[update] added firewall@.service to systemd
parent
04f7701655
commit
3a150eab95
|
@ -299,7 +299,12 @@ step7(){
|
|||
echo " - /lib/systemd/system";
|
||||
sudo cp ./utility/sats-dwc@.service /mnt/lib/systemd/system/sats-dwc@.service;
|
||||
|
||||
# (5) Create sats-update timer #
|
||||
# (5) Create firewall@ service #
|
||||
echo " (.) Create firewall@ service";
|
||||
echo " - /lib/systemd/system";
|
||||
sudo cp ./utility/firewall@.service /mnt/lib/systemd/system/firewall@.service;
|
||||
|
||||
# (6) Create sats-update timer #
|
||||
echo " (.) Create sats-update timer";
|
||||
echo " - /lib/systemd/system";
|
||||
cat ./utility/sats-update.timer | sudo tee /mnt/lib/systemd/system/sats-update.timer > /dev/null;
|
||||
|
@ -318,8 +323,12 @@ step7(){
|
|||
echo " (.) Emulate \`systemctl enable sats-dwc@wlan0.service\`";
|
||||
sudo ln -fs /lib/systemd/system/sats-dwc@.service /mnt/etc/systemd/system/multi-user.target.wants/sats-dwc@wlan0.service;
|
||||
|
||||
# (4) Enable sats-update timer at startup #
|
||||
echo " - Emulate \`systemctl enable sats-update.timer\`";
|
||||
# (4) Enable firewall@default at startup #
|
||||
echo " (.) Emulate \`systemctl enable firewall@default.service\`";
|
||||
sudo ln -fs /lib/systemd/system/firewall@.service /mnt/etc/systemd/system/multi-user.target.wants/firewall@default.service;
|
||||
|
||||
# (5) Enable sats-update timer at startup #
|
||||
echo " (.) Emulate \`systemctl enable sats-update.timer\`";
|
||||
sudo ln -fs /lib/systemd/system/sats-update.timer /mnt/etc/systemd/system/multi-user.target.wants/sats-update.timer;
|
||||
|
||||
|
||||
|
@ -337,10 +346,15 @@ step7(){
|
|||
echo " (.) Create sats-loop script";
|
||||
cat ./utility/sats-loop | sudo tee /mnt/service/sats-loop > /dev/null;
|
||||
|
||||
# (4.1) Create sats-dwc@wlan0 script #
|
||||
# (4) Create sats-dwc@wlan0 script #
|
||||
echo " (.) Create sats-dwc@wlan0 script";
|
||||
cat ./utility/wlan0.dwc | sed "s/\*\*\*SALT\*\*\*/$WIFI_SALT/" | sed "s/\*\*\*PEPPER\*\*\*/$WIFI_PEPPER/" | sudo tee /mnt/etc/wpa_supplicant/wlan0.dwc > /dev/null;
|
||||
|
||||
# (5) Create firewall@default script #
|
||||
echo " (.) Create firewall@default script";
|
||||
sudo mkdir -p /opt/firewall;
|
||||
cat ./utility/default.fw | sudo tee /mnt/opt/firewall/default.fw > /dev/null;
|
||||
|
||||
|
||||
# (5) Set up permissions
|
||||
#--------------------------------------------------------#
|
||||
|
@ -349,23 +363,23 @@ step7(){
|
|||
# (1) Services scripts #
|
||||
echo " - sats-install (owner: pi)";
|
||||
sudo chown 1000:1000 /mnt/service/sats-install;
|
||||
sudo chmod 550 /mnt/service/sats-install;
|
||||
sudo chmod 770 /mnt/service/sats-install;
|
||||
|
||||
echo " - sats-update (ownder: sats)";
|
||||
sudo chown 666:666 /mnt/service/sats-update;
|
||||
sudo chmod 550 /mnt/service/sats-update;
|
||||
sudo chmod 770 /mnt/service/sats-update;
|
||||
|
||||
echo " - sats-loop (ownder: sats)";
|
||||
sudo chown 666:666 /mnt/service/sats-loop;
|
||||
sudo chmod 550 /mnt/service/sats-loop;
|
||||
sudo chmod 770 /mnt/service/sats-loop;
|
||||
|
||||
echo " - sats-dwc@wlan0 (ownder: pi)";
|
||||
sudo chown 1000:1000 /mnt/etc/wpa_supplicant/wlan0.dwc;
|
||||
sudo chmod 550 /mnt/etc/wpa_supplicant/wlan0.dwc;
|
||||
sudo chmod 770 /mnt/etc/wpa_supplicant/wlan0.dwc;
|
||||
|
||||
echo " - /service (ownder: sats)";
|
||||
sudo chown 666:666 /mnt/service/*;
|
||||
sudo chmod 555 /mnt/service/*;
|
||||
sudo chmod 775 /mnt/service/*;
|
||||
|
||||
echo " - /target (ownder: sats)";
|
||||
sudo chown 666:666 /mnt/target;
|
||||
|
|
|
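Review bot: In the `# (5) Create firewall@default script` lines of the third hunk, `sudo mkdir -p /opt/firewall;` creates the directory on the build host instead of under the image root, so the following `sudo tee /mnt/opt/firewall/default.fw` fails unless `/mnt/opt/firewall` already happens to exist; it should read `sudo mkdir -p /mnt/opt/firewall;`. That file is executed as root on every boot by `firewall@default.service`, yet the permissions block below never sets its owner or mode and so relies on whatever `sudo tee` produces under the build host's umask; add `sudo chown 0:0 /mnt/opt/firewall/default.fw; sudo chmod 0644 /mnt/opt/firewall/default.fw;` beside the other chown/chmod lines so a root-executed script cannot end up group- or world-writable. The fourth hunk also appears to relax the service-script modes from 550/555 to 770/775 (old and new lines are printed without markers, so the direction is inferred); making scripts that run under sudo group-writable widens who can change root-executed code and deserves a sentence in the commit message if it is intended. step7() opens before the first hunk and its body continues between the hunks.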
@ -0,0 +1,11 @@
|
|||
# reset defaults
|
||||
iptables -F;
|
||||
iptables -P OUTPUT ACCEPT;
|
||||
iptables -P FORWARD DROP;
|
||||
iptables -P INPUT DROP;
|
||||
|
||||
# maintenance
|
||||
iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT;
|
||||
|
||||
# accept as INPUT all already ESTABLISHED connections
|
||||
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT;
|
|
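Review bot: With `iptables -P INPUT DROP` and only port 22 plus RELATED,ESTABLISHED accepted, new connections over the loopback interface are dropped as well, so anything on the box that talks to a local daemon on 127.0.0.1 will break; add `iptables -A INPUT -i lo -j ACCEPT;` ahead of the maintenance rule. Nothing here touches ip6tables, so if the interface picks up an IPv6 address (a link-local one is enough) every listening service is reachable over v6 with no filtering at all; at minimum mirror the policies with `ip6tables -P INPUT DROP; ip6tables -P FORWARD DROP;` and the same two accept rules. `iptables -F` only flushes the built-in chains of the filter table, so pair it with `iptables -X` if an earlier run could have created user chains, and a header comment such as `# IPv4 filter table only; OUTPUT is deliberately unrestricted` would make the switch from the deleted script's OUTPUT DROP policy an explicit decision rather than something a reader has to discover from the diff.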
@ -0,0 +1,12 @@
|
|||
[Unit]
|
||||
Description=Firewall autoconf (%i)
|
||||
Wants=network-pre.target
|
||||
Before=network-pre.target
|
||||
|
||||
[Service]
|
||||
Type=oneshot
|
||||
RemainAfterExit=yes
|
||||
ExecStart=/bin/bash /opt/firewall/%i.fw
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
|
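Review bot: `ExecStart=/bin/bash /opt/firewall/%i.fw` reports only the exit status of the script's last command, so a rule that fails part way through (a typo, a missing netfilter module) still leaves the unit `active (exited)` with a half-applied policy; run it as `ExecStart=/bin/bash -e /opt/firewall/%i.fw` so the oneshot fails and the problem shows in `systemctl status`. The unit keeps systemd's default dependencies, which add an `After=basic.target` ordering; whether it genuinely runs before the network is configured then depends on the image's network manager ordering itself after `network-pre.target`, and the common firewall-unit pattern adds `DefaultDependencies=no` and installs into `sysinit.target` instead of `multi-user.target` — worth confirming against the target image's dhcpcd/networking unit. A one-line comment above ExecStart, `# %i selects /opt/firewall/<instance>.fw, executed as root at boot`, would also make clear that the instance name is a code path rather than a mere label.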
@ -1,28 +0,0 @@
|
|||
# reset defaults
|
||||
iptables -F;
|
||||
iptables -P OUTPUT DROP;
|
||||
iptables -P FORWARD DROP;
|
||||
iptables -P INPUT DROP;
|
||||
|
||||
# maintenance
|
||||
iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT;
|
||||
|
||||
# SMMP-server
|
||||
iptables -A OUTPUT -p tcp -m tcp --dport 22 -j ACCEPT;
|
||||
|
||||
# SMMP
|
||||
iptables -A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT;
|
||||
|
||||
# apt-get
|
||||
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT;
|
||||
iptables -A OUTPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT;
|
||||
|
||||
# dns
|
||||
iptables -A OUTPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT;
|
||||
iptables -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT;
|
||||
|
||||
# accept as INPUT all already ESTABLISHED connections
|
||||
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT;
|
||||
|
||||
# accept to OUTPUT all already ESTABLISHED connections
|
||||
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT;
|
|
@ -14,34 +14,28 @@ slog(){
|
|||
}
|
||||
|
||||
|
||||
# [1] Set up firewall
|
||||
slog " * 1. Setting firewall rules";
|
||||
sudo sh /home/pi/iptables \
|
||||
&& slog " > done" \
|
||||
|| ( slog " > failed" && exit 127 );
|
||||
|
||||
# [2] Start ssh service
|
||||
slog " * 2. Starting ssh service";
|
||||
# [1] Start ssh service
|
||||
slog " * 1. Starting ssh service";
|
||||
sudo systemctl start ssh \
|
||||
&& slog " > done" \
|
||||
|| ( slog " > failed" && exit 127 );
|
||||
|
||||
# [3] Notify boot (first or normal) #
|
||||
# [2] Notify boot (first or normal) #
|
||||
echo;
|
||||
test ! -e /target/sync && echo "First Boot" | plog;
|
||||
test -e /target/sync && echo "Normal Boot" | plog;
|
||||
slog "============";
|
||||
|
||||
# [4] Set random passwords for 'sats'
|
||||
echo " * 3. Changing sats password" | plog;
|
||||
# [3] Set random passwords for 'sats'
|
||||
echo " * 2. Changing sats password" | plog;
|
||||
RANDOM_PASS=$(tr -cd A-Za-z0-9_ < /dev/urandom | head -c 256);
|
||||
echo -ne "$RANDOM_PASS\n$RANDOM_PASS\n" | sudo passwd sats;
|
||||
test $? -eq 0 \
|
||||
&& slog " > done" \
|
||||
|| ( slog " > failed" && exit 127 );
|
||||
|
||||
# [5] Set random passwords for 'pi' itself
|
||||
echo " * 4. Changing pi password" | plog;
|
||||
# [4] Set random passwords for 'pi' itself
|
||||
echo " * 3. Changing pi password" | plog;
|
||||
RANDOM_PASS=$(tr -cd A-Za-z0-9_ < /dev/urandom | head -c 256);
|
||||
echo -ne "$RANDOM_PASS\n$RANDOM_PASS\n" | sudo passwd pi;
|
||||
test $? -eq 0 \
|
||||
|
@ -56,8 +50,8 @@ test $? -eq 0 \
|
|||
################################################
|
||||
if [ ! -e /target/sync ]; then
|
||||
|
||||
# (1) If no network -> exit #
|
||||
slog " * 5. Checking connectivity";
|
||||
# (x) If no network -> exit #
|
||||
slog " * 4. Checking connectivity";
|
||||
test $(systemctl is-active network-online.target) = "active" \
|
||||
&& slog " > done" \
|
||||
|| ( slog " > failed" && exit 127 );
|
||||
|
@ -66,13 +60,13 @@ if [ ! -e /target/sync ]; then
|
|||
# [1] Installation
|
||||
#========================================================#
|
||||
# (1) Try to install necessary packages
|
||||
slog " * 6. Updating packages";
|
||||
slog " * 5. Updating packages";
|
||||
sudo apt-get update;
|
||||
test $? -eq 0 \
|
||||
&& slog " > done" \
|
||||
|| ( slog " > failed" && exit 127 );
|
||||
|
||||
slog " * 7. Installing necessary packages";
|
||||
slog " * 6. Installing necessary packages";
|
||||
sudo apt-get -y install git php5 php5-cli php5-curl python-dev;
|
||||
test $? -eq 0 \
|
||||
&& slog " > done" \
|
||||
|
@ -82,7 +76,7 @@ if [ ! -e /target/sync ]; then
|
|||
BRANCH=$(sudo cat /home/sats/satsd/conf/machine.branch) > /dev/null;
|
||||
|
||||
# (2) With git if installed #
|
||||
slog " * 8. Cloning source";
|
||||
slog " * 7. Cloning source";
|
||||
sudo -u sats git clone -b $BRANCH ssh://smmp-server/satsd/git /home/sats/satsd/source;
|
||||
test $? -eq 0 \
|
||||
&& slog " > done" \
|
||||
|
@ -91,7 +85,7 @@ if [ ! -e /target/sync ]; then
|
|||
|
||||
|
||||
# (2) Enable SPI device #
|
||||
echo " * 9. Enabling spi device";
|
||||
echo " * 8. Enabling spi device";
|
||||
echo "dtparam=spi=on" | sudo tee -a /boot/config.txt > /dev/null \
|
||||
|| ( slog " > failed" && exit 127 );
|
||||
echo "dtoverlay=spi-bcm2708" | sudo tee -a /boot/config.txt > /dev/null \
|
||||
|
@ -99,13 +93,13 @@ if [ ! -e /target/sync ]; then
|
|||
slog " > done";
|
||||
|
||||
# (3) Clone SPI python library #
|
||||
slog " * 10. Cloning 'SPI-Py' lib";
|
||||
slog " * 9. Cloning 'SPI-Py' lib";
|
||||
git clone https://github.com/lthiery/SPI-Py.git /home/pi/spi-lib \
|
||||
&& slog " > done" \
|
||||
|| ( slog " > failed" && exit 127 );
|
||||
|
||||
# (4) Install SPI python library #
|
||||
slog " * 11. Installing 'SPI-Py' lib into the system";
|
||||
slog " * 10. Installing 'SPI-Py' lib into the system";
|
||||
cd /home/pi/spi-lib;
|
||||
sudo python setup.py build \
|
||||
|| ( slog " > failed" && exit 127 );
|
||||
|
@ -123,12 +117,12 @@ if [ ! -e /target/sync ]; then
|
|||
source $__DIR__/lib/include/bash/func;
|
||||
|
||||
# (2) Process sync #
|
||||
slog " * 12. Synchronizing the SATS with SMMP's server";
|
||||
slog " * 11. Synchronizing the SATS with SMMP's server";
|
||||
test "$(sudo -u sats $SOURCE_DIR/lib/api/sync)" = "0" \
|
||||
&& slog " > done" \
|
||||
|| ( slog " > failed" && exit 127 );
|
||||
|
||||
slog "Creating target file 'sync'";
|
||||
slog " * 12. Creating target file 'sync'";
|
||||
sudo -u sats touch /target/sync \
|
||||
&& slog " > done" \
|
||||
|| ( slog " > failed" && exit 127 );
|
||||
|
|
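Review bot: The boot script now runs `sudo systemctl start ssh` without any confirmation that `firewall@default.service` actually applied its rules, since the former `sudo sh /home/pi/iptables` step is gone; the unit is ordered before network-pre.target, but if it failed, sshd would still be started on an unfiltered interface. Add a check ahead of the ssh step, `systemctl is-active --quiet firewall@default.service || { slog " > firewall not active"; exit 127; }`. Note that the existing `|| ( slog " > failed" && exit 127 )` form used throughout this file only exits the subshell created by the parentheses, so none of these failure paths actually stop the script; the brace-group form above is the one the new check (and, in a follow-up, the others) should use. The remaining hunks only renumber log messages; `slog()` closes at the top of the first hunk and everything after it is top-level script.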