Cleaned up LEDE image builder scripts

doc/builder/ap.sh

@@ -0,0 +1,119 @@
+#!/bin/bash
+
+source common.sh
+
+uci set certidude.@authority[0].trigger=lan
+
+cat << \EOF > $OVERLAY/etc/uci-defaults/40-hostname
+
+MODEL=$(cat /etc/board.json | jsonfilter -e '@["model"]["id"]')
+
+# Hostname prefix
+case $MODEL in
+    tl-*|archer-*)  VENDOR=tplink ;;
+    cf-*) VENDOR=comfast ;;
+    *) VENDOR=ap ;;
+esac
+
+# Network interface with relevant MAC address
+case $MODEL in
+    tl-wdr*) NIC=wlan1 ;;
+    archer-*)  NIC=eth1 ;;
+    cf-e380ac-v2) NIC=eth0 ;;
+    *) NIC=wlan0 ;;
+esac
+
+HOSTNAME=$VENDOR-$(cat /sys/class/net/$NIC/address | cut -d : -f 4- | sed -e 's/://g')
+uci set system.@system[0].hostname=$HOSTNAME
+uci set network.lan.hostname=$HOSTNAME
+
+EOF
+
+cat << \EOF > $OVERLAY/etc/uci-defaults/50-access-point
+
+# Remove firewall rules since AP bridges ethernet to wireless anyway
+uci delete firewall.@zone[1]
+uci delete firewall.@zone[0]
+uci delete firewall.@forwarding[0]
+for j in $(seq 0 10); do uci delete firewall.@rule[0]; done
+
+# Remove WAN interface
+uci delete network.wan
+uci delete network.wan6
+
+# Reconfigure DHCP client for bridge over LAN and WAN ports
+uci delete network.lan.ipaddr
+uci delete network.lan.netmask
+uci delete network.lan.ip6assign
+uci delete network.globals.ula_prefix
+uci delete network.@switch_vlan[1]
+uci delete dhcp.@dnsmasq[0].domain
+uci set network.lan.proto=dhcp
+uci set network.lan.ipv6=0
+uci set network.lan.ifname='eth0'
+uci set network.lan.stp=1
+
+# Radio ordering differs among models
+case $(uci get wireless.radio0.hwmode) in
+    11a) uci rename wireless.radio0=radio5ghz;;
+    11g) uci rename wireless.radio0=radio2ghz;;
+esac
+case $(uci get wireless.radio1.hwmode) in
+    11a) uci rename wireless.radio1=radio5ghz;;
+    11g) uci rename wireless.radio1=radio2ghz;;
+esac
+
+# Reset virtual SSID-s
+uci delete wireless.@wifi-iface[1]
+uci delete wireless.@wifi-iface[0]
+
+# Pseudorandomize channel selection, should work with 80MHz on 5GHz band
+case $(uci get system.@system[0].hostname | md5sum) in
+   1*|2*|3*|4*) uci set wireless.radio2ghz.channel=1; uci set wireless.radio5ghz.channel=36 ;;
+   5*|6*|7*|8*) uci set wireless.radio2ghz.channel=5; uci set wireless.radio5ghz.channel=52 ;;
+   9*|0*|a*|b*) uci set wireless.radio2ghz.channel=9; uci set wireless.radio5ghz.channel=100 ;;
+   c*|d*|e*|f*) uci set wireless.radio2ghz.channel=13; uci set wireless.radio5ghz.channel=132 ;;
+esac
+
+# Create bridge for guests
+uci set network.guest=interface
+uci set network.guest.proto='static'
+uci set network.guest.address='0.0.0.0'
+uci set network.guest.type='bridge'
+uci set network.guest.ifname='eth0.156' # tag id 156 for guest network
+uci set network.guest.ipaddr='0.0.0.0'
+uci set network.guest.ipv6=0
+uci set network.guest.stp=1
+
+# Add VPN interface for IPSec
+uci set network.vpn=interface
+uci set network.vpn.ifname='ipsec0'
+uci set network.vpn.proto='none'
+
+uci set firewall.vpn=zone
+uci set firewall.vpn.name="vpn"
+uci set firewall.vpn.input="ACCEPT"
+uci set firewall.vpn.forward="ACCEPT"
+uci set firewall.vpn.output="ACCEPT"
+uci set firewall.vpn.network="vpn"
+
+# Disable switch tagging and bridge all ports on TP-Link WDR3600/WDR4300
+case $(cat /etc/board.json | jsonfilter -e '@["model"]["id"]') in
+    tl-wdr*|archer*)
+        uci set network.@switch[0].enable_vlan=0
+        uci set network.@switch_vlan[0].ports='0 1 2 3 4 5 6'
+    ;;
+    *) ;;
+esac
+
+EOF
+
+make -C $BUILD/$BASENAME image FILES=$OVERLAY PROFILE=$PROFILE PACKAGES="luci luci-app-commands \
+    openssl-util curl ca-certificates \
+    strongswan-mod-kernel-libipsec kmod-tun ip-full strongswan-full \
+    htop iftop tcpdump nmap nano -odhcp6c -odhcpd -dnsmasq \
+    -luci-app-firewall \
+    -pppd -luci-proto-ppp -kmod-ppp -ppp -ppp-mod-pppoe \
+    -kmod-ip6tables -ip6tables -luci-proto-ipv6 -kmod-iptunnel6 -kmod-ipsec6"
+
+

doc/builder/common.sh

@@ -0,0 +1,76 @@
+#!/bin/bash
+
+set -e
+set -x
+umask 022
+
+VERSION=17.01.4
+BASENAME=lede-imagebuilder-$VERSION-ar71xx-generic.Linux-x86_64
+FILENAME=$BASENAME.tar.xz
+URL=http://downloads.lede-project.org/releases/$VERSION/targets/ar71xx/generic/$FILENAME
+
+if [ ! -e $BUILD/$FILENAME ]; then
+    wget -q $URL -O $BUILD/$FILENAME
+fi
+
+if [ ! -e $BUILD/$BASENAME ]; then
+    tar xf $BUILD/$FILENAME -C $BUILD
+fi
+
+# Copy CA certificate
+AUTHORITY=$(hostname -f)
+CERTIDUDE_DIR=/var/lib/certidude/$AUTHORITY
+
+mkdir -p $OVERLAY/etc/config
+mkdir -p $OVERLAY/etc/uci-defaults
+mkdir -p $OVERLAY/etc/certidude/authority/$AUTHORITY
+cp /var/lib/certidude/$AUTHORITY/ca_cert.pem $OVERLAY/etc/certidude/authority/$AUTHORITY/
+
+cat <<EOF > $OVERLAY/etc/config/certidude
+
+config authority
+    option gateway router.k-space.ee
+    option url http://$AUTHORITY
+    option trigger wan
+    option authority_path /etc/certidude/authority/$AUTHORITY/ca_cert.pem
+    option request_path /etc/certidude/authority/$AUTHORITY/client_req.pem
+    option certificate_path /etc/certidude/authority/$AUTHORITY/client_cert.pem
+    option key_path /etc/certidude/authority/$AUTHORITY/client_key.pem
+    option key_type rsa
+    option key_length 2048
+
+EOF
+
+cat << EOF > $OVERLAY/etc/uci-defaults/40-disable-ipsec
+/etc/init.d/ipsec disable
+EOF
+
+
+
+cat << EOF > $OVERLAY/etc/ipsec.secrets
+: RSA /etc/certidude/authority/$AUTHORITY/client_key.pem
+EOF
+
+cat << EOF > $OVERLAY/etc/ipsec.conf
+
+config setup
+
+ca $AUTHORITY
+	cacert=/etc/certidude/authority/$AUTHORITY/ca_cert.pem
+	auto=add
+
+conn router.k-space.ee
+	right=router.k-space.ee
+	dpdaction=restart
+	auto=start
+	rightsubnet=0.0.0.0/0
+	rightid=%any
+	leftsourceip=%config
+	keyexchange=ikev2
+	closeaction=restart
+	leftcert=/etc/certidude/authority/$AUTHORITY/client_cert.pem
+	left=%defaultroute
+
+EOF
+
+

doc/builder/ipcam.sh

@@ -0,0 +1,43 @@
+#!/bin/bash
+
+. common.sh
+
+cat << \EOF > $OVERLAY/etc/uci-defaults/40-hostname
+
+HOSTNAME=cam-$(cat /sys/class/net/eth0/address | cut -d : -f 4- | sed -e 's/://g')
+uci set system.@system[0].hostname=$HOSTNAME
+uci set network.wan.hostname=$HOSTNAME
+
+EOF
+
+touch $OVERLAY/etc/config/wireless
+
+cat << EOF > $OVERLAY/etc/uci-defaults/50-ipcam
+
+uci delete network.lan
+uci delete network.wan6
+
+uci set network.vpn=interface
+uci set network.vpn.ifname='ipsec0'
+uci set network.vpn.proto='none'
+uci set firewall.@zone[0].network=vpn
+uci delete firewall.@forwarding[0]
+
+uci set mjpg-streamer.core.enabled=1
+uci set mjpg-streamer.core.quality=''
+uci set mjpg-streamer.core.resolution='1280x720'
+uci delete mjpg-streamer.core.username
+uci delete mjpg-streamer.core.password
+
+uci certidude.@authority[0].red_led='gl-connect:red:wlan'
+uci certidude.@authority[0].green_led='gl-connect:green:lan'
+
+/etc/init.d/dropbear disable
+/etc/init.d/ipsec disable
+
+EOF
+
+
+make -C $BUILD/$BASENAME image FILES=$OVERLAY PROFILE=$PROFILE PACKAGES="openssl-util curl ca-certificates strongswan-full htop \
+    iftop tcpdump nmap nano mtr patch diffutils ipset usbutils luci luci-app-mjpg-streamer kmod-video-uvc \
+    pciutils -dnsmasq -odhcpd -odhcp6c -kmod-ath9k picocom strongswan-mod-kernel-libipsec kmod-tun ip-full"

doc/builder/mfp.sh

@@ -0,0 +1,110 @@
+#!/bin/bash
+
+. common.sh
+
+cat << \EOF > $OVERLAY/etc/uci-defaults/40-hostname
+
+HOSTNAME=mfp-$(cat /sys/class/net/eth0/address | cut -d : -f 4- | sed -e 's/://g')
+uci set system.@system[0].hostname=$HOSTNAME
+uci set network.wan.hostname=$HOSTNAME
+
+EOF
+
+mkdir -p $OVERLAY/etc/config/
+touch $OVERLAY/etc/config/wireless
+
+cat << EOF > $OVERLAY/etc/uci-defaults/50-mfp
+
+# Disable rebind protection for DNS
+uci set dhcp.@dnsmasq[0].rebind_protection=0
+uci set dhcp.@dnsmasq[0].domain='mfp.lan'
+uci delete dhcp.@dnsmasq[0].local
+
+# Disable bridge for LAN since WiFi is disabled
+uci delete network.lan.type
+uci set dhcp.lan.limit=1
+
+uci set network.vpn=interface
+uci set network.vpn.ifname='ipsec0'
+uci set network.vpn.proto='none'
+
+uci set firewall.vpn=zone
+uci set firewall.vpn.name="vpn"
+uci set firewall.vpn.input="ACCEPT"
+uci set firewall.vpn.forward="ACCEPT"
+uci set firewall.vpn.output="ACCEPT"
+uci set firewall.vpn.network="vpn"
+
+uci set firewall.lan2vpn=forwarding
+uci set firewall.lan2vpn.src='lan'
+uci set firewall.lan2vpn.dest='vpn'
+
+uci add firewall redirect
+uci set firewall.@redirect[-1].name="Allow IPP on MFP"
+uci set firewall.@redirect[-1].src=vpn
+uci set firewall.@redirect[-1].src_dport=631
+uci set firewall.@redirect[-1].dest=lan
+uci set firewall.@redirect[-1].dest_ip=192.168.1.100
+uci set firewall.@redirect[-1].target=DNAT
+uci set firewall.@redirect[-1].proto=tcp
+
+uci add firewall redirect
+uci set firewall.@redirect[-1].name="Allow HTTP on MFP"
+uci set firewall.@redirect[-1].src=vpn
+uci set firewall.@redirect[-1].src_dport=80
+uci set firewall.@redirect[-1].dest=lan
+uci set firewall.@redirect[-1].dest_ip=192.168.1.100
+uci set firewall.@redirect[-1].target=DNAT
+uci set firewall.@redirect[-1].proto=tcp
+
+uci add firewall redirect
+uci set firewall.@redirect[-1].name="Allow HTTPS on MFP"
+uci set firewall.@redirect[-1].src=vpn
+uci set firewall.@redirect[-1].src_dport=443
+uci set firewall.@redirect[-1].dest=lan
+uci set firewall.@redirect[-1].dest_ip=192.168.1.100
+uci set firewall.@redirect[-1].target=DNAT
+uci set firewall.@redirect[-1].proto=tcp
+
+uci add firewall redirect
+uci set firewall.@redirect[-1].name="Allow JetDirect on MFP"
+uci set firewall.@redirect[-1].src=vpn
+uci set firewall.@redirect[-1].src_dport=9100
+uci set firewall.@redirect[-1].dest=lan
+uci set firewall.@redirect[-1].dest_ip=192.168.1.100
+uci set firewall.@redirect[-1].target=DNAT
+uci set firewall.@redirect[-1].proto=tcp
+uci set firewall.@redirect[-1].enabled=0
+
+uci add firewall redirect
+uci set firewall.@redirect[-1].name="Allow SNMP on MFP"
+uci set firewall.@redirect[-1].src=vpn
+uci set firewall.@redirect[-1].src_dport=161
+uci set firewall.@redirect[-1].dest=lan
+uci set firewall.@redirect[-1].dest_ip=192.168.1.100
+uci set firewall.@redirect[-1].target=DNAT
+uci set firewall.@redirect[-1].proto=udp
+uci set firewall.@redirect[-1].enabled=0
+
+uci add firewall redirect
+uci set firewall.@redirect[-1].name="Allow LPD on MFP"
+uci set firewall.@redirect[-1].src=vpn
+uci set firewall.@redirect[-1].src_dport=515
+uci set firewall.@redirect[-1].dest=lan
+uci set firewall.@redirect[-1].dest_ip=192.168.1.100
+uci set firewall.@redirect[-1].target=DNAT
+uci set firewall.@redirect[-1].proto=tcp
+uci set firewall.@redirect[-1].enabled=0
+
+uci set uhttpd.main.listen_http=0.0.0.0:8080
+
+/etc/init.d/dropbear disable
+
+EOF
+
+make -C $BUILD/$BASENAME image FILES=$OVERLAY PROFILE=$PROFILE PACKAGES="openssl-util curl ca-certificates htop \
+    iftop tcpdump nmap nano mtr patch diffutils ipset usbutils luci \
+    strongswan-mod-kernel-libipsec kmod-tun ip-full strongswan-full \
+    pciutils -odhcpd -odhcp6c -kmod-ath9k picocom libustream-openssl kmod-crypto-gcm"
+
+

doc/overlay/etc/hotplug.d/iface/50-certidude

@@ -1,178 +0,0 @@
-#!/bin/sh
-
-# To paste, press Ctrl-D to finish: cat > /etc/hotplug.d/iface/50-certidude
-# To test: ACTION=ifup INTERFACE=wan sh /etc/hotplug.d/iface/50-certidude
-
-# TODO: renewal
-
-AUTHORITY=certidude.@authority[0]
-
-[ $ACTION == "ifup" ] || exit 0
-[ $INTERFACE == "$(uci get $AUTHORITY.trigger)" ] || exit 0
-
-# TODO: iterate over all authorities
-
-URL=$(uci get $AUTHORITY.url)
-GATEWAY=$(uci get $AUTHORITY.gateway)
-
-COMMON_NAME=$(uci get $AUTHORITY.common_name)
-if [ $? -ne 0 ]; then
-     COMMON_NAME=$(uci get system.@system[0].hostname)
-fi
-
-KEY_PATH=$(uci get $AUTHORITY.key_path)
-KEY_TYPE=$(uci get $AUTHORITY.key_type)
-KEY_LENGTH=$(uci get $AUTHORITY.key_length)
-
-CERTIFICATE_PATH=$(uci get $AUTHORITY.certificate_path)
-REQUEST_PATH=$(uci get $AUTHORITY.request_path)
-AUTHORITY_PATH=$(uci get $AUTHORITY.authority_path)
-
-RED_LED=/sys/class/leds/$(uci get $AUTHORITY.red_led)
-GREEN_LED=/sys/class/leds/$(uci get $AUTHORITY.green_led)
-
-NTP_SERVERS=$(uci get system.ntp.server)
-
-logger -t certidude -s "Fetching time from NTP servers: $NTP_SERVERS"
-ntpd -q -n -d -p $NTP_SERVERS
-
-logger -t certidude -s "Time is now: $(date)"
-
-# If certificate file is there assume everything's set up
-if [ -f $CERTIFICATE_PATH ]; then
-    SERIAL=$(openssl x509 -in $CERTIFICATE_PATH -noout -serial | cut -d "=" -f 2 | tr [A-F] [a-f])
-    logger -t certidude -s "Certificate with serial $SERIAL already exists in $CERTIFICATE_PATH, attempting to bring up VPN tunnel..."
-    /etc/init.d/openvpn start
-    /etc/init.d/ipsec start
-    exit 0
-fi
-
-# Turn green off and red on
-if [ -d $GREEN_LED ] && [ -d $RED_LED ]; then
-    echo timer > $GREEN_LED/trigger
-    echo 100 | tee $GREEN_LED/delay_*
-    echo none > $RED_LED/trigger
-fi
-
-
-#########################################
-### Generate private key if necessary ###
-#########################################
-
-if [ ! -f $KEY_PATH ]; then
-    KEY_TEMP=$(mktemp -u)
-
-    logger -t certidude -s "Generating RSA key for VPN..."
-    if [ -d $GREEN_LED ]; then
-        echo 250 | tee $GREEN_LED/delay_*
-    fi
-
-    openssl gen$KEY_TYPE -out $KEY_TEMP $KEY_LENGTH
-    chmod 0600 $KEY_TEMP
-    mv $KEY_TEMP $KEY_PATH
-fi
-
-
-############################
-### Fetch CA certificate ###
-############################
-
-if [ ! -f $AUTHORITY_PATH ]; then
-    AUTHORITY_TEMP=$(mktemp -u)
-
-    logger -t certidude -s "Fetching CA certificate from $URL/api/certificate/"
-    curl -f -s $URL/api/certificate/ > $AUTHORITY_TEMP
-    if [ $? -ne 0 ]; then
-        logger -t certidude -s "Failed to receive CA certificate, server responded: $(cat $AUTHORITY_TEMP)"
-
-        if [ -d $GREEN_LED ] && [ -d $RED_LED ]; then
-            echo none > $GREEN_LED/trigger
-            echo timer > $RED_LED/trigger
-            echo 100 | tee $RED_LED/delay_*
-        fi
-
-        exit 10
-    fi
-
-    openssl x509 -in $AUTHORITY_TEMP -noout
-    if [ $? -ne 0 ]; then
-        logger -t certidude -s "Received invalid CA certificate"
-
-        if [ -d $GREEN_LED ] && [ -d $RED_LED ]; then
-            echo none > $GREEN_LED/trigger
-            echo timer > $RED_LED/trigger
-            echo 250 | tee $RED_LED/delay_*
-        fi
-
-        exit 11
-    fi
-
-    mv $AUTHORITY_TEMP $AUTHORITY_PATH
-fi
-
-logger -t certidude -s "CA certificate md5sum: $(md5sum -b $AUTHORITY_PATH)"
-
-
-#####################################
-### Generate request if necessary ###
-#####################################
-
-if [ ! -f $REQUEST_PATH ]; then
-    REQUEST_TEMP=$(mktemp -u)
-    openssl req -new -sha256 -key $KEY_PATH -out $REQUEST_TEMP -subj "/CN=$COMMON_NAME"
-    mv $REQUEST_TEMP $REQUEST_PATH
-fi
-
-logger -t certidude -s "Request md5sum is $(md5sum -b $REQUEST_PATH)"
-
-# Wait for certificate
-if [ -d $GREEN_LED ]; then
-    echo 500 | tee $GREEN_LED/delay_*
-fi
-
-CERTIFICATE_TEMP=$(mktemp -u)
-
-curl -f -L \
-    -H "Content-Type: application/pkcs10" \
-    --data-binary @$REQUEST_PATH \
-    $URL/api/request/?autosign=true\&wait=yes > $CERTIFICATE_TEMP
-
-# TODO: Loop until we get exitcode 0
-# TODO: Use backoff time $((2\*X))
-
-if [ $? -ne 0 ]; then
-    echo "Failed to fetch certificate"
-
-    if [ -d $GREEN_LED ] && [ -d $RED_LED ]; then
-        echo none > $GREEN_LED/trigger
-        echo timer > $RED_LED/trigger
-        echo 500 | tee $RED_LED/delay_*
-    fi
-
-    exit 21
-fi
-
-# Verify certificate
-openssl verify -CAfile $AUTHORITY_PATH $CERTIFICATE_TEMP
-
-if [ $? -ne 0 ]; then
-    logger -t certidude -s "Received bogus certificate!"
-
-    if [ -d $GREEN_LED ] && [ -d $RED_LED ]; then
-        echo none > $GREEN_LED/trigger
-        echo timer > $RED_LED/trigger
-        echo 1000 | tee $RED_LED/delay_*
-    fi
-
-    exit 22
-fi
-
-logger -t certidude -s "Certificate md5sum: $(md5sum -b $CERTIFICATE_TEMP)"
-
-uci commit
-
-mv $CERTIFICATE_TEMP $CERTIFICATE_PATH
-
-# Restart services
-/etc/init.d/ipsec start
-/etc/init.d/openvpn start