1
0
mirror of https://github.com/laurivosandi/certidude synced 2024-11-16 09:56:44 +00:00
certidude/doc/builder/mfp.sh
Lauri Võsandi ce93fbb58b Several updates #4
* Improved offline install docs
* Migrated token mechanism backend to SQL
* Preliminary token mechanism frontend integration
* Add clock skew tolerance for OCSP
* Add 'ldap computer filter' support for Kerberized machine enroll
* Include OCSP and CRL URL-s in certificates, controlled by profile.conf
* Better certificate extension handling
* Place DH parameters file in /etc/ssl/dhparam.pem
* Always talk to CA over port 8443 for 'certidude enroll'
* Hardened frontend nginx config
* Separate log files for frontend nginx
* Better provisioning heuristics
* Add sample site.sh config for LEDE image builder
* Add more device profiles for LEDE image builder
* Various bugfixes and improvements
2018-05-15 07:45:29 +00:00

112 lines
3.8 KiB
Bash

#!/bin/bash
. common.sh
cat << \EOF > $OVERLAY/etc/uci-defaults/40-hostname
HOSTNAME=mfp-$(cat /sys/class/net/eth0/address | cut -d : -f 4- | sed -e 's/://g')
uci set system.@system[0].hostname=$HOSTNAME
uci set network.wan.hostname=$HOSTNAME
EOF
mkdir -p $OVERLAY/etc/config/
touch $OVERLAY/etc/config/wireless
cat << EOF > $OVERLAY/etc/uci-defaults/50-mfp
# Disable rebind protection for DNS
uci set dhcp.@dnsmasq[0].rebind_protection=0
uci set dhcp.@dnsmasq[0].domain='mfp.lan'
uci delete dhcp.@dnsmasq[0].local
# Disable bridge for LAN since WiFi is disabled
uci delete network.lan.type
uci set dhcp.lan.limit=1
uci set network.vpn=interface
uci set network.vpn.ifname='ipsec0'
uci set network.vpn.proto='none'
uci set firewall.vpn=zone
uci set firewall.vpn.name="vpn"
uci set firewall.vpn.input="ACCEPT"
uci set firewall.vpn.forward="ACCEPT"
uci set firewall.vpn.output="ACCEPT"
uci set firewall.vpn.network="vpn"
uci set firewall.lan2vpn=forwarding
uci set firewall.lan2vpn.src='lan'
uci set firewall.lan2vpn.dest='vpn'
uci add firewall redirect
uci set firewall.@redirect[-1].name="Allow IPP on MFP"
uci set firewall.@redirect[-1].src=vpn
uci set firewall.@redirect[-1].src_dport=631
uci set firewall.@redirect[-1].dest=lan
uci set firewall.@redirect[-1].dest_ip=192.168.1.100
uci set firewall.@redirect[-1].target=DNAT
uci set firewall.@redirect[-1].proto=tcp
uci add firewall redirect
uci set firewall.@redirect[-1].name="Allow HTTP on MFP"
uci set firewall.@redirect[-1].src=vpn
uci set firewall.@redirect[-1].src_dport=80
uci set firewall.@redirect[-1].dest=lan
uci set firewall.@redirect[-1].dest_ip=192.168.1.100
uci set firewall.@redirect[-1].target=DNAT
uci set firewall.@redirect[-1].proto=tcp
uci add firewall redirect
uci set firewall.@redirect[-1].name="Allow HTTPS on MFP"
uci set firewall.@redirect[-1].src=vpn
uci set firewall.@redirect[-1].src_dport=443
uci set firewall.@redirect[-1].dest=lan
uci set firewall.@redirect[-1].dest_ip=192.168.1.100
uci set firewall.@redirect[-1].target=DNAT
uci set firewall.@redirect[-1].proto=tcp
uci add firewall redirect
uci set firewall.@redirect[-1].name="Allow JetDirect on MFP"
uci set firewall.@redirect[-1].src=vpn
uci set firewall.@redirect[-1].src_dport=9100
uci set firewall.@redirect[-1].dest=lan
uci set firewall.@redirect[-1].dest_ip=192.168.1.100
uci set firewall.@redirect[-1].target=DNAT
uci set firewall.@redirect[-1].proto=tcp
uci set firewall.@redirect[-1].enabled=0
uci add firewall redirect
uci set firewall.@redirect[-1].name="Allow SNMP on MFP"
uci set firewall.@redirect[-1].src=vpn
uci set firewall.@redirect[-1].src_dport=161
uci set firewall.@redirect[-1].dest=lan
uci set firewall.@redirect[-1].dest_ip=192.168.1.100
uci set firewall.@redirect[-1].target=DNAT
uci set firewall.@redirect[-1].proto=udp
uci set firewall.@redirect[-1].enabled=0
uci add firewall redirect
uci set firewall.@redirect[-1].name="Allow LPD on MFP"
uci set firewall.@redirect[-1].src=vpn
uci set firewall.@redirect[-1].src_dport=515
uci set firewall.@redirect[-1].dest=lan
uci set firewall.@redirect[-1].dest_ip=192.168.1.100
uci set firewall.@redirect[-1].target=DNAT
uci set firewall.@redirect[-1].proto=tcp
uci set firewall.@redirect[-1].enabled=0
/etc/init.d/dropbear disable
uci set uhttpd.main.listen_http=0.0.0.0:8080
EOF
make -C $BUILD/$BASENAME image FILES=$OVERLAY PROFILE=$PROFILE PACKAGES="openssl-util curl ca-certificates htop \
iftop tcpdump nmap nano mtr patch diffutils ipset usbutils luci dropbear kmod-tun netdata \
strongswan-default strongswan-mod-kernel-libipsec strongswan-mod-openssl strongswan-mod-curl strongswan-mod-ccm strongswan-mod-gcm \
-odhcpd -odhcp6c -kmod-ath9k picocom libustream-openssl kmod-crypto-gcm \
-pppd -luci-proto-ppp -kmod-ppp -ppp -ppp-mod-pppoe \
-kmod-ip6tables -ip6tables -luci-proto-ipv6 -kmod-iptunnel6 -kmod-ipsec6"