[update] added firewall@.service to systemd

This commit is contained in:
xdrm-brackets 2017-07-22 23:44:03 +02:00
parent 04f7701655
commit 3a150eab95
5 changed files with 63 additions and 60 deletions


@ -299,7 +299,12 @@ step7(){
echo " - /lib/systemd/system"; echo " - /lib/systemd/system";
sudo cp ./utility/sats-dwc@.service /mnt/lib/systemd/system/sats-dwc@.service; sudo cp ./utility/sats-dwc@.service /mnt/lib/systemd/system/sats-dwc@.service;
# (5) Create sats-update timer # # (5) Create firewall@ service #
echo " (.) Create firewall@ service";
echo " - /lib/systemd/system";
sudo cp ./utility/firewall@.service /mnt/lib/systemd/system/firewall@.service;
# (6) Create sats-update timer #
echo " (.) Create sats-update timer"; echo " (.) Create sats-update timer";
echo " - /lib/systemd/system"; echo " - /lib/systemd/system";
cat ./utility/sats-update.timer | sudo tee /mnt/lib/systemd/system/sats-update.timer > /dev/null; cat ./utility/sats-update.timer | sudo tee /mnt/lib/systemd/system/sats-update.timer > /dev/null;
@ -318,8 +323,12 @@ step7(){
echo " (.) Emulate \`systemctl enable sats-dwc@wlan0.service\`"; echo " (.) Emulate \`systemctl enable sats-dwc@wlan0.service\`";
sudo ln -fs /lib/systemd/system/sats-dwc@.service /mnt/etc/systemd/system/multi-user.target.wants/sats-dwc@wlan0.service; sudo ln -fs /lib/systemd/system/sats-dwc@.service /mnt/etc/systemd/system/multi-user.target.wants/sats-dwc@wlan0.service;
# (4) Enable sats-update timer at startup # # (4) Enable firewall@default at startup #
echo " - Emulate \`systemctl enable sats-update.timer\`"; echo " (.) Emulate \`systemctl enable firewall@default.service\`";
sudo ln -fs /lib/systemd/system/firewall@.service /mnt/etc/systemd/system/multi-user.target.wants/firewall@default.service;
# (5) Enable sats-update timer at startup #
echo " (.) Emulate \`systemctl enable sats-update.timer\`";
sudo ln -fs /lib/systemd/system/sats-update.timer /mnt/etc/systemd/system/multi-user.target.wants/sats-update.timer; sudo ln -fs /lib/systemd/system/sats-update.timer /mnt/etc/systemd/system/multi-user.target.wants/sats-update.timer;
@ -337,10 +346,15 @@ step7(){
echo " (.) Create sats-loop script"; echo " (.) Create sats-loop script";
cat ./utility/sats-loop | sudo tee /mnt/service/sats-loop > /dev/null; cat ./utility/sats-loop | sudo tee /mnt/service/sats-loop > /dev/null;
# (4.1) Create sats-dwc@wlan0 script # # (4) Create sats-dwc@wlan0 script #
echo " (.) Create sats-dwc@wlan0 script"; echo " (.) Create sats-dwc@wlan0 script";
cat ./utility/wlan0.dwc | sed "s/\*\*\*SALT\*\*\*/$WIFI_SALT/" | sed "s/\*\*\*PEPPER\*\*\*/$WIFI_PEPPER/" | sudo tee /mnt/etc/wpa_supplicant/wlan0.dwc > /dev/null; cat ./utility/wlan0.dwc | sed "s/\*\*\*SALT\*\*\*/$WIFI_SALT/" | sed "s/\*\*\*PEPPER\*\*\*/$WIFI_PEPPER/" | sudo tee /mnt/etc/wpa_supplicant/wlan0.dwc > /dev/null;
# (5) Create firewall@default script #
echo " (.) Create firewall@default script";
sudo mkdir -p /opt/firewall;
cat ./utility/default.fw | sudo tee /mnt/opt/firewall/default.fw > /dev/null;
# (5) Set up permissions # (5) Set up permissions
#--------------------------------------------------------# #--------------------------------------------------------#
@ -349,23 +363,23 @@ step7(){
# (1) Services scripts # # (1) Services scripts #
echo " - sats-install (owner: pi)"; echo " - sats-install (owner: pi)";
sudo chown 1000:1000 /mnt/service/sats-install; sudo chown 1000:1000 /mnt/service/sats-install;
sudo chmod 550 /mnt/service/sats-install; sudo chmod 770 /mnt/service/sats-install;
echo " - sats-update (ownder: sats)"; echo " - sats-update (ownder: sats)";
sudo chown 666:666 /mnt/service/sats-update; sudo chown 666:666 /mnt/service/sats-update;
sudo chmod 550 /mnt/service/sats-update; sudo chmod 770 /mnt/service/sats-update;
echo " - sats-loop (ownder: sats)"; echo " - sats-loop (ownder: sats)";
sudo chown 666:666 /mnt/service/sats-loop; sudo chown 666:666 /mnt/service/sats-loop;
sudo chmod 550 /mnt/service/sats-loop; sudo chmod 770 /mnt/service/sats-loop;
echo " - sats-dwc@wlan0 (ownder: pi)"; echo " - sats-dwc@wlan0 (ownder: pi)";
sudo chown 1000:1000 /mnt/etc/wpa_supplicant/wlan0.dwc; sudo chown 1000:1000 /mnt/etc/wpa_supplicant/wlan0.dwc;
sudo chmod 550 /mnt/etc/wpa_supplicant/wlan0.dwc; sudo chmod 770 /mnt/etc/wpa_supplicant/wlan0.dwc;
echo " - /service (ownder: sats)"; echo " - /service (ownder: sats)";
sudo chown 666:666 /mnt/service/*; sudo chown 666:666 /mnt/service/*;
sudo chmod 555 /mnt/service/*; sudo chmod 775 /mnt/service/*;
echo " - /target (ownder: sats)"; echo " - /target (ownder: sats)";
sudo chown 666:666 /mnt/target; sudo chown 666:666 /mnt/target;
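Review bot: `sudo mkdir -p /opt/firewall;` in the new firewall@default hunk creates the directory on the build host, not inside the image, while the next line writes to `/mnt/opt/firewall/default.fw`; unless /mnt/opt/firewall already exists that tee fails, nothing checks its status, and the image boots with a firewall@default unit whose script is missing and therefore no rules at all. It should be `sudo mkdir -p /mnt/opt/firewall;`, and a `|| exit 1` on the tee would make the build fail loudly instead. The new .fw file is also not given an owner/mode in the permissions hunk that follows; it is executed as root by the unit, so it should stay root-owned and not group/world-writable — the sudo tee default is probably fine, but pinning it explicitly is cheap. Separately, that permissions hunk widens the boot scripts and wlan0.dwc from 550 to 770 and /service/* to 775, which the commit message does not mention; group-writable scripts executed at boot are a privilege-escalation path for anyone in those groups, so confirm the widening is intended. step7 starts and ends outside these hunks.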

11
clone/utility/default.fw Normal file

@ -0,0 +1,11 @@
# reset defaults
iptables -F;
iptables -P OUTPUT ACCEPT;
iptables -P FORWARD DROP;
iptables -P INPUT DROP;
# maintenance
iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT;
# accept as INPUT all already ESTABLISHED connections
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT;
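Review bot: With `iptables -P INPUT DROP` and no loopback rule, the new default.fw also drops traffic to 127.0.0.1, which breaks any local service the sats scripts reach over loopback (resolver stub, local HTTP) — add `iptables -A INPUT -i lo -j ACCEPT;` before the port-22 rule. The rules are IPv4 only; if IPv6 is enabled on the image the host is fully reachable over v6 with no filtering, so either mirror the same policy with ip6tables or disable IPv6 via sysctl. Compared with the script this commit deletes, OUTPUT moves from DROP-with-allowlist to ACCEPT, i.e. egress filtering is removed; if that is deliberate a comment saying why would help, otherwise the previous OUTPUT rules should be carried over. Consider `iptables -X` next to `-F` as well so user-defined chains left by a previous run are cleared too.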


@ -0,0 +1,12 @@
[Unit]
Description=Firewall autoconf (%i)
Wants=network-pre.target
Before=network-pre.target
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/bin/bash /opt/firewall/%i.fw
[Install]
WantedBy=multi-user.target
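Review bot: The unit keeps systemd's default dependencies, so it is implicitly ordered after sysinit.target/basic.target, which can place it after early network managers that run with DefaultDependencies=no; firewall units that order themselves `Before=network-pre.target` conventionally add `DefaultDependencies=no` (ufw and nftables do) so the rules are really in place before any interface comes up. Whether that bites here depends on which network stack the image uses (dhcpcd/ifupdown vs networkd), which the diff does not show — worth checking with `systemd-analyze critical-chain firewall@default.service` on a booted image. ExecStart runs whatever is at `/opt/firewall/%i.fw` as root via bash, so the installer must keep that directory and file root-owned and not writable by other users; I do not see those permissions being set anywhere in this commit. A `Documentation=` line or a comment pointing at the installer step that deploys the .fw files would help the next maintainer.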


@ -1,28 +0,0 @@
# reset defaults
iptables -F;
iptables -P OUTPUT DROP;
iptables -P FORWARD DROP;
iptables -P INPUT DROP;
# maintenance
iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT;
# SMMP-server
iptables -A OUTPUT -p tcp -m tcp --dport 22 -j ACCEPT;
# SMMP
iptables -A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT;
# apt-get
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT;
iptables -A OUTPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT;
# dns
iptables -A OUTPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT;
iptables -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT;
# accept as INPUT all already ESTABLISHED connections
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT;
# accept to OUTPUT all already ESTABLISHED connections
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT;


@ -14,34 +14,28 @@ slog(){
} }
# [1] Set up firewall # [1] Start ssh service
slog " * 1. Setting firewall rules"; slog " * 1. Starting ssh service";
sudo sh /home/pi/iptables \
&& slog " > done" \
|| ( slog " > failed" && exit 127 );
# [2] Start ssh service
slog " * 2. Starting ssh service";
sudo systemctl start ssh \ sudo systemctl start ssh \
&& slog " > done" \ && slog " > done" \
|| ( slog " > failed" && exit 127 ); || ( slog " > failed" && exit 127 );
# [3] Notify boot (first or normal) # # [2] Notify boot (first or normal) #
echo; echo;
test ! -e /target/sync && echo "First Boot" | plog; test ! -e /target/sync && echo "First Boot" | plog;
test -e /target/sync && echo "Normal Boot" | plog; test -e /target/sync && echo "Normal Boot" | plog;
slog "============"; slog "============";
# [4] Set random passwords for 'sats' # [3] Set random passwords for 'sats'
echo " * 3. Changing sats password" | plog; echo " * 2. Changing sats password" | plog;
RANDOM_PASS=$(tr -cd A-Za-z0-9_ < /dev/urandom | head -c 256); RANDOM_PASS=$(tr -cd A-Za-z0-9_ < /dev/urandom | head -c 256);
echo -ne "$RANDOM_PASS\n$RANDOM_PASS\n" | sudo passwd sats; echo -ne "$RANDOM_PASS\n$RANDOM_PASS\n" | sudo passwd sats;
test $? -eq 0 \ test $? -eq 0 \
&& slog " > done" \ && slog " > done" \
|| ( slog " > failed" && exit 127 ); || ( slog " > failed" && exit 127 );
# [5] Set random passwords for 'pi' itself # [4] Set random passwords for 'pi' itself
echo " * 4. Changing pi password" | plog; echo " * 3. Changing pi password" | plog;
RANDOM_PASS=$(tr -cd A-Za-z0-9_ < /dev/urandom | head -c 256); RANDOM_PASS=$(tr -cd A-Za-z0-9_ < /dev/urandom | head -c 256);
echo -ne "$RANDOM_PASS\n$RANDOM_PASS\n" | sudo passwd pi; echo -ne "$RANDOM_PASS\n$RANDOM_PASS\n" | sudo passwd pi;
test $? -eq 0 \ test $? -eq 0 \
@ -56,8 +50,8 @@ test $? -eq 0 \
################################################ ################################################
if [ ! -e /target/sync ]; then if [ ! -e /target/sync ]; then
# (1) If no network -> exit # # (x) If no network -> exit #
slog " * 5. Checking connectivity"; slog " * 4. Checking connectivity";
test $(systemctl is-active network-online.target) = "active" \ test $(systemctl is-active network-online.target) = "active" \
&& slog " > done" \ && slog " > done" \
|| ( slog " > failed" && exit 127 ); || ( slog " > failed" && exit 127 );
@ -66,13 +60,13 @@ if [ ! -e /target/sync ]; then
# [1] Installation # [1] Installation
#========================================================# #========================================================#
# (1) Try to install necessary packages # (1) Try to install necessary packages
slog " * 6. Updating packages"; slog " * 5. Updating packages";
sudo apt-get update; sudo apt-get update;
test $? -eq 0 \ test $? -eq 0 \
&& slog " > done" \ && slog " > done" \
|| ( slog " > failed" && exit 127 ); || ( slog " > failed" && exit 127 );
slog " * 7. Installing necessary packages"; slog " * 6. Installing necessary packages";
sudo apt-get -y install git php5 php5-cli php5-curl python-dev; sudo apt-get -y install git php5 php5-cli php5-curl python-dev;
test $? -eq 0 \ test $? -eq 0 \
&& slog " > done" \ && slog " > done" \
@ -82,7 +76,7 @@ if [ ! -e /target/sync ]; then
BRANCH=$(sudo cat /home/sats/satsd/conf/machine.branch) > /dev/null; BRANCH=$(sudo cat /home/sats/satsd/conf/machine.branch) > /dev/null;
# (2) With git if installed # # (2) With git if installed #
slog " * 8. Cloning source"; slog " * 7. Cloning source";
sudo -u sats git clone -b $BRANCH ssh://smmp-server/satsd/git /home/sats/satsd/source; sudo -u sats git clone -b $BRANCH ssh://smmp-server/satsd/git /home/sats/satsd/source;
test $? -eq 0 \ test $? -eq 0 \
&& slog " > done" \ && slog " > done" \
@ -91,7 +85,7 @@ if [ ! -e /target/sync ]; then
# (2) Enable SPI device # # (2) Enable SPI device #
echo " * 9. Enabling spi device"; echo " * 8. Enabling spi device";
echo "dtparam=spi=on" | sudo tee -a /boot/config.txt > /dev/null \ echo "dtparam=spi=on" | sudo tee -a /boot/config.txt > /dev/null \
|| ( slog " > failed" && exit 127 ); || ( slog " > failed" && exit 127 );
echo "dtoverlay=spi-bcm2708" | sudo tee -a /boot/config.txt > /dev/null \ echo "dtoverlay=spi-bcm2708" | sudo tee -a /boot/config.txt > /dev/null \
@ -99,13 +93,13 @@ if [ ! -e /target/sync ]; then
slog " > done"; slog " > done";
# (3) Clone SPI python library # # (3) Clone SPI python library #
slog " * 10. Cloning 'SPI-Py' lib"; slog " * 9. Cloning 'SPI-Py' lib";
git clone https://github.com/lthiery/SPI-Py.git /home/pi/spi-lib \ git clone https://github.com/lthiery/SPI-Py.git /home/pi/spi-lib \
&& slog " > done" \ && slog " > done" \
|| ( slog " > failed" && exit 127 ); || ( slog " > failed" && exit 127 );
# (4) Install SPI python library # # (4) Install SPI python library #
slog " * 11. Installing 'SPI-Py' lib into the system"; slog " * 10. Installing 'SPI-Py' lib into the system";
cd /home/pi/spi-lib; cd /home/pi/spi-lib;
sudo python setup.py build \ sudo python setup.py build \
|| ( slog " > failed" && exit 127 ); || ( slog " > failed" && exit 127 );
@ -123,12 +117,12 @@ if [ ! -e /target/sync ]; then
source $__DIR__/lib/include/bash/func; source $__DIR__/lib/include/bash/func;
# (2) Process sync # # (2) Process sync #
slog " * 12. Synchronizing the SATS with SMMP's server"; slog " * 11. Synchronizing the SATS with SMMP's server";
test "$(sudo -u sats $SOURCE_DIR/lib/api/sync)" = "0" \ test "$(sudo -u sats $SOURCE_DIR/lib/api/sync)" = "0" \
&& slog " > done" \ && slog " > done" \
|| ( slog " > failed" && exit 127 ); || ( slog " > failed" && exit 127 );
slog "Creating target file 'sync'"; slog " * 12. Creating target file 'sync'";
sudo -u sats touch /target/sync \ sudo -u sats touch /target/sync \
&& slog " > done" \ && slog " > done" \
|| ( slog " > failed" && exit 127 ); || ( slog " > failed" && exit 127 );
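Review bot: The script now starts sshd (`sudo systemctl start ssh`) without confirming the firewall is up, whereas the removed step applied the iptables rules first and failed closed; since that is now delegated to firewall@default.service, add a check mirroring the network-online one used later, e.g. `test "$(systemctl is-active firewall@default.service)" = "active" || { slog " > firewall not active"; exit 127; }` before the ssh start. Note also that the `|| ( slog " > failed" && exit 127 )` pattern used throughout exits only the `( … )` subshell, so a failed ssh start, passwd or apt step does not stop the script — for the passwd steps that means the default pi password can survive while the log says failed; `|| { slog " > failed"; exit 127; }` (braces, current shell) gives the intended abort. The enclosing script starts before the first hunk and continues past the last.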