source: hybrid/branches/releng-11/nanobsd/cfg/nanobsd.wleiden@ 13742

Last change on this file since 13742 was 13742, checked in by rick, 8 years ago

Try to beat captive portal requests for already authorized devices.

Dummy framework for a tool which reads ARP requests and, based on the response,
checks whether the MAC is already whitelisted and, if so, adds its IP to the
whitelist table.

This will avoid issues with captive portal checkers at phone, which assume a
captive portal, yet their request in and on itself will already activate the
known lease again.

Secondly this framework is also required to allow 'roaming' from users between
accesspoints without the need of re-authentication (or IoT devices for
example).

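## NanoBSD configuration template for Wireless Leiden.
## Settings in this file are the organisation-wide defaults.

# Little hack to allow proper specification of the KERNEL/PKG location:
# resolve the directory that holds this config file.  NANO_CFG_FILE is set
# by nanobsd.sh; when it is absent, fall back to the config path given as
# the second positional argument.  Expansions are quoted so a path with
# spaces still resolves, and '|| exit 1' makes sure a bogus path is not
# silently replaced by the current directory (every later ../files,
# ../cfg-files and ../pkg reference builds on this value).
if [ -n "$NANO_CFG_FILE" ]; then
  NANO_CONF_DIR=$(cd "$(dirname "$NANO_CFG_FILE")" && pwd -P) || exit 1
else
  NANO_CONF_DIR=$(cd "$(dirname "$2")" && pwd -P) || exit 1
fi
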
# Object name in /usr/obj/nanobsd.{obj}
NANO_NAME=wleiden-hybrid
NANO_SRC=/usr/src                              # nanobsd source tree
NANO_TOOLS=$(pwd)
NANO_KERNEL=${NANO_CONF_DIR}/kernel.wleiden    # name of the kernel configuration file
NANO_IMAGES=2                                  # number of nanobsd code slices/installs (1/2)

# Slice sizes, all in 512-byte sectors
NANO_CONFSIZE=20480      # config slice (10MB)
NANO_DATASIZE=0          # data slice, 0 = not configured
NANO_CODESIZE=819200     # let the build script make the OS slice as large as possible

# Size of the /etc ramdisk in 512-byte sectors
NANO_RAM_ETCSIZE=20480

# Size of the combined var & tmp ramdisk (50MB) in 512-byte sectors
NANO_RAM_TMPVARSIZE=102400

NANO_LABEL=WLIMG
# Overwrite the default newfs settings to disable soft-updates
NANO_NEWFS="-b 4096 -f 512 -i 8192"


#XXX: Eeks, fixed packages, needs building a hook to allow building the package
# off the shelf if needed, copy to the right directory, done.  With only input
# needed a list of ports in the format like net/net-snmp
NANO_PACKAGE_DIR=${NANO_CONF_DIR}/../pkg/All
NANO_PACKAGE_LIST="*"

# "major_minor" of the running host release (11.1-RELEASE -> 11_1) selects the
# poudriere package set that was built for this release.
VERSION=$(uname -r | sed -e 's/-.*//g' -e 's/\./_/')
NANO_PACKAGE_REPOS="/usr/local/poudriere/data/packages/wlpkgbuild${VERSION}-default-node/"


# Wireless Leiden ports from $WL_PORTSDIR are copied OVER $PORTSDIR
PORTSDIR='/usr/ports'
WL_PORTSDIR="${NANO_CONF_DIR}/../ports/"

# Dirty quirk to allow comments in the list below: sed strips everything from
# a '#' to the end of each line, xargs then joins the remaining words into a
# single space-separated line (so PACKAGE_LIST is one line, not one per port).
PACKAGE_LIST=$(sed -e 's/#.*$//g' <<EOF | xargs
benchmarks/iperf
devel/py-Jinja2
devel/py-yaml
editors/vim-lite
dns/dnsmasq
dns/nsd
dns/unbound
ftp/curl
lang/python2
lang/python
net/ladvd
net-mgmt/iftop
net-mgmt/net-snmp
net/mtr
net/isc-dhcp43-server
net/pen
net/py-speedtest-cli
ports-mgmt/pkg
security/sudo
security/ca_root_nss
sysutils/daemontools
sysutils/screen
sysutils/ucspi-tcp
sysutils/wait_on
www/apache24
www/tinyproxy

# Extra WL ports
net/lvrouted
EOF
)
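# Package target: where 'make package' drops its results, and never prompt.
# NANO_PACKAGE_DIR is quoted inside the substitution so an empty or
# space-containing value cannot make dirname(1) fail or split.
PKG_MAKE_ARGS="PACKAGES=$(dirname "$NANO_PACKAGE_DIR") BATCH=yes PACKAGE_BUILDING=yes"

# make.conf fragment used for the package build.  The '#' lines are part of
# the string (they become comments in the generated file), not shell comments.
PKG_MAKE_CONF="
# www/py-cherrypy - include apache templating
# net-mgmt/net-snmp - no perl please (size)
# net-mgmt/nagios-plugins - no threading (single CPU)
# shells/bash-static - logging via syslog
# net/mtr - no X11 (no screen)
# lang/ocaml - no TK support (requires X11)
# devel/ocaml-findlib - no TOOLBOX support (requires ocaml with TK support)
OPTIONS_SET= APACHE FPING SYSLOG
OPTIONS_UNSET= PERL PERL_EMBEDDED X11 TK TOOLBOX
"
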
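##NANO_PACKAGE_LIST=

# Number of parallel make jobs.
# Warning: set to 1 to debug make build errors.
# grep -q is used directly as the condition; the original wrapped it in
# backticks, which only worked by accident (an empty command keeps the exit
# status of the substitution).  dmesg.boot only exists on FreeBSD, so its
# absence is silenced rather than reported.
if grep -q 'acpi0: <PRLS PRLS_OEM> on motherboard' /var/run/dmesg.boot 2>/dev/null; then
  # Mac OS X Parallels virtual machine
  NANO_PMAKE="make -B"
else
  # Default 2 times the number of CPUs in the machine.  Fall back to one CPU
  # when hw.ncpu cannot be read, so -j never ends up with an empty value.
  NANO_PARALLEL_MAKE=$(sysctl -n hw.ncpu 2>/dev/null) || NANO_PARALLEL_MAKE=1
  : "${NANO_PARALLEL_MAKE:=1}"
  NANO_PARALLEL_MAKE=$((NANO_PARALLEL_MAKE * 2))
  NANO_PMAKE="make -j ${NANO_PARALLEL_MAKE}"
fi
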
# Starting from soekris bios version 1.31 upwards boot0sio does not seem to
# work anymore, but boot0 does (weird)
NANO_BOOTLOADER="boot/boot0"

# Strip down to a more acceptable size
# hints from http://people.freebsd.org/~phk/nanobsd/soekris_4x26/make.soekris_4x26.conf (46MB)
# NB! usr/share/misc contains termcap; vi(1) etc. fail to work without it,
# so it is deliberately not in this list.
# The list covers: documentation/examples from base, debugging material
# (usr/lib/debug, usr/tests) and documentation/examples of installed ports.
# Each entry is appended with a single separating space, giving exactly the
# same NANO_PRUNE string as a chain of NANO_PRUNE="$NANO_PRUNE ..." lines.
for prune_entry in \
    usr/share/examples \
    usr/share/syscons \
    usr/share/calendar \
    usr/share/pcvt \
    usr/share/me \
    usr/share/doc \
    usr/lib/debug \
    usr/tests \
    usr/local/share/doc \
    usr/local/share/examples
do
  NANO_PRUNE="$NANO_PRUNE $prune_entry"
done
unset prune_entry





# Options parsed during build & install world
# Also check man 5 src.conf for details
# Some flags are misleading, e.g. could only be installworld (e.g.), for details:
# http://phk.freebsd.dk/misc/build_options/
# For details on make options also check:
# /usr/src/share/mk/bsd.own.mk
#
# CONF_COMMON ends up in the make.conf used for both buildworld and
# installworld (through CONF_BUILD / CONF_INSTALL below).  The '#' lines
# inside the quotes are data that is written to that file, not shell comments.
# Points worth revisiting when the image is next reviewed:
#  - WITHOUT_SSP=YES builds the whole world without stack-smashing protection,
#    i.e. the size saving removes an exploit mitigation from every binary.
#  - WITHOUT_LOCALES=YES appears twice (once with a Dutch, once with an
#    English comment); harmless, but one of them can go.
CONF_COMMON='
# Specific enabled options
#WITHOUT_ACPI=YES # geen advanced configuration power interface
#WITHOUT_BIND=YES # geen bind tools, dns/named geinstalleerd
#WITHOUT_CXX=YES # Set to not build g++(1) and related libraries.
#WITHOUT_GROFF=YES # Set to not build groff(1).
#WITHOUT_INET6=YES # geen ondersteuning inet versie 6 architectuur
#WITHOUT_INFO=YES # geen info bestanden, readable online docs
#WITHOUT_IPFILTER=YES # geen ip filtering geinstalleerd
#WITHOUT_KLDLOAD=YES # do not allow loading of kernel modules
#WITHOUT_MAILWRAPPER=YES # geen mailwrapper bij gebruik sendmail
#WITHOUT_MAN=YES # geen handleidingen gecompileerd
#WITHOUT_MISC=YES # geen misc sub directory
#WITHOUT_MODULES=YES # geen ondersteuning toevoegen modules
#WITHOUT_PAM=YES # geen ondersteuning pa modules
#WITHOUT_PF=YES # geen packet filtering geinstalleerd
#WITHOUT_SHARE=YES # geen share sub directory
#WITHOUT_USB=YES # geen ondersteuning usb modules
# Specific disabled options
WITHOUT_ATM=YES # geen ondersteuning Asynchronous Transfer Mode
WITHOUT_AUDIT=YES # geen event auditing / audit trails
WITHOUT_AUTHPF=YES # geen authenticating gateway user shell
WITHOUT_BLUETOOTH=YES # geen ondersteuning Bluetooth modules
WITHOUT_CALENDAR=YES # geen calendar reminder service gecompileerd
WITHOUT_CDDL=YES # Set to not build code licensed under Sun CDDL. (also ZFS)
WITHOUT_CPP=YES # Set to not build cpp(1).
WITHOUT_CXX=YES # Set to not build c++(1) and related libraries.
WITHOUT_CLANG=YES # Set to not build the Clang C/C++ compiler.
WITHOUT_CVS=YES # geen cvs tools geinstalleerd
WITHOUT_DICT=YES # geen dictionary ondersteuning
WITHOUT_EXAMPLES=YES # geen voorbeeld configuratiebestanden
WITHOUT_FORTRAN=YES # geen ondersteuning fortran compilers
WITHOUT_GAMES=YES # geen games gecompileerd
WITHOUT_GCOV=YES # geen gcov test coverage program
WITHOUT_GDB=YES # geen gnu debugger gecompileerd
WITHOUT_GPIB=YES # geen ondersteuning gpib kaarten
WITHOUT_HTML=YES # geen html help bestanden gecompileerd
WITHOUT_I4B=YES # geen ondersteuning voor isdn
WITHOUT_ICONV=YES # No iconv support (no need to support native files)
WITHOUT_IPX=YES # geen ondersteuning ipx protocols
WITHOUT_KERBEROS=YES # geen ondersteuning Kerberos authenticatie
WITHOUT_LOCALES=YES # geen ondersteuning lokalisatie
WITHOUT_LPR=YES # geen ondersteuning print services
WITHOUT_NIS=YES # geen ondersteuning network information system
WITHOUT_PROFILE=YES # Set to avoid compiling profiled libraries.
WITHOUT_RCMDS=YES # geen ondersteuning rcmds,
WITHOUT_RESCUE=YES # geen rescue bestanden gecompileerd
WITHOUT_SENDMAIL=YES # geen sendmail geinstalleerd
WITHOUT_SHAREDOCS=YES # geen share/docs directories
WITHOUT_SSP=YES # Set to not build world with propolice stack smashing protection.
WITHOUT_SYSCONS=YES # geen syscon devices gecompileerd
WITHOUT_UNBOUND=YES # Port version will be used if any is used
WITHOUT_LOCALES=YES # No localization support
'

# buildworld gets exactly the common set
CONF_BUILD="
${CONF_COMMON}
"

# installworld gets the common set plus WITHOUT_TOOLCHAIN: no compiler on the image
CONF_INSTALL="
${CONF_COMMON}
WITHOUT_TOOLCHAIN=YES # geen freebsd toolchain
"


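# Flash disks arrived, sandisk 1g seems to match the geometry of the (blank) cards
#FlashDevice sandisk 1g      # nanobsd flashdevice entry
#FlashDevice sandisk 512mb   # nanobsd flashdevice entry
#FlashDevice transcend 2g    # nanobsd flashdevice entry
# Calculated value of PEAK hardware 1GB CF card
# C/H/S phys 1954/16/63, logical 977/32/63
# Mediasize is calculated as C*H*S*512

# Using logical values reported by ALIX board
# values for PCEngines blank 1 GB cards
# C/H/S phys 1966/16/63, logical 983/32/63
# Media size in 512-byte sectors (1008451584 bytes); shell arithmetic
# instead of forking expr(1).
NANO_MEDIASIZE=$((1008451584 / 512))
NANO_HEADS=32
NANO_SECTS=63

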
# Version tagging: write who built the image, when, and the state of the
# configuration checkout (svn info plus the uncommitted svn diff) to
# /tools/wl-release.txt inside the image.  If either svn command fails the
# report simply ends there (the inner subshell exits 0).
cust_version_tag() (
  release_file="${NANO_WORLDDIR}/tools/wl-release.txt"
  (
    echo "Generated by $(id -un)@$(hostname -f) at $(date)"
    echo ""
    echo "=== CONFIG specifics ==="
    svn info "${NANO_CONF_DIR}/../" || exit 0
    svn diff "${NANO_CONF_DIR}/../" || exit 0
    echo "=== BEGIN CONFIG specifics ==="
  ) > "$release_file"
)

# Pre-generate the OpenVPN DH parameters at build time: on an ALIX board this
# takes 10+ minutes, which is not practical for quick debugging and
# configuration.
# NOTE(review): the presence test looks under ${NANO_CONF_DIR}, not under the
# built world (${NANO_WORLDDIR}); confirm which tree is meant.
# NOTE(review): 1024-bit DH parameters are below current recommendations;
# the size is left untouched here.
cust_openvpn_dhparam() (
  [ -r "${NANO_CONF_DIR}/usr/local/bin/openvpn" ] || exit 0
  dh_file="${NANO_WORLDDIR}/etc/easy-rsa-keys/dh1024.pem"
  mkdir -p "$(dirname "$dh_file")"
  openssl dhparam -out "$dh_file" 1024
)

# Unbound runs in an alternative chroot location (the port default); that
# directory must be writeable by the unbound user for key generation etc.
# No-op when the port is not installed in the world.
cust_unbound_rights() (
  [ -r "${NANO_WORLDDIR}/usr/local/etc/unbound" ] || exit 0
  chroot "${NANO_WORLDDIR}" sh -c "chown unbound:unbound /usr/local/etc/unbound"
)


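# Set the image's root password from CFG_ROOT_PASSWORD (typically exported
# from nanobsd.local).  The value is handed to pw(8) on stdin (-h 0) instead
# of being interpolated into a 'sh -c' string: a quote character in the
# password can no longer break out of the command, and the secret no longer
# appears in the argv of the chroot/sh processes where ps(1) on the build
# host could read it.  It still lives in the build environment, so the build
# host has to be trusted and 'set -x' should stay off around this step.
cust_set_root_password() (
  if [ -n "${CFG_ROOT_PASSWORD}" ]; then
    pprint 2 "Set root password using CFG_ROOT_PASSWORD variable"
    printf '%s\n' "${CFG_ROOT_PASSWORD}" |
      chroot "${NANO_WORLDDIR}" pw usermod -h 0 -n root
  else
    pprint 2 "Root password is <blank>, no password provided at variable CFG_ROOT_PASSWORD"
  fi
)


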
# EXPERIMENTAL patch-like environment
# Using '*-nanobsd.patch' files to only specify the bare differences between the base/default file to
# keep us as close as possible to the base OS
# Patches are applied to the directory they live in
#cust_apply_nanobsd_patches() (
#	for PATCHFILE in `find ${NANO_WORLDDIR} -regex '.*-nanobsd\.patch$'`; do
#		cd `dirname ${PATCHFILE}`
#		patch -t -N -p0 -i `basename ${PATCHFILE}`
#		#XX: What to do with installed patch files? Delete them for the time being
#		rm -v ${PATCHFILE}
#	done



#)



# Customize ntpd: keep the drift file on the persistent /usr/local/etc and
# point the default /var/db location at it (var is a ramdisk on the image).
cust_ntpd() (
  drift_cmd="ln -fs /usr/local/etc/ntp.drift /var/db/ntp.drift"
  chroot "${NANO_WORLDDIR}" sh -c "$drift_cmd"
)


# Enable Serial TTYs: switch the ttyv* virtual consoles off, turn ttyu0 on as
# an 'ansi' terminal, and move it to the autologin getty entry.
cust_serial_ttys() (
  ttys_file=/etc/ttys
  chroot "${NANO_WORLDDIR}" sed -i '' \
    -e '/ttyv[0-9]/s/on /off/' \
    -e '/ttyu0/s/off/on/' \
    -e '/ttyu0/s/dialup/ansi/' "$ttys_file"

  # Serial login is considered physically secured, so the serial console uses
  # the autologin entry (al.9600): no credentials are asked on ttyu0.
  chroot "${NANO_WORLDDIR}" sed -i '' -e '/ttyu0/s/std.9600/al.9600/' "$ttys_file"
)

# Customize sudoers files: sudo refuses world-readable/writable drop-ins, so
# restrict every file under sudoers.d to 0640.
cust_sudo_rules() {
  chroot "${NANO_WORLDDIR}" \
    find /usr/local/etc/sudoers.d/ -type f -exec chmod 0640 {} +
}



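# Install files from the 'files' directory next to the config directory into
# the world, keeping directories and permissions (cpio pass-through).
# 'cd ... || exit 1': if the directory is missing the original silently
# copied the *current* directory into the world instead.  The VCS exclusion
# pattern is '\.svn' so only real .svn entries are skipped.
cust_install_files () (
  cd "${NANO_CONF_DIR}/../files" || exit 1
  find . -print | grep -v -e /CVS -e '\.svn' | cpio -dumpv "${NANO_WORLDDIR}"
)

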
# Make the /tools scripts available to root by default: /root/bin -> /tools.
cust_root_bin_to_tools() {
  target=/tools
  ln -s "$target" "${NANO_WORLDDIR}/root/bin"
}


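# Prune unneeded directories from the image (the NANO_PRUNE list, relative
# paths).  The cd is guarded twice: ${NANO_WORLDDIR:?} aborts when the
# variable is unset/empty and '|| exit 1' when the directory is missing.
# Without the guard a failed cd would run 'rm -R' on those relative paths in
# whatever the current directory happens to be.  NANO_PRUNE is expanded
# unquoted on purpose: it is a space-separated list.
cust_nano_prune () (
  cd "${NANO_WORLDDIR:?NANO_WORLDDIR must be set}" || exit 1
  for ENTRY in ${NANO_PRUNE}; do
    rm -vfR "${ENTRY}"
  done
)
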
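# We actually do need a separate /tmp, so undo the tmp symlink created in
# setup_nanobsd() and replace it with a real sticky directory.  The cd is
# guarded so a missing/unset NANO_WORLDDIR can never turn this into
# 'rm tmp' in the current directory.
late_cust_unset_common_var_and_tmp() (
  cd "${NANO_WORLDDIR:?NANO_WORLDDIR must be set}" || exit 1
  rm tmp
  mkdir -m 1777 tmp
)

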
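# Fill /cfg with custom files, based on 'create_i386_diskimage ( )':
# attach the finished image as a memory disk, mount its third slice (/cfg),
# copy ../cfg-files into it and detach again.  All output goes to
# ${MAKEOBJDIRPREFIX}/_.fc.  Every step that can fail now unwinds what was
# already set up (unmount, detach) before exiting non-zero, so a typo in
# NANO_CONF_DIR no longer copies the current directory into /cfg and no
# longer leaves a stale md device attached.
last_nano_fill_cfg () (
  # Variables to be used
  IMG=${NANO_DISKIMGDIR}/${NANO_IMGNAME}
  MNT=${MAKEOBJDIRPREFIX}/_.mnt

  # Mount '/cfg' slice (s3) of the image
  MD=$(mdconfig -a -t vnode -f "${IMG}") || exit 1
  mount "/dev/${MD}s3" "${MNT}" || { mdconfig -d -u "${MD}"; exit 1; }

  # Location of the '/cfg' directory contents
  if ! cd "${NANO_CONF_DIR}/../cfg-files"; then
    umount "${MNT}"
    mdconfig -d -u "${MD}"
    exit 1
  fi
  find . -print | grep -v -e /CVS -e '\.svn' | cpio -dumpv "${MNT}"

  # Leave in nice end state
  umount "${MNT}"
  mdconfig -d -u "${MD}"
) > "${MAKEOBJDIRPREFIX}/_.fc" 2>&1
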
# Report the disk usage of the root slice: attach the finished image, mount
# s1a, print the df header and the line for the md device via pprint, then
# unmount and detach.
last_nano_disk_usage () (
  img=${NANO_DISKIMGDIR}/${NANO_IMGNAME}
  mnt=${MAKEOBJDIRPREFIX}/_.mnt

  # Attach the image and mount the root slice
  md=$(mdconfig -a -t vnode -f "${img}")
  mount "/dev/${md}s1a" "${mnt}"

  # Show disk usage (percent free) incl. header.  The header is deliberately
  # passed unquoted so its column whitespace collapses to single spaces.
  pprint 2 $(df -h | head -1)
  pprint 2 "$(df -h | grep "/dev/${md}")"

  # Leave in nice end state
  umount "${mnt}"
  mdconfig -d -u "${md}"
)


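# Install the package set into the NanoBSD world from the local poudriere
# repository (NANO_PACKAGE_REPOS): hard-link the repo to /Repos inside the
# world so pkg can reach it from the chroot, bootstrap pkg(8) from
# Latest/pkg.txz, disable the stock FreeBSD repo in favour of a LOCAL
# file:// repo, install every entry of PACKAGE_LIST, then remove /Repos.
# CR (from nanobsd.sh) runs a command inside the world chroot.
# Security note: both the bootstrap (SIGNATURE_TYPE=none) and the LOCAL repo
# (signature_type: none) skip signature verification, so the integrity of
# every installed package rests entirely on the build host's package tree.
cust_pkgng () (

  # If the package directory doesn't exist, we're done.
  if [ ! -d "${NANO_PACKAGE_REPOS}" ]; then
    echo "DONE 0 packages"
    return 0
  fi

  # We need the pkg package itself for bootstrapping.  The original tested
  # '-z' on the path *string*, which is never true for a non-empty string;
  # test that the file is actually there.
  if [ ! -r "${NANO_PACKAGE_REPOS}/Latest/pkg.txz" ]; then
    echo "FAILED: need a pkg/ package for bootstrapping"
    exit 2
  fi

  # Replicate the packages into the NanoBSD world (as hard links) so we can
  # access them from the chroot in which pkg is being run.
  cp -lpR "${NANO_PACKAGE_REPOS}" "${NANO_WORLDDIR}/Repos"

  # Bootstrap pkg and verify it runs
  CR env ASSUME_ALWAYS_YES=YES SIGNATURE_TYPE=none /usr/sbin/pkg add /Repos/Latest/pkg.txz
  if ! CR pkg -N >/dev/null 2>&1; then
    echo "FAILED: pkg bootstrapping faied"
    exit 2
  fi

  mkdir -p "${NANO_WORLDDIR}/usr/local/etc/pkg/repos"
  echo "FreeBSD: { enabled: no }" > "${NANO_WORLDDIR}/usr/local/etc/pkg/repos/FreeBSD.conf"

  # Generate a reference to our local repository
  cat > "${NANO_WORLDDIR}/usr/local/etc/pkg/repos/LOCAL.conf" <<EOF
LOCAL: {
  url : file:///Repos
  enabled : yes
  mirror_type : none
  signature_type : none
}
EOF


  # Count & report how many we have to install.  PACKAGE_LIST is a single
  # space-separated line (it went through xargs), so count words; the old
  # 'wc -l' always reported 1 here.
  todo=$(echo ${PACKAGE_LIST} | /usr/bin/wc -w)
  todo=$((todo + 1)) # add one for pkg since it is installed already
  echo "=== TODO: $todo"
  echo "${PACKAGE_LIST}"
  echo "==="
  # PACKAGE_LIST is expanded unquoted on purpose: one word per package.
  # A failing install is reported by pkg but does not stop the loop (kept
  # as in the original, best-effort).
  for PKG in ${PACKAGE_LIST}; do
    CR env ASSUME_ALWAYS_YES=YES /usr/sbin/pkg install $PKG
  done
  rm -rf "${NANO_WORLDDIR}/Repos"
)
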
# Final steps after the image exists: populate the /cfg slice, then report
# the root slice's disk usage.  Order matters; both run in this subshell.
last_orders () (
  for step in last_nano_fill_cfg last_nano_disk_usage; do
    $step
  done
)

# Ugly hack to 'escape' pprint from inside a customize_cmd: keep a copy of
# the real stdout on fd 3 so pprint() can write there instead of into the
# file the customize step's output is redirected to.
exec 3>/dev/stdout
# Progress Print: print $2 prefixed with $1 '#' characters, but only when the
# level $1 does not exceed PPLEVEL (set by nanobsd.sh).  Output goes to fd 3,
# the saved stdout, so it is visible even when the caller's stdout is
# redirected to a log file.
pprint() {
  local level
  level=$1
  [ "$level" -le "$PPLEVEL" ] || return 0
  printf "%.${level}s %s\n" "#####" "$2" >&3
}

# Customisation steps, registered with nanobsd.sh and run in the order below.
# XXX: Determine size before installing all kinds of additions to see how much
# base we are actually using ## du -h -d 0
customize_cmd cust_pkgng
customize_cmd cust_install_files
customize_cmd cust_ntpd
customize_cmd cust_serial_ttys
customize_cmd cust_version_tag
customize_cmd cust_root_bin_to_tools
# cust_allow_ssh_root is not defined in this file; presumably the stock
# nanobsd.sh helper that permits root logins over SSH -- confirm.  Together
# with the serial autologin in cust_serial_ttys this sets the image's
# remote-access posture, so keep it in mind when reviewing CFG_ROOT_PASSWORD.
customize_cmd cust_allow_ssh_root
customize_cmd cust_openvpn_dhparam
customize_cmd cust_nano_prune
customize_cmd cust_set_root_password
customize_cmd cust_sudo_rules
customize_cmd cust_unbound_rights
#customize_cmd cust_apply_nanobsd_patches
late_customize_cmd late_cust_unset_common_var_and_tmp

# Standard overwrite: a nanobsd.local next to this file may override any of
# the settings above.  It is sourced into the current shell, so it can also
# provide CFG_ROOT_PASSWORD / EXTRA_NANOBSD_CONFIG.
local_conf="${NANO_CONF_DIR}/nanobsd.local"
if [ -r "$local_conf" ]; then
  . "$local_conf"
fi
unset local_conf

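# Extra config if the existing one is not sufficient: EXTRA_NANOBSD_CONFIG is
# a space-separated list of files to source into the current shell.  A name
# that does not start with '/' is taken relative to the config directory.
# Sourcing is done in a '{ }' function (not a subshell) so the sourced
# settings remain visible; a file that fails to load aborts the build.
wl_load_extra_configs() {
  # Unquoted on purpose: the variable is a list of file names.
  for FILE in $EXTRA_NANOBSD_CONFIG; do
    # Prefix relative names with the config directory (no echo|cut round trip).
    case "$FILE" in
      /*) ;;
      *) FILE=${NANO_CONF_DIR}/${FILE} ;;
    esac
    pprint 1 "Loading $FILE"
    . "$FILE" || exit 1
  done
}

if [ -n "$EXTRA_NANOBSD_CONFIG" ]; then
  wl_load_extra_configs
fi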