; then + found=yes + break + fi + sleep 1 + wait=$((wait+1)) + done -ping -c2 ${viirb_ip} -if [ $? -ne 0 ]; then - echo "Cannot reach any VIIRB - exiting" - exit 1 -fi + if [ ! "$found" ]; then + echo "Cannot reach VIIRB via VPN - check manually" + exit 1 + fi -set -e + echo "Cleanup process." + echo "Set the root password when prompted to: ${root_password}" + # VPN works, remove artefacts, set correct DNS servers that support DNS64 + cat </dev/null +# Remove our ssh keys +rm -f /etc/dropbear/authorized_keys - if [ $? -eq 0 ]; then - found=yes - # wait for ssh to come up - sleep 10 +# Setup root password +printf "${root_password}\n${root_password}\n" | passwd +EOF + + echo "Submit to user the root password = ${root_password}" + +} + +for stage in $(seq 1 5);do + if echo $stages | grep -q $stage; then + eval stage${stage} fi done - -if [ ! 
"$found" ]; then - echo "Did not find updated viirb - debug / restart it" - exit 1 -fi - -exit 0
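Review bot: `eval stage${stage}` in the dispatch loop at the end of the hunk is unnecessary and routes the user-supplied `stages` value through a second round of shell parsing; a direct call `"stage${stage}"` does the same job, and `echo "$stages" | grep -qw -- "$stage"` keeps the membership test to whole words rather than substrings. Separately, the remote here-doc in stage5 uses the password as the printf format string, `printf "${root_password}\n${root_password}\n" | passwd`; `printf '%s\n%s\n' "${root_password}" "${root_password}" | passwd` keeps a `%` or `\` in a generated value from being interpreted. The same hunk prints the password with `echo "Submit to user the root password = ${root_password}"` while `set -x` from the first hunk is still active, so it lands in the trace output as well as stdout. The rendering of this hunk appears to have lost text between `<` and `>` (e.g. `cat </dev/null || true`), so the here-doc boundaries and the removed `set -e` could not be checked against the surrounding code.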