From 618f91c33547784eb50d4173ca3b36add5f2bf3d Mon Sep 17 00:00:00 2001 
From: mpmc Date: Wed, 14 Sep 2022 23:09:19 +0100 Subject: [PATCH] add files from misc repo --- caddy/Caddyfile | 102 +++++++++++ caddy/Caddyfile-localonly | 78 ++++++++ caddy/README.debian.md | 122 +++++++++++++ dnsmasq.d/README.debian.md | 45 +++++ dnsmasq.d/dhcp-server-static.conf | 1 + dnsmasq.d/dhcp-server.conf | 13 ++ dnsmasq.d/disable-forwarding.conf | 2 + other_py_scripts/two_resistor_output.py | 166 ++++++++++++++++++ other_sh_scripts/asterisk-18.sh | 43 +++++ other_sh_scripts/asterisk-chan-quectel.sh | 27 +++ other_sh_scripts/backup.sh | 86 +++++++++ other_sh_scripts/caddy-install.sh | 12 ++ other_sh_scripts/favourites.sh | 19 ++ other_sh_scripts/mariadb-add-user-db.sh | 83 +++++++++ other_sh_scripts/mariadb-install.sh | 10 ++ other_sh_scripts/nextcloud-sync.sh | 86 +++++++++ other_sh_scripts/php8.1-sury-install.sh | 37 ++++ other_sh_scripts/site-dirs.sh | 79 +++++++++ other_sh_scripts/sshd-enable-sftp.sh | 32 ++++ other_sh_scripts/sshd-limit-passwords.sh | 14 ++ .../systemd-network-enable-default-dhcp.sh | 51 ++++++ other_sh_scripts/toggle-motd.sh | 17 ++ php/7.4/fpm/pool.d/localhost.conf.example | 65 +++++++ php/README.debian.md | 96 ++++++++++ php/php-7.4-install.sh | 14 ++ systemd/network/10-eth0.network | 53 ++++++ systemd/network/30-wwan0.network | 19 ++ systemd/network/50-usb0.network | 14 ++ systemd/network/60-wlan0.network | 15 ++ systemd/network/70-wgs0.netdev | 41 +++++ systemd/network/71-wgs0.network | 17 ++ systemd/network/80-wg0.netdev | 42 +++++ systemd/network/81-wg0.network | 12 ++ systemd/network/README.md | 46 +++++ systemd/network/wwan-simcom7600.md | 51 ++++++ systemd/system/lan-http-proxy.service | 9 + systemd/system/mnt-sda1.mount | 9 + systemd/system/qmi-network@.service | 61 +++++++ systemd/system/wifi-power@.service | 17 ++ wpa_supplicant/README.debian.md | 76 ++++++++ wpa_supplicant/wpa_supplicant-wlan0.conf | 26 +++ 41 files changed, 1808 insertions(+) create mode 100755 caddy/Caddyfile create mode 100755 
caddy/Caddyfile-localonly create mode 100755 caddy/README.debian.md create mode 100755 dnsmasq.d/README.debian.md create mode 100755 dnsmasq.d/dhcp-server-static.conf create mode 100755 dnsmasq.d/dhcp-server.conf create mode 100755 dnsmasq.d/disable-forwarding.conf create mode 100755 other_py_scripts/two_resistor_output.py create mode 100755 other_sh_scripts/asterisk-18.sh create mode 100755 other_sh_scripts/asterisk-chan-quectel.sh create mode 100755 other_sh_scripts/backup.sh create mode 100755 other_sh_scripts/caddy-install.sh create mode 100755 other_sh_scripts/favourites.sh create mode 100755 other_sh_scripts/mariadb-add-user-db.sh create mode 100755 other_sh_scripts/mariadb-install.sh create mode 100755 other_sh_scripts/nextcloud-sync.sh create mode 100755 other_sh_scripts/php8.1-sury-install.sh create mode 100755 other_sh_scripts/site-dirs.sh create mode 100755 other_sh_scripts/sshd-enable-sftp.sh create mode 100755 other_sh_scripts/sshd-limit-passwords.sh create mode 100755 other_sh_scripts/systemd-network-enable-default-dhcp.sh create mode 100755 other_sh_scripts/toggle-motd.sh create mode 100755 php/7.4/fpm/pool.d/localhost.conf.example create mode 100755 php/README.debian.md create mode 100755 php/php-7.4-install.sh create mode 100755 systemd/network/10-eth0.network create mode 100755 systemd/network/30-wwan0.network create mode 100755 systemd/network/50-usb0.network create mode 100755 systemd/network/60-wlan0.network create mode 100755 systemd/network/70-wgs0.netdev create mode 100755 systemd/network/71-wgs0.network create mode 100755 systemd/network/80-wg0.netdev create mode 100755 systemd/network/81-wg0.network create mode 100755 systemd/network/README.md create mode 100755 systemd/network/wwan-simcom7600.md create mode 100755 systemd/system/lan-http-proxy.service create mode 100755 systemd/system/mnt-sda1.mount create mode 100755 systemd/system/qmi-network@.service create mode 100755 systemd/system/wifi-power@.service create mode 100755 
wpa_supplicant/README.debian.md create mode 100755 wpa_supplicant/wpa_supplicant-wlan0.conf
diff --git a/caddy/Caddyfile b/caddy/Caddyfile
new file mode 100755
index 0000000..1cc2add
--- /dev/null
+++ b/caddy/Caddyfile
@@ -0,0 +1,102 @@
+# Global options
+{
+ # Debug mode - uncomment to activate.
+ #debug
+
+ # Use local-only certs? Comment out the on_demand_tls block
+ # if you use this.
+ #local_certs
+
+ # To use automatic on/demand SSL/TLS certs we need to ask an
+ # end-point if we host the domain.
+ on_demand_tls {
+ # This can be any http url you like, a domain query will be
+ # attached. A request will be made such as
+ # http://my.end.point:80/hosted/?domain=myawesomesite.foo
+ # The end-point MUST return a 200 response if the domain is
+ # valid.
+ #ask http://my.end.point:80/hosted/
+
+ # So we don't have to use external scripting let's get caddy
+ # to check a directory for us instead. There needs to be a
+ # block below to handle this otherwise all domains using SSL
+ # will fail.
+ ask http://127.0.0.1:62453/
+ }
+}
+
+# On-demand SSL/TLS end-point to check if we host the domain before
+# getting a cert.
+http://127.0.0.1:62453 {
+ # The folder where ALL sites are so we can check if hosted or not.
+ # No files from here are served.
+ root * /var/www/
+
+ # Log to stdout.
+ log
+
+ # Rewrite the domain query into a path request and only if /.
+ @domain_query {
+ path /
+ query domain=*
+ }
+ rewrite @domain_query /{query.domain}/
+
+ # Match domain.
+ # The path regex matcher must come first, Thanks caddy devs!
+ # Info https://github.com/caddyserver/caddy/issues/4204
+ @domain_in_path path_regexp domain \/(www\.)?([^\.\\\/].{1,})\/
+ handle @domain_in_path {
+ @domain_exists file {re.domain.2}/
+ respond @domain_exists 200 {
+ close
+ }
+ }
+
+ # Default response if domain doesn't exist.
+ respond 404 {
+ close
+ }
+}
+
+# Catch-all SSL/TLS site(s) - this must be last!
+:443 {
+ # Strip www from host header.
+ @host_header header_regexp host Host (www\.)?([^\.\\\/].{1,})
+
+ # Enable on-demand SSL/TLS certs.
+ tls {
+ on_demand
+ }
+
+ handle_errors {
+ respond "{http.error.status_text}."
{
+ close
+ }
+ }
+
+ handle @host_header {
+ root * /var/www/{re.host.2}/htdocs/
+ file_server {
+ hide .* ~*
+ }
+
+ @has_reverse_proxy {
+ file /run/{re.host.2}.sock
+ path !*.php
+ }
+
+ handle @has_reverse_proxy {
+ reverse_proxy unix//run/{re.host.2}.sock {
+ header_up Host {upstream_hostport}
+ header_up X-Forwarded-Host {host}
+ }
+ }
+
+ php_fastcgi unix//run/php/{re.host.2}.sock {
+ # This only works with Caddy versions >= 2.4.6
+ try_files {path} {path}/ {path}/index.php =404
+ }
+ }
+ error 404
+}
diff --git a/caddy/Caddyfile-localonly b/caddy/Caddyfile-localonly
new file mode 100755
index 0000000..2b8fa0a
--- /dev/null
+++ b/caddy/Caddyfile-localonly
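Review bot: The `:443` catch-all interpolates a client-controlled Host header into filesystem and socket paths (`root * /var/www/{re.host.2}/htdocs/`, `reverse_proxy unix//run/{re.host.2}.sock`, `php_fastcgi unix//run/php/{re.host.2}.sock`), and the `header_regexp` on the `@host_header` line only forbids a leading `.`, `\` or `/` while `.{1,}` accepts anything after it, including a `:port` suffix, so a request carrying `Host: example.com:443` would presumably be rooted at `/var/www/example.com:443/htdocs/` and 404. Anchoring the pattern and whitelisting hostname characters restricts the path derivation to what a directory name should look like, e.g. `@host_header header_regexp host Host ^(www\.)?([A-Za-z0-9][A-Za-z0-9.-]*)(:[0-9]+)?$`, which keeps capture group 2 as the hostname. Whether the current pattern admits anything that escapes `/var/www/` depends on the server's own Host header validation rather than on this file, so the tighter regexp is defence in depth rather than a fix for a demonstrated hole. The `localhost.orig:443` block in `caddy/Caddyfile-localonly` uses the identical matcher and would take the same change.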
@@ -0,0 +1,78 @@
+# Global options
+{
+ # Debug mode - uncomment to activate.
+ #debug
+
+ # Use local-only certs.
+ local_certs
+}
+
+# For freepbx.
+:443 {
+ handle_errors {
+ respond "{http.error.status_text}." {
+ close
+ }
+ }
+ root * /var/www/localhost/htdocs/
+ # https://community.freepbx.org/t/using-caddy-instead-of-apache-in-freepbx/80200
+ handle /admin/* {
+ @blocked_admin {
+ path */.*
+ path */i18n/*
+ path */helpers/*
+ path */libraries/*
+ path */node/*
+ path */views/*php
+ }
+ respond @blocked_admin 403
+ php_fastcgi unix//run/php/localhost.sock
+ file_server
+ }
+ handle {
+ @blocked_main {
+ path */.*
+ }
+ respond @blocked_main 403
+ php_fastcgi unix//run/php/localhost.sock
+ file_server
+ }
+ error 404
+}
+
+# Local only service (original).
+localhost.orig:443 {
+ # Strip www from host header.
+ @host_header header_regexp host Host (www\.)?([^\.\\\/].{1,})
+
+ handle_errors {
+ respond "{http.error.status_text}." {
+ close
+ }
+ }
+
+ handle @host_header {
+ root * /var/www/{re.host.2}/htdocs/
+ file_server {
+ hide .* ~*
+ }
+
+ @has_reverse_proxy {
+ file /run/{re.host.2}.sock
+ path !*.php
+ }
+
+ handle @has_reverse_proxy {
+ reverse_proxy unix//run/{re.host.2}.sock {
+ header_up Host {upstream_hostport}
+ header_up X-Forwarded-Host {host}
+ }
+ }
+
+ php_fastcgi unix//run/php/{re.host.2}.sock {
+ # This only works with Caddy versions >= 2.4.6
+ try_files {path} {path}/ {path}/index.php =404
+ }
+ }
+ error 404
+}
diff --git a/caddy/README.debian.md b/caddy/README.debian.md
new file mode 100755
index 0000000..76467e4
--- /dev/null
+++ b/caddy/README.debian.md
@@ -0,0 +1,122 @@ +# Caddy +To setup Caddy you must be root ( `sudo -s` ). + +Add the repo... + +``` +apt install -y curl debian-keyring debian-archive-keyring apt-transport-https +curl 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' -o /etc/apt/trusted.gpg.d/caddy_repo_signing.asc +curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' | tee /etc/apt/sources.list.d/caddy-stable.list +``` + +--- + +Now update apt & install it... + +``` +apt update +apt install caddy +``` +--- + +Once installed we need to make a backup of the default Caddyfile and +replace it with our own... + +``` +mv -iv /etc/caddy/Caddyfile /etc/caddy/Caddyfile.old +cp -v ./Caddyfile /etc/caddy/Caddyfile +``` + +--- +We need somewhere to serve sites... + +``` +mkdir -v /var/www +``` + +## Site setup + +Create the site's base directory but don't include `www.` and +change to it... + +``` +mkdir -v /var/www/example.com +cd /var/www/example.com +``` + +**Make sure you're in the right directory before continuing.** You can +use a tilde `~` in your terminal to see your current directory. + +--- + +The site needs some folders... + +``` +mkdir -v htdocs +mkdir data tmp sessions +``` + +`htdocs` is where the site's public-accessible files are kept, +`data` is for private site files, `tmp` is for temporary site files - +such as uploads, and `sessions` is for site vistor session data. + +--- + +Everyone on the system can access the site's files and we don't want +that, change the folder(s) permissions... + +**Take note of the `.` in the command below do not just enter `/` !** + +``` +chmod -Rv 750 ./ +``` + +--- + +Drat, only root can access the folders now, but Caddy and others need +to be able to read the htdocs folder too... + +``` +chmod -Rv 755 htdocs +``` + +--- + +If you want another user on the system to own the files, say we have +user `fred` and they're in group `fred`... 
+ +**Take note of the `.` in the command below do not just enter `/` !** + +``` +chown -Rv fred:fred ./* +``` + +If `fred` is in a different user group and you don't know which, you can +run `groups fred` to find out! + +--- + +## Things to know + +The `Caddyfile` included here will (in this order)... + +* Check if the requested host (without `www.`) is served here, if not +return 404. + +* If the requested file exists serve it. The files index.html index.php +take precedence and will always be served if no path is given. Requests +where the requested path/file doesn't exist will be passed on to the +other handlers (described below). + +* Reverse proxy the request if a socket matching the hostname +(without `www.`) exists in `/run/`. This can be any service that +understands how to handle HTTP requests. It just needs to be setup to +listen via a socket matching the hostname in `/run/`, e.g. +`/run/myawesomesite.com.sock`. + +* If the above socket does not exist and/or a php file is requested, +attempt to pass along the request to php-fpm (setup to listen via a +socket matching the hostname in `/run/php`, e.g. +`/run/php/myawesomesite.com.sock`). + +* Return 404 if the request cannot be handled by any of the above. diff --git a/dnsmasq.d/README.debian.md b/dnsmasq.d/README.debian.md new file mode 100755 index 0000000..e2db0e6 --- /dev/null +++ b/dnsmasq.d/README.debian.md 
@@ -0,0 +1,45 @@
+# Dnsmasq
+
+
+To setup Dnsmasq you must be root ( `sudo -s` ) then install it with...
+
+```
+apt install dnsmasq
+```
+
+**When using systemd-resolved, you'll get a service start failure during install, so must disable DNS forwarding.**...
+
+```
+cp -iv disable-forwarding.conf /etc/dnsmasq.d/
+```
+
+---
+
+Once installed, we want dnsmasq to serve addresses...
+
+**You'll need to change the IP address range (in the file) to match your LAN configuration.**
+
+```
+cp -iv dhcp-server.conf /etc/dnsmasq.d/
+```
+
+---
+
+Static IP addresses can be set, copy the file `dhcp-server-static.conf` in this directory to `/etc/dnsmasq.d/`...
+
+**You'll need to add the MAC and IP addresses for your devices.**
+
+```
+cp -iv dhcp-server-static.conf /etc/dnsmasq.d/
+```
+
+---
+
+Finally restart dnsmasq and check for errors.
+
+```
+systemctl restart dnsmasq
+systemctl status dnsmasq
+```
+
+You should now have a running dnsmasq service!
diff --git a/dnsmasq.d/dhcp-server-static.conf b/dnsmasq.d/dhcp-server-static.conf
new file mode 100755
index 0000000..e968865
--- /dev/null
+++ b/dnsmasq.d/dhcp-server-static.conf
@@ -0,0 +1 @@
+dhcp-host=ff:ff:ff:ff:ff:ff,192.168.156.2,24h
diff --git a/dnsmasq.d/dhcp-server.conf b/dnsmasq.d/dhcp-server.conf
new file mode 100755
index 0000000..cb82ffa
--- /dev/null
+++ b/dnsmasq.d/dhcp-server.conf
@@ -0,0 +1,13 @@
+log-dhcp
+domain-needed
+bogus-priv
+no-resolv
+server=1.1.1.1
+server=1.0.0.1
+listen-address=::1,127.0.0.1,192.168.156.1
+expand-hosts
+domain=lan
+dhcp-range=192.168.156.2,192.168.156.250,24h
+dhcp-option=option:router,192.168.156.1
+dhcp-authoritative
+#dhcp-leasefile=/var/lib/dnsmasq/dnsmasq.leases
diff --git a/dnsmasq.d/disable-forwarding.conf b/dnsmasq.d/disable-forwarding.conf
new file mode 100755
index 0000000..befbb8d
--- /dev/null
+++ b/dnsmasq.d/disable-forwarding.conf
@@ -0,0 +1,2 @@
+# You only need this if using systemd-resolved.
+port=0
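Review bot: `dhcp-server.conf` filters answers with `listen-address=::1,127.0.0.1,192.168.156.1` but without `bind-interfaces` dnsmasq still binds the wildcard port-53 socket, which is presumably the collision with systemd-resolved's stub listener that `dnsmasq.d/README.debian.md` works around by installing `disable-forwarding.conf` (`port=0`), i.e. by switching the DNS side off entirely so `server=`, `domain-needed` and `bogus-priv` become dead configuration. Adding `bind-interfaces` next to `listen-address=` makes dnsmasq bind only the listed addresses, so both services can coexist and the LAN keeps the intended resolver; worth confirming on a host running resolved before changing the README's advice. `dhcp-server-static.conf` ships `dhcp-host=ff:ff:ff:ff:ff:ff,192.168.156.2,24h` with no indication it is a template, and `.2` is also the first address of the dynamic `dhcp-range`; a leading `# Template entry: replace the MAC and IP before installing` would stop it being copied verbatim.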
diff --git a/other_py_scripts/two_resistor_output.py b/other_py_scripts/two_resistor_output.py
new file mode 100755
index 0000000..14a9b29
--- /dev/null
+++ b/other_py_scripts/two_resistor_output.py
@@ -0,0 +1,166 @@ +#!/usr/bin/env python3 + +"""Variables with values exclosed in 3 double quotes (") allow +multi-line strings. It can also be used for comments. + +Any words in curly braces like {this} are placeholders & can be replaced +later if desired with the method 'format' on string variables. +Single line strings can have replaceable placeholders too. + +Below is a variable named "foo" containing a single line string with +a placeholder... + +foo = "Here is a single line placeholder of {replaceme}." + +We can just print foo as-is using... + +print(foo) + +or replace _all_ "{replaceme}" within it using format... + +print(foo.format(replaceme='new value here')) + +or replace it with another variable... + +new_replaceme='this is a new replacement' + +print(foo.format(replaceme=new_replaceme) + +Make sure that any variables, (new_replaceme in the above in this case) +is defined or you'll get a KeyError if you try to print a format()'d +string! + +""" + +msg = """Voltage Divider Calculator (v1.1) +Formula: "Voltage out is Voltage in * Resistor 2 / Resistor 1 + Resistor 2" + +You entered: + Voltage in {voltage} + Resistor 1 {resistor1} + Resistor 2 {resistor2} + +Which equals: + {output} + +Output voltage is: "{output}", rounded (nearest 10) is "{rounded}"! +""" + +error = """Usage: python3 {script} . +Example: python3 {script} 5000 2000 4000 + +Seeing an Error? +ValueError: You enter an invalid value (or left it empty). +""" + + +def main(args): + """ + The parameter args is a list populated by your shell/terminal. + + All values are added in the order they were passed to the script. + + The first item in the list args[0] will always be the script + that was passed to python. If you named this file foo.py and + called python3 foo.py args[0] would be the string "foo.py". + """ + + # Remove this script's file-name and store it in the variable + # "script" for later use. 
+ script = args.pop(0) + + """ + "try and except" allows us to capture an exception (in this case + we only want to capture a ValueError so we can first print + a nice error message and then have python raise it, printing it + underneath, and finally exiting. + """ + + try: + """ + What "list(map(int, args))" is doing... + + As we've already removed the script file-name from the args + list we should just be left with numberic values. + + However, they're strings and we need integers! + We use the built-in method "map" which calls the method + given ("int" here), that'll convert each value (from strings) + within the list to the integers we need. + + Now we have a new problem we've given ourselves :(. + + "map" will return a map object which we don't want so we + need to convert (the map object) back into a list, + using, you guessed it, the method named "list"! + + Each value from the converted list is then unpacked into the + variables "voltage", "resistor1" and "resistor2" (from right + to left). So say we have a list of [1, 2, 3], We can + unpack those values as... + + one, two, three = [1, 2, 3] + """ + voltage, resistor1, resistor2 = list(map(int, args)) + + # Here we're just calulating the voltage value using the values + # from each variable. + output = voltage * (resistor2 / (resistor1 + resistor2)) + except ValueError: + """ + Oh no, we're missing a value or a non-numeric value was + entered! Let the user know by printing our nice + error message, contained with in the "error" multi-line + variable above. + + Remember the "replaceme" variable we talked about earlier? + Well, we're doing the same thing here but we're replacing + the text "{script}" (in the "error" variable above) with + the variable "script" (also above!). + + It sounds confusing? Yes, I agree. It can be made easier + by using another word different to your variable as a + placeholder and replace it with any variable you like! + + script = "carrots are lovely" + msg = "my {placeholder}." 
+ print(msg.format(placeholder=script)) + """ + print(error.format(script=script)) + + """ + STOP! Ham, Ahem... Exception time! + "raise" here (unless captured by another try/except block) + just tells python to print the exception then + stop executing the script. + """ + raise + + """ + If we get here it means our voltage has been calculated, + and so (just like the above error message) we format then + print the _good_ message "msg" variable and we're done. + """ + print(msg.format(voltage=voltage, resistor1=resistor1, + resistor2=resistor2, output=output, + rounded=round(output))) + + +""" +This "if block" tells python not to run the method "main" (above) +If our script was imported by another python script. + +The method "main" will only get called if our script was called directly +by python and is the "main" (hence __main__ below) script. + +This also means we import our script from within another script and +call our module's (what python calls scripts) method "main". +""" + +if __name__ == '__main__': + import sys + + # main(sys.argv) calls our main function & passes the arguments + # given to it by the terminal. + # sys.exit returns the value from the method main. + sys.exit(main(sys.argv)) diff --git a/other_sh_scripts/asterisk-18.sh b/other_sh_scripts/asterisk-18.sh new file mode 100755 index 0000000..2400744 --- /dev/null +++ b/other_sh_scripts/asterisk-18.sh 
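Review bot: The success message promises the result `rounded (nearest 10)` but the code passes `rounded=round(output)`, which rounds to the nearest integer; `rounded=round(output, -1)` matches the text. A zero denominator (`resistor1 + resistor2 == 0`, e.g. both resistors entered as 0) raises `ZeroDivisionError` inside the `try`, which only catches `ValueError`, so the user gets a traceback instead of the usage text; `except (ValueError, ZeroDivisionError):` keeps the friendly path, and the `error` text could mention that the resistors must not sum to zero. The bare triple-quoted strings inside `main` are expression statements rather than comments; they work, but differ from the `#` style the rest of the function uses for its explanations.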
@@ -0,0 +1,43 @@
+#!/bin/bash
+
+set -eux
+
+DATE_STAMP=$(date '+%s')
+
+apt -y install build-essential checkinstall libncurses5 git curl wget libnewt-dev libssl-dev libncurses5-dev subversion libsqlite3-dev libjansson-dev libxml2-dev uuid-dev default-libmysqlclient-dev
+
+mkdir asterisk-${DATE_STAMP:-fail}
+
+cd asterisk-${DATE_STAMP:-fail}
+
+mkdir build
+
+wget http://downloads.asterisk.org/pub/telephony/asterisk/asterisk-18-current.tar.gz \
+-O asterisk-18-current.tar.gz --show-progress
+
+cd build
+
+tar xf ../asterisk-18-current.tar.gz
+
+cd asterisk*
+
+# Main build bit.
+./contrib/scripts/get_mp3_source.sh
+
+contrib/scripts/install_prereq install
+
+./configure
+
+make
+
+#sudo checkinstall --default --pkgname asterisk --addso=yes make install config samples
+
+echo "Install Asterisk and kitchen sink (everything)?"
+read
+
+make install
+make samples
+make config
+ldconfig
+
+exit 0;
diff --git a/other_sh_scripts/asterisk-chan-quectel.sh b/other_sh_scripts/asterisk-chan-quectel.sh
new file mode 100755
index 0000000..918d6da
--- /dev/null
+++ b/other_sh_scripts/asterisk-chan-quectel.sh
@@ -0,0 +1,27 @@
+#!/bin/bash
+
+set -eux
+
+DATE_STAMP=$(date '+%s')
+
+apt install asterisk asterisk-dev libasound2-dev build-essential git
+
+mkdir asterisk-chan-quectel-${DATE_STAMP}
+
+cd asterisk-chan-quectel-${DATE_STAMP}
+
+mkdir build
+
+cd build
+
+git clone https://github.com/IchthysMaranatha/asterisk-chan-quectel.git .
+
+./bootstrap
+
+INSTALLED_AST_VERSION=$(asterisk -V | cut -d " " -f 2)
+
+./configure --with-astversion=${INSTALLED_AST_VERSION}
+
+make
+
+make install
diff --git a/other_sh_scripts/backup.sh b/other_sh_scripts/backup.sh
new file mode 100755
index 0000000..42b193c
--- /dev/null
+++ b/other_sh_scripts/backup.sh
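Review bot: `asterisk-18.sh` fetches `asterisk-18-current.tar.gz` over plain `http://` and then builds and `make install`s it as root without comparing it to any published checksum or signature, so what gets installed is whatever arrived over the wire; fetching over `https://` and verifying the tarball (`sha256sum -c` against the checksum file published alongside it) before the `tar xf` line closes that gap. `asterisk-chan-quectel.sh` has the same shape one step removed: `git clone https://github.com/IchthysMaranatha/asterisk-chan-quectel.git .` builds and installs whichever commit the default branch points at when the script runs, so pinning a reviewed revision (`git checkout <reviewed tag or commit>` right after the clone) makes the input reproducible. Neither script comments on this, so at minimum a `# NOTE: unverified upstream download, pin/verify before production use` above the fetch would make the trust decision explicit.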
@@ -0,0 +1,86 @@ +#!/bin/bash + +# Crontab line. +#0 2 * * * bash /root/backup.sh | tee -a /var/log/backup_$(date +"\%Y-\%m-\%d").log + +# Exit on error. +# Because I've been grilled about not using this - phillw, I'm looking +# at you ;) +set -e + +# Where do we locally store the backups? +BACKUP_STORE='/backup' + +# What directories do we backup? +# Each _full_ path must be seperated by a space. If a path uses a +# special char e.g, space or non-alphanumeric chars escape it with a +# backslash. +BACKUP_DIRS='/etc /home /var/www /root' + +# A date string for file/folder-names. +SCRIPT_RUN_DATE=`date '+%Y-%m-%d-%H-%M'` + +# Backup the above $BACKUP_DIRS. Set to 0 to disable. +BACKUP_DIRECTORIES_AND_FILES="1" + +# CRON backup? Set to 0 to disable. +BACKUP_CRON="1" + +# MARIADB/MYSQL dump backup? Set to 0 to disable. +BACKUP_SQL="1" + + +## Edit below at own risk.. +if [[ $EUID -ne 0 ]]; then + echo 'run as root' + exit 1 +fi + +# Before we do anything, switch to our backup store directory. +cd "${BACKUP_STORE:-/tmp/$SCRIPT_RUN_DATE}" + +# Now make our backup directory using the script_run_date. +BACKUP_CWD="./${SCRIPT_RUN_DATE:-fail}" +mkdir "${BACKUP_CWD}" +cd "${BACKUP_CWD}" + +if [[ "$BACKUP_DIRECTORIES_AND_FILES" == "1" ]]; then + + for OBJ in ${BACKUP_DIRS:-}; do + OBJ_S=${OBJ//\//-} + OBJ_S=${OBJ_S/-/} + + if [[ ! -f "${OBJ}" ]]; then + if [[ ! -d "${OBJ}" ]]; then + printf "\n!! 
file or directory \"%s\" not found, skipping..\n" "${OBJ}"
+ continue;
+ fi
+ fi
+
+ tar -cJf "./$OBJ_S.tar.xz" "${OBJ}"
+ done
+
+fi
+
+if [[ "$BACKUP_SQL" == "1" ]]; then
+
+ DATABASES="$(echo "show databases" | mysql | grep -Ev "^(Database|mysql|performance_schema|information_schema)$" | paste -sd " " -)"
+
+ [[ -z "${DATABASES:-}" ]] && exit 1
+
+ for DB in $DATABASES; do
+ mysqldump --single-transaction --routines --events --triggers --lock-tables $DB > "./$DB.sql" || exit 1;
+ done
+
+fi
+
+if [[ "$BACKUP_CRON" == "1" ]]; then
+
+ for USER in $(cut -f1 -d: /etc/passwd); do
+ crontab -u $USER -l > "${USER}-cron.txt" || continue;
+ done
+
+fi
+
+echo "$SCRIPT_RUN_DATE OK" >> /var/log/$0-run.log
+
diff --git a/other_sh_scripts/caddy-install.sh b/other_sh_scripts/caddy-install.sh
new file mode 100755
index 0000000..e2ec38c
--- /dev/null
+++ b/other_sh_scripts/caddy-install.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+
+# Exit on error.
+set -e
+
+# The following was modifed but the original was graciously provided by the
+# caddy docs -> https://caddyserver.com/docs/install#debian-ubuntu-raspbian
+apt install -y curl debian-keyring debian-archive-keyring apt-transport-https
+curl 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' -o /etc/apt/trusted.gpg.d/caddy_repo_signing.asc
+curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' | tee /etc/apt/sources.list.d/caddy-stable.list
+apt update
+apt install caddy
diff --git a/other_sh_scripts/favourites.sh b/other_sh_scripts/favourites.sh
new file mode 100755
index 0000000..85ededc
--- /dev/null
+++ b/other_sh_scripts/favourites.sh
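Review bot: The backup tree created by `mkdir "${BACKUP_CWD}"` inherits the caller's umask, yet it receives tarballs of `/etc` and `/home`, every user's crontab and full `mysqldump` output, so under a default `022` umask other local users can read all of it; `umask 077` next to `set -e`, or `mkdir -m 700 "${BACKUP_CWD}"`, keeps the store private. The final `echo "$SCRIPT_RUN_DATE OK" >> /var/log/$0-run.log` uses the raw `$0`, which under the crontab line documented at the top (`bash /root/backup.sh`) expands to `/var/log//root/backup.sh-run.log` and fails; `${0##*/}` gives the bare script name. `mysqldump ... $DB` and `crontab -u $USER` leave the names unquoted; both come from local system sources here, but quoting them costs nothing and the `|| exit 1` after `mysqldump` already aborts the run before the cron backup is taken, which may or may not be intended.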
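Review bot: `curl ... -o /etc/apt/trusted.gpg.d/caddy_repo_signing.asc` installs the Caddy repository key as a globally trusted apt key, so it can vouch for packages from any configured repository rather than only the Caddy one; storing it under `/usr/share/keyrings/` and naming it with `[signed-by=...]` in the sources entry scopes the trust to that repo. `other_sh_scripts/php8.1-sury-install.sh` does the same with `/etc/apt/trusted.gpg.d/packages.sury.org.gpg`, and its `DEB_FMT='deb %s %s %s'` line is the natural place for a `deb [signed-by=/usr/share/keyrings/<keyring>] %s %s %s` variant; the identical curl lines are repeated in `caddy/README.debian.md`. Both `curl` key downloads also omit `-f`, so an HTTP error page would be written into the keyring file and `set -e` would not notice until `apt update` fails later; `curl -fsSL -o <keyring path> <key url>` makes the fetch itself fail fast. If the downloaded `debian.deb.txt` already carries a `signed-by=` option, it points at a keyring path this script never creates, which is worth checking before relying on the install.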
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+# Exit on error.
+# Because I've been grilled about not using this - phillw, I'm looking
+# at you ;) - No, you'll never escape this lmao.
+set -e
+
+LIST='rsync nano htop net-tools vnstat screen git curl coreutils chrony
+command-not-found'
+
+[[ ! "${1:-}" == "1" ]] && \
+ printf 'Install "%s?" - press ctrl+c to cancel\n' "$LIST" && read
+
+apt update
+
+for pkg in $LIST
+do
+ apt install -y "$pkg"
+done
diff --git a/other_sh_scripts/mariadb-add-user-db.sh b/other_sh_scripts/mariadb-add-user-db.sh
new file mode 100755
index 0000000..72a5a8d
--- /dev/null
+++ b/other_sh_scripts/mariadb-add-user-db.sh
@@ -0,0 +1,83 @@
+#!/bin/bash
+
+# Exit on error.
+set -e
+
+# Command we pipe to execute the sql.
+sql_cmd='mariadb -u root'
+
+# SQL to create the database.
+sql_create_db="CREATE DATABASE \`%s\`;"
+
+# SQL to create user.
+sql_create_user="CREATE USER IF NOT EXISTS '%s'@'%s' IDENTIFIED BY '%s';"
+
+# SQL grant usage.
+sql_grant_usage="GRANT USAGE ON *.* TO '%s'@'%s' IDENTIFIED BY '%s';"
+
+# SQL grant on users database.
+sql_grant_on_db="GRANT ALL privileges ON \`%s\`.* TO '%s'@'%s';"
+
+# SQL flush
+sql_flush='FLUSH PRIVILEGES;'
+
+DB_HOST='localhost'
+DB_USER=""
+DB_NAME=""
+DB_PASS=""
+DB_PASS_REP=""
+
+new_user() {
+
+ printf '(new) database user?\n' && read -t 120 DB_USER;
+
+ [[ ! "${DB_USER}" =~ ^[A-Za-z]{1}[A-Za-z0-9\_\-]+$ ]] && \
+ printf 'min 2 chars, A-z0-9_- allowed.. ' && new_user
+
+ return 0
+}
+
+new_db_name() {
+
+ printf '(new) database name?\n' && read -t 120 DB_NAME;
+
+ [[ ! "${DB_NAME}" =~ ^[A-Za-z]{1}[A-Za-z0-9\_\-]+$ ]] && \
+ printf 'min 2 chars, A-z0-9_- allowed.. ' && new_db_name
+
+ return 0
+}
+
+new_pass() {
+
+ printf 'password? (input hidden)\n' && read -st 120 DB_PASS;
+ printf 'password again?\n' && read -st 120 DB_PASS_REP;
+
+ [[ -z "$DB_PASS" ]] || [[ -z "$DB_PASS_REP" ]] && new_pass
+ [[ ! "$DB_PASS" == "$DB_PASS_REP" ]] && \
+ printf 'passwords do not match.. ' && new_pass
+
+ return 0
+
+}
+
+# Note: set -e requires the functions to return 0.
+new_db_name
+new_user
+new_pass
+
+# Create database.
+printf "$sql_create_db" "$DB_NAME" | $sql_cmd;
+
+# The user.
+printf "$sql_create_user" "$DB_USER" "${DB_HOST:-NONE}" \
+ "$DB_PASS" | $sql_cmd;
+
+# The grants.
+printf "$sql_grant_usage" "$DB_USER" "${DB_HOST:-NONE}" \
+ "$DB_PASS" | $sql_cmd;
+
+printf "$sql_grant_on_db" "$DB_NAME" "${DB_USER:-NONE}" \
+ "${DB_HOST:-NONE}" | $sql_cmd;
+
+printf "$sql_flush" | $sql_cmd;
+
diff --git a/other_sh_scripts/mariadb-install.sh b/other_sh_scripts/mariadb-install.sh
new file mode 100755
index 0000000..01f6665
--- /dev/null
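Review bot: `DB_PASS` is spliced unescaped into a single-quoted SQL literal by `printf "$sql_create_user" ...` and `printf "$sql_grant_usage" ...`, whereas `DB_USER` and `DB_NAME` are regex-checked in `new_user`/`new_db_name`; a password containing `'` or `\` breaks the statement, and because each statement runs as a separate `$sql_cmd` invocation after `CREATE DATABASE` has already succeeded, `set -e` then exits leaving a database with no working account. Escaping the value once before use keeps arbitrary passwords intact: `DB_PASS_SQL=${DB_PASS//\\/\\\\}` followed by `DB_PASS_SQL=${DB_PASS_SQL//\'/\'\'}`, then pass `"$DB_PASS_SQL"` where `"$DB_PASS"` is used today. `GRANT USAGE ... IDENTIFIED BY '%s'` re-sends the password although `CREATE USER` has already set it, so dropping that clause halves the places the secret is interpolated; a `# passwords are escaped for a single-quoted MariaDB literal` comment above the escaping would explain the two substitutions to the next reader.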
+++ b/other_sh_scripts/mariadb-install.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+# Exit on error.
+set -e
+
+# Simple "script" to install mariadb-server
+apt update && sudo apt install -y mariadb-server
+
+# After the install is done, run the security script.
+mysql_secure_installation
diff --git a/other_sh_scripts/nextcloud-sync.sh b/other_sh_scripts/nextcloud-sync.sh
new file mode 100755
index 0000000..e8c5022
--- /dev/null
+++ b/other_sh_scripts/nextcloud-sync.sh
@@ -0,0 +1,86 @@
+#!/bin/bash
+
+# Run this script with "(sudo) bash ".
+#
+# 0 2 * * * bash /root/nextcloud-sync.sh | tee /var/log/nextcloud.log > /dev/null 2>&1
+
+
+# Exit on error.
+#set -eux # debug on
+set -e
+
+# Timestamp
+DATE_STAMP=$(date '+%s')
+
+############ REMOTE
+# Host must have SSH keys setup.
+# Must have access to the below paths & access to the database.
+SSH_REMOTE_HOST='host'
+SSH_REMOTE_USER='root'
+
+# The user to run the _REMOTE_ nextcloud install uses.
+# For running commands etc.
+NEXTCLOUD_REMOTE_USER='nextcloud'
+NEXTCLOUD_REMOTE_DATABASE_NAME='nextcloud'
+
+# Paths.
+PHP_REMOTE_BIN='php'
+NEXTCLOUD_REMOTE_FILE_DATA='/nextcloud/data'
+NEXTCLOUD_REMOTE_FILE_ROOT='/var/www/nextcloud/htdocs'
+
+REMOTE_NC_MAINTENANCE_ON="ssh $SSH_REMOTE_USER@$SSH_REMOTE_HOST sudo -u $NEXTCLOUD_REMOTE_USER $PHP_REMOTE_BIN $NEXTCLOUD_REMOTE_FILE_ROOT/occ maintenance:mode --on"
+
+REMOTE_NC_MAINTENANCE_OFF="ssh $SSH_REMOTE_USER@$SSH_REMOTE_HOST sudo -u $NEXTCLOUD_REMOTE_USER $PHP_REMOTE_BIN $NEXTCLOUD_REMOTE_FILE_ROOT/occ maintenance:mode --off"
+
+REMOTE_DB_CREATE_DUMP="ssh $SSH_REMOTE_USER@$SSH_REMOTE_HOST mysqldump --single-transaction $NEXTCLOUD_REMOTE_DATABASE_NAME > /tmp/nextcloud-$DATE_STAMP.sql"
+
+############ LOCAL
+NEXTCLOUD_USER='nextcloud'
+NEXTCLOUD_DATABASE_NAME='nextcloud'
+
+# Paths.
+PHP_BIN='php'
+NEXTCLOUD_FILE_DATA='/nextcloud/data'
+NEXTCLOUD_FILE_ROOT='/var/www/nextcloud/htdocs'
+
+NC_MAINTENANCE_ON="sudo -u $NEXTCLOUD_USER $PHP_BIN $NEXTCLOUD_FILE_ROOT/occ maintenance:mode --on"
+
+NC_MAINTENANCE_OFF="sudo -u $NEXTCLOUD_USER $PHP_BIN $NEXTCLOUD_FILE_ROOT/occ maintenance:mode --off"
+
+GET_DB_DUMP_FROM_REMOTE="rsync --progress -Aavx $SSH_REMOTE_USER@$SSH_REMOTE_HOST:/tmp/nextcloud-$DATE_STAMP.sql /tmp/nextcloud-$DATE_STAMP.sql"
+
+GET_DATA_FILES_FROM_REMOTE="rsync --progress -Aavx $SSH_REMOTE_USER@$SSH_REMOTE_HOST:$NEXTCLOUD_REMOTE_FILE_DATA/.
$NEXTCLOUD_FILE_DATA"
+
+GET_NC_FILES_FROM_REMOTE="rsync --progress -Aavx $SSH_REMOTE_USER@$SSH_REMOTE_HOST:$NEXTCLOUD_REMOTE_FILE_ROOT/. $NEXTCLOUD_FILE_ROOT"
+
+#########
+
+# Enable remote MAINTENANCE mode.
+${REMOTE_NC_MAINTENANCE_ON}
+
+# Make remote dump.
+${REMOTE_DB_CREATE_DUMP}
+
+# Enable local MAINTENANCE mode.
+${NC_MAINTENANCE_ON}
+
+# Sync nc files.
+${GET_NC_FILES_FROM_REMOTE}
+
+# Sync files.
+${GET_DATA_FILES_FROM_REMOTE}
+
+# Get database dump.
+${GET_DB_DUMP_FROM_REMOTE}
+
+# Disable remote MAINTENANCE mode.
+${REMOTE_NC_MAINTENANCE_OFF}
+
+# Restore database dump.
+# You can't script this due to the redirection.
+mysql $NEXTCLOUD_DATABASE_NAME < /tmp/nextcloud-$DATE_STAMP.sql && rm /tmp/nextcloud-$DATE_STAMP.sql
+
+# Disable local MAINTENANCE mode.
+${NC_MAINTENANCE_OFF}
+
+echo "$DATE_STAMP OK" >> /var/log/nc-sync.log
diff --git a/other_sh_scripts/php8.1-sury-install.sh b/other_sh_scripts/php8.1-sury-install.sh
new file mode 100755
index 0000000..3f0a70b
--- /dev/null
+++ b/other_sh_scripts/php8.1-sury-install.sh
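Review bot: Every step after `${REMOTE_NC_MAINTENANCE_ON}` runs under `set -e`, so a failed `rsync` or `mysqldump` exits the script with the remote Nextcloud (and, once `${NC_MAINTENANCE_ON}` has run, the local one too) left in maintenance mode until someone notices; an `EXIT` trap that turns both off, shown below, restores availability on every failure path and leaves the existing explicit `..._MAINTENANCE_OFF` lines as harmless repeats on the success path. The remote dump is written to `/tmp/nextcloud-$DATE_STAMP.sql` on the remote host with the default umask and is never deleted there, so a copy of the Nextcloud database (password hashes, share tokens, app secrets) lingers in a shared directory after each run; prefixing the remote command with a restrictive umask and removing the remote file once `${GET_DB_DUMP_FROM_REMOTE}` has succeeded would close that. The comment `# You can't script this due to the redirection.` on the restore line reads as if the redirection cannot be put in a variable; it can be, as `REMOTE_DB_CREATE_DUMP` relies on for the remote side, so rewording it to `# Local redirection, so this stays a literal command rather than a variable.` would avoid confusing the next reader.

```shell
#########

# Leave neither install stuck in maintenance mode if anything below fails.
cleanup() {
    ${REMOTE_NC_MAINTENANCE_OFF} || true
    ${NC_MAINTENANCE_OFF} || true
}
trap cleanup EXIT

# Enable remote MAINTENANCE mode.
${REMOTE_NC_MAINTENANCE_ON}

# … unchanged: dump, sync, restore and maintenance-off steps …
```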
@@ -0,0 +1,37 @@
+#!/bin/bash
+
+# Run this script with "(sudo) bash ".
+
+# Exit on error.
+set -e
+
+# We'll use the debian binaries provided by sury.org, we need some
+# packages to add the repo.
+#
+# Most of this is taken from https://packages.sury.org/php/README.txt
+# but I've modified one or two lines.
+apt install -y apt-transport-https lsb-release ca-certificates curl
+
+# PHP packages to install.
+PHP_PKGS='php8.1-fpm php8.1-readline php8.1-mbstring php8.1-gd php8.1-curl php8.1-zip php8.1-mysql php8.1-dom'
+
+# Apt format.
+DEB_FMT='deb %s %s %s'
+
+# Repo URL.
+DEB_URL='https://packages.sury.org/php/'
+DEB_KEY_URL='https://packages.sury.org/php/apt.gpg'
+
+# Distro codename.
+DISTRO_CODE="$(lsb_release -sc)"
+
+REPO_SUITE='main'
+
+curl -o /etc/apt/trusted.gpg.d/packages.sury.org.gpg "${DEB_KEY_URL:-}"
+
+printf "${DEB_FMT:-}\n" "$DEB_URL" "$DISTRO_CODE" "$REPO_SUITE" |
+ tee /etc/apt/sources.list.d/php-packages.sury.list
+
+apt update
+
+apt install -y $PHP_PKGS
diff --git a/other_sh_scripts/site-dirs.sh b/other_sh_scripts/site-dirs.sh
new file mode 100755
index 0000000..bfed443
--- /dev/null
+++ b/other_sh_scripts/site-dirs.sh
@@ -0,0 +1,79 @@
+#!/bin/bash
+
+# Run this script with "(sudo) bash ".
+
+# Exit on error.
+set -e
+
+UNDER_PATH=${1:-`pwd`}
+OWNER=${2:-www-data}
+OWNER_GROUP=${3:-`id -gn $OWNER`}
+
+PRIVATE_DIRS="data tmp sessions"
+PUBLIC_DIRS="public"
+
+printf 'Create site directories in "%s" owned by "%s" with group "%s"...
+
+Is this correct?
+
+OK = cd /var/www && sudo bash %s ./mysite.com
+OK = sudo bash %s /var/www/mysite.com
+AVOID = sudo bash %s /var/www/mysite.com/site2.com
+
+ & are optional, both default to www-data user/group.
+
+The parent directory must already exist, this script will NOT
+recursively create directories.
+
+Press ctrl+c to cancel or enter to continue...' \
+"$UNDER_PATH" "$OWNER" "$OWNER_GROUP" "$0" "$0" "$0"
+read
+
+[[ "$UNDER_PATH" == "/" ]] && (
+ printf "Do you really want to create this folder in your root path?
+
+Press ctrl+c to cancel or hit enter to confirm...
+" \
+ "$UNDER_PATH"
+ read
+)
+
+[[ -z "$OWNER_GROUP" ]] && (
+ printf '\nNo group for user "%s"!
+' "$OWNER"
+ exit 1
+)
+
+printf 'Creating folders with user "%s" and group "%s"...
+' "$OWNER" "$OWNER_GROUP"
+
+mkdir "$UNDER_PATH"
+cd "$UNDER_PATH"
+
+mkdir ".test"
+chown "$OWNER":"$OWNER_GROUP" .test || (
+ printf 'Failed change permissions of test folder :(.
+
+-> Check the user and/or group exist!
+-> You may need to be root or use sudo to run this script.
+'
+ exit 1
+ )
+
+[[ -d ".test" ]] && rm -R ".test"
+
+# Create the private & public folders then set permissions...
+for private_folder in $PRIVATE_DIRS; do
+ mkdir -v "$private_folder"
+ chown -v "$OWNER":"$OWNER_GROUP" "$private_folder"
+ chmod -cR 750 "$private_folder"
+ chmod -cR u+s,g+s,o+s "$private_folder"
+done
+
+for public_folder in $PUBLIC_DIRS; do
+ mkdir -v "$public_folder"
+ chown -v "$OWNER":"$OWNER_GROUP" "$public_folder"
+ chmod -cR 755 "$public_folder"
+ chmod -cR u+s,g+s,o+s "$public_folder"
+done
+
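Review bot: The default `UNDER_PATH=${1:-`pwd`}` can never succeed: the directory it names already exists, so the later `mkdir "$UNDER_PATH"` fails and `set -e` aborts only after the user has answered both prompts. Requiring the argument up front, `UNDER_PATH=${1:?usage: $0 DIR [OWNER] [GROUP]}`, fails before anything is touched and matches the usage text printed a few lines later. The two `chmod -cR u+s,g+s,o+s` lines also set the setuid bit on every directory created (ignored by Linux on directories, but it trips audit tools that hunt for setuid) and `o+s` has no effect for the others class; the group-inheritance the script wants comes from `g+s` alone, so `chmod -c g+s "$private_folder"` says what is meant.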
diff --git a/other_sh_scripts/sshd-enable-sftp.sh b/other_sh_scripts/sshd-enable-sftp.sh
new file mode 100755
index 0000000..a9b2de8
--- /dev/null
+++ b/other_sh_scripts/sshd-enable-sftp.sh
@@ -0,0 +1,32 @@
+#!/bin/bash
+
+# Run this script with "(sudo) bash ".
+
+# Exit on error.
+set -e
+
+# sftp group to create/use
+SFTP_GROUP='sftp'
+
+if [[ ! -z "$1" ]]; then
+ usermod -aG "$SFTP_GROUP" "$1"
+else
+ # Add sftp group.
+ addgroup ${SFTP_GROUP:-sftp} || true
+
+cat << EOF > /etc/ssh/sshd_config.d/sftp.conf
+Match Group ${SFTP_GROUP:-sftp}
+ PasswordAuthentication yes
+ ChrootDirectory %h
+ X11Forwarding no
+ AllowTcpForwarding no
+ ForceCommand internal-sftp
+
+Match all
+EOF
+
+systemctl restart sshd
+
+printf 'Call this script with a user to add them to the sftp group.\n'
+
+fi
diff --git a/other_sh_scripts/sshd-limit-passwords.sh b/other_sh_scripts/sshd-limit-passwords.sh
new file mode 100755
index 0000000..de43864
--- /dev/null
+++ b/other_sh_scripts/sshd-limit-passwords.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+# Run this script with "(sudo) bash ".
+
+# Exit on error.
+set -e
+
+# This is just a simple echo & a restart.
+# NOTE: This will not stop passwords (for some users) if another config
+# drop-in overrides it e.g, match group/users etc.
+echo "PasswordAuthentication no" > \
+ /etc/ssh/sshd_config.d/10-PasswordAuthentication.conf
+
+systemctl restart sshd
diff --git a/other_sh_scripts/systemd-network-enable-default-dhcp.sh b/other_sh_scripts/systemd-network-enable-default-dhcp.sh
new file mode 100755
index 0000000..36d2f50
--- /dev/null
+++ b/other_sh_scripts/systemd-network-enable-default-dhcp.sh
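Review bot: `ChrootDirectory %h` only works when each sftp user's home directory is owned by root and is neither group- nor world-writable; otherwise sshd rejects the login with a "bad ownership or modes" error, and nothing in this script (neither the group setup nor the `usermod -aG` path) checks or establishes that. A comment above the heredoc such as `# NOTE: %h must be root-owned and not group/world writable or sshd refuses the chroot` would at least document the precondition. Both this script and sshd-limit-passwords.sh restart sshd straight after writing a drop-in without validating it; `sshd -t && systemctl restart sshd` keeps a typo in the heredoc from leaving the daemon unable to start. `PasswordAuthentication yes` inside the Match block intentionally re-enables passwords for the sftp group even after sshd-limit-passwords.sh disables them globally, which the other script's NOTE only hints at; naming that interaction in a comment here would spare the next reader a surprise.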
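Review bot: Disabling password logins with no precondition check is an easy way to lock yourself out of a remote box; the `yes` confirmation argument used in systemd-network-enable-default-dhcp.sh, or a check that the invoking user (`$SUDO_USER` when run through sudo) has a non-empty authorized_keys file, would be cheap insurance before the `echo`. On OpenSSH builds where keyboard-interactive is enabled, PAM can still present a password prompt with PasswordAuthentication off, so the drop-in should also carry `KbdInteractiveAuthentication no` (`ChallengeResponseAuthentication no` on releases before 8.7).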
@@ -0,0 +1,51 @@
+#!/bin/bash
+
+# Run this script with "(sudo) bash ".
+
+# Exit on error.
+set -e
+
+[[ ! "$1" == "yes" ]] && (
+ printf "
+ This script modifies networking and will reboot your system!
+ Please ensure you have backup access.
+
+ DO NOT USE THIS IF YOU HAVE NO DHCP OR NEED STATIC IP ADDRESSING!!
+
+ To confirm, please re-run this script with \"yes\"
+
+ \"%s yes\".\n" "$0"
+ exit 1;
+)
+
+# Enable systemd-resolved & link stub-resolv.conf.
+systemctl enable --now systemd-resolved
+
+ln -sf /var/run/systemd/resolve/stub-resolv.conf /etc/resolv.conf
+
+cat << EOF > /etc/systemd/network/10-default-dhcp.network
+[Match]
+Name=*
+
+[Network]
+DHCP=yes
+
+DNSOverTLS=opportunistic
+
+DNS=1.1.1.1
+
+DNS=1.0.0.1
+
+# Link discovery causes some issues so disable it.
+LLDP=no
+EOF
+
+# Before rebooting ensure old networking isn't started on boot.
+systemctl disable networking
+systemctl enable systemd-networkd
+
+# Final warning.
+printf 'Rebooting in 30 seconds, hit ctrl+c to cancel.\n'
+sleep 30;
+
+halt --reboot
diff --git a/other_sh_scripts/toggle-motd.sh b/other_sh_scripts/toggle-motd.sh
new file mode 100755
index 0000000..f088582
--- /dev/null
+++ b/other_sh_scripts/toggle-motd.sh
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+# Run this script with "bash ".
+
+# Exit on error.
+set -e
+
+FILE='/etc/motd'
+DISABLED_EXT='disabled'
+
+if [ -f "${FILE:-/tmp/none}.${DISABLED_EXT:-/oops}" ]; then
+ mv -v "${FILE:-/tmp/none}.${DISABLED_EXT:-/oops}" \
+ "${FILE:-/tmp/none}"
+else
+ mv -v "${FILE:-/tmp/none}" \
+ "${FILE:-/tmp/none}.${DISABLED_EXT:-/oops}"
+fi
diff --git a/php/7.4/fpm/pool.d/localhost.conf.example b/php/7.4/fpm/pool.d/localhost.conf.example
new file mode 100755
index 0000000..914734d
--- /dev/null
+++ b/php/7.4/fpm/pool.d/localhost.conf.example
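Review bot: The generated `10-default-dhcp.network` matches `Name=*` and sorts before every other .network file in this repository, and systemd-networkd applies only the first .network file whose [Match] fits an interface, so once it is installed 30-wwan0, 60-wlan0, 71-wgs0 and 81-wg0 are never consulted and the WireGuard interfaces would be put on DHCP instead of their static addresses. Either narrow the match (`Name=en* eth*`) or number the catch-all last (`99-default-dhcp.network`) so the device-specific files win. The `( ... exit 1; )` subshell only stops the script because it is the last command of an `&&` list under `set -e`; a plain `if [[ "$1" != "yes" ]]; then ... exit 1; fi` does not depend on that rule and reads as intended.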
@@ -0,0 +1,65 @@
+; Change this to match your domain/sub-domain (don't include www.).
+[localhost]
+
+; Change the following lines to match your site user & group.
+; you can run id -gn the_user_name_here to find out the group.
+
+; You only need to change this if you have your site folders/files
+; owned by a different user.
+user = www-data
+group = www-data
+
+; This group must match your server group.
+; The default www-data usually works fine provided your server software
+; is in that group (it usually is).
+listen.group = www-data
+
+; Best to keep this as root.
+listen.owner = root
+
+; The $pool value is replaced with whatever you've entered in the
+; section header [site.com] above.
+; Your webserver needs to be setup to talk to the socket at this
+; location.
+listen = /run/php/$pool.sock
+
+; Be sure to change these path values to match where your sites are.
+; Leave the /$pool bit where it is.
+; You only need to change /var/www/ to where you've placed your sites.
+; e.g you have your sites in /var/srv, you'd enter /var/srv/$pool.
+;
+; Remember to change all the paths (if you need to)!!
+prefix = /var/www/$pool
+
+; session save_path needs a full path value.
+php_admin_value[session.save_path] = $prefix/sessions
+
+; These also need full path values.
+env[TMP] = $prefix/tmp
+env[TMPDIR] = $prefix/tmp
+env[TEMP] = $prefix/tmp
+
+; You generally don't need to edit anything else below this line.
+
+listen.mode = 0660
+
+php_admin_value[open_basedir] = $prefix:/usr/share/php:/etc/ssl/certs
+
+php_admin_value[disable_functions] = dl,exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source
+php_admin_value[sendmail_path] = /usr/sbin/sendmail -t -i -f noreply@$pool
+php_admin_value[memory_limit] = 256M
+php_admin_value[upload_max_filesize] = 100M
+php_admin_value[upload_tmp_dir] = $prefix/tmp
+php_admin_value[error_log] = $prefix/tmp/php-error.log
+php_admin_flag[log_errors] = on
+php_flag[display_errors] = off
+
+access.log = $prefix/tmp/php-access.log
+access.format = "[%t] %m %{REQUEST_SCHEME}e://%{HTTP_HOST}e%{REQUEST_URI}e %f pid:%p took:%ds mem:%{mega}Mmb cpu:%C%% status:%s {%{REMOTE_ADDR}e|%{HTTP_X_FORWARDED_FOR}e|%{HTTP_USER_AGENT}e}"
+
+pm = ondemand
+pm.max_children = 100
+pm.process_idle_timeout = 600s
+pm.max_requests = 1000
+catch_workers_output = yes
+
diff --git a/php/README.debian.md b/php/README.debian.md
new file mode 100755
index 0000000..e7d1c17
--- /dev/null
+++ b/php/README.debian.md
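Review bot: `php_flag[display_errors] = off` can be switched back on by the site itself through ini_set() or a .user.ini, because only `php_admin_*` settings are locked against that; the rest of this block already uses `php_admin_value`/`php_admin_flag`, so `php_admin_flag[display_errors] = off` is the consistent form and keeps stack traces, paths and query text out of responses. With `pm.max_children = 100` and `memory_limit = 256M` one pool can be driven to claim tens of gigabytes under load; sizing max_children from the host's RAM (or lowering memory_limit) bounds that. A short comment on `disable_functions` saying why curl_exec/curl_multi_exec are included (they are commonly needed by application code) would save the next site owner from silently breaking a dependency.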
@@ -0,0 +1,96 @@
+# PHP
+
+Installing PHP on Debian is easy as...
+
+```
+apt install php-fpm php-readline php-mbstring php-gd \
+php-curl php-zip php-mysql php-dom php-json php-pdo php-fileinfo \
+php-bz2 php-intl php-gmp php-apcu php-pear php-cli php-imagick
+```
+
+If you need a newer version, use the sury.org repos, take
+a look at [this readme](https://packages.sury.org/php/README.txt) or
+use the `php8.1-sury-install.sh` script in this directory...
+
+```
+sudo bash php8.1-sury-install.sh
+```
+
+---
+
+Now you have php installed you need to copy the `localhost.conf.example`
+file (See [notes 1](#Notes)) in this directory to where your php-fpm
+pool files are.
+
+**If you have multiple PHP versions installed you'll need to pick the
+version you want your site to run on.**
+
+So, for PHP-FPM 7.4 using the example file...
+
+```
+cp -v localhost.conf.example /etc/php/7.4/fpm/pool.d/yoursite.com.conf
+```
+
+For PHP 8.1...
+
+```
+cp -v localhost.conf.example /etc/php/8.1/fpm/pool.d/yoursite.com.conf
+```
+
+**You'll need to rename and modify the values (within the copied file)
+to match your site. I've left the main things to change at the top
+of the config file.**
+
+
+---
+
+Got your config modified and sorted? Great! Now we need to restart
+php-fpm. This varies depending on your version, but just you change
+the PHP version number in the command below...
+
+For 7.4...
+
+```
+systemctl restart php7.4-fpm
+```
+
+And 8.1...
+
+```
+systemctl restart php8.1-fpm
+```
+
+fpm is now ready to serve your php files via the socket
+`/run/php/yoursite.com.sock`. You'll need to configure your webserver to
+send any PHP requests along to it. If you're using Caddy with my
+Caddyfile you're already set.
+
+TIP: You can use `systemctl status php7.4` to check for errors!
+
+## Disabling configurations & what about `www.conf`?
+
+The included `www.conf` won't hurt and can be left alone, although if
+you want to disable it, just rename it to `www.conf.disabled`. You can
+do the same for any other configs you don't want used...
+
+```
+cd /etc/php/7.4/fpm/pool.d/
+mv -v www.conf www.conf.disabled
+```
+
+And to enable it again...
+
+```
+cd /etc/php/7.4/fpm/pool.d/
+mv -v www.conf.disabled www.conf
+```
+
+PHP-FPM needs to be reloaded, you can do that with...
+
+```
+systemctl reload php7.4-fpm
+```
+
+## Notes
+
+[1] It's a symlink to the one I use with 7.4. It works fine on PHP 8.1.
diff --git a/php/php-7.4-install.sh b/php/php-7.4-install.sh
new file mode 100755
index 0000000..5281bd9
--- /dev/null
+++ b/php/php-7.4-install.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+# Run this script with "(sudo) bash ".
+
+# Exit on error.
+set -e
+
+apt install apt install php-fpm php-readline php-mbstring php-gd \
+php-curl php-zip php-mysql php-dom php-json php-pdo php-fileinfo \
+php-bz2 php-intl php-gmp php-apcu php-pear php-cli php-imagick
+
+mv -v /etc/php/7.4/fpm/pool.d/www.conf /etc/php/7.4/fpm/pool.d/www.conf.disabled
+
+systemctl restart php7.4-fpm
diff --git a/systemd/network/10-eth0.network b/systemd/network/10-eth0.network
new file mode 100755
index 0000000..30838e8
--- /dev/null
+++ b/systemd/network/10-eth0.network
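Review bot: The install line reads `apt install apt install php-fpm ...`: the duplicated words become two extra package names, and because no package called `install` exists apt aborts and `set -e` stops the script before anything is installed. It should be `apt install -y php-fpm php-readline php-mbstring php-gd \` (with `-y`, as php8.1-sury-install.sh already uses, so an unattended run does not hang on the prompt). The `mv -v .../www.conf ...` also fails on a second run once the file has been renamed; guarding it with `[[ -f /etc/php/7.4/fpm/pool.d/www.conf ]] &&` makes the script re-runnable.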
@@ -0,0 +1,53 @@
+[Match]
+Name=eth0
+
+## Only use one of these blocks!!
+
+### DHCP (default most want)
+[Network]
+DHCP=yes
+
+DNSOverTLS=opportunistic
+
+DNS=1.1.1.1
+
+DNS=1.0.0.1
+
+# Link discovery causes some issues so disable it.
+LLDP=no
+
+## dhcp config end
+
+## LAN
+# Uncomment all below if you want to use eth0 as a lan network.
+#[Network]
+# IP address range.
+#Address=192.168.156.1/24
+
+# Packet forwarding.
+#IPForward=yes
+
+# Masquerade.
+#IPMasquerade=both
+
+# Link discovery causes some issues so disable it.
+#LLDP=no
+
+#[DHCPServer]
+
+# Lease time
+#DefaultLeaseTimeSec=300
+
+# DNS to serve
+#DNS=1.1.1.1
+#DNS=1.0.0.1
+
+# Enable serving of DHCP addresses from the network range.
+#DHCPServer=yes
+
+# Below not supported systemd < 250
+#[DHCPServerStaticLease]
+#MACAddress=xx:xx:xx:xx:xx:xx
+#Address=192.168.156.2
+
+## lan end
diff --git a/systemd/network/30-wwan0.network b/systemd/network/30-wwan0.network
new file mode 100755
index 0000000..8f7d55c
--- /dev/null
+++ b/systemd/network/30-wwan0.network
@@ -0,0 +1,19 @@
+[Match]
+Name=wwan0
+
+[Network]
+DHCP=yes
+
+DNSOverTLS=opportunistic
+
+DNS=1.1.1.1
+
+DNS=1.0.0.1
+
+# Link discovery causes some issues so disable it.
+LLDP=no
+
+[DHCP]
+# Make sure connection/route is chosen last!
+RouteMetric=2048
+
diff --git a/systemd/network/50-usb0.network b/systemd/network/50-usb0.network
new file mode 100755
index 0000000..adbc2ba
--- /dev/null
+++ b/systemd/network/50-usb0.network
@@ -0,0 +1,14 @@
+[Match]
+Name=usb0
+
+[Network]
+DHCP=yes
+
+DNSOverTLS=opportunistic
+
+DNS=1.1.1.1
+
+DNS=1.0.0.1
+
+# Link discovery causes some issues so disable it.
+LLDP=no
diff --git a/systemd/network/60-wlan0.network b/systemd/network/60-wlan0.network
new file mode 100755
index 0000000..8dc88b5
--- /dev/null
+++ b/systemd/network/60-wlan0.network
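Review bot: In the commented LAN block, `#DHCPServer=yes` sits under `#[DHCPServer]`, but `DHCPServer=` is a `[Network]` key; uncommented as written, networkd logs an unknown-key warning and the server is never started, while `DefaultLeaseTimeSec=` and `DNS=` above it are the genuine [DHCPServer] options. Move that line up next to `#IPMasquerade=both` under `#[Network]`. The DHCP-plus-DoT block here is repeated verbatim in 30-wwan0, 50-usb0, 60-wlan0 and the file generated by systemd-network-enable-default-dhcp.sh; in all of them the resolvers handed out by DHCP are still merged alongside 1.1.1.1 unless `[DHCP]` `UseDNS=no` is set, so if the static resolvers are meant to be the only ones, that line is missing everywhere.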
@@ -0,0 +1,15 @@
+# Requires /etc/wpa_supplicant/wpa_supplicant-wlan0.conf to exist.
+[Match]
+Name=wlan0
+
+[Network]
+DHCP=yes
+
+DNSOverTLS=opportunistic
+
+DNS=1.1.1.1
+
+DNS=1.0.0.1
+
+# Link discovery causes some issues so disable it.
+LLDP=no
diff --git a/systemd/network/70-wgs0.netdev b/systemd/network/70-wgs0.netdev
new file mode 100755
index 0000000..2dead1e
--- /dev/null
+++ b/systemd/network/70-wgs0.netdev
@@ -0,0 +1,41 @@
+[NetDev]
+Name=wgs0
+
+Description=Wireguard Server Peer
+
+Kind=wireguard
+
+[WireGuard]
+
+# Port to listen on.
+ListenPort=500
+
+# I usually set this to the port number above it's not really needed
+# but useful for firewalls.
+FirewallMark=500
+
+# The Base64 encoded private key for the interface. It can be generated
+# using the wg genkey command (see wg(8)). This option or
+# PrivateKeyFile= is mandatory to use WireGuard. Note that because this
+# information is secret, you may want to set the permissions of the
+# .netdev file to be owned by "root:systemd-network" with a "0640" file
+# mode.
+PrivateKey=
+
+# Public key for the above private key. Only here as a reminder.
+# systemd will ignore if uncommented.
+#PublicKey=
+
+# Your Peers.
+[WireGuardPeer]
+
+# Base64 encoded public key calculated by wg pubkey (see wg(8)) from a
+# private key, and usually transmitted out of band to the author of the
+# configuration file. This option is mandatory for this section.
+PublicKey=
+
+# Comma-separated list of IP addresses with CIDR masks from which this
+# peer is allowed to send incoming traffic and to which outgoing traffic
+# for this peer is directed.
+AllowedIPs=10.0.0.1.2/32
+
diff --git a/systemd/network/71-wgs0.network b/systemd/network/71-wgs0.network
new file mode 100755
index 0000000..ac3de3c
--- /dev/null
+++ b/systemd/network/71-wgs0.network
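Review bot: `AllowedIPs=10.0.0.1.2/32` is not a valid address (five octets), so networkd will log and ignore it and the server peer is left with no AllowedIPs, meaning no client traffic is accepted or routed to it. The client side in 81-wg0.network uses `Address=10.0.0.2/24`, so this is presumably meant to be `AllowedIPs=10.0.0.2/32`. The header comment already explains that `PrivateKey=` makes the file's ownership and 0640 mode matter; `PrivateKeyFile=` pointing at a 0600 file under /etc/systemd/network/ is the option that makes that property hold without relying on a later chmod, and is worth using in the example (the same applies to 80-wg0.netdev). `ListenPort=500` also collides with IKE/ISAKMP's well-known UDP port, which some middleboxes treat specially; a high unprivileged port avoids that.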
@@ -0,0 +1,17 @@
+# Needs netdev for wgs0, wireguard & wireguard-tools installed to work.
+[Match]
+Name=wgs0
+
+[Network]
+# Packet forwarding.
+IPForward=yes
+
+# Link discovery causes some issues so disable it.
+LLDP=no
+
+# IPv4
+[Network]
+
+Address=10.0.0.1/24
+
+IPMasquerade=yes
diff --git a/systemd/network/80-wg0.netdev b/systemd/network/80-wg0.netdev
new file mode 100755
index 0000000..4641610
--- /dev/null
+++ b/systemd/network/80-wg0.netdev
@@ -0,0 +1,42 @@
+[NetDev]
+Name=wg0
+
+Description=Wireguard Client Peer
+
+Kind=wireguard
+
+[WireGuard]
+
+# I usually set this to the port number of the main peer it's not really
+# needed but useful for firewalls.
+FirewallMark=500
+
+# The Base64 encoded private key for the interface. It can be generated
+# using the wg genkey command (see wg(8)). This option or
+# PrivateKeyFile= is mandatory to use WireGuard. Note that because this
+# information is secret, you may want to set the permissions of the
+# .netdev file to be owned by "root:systemd-network" with a "0640" file
+# mode.
+PrivateKey=
+
+# Public key for the above private key. Only here as a reminder.
+#PublicKey=
+
+
+# Your Peers.
+[WireGuardPeer]
+
+# Base64 encoded public key calculated by wg pubkey (see wg(8)) from a
+# private key, and usually transmitted out of band to the author of the
+# configuration file. This option is mandatory for this section.
+PublicKey=
+
+# Comma-separated list of IP addresses with CIDR masks from which this
+# peer is allowed to send incoming traffic and to which outgoing traffic
+# for this peer is directed.
+AllowedIPs=0.0.0.0/0, ::/0
+
+PersistentKeepalive=20
+
+# Endpoint of a peer (for clients).
+#Endpoint=:
diff --git a/systemd/network/81-wg0.network b/systemd/network/81-wg0.network
new file mode 100755
index 0000000..cd50f4e
--- /dev/null
+++ b/systemd/network/81-wg0.network
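Review bot: `IPMasquerade=yes` is the pre-248 spelling; current networkd accepts it as `ipv4` but logs a deprecation warning, and 10-eth0.network in the same commit already uses the new `both` form, so `IPMasquerade=ipv4` keeps the two files consistent. Together with `IPForward=yes` this turns the host into a NAT router for whatever the peers send, which for a server peer is the intent but is decided by the peers' `AllowedIPs=` in 70-wgs0.netdev rather than anything here; a one-line comment, `# Forwards and NATs everything the peers' AllowedIPs permit`, ties the two files together for the next reader.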
@@ -0,0 +1,12 @@
+# Needs wg0.netdev & wireguard & wireguard-tools installed to work.
+
+[Match]
+Name=wg0
+
+[Address]
+Address=10.0.0.2/24
+
+[Route]
+Gateway=10.0.0.1
+
+GatewayOnlink=true
diff --git a/systemd/network/README.md b/systemd/network/README.md
new file mode 100755
index 0000000..d98d987
--- /dev/null
+++ b/systemd/network/README.md
@@ -0,0 +1,46 @@
+# Usage
+
+Copy the device files that you need to `/etc/systemd/network/`.
+
+Be sure the file-names, folders and configuration values (within the files) are changed to match your devices ([note 1](#Notes)). Wifi (wlan) devices also need wpa_supplicant configured to work.
+
+## Example
+
+Say I have eth0 and want network access (and an IP via DHCP) from my router; I would do the following...
+
+```
+sudo -s # Drop to root.
+cp -rv 10-eth0* /etc/systemd/network/ # Copy the files.
+
+systemctl enable --now systemd-networkd # Enable networkd now.
+
+networkctl reload # Reload the configuration.
+
+networkctl status # Check the log for any errors.
+```
+
+If there are NO **and I mean NO errors** from the commands above...
+
+```
+networkctl reconfigure eth0 # Tell networkd to reconfigure the device.
+
+mv /etc/network/ /etc/network.disabled/ Move the old network configuration.
+
+reboot # Restart to be sure.
+```
+
+## Enabling systemd-resolved
+
+I like to use systemd-resolved for DNS..
+
+```
+sudo -s # Drop to root.
+
+ln -sfv /var/run/systemd/resolve/stub-resolv.conf /etc/resolv.conf # Create a symlink.
+
+systemctl enable --now systemd-resolved # Enable resolved now.
+```
+
+## Notes
+
+**1**: This is very important otherwise things won't work. For example, if you have eth1 and not eth0 you'll have to copy and/or rename `eth0.network` to `eth1.network`. Check, and then check again.
diff --git a/systemd/network/wwan-simcom7600.md b/systemd/network/wwan-simcom7600.md
new file mode 100755
index 0000000..6a465aa
--- /dev/null
+++ b/systemd/network/wwan-simcom7600.md
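Review bot: The `[Route]` section has `Gateway=10.0.0.1` with no `Destination=`, which installs a default route over wg0, and 80-wg0.netdev pairs that with `AllowedIPs=0.0.0.0/0, ::/0` and `FirewallMark=500`; as far as I can tell nothing routes mark-500 packets around that default route (no `[RoutingPolicyRule]` here), so once the route is up WireGuard's own encapsulated packets to the endpoint may be sent back into the tunnel unless a more specific route to the endpoint exists on the physical interface. Worth confirming on a real link before this example is copied; if a full tunnel is intended, a comment stating the endpoint-route requirement would save others the same debugging. The first comment line also says "wg0.netdev & wireguard & wireguard-tools" where 71-wgs0.network phrases the same dependency differently; matching the wording keeps the two examples parallel.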
@@ -0,0 +1,51 @@
+# SIMCOM 7600G modem On A Raspberry Pi 4
+
+This is using [The Waveshare 4G dongle from ThePiHut][4G Dongle].
+
+**A warning about power**
+
+No matter which mode used USB disconnects were frequent, mostly when
+moving the device. I incorrectly assumed the default mode QMI was
+causing the issue, but it was the modem drawing more current
+(than the Pi 4 could supply) to latch/keep connected onto a 4G mast.
+This was with the official Raspberry Pi UK 5.1v 3a power supply too.
+
+The current method I use to power both the Pi 4 & modem is via this
+[USB Hub]. There is a warning at first boot about the device not
+responding but after a automatic bus reset it is fine and works as
+expected.
+
+## Switching Modes
+
+The modem has many modes (see the [PDF Manual] pages 50-51), You can use
+the mode you prefer. I recommend the USB standard MBIM mode or QMI if
+you have issues.
+
+### USB Mode
+
+Connect to SIMCOM7600 AT com port using minicom...
+```
+apt install minicom
+
+minicom -D /dev/ttyUSB2
+```
+
+In minicom get default mode (to revert later if needed)...
+```
+AT+CUSBPIDSWITCH
+```
+
+Set USB mode...
+
+```
+AT+CUSBPIDSWITCH=9011,1,1
+```
+
+After the device has rebooted connect to minicom again & issue...
+```
+AT+CLANMODE=1
+```
+
+[PDF Manual]: https://usermanual.wiki/m/e87a5540256c1ed0390232e8663c1f46570ff85b21c470d98dce792ecedd3525.pdf
+[USB Hub]: https://smile.amazon.co.uk/gp/product/B08K3GFD3Q
+[4G Dongle]: https://thepihut.com/products/sim7600g-h-4g-usb-dongle
diff --git a/systemd/system/lan-http-proxy.service b/systemd/system/lan-http-proxy.service
new file mode 100755
index 0000000..a792be5
--- /dev/null
+++ b/systemd/system/lan-http-proxy.service
@@ -0,0 +1,9 @@
+[Unit]
+Description=Proxy internal lan HTTP
+
+[Service]
+Type=simple
+ExecStart=socat -v tcp-listen:8080,reuseaddr,fork tcp:192.168.156.2:80
+
+[Install]
+WantedBy=multi-user.target
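Review bot: `tcp-listen:8080,reuseaddr,fork` binds on every address, so the internal host 192.168.156.2:80 becomes reachable through wwan0 and the WireGuard interfaces configured elsewhere in this commit, not only from the LAN the description promises; `tcp-listen:8080,bind=192.168.156.1,reuseaddr,fork` (192.168.156.1 being the LAN address in 10-eth0.network) limits the listener, with a firewall rule as the second line of defence. socat runs as root here and `-v` copies every request and response body into the journal, forwarded credentials included; `DynamicUser=yes` (or `User=nobody`) and dropping `-v` keep the proxy unprivileged and the logs clean. `Restart=on-failure` would also bring the proxy back if socat exits.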
diff --git a/systemd/system/mnt-sda1.mount b/systemd/system/mnt-sda1.mount
new file mode 100755
index 0000000..9cec1ea
--- /dev/null
+++ b/systemd/system/mnt-sda1.mount
@@ -0,0 +1,9 @@
+[Unit]
+Description=mnt-sda1
+
+[Mount]
+What=/dev/sda1
+Where=/mnt/sda1
+
+[Install]
+WantedBy=multi-user.target
diff --git a/systemd/system/qmi-network@.service b/systemd/system/qmi-network@.service
new file mode 100755
index 0000000..c6a9a42
--- /dev/null
+++ b/systemd/system/qmi-network@.service
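Review bot: The mount has no `Options=`, so /dev/sda1 is mounted with kernel defaults and any setuid binary or device node present on a removable disk is honoured; `Options=nosuid,nodev` (plus `noexec` if nothing needs to run from it) is the usual minimum for external media, and a `Type=` pinned to the expected filesystem avoids auto-probing whatever a swapped disk happens to carry. `What=/dev/sda1` is also the first disk to enumerate rather than a specific one; `What=/dev/disk/by-uuid/<UUID-placeholder>` keeps the unit from mounting the wrong device when enumeration order changes. `Description=mnt-sda1` restates the unit name; saying what the disk holds is more useful in `systemctl status`.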
@@ -0,0 +1,61 @@
+# apt install --no-install-recommends libqmi-utils
+# cp -v ./qmi-network@.service /etc/systemd/system/
+# systemctl daemon-reload
+# systemctl enable --now qmi-network@0
+
+# This will NOT work without a .network for your wwan device.
+[Unit]
+Description=qmi-network for cdc-wdm%i device
+
+Before=freepbx.service
+Before=asterisk.service
+
+After=sys-subsystem-net-devices-wwan%i.device
+Wants=sys-subsystem-net-devices-wwan%i.device
+
+[Service]
+Type=simple
+Restart=always
+TimeoutSec=300s
+
+# Leave the following blank/as-is for auto-detection.
+# Internet APN.
+Environment=APN=""
+# APN Username.
+Environment=APN_USER=""
+# APN Password.
+Environment=APN_PASS=""
+# IP type is usually 4, 6 or 4|6.
+Environment=IP_TYPE="4|6"
+# Change to yes to use qmi proxy.
+Environment=PROXY="no"
+
+# Make sure the state is cleared before starting.
+ExecStartPre=-rm /tmp/qmi-network-state-cdc-wdm%i
+
+# Stop wwan so it can be reconfigured.
+ExecStartPre=networkctl down wwan%i
+
+# Raw IP must be enabled.
+ExecStartPre=sh -c "echo 'Y' | tee /sys/class/net/wwan%i/qmi/raw_ip"
+
+# Start the network via qmi-network scripts.
+# As some networks and/or devices take a long time to connect we should
+# give it some time to be ready before starting the connection process.
+ExecStartPre=-sh -e -c "sleep 60; qmi-network /dev/cdc-wdm%i start"
+
+# Bring up the network.
+ExecStartPre=networkctl up wwan%i
+
+# Small loop as the main process to watchdog the connection.
+# (NOTE: DHCP must be given a little time to settle before pinging).
+ExecStart=sh -e -c "sleep 10; while true; do ping -w 120 -I wwan%i -c 5 one.one.one.one; sleep 300; done;"
+
+# Stop.. DOWN TIME!
+ExecStop=networkctl down wwan%i
+ExecStop=qmi-network /dev/cdc-wdm%i stop
+# Be sure the network state is cleared on stop too.
+ExecStop=-rm /tmp/qmi-network-state-cdc-wdm%i
+
+[Install]
+WantedBy=sys-subsystem-net-devices-wwan%i.device
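Review bot: The `Environment=APN=`, `APN_USER=`, `APN_PASS=`, `IP_TYPE=` and `PROXY=` lines look like they have no effect: as far as I recall qmi-network takes those settings from /etc/qmi-network.conf, which it sources, rather than from its environment — worth confirming, and if so the comment should point at that file. Either way an APN password does not belong in a unit file, which is world-readable (and committed 0755 here); a `root:root 0600` /etc/qmi-network.conf or `EnvironmentFile=` keeps it out of `systemctl show`. The `-` prefix on `ExecStartPre=-sh -e -c "sleep 60; qmi-network /dev/cdc-wdm%i start"` swallows a failed connect, so the unit goes on to `networkctl up`, waits through the ping loop and only then restarts with another 60 s sleep; dropping the `-` lets `Restart=always` retry directly. `Before=freepbx.service` and `Before=asterisk.service` are site-specific ordering that belongs in a drop-in rather than the shared template.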
diff --git a/systemd/system/wifi-power@.service b/systemd/system/wifi-power@.service
new file mode 100755
index 0000000..826bd05
--- /dev/null
+++ b/systemd/system/wifi-power@.service
@@ -0,0 +1,17 @@
+# !! Requires a netdev configured to work
+#
+# $ cp -v ./wifi-power\@.service /etc/systemd/system/
+# $ systemctl daemon-reload
+#
+#
+# $ systemctl enable --now wifi-power@wlan0
+[Unit]
+Description=Toggle %i power saving
+
+[Service]
+Type=oneshot
+ExecStart=iw %i set power_save on
+ExecStop=iw %i set power_save off
+
+[Install]
+WantedBy=sys-subsystem-net-devices-%i.device
diff --git a/wpa_supplicant/README.debian.md b/wpa_supplicant/README.debian.md
new file mode 100755
index 0000000..705f453
--- /dev/null
+++ b/wpa_supplicant/README.debian.md
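Review bot: A `Type=oneshot` service without `RemainAfterExit=yes` goes from start straight to inactive once `ExecStart` returns, and systemd runs `ExecStop=` as part of that transition, so as far as I can tell `iw %i set power_save on` is undone immediately by `iw %i set power_save off` and the net effect is power saving off. Adding `RemainAfterExit=yes` under `[Service]` keeps the unit active so ExecStop only runs on an explicit stop — worth checking with `iw %i get power_save` after enabling. The header says a "netdev" is required, which in this repository means a WireGuard .netdev; for wlan0 the dependency is the interface's .network file plus wpa_supplicant, so `# !! Requires the interface's .network file (and wpa_supplicant for wlan) to be configured` is more accurate.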
@@ -0,0 +1,76 @@
+# WPA Supplicant
+
+You must be root `sudo -s`!
+
+All wireless devices need wpa_supplicant to work correctly, so let's
+install it...
+
+```
+apt install wpa_supplicant
+```
+
+---
+
+To avoid issues with rogue wpa_supplicant processes disable the default
+service...
+
+```
+systemctl disable wpa_supplicant.service
+```
+
+---
+
+Now using the example `wpa_supplicant-wlan0.conf` file; Copy it into
+`/etc/wpa_supplicant`...
+
+```
+cp -iv wpa_supplicant-wlan0.conf /etc/wpa_supplicant-wlan0.conf
+```
+
+**You must rename it to match your wireless device if different, or if
+you already have a `/etc/wpa_supplicant/wpa_supplicant-wlan0.conf` file
+and you don't want to overwrite it. You can use `ip addr` to find it.**
+
+```
+cp -iv wpa_supplicant-wlan0.conf /etc/wpa_supplicant-wlan1.conf
+```
+
+---
+
+We only want root to be able to read the configuration as it contains
+passwords...
+
+```
+chmod -Rv 600 /etc/wpa_supplicant/*.conf
+```
+
+---
+
+Start the service for our device...
+
+```
+systemctl enable --now wpa_supplicant@wlan0.service
+```
+
+**Make sure you change the name of the device if yours is different!**
+
+```
+systemctl enable --now wpa_supplicant@wlan1.service
+```
+
+---
+
+Finally we need to restart the device...
+
+**Once again make sure you get the right device!**
+
+```
+networkctl down wlan0
+networkctl up wlan0
+```
+
+And check everything is working..
+
+```
+networkctl status wlan0
+```
diff --git a/wpa_supplicant/wpa_supplicant-wlan0.conf b/wpa_supplicant/wpa_supplicant-wlan0.conf
new file mode 100755
index 0000000..ebdd129
--- /dev/null
+++ b/wpa_supplicant/wpa_supplicant-wlan0.conf
@@ -0,0 +1,26 @@
+# $ systemctl disable wpa_supplicant.service
+# $ cp -v ./wpa_supplicant-wlan0.conf /etc/wpa_supplicant/
+# $ chmod -Rv 600 /etc/wpa_supplicant/*.conf
+# $ systemctl enable --now wpa_supplicant@wlan0.service
+ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev
+update_config=1
+
+# Change to match your country.
+country=GB
+
+network={
+# Modify these two lines to match your wifi settings!
+ ssid="Internet"
+ psk="password"
+
+# "WPA2/WPA3 PSK, SAE" mixed uncomment the lines below.
+ key_mgmt=WPA-PSK-SHA256
+ ieee80211w=2
+
+# If you use WPA-PSK / PSK2 uncomment the lines below.
+# proto=RSN
+# key_mgmt=WPA-PSK
+# pairwise=CCMP
+# group=CCMP
+# auth_alg=OPEN
+}
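Review bot: The comment labels the active lines "WPA2/WPA3 PSK, SAE" mixed mode, but `key_mgmt=WPA-PSK-SHA256` alone does not enable SAE, so the station never negotiates WPA3 and will not associate with an SAE-only network; `key_mgmt=WPA-PSK WPA-PSK-SHA256 SAE` is what mixed mode needs (keep `ieee80211w=2` if every AP supports PMF, `ieee80211w=1` if WPA2-only APs without it must still work). `psk="password"` stores the passphrase in clear; `wpa_passphrase "Internet" "password"` prints the derived 64-hex PSK, which is the form that belongs in a file that gets copied around. The example is committed with mode 100755 — as is every config file in this commit — while its own header insists on `chmod 600`; committing it 0644 or 0600 avoids shipping an executable config. `update_config=1` also lets wpa_supplicant (and any member of `GROUP=netdev` via wpa_cli save_config) rewrite this file, learned credentials included, which is worth a one-line comment next to it.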