Cleaned up LEDE image builder scripts

doc/builder/ap.sh

@@ -0,0 +1,119 @@
+#!/bin/bash
+
+source common.sh
+
+uci set certidude.@authority[0].trigger=lan
+
+cat << \EOF > $OVERLAY/etc/uci-defaults/40-hostname
+
+MODEL=$(cat /etc/board.json | jsonfilter -e '@["model"]["id"]')
+
+# Hostname prefix
+case $MODEL in
+    tl-*|archer-*)  VENDOR=tplink ;;
+    cf-*) VENDOR=comfast ;;
+    *) VENDOR=ap ;;
+esac
+
+# Network interface with relevant MAC address
+case $MODEL in
+    tl-wdr*) NIC=wlan1 ;;
+    archer-*)  NIC=eth1 ;;
+    cf-e380ac-v2) NIC=eth0 ;;
+    *) NIC=wlan0 ;;
+esac
+
+HOSTNAME=$VENDOR-$(cat /sys/class/net/$NIC/address | cut -d : -f 4- | sed -e 's/://g')
+uci set system.@system[0].hostname=$HOSTNAME
+uci set network.lan.hostname=$HOSTNAME
+
+EOF
+
+cat << \EOF > $OVERLAY/etc/uci-defaults/50-access-point
+
+# Remove firewall rules since AP bridges ethernet to wireless anyway
+uci delete firewall.@zone[1]
+uci delete firewall.@zone[0]
+uci delete firewall.@forwarding[0]
+for j in $(seq 0 10); do uci delete firewall.@rule[0]; done
+
+# Remove WAN interface
+uci delete network.wan
+uci delete network.wan6
+
+# Reconfigure DHCP client for bridge over LAN and WAN ports
+uci delete network.lan.ipaddr
+uci delete network.lan.netmask
+uci delete network.lan.ip6assign
+uci delete network.globals.ula_prefix
+uci delete network.@switch_vlan[1]
+uci delete dhcp.@dnsmasq[0].domain
+uci set network.lan.proto=dhcp
+uci set network.lan.ipv6=0
+uci set network.lan.ifname='eth0'
+uci set network.lan.stp=1
+
+# Radio ordering differs among models
+case $(uci get wireless.radio0.hwmode) in
+    11a) uci rename wireless.radio0=radio5ghz;;
+    11g) uci rename wireless.radio0=radio2ghz;;
+esac
+case $(uci get wireless.radio1.hwmode) in
+    11a) uci rename wireless.radio1=radio5ghz;;
+    11g) uci rename wireless.radio1=radio2ghz;;
+esac
+
+# Reset virtual SSID-s
+uci delete wireless.@wifi-iface[1]
+uci delete wireless.@wifi-iface[0]
+
+# Pseudorandomize channel selection, should work with 80MHz on 5GHz band
+case $(uci get system.@system[0].hostname | md5sum) in
+   1*|2*|3*|4*) uci set wireless.radio2ghz.channel=1; uci set wireless.radio5ghz.channel=36 ;;
+   5*|6*|7*|8*) uci set wireless.radio2ghz.channel=5; uci set wireless.radio5ghz.channel=52 ;;
+   9*|0*|a*|b*) uci set wireless.radio2ghz.channel=9; uci set wireless.radio5ghz.channel=100 ;;
+   c*|d*|e*|f*) uci set wireless.radio2ghz.channel=13; uci set wireless.radio5ghz.channel=132 ;;
+esac
+
+# Create bridge for guests
+uci set network.guest=interface
+uci set network.guest.proto='static'
+uci set network.guest.address='0.0.0.0'
+uci set network.guest.type='bridge'
+uci set network.guest.ifname='eth0.156' # tag id 156 for guest network
+uci set network.guest.ipaddr='0.0.0.0'
+uci set network.guest.ipv6=0
+uci set network.guest.stp=1
+
+# Add VPN interface for IPSec
+uci set network.vpn=interface
+uci set network.vpn.ifname='ipsec0'
+uci set network.vpn.proto='none'
+
+uci set firewall.vpn=zone
+uci set firewall.vpn.name="vpn"
+uci set firewall.vpn.input="ACCEPT"
+uci set firewall.vpn.forward="ACCEPT"
+uci set firewall.vpn.output="ACCEPT"
+uci set firewall.vpn.network="vpn"
+
+# Disable switch tagging and bridge all ports on TP-Link WDR3600/WDR4300
+case $(cat /etc/board.json | jsonfilter -e '@["model"]["id"]') in
+    tl-wdr*|archer*)
+        uci set network.@switch[0].enable_vlan=0
+        uci set network.@switch_vlan[0].ports='0 1 2 3 4 5 6'
+    ;;
+    *) ;;
+esac
+
+EOF
+
+make -C $BUILD/$BASENAME image FILES=$OVERLAY PROFILE=$PROFILE PACKAGES="luci luci-app-commands \
+    openssl-util curl ca-certificates \
+    strongswan-mod-kernel-libipsec kmod-tun ip-full strongswan-full \
+    htop iftop tcpdump nmap nano -odhcp6c -odhcpd -dnsmasq \
+    -luci-app-firewall \
+    -pppd -luci-proto-ppp -kmod-ppp -ppp -ppp-mod-pppoe \
+    -kmod-ip6tables -ip6tables -luci-proto-ipv6 -kmod-iptunnel6 -kmod-ipsec6"
+
+

doc/builder/common.sh

@@ -0,0 +1,76 @@
+#!/bin/bash
+
+set -e
+set -x
+umask 022
+
+VERSION=17.01.4
+BASENAME=lede-imagebuilder-$VERSION-ar71xx-generic.Linux-x86_64
+FILENAME=$BASENAME.tar.xz
+URL=http://downloads.lede-project.org/releases/$VERSION/targets/ar71xx/generic/$FILENAME
+
+if [ ! -e $BUILD/$FILENAME ]; then
+    wget -q $URL -O $BUILD/$FILENAME
+fi
+
+if [ ! -e $BUILD/$BASENAME ]; then
+    tar xf $BUILD/$FILENAME -C $BUILD
+fi
+
+# Copy CA certificate
+AUTHORITY=$(hostname -f)
+CERTIDUDE_DIR=/var/lib/certidude/$AUTHORITY
+
+mkdir -p $OVERLAY/etc/config
+mkdir -p $OVERLAY/etc/uci-defaults
+mkdir -p $OVERLAY/etc/certidude/authority/$AUTHORITY
+cp /var/lib/certidude/$AUTHORITY/ca_cert.pem $OVERLAY/etc/certidude/authority/$AUTHORITY/
+
+cat <<EOF > $OVERLAY/etc/config/certidude
+
+config authority
+    option gateway router.k-space.ee
+    option url http://$AUTHORITY
+    option trigger wan
+    option authority_path /etc/certidude/authority/$AUTHORITY/ca_cert.pem
+    option request_path /etc/certidude/authority/$AUTHORITY/client_req.pem
+    option certificate_path /etc/certidude/authority/$AUTHORITY/client_cert.pem
+    option key_path /etc/certidude/authority/$AUTHORITY/client_key.pem
+    option key_type rsa
+    option key_length 2048
+
+EOF
+
+cat << EOF > $OVERLAY/etc/uci-defaults/40-disable-ipsec
+/etc/init.d/ipsec disable
+EOF
+
+
+
+cat << EOF > $OVERLAY/etc/ipsec.secrets
+: RSA /etc/certidude/authority/$AUTHORITY/client_key.pem
+EOF
+
+cat << EOF > $OVERLAY/etc/ipsec.conf
+
+config setup
+
+ca $AUTHORITY
+	cacert=/etc/certidude/authority/$AUTHORITY/ca_cert.pem
+	auto=add
+
+conn router.k-space.ee
+	right=router.k-space.ee
+	dpdaction=restart
+	auto=start
+	rightsubnet=0.0.0.0/0
+	rightid=%any
+	leftsourceip=%config
+	keyexchange=ikev2
+	closeaction=restart
+	leftcert=/etc/certidude/authority/$AUTHORITY/client_cert.pem
+	left=%defaultroute
+
+EOF
+
+

doc/builder/ipcam.sh

@@ -0,0 +1,43 @@
+#!/bin/bash
+
+. common.sh
+
+cat << \EOF > $OVERLAY/etc/uci-defaults/40-hostname
+
+HOSTNAME=cam-$(cat /sys/class/net/eth0/address | cut -d : -f 4- | sed -e 's/://g')
+uci set system.@system[0].hostname=$HOSTNAME
+uci set network.wan.hostname=$HOSTNAME
+
+EOF
+
+touch $OVERLAY/etc/config/wireless
+
+cat << EOF > $OVERLAY/etc/uci-defaults/50-ipcam
+
+uci delete network.lan
+uci delete network.wan6
+
+uci set network.vpn=interface
+uci set network.vpn.ifname='ipsec0'
+uci set network.vpn.proto='none'
+uci set firewall.@zone[0].network=vpn
+uci delete firewall.@forwarding[0]
+
+uci set mjpg-streamer.core.enabled=1
+uci set mjpg-streamer.core.quality=''
+uci set mjpg-streamer.core.resolution='1280x720'
+uci delete mjpg-streamer.core.username
+uci delete mjpg-streamer.core.password
+
+uci certidude.@authority[0].red_led='gl-connect:red:wlan'
+uci certidude.@authority[0].green_led='gl-connect:green:lan'
+
+/etc/init.d/dropbear disable
+/etc/init.d/ipsec disable
+
+EOF
+
+
+make -C $BUILD/$BASENAME image FILES=$OVERLAY PROFILE=$PROFILE PACKAGES="openssl-util curl ca-certificates strongswan-full htop \
+    iftop tcpdump nmap nano mtr patch diffutils ipset usbutils luci luci-app-mjpg-streamer kmod-video-uvc \
+    pciutils -dnsmasq -odhcpd -odhcp6c -kmod-ath9k picocom strongswan-mod-kernel-libipsec kmod-tun ip-full"

doc/builder/mfp.sh

@@ -0,0 +1,110 @@
+#!/bin/bash
+
+. common.sh
+
+cat << \EOF > $OVERLAY/etc/uci-defaults/40-hostname
+
+HOSTNAME=mfp-$(cat /sys/class/net/eth0/address | cut -d : -f 4- | sed -e 's/://g')
+uci set system.@system[0].hostname=$HOSTNAME
+uci set network.wan.hostname=$HOSTNAME
+
+EOF
+
+mkdir -p $OVERLAY/etc/config/
+touch $OVERLAY/etc/config/wireless
+
+cat << EOF > $OVERLAY/etc/uci-defaults/50-mfp
+
+# Disable rebind protection for DNS
+uci set dhcp.@dnsmasq[0].rebind_protection=0
+uci set dhcp.@dnsmasq[0].domain='mfp.lan'
+uci delete dhcp.@dnsmasq[0].local
+
+# Disable bridge for LAN since WiFi is disabled
+uci delete network.lan.type
+uci set dhcp.lan.limit=1
+
+uci set network.vpn=interface
+uci set network.vpn.ifname='ipsec0'
+uci set network.vpn.proto='none'
+
+uci set firewall.vpn=zone
+uci set firewall.vpn.name="vpn"
+uci set firewall.vpn.input="ACCEPT"
+uci set firewall.vpn.forward="ACCEPT"
+uci set firewall.vpn.output="ACCEPT"
+uci set firewall.vpn.network="vpn"
+
+uci set firewall.lan2vpn=forwarding
+uci set firewall.lan2vpn.src='lan'
+uci set firewall.lan2vpn.dest='vpn'
+
+uci add firewall redirect
+uci set firewall.@redirect[-1].name="Allow IPP on MFP"
+uci set firewall.@redirect[-1].src=vpn
+uci set firewall.@redirect[-1].src_dport=631
+uci set firewall.@redirect[-1].dest=lan
+uci set firewall.@redirect[-1].dest_ip=192.168.1.100
+uci set firewall.@redirect[-1].target=DNAT
+uci set firewall.@redirect[-1].proto=tcp
+
+uci add firewall redirect
+uci set firewall.@redirect[-1].name="Allow HTTP on MFP"
+uci set firewall.@redirect[-1].src=vpn
+uci set firewall.@redirect[-1].src_dport=80
+uci set firewall.@redirect[-1].dest=lan
+uci set firewall.@redirect[-1].dest_ip=192.168.1.100
+uci set firewall.@redirect[-1].target=DNAT
+uci set firewall.@redirect[-1].proto=tcp
+
+uci add firewall redirect
+uci set firewall.@redirect[-1].name="Allow HTTPS on MFP"
+uci set firewall.@redirect[-1].src=vpn
+uci set firewall.@redirect[-1].src_dport=443
+uci set firewall.@redirect[-1].dest=lan
+uci set firewall.@redirect[-1].dest_ip=192.168.1.100
+uci set firewall.@redirect[-1].target=DNAT
+uci set firewall.@redirect[-1].proto=tcp
+
+uci add firewall redirect
+uci set firewall.@redirect[-1].name="Allow JetDirect on MFP"
+uci set firewall.@redirect[-1].src=vpn
+uci set firewall.@redirect[-1].src_dport=9100
+uci set firewall.@redirect[-1].dest=lan
+uci set firewall.@redirect[-1].dest_ip=192.168.1.100
+uci set firewall.@redirect[-1].target=DNAT
+uci set firewall.@redirect[-1].proto=tcp
+uci set firewall.@redirect[-1].enabled=0
+
+uci add firewall redirect
+uci set firewall.@redirect[-1].name="Allow SNMP on MFP"
+uci set firewall.@redirect[-1].src=vpn
+uci set firewall.@redirect[-1].src_dport=161
+uci set firewall.@redirect[-1].dest=lan
+uci set firewall.@redirect[-1].dest_ip=192.168.1.100
+uci set firewall.@redirect[-1].target=DNAT
+uci set firewall.@redirect[-1].proto=udp
+uci set firewall.@redirect[-1].enabled=0
+
+uci add firewall redirect
+uci set firewall.@redirect[-1].name="Allow LPD on MFP"
+uci set firewall.@redirect[-1].src=vpn
+uci set firewall.@redirect[-1].src_dport=515
+uci set firewall.@redirect[-1].dest=lan
+uci set firewall.@redirect[-1].dest_ip=192.168.1.100
+uci set firewall.@redirect[-1].target=DNAT
+uci set firewall.@redirect[-1].proto=tcp
+uci set firewall.@redirect[-1].enabled=0
+
+uci set uhttpd.main.listen_http=0.0.0.0:8080
+
+/etc/init.d/dropbear disable
+
+EOF
+
+make -C $BUILD/$BASENAME image FILES=$OVERLAY PROFILE=$PROFILE PACKAGES="openssl-util curl ca-certificates htop \
+    iftop tcpdump nmap nano mtr patch diffutils ipset usbutils luci \
+    strongswan-mod-kernel-libipsec kmod-tun ip-full strongswan-full \
+    pciutils -odhcpd -odhcp6c -kmod-ath9k picocom libustream-openssl kmod-crypto-gcm"
+
+