]>
Commit | Line | Data |
---|---|---|
acf47bfa | 1 | #!/bin/bash |
66c36198 PM |
2 | ############################################################################### |
3 | # # | |
4 | # IPFire.org - A linux based firewall # | |
5 | # Copyright (C) 2007-2022 IPFire Team <info@ipfire.org> # | |
6 | # # | |
7 | # This program is free software: you can redistribute it and/or modify # | |
8 | # it under the terms of the GNU General Public License as published by # | |
9 | # the Free Software Foundation, either version 3 of the License, or # | |
10 | # (at your option) any later version. # | |
11 | # # | |
12 | # This program is distributed in the hope that it will be useful, # | |
13 | # but WITHOUT ANY WARRANTY; without even the implied warranty of # | |
14 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # | |
15 | # GNU General Public License for more details. # | |
16 | # # | |
17 | # You should have received a copy of the GNU General Public License # | |
18 | # along with this program. If not, see <http://www.gnu.org/licenses/>. # | |
19 | # # | |
20 | ############################################################################### | |
acf47bfa MT |
21 | |
22 | . /etc/sysconfig/rc | |
23 | . ${rc_functions} | |
24 | ||
25 | # Set PATH to find our own executables | |
26 | export PATH=/usr/local/sbin:/usr/local/bin:${PATH} | |
27 | ||
28 | get() { | |
29 | local file="${1}" | |
30 | ||
5b17fea8 | 31 | wget --timeout=3 --tries=3 -qO - --header="Metadata:true" "http://169.254.169.254/metadata/instance/${file}?api-version=2019-06-01&format=text" |
acf47bfa MT |
32 | } |
33 | ||
34 | format_mac() { | |
35 | local mac="${1,,}" | |
36 | ||
abccd997 | 37 | echo "${mac:0:2}:${mac:2:2}:${mac:4:2}:${mac:6:2}:${mac:8:2}:${mac:10:2}" |
acf47bfa MT |
38 | } |
39 | ||
40 | to_address() { | |
41 | local n="${1}" | |
42 | ||
43 | local o1=$(( (n & 0xff000000) >> 24 )) | |
44 | local o2=$(( (n & 0xff0000) >> 16 )) | |
45 | local o3=$(( (n & 0xff00) >> 8 )) | |
46 | local o4=$(( (n & 0xff) )) | |
47 | ||
48 | printf "%d.%d.%d.%d\n" "${o1}" "${o2}" "${o3}" "${o4}" | |
49 | } | |
50 | ||
51 | to_integer() { | |
52 | local address="${1}" | |
53 | ||
54 | local integer=0 | |
55 | ||
56 | local i | |
57 | for i in ${address//\./ }; do | |
58 | integer=$(( (integer << 8) + i )) | |
59 | done | |
60 | ||
61 | printf "%d\n" "${integer}" | |
62 | } | |
63 | ||
64 | prefix2netmask() { | |
65 | local prefix=${1} | |
66 | ||
67 | local zeros=$(( 32 - prefix )) | |
68 | local netmask=0 | |
69 | ||
70 | local i | |
71 | for (( i=0; i<${zeros}; i++ )); do | |
72 | netmask=$(( (netmask << 1) ^ 1 )) | |
73 | done | |
74 | ||
75 | to_address "$(( netmask ^ 0xffffffff ))" | |
76 | } | |
77 | ||
78 | import_azure_configuration() { | |
79 | local instance_id="$(get compute/vmId)" | |
26eab1fe MT |
80 | if [ -z "${instance_id}" ]; then |
81 | return 0 | |
82 | fi | |
acf47bfa MT |
83 | |
84 | boot_mesg "Importing Microsoft Azure configuration for instance ${instance_id}..." | |
85 | ||
86 | # Store instance ID | |
87 | echo "${instance_id}" > /var/run/azure-instance-id | |
88 | ||
89 | # Initialise system settings | |
90 | local hostname=$(get compute/name) | |
91 | ||
92 | # Set hostname | |
93 | if ! grep -q "^HOSTNAME=" /var/ipfire/main/settings; then | |
94 | echo "HOSTNAME=${hostname%%.*}" >> /var/ipfire/main/settings | |
95 | fi | |
96 | ||
97 | # Set domainname | |
98 | if ! grep -q "^DOMAINNAME=" /var/ipfire/main/settings; then | |
99 | echo "DOMAINNAME=${hostname#*.}" >> /var/ipfire/main/settings | |
100 | fi | |
101 | ||
102 | # Import SSH keys for setup user | |
103 | local line | |
104 | for line in $(get "compute/publicKeys/"); do | |
105 | # Remove trailing slash | |
106 | local key_no="${line//\//}" | |
107 | ||
108 | # Get the path where this key should be installed | |
109 | local path="$(get "compute/publicKeys/${key_no}/path")" | |
110 | local key="$(get "compute/publicKeys/${key_no}/keyData")" | |
111 | ||
112 | local user | |
113 | if [[ "${path}" =~ ^/home ]]; then | |
114 | user="${path:6}" | |
115 | user="${user%%/*}" | |
116 | else | |
117 | # Cannot process this user | |
118 | continue | |
119 | fi | |
120 | ||
121 | # Create user if it does not exist | |
122 | if ! getent passwd "${user}" &>/dev/null; then | |
123 | useradd "${user}" -s /usr/bin/run-setup -g nobody -m | |
124 | ||
125 | # Unlock the account | |
126 | usermod -p "x" "${user}" | |
127 | fi | |
128 | ||
129 | if [ -n "${key}" ] && ! grep -q "^${key}$" "${path}" 2>/dev/null; then | |
130 | local dir="$(dirname "${path}")" | |
131 | ||
132 | # Install directory | |
133 | mkdir -p "${dir}" | |
134 | chmod 700 "${dir}" | |
135 | chown "${user}.nobody" "${dir}" | |
136 | ||
137 | # Install the key | |
138 | echo "${key}" >> "${path}" | |
139 | chmod 600 "${path}" | |
140 | chown "${user}.nobody" "${path}" | |
141 | fi | |
142 | done | |
143 | ||
144 | # Download the user-data script only on the first boot | |
145 | if [ ! -e "/var/ipfire/main/firstsetup_ok" ]; then | |
146 | # Download user-data | |
147 | local user_data="$(get customData)" | |
148 | ||
149 | # Save user-data script to be executed later | |
150 | if [ "${user_data:0:2}" = "#!" ]; then | |
151 | echo "${user_data}" > /tmp/azure-user-data.script | |
152 | chmod 700 /tmp/azure-user-data.script | |
153 | ||
154 | # Run the user-data script | |
155 | local now="$(date -u +"%s")" | |
156 | /tmp/azure-user-data.script &>/var/log/user-data.log.${now} | |
157 | ||
158 | # Delete the script right away | |
159 | rm /tmp/azure-user-data.script | |
160 | fi | |
161 | fi | |
162 | ||
acf47bfa MT |
163 | # Import network configuration |
164 | # After this, no network connectivity will be available from this script due to the | |
165 | # renaming of the network interfaces for which they have to be shut down | |
166 | local config_type=1 | |
167 | : > /var/ipfire/ethernet/settings | |
168 | ||
169 | local device_number | |
170 | for device_number in $(get network/interface); do | |
171 | # Remove trailing slash | |
172 | device_number="${device_number//\//}" | |
173 | ||
174 | local mac="$(get "network/interface/${device_number}/macAddress")" | |
175 | mac="$(format_mac "${mac}")" | |
176 | ||
177 | # First IPv4 address | |
178 | local ipv4_address="$(get "network/interface/${device_number}/ipv4/ipAddress/0/privateIpAddress")" | |
179 | local ipv4_address_num="$(to_integer "${ipv4_address}")" | |
180 | local prefix="$(get "network/interface/${device_number}/ipv4/subnet/0/prefix")" | |
181 | local netmask="$(prefix2netmask "${prefix}")" | |
acf47bfa | 182 | |
b67f02d5 | 183 | # Get the network address |
acf47bfa MT |
184 | local netaddress="$(get "network/interface/${device_number}/ipv4/subnet/0/address")" |
185 | local netaddress_num="$(to_integer "${netaddress}")" | |
acf47bfa MT |
186 | |
187 | case "${device_number}" in | |
188 | # RED | |
189 | 0) | |
190 | local interface_name="red0" | |
191 | ||
192 | # The gateway is always the first IP address in the subnet | |
193 | local gateway="$(to_address $(( netaddress_num + 1 )))" | |
194 | ||
acf47bfa MT |
195 | ( |
196 | echo "RED_TYPE=STATIC" | |
197 | echo "RED_DEV=${interface_name}" | |
198 | echo "RED_MACADDR=${mac}" | |
199 | echo "RED_DESCRIPTION='${interface_id}'" | |
200 | echo "RED_ADDRESS=${ipv4_address}" | |
201 | echo "RED_NETMASK=${netmask}" | |
202 | echo "RED_NETADDRESS=${netaddress}" | |
acf47bfa | 203 | echo "DEFAULT_GATEWAY=${gateway}" |
acf47bfa MT |
204 | ) >> /var/ipfire/ethernet/settings |
205 | ||
206 | # Import aliases for RED | |
207 | local address_no | |
208 | for address_no in $(get "network/interface/0/ipv4/ipAddress"); do | |
209 | # Remove trailing slash | |
210 | address_no="${address_no//\//}" | |
211 | ||
212 | # Skip the first address | |
213 | [ "${address_no}" = "0" ] && continue | |
214 | ||
215 | # Fetch the IP address | |
216 | local alias="$(get "network/interface/0/ipv4/ipAddress/${address_no}/privateIpAddress")" | |
217 | echo "${alias},on," | |
218 | done > /var/ipfire/ethernet/aliases | |
219 | ;; | |
220 | ||
221 | # GREEN | |
222 | 1) | |
223 | local interface_name="green0" | |
224 | ||
225 | ( | |
226 | echo "GREEN_DEV=${interface_name}" | |
227 | echo "GREEN_MACADDR=${mac}" | |
228 | echo "GREEN_DESCRIPTION='${interface_id}'" | |
229 | echo "GREEN_ADDRESS=${ipv4_address}" | |
230 | echo "GREEN_NETMASK=${netmask}" | |
231 | echo "GREEN_NETADDRESS=${netaddress}" | |
acf47bfa MT |
232 | ) >> /var/ipfire/ethernet/settings |
233 | ;; | |
234 | ||
235 | # ORANGE | |
236 | 2) | |
237 | local interface_name="orange0" | |
238 | config_type=2 | |
239 | ||
240 | ( | |
241 | echo "ORANGE_DEV=${interface_name}" | |
242 | echo "ORANGE_MACADDR=${mac}" | |
243 | echo "ORANGE_DESCRIPTION='${interface_id}'" | |
244 | echo "ORANGE_ADDRESS=${ipv4_address}" | |
245 | echo "ORANGE_NETMASK=${netmask}" | |
246 | echo "ORANGE_NETADDRESS=${netaddress}" | |
acf47bfa MT |
247 | ) >> /var/ipfire/ethernet/settings |
248 | ;; | |
249 | esac | |
250 | done | |
251 | ||
252 | # Save CONFIG_TYPE | |
253 | echo "CONFIG_TYPE=${config_type}" >> /var/ipfire/ethernet/settings | |
254 | ||
255 | # Actions performed only on the very first start | |
256 | if [ ! -e "/var/ipfire/main/firstsetup_ok" ]; then | |
88cb5eb1 MT |
257 | # Disable using ISP nameservers |
258 | sed -e "s/^USE_ISP_NAMESERVERS=.*/USE_ISP_NAMESERVERS=off/" -i /var/ipfire/dns/settings | |
259 | ||
acf47bfa MT |
260 | # Enable SSH |
261 | sed -e "s/ENABLE_SSH=.*/ENABLE_SSH=on/g" -i /var/ipfire/remote/settings | |
262 | ||
263 | # Disable SSH password authentication | |
264 | sed -e "s/^ENABLE_SSH_PASSWORDS=.*/ENABLE_SSH_PASSWORDS=off/" -i /var/ipfire/remote/settings | |
265 | ||
266 | # Enable SSH key authentication | |
267 | sed -e "s/^ENABLE_SSH_KEYS=.*/ENABLE_SSH_KEYS=on/" -i /var/ipfire/remote/settings | |
268 | ||
269 | # Apply SSH settings | |
270 | /usr/local/bin/sshctrl | |
271 | ||
272 | # Mark SSH to start immediately (but not right now) | |
273 | touch /var/ipfire/remote/enablessh | |
274 | chown nobody:nobody /var/ipfire/remote/enablessh | |
275 | ||
276 | # Firewall rules for SSH and WEBIF | |
277 | ( | |
278 | echo "1,ACCEPT,INPUTFW,ON,std_net_src,ALL,ipfire,RED1,,TCP,,,ON,,,cust_srv,SSH,,,,,,,,,,,00:00,00:00,,AUTO,,dnat,,,,,second" | |
279 | echo "2,ACCEPT,INPUTFW,ON,std_net_src,ALL,ipfire,RED1,,TCP,,,ON,,,TGT_PORT,444,,,,,,,,,,,00:00,00:00,,AUTO,,dnat,,,,,second" | |
280 | ) >> /var/ipfire/firewall/input | |
281 | ||
282 | # This script has now completed the first steps of setup | |
283 | touch /var/ipfire/main/firstsetup_ok | |
284 | fi | |
285 | ||
286 | # All done | |
287 | echo_ok | |
288 | } | |
289 | ||
290 | case "${reason}" in | |
291 | PREINIT) | |
292 | # Bring up the interface | |
293 | ip link set "${interface}" up | |
294 | ;; | |
295 | ||
296 | BOUND|RENEW|REBIND|REBOOT) | |
297 | # Remove any previous IP addresses | |
298 | ip addr flush dev "${interface}" | |
299 | ||
300 | # Add (or re-add) the new IP address | |
301 | ip addr add "${new_ip_address}/${new_subnet_mask}" dev "${interface}" | |
302 | ||
303 | # Add the default route | |
304 | ip route add default via "${new_routers}" | |
305 | ||
306 | # Setup DNS | |
307 | for domain_name_server in ${new_domain_name_servers}; do | |
308 | echo "nameserver ${domain_name_server}" | |
309 | done > /etc/resolv.conf | |
310 | ||
311 | # The system is online now | |
312 | touch /var/ipfire/red/active | |
313 | ||
314 | # Import Azure configuration | |
315 | import_azure_configuration | |
316 | ;; | |
317 | ||
318 | EXPIRE|FAIL|RELEASE|STOP) | |
319 | # The system is no longer online | |
320 | rm -f /var/ipfire/red/active | |
321 | ||
322 | # Remove all IP addresses | |
323 | ip addr flush dev "${interface}" | |
324 | ||
325 | # Shut down the interface | |
326 | ip link set "${interface}" down | |
327 | ;; | |
328 | ||
329 | *) | |
330 | echo "Unhandled reason: ${reason}" >&2 | |
331 | exit 2 | |
332 | ;; | |
333 | esac | |
334 | ||
335 | # Terminate | |
336 | exit 0 |