rotate macs, fix setting env and starting wg

ipitio · ipitio · commit 2ad2c0fdc15b · 2025-05-27T04:26:55.000-04:00
diff --git a/README.md b/README.md
@@ -93,15 +93,15 @@ Set a Hub or HaaS up first, so you can generate the necessary peer configuration
 
 ### Maintenance
 
-You can (re)configure WireGuard peers (on bare metal as well, thanks to code shared by [LinuxServer.io](https://github.com/linuxserver/docker-wireguard)):
+You can (re)configure WireGuard peers (on bare metal as well, thanks to code shared by [LinuxServer.io](https://github.com/linuxserver/docker-wireguard)). Add WireGuard peers or modify the AllowedIPs of existing ones, show peer config QR codes, and delete peers with:
 
-- Add WireGuard peers, or modify the AllowedIPs of existing ones, with `sudo bash wireguard/add.sh <peer_name> [option]`.
-- Show peer config QR codes with `sudo bash wireguard/get.sh <peer_name>`.
-- Delete peers with `sudo bash wireguard/del.sh <peer_name>`.
-
-To complete adding a SaaH, create an `SERVER_ALLOWEDIPS_PEER_[SaaH]=` environment variable -- using the peer's name sans the brackets -- for the WireGuard service with the difference of `0.0.0.0/1,128.0.0.0/1,::/1,8000::/1` and the peer's IP. This [AllowedIPs Calculator](https://www.procustodibus.com/blog/2021/03/wireguard-allowedips-calculator) is pretty nifty.
+```{bash}
+sudo bash wireguard/add.sh <peer_name> [option]
+sudo bash wireguard/get.sh <peer_name>
+sudo bash wireguard/del.sh <peer_name>
+```
 
-Complete the above or any other CUD operation by running `sudo bash restart.sh`. By default, `add.sh` sets the peer to route outgoing traffic through the VPN. You can change this default by modifying AllowedIPs in `compose.yml`. The option it takes may be one of:
+By default, `add.sh` sets the peer to route outgoing traffic through the VPN. You can change this default by modifying AllowedIPs in `compose.yml`. The option it takes may be one of:
 
 ```{bash}
 -e, --internet    Route all traffic through the VPN
@@ -110,6 +110,8 @@ Complete the above or any other CUD operation by running `sudo bash restart.sh`.
 -o, --outgoing    Route outgoing traffic through the VPN
 ```
 
+After running `add.sh` on a HaaS to create its SaaH peer, create an `SERVER_ALLOWEDIPS_PEER_[SaaH]` environment variable -- using the peer's name sans the brackets -- for the WireGuard service with the difference of `0.0.0.0/1,128.0.0.0/1,::/1,8000::/1` and the peer's IP. This [AllowedIPs Calculator](https://www.procustodibus.com/blog/2021/03/wireguard-allowedips-calculator) is pretty nifty.
+
 > [!NOTE]
 > While `start.sh` brings everything up, `restart.sh` only restarts WireGuard unless you first export `CLS_WG_ONLY=false`.
 
diff --git a/debian/control b/debian/control
@@ -4,7 +4,7 @@ Homepage: https://github.com/ipitio/closure
 Standards-Version: 3.9.2
 
 Package: closure
-Version: 1.6.10
+Version: 1.6.11
 Maintainer: ipitio <21136719+ipitio@users.noreply.github.com>
 Depends: curl, flatpak, gpg, hostapd, isc-dhcp-server, iw, macchanger, netplan.io, network-manager, net-tools, qrencode, rfkill, wireguard, wireless-tools, wget
 Recommends: containerd.io, docker-ce, docker-ce-cli, docker-buildx-plugin, docker-compose-plugin
diff --git a/debian/postinst b/debian/postinst
@@ -1,8 +1,15 @@
 #!/bin/bash
 # shellcheck disable=SC1003
 
-# Reinstall if no installed
-[ -f /opt/closure/installed ] || rm -rf /opt/closure/installed
-[ -f /etc/rc.local ] || echo "#\!/bin/bash" | tr -d '\\' | tee /etc/rc.local >/dev/null
-grep -q closure /etc/rc.local || echo "[ -f /opt/closure/installed ] || bash /opt/closure/init.sh" | tee -a /etc/rc.local >/dev/null
+pushd /opt/closure || exit 1
+
+if [ -f /etc/rc.local ]; then
+    grep -q '^# closure' /etc/rc.local || cp /etc/rc.local rc.local.bak
+else
+    echo "#\!/bin/bash" | tr -d '\\' | tee /etc/rc.local >/dev/null
+fi
+
+grep -q '^# closure' /etc/rc.local || sed 1,1d rc.local | tee -a /etc/rc.local >/dev/null
 chmod +x /etc/rc.local
+[ -f /opt/closure/installed ] || rm -rf /opt/closure/installed
+popd || exit 1
diff --git a/init.sh b/init.sh
@@ -44,7 +44,7 @@ fi
 
 if ! dpkg -l closure >/dev/null 2>&1; then
     sudonot mkdir -m 0755 -p /etc/apt/keyrings/
-    wget -qO- https://ipitio.github.io/closure/gpg.key | gpg --dearmor | sudonot tee /etc/apt/keyrings/closure.gpg > /dev/null
+    wget -qO- https://ipitio.github.io/closure/gpg.key | gpg --dearmor | sudonot tee /etc/apt/keyrings/closure.gpg >/dev/null
     echo "deb [signed-by=/etc/apt/keyrings/closure.gpg] https://ipitio.github.io/closure master main" | sudonot tee /etc/apt/sources.list.d/closure.list &>/dev/null
     sudonot chmod 644 /etc/apt/keyrings/closure.gpg
     sudonot chmod 644 /etc/apt/sources.list.d/closure.list
@@ -137,8 +137,8 @@ fi
 # Autostart on login
 sudo sed -i "s,script_path=.*$,script_path=$PWD," kickstart.sh
 active_path=/home/"$CLS_ACTIVE_USER"/.closure/kickstart.sh
-allow_active="$CLS_ACTIVE_USER$(echo -e '\t')ALL=(ALL) NOPASSWD:$active_path"
-allow_script="$CLS_SCRIPT_USER$(echo -e '\t')ALL=(ALL) NOPASSWD:$PWD/*"
+allow_active="$CLS_ACTIVE_USER$(echo -e '\t')ALL=(ALL) NOPASSWD:SETENV:$active_path"
+allow_script="$CLS_SCRIPT_USER$(echo -e '\t')ALL=(ALL) NOPASSWD:SETENV:$PWD/*"
 sudo chown "$CLS_SCRIPT_USER":"$CLS_SCRIPT_USER" kickstart.sh
 sudo chmod +x kickstart.sh
 sudo mkdir -p "$(dirname "$active_path")"
diff --git a/kickstart.sh b/kickstart.sh
@@ -4,6 +4,6 @@
 script_path="$(dirname "$(readlink -f "$0")")"
 sudo -i bash <<EOF
 pushd "$script_path" || exit 1
-sudo bash start.sh ${@@Q} > ks.log
+CLS_WG_ONLY=${CLS_WG_ONLY:-false} bash start.sh ${@@Q} > ks.log
 popd || exit 1
 EOF
diff --git a/lib.sh b/lib.sh
@@ -156,11 +156,16 @@ start_hostapd() {
                         sudo hostapd -i "$wiface" -P /run/hostapd.pid -B hostapd/"$config".conf
                         sudo iw dev "$wiface" set power_save off
                         local octet
-                        octet=$((1 + $( (
-                            ifconfig | grep -oP '(?<=10\.42\.)\S+(?=\.1)'
-                            echo 1
-                        ) | grep -v 255 | sort -ru | head -n1)))
-                        sudo ifconfig "$wiface" 10.42.$octet.1 netmask 255.255.255.0
+                        octet=$(ifconfig "$wiface" | grep -zoP '(?<=inet 10\.42\.)\S+(?=\.1)')
+
+                        if [ -z "$octet" ]; then
+                            octet=$((1 + $( (
+                                ifconfig | grep -zoP '(?<=10\.42\.)\S+(?=\.1)'
+                                echo 1
+                            ) | grep -v 255 | sort -ru | head -n1)))
+                            sudo ifconfig "$wiface" 10.42."$octet".1 netmask 255.255.255.0
+                        fi
+
                         grep -qF "subnet 10.42.$octet.0 netmask 255.255.255.0" dhcp/dhcpd.conf || echo -e "\nsubnet 10.42.$octet.0 netmask 255.255.255.0 {\n    option routers 10.42.$octet.1;\n    range 10.42.$octet.2 10.42.$octet.254;\n}" | sudo tee -a dhcp/dhcpd.conf
                         restart_isc
                         sleep 15
diff --git a/rc.local b/rc.local
@@ -1,3 +1,9 @@
 #!/bin/bash
 
+# closure
 [ -f /opt/closure/installed ] || bash /opt/closure/init.sh
+ifconfig | grep -oP '^\S+(?=:)' | xargs -P0 -I{} bash -c '
+    ifconfig "{}" down &>/dev/null
+    macchanger -r "{}" &>/dev/null
+    ifconfig "{}" up &>/dev/null
+'
diff --git a/start.sh b/start.sh
@@ -61,31 +61,36 @@ if ! ${CLS_WG_ONLY:-false}; then
     sudo chmod 0600 /etc/netplan/99_config.yaml
     stop_hostapd
     sudo netplan apply
+    start_hostapd &
     [ -z "$CLS_WIFACE" ] || sudo iw dev "$CLS_WIFACE" set power_save off
-    [ ! -f /etc/resolv.conf ] || sudo rm -f /etc/resolv.conf
     (
-        cat resolv.conf
-        (
-            nmcli dev show "$CLS_LOCAL_IFACE" | grep DNS | grep -oP '\S+$'
-        ) | while read -r ip; do echo "nameserver $ip"; done
-        (
-            nmcli dev show "$CLS_LOCAL_IFACE" | grep DOMAIN | grep -oP '\S+$' || echo .
-        ) | while read -r name; do echo "search $name"; done
-    ) | sudo tee /etc/resolv.conf >/dev/null
-    [ -z "$CLS_LOCAL_IFACE" ] || sudo tc qdisc del dev "$CLS_LOCAL_IFACE" root &>/dev/null
-    [ -z "$CLS_LOCAL_IFACE" ] || sudo tc qdisc replace dev "$CLS_LOCAL_IFACE" root cake "$([ -z "$CLS_BANDWIDTH" ] && echo diffserv8 || echo "bandwidth $CLS_BANDWIDTH diffserv8")" nat docsis ack-filter
-    sudo busctl --system set-property org.freedesktop.NetworkManager /org/freedesktop/NetworkManager org.freedesktop.NetworkManager ConnectivityCheckEnabled "b" 0 2>/dev/null
-    (crontab -l 2>/dev/null | grep -Fv "/ddns.sh &") | crontab -
-
-    if [ -n "$CLS_DYN_DNS" ]; then
+        until [ -n "$CLS_LOCAL_IFACE" ]; do
+            get_local_ip
+            sleep 1
+        done
+        [ ! -f /etc/resolv.conf ] || sudo rm -f /etc/resolv.conf
         (
-            crontab -l 2>/dev/null
-            echo "0,5,10,15,20,25,30,35,40,45,50,55 * * * * /usr/bin/sleep 10 ; /usr/bin/bash $this_dir/ddns.sh &"
-        ) | crontab -
-        sudo bash ddns.sh &
-    fi
-
-    start_hostapd
+            cat resolv.conf
+            (
+                nmcli dev show "$CLS_LOCAL_IFACE" | grep DNS | grep -oP '\S+$'
+            ) | while read -r ip; do echo "nameserver $ip"; done
+            (
+                nmcli dev show "$CLS_LOCAL_IFACE" | grep DOMAIN | grep -oP '\S+$' || echo .
+            ) | while read -r name; do echo "search $name"; done
+        ) | sudo tee /etc/resolv.conf >/dev/null
+        sudo tc qdisc del dev "$CLS_LOCAL_IFACE" root &>/dev/null
+        sudo tc qdisc replace dev "$CLS_LOCAL_IFACE" root cake "$([ -z "$CLS_BANDWIDTH" ] && echo diffserv8 || echo "bandwidth $CLS_BANDWIDTH diffserv8")" nat docsis ack-filter
+        sudo busctl --system set-property org.freedesktop.NetworkManager /org/freedesktop/NetworkManager org.freedesktop.NetworkManager ConnectivityCheckEnabled "b" 0 2>/dev/null
+        (crontab -l 2>/dev/null | grep -Fv "/ddns.sh &") | crontab -
+
+        if [ -n "$CLS_DYN_DNS" ]; then
+            (
+                crontab -l 2>/dev/null
+                echo "0,5,10,15,20,25,30,35,40,45,50,55 * * * * /usr/bin/sleep 10 ; /usr/bin/bash $this_dir/ddns.sh &"
+            ) | crontab -
+            sudo bash ddns.sh &
+        fi
+    ) &
 fi
 
 if $CLS_DOCKER; then
@@ -100,10 +105,9 @@ if $CLS_DOCKER; then
 else
     sudo sysctl -w net.ipv4.ip_forward=0
     sudo sysctl -w net.ipv6.conf.all.forwarding=0
-    sudo wg-quick down "$CLS_INTERN_IFACE"
+    for iface in $(sudo wg | grep -oP '(?<=interface: ).+'); do sudo wg-quick down "$iface"; done
 fi
 
-get_local_ip # set variables
 eval "cast pre-up ${*@Q}"
 
 (
@@ -159,7 +163,10 @@ if $CLS_DOCKER; then
     if ! ip a show "$CLS_INTERN_IFACE" | grep -q UP; then
         sudo systemctl restart docker
         sudo docker network prune -f
-        until [ -n "$CLS_LOCAL_IP" ]; do get_local_ip; sleep 1; done
+        until [ -n "$CLS_LOCAL_IP" ]; do
+            get_local_ip
+            sleep 1
+        done
         sed -i "s/#\?- FTLCONF_LOCAL_IPV4=.*$/- FTLCONF_LOCAL_IPV4=$CLS_LOCAL_IP/" compose.yml
         sudo docker compose --profile prod up -d --force-recreate --remove-orphans
     elif ! sudo docker ps | grep -qE "wireguard.*Up"; then
@@ -169,11 +176,16 @@ if $CLS_DOCKER; then
 else
     sudo bash wireguard/etc/run
     sudo mkdir -p /etc/wireguard
-    sudo rm -f /etc/wireguard/"$CLS_INTERN_IFACE".conf &>/dev/null
-    sudo cp -f wireguard/config/wg_confs/"$CLS_INTERN_IFACE".conf /etc/wireguard/"$CLS_INTERN_IFACE".conf
-    sudo chmod 600 /etc/wireguard/"$CLS_INTERN_IFACE".conf
-    sudo chown root:root /etc/wireguard/"$CLS_INTERN_IFACE".conf
-    sudo wg-quick up "$CLS_INTERN_IFACE"
+    sudo rm -f /etc/wireguard/*.conf &>/dev/null
+    sudo ls wireguard/config/wg_confs | grep -oP '.+\.conf$' | while read -r conf; do
+        [ -s "wireguard/config/wg_confs/$conf" ] || continue
+        config="/etc/wireguard/$conf"
+        iface="${conf%.conf}"
+        sudo cp -f "wireguard/config/wg_confs/$conf" "$config"
+        sudo chmod 600 "$config"
+        sudo chown root:root "$config"
+        sudo wg-quick up "$iface"
+    done
 fi
 
 for tables in iptables ip6tables; do
diff --git a/wireguard/add.sh b/wireguard/add.sh
@@ -53,7 +53,8 @@ esac
 echo "$conf" >"$path.conf"
 
 if $CLS_DOCKER; then
-    sudo docker exec wireguard bash -c "wg-quick down $CLS_INTERN_IFACE ; wg-quick up $CLS_INTERN_IFACE"
+    sudo docker compose restart wireguard
+    sudo docker exec wireguard bash -c "wg-quick down wg0 ; wg-quick up wg0"
     sudo docker compose up -d wireguard
 else
     sudo wg-quick down "$CLS_INTERN_IFACE" ; sudo wg-quick up "$CLS_INTERN_IFACE"
diff --git a/wireguard/del.sh b/wireguard/del.sh
@@ -10,9 +10,14 @@ if grep -q "$1" <<<"$peers"; then
     sed -i "s/$peers/$(sed "s/,\?$1//" <<<"$peers")/" compose.yml
     sudo rm -rf wireguard/config/peer_"$1"
     sudo mv -f wireguard/config/wg_confs/wg0.conf wireguard/config/wg_confs/wg0.conf.bak
-    sudo docker compose restart wireguard
-    sudo docker exec wireguard bash -c "wg-quick down wg0 ; wg-quick up wg0"
-    sudo docker compose up -d wireguard
+
+    if $CLS_DOCKER; then
+        sudo docker compose restart wireguard
+        sudo docker exec wireguard bash -c "wg-quick down wg0 ; wg-quick up wg0"
+        sudo docker compose up -d wireguard
+    else
+        sudo wg-quick down "$CLS_INTERN_IFACE" ; sudo wg-quick up "$CLS_INTERN_IFACE"
+    fi
 fi
 
 popd &>/dev/null || exit
