mirror of
https://github.com/laurivosandi/certidude
synced 2024-11-14 00:46:44 +00:00
Lauri Võsandi
ce93fbb58b
* Improved offline install docs * Migrated token mechanism backend to SQL * Preliminary token mechanism frontend integration * Add clock skew tolerance for OCSP * Add 'ldap computer filter' support for Kerberized machine enroll * Include OCSP and CRL URL-s in certificates, controlled by profile.conf * Better certificate extension handling * Place DH parameters file in /etc/ssl/dhparam.pem * Always talk to CA over port 8443 for 'certidude enroll' * Hardened frontend nginx config * Separate log files for frontend nginx * Better provisioning heuristics * Add sample site.sh config for LEDE image builder * Add more device profiles for LEDE image builder * Various bugfixes and improvements
112 lines
3.8 KiB
Bash
112 lines
3.8 KiB
Bash
#!/bin/bash
|
|
|
|
. common.sh
|
|
|
|
cat << \EOF > $OVERLAY/etc/uci-defaults/40-hostname
|
|
|
|
HOSTNAME=mfp-$(cat /sys/class/net/eth0/address | cut -d : -f 4- | sed -e 's/://g')
|
|
uci set system.@system[0].hostname=$HOSTNAME
|
|
uci set network.wan.hostname=$HOSTNAME
|
|
|
|
EOF
|
|
|
|
mkdir -p $OVERLAY/etc/config/
|
|
touch $OVERLAY/etc/config/wireless
|
|
|
|
cat << EOF > $OVERLAY/etc/uci-defaults/50-mfp
|
|
|
|
# Disable rebind protection for DNS
|
|
uci set dhcp.@dnsmasq[0].rebind_protection=0
|
|
uci set dhcp.@dnsmasq[0].domain='mfp.lan'
|
|
uci delete dhcp.@dnsmasq[0].local
|
|
|
|
# Disable bridge for LAN since WiFi is disabled
|
|
uci delete network.lan.type
|
|
uci set dhcp.lan.limit=1
|
|
|
|
uci set network.vpn=interface
|
|
uci set network.vpn.ifname='ipsec0'
|
|
uci set network.vpn.proto='none'
|
|
|
|
uci set firewall.vpn=zone
|
|
uci set firewall.vpn.name="vpn"
|
|
uci set firewall.vpn.input="ACCEPT"
|
|
uci set firewall.vpn.forward="ACCEPT"
|
|
uci set firewall.vpn.output="ACCEPT"
|
|
uci set firewall.vpn.network="vpn"
|
|
|
|
uci set firewall.lan2vpn=forwarding
|
|
uci set firewall.lan2vpn.src='lan'
|
|
uci set firewall.lan2vpn.dest='vpn'
|
|
|
|
uci add firewall redirect
|
|
uci set firewall.@redirect[-1].name="Allow IPP on MFP"
|
|
uci set firewall.@redirect[-1].src=vpn
|
|
uci set firewall.@redirect[-1].src_dport=631
|
|
uci set firewall.@redirect[-1].dest=lan
|
|
uci set firewall.@redirect[-1].dest_ip=192.168.1.100
|
|
uci set firewall.@redirect[-1].target=DNAT
|
|
uci set firewall.@redirect[-1].proto=tcp
|
|
|
|
uci add firewall redirect
|
|
uci set firewall.@redirect[-1].name="Allow HTTP on MFP"
|
|
uci set firewall.@redirect[-1].src=vpn
|
|
uci set firewall.@redirect[-1].src_dport=80
|
|
uci set firewall.@redirect[-1].dest=lan
|
|
uci set firewall.@redirect[-1].dest_ip=192.168.1.100
|
|
uci set firewall.@redirect[-1].target=DNAT
|
|
uci set firewall.@redirect[-1].proto=tcp
|
|
|
|
uci add firewall redirect
|
|
uci set firewall.@redirect[-1].name="Allow HTTPS on MFP"
|
|
uci set firewall.@redirect[-1].src=vpn
|
|
uci set firewall.@redirect[-1].src_dport=443
|
|
uci set firewall.@redirect[-1].dest=lan
|
|
uci set firewall.@redirect[-1].dest_ip=192.168.1.100
|
|
uci set firewall.@redirect[-1].target=DNAT
|
|
uci set firewall.@redirect[-1].proto=tcp
|
|
|
|
uci add firewall redirect
|
|
uci set firewall.@redirect[-1].name="Allow JetDirect on MFP"
|
|
uci set firewall.@redirect[-1].src=vpn
|
|
uci set firewall.@redirect[-1].src_dport=9100
|
|
uci set firewall.@redirect[-1].dest=lan
|
|
uci set firewall.@redirect[-1].dest_ip=192.168.1.100
|
|
uci set firewall.@redirect[-1].target=DNAT
|
|
uci set firewall.@redirect[-1].proto=tcp
|
|
uci set firewall.@redirect[-1].enabled=0
|
|
|
|
uci add firewall redirect
|
|
uci set firewall.@redirect[-1].name="Allow SNMP on MFP"
|
|
uci set firewall.@redirect[-1].src=vpn
|
|
uci set firewall.@redirect[-1].src_dport=161
|
|
uci set firewall.@redirect[-1].dest=lan
|
|
uci set firewall.@redirect[-1].dest_ip=192.168.1.100
|
|
uci set firewall.@redirect[-1].target=DNAT
|
|
uci set firewall.@redirect[-1].proto=udp
|
|
uci set firewall.@redirect[-1].enabled=0
|
|
|
|
uci add firewall redirect
|
|
uci set firewall.@redirect[-1].name="Allow LPD on MFP"
|
|
uci set firewall.@redirect[-1].src=vpn
|
|
uci set firewall.@redirect[-1].src_dport=515
|
|
uci set firewall.@redirect[-1].dest=lan
|
|
uci set firewall.@redirect[-1].dest_ip=192.168.1.100
|
|
uci set firewall.@redirect[-1].target=DNAT
|
|
uci set firewall.@redirect[-1].proto=tcp
|
|
uci set firewall.@redirect[-1].enabled=0
|
|
|
|
/etc/init.d/dropbear disable
|
|
|
|
uci set uhttpd.main.listen_http=0.0.0.0:8080
|
|
|
|
EOF
|
|
|
|
make -C $BUILD/$BASENAME image FILES=$OVERLAY PROFILE=$PROFILE PACKAGES="openssl-util curl ca-certificates htop \
|
|
iftop tcpdump nmap nano mtr patch diffutils ipset usbutils luci dropbear kmod-tun netdata \
|
|
strongswan-default strongswan-mod-kernel-libipsec strongswan-mod-openssl strongswan-mod-curl strongswan-mod-ccm strongswan-mod-gcm \
|
|
-odhcpd -odhcp6c -kmod-ath9k picocom libustream-openssl kmod-crypto-gcm \
|
|
-pppd -luci-proto-ppp -kmod-ppp -ppp -ppp-mod-pppoe \
|
|
-kmod-ip6tables -ip6tables -luci-proto-ipv6 -kmod-iptunnel6 -kmod-ipsec6"
|
|
|