mirror of
https://github.com/laurivosandi/certidude
synced 2024-11-16 18:06:44 +00:00
Lauri Võsandi
ce93fbb58b
* Improved offline install docs * Migrated token mechanism backend to SQL * Preliminary token mechanism frontend integration * Add clock skew tolerance for OCSP * Add 'ldap computer filter' support for Kerberized machine enroll * Include OCSP and CRL URL-s in certificates, controlled by profile.conf * Better certificate extension handling * Place DH parameters file in /etc/ssl/dhparam.pem * Always talk to CA over port 8443 for 'certidude enroll' * Hardened frontend nginx config * Separate log files for frontend nginx * Better provisioning heuristics * Add sample site.sh config for LEDE image builder * Add more device profiles for LEDE image builder * Various bugfixes and improvements
119 lines
3.7 KiB
Bash
119 lines
3.7 KiB
Bash
#!/bin/bash
|
|
|
|
source common.sh
|
|
|
|
sed -e 's/trigger wan/trigger lan/' -i $OVERLAY/etc/config/certidude
|
|
|
|
cat << \EOF > $OVERLAY/etc/uci-defaults/40-hostname
|
|
|
|
MODEL=$(cat /etc/board.json | jsonfilter -e '@["model"]["id"]')
|
|
|
|
# Hostname prefix
|
|
case $MODEL in
|
|
tl-*|archer-*) VENDOR=tplink ;;
|
|
cf-*) VENDOR=comfast ;;
|
|
*) VENDOR=ap ;;
|
|
esac
|
|
|
|
# Network interface with relevant MAC address
|
|
case $MODEL in
|
|
tl-wdr*) NIC=wlan1 ;;
|
|
archer-*) NIC=eth1 ;;
|
|
cf-e380ac-v2) NIC=eth0 ;;
|
|
*) NIC=wlan0 ;;
|
|
esac
|
|
|
|
HOSTNAME=$VENDOR-$(cat /sys/class/net/$NIC/address | cut -d : -f 4- | sed -e 's/://g')
|
|
uci set system.@system[0].hostname=$HOSTNAME
|
|
uci set network.lan.hostname=$HOSTNAME
|
|
|
|
EOF
|
|
|
|
cat << \EOF > $OVERLAY/etc/uci-defaults/50-access-point
|
|
|
|
# Remove firewall rules since AP bridges ethernet to wireless anyway
|
|
uci delete firewall.@zone[1]
|
|
uci delete firewall.@zone[0]
|
|
uci delete firewall.@forwarding[0]
|
|
for j in $(seq 0 10); do uci delete firewall.@rule[0]; done
|
|
|
|
# Remove WAN interface
|
|
uci delete network.wan
|
|
uci delete network.wan6
|
|
|
|
# Reconfigure DHCP client for bridge over LAN and WAN ports
|
|
uci delete network.lan.ipaddr
|
|
uci delete network.lan.netmask
|
|
uci delete network.lan.ip6assign
|
|
uci delete network.globals.ula_prefix
|
|
uci delete network.@switch_vlan[1]
|
|
uci delete dhcp.@dnsmasq[0].domain
|
|
uci set network.lan.proto=dhcp
|
|
uci set network.lan.ipv6=0
|
|
uci set network.lan.ifname='eth0'
|
|
uci set network.lan.stp=1
|
|
|
|
# Radio ordering differs among models
|
|
case $(uci get wireless.radio0.hwmode) in
|
|
11a) uci rename wireless.radio0=radio5ghz;;
|
|
11g) uci rename wireless.radio0=radio2ghz;;
|
|
esac
|
|
case $(uci get wireless.radio1.hwmode) in
|
|
11a) uci rename wireless.radio1=radio5ghz;;
|
|
11g) uci rename wireless.radio1=radio2ghz;;
|
|
esac
|
|
|
|
# Reset virtual SSID-s
|
|
uci delete wireless.@wifi-iface[1]
|
|
uci delete wireless.@wifi-iface[0]
|
|
|
|
# Pseudorandomize channel selection, should work with 80MHz on 5GHz band
|
|
case $(uci get system.@system[0].hostname | md5sum) in
|
|
1*|2*|3*|4*) uci set wireless.radio2ghz.channel=1; uci set wireless.radio5ghz.channel=36 ;;
|
|
5*|6*|7*|8*) uci set wireless.radio2ghz.channel=5; uci set wireless.radio5ghz.channel=52 ;;
|
|
9*|0*|a*|b*) uci set wireless.radio2ghz.channel=9; uci set wireless.radio5ghz.channel=100 ;;
|
|
c*|d*|e*|f*) uci set wireless.radio2ghz.channel=13; uci set wireless.radio5ghz.channel=132 ;;
|
|
esac
|
|
|
|
# Create bridge for guests
|
|
uci set network.guest=interface
|
|
uci set network.guest.proto='static'
|
|
uci set network.guest.address='0.0.0.0'
|
|
uci set network.guest.type='bridge'
|
|
uci set network.guest.ifname='eth0.156' # tag id 156 for guest network
|
|
uci set network.guest.ipaddr='0.0.0.0'
|
|
uci set network.guest.ipv6=0
|
|
uci set network.guest.stp=1
|
|
|
|
# Add VPN interface for IPSec
|
|
uci set network.vpn=interface
|
|
uci set network.vpn.ifname='ipsec0'
|
|
uci set network.vpn.proto='none'
|
|
|
|
uci set firewall.vpn=zone
|
|
uci set firewall.vpn.name="vpn"
|
|
uci set firewall.vpn.input="ACCEPT"
|
|
uci set firewall.vpn.forward="ACCEPT"
|
|
uci set firewall.vpn.output="ACCEPT"
|
|
uci set firewall.vpn.network="vpn"
|
|
|
|
# Disable switch tagging and bridge all ports on TP-Link WDR3600/WDR4300
|
|
case $(cat /etc/board.json | jsonfilter -e '@["model"]["id"]') in
|
|
tl-wdr*|archer*)
|
|
uci set network.@switch[0].enable_vlan=0
|
|
uci set network.@switch_vlan[0].ports='0 1 2 3 4 5 6'
|
|
;;
|
|
*) ;;
|
|
esac
|
|
|
|
EOF
|
|
|
|
make -C $BUILD/$BASENAME image FILES=$OVERLAY PROFILE=$PROFILE PACKAGES="luci \
|
|
openssl-util curl ca-certificates dropbear \
|
|
strongswan-mod-kernel-libipsec kmod-tun strongswan-default strongswan-mod-openssl strongswan-mod-curl strongswan-mod-ccm strongswan-mod-gcm \
|
|
htop iftop netdata -odhcp6c -odhcpd -dnsmasq \
|
|
-luci-app-firewall \
|
|
-pppd -luci-proto-ppp -kmod-ppp -ppp -ppp-mod-pppoe \
|
|
-kmod-ip6tables -ip6tables -luci-proto-ipv6 -kmod-iptunnel6 -kmod-ipsec6"
|
|
|