ffgw: new appliance (Freifunk Gateway)

ffgw/Makefile

@@ -0,0 +1,19 @@
+02firstboot = $(CHROOT)/usr/local/bin/02firstboot.start
+cert-renew.sh = $(CHROOT)/etc/ssl/cert-renew.sh
+
+
+systemd-units: appliance/cert-renew.service appliance/cert-renew.timer
+	cp appliance/cert-renew.service appliance/cert-renew.timer $(CHROOT)/etc/systemd/system/
+
+$(02firstboot): appliance/02firstboot.start
+	mkdir -p $(CHROOT)/usr/local/bin
+	cp $< $@
+	touch $(CHROOT)/02firstboot
+
+$(cert-renew.sh): appliance/cert-renew.sh
+	mkdir -p $(CHROOT)/etc/ssl
+	cp $< $@
+
+preinstall:
+
+postinstall: systemd-units $(02firstboot) $(cert-renew.sh)

ffgw/appliance/02firstboot.start

@@ -0,0 +1,46 @@
+#!/bin/bash
+
+# variables
+LABEL="DATA"
+TLD="freifunk-gera-greiz.de"
+HOST="gwx"
+ORGNAME="Freifunk example gateway"
+
+# start
+set -e
+
+[ -e /01firstboot ] && exit 0
+[ -e /02firstboot ] || exit 0
+
+# Certificate
+if [ -x "/$LABEL/etc/ssl/cert-renew.sh" ]; then
+    # angepaßtes Zertifikat vorhanden (kein example)
+    if [ ! -L /etc/ssl/cert-renew.sh ]; then
+        rm -f "/$LABEL/etc/ssl/cert-renew.sh.orig"
+        mv "/etc/ssl/cert-renew.sh" "/$LABEL/etc/ssl/cert-renew.sh.orig"
+    else
+        rm -f "/etc/ssl/cert-renew.sh"
+    fi
+    ln -s "/$LABEL/etc/ssl/cert-renew.sh" "/etc/ssl/cert-renew.sh"
+else
+    echo 'Create example certificate...'
+    mkdir -p "/$LABEL/CERTS/KEYS/"
+    mkdir -p "/$LABEL/CERTS/$HOST.$TLD"
+    echo "FQDN = $HOST.$TLD" > "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf"
+    echo "ORGNAME = $ORGNAME" >> "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf"
+    echo "ALTNAMES = DNS:$HOST.$TLD , DNS:$TLD" >> "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf"
+    echo -e "\n[ req ]\ndefault_bits = 4096\ndefault_md = sha256\nprompt = no\nencrypt_key = no\ndistinguished_name = dn\nreq_extensions = req_ext\ndefault_keyfile = ../KEYS/\$FQDN-key.pem\n" >> "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf"
+    echo -e "\n[ dn ]\nC = DE\nO = \$ORGNAME\nCN = \$FQDN\n" >> "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf"
+    echo -e "\n[ req_ext ]\nsubjectAltName = \$ALTNAMES" >> "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf"
+    openssl req -x509 -new -config "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf" -out "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD-cert.pem" -keyout "/$LABEL/CERTS/KEYS/$HOST.$TLD-key.pem"
+    cp "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD-cert.pem" "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD-fullchain.pem"
+    touch "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD-chain.pem"
+fi
+
+rm -rf /etc/ssl/nginx
+mkdir -p /etc/ssl
+ln -sf "/$LABEL/etc/ssl/nginx" "/etc/ssl/nginx"
+
+/etc/ssl/cert-renew.sh
+
+rm /02firstboot

ffgw/appliance/cert-renew.service

@@ -0,0 +1,8 @@
+[Unit]
+Description=renew certificates from git store
+RefuseManualStart=no
+RefuseManualStop=yes
+ 
+[Service]
+Type=oneshot
+ExecStart=/etc/ssl/cert-renew.sh

ffgw/appliance/cert-renew.sh

@@ -0,0 +1,55 @@
+#!/bin/bash
+
+HOST="gwx"
+TLD="freifunk-gera-greiz.de"
+FQDN="$HOST.$TLD"
+LABEL="DATA"
+
+CERT_DIR=/$LABEL/CERTS
+CERT_NGINX=/$LABEL/etc/ssl/nginx
+GETREPO=""
+GETUSER=""
+GETPASS=""
+
+function getCurrentVersion() {
+# Get hash from latest revision
+  git log --format=format:%H -1
+}
+
+cd $CERT_DIR
+
+if [ -z "$GETREPO" ]; then
+  GIT_REVISION=0
+  GIT_NEW_REVISION=1
+  cd $FQDN
+elif [ ! -d "$FQDN" ]; then
+  GIT_REVISION=0
+  git clone "https://$GETUSER:$GETPASS@$GETREPO"
+  cd $FQDN
+  GIT_NEW_REVISION=$(getCurrentVersion)
+else
+  cd $FQDN
+  GIT_REVISION=$(getCurrentVersion)
+  git commit -m "CRON: auto commit"
+  git fetch
+  git merge origin/master -m "Auto Merge"
+  GIT_NEW_REVISION=$(getCurrentVersion)
+fi
+
+echo "old: $GIT_REVISION"
+echo "new: $GIT_NEW_REVISION"
+
+if [ $GIT_REVISION != $GIT_NEW_REVISION ]
+then
+  echo "Update Nginx certificate..."
+  mkdir -p $CERT_NGINX
+  cp $CERT_DIR/$FQDN/$FQDN-fullchain.pem $CERT_NGINX/nginx.pem
+  cp $CERT_DIR/KEYS/$FQDN-key.pem $CERT_NGINX/nginx.key
+  chown nginx:nginx $CERT_NGINX/nginx.*
+  chmod 444 $CERT_NGINX/nginx.pem
+  chmod 400 $CERT_NGINX/nginx.key
+  echo "Restarting Nginx..."
+  systemctl is-active --quiet nginx && systemctl restart nginx
+fi
+
+exit 0

ffgw/appliance/cert-renew.timer

@@ -0,0 +1,12 @@
+[Unit]
+Description=renew certificates from git store
+RefuseManualStart=no
+RefuseManualStop=no
+ 
+[Timer]
+Persistent=false
+OnCalendar=Sun *-*-* 03:33:00
+Unit=cert-renew.service
+ 
+[Install]
+WantedBy=default.target

ffgw/ffgw.cfg

@@ -0,0 +1,3 @@
+REPO_NAMES += ff-overlay
+REPO_URI_ff-overlay = https://github.com/ffggrz/ff-overlay.git
+KERNEL_CONFIG = appliances/$(APPLIANCE)/kernel.config

ffgw/package.accept_keywords

@@ -0,0 +1,20 @@
+## Freifunk
+#
+net-misc/bird
+net-vpn/tinc
+#
+# ab systemd-248 gibts Batman-Support
+sys-apps/systemd
+#
+# ebtables-2.0.11-r2 sucht ethertypes nicht in /etc, sondern im Doku-Verzeichnis
+=net-firewall/ebtables-2.0.11-r3
+#
+# eigene Ebuilds
+dev-libs/libuecc
+net-misc/batctl
+net-misc/batman-adv
+net-misc/ecdsautils
+net-misc/ext-respondd
+net-misc/fastd
+net-misc/mesh-announce
+net-misc/tunneldigger

ffgw/package.use

@@ -0,0 +1,5 @@
+media-libs/gd png fontconfig truetype
+net-analyzer/vnstat gd
+net-dns/dnsmasq auth-dns dhcp-tools
+net-misc/batman-adv bla dat mcast nc
+net-vpn/openvpn iproute2 passwordsave

ffgw/world

@@ -0,0 +1,26 @@
+net-analyzer/iptstate
+net-analyzer/nmap
+net-analyzer/tcpdump
+net-analyzer/traceroute
+net-analyzer/vnstat
+net-dns/bind-tools
+net-dns/dnsmasq
+net-firewall/ebtables
+net-firewall/ipt_netflow
+net-misc/batctl
+net-misc/batman-adv
+net-misc/bird
+net-misc/bridge-utils
+net-misc/ecdsautils
+net-misc/ext-respondd
+net-misc/fastd
+net-misc/iperf:3
+net-misc/mesh-announce
+net-misc/ntp
+net-misc/telnet-bsd
+net-misc/tunneldigger
+net-vpn/openvpn
+net-vpn/tinc
+sys-apps/texinfo
+sys-process/lsof
+www-servers/nginx