summaryrefslogtreecommitdiff
path: root/medkit-initial-config/files
diff options
context:
space:
mode:
Diffstat (limited to 'medkit-initial-config/files')
-rw-r--r--medkit-initial-config/files/README.md50
-rw-r--r--medkit-initial-config/files/medkit-initial-config156
2 files changed, 206 insertions, 0 deletions
diff --git a/medkit-initial-config/files/README.md b/medkit-initial-config/files/README.md
new file mode 100644
index 0000000..528f20b
--- /dev/null
+++ b/medkit-initial-config/files/README.md
@@ -0,0 +1,50 @@
+Medkit initial system configuration
+-----------------------------------
+This package provides script that allows limited configuration of router after
+medkit is used. The idea is to allow users to preconfigure router in a way they
+can connect to it in secure manner over WiFi if needed.
+
+It is applied only with first boot on medkited router. It intentionally does not
+work with just factory reset, medkit reflash is required.
+
+## Usage
+User places alongside medkit configuration file to flash drive. The name of file
+has to be in format `BOARD-medkit-config.json` where `BOARD` is name of board
+consistent with medkit prefix.
+
+## Configuration file format
+Configuration file has to contain valid JSON.
+
+### Example configuration
+```
+{
+ "foris_password": "m4ZZMC9cpyu3xpbw",
+ "system_password": "Wru4FU0TLw8avIVY",
+ "wireless": {
+ "ssid": "TurrisConfigWifi",
+ "key": "tScqsSAr0DXEqUe0"
+ }
+}
+```
+
+### Foris Password
+Option `foris_password` can be used to configure password for Foris web interface
+and that way skip initial step in setup.
+
+This is suggested to be used as web interfaces allows anyone to set initial
+password. That makes router administration accessible by anyone. By setting
+password even before WiFi or/and Foris are started prevents access to just
+everyone.
+
+### System Password
+Option `system_password` can be used to configure password for `root` account on
+router. This is password used by LuCI web interfaces as well as SSH.
+
+This is not essentially required on Turris, because in default root account is
+blocked for interactive login. This is included rather for convenience for cases
+when user wants to use SSH rather than Foris.
+
+### Wireless AP configuration
+Option `wireless` has to be set to object with `ssid` and `key` fields. It
+configures first radio it can access on system to AP mode with provided SSID and
+key (password).
diff --git a/medkit-initial-config/files/medkit-initial-config b/medkit-initial-config/files/medkit-initial-config
new file mode 100644
index 0000000..c1c6f2f
--- /dev/null
+++ b/medkit-initial-config/files/medkit-initial-config
@@ -0,0 +1,156 @@
+#!/bin/sh
+set -eu
+
+# There are multiple reasons why we do not want to just automatically always run
+# this script on any other occasion except when you do medkit.
+# It is also more strait forward for users to have it as some sort of extension to
+# medkit. That is placing appropriate file beside medkit.
+# When router is medkited then there is no snapshots. Only other case when this
+# happen is when you unpack router from the box (from factory). This means that we
+# can safely assume that no snapshot is the symptom of medkit.
+# Why we want to allow configuration just in case of medkit is because we want to
+# force user to update router to latest version of drivers. It is potentially
+# dangerous to enable WiFi in old versions of system as there could be known
+# vulnerabilities.
+if ! schnapps list -j | jsonfilter -e '$.snapshots[0]' >/dev/null; then
+ echo "For security concerns " >&2
+ exit 1
+fi
+
+
+. /etc/os-release
+case "$OPENWRT_DEVICE_PRODUCT" in
+ "Turris Mox")
+ board="mox"
+ ;;
+ "Turris Omnia")
+ board="omnia"
+ ;;
+ "Turris 1.x")
+ board="turris1x"
+ ;;
+ *)
+ echo "Router we are running on is not known to medkit-initial-config!" >&2
+ exit 1
+ ;;
+esac
+
+
+tmpmnt="$(mktemp -d)"
+tmpclean() {
+ umount -fl "$tmpmnt" 2>/dev/null || true
+ rmdir "$tmpmnt" 2>/dev/null || true
+}
+trap tmpclean HUP INT QUIT TERM EXIT
+
+# Locate drive with medkit and configuration file
+for dev in /dev/mmcblk*p* /dev/sd*; do
+ [ -e "$dev" ] || continue
+ echo "Checking device: $dev"
+ mount "$dev" "$tmpmnt" || continue
+
+ for medkit in \
+ "$tmpmnt/$board"-medkit-*.tar.gz \
+ "$tmpmnt/medkit-$board"*.tar.gz \
+ ; do
+ [ -f "$medkit" ] || continue
+ [ -f "$medkit.md5" ] && \
+ (cd "${medkit%/*}" && md5sum "$medkit.md5") || continue
+ [ -f "$medkit.sha256" ] && \
+ (cd "${medkit%/*}" && sha256sum "$medkit.sha256") || continue
+ [ -f "$medkit.sig" ] && \
+ usign -V -m "$medkit" -P /etc/opkg/keys || continue
+
+ echo "Located drive used for medkit: $dev (medkit: ${medit##*/})" >&2
+
+ config_file="${medkit%/*}/$board-medkit-config.json"
+ if [ -f "$config_file" ]; then
+ echo "Located config file: ${config_file##*/}" >&2
+ break
+ else
+ echo "No config file located alongside the medkit." >&2
+ umount -fl
+ exit 0
+ fi
+ done
+ [ -f "$config_file" ] && break
+ umount -fl "$tmpmnt"
+done
+
+if [ ! -f "$config_file" ]; then
+ # The only way we could get here is that device with medkit is not connected
+ echo "Device with appropriate medkit not located." >&2
+ exit 0
+fi
+
+
+##################################################################################
+# Load config and apply it on system
+. /usr/share/libubox/jshn.sh
+json_init
+json_load_file "$config_file"
+
+
+foris_password() {
+ local password
+ json_get_var password "foris_password" || {
+ echo "foris_password configuration not present." >&2
+ return
+ }
+
+ uci -q batch <<-EOF
+ foris.auth=config
+ foris.auth.password=$password
+ commit foris.auth
+ EOF
+ echo "Foris password set." >&2
+}
+
+system_password() {
+ local password
+ json_get_var password "system_password" || {
+ echo "system_password configuration not present." >&2
+ return
+ }
+
+ echo "root:$password" | chpasswd
+ passwd -u root
+ echo "System password set." >&2
+}
+
+wireless() {
+ json_select "wireless" >/dev/null || {
+ echo "wireless configuration not present." >&2
+ return
+ }
+ local ssid key
+ for var in ssid key; do
+ json_get_var "$var" "$var" || {
+ echo "wireless.$var configuration is missing. Wireless configuration not performed." >&2
+ return
+ }
+ done
+
+ local wifi_dev
+ wifi_dev="$(uci show 'wireless.@wifi-device[0]' | \
+ sed -n 's/^wireless\.\([^.]\+\)=.*$/\1/p')" || {
+ echo "Wireless configuration is not possible as there is no WiFi device." >&2
+ return
+ }
+
+ uci -q batch <<-EOF
+ wireless.wifinet_auto=wifi-iface
+ wireless.wifinet_auto.device=$wifi_dev
+ wireless.wifinet_auto.network=lan
+ wireless.wifinet_auto.mode=ap
+ wireless.wifinet_auto.ssid=$ssid
+ wireless.wifinet_auto.encryption=psk2+tkip+aes
+ wireless.wifinet_auto.key=$key
+ commit wireless.wifinet_auto
+ EOF
+}
+
+
+foris_password
+system_password
+wireless