-rw-r--r--logc/Makefile74
-rw-r--r--medkit-initial-config/Makefile32
-rw-r--r--medkit-initial-config/files/README.md50
-rw-r--r--medkit-initial-config/files/medkit-initial-config156
-rw-r--r--sentinel-fwlogs/Makefile69
-rw-r--r--sentinel-fwlogs/files/defaults.sh2
-rwxr-xr-xsentinel-fwlogs/files/init25
-rwxr-xr-xsentinel-fwlogs/files/restart-proxy-hook.sh5
-rwxr-xr-xsentinel-fwlogs/files/sentinel-firewall.sh37
-rwxr-xr-xsentinel-fwlogs/files/uci-defaults19
10 files changed, 0 insertions, 469 deletions
diff --git a/logc/Makefile b/logc/Makefile
deleted file mode 100644
index 1a4eb58..0000000
--- a/logc/Makefile
+++ /dev/null
@@ -1,74 +0,0 @@
-#
-## Copyright (C) 2020 CZ.NIC z.s.p.o. (https://www.nic.cz/)
-#
-## This is free software, licensed under the GNU General Public License v3.
-# See /LICENSE for more information.
-# #
-#
-include $(TOPDIR)/rules.mk
-
-PKG_NAME:=logc
-PKG_VERSION:=0.0.1
-PKG_RELEASE:=1
-
-PKG_SOURCE_PROTO:=git
-PKG_SOURCE_URL:=https://gitlab.nic.cz/turris/logc.git
-#PKG_SOURCE_VERSION:=v$(PKG_VERSION)
-PKG_SOURCE_VERSION:=8ea2adae681bffaec1e9efaad1d6b2b1fbb39496
-
-PKG_MAINTAINER:=CZ.NIC <packaging@turris.cz>
-PKG_LICENSE:=MIT
-PKG_LICENSE_FILES:=LICENSE
-
-PKG_BUILD_DEPENDS:=argp-standalone
-
-PKG_INSTALL:=1
-PKG_FIXUP:=autoreconf
-
-include $(INCLUDE_DIR)/package.mk
-include $(INCLUDE_DIR)/autotools.mk
-
-define Package/Common
- SECTION:=libs
- CATEGORY:=Libraries
- URL:=https://gitlab.nic.cz/turris/logc.git
-endef
-
-define Package/logc
- $(call Package/Common)
- TITLE:=logc
-endef
-
-define Package/logc-argp
- $(call Package/Common)
- TITLE:=logc-argp
-endef
-
-define Package/logc/description
- Logging library for C (LogC)
-endef
-
-define Package/logc-argp/description
- Argument parsing library for LogC base on argp.
-endef
-
-define Build/InstallDev
- $(INSTALL_DIR) $(1)/usr/include
- $(CP) $(PKG_INSTALL_DIR)/usr/include/* $(1)/usr/include/
-
- $(INSTALL_DIR) $(1)/usr/lib/
- $(CP) $(PKG_INSTALL_DIR)/usr/lib/* $(1)/usr/lib/
-endef
-
-define Package/logc/install
- $(INSTALL_DIR) $(1)/usr/lib/
- $(CP) $(PKG_INSTALL_DIR)/usr/lib/liblogc.so* $(1)/usr/lib/
-endef
-
-define Package/logc-argp/install
- $(INSTALL_DIR) $(1)/usr/lib/
- $(CP) $(PKG_INSTALL_DIR)/usr/lib/liblogc_argp.so* $(1)/usr/lib/
-endef
-
-$(eval $(call BuildPackage,logc))
-$(eval $(call BuildPackage,logc-argp))
diff --git a/medkit-initial-config/Makefile b/medkit-initial-config/Makefile
deleted file mode 100644
index c95fa53..0000000
--- a/medkit-initial-config/Makefile
+++ /dev/null
@@ -1,32 +0,0 @@
-#
-## Copyright (C) 2020 CZ.NIC z.s.p.o. (http://www.nic.cz/)
-#
-## This is free software, licensed under the GNU General Public License v2.
-# See /LICENSE for more information.
-# #
-#
-include $(TOPDIR)/rules.mk
-
-PKG_NAME:=medkit-initial-config
-PKG_VERSION:=0.1.0
-PKG_RELEASE:=1
-
-PKG_MAINTAINER:=CZ.NIC <packaging@turris.cz>
-
-include $(INCLUDE_DIR)/package.mk
-
-define Package/medkit-initial-config
- SECTION:=updater
- CATEGORY:=Turris Updater
- TITLE:=Initial config for use with medkit
- DEPENDS:=+schnapps
-endef
-
-define Package/medkit-initial-config/install
- $(INSTALL_DIR) $(1)/etc/uci-defaults
- $(INSTALL_BIN) ./files/medkit-initial-config $(1)/etc/uci-defaults/99-medkit-initial-config
-endef
-
-Build/Compile:=:
-
-$(eval $(call BuildPackage,medkit-initial-config))
diff --git a/medkit-initial-config/files/README.md b/medkit-initial-config/files/README.md
deleted file mode 100644
index 528f20b..0000000
--- a/medkit-initial-config/files/README.md
+++ /dev/null
@@ -1,50 +0,0 @@
-Medkit initial system configuration
------------------------------------
-This package provides script that allows limited configuration of router after
-medkit is used. The idea is to allow users to preconfigure router in a way they
-can connect to it in secure manner over WiFi if needed.
-
-It is applied only with first boot on medkited router. It intentionally does not
-work with just factory reset, medkit reflash is required.
-
-## Usage
-User places alongside medkit configuration file to flash drive. The name of file
-has to be in format `BOARD-medkit-config.json` where `BOARD` is name of board
-consistent with medkit prefix.
-
-## Configuration file format
-Configuration file has to contain valid JSON.
-
-### Example configuration
-```
-{
- "foris_password": "m4ZZMC9cpyu3xpbw",
- "system_password": "Wru4FU0TLw8avIVY",
- "wireless": {
- "ssid": "TurrisConfigWifi",
- "key": "tScqsSAr0DXEqUe0"
- }
-}
-```
-
-### Foris Password
-Option `foris_password` can be used to configure password for Foris web interface
-and that way skip initial step in setup.
-
-This is suggested to be used as web interfaces allows anyone to set initial
-password. That makes router administration accessible by anyone. By setting
-password even before WiFi or/and Foris are started prevents access to just
-everyone.
-
-### System Password
-Option `system_password` can be used to configure password for `root` account on
-router. This is password used by LuCI web interfaces as well as SSH.
-
-This is not essentially required on Turris, because in default root account is
-blocked for interactive login. This is included rather for convenience for cases
-when user wants to use SSH rather than Foris.
-
-### Wireless AP configuration
-Option `wireless` has to be set to object with `ssid` and `key` fields. It
-configures first radio it can access on system to AP mode with provided SSID and
-key (password).
diff --git a/medkit-initial-config/files/medkit-initial-config b/medkit-initial-config/files/medkit-initial-config
deleted file mode 100644
index c1c6f2f..0000000
--- a/medkit-initial-config/files/medkit-initial-config
+++ /dev/null
@@ -1,156 +0,0 @@
-#!/bin/sh
-set -eu
-
-# There are multiple reasons why we do not want to just automatically always run
-# this script on any other occasion except when you do medkit.
-# It is also more strait forward for users to have it as some sort of extension to
-# medkit. That is placing appropriate file beside medkit.
-# When router is medkited then there is no snapshots. Only other case when this
-# happen is when you unpack router from the box (from factory). This means that we
-# can safely assume that no snapshot is the symptom of medkit.
-# Why we want to allow configuration just in case of medkit is because we want to
-# force user to update router to latest version of drivers. It is potentially
-# dangerous to enable WiFi in old versions of system as there could be known
-# vulnerabilities.
-if ! schnapps list -j | jsonfilter -e '$.snapshots[0]' >/dev/null; then
- echo "For security concerns " >&2
- exit 1
-fi
-
-
-. /etc/os-release
-case "$OPENWRT_DEVICE_PRODUCT" in
- "Turris Mox")
- board="mox"
- ;;
- "Turris Omnia")
- board="omnia"
- ;;
- "Turris 1.x")
- board="turris1x"
- ;;
- *)
- echo "Router we are running on is not known to medkit-initial-config!" >&2
- exit 1
- ;;
-esac
-
-
-tmpmnt="$(mktemp -d)"
-tmpclean() {
- umount -fl "$tmpmnt" 2>/dev/null || true
- rmdir "$tmpmnt" 2>/dev/null || true
-}
-trap tmpclean HUP INT QUIT TERM EXIT
-
-# Locate drive with medkit and configuration file
-for dev in /dev/mmcblk*p* /dev/sd*; do
- [ -e "$dev" ] || continue
- echo "Checking device: $dev"
- mount "$dev" "$tmpmnt" || continue
-
- for medkit in \
- "$tmpmnt/$board"-medkit-*.tar.gz \
- "$tmpmnt/medkit-$board"*.tar.gz \
- ; do
- [ -f "$medkit" ] || continue
- [ -f "$medkit.md5" ] && \
- (cd "${medkit%/*}" && md5sum "$medkit.md5") || continue
- [ -f "$medkit.sha256" ] && \
- (cd "${medkit%/*}" && sha256sum "$medkit.sha256") || continue
- [ -f "$medkit.sig" ] && \
- usign -V -m "$medkit" -P /etc/opkg/keys || continue
-
- echo "Located drive used for medkit: $dev (medkit: ${medit##*/})" >&2
-
- config_file="${medkit%/*}/$board-medkit-config.json"
- if [ -f "$config_file" ]; then
- echo "Located config file: ${config_file##*/}" >&2
- break
- else
- echo "No config file located alongside the medkit." >&2
- umount -fl
- exit 0
- fi
- done
- [ -f "$config_file" ] && break
- umount -fl "$tmpmnt"
-done
-
-if [ ! -f "$config_file" ]; then
- # The only way we could get here is that device with medkit is not connected
- echo "Device with appropriate medkit not located." >&2
- exit 0
-fi
-
-
-##################################################################################
-# Load config and apply it on system
-. /usr/share/libubox/jshn.sh
-json_init
-json_load_file "$config_file"
-
-
-foris_password() {
- local password
- json_get_var password "foris_password" || {
- echo "foris_password configuration not present." >&2
- return
- }
-
- uci -q batch <<-EOF
- foris.auth=config
- foris.auth.password=$password
- commit foris.auth
- EOF
- echo "Foris password set." >&2
-}
-
-system_password() {
- local password
- json_get_var password "system_password" || {
- echo "system_password configuration not present." >&2
- return
- }
-
- echo "root:$password" | chpasswd
- passwd -u root
- echo "System password set." >&2
-}
-
-wireless() {
- json_select "wireless" >/dev/null || {
- echo "wireless configuration not present." >&2
- return
- }
- local ssid key
- for var in ssid key; do
- json_get_var "$var" "$var" || {
- echo "wireless.$var configuration is missing. Wireless configuration not performed." >&2
- return
- }
- done
-
- local wifi_dev
- wifi_dev="$(uci show 'wireless.@wifi-device[0]' | \
- sed -n 's/^wireless\.\([^.]\+\)=.*$/\1/p')" || {
- echo "Wireless configuration is not possible as there is no WiFi device." >&2
- return
- }
-
- uci -q batch <<-EOF
- wireless.wifinet_auto=wifi-iface
- wireless.wifinet_auto.device=$wifi_dev
- wireless.wifinet_auto.network=lan
- wireless.wifinet_auto.mode=ap
- wireless.wifinet_auto.ssid=$ssid
- wireless.wifinet_auto.encryption=psk2+tkip+aes
- wireless.wifinet_auto.key=$key
- commit wireless.wifinet_auto
- EOF
-}
-
-
-foris_password
-system_password
-wireless
diff --git a/sentinel-fwlogs/Makefile b/sentinel-fwlogs/Makefile
deleted file mode 100644
index 32874a9..0000000
--- a/sentinel-fwlogs/Makefile
+++ /dev/null
@@ -1,69 +0,0 @@
-#
-## Copyright (C) 2020 CZ.NIC z.s.p.o. (https://www.nic.cz/)
-#
-## This is free software, licensed under the GNU General Public License v3.
-# See /LICENSE for more information.
-# #
-#
-include $(TOPDIR)/rules.mk
-
-PKG_NAME:=sentinel-fwlogs
-PKG_VERSION:=0.0.1
-PKG_RELEASE:=4
-
-PKG_SOURCE_PROTO:=git
-PKG_SOURCE_URL:=https://gitlab.nic.cz/turris/sentinel/fwlogs.git
-#PKG_SOURCE_VERSION:=v$(PKG_VERSION)
-PKG_SOURCE_VERSION:=2b4d3924d213696cb93d2e2690a84b947ff187df
-
-PKG_MAINTAINER:=CZ.NIC <packaging@turris.cz>
-PKG_LICENSE:=GPL-3.0-or-later
-PKG_LICENSE_FILES:=LICENSE
-
-PKG_BUILD_DEPENDS:=argp-standalone
-
-PKG_INSTALL:=1
-PKG_FIXUP:=autoreconf
-
-include $(INCLUDE_DIR)/package.mk
-
-define Package/sentinel-fwlogs
- SECTION:=collect
- CATEGORY:=Collect
- SUBMENU:=Sentinel
- TITLE:=FWLogs
- URL:=https://gitlab.nic.cz/turris/sentinel/fwlogs
- DEPENDS:=\
- +czmq \
- +msgpack-c \
- +logc +logc-argp \
- +libnetfilter-log \
- +sentinel-firewall +iptables-mod-nflog \
- +sentinel-proxy
- PROVIDES:=sentinel-nikola
- CONFLICTS:=sentinel-nikola
-endef
-
-define Package/sentinel-fwlogs/description
- Collector of firewall logs using libnetfilter-log for Turris Sentinel.
-endef
-
-define Package/sentinel-fwlogs/install
- $(INSTALL_DIR) $(1)/usr/bin
- $(INSTALL_BIN) $(PKG_BUILD_DIR)/sentinel-fwlogs $(1)/usr/bin/sentinel-fwlogs
-
- $(INSTALL_DIR) $(1)/etc/init.d
- $(INSTALL_BIN) ./files/init $(1)/etc/init.d/sentinel-fwlogs
-
- $(INSTALL_DIR) $(1)/etc/uci-defaults
- $(INSTALL_BIN) ./files/uci-defaults $(1)/etc/uci-defaults/99-sentinel-fwlogs
-
- $(INSTALL_DIR) $(1)/usr/libexec/sentinel/firewall.d
- $(INSTALL_BIN) ./files/sentinel-firewall.sh $(1)/usr/libexec/sentinel/firewall.d/60-fwlogs.sh
- $(INSTALL_DATA) ./files/defaults.sh $(1)/usr/libexec/sentinel/fwlogs-defaults.sh
-
- $(INSTALL_DIR) $(1)/usr/libexec/sentinel/reload_hooks.d
- $(INSTALL_BIN) ./files/restart-proxy-hook.sh $(1)/usr/libexec/sentinel/reload_hooks.d/50_nikola.sh
-endef
-
-$(eval $(call BuildPackage,sentinel-fwlogs))
diff --git a/sentinel-fwlogs/files/defaults.sh b/sentinel-fwlogs/files/defaults.sh
deleted file mode 100644
index 78345b4..0000000
--- a/sentinel-fwlogs/files/defaults.sh
+++ /dev/null
@@ -1,2 +0,0 @@
-DEFAULT_NFLOG_GROUP="1914"
-DEFAULT_NFLOG_THRESHOLD="32"
diff --git a/sentinel-fwlogs/files/init b/sentinel-fwlogs/files/init
deleted file mode 100755
index 955b333..0000000
--- a/sentinel-fwlogs/files/init
+++ /dev/null
@@ -1,25 +0,0 @@
-#!/bin/sh /etc/rc.common
-
-USE_PROCD=1
-START=99
-STOP=10
-
-
-start_service() {
- source /lib/functions/sentinel.sh
- source /usr/libexec/sentinel/fwlogs-defaults.sh
- allowed_to_run "fwlogs" || return 1
-
- config_load sentinel
- local nflog_group nflog_threshold
- config_get nflog_group fwlogs nflog_group "$DEFAULT_NFLOG_GROUP"
-
- procd_open_instance
- procd_set_param command /usr/bin/sentinel-fwlogs
- procd_append_param command --nflog-group="$nflog_group"
- procd_set_param respawn 3600 5 5
- procd_set_param stdout 1
- procd_set_param stderr 1
- procd_set_param file /etc/config/sentinel
- procd_close_instance
-}
diff --git a/sentinel-fwlogs/files/restart-proxy-hook.sh b/sentinel-fwlogs/files/restart-proxy-hook.sh
deleted file mode 100755
index 938adf4..0000000
--- a/sentinel-fwlogs/files/restart-proxy-hook.sh
+++ /dev/null
@@ -1,5 +0,0 @@
-#!/bin/sh
-# restart Sentinel:FWLogs service
-/etc/init.d/sentinel-fwlogs restart
-# Apply logging rules
-/etc/init.d/firewall reload
diff --git a/sentinel-fwlogs/files/sentinel-firewall.sh b/sentinel-fwlogs/files/sentinel-firewall.sh
deleted file mode 100755
index e066b16..0000000
--- a/sentinel-fwlogs/files/sentinel-firewall.sh
+++ /dev/null
@@ -1,37 +0,0 @@
-#!/bin/sh
-set -e
-. "${0%/*}/common.sh"
-. /lib/functions.sh
-. /lib/functions/sentinel.sh
-. /usr/libexec/sentinel/fwlogs-defaults.sh
-
-allowed_to_run "fwlogs" 2>/dev/null || return 0
-
-
-config_load "sentinel"
-config_get nflog_group fwlogs nflog_group "$DEFAULT_NFLOG_GROUP"
-config_get nflog_threshold fwlogs nflog_threshold "$DEFAULT_NFLOG_THRESHOLD"
-
-
-fwlogs_logging() {
- local config_section="$1"
- local zone enabled
- config_get zone "$config_section" "name"
- config_get_bool enabled "$config_section" "sentinel_fwlogs" "0"
- [ "$enabled" = "1" ] || return 0
-
- report_operation "Logging of zone '$zone'"
- for fate in DROP REJECT; do
- local chain="zone_${zone}_src_${fate}"
- iptables_chain_exists "$chain" || continue
- report_info "$fate"
- iptables -I "$chain" 1 \
- -m comment --comment "!sentinel: fwlogs" \
- -j NFLOG \
- --nflog-group "$nflog_group" \
- --nflog-threshold "$nflog_threshold"
- done
-}
-
-config_load "firewall"
-config_foreach fwlogs_logging "zone"
diff --git a/sentinel-fwlogs/files/uci-defaults b/sentinel-fwlogs/files/uci-defaults
deleted file mode 100755
index c3c2644..0000000
--- a/sentinel-fwlogs/files/uci-defaults
+++ /dev/null
@@ -1,19 +0,0 @@
-#!/bin/sh
-set -e
-. /lib/functions/sentinel-firewall.sh
-
-# fwlogs entry in sentinel config
-if [ "$(uci -q get sentinel.fwlogs)" != "fwlogs" ]; then
- uci -q batch <<EOT
- delete sentinel.fwlogs
- set sentinel.fwlogs='fwlogs'
- commit sentinel.fwlogs
-EOT
-fi
-
-
-# Enable for default interface
-config_firewall_default_enable "sentinel_fwlogs"
-
-# Always reload firewall to use latest version of sentinel-firewall script
-/etc/init.d/firewall reload