diff --git a/README.md b/README.md index 5099cc40..926bad7c 100644 --- a/README.md +++ b/README.md @@ -8,13 +8,13 @@ It will replicate all the services on the network, and it can be deleted without Especially focused above security in every ISO/OSI pile level. -Applications are multiples, from bypass the European ECHELON, an enormous sniffer from some ISP, or the great firewall in China, to create very secure not logged chat, to dynamic traditional services that will move from an host to another in a total transparent mode to the final user. +Applications are multiples, from bypass the European [ECHELON](https://en.wikipedia.org/wiki/ECHELON), an enormous sniffer from some ISP, or the great firewall in China, to create very secure not logged chat, to dynamic traditional services that will move from an host to another in a total transparent mode to the final user. I'm an addicted of privacy and security and I'm very tired about the modern slavery network transmitted by weapons from the European elite. -**Vatican and Aristocracy are totally guilty about the recent destroy of democracy.** +*Vatican, a big part of Aristocracy and a lot of leafs, and some corrupted secret services are totally guilty about the recent destroy of democracy. They are owners of an exploitation camp transmitted by electromagnetic weapons and elaborated by artificial intelligence from the Collserola tower in Barcelona above all the Mediterranean area. Electronic slavery, the modern slavery that United Nation is investigating is my goal.* -### Install procedure +#### VPS election First of all you've got to rent a VPS in one service provider, there are a lot on Internet a great resource to find the correct one is this website: 
@@ -26,6 +26,7 @@ Some that I use or I've used: - [AlphaVPS - Cheap and Reliable Hosting and Servers](https://alphavps.com/) - [VPS Hosting in Europe and USA. Join VPS2DAY now!](https://www.vps2day.com/) - [Liveinhost Web Services – The Best Web Hosting | Fast Professional Website Hosting Services](https://www.liveinhost.com/) +- [Scaleway Dedibox | The Reference for Dedicated Servers | Scaleway](https://www.scaleway.com/en/dedibox/) Try to understand that we've got to build a network of VPS interconnected site to site between everyone with IPsec and every host is plug and play, I mean that we can add or remove VPS just running the software in this repository. First of all it is important to understand that we can use this design in two different application, one will use registered domains the other will use free dns services. Goal for everyone is security trough simplicity, open source design and the correct use and implementation of robust compliance protocols and daemons. The system operative is [OpenBSD](https://www.openbsd.org/) but later we will use also [Alpine Linux](https://alpinelinux.org/). At that point the goal will be interoperability and the search of near perfect TCP/IP throughput. Another goal will be the use of ARM64 mobile devices also based up Alpine, my favorite one is: 
@@ -42,8 +43,8 @@ Many times we've got to resolve problems like the one where OpenBSD isn't listed First of all install a classic Linux, like Debian for example. Next ssh to the new machine with the credentials provided. Next download the latest stable `miniroot` image into the root and write it to the start of our virtual disk, in linux normally it will be `vda`. ```sh -# wget https://cdn.openbsd.org/pub/OpenBSD/6.8/amd64/miniroot68.img -# dd if=miniroot68.img of=/dev/vda bs=4M +# wget https://cdn.openbsd.org/pub/OpenBSD/6.9/amd64/miniroot69.img +# dd if=miniroot69.img of=/dev/vda bs=4M ``` After the successful write to the virtual disk we've got to reboot the machine but we will do it in a particular way using the `proc` filesystem: @@ -53,7 +54,9 @@ First of all install a classic Linux, like Debian for example. Next ssh to the n # echo b > /proc/sysrq-trigger ``` -Next reopen the KVM web console and the installation process of OpenBSD will start. Interrupt it choosing for the (S)hell option and: +#### Semi automatic system installation + +Open the `KVM` web console and the installation process of OpenBSD will start. Interrupt it choosing for the (S)hell option and: ```shell # dhclient vio0 
@@ -62,11 +65,199 @@ Next reopen the KVM web console and the installation process of OpenBSD will sta # reboot ``` +The default `root` password in our `install.conf` file is `123456789`. But it is encrypted as `$2b$10$4tPKeRmxVyffVkrQMve70.CiPmE28khH9UXiuSYpzAKbZrOfQq0Pm`. + +The default `uid 1000` user is `taglio`, my nickname and unix user. You can update `installation/install-vps` file with your. I also specify my `ed25519` ssh key that I've got generated with `ssh-keygen -t ed25519 -C "taglio@telecom.lobby"`as you can appreciate in the configuration file: + +`Public ssh key for user = ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKG4yMhKX37SXV8LGDuVe4r1PBSS5HOWb6jFpNiG3cvW taglio@telecom.lobby` + +*Please update this file with your specifications forking my repository*. + After the reboot login in the new node and change the password and upgrade the system with `syspatch`. +#### [![OpenBSD MESH IPSec guerrila host](https://img.youtube.com/vi/6-M4IxeSctI/0.jpg)](https://www.youtube.com/watch?v=6-M4IxeSctI "OpenBSD MESH IPSec guerrila host") + #### First steps -Next that we will have a running fresh and patched OpenBSD system let's start to configure our guerrilla MESH node. Install the git package: +First of all I want to underline that we use some values in the `DNS` master zone of the domain where we want to attach our new `VPS` host. *It's not exactly all automatic*. + +``` shell +root@ganesha:/var/nsd/zones/master# cat telecomlobby.com.zone | grep ipsec && cat telecomlobby.com.zone | grep gre +ipsec20591 IN TXT "uk:ganesha;us:saraswati;jp:shiva;es:indra;fr:uma;bg:neo;" +gre7058 IN TXT "216" +gre18994 IN TXT "3" +root@ganesha:/var/nsd/zones/master# +``` + +We use the [TXT record](https://en.wikipedia.org/wiki/TXT_record) to add some more information to the process of automatically add the new host to our MESH network. 
Hostname are: + +```shell +root@ganesha:/var/nsd/zones/master# echo ipsec${RANDOM} && echo gre${RANDOM} && echo gre${RANDOM} +ipsec6150 +gre9262 +gre1331 +root@ganesha:/var/nsd/zones/master# +``` + +```$RANDOM``` is a special variable in `ksh` used to generate random numbers between 0 and 32767. + +The string specified by `TXT` value of `ipsec` is `;` separated values and contain [ISO 3166-1 alpha-2](https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2) [country codes](https://en.wikipedia.org/wiki/Country_code) followed by `:` and the name of the host machine. + +The string specified by `TXT` values of the two `gre` are integer, the first between 0 and 255 indicating last /30 network allocated by a `gre` point to point and the second is a counter indicating the number of MESH guerrilla OpenBSD hosts. + +Remember to update those `TXT` to archive the connection process. + +It's important also to configure DNS resolution and also [RDNS](https://en.wikipedia.org/wiki/Reverse_DNS_lookup) of the assigned IPv4 address in our master zone. Depending on the provider adding the reverse dns resolution host it could be writing to the support office or simply use a web mask. + +[![OpenBSD MESH IPSec guerrila host](https://asciinema.org/a/417997.png)](https://asciinema.org/a/417997) + +Next we've got to update the master zone of the principle public domain, in my case `telecomlobby.com`. + +The first value to update is the IPv4 of the new machine: + +```shell +riccardo@trimurti:~/Work/telecom.lobby/OpenBSD$ dig de.telecomlobby.com A +short +45.63.116.141 +riccardo@trimurti:~/Work/telecom.lobby/OpenBSD$ ssh ganesha.telecom.lobby +Host key fingerprint is SHA256:mZiIJWncSs+jJUjAho8NNQeO1wSHKVpFORP5wZdDaNo ++--[ED25519 256]--+ +|+.=BB= o.. | +|=*+O= = + | +|+OO +B o . | +|+=oB..Eo o | +|. + * o S | +| + . | +| . 
| +| | +| | ++----[SHA256]-----+ +OpenBSD 6.9 (GENERIC) #2: Sat May 22 12:49:54 MDT 2021 + root@syspatch-69-amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC +real mem = 1056813056 (1007MB) +avail mem = 1009553408 (962MB) +10:49AM up 2 days, 23:46, 2 users, load averages: 0.01, 0.02, 0.00 +ID Pri State DeadTime Address Iface Uptime +192.168.13.59 1 FULL/P2P 00:00:34 10.10.10.201 gre4 02:55:38 +192.168.13.81 1 FULL/P2P 00:00:30 10.10.10.217 gre3 06:51:01 +192.168.13.1 1 FULL/P2P 00:00:36 10.10.10.225 gre2 06:45:49 +192.168.13.34 1 FULL/P2P 00:00:33 10.10.10.230 gre1 06:51:03 +192.168.13.33 1 FULL/P2P 00:00:36 10.10.10.250 gre0 1d06h55m +Go 'way! You're bothering me! + +riccardo@trimurti:~/Work/telecom.lobby/OpenBSD$ doas su +doas (taglio@ganesha.telecom.lobby) password: +root@ganesha:/home/taglio# cd /var/nsd/zones/master +root@ganesha:/var/nsd/zones/master# cat telecomlobby.com.zone | grep vpnc +vpnc IN A 45.32.144.15 +vpnc IN A 78.141.201.0 +vpnc IN A 155.138.247.27 +vpnc IN A 139.180.206.19 +vpncN IN A 94.72.143.163 +vpnc IN TXT "RT-01.cat.telecomlobby.com" +root@ganesha:/var/nsd/zones/master# + +``` + +As you can see theres some values about the `vpnc` and `vpncN` host: + +- `vpnc IN A` in the list of public IPv4 that are connected through IPsec in our MESH network. +- `vpncN IN A` in the new host to add to. + +Upgrade the configuration to reflect to new one and test it: + +``` shell +riccardo@trimurti:~$ dig @8.8.8.8 vpnc.telecomlobby.com A +short +45.32.144.15 +78.141.201.0 +155.138.247.27 +139.180.206.19 +94.72.143.163 +riccardo@trimurti:~$ dig @8.8.8.8 vpncN.telecomlobby.com A +short +45.63.116.141 +riccardo@trimurti:~$ +``` + +In my configuration I've got also a dynamic IPv4 [EdgeOS](https://dl.ubnt.com/guides/edgemax/EdgeOS_UG.pdf) endpoint and another with fixed IPv4 [RouterOS](https://es.wikipedia.org/wiki/MikroTik) one. 
In EdgeOS I've got to update the black hole routing table excluding the new ip: + +```shell +taglio@indra# set protocols static interface-route 45.63.116.141/32 next-hop-interface pppoe0 +[edit] +taglio@indra# commit +[edit] +taglio@indra# save +Saving configuration to '/config/config.boot'... +Done +[edit] +taglio@indra# exit +``` + +In the RouterOS one I've got to update the address list relative to the host presents in my IPSec network: + +```shell +[admin@uma.telecom.lobby] /ip firewall address-list> add list=servers comment=durpa address=45.63.116.141/32 +[admin@uma.telecom.lobby] /ip firewall address-list> +``` + +#### Update the IPSec CA server + +Now start to configure the `CA server` about the `IPsec` public and private key. + +In my network layout I've got a [Mikrotik](https://mikrotik.com/) `VPS` that administrate the `IPsec` certificate repositories. + +[![Mikrotik CA certificate](https://img.youtube.com/vi/A7O_Pe91a6Y/0.jpg)](https://youtu.be/A7O_Pe91a6Y "Mikrotik CA certificate") + +You can use also the RouterOS console: + +```shell +[admin@uma.telecom.lobby] > /certificate add name=au.telecomlobby.com country=AU s +tate="New South Wales" locality=Sidney common-name=au.telecomlobby.com subject-alt +-name=email:vishnu@ca.telecomlobby.com +[admin@uma.telecom.lobby] > +``` + +Download the [p12](https://en.wikipedia.org/wiki/PKCS_12) combined certificate and private key and upload into the new host `/tmp` directory. 
+ +``` shell +sftp> get cert_export_de.telecomlobby.com.p12 +Fetching /cert_export_de.telecomlobby.com.p12 to cert_export_de.telecomlobby.com.p12 +/cert_export_de.telecomlobby.c 100% 3880 74.6KB/s 00:00 +sftp> ^D +riccardo@trimurti:~/Work/redama$ mv cert_export_de.telecomlobby.com.p12 de.telecomlobby.com.p12 +riccardo@trimurti:~/Work/redama/durpa$ scp de.telecomlobby.com.p12 taglio@de.telecomlobby.com:/tmp +de.telecomlobby.com.p12 100% 3880 106.4KB/s 00:00 +riccardo@trimurti:~/Work/redama/durpa$ +``` + +The p12 file have to be protected by the password `123456789`. + +Next use the script `ipsec_newpubkey` to add the new public IPSec key to the `src/etc/iked/pubkeys/ufqdn` directory update the repository and use the console script in the right way: + +```shell +riccardo@trimurti:~/Work/telecom.lobby/OpenBSD$ ./ipsec_newpubkey /home/riccardo/Work/redama/varuna/bg.telecomlobby.com.p12 +neo@ca.telecomlobby.com created please update repository and all the others Openbsd hosts +riccardo@trimurti:~/Work/telecom.lobby/OpenBSD$ sh git_openbsd.sh +git add, commit, sign and push +check branch +[taglio-15062021 48dc7f5] Please enter the commit message for your changes. Lines starting with '' will be ignored, and an empty message aborts the commit. + 1 file changed, 9 insertions(+) + create mode 100644 src/etc/iked/pubkeys/ufqdn/neo@ca.telecomlobby.com +Enumerating objects: 14, done. +Counting objects: 100% (14/14), done. +Delta compression using up to 8 threads +Compressing objects: 100% (7/7), done. +Writing objects: 100% (8/8), 1.73 KiB | 886.00 KiB/s, done. +Total 8 (delta 4), reused 3 (delta 0), pack-reused 0 +remote: Resolving deltas: 100% (4/4), completed with 4 local objects. 
+To github.com:redeltaglio/OpenBSD.git + c773e1e..48dc7f5 taglio-15062021 -> taglio-15062021 +riccardo@trimurti:~/Work/telecom.lobby/OpenBSD$ ./console -I telecom.lobby -G +riccardo@trimurti:~/Work/telecom.lobby/OpenBSD$ ./console -I telecom.lobby -N + +``` + +#### Login and start the connection process + +Install the git package: ```shell neo# pkg_add git 
@@ -76,19 +267,302 @@ neo$ git clone https://github.com/noplacenoaddress/OpenBSD.git Next let's start to configure the system with our script `setup_node`, you've got to go ahead to every point pressing `1` or to type different variables: +- the type of IPv6 address: + - `static`: + - [IPv6 address](https://en.wikipedia.org/wiki/IPv6) without prefixlen. + - The [prefixlen](https://www.ciscopress.com/articles/article.asp?p=2803866&seqNum=2). + - The [IPv6 default route](https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_pi/configuration/xe-16-10/iri-xe-16-10-book/ip6-route-static-xe.pdf). + - `dynamic`, using [slaacd (8)](https://www.openbsd.org/papers/florian_slaacd_bsdcan2018.pdf) - `hostname`, the name of the machine. +- `landomainname`, the interior domain name that in my case is `telecom.lobby` - `routerid`, the OSPFD router id and the IP of the `vether0` interface. -- `publichost`, the DNS of the public ip of the `vio0` interface. ```shell -root@neo:/home/taglio/Sources/Git/OpenBSD# sh setup_node -changing installurl +root@neo:/home/taglio/Sources/Git/OpenBSD# sh setup_node changing installurl Go ahead type 1 ``` -#### Registered domains application +After some points the program give us the root ssh `ed25519` key of the new host. That is [EdDSA](https://en.wikipedia.org/wiki/EdDSA) in [public key cryptography](https://en.wikipedia.org/wiki/Public-key_cryptography). 
Update the repository: + +``` shell +riccardo@trimurti:~/Work/telecom.lobby/OpenBSD$ sed -i '/durga.telecom.lobby/d' src/etc/ssh/remote_install/authorized_keys +riccardo@trimurti:~/Work/telecom.lobby/OpenBSD$ echo "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHfCxPKwUqEG9JaEaK6uqFDfDMFYFTblLEWPekGh8CAn root@durga.telecom.lobby" >> src/etc/ssh/remote_install/authorized_keys +riccardo@trimurti:~/Work/telecom.lobby/OpenBSD$ +``` + +To do this operation you can use also the `console` script in the forked repository root: + +```shell +riccardo@trimurti:~/Work/telecom.lobby/OpenBSD$ ./console -I telecom.lobby -RS +Type the LAN hostname +durga.telecom.lobby +Type the public hostname +de.telecomlobby.com +Type the ED25519 hash +AAAAC3NzaC1lZDI1NTE5AAAAIH6Kju+51Vud+0cHKgpdFNSRIpXM/PcLQAO86xKgc+Op +remote_install/authorized_keys and ssh_known_hosts UPDATED + + please use git_openbsd.sh to update the public GIT +riccardo@trimurti:~/Work/telecom.lobby/OpenBSD$ +``` + +Use the script `git_openbsd.sh` using values depending in your forked repository to update the git. + +Next update every host using `git pull` using the `console` script and launch the `newhost` option using the same script: + + ``` shell +riccardo@trimurti:~/Work/telecom.lobby/OpenBSD$ ./console -I telecom.lobby -G +riccardo@trimurti:~/Work/telecom.lobby/OpenBSD$ ./console -I telecom.lobby -N + ``` + +The `console` script depend on a `TXT` record in the master `nsd` for the LAN domain name: + +```shell +riccardo@trimurti:~/Work/telecom.lobby/OpenBSD$ host -t txt openbsd.telecom.lobby +openbsd.telecom.lobby descriptive text "ganesha;saraswati;shiva;varuna;" +riccardo@trimurti:~/Work/telecom.lobby/OpenBSD$ +``` + +Those are the host names of every OpenBSD guy connected to our network, remember to update it! + +[![OpenBSD MESH IPSec guerrila host](https://asciinema.org/a/418749.png)](https://asciinema.org/a/418749) + +You've got to update also the CA server inside your network. 
As the other use the new `ed25519` public key: + +```shell +riccardo@trimurti:~/Work/telecom.lobby/OpenBSD-private-CA$ mkdir src/etc/ssh/ca/host/durga.telecom.lobby +riccardo@trimurti:~/Work/telecom.lobby/OpenBSD-private-CA$ echo "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHfCxPKwUqEG9JaEaK6uqFDfDMFYFTblLEWPekGh8CAn root@durga.telecom.lobby" > src/etc/ssh/ca/host/durpa.telecom.lobby/ssh_host_ed25519_key.pub +``` + +Update the repository using the script `git_openbsd-private-ca.sh` and next create the new `ssh_host_ed25519_key-cert.pub` with: + +```shell +root@cyberanarkhia:/home/taglio/Sources/Git/OpenBSD-private-CA# ./setup_ca +./setup_ca have to be used with the following options + +install -> create SSH and SSL private CA +verify -> printout and verify certificates +reset -> reset filesystem hierarchy and delete certificates and keys +transfer -> tar files on /home/taglio +newhost -> add a new MESH host + +root@cyberanarkhia:/home/taglio/Sources/Git/OpenBSD-private-CA# + +``` + +Use `newhost` and `transfer` options. -Start with two VPS, one master in DNS service and the other slave. All the others services will be replicated. Some providers doesn't permit the installation of OpenBSD as a default option so install Linux and then rewrite the disc with `dd` as explained: +[![OpenBSD MESH IPSec guerrila host](https://asciinema.org/a/420482.png)](https://asciinema.org/a/420482) + +#### Automatic install + +```shell +taglio@varuna:/home/taglio$ cat /tmp/config.ini static#1 +ipv6ctrl#static +ipv6egress#2a01:8740:1:ff48::64a8 +ipv6prefix#48 +ipv6defrouter#2a01:8740:1:ff00::1 +installurl#1 +shell#1 +users#1 +hostname#varuna +landomainname#telecom.lobby +routerid#192.168.13.59 +basic#1 +unbound#1 +ssh#1 +ipsec#1 +gre#1 +pf#1 +ospf#1 +remote#1 +taglio@varuna:/home/taglio$ + +``` + +This is the configuration file obtained by the semi automatic installation process. You can adapt to your configuration but be careful with the `static` or `dynamic` IPv6. 
To archive that you can use also the `configure` script in the root of the repository, simply answer to the questions. + +[![OpenBSD MESH IPSec guerrila host](https://asciinema.org/a/421061.png)](https://asciinema.org/a/421061) + +#### You successfully installed and connected a new OpenBSD MESH guerrilla host + +*Ok baby let's rock&roll. We've configured a new IPSec MESH host in a semi automatic way, a lot of work done in a few clicks with our preferred system operative, the secure fish! OpenBSD!* + +The first step after is to add the new [SSHFP](https://en.wikipedia.org/wiki/SSHFP_record) record to our internal [nsd](https://en.wikipedia.org/wiki/NSD) server. Scan them: + +```shell +riccardo@trimurti:~/Work/telecom.lobby/OpenBSD$ ssh-keyscan -D -t ed25519 varuna.telecom.lobby +; varuna.telecom.lobby:22 SSH-2.0-OpenSSH_8.6 +varuna.telecom.lobby IN SSHFP 4 1 6e77aacf6c65bac6ff6dcb8e21ce9beb7cb9d832 +varuna.telecom.lobby IN SSHFP 4 2 9baacb4c882270c8f37f2fbc847f1094b2b78a34da4650ec24a3b69ad6033dc3 +riccardo@trimurti:~/Work/telecom.lobby/OpenBSD$ +``` + +And update the zone in the server and the `openbsd` record: + +```shell +root@cyberanarkhia:/var/nsd/zones/master# rcctl restart nsd +nsd(ok) +nsd(ok) +root@cyberanarkhia:/var/nsd/zones/master# rcctl restart unbound +unbound(ok) +unbound(ok) +root@cyberanarkhia:/var/nsd/zones/master# cat telecom.lobby | grep varuna +varuna IN A 192.168.13.59 +varuna.telecom.lobby IN SSHFP 4 1 6e77aacf6c65bac6ff6dcb8e21ce9beb7cb9d832 +varuna.telecom.lobby IN SSHFP 4 2 9baacb4c882270c8f37f2fbc847f1094b2b78a34da4650ec24a3b69ad6033dc3 +openbsd IN TXT "ganesha;saraswati;shiva;varuna;" +root@cyberanarkhia:/var/nsd/zones/master# +``` + +Enter in the new system and add a password, use a great password manager in your workstation like [KeePassXC](https://keepassxc.org/): + +```shell +taglio@varuna:/etc$ su +Password: +root@varuna:/etc# passwd taglio +Changing password for taglio. 
+New password: +Retype new password: +root@varuna:/etc# +``` + +Then create a new SSL internal [CSR](https://en.wikipedia.org/wiki/Certificate_signing_request) certificate request and download it to the CA server to create a new [x.509](https://en.wikipedia.org/wiki/X.509) [CRT](https://en.wikipedia.org/wiki/X.690#DER_encoding) for the internal services like `httpd(8)` and the surely next installed daemon [dovecot](https://www.dovecot.org/). + +```shell +root@varuna:/home/taglio/Sources/Git/OpenBSD# sh setup_node -A sslcareq +Generating RSA private key, 2048 bit long modulus +...................................................................+++++ +.......+++++ +e is 65537 (0x10001) +writing RSA key +You are about to be asked to enter information that will be incorporated +into your certificate request. +What you are about to enter is what is called a Distinguished Name or a DN. +There are quite a few fields but you can leave some blank +For some fields there will be a default value, +If you enter '.', the field will be left blank. 
+----- +Country Name (2 letter code) []:BG +State or Province Name (full name) []:Lovech +Locality Name (eg, city) []:Troyan +Organization Name (eg, company) []:Telecom Lobby +Organizational Unit Name (eg, section) []:VPNC +Common Name (eg, fully qualified host name) []:varuna.telecom.lobby +Email Address []:varuna@ca.telecom.lobby + +Please enter the following 'extra' attributes +to be sent with your certificate request +A challenge password []: +Download csr from http://varuna.telecom.lobby/varuna.telecom.lobby.csr to the CA server +root@varuna:/home/taglio/Sources/Git/OpenBSD# +``` + +*Recent versions of our tool will do it automatically.* + +[![OpenBSD MESH IPSec guerrila host](https://asciinema.org/a/421920.png)](https://asciinema.org/a/421920) + +In this video you can appreciate also a [tmux](https://en.wikipedia.org/wiki/Tmux) session with all the OpenBSD host connected via `ssh` automatically, one session to the internal CA server that in my case is `cyberanarkhia`, and the last onto the workstation that in my case is `trimurti`, an [Ubuntu](https://en.wikipedia.org/wiki/Ubuntu) host. + +***I'm fighting hard.*** + +#### Others system operatives + +![VyOS](https://www.programmersought.com/images/37/227a77d35c99e18bb4a03c3aeece6045.png) + +In my MESH network I've got to others types of system operatives dedicated to my business of selling Internet and IP transport using terrestrial radio waves. A wireless Internet service provider. + +The types of are: + +- [EdgeOS](https://dl.ubnt.com/guides/edgemax/EdgeOS_UG.pdf) a commercial and customized version of [VyOS](https://en.wikipedia.org/wiki/VyOS) from [Ubiquiti](https://es.wikipedia.org/wiki/Ubiquiti_Networks). +- [RouterOS](https://mikrotik.com/software) a commercial and customized version of Linux from [Mikrotik](https://en.wikipedia.org/wiki/MikroTik). + +My software build scripts to automatic configure the new hosts also for those guys. + +To add the new OpenBSD host to my Mikrotik steps are very simple. 
Do this in the new guy: + +```shell +root@varuna:/home/taglio/Sources/Git/OpenBSD# sh setup_node -A otheros +Download Mikrotik Routeros script from http://varuna.telecom.lobby/fr.telecomlobby.com/fr.telecomlobby.com.rsc +root@varuna:/home/taglio/Sources/Git/OpenBSD# +``` + + And do that from the workstation: + +```shell +riccardo@trimurti:~/Work/telecom.lobby/OpenBSD$ ./console -I telecom.lobby -M +Type the Mikrotik internal hostname +uma +Type the new OpenBSD internal hostname +varuna +--2021-06-23 15:27:46-- http://varuna.telecom.lobby/fr.telecomlobby.com/fr.telecomlobby.com.rsc +Resolving varuna.telecom.lobby (varuna.telecom.lobby)... 192.168.13.59 +Connecting to varuna.telecom.lobby (varuna.telecom.lobby)|192.168.13.59|:80... connected. +HTTP request sent, awaiting response... 200 OK +Length: 1686 (1,6K) [application/octet-stream] +Saving to: ‘/tmp/fr.telecomlobby.com.rsc’ + +/tmp/fr.telecomlobby.com.rsc 100%[====================================================================================================================================================================>] 1,65K --.-KB/s in 0,07s + +2021-06-23 15:27:46 (22,5 KB/s) - ‘/tmp/fr.telecomlobby.com.rsc’ saved [1686/1686] + +fr.telecomlobby.com.rsc 100% 1686 63.5KB/s 00:00 + +Script file loaded and executed successfully +Host varuna.telecom.lobby configured into Mikrotik uma.telecom.lobby +riccardo@trimurti:~/Work/telecom.lobby/OpenBSD$ + +``` + +And here you a video: + +[![OpenBSD MESH IPSec guerrila host](https://asciinema.org/a/421957.png)](https://asciinema.org/a/421957) + +#### Routine maintenance + +![](https://thumbs.dreamstime.com/b/routine-maintenance-mechanism-golden-metallic-cogwheels-glow-effect-d-rendering-concept-gears-illustration-114332777.jpg) + +One of the important routine maintenance operation that we shall do in our network is the renew of the `EdDSA` key for the workstation's user authorized by the [CA server](https://github.com/redeltaglio/OpenBSD-private-CA). 
+ +Use the `console` script as usual following those operations: + +```shell +riccardo@trimurti:~/Work/telecom.lobby/OpenBSD$ ./console -I telecom.lobby -U +mv: cannot stat '/home/riccardo/.ssh/id_ed25519-cert.pub': No such file or directory +Generating public/private ed25519 key pair. +Enter file in which to save the key (/home/riccardo/.ssh/id_ed25519): +Enter passphrase (empty for no passphrase): +Enter same passphrase again: +Your identification has been saved in /home/riccardo/.ssh/id_ed25519 +Your public key has been saved in /home/riccardo/.ssh/id_ed25519.pub +The key fingerprint is: +SHA256:IE3Ad3KZdNWitnj0lIjaqLq2SVCNPR52G1UDZHttIKA taglio@ +The key's randomart image is: ++--[ED25519 256]--+ +| ...o+B==... | +| +.+oo=+ +. . | +| o E.=+...ooo | +| . o = +..=.o | +|. . .+S+ + | +| . o o o . | +| . . . | +| .... | +| .=+ | ++----[SHA256]-----+ +Password: +Type the mounted FAT32 pen drive directory:/media/riccardo/0903-C8DC +Ready? type 1 +``` + +Next take the pen drive to the CA server physic station and run the setup_ca script with the correct option `setup_ca upuser`. Return it to the workstation and type `1`. + +#### Remote upgrade + +![](https://redama.es/Imagenes/varuna_shell.png) + +If the VPS provider got the option to install OpenBSD, a custom ISO or hasn't the solution is always the same, use `sysupgrade`. + +The upgrade our git repository and launch the `upgrade.sh` script. Remember to wait a couple of days after the [release announce](https://www.openbsd.org/69.html) is published by [Theo de Raddt](https://www.theos.com/deraadt/). #### Possible applications 
@@ -96,6 +570,171 @@ Let's start discussing how we can boost our presence in Internet using that guer I've got to cases, one is about the correct information about the modern slavery network transmitted by electromagnetic weapons to the marginal and worker class of many countries, also Europeans. The other is to have got a great site about my professional work, Redama, a wireless ISP but also an Internet website that sold security focused end devices and gateways. +Next some daemons that we've got to configure to start a new world of applications, remember that my goals are: + +- a distributed spider to search for clients for my business and to catalog emails, fax numbers and contacts of United Nations personal that work fighting the modern slavery. I'm a private investigator and I've got to massively denunciate the remote neural control and interference to the brain facility. +- a multi language web site, one for my work the other for my page of public compliant. +- a massive system of alert by www, smtpd and SIP. + +#### NSD and PowerDNS + +![](https://raw.githubusercontent.com/redeltaglio/OpenBSD/master/img/OpenBSD_5-9.jpg) + +[PowerDNS](https://en.wikipedia.org/wiki/PowerDNS) is a [DNS server](https://en.wikipedia.org/wiki/Name_server) that we are going to use because of it [GeoIP](https://en.wikipedia.org/wiki/Internet_geolocation) [features](https://doc.powerdns.com/authoritative/backends/geoip.html). Using that we will reply to dns request in different ways depending on the geographical position of the source IP. Onto the position in the world map of our client. Why? To load balance requests and to archive a lot of features more. + +Next feature for example can be serving a web page in a different language depending on the language used in the web browser of our client but this is another think. 
+ +![Political Map](https://upload.wikimedia.org/wikipedia/commons/5/55/Political_Map_of_the_World.png) + +```shell +riccardo@trimurti:~/Work/telecom.lobby/OpenBSD$ ./console -I telecom.lobby -Z + +Type the two .com domains (the principle and the secondary) divided by a comma: +telecomlobby.com,9-rg.com + +telecomlobby.com: + Name Server: B.NS.BUDDYNS.COM + Name Server: JP.TELECOMLOBBY.COM + Name Server: UK.TELECOMLOBBY.COM + Name Server: US.TELECOMLOBBY.COM + +DNSSEC not enable onto telecomlobby! +<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>> + +9-rg.com: + Name Server: B.NS.BUDDYNS.COM + Name Server: JP.TELECOMLOBBY.COM + Name Server: UK.TELECOMLOBBY.COM + Name Server: US.TELECOMLOBBY.COM + +DNSSEC not enable onto 9-rg.com! +<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>> +You've got servers in: + + +GB +513030-0000731 Europe/London + +{ + "ip": "78.141.201.0", + "hostname": "uk.telecomlobby.com", + "city": "London", + "region": "England", + "country": "GB", + "loc": "51.5085,-0.1257", + "org": "AS20473 The Constant Company, LLC", + "postal": "EC1A", + "timezone": "Europe/London", +} +LAT --> 51 +LONG --> -0 + +GROUP --> 3 + +US/Central + +{ + "ip": "155.138.247.27", + "hostname": "us.telecomlobby.com", + "city": "Dallas", + "region": "Texas", + "country": "US", + "loc": "32.7831,-96.8067", + "org": "AS20473 The Constant Company, LLC", + "postal": "75270", + "timezone": "America/Chicago", +} +LAT --> 32 +LONG --> -96 + +GROUP --> 1 + +Japan + +{ + "ip": "139.180.206.19", + "hostname": "jp.telecomlobby.com", + "city": "Kamimaruko", + "region": "Nagano", + "country": "JP", + "loc": "36.3186,138.2733", + "org": "AS20473 The Constant Company, LLC", + "postal": "386-0404", + "timezone": "Asia/Tokyo", +} +LAT --> 36 +LONG --> 138 + +GROUP --> 5 + +BG +4241+02319 Europe/Sofia + +{ + "ip": "94.72.143.163", + "hostname": "bg.telecomlobby.com", + "city": "Sofia", + "region": "Sofia-Capital", + "country": "BG", + "loc": "42.6975,23.3241", + "org": "AS203380 DA International Group 
Ltd.", + "postal": "1000", + "timezone": "Europe/Sofia", +} +LAT --> 42 +LONG --> 23 + +GROUP --> 3 + +DE +5230+01322 Europe/Berlin Germany (most areas) + +{ + "ip": "45.63.116.141", + "hostname": "de.telecomlobby.com", + "city": "Frankfurt am Main", + "region": "Hesse", + "country": "DE", + "loc": "50.1155,8.6842", + "org": "AS20473 The Constant Company, LLC", + "postal": "60311", + "timezone": "Europe/Berlin", +} +LAT --> 50 +LONG --> 8 + +GROUP --> 3 + +AU -3352+15113 Australia/Sydney New South Wales (most areas) + +{ + "ip": "139.180.165.223", + "hostname": "au.telecomlobby.com", + "city": "Sydney", + "region": "New South Wales", + "country": "AU", + "loc": "-33.8678,151.2073", + "org": "AS20473 The Constant Company, LLC", + "postal": "1001", + "timezone": "Australia/Sydney", +} +LAT --> -33 +LONG --> 151 + +GROUP --> 6 + +``` + +Using the `console` script from the workstation give us a global vision of our IPSec network. It's important because of management of the DNS servers and the geo-ip feature. + +I use two domain names because administrating the NS pulls which others. + +I've divided world into six groups depending onto GPS system. `console` give you at what group is pertaining every host connected to our guerrilla network. Next we will create three containers in which we will put those hosts to create three pulls of name servers. After depending onto the geographical position of the client doing the query the system will reply in a manner or another using the `powerdns` geo-ip feature. + +Another important feature is that our tool give us information withing the [whois database](https://en.wikipedia.org/wiki/WHOIS) if the suite of extensions [DNSSEC](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions) is enable from the registrant. + +#### DNSSEC + +![](https://www.researchgate.net/profile/Nicola-Zannone/publication/326276803/figure/fig1/AS:648934477283337@1531729444191/An-overview-of-DNSSEC.png) + Nice Regards, -Riccardo `` Giuntoli. 
\ No newline at end of file +Riccardo `` Giuntoli. + diff --git a/TODO.md b/TODO.md new file mode 100644 index 00000000..8030558a --- /dev/null +++ b/TODO.md @@ -0,0 +1,15 @@ +- arp sentinel + +- ``` shell + if [[ $# -eq 0 ]]; then + print $0 "have to be used with the following options \ + \n \ + \ninstall -> fresh install OpenBSD VPS \ + \nupgrade -> upgrade OpenBSD VPS \ + \nreset -> reset OpenBSD VPS \ + \n" + + exit 1 + fi + ``` + diff --git a/clean_last b/clean_last new file mode 100755 index 00000000..d4ab999a --- /dev/null +++ b/clean_last 
@@ -0,0 +1,58 @@ +#!/bin/ksh + +set -o errexit +set -o nounset + +PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin:/root/Bin +BACKUPS="/root/Backups" + +uid=$(id -u) +datarelease=$(date +"%d%m%Y%H%m%S") + + + + +function backup { + CURRENTBACKUP="$BACKUPS/$datarelease" + mkdir -p "$CURRENTBACKUP/$1/" + case $1 in + "etc") + tar -cvf "$CURRENTBACKUP/$1/etc.tar" /etc + ;; + esac +} + + +if [[ $uid -ne 0 ]]; then + print $0 "you've got to run $0 as UID=0 \n" + exit 1 +fi +nohup backup "etc" & > /tmp/nohup +last=$(basename $(cat /etc/iked.conf | grep "iked.conf." | tail -n 1 | awk '{print $2}' | sed 's/"//g' | sed 's/iked.conf.//')) +publichostname=$(echo $last | cut -d . -f1) +domainname=$(echo $last | sed "s/$publichostname.//") + +for a in $(dig ipsec20591.$domainname TXT +short @8.8.8.8 | sed "s/\"//g" | tr \; '\n' | sed '$d'); do + b=$(echo $a | cut -d : -f1) + if [[ "$b" -eq "$publichostname" ]]; then + srcid=$(echo $a | cut -d : -f2) + fi +done + +filename=$(find /etc -name "*$last" -maxdepth 1 -type f) +sed -i "/$last/d" /etc/iked.conf +/bin/rm -r "$filename" +rcctl restart iked +for file in $(grep "$last" /etc/* | grep hostname | cut -d : -f1); do + interface=$(echo $file | cut -d . -f2) + if [[ $interface == gre? ]]; then + ospfinterface=$interface + fi + ifconfig $interface destroy + /bin/rm -r $file +done +pubkey="$srcid@ca.$domainname" +sed -i "/interface $ospfinterface/,/}/d" /etc/ospfd.conf +/bin/rm -r "/etc/iked/pubkeys/ufqdn/${pubkey}" +nohup rcctl restart ospfd & > /tmp/nohup +exit diff --git a/console b/console new file mode 100755 index 00000000..dbb13a68 --- /dev/null +++ b/console 
@@ -0,0 +1,414 @@ +#!/usr/bin/bash + +#GLOBAL VAR + +uid=$(id -u) +userna=$(id -nu $uid) +userhome="/home/taglio" +proghome="$userhome/Sources/Git/OpenBSD" +daterelease=$(date +"%d%m%Y%H%m%S") + +if [[ $uid -ne 1000 ]]; then + echo -e $0 "you've got to run $0 as UID=1000 \n" + exit 1 +fi + +if [[ $# -eq 0 ]]; then + echo -e $0 "have to be used with the following options \ + \n-I -> local domain name [x]\ + \n-N -> newhost [o]\ + \n-G -> git pull [o]\ + \n-S -> scripts [o] \ + \n-D -> dyndnspop [o] \ + \n-F -> single file update [o] \ + \n-C -> cleanlast [o] \ + \n-RS -> repository ssh update [o] \ + \n-K -> new IKED pk12 archive [o] \ + \n-T -> tmux and SSH to all openbsd MESH hosts [o] \ + \n-M -> Mikrotik RouterOS add new OpenBSD [o] \ + \n-E -> Ubiquiti EdgeOS add new OpenBSD [o] \ + \n-P -> Mass syspatch OpenBSD hosts [o] \ + \n-Z -> Global network domains setup [o] \ + \n-OM -> Mikrotik RouterOS ospf-in/out filter [o] \ + \n-OE -> EdgeOS ospf-in/out filter [o] \ + \n-OO -> OpenBSD ospf filter [o] \ + \n-U -> update the workstation's user EdDSA certificate + \n" + + exit 1 +fi + +localdomainname=$2 + + +case $3 in + "-G") + for vpnc_host in $(dig openbsd.$localdomainname TXT +short | sed "s/\"//g" | tr \; '\n' | sed '$d'); do + echo -e "Connecting to $vpnc_host" + ssh $vpnc_host.$localdomainname git -C "$proghome" pull + done + ;; + "-N") + for vpnc_host in $(dig openbsd.$localdomainname TXT +short | sed "s/\"//g" | tr \; '\n' | sed '$d'); do + echo -e "Connecting to $vpnc_host" + ssh -t $vpnc_host.$localdomainname doas sh "/home/taglio/Sources/Git/OpenBSD/setup_node" -U newhost + done + ;; + "-S") + for vpnc_host in $(dig openbsd.$localdomainname TXT +short | sed "s/\"//g" | tr \; '\n' | sed '$d'); do + echo -e "Connecting to $vpnc_host" + ssh -t $vpnc_host.$localdomainname doas sh "/home/taglio/Sources/Git/OpenBSD/setup_node" -U scripts + done + ;; + "-D") + for vpnc_host in $(dig openbsd.$localdomainname TXT +short | sed "s/\"//g" | tr \; '\n' | sed '$d'); 
do + echo -e "Connecting to $vpnc_host" + ssh -t $vpnc_host.$localdomainname doas sh "/home/taglio/Sources/Git/OpenBSD/setup_node" -U dyndnspop + sleep 10 + done + ;; + "-F") + for vpnc_host in $(dig openbsd.$localdomainname TXT +short | sed "s/\"//g" | tr \; '\n' | sed '$d'); do + echo -e "Connecting to $vpnc_host" + ssh -t $vpnc_host.$localdomainname doas sh "/home/taglio/Sources/Git/OpenBSD/setup_node" -U file + sleep 10 + done + ;; + "-C") + for vpnc_host in $(dig openbsd.$localdomainname TXT +short | sed "s/\"//g" | tr \; '\n' | sed '$d'); do + echo -e "Connecting to $vpnc_host" + ssh -t $vpnc_host.$localdomainname doas sh "/home/taglio/Sources/Git/OpenBSD/setup_node" -A cleanlast + done + ;; + "-P") + for vpnc_host in $(dig openbsd.$localdomainname TXT +short | sed "s/\"//g" | tr \; '\n' | sed '$d'); do + echo -e "Connecting to $vpnc_host" + ssh -t $vpnc_host.$localdomainname doas syspatch + done + ;; + "-RS") + lanhost= + while [ -z $lanhost ] + do + echo 'Type the LAN hostname ' + read lanhost + done + pubhost= + while [ -z $pubhost ] + do + echo 'Type the public hostname ' + read pubhost + done + hash= + while [ -z $hash ] + do + echo 'Type the ED25519 hash ' + read hash + done + if [[ $(grep -c $lanhost src/etc/ssh/remote_install/authorized_keys) -gt 0 ]]; then + for linenum in $(grep -n $lanhost src/etc/ssh/remote_install/authorized_keys | cut -d : -f1); do + sed -i "$linenum"d src/etc/ssh/remote_install/authorized_keys + done + fi + + echo "ssh-ed25519 $hash root@$lanhost" >> src/etc/ssh/remote_install/authorized_keys + # if [[ $(grep -c $pubhost src/etc/ssh/ssh_known_hosts) -gt 0 ]]; then + # for linenum in $(grep -n $pubhost src/etc/ssh/ssh_known_hosts | cut -d : -f1); do + # sed -i "$linenum"d src/etc/ssh/ssh_known_hosts + # done + # fi + # + # echo "# $pubhost:31137 SSH-2.0-OpenSSH_8.6" >> src/etc/ssh/ssh_known_hosts + # echo "[$pubhost]:31137 ssh-ed25519 $hash" >> src/etc/ssh/ssh_known_hosts + echo -e "remote_install/authorized_keys and 
ssh_known_hosts UPDATED + \n please use git_openbsd.sh to update the public GIT" + ;; + "-K") + ikedpub= + while [ -z $ikedpub ] + do + echo 'Type the PATH to the new iked PK12 file ' + read ikedpub + done + tmpdir=$(mktemp -d) + pk12=$(basename $ikedpub) + publichost=$(echo $pk12 | sed 's/.p12//') + publichostname=$(echo $publichost | cut -d . -f1) + domainname=$(echo $publichost | sed "s/$publichostname.//") + + + for a in $(dig ipsec20591.$domainname TXT +short @8.8.8.8 | sed "s/\"//g" | tr \; '\n' | sed '$d'); do + b=$(echo $a | cut -d : -f1) + if [[ "$b" -eq "$publichostname" ]]; then + srcid=$(echo $a | cut -d : -f2) + fi + done + ssh-keygen -f "/home/riccardo/.ssh/known_hosts" -R "$publichost" + scp $ikedpub "taglio@$publichost:/tmp" + openssl pkcs12 -nodes -in $ikedpub -nocerts -passin pass:123456789 -passout pass:123456789 -out "$tmpdir/local.key" + openssl pkcs12 -nodes -in $ikedpub -clcerts -nokeys -passin pass:123456789 -passout pass:123456789 -out "$tmpdir/new.crt" + openssl x509 -pubkey -noout -passin pass:123456789 -in "$tmpdir/new.crt" > src/etc/iked/pubkeys/ufqdn/"$srcid@ca.$domainname" + rm -rf $tmpdir + echo -e "$srcid@ca.$domainname created please update repository and all the others Openbsd hosts" + ;; + "-T") + echo -e "Launching TMUX" + tmux new-session -d -s "LOBBY" + for vpnc_host in $(dig openbsd.$localdomainname TXT +short | sed "s/\"//g" | tr \; '\n' | sed '$d'); do + echo -e "Creating $vpnc_host TMUX windows" + tmux rename-window "$vpnc_host" + tmux send -t "LOBBY:$vpnc_host" ssh SPACE "$vpnc_host.$localdomainname" ENTER + tmux new-window + done + tmux rename-window "CA" + tmux send -t "LOBBY:CA" ssh SPACE "ca.$localdomainname" ENTER + tmux new-window + tmux rename-window $(hostname -s) + tmux -2 attach-session -t "LOBBY" + ;; + "-M") + mkhost= + while [ -z $mkhost ] + do + echo 'Type the Mikrotik internal hostname ' + read mkhost + done + openbsd= + while [ -z $openbsd ] + do + echo 'Type the new OpenBSD internal hostname ' + read 
openbsd + done + mkaddr=$(ssh admin@$mkhost /ip addr pr where dynamic | awk '{print $3}' | grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b") + mkpublichost=$(dig -x $mkaddr +short @8.8.8.8 | sed 's/.$//') + wget "http://$openbsd.$2/$mkpublichost/$mkpublichost.rsc" -O "/tmp/$mkpublichost.rsc" + scp "/tmp/$mkpublichost.rsc" "admin@$mkhost:/$mkpublichost.rsc" + ssh admin@$mkhost /import file-name=$mkpublichost.rsc + echo -e "Host $openbsd.$2 configured into Mikrotik $mkhost.$2" + ssh admin@$mkhost /sys package update check-for-updates + ;; + "-E") + edgehost= + while [ -z $edgehost ] + do + echo 'Type the EdgeOS external hostname ' + read edgehost + done + openbsd= + while [ -z $openbsd ] + do + echo 'Type the new OpenBSD internal hostname ' + read openbsd + done + publicip=$(ssh -q $openbsd.$localdomainname ifconfig egress | awk 'FNR == 7' | awk '{print $2}') + publichost=$(dig -x $publicip +short | sed 's/.$//' | cut -d . -f1) + publicdomainname=$(dig -x $publicip +short | sed "s/$publichost.//" | sed 's/.$//') + publichostname=$(echo $edgehost | sed "s/.$publicdomainname//") + for edge_host in $(dig edgeos.$localdomainname TXT +short | sed "s/\"//g" | tr \; '\n' | sed '$d'); do + publicedgehost=$(echo $edge_host | cut -d : -f2) + if [[ $publichostname = $publicedgehost ]]; then + edgeos=$(echo $edge_host | cut -d : -f1) + fi + done + wget "http://$openbsd.$2/$edgehost.tar" -O "/tmp/$edgehost.tar" + cd /tmp + if [[ ! 
-d "$edgehost" ]]; then + mkdir "$edgehost" + fi + tar xvf "/tmp/$edgehost.tar" -C "/tmp/$edgehost" + cd $edgehost + for file in $(ls .); do + if [[ $file = "gre.sh" || $file = "ospf.sh" || $file = "ipsec.sh" ]]; then + cat $file | ssh -q $edgeos + elif [[ $file = *updown.sh ]]; then + a=$(echo $file | sed "s/-updown.sh//") + c=$(echo $a | sed "s/-//") + v=$(echo $file | sed "s/$a/$c/") + scp -q $file "$edgeos:/tmp" + ssh -q $edgeos "sudo mv /tmp/$file /config/ipsec/$v ; chmod +x /config/ipsec/$v" + elif [[ $file = *_netwatch.sh ]]; then + a=$(echo $file | sed "s/_netwatch.sh//") + c=$(echo $a | sed "s/-//") + v=$(echo $file | sed "s/$a/$c/") + scp -q $file "$edgeos:/tmp" + ssh -q $edgeos "sudo mv /tmp/$file /config/scripts/$v; chmod +x /config/scripts/$v" + elif [[ $file = *.crt ]]; then + scp -q $file "$edgeos:/tmp" + ssh -q $edgeos sudo cp "/tmp/$file" /config/auth; sudo mv "/tmp/$file" /etc/ipsec.d/certs/ + elif [[ $file = *.conf ]]; then + if [[ $(ssh -q $edgeos grep -c telecomlobby-$(head -n 1 $file | cut -d \- -f2) /config/ipsec.conf) -eq 0 ]]; then + cat $file | ssh -qt $edgeos "cat - >> /config/ipsec.conf" + fi + fi + done + ssh -q $edgeos echo "cp /config/auth/$publichostname.crt /etc/ipsec.d/certs/" >> /config/scripts/post-config.d/files.sh + ctrl= + while [ -z $ctrl ] + do + echo "Do you want to restart ipsec into $edgeos " + read ctrl + done + rm -rf "/tmp/$edgehost" + case $ctrl in + "yes") + ssh -q $edgeos restart vpn + ;; + "no") + ;; + *) + echo 'Reply yes or no' + ;; + esac + + ;; + "-Z") + comdomains= + echo -e "Type the two .com domains (the principle and the secondary) divided by a comma: " + read comdomains + principledomain=$(printf $comdomains | cut -d , -f1) + secondarydomain=$(printf $comdomains | cut -d , -f2) + for domain in $(printf "$comdomains" | xargs -d, -n1); do + echo -e "\n$domain: " + whois -H $domain | grep "Name Server" | grep -v "^Name" + dnssec=$(whois -H $domain| grep DNSSEC | awk '{print $2}') + [[ $dnssec == "unsigned" ]] 
|| echo -e "\nDNSSEC not enable onto $domain!" + echo "<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>" + done + echo -e "You've got servers in:\n" + for vpnc_host in $(dig openbsd.$localdomainname TXT +short | sed "s/\"//g" | tr \; '\n' | sed '$d'); do + local=$(ssh -q $vpnc_host.$localdomainname readlink /etc/localtime | sed "s/\/usr\/share\/zoneinfo\///") + zonetab=$(ssh -q $vpnc_host.$localdomainname cat /usr/share/zoneinfo/zone.tab | grep $local) + [[ $zonetab ]] && echo -e "\n$zonetab\n" || echo -e "\n$local\n" + publicip=$(ssh -q $vpnc_host.$localdomainname ifconfig egress | grep inet |grep -v inet6 | cut -d ' ' -f2) + curl -s "http://ipinfo.io/$publicip" | sed '/readme/d' + loc=$(curl -s "http://ipinfo.io/$publicip" | grep loc | awk '{print $2}' | sed 's/.$//' | sed "s/\"//g") + long=$(echo $loc | cut -d , -f2 | cut -d . -f1) + lat=$(echo $loc | cut -d , -f1 | cut -d . -f1) + echo -e "\nLAT --> $lat" + echo -e "LONG --> $long\n" + if [[ $long -ge -180 && $long -le -60 && $lat -ge 0 ]]; then group=1; fi + if [[ $long -ge -60 && $long -le 60 && $lat -ge 0 ]]; then group=3; fi + if [[ $long -ge 60 && $long -le 180 && $lat -ge 0 ]]; then group=5; fi + if [[ $long -ge -180 && $long -le -60 && $lat -le 0 ]]; then group=2; fi + if [[ $long -ge -60 && $long -le 60 && $lat -le 0 ]]; then group=4; fi + if [[ $long -ge 60 && $long -le 180 && $lat -le 0 ]]; then group=6; fi + echo -e "GROUP --> $group\n" + done + ;; + "-OM") + mk= + echo -e "Type the internal hostname of the Mikrotik: " + read mk + for ((x=0 ; x<255 ;)); do + for ((y=0 ; y<4; )); do + [[ $x < 255 ]] && \ + case $y in + 0) + ssh -q admin@$mk "/routing filter add action=discard address-family=ip chain=ospf-in ospf-type=intra-area prefix=10.10.10.$x prefix-length=30 protocol=ospf" + ssh -q admin@$mk "/routing filter add action=discard address-family=ip chain=ospf-out ospf-type=intra-area prefix=10.10.10.$x prefix-length=30 protocol=ospf match-chain=ospf-out" + ;; + 3) + ;; + *) + ssh -q admin@$mk "/routing 
filter add action=discard address-family=ip chain=ospf-in ospf-type=intra-area prefix=10.10.10.$x protocol=ospf" + ssh -q admin@$mk "/routing filter add action=discard address-family=ip chain=ospf-out ospf-type=intra-area prefix=10.10.10.$x protocol=ospf match-chain=ospf-out" + ;; + esac + let x+=1 + let y+=1 + done + done + ;; + "-OE") + edgeos= + echo -e "Type the internal hostname of the EdgeOS: " + read edgeos + edgescript=$(mktemp) + echo "/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper begin" > $edgescript + echo "/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set policy access-list 113" >> $edgescript + echo "/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set policy access-list 113 description OSPF-IN" >> $edgescript + #echo "/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set policy access-list 131" >> $edgescript + #echo "/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set policy access-list 131 description OSPF-OUT" >> $edgescript + for ((x=0 ; x<=255 ;)); do + for ((y=0 ; y<4; )); do + [[ $x < 255 ]] && \ + + case $y in + 0) + echo "/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set policy access-list 113 rule $((x+1)) action deny" >> $edgescript + #echo "/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set policy access-list 131 rule $((x+1)) action deny" >> $edgescript + echo "/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set policy access-list 113 rule $((x+1)) destination inverse-mask 252.255.255.255" >> $edgescript + echo "/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set policy access-list 113 rule $((x+1)) destination network 10.10.10.$x" >> $edgescript + echo "/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set policy access-list 113 rule $((x+1)) source any" >> $edgescript + #echo "/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set policy access-list 131 rule $((x+1)) destination inverse-mask 252.255.255.255" >> $edgescript + #echo "/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set policy access-list 131 rule $((x+1)) destination network 10.10.10.$x" >> $edgescript + ;; + 3) + ;; + *) + echo 
"/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set policy access-list 113 rule $((x+1)) action deny" >> $edgescript + #echo "/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set policy access-list 131 rule $((x+1)) action deny" >> $edgescript + echo "/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set policy access-list 113 rule $((x+1)) destination host 10.10.10.$x" >> $edgescript + #echo "/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set policy access-list 131 rule $((x+1)) destination host 10.10.10.$x" >> $edgescript + echo "/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set policy access-list 113 rule $((x+1)) source any" >> $edgescript + ;; + esac + + + let x+=1 + let y+=1 + done + done + echo "/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set policy access-list 113 rule $((x+10)) action permit" >> $edgescript + #echo "/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set policy access-list 131 rule $((x+10)) action permit" >> $edgescript + echo "/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set policy access-list 113 rule $((x+10)) destination any" >> $edgescript + echo "/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set policy access-list 113 rule $((x+10)) source any" >> $edgescript + #echo "/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set policy access-list 131 rule $((x+10)) destination any" >> $edgescript + echo "/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper commit" >> $edgescript + echo "/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper save" >> $edgescript + + cat $edgescript | grep -v "rule 256" + ;; + "-OO") + + ;; + "-U") + if [[ ! 
-d "$HOME/.ssh/Backup$daterelease" ]]; then + mkdir "$HOME/.ssh/Backup$daterelease" + else + rm -rf "$HOME/.ssh/Backup$daterelease" + mkdir "$HOME/.ssh/Backup$daterelease" + fi + if [[ -e "$HOME/.ssh/id_ed25519" ]]; then + mv $HOME/.ssh/{id_ed25519,id_ed25519.pub,id_ed25519-cert.pub} "$HOME/.ssh/Backup$daterelease" + fi + ssh-keygen -t ed25519 -C "taglio@$localdomainname" + pwdfile=$(mktemp) + # Read Password + password=$(systemd-ask-password "Enter password: ") + # Run Command + echo $password > $pwdfile + echo -n Type the mounted FAT32 pen drive directory: + read fat32pen + if [[ ! -d "$fat32pen" ]]; then + mkdir "$fat32pen/CA_update" + else + rm -rf "$fat32pen/CA_update" + mkdir "$fat32pen/CA_update" + fi + cp "$HOME/.ssh/id_ed25519.pub" "$fat32pen/CA_update" + cp $pwdfile "$fat32pen/CA_update/capwd.txt" + srm $pwdfile + umount $fat32pen + ctrl= + while [ -z $ctrl ] + do + echo -e "Ready? type 1 " + read ctrl + done + cp "$fat32pen/CA_update/id_ed25519-cert.pub" "$HOME/.ssh/" + srm "$fat32pen/CA_update/" + ;; + *) + ;; +esac diff --git a/data/GRE-TABLE.sql b/data/GRE-TABLE.sql new file mode 100644 index 00000000..f77f7730 --- /dev/null +++ b/data/GRE-TABLE.sql 
@@ -0,0 +1,33 @@ +CREATE TABLE [GRE] ( + [HOST-SRCID] NVARCHAR(30) , + [PTP] NVARCHAR(5) PRIMARY KEY, + [PTP-NETWORK] NVARCHAR(16), + [PTP-LATENCY] INTEGER, + [INTERFACE] NVARCHAR(13), + [COST] INTEGER, + [HOPCOST] INTEGER +); + +INSERT INTO GRE (HOST-SRCID, PTP, PTP-NETWORK, PTP-LATENCY, INTERFACE, COST, HOPCOST) +VALUES + ("indra@ca.telecomlobby.com", "ES-FR", "10.10.10.252/30", 24, "tun0", 12, 0), + ("indra@ca.telecomlobby.com", "ES-UK", "10.10.10.228/30", 35, "tun3", 17, 0), + ("indra@ca.telecomlobby.com", "ES-US", "10.10.10.236/30", 139, "tun1", 70, 0), + ("indra@ca.telecomlobby.com", "ES-JP", "10.10.10.232/30", 267, "tun2", 133, 0), + ("uma@ca.telecomlobby.com", "FR-ES", "10.10.10.252/30", 24, "gre-tunnel1", 12, 0), + ("uma@ca.telecomlobby.com", "FR-UK", "10.10.10.248/30", 6, "gre-tunnel2", 3, 13), + ("uma@ca.telecomlobby.com", "FR-US", "10.10.10.244/30", 109, "gre-tunnel4", 55, 65), + ("uma@ca.telecomlobby.com", "FR-JP", "10.10.10.240/30", 231, "gre-tunnel3", 115, 125), + ("ganesha@ca.telecomlobby.com", "UK-ES", "10.10.10.228/30", 35, "gre1", 17, 0), + ("ganesha@ca.telecomlobby.com", "UK-FR", "10.10.10.248/30", 6, "gre0", 3, 13), + ("ganesha@ca.telecomlobby.com", "UK-US", "10.10.10.225/30", 105, "gre2", 52, 62), + ("ganesha@ca.telecomlobby.com", "UK-JP", "10.10.10.114/30", 244, "gre3", 122, 132), + ("shiva@ca.telecomlobby.com", "JP-ES", "10.10.10.232/30", 267, "gre12", 133, 0), + ("shiva@ca.telecomlobby.com", "JP-FR", "10.10.10.240/30", 231, "gre0", 115, 125), + ("shiva@ca.telecomlobby.com", "JP-US", "10.10.10.118/30", 151, "gre2", 75, 0), + ("shiva@ca.telecomlobby.com", "JP-UK", "10.10.10.114/30", 244, "gre3", 122, 132), + ("saraswati@ca.telecomlobby.com", "US-ES", "10.10.10.236/30", 139, "gre1", 70, 0), + ("saraswati@ca.telecomlobby.com", "US-FR", "10.10.10.244/30", 109, "gre0", 55, 65), + ("saraswati@ca.telecomlobby.com", "US-UK", "10.10.10.225/30", 105, "gre2", 52, 62), + ("saraswati@ca.telecomlobby.com", "US-JP", "10.10.10.118/30", 151, "gre3", 75, 0); 
+ diff --git a/data/gre.db b/data/gre.db new file mode 100644 index 00000000..23c5a267 Binary files /dev/null and b/data/gre.db differ diff --git a/img/OpenBSD_5-9.jpg b/img/OpenBSD_5-9.jpg new file mode 100644 index 00000000..7d3db180 Binary files /dev/null and b/img/OpenBSD_5-9.jpg differ diff --git a/installation/autodisklabel b/installation/autodisklabel new file mode 100644 index 00000000..b1d564f4 --- /dev/null +++ b/installation/autodisklabel @@ -0,0 +1,2 @@ +/ 250M-95% +swap 250M-5% diff --git a/installation/disklabel b/installation/disklabel deleted file mode 100644 index 6f234706..00000000 --- a/installation/disklabel +++ /dev/null @@ -1,2 +0,0 @@ -/ 3G -swap 512M diff --git a/installation/disklabel-vps b/installation/disklabel-vps deleted file mode 100644 index 43034904..00000000 --- a/installation/disklabel-vps +++ /dev/null @@ -1,2 +0,0 @@ -/ 13G -swap 512M diff --git a/installation/install-vps.conf b/installation/install-vps.conf index 5c24506f..efb1f708 100644 --- a/installation/install-vps.conf +++ b/installation/install-vps.conf 
@@ -8,24 +8,26 @@ IPv6 address for vio0 = autoconf Which network interface do you wish to configure = done Default IPv4 route = DNS domain name = telecom.lobby -Password for root = 123456789 +Password for root = $2b$10$4tPKeRmxVyffVkrQMve70.CiPmE28khH9UXiuSYpzAKbZrOfQq0Pm #Public ssh key for root account = ssh key stored in /root/.ssh/authorized_keys Start sshd(8) by default = yes Do you expect to run the X Window System = no Setup a user = taglio Full name for user = Riccardo Giuntoli -Password for user = 123456789 -#Public ssh key for user = ssh key stored in ~/.ssh/authorized_keys +Password for user = ********* +Public ssh key for user = ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKG4yMhKX37SXV8LGDuVe4r1PBSS5HOWb6jFpNiG3cvW taglio@telecom.lobby Allow root ssh login = no -What timezone are you in = Europe/Sofia +What timezone are you in = UTC Which disk is the root disk = sd0 # see disklabel.min, disklabel, or disklabel.lax -URL to autopartitioning template for disklabel = https://raw.githubusercontent.com/redeltaglio/OpenBSD/master/installation/disklabel-vps +# URL to autopartitioning template for disklabel = https://raw.githubusercontent.com/redeltaglio/OpenBSD/master/installation/autodisklabel Unable to connect using https. Use http instead = yes Location of sets = http HTTP proxy URL = none HTTP Server = cdn.openbsd.org -Server directory = pub/OpenBSD/6.8/amd64 -Set name(s) = -x* +Server directory = pub/OpenBSD/6.9/amd64 +#Set name(s) = -x* # or minimum sets (disklabel.min) -#Set name(s) = -comp* -game* -x* +Set name(s) = -comp* -x* +Continue without verification = yes + diff --git a/io b/io deleted file mode 100644 index e69de29b..00000000 diff --git a/pdf/Vyatta-OSPF_6.5R1_v01.pdf b/pdf/Vyatta-OSPF_6.5R1_v01.pdf new file mode 100644 index 00000000..6c1a7f57 Binary files /dev/null and b/pdf/Vyatta-OSPF_6.5R1_v01.pdf differ diff --git a/setup_node b/setup_node index 027ec372..328be681 100755 --- a/setup_node +++ b/setup_node 
@@ -3,60 +3,744 @@ # $Telecomlobby: setup_node,v 0.1 11/3/2021 21:01:04 taglio$ # #unbound: https://blog.c6h12o6.org/post/unbound-dnssec-dns-over-tls/ -#sshd: https://github.com/vedetta-com/vedetta/blob/master/src/usr/local/share/doc/vedetta/OpenSSH_Principals.md +#sshd: https:/github.com/vedetta-com/vedetta/blob/master/$basedir/src/usr/local/share/doc/vedetta/OpenSSH_Principals.md +#smptd: https://github.com/vedetta-com/caesonia +#smtpd: https://www.vultr.com/docs/an-openbsd-e-mail-server-using-opensmtpd-dovecot-rspamd-and-rainloop +#smtpd: https://prefetch.eu/blog/2020/email-server/ +#smtpd: https://poolp.org/posts/2019-09-14/setting-up-a-mail-server-with-opensmtpd-dovecot-and-rspamd/ +#smtpd: https://unixsheikh.com/tutorials/arch-linux-mail-server-tutorial-part-2-opensmtpd-dovecot-dkimproxy-and-lets-encrypt.html +#smtpd: https://wiki.archlinux.org/title/OpenSMTPD +#smtpd: https://git.sr.ht/~guidocella/personal-email-server-guide +#nsd and powerdns: https://github.com/vedetta-com/dithematic +#geoip and powerdns: https://doc.powerdns.com/authoritative/backends/geoip.html +#OSPF: NBMA design https://www.blackhole-networks.com/OSPF_overload/ +##### +# +#TODO ssh reverse tool in installation to launch different process executed by hand +# configure to create /tmp/config.ini +# +# +##### set -o errexit set -o nounset -PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin:/root/Bin -UID=$(id -u) +PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin:/root/Bin:/home/taglio/Sources/Git/OpenBSD +BACKUPS="/root/Backups" + +#GLOBAL VAR + +uid=$(id -u) +app=$(basename $0) +egressinterface=$(ifconfig egress | cut -d : -f1 | head -n1) +publicip=$(ifconfig $egressinterface | grep inet |grep -v inet6 | cut -d ' ' -f2) +publicnetmask=$(ifconfig $egressinterface | grep inet | grep -v inet6 | awk '{print $4}') +publicbcast=$(ifconfig $egressinterface | grep inet | grep -v inet6 | awk '{print $6}') +publichost=$(dig -x $publicip +short @8.8.8.8 | sed 
's/.$//') +domainname=$(print $publichost | sed 's/^[^.]*.//') +defaultv4router=$(route -n show | awk '/default/{print $2}' | head -n 1) +macdefaultv4router=$(arp -an | grep -w $defaultv4router | awk '{print $2}') +dyndns=$(host -t a cat-01.hopto.org | cut -d ' ' -f4) +basedir="/home/taglio/Sources/Git/OpenBSD" +tmpdir=$(mktemp -d) +datarelease=$(date +"%d%m%Y%H%m%S") +userna=$(id -nu $uid) +ipv6ctrl= +ipv6egress= +ipv6prefix= +ipv6defrouter= +sha256ctrl=0 + +umask 002 -if [[ $UID -ne 0 ]]; then +if [[ $uid -ne 0 ]]; then print $0 "you've got to run $0 as UID=0 \n" exit 1 fi - +if [[ $# -eq 0 ]]; then + print $0 "have to be used with the following options \ + \n \ + \n-I -> install \ + \n-U -> upgrade \ + \n-D -> daemons \ + \n-A -> administrate \ + \n" + + exit 1 +fi function error_exit { echo "${app}: ${1:-"Unknown Error"}" 1>&2 exit 1 } -app=$(basename $0) -backups="/root/Backups" -publicip=$(ifconfig egress | grep inet |grep -v inet6 | cut -d ' ' -f2) -dyndns=$(host -t a cat-01.hopto.org | cut -d ' ' -f4) -basedir=$(pwd) - function pidof { ps axc -o pid,command | awk "\$2~/^`echo $1`\$/ {print \$1}" } function pkg { - phase=$1 + typeset var phase=$1 case $phase in "shell") - pkg_add colorls nano wget fping iperf uptimed oidentd - ;; + pkg_add colorls nano wget fping iperf uptimed oidentd sqlite3 \ + nmap tor ipcalc gnupg-- rspamd-- + ;; + "smtpd") + pkg_add opensmtpd-filter-rspamd \ + dovecot dovecot-pigeonhole + ;; + "powernsd") + pkg_add powerdns ldns-utils drill + ;; esac } function cleanold { - directory=$1 + typeset var directory=$1 for file in $directory*.old; do if [[ -e "$file" ]]; then - mv $file $backups + mv $file $BACKUPS fi done for file in $directory.*.old; do if [[ -e "$file" ]]; then - mv $file $backups + mv $file $BACKUPS fi done } +function custom { + for file in $(find $1 -type f -maxdepth $2); do + (: "${hostname?}") 2>/dev/null && sed -i "s/\/HOSTNAME\//$hostname/g" $file + (: "${landomainname?}") 2>/dev/null && sed -i 
"s/\/LANDOMAINNAME\//$landomainname/g" $file + (: "${routerid?}") 2>/dev/null && sed -i "s/\/ROUTERID\//$routerid/g" $file + (: "${publichost?}") 2>/dev/null && sed -i "s/\/PUBLICHOST\//$publichost/g" $file + (: "${domainname?}") 2>/dev/null && sed -i "s/\/DOMAINNAME\//$domainname/g" $file + (: "${srcid?}") 2>/dev/null && sed -i "s/\/SRCID\//$srcid/g" $file + (: "${publichostname?}") 2>/dev/null && sed -i "s/\/PUBLICHOSTNAME\//$publichostname/g" $file + (: "${publicip?}") 2>/dev/null && sed -i "s/\/PUBLICIP\//$publicip/g" $file + (: "${dyndns?}") 2>/dev/null && sed -i "s/\/DYNDNS\//$dyndns/g" $file + (: "${publicnetmask?}") 2>/dev/null && sed -i "s/\/PUBLICNETMASK\//$publicnetmask/g" $file + (: "${publicbcast?}") 2>/dev/null && sed -i "s/\/PUBLICBCAST\//$publicbcast/g" $file + (: "${ipv6egress?}") 2>/dev/null && sed -i "s/\/PUBV6\//${ipv6egress}/g" $file + (: "${ipv6prefix?}") 2>/dev/null && sed -i "s/\/PREFIX\//${ipv6prefix}/g" $file + (: "${defaultv4router?}") 2>/dev/null && sed -i "s/\/ROUTEV4\//${defaultv4router}/g" $file + (: "${ipv6defrouter?}") 2>/dev/null && sed -i "s/\/ROUTEV6\//${ipv6defrouter}/g" $file + + done +} + +function sha256compare { + if [[ -e $1 ]]; then + oldsha256=$(sha256 $1 | awk '{print $4}') + else + oldsha256="" + fi + newsha256=$(sha256 $2 | awk '{print $4}') + if [ "$oldsha256" != "$newsha256" ]; then + sha256ctrl=1 + else + sha256ctrl=0 + fi +} + + +function backup { + CURRENTBACKUP="$BACKUPS/$datarelease" + mkdir -p "$CURRENTBACKUP/$1/" + case $1 in + "static") + + cp -p /etc/{hostname.$egressinterface,mygate} "$CURRENTBACKUP/$1/" + ;; + "basic") + mkdir -p "$CURRENTBACKUP/$1/{$uidna,root,etc}" + for file in $(find "/home/$uidna" -type f -maxdepth 1 -name ".*"); do + cp -p $file "$CURRENTBACKUP/$1/$uidna" + done + for file in $(find "/root" -type f -maxdepth 1 -name ".*"); do + cp -p $file "$CURRENTBACKUP/$1/root" + done + + cp -p /etc/{dhclient.conf,resolv.conf.tail,doas.conf,myname,sysctl.conf,hostname.vether0,daily.local,rc.local} 
"$CURRENTBACKUP/$1/etc" + ;; + "users") + for file in $(find "/home/$uidna/Bin" -type f -maxdepth 1 ); do + cp -p $file "$CURRENTBACKUP/$1" + done + ;; + "scripts") + for file in $(find "/root/Bin" -type f -maxdepth 1 ); do + cp -p $file "$CURRENTBACKUP/$1" + done + ;; + "unbound") + mkdir -p "$CURRENTBACKUP/$1/{etc,db}" + for file in $(find "/var/unbound/etc" -type f -maxdepth 1); do + cp -p $file "$CURRENTBACKUP/$1/etc" + done + for file in $(find "/var/unbound/db" -type f -maxdepth 1); do + cp -p $file "$CURRENTBACKUP/$1/db" + done + ;; + "ssh") + for file in $(find "/etc/ssh" -type f -maxdepth 2); do + cp -p $file "$CURRENTBACKUP/$1/" + done + ;; + "ipsec") + cp -Rp /etc/iked/ "$CURRENTBACKUP/$1/" + cp -p /etc/{iked.conf,iked.conf.*} "$CURRENTBACKUP/$1/" + ;; + "gre") + configuration "gre" + ;; + "pf") + for file in $(find "/etc" -type f -maxdepth 1 -name "pf.*"); do + cp -p $file "$CURRENTBACKUP/$1/" + done + + ;; + "ospf") + configuration "ospf" + ;; + "ntpd") + configuration "ntpd" + ;; + "remote") + if [[ -d /etc/ssh/remote_install ]]; then + for file in $(find "/etc/ssh/remote_install" -type f -maxdepth 1); do + cp -p $file "$CURRENTBACKUP/$1/" + done + fi + ;; + "httpdbasic") + for file in $(find /etc -name "httpd.*" -type f -maxdepth 1); do + cp -p $file "$CURRENTBACKUP/$1/" + done + ;; + "relayd") + configuration "relayd" + ;; + "all") + sh setup_node -I + ;; + esac +} + + +function upgrade { + case $1 in + "unbound") + pkill dhclient + install -o root -g wheel -m 0644 $basedir/src/etc/resolv.conf /etc/ + install -o _unbound -g _unbound -m 0750 $basedir/src/var/unbound/etc/unbound.conf /var/unbound/etc/unbound.conf + install -o _unbound -g _unbound -m 0750 $basedir/src/var/unbound/etc/stub-zone.conf /var/unbound/etc/stub-zone.conf + rcctl restart unbound || error_exit "$LINENO: ERROR: UNBOUND failed." + ;; + "ssh") + if [[ ! -d "$basedir/../OpenBSD-private-CA" ]]; then + echo "OpenBSD-private-CA not found cloning it..." + cd .. 
+ git clone https://github.com/redeltaglio/OpenBSD-private-CA.git + chown -R taglio:wheel OpenBSD-private-CA/ + cd OpenBSD-private-CA + sh setup_host + else + cd "$basedir/../OpenBSD-private-CA" + git pull + cd .. + chown -R taglio:wheel OpenBSD-private-CA/ + cd OpenBSD-private-CA + sh setup_host + fi + rm /etc/ssh/principals/taglio + echo "wheel" > /etc/ssh/principals/taglio + ;; + "ipsec") + sha256compare "/etc/iked/ca/ca.crt" "$basedir/src/etc/iked/ca/ca.crt" + if [[ $sha256ctrl -eq 1 ]]; then + echo "ca.crt upgrade" + install -o root -g wheel -m 0644 $basedir/src/etc/ca/ca.crt /etc/iked/ca/ + fi + tmpdir=$(mktemp -d) + openssl pkcs12 -nodes -in "/tmp/$publichost.p12" -nocerts -passin pass:123456789 -passout pass:123456789 -out "$tmpdir/local.key" + openssl pkcs12 -nodes -in "/tmp/$publichost.p12" -clcerts -nokeys -passin pass:123456789 -passout pass:123456789 -out "$tmpdir/$publichost.crt" + openssl x509 -pubkey -noout -passin pass:123456789 -in "/etc/iked/certs/$publichost.crt" > "$tmpdir/local.pub" + sha256compare "/etc/iked/private/local.key" "$tmpdir/local.key" + if [[ $sha256ctrl -eq 1 ]]; then + echo "local.key upgrade" + openssl pkcs12 -nodes -in "/tmp/$publichost.p12" -nocerts -passin pass:123456789 -passout pass:123456789 -out /etc/iked/private/local.key + openssl pkcs12 -nodes -in "/tmp/$publichost.p12" -clcerts -nokeys -passin pass:123456789 -passout pass:123456789 -out "/etc/iked/certs/$publichost.crt" + openssl x509 -pubkey -noout -passin pass:123456789 -in "/etc/iked/certs/$publichost.crt" > /etc/iked/local.pub + fi + rm -rf $tmpdir + for file in $(find $basedir/src/etc/iked/pubkeys/ufqdn/ -name "*@*"); do + filename=$(basename $file) + sha256compare "$file" "/etc/iked/pubkeys/ufqdn/$filename" + if [[ $sha256ctrl -eq 1 ]]; then + echo "$filename upgrade" + install -o root -g wheel -m 0644 $file /etc/iked/pubkeys/ufqdn/ + fi + done + rm -rf $tmpdir + tmpdir=$(mktemp -d) + cp $basedir/src/etc/iked.conf $tmpdir + if [[ $(grep -c hostname 
/tmp/config.ini) -eq 1 ]]; then + srcid=$(cat /tmp/config.ini | grep hostname |cut -d \# -f2) + else + srcid=$(hostname -s) + fi + if [[ "$srcid" == "varuna" ]]; then + srcid="neo" + fi + for vpnc_ip in $(dig vpnc.$domainname A +short @8.8.8.8); do + vpnc_host=$(dig -x $vpnc_ip +short @8.8.8.8 | sed 's/.$//') + if [[ -e "/etc/iked.conf.$vpnc_host" ]]; then + echo include \"/etc/iked.conf.$vpnc_host\" >> "$tmpdir/iked.conf" + if grep -q "ecp384" "/etc/iked.conf.$vpnc_host"; then + cp $basedir/src/etc/iked.conf.mikrotik "$tmpdir/iked.conf.$vpnc_host" + elif grep -q "ecp256" "/etc/iked.conf.$vpnc_host"; then + cp $basedir/src/etc/iked.conf.edgeos "$tmpdir/iked.conf.$vpnc_host" + else + cp $basedir/src/etc/iked.conf.openbsd "$tmpdir/iked.conf.$vpnc_host" + fi + sed -i "s/\/POP\//$vpnc_host/g" "$tmpdir/iked.conf.$vpnc_host" + sed -i "s/\/POPIP\//$vpnc_ip/g" "$tmpdir/iked.conf.$vpnc_host" + type=$(cat "/etc/iked.conf.$vpnc_host" | head -n 1 | awk '{print $3}') + sed -i "s/\/TYPE\//$type/g" "$tmpdir/iked.conf.$vpnc_host" + sed -i "s/\/PUBLICIP\//$publicip/g" "$tmpdir/iked.conf.$vpnc_host" + sed -i "s/\/PUBLICHOST\//$publichost/g" "$tmpdir/iked.conf.$vpnc_host" + sed -i "s/\/SRCID\//$srcid/g" "$tmpdir/iked.conf.$vpnc_host" + sed -i "s/\/DOMAINNAME\//$domainname/g" "$tmpdir/iked.conf.$vpnc_host" + encx=$(cat "/etc/iked.conf.$vpnc_host" | awk -F'enc' '{print substr($2,0,1)}' | tail -n 1) + sed -i "s/\/X\//$encx/g" "$tmpdir/iked.conf.$vpnc_host" + sha256compare "/etc/iked.conf.$vpnc_host" "$tmpdir/iked.conf.$vpnc_host" + if [[ $sha256ctrl -eq 1 ]]; then + echo "$vpnc_host upgrade" + install -o root -g wheel -m 0640 "$tmpdir/iked.conf.$vpnc_host" /etc/ + fi + fi + done + for vpnc_host in $(dig vpnc.telecomlobby.com TXT +short @8.8.8.8 | sed 's/\"//g'); do + if [[ -e "/etc/iked.conf.$vpnc_host" ]]; then + echo include \"/etc/iked.conf.${vpnc_host}\" >> "$tmpdir/iked.conf" + fi + vpnc_ip=$(dig $vpnc_host A +short @8.8.8.8 | tail -n 1) + cp $basedir/src/etc/iked.conf.edgeos 
"$tmpdir/iked.conf.$vpnc_host" + sed -i "s/\/POP\//$vpnc_host/g" "$tmpdir/iked.conf.$vpnc_host" + sed -i "s/\/POPIP\//$vpnc_ip/g" "$tmpdir/iked.conf.$vpnc_host" + type=$(cat "/etc/iked.conf.$vpnc_host" | head -n 1 | awk '{print $3}') + sed -i "s/\/TYPE\//$type/g" "$tmpdir/iked.conf.$vpnc_host" + sed -i "s/\/PUBLICIP\//$publicip/g" "$tmpdir/iked.conf.$vpnc_host" + sed -i "s/\/PUBLICHOST\//$publichost/g" "$tmpdir/iked.conf.$vpnc_host" + sed -i "s/\/SRCID\//$srcid/g" "$tmpdir/iked.conf.$vpnc_host" + sed -i "s/\/DOMAINNAME\//$domainname/g" "$tmpdir/iked.conf.$vpnc_host" + encx=$(cat "/etc/iked.conf.$vpnc_host" | awk -F'enc' '{print substr($2,0,1)}' | tail -n 1) + sed -i "s/\/X\//$encx/g" "$tmpdir/iked.conf.$vpnc_host" + sha256compare "/etc/iked.conf.$vpnc_host" "$tmpdir/iked.conf.$vpnc_host" + if [[ $sha256ctrl -eq 1 ]]; then + echo "$vpnc_host upgrade" + install -o root -g wheel -m 0640 "$tmpdir/iked.conf.$vpnc_host" /etc/ + fi + sha256compare "/etc/iked.conf.$vpnc_host" "$tmpdir/iked.conf.$vpnc_host" + if [[ $sha256ctrl -eq 1 ]]; then + echo "$vpnc_host upgrade" + install -o root -g wheel -m 0640 "$tmpdir/iked.conf.$vpnc_host" /etc/ + fi + done + sha256compare "/etc/iked.conf" "$tmpdir/iked.conf" + if [[ $sha256ctrl -eq 1 ]]; then + echo "iked.conf upgrade" + install -o root -g wheel -m 0600 "$tmpdir/iked.conf" /etc/iked.conf + fi + iked -n + if [[ $sha256ctrl -eq 1 ]]; then + rcctl restart iked || error_exit "$LINENO: ERROR: IKED failed." 
+ fi + + ;; + "gre") + configuration "gre" + ;; + "pf") + tmpdir=$(mktemp -d) + for file in $(find $basedir/src/etc/ -name "pf.*" -type f -maxdepth 1); do + cp $file $tmpdir + done + for vpnc_ip in $(dig vpnc.$domainname A +short @8.8.8.8); do + echo "$vpnc_ip/32" >> "$tmpdir/pf.conf.table.ipsec" + done + for vpnc_ip in $(dig vpncN.$domainname A +short @8.8.8.8); do + echo "$vpnc_ip/32" >> "$tmpdir/pf.conf.table.ipsec" + done + for vpnc_host in $(dig vpnc.telecomlobby.com TXT +short @8.8.8.8 | sed 's/\"//g'); do + vpnc_ip=$(dig $vpnc_host A +short @8.8.8.8 | tail -n 1) + if [[ ! -z $vpnc_ip ]]; then + echo "$vpnc_ip/32" >> "$tmpdir/pf.conf.table.ipsec" + fi + done + sha256compare "/etc/pf.conf.table.ipsec" "$tmpdir/pf.conf.table.ipsec" + if [[ $sha256ctrl -eq 1 ]]; then + echo "pf.conf.table.ipsec upgrade" + install -o root -g wheel -m 0640 "$tmpdir/pf.conf.table.ipsec" /etc/ + pfctl -nf /etc/pf.conf + pfctl -f /etc/pf.conf + fi + sha256compare "/etc/pf.conf.table.nsd" "$tmpdir/pf.conf.table.nsd" + if [[ $sha256ctrl -eq 1 ]]; then + echo "pf.conf.table.nsd upgrade" + install -o root -g wheel -m 0640 "$tmpdir/pf.conf.table.nsd" /etc/ + pfctl -nf /etc/pf.conf + pfctl -f /etc/pf.conf + fi + for file in $(find /etc -maxdepth 1 -name "iked.conf.*") ; do + tagged=$(echo $file | sed "s/\/etc\/iked.conf.//") + count=$(dig $tagged A +short @8.8.8.8 | wc -l) + if [[ $count -gt 1 ]]; then + iptagged=$(dig $tagged A +short @8.8.8.8 | tail -n 1) + else + iptagged=$(dig $tagged A +short @8.8.8.8) + fi + sed -i "s/\/TAGGED\//${tagged}/g" $tmpdir/pf.conf.macro.enc.{in,out} + sed -i "s/\/IPTAGGED\//${iptagged}/g" $tmpdir/pf.conf.macro.enc.{in,out} + cat $basedir/src/openbsd/pf.conf.openbsd | head -n 1 >> $tmpdir/pf.conf.macro.enc.in + cat $basedir/src/openbsd/pf.conf.openbsd | tail -n 1 >> $tmpdir/pf.conf.macro.enc.out + done + sed -i '$d' $tmpdir/pf.conf.macro.enc.{in,out} + sha256compare "/etc/pf.conf.macro.enc.in" "$tmpdir/pf.conf.macro.enc.in" + if [[ $sha256ctrl -eq 1 ]]; then 
+ echo "pf.conf.macro.enc.in upgrade" + install -o root -g wheel -m 0640 "$tmpdir/pf.conf.macro.enc.in" /etc/ + fi + sha256compare "/etc/pf.conf.macro.enc.out" "$tmpdir/pf.conf.macro.enc.out" + if [[ $sha256ctrl -eq 1 ]]; then + echo "pf.conf.macro.enc.out upgrade" + install -o root -g wheel -m 0640 "$tmpdir/pf.conf.macro.enc.out" /etc/ + fi + landomainname=$(cat /etc/myname | sed 's/^[^.]*.//') + custom "$tmpdir" "1" + sha256compare "/etc/pf.conf" "$tmpdir/pf.conf" + if [[ $sha256ctrl -eq 1 ]]; then + echo "pf.conf upgrade" + install -o root -g wheel -m 0640 "$tmpdir/pf.conf" /etc/ + fi + if [[ $sha256ctrl -eq 1 ]]; then + pfctrl=$(pfctl -nf /etc/pf.conf) + if [[ -z $pfctrl ]]; then + echo "PF ruleset OK" + fi + ctrl= + while [ -z $ctrl ] + do + echo 'The load PF rules and enable it type 1 ' + read ctrl + if [[ "$ctrl" -eq 1 ]]; then + if [[ $(pfctl -si | head -n 1 | grep -c "Disabled") -eq 1 ]]; then + pfctl -f /etc/pf.conf + ctrl= + while [ -z $ctrl ] + do + echo 'Your connection will be close type 1 to continue ' + read ctrl + pfctl -e && exit 1 + done + elif [[ $(pfctl -si | head -n 1 | grep -c "Disabled") -eq 0 ]]; then + pfctl -f /etc/pf.conf + fi + fi + done + fi + ;; + "ospf") + configuration "ospf" + ;; + "ntpd") + configuration "ntpd" + ;; + "remote") + tmpdir=$(mktemp -d) + if [[ -d "/etc/ssh/remote_install" ]]; then + cp $basedir/src/etc/ssh/remote_install/* $tmpdir + custom "$tmpdir" "1" + sha256compare "/etc/ssh/remote_install/remote_install.conf" "$tmpdir/remote_install.conf" + if [[ $sha256ctrl -eq 1 ]]; then + echo "remote_install.conf upgrade" + install -o root -g wheel -m 0640 "$tmpdir/remote_install.conf" /etc/ssh/remote_install + fi + sha256compare "/etc/ssh/remote_install/authorized_keys" "$tmpdir/authorized_keys" + if [[ $sha256ctrl -eq 1 ]]; then + echo "authorized_keys upgrade" + install -o root -g wheel -m 0640 "$tmpdir/authorized_keys" /etc/ssh/remote_install + fi + else + mkdir /etc/ssh/remote_install + for file in $(find 
$basedir/src/etc/ssh/remote_install/ -type f); do + filename=$(basename $file) + if [[ "$filename" != "rc.local" ]]; then + install -o root -g wheel -m 0640 $file /etc/ssh/remote_install/ + fi + done + custom "/etc/ssh/remote_install" "1" + + fi + sha256compare "$basedir/src/usr/local/sbin/remote-install" "/usr/local/sbin/remote-install" + if [[ $sha256ctrl -eq 1 ]]; then + echo "remote-install upgrade" + install -o root -g wheel -m 0750 $basedir/src/usr/local/sbin/remote-install /usr/local/sbin/ + fi + if [[ $(grep -c remote_install.conf /etc/rc.local) -eq 0 ]]; then + cat $basedir/src/etc/ssh/remote_install/rc.local >> /etc/rc.local + fi + pidof_remote=$(pidof "remote") + if [[ -z $pidof_remote ]]; then + /usr/sbin/sshd -f /etc/ssh/remote_install/remote_install.conf + else + kill -9 $(cat /var/run/sshd-remote-install.pid) + /usr/sbin/sshd -f /etc/ssh/remote_install/remote_install.conf + fi + install -o root -g wheel -m 0640 $basedir/src/etc/httpd.conf.acmefirst /etc/httpd.conf + custom "/etc/" "1" + httpd -n + pidof_httpd=$(pidof "httpd") + if [[ -z $pidof_remote ]]; then + rcctl enable httpd + rcctl start httpd || error_exit "$LINENO: ERROR: HTTPD failed." + else + rcctl restart httpd + fi + + ;; + "remoteinstall") + echo "connecting to remote OpenBSD MESH hosts..." + cat /dev/null > /etc/ssh/ssh_known_hosts + for file in $(find /etc -maxdepth 1 -name "iked.conf.*" -type f); do + if [[ $(grep -c "brainpool512" $file) -eq 1 ]]; then + remotehost=$(echo $file | sed "s/\/etc\/iked.conf.//") + ssh-keyscan -t ed25519 -p 31137 $remotehost > /etc/ssh/ssh_known_hosts + ssh -p 31137 $remotehost -v + fi + done + sleep 31 + ctrl= + while [ -z $ctrl ] + do + echo 'Have you add the root ssh key to admin user onto mikrotik ?' + cat /root/.ssh/id_rsa.pub + echo 'Type 1 to continue ' + read ctrl + if [[ "$ctrl" -eq 1 ]]; then + echo "ok" + else + error_exit "$LINENO: EXIT FROM USER." 
+ fi + + done + ;; + "relayd") + configuration "relayd" + ;; + "newhost") + + sh "$basedir/$app" -U pf + install -o root -g wheel -m 0640 $basedir/src/etc/ssh/remote_install/authorized_keys /etc/ssh/remote_install/ + pubkey=$(ls -lt "$basedir/src/etc/iked/pubkeys/ufqdn/" | awk '{print $9}' | awk 'FNR == 2 {print}') + install -o root -g wheel -m 0640 "$basedir/src/etc/iked/pubkeys/ufqdn/$pubkey" /etc/iked/pubkeys/ufqdn/ + + ;; + "scripts") + configuration "scripts" + ;; + "file") + if [[ ! -e "$BACKUPS/file" ]]; then + mkdir "$BACKUPS/file" + fi + fileupdate= + while [ -z $fileupdate ] + do + echo "Which file do you want to update [type dst complete PATH]? " + read fileupdate + cp -p $fileupdate "$BACKUPS/file/$(basename $fileupdate)" + gitfile="$basedir/src$fileupdate" + install -o root -g wheel -m 0644 $gitfile $fileupdate + done + ;; + "dyndnspop") + for vpnc_host in $(dig vpnc.telecomlobby.com TXT +short @8.8.8.8 | sed 's/\"//g'); do + vpnc_ip=$(dig $vpnc_host A +short @8.8.8.8 | tail -n 1) + if [[ ! -z $vpnc_ip ]]; then + for iked_conf in $(ls /etc/iked.conf.*); do + if [[ $(grep -c "ecp256" $iked_conf) -eq 2 ]]; then + pophost=$(cat $iked_conf | head -n 1 | awk '{print $2}' | sed 's/"//g') + greinterface=$(cat $iked_conf | tail -n 1 | awk '{print $4}' | sed 's/enc/gre/') + sh /root/Bin/change_endpoint.sh $greinterface $pophost + + fi + done + fi + done + ;; + esac +} + +function admin { + case $1 in + "cleanlast") + sh $basedir/clean_last + ;; + "sslcareq") + cd /etc/ssl + ftp -o /tmp/root-ca.crt http://ocsp.$(hostname | sed "s/$(hostname -s).//")/root-ca.crt + openssl x509 -in /tmp/root-ca.crt -out /tmp/root-ca.pem + if [[ $(grep -c "ocsp.$(hostname | sed "s/$(hostname -s).//")" /etc/ssl/cert.pem) -eq 0 ]]; then + echo "\n#ocsp.$(hostname | sed "s/$(hostname -s).//")\n" >> /etc/ssl/cert.pem + cat /tmp/root-ca.crt >> /etc/ssl/cert.pem + fi + rm -rf /tmp/root-ca.{crt,pem} + if [[ ! -d csr ]]; then + mkdir csr + fi + if [[ ! 
-d certs ]]; then + mkdir certs + fi + openssl genrsa -out "private/$(hostname).key" 2048 + openssl rsa -in "/etc/ssl/private/$(hostname).key" -out "/etc/ssl/private/$(hostname)-nopwd.key" + openssl req -new -key "/etc/ssl/private/$(hostname)-nopwd.key" -out "/etc/ssl/csr/$(hostname).csr" + if [[ ! -d "/var/www/htdocs/$(hostname)" ]]; then + mkdir "/var/www/htdocs/$(hostname)" + fi + cp "/etc/ssl/csr/$(hostname).csr" "/var/www/htdocs/$(hostname)" + echo "Download csr from http://$(hostname)/$(hostname).csr to the CA server" + ctrl= + echo "Have you created the certificate onto the CA?" + while [ -z $ctrl ] + do + echo "Type 1 to go ahead " + read ctrl + done + ftp -o certs/$(hostname).crt http://web.telecom.lobby/CA_transfer/$(hostname)/$(hostname).crt + openssl x509 -in certs/$(hostname).crt -out certs/$(hostname).pem + echo "CRT downloaded and PEM created" + ;; + "otheros") + hostname=$(hostname -s) + srcid=$(echo $publichost | sed "s/.$domainname//") + for vpnc_ip in $(dig vpnc.$domainname A +short @8.8.8.8); do + if [[ $(nc -w1 $vpnc_ip 22 | grep -c "ROSSSH") -eq 1 ]]; then + vpnc_host=$(dig -x $vpnc_ip +short @8.8.8.8 | sed 's/.$//') + if [[ -d "/var/www/htdocs/$(hostname)/$vpnc_host" ]]; then + rm -rf "/var/www/htdocs/$(hostname)/$vpnc_host" + fi + if [[ -d "/tmp/$vpnc_host" ]]; then + echo "Download Mikrotik Routeros script from http://$(hostname)/$vpnc_host/$vpnc_host.rsc" + mv "/tmp/$vpnc_host" "/var/www/htdocs/$(hostname)/" + rm -rf "/tmp/$vpnc_host" + else + mkdir "/tmp/$vpnc_host" + cp $basedir/src/mikrotik/ipsec.rsc "/tmp/$vpnc_host/$vpnc_host.rsc" + sed -i "s/\/POPIP\//$vpnc_ip/g" "/tmp/$vpnc_host/$vpnc_host.rsc" + sed -i "s/\/POP\//$vpnc_host/g" "/tmp/$vpnc_host/$vpnc_host.rsc" + for file in $(ls /etc/hostname.gre?); do + if [[ $(grep -c "$vpnc_host" $file) -eq 1 ]]; then + greinterface=$(echo $file | cut -d . 
-f2) + grepopip=$(cat $file | awk 'FNR == 5 {print}' | awk '{print $4}') + cat $basedir/src/mikrotik/gre.rsc >> "/tmp/$vpnc_host/$vpnc_host.rsc" + sed -i "s/\/GREPOPIP\//$grepopip/" "/tmp/$vpnc_host/$vpnc_host.rsc" + fi + done + cat $basedir/src/mikrotik/firewall.rsc >> "/tmp/$vpnc_host/$vpnc_host.rsc" + md5=$(awk "/$greinterface/{x=NR+11}(NR<=x){print}" /etc/ospfd.conf | awk 'FNR == 4 {print}' | awk '{print $3}' | sed "s/\"//g") + metric=$(awk "/$greinterface/{x=NR+11}(NR<=x){print}" /etc/ospfd.conf | awk 'FNR == 6 {print}' | awk '{print $2}') + cat $basedir/src/mikrotik/ospfd.rsc >> "/tmp/$vpnc_host/$vpnc_host.rsc" + sed -i "s/\/METRIC\//$metric/" "/tmp/$vpnc_host/$vpnc_host.rsc" + sed -i "s/\/OSPFMD5\//$md5/" "/tmp/$vpnc_host/$vpnc_host.rsc" + typeset -u publichostname=$(echo $publichost | sed "s/.$domainname//") + typeset -u pophostname=$(echo $vpnc_host | sed "s/.$domainname//") + sed -i "s/\/POPHOSTNAME\//$pophostname/" "/tmp/$vpnc_host/$vpnc_host.rsc" + greip=$(ifconfig $greinterface | tail -n 1 | awk '{print $2}') + grenetwork=$(ipcalc -c $greip / 30 | grep network | awk '{ print $3 }') + sed -i "s/\/GRENETWORK\//$grenetwork/" "/tmp/$vpnc_host/$vpnc_host.rsc" + custom "/tmp/$vpnc_host" "1" + echo "Download Mikrotik Routeros script from http://$(hostname)/$vpnc_host/$vpnc_host.rsc" + mv "/tmp/$vpnc_host" "/var/www/htdocs/$(hostname)/" + fi + fi + done + for vpnc_host in $(dig vpnc.$domainname TXT +short @8.8.8.8 | sed 's/\"//g'); do + vpnc_ip=$(dig $vpnc_host A +short @8.8.8.8 | tail -n 1) + if [[ -d "/tmp/$vpnc_host" ]]; then + echo "Download Ubiquiti EdgeOS scripts from http://$(hostname)/$vpnc_host/$vpnc_host.tar" + tar -cvf "/tmp/$vpnc_host.tar" -C /tmp -s /tmp// $vpnc_host + mv "/tmp/$vpnc_host" "/var/www/htdocs/$(hostname)/" + mv "/tmp/$vpnc_host.tar" "/var/www/htdocs/$(hostname)/" + rm -rf "/tmp/$vpnc_host" + else + tmpdir=$(mktemp -d) + cp $basedir/src/edgeos/ipsec.conf "$tmpdir" + cp "/etc/iked/certs/$publichost.crt" "$tmpdir" + cp 
$basedir/src/edgeos/ipsec.sh "$tmpdir" + cp $basedir/src/edgeos/scripts/ES-SRCID-_netwatch.sh "$tmpdir/ES-${publichostname}_netwatch.sh" + cp $basedir/src/edgeos/scripts/ES-SRCID--updown.sh "$tmpdir/ES-$publichostname-updown.sh" + cp $basedir/src/edgeos/gre.sh "$tmpdir" + for file in $(ls /etc/hostname.gre?); do + if [[ $(grep -c "$vpnc_host" $file) -eq 1 ]]; then + greinterface=$(echo $file | cut -d . -f2) + grepopip=$(cat $file | awk 'FNR == 5 {print}' | awk '{print $4}') + grenetwork=$(ipcalc -c $grepopip / 30 | grep network | awk '{ print $3 }') + sed -i "s/\/GREPOPIP\//$grepopip/g" "$tmpdir/ES-${publichostname}_netwatch.sh" + sed -i "s/\/GREPOPIP\//$grepopip/g" "$tmpdir/gre.sh" + sed -i "s/\/PUBLICHOSTNAME\//$publichostname/g" "$tmpdir/ES-${publichostname}_netwatch.sh" + fi + done + lasttun=$(ls -l /etc/hostname.gre? | tail -n 1 |awk '{print $9}' | sed "s/\/etc\/hostname.gre//") + lasttunctrl= + while [ -z $lasttunctrl ] + do + echo "Is EdgeOS tun interface $lasttun? " + read lasttunctrl + case $lasttunctrl in + "yes") + ;; + "no") + echo "Type the last digit of the TUN interface " + read lasttun + ;; + *) + echo "Type yes or no" + exit 1 + ;; + esac + done + sed -i "s/\/TUN\//tun$lasttun/g" "$tmpdir/ES-${publichostname}_netwatch.sh" + sed -i "s/\/TUN\//tun$lasttun/g" "$tmpdir/ES-$publichostname-updown.sh" + sed -i "s/\/TUN\//tun$lasttun/g" "$tmpdir/gre.sh" + sed -i "s/\/PUBLICHOST\//$publichost/g" "$tmpdir/gre.sh" + sed -i "s/\/PUBLICIP\//$publicip/g" "$tmpdir/gre.sh" + sed -i "s/\/PUBLICHOSTNAME\//$publichostname/g" "$tmpdir/ipsec.sh" + if [[ -d "/var/www/htdocs/$(hostname)/${vpnc_host}/" ]]; then + rm -rf "/var/www/htdocs/$(hostname)/${vpnc_host}/" + fi + md5=$(awk "/$greinterface/{x=NR+11}(NR<=x){print}" /etc/ospfd.conf | awk 'FNR == 4 {print}' | awk '{print $3}' | sed "s/\"//g") + metric=$(awk "/$greinterface/{x=NR+11}(NR<=x){print}" /etc/ospfd.conf | awk 'FNR == 6 {print}' | awk '{print $2}') + cp $basedir/src/edgeos/ospf.sh "$tmpdir" + sed -i 
"s/\/TUN\//tun$lasttun/g" "$tmpdir/ospf.sh" + sed -i "s/\/OSPFMD5\//${md5}/g" "$tmpdir/ospf.sh" + sed -i "s/\/METRIC\//${metric}/g" "$tmpdir/ospf.sh" + sed -i "s/\/GRENETWORK\//${grenetwork}\/30/g" "$tmpdir/ospf.sh" + custom "$tmpdir" 1 + subdir=$(echo $tmpdir | sed "s/\/tmp\///") + tar -cvzf "/tmp/$vpnc_host.tar" -C $tmpdir $(ls $tmpdir) + mv "$tmpdir" "/var/www/htdocs/$(hostname)/${vpnc_host}/" + mv "/tmp/$vpnc_host.tar" "/var/www/htdocs/$(hostname)/" + rm -rf "$tmpdir" + fi + done + + ;; + esac +} function configuration { phase=$1 
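Review bot: the PKCS#12 password is hardcoded as `pass:123456789` in every `openssl pkcs12` call of the upgrade "ipsec" case, and the container is read from `/tmp/$publichost.p12`; read the password from a root-only file (or prompt for it) and keep the .p12 out of the shared /tmp directory. Other points in this hunk: `mkdir -p "$CURRENTBACKUP/$1/{etc,db}"` in the backup "unbound" case does not brace-expand inside double quotes, so it creates one literal `{etc,db}` directory and the following `cp` calls into `.../etc` and `.../db` fail; `iked -n` in the upgrade "ipsec" case has its exit status ignored and the restart is gated on the stale `$sha256ctrl` from the previous compare, so a rejected `iked.conf` still gets installed and iked restarted (use `iked -n || error_exit ...`); in the "remote" case `pidof_httpd` is assigned but the test reads `$pidof_remote`; in "remoteinstall" the `ssh-keyscan ... > /etc/ssh/ssh_known_hosts` inside the loop truncates the file on every iteration so only the last host survives (`>>`); and in admin "sslcareq" the CA certificate is fetched over plain HTTP with `ftp` and appended to `/etc/ssl/cert.pem` without any fingerprint check, which lets anyone on the path add a trusted CA to the host, so compare its SHA-256 against a value carried in the repository before appending. `vpnc.telecomlobby.com` is also hardcoded in several `dig` calls where the rest of the script uses `$domainname`.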
@@ -64,26 +748,69 @@ function configuration { subphase=$2 fi case $phase in + "static") + ifconfig $egressinterface -inet6 + install -o root -g wheel -m 0640 $basedir/src/etc/hostname.egress "/etc/hostname.$egressinterface" + install -o root -g wheel -m 0640 $basedir/src/etc/mygate /etc/ + if [[ "$ipv6ctrl" -eq "static" ]]; then + rcctl stop slaacd + rcctl disable slaacd + tmphostname=$(mktemp) + cat "/etc/hostname.$egressinterface" | sed '/^inet6/d' > $tmphostname + echo "inet6 -autoconf" >> $tmphostname + echo "inet6 -soii" >> $tmphostname + echo "inet6 -temporary" >> $tmphostname + echo "inet6 $ipv6egress/$ipv6prefix" >> $tmphostname + cat $tmphostname > "/etc/hostname.$egressinterface" + echo $ipv6defrouter >> /etc/mygate + fi + echo "arp -s $defaultv4router $macdefaultv4router" > /etc/rc.local + arp -s $defaultv4router $macdefaultv4router + custom "/etc" "1" + cd /tmp + nohup sh /etc/netstart & + cd $basedir + ;; "basic") + hostname "$hostname.$landomainname" echo "dot files" - for file in src/home/taglio/.*; do + for file in $basedir/src/home/taglio/.*; do if [[ -e "$file" ]]; then install -o taglio -g wheel -m 0640 $file /home/taglio/ fi done cleanold "/home/taglio/" - for file in src/root/.*; do + for file in $basedir/src/root/.*; do if [[ -e "$file" ]]; then install -o root -g wheel -m 0640 $file /root/ fi done cleanold "/root/" - echo "dhclient, resolv.conf.tail and doas.conf" - install -o root -g wheel -m 0644 src/etc/{dhclient.conf,resolv.conf.tail,doas.conf} /etc/ - install -o root -g wheel -m 0640 src/etc/hostname.vio0 /etc/ + echo "timezone from public ip \n" + tmp=$(mktemp) + curl "http://ipinfo.io/$publicip" > $tmp + iptmz=$(cat $tmp | grep timezone | cut -d \" -f4) + rm -rf {/etc/localtime,$tmp} + ln -fs "/usr/share/zoneinfo/$iptmz" /etc/localtime + echo "installing automatic update \n" + if [[ ! -e "/etc/daily.local" ]]; then + install -o root -g wheel -m 0640 $basedir/src/etc/daily.local /etc/ + elif ! 
grep -q "pkg_add" "/etc/daily.local"; then + cat $basedir/src/etc/daily.local >> "/etc/daily.local" + fi + echo "doas.conf, myname and sysctl.conf \n" + install -o root -g wheel -m 0644 $basedir/src/etc/{doas.conf,myname,sysctl.conf} /etc/ + cat $basedir/src/etc/rc.local >> /etc/rc.local + file="/etc/sysctl.conf" + while IFS= read -r line + do + if [[ ! -z $line ]]; then + sysctl -w ${line} + fi + done <"$file" echo "vether" - install -o root -g wheel -m 0644 src/etc/hostname.vether0 /etc/ - echo "configuring iperf uptimed and oidentd" + install -o root -g wheel -m 0644 $basedir/src/etc/hostname.vether0 /etc/ + echo "configuring iperf uptimed and oidentd \n" pidof_uptimed=$(pidof "uptimed") if [[ -z $pidof_uptimed ]]; then rcctl enable uptimed 
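Review bot: `if [[ "$ipv6ctrl" -eq "static" ]]` in the new "static" case uses the integer operator `-eq` on strings, so the shell evaluates both sides arithmetically (non-numeric words are treated as variable names) and the outcome does not depend on whether `$ipv6ctrl` equals `static`; use `==`. The timezone lookup `curl "http://ipinfo.io/$publicip"` also runs over plain HTTP with no failure check, so when the fetch fails `$iptmz` is empty and `ln -fs "/usr/share/zoneinfo/$iptmz" /etc/localtime` points localtime at the zoneinfo directory; test that `$iptmz` is non-empty and that the zoneinfo file exists before removing and relinking `/etc/localtime`.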
@@ -91,14 +818,33 @@ function configuration { else rcctl restart uptimed || error_exit "$LINENO: ERROR: UPTIMED failed." fi - install -o root -g wheel -m 0640 src/etc/rc.local /etc/ - cleanold "/etc/" + custom "/etc" "1" cd /tmp - nohup $SH /etc/netstart vio0 & - nohup $SH /etc/netstart vether0 & + nohup sh /etc/netstart vether0 & cd $basedir sh /etc/rc.local - ;; + if [[ ! -e /root/.ssh/id_ed25519 ]]; then + cat /dev/zero | ssh-keygen -t ed25519 -N "" -C "root@$hostname.$landomainname" -f /root/.ssh/id_ed25519 + cat /dev/zero | ssh-keygen -N "" -C "root@$hostname.$landomainname" -f /root/.ssh/id_rsa + fi + rm -rf /etc/ssh/ssh_host_ed25519_* + cat /dev/zero | ssh-keygen -q -N "" -t ed25519 -C "$hostname@$landomainname" -f /etc/ssh/ssh_host_ed25519_key + echo "Add your new id_ed25519.pub to the repository src/etc/ssh/remote_install/authorized_keys and update others hosts" + cat /root/.ssh/id_ed25519.pub + echo "Add your new ssh_host_ed25519_key.pub to the CA repository src/etc/ssh/ca/host/$hostname.$landomainname/ and create the new SSHCA certificate" + cat /etc/ssh/ssh_host_ed25519_key.pub + echo "Update the nsd internal $landomainname zone $hostname SSHFP record, you can do it automatically" + + ssh-keygen -r $hostname -f /etc/ssh/ssh_host_ed25519_key.pub + if [[ $configini -eq 1 ]]; then + ctrl= + while [ -z $ctrl ] + do + echo 'Go ahead type 1 ' + read ctrl + done + fi + ;; "users") echo "vmail, dsync, _iperfd, wwwuser" if ! getent passwd vmail 1>&-; then 
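Review bot: `rm -rf /etc/ssh/ssh_host_ed25519_*` followed by `ssh-keygen ... -f /etc/ssh/ssh_host_ed25519_key` runs unconditionally on every "basic" run, so each rerun rotates the host key and invalidates the known_hosts entries, the SSHFP record and the SSHCA host certificate that the echo lines then ask the operator to update by hand; gate it with an existence check like the one used for `/root/.ssh/id_ed25519` just above, or behind an explicit flag. Minor: the `cat /dev/zero |` prefix exists only to answer ssh-keygen's overwrite prompt; a one-line comment saying so would save the next reader a detour.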
@@ -113,23 +859,22 @@ function configuration { if ! getent passwd wwwftp 1>&-; then useradd -u 2003 -g =uid -c "WWW Ftpd user" -d /var/www/htdocs -s /root/Bin/fake_shell.sh wwwftp fi - for file in src/home/taglio/Bin/*; do + for file in $basedir/src/home/taglio/Bin/*; do if [[ -e "$file" ]]; then install -o taglio -g wheel -m 0750 $file /home/taglio/Bin/ - mv $file $backups fi done - if [[ ! -e /home/taglio/.ssh/id_ed25519 ]]; then - doas -u taglio ssh-keygen -t ed25519 -N "" -f /home/taglio/.ssh/id_ed25519 - fi;; + + + ;; "scripts") - for file in src/root/Bin/*.sh; do + for file in $basedir/src/root/Bin/*.sh; do if [[ -e "$file" ]]; then install -o root -g wheel -m 0700 $file /root/Bin/ fi done cleanold "/root/Bin/" - ;; + ;; "unbound") pidof_unbound=$(pidof "unbound") if [[ -z $pidof_unbound ]]; then 
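Review bot: the removal of `mv $file $backups` and of the taglio `ssh-keygen` block in the "users" case is not explained anywhere; if per-user key generation moved elsewhere, say so in the commit message, and drop the two stray blank lines left before the `;;`.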
@@ -137,239 +882,998 @@ function configuration { fi case $subphase in "local") - unbound-anchor -a /var/unbound/db/root.key + install -o _unbound -g _unbound -m 0750 $basedir/src/var/unbound/db/root.key /var/unbound/db/ wget --no-check-certificate https://192.0.47.9/domain/named.root -O /var/unbound/db/root.hints - install -o _unbound -g _unbound -m 0750 src/var/unbound/db/ca-certificates.crt /var/unbound/db/ - chown_unbound:_unbound /var/unbound/db/* - install -o _unbound -g _unbound -m 0750 src/var/unbound/etc/unbound-local.conf /var/unbound/etc/unbound.conf - install -o _unbound -g _unbound -m 0750 src/var/unbound/etc/remote-control.conf /var/unbound/etc/ - install -o _unbound -g _unbound -m 0750 src/var/unbound/etc/forward-zone.conf /var/unbound/etc/ + install -o _unbound -g _unbound -m 0750 $basedir/src/var/unbound/db/ca-certificates.crt /var/unbound/db/ + chown _unbound:_unbound /var/unbound/db/* + install -o _unbound -g _unbound -m 0750 $basedir/src/var/unbound/etc/unbound-local.conf /var/unbound/etc/unbound.conf + install -o _unbound -g _unbound -m 0750 $basedir/src/var/unbound/etc/remote-control.conf /var/unbound/etc/ + install -o _unbound -g _unbound -m 0750 $basedir/src/var/unbound/etc/forward-zone.conf /var/unbound/etc/ + custom "/var" "2" if [[ -z $pidof_unbound ]]; then rcctl start unbound || error_exit "$LINENO: ERROR: UNBOUND failed." else rcctl restart unbound || error_exit "$LINENO: ERROR: UNBOUND failed." 
fi - cleanold "/var/unbound/etc/" - ;; - "network") - install -o _unbound -g _unbound -m 0750 src/var/unbound/etc/unbound.conf /var/unbound/etc/unbound.conf - install -o _unbound -g _unbound -m 0750 src/var/unbound/etc/stub-zone.conf /var/unbound/etc/stub-zone.conf + ;; + "ipsec") + install -o _unbound -g _unbound -m 0750 $basedir/src/var/unbound/etc/unbound.conf /var/unbound/etc/unbound.conf + install -o _unbound -g _unbound -m 0750 $basedir/src/var/unbound/etc/stub-zone.conf /var/unbound/etc/stub-zone.conf rcctl restart unbound || error_exit "$LINENO: ERROR: UNBOUND failed." - cleanold "/var/unbound/etc/" - ;; + ;; esac - ;; + ;; "ssh") - for file in src/etc/ssh/*; do - if [[ -e "$file" ]]; then - install -o root -g wheel -m 0650 $file /etc/ssh/ - fi - done - rcctl restart sshd || error_exit "$LINENO: ERROR: UNBOUND failed." - cleanold "/etc/ssh/";; + publickey=$(ssh-keyscan -t ed25519 ::1 | sed "s/::1/[$publicip,$routerid]/") + sshfp=$(ssh-keyscan -D -t ed25519 ::1 | sed "s/::1/$hostname/") + if [[ ! -d /etc/ssh/ca ]]; then + mkdir -p /etc/ssh/ca/principals + fi + case $subphase in + "public") + install -o root -g wheel -m 0640 $basedir/src/etc/ssh/sshd_public /etc/ssh/sshd_config + install -o root -g wheel -m 0640 $basedir/src/etc/ssh/ssh_config /etc/ssh/ + #install -o root -g wheel -m 0640 $basedir/src/etc/ssh/ssh_known_hosts /etc/ssh + install -o root -g wheel -m 0640 $basedir/src/etc/ssh/authorized_keys /etc/ssh/ + workstahost=$(cat /etc/ssh/authorized_keys | cut -d @ -f2) + if [[ ! -d "/tmp/$workstahost.$landomainname" ]]; then + mkdir "/tmp/$workstahost.$landomainname" + else + rm -rf "/tmp/$workstahost.$landomainname" + mkdir "/tmp/$workstahost.$landomainname" + fi + custom "/etc/ssh" "2" + custom "/etc" "1" + rcctl restart sshd || error_exit "$LINENO: ERROR: SSHD failed." + ;; + "ipsec") + ;; + esac + if [[ ! 
-d "/tmp/ca.$landomainname" ]]; then + mkdir "/tmp/ca.$landomainname" + else + rm -rf "/tmp/ca.$landomainname" + mkdir "/tmp/ca.$landomainname" + fi + echo $sshfp > "/tmp/ca.$landomainname/$landomainname.zone" + ;; "ipsec") - iked_ca_reset.sh - install -o root -g wheel -m 0640 src/etc/iked/ca/ca.crt /etc/iked/ca/ - ssl_pk12_cert_pub_priv_extract.sh "/tmp/$subphase.p12" + if [[ -e "/etc/iked.conf" ]]; then + rm -rf /etc/{iked,iked.conf,iked.conf.*} + else + rm -rf /etc/iked + fi + mkdir -p /etc/iked/{ca,certs,crls,export,private,pubkeys} + mkdir -p /etc/iked/pubkeys/{ipv4,ipv6,fqdn,ufqdn} + cd $basedir + install -o root -g wheel -m 0644 $basedir/src/etc/iked/ca/ca.crt /etc/iked/ca/ + openssl pkcs12 -nodes -in "/tmp/$publichost.p12" -nocerts -passin pass:123456789 -passout pass:123456789 -out /etc/iked/private/local.key + openssl pkcs12 -nodes -in "/tmp/$publichost.p12" -clcerts -nokeys -passin pass:123456789 -passout pass:123456789 -out "/etc/iked/certs/$publichost.crt" + openssl x509 -pubkey -noout -passin pass:123456789 -in "/etc/iked/certs/$publichost.crt" > /etc/iked/local.pub + + for file in $(find $basedir/src/etc/iked/pubkeys/ufqdn/ -name "*@*"); do + install -o root -g wheel -m 0644 $file /etc/iked/pubkeys/ufqdn/ + done rcctl enable iked rcctl set iked flags "-vv" - for file in src/etc/iked.conf* ; do - if [[ -e "$file" ]]; then - install -o root -g wheel -m 0640 $file /etc/ + typeset -i i + i=0 + install -o root -g wheel -m 0640 $basedir/src/etc/iked.conf /etc/ + custom "/etc" "1" + for vpnc_ip in $(dig vpnc.$domainname A +short @8.8.8.8) + do + vpnc_host=$(dig -x $vpnc_ip +short @8.8.8.8 | sed 's/.$//') + vpnc_ips[i]="$vpnc_ip" + vpnc_hosts[i]="$vpnc_host" + if [ ! 
-d "/tmp/$vpnc_host" ]; then + mkdir "/tmp/$vpnc_host" + else + rm -rf "/tmp/$vpnc_host" + mkdir "/tmp/$vpnc_host" + fi + + echo include \"/etc/iked.conf.$vpnc_host\" >> /etc/iked.conf + if [[ $(nc -w1 $vpnc_ip 22 | grep -c "ROSSSH") -eq 1 ]]; then + install -o root -g wheel -m 0640 $basedir/src/etc/iked.conf.mikrotik "/etc/iked.conf.$vpnc_host" + if [[ -e "/tmp/$vpnc_host/$vpnc_host.rsc" ]]; then + rm -rf "/tmp/$vpnc_host/$vpnc_host.rsc" + fi + cp $basedir/src/mikrotik/ipsec.rsc "/tmp/$vpnc_host/$vpnc_host.rsc" + sed -i "s/\/POPIP\//$vpnc_ip/g" "/tmp/$vpnc_host/$vpnc_host.rsc" + sed -i "s/\/POP\//$vpnc_host/g" "/tmp/$vpnc_host/$vpnc_host.rsc" + elif [[ $(nc -w1 $vpnc_ip 22 | grep -c "ROSSSH") -eq 0 ]]; then + install -o root -g wheel -m 0640 $basedir/src/etc/iked.conf.openbsd "/etc/iked.conf.$vpnc_host" + cp $basedir/src/openbsd/iked.conf.openbsd "/tmp/$vpnc_host/iked.conf.$publichost" + x=$((RANDOM%2+1)) + case $x in + 1) + sed -i "s/\/TYPE\//active/g" "/etc/iked.conf.$vpnc_host" + sed -i "s/\/TYPE\//passive/g" "/tmp/$vpnc_host/iked.conf.$publichost" + + ;; + 2) + sed -i "s/\/TYPE\//passive/g" "/etc/iked.conf.$vpnc_host" + sed -i "s/\/TYPE\//active/g" "/tmp/$vpnc_host/iked.conf.$publichost" + ;; + esac + sed -i "s/\/POPIP\//$vpnc_ip/g" "/tmp/$vpnc_host/iked.conf.$publichost" + sed -i "s/\/POP\//$vpnc_host/g" "/tmp/$vpnc_host/iked.conf.$publichost" + srcid=$(hostname -s) + if [[ "$srcid" == "varuna" ]]; then + srcid="neo" + fi + sed -i "s/\/POPID\//$srcid/g" "/tmp/$vpnc_host/iked.conf.$publichost" fi + sed -i "s/\/POPIP\//$vpnc_ip/g" "/etc/iked.conf.$vpnc_host" + sed -i "s/\/POP\//$vpnc_host/g" "/etc/iked.conf.$vpnc_host" + sed -i "s/\/X\//$i/g" "/etc/iked.conf.$vpnc_host" + install -o root -g wheel -m 0640 $basedir/src/etc/hostname.enc-X- "/etc/hostname.enc$i" + sed -i "s/\/POP\//$vpnc_host/g" "/etc/hostname.enc$i" + sh /etc/netstart "enc$i" + i=$i+1 done - install -o root -g wheel -m 0640 src/etc/iked.conf /etc/ - rcctl start iked - cleanold "/etc/";; - "gre") - 
for file in src/etc/hostname.gre? ; do - if [[ -e "$file" ]]; then - install -o root -g wheel -m 0700 $file /etc/ - sh /etc/netstart $(echo $file | awk -F. '{print $2}') + dyndnshost=$(dig vpnc.$domainname TXT +short @8.8.8.8 | sed 's/\"//g') + if [[ ! -d "/tmp/$dyndnshost" ]]; then + mkdir "/tmp/$dyndnshost" + else + rm -rf "/tmp/$dyndnshost" + mkdir "/tmp/$dyndnshost" + fi + echo include \"/etc/iked.conf.$dyndnshost\" >> /etc/iked.conf + install -o root -g wheel -m 0640 $basedir/src/etc/iked.conf.edgeos "/etc/iked.conf.$dyndnshost" + sed -i "s/\/POPIP\//$(dig $dyndnshost A +short | tail -n 1)/g" "/etc/iked.conf.$dyndnshost" + sed -i "s/\/POP\//$dyndnshost/g" "/etc/iked.conf.$dyndnshost" + sed -i "s/\/X\//$i/g" "/etc/iked.conf.$dyndnshost" + install -o root -g wheel -m 0640 $basedir/src/etc/hostname.enc-X- "/etc/hostname.enc$i" + sed -i "s/\/POP\//$dyndnshost/g" "/etc/hostname.enc$i" + sh /etc/netstart "enc$i" + cp $basedir/src/edgeos/ipsec.conf "/tmp/$dyndnshost/" + cp "/etc/iked/certs/$publichost.crt" "/tmp/$dyndnshost/" + find /etc/ -type f -name "iked.*" | xargs -I {} + custom "/tmp" "2" + custom "/etc" "1" + rcctl start iked || error_exit "$LINENO: ERROR: IKED failed." + ;; + "gre") + if [[ -e "/etc/hostname.gre0" ]]; then + rm -rf /etc/hostname.gre? 
+ fi + typeset -i i + typeset -i lasttun + lasttun=$(dig gre18994.$domainname TXT +short @8.8.8.8 | sed 's/\"//g') + lasttun=$lasttun+1 + i=0 + for file in $(find /etc -maxdepth 1 -name "iked.conf.*") ; do + index=$(cat $file | tail -n 1 | awk '{print $4}' | sed 's/enc//') + install -o root -g wheel -m 0640 $basedir/src/etc/hostname.gre-X- "/etc/hostname.gre$index" + pophost=$(echo $file | sed "s/\/etc\/iked.conf.//") + sed -i "s/\/POPHOST\//$pophost/g" "/etc/hostname.gre$index" + if [ "$pophost" == "uk.telecomlobby.com" ]; then + sed -i "s/\/GROUP\//nsd/g" "/etc/hostname.gre$index" + else + sed -i "s/\/GROUP\//gre/g" "/etc/hostname.gre$index" fi + sed -i "s/\/PUBLICIP\//$publicip/g" "/etc/hostname.gre$index" + sed -i "s/\/X\//$index/g" "/etc/hostname.gre$index" + count=$(dig $pophost A +short @8.8.8.8 | wc -l) + if [[ $count -gt 1 ]]; then + popip=$(dig $pophost A +short @8.8.8.8 | tail -n 1) + else + popip=$(dig $pophost A +short @8.8.8.8) + fi + sed -i "s/\/POPIP\//$popip/g" "/etc/hostname.gre$index" + if [ $i -eq 0 ]; then + typeset -i lastnet + lastnet=$(dig gre7058.$domainname TXT +short @8.8.8.8 | sed 's/\"//g') + else + lastnet=$lastnet-4 + fi + typeset -i grepopip + grepopip=$lastnet-2 + sed -i "s/\/GREPOPIP\//10.10.10.$grepopip/g" "/etc/hostname.gre$index" + typeset -i grelocalip + grelocalip=$lastnet-3 + sed -i "s/\/GRELOCALIP\//10.10.10.$grelocalip/g" "/etc/hostname.gre$index" + if grep -q "ecp384" $file; then + cat $basedir/src/mikrotik/gre.rsc >> "/tmp/$pophost/$pophost.rsc" + sed -i "s/\/GREPOPIP\//10.10.10.$grepopip\/g" "/tmp/$pophost/$pophost.rsc" + sed -i "s/\/HOSTNAME\//$hostname/g" "/tmp/$pophost/$pophost.rsc" + sed -i "s/\/PUBLICIP\//$publicip/g" "/tmp/$pophost/$pophost.rsc" + elif grep -q "ecp256" $file; then + cp $basedir/src/edgeos/scripts/ES-SRCID-_netwatch.sh "/tmp/$pophost/ES-${publichostname}_netwatch.sh" + cp $basedir/src/edgeos/scripts/ES-SRCID--updown.sh "/tmp/$pophost/ES-$publichostname-updown.sh" + cp $basedir/src/edgeos/gre.sh 
"/tmp/$pophost/" + sed -i "s/\/GREPOPIP\//10.10.10.$grepopip/g" "/tmp/$pophost/ES-${publichostname}_netwatch.sh" + sed -i "s/\/GREPOPIP\//10.10.10.$grepopip/g" "/tmp/$pophost/gre.sh" + sed -i "s/\/PUBLICHOSTNAME\//$publichostname/g" "/tmp/$pophost/ES-${publichostname}_netwatch.sh" + sed -i "s/\/TUN\//tun$lasttun/g" "/tmp/$pophost/ES-${publichostname}_netwatch.sh" + sed -i "s/\/TUN\//tun$lasttun/g" "/tmp/$pophost/ES-$publichostname-updown.sh" + sed -i "s/\/TUN\//tun$lasttun/g" "/tmp/$pophost/gre.sh" + sed -i "s/\/PUBLICHOST\//$publichost/g" "/tmp/$pophost/gre.sh" + sed -i "s/\/PUBLICIP\//$publicip/g" "/tmp/$pophost/gre.sh" + else + cp $basedir/src/openbsd/hostname.gre.openbsd "/tmp/$pophost/hostname.gre$lasttun" + cp $basedir/src/openbsd/hostname.enc.openbsd "/tmp/$pophost/hostname.enc$lasttun" + sed -i "s/\/PUBLICHOST\//$publichost/g" "/tmp/$pophost/hostname.gre$lasttun" + sed -i "s/\/PUBLICHOST\//$publichost/g" "/tmp/$pophost/hostname.enc$lasttun" + sed -i "s/\/X\//$lasttun/g" "/tmp/$pophost/hostname.gre$lasttun" + sed -i "s/\/X\//$lasttun/g" "/tmp/$pophost/iked.conf.$publichost" + sed -i "s/\/POPIP\//$popip/g" "/tmp/$pophost/hostname.gre$lasttun" + sed -i "s/\/PUBLICIP\//$publicip/g" "/tmp/$pophost/hostname.gre$lasttun" + sed -i "s/\/GREPOPIP\//10.10.10.$grepopip/g" "/tmp/$pophost/hostname.gre$lasttun" + sed -i "s/\/GRELOCALIP\//10.10.10.$grelocalip/g" "/tmp/$pophost/hostname.gre$lasttun" + fi + i=$i+1 done - cleanold "/etc/";; + lastnet=$lastnet-4 + echo "update gre7058.$domainname TXT to $lastnet \ + \n gre18994.$domainname TXT to $lasttun \n" + custom "/etc" "1" + for file in /etc/hostname.gre? ; do + sh /etc/netstart $(echo $file | awk -F. '{print $2}') + done + ;; "pf") - for file in src/etc/pf.* ; do + for file in $basedir/src/etc/pf.* ; do if [[ -e "$file" ]]; then - install -o root -g wheel -m 0700 $file /etc/ + install -o root -g wheel -m 0640 $file /etc/ fi done - cleanold "/etc/" - pfctl -nf /etc/pf.conf || error_exit "$LINENO: ERROR: PF failed." 
- pfctl -f /etc/pf.conf;; + for vpnc_ip in $(dig vpnc.$domainname A +short @8.8.8.8); do + echo "$vpnc_ip/32" >> /etc/pf.conf.table.ipsec + done + for vpnc_ip in $(dig vpncN.$domainname A +short @8.8.8.8); do + echo "$vpnc_ip/32" >> "$tmpdir/pf.conf.table.ipsec" + done + for vpnc_host in $(dig vpnc.telecomlobby.com TXT +short @8.8.8.8 | sed 's/\"//g'); do + vpnc_ip=$(dig $vpnc_host A +short @8.8.8.8 | tail -n 1) + if [[ ! -z $vpnc_ip ]]; then + echo "$vpnc_ip/32" >> /etc/pf.conf.table.ipsec + fi + done + for file in $(find /tmp -name "*.rsc"); do + cat $basedir/src/mikrotik/firewall.rsc >> "$file" + sed -i "s/\/HOSTNAME\//${hostname}/g" $file + done + for file in $(find /etc -maxdepth 1 -name "iked.conf.*") ; do + tagged=$(echo $file | sed "s/\/etc\/iked.conf.//") + count=$(dig $tagged A +short @8.8.8.8 | wc -l) + if [[ $count -gt 1 ]]; then + iptagged=$(dig $tagged A +short @8.8.8.8 | tail -n 1) + else + iptagged=$(dig $tagged A +short @8.8.8.8) + fi + sed -i "s/\/TAGGED\//${tagged}/g" /etc/pf.conf.macro.enc.{in,out} + sed -i "s/\/IPTAGGED\//${iptagged}/g" /etc/pf.conf.macro.enc.{in,out} + cat $basedir/src/openbsd/pf.conf.openbsd | head -n 1 >> /etc/pf.conf.macro.enc.in + cat $basedir/src/openbsd/pf.conf.openbsd | tail -n 1 >> /etc/pf.conf.macro.enc.out + done + sed -i '$d' /etc/pf.conf.macro.enc.{in,out} + + custom "/etc" "1" + pfctrl=$(pfctl -nf /etc/pf.conf) + if [[ -z $pfctrl ]]; then + echo "PF ruleset OK" + fi + ;; "ospf") rcctl enable ospfd - install -o root -g wheel -m 0600 src/etc/ospfd.conf /etc/ - cleanold "/etc/" - rcctl start ospfd || error_exit "$LINENO: ERROR: OSPFD failed.";; + install -o root -g wheel -m 0600 $basedir/src/etc/ospfd.conf /etc/ + sed -i "s/\/ROUTERID\//$routerid/g" /etc/ospfd.conf + for file in $(find /etc/ -name "hostname.gre?" -maxdepth 1); do + x=$(basename $file | cut -d . -f2 | sed "s/gre//g") + sed -i "s/\/X\//$x/g" /etc/ospfd.conf + ospfmd5=$(tr -cd '[:alnum:],.' 
< /dev/urandom | fold -w 15 | head -n 1) + sed -i "s/\/OSPFMD5\//${ospfmd5}/g" /etc/ospfd.conf + pophost=$(cat /etc/`basename $file` | head -n 1 | cut -d ' ' -f2 | sed "s/\"//g") + #popip=$(dig $pophost A +short @8.8.8.8) + typeset -i latency=$(ping -c4 $pophost | tail -1| awk '{print $4}' | cut -d '/' -f 2 | cut -d . -f1) + typeset -i metric=$(expr $latency / 2) + sed -i "s/\/METRIC\//${metric}/g" /etc/ospfd.conf + cat $basedir/src/openbsd/ospfd.conf.openbsd >> /etc/ospfd.conf + if [[ $(ls "/tmp/$pophost/" | grep -c "hostname") -eq 2 ]]; then + typeset -i lasttun + lasttun=$(dig gre18994.$domainname TXT +short @8.8.8.8 | sed 's/\"//g') + lasttun=$lasttun+1 + cp $basedir/src/openbsd/ospfd.conf.openbsd "/tmp/$pophost/ospfd.conf" + sed -i "s/\/X\//$lasttun/g" "/tmp/$pophost/ospfd.conf" + sed -i "s/\/METRIC\//${metric}/g" "/tmp/$pophost/ospfd.conf" + sed -i "s/\/OSPFMD5\//${ospfmd5}/g" "/tmp/$pophost/ospfd.conf" + elif [[ $(ls "/tmp/$pophost/" | grep -c "rsc") -ne 0 ]]; then + pophostname=$(echo $pophost | cut -d . -f1) + cp $basedir/src/mikrotik/ospfd.rsc "/tmp/$pophost" + sed -i "s/\/HOSTNAME\//${hostname}/g" "/tmp/$pophost/ospfd.rsc" + sed -i "s/\/OSPFMD5\//${ospfmd5}/g" "/tmp/$pophost/ospfd.rsc" + sed -i "s/\/METRIC\//${metric}/g" "/tmp/$pophost/ospfd.rsc" + typeset -u pophostname=$pophostname + sed -i "s/\/POPHOSTNAME\//${pophostname}/g" "/tmp/$pophost/ospfd.rsc" + greip=$(ifconfig `basename $file | cut -d . 
-f2` | grep inet | cut -d ' ' -f2 | tail -n 1) + grenetwork=$(ipcalc -c $greip / 30 | grep network | awk '{ print $3 }') + sed -i "s/\/GRENETWORK\//${grenetwork}/g" "/tmp/$pophost/ospfd.rsc" + cat "/tmp/$pophost/ospfd.rsc" >> "/tmp/$pophost/$pophost.rsc" + elif [[ $(ls "/tmp/$pophost/" | grep -c "netwatch") -eq 1 ]]; then + tunif=$(cat "/tmp/$pophost/gre.sh" | awk '{ print $4 }' | grep tun | head -n 1) + cp $basedir/src/edgeos/ospf.sh "/tmp/$pophost/" + sed -i "s/\/TUN\//${tunif}/g" "/tmp/$pophost/ospf.sh" + sed -i "s/\/OSPFMD5\//${ospfmd5}/g" "/tmp/$pophost/ospf.sh" + sed -i "s/\/METRIC\//${metric}/g" "/tmp/$pophost/ospf.sh" + fi + done + cat /etc/ospfd.conf | sed -n -e :a -e '1,12!{P;N;D;};N;ba' > /tmp/ospfd.conf + mv /tmp/ospfd.conf /etc/ospfd.conf + echo "}" >> /etc/ospfd.conf + chmod 600 /etc/ospfd.conf + custom "/etc" "1" + pidof_ospfd=$(pidof "ospfd") + if [[ -z $pidof_ospfd ]]; then + rcctl start ospfd || error_exit "$LINENO: ERROR: OSPFD failed." + else + rcctl restart ospfd || error_exit "$LINENO: ERROR: OSPFD failed." + fi + ;; "ntpd") - install -o root -g wheel -m 0644 src/etc/ntpd.conf /etc/ + install -o root -g wheel -m 0644 $basedir/src/etc/ntpd.conf /etc/ cleanold "/etc/" - rcctl restart ntpd || error_exit "$LINENO: ERROR: NTPD failed.";; + rcctl restart ntpd || error_exit "$LINENO: ERROR: NTPD failed." + ;; + "remote") + + for file in $(find /tmp -type d -maxdepth 1); do + filename=$(basename $file) + typeset -i dots=$(echo $filename| tr -cd '.' | wc -c) + if [[ $dots -eq 2 ]]; then + if [[ $(ls $file/ | grep -c "hostname") -eq 2 ]]; then + tar -cvf "/tmp/$filename.tar" -C /tmp -s /tmp// $file + sha256 -q "$file.tar" > "/tmp/$filename.sha256" + if [[ ! -d "/var/www/htdocs/$publichost" ]]; then + mkdir "/var/www/htdocs/$publichost" + fi + mv "/tmp/$filename.tar" "/var/www/htdocs/$publichost" + mv "/tmp/$filename.sha256" "/var/www/htdocs/$publichost" + rm -rf $file + fi + fi + done + if [[ ! 
-d /etc/ssh/remote_install ]]; then + mkdir /etc/ssh/remote_install + chmod g-w /etc/ssh/remote_install + else + rm -rf /etc/ssh/remote_install + mkdir /etc/ssh/remote_install + chmod g-w /etc/ssh/remote_install + fi + for file in $(find $basedir/src/etc/ssh/remote_install/ -type f); do + filename=$(basename $file) + if [[ "$filename" != "rc.local" ]]; then + install -o root -g wheel -m 0640 $file /etc/ssh/remote_install/ + elif [[ "$filename" == "rc.local" ]]; then + cat $file >> /etc/rc.local + fi + done + custom "/etc/ssh/remote_install" "1" + install -o root -g wheel -m 0750 $basedir/src/usr/local/sbin/remote-install /usr/local/sbin/ + pidof_remote=$(pidof "remote") + if [[ -z $pidof_remote ]]; then + /usr/sbin/sshd -f /etc/ssh/remote_install/remote_install.conf + else + kill -9 $(cat /var/run/sshd-remote-install.pid) + /usr/sbin/sshd -f /etc/ssh/remote_install/remote_install.conf + fi + install -o root -g wheel -m 0640 $basedir/src/etc/httpd.conf.acmefirst /etc/httpd.conf + custom "/etc/" "1" + httpd -n + pidof_httpd=$(pidof "httpd") + if [[ -z $pidof_remote ]]; then + rcctl enable httpd + rcctl start httpd || error_exit "$LINENO: ERROR: HTTPD failed." + else + rcctl restart httpd + fi + echo "connecting to remote OpenBSD MESH hosts..." 
+ for file in $(find /etc -maxdepth 1 -name "iked.conf.*" -type f); do + if [[ $(grep -c "brainpool512" $file) -eq 1 ]]; then + remotehost=$(echo $file | sed "s/\/etc\/iked.conf.//") + ssh-keyscan -p 31137 -t ed25519 $remotehost > /etc/ssh/ssh_known_hosts + ssh -p 31137 $remotehost -v + fi + done + sleep 31 + + + + ;; + "httpd") + case $subphase in + "basic") + (: "${hostname?}") 2>/dev/null || hostname=$(hostname -s) + (: "${landomainname?}") 2>/dev/null || landomainname=$(hostname | sed "s/`hostname -s`.//") + install -o root -g wheel -m 0640 $basedir/src/etc/httpd.conf.mime.types /etc + install -o root -g wheel -m 0640 $basedir/src/etc/httpd.conf /etc + install -o root -g wheel -m 0640 $basedir/src/etc/httpd.conf.local /etc + install -o root -g wheel -m 0640 $basedir/src/etc/httpd.conf.vhosts.basic /etc/httpd.conf.vhosts + custom "/etc" "1" + if [[ ! -d "/var/www/htdocs/$publichost" ]]; then + mkdir "/var/www/htdocs/$publichost" + + fi + chown -R wwwftp:www "/var/www/htdocs/$publichost" + if [[ ! -d "/var/www/htdocs/$hostname.$landomainname" ]]; then + mkdir "/var/www/htdocs/$hostname.$landomainname" + fi + if [[ $(ls "/var/www/htdocs/$publichost/" | grep -c "sha256") -ne 0 ]]; then + mv "/var/www/htdocs/$publichost/"* "/var/www/htdocs/$hostname.$landomainname" + fi + chown -R wwwftp:www "/var/www/htdocs/$hostname.$landomainname" + rcctl restart httpd + esac + ;; + "relayd") + + install -o root -g wheel -m 0640 $basedir/src/etc/relayd.conf /etc/ + custom "/etc" "1" + sed -i "s/\/PUBV6\//${ipv6egress}/g" /etc/relayd.conf + rcctl enable relayd + ;; + "smtpd") + pkg "smtpd" + ;; + "powernsd") + pkg "powernsd" + ;; esac } -echo "changing installurl" -ctrl= -while [ -z $ctrl ] -do - echo -n 'Go ahead type 1 ' - read ctrl - if [[ "$ctrl" -eq 1 ]]; then - install -o root -g wheel -m 0644 src/etc/installurl /etc/ - else - error_exit "$LINENO: EXIT FROM USER." 
- fi - -done -echo "adding basic shell packages" -ctrl= -while [ -z $ctrl ] -do - echo -n 'Go ahead type 1 ' - read ctrl - if [[ "$ctrl" -eq 1 ]]; then - pkg "shell" - else - error_exit "$LINENO: EXIT FROM USER." - fi - -done -echo "installing automatic update \n" -if [[ ! -e "/etc/daily.local" ]]; then - install -o root -g wheel -m 0640 src/etc/daily.local /etc/ -elif ! grep -q "pkg_add" "/etc/daily.local"; then - cat src/etc/daily.local >> "/etc/daily.local" -fi -rcctl disable sndiod -rcctl stop sndiod -rcctl disable check_quotas -echo "configuring users" -ctrl= -while [ -z $ctrl ] -do - echo -n 'Go ahead type 1 ' - read ctrl - if [[ "$ctrl" -eq 1 ]]; then - if [ ! -d /root/Bin ]; then - mkdir /root/Bin - chmod 700 /root/Bin +case $1 in + "-I") + configini= + if [[ ! -e "/tmp/config.ini" ]]; then + touch "/tmp/config.ini" + else + echo "Type 1 to use /tmp/config.ini " + read configini + fi + + echo "changing IPv4 from dynamic to static on $egressinterface and do a perfect IPv6" + if [[ $configini -eq 1 ]]; then + ipv6ctrl=$(cat /tmp/config.ini | grep ipv6ctrl |cut -d \# -f2) + case $ipv6ctrl in + "static") + ipv6egress=$(cat /tmp/config.ini | grep ipv6egress |cut -d \# -f2) + ipv6prefix=$(cat /tmp/config.ini | grep ipv6prefix |cut -d \# -f2) + ipv6defrouter=$(cat /tmp/config.ini | grep ipv6defrouter |cut -d \# -f2) + ;; + "dynamic") + ipv6egress=$(slaacctl show interface | grep 2001 | awk 'NR>2' | head -n 1 | cut -d , -f1) + ipv6prefix=$(slaacctl show interface | grep 2001 | awk 'NR>2' | head -n 1 | cut -d \/ -f2) + ipv6defrouter=$(netstat -rn -f inet6 | awk 'NR>8' | head -n 1 | awk '{print $2}') + ;; + esac + configuration "static" + else + ctrl= + while [ -z $ctrl ] + do + echo 'Go ahead type 1 ' + read ctrl + if [[ "$ctrl" -eq 1 ]]; then + echo "static#$ctrl" > /tmp/config.ini + while [ -z $ipv6ctrl ] + do + echo -n 'Is the IPv6 address on the egress interface static or dynamic?\n' + read ipv6ctrl + echo "ipv6ctrl#$ipv6ctrl" >> /tmp/config.ini + case $ipv6ctrl 
in + "static") + echo -n 'Type the IPv6 address without prefixlen ' + read ipv6egress + echo -n 'Type the prefixlen ' + read ipv6prefix + echo -n 'Type the IPv6 default route ' + read ipv6defrouter + echo "ipv6egress#$ipv6egress" >> /tmp/config.ini + echo "ipv6prefix#$ipv6prefix" >> /tmp/config.ini + echo "ipv6defrouter#$ipv6defrouter" >> /tmp/config.ini + ;; + "dynamic") + ipv6egress=$(slaacctl show interface | grep 2001 | awk 'NR>2' | head -n 1 | cut -d , -f1) + ipv6prefix=$(slaacctl show interface | grep 2001 | awk 'NR>2' | head -n 1 | cut -d \/ -f2) + ipv6defrouter=$(netstat -rn -f inet6 | awk 'NR>8' | head -n 1 | awk '{print $2}') + ;; + *) + echo -n "Please type static or dynamic \n" + continue + ;; + esac + done + configuration "static" + else + error_exit "$LINENO: EXIT FROM USER." + fi + + done fi - if [ ! -d /root/Backups ]; then - mkdir /root/Backups - chmod 700 /root/Backups + echo "changing installurl" + if [[ $configini -eq 1 ]]; then + install -o root -g wheel -m 0644 $basedir/src/etc/installurl /etc/ + else + ctrl= + while [ -z $ctrl ] + do + echo 'Go ahead type 1 ' + read ctrl + if [[ "$ctrl" -eq 1 ]]; then + install -o root -g wheel -m 0644 $basedir/src/etc/installurl /etc/ + echo "installurl#$ctrl" >> /tmp/config.ini + else + error_exit "$LINENO: EXIT FROM USER." + fi + + done fi - if [ ! -d /home/taglio/Bin ]; then - mkdir /home/taglio/Bin - chown taglio:wheel /home/taglio/Bin + echo "adding basic shell packages" + if [[ $configini -eq 1 ]]; then + pkg "shell" + else + ctrl= + while [ -z $ctrl ] + do + echo 'Go ahead type 1 ' + read ctrl + if [[ "$ctrl" -eq 1 ]]; then + pkg "shell" + echo "shell#$ctrl" >> /tmp/config.ini + else + error_exit "$LINENO: EXIT FROM USER." + fi + + done fi - - configuration "users" - configuration "scripts" - else - error_exit "$LINENO: EXIT FROM USER." - fi - -done - -hostname= -while [ -z $hostname ] -do - echo -n 'Type the hostname ' - read hostname - echo $hostname > conf/hostname - find . 
-type f | xargs -I {} sed -i "s/\/HOSTNAME\//$hostname/g" {} -done -routerid= -while [ -z $routerid ] -do - echo -n 'Type the routerid ' - read routerid - echo $routerid > conf/routerid - find . -type f | xargs -I {} sed -i "s/\/ROUTERID\//$routerid/g" {} -done -publichost= -while [ -z $publichost ] -do - echo -n 'Type the publichost ' - read publichost - echo $publichost > conf/publichost - find . -type f | xargs -I {} sed -i "s/\/PUBLICHOST\//$publichost/g" {} -done -echo $publicip > conf/publicip -echo $dyndns > conf/dyndns -find . -type f | xargs -I {} sed -i "s/\/PUBLICIP\//$publicip/g" {} -find . -type f | xargs -I {} sed -i "s/\/DYNDNS\//$dyndns/g" {} -publickey=$(ssh-keyscan -t ed25519 ::1 | sed "s/::1/[$publicip,$routerid]/") -if grep -q "$publickey" src/etc/ssh/ssh_known_hosts; then - echo $publickey >> src/etc/ssh/ssh_known_hosts -fi -sshfp=$(ssh-keyscan -D -t ed25519 ::1 | sed "s/::1/$hostname/") -echo $sshfp > conf/sshfp -echo "configuring basic" -ctrl= -while [ -z $ctrl ] -do - echo -n 'Go ahead type 1 ' - read ctrl - if [[ "$ctrl" -eq 1 ]]; then - configuration "basic" - else - error_exit "$LINENO: EXIT FROM USER." - fi - -done -echo "configuring unbound" -ctrl= -while [ -z $ctrl ] -do - echo -n 'Go ahead type 1 ' - read ctrl - if [[ "$ctrl" -eq 1 ]]; then - configuration "unbound" "local" - else - error_exit "$LINENO: EXIT FROM USER." - fi - -done -echo -n "configuring ssh \ - \nplease add \ - \n${publickey} \ - \nto ~/.ssh/known_hosts \ - \nto the others nodes \ - \nplease add \ - \n${sshfp} \ - \nto /var/nsd/zones/master/telecom.lobby.zone in cyberanarkhia \ - \n" -ctrl= -while [ -z $ctrl ] -do - echo -n 'Go ahead type 1 ' - read ctrl - if [[ "$ctrl" -eq 1 ]]; then - configuration "ssh" - else - error_exit "$LINENO: EXIT FROM USER." - fi -done -echo -n "configuring ipsec \ - \nplease add ${publicip}/32 to \ - \n/etc/pf.conf/table.ipsec \ - \nto the others nodes and reload them! 
\ - \n" -ctrl= -while [ -z $ctrl ] -do - echo -n 'Go ahead type 1 ' - read ctrl - if [[ "$ctrl" -eq 1 ]]; then - configuration "ipsec" $publichost - else - error_exit "$LINENO: EXIT FROM USER." - fi -done + rcctl disable sndiod + rcctl disable check_quotas + rcctl stop sndiod + + echo "configuring users" + if [[ $configini -eq 1 ]]; then + if [ ! -d /root/Bin ]; then + mkdir /root/Bin + chmod 700 /root/Bin + fi + if [ ! -d /root/Backups ]; then + mkdir /root/Backups + chmod 700 /root/Backups + fi + if [ ! -d /home/taglio/Bin ]; then + mkdir /home/taglio/Bin + chown taglio:wheel /home/taglio/Bin + fi + + configuration "users" + configuration "scripts" + else + ctrl= + while [ -z $ctrl ] + do + echo 'Go ahead type 1 ' + read ctrl + if [[ "$ctrl" -eq 1 ]]; then + if [ ! -d /root/Bin ]; then + mkdir /root/Bin + chmod 700 /root/Bin + fi + if [ ! -d /root/Backups ]; then + mkdir /root/Backups + chmod 700 /root/Backups + fi + if [ ! -d /home/taglio/Bin ]; then + mkdir /home/taglio/Bin + chown taglio:wheel /home/taglio/Bin + fi + + configuration "users" + configuration "scripts" + echo "users#$ctrl" >> /tmp/config.ini + else + error_exit "$LINENO: EXIT FROM USER." 
+ fi + + done + fi + if [[ $configini -eq 1 ]]; then + hostname=$(cat /tmp/config.ini | grep hostname |cut -d \# -f2) + else + hostname= + while [ -z $hostname ] + do + echo 'Type the hostname ' + read hostname + echo "hostname#$hostname" >> /tmp/config.ini + done + fi + if [[ $configini -eq 1 ]]; then + landomainname=$(cat /tmp/config.ini | grep landomainname |cut -d \# -f2) + else + landomainname= + while [ -z $landomainname ] + do + echo 'Type the LAN domain name ' + read landomainname + echo "landomainname#$landomainname" >> /tmp/config.ini + done + fi + if [[ $configini -eq 1 ]]; then + routerid=$(cat /tmp/config.ini | grep routerid |cut -d \# -f2) + else + routerid= + while [ -z $routerid ] + do + echo 'Type the routerid ' + read routerid + echo "routerid#$routerid" >> /tmp/config.ini + done + fi + srcid=$(print $publichost | cut -d . -f1) + typeset -u publichostname=$srcid + domainname=$(print $publichost | sed "s/$srcid.//") + for a in $(dig ipsec20591.$domainname TXT +short @8.8.8.8 | sed "s/\"//g" | tr \; '\n' | sed '$d'); do + b=$(echo $a | cut -d : -f1) + if [ "$b" = "$srcid" ]; then + srcid=$(echo $a | cut -d : -f2) + fi + done + echo "configuring basic" + if [[ $configini -eq 1 ]]; then + configuration "basic" + else + ctrl= + while [ -z $ctrl ] + do + echo 'Go ahead type 1 ' + read ctrl + if [[ "$ctrl" -eq 1 ]]; then + configuration "basic" + echo "basic#$ctrl" >> /tmp/config.ini + else + error_exit "$LINENO: EXIT FROM USER." + fi + + done + fi + echo "configuring unbound \n" + if [[ $configini -eq 1 ]]; then + sleep 3 + configuration "unbound" "local" + else + ctrl= + echo 'Go ahead type 1 ' + read ctrl + if [[ "$ctrl" -eq 1 ]]; then + configuration "unbound" "local" + echo "unbound#$ctrl" >> /tmp/config.ini + else + error_exit "$LINENO: EXIT FROM USER." 
+ fi + fi + echo "configuring ssh \n" + if [[ $configini -eq 1 ]]; then + configuration "ssh" "public" + else + ctrl= + while [ -z $ctrl ] + do + echo 'Go ahead type 1 ' + read ctrl + if [[ "$ctrl" -eq 1 ]]; then + configuration "ssh" "public" + echo "ssh#$ctrl" >> /tmp/config.ini + else + error_exit "$LINENO: EXIT FROM USER." + fi + done + fi + echo "configuring ipsec \ + \nplease add ${publicip}/32 to \ + \n/etc/pf.conf/table.ipsec \ + \nto the others nodes and reload them! \ + \n" + if [[ $configini -eq 1 ]]; then + configuration "ipsec" + else + ctrl= + while [ -z $ctrl ] + do + echo 'Go ahead type 1 ' + read ctrl + if [[ "$ctrl" -eq 1 ]]; then + configuration "ipsec" + echo "ipsec#$ctrl" >> /tmp/config.ini + else + error_exit "$LINENO: EXIT FROM USER." + fi + done + fi + if [[ $configini -eq 1 ]]; then + configuration "gre" + else + echo "configuring gre interfaces \ + \n" + ctrl= + while [ -z $ctrl ] + do + echo 'Go ahead type 1 ' + read ctrl + if [[ "$ctrl" -eq 1 ]]; then + configuration "gre" + echo "gre#$ctrl" >> /tmp/config.ini + else + error_exit "$LINENO: EXIT FROM USER." + fi + done + fi + echo "configuring PF firewall and others environments \n" + if [[ $configini -eq 1 ]]; then + configuration "pf" + else + ctrl= + while [ -z $ctrl ] + do + echo 'Go ahead type 1 ' + read ctrl + if [[ "$ctrl" -eq 1 ]]; then + configuration "pf" + echo "pf#$ctrl" >> /tmp/config.ini + else + error_exit "$LINENO: EXIT FROM USER." + fi + done + fi + + echo "configuring OSPF routing protocol \n" + if [[ $configini -eq 1 ]]; then + configuration "ospf" + else + ctrl= + while [ -z $ctrl ] + do + echo 'Go ahead type 1 ' + read ctrl + if [[ "$ctrl" -eq 1 ]]; then + configuration "ospf" + echo "ospf#$ctrl" >> /tmp/config.ini + else + error_exit "$LINENO: EXIT FROM USER." 
+ fi + done + fi + + echo "preparing archives, signing them, starting httpd default host and start the remote install procedure \n" + if [[ $configini -eq 1 ]]; then + configuration "remote" + else + ctrl= + while [ -z $ctrl ] + do + echo 'Go ahead type 1 ' + read ctrl + if [[ "$ctrl" -eq 1 ]]; then + configuration "remote" + echo "remote#$ctrl" >> /tmp/config.ini + else + error_exit "$LINENO: EXIT FROM USER." + fi + done + fi + echo "configuring unbound for IPSec MESH network \n" + if [[ $configini -eq 1 ]]; then + upgrade "unbound" + else + ctrl= + while [ -z $ctrl ] + do + echo 'Go ahead type 1 ' + read ctrl + if [[ "$ctrl" -eq 1 ]]; then + upgrade "unbound" + echo "unboundipsec#$ctrl" >> /tmp/config.ini + else + error_exit "$LINENO: EXIT FROM USER." + fi + done + fi + echo "configuring sshd for IPSec MESH network with certificates\n" + if [[ $configini -eq 1 ]]; then + upgrade "ssh" + else + ctrl= + while [ -z $ctrl ] + do + echo 'Go ahead type 1 ' + read ctrl + if [[ "$ctrl" -eq 1 ]]; then + upgrade "ssh" + echo "sshipsec#$ctrl" >> /tmp/config.ini + else + error_exit "$LINENO: EXIT FROM USER." + fi + done + fi + pfctl -f /etc/pf.conf + rcctl restart syslogd + echo "configuring basic httpd for IPSec MESH network operations\n" + if [[ $configini -eq 1 ]]; then + configuration "httpd" "basic" + else + ctrl= + while [ -z $ctrl ] + do + echo 'Go ahead type 1 ' + read ctrl + if [[ "$ctrl" -eq 1 ]]; then + configuration "httpd" "basic" + echo "httpdbasic#$ctrl" >> /tmp/config.ini + else + error_exit "$LINENO: EXIT FROM USER." 
+ fi + done + fi + install -o root -g wheel -m 0640 src/etc/ntpd.conf /etc + rcctl restart ntpd + pfctl -f /etc/pf.conf + rcctl restart syslogd + sh "$basedir/$app" -A sslcareq + echo "You successfully installed and connected a new OpenBSD MESH guerrilla host" + sh "$basedir/$app" -A otheros + ;; + "-U") + if [[ $# -ne 2 ]]; then + print $0 "UPGRADE option must be followed by: \ + \n \ + \nall -> redo the installation and reset all the system \ + \nstatic \ + \nbasic \ + \nusers \ + \nscripts \ + \nunbound_ipsec\ + \nssh_ipsec\ + \nipsec \ + \ngre \ + \npf \ + \nospf \ + \nremote \ + \nremoteinstall \ + \nrelayd \ + \nnewhost \ + \nscripts \ + \ndyndnspop \ + \nhttpdbasic \ + \n" + exit 1 + fi + case $2 in + "static") + backup "static" + configuration "static" + ;; + "basic") + pkg "shell" + backup "basic" + configuration "basic" + ;; + "static") + backup "static" + configuration "static" + ;; + "users") + backup "users" + configuration "users" + ;; + "scripts") + backup "scripts" + configuration "scripts" + ;; + "unbound_ipsec") + backup "unbound" + upgrade "unbound" + ;; + "ssh_ipsec") + backup "ssh" + upgrade "ssh" + ;; + "ipsec") + backup "ipsec" + upgrade "ipsec" + ;; + "gre") + upgrade "gre" + ;; + "pf") + backup "pf" + upgrade "pf" + ;; + "ospf") + upgrade "ospf" + ;; + "remote") + backup "remote" + upgrade "remote" + ;; + "httpdbasic") + backup "httpdbasic" + configuration "httpd" "basic" + ;; + "remoteinstall") + upgrade "remoteinstall" + ;; + "relayd") + upgrade "relayd" + ;; + "newhost") + upgrade "newhost" + ;; + "scripts") + upgrade "scripts" + ;; + "dyndnspop") + upgrade "dyndnspop" + ;; + "file") + upgrade "file" + ;; + "all") + sh setup_node -I + + ;; + esac + ;; + "-D") + if [[ $# -ne 2 ]]; then + print $0 "DAEMONS option must be followed by: \ + \n \ + \npowernsd \ + \nhttpd \ + \nsmtpd \ + \nimapd \ + \n" + exit 1 + fi + case $2 in + "powernsd") + echo "configuring nsd and powerdns" + configuration "powernsd" + ;; + "smtpd") + echo "configuring 
smtpd" + configuration "smtpd" + ;; + esac + + ;; + "-A") + if [[ $# -ne 2 ]]; then + print $0 "ADMINISTRATE option must be followed by: \ + \n \ + \ncleanlast \ + \nsslcareq \ + \notheros \ + \n" + exit 1 + fi + case $2 in + "cleanlast") + admin "cleanlast" + ;; + "sslcareq") + admin "sslcareq" + ;; + "otheros") + admin "otheros" + ;; + esac + ;; + *) + exit 1 + ;; +esac diff --git a/src/edgeos/example_ospf b/src/edgeos/example_ospf new file mode 100644 index 00000000..8b1966f3 --- /dev/null +++ b/src/edgeos/example_ospf 
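Review bot: `ssh-keyscan -p 31137 -t ed25519 $remotehost > /etc/ssh/ssh_known_hosts` in the "remote" phase overwrites the system-wide known_hosts on every loop iteration, so only the last mesh host's key survives, and it records whatever key the remote presents at first contact without any check; append with `>>` and verify the scanned key against something the operator controls before `ssh -p 31137 $remotehost -v` runs (the removed `sshfp=$(ssh-keyscan -D -t ed25519 ::1 ...)` line used to produce exactly the SSHFP record that could serve that purpose). Related points in the same file: the "pf" phase replaces `pfctl -nf /etc/pf.conf || error_exit ...` with `pfctrl=$(pfctl -nf /etc/pf.conf)` and `if [[ -z $pfctrl ]]; then echo "PF ruleset OK"`, but pfctl reports syntax errors on stderr with a non-zero exit status, so stdout is empty either way and a broken ruleset is announced as OK; keep the `|| error_exit` form. In the mikrotik branch of the "gre" phase, `sed -i "s/\/GREPOPIP\//10.10.10.$grepopip\/g" "/tmp/$pophost/$pophost.rsc"` escapes the closing delimiter, so sed fails with an unterminated `s` command and the placeholder stays in the .rsc file (every other GREPOPIP substitution ends in `/g`). `find /etc/ -type f -name "iked.*" | xargs -I {}` in the "ipsec" phase has no command after `-I {}`. In the "remote" phase `pidof_remote=$(pidof "remote")` looks for a process named `remote` although the daemon started is `/usr/sbin/sshd -f ...`, and `pidof_httpd=$(pidof "httpd")` is then tested as `if [[ -z $pidof_remote ]]`, so neither restart branch is ever taken; test the pid file that is already read. The `-I` flow announces "preparing archives, signing them", yet the "remote" phase only writes `sha256 -q "$file.tar"` next to the tar in /var/www/htdocs, and a digest served by the same httpd as the archive gives no authenticity, while those archives carry the peer's ospfd.conf with the freshly generated OSPF MD5 key and its hostname.gre/hostname.enc files; sign them with signify(1) and verify on the receiving side. `rm -rf "/tmp/$dyndnshost"` uses a value taken straight from `dig vpnc.$domainname TXT +short @8.8.8.8`; an empty answer turns this into `rm -rf /tmp/`, so reject empty or unexpected values, and since tunnel endpoints, tunnel indexes and pf table entries are all derived from unauthenticated TXT/A answers, validate them (a local validating resolver or `+dnssec`) rather than trusting 8.8.8.8. Finally, the `-U` case lists `"static")` and `"scripts")` twice; the second labels are unreachable.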
@@ -0,0 +1,229 @@ +ubnt@NTR-NLK01:~$ show configuration +firewall { + all-ping enable + broadcast-ping disable + conntrack-expect-table-size 4096 + conntrack-hash-size 4096 + conntrack-table-size 32768 + conntrack-tcp-loose enable + ipv6-receive-redirects disable + ipv6-src-route disable + ip-src-route disable + log-martians enable + receive-redirects disable + send-redirects disable + source-validation disable + syn-cookies enable +} +interfaces { + ethernet eth0 { + address 10.1.100.25/29 + description Telecom + duplex auto + speed auto + } + ethernet eth1 { + address 10.1.100.1/30 + description NTR-WRW01 + duplex auto + speed auto + } + ethernet eth2 { + duplex auto + speed auto + } + ethernet eth3 { + duplex auto + speed auto + } + ethernet eth4 { + duplex auto + speed auto + } + ethernet eth5 { + duplex auto + speed auto + } + ethernet eth6 { + duplex auto + speed auto + } + ethernet eth7 { + duplex auto + speed auto + } + loopback lo { + address 10.1.100.21/32 + } +} +policy { + access-list 10 { + description IN + rule 10 { + action permit + source { + inverse-mask 0.0.0.255 + network 10.1.100.0 + } + } + rule 20 { + action permit + source { + inverse-mask 0.0.0.255 + network 130.159.97.0 + } + } + rule 30 { + action permit + source { + inverse-mask 0.0.0.255 + network 172.16.72.0 + } + } + rule 50 { + action deny + source { + inverse-mask 0.0.7.255 + network 209.17.250.0 + } + } + rule 51 { + action deny + source { + inverse-mask 0.0.255.255 + network 192.168.0.0 + } + } + rule 52 { + action deny + source { + inverse-mask 0.15.255.255 + network 172.16.0.0 + } + } + rule 60 { + action permit + source { + any + } + } + } + route-map CONNECT { + rule 10 { + action permit + match { + interface eth0 + ip { + route-source { + access-list 10 + } + } + } + } + rule 11 { + action permit + match { + interface eth1 + } + } + rule 20 { + action deny + match { + interface eth4 + } + } + } +} +protocols { + ospf { + area 0 { + network 10.1.100.0/24 + } + 
log-adjacency-changes { + } + parameters { + abr-type cisco + router-id 10.1.100.21 + } + redistribute { + connected { + metric-type 2 + } + static { + metric 10 + metric-type 2 + } + } + } + static { + route 10.1.100.40/29 { + next-hop 10.1.100.26 { + } + } + route 10.1.100.48/28 { + next-hop 10.1.100.26 { + } + } + route 10.1.100.64/26 { + next-hop 10.1.100.26 { + } + } + route 10.1.100.128/26 { + next-hop 10.1.100.26 { + distance 2 + } + } + route 10.1.100.192/27 { + next-hop 10.1.100.26 { + distance 2 + } + } + route 10.1.100.240/28 { + next-hop 10.1.100.26 { + distance 2 + } + } + } +} +service { + gui { + https-port 443 + } + ssh { + port 22 + protocol-version v2 + } +} +system { + host-name ***** + login { + user ubnt { + authentication { + encrypted-password **************** + } + level admin + } + } + name-server 10.1.100.66 + name-server 10.1.100.67 + ntp { + server { + } + server { + } + server { + } + } + syslog { + global { + facility all { + level notice + } + facility protocols { + level debug + } + } + } + time-zone ******* +} +ubnt@NTR-NLK01:~$ diff --git a/src/edgeos/gre.sh b/src/edgeos/gre.sh new file mode 100644 index 00000000..2e0bba01 --- /dev/null +++ b/src/edgeos/gre.sh 
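Review bot: `route-map CONNECT` and `access-list 10` are defined under `policy` but nothing references them: `redistribute { connected { metric-type 2 } static { metric 10 metric-type 2 } }` carries no `route-map CONNECT`, so the deny rules for 192.168.0.0/16, 172.16.0.0/12 and 209.17.250.0/21 never filter what is redistributed into area 0; add `route-map CONNECT` under `redistribute connected` or remove the unused policy so the example does not suggest filtering that is not in effect. As an example file it would also read better trimmed to the `interfaces`, `policy` and `protocols` blocks: the `firewall` block (`source-validation disable`), the `service` block (`ssh port 22`, `https-port 443`) and the `system` block with its masked `encrypted-password`, `host-name` and `time-zone` are unrelated to the OSPF point and show this is a dump of a live device.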
@@ -0,0 +1,19 @@ +/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper begin +/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set interfaces tunnel /TUN/ +/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set interfaces tunnel /TUN/ address /GREPOPIP//30 +/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set interfaces tunnel /TUN/ description /PUBLICHOST/ +/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set interfaces tunnel /TUN/ encapsulation gre +/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set interfaces tunnel /TUN/ firewall +/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set interfaces tunnel /TUN/ firewall local +/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set interfaces tunnel /TUN/ firewall local name GRE +/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set interfaces tunnel /TUN/ local-ip 0.0.0.0 +/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set interfaces tunnel /TUN/ mtu 1392 +/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set interfaces tunnel /TUN/ multicast enable +/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set interfaces tunnel /TUN/ remote-ip /PUBLICIP/ +/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set interfaces tunnel /TUN/ ttl 255 +/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set firewall group address-group PPPOE address /PUBLICIP/ +/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set protocols static table /ROUTERIDLAST/ +/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set protocols static table /ROUTERIDLAST/ description /PUBLICHOSTNAME/ +/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set protocols static table /ROUTERIDLAST/ interface-route 0.0.0.0/0 next-hop-interface /TUN/ +/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper commit +/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper save diff --git a/src/edgeos/ipsec.conf b/src/edgeos/ipsec.conf new file mode 100644 index 00000000..9001ee55 --- /dev/null +++ b/src/edgeos/ipsec.conf 
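Review bot: the `/ROUTERIDLAST/` and `/PUBLICHOSTNAME/` placeholders in `set protocols static table /ROUTERIDLAST/` and `... description /PUBLICHOSTNAME/` are never substituted: the gre.sh sed calls in setup_node's "gre" phase only replace GREPOPIP, TUN, PUBLICHOST and PUBLICIP, so `commit` is handed the literal strings and fails. Add the two substitutions there or drop the static-table lines. The result of `vyatta-cfg-cmd-wrapper commit` is not checked before `save`; exit on a failed commit so a half-applied tunnel is not silently left in the candidate config. `firewall local name GRE` assumes a ruleset named GRE already exists on the router; either create it in this script or document the prerequisite.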
@@ -0,0 +1,18 @@ +conn telecomlobby-/PUBLICHOSTNAME/ + left=%defaultroute + leftsourceip=%config4 + leftauth=pubkey + leftid=%indra@ca./DOMAINNAME/ + leftprotoport=gre + leftupdown=/config/ipsec/ES/PUBLICHOSTNAME/-updown.sh + ike=aes256-sha2_256-ecp256! + esp=aes256-sha2_256-ecp256! + + + right=/PUBLICIP/ + rightsubnet=/PUBLICIP/ + rightauth=pubkey + rightid=%/PUBLICHOST/ + rightcert=/etc/ipsec.d/certs//PUBLICHOST/.crt + rightprotoport=gre + diff --git a/src/edgeos/ipsec.sh b/src/edgeos/ipsec.sh new file mode 100644 index 00000000..0c5b39aa --- /dev/null +++ b/src/edgeos/ipsec.sh @@ -0,0 +1,6 @@ +/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper begin +/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set system task-scheduler task ES/PUBLICHOSTNAME/ +/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set system task-scheduler task ES/PUBLICHOSTNAME/ executable path /config/scripts/ES/PUBLICHOSTNAME/_netwatch.sh +/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set system task-scheduler task ES/PUBLICHOSTNAME/ interval 1m +/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper commit +/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper save diff --git a/src/edgeos/ipsec/ES--SRCID--updown.sh b/src/edgeos/ipsec/ES--SRCID--updown.sh new file mode 100644 index 00000000..4b218092 --- /dev/null +++ b/src/edgeos/ipsec/ES--SRCID--updown.sh @@ -0,0 +1,27 @@ +#!/bin/bash + +set -o nounset +set -o errexit + +TUN_IFACE="tun0" +BACKUP_ROUTE="tun3" + +case "${PLUTO_VERB}" in + up-host) + echo "Putting interface ${TUN_IFACE} up" + ifconfig $TUN_IFACE up + echo "Disabling IPsec policy (SPD) for ${TUN_IFACE}" + sysctl -w "net.ipv4.conf.${TUN_IFACE}.disable_policy=1" + echo "Accepting gre keepalive" + sysctl -w "net.ipv4.conf.${TUN_IFACE}.accept_local=1" + echo "Adding default route to table 3" + ip route del table 2 default + ip route add table 2 default nexthop dev ${TUN_IFACE} + + ;; + down-host) + ifconfig $TUN_IFACE down + ip route add table 2 default nexthop dev ${BACKUP_ROUTE} + ;; +esac + 
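Review bot: the `conn telecomlobby-/PUBLICHOSTNAME/` block has no `auto=` line, so with strongSwan's ipsec.conf default (`auto=ignore`) the connection is not loaded at startup and only comes up when the netwatch job runs `ipsec up`; set `auto=start` (or `auto=route`) so the tunnel exists after a reboot without waiting for the scheduler. The `leftupdown=/config/ipsec/ES/PUBLICHOSTNAME/-updown.sh` path here and the `ES/PUBLICHOSTNAME/_netwatch.sh` path in ipsec.sh become `ES<NAME>-updown.sh` and `ES<NAME>_netwatch.sh` after a plain substitution, while setup_node copies the files as `ES-${publichostname}-updown.sh` and `ES-${publichostname}_netwatch.sh`; align the naming so the updown hook is actually found, otherwise the SA installs but the tunnel interface is never brought up. `ike=aes256-sha2_256-ecp256!` / `esp=aes256-sha2_256-ecp256!` with `leftauth=pubkey` / `rightauth=pubkey` and `rightcert=` pinned to the peer's certificate file is a sound baseline and worth a one-line comment so it is not loosened later.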
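Review bot: in ES--SRCID--updown.sh, `set -o errexit` combined with `ip route del table 2 default` aborts the whole `up-host` branch when table 2 has no default route yet (first run after boot), so the following `ip route add table 2 default nexthop dev ${TUN_IFACE}` never executes; `ip route replace table 2 default dev ${TUN_IFACE}` handles both the empty and the existing-route case in one step. The echo says `Adding default route to table 3` while both commands use table 2, and `down-host` adds the `${BACKUP_ROUTE}` nexthop without removing the primary, so after a flap both entries sit in the table. `TUN_IFACE="tun0"` and `BACKUP_ROUTE="tun3"` are hard-coded here whereas src/edgeos/scripts/ES-SRCID--updown.sh in the same patch uses the `/TUN/` placeholder; if this is the older copy, drop it rather than shipping two near-identical scripts with different behaviour.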
diff --git a/src/edgeos/ospf.sh b/src/edgeos/ospf.sh new file mode 100644 index 00000000..84d62a08 --- /dev/null +++ b/src/edgeos/ospf.sh @@ -0,0 +1,15 @@ +/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper begin +/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set interfaces tunnel /TUN/ ip ospf authentication md5 +/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set interfaces tunnel /TUN/ ip ospf authentication md5 key-id 1 md5-key /OSPFMD5/ +/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set interfaces tunnel /TUN/ ip ospf cost /METRIC/ +/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set interfaces tunnel /TUN/ ip ospf dead-interval 40 +/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set interfaces tunnel /TUN/ ip ospf hello-interval 10 +/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set interfaces tunnel /TUN/ ip ospf network point-to-point +/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set interfaces tunnel /TUN/ ip ospf priority 1 +/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set interfaces tunnel /TUN/ ip ospf retransmit-interval 5 +/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set interfaces tunnel /TUN/ ip ospf transmit-delay 1 +/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set protocols ospf area 0.0.0.0 network /GRENETWORK/ +/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set protocols ospf passive-interface-exclude /TUN/ +/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper commit +/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper save + diff --git a/src/edgeos/scripts/ES-SRCID--updown.sh b/src/edgeos/scripts/ES-SRCID--updown.sh new file mode 100644 index 00000000..d26b7363 --- /dev/null +++ b/src/edgeos/scripts/ES-SRCID--updown.sh 
@@ -0,0 +1,21 @@ +#!/bin/bash + +set -o nounset +set -o errexit + +TUN_IFACE="/TUN/" + +case "${PLUTO_VERB}" in + up-host) + echo "Putting interface ${TUN_IFACE} up" + ifconfig $TUN_IFACE up + echo "Disabling IPsec policy (SPD) for ${TUN_IFACE}" + sysctl -w "net.ipv4.conf.${TUN_IFACE}.disable_policy=1" + echo "Accepting gre keepalive" + sysctl -w "net.ipv4.conf.${TUN_IFACE}.accept_local=1" + ;; + down-host) + ifconfig $TUN_IFACE down + ;; +esac + diff --git a/src/edgeos/scripts/ES-SRCID-_netwatch.sh b/src/edgeos/scripts/ES-SRCID-_netwatch.sh new file mode 100644 index 00000000..613b4c1a --- /dev/null +++ b/src/edgeos/scripts/ES-SRCID-_netwatch.sh @@ -0,0 +1,17 @@ +#!/bin/bash + +ROUTER_IP=/GREPOPIP/ +IPSEC="telecomlobby-/PUBLICHOSTNAME/" +GRE="/TUN/" + +PING_RESULT=$(/usr/bin/fping -I$GRE $ROUTER_IP 2>&1) +ALIVE="alive" +STATUS=$(/usr/sbin/ipsec status $IPSEC) +ESTABLISHED="INSTALLED" + +if [[ "$PING_RESULT" != *"$ALIVE"* ]]; then + /usr/sbin/ipsec stroke down-nb $IPSEC + /usr/sbin/ipsec down $IPSEC + /usr/sbin/ipsec up $IPSEC +fi + diff --git a/src/etc/acme-client.conf b/src/etc/acme-client.conf index 788eb7ca..25efa1f3 100644 --- a/src/etc/acme-client.conf +++ b/src/etc/acme-client.conf 
@@ -11,66 +11,10 @@ authority letsencrypt-staging { account key "/etc/ssl/letsencrypt-staging-privkey.pem" } -domain www.telecomlobby.com { - alternative names { \ - telecomlobby.com \ - rnmnetwork.telecomlobby.com \ - taglio.telecomlobby.com \ - technomafia.telecomlobby.com \ - brainhack.telecomlobby.com \ - electronicharassment.telecomlobby.com \ - brainwashing.telecomlobby.com \ - neuroscience.telecomlobby.com \ - unspider.telecomlobby.com \ - elf.telecomlobby.com \ - riccardogiuntoli.telecomlobby.com \ - mindgames.telecomlobby.com \ - gangstalking.telecomlobby.com \ - targetindividual.telecomlobby.com \ - es.telecomlobby.com \ - it.telecomlobby.com \ - va.telecomlobby.com \ - united.telecomlobby.com \ - redama.es \ - www.redama.es \ - internet.redama.es \ - radioenlace.redama.es \ - catalunya.redama.es \ - wifi4eu.redama.es \ - wifi.redama.es \ - mensajeria.redama.es \ - redama.cat \ - internet.redama.cat \ - radioenllac.redama.cat \ - catalunya.redama.cat \ - wifi4eu.redama.cat \ - wifi.redama.cat \ - missatgeria.redama.cat \ - redama.pe \ - www.redama.pe \ - internet.redama.pe \ - radioenlace.redama.pe \ - catalunya.redama.pe \ - wifi4eu.redama.pe \ - wifi.redama.pe \ - mensajeria.redama.pe } - domain key "/etc/ssl/private/www.telecomlobby.com.key" - domain certificate "/etc/ssl/www.telecomlobby.com.crt" - domain full chain certificate "/etc/ssl/www.telecomlobby.com.pem" - sign with letsencrypt -} - -domain uk.telecomlobby.com { - alternative names { \ - mail.telecomlobby.com \ - autoconfig.telecomlobby.com \ - mta-sts.telecomlobby.com \ - wkd.telecomlobby.com } - domain key "/etc/ssl/private/uk.telecomlobby.com.key" - domain certificate "/etc/ssl/uk.telecomlobby.com.crt" - domain full chain certificate "/etc/ssl/uk.telecomlobby.com.pem" +domain /PUBHOST/ { + domain key "/etc/ssl/private//PUBHOST/.key" + domain certificate "/etc/ssl//PUBHOST/.crt" + domain full chain certificate "/etc/ssl//PUBHOST/.pem" sign with letsencrypt } - - 
diff --git a/lets-encrypt-r3.pem b/src/etc/acme/lets-encrypt-r3.pem similarity index 100% rename from lets-encrypt-r3.pem rename to src/etc/acme/lets-encrypt-r3.pem diff --git a/src/etc/daily.local b/src/etc/daily.local index ee221bfc..be7ca5c4 100644 --- a/src/etc/daily.local +++ b/src/etc/daily.local @@ -1,3 +1,3 @@ next_part "Checking packages:" -pkg_add -su +pkg_add -u diff --git a/src/etc/dhclient.conf b/src/etc/dhclient.conf index 4658d834..60c620e9 100644 --- a/src/etc/dhclient.conf +++ b/src/etc/dhclient.conf @@ -7,7 +7,7 @@ send host-name "/HOSTNAME/"; supersede host-name "/HOSTNAME/"; -supersede domain-name "telecom.lobby"; -supersede domain-search "telecom.lobby"; +supersede domain-name "/LANDOMAINAME/"; +supersede domain-search "/LANDOMAINAME/"; supersede domain-name-servers 127.0.0.1; diff --git a/src/etc/doas.conf b/src/etc/doas.conf index 133ac29e..6afc3262 100644 --- a/src/etc/doas.conf +++ b/src/etc/doas.conf @@ -3,8 +3,14 @@ # See doas.conf(5) for syntax and examples. permit persist keepenv :wheel -#permit nopass taglio as root cmd chown args "-R wwwftp:www /var/www/htdocs/*telecomlobby.com" -#permit nopass taglio as root cmd chmod args "-R g+wrx,o-rwx /var/www/htdocs/*telecomlobby.com" +permit nopass taglio as root cmd sh args /home/taglio/Sources/Git/OpenBSD/setup_node -U newhost +permit nopass taglio as root cmd sh args /home/taglio/Sources/Git/OpenBSD/setup_node -U scripts +permit nopass taglio as root cmd sh args /home/taglio/Sources/Git/OpenBSD/setup_node -U dyndnspop +permit nopass taglio as root cmd sh args /home/taglio/Sources/Git/OpenBSD/setup_node -U file +permit nopass taglio as root cmd sh args /home/taglio/Sources/Git/OpenBSD/setup_node -A cleanlast +permit nopass taglio as root cmd syspatch +permit nopass root as taglio cmd git args clone +permit nopass root as taglio cmd git args pull permit nopass root as _iperfd cmd \ /usr/local/bin/iperf args \ -s -B /ROUTERID/ -D -N 
diff --git a/src/etc/hostname.egress b/src/etc/hostname.egress new file mode 100644 index 00000000..242454d2 --- /dev/null +++ b/src/etc/hostname.egress @@ -0,0 +1,5 @@ +-inet +-inet6 +inet /PUBLICIP/ /PUBLICNETMASK/ /PUBLICBCAST/ +inet6 autoconf -temporary -soii + diff --git a/src/etc/hostname.enc-X- b/src/etc/hostname.enc-X- new file mode 100644 index 00000000..0b5374a5 --- /dev/null +++ b/src/etc/hostname.enc-X- @@ -0,0 +1,2 @@ +description "/POP/" +up diff --git a/src/etc/hostname.gre-X- b/src/etc/hostname.gre-X- new file mode 100644 index 00000000..c8af50b3 --- /dev/null +++ b/src/etc/hostname.gre-X- @@ -0,0 +1,8 @@ +description "/POPHOST/" +keepalive 5 2 +mtu 1392 +rtlabel gre +group /GROUP/ +!ifconfig gre/X/ /GRELOCALIP/ /GREPOPIP/ netmask 0xfffffffc up +!ifconfig gre/X/ tunnel /PUBLICIP/ /POPIP/ + diff --git a/src/etc/hostname.gre0 b/src/etc/hostname.gre0 deleted file mode 100644 index fd6c22e2..00000000 --- a/src/etc/hostname.gre0 +++ /dev/null @@ -1,6 +0,0 @@ -description "fr.telecomlobby.com" -keepalive 5 2 -mtu 1392 -!ifconfig gre0 10.10.10.249 10.10.10.250 netmask 0xfffffffc up -!ifconfig gre0 tunnel 78.141.201.0 45.32.144.15 - diff --git a/src/etc/hostname.gre1 b/src/etc/hostname.gre1 deleted file mode 100644 index 1ba7533e..00000000 --- a/src/etc/hostname.gre1 +++ /dev/null @@ -1,6 +0,0 @@ -description "RT-01.cat.telecomlobby.com" -mtu 1392 -keepalive 5 2 -!ifconfig gre1 10.10.10.229 10.10.10.230 netmask 0xfffffffc up -!ifconfig gre1 tunnel 78.141.201.0 81.44.32.47 - diff --git a/src/etc/hostname.gre2 b/src/etc/hostname.gre2 deleted file mode 100644 index bd96bc36..00000000 --- a/src/etc/hostname.gre2 +++ /dev/null @@ -1,6 +0,0 @@ -description "us.telecomlobby.com" -mtu 1392 -keepalive 5 2 -group nsd -!ifconfig gre2 10.10.10.226 10.10.10.225 netmask 0xfffffffc up -!ifconfig gre2 tunnel 78.141.201.0 155.138.247.27 diff --git a/src/etc/hostname.gre3 b/src/etc/hostname.gre3 deleted file mode 100644 index 05d0bcb7..00000000 
--- a/src/etc/hostname.gre3 +++ /dev/null @@ -1,6 +0,0 @@ -description "jp.telecomlobby.com" -keepalive 5 2 -mtu 1392 -group nsd -!ifconfig gre3 10.10.10.116 10.10.10.115 netmask 0xfffffffc up -!ifconfig gre3 tunnel 78.141.201.0 139.180.206.19 diff --git a/src/etc/hostname.pflog0 b/src/etc/hostname.pflog0 new file mode 100644 index 00000000..e31ee94e --- /dev/null +++ b/src/etc/hostname.pflog0 @@ -0,0 +1 @@ +up diff --git a/src/etc/hostname.vether0 b/src/etc/hostname.vether0 index a2875be4..1d657ae5 100644 --- a/src/etc/hostname.vether0 +++ b/src/etc/hostname.vether0 @@ -1,4 +1,4 @@ -inet -inet6 lladdr random -inet /ROUTERID/ +inet /ROUTERID//32 diff --git a/src/etc/hostname.vio0 b/src/etc/hostname.vio0 deleted file mode 100644 index 4fd7a8f5..00000000 --- a/src/etc/hostname.vio0 +++ /dev/null @@ -1,6 +0,0 @@ --inet --inet6 -dhcp -inet6 -autoconfprivacy -inet6 -soii -inet6 autoconf diff --git a/src/etc/httpd.conf b/src/etc/httpd.conf index 9221988c..d1e389b5 100644 --- a/src/etc/httpd.conf +++ b/src/etc/httpd.conf @@ -5,8 +5,6 @@ types { include "/etc/httpd.conf.mime.types" } -include "/etc/httpd.conf.local.pub" - include "/etc/httpd.conf.vhosts" include "/etc/httpd.conf.local" diff --git a/src/etc/httpd.conf.acmefirst b/src/etc/httpd.conf.acmefirst new file mode 100644 index 00000000..b1418783 --- /dev/null +++ b/src/etc/httpd.conf.acmefirst @@ -0,0 +1,9 @@ +server "/PUBLICHOST/" { + listen on egress port 80 + root "htdocs//PUBLICHOST/" + location "/.well-known/acme-challenge/*" { + root "/acme" + request strip 2 + } +} + diff --git a/src/etc/httpd.conf.local b/src/etc/httpd.conf.local index 6fe7af02..b71eeef2 100644 --- a/src/etc/httpd.conf.local +++ b/src/etc/httpd.conf.local @@ -1,4 +1,7 @@ -server "ganesha.telecom.lobby" { +server "/HOSTNAME/./LANDOMAINNAME/" { listen on vether0 port 80 - root "htdocs/ganesha.telecom.lobby" + root "htdocs//HOSTNAME/./LANDOMAINNAME/" + location "/*" { + directory auto index + } } 
diff --git a/src/etc/httpd.conf.vhosts.basic b/src/etc/httpd.conf.vhosts.basic new file mode 100644 index 00000000..b1418783 --- /dev/null +++ b/src/etc/httpd.conf.vhosts.basic @@ -0,0 +1,9 @@ +server "/PUBLICHOST/" { + listen on egress port 80 + root "htdocs//PUBLICHOST/" + location "/.well-known/acme-challenge/*" { + root "/acme" + request strip 2 + } +} + diff --git a/src/etc/iked.conf b/src/etc/iked.conf index 12d2746d..66757cc4 100644 --- a/src/etc/iked.conf +++ b/src/etc/iked.conf @@ -2,16 +2,5 @@ # # See iked.conf(5) for syntax and examples. -include "/etc/iked.conf.fr.telecomlobby.com" -include "/etc/iked.conf.RT-01.cat.telecomlobby.com" -include "/etc/iked.conf.us.telecomlobby.com" -include "/etc/iked.conf.uk.telecomlobby.com" - - - - - - - - +set dpd_check_interval 15 diff --git a/src/etc/iked.conf.RT-01.cat.telecomlobby.com b/src/etc/iked.conf.RT-01.cat.telecomlobby.com deleted file mode 100644 index f1fc8374..00000000 --- a/src/etc/iked.conf.RT-01.cat.telecomlobby.com +++ /dev/null @@ -1,8 +0,0 @@ -ikev2 "RT-01.cat.telecomlobby.com" passive transport \ - proto gre \ - from /PUBLICIP/ to /DYNDNS/ \ - local /PUBLICHOST/ peer any \ - ikesa auth hmac-sha2-256 enc aes-256 group ecp256 \ - childsa auth hmac-sha2-256 enc aes-256 group ecp256 \ - srcid "/HOSTNAME/@ca.telecomlobby.com" \ - ikelifetime 86400 lifetime 3600 diff --git a/src/etc/iked.conf.edgeos b/src/etc/iked.conf.edgeos new file mode 100644 index 00000000..0ad6254c --- /dev/null +++ b/src/etc/iked.conf.edgeos @@ -0,0 +1,9 @@ +ikev2 "/POP/" passive transport \ + proto gre \ + from /PUBLICIP/ to /POPIP/ \ + local /PUBLICHOST/ peer any \ + ikesa auth hmac-sha2-256 enc aes-256 group ecp256 \ + childsa auth hmac-sha2-256 enc aes-256 group ecp256 \ + srcid "/SRCID/@ca./DOMAINNAME/" \ + ikelifetime 86400 lifetime 3600 \ + tag /POP/ tap enc/X/ diff --git a/src/etc/iked.conf.fr.telecomlobby.com b/src/etc/iked.conf.fr.telecomlobby.com deleted file mode 100644 index a6b11b66..00000000 
--- a/src/etc/iked.conf.fr.telecomlobby.com +++ /dev/null @@ -1,8 +0,0 @@ -ikev2 "fr.telecomlobby.com" active transport \ - proto gre \ - from /PUBLICIP/ to 45.32.144.15 \ - local /PUBLICHOST/ peer fr.telecomlobby.com \ - ikesa auth hmac-sha2-256 enc aes-256 group ecp384 \ - childsa auth hmac-sha2-256 enc aes-256 \ - srcid "/HOSTNAME/@ca.telecomlobby.com" \ - ikelifetime 86400 lifetime 3600 diff --git a/src/etc/iked.conf.mikrotik b/src/etc/iked.conf.mikrotik new file mode 100644 index 00000000..18bf955b --- /dev/null +++ b/src/etc/iked.conf.mikrotik @@ -0,0 +1,9 @@ +ikev2 "/POP/" active transport \ + proto gre \ + from /PUBLICIP/ to /POPIP/ \ + local /PUBLICHOST/ peer /POP/ \ + ikesa auth hmac-sha2-256 enc aes-256 group ecp384 \ + childsa auth hmac-sha2-256 enc aes-256 \ + srcid "/SRCID/@ca./DOMAINNAME/" \ + ikelifetime 86400 lifetime 3600 \ + tag /POP/ tap enc/X/ diff --git a/src/etc/iked.conf.openbsd b/src/etc/iked.conf.openbsd new file mode 100644 index 00000000..b5e29a5b --- /dev/null +++ b/src/etc/iked.conf.openbsd @@ -0,0 +1,9 @@ +ikev2 "/POP/" /TYPE/ transport \ + proto gre \ + from /PUBLICIP/ to /POPIP/ \ + local /PUBLICHOST/ peer /POP/ \ + ikesa prf hmac-sha2-512 enc aes-256-gcm-12 group brainpool512 \ + childsa enc chacha20-poly1305 group curve25519 \ + srcid "/SRCID/@ca./DOMAINNAME/" \ + ikelifetime 86400 lifetime 3600 \ + tag /POP/ tap enc/X/ diff --git a/src/etc/iked.conf.uk.telecomlobby.com b/src/etc/iked.conf.uk.telecomlobby.com deleted file mode 100644 index a208c8b8..00000000 --- a/src/etc/iked.conf.uk.telecomlobby.com +++ /dev/null @@ -1,8 +0,0 @@ -ikev2 "uk.telecomlobby.com" passive transport \ - proto gre \ - from /PUBLICIP/ to 78.141.201.0 \ - local /PUBLICHOST/ peer uk.telecomlobby.com \ - ikesa prf hmac-sha2-512 enc aes-256-gcm-12 group brainpool512 \ - childsa enc chacha20-poly1305 group curve25519 \ - srcid "/HOSTNAME/@ca.telecomlobby.com" \ - ikelifetime 86400 lifetime 3600 
diff --git a/src/etc/iked.conf.us.telecomlobby.com b/src/etc/iked.conf.us.telecomlobby.com deleted file mode 100644 index 0d680a5e..00000000 --- a/src/etc/iked.conf.us.telecomlobby.com +++ /dev/null @@ -1,8 +0,0 @@ -ikev2 "us.telecomlobby.com" active transport \ - proto gre \ - from /PUBLICIP/ to 155.138.247.27 \ - local /PUBLICHOST/ peer us.telecomlobby.com \ - ikesa prf hmac-sha2-512 enc aes-256-gcm-12 group brainpool512 \ - childsa enc chacha20-poly1305 group curve25519 \ - srcid "/HOSTNAME/@ca.telecomlobby.com" \ - ikelifetime 86400 lifetime 3600 diff --git a/src/etc/iked/pubkeys/ufqdn/durga@ca.telecomlobby.com b/src/etc/iked/pubkeys/ufqdn/durga@ca.telecomlobby.com new file mode 100644 index 00000000..e7f1ad9d --- /dev/null +++ b/src/etc/iked/pubkeys/ufqdn/durga@ca.telecomlobby.com @@ -0,0 +1,9 @@ +-----BEGIN PUBLIC KEY----- +MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAt1uvi1yFdvs0jfbmHIrg +1+gu3/zq1TIIJ0EHC0FRLKN2ekqDorWLmtbxSGQOfP2Z+UYOzAD902pCZdXn9GRv +gPca9xITBGiGeP+J/DuJYkwP3LlN2oEpZ8vOsHsXzD8zifIl05JonMFYLoZmVn5E +hTYw1rEf1fuAVOTlSXDnrMGUK3B0O9HiBRL2T6VeoT7D46rV1sM3xKHhC2Y96f99 +cfkCRIPHkub8hINcfcjBaWDdw5+c+ZrNCffNSf9UTNWdKW07T0ppJHAza5bwUGUI +aq1IuOg83vw0FwuQOrMqTZnIo3Tn4HecBs/L7q/1syzSB/0Ux3HgfmS0/OaWSocc +IQIDAQAB +-----END PUBLIC KEY----- diff --git a/src/etc/iked/pubkeys/ufqdn/ganesha@ca.telecomlobby.com b/src/etc/iked/pubkeys/ufqdn/ganesha@ca.telecomlobby.com new file mode 100644 index 00000000..05d60dd6 --- /dev/null +++ b/src/etc/iked/pubkeys/ufqdn/ganesha@ca.telecomlobby.com @@ -0,0 +1,9 @@ +-----BEGIN PUBLIC KEY----- +MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvnF3R2FKEWEfwpp/A/fI +6HFJ9Gb7ihzuWwGQDnLpXc3xRt4Dw+cECxUeWb1tfuHkt+YhWG+mkAwHqlF+9ze5 +wTJ4Vly8FE1CKJ0BMFx/6ME1QPXeWG2Ivo8KdemXbRZFhuu5VLIaS7G0jGF+Mhui +nNZwVhNoMPMYG1T8XB777WYZY4piujEuXajxRuHxHT4h7NATlOK1vxzhOLuqSPAV +IL+SO7vyznmdLF1erzXtEkwizssvw+ZWbaN7h72YsrarnZ8QqdmkOdo9Y4V0zzMi +4Bqmt2F3hjI54c/ccJeUZqhFSP4WkoHaLj+c3ICnaP2RAz5t+77xMTwxiCB1PaSl +6wIDAQAB +-----END PUBLIC KEY----- 
diff --git a/src/etc/iked/pubkeys/ufqdn/indra@ca.telecomlobby.com b/src/etc/iked/pubkeys/ufqdn/indra@ca.telecomlobby.com new file mode 100644 index 00000000..e2343480 --- /dev/null +++ b/src/etc/iked/pubkeys/ufqdn/indra@ca.telecomlobby.com @@ -0,0 +1,9 @@ +-----BEGIN PUBLIC KEY----- +MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAo9tIpLBAtVaCgTJvdTkG +WCWeqYUrbuqmAcTGkvqAsW5eu8+AcpR6wHP5uONyh8+8bUAC8gDW2vcMBAsaPxqN ++uU99y2a0kmAPqGmsdwvQ6b1a5MBmKELeeRKy/MPaKqPPn8GoMsXKDWEUCYp3gvF +CGh1ICSFVrqy/tHEynruCMRYdGGLgNgtD9j5XkREttRFtyI+ZSlFnmcrvmQFAD3f +7EkeYZLmbA5Xz5N/NyjCnLnH2bzpcKoDcPt+GeP3FQstLXBsMuCYbXi8CyXu//4n +cH4b02yqyET6/XknlcuLkZtA2ZBu19zMEZKx0YRTbVZ7a6n1y+2yeJmlzXUUwerq +GwIDAQAB +-----END PUBLIC KEY----- diff --git a/src/etc/iked/pubkeys/ufqdn/neo@ca.telecomlobby.com b/src/etc/iked/pubkeys/ufqdn/neo@ca.telecomlobby.com new file mode 100644 index 00000000..f5c0a1af --- /dev/null +++ b/src/etc/iked/pubkeys/ufqdn/neo@ca.telecomlobby.com @@ -0,0 +1,9 @@ +-----BEGIN PUBLIC KEY----- +MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu+Kx0GzhOwejOeZTm0E8 +jUoYBEtMshlxp63RBjt3B3r0zp+VAe8YuH11ycUq3ZYF523TSu9iQpZyOoE0lsv6 +b9YAGGT3FT2LjCQDSY6/JbaMXP/iQf11cYACktlekC24uhYmMHkArFeC83Au7jmi +sMAIB0Cl5OarPV0DGe9ocukoYunA0rfQqfU6QRl6tKS3eGm3C/o+5p6thPNpBABi +W2/x3bWf8Q41GfI0XgYfbozb6Wtilm+Vr2TbyziJAnEv92/VjViDv9iYrc/lvtAm +vmDdW8z5CC3gIgR60Q3YW+RXheEKdVuyHcVsboQetLtdtiv1pfolxYVkRGORwfLh +jQIDAQAB +-----END PUBLIC KEY----- diff --git a/src/etc/iked/pubkeys/ufqdn/saraswati@ca.telecomlobby.com b/src/etc/iked/pubkeys/ufqdn/saraswati@ca.telecomlobby.com new file mode 100644 index 00000000..eede1c13 --- /dev/null +++ b/src/etc/iked/pubkeys/ufqdn/saraswati@ca.telecomlobby.com 
@@ -0,0 +1,9 @@ +-----BEGIN PUBLIC KEY----- +MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAx4T/28bKmqsFVZdc50hM +X4tUF6pwCsNs0eOX7S7k7vhMWW8Gw8X6IUQmWH0hzvxe/Ie9qdarMpRgknX/nEB5 +KitIc+NKbHl/N0wU+Qa5v2pb/vlA3lGwZb50mwJ0ULvA4nYiVPq5OuMdUdFdbzkM +3TESz+pA/qZYUzI79JqZu+Kd5txsQqQ4iffRJfEFaMmjXK+1lO94vBLnrIGGrDLy +skKwkx9ntnw1CRCOUMhXwUpvma3du4/wnzjBNEZBFcwIawp/NlbFKRTpKEd0zoKq +yQk51eMnsM2/PCL4ZEzsiPGh5EvkrF3HYcu+m9UbW3V8Hh7rxCoAM37QwfkEdvZE +dQIDAQAB +-----END PUBLIC KEY----- diff --git a/src/etc/iked/pubkeys/ufqdn/shiva@ca.telecomlobby.com b/src/etc/iked/pubkeys/ufqdn/shiva@ca.telecomlobby.com new file mode 100644 index 00000000..e30b77ef --- /dev/null +++ b/src/etc/iked/pubkeys/ufqdn/shiva@ca.telecomlobby.com @@ -0,0 +1,9 @@ +-----BEGIN PUBLIC KEY----- +MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0kSelCwnNbBZ+FO5gnyF +qLKgmREQ2062aoqTmH3FrvEMV4NrLDY2SxVPz1BPlxCjuvzDi47HFpDh1/Q56N13 +4tHoRxn3e4g7FQFe0CcaDu3xUsm6vHsuRKxieHFfSENEa9f0/ZaOUM5kQtuN59R1 +U1sH085yed9g2MzWNDSag22gAzgdrLjLv6eL2V69QGfCwcvKTGxyFUeUkpOOQicI +ro6S7VOzINi2cl3A3B+Xed02FB29vsRUFNqpuYlw7p8Xrh88nWYeqGcq0xc8nkQ2 +tj7xyfJYor+H+81ssH2Dp98/dvHDrqHb5f+1/LmdNApn7CSHSsuh8D437MSnoZ9G +LQIDAQAB +-----END PUBLIC KEY----- diff --git a/src/etc/iked/pubkeys/ufqdn/uma@ca.telecomlobby.com b/src/etc/iked/pubkeys/ufqdn/uma@ca.telecomlobby.com new file mode 100644 index 00000000..f74aea36 --- /dev/null +++ b/src/etc/iked/pubkeys/ufqdn/uma@ca.telecomlobby.com @@ -0,0 +1,9 @@ +-----BEGIN PUBLIC KEY----- +MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArq1WqHI24Q2rtgCdJOsP +/pvi7JCWlqHuwUmQuUZH/XAv6ZMlcenacqZAj2qN7P+8eCIzonp61HGnDbkeV2ZF +zNW7Ri3DS7ZXf8FDvvQnDwJw15xW3F49KLXNhWfi80lJfKQKvigAIvKjtqrAQQrt +B5p49sJIp7VubxP5JIXjnqcSFeYk9MKxTlB8pQsfDuJx4ozvu+2Zfj93fFysSA2A +y25k4OZhFZs8ga98os2g3cEdO3v/3xQoUoA+O/vYNHX/gy+xK5Vzty8oYSom9cp8 +Pxm5wijQYjR+kKAh3fnxu4vQ+vyZ3ZPQS8YGAK4UAzZgxjY/6pWK3cNNIU+RELFq +IwIDAQAB +-----END PUBLIC KEY----- 
diff --git a/src/etc/iked/pubkeys/ufqdn/vishnu@ca.telecomlobby.com b/src/etc/iked/pubkeys/ufqdn/vishnu@ca.telecomlobby.com new file mode 100644 index 00000000..522ffd25 --- /dev/null +++ b/src/etc/iked/pubkeys/ufqdn/vishnu@ca.telecomlobby.com @@ -0,0 +1,9 @@ +-----BEGIN PUBLIC KEY----- +MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnlt2ZkvyYtZytKerjlBV +NC+cwIL8xBkQQCqAVBVr34fdM44U2bTj00YDbCQZxslOf46VU3irX0vX+fIlUSYM +oD7EnNARURODEABDmqh5Qj+SeraxfYk7PrE9Hs/OQ4mti5f1gIY7cjrF+Vi03fOS +PZeJ8YyxjfQnlWrtLGkXSMHkqrbKv+pXk8YyLjerRiwjscCEDOBAeDJgM4s2SWf0 +a/2Gua/nzp+oOg+m3iJOfRpmfRh/ieLSjb5qKbxu5ytRKyi0/vkoh8fAOrBb8h+p +w8oHL1j0ulFo8mITXJ58NN/glVVcF/Hw39wfIgtw/0SnBrvZuQdxzJmqCMMjsoeM +QwIDAQAB +-----END PUBLIC KEY----- diff --git a/src/etc/mygate b/src/etc/mygate new file mode 100644 index 00000000..5023f03d --- /dev/null +++ b/src/etc/mygate @@ -0,0 +1 @@ +/ROUTEV4/ diff --git a/src/etc/myname b/src/etc/myname index 7ba194ef..e9b32017 100644 --- a/src/etc/myname +++ b/src/etc/myname @@ -1 +1 @@ -ganesha.telecom.lobby +/HOSTNAME/./LANDOMAINNAME/ diff --git a/src/etc/ospfd.conf b/src/etc/ospfd.conf index 33b8ebc2..cc08fd1d 100644 --- a/src/etc/ospfd.conf +++ b/src/etc/ospfd.conf 
@@ -1,67 +1,27 @@ -# $OpenBSD: ospfd.conf,v 1.2 2018/08/07 07:06:20 claudio Exp $ +# $OpenBSD: ospfd.conf router-id "/ROUTERID/" no redistribute connected +no redistribute rtlabel gre # areas area 0.0.0.0 { - interface gre0 { + interface gre/X/ { type p2p auth-type crypt - auth-md 1 "oRcEZMsomYfaMHv" + auth-md 1 "/OSPFMD5/" auth-md-keyid 1 - metric 13 + metric /METRIC/ auth-md-keyid 1 router-dead-time 40 hello-interval 10 retransmit-interval 5 transmit-delay 1 } - interface gre1 { - type p2p - auth-type crypt - auth-md 1 "8nnQgl8H5ygb4PA" - auth-md-keyid 1 - metric 17 - auth-md-keyid 1 - router-dead-time 40 - hello-interval 10 - retransmit-interval 5 - transmit-delay 1 - } - interface gre2 { - type p2p - auth-type crypt - auth-md 1 "kbduTVvkfdfqoyJ" - auth-md-keyid 1 - metric 62 - auth-md-keyid 1 - router-dead-time 40 - hello-interval 10 - retransmit-interval 5 - transmit-delay 1 - } - interface gre3 { - type p2p - auth-type crypt - auth-md 1 "voNbLgsqOoKnnjX" - auth-md-keyid 1 - metric 132 - auth-md-keyid 1 - router-dead-time 40 - hello-interval 10 - retransmit-interval 5 - transmit-delay 1 - - } interface vether0 { metric 1 passive } - interface wg0 { - metric 1 - passive - } -} + diff --git a/src/etc/pf.conf b/src/etc/pf.conf index 543f75ea..9f0a9c69 100644 --- a/src/etc/pf.conf +++ b/src/etc/pf.conf @@ -21,11 +21,12 @@ #OPTIONS set block-policy drop -set skip on {lo0, enc0} +set skip on lo0 set block-policy drop set loginterface egress set loginterface gre set loginterface vether +set loginterface enc #VARIABLES ext_if="vio0" @@ -37,6 +38,9 @@ table const persist counters file "/etc/pf.conf.table.locals" table const persist counters file "/etc/pf.conf.table.ipsec" table const persist counters file "/etc/pf.conf.table.reserved" table const persist counters file "/etc/pf.conf.table.nsd" +table const persist counters file "/etc/pf.conf.table.unbound" +table const persist counters file "/etc/pf.conf.table.cdn" + table persist const {224.0.0.5, 224.0.0.6} 
@@ -44,11 +48,11 @@ table persist table persist #DEFAULT POLICY -block in log +block log block quick log from block quick log from block log proto {tcp,udp} user _iperfd -pass out + pass quick on $ext_if to $ext_if:broadcast 
@@ -58,23 +62,36 @@ pass quick on $ext_if to $ext_if:broadcast #NAT -match out on $ext_if from to ! received-on gre nat-to $pub +match out on $ext_if from to ! received-on gre nat-to $pub tag /LANDOMAINNAME/ #match out on $ext_if from wg:network to ! nat-to $ext_if #INGRESS -pass in on $ext_if inet6 proto icmp6 icmp6-type { routeradv neighbrsol neighbradv } -pass in on $ext_if proto icmp from any to $pub icmp-type echoreq -pass in on $ext_if proto icmp6 from any to $pub_v6 icmp6-type echoreq +#PUB + +#routeradv 134 +#neighbrsol 135 +#neighbradv 136 +#echoreq 128 + +pass in on $ext_if inet6 proto icmp6 icmp6-type { 128, 133, 134, 135, 136 } +pass in on $ext_if proto icmp from any to $pub icmp-type echoreq +pass in on $ext_if proto tcp from to $pub port { ssh, 31137 } modulate state pass in on $ext_if proto tcp from any to $pub port { smtp, smtps } modulate state (max-src-conn 2, max-src-conn-rate 8/30, overload ) pass in on $ext_if proto tcp from any to $pub_v6 port { smtp, smtps } modulate state (max-src-conn 2, max-src-conn-rate 8/30, overload ) pass in on $ext_if proto tcp from any to { $pub , $pub_v6 } port auth modulate state -pass in on $ext_if proto {tcp udp} from any to { $pub , $pub_v6 } port domain modulate state -pass in on $ext_if proto tcp from any to { $pub , $pub_v6 } port {www, https} modulate state -pass in on $ext_if proto udp from any to { $pub , $pub_v6 } port 65131 modulate state +pass in on $ext_if proto {tcp udp} from any to { $pub , $pub_v6 } port domain +pass in on $ext_if proto tcp from any to { $pub , $pub_v6 } port {www, https} modulate state +pass in on $ext_if proto udp from any to { $pub , $pub_v6 } port 65131 pass in on $ext_if proto udp from to $pub port {isakmp, ipsec-nat-t} pass in on $ext_if proto esp from to $pub +#ENC + +#include "/etc/pf.conf.macro.enc.in" + +pass quick on enc proto gre + #GRE pass in quick on gre from to ! 
@@ -82,18 +99,23 @@ pass in on gre proto gre no state pass in on gre proto icmp from to gre icmp-type echoreq pass in on gre proto ospf pass in on gre proto icmp from to vether0 icmp-type echoreq -pass in on gre proto tcp from to vether0 port {ftp, ssh, http, imaps, 31337} +pass in on gre inet proto icmp from to icmp-type echoreq +pass in on gre inet proto tcp from to port ssh modulate state +pass in on gre proto tcp from to vether0 port {ftp, ssh, http, imaps, 31337} modulate state +pass in on gre proto udp from to 172.16.17.106 port {domain, ntp} +pass in on gre proto tcp from to 172.16.17.106 port http modulate state pass in on gre proto udp from to vether0 port 5353 user _tor modulate state pass in on gre proto tcp from to vether0 port \ {9900, 9901, 9902, 9903, 9904, 9905, 9906, 9007, 9008, 9009, 9010, 9011, 9012, 9013, 9050} user _tor modulate state pass in on gre proto tcp from to vether0 port {http, submission} modulate state +pass in on gre proto tcp from to port http modulate state pass in on gre proto tcp from to vether0 port 5001 user _iperfd modulate state -pass in on nsd proto {tcp, udp} from nsd:peer to port domain modulate state +pass in on nsd proto {tcp, udp} from nsd:peer to nsd port domain #VETHER -pass in on vether0 proto icmp from to vether0 icmp-type echoreq modulate state +pass in on vether0 proto icmp from to vether0 icmp-type echoreq pass in on vether0 proto tcp from to vether0 port {ftp, ssh, http, submission, imaps, 31337} modulate state -pass in on vether0 proto udp from to vether0 port 5353 user _tor modulate state +pass in on vether0 proto udp from to vether0 port 5353 user _tor pass in on vether0 proto tcp from to vether0 port \ {9900, 9901, 9902, 9903, 9904, 9905, 9906, 9007, 9008, 9009, 9010, 9011, 9012, 9013, 9050} user _tor modulate state pass in on vether0 proto tcp from to vether0 port {http, submission} modulate state 
@@ -101,5 +123,48 @@ pass in on vether0 proto tcp from to vether0 port 5001 user _iperfd mod #OUTGRESS -block out log quick on $ext_if proto gre from $pub to -block out log quick on gre from gre to + +#PUB + +pass out quick on $ext_if tagged /LANDOMAINNAME/ +pass out quick on $ext_if inet6 proto icmp6 icmp6-type { 128, 133, 134, 135, 136 } +pass out quick on $ext_if proto icmp from $pub to any icmp-type echoreq +pass out quick on $ext_if proto tcp from $pub to port {ssh, 31137} modulate state +pass out quick on $ext_if proto tcp from $pub to any port { smtp, smtps } modulate state +pass out quick on $ext_if proto tcp from $pub_v6 to any port { smtp, smtps } modulate state +pass out quick on $ext_if proto {tcp, udp} from $pub to 8.8.8.8 port domain +pass out quick on $ext_if proto tcp from $pub to any port https user _rspamd modulate state +pass out quick on $ext_if proto tcp from $pub_v6 to any port https user _rspamd modulate state +pass out quick on $ext_if proto tcp from $pub to any port {http, https} modulate state +pass out quick on $ext_if proto {tcp, udp} from $pub to port domain-s +pass out quick on $ext_if proto {tcp, udp} from $pub_v6 to port domain-s +pass out quick on $ext_if proto {tcp, udp} from $pub port domain user _unbound +pass out quick on $ext_if proto {tcp, udp} from $pub to port domain user _nsd +pass out quick on $ext_if proto {tcp, udp} from $pub_v6 to port domain user _nsd +pass out quick on $ext_if proto tcp from $pub to port {http, https} modulate state +pass out quick on $ext_if proto tcp from $pub_v6 to port {http, https} modulate state +pass out quick on $ext_if proto udp from $pub to port {isakmp, ipsec-nat-t} +pass out quick on $ext_if proto esp from $pub to + +#ENC + +#include "/etc/pf.conf.macro.enc.out" + +pass out quick on enc proto gre + +#VETHER + +pass out quick on vether0 proto ospf + +#GRE + +pass out quick on gre proto udp from gre to 172.16.17.106 port {domain, ntp} +pass out quick on gre proto udp from to 172.16.17.106 
port {domain, ntp} +pass out quick on gre proto tcp from to 172.16.17.106 port http modulate state +pass out quick on gre proto tcp from gre to 172.16.17.106 port http +pass out on gre proto gre no state +pass out quick on gre proto ospf +pass out quick on gre proto icmp from gre to icmp-type echoreq +pass out quick on gre inet proto icmp from to icmp-type echoreq +pass out quick on gre inet proto tcp from to port {ssh, http} modulate state +pass out quick on nsd proto {tcp, udp} from nsd to nsd:peer port domain diff --git a/src/etc/pf.conf.macro.enc.in b/src/etc/pf.conf.macro.enc.in new file mode 100644 index 00000000..ecbd2836 --- /dev/null +++ b/src/etc/pf.conf.macro.enc.in @@ -0,0 +1 @@ +pass in quick on enc proto gre from /IPTAGGED/ to $pub tagged /TAGGED/ diff --git a/src/etc/pf.conf.macro.enc.out b/src/etc/pf.conf.macro.enc.out new file mode 100644 index 00000000..4fc1a79b --- /dev/null +++ b/src/etc/pf.conf.macro.enc.out @@ -0,0 +1 @@ +pass out quick on enc proto gre from $pub to /IPTAGGED/ tagged /TAGGED/ diff --git a/src/etc/pf.conf.macro.public b/src/etc/pf.conf.macro.public index d1f07ee6..bb7c375f 100644 --- a/src/etc/pf.conf.macro.public +++ b/src/etc/pf.conf.macro.public @@ -1,5 +1,5 @@ -pub="78.141.201.0" -pub_v6="2001:19f0:7401:8c01:5400:2ff:fe79:3b4d" +pub="/PUBLICIP/" +pub_v6="/PUBV6///PREFIX/" diff --git a/src/etc/pf.conf.table.cdn b/src/etc/pf.conf.table.cdn new file mode 100644 index 00000000..79c82cdc --- /dev/null +++ b/src/etc/pf.conf.table.cdn @@ -0,0 +1,14 @@ +# /sbin/pfctl -t cdn -T kill -f /etc/pf.conf.table.cdn +# /sbin/pfctl -t cdn -T add -f /etc/pf.conf.table.cdn +# /sbin/pfctl -t cdn -T show +# + +151.101.130.217 +151.101.194.217 +151.101.2.217 +151.101.66.217 +2a04:4e42:600::729 +2a04:4e42::729 +2a04:4e42:200::729 +2a04:4e42:400::729 + diff --git a/src/etc/pf.conf.table.ipsec b/src/etc/pf.conf.table.ipsec index 23b0f810..9efa909f 100644 --- a/src/etc/pf.conf.table.ipsec +++ b/src/etc/pf.conf.table.ipsec 
@@ -1,7 +1,5 @@ -# /sbin/pfctl -t ipsec -T replace -f /etc/pf.conf.table.ipsec +# /sbin/pfctl -t ipsec -T kill -f /etc/pf.conf.table.ipsec +# /sbin/pfctl -t ipsec -T add -f /etc/pf.conf.table.ipsec +# /sbin/pfctl -t ipsec -T show # -fr.telecomlobby.com -uk.telecomlobby.com -us.telecomlobby.com -jp.telecomlobby.com -cat-01.telecomlobby.com + diff --git a/src/etc/pf.conf.table.locals b/src/etc/pf.conf.table.locals index 09986a11..c65bcf6e 100644 --- a/src/etc/pf.conf.table.locals +++ b/src/etc/pf.conf.table.locals @@ -1,3 +1,11 @@ -# /sbin/pfctl -t locals -T replace -f /etc/pf.conf.table.locals +# /sbin/pfctl -t locals -T kill -f /etc/pf.conf.table.locals +# /sbin/pfctl -t locals -T add -f /etc/pf.conf.table.locals +# /sbin/pfctl -t locals -T show # +# +172.16.19.0/24 +172.16.17.0/24 +172.16.18.0/24 +10.10.10.0/24 +192.168.13.0/24 diff --git a/src/etc/pf.conf.table.nsd b/src/etc/pf.conf.table.nsd index b184f549..b7799f8b 100644 --- a/src/etc/pf.conf.table.nsd +++ b/src/etc/pf.conf.table.nsd @@ -1,4 +1,35 @@ -# /sbin/pfctl -t nsd -T replace -f /etc/pf.conf.table.nsd -# -10.10.10.116/32 -10.10.10.226/32 +# /sbin/pfctl -t nsd -T kill -f /etc/pf.conf.table.nsd +# /sbin/pfctl -t nsd -T add -f /etc/pf.conf.table.nsd +# /sbin/pfctl -t nsd -T show + +194.69.254.2 +108.61.224.67 +116.203.6.3 +107.191.99.111 +185.22.172.112 +103.6.87.125 +192.184.93.99 +119.252.20.56 +31.220.30.73 +185.34.136.178 +185.136.176.247 +45.77.29.133 +116.203.0.64 +167.88.161.228 +199.195.249.208 +104.244.78.122 +2001:19f0:6400:8642::3 +2a01:4f8:1c0c:8115::3 +2604:180:2:4cf::3 +2a00:1838:20:2::cd5e:68e9 +2403:2500:4000::f3e +2604:180:1:92a::3 +2401:1400:1:1201::1:7853:1a5 +2a04:bdc7:100:1b::3 +2a00:dcc7:d3ff:88b2::1 +2a06:fdc0:fade:2f7::1 +2001:19f0:7001:381::3 +2a01:4f8:1c0c:8122::3 +2605:6400:20:d5e::3 +2605:6400:10:65::3 +2605:6400:30:fd6e::3 diff --git a/src/etc/pf.conf.table.reserved b/src/etc/pf.conf.table.reserved index 70963887..56435aab 100644 --- a/src/etc/pf.conf.table.reserved 
+++ b/src/etc/pf.conf.table.reserved @@ -1,4 +1,6 @@ -# /sbin/pfctl -t reserved -T replace -f /etc/pf.conf.table.reserved +# /sbin/pfctl -t reserved -T kill -f /etc/pf.conf.table.reserved +# /sbin/pfctl -t reserved -T add -f /etc/pf.conf.table.reserved +# /sbin/pfctl -t reserved -T show # # https://www.iana.org/assignments/iana-ipv4-special-registry/ 0.0.0.0/8 diff --git a/src/etc/pf.conf.table.unbound b/src/etc/pf.conf.table.unbound new file mode 100644 index 00000000..51e83d1f --- /dev/null +++ b/src/etc/pf.conf.table.unbound @@ -0,0 +1,17 @@ +# /sbin/pfctl -t unbound -T kill -f /etc/pf.conf.table.unbound +# /sbin/pfctl -t unbound -T add -f /etc/pf.conf.table.unbound +# /sbin/pfctl -t unbound -T show +# + +2606:4700:4700::1111 # CloudFlare primary +2606:4700:4700::1001 # CloudFlare secondary +2620:fe::fe # Quad9 primary +2620:fe::9 # Quad9 secondary +2001:4860:4860::8888 # Google primary +2001:4860:4860::8844 # Google secondary +1.1.1.1 # CloudFlare primary +1.0.0.1 # CloudFlare secondary +9.9.9.9 # Quad9 primary +149.112.112.112 # Quad9 secondary +8.8.8.8 # Google primary +8.8.4.4 # Google secondary diff --git a/src/etc/pf.conf.table.users b/src/etc/pf.conf.table.users index 26c1d51f..0f040f9d 100644 --- a/src/etc/pf.conf.table.users +++ b/src/etc/pf.conf.table.users @@ -1,3 +1,10 @@ -# /sbin/pfctl -t users -T replace -f /etc/pf.conf.table.users +# /sbin/pfctl -t users -T kill -f /etc/pf.conf.table.users +# /sbin/pfctl -t users -T add -f /etc/pf.conf.table.users +# /sbin/pfctl -t users -T show # +172.16.19.0/24 +172.16.16.0/24 +172.16.18.0/24 +172.16.17.106/32 +140.82.54.216/32 diff --git a/src/etc/powerdns/powerdns.conf b/src/etc/powerdns/powerdns.conf new file mode 100644 index 00000000..71493044 --- /dev/null +++ b/src/etc/powerdns/powerdns.conf 
@@ -0,0 +1,688 @@ +## OpenBSD package configuration sample for various backends. +## See /usr/local/share/doc/powerdns for database schemas. + +setuid=_powerdns + +# MySQL +#launch=gmysql +#gmysql-host=127.0.0.1 +#gmysql-dbname=powerdns +#gmysql-user=powerdns +#gmysql-password=powerdns + +# PostgreSQL +#launch=gpgsql +#gpgsql-host=127.0.0.1 +#gpgsql-dbname=powerdns +#gpgsql-user=powerdns +#gpgsql-password=powerdns + +# SQLite 3 +launch=gsqlite3 +gsqlite3-database=/var/powerdns/powerdns.sqlite +gsqlite3-dnssec=/var/powerdns/powerdnssec.sqlite + +# BIND zone files +#launch=bind +#bind-config=/var/named/etc/named.conf + + +## Upstream's standard configuration sample: + +# Autogenerated configuration file template +################################# +# 8bit-dns Allow 8bit dns queries +# +# 8bit-dns=no + +################################# +# allow-axfr-ips Allow zonetransfers only to these subnets +# +# allow-axfr-ips=127.0.0.0/8,::1 +# disallow all IPs, except those explicitly allowed by domainmetadata records +# https://doc.powerdns.com/authoritative/domainmetadata.html#allow-axfr-from + +################################# +# allow-dnsupdate-from A global setting to allow DNS updates from these IP ranges. +# +# allow-dnsupdate-from=127.0.0.0/8,::1 +allow-dnsupdate-from= + +################################# +# allow-notify-from Allow AXFR NOTIFY from these IP ranges. If empty, drop all incoming notifies. 
+# +# allow-notify-from=0.0.0.0/0,::/0 +allow-notify-from=127.0.0.0/8,::1 + +################################# +# allow-unsigned-notify Allow unsigned notifications for TSIG secured domains +# +# allow-unsigned-notify=yes +allow-unsigned-notify=no + +################################# +# allow-unsigned-supermaster Allow supermasters to create zones without TSIG signed NOTIFY +# +# allow-unsigned-supermaster=yes +allow-unsigned-supermaster=no + +################################# +# also-notify When notifying a domain, also notify these nameservers +# +# also-notify= +also-notify=127.0.0.1:10053, [::1]:10053 + +################################# +# any-to-tcp Answer ANY queries with tc=1, shunting to TCP +# +# any-to-tcp=yes + +################################# +# api Enable/disable the REST API (including HTTP listener) +# +# api=no + +################################# +# api-key Static pre-shared authentication key for access to the REST API +# +# api-key= + +################################# +# api-logfile Location of the server logfile (used by the REST API) +# +# api-logfile=/var/log/powerdns.log + +################################# +# api-readonly Disallow data modification through the REST API when set +# +# api-readonly=no + +################################# +# axfr-lower-serial Also AXFR a zone from a master with a lower serial +# +# axfr-lower-serial=no + +################################# +# cache-ttl Seconds to store packets in the PacketCache +# +# cache-ttl=20 + +################################# +# carbon-interval Number of seconds between carbon (graphite) updates +# +# carbon-interval=30 + +################################# +# carbon-ourname If set, overrides our reported hostname for carbon stats +# +# carbon-ourname= + +################################# +# carbon-server If set, send metrics in carbon (graphite) format to this server IP address +# +# carbon-server= + +################################# +# chroot If set, chroot to this directory for 
more security +# +# chroot= + +################################# +# config-dir Location of configuration directory (powerdns.conf) +# +config-dir=/etc/powerdns + +################################# +# config-name Name of this virtual configuration - will rename the binary image +# +# config-name= + +################################# +# control-console Debugging switch - don't use +# +# control-console=no + +################################# +# daemon Operate as a daemon +# +# daemon=no + +################################# +# default-ksk-algorithm Default KSK algorithm +# +# default-ksk-algorithm=ecdsa256 + +################################# +# default-ksk-size Default KSK size (0 means default) +# +# default-ksk-size=0 + +################################# +# default-soa-edit Default SOA-EDIT value +# +# default-soa-edit= +default-soa-edit=INCREMENT-WEEKS + +################################# +# default-soa-edit-signed Default SOA-EDIT value for signed zones +# +# default-soa-edit-signed= +default-soa-edit-signed=INCREMENT-WEEKS + +################################# +# default-soa-mail mail address to insert in the SOA record if none set in the backend +# +# default-soa-mail= +default-soa-mail=hostmaster@telecomlobby.com + +################################# +# default-soa-name name to insert in the SOA record if none set in the backend +# +# default-soa-name=a.misconfigured.powerdns.server +default-soa-name=13.ns.telecomlobby.com + +################################# +# default-ttl Seconds a result is valid if not set otherwise +# +# default-ttl=3600 +default-ttl=86400 + +################################# +# default-zsk-algorithm Default ZSK algorithm +# +# default-zsk-algorithm= + +################################# +# default-zsk-size Default ZSK size (0 means default) +# +# default-zsk-size=0 + +################################# +# direct-dnskey Fetch DNSKEY RRs from backend during DNSKEY synthesis +# +# direct-dnskey=no + +################################# +# 
disable-axfr Disable zonetransfers but do allow TCP queries +# +# disable-axfr=no + +################################# +# disable-axfr-rectify Disable the rectify step during an outgoing AXFR. Only required for regression testing. +# +# disable-axfr-rectify=no + +################################# +# disable-syslog Disable logging to syslog, useful when running inside a supervisor that logs stdout +# +# disable-syslog=no + +################################# +# disable-tcp Do not listen to TCP queries +# +# disable-tcp=no + +################################# +# distributor-threads Default number of Distributor (backend) threads to start +# +# distributor-threads=3 + +################################# +# dname-processing If we should support DNAME records +# +# dname-processing=no + +################################# +# dnssec-key-cache-ttl Seconds to cache DNSSEC keys from the database +# +# dnssec-key-cache-ttl=30 + +################################# +# dnsupdate Enable/Disable DNS update (RFC2136) support. Default is no. +# +# dnsupdate=no +dnsupdate=yes + +################################# +# do-ipv6-additional-processing Do AAAA additional processing +# +# do-ipv6-additional-processing=yes + +################################# +# domain-metadata-cache-ttl Seconds to cache domain metadata from the database +# +# domain-metadata-cache-ttl=60 + +################################# +# edns-subnet-processing If we should act on EDNS Subnet options +# +# edns-subnet-processing=no + +################################# +# entropy-source If set, read entropy from this file +# +# entropy-source=/dev/urandom + +################################# +# expand-alias Expand ALIAS records +# +# expand-alias=no + +################################# +# forward-dnsupdate A global setting to allow DNS update packages that are for a Slave domain, to be forwarded to the master. 
+# +# forward-dnsupdate=yes + +################################# +# forward-notify IP addresses to forward received notifications to regardless of master or slave settings +# +# forward-notify= + +################################# +# guardian Run within a guardian process +# +# guardian=no + +################################# +# include-dir Include *.conf files from this directory +# +# include-dir= + +################################# +# launch Which backends to launch and order to query them in +# +# launch= + +################################# +# load-modules Load this module - supply absolute or relative path +# +# load-modules= + +################################# +# local-address Local IP addresses to which we bind +# +# local-address=0.0.0.0 +local-address=127.0.0.1 + +################################# +# local-address-nonexist-fail Fail to start if one or more of the local-address's do not exist on this server +# +# local-address-nonexist-fail=yes + +################################# +# local-ipv6 Local IP address to which we bind +# +# local-ipv6=:: +local-ipv6=::1 + +################################# +# local-ipv6-nonexist-fail Fail to start if one or more of the local-ipv6 addresses do not exist on this server +# +# local-ipv6-nonexist-fail=yes + +################################# +# local-port The port on which we listen +# +# local-port=53 +local-port=20053 + +################################# +# log-dns-details If powerdns should log DNS non-erroneous details +# +# log-dns-details=no +log-dns-details=yes + +################################# +# log-dns-queries If powerdns should log all incoming DNS queries +# +# log-dns-queries=no +log-dns-queries=yes + +################################# +# log-timestamp Print timestamps in log lines +# +# log-timestamp=yes + +################################# +# logging-facility Log under a specific facility +# +# logging-facility= + +################################# +# loglevel Amount of logging. Higher is more. 
Do not set below 3 +# +# loglevel=4 + +################################# +# lua-axfr-script Script to be used to edit incoming AXFRs +# +# lua-axfr-script= + +################################# +# lua-dnsupdate-policy-script Lua script with DNS update policy handler +# +# lua-dnsupdate-policy-script= + +################################# +# lua-prequery-script Lua script with prequery handler (DO NOT USE) +# +# lua-prequery-script= + +################################# +# master Act as a master +# +# master=no +master=yes + +################################# +# max-cache-entries Maximum number of entries in the query cache +# +# max-cache-entries=1000000 + +################################# +# max-ent-entries Maximum number of empty non-terminals in a zone +# +# max-ent-entries=100000 + +################################# +# max-nsec3-iterations Limit the number of NSEC3 hash iterations +# +# max-nsec3-iterations=500 + +################################# +# max-packet-cache-entries Maximum number of entries in the packet cache +# +# max-packet-cache-entries=1000000 + +################################# +# max-queue-length Maximum queuelength before considering situation lost +# +# max-queue-length=5000 + +################################# +# max-signature-cache-entries Maximum number of signatures cache entries +# +# max-signature-cache-entries= + +################################# +# max-tcp-connection-duration Maximum time in seconds that a TCP DNS connection is allowed to stay open. 
+# +# max-tcp-connection-duration=0 + +################################# +# max-tcp-connections Maximum number of TCP connections +# +# max-tcp-connections=20 + +################################# +# max-tcp-connections-per-client Maximum number of simultaneous TCP connections per client +# +# max-tcp-connections-per-client=0 + +################################# +# max-tcp-transactions-per-conn Maximum number of subsequent queries per TCP connection +# +# max-tcp-transactions-per-conn=0 + +################################# +# module-dir Default directory for modules +# +# module-dir=/usr/local/lib/powerdns + +################################# +# negquery-cache-ttl Seconds to store negative query results in the QueryCache +# +# negquery-cache-ttl=60 + +################################# +# no-shuffle Set this to prevent random shuffling of answers - for regression testing +# +# no-shuffle=off + +################################# +# non-local-bind Enable binding to non-local addresses by using FREEBIND / BINDANY socket options +# +# non-local-bind=no + +################################# +# only-notify Only send AXFR NOTIFY to these IP addresses or netmasks +# +# only-notify=0.0.0.0/0,::/0 +# disable default notifications: only-notify=0.0.0.0/32,::/128 +only-notify= + +################################# +# out-of-zone-additional-processing Do out of zone additional processing +# +# out-of-zone-additional-processing=yes + +################################# +# outgoing-axfr-expand-alias Expand ALIAS records during outgoing AXFR +# +# outgoing-axfr-expand-alias=no +outgoing-axfr-expand-alias=yes + +################################# +# overload-queue-length Maximum queuelength moving to packetcache only +# +# overload-queue-length=0 + +################################# +# prevent-self-notification Don't send notifications to what we think is ourself +# +# prevent-self-notification=yes + +################################# +# query-cache-ttl Seconds to store query results in 
the QueryCache +# +# query-cache-ttl=20 + +################################# +# query-local-address Source IP address for sending queries +# +# query-local-address=0.0.0.0 + +################################# +# query-local-address6 Source IPv6 address for sending queries +# +# query-local-address6=:: + +################################# +# query-logging Hint backends that queries should be logged +# +# query-logging=no + +################################# +# queue-limit Maximum number of milliseconds to queue a query +# +# queue-limit=1500 + +################################# +# receiver-threads Default number of receiver threads to start +# +# receiver-threads=1 + +################################# +# resolver Use this resolver for ALIAS and the internal stub resolver +# +# resolver=no +resolver=[::1]:53 + +################################# +# retrieval-threads Number of AXFR-retrieval threads for slave operation +# +# retrieval-threads=2 + +################################# +# reuseport Enable higher performance on compliant kernels by using SO_REUSEPORT allowing each receiver thread to open its own socket +# +# reuseport=no + +################################# +# security-poll-suffix Domain name from which to query security update notifications +# +# security-poll-suffix=secpoll.powerdns.com. 
+security-poll-suffix= + +################################# +# server-id Returned when queried for 'id.server' TXT or NSID, defaults to hostname - disabled or custom +# +# server-id= + +################################# +# setgid If set, change group id to this gid for more security +# +# setgid= + +################################# +# setuid If set, change user id to this uid for more security +# +# setuid= + +################################# +# signing-threads Default number of signer threads to start +# +# signing-threads=3 + +################################# +# slave Act as a slave +# +# slave=no +#slave=yes + +################################# +# slave-cycle-interval Schedule slave freshness checks once every .. seconds +# +# slave-cycle-interval=60 + +################################# +# slave-renotify If we should send out notifications for slaved updates +# +# slave-renotify=no + +################################# +# soa-expire-default Default SOA expire +# +# soa-expire-default=604800 + +################################# +# soa-minimum-ttl Default SOA minimum ttl +# +# soa-minimum-ttl=3600 +soa-minimum-ttl=86400 + +################################# +# soa-refresh-default Default SOA refresh +# +# soa-refresh-default=10800 +soa-refresh-default=28800 + +################################# +# soa-retry-default Default SOA retry +# +# soa-retry-default=3600 +soa-retry-default=7200 + +################################# +# socket-dir Where the controlsocket will live, /var/run when unset and not chrooted +# +# socket-dir= + +################################# +# superslave Act as a superslave +# +# superslave=yes + +################################# +# tcp-control-address If set, PowerDNS can be controlled over TCP on this address +# +# tcp-control-address= + +################################# +# tcp-control-port If set, PowerDNS can be controlled over TCP on this address +# +# tcp-control-port=53000 + +################################# +# tcp-control-range If 
set, remote control of PowerDNS is possible over these networks only +# +# tcp-control-range=127.0.0.0/8, 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, ::1/128, fe80::/10 + +################################# +# tcp-control-secret If set, PowerDNS can be controlled over TCP after passing this secret +# +# tcp-control-secret= + +################################# +# tcp-fast-open Enable TCP Fast Open support on the listening sockets, using the supplied numerical value as the queue size +# +# tcp-fast-open=0 + +################################# +# tcp-idle-timeout Maximum time in seconds that a TCP DNS connection is allowed to stay open while being idle +# +# tcp-idle-timeout=5 + +################################# +# traceback-handler Enable the traceback handler (Linux only) +# +# traceback-handler=yes + +################################# +# trusted-notification-proxy IP address of incoming notification proxy +# +# trusted-notification-proxy= + +################################# +# udp-truncation-threshold Maximum UDP response size before we truncate +# +# udp-truncation-threshold=1680 + +################################# +# version-string PowerDNS version in packets - full, anonymous, powerdns or custom +# +# version-string=full +version-string=31137 + +################################# +# webserver Start a webserver for monitoring (api=yes also enables the HTTP listener) +# +# webserver=no + +################################# +# webserver-address IP Address of webserver/API to listen on +# +# webserver-address=127.0.0.1 + +################################# +# webserver-allow-from Webserver/API access is only allowed from these subnets +# +# webserver-allow-from=127.0.0.1,::1 + +################################# +# webserver-password Password required for accessing the webserver +# +# webserver-password= + +################################# +# webserver-port Port of webserver/API to listen on +# +# webserver-port=8081 + +################################# +# 
webserver-print-arguments If the webserver should print arguments +# +# webserver-print-arguments=no + +################################# +# write-pid Write a PID file +# +# write-pid=yes + +################################# +# xfr-max-received-mbytes Maximum number of megabytes received from an incoming XFR +# +# xfr-max-received-mbytes=100 +xfr-max-received-mbytes=1 + + diff --git a/src/etc/rc b/src/etc/rc new file mode 100644 index 00000000..ae059465 --- /dev/null +++ b/src/etc/rc 
@@ -0,0 +1,629 @@ +# $OpenBSD: rc,v 1.549 2021/03/13 21:11:56 deraadt Exp $ + +# System startup script run by init on autoboot or after single-user. +# Output and error are redirected to console by init, and the console is the +# controlling terminal. + +# Turn off Strict Bourne shell. +set +o sh + +# Subroutines (have to come first). + +# Strip in- and whole-line comments from a file. +# Strip leading and trailing whitespace if IFS is set. +# Usage: stripcom /path/to/file +stripcom() { + local _file=$1 _line + + [[ -s $_file ]] || return + + while read _line ; do + _line=${_line%%#*} + [[ -n $_line ]] && print -r -- "$_line" + done <$_file +} + +# Update resource limits based on login.conf settings. +# Usage: update_limit -flag capability +update_limit() { + local _flag=$1 # ulimit flag + local _cap=$2 _val # login.conf capability and its value + local _suffix + + for _suffix in {,-max,-cur}; do + _val=$(getcap -f /etc/login.conf -s ${_cap}${_suffix} daemon 2>/dev/null) + [[ -n $_val ]] || continue + [[ $_val == infinity ]] && _val=unlimited + + case $_suffix in + -cur) ulimit -S $_flag $_val + ;; + -max) ulimit -H $_flag $_val + ;; + *) ulimit $_flag $_val + return + ;; + esac + done +} + +# Apply sysctl.conf(5) settings. +sysctl_conf() { + # do not use a pipe as limits would only be applied to the subshell + set -- $(stripcom /etc/sysctl.conf) + while [[ $# > 0 ]] ; do + sysctl "$1" + + case "$1" in + kern.maxproc=*) + update_limit -p maxproc + ;; + kern.maxfiles=*) + update_limit -n openfiles + ;; + esac + shift + done +} + +# Apply mixerctl.conf(5) settings. +mixerctl_conf() { + stripcom /etc/mixerctl.conf | + while read _line; do + mixerctl -q "$_line" 2>/dev/null + done +} + +# Apply wsconsctl.conf(5) settings. 
+wsconsctl_conf() { + [[ -x /sbin/wsconsctl ]] || return + + stripcom /etc/wsconsctl.conf | + while read _line; do + eval "wsconsctl $_line" + done +} + +# Push the old seed into the kernel, create a future seed and create a seed +# file for the boot-loader. +random_seed() { + dd if=/var/db/host.random of=/dev/random bs=65536 count=1 status=none + chmod 600 /var/db/host.random + dd if=/dev/random of=/var/db/host.random bs=65536 count=1 status=none + dd if=/dev/random of=/etc/random.seed bs=512 count=1 status=none + chmod 600 /etc/random.seed +} + +# Populate net.inet.(tcp|udp).baddynamic with the contents of /etc/services so +# as to avoid randomly allocating source ports that correspond to well-known +# services. +# Usage: fill_baddynamic tcp|udp +fill_baddynamic() { + local _service=$1 + local _sysctl="net.inet.${_service}.baddynamic" + + stripcom /etc/services | + { + _ban= + while IFS=" /" read _name _port _srv _junk; do + [[ $_srv == $_service ]] || continue + + _ban="${_ban:+$_ban,}+$_port" + + # Flush before argv gets too long + if ((${#_ban} > 1024)); then + sysctl -q "$_sysctl=$_ban" + _ban= + fi + done + [[ -n $_ban ]] && sysctl -q "$_sysctl=$_ban" + } +} + +# Start daemon using the rc.d daemon control scripts. +# Usage: start_daemon daemon1 daemon2 daemon3 +start_daemon() { + local _daemon + + for _daemon; do + eval "_do=\${${_daemon}_flags}" + [[ $_do != NO ]] && /etc/rc.d/${_daemon} start + done +} + +# Generate keys for isakmpd, iked and sshd if they don't exist yet. +make_keys() { + local _isakmpd_key=/etc/isakmpd/private/local.key + local _isakmpd_pub=/etc/isakmpd/local.pub + local _iked_key=/etc/iked/private/local.key + local _iked_pub=/etc/iked/local.pub + + if [[ ! -f $_isakmpd_key ]]; then + echo -n "openssl: generating isakmpd/iked RSA keys... " + if openssl genrsa -out $_isakmpd_key 2048 >/dev/null 2>&1 && + chmod 600 $_isakmpd_key && + openssl rsa -out $_isakmpd_pub -in $_isakmpd_key \ + -pubout >/dev/null 2>&1; then + echo done. 
+ else + echo failed. + fi + fi + + if [[ ! -f $_iked_key ]]; then + # Just copy the generated isakmpd key + cp $_isakmpd_key $_iked_key + chmod 600 $_iked_key + cp $_isakmpd_pub $_iked_pub + fi + + ssh-keygen -A + + if [[ ! -f /etc/soii.key ]]; then + openssl rand -hex 16 > /etc/soii.key && + chmod 600 /etc/soii.key && sysctl -q \ + "net.inet6.ip6.soiikey=$(&1 | tee /dev/tty | + mail -Es "$(hostname) rc.$_suffix output" root >/dev/null + fi + rm -f /etc/rc.$_suffix.run +} + +# Check filesystems, optionally by using a fsck(8) flag. +# Usage: do_fsck [-flag] +do_fsck() { + fsck -p "$@" + case $? in + 0) ;; + 2) exit 1 + ;; + 4) echo "Rebooting..." + reboot + echo "Reboot failed; help!" + exit 1 + ;; + 8) echo "Automatic file system check failed; help!" + exit 1 + ;; + 12) echo "Boot interrupted." + exit 1 + ;; + 130) # Interrupt before catcher installed. + exit 1 + ;; + *) echo "Unknown error; help!" + exit 1 + ;; + esac +} + +# End subroutines. + +stty status '^T' + +# Set shell to ignore SIGINT (2), but not children; shell catches SIGQUIT (3) +# and returns to single user after fsck. +trap : 2 +trap : 3 # Shouldn't be needed. + +export HOME=/ +export INRC=1 +export PATH=/sbin:/bin:/usr/sbin:/usr/bin + +# /etc/myname contains my symbolic name. +if [[ -f /etc/myname ]]; then + hostname "$(stripcom /etc/myname)" +fi + +# Must set the domainname before rc.conf, so YP startup choices can be made. +if [[ -s /etc/defaultdomain ]]; then + domainname "$(stripcom /etc/defaultdomain)" +fi + +# Get local functions from rc.subr to load rc.conf into scope. +FUNCS_ONLY=1 . 
/etc/rc.d/rc.subr +_rc_parse_conf + +# If executed with the 'shutdown' parameter by the halt, reboot or shutdown: +# - update seed files +# - execute the rc.d scripts specified by $pkg_scripts in reverse order +# - bring carp interfaces down gracefully +if [[ $1 == shutdown ]]; then + if echo 2>/dev/null >>/var/db/host.random || + echo 2>/dev/null >>/etc/random.seed; then + random_seed + else + echo warning: cannot write random seed to disk + fi + + # If we are in secure level 0, assume single user mode. + if (($(sysctl -n kern.securelevel) == 0)); then + echo 'single user: not running shutdown scripts' + else + set -A _d -- $pkg_scripts + _i=${#_d[*]} + if ((_i)); then + echo -n 'stopping package daemons:' + while ((--_i >= 0)); do + [[ -x /etc/rc.d/${_d[_i]} ]] && + /etc/rc.d/${_d[_i]} stop + done + echo '.' + fi + + if /etc/rc.d/vmd check > /dev/null; then + echo -n 'stopping VMs' + /etc/rc.d/vmd stop > /dev/null + echo '.' + fi + + [[ -f /etc/rc.shutdown ]] && sh /etc/rc.shutdown + fi + + ifconfig | while read _if _junk; do + [[ $_if == carp+([0-9]): ]] && ifconfig ${_if%:} down + done + + exit 0 +fi + +# If bootblocks failed to give us random, try to cause some churn +(dmesg; sysctl hw.{uuid,serialno,sensors} ) >/dev/random 2>&1 + +# Add swap block-devices. +swapctl -A -t blk + +# Run filesystem check unless a /fastboot file exists. +if [[ -e /fastboot ]]; then + echo "Fast boot: skipping disk checks." +elif [[ $1 == autoboot ]]; then + echo "Automatic boot in progress: starting file system checks." + do_fsck +fi + +# From now on, allow user to interrupt (^C) the boot process. +trap "echo 'Boot interrupted.'; exit 1" 3 + +# Unmount all filesystems except root. +umount -a >/dev/null 2>&1 + +# Mount all filesystems except those of type NFS and VND. +mount -a -t nonfs,vnd + +# Re-mount the root filesystem read/writeable. (root on nfs requires this, +# others aren't hurt.) 
+mount -uw / +chmod og-rwx /bsd +ln -fh /bsd /bsd.booted + +rm -f /fastboot + +# Set flags on ttys. +ttyflags -a + +# Set keyboard encoding. +if [[ -x /sbin/kbd && -s /etc/kbdtype ]]; then + kbd "$(/dev/null 2>&1; then + RULES="$RULES + pass out inet6 proto icmp6 all icmp6-type neighbrsol + pass in inet6 proto icmp6 all icmp6-type neighbradv + pass out inet6 proto icmp6 all icmp6-type routersol + pass in inet6 proto icmp6 all icmp6-type routeradv + pass out inet6 proto udp from any port dhcpv6-client to any port dhcpv6-server + pass in inet6 proto udp from any port dhcpv6-server to any port dhcpv6-client" + fi + + RULES="$RULES + pass in proto carp keep state (no-sync) + pass out proto carp !received-on any keep state (no-sync)" + + if (($(sysctl -n vfs.mounts.nfs 2>/dev/null)+0 > 0)); then + # Don't kill NFS. + RULES="set reassemble yes no-df + $RULES + pass in proto { tcp, udp } from any port { sunrpc, nfsd } to any + pass out proto { tcp, udp } from any to any port { sunrpc, nfsd } !received-on any" + fi + + print -- "$RULES" | pfctl -f - + pfctl -e +fi + +fill_baddynamic udp +fill_baddynamic tcp + +sysctl_conf + +start_daemon slaacd >/dev/null 2>&1 + +echo 'starting network' + +# Set carp interlock by increasing the demotion counter. +# Prevents carp from preempting until the system is booted. +ifconfig -g carp carpdemote 128 + +sh /etc/netstart + +mount -s /usr >/dev/null 2>&1 +mount -s /var >/dev/null 2>&1 + +start_daemon dhcpleased unwind resolvd >/dev/null 2>&1 + +# Load pf rules and bring up pfsync interface. +if [[ $pf != NO ]]; then + if [[ -f /etc/pf.conf ]]; then + pfctl -f /etc/pf.conf + fi + if [[ -f /etc/hostname.pfsync0 ]]; then + sh /etc/netstart pfsync0 + fi +fi + +random_seed + +reorder_libs + +# Clean up left-over files. +rm -f /etc/nologin /var/spool/lock/LCK.* +(cd /var/run && { rm -rf -- *; install -c -m 664 -g utmp /dev/null utmp; }) +(cd /var/authpf && rm -rf -- *) + +# Save a copy of the boot messages. 
+dmesg >/var/run/dmesg.boot + +make_keys + +echo -n 'starting early daemons:' +start_daemon syslogd ldattach pflogd nsd unbound +start_daemon iscsid isakmpd iked sasyncd ldapd npppd ntpd +echo '.' + +# Load IPsec rules. +if [[ $ipsec != NO && -f /etc/ipsec.conf ]]; then + ipsecctl -f /etc/ipsec.conf +fi + +echo -n 'starting RPC daemons:' +start_daemon portmap ypldap +rm -f /var/run/ypbind.lock +if [[ -n $(domainname) ]]; then + start_daemon ypserv ypbind +fi +start_daemon mountd nfsd lockd statd amd +echo '.' + +# Check and mount remaining file systems and enable additional swap. +mount -a +swapctl -A -t noblk +do_fsck -N +mount -a -N + +# Build kvm(3) and /dev databases. +kvm_mkdb +dev_mkdb + +# /var/crash should be a directory or a symbolic link to the crash directory +# if core dumps are to be saved. +if [[ -d /var/crash ]]; then + savecore $savecore_flags /var/crash +fi + +# Store ACPI tables in /var/db/acpi to be used by sendbug(1). +if [[ -x /usr/sbin/acpidump ]]; then + acpidump -q -o /var/db/acpi/ +fi + +if [[ $check_quotas == YES ]]; then + echo -n 'checking quotas:' + quotacheck -a + echo ' done.' + quotaon -a +fi + +# Set proper permission for the tty device files. +chmod 666 /dev/tty[pqrstuvwxyzPQRST]* +chown root:wheel /dev/tty[pqrstuvwxyzPQRST]* + +# Check for the password temp/lock file. +if [[ -f /etc/ptmp ]]; then + logger -s -p auth.err \ + 'password file may be incorrect -- /etc/ptmp exists' +fi + +echo clearing /tmp + +# Prune quickly with one rm, then use find to clean up /tmp/[lqv]* +# (not needed with mfs /tmp, but doesn't hurt there...). +(cd /tmp && rm -rf [a-km-pr-uw-zA-Z]*) +(cd /tmp && + find . -maxdepth 1 ! -name . ! -name lost+found ! -name quota.user \ + ! -name quota.group ! -name vi.recover -execdir rm -rf -- {} \;) + +# Create Unix sockets directories for X if needed and make sure they have +# correct permissions. 
+[[ -d /usr/X11R6/lib ]] && mkdir -m 1777 /tmp/.{X11,ICE}-unix + +[[ -f /etc/rc.securelevel ]] && sh /etc/rc.securelevel + +# rc.securelevel did not specifically set -1 or 2, so select the default: 1. +(($(sysctl -n kern.securelevel) == 0)) && sysctl kern.securelevel=1 + + +# Patch /etc/motd. +if [[ ! -f /etc/motd ]]; then + install -c -o root -g wheel -m 664 /dev/null /etc/motd +fi +if T=$(mktemp /tmp/_motd.XXXXXXXXXX); then + sysctl -n kern.version | sed 1q >$T + sed -n '/^$/,$p' >$T + cmp -s $T /etc/motd || cp $T /etc/motd + rm -f $T +fi + +if [[ $accounting == YES ]]; then + [[ ! -f /var/account/acct ]] && touch /var/account/acct + echo 'turning on accounting' + accton /var/account/acct +fi + +if [[ -x /sbin/ldconfig ]]; then + echo 'creating runtime link editor directory cache.' + [[ -d /usr/local/lib ]] && shlib_dirs="/usr/local/lib $shlib_dirs" + [[ -d /usr/X11R6/lib ]] && shlib_dirs="/usr/X11R6/lib $shlib_dirs" + ldconfig $shlib_dirs +fi + +echo 'preserving editor files.'; /usr/libexec/vi.recover + +# If rc.sysmerge exists, run it just once, and make sure it is deleted. +run_upgrade_script sysmerge + +echo -n 'starting network daemons:' +start_daemon ldomd sshd switchd snmpd ldpd ripd ospfd ospf6d bgpd ifstated +start_daemon relayd dhcpd dhcrelay mrouted dvmrpd radiusd eigrpd route6d +start_daemon rad hostapd lpd smtpd slowcgi httpd ftpd +start_daemon ftpproxy ftpproxy6 tftpd tftpproxy identd inetd rarpd bootparamd +start_daemon rbootd mopd vmd spamd spamlogd sndiod +echo '.' + +# If rc.firsttime exists, run it just once, and make sure it is deleted. +run_upgrade_script firsttime + +# Run rc.d(8) scripts from packages. +if [[ -n $pkg_scripts ]]; then + echo -n 'starting package daemons:' + for _daemon in $pkg_scripts; do + if [[ -x /etc/rc.d/$_daemon ]]; then + start_daemon $_daemon + else + echo -n " ${_daemon}(absent)" + fi + done + echo '.' +fi + +[[ -f /etc/rc.local ]] && sh /etc/rc.local + +# Disable carp interlock. 
+ifconfig -g carp -carpdemote 128 + +mixerctl_conf + +echo -n 'starting local daemons:' +start_daemon apmd sensorsd hotplugd watchdogd cron wsmoused xenodm +echo '.' + +# Re-link the kernel, placing the objects in a random order. +# Replace current with relinked kernel and inform root about it. +/usr/libexec/reorder_kernel & + +date +exit 0 + diff --git a/src/etc/rc.local b/src/etc/rc.local index fc30e8a9..915ace0a 100644 --- a/src/etc/rc.local +++ b/src/etc/rc.local @@ -1,6 +1,6 @@ if [ -x /usr/local/sbin/oidentd ]; then echo -n ' oidentd'; /usr/local/sbin/oidentd -m fi -doas -u _iperfd /usr/local/bin/iperf \ - -s -B /ROUTERID/ \ - -D -N +#doas -u _iperfd /usr/local/bin/iperf \ +# -s -B /ROUTERID/ \ +# -D -N diff --git a/src/etc/relayd.conf b/src/etc/relayd.conf new file mode 100644 index 00000000..1b8bedee --- /dev/null +++ b/src/etc/relayd.conf @@ -0,0 +1,47 @@ +# $OpenBSD: relayd.conf,v 1.5 2018/05/06 20:56:55 benno Exp $ + +# Macros + +ext_ip1="/PUBLICIP/" +ext_ip2="/PUBV6/" + +table { 127.0.0.1, ::1 } + +# Global Options + +log connection errors + + +# Redirections + +redirect "http" { + listen on $ext_ip1 port http + listen on $ext_ip2 port http + forward to check tcp +} + +# Relays + +http protocol "https" { + match request header append "X-Forwarded-For" value "$REMOTE_ADDR" + match request header append "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT" + match request header set "Connection" value "close" + tcp { sack, backlog 128 } + tls ciphers "HIGH:!AES128:!kRSA:!aNULL" + tls ecdhe "P-384,P-256,X25519" + tls keypair /PUBLICHOST/ +} + +# a relay for each IP + +relay "https" { + listen on $ext_ip1 port https tls + protocol "https" + forward to check tcp +} + +relay "https2" { + listen on $ext_ip2 port https tls + protocol "https" + forward to check tcp +} diff --git a/src/etc/resolv.conf b/src/etc/resolv.conf new file mode 100644 index 00000000..463f159a --- /dev/null +++ b/src/etc/resolv.conf 
@@ -0,0 +1,6 @@ +search telecom.lobby +nameserver 127.0.0.1 +nameserver ::1 +lookup bind +domain telecom.lobby + diff --git a/src/etc/ssh/authorized_keys b/src/etc/ssh/authorized_keys new file mode 100644 index 00000000..6f187b3b --- /dev/null +++ b/src/etc/ssh/authorized_keys @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKG4yMhKX37SXV8LGDuVe4r1PBSS5HOWb6jFpNiG3cvW taglio@telecom.lobby diff --git a/src/etc/ssh/remote_install/authorized_keys b/src/etc/ssh/remote_install/authorized_keys new file mode 100644 index 00000000..8cb135c9 --- /dev/null +++ b/src/etc/ssh/remote_install/authorized_keys @@ -0,0 +1,3 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILIk5CAm5Rpc9p27lB/L58XYzG/W0LuwMwuCa+ayw3x6 root@varuna.telecom.lobby +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEI6SwgCvmkyVb3FMcBj3RRgcLf0aT98iRK2NUX/yfci root@durga.telecom.lobby +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAKnHnn1f56ldXLc9z0QjswEZ3/n1VAmEDfQlwLUtlPg root@vishnu.telecom.lobby diff --git a/src/etc/ssh/remote_install/rc.local b/src/etc/ssh/remote_install/rc.local new file mode 100644 index 00000000..87238f67 --- /dev/null +++ b/src/etc/ssh/remote_install/rc.local @@ -0,0 +1,4 @@ +if [ -e /etc/ssh/remote_install/remote_install.conf ]; then + echo -n 'sshd remote install'; /usr/sbin/sshd -f /etc/ssh/remote_install/remote_install.conf +fi + diff --git a/src/etc/ssh/remote_install/remote_install.conf b/src/etc/ssh/remote_install/remote_install.conf new file mode 100644 index 00000000..d09af840 --- /dev/null +++ b/src/etc/ssh/remote_install/remote_install.conf 
@@ -0,0 +1,26 @@ +Port 31137 +ListenAddress /PUBLICIP/ +PidFile /var/run/sshd-remote-install.pid + +LoginGraceTime 10s +PermitRootLogin prohibit-password +MaxSessions 1 +ClientAliveCountMax 1 + +AllowTcpForwarding no +PasswordAuthentication no +PermitTunnel no +PrintMotd no +PubkeyAuthentication yes +X11Forwarding no + +IgnoreUserKnownHosts yes + +AuthorizedKeysFile /etc/ssh/remote_install/authorized_keys +AuthorizedKeysCommand /usr/local/sbin/remote-install %f +AuthorizedKeysCommandUser root + +Match User root + ForceCommand "/usr/local/sbin/remote-install" + + diff --git a/src/etc/ssh/ssh_config b/src/etc/ssh/ssh_config index 6506c308..d757025b 100644 --- a/src/etc/ssh/ssh_config +++ b/src/etc/ssh/ssh_config @@ -1,9 +1,6 @@ -Host * - IdentityFile ~/.ssh/id_ed25519 - SendEnv LANG LC_* - HashKnownHosts no - GSSAPIAuthentication yes - VerifyHostKeyDNS ask - VisualHostKey yes +Host *.telecomlobby.com + IdentityFile /root/.ssh/id_ed25519 + User root + diff --git a/src/etc/ssh/ssh_known_hosts b/src/etc/ssh/ssh_known_hosts index 9b854626..43ffc8e3 100644 --- a/src/etc/ssh/ssh_known_hosts +++ b/src/etc/ssh/ssh_known_hosts 
@@ -1,6 +1,11 @@ -[78.141.201.0,192.168.13.44] ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIc88kX2C37lxPzgG3flLXx4Ev6LMIbSxPDpz5wOWevx -[139.180.206.19,192.168.13.81] ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMpQ//kBuiaafaxAuZ8Moupz4wcyi2Ujk6t3HthHetjd -[155.138.247.27,192.168.13.1] ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKugDXoBFKt69t3O97KHh4yEKEBZ6PMW+iLs40aRjN2A -[/DYNDNS/,192.168.13.34] ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICSuwjxabSlvjU/KDBkrXSI2gv6tzq2GjLNJTBg5tipF -[45.32.144.15,192.168.13.33] ssh-rsa AAAAB3NzaC1yc2EAAAABAwAAAQEAyNOyJ6t8eL22ghZsnzHz9rHraOgj8twhipGKO5A7mhX4xaKYhrAtNwN3wUOswKwbjirPmtwcsmrYDgTZO37XHIoN6VF3aeWwa4kKbl1dJo7mt66jtuhCSmlzqfTI8cF4qkr3jm6DHYjyKYpf5HxYagOqBP8LM6BSqt/N/oHXm5/MzuYRSVEy+bdsRNUeO8n78ITngRUYCZsu+UXsILotcINBZi36qWYgnzYnnQiDXLztojVK3NwmhCKye434IZOycBJ+zQ9g+XS/8osJTaG7ti6HDBKs6ImdFkasWwgrWYgD+QtvftOjtv97RIQstXh9Sj9toC/Oia3VMG3fHGjCYQ== - +# uk.telecomlobby.com:31137 SSH-2.0-OpenSSH_8.6 +[uk.telecomlobby.com]:31137 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC/UYjK2pmrppk8Kbn+lelXc8yC/U2Bd0yzAfFBY9Lc9 +# jp.telecomlobby.com:31137 SSH-2.0-OpenSSH_8.6 +[jp.telecomlobby.com]:31137 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC+nwDg//wQ2MPXe3+BZoNDfqIRvPJuWghipYWSVRb5R +# us.telecomlobby.com:31137 SSH-2.0-OpenSSH_8.6 +[us.telecomlobby.com]:31137 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKugDXoBFKt69t3O97KHh4yEKEBZ6PMW+iLs40aRjN2A +[bg.telecomlobby.com]:31137 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPh1lOsfMa9EtuLiqkDEPuXDuk2QFGcPNZUguNPx6eue +[bg.telecomlobby.com]:31137 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILIk5CAm5Rpc9p27lB/L58XYzG/W0LuwMwuCa+ayw3x6 +# de.telecomlobby.com:31137 SSH-2.0-OpenSSH_8.6 +# de.telecomlobby.com:31137 SSH-2.0-OpenSSH_8.6 +[de.telecomlobby.com]:31137 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILIO2zqC8dmWWNyfj0Ml7AbCYrrZGDG8p6NM1Hd86rVJ diff --git a/src/etc/ssh/sshd_public b/src/etc/ssh/sshd_public new file mode 100644 index 00000000..b2ea1eef --- /dev/null +++ b/src/etc/ssh/sshd_public 
@@ -0,0 +1,9 @@ +ListenAddress ::1 +ListenAddress /PUBLICIP/ +HostKey /etc/ssh/ssh_host_ed25519_key +PermitRootLogin no +PubkeyAuthentication yes +AuthorizedKeysFile /etc/ssh/authorized_keys +PasswordAuthentication no +UseDNS yes +Subsystem sftp /usr/libexec/sftp-server diff --git a/src/etc/sysctl.conf b/src/etc/sysctl.conf index dc88875c..d2ac42e4 100644 --- a/src/etc/sysctl.conf +++ b/src/etc/sysctl.conf @@ -4,3 +4,6 @@ net.inet6.ip6.forwarding=1 net.inet.ipcomp.enable=1 net.inet.gre.allow=1 net.inet6.ip6.multipath=1 +ddb.panic=0 +kern.splassert=2 + diff --git a/src/etc/template.config b/src/etc/template.config new file mode 100644 index 00000000..413e7ef3 --- /dev/null +++ b/src/etc/template.config @@ -0,0 +1,20 @@ +static#1 +ipv6ctrl#? +ipv6egress#? +ipv6prefix#? +ipv6defrouter#? +installurl#1 +shell#1 +users#1 +hostname#? +landomainname#? +routerid#? +basic#1 +unbound#1 +ssh#1 +ipsec#1 +gre#1 +pf#1 +ospf#1 +remote#1 + diff --git a/src/home/taglio/.kshrc b/src/home/taglio/.kshrc index ecd5b472..2c17a837 100644 --- a/src/home/taglio/.kshrc +++ b/src/home/taglio/.kshrc @@ -10,7 +10,6 @@ PATH=$HOME/Bin:/bin:/sbin:/usr/bin:/usr/sbin:/usr/X11R6/bin:/usr/local/bin:/usr/ PROMPT='$USER@$HOST:$PWD'"$PS1S" PS1=$PROMPT EDITOR=nano -TZ=Europe/Madrid CVSROOT=anoncvs@anoncvs.spacehopper.org:/cvs FTPMODE=passive GPG_TTY=$(tty) diff --git a/src/home/taglio/.profile b/src/home/taglio/.profile index 01744c30..1e5b93c3 100644 --- a/src/home/taglio/.profile +++ b/src/home/taglio/.profile @@ -3,6 +3,6 @@ # sh/ksh initialization dmesg | head -n 4 uptime -#ospfctl sh nei +ospfctl sh nei /usr/games/fortune -a export ENV=$HOME/.kshrc diff --git a/src/mikrotik/firewall.rsc b/src/mikrotik/firewall.rsc new file mode 100644 index 00000000..ccef4531 --- /dev/null +++ b/src/mikrotik/firewall.rsc 
@@ -0,0 +1,13 @@ +/ip fire filter remove [/ip fire filter find comment=LAST] + +/ip firewall filter + +add action=accept chain=input protocol=ospf in-interface=[/interface get [/interface gre find where comment="/HOSTNAME/"] name]; +add action=accept chain=input dst-port=22 protocol=tcp src-address-list=lan in-interface=[/interface get [/interface gre find where comment="/HOSTNAME/"] name]; +add action=drop chain=input comment=LAST log-prefix="debug drop input" + +/ip firewall mangle + +add action=change-mss chain=postrouting ipsec-policy=out,ipsec new-mss=1300 passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=!1300-1300 out-interface=[/interface get [/interface gre find where comment="/HOSTNAME/"] name]; + + diff --git a/src/mikrotik/gre.rsc b/src/mikrotik/gre.rsc new file mode 100644 index 00000000..b0448db7 --- /dev/null +++ b/src/mikrotik/gre.rsc @@ -0,0 +1,7 @@ +#Mikrotik POP GRE template site to site OpenBSD + +/interface gre +add comment=/HOSTNAME/ keepalive=5s,2 local-address=45.32.144.15 mtu=1392 remote-address=/PUBLICIP/ + +/ip address +add address=/GREPOPIP//30 interface=[/interface get [/interface gre find where comment="/HOSTNAME/"] name]; diff --git a/src/mikrotik/ipsec.rsc b/src/mikrotik/ipsec.rsc new file mode 100644 index 00000000..0d03b9a7 --- /dev/null +++ b/src/mikrotik/ipsec.rsc @@ -0,0 +1,12 @@ +#Mikrotik POP VPN template site to site OpenBSD + +/ip ipsec peer +add address=/PUBLICIP//32 exchange-mode=ike2 local-address=/POPIP/ name=/HOSTNAME/_ikev2_cert passive=yes profile=NSA-RECOMMENDED + +/ip ipsec identity +add auth-method=digital-signature certificate=/POP/ match-by=certificate peer=/HOSTNAME/_ikev2_cert policy-template-group=group_ikev2_cert remote-certificate=/PUBLICHOST/ remote-id=user-fqdn:/SRCID/@ca./DOMAINNAME/ + +/ip ipsec policy + +add dst-address=/PUBLICIP//32 peer=/HOSTNAME/_ikev2_cert proposal=NSA protocol=gre src-address=/POPIP//32 + 
diff --git a/src/mikrotik/ospfd.rsc b/src/mikrotik/ospfd.rsc new file mode 100644 index 00000000..0e1cca71 --- /dev/null +++ b/src/mikrotik/ospfd.rsc @@ -0,0 +1,5 @@ +/routing ospf interface +add authentication=md5 authentication-key=/OSPFMD5/ comment=/POPHOSTNAME/-/PUBLICHOSTNAME/ cost=/METRIC/ interface=[/interface get [/interface gre find where comment="/HOSTNAME/"] name] network-type=point-to-point +/routing ospf network +add area=backbone network=/GRENETWORK//30 + diff --git a/src/openbsd/hostname.enc.openbsd b/src/openbsd/hostname.enc.openbsd new file mode 100644 index 00000000..8a8d5f24 --- /dev/null +++ b/src/openbsd/hostname.enc.openbsd @@ -0,0 +1,2 @@ +description "/PUBLICHOST/" +up diff --git a/src/openbsd/hostname.gre.openbsd b/src/openbsd/hostname.gre.openbsd new file mode 100644 index 00000000..29b7f72c --- /dev/null +++ b/src/openbsd/hostname.gre.openbsd @@ -0,0 +1,7 @@ +description "/PUBLICHOST/" +keepalive 5 2 +mtu 1392 +rtlabel gre +!ifconfig gre/X/ /GREPOPIP/ /GRELOCALIP/ netmask 0xfffffffc up +!ifconfig gre/X/ tunnel /POPIP/ /PUBLICIP/ + diff --git a/src/openbsd/iked.conf.openbsd b/src/openbsd/iked.conf.openbsd new file mode 100644 index 00000000..b226bc97 --- /dev/null +++ b/src/openbsd/iked.conf.openbsd @@ -0,0 +1,9 @@ +ikev2 "/PUBLICHOST/" /TYPE/ transport \ + proto gre \ + from /POPIP/ to /PUBLICIP/ \ + local /POP/ peer /PUBLICHOST/ \ + ikesa prf hmac-sha2-512 enc aes-256-gcm-12 group brainpool512 \ + childsa enc chacha20-poly1305 group curve25519 \ + srcid "/POPID/@ca./DOMAINNAME/" \ + ikelifetime 86400 lifetime 3600 \ + tag /PUBLICHOST/ tap enc/X/ diff --git a/src/openbsd/ospfd.conf.openbsd b/src/openbsd/ospfd.conf.openbsd new file mode 100644 index 00000000..51195b02 --- /dev/null +++ b/src/openbsd/ospfd.conf.openbsd 
@@ -0,0 +1,12 @@ + interface gre/X/ { + type p2p + auth-type crypt + auth-md 1 "/OSPFMD5/" + auth-md-keyid 1 + metric /METRIC/ + auth-md-keyid 1 + router-dead-time 40 + hello-interval 10 + retransmit-interval 5 + transmit-delay 1 + } diff --git a/src/openbsd/pf.conf.fintemp.openbsd b/src/openbsd/pf.conf.fintemp.openbsd new file mode 100644 index 00000000..00035ed6 --- /dev/null +++ b/src/openbsd/pf.conf.fintemp.openbsd @@ -0,0 +1,5 @@ +#GRE + +pass out quick on gre proto udp from gre to 172.16.17.106 port {domain, ntp} modulate state +pass out quick on gre proto ospf keep state + diff --git a/src/openbsd/pf.conf.openbsd b/src/openbsd/pf.conf.openbsd new file mode 100644 index 00000000..437ea9ea --- /dev/null +++ b/src/openbsd/pf.conf.openbsd @@ -0,0 +1,2 @@ +pass in quick on enc proto gre from /IPTAGGED/ to $pub tagged /TAGGED/ +pass out quick on enc proto gre from $pub to /IPTAGGED/ tagged /TAGGED/ diff --git a/src/root/Bin/change_endpoint.sh b/src/root/Bin/change_endpoint.sh index f2107810..1670e9fb 100755 --- a/src/root/Bin/change_endpoint.sh +++ b/src/root/Bin/change_endpoint.sh @@ -4,12 +4,16 @@ NEWIP=$(dig +short @8.8.8.8 cat-01.hopto.org) OLDIP=$(ifconfig $1 | grep tunnel | cut -d ' ' -f5) echo "updating PF" -sed -i 's/$OLDIP/$NEWIP/g' /etc/pf.conf +sed -i "s/$OLDIP/$NEWIP/g" /etc/pf.conf.table.ipsec pfctl -f /etc/pf.conf echo "updating IKED" -sed -i 's/$OLDIP/$NEWIP/g' /etc/iked.conf -ipsecctl -f /etc/iked.conf +sed -i "s/$OLDIP/$NEWIP/g" /etc/iked.conf.$2 +rcctl restart iked echo "updating GRE" -sed -i 's/$OLDIP/$NEWIP/g' /etc/hostname.$1 +sed -i "s/$OLDIP/$NEWIP/g" /etc/hostname.$1 ifconfig $1 destroy sh /etc/netstart $1 +nohup rcctl restart ospfd & +exit + + diff --git a/src/root/Bin/pf_disable.sh b/src/root/Bin/pf_disable.sh new file mode 100644 index 00000000..b5012e2d --- /dev/null +++ b/src/root/Bin/pf_disable.sh @@ -0,0 +1,3 @@ +#!/bin/ksh + +pfctl -d 
diff --git a/src/root/Bin/pf_enable.sh b/src/root/Bin/pf_enable.sh new file mode 100644 index 00000000..9a10cba4 --- /dev/null +++ b/src/root/Bin/pf_enable.sh @@ -0,0 +1,3 @@ +#!/bin/ksh + +pfctl -e diff --git a/src/root/Bin/pf_show_rules.sh b/src/root/Bin/pf_show_rules.sh new file mode 100755 index 00000000..67e5ea8e --- /dev/null +++ b/src/root/Bin/pf_show_rules.sh @@ -0,0 +1,3 @@ +#!/bin/ksh + +pfctl -sr -vv diff --git a/src/usr/local/sbin/remote-install b/src/usr/local/sbin/remote-install new file mode 100644 index 00000000..4d5644f2 --- /dev/null +++ b/src/usr/local/sbin/remote-install 
@@ -0,0 +1,60 @@ +#!/bin/ksh + +ipconnected=$(cat /var/log/authlog | grep Accepted | tail -n 1| awk '{print $11}') +hostconnected=$(dig -x $ipconnected +short @8.8.8.8 | sed 's/.$//') +egressinterface=$(ifconfig egress | cut -d : -f1 | head -n1) +publicip=$(ifconfig $egressinterface | grep inet |grep -v inet6 | cut -d ' ' -f2) +publicnetmask=$(ifconfig $egressinterface | grep inet | grep -v inet6 | awk '{print $4}') +publicbcast=$(ifconfig $egressinterface | grep inet | grep -v inet6 | awk '{print $6}') +publichost=$(dig -x $publicip +short @8.8.8.8 | sed 's/.$//') +domainname=$(print $publichost | sed 's/^[^.]*.//') +defaultv4router=$(route -n show | awk '/default/{print $2}' | head -n 1) +macdefaultv4router=$(arp -an | grep $defaultv4router | awk '{print $2}') +tmpdir=$(mktemp -d) + +cd $tmpdir +wget "http://$hostconnected/$publichost.tar" +wget "http://$hostconnected/$publichost.sha256" +logger "$0: update downloaded from $hostconnected" +tarsha256=$(sha256 "$publichost.tar" | awk '{print $4}') +if [ "$tarsha256" == $(cat "$publichost.sha256") ]; then + tar xvf "$publichost.tar" + cd "$publichost" + install -o root -g wheel -m 0640 hostname.gre? /etc/ + install -o root -g wheel -m 0640 hostname.enc? 
/etc/ + srcid=$(cat iked.conf.$hostconnected | grep srcid | awk '{print $2}' | sed 's/"//g' | cut -d @ -f1) + sed -i "s/$srcid/$(hostname -s)/" iked.conf.* + vpnc_host=$(ls iked.conf.* | sed 's/iked.conf.//') + if [[ $(grep -c $vpnc_host /etc/iked.conf) -eq 0 ]]; then + echo include \"/etc/iked.conf.$vpnc_host\" >> /etc/iked.conf + fi + #if [[ $(grep -c $vpnc_host /etc/pf.conf.macro.enc.in) -eq 0 ]]; then + # echo "pass in quick on enc proto gre from $ipconnected to \$pub tagged $vpnc_host" >> /etc/pf.conf.macro.enc.in + # pfctl -f /etc/pf.conf + #fi + #if [[ $(grep -c $vpnc_host /etc/pf.conf.macro.enc.out) -eq 0 ]]; then + # echo "pass out quick on enc proto gre from \$pub to $ipconnected tagged $vpnc_host" >> /etc/pf.conf.macro.enc.out + # pfctl -f /etc/pf.conf + #fi + greinterface=$(ls hostname.gre? | sed 's/hostname.//') + encinterface=$(ls hostname.enc? | sed 's/hostname.//') + sh /etc/netstart $greinterface + sh /etc/netstart $encinterface + if [[ $(grep -c $greinterface /etc/ospfd.conf) -ne 1 ]]; then + sed -i '$d' /etc/ospfd.conf + cat ospfd.conf >> /etc/ospfd.conf + echo "}" >> /etc/ospfd.conf + fi + mv iked.conf.* /etc + chown root:wheel /etc/iked.conf.* + chmod go-rwx /etc/iked.conf.* + iked -n + rcctl restart iked + rcctl restart ospfd + +else + logger "$0: sha256 failed from $publichost.tar" +fi + + + diff --git a/src/usr/local/share/geoip/GeoIP.dat.gz b/src/usr/local/share/geoip/GeoIP.dat.gz new file mode 100644 index 00000000..4ad2da62 Binary files /dev/null and b/src/usr/local/share/geoip/GeoIP.dat.gz differ diff --git a/src/usr/local/share/geoip/GeoIPASNum.dat.gz b/src/usr/local/share/geoip/GeoIPASNum.dat.gz new file mode 100644 index 00000000..f0ca199d Binary files /dev/null and b/src/usr/local/share/geoip/GeoIPASNum.dat.gz differ 
diff --git a/src/usr/local/share/geoip/GeoIPASNum2.zip b/src/usr/local/share/geoip/GeoIPASNum2.zip new file mode 100644 index 00000000..d6b19a82 Binary files /dev/null and b/src/usr/local/share/geoip/GeoIPASNum2.zip differ diff --git a/src/usr/local/share/geoip/GeoIPASNum2v6.zip b/src/usr/local/share/geoip/GeoIPASNum2v6.zip new file mode 100644 index 00000000..5f99ab40 Binary files /dev/null and b/src/usr/local/share/geoip/GeoIPASNum2v6.zip differ diff --git a/src/usr/local/share/geoip/GeoIPASNumv6.dat.gz b/src/usr/local/share/geoip/GeoIPASNumv6.dat.gz new file mode 100644 index 00000000..e9e5dff4 Binary files /dev/null and b/src/usr/local/share/geoip/GeoIPASNumv6.dat.gz differ diff --git a/src/usr/local/share/geoip/GeoIPCountryCSV.zip b/src/usr/local/share/geoip/GeoIPCountryCSV.zip new file mode 100644 index 00000000..4d76319f Binary files /dev/null and b/src/usr/local/share/geoip/GeoIPCountryCSV.zip differ diff --git a/src/usr/local/share/geoip/GeoIPv6.csv.gz b/src/usr/local/share/geoip/GeoIPv6.csv.gz new file mode 100644 index 00000000..5d979e21 Binary files /dev/null and b/src/usr/local/share/geoip/GeoIPv6.csv.gz differ diff --git a/src/usr/local/share/geoip/GeoIPv6.dat.gz b/src/usr/local/share/geoip/GeoIPv6.dat.gz new file mode 100644 index 00000000..ef848940 Binary files /dev/null and b/src/usr/local/share/geoip/GeoIPv6.dat.gz differ diff --git a/src/usr/local/share/geoip/GeoLiteCity-latest.zip b/src/usr/local/share/geoip/GeoLiteCity-latest.zip new file mode 100644 index 00000000..7949f7e7 Binary files /dev/null and b/src/usr/local/share/geoip/GeoLiteCity-latest.zip differ diff --git a/src/usr/local/share/geoip/GeoLiteCityv6.csv.gz b/src/usr/local/share/geoip/GeoLiteCityv6.csv.gz new file mode 100644 index 00000000..36453924 Binary files /dev/null and b/src/usr/local/share/geoip/GeoLiteCityv6.csv.gz differ 
diff --git a/src/usr/local/share/geoip/GeoLiteCityv6.dat.gz b/src/usr/local/share/geoip/GeoLiteCityv6.dat.gz new file mode 100644 index 00000000..e8c817fd Binary files /dev/null and b/src/usr/local/share/geoip/GeoLiteCityv6.dat.gz differ diff --git a/src/usr/local/share/geoip/miyuru.lk/ASN/maxmind.dat.gz b/src/usr/local/share/geoip/miyuru.lk/ASN/maxmind.dat.gz new file mode 100644 index 00000000..0494c203 Binary files /dev/null and b/src/usr/local/share/geoip/miyuru.lk/ASN/maxmind.dat.gz differ diff --git a/src/usr/local/share/geoip/miyuru.lk/ASN/maxmind4.dat.gz b/src/usr/local/share/geoip/miyuru.lk/ASN/maxmind4.dat.gz new file mode 100644 index 00000000..06343fc9 Binary files /dev/null and b/src/usr/local/share/geoip/miyuru.lk/ASN/maxmind4.dat.gz differ diff --git a/src/usr/local/share/geoip/miyuru.lk/ASN/maxmind6.dat.gz b/src/usr/local/share/geoip/miyuru.lk/ASN/maxmind6.dat.gz new file mode 100644 index 00000000..d189489c Binary files /dev/null and b/src/usr/local/share/geoip/miyuru.lk/ASN/maxmind6.dat.gz differ diff --git a/src/usr/local/share/geoip/miyuru.lk/DB-IP-city/dbip.dat.gz b/src/usr/local/share/geoip/miyuru.lk/DB-IP-city/dbip.dat.gz new file mode 100644 index 00000000..4f4be8c8 Binary files /dev/null and b/src/usr/local/share/geoip/miyuru.lk/DB-IP-city/dbip.dat.gz differ diff --git a/src/usr/local/share/geoip/miyuru.lk/DB-IP-city/dbip4.dat.gz b/src/usr/local/share/geoip/miyuru.lk/DB-IP-city/dbip4.dat.gz new file mode 100644 index 00000000..1e7c26b1 Binary files /dev/null and b/src/usr/local/share/geoip/miyuru.lk/DB-IP-city/dbip4.dat.gz differ diff --git a/src/usr/local/share/geoip/miyuru.lk/DB-IP-city/dbip6.dat.gz b/src/usr/local/share/geoip/miyuru.lk/DB-IP-city/dbip6.dat.gz new file mode 100644 index 00000000..2ed8c4c5 Binary files /dev/null and b/src/usr/local/share/geoip/miyuru.lk/DB-IP-city/dbip6.dat.gz differ 
diff --git a/src/usr/local/share/geoip/miyuru.lk/DB-IP-country/dbip.dat.gz b/src/usr/local/share/geoip/miyuru.lk/DB-IP-country/dbip.dat.gz new file mode 100644 index 00000000..dca242cd Binary files /dev/null and b/src/usr/local/share/geoip/miyuru.lk/DB-IP-country/dbip.dat.gz differ diff --git a/src/usr/local/share/geoip/miyuru.lk/DB-IP-country/dbip4.dat.gz b/src/usr/local/share/geoip/miyuru.lk/DB-IP-country/dbip4.dat.gz new file mode 100644 index 00000000..2d123963 Binary files /dev/null and b/src/usr/local/share/geoip/miyuru.lk/DB-IP-country/dbip4.dat.gz differ diff --git a/src/usr/local/share/geoip/miyuru.lk/DB-IP-country/dbip6.dat.gz b/src/usr/local/share/geoip/miyuru.lk/DB-IP-country/dbip6.dat.gz new file mode 100644 index 00000000..93168345 Binary files /dev/null and b/src/usr/local/share/geoip/miyuru.lk/DB-IP-country/dbip6.dat.gz differ diff --git a/src/usr/local/share/geoip/miyuru.lk/city/maxmind.dat.gz b/src/usr/local/share/geoip/miyuru.lk/city/maxmind.dat.gz new file mode 100644 index 00000000..29c0f623 Binary files /dev/null and b/src/usr/local/share/geoip/miyuru.lk/city/maxmind.dat.gz differ diff --git a/src/usr/local/share/geoip/miyuru.lk/city/maxmind4.dat.gz b/src/usr/local/share/geoip/miyuru.lk/city/maxmind4.dat.gz new file mode 100644 index 00000000..13061523 Binary files /dev/null and b/src/usr/local/share/geoip/miyuru.lk/city/maxmind4.dat.gz differ diff --git a/src/usr/local/share/geoip/miyuru.lk/city/maxmind4_piwik.dat.gz b/src/usr/local/share/geoip/miyuru.lk/city/maxmind4_piwik.dat.gz new file mode 100644 index 00000000..1708dfc2 Binary files /dev/null and b/src/usr/local/share/geoip/miyuru.lk/city/maxmind4_piwik.dat.gz differ diff --git a/src/usr/local/share/geoip/miyuru.lk/city/maxmind6.dat.gz b/src/usr/local/share/geoip/miyuru.lk/city/maxmind6.dat.gz new file mode 100644 index 00000000..ead94b84 Binary files /dev/null and b/src/usr/local/share/geoip/miyuru.lk/city/maxmind6.dat.gz differ 
diff --git a/src/usr/local/share/geoip/miyuru.lk/country/maxmind.dat.gz b/src/usr/local/share/geoip/miyuru.lk/country/maxmind.dat.gz new file mode 100644 index 00000000..9d18ba5d Binary files /dev/null and b/src/usr/local/share/geoip/miyuru.lk/country/maxmind.dat.gz differ diff --git a/src/usr/local/share/geoip/miyuru.lk/country/maxmind4.dat.gz b/src/usr/local/share/geoip/miyuru.lk/country/maxmind4.dat.gz new file mode 100644 index 00000000..83bef46e Binary files /dev/null and b/src/usr/local/share/geoip/miyuru.lk/country/maxmind4.dat.gz differ diff --git a/src/usr/local/share/geoip/miyuru.lk/country/maxmind6.dat.gz b/src/usr/local/share/geoip/miyuru.lk/country/maxmind6.dat.gz new file mode 100644 index 00000000..ead94b84 Binary files /dev/null and b/src/usr/local/share/geoip/miyuru.lk/country/maxmind6.dat.gz differ diff --git a/src/var/unbound/db/root.key b/src/var/unbound/db/root.key new file mode 100644 index 00000000..e292b5a7 --- /dev/null +++ b/src/var/unbound/db/root.key @@ -0,0 +1 @@ +. IN DS 20326 8 2 E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D diff --git a/src/var/unbound/etc/unbound.conf b/src/var/unbound/etc/unbound.conf index 1b56c777..775e39e2 100644 --- a/src/var/unbound/etc/unbound.conf +++ b/src/var/unbound/etc/unbound.conf @@ -24,7 +24,7 @@ server: rrset-roundrobin: yes minimal-responses: yes val-log-level: 1 - tls-cert-bundle: "/var/unbound/etc/ca-certificates.crt" + tls-cert-bundle: "/var/unbound/db/ca-certificates.crt" do-not-query-localhost: no private-domain: "telecom.lobby" private-domain: "13.168.192.in-addr.arpa"
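Review bot: the src/etc/rc hunk (make_keys through reorder_kernel) reads as the stock tail of OpenBSD's /etc/rc with no visible site-specific line, so carrying the whole script in the repo hides whatever local change motivated it and will collide with sysmerge(8) at the next upgrade. Keep customisation in rc.local and rc.conf.local, which this commit already uses, and drop the copy of /etc/rc unless a specific line is actually being changed; if one is, say which in the commit message.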
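Review bot: in the src/etc/rc.local hunk the iperf daemon start is commented out rather than removed, leaving three dead lines that still carry the `/ROUTERID/` placeholder the generator will substitute. Delete them (git history keeps the old version) or add a one-line comment stating why the iperf listener is disabled.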
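Review bot: in the src/etc/relayd.conf hunk the table declaration and the three `forward to check tcp` lines have no table name (`table { 127.0.0.1, ::1 }`), and relayd.conf(5) requires `table <name> { ... }` and `forward to <name>`; relayd will refuse to load the file as shown. If the `<name>` tokens were eaten as HTML tags when this page was rendered the committed file may be fine, but please confirm. Two smaller points: `redirect "http"` hands plain-HTTP traffic straight to the backend instead of redirecting clients to HTTPS, and `tls keypair /PUBLICHOST/` needs the key and certificate files under /etc/ssl that relayd derives from that name, which nothing in this commit provisions.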
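Review bot: in the src/etc/resolv.conf hunk `search telecom.lobby` and `domain telecom.lobby` are both present; resolv.conf(5) treats them as mutually exclusive and the last one wins, so keep only `search telecom.lobby`. Also `lookup bind` without `file` means /etc/hosts is never consulted, so any name that exists only there stops resolving, and with both nameservers on loopback every lookup fails whenever unbound is down (including early in boot); use `lookup file bind` unless ignoring /etc/hosts is intentional, and make sure the scripts in this commit that resolve names tolerate a dead local resolver.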
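Review bot: in the src/etc/ssh/remote_install/authorized_keys hunk the three root@* keys carry no key options; since their only legitimate use is the forced install command, prefix each line with `restrict,command="/usr/local/sbin/remote-install"` (see the AUTHORIZED_KEYS FILE FORMAT section of sshd(8)) so the restriction survives edits to the `Match User root` block in remote_install.conf or reuse of the file by another sshd instance. Separately, the root@varuna key (ending `ayw3x6`) is byte-for-byte the key that ssh_known_hosts in this same commit pins as a host key for `[bg.telecomlobby.com]:31137`; a node's host key should not double as a root login identity, because the private half sits unencrypted in /etc/ssh on that node and rotating one role silently changes the other.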
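Review bot: in the src/etc/ssh/remote_install/remote_install.conf hunk `AuthorizedKeysCommand /usr/local/sbin/remote-install %f` points at the installer script itself, which is wrong in two ways: sshd expects that command to print authorized_keys lines to stdout (remote-install prints none, so it authorises nothing), and sshd runs it as `AuthorizedKeysCommandUser root` for every public key any client offers, before authentication succeeds, so an unauthenticated connection to port 31137 triggers a root-level download-and-install run. Drop the two AuthorizedKeysCommand* lines and rely on `AuthorizedKeysFile` plus the `Match User root` / `ForceCommand` block, which already runs the installer only after a listed key has authenticated. `IgnoreUserKnownHosts yes` is a no-op here because HostbasedAuthentication is not enabled; `LoginGraceTime 10s` with `MaxSessions 1` is reasonable for an install-only listener.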
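Review bot: the src/etc/ssh/remote_install/rc.local hunk is an rc.local fragment that starts a second sshd, but nothing in the commit shows how it reaches /etc/rc.local (src/etc/rc.local in the same commit does not source it); if the installer appends it, guard against appending twice. Also the `-e` test on remote_install.conf is always true once the file is shipped, so this root-reachable listener on port 31137 runs permanently; consider starting it only while an install is pending, or at least stating in the commit message that a second sshd is intended to run at all times.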
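Review bot: the src/etc/ssh/ssh_config hunk's `Host *.telecomlobby.com` block sets `User root` and an identity but no `Port`, while every entry this commit adds to ssh_known_hosts is keyed as `[host]:31137`; without `Port 31137` here, `ssh uk.telecomlobby.com` goes to port 22, where sshd_public has `PermitRootLogin no`, so the root login fails, and the known_hosts lookup for the default port does not match the bracketed entries. Add `Port 31137` to the block or document that callers must pass `-p 31137`.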
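Review bot: in the src/etc/ssh/ssh_known_hosts hunk `[bg.telecomlobby.com]:31137` gets two different ed25519 host keys and the `# de.telecomlobby.com:31137` comment line is duplicated. Two pinned keys for one host defeat the purpose of a curated known_hosts file, since either fingerprint is accepted; keep only the current key for bg, and note that the second one (ending `ayw3x6`) is the same key listed as root@varuna in remote_install/authorized_keys, which suggests a host key and a user key have been mixed up. The `# ... SSH-2.0-OpenSSH_8.6` banner comments are ssh-keyscan noise and can be dropped.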
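Review bot: in the src/etc/ssh/sshd_public hunk `ListenAddress ::1` binds IPv6 to loopback only while relayd.conf in this commit advertises a public `/PUBV6/` address; if the node should be reachable over v6 add `ListenAddress /PUBV6/`, otherwise the ::1 listener serves nothing on a headless VPS. `UseDNS yes` (the default is no) makes sshd do a reverse lookup plus forward re-check on every connection, which only matters for `from=hostname` patterns in authorized_keys and, with resolv.conf pointing solely at the local unbound, stalls logins whenever the resolver is down; leave it at the default unless hostname-based key restrictions are in use.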
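Review bot: the src/etc/sysctl.conf hunk adds two kernel debugging knobs with no comment: `ddb.panic=0` makes a panicking kernel reboot instead of entering ddb(4), which is sensible for an unattended VPS but means savecore(8) output is the only trace, so /var/crash must exist on these nodes; `kern.splassert=2` enables spl assertion checking with a stack trace on failure, a developer setting that adds checking overhead on every spl transition. Add a comment stating the intent, or drop the splassert setting on production routers.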
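Review bot: the src/etc/template.config hunk introduces a `key#value` format where the value is `1` or `?` and nothing explains the semantics (enabled vs. prompted? required vs. optional?); since this file drives the installer, add a comment header documenting what `1` and `?` mean and which keys are mandatory, so the next reader does not have to reverse-engineer it from the script that parses it.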
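Review bot: in the src/home/taglio/.profile hunk `ospfctl sh nei` now runs unconditionally at every login of a non-root user; ospfctl(8) needs access to the ospfd(8) control socket, which regular users normally cannot open, so taglio will see a connect error on each login. Either run it through doas (`doas ospfctl show neighbor`) or guard it with `2>/dev/null`.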
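Review bot: in the src/mikrotik/firewall.rsc hunk the filter section appends two accepts (OSPF, and tcp/22 from `lan` on the GRE interface) and then a catch-all `drop chain=input comment=LAST`; rules apply in order, so anything the tunnel itself needs, IKE (udp/500, udp/4500) and ESP from the OpenBSD peer plus established/related, must already be accepted above this point or the IPsec session carrying the GRE can never come up. Nothing in this file adds those, so add them before the drop or state in a comment that the base ruleset provides them. The script also only de-duplicates the LAST rule (`/ip fire filter remove [... find comment=LAST]`): running the template for a second host appends a second copy of both accept rules, so give those a comment and remove-then-add them the same way. Minor: `/ip fire filter` relies on RouterOS command abbreviation; spell out `/ip firewall filter` as the rest of the file does.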
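Review bot: in the src/mikrotik/gre.rsc hunk `local-address=45.32.144.15` is a hard-coded public address while the rest of the template uses `/HOSTNAME/`, `/PUBLICIP/` and `/GREPOPIP/` placeholders, and ipsec.rsc uses `/POPIP/` for the same role; replace it with `/POPIP/` so the template renders for any POP and the address of one specific router does not ship in the repo.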
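Review bot: the src/mikrotik/ipsec.rsc hunk references `profile=NSA-RECOMMENDED`, `proposal=NSA` and `policy-template-group=group_ikev2_cert`, none of which are defined in this or any other .rsc in the commit, so importing the template on a fresh router fails unless those objects already exist. Either add their definitions (the proposal and profile must offer the same transforms the OpenBSD side configures in iked.conf.openbsd, otherwise negotiation fails with no proposal chosen) or document them as prerequisites. The `remote-id=user-fqdn:/SRCID/@ca./DOMAINNAME/` placeholder also differs in name from the `/POPID/@ca./DOMAINNAME/` srcid in iked.conf.openbsd; confirm the generator fills both from the same value.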
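Review bot: in the src/openbsd/iked.conf.openbsd hunk `tag /PUBLICHOST/ tap enc/X/` ties each peer to a numbered enc interface, and hostname.enc.openbsd in this commit only sets `description` and `up`, so the generator has to keep `/X/` consistent across the iked policy, hostname.enc/X/, hostname.gre/X/ and the `on enc ... tagged /TAGGED/` pf rules; a comment saying so would save the next person a debugging session. `transport` mode with `proto gre from /POPIP/ to /PUBLICIP/` is the right shape for GRE-over-IPsec; the `/TYPE/` placeholder (active/passive) should be documented alongside the other tokens.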
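Review bot: in the src/openbsd/ospfd.conf.openbsd hunk `auth-md-keyid 1` appears twice in the interface block; even if ospfd tolerates the repetition it is a copy/paste slip, drop one. The block is appended to /etc/ospfd.conf by remote-install with the `/OSPFMD5/` secret expanded, but unlike iked.conf.* nothing sets restrictive permissions on the result; make sure the rendered /etc/ospfd.conf is root-only. OSPF MD5 authentication protects adjacency integrity only, so the GRE-over-IPsec path is what actually keeps the routing traffic confidential.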
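Review bot: in the src/openbsd/pf.conf.fintemp.openbsd hunk `172.16.17.106` is hard-coded as the DNS/NTP target while every other template uses a placeholder or macro; use one here too so the rule does not silently point at one specific node. `modulate state` on a UDP rule is accepted by pf but only affects TCP sequence numbers, so `keep state` says what the rule does. The file name `fintemp` does not say what the fragment is for; name it after its role in the assembled pf.conf.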
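Review bot: in the src/root/Bin/change_endpoint.sh hunk the quoting fix (`"s/$OLDIP/$NEWIP/g"` instead of single quotes, which never expanded the variables) and the switch from `ipsecctl -f /etc/iked.conf` (ipsecctl does not read iked.conf) to `rcctl restart iked` are both correct. The script still has no guard on `$NEWIP`, though: `dig +short @8.8.8.8 cat-01.hopto.org` yields an empty string on any DNS failure, and the three `sed -i` edits would then replace the current endpoint with nothing in pf.conf.table.ipsec, iked.conf.$2 and hostname.$1 before reloading; add `[[ -n $NEWIP && $NEWIP != $OLDIP ]] || exit 0` before the edits. Resolving the peer via 8.8.8.8 over plain UDP also lets a spoofed answer rewrite the IKE peer and the pf table entry to an attacker-chosen address; certificate authentication will still reject an impostor, but the tunnel to the real peer stays down until the next run, so query the local validating unbound (this commit ships the root.key trust anchor) instead of an external resolver. Two small things: the unescaped dots in `$OLDIP` are regex wildcards, harmless here but worth escaping, and `nohup rcctl restart ospfd &` followed by `exit` hides the restart's status; run it in the foreground.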
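Review bot: the src/root/Bin/pf_enable.sh and pf_disable.sh hunks add the files as mode 100644 while pf_show_rules.sh is 100755; they carry `#!/bin/ksh` shebangs and are meant to be run, so commit them with the executable bit. pf_disable.sh (`pfctl -d`) turns the packet filter off entirely on an Internet-facing router with no prompt or log line; if it is kept, at least `logger` the action so the event is visible in syslog.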
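Review bot: the src/usr/local/sbin/remote-install hunk installs configuration fetched over unauthenticated HTTP and then restarts iked and ospfd as root, and the sha256 check does not change that: `$publichost.tar` and `$publichost.sha256` both come from the same `http://$hostconnected/` source, and `$hostconnected` itself is whatever PTR record `dig -x $ipconnected @8.8.8.8` returns, so anyone who can answer either lookup can supply a matching pair. Fetch the bundle over the SSH session that triggered the script instead (the peer already authenticated with a key from remote_install/authorized_keys, so scp/sftp from it is mutually authenticated), or verify a detached signify(1) signature against a public key baked into the image, and drop the PTR-derived hostname. Related points in the same hunk: `ipconnected` is scraped from the last `Accepted` line of /var/log/authlog, which is racy under concurrent logins and breaks on rotation, whereas a ForceCommand can read `${SSH_CONNECTION%% *}`; `iked -n` is run but its exit status is ignored before `rcctl restart iked`, so a bad rendered config takes down every existing tunnel, use `iked -n && rcctl restart iked` and likewise `ospfd -n`; `sed -i '$d' /etc/ospfd.conf` assumes the last line is the closing brace of the area block, which is fragile; `wget` is not in the OpenBSD base system while ftp(1) is; `[ "$tarsha256" == $(cat ...) ]` with an empty .sha256 file becomes a syntax error (fails closed, but noisily), so prefer `[[ "$tarsha256" == "$(cat "$publichost.sha256")" ]]`; and `$tmpdir` is never removed.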
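Review bot: the geoip hunks (src/usr/local/share/geoip/GeoIP.dat.gz through miyuru.lk/country/maxmind6.dat.gz) commit a couple of dozen compressed binary databases with no source URL, fetch date or licence note; GeoLite data carries attribution and redistribution terms that should be checked, the files go stale within weeks, and every refresh bloats the repository history. Replace them with a small fetch script that downloads into /usr/local/share/geoip at install time (verifying the upstream checksum or signature where one is published) and record the licence terms in a README beside it. Also, miyuru.lk/city/maxmind6.dat.gz and miyuru.lk/country/maxmind6.dat.gz both have blob id `ead94b84`, i.e. they are the identical file; check whether the country file is a mislabelled copy of the city database.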
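Review bot: the src/var/unbound/db/root.key hunk adds the root zone DS record (key tag 20326, the current root KSK) as a one-line static file; if unbound.conf refers to it with `auto-trust-anchor-file` (the OpenBSD default), unbound rewrites the file in its own format and needs it writable by `_unbound` to track RFC 5011 rollovers, and an installer that re-copies this static version on every run would silently undo that tracking. Either reference it with `trust-anchor-file` as a read-only DS or copy it only on first install, and make sure the install step sets `_unbound` ownership on the path.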
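Review bot: in the src/var/unbound/etc/unbound.conf hunk the `tls-cert-bundle` path moves from /var/unbound/etc to /var/unbound/db, but no hunk in this commit adds /var/unbound/db/ca-certificates.crt, so if TLS forwarding is enabled elsewhere in the file certificate verification fails on a fresh node until the bundle is copied there; either add the file under src/var/unbound/db or have the install step copy the system CA bundle (/etc/ssl/cert.pem) to that path, and say in the commit message why the location changed.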