Integrate LEDE image builder

doc/overlay/etc/hotplug.d/iface/50-certidude

@@ -0,0 +1,197 @@
+#!/bin/sh
+
+# To paste, press Ctrl-D to finish: cat > /etc/hotplug.d/iface/50-certidude
+# To test: ACTION=ifup INTERFACE=wan sh /etc/hotplug.d/iface/50-certidude
+
+# TODO: renewal
+
+[ $ACTION == "ifup" ] || exit 0
+[ $INTERFACE == "wan" ] || exit 0
+
+# TODO: iterate over all authorities
+
+AUTHORITY=certidude.@authority[0]
+URL=$(uci get $AUTHORITY.url)
+GATEWAY=$(uci get $AUTHORITY.gateway)
+
+COMMON_NAME=$(uci get $AUTHORITY.common_name)
+if [ $? -ne 0 ]; then
+     COMMON_NAME=$(uci get system.@system[0].hostname)
+fi
+
+KEY_PATH=$(uci get $AUTHORITY.key_path)
+KEY_TYPE=$(uci get $AUTHORITY.key_type)
+KEY_LENGTH=$(uci get $AUTHORITY.key_length)
+
+CERTIFICATE_PATH=$(uci get $AUTHORITY.certificate_path)
+REQUEST_PATH=$(uci get $AUTHORITY.request_path)
+AUTHORITY_PATH=$(uci get $AUTHORITY.authority_path)
+
+RED_LED=/sys/class/leds/$(uci get $AUTHORITY.red_led)
+GREEN_LED=/sys/class/leds/$(uci get $AUTHORITY.green_led)
+
+NTP_SERVERS=$(uci get system.ntp.server)
+
+logger -t certidude -s "Fetching time from NTP servers: $NTP_SERVERS"
+ntpd -q -n -d -p $NTP_SERVERS
+
+logger -t certidude -s "Time is now: $(date)"
+
+# If certificate file is there assume everything's set up
+if [ -f $CERTIFICATE_PATH ]; then
+    SERIAL=$(openssl x509 -in $CERTIFICATE_PATH -noout -serial | cut -d "=" -f 2 | tr [A-F] [a-f])
+    logger -t certidude -s "Certificate with serial $SERIAL already exists, attempting to bring up IPsec tunnel..."
+    ipsec up client-to-site
+    exit 0
+fi
+
+# Turn green off and red on
+if [ -d $GREEN_LED ] && [ -d $RED_LED ]; then
+    echo timer > $GREEN_LED/trigger
+    echo 100 | tee $GREEN_LED/delay_*
+    echo none > $RED_LED/trigger
+fi
+
+
+#########################################
+### Generate private key if necessary ###
+#########################################
+
+if [ ! -f $KEY_PATH ]; then
+    KEY_TEMP=$(mktemp -u)
+
+    logger -t certidude -s "Generating RSA key for IPsec..."
+    if [ -d $GREEN_LED ]; then
+        echo 250 | tee $GREEN_LED/delay_*
+    fi
+
+    openssl gen$KEY_TYPE -out $KEY_TEMP $KEY_LENGTH
+    chmod 0600 $KEY_TEMP
+    mv $KEY_TEMP $KEY_PATH
+fi
+
+
+############################
+### Fetch CA certificate ###
+############################
+
+if [ ! -f $AUTHORITY_PATH ]; then
+    AUTHORITY_TEMP=$(mktemp -u)
+
+    logger -t certidude -s "Fetching CA certificate from $URL/api/certificate/"
+    curl -f -s $URL/api/certificate/ > $AUTHORITY_TEMP
+    if [ $? -ne 0 ]; then
+        logger -t certidude -s "Failed to receive CA certificate, server responded: $(cat $AUTHORITY_TEMP)"
+
+        if [ -d $GREEN_LED ] && [ -d $RED_LED ]; then
+            echo none > $GREEN_LED/trigger
+            echo timer > $RED_LED/trigger
+            echo 100 | tee $RED_LED/delay_*
+        fi
+
+        exit 10
+    fi
+
+    openssl x509 -in $AUTHORITY_TEMP -noout
+    if [ $? -ne 0 ]; then
+        logger -t certidude -s "Received invalid CA certificate"
+
+        if [ -d $GREEN_LED ] && [ -d $RED_LED ]; then
+            echo none > $GREEN_LED/trigger
+            echo timer > $RED_LED/trigger
+            echo 250 | tee $RED_LED/delay_*
+        fi
+
+        exit 11
+    fi
+
+    mv $AUTHORITY_TEMP $AUTHORITY_PATH
+fi
+
+logger -t certidude -s "CA certificate md5sum: $(md5sum -b $AUTHORITY_PATH)"
+
+
+#####################################
+### Generate request if necessary ###
+#####################################
+
+if [ ! -f $REQUEST_PATH ]; then
+    REQUEST_TEMP=$(mktemp -u)
+    openssl req -new -sha256 -key $KEY_PATH -out $REQUEST_TEMP -subj "/CN=$COMMON_NAME"
+    mv $REQUEST_TEMP $REQUEST_PATH
+fi
+
+logger -t certidude -s "Request md5sum is $(md5sum -b $REQUEST_PATH)"
+
+# Wait for certificate
+if [ -d $GREEN_LED ]; then
+    echo 500 | tee $GREEN_LED/delay_*
+fi
+
+CERTIFICATE_TEMP=$(mktemp -u)
+
+curl -f -L \
+    -H "Content-Type: application/pkcs10" \
+    --data-binary @$REQUEST_PATH \
+    $URL/api/request/?autosign=true\&wait=yes > $CERTIFICATE_TEMP
+
+# TODO: Loop until we get exitcode 0
+# TODO: Use backoff time $((2\*X))
+
+if [ $? -ne 0 ]; then
+    echo "Failed to fetch certificate"
+
+    if [ -d $GREEN_LED ] && [ -d $RED_LED ]; then
+        echo none > $GREEN_LED/trigger
+        echo timer > $RED_LED/trigger
+        echo 500 | tee $RED_LED/delay_*
+    fi
+
+    exit 21
+fi
+
+# Verify certificate
+openssl verify -CAfile $AUTHORITY_PATH $CERTIFICATE_TEMP
+
+if [ $? -ne 0 ]; then
+    logger -t certidude -s "Received bogus certificate!"
+
+    if [ -d $GREEN_LED ] && [ -d $RED_LED ]; then
+        echo none > $GREEN_LED/trigger
+        echo timer > $RED_LED/trigger
+        echo 1000 | tee $RED_LED/delay_*
+    fi
+
+    exit 22
+fi
+
+logger -t certidude -s "Certificate md5sum: $(md5sum -b $CERTIFICATE_TEMP)"
+
+
+
+
+###################################
+### Generate /etc/ipsec.secrets ###
+###################################
+
+SECRETS_TEMP=$(mktemp -u)
+
+for filename in /etc/ipsec.d/private/*.pem; do
+    echo ": RSA $filename" >> $SECRETS_TEMP
+done
+
+uci commit
+
+mv $SECRETS_TEMP /etc/ipsec.secrets
+mv $IPSEC_TEMP /etc/ipsec.conf
+mv $CERTIFICATE_TEMP $CERTIFICATE_PATH
+
+# Enable services
+/etc/init.d/ipsec enable
+
+# Restart services
+/etc/init.d/ipsec restart
+
+sleep 2
+
+ipsec up client-to-site

doc/overlay/etc/profile

@@ -0,0 +1,32 @@
+#!/bin/sh
+[ -f /etc/banner ] && cat /etc/banner
+[ -e /tmp/.failsafe ] && cat /etc/banner.failsafe
+
+export PATH=/usr/bin:/usr/sbin:/bin:/sbin
+export HOME=$(grep -e "^${USER:-root}:" /etc/passwd | cut -d ":" -f 6)
+export HOME=${HOME:-/root}
+export PS1='\u@\h:\w\$ '
+
+[ -z "$KSH_VERSION" -o \! -s /etc/mkshrc ] || . /etc/mkshrc
+[ -x /bin/more ] || alias more=less
+[ -x /usr/bin/vim ] && alias vi=vim || alias vim=vi
+[ -x /usr/bin/arp ] || arp() { cat /proc/net/arp; }
+[ -x /usr/bin/ldd ] || ldd() { LD_TRACE_LOADED_OBJECTS=1 $*; }
+
+HOSTNAME=$(uci get system.@system[0].hostname)
+DOMAIN=$(uci -q get dhcp.@dnsmasq[0].domain)
+
+if [ $? -eq 0 ]; then
+    FQDN=$HOSTNAME.$DOMAIN
+else
+    FQDN=$HOSTNAME
+fi
+
+export PS1='\[\033[01;31m\]$FQDN\[\033[01;34m\] \W #\[\033[00m\] '
+case "$TERM" in
+    xterm*|rxvt*)
+        echo -ne "\033]0;${USER}@${FQDN}:${PWD}\007"
+    ;;
+    *)
+    ;;
+esac

doc/overlay/etc/uci-defaults/40-hostname

@@ -0,0 +1,21 @@
+MODEL=$(cat /etc/board.json | jsonfilter -e '@["model"]["id"]')
+
+# Hostname prefix
+case $MODEL in
+    tl-*|archer-*)  VENDOR=tplink ;;
+    cf-*) VENDOR=comfast ;;
+    *) VENDOR=ap ;;
+esac
+
+# Network interface with relevant MAC address
+case $MODEL in
+    tl-wdr*) NIC=wlan1 ;;
+    archer-*)  NIC=eth1 ;;
+    cf-e380ac-v2) NIC=eth0 ;;
+    *) NIC=wlan0 ;;
+esac
+
+HOSTNAME=$VENDOR-$(cat /sys/class/net/$NIC/address | cut -d : -f 4- | sed -e 's/://g')
+uci set system.@system[0].hostname=$HOSTNAME
+uci set network.lan.hostname=$HOSTNAME
+

doc/overlay/etc/uci-defaults/50-access-point

@@ -0,0 +1,66 @@
+# Disable DHCP servers
+/etc/init.d/odhcpd disable
+/etc/init.d/dnsmasq disable
+
+# Remove firewall rules since AP bridges ethernet to wireless anyway
+uci delete firewall.@zone[1]
+uci delete firewall.@zone[0]
+uci delete firewall.@forwarding[0]
+for j in $(seq 0 10); do uci delete firewall.@rule[0]; done
+
+# Remove WAN interface
+uci delete network.wan
+uci delete network.wan6
+
+# Reconfigure DHCP client for bridge over LAN and WAN ports
+uci delete network.lan.ipaddr
+uci delete network.lan.netmask
+uci delete network.lan.ip6assign
+uci delete network.globals.ula_prefix
+uci delete network.@switch_vlan[1]
+uci delete dhcp.@dnsmasq[0].domain
+uci set network.lan.proto=dhcp
+uci set network.lan.ipv6=0
+uci set network.lan.ifname='eth0'
+uci set network.lan.stp=1
+
+# Radio ordering differs among models
+case $(uci get wireless.radio0.hwmode) in
+    11a) uci rename wireless.radio0=radio5ghz;;
+    11g) uci rename wireless.radio0=radio2ghz;;
+esac
+case $(uci get wireless.radio1.hwmode) in
+    11a) uci rename wireless.radio1=radio5ghz;;
+    11g) uci rename wireless.radio1=radio2ghz;;
+esac
+
+# Reset virtual SSID-s
+uci delete wireless.@wifi-iface[1]
+uci delete wireless.@wifi-iface[0]
+
+# Pseudorandomize channel selection, should work with 80MHz on 5GHz band
+case $(uci get system.@system[0].hostname | md5sum) in
+   1*|2*|3*|4*) uci set wireless.radio2ghz.channel=1; uci set wireless.radio5ghz.channel=36 ;;
+   5*|6*|7*|8*) uci set wireless.radio2ghz.channel=5; uci set wireless.radio5ghz.channel=52 ;;
+   9*|0*|a*|b*) uci set wireless.radio2ghz.channel=9; uci set wireless.radio5ghz.channel=100 ;;
+   c*|d*|e*|f*) uci set wireless.radio2ghz.channel=13; uci set wireless.radio5ghz.channel=132 ;;
+esac
+
+# Create bridge for guests
+uci set network.guest=interface
+uci set network.guest.proto='static'
+uci set network.guest.address='0.0.0.0'
+uci set network.guest.type='bridge'
+uci set network.guest.ifname='eth0.156' # tag id 156 for guest network
+uci set network.guest.ipaddr='0.0.0.0'
+uci set network.guest.ipv6=0
+uci set network.guest.stp=1
+
+# Disable switch tagging and bridge all ports on TP-Link WDR3600/WDR4300
+case $(cat /etc/board.json | jsonfilter -e '@["model"]["id"]') in
+    tl-wdr*)
+        uci set network.@switch[0].enable_vlan=0
+        uci set network.@switch_vlan[0].ports='0 1 2 3 4 5 6'
+    ;;
+    *) ;;
+esac