From d92fa0478e116a4f189ac1229d952c15dcb4b5c4 Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Thu, 6 Jan 2022 01:25:30 +0100
Subject: ap01: ...
---
files/files/etc/config/dropbear | 5 ++
files/files/etc/config/firewall | 69 ++++++++++++++++++++++
files/files/etc/config/network | 45 ++++++++++++++
files/files/etc/config/system | 18 ++++++
files/files/etc/config/wireless | 43 ++++++++++++++
files/files/etc/dropbear/authorized_keys | 1 +
.../etc/dropbear/dropbear_ed25519_host_key.sops | 21 +++++++
files/files/etc/fw_env.config | 1 +
files/files/etc/rc.local | 7 +++
files/files/etc/shadow | 9 +++
files/files/etc/sysctl.conf | 1 +
flake.nix | 2 +-
patches/shannon-passphrase.patch.sops | 21 +++++++
13 files changed, 242 insertions(+), 1 deletion(-)
create mode 100644 files/files/etc/config/dropbear
create mode 100644 files/files/etc/config/firewall
create mode 100644 files/files/etc/config/network
create mode 100644 files/files/etc/config/system
create mode 100644 files/files/etc/config/wireless
create mode 100644 files/files/etc/dropbear/authorized_keys
create mode 100644 files/files/etc/dropbear/dropbear_ed25519_host_key.sops
create mode 100644 files/files/etc/fw_env.config
create mode 100644 files/files/etc/rc.local
create mode 100644 files/files/etc/shadow
create mode 100644 files/files/etc/sysctl.conf
create mode 100644 patches/shannon-passphrase.patch.sops
diff --git a/files/files/etc/config/dropbear b/files/files/etc/config/dropbear
new file mode 100644
index 0000000..39ba220
--- /dev/null
+++ b/files/files/etc/config/dropbear
@@ -0,0 +1,5 @@
+config dropbear
+ option Port '22'
+ option PasswordAuth 'off'
+ option RootPasswordAuth 'off'
+
diff --git a/files/files/etc/config/firewall b/files/files/etc/config/firewall
new file mode 100644
index 0000000..9b4d252
--- /dev/null
+++ b/files/files/etc/config/firewall
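Review bot: The dropbear section gives no `Interface` option, so SSH listens on every interface, including the `lan` bridge that both wifi-iface sections of this commit attach to, not only on `mgmt`. Key-only login is already enforced by `PasswordAuth 'off'` and `RootPasswordAuth 'off'`, but limiting the listener to the management network would shrink the exposure further: `option Interface 'mgmt'`. The firewall added in the same commit accepts port 22 from any zone (`src '*'`), so both files would need to change together for the restriction to be effective.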
@@ -0,0 +1,69 @@
+config defaults
+ option syn_flood '1'
+ option input 'ACCEPT'
+ option output 'ACCEPT'
+ option forward 'REJECT'
+
+config zone 'lan'
+ option name 'lan'
+ list network 'lan'
+ option input 'ACCEPT'
+ option output 'ACCEPT'
+ option forward 'REJECT'
+
+config zone 'mgmt'
+ option name 'mgmt'
+ list network 'mgmt'
+ option input 'ACCEPT'
+ option output 'ACCEPT'
+ option forward 'REJECT'
+
+config rule
+ option name 'Allow-Ping'
+ option src '*'
+ option proto 'icmp'
+ option icmp_type 'echo-request'
+ option family 'ipv4'
+ option target 'ACCEPT'
+
+config rule
+ option name 'Allow-ICMPv6-Input'
+ option src '*'
+ option proto 'icmp'
+ list icmp_type 'echo-request'
+ list icmp_type 'echo-reply'
+ list icmp_type 'destination-unreachable'
+ list icmp_type 'packet-too-big'
+ list icmp_type 'time-exceeded'
+ list icmp_type 'bad-header'
+ list icmp_type 'unknown-header-type'
+ list icmp_type 'router-solicitation'
+ list icmp_type 'neighbour-solicitation'
+ list icmp_type 'router-advertisement'
+ list icmp_type 'neighbour-advertisement'
+ option limit '1000/sec'
+ option family 'ipv6'
+ option target 'ACCEPT'
+
+config rule
+ option name 'Allow-ICMPv6-Forward'
+ option src '*'
+ option dest '*'
+ option proto 'icmp'
+ list icmp_type 'echo-request'
+ list icmp_type 'echo-reply'
+ list icmp_type 'destination-unreachable'
+ list icmp_type 'packet-too-big'
+ list icmp_type 'time-exceeded'
+ list icmp_type 'bad-header'
+ list icmp_type 'unknown-header-type'
+ option limit '1000/sec'
+ option family 'ipv6'
+ option target 'ACCEPT'
+
+config rule
+ option name 'Allow-SSH'
+ option src '*'
+ option dest_port '22'
+ option proto 'tcp'
+ option target 'ACCEPT'
diff --git a/files/files/etc/config/network b/files/files/etc/config/network
new file mode 100644
index 0000000..288cdc9
--- /dev/null
+++ b/files/files/etc/config/network
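Review bot: `Allow-SSH` uses `option src '*'`, so TCP/22 is accepted from every zone, including `lan`, which is the network the wireless clients land on; since a separate `mgmt` zone is defined, the rule could be scoped to it with `option src 'mgmt'`. Both zones also set `input 'ACCEPT'`, which makes every listening service on the AP reachable from the client bridge regardless of the explicit rules below, so the ICMP and SSH rules are currently redundant. If wide-open input on `lan` is intended, a comment above the zone saying why would help the next reader; otherwise `option input 'REJECT'` on `lan` plus the explicit rules is the tighter default.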
@@ -0,0 +1,45 @@
+config interface 'loopback'
+ option ifname 'lo'
+ option proto 'static'
+ option ipaddr '127.0.0.1'
+ option netmask '255.0.0.0'
+
+config globals 'globals'
+ option ula_prefix 'fd69:f71f:1364::/48'
+
+config interface 'lan'
+ option type 'bridge'
+ option proto 'dhcp'
+ list ifname 'eth0.3'
+ list ifname 'eth0.101'
+ list ifname 'eth0.102'
+
+config interface 'mgmt'
+ option type 'bridge'
+ option proto 'dhcp'
+ list ifname 'eth0.2'
+
+config switch
+ option name 'switch0'
+ option reset '1'
+ option enable_vlan '1'
+
+config switch_vlan
+ option device 'switch0'
+ option vlan '101'
+ option ports '3 0t'
+
+config switch_vlan
+ option device 'switch0'
+ option vlan '102'
+ option ports '2 0t'
+
+config switch_vlan
+ option device 'switch0'
+ option vlan '3'
+ option ports '2t 0t'
+
+config switch_vlan
+ option device 'switch0'
+ option vlan '2'
+ option ports '2t 0t'
\ No newline at end of file
diff --git a/files/files/etc/config/system b/files/files/etc/config/system
new file mode 100644
index 0000000..e5ccea0
--- /dev/null
+++ b/files/files/etc/config/system
@@ -0,0 +1,18 @@
+config system
+ option timezone 'UTC'
+ option ttylogin '0'
+ option log_size '64'
+ option urandom_seed '0'
+ option hostname 'ap01'
+
+config timeserver 'ntp'
+ option enabled '1'
+ option enable_server '0'
+ list server '10.141.1.1'
+
+config led
+ option name 'BlueDome'
+ option trigger 'none'
+ option brightness '0'
+ option default '0'
+ option sysfs 'blue:dome'
diff --git a/files/files/etc/config/wireless b/files/files/etc/config/wireless
new file mode 100644
index 0000000..6204c21
--- /dev/null
+++ b/files/files/etc/config/wireless
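Review bot: The `lan` bridge joins `eth0.3`, `eth0.101` and `eth0.102` into a single layer-2 domain, so whatever separation VLANs 3, 101 and 102 provide on the switch (untagged on port 3, untagged on port 2, tagged on port 2) ends at this bridge, and nothing in the file says whether that is intended. A comment above the interface, e.g. `# VLANs 3/101/102 are deliberately bridged: <reason>`, and a one-line purpose comment on each `switch_vlan` section would make the intent reviewable instead of guessable. The file also ends without a trailing newline.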
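Review bot: `option ttylogin '0'` spawns a shell on the serial console without a login prompt; together with the root password being disabled in `/etc/shadow` in this same commit, the console becomes the only interactive local access path, which is a defensible trade-off for a physically secured AP but is not obvious from the file. A comment such as `# no console login: root password is disabled, physical access is trusted` would record that decision. The `led` section addresses the LED as `blue:dome`, while `rc.local` in this commit writes to `ubnt:blue:dome`; only one of those names can exist on the running kernel, so the two files should agree.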
@@ -0,0 +1,43 @@
+config wifi-device 'radio0'
+ option type 'mac80211'
+ option hwmode '11a'
+ option path 'pci0000:00/0000:00:00.0'
+ option htmode 'VHT80'
+ option country 'DE'
+ option disabled '0'
+ option channel '60'
+
+config wifi-iface 'default_radio0'
+ option device 'radio0'
+ option network 'lan'
+ option mode 'ap'
+ option key ''
+ option ssid 'shannon'
+ option encryption 'psk2+ccmp'
+ option ieee80211r '1'
+ option mobility_domain 'e612'
+ option ft_psk_generate_local '1'
+ option ft_over_ds '1'
+ option pmk_r1_push '1'
+
+config wifi-device 'radio1'
+ option type 'mac80211'
+ option channel '11'
+ option hwmode '11g'
+ option path 'platform/ahb/18100000.wmac'
+ option htmode 'HT20'
+ option country 'DE'
+ option disabled '0'
+
+config wifi-iface 'default_radio1'
+ option device 'radio1'
+ option network 'lan'
+ option mode 'ap'
+ option ssid 'shannon'
+ option encryption 'psk2+ccmp'
+ option key ''
+ option ieee80211r '1'
+ option mobility_domain 'e612'
+ option ft_psk_generate_local '1'
+ option ft_over_ds '1'
+ option pmk_r1_push '1'
diff --git a/files/files/etc/dropbear/authorized_keys b/files/files/etc/dropbear/authorized_keys
new file mode 100644
index 0000000..e9aaf21
--- /dev/null
+++ b/files/files/etc/dropbear/authorized_keys
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKrHPERae+OUTNOzNf9d2767ljFCm5hgmQw48Dj4RrlU gkleen@sif.midgard.yggdrasil
diff --git a/files/files/etc/dropbear/dropbear_ed25519_host_key.sops b/files/files/etc/dropbear/dropbear_ed25519_host_key.sops
new file mode 100644
index 0000000..4757e37
--- /dev/null
+++ b/files/files/etc/dropbear/dropbear_ed25519_host_key.sops
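Review bot: Both `wifi-iface` sections set `option key ''` for `psk2+ccmp`; presumably the real passphrase is injected at build time from `patches/shannon-passphrase.patch.sops`, which this commit also adds, but nothing in the file says so. Should that patch ever fail to apply, hostapd rejects an empty WPA2 passphrase and the SSID simply does not come up, which is the safe failure mode, yet a reader of this file alone would take it for a misconfigured open network. A comment next to each key line, e.g. `# key is filled in at build time from patches/shannon-passphrase.patch.sops`, would make the mechanism visible.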
@@ -0,0 +1,21 @@
+{
+ "data": "ENC[AES256_GCM,data:VLWYJ9WkBtH428VWlrb5Bwtcp8ONUPxcvW9cNFC0dpEf+i1FKHHoaQJ7t6jTAn2vR/tW3gQ1NQw1OG42ISaDyvOZvx2Axl3Y20LdYL/TcJ0ZV08=,iv:uIllCug5SLdx5Z72GNdVr9LFbFA7tNNVhAbJhWqwgDQ=,tag:rR0Za81+313HsggbDoppdQ==,type:str]",
+ "sops": {
+ "kms": null,
+ "gcp_kms": null,
+ "azure_kv": null,
+ "hc_vault": null,
+ "age": null,
+ "lastmodified": "2022-01-05T23:40:44Z",
+ "mac": "ENC[AES256_GCM,data:4X+vdVWKrr7zlVAlRPd3ZCrVQIcqtHfEoxncemPvgPN4OrBoKLhKOkFn0UmzM3FxOfQsTVagvLzcz2TjQ6iwpeigzGETIdMSolOLg1mSwk1+mJliTaOZUTuTvkybZJYda1DKcpRY61HAVAWjPNgxtGe/VdSAhbQFmlgx3Vbi+fc=,iv:HOoc4ojQBKoaCp/qLFEs/HJAL9ilknhqpM7xgP4ZQ4o=,tag:Ih+mzHyk3u/3mOCR8/kyXw==,type:str]",
+ "pgp": [
+ {
+ "created_at": "2022-01-05T23:40:44Z",
+ "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdA2WT0pJ8xrYTjc1nz1oAmjUptqCbFRC4WvyiO69w8Riww\n9dGqIDPFj63lC/WgzWdbLdBw4mga6JPV81BJUZvmf6u3EIH9d97Dvch4jMdJgY0t\n0l4BUw/tckmp6bGjsrswU5HOn6M8fXcRPUz1tIl71XjpKsTy5z40W+Afzg+Oetly\nrNEIJNHS+tOVNaACi8mWjBa/aZmXHAY96kT0wViwDM6CI7kbqupEL6ZEXl5ENfJa\n=i4pI\n-----END PGP MESSAGE-----\n",
+ "fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51"
+ }
+ ],
+ "unencrypted_suffix": "_unencrypted",
+ "version": "3.7.1"
+ }
+}
\ No newline at end of file
diff --git a/files/files/etc/fw_env.config b/files/files/etc/fw_env.config
new file mode 100644
index 0000000..a2a2b3c
--- /dev/null
+++ b/files/files/etc/fw_env.config
@@ -0,0 +1 @@
+/dev/mtd1 0x0000 0x10000 0x10000
diff --git a/files/files/etc/rc.local b/files/files/etc/rc.local
new file mode 100644
index 0000000..569c686
--- /dev/null
+++ b/files/files/etc/rc.local
@@ -0,0 +1,7 @@
+# Put your custom commands here that should be executed once
+# the system init finished. By default this file does nothing.
+
+echo "timer" > /sys/class/leds/ubnt\:blue\:dome/trigger
+sleep 1
+echo "none" > /sys/class/leds/ubnt\:blue\:dome/trigger
+exit 0
diff --git a/files/files/etc/shadow b/files/files/etc/shadow
new file mode 100644
index 0000000..6511d4f
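Review bot: The LED path written here, `/sys/class/leds/ubnt\:blue\:dome/trigger`, does not match the `sysfs 'blue:dome'` name that the `led` section of `etc/config/system` in this same commit uses; only one of the two spellings exists under `/sys/class/leds` on a given kernel, so either this script or the system config silently does nothing (with `exit 0` hiding the redirection error). Pick the name the target image actually exposes and use it in both files, and consider a short comment above the two `echo` lines saying that they blink the dome LED once as a boot indicator. The backslashes before the colons are harmless but unnecessary in a redirection target.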
--- /dev/null
+++ b/files/files/etc/shadow
@@ -0,0 +1,9 @@
+root:x:0:0:99999:7:::
+daemon:*:0:0:99999:7:::
+ftp:*:0:0:99999:7:::
+network:*:0:0:99999:7:::
+nobody:*:0:0:99999:7:::
+ntp:x:0:0:99999:7:::
+dnsmasq:x:0:0:99999:7:::
+logd:x:0:0:99999:7:::
+ubus:x:0:0:99999:7:::
\ No newline at end of file
diff --git a/files/files/etc/sysctl.conf b/files/files/etc/sysctl.conf
new file mode 100644
index 0000000..75dd97e
--- /dev/null
+++ b/files/files/etc/sysctl.conf
@@ -0,0 +1 @@
+net.ipv6.conf.default.accept_ra=1
diff --git a/flake.nix b/flake.nix
index 17b8b92..40fd0be 100644
--- a/flake.nix
+++ b/flake.nix
@@ -128,7 +128,7 @@ function unpackPhase() { ${pkgs.rsync}/bin/rsync --chmod=u+wX -rlptD ${openwrtWithPackages}/. ${./files}/. ./. - patchDir=$(mktemp -d patches.XXXXXXXXXX) + patchDir=$(mktemp -d -t patches.XXXXXXXXXX) ${pkgs.rsync}/bin/rsync --chmod=u+wX -rlptD ${./patches}/. "$patchDir/." while IFS= read -r -d $'\0' sopsFile; do
diff --git a/patches/shannon-passphrase.patch.sops b/patches/shannon-passphrase.patch.sops
new file mode 100644
index 0000000..592aa7f
--- /dev/null
+++ b/patches/shannon-passphrase.patch.sops
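Review bot: The password field for `root`, `ntp`, `dnsmasq`, `logd` and `ubus` is `x`, which is the placeholder that belongs in `/etc/passwd`; in `/etc/shadow` it is simply an unparseable hash, so those accounts are locked only because the hash comparison can never succeed, while the remaining accounts use the explicit `*`. Writing `*` (or `!`) for every locked account makes the intent explicit, keeps the file consistent, and matches what `PasswordAuth 'off'` in the dropbear config already assumes, e.g. `root:*:0:0:99999:7:::`. The file also ends without a trailing newline, which some shadow parsers tolerate and others do not.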
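Review bot: With `mktemp -d -t` the decrypted patch directory now lives under `$TMPDIR` instead of the working tree, and nothing visible in the hunk removes it once the patches have been applied; since at least `patches/shannon-passphrase.patch.sops` decrypts to a Wi-Fi passphrase, an explicit `rm -rf "$patchDir"` after the apply loop (or `trap 'rm -rf "$patchDir"' EXIT` right after the `mktemp`) would keep the plaintext from outliving the phase. Inside a Nix build sandbox `$TMPDIR` is private to that build, so the exposure is bounded, but the cleanup is cheap and makes the intent clear. The enclosing `unpackPhase` continues outside the hunk, so a cleanup may already exist further down; if so, a one-line comment at the `mktemp` pointing to it would help.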
@@ -0,0 +1,21 @@
+{
+ "data": "ENC[AES256_GCM,data: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,iv:yBpJGbVzEqwQ3/xQqTMqsUP6lPfbp+TvKG+uK+1HdFo=,tag:lB/qb6Bwc6cKuW6RZlHvOg==,type:str]",
+ "sops": {
+ "kms": null,
+ "gcp_kms": null,
+ "azure_kv": null,
+ "hc_vault": null,
+ "age": null,
+ "lastmodified": "2022-01-06T00:06:07Z",
+ "mac": "ENC[AES256_GCM,data:0/3v8DeWijSOIJAMsKwXZsDXy020FWWWKquMs+99IB0ky8r/BX8CGlJD3T1mKO+j1olznvN4AqpaOFsMEexdqlxOFx1UwBMTzQZhfPlHsgDkf3XtplHMZbLsK+XNWAjCPiAqdooCd5NeYKiYKBRvJP3IclIwn+aLFw5wv4LlMuo=,iv:lcQeXL/s/NwxyysdqcSfBr8XXN8ef3T9Sw5s2uPYlG8=,tag:lWNPEENTv42CZuZIutxAJA==,type:str]",
+ "pgp": [
+ {
+ "created_at": "2022-01-06T00:06:07Z",
+ "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdAiTff5/oPWj97TYpAeywxbPJxgeiZJcsKBSqB4c/fEC4w\nnkrawta5umacLix+FgjfJwsqcsI7kHtgUlwhE0oPr+CoinVP5SXqvsm5oPqIxQCw\n0lwB0Wy6sCLBUyXrqbQX8jZQEUl6xMDb55W8Vk3YEurYpYtYya7jL7ArxB3qkyts\nKEnP7TVTcQrppUeHFwLHZp1PTiOyUuYVhhlpUWs3YhSuRj0OXqepVjbs3Uf/jQ==\n=3zRQ\n-----END PGP MESSAGE-----\n",
+ "fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51"
+ }
+ ],
+ "unencrypted_suffix": "_unencrypted",
+ "version": "3.7.1"
+ }
+}
\ No newline at end of file
--
cgit v1.2.3