From 6d8c93b54cb5d7c1928331351ce2a2c84c8d743c Mon Sep 17 00:00:00 2001
From: Nico Schottelius
Date: Sat, 1 Aug 2020 12:26:17 +0200
Subject: [PATCH] iHmm?

Signed-off-by: Nico Schottelius
---
 viirb-2-configure-fully-after-upgrade.sh | 4 +
 viirb-setup-all.sh | 391 -----------------------
 2 files changed, 4 insertions(+), 391 deletions(-)
 delete mode 100755 viirb-setup-all.sh

diff --git a/viirb-2-configure-fully-after-upgrade.sh b/viirb-2-configure-fully-after-upgrade.sh
index 161b39d..f92a13c 100755
--- a/viirb-2-configure-fully-after-upgrade.sh
+++ b/viirb-2-configure-fully-after-upgrade.sh
@@ -63,7 +63,10 @@ uci delete dhcp.lan.leasetime
 # Do not announce ULA - we have GUA
 uci delete network.globals.ula_prefix
+# This is configuring the dhcp IPv4 client
 uci set dhcp.lan=dhcp
+
+# Setup Router Advertisements
 uci set dhcp.lan.interface='lanv6'
 uci set dhcp.lan.ra='server'
 uci set dhcp.lan.dynamicdhcp='0'
@@ -114,6 +117,7 @@ uci delete wireless.radio0.disabled
 # This is temporary - keeping it until the config process is through
 # Probably not needet - we can connect to the final IPv6 address!
+# This code commented out == The address vanishes due to above reconfiguration
 # uci set network.lanv4temp=interface
 # uci set network.lanv4temp.proto='static'
 # uci set network.lanv4temp.ifname='br-lan'
diff --git a/viirb-setup-all.sh b/viirb-setup-all.sh
deleted file mode 100755
index 63286cb..0000000
--- a/viirb-setup-all.sh
+++ /dev/null
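Review bot: The added comment `# This is configuring the dhcp IPv4 client` above `uci set dhcp.lan=dhcp` looks inaccurate. In OpenWrt's dhcp config a section of type `dhcp` describes what dnsmasq/odhcpd serve on an interface, not a client. The context lines after it bind the section to `lanv6`, set `ra='server'` and set `dynamicdhcp='0'`, so a wording such as `# (Re)create the dhcp.lan server section: RA on lanv6, no dynamic DHCP leases` would match what is configured. Anyone auditing what this box announces on the LAN will rely on these comments. The rest of the script is outside the hunk, so further dhcp.lan options may be set elsewhere.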
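Review bot: The new line `# This code commented out == The address vanishes due to above reconfiguration` in the second hunk is hard to parse and does not say which address is lost or what the operator should do about it. If the intent is that the initial IPv4 management address disappears once the reconfiguration above is applied, say so directly, e.g. `# With the block below disabled, the initial IPv4 address is gone after the reconfiguration above; the box is then reachable only via its final IPv6 address`. That makes the lock-out condition explicit: if the IPv6 setup fails, there appears to be no fallback path to the device. The disabled `lanv4temp` block continues past the end of the hunk; consider either deleting it or keeping it with a note on when to re-enable it.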
@@ -1,391 +0,0 @@ -#!/bin/sh -# 2020-06-13, Nico Schottelius -# See https://ungleich.ch/u/products/viirb-ipv6-box/ - -if [ $# -lt 4 ]; then - echo "$0 interface viirb-id your-dot-cdist [stages]" - echo " interface to add the config ip address to" - echo " viirb-id: number in decimal format" - echo " your-dot-cdist: path to YOUR ungleich-dot-cdist repo" - echo " owner-mail-reference: How to identify the owner" - echo " stages: define which stages to execute" - echo "" - echo " stage1: setup your host, check connection to VIIRB" - echo " stage2: flash latest openwrt onto the VIIRB" - echo " stage3: configure the vpn endpoint" - echo " stage4: configure the VIIRB with wireguard + settings" - echo " stage5: Verify VIIRB on VPN, cleanup VIIRB" - echo "" - echo "Example to configure viirb02:" - echo "$0 wlan0 2 ~/vcs/ungleich-dot-cdist 'Nico Schottelius, nico.schottelius@ungleich.ch, Ticket 2342'" - echo "$0 wlan0 2 ~/vcs/ungleich-dot-cdist 'Nico Schottelius, nico.schottelius@ungleich.ch, Ticket 2342' '1 3 4'" - exit 1 -fi - -echo "FIXME: missing IPv6 announcements on LAN" -echo "FIXME: DNS situation: upstream, non upstream, ungleich, how to resolve tunnel endpoint" - -set -x - -set -x -dev=$1; shift -id=$1; shift -dot_cdist=$1; shift -owner=$1; shift - -if [ $# -ge 1 ]; then - stages=$1; shift -else - stages="1 2 3 4 5" -fi - -hex_id=$(printf "%0.2x\n" "$id") -viirb_hostname=viirb${hex_id} - -prefix_base=2a0a:e5c1:3 -my_prefix=${prefix_base}${hex_id} -my_network=${my_prefix}::/48 - -my_wireguard_ip=${my_prefix}::42 -my_lan_ip=${my_prefix}:cafe::42 -my_wifi_ip=${my_prefix}:7ea::42 - -# openwrt -version=19.07.3 -filename=openwrt-${version}-ramips-mt76x8-vocore2-squashfs-sysupgrade.bin - -# root password -root_password=$(pwgen -1 32) - -# IP address for setting it up initially -viirb_ip=192.168.61.1 - -# wireguard -private_key=$(wg genkey) -public_key=$(echo $private_key | wg pubkey) - -vpn_endpoint_host=vpn-2a0ae5c1300.ungleich.ch 
-vpn_endpoint_pubkey=ft68G2RID7gZ6PXjFCSCOdJ9yspRg+tUw0YrNK9cTxE= - -# cdist -dot_cdist_files=${dot_cdist}/type/__ungleich_wireguard/files -peerfilename=${vpn_endpoint_host}.peer${hex_id} -peerfile=${dot_cdist_files}/${peerfilename} -vpnconfig=${dot_cdist_files}/${vpn_endpoint_host} - -################################################################################ -# Stage 1: test / connect to the new VIIRB -# -# We delete so that we can run idempotent -stage1() -{ - sudo ip addr del 192.168.61.2/24 dev "$dev" 2>/dev/null || true - sudo ip addr add 192.168.61.2/24 dev "$dev" - - # don't care about other/old known_host entries - ssh-keygen -R ${viirb_ip} - - ping -c2 ${viirb_ip} - if [ $? -ne 0 ]; then - echo "Cannot reach any VIIRB - exiting" - exit 1 - fi - - cat ~/.ssh/id_rsa.pub | ssh root@${viirb_ip} "cat > /etc/dropbear/authorized_keys" -} - - - -################################################################################ -# Get latest OpenWRT & flash it -stage2() -{ - # Don't re-download if we already have it - wget -c http://downloads.openwrt.org/releases/${version}/targets/ramips/mt76x8/${filename} - scp ${filename} root@${viirb_ip}:/tmp - ssh root@${viirb_ip} "sysupgrade /tmp/*.bin" - - # It still pings for some time - wait for the reboot to happen - echo "Waiting for VIIRB to disappear" - sleep 15 - - wait=0 - found="" - - while [ $wait -lt 180 ]; do - ping -c1 ${viirb_ip} >/dev/null - - if [ $? -eq 0 ]; then - found=yes - # wait for ssh to come up - sleep 10 - break - fi - - sleep 1 - wait=$((wait+1)) - done - - if [ ! 
"$found" ]; then - echo "Did not find updated viirb - debug / restart it" - exit 1 - fi - -} - - -################################################################################ -# Stage 3: prepare VPN endpoint -# - -stage3() -{ - - # Configure VPN server / update cdist - echo Updating VPNserver - cat < ${peerfile} -# ${viirb_hostname} ${owner} -[Peer] -PublicKey = ${public_key} -AllowedIPs = ${my_network} - -EOF - - # Generate real config - cat ${dot_cdist_files}/${vpn_endpoint_host}.* > ${vpnconfig} - cd ${dot_cdist_files} - git add ${vpn_endpoint_host} ${peerfilename} - git commit -m "[vpn] Updated config for peer ${viirb_hostname} ${my_network}" - git pull - git push - - cdist config -vv -j8 ${vpn_endpoint_host} -c ${dot_cdist} -} - -################################################################################ -# Stage 4: configure the VIIRB -# -stage4() -{ - - cat </dev/null - - if [ $? -eq 0 ]; then - found=yes - break - fi - sleep 1 - wait=$((wait+1)) - done - - if [ ! "$found" ]; then - echo "Cannot reach VIIRB via VPN - check manually" - exit 1 - fi - - echo "Cleanup process." - echo "Set the root password when prompted to: ${root_password}" - - # VPN works, remove artefacts, set correct DNS servers that support DNS64 - cat <