add swapfile for dot-vc2

[myNix.git] / lbhost / wrt-bj-setup.sh

#!/usr/bin/env sh


opkg update && opkg install \
        luci-app-ddns curl ca-bundle \
        luci-app-ocserv


# Solving dnsmasq failures, https://github.com/openwrt/openwrt/issues/9346
echo "Fixing dnsmasq errors"
uci add_list dhcp.@dnsmasq[0].notinterface='pppoe-wan'


echo "Basic system configuration initializing"
# System
uci batch << EOI
set system.@system[].hostname="wrt-bj"
set system.@system[].timezone="CST-8"
set dropbear.@dropbear[].Interface="lan"
EOI
# Interface
uci batch << EOI
set network.lan.ipaddr="192.168.132.1"
EOI
# DHCP
uci batch << EOI
set dhcp.lan.start="50"
set dhcp.lan.limit="50"
EOI
# Wireless
uci batch << EOI
set wireless.radio0.channel="auto"
set wireless.default_radio0.encryption="psk2"
set wireless.radio1.channel="auto"
set wireless.default_radio1.encryption="psk2"
EOI
# Firewall
if [ ! "$(uci get firewall.@zone[0].name)" = "lan" ]; then
        echo "expecting firewall zone[0] is lan" >&2
        exit 1
fi
uci rename firewall.@zone[0]="lan"
if [ ! "$(uci get firewall.@zone[1].name)" = "wan" ]; then
        echo "expecting firewall zone[1] is wan" >&2
        exit 1
fi
uci rename firewall.@zone[1]="wan"


# Allow-IPv6
echo "Allowing all IPv6 incoming to lan"
uci batch << EOI
add firewall rule
set firewall.@rule[-1].name="Allow-IPv6"
set firewall.@rule[-1].family="ipv6"
set firewall.@rule[-1].proto="all"
set firewall.@rule[-1].src="wan"
set firewall.@rule[-1].dest="lan"
set firewall.@rule[-1].target="ACCEPT"
EOI
# Allow-OpenConnect
echo "Allowing OpenConnect incoming to device"
uci batch << EOI
add_list firewall.lan.device="vpns+"
add firewall rule
set firewall.@rule[-1].name="Allow-OpenConnect"
set firewall.@rule[-1].src="wan"
set firewall.@rule[-1].dest_port="4443"
set firewall.@rule[-1].proto="tcp udp"
set firewall.@rule[-1].target="ACCEPT"
EOI


# Port Forwards
echo "Forwarding local lan ports"
add_dnat() {
        uci batch << EOI
        add firewall redirect
        set firewall.@redirect[-1].dest="lan"
        set firewall.@redirect[-1].target="DNAT"
        set firewall.@redirect[-1].src="wan"
        set firewall.@redirect[-1].src_dport="${3}"
        set firewall.@redirect[-1].dest_port="${3}"
        set firewall.@redirect[-1].dest_ip="${2}"
        set firewall.@redirect[-1].name="${1}"
EOI
}
add_dnat "aria2://nuc-pri.internal" "192.168.132.213" 51413
add_dnat "http://nuc-pri.internal" "192.168.132.213" 80
add_dnat "https://nuc-pri.internal" "192.168.132.213" 443


# OpenConnect
echo "OpenConnect service basic configuration initializing"
while uci -q delete ocserv.@routes[]; do :; done
while uci -q delete ocserv.@dns[]; do :; done
uci batch << EOI
set ocserv.config.port="4443"
set ocserv.config.ipaddr="192.168.133.1"
set ocserv.config.netmask="255.255.255.0"
add ocserv routes
set ocserv.@routes[-1].ip="192.168.132.0"
set ocserv.@routes[-1].netmask="255.255.255.0"
add ocserv routes
set ocserv.@routes[-1].ip="192.168.133.0"
set ocserv.@routes[-1].netmask="255.255.255.0"
EOI


# DDNS
echo "DDNS service basic configuration initializing"
uci batch << EOI
set ddns.global.use_curl="1"
EOI
# DDNS duckdns_ipv4
uci batch << EOI
rename ddns.myddns_ipv4="duckdns_ipv4"
set ddns.duckdns_ipv4.service_name="duckdns.org"
set ddns.duckdns_ipv4.use_ipv6="0"
set ddns.duckdns_ipv4.ip_source="interface"
set ddns.duckdns_ipv4.ip_interface="pppoe-wan"
set ddns.duckdns_ipv4.interface="pppoe-wan"
set ddns.duckdns_ipv4.use_https="1"
set ddns.duckdns_ipv4.cacert="/etc/ssl/certs/ca-certificates.crt"
EOI
# DDNS duckdns_ipv6
uci batch << EOI
rename ddns.myddns_ipv6="duckdns_ipv6"
set ddns.duckdns_ipv6.service_name="duckdns.org"
set ddns.duckdns_ipv6.use_ipv6="1"
set ddns.duckdns_ipv6.ip_source="interface"
set ddns.duckdns_ipv6.ip_interface="pppoe-wan"
set ddns.duckdns_ipv6.interface="pppoe-wan"
set ddns.duckdns_ipv6.use_https="1"
set ddns.duckdns_ipv6.cacert="/etc/ssl/certs/ca-certificates.crt"
EOI

uci changes
echo "ALL DONE, waiting to commit"