Compare commits

..

10 Commits

Author SHA1 Message Date
90e53ad77b
Add luci-proto-wireguard
All checks were successful
buildbot/travis_bionic Build done.
buildbot/multibuild_parent Build done.
buildbot/job/openwrt Build done.
2023-03-01 14:37:27 +01:00
80c1368f2c
Remove cherrypy
All checks were successful
buildbot/travis_bionic Build done.
buildbot/multibuild_parent Build done.
buildbot/job/openwrt Build done.
- I don't need it after all
2023-03-01 08:17:25 +01:00
7b3a05217c
Refactor and cleanup defaults
- 49-network is now using versioning
- 50-dropbear will make sure dropbear runs even if no version bump
  happened
2023-03-01 08:15:29 +01:00
e03f2fc84f
Add packages
All checks were successful
buildbot/multibuild_parent Build done.
buildbot/travis_bionic Build done.
buildbot/job/openwrt Build done.
- found some missing and nice to have packages during testing
- also increase rootfs size
- also add encryption support to collectd network protocol
2023-03-01 03:53:35 +01:00
85c081df3d
Replace opessh-server with dropbear
All checks were successful
buildbot/travis_bionic Build done.
buildbot/multibuild_parent Build done.
buildbot/job/openwrt Build done.
- apparently dropbear now supports ed25519 keys so openssh isn't
  necessary anymore
2023-02-23 20:44:13 +08:00
1e60f1fd33
Remove adguard and DoH
All checks were successful
buildbot/travis_bionic Build done.
buildbot/multibuild_parent Build done.
buildbot/job/openwrt Build done.
- adguard needs manual setup and the install UI is exposed by default
- I would like to test DoH first, I suspect it's interfering with NTP
  during boot (sysntpd needs to be restarted manually to work, strace
  found that it can't resolve if started from init)
2023-02-23 11:19:59 +08:00
44c6ed93c4
Set a custom uci option to determine applied defaults 2023-02-16 02:48:26 +02:00
68196ebf44
Trying to make uci network configuration one time 2023-02-15 03:36:03 +02:00
8ebae57e5f
Change network defaults
All checks were successful
buildbot/multibuild_parent Build done.
buildbot/travis_bionic Build done.
buildbot/job/openwrt Build done.
- eth0 is WAN, eth1 LAN
- firewall allow incoming SSH
2023-02-14 14:23:41 +08:00
cd8043f92b
Fix ssh permissions and move ssh defaults file
All checks were successful
buildbot/travis_bionic Build done.
buildbot/job/openwrt Build done.
2023-02-14 12:08:16 +08:00
5 changed files with 72 additions and 14 deletions

View File

@ -9,6 +9,8 @@
# now I noticed there is actually a Makefile for openwrt in the repo already: # now I noticed there is actually a Makefile for openwrt in the repo already:
# https://github.com/IchthysMaranatha/asterisk-chan-quectel/tree/master/openwrt # https://github.com/IchthysMaranatha/asterisk-chan-quectel/tree/master/openwrt
set -x
tar -xJf /Downloads/openwrt-sdk-${OPENWRT_VERSION}-*.tar.xz tar -xJf /Downloads/openwrt-sdk-${OPENWRT_VERSION}-*.tar.xz
cp -r feed openwrt-sdk-*/ cp -r feed openwrt-sdk-*/
@ -23,11 +25,11 @@ cat ${pwd}/feeds.conf >> feeds.conf
./scripts/feeds install -a ./scripts/feeds install -a
make defconfig make defconfig
echo 'CONFIG_PACKAGE_python3-packages=y' >> .config # Enable collectd network encryption
echo 'CONFIG_PACKAGE_python3-packages-list="CherryPy==18.8.0"' >> .config echo "CONFIG_PACKAGE_COLLECTD_ENCRYPTED_NETWORK=y" >> .config
make package/python3-packages/compile
make package/asterisk-chan-quectel/compile make package/asterisk-chan-quectel/compile
make package/collectd/compile
# no signing key # no signing key
make package/index make package/index
@ -44,23 +46,24 @@ cp ${sdkdir}/bin/packages/aarch64_cortex-a72/quectel/*.ipk packages/
make info make info
# Double the size of the root partition # Increase the size of the root partition
echo "CONFIG_TARGET_ROOTFS_PARTSIZE=208" >> .config echo "CONFIG_TARGET_ROOTFS_PARTSIZE=308" >> .config
# Disable ext4 images # Disable ext4 images
echo "CONFIG_TARGET_ROOTFS_EXT4FS=n" >> .config echo "CONFIG_TARGET_ROOTFS_EXT4FS=n" >> .config
# Setup files # Setup files
mkdir -p files/root/.ssh mkdir -p files/etc/dropbear
cp ${pwd}/authorized_keys files/root/.ssh/ chmod 0750 files/etc/dropbear
cp ${pwd}/authorized_keys files/etc/dropbear
chmod 0400 files/etc/dropbear/authorized_keys
mkdir -p files/etc/uci-defaults mkdir -p files/etc/uci-defaults
cp ${pwd}/uci_defaults files/etc/uci-defaults/99-custom cp ${pwd}/defaults/* files/etc/uci-defaults
PACKAGES="kmod-nf-nathelper-extra kmod-rtc-ds1307 \ PACKAGES="kmod-nf-nathelper-extra kmod-rtc-ds1307 \
kmod-usb-audio kmod-usb-net-rtl8152 \ kmod-usb-audio kmod-usb-net-rtl8152 \
alsa-lib pciutils usbutils \ alsa-lib pciutils usbutils \
kmod-usb-net-qmi-wwan libqmi qmi-utils uqmi luci-proto-qmi \ kmod-usb-net-qmi-wwan libqmi qmi-utils uqmi luci-proto-qmi \
shadow-usermod \ shadow-usermod \
adguardhome \
asterisk \ asterisk \
asterisk-app-sms asterisk-pjsip asterisk-bridge-simple \ asterisk-app-sms asterisk-pjsip asterisk-bridge-simple \
asterisk-codec-alaw asterisk-codec-ulaw \ asterisk-codec-alaw asterisk-codec-ulaw \
@ -68,7 +71,7 @@ PACKAGES="kmod-nf-nathelper-extra kmod-rtc-ds1307 \
asterisk-chan-quectel \ asterisk-chan-quectel \
ca-certificates \ ca-certificates \
collectd collectd-mod-contextswitch collectd-mod-cpu \ collectd collectd-mod-contextswitch collectd-mod-cpu \
collectd-mod-curl \ collectd-mod-curl collectd-mod-df \
collectd-mod-dhcpleases collectd-mod-disk \ collectd-mod-dhcpleases collectd-mod-disk \
collectd-mod-dns collectd-mod-entropy \ collectd-mod-dns collectd-mod-entropy \
collectd-mod-ethstat collectd-mod-exec \ collectd-mod-ethstat collectd-mod-exec \
@ -85,11 +88,13 @@ PACKAGES="kmod-nf-nathelper-extra kmod-rtc-ds1307 \
collectd-mod-users collectd-mod-vmem \ collectd-mod-users collectd-mod-vmem \
collectd-mod-wireless \ collectd-mod-wireless \
curl etherwake fail2ban \ curl etherwake fail2ban \
luci-app-https-dns-proxy luci-app-mwan3 luci-app-upnp \ luci-app-mwan3 luci-app-upnp \
luci-proto-wireguard \
luci-ssl-nginx luci-app-acme \ luci-ssl-nginx luci-app-acme \
python3-packages python3-yaml \ python3-packages python3-yaml \
openssh-sftp-server tcpdump \
iptables-nft ip6tables-nft \
wireguard-tools wget-ssl \ wireguard-tools wget-ssl \
openssh-server \
" "
make image PROFILE=rpi-4 \ make image PROFILE=rpi-4 \

4
defaults/00-defaults Normal file
View File

@ -0,0 +1,4 @@
touch /etc/config/defaults
/sbin/uci get defaults.version || /sbin/uci set defaults.version=version && \
/sbin/uci commit defaults

28
defaults/49-network Normal file
View File

@ -0,0 +1,28 @@
VERSION=1
[ "$(uci -q get defaults.version.network)" -ge "$VERSION" ] & exit
# save version
/sbin/uci set defaults.version.network="$VERSION"
# switch LAN to eth1
/sbin/uci set network.@device[0].ports='eth1'
# set WAN to eth0
/sbin/uci set network.wan=interface
/sbin/uci set network.wan.device=eth0
/sbin/uci set network.wan.proto=dhcp
# firewall allow SSH
/sbin/uci add firewall rule
/sbin/uci set firewall.@rule[-1].name='Allow-SSH'
/sbin/uci set firewall.@rule[-1].src='wan'
/sbin/uci set firewall.@rule[-1].dest_port='22'
/sbin/uci set firewall.@rule[-1].proto='tcp'
/sbin/uci set firewall.@rule[-1].target='ACCEPT'
/sbin/uci commit
/sbin/service network restart
/sbin/service firewall restart
/sbin/service dnsmasq restart

23
defaults/50-dropbear Normal file
View File

@ -0,0 +1,23 @@
VERSION=1
if [ "$(uci -q get defaults.version.dropbear)" -ge "$VERSION" ]
then
# may leave dropbear off after an upgrade
/sbin/service dropbear enable
/sbin/service dropbear restart
exit 0
fi
# save version
/sbin/uci set defaults.version.dropbear="$VERSION"
/sbin/uci -q batch << EOF
set defaults.version.dropbear="$VERSION"
commit defaults
set dropbear.@dropbear[0].PasswordAuth='off'
set dropbear.@dropbear[0].RootPasswordAuth='off'
commit dropbear
EOF
/sbin/service dropbear enable
/sbin/service dropbear restart

View File

@ -1,2 +0,0 @@
echo "PasswordAuthentication no" >> /etc/ssh/sshd_config
/sbin/service sshd restart