install self, boot even faster, gen subnets

ipitio · ipitio · commit 34158b0752df · 2025-05-18T09:53:23.000-04:00
diff --git a/README.md b/README.md
@@ -6,7 +6,7 @@
 
 ---
 
-[![build](https://github.com/ipitio/closure/actions/workflows/release.yml/badge.svg)](https://github.com/ipitio/closure/pkgs/container/closure)
+[![build](https://github.com/ipitio/closure/actions/workflows/release.yml/badge.svg)](https://github.com/ipitio/closure/releases/latest)
 
 </div>
 
@@ -16,7 +16,7 @@ You can run WireGuard with Docker or on the host. If you run it with Docker (ava
 
 ## Getting Started
 
-Just edit some variables and go!
+Install. Configure. Reboot.
 
 ### Definitions
 
@@ -47,39 +47,39 @@ Keep in mind that:
 - To configure Pi-hole more extensively, such as by enabling DHCP, see the [Pi-hole documentation](https://github.com/pi-hole/docker-pi-hole/tree/2024.07.0?tab=readme-ov-file#environment-variables).
 - The hooks may be useful, for example, if you'd like to coordinate with an external, outbound VPN on a Hub or SaaH. All arguments given to `start.sh`and `stop.sh` are passed to their respective hooks.
 
-To customize iptables, modify the relevant lines in `start.sh` and `stop.sh`.
-
-> [!WARNING]
+> [!NOTE]
 > The WireGuard service in the Compose file must be configured whether or not you'll use Docker ([docs](https://docs.linuxserver.io/images/docker-wireguard)).
 
-> [!CAUTION]
+> [!WARNING]
 > If a user you specify in `env.sh` doesn't exist, it will be created. By default, the password will be the same as the username; change it!
 
 ### Deployment
 
 Create or update a node in two or three steps:
 
-1. Move this repo to the target or install the [package](https://github.com/ipitio/closure/releases):
+1. Either install the [package](https://github.com/ipitio/closure/releases) directly...
 
 ```{bash}
 sudo apt-get update
 sudo DEBIAN_FRONTEND=noninteractive apt-get install -qq gpg wget
 sudo mkdir -m 0755 -p /etc/apt/keyrings/
 wget -qO- https://ipitio.github.io/closure/gpg.key | gpg --dearmor | sudo tee /etc/apt/keyrings/closure.gpg > /dev/null
 sudo chmod 644 /etc/apt/keyrings/closure.gpg
-echo "deb [signed-by=/etc/apt/keyrings/closure.gpg] https://ipitio.github.io/closure master main" | sudo tee /etc/apt/sources.list.d/closure.list
+echo "deb [signed-by=/etc/apt/keyrings/closure.gpg] https://ipitio.github.io/closure master main" | sudo tee /etc/apt/sources.list.d/closure.list &>/dev/null
 sudo chmod 644 /etc/apt/sources.list.d/closure.list
 sudo apt-get update
 sudo DEBIAN_FRONTEND=noninteractive apt-get install --no-install-recommends -qq closure
 ```
 
-2. Edit the files above (in `/opt/closure` if you installed the package). If you didn't install the package, change the path in `rc.local` and move it to `/etc`. Ensure the target is connected to the internet and reboot.
-3. On a Hub or HaaS, add a Spoke or SaaH peer by running `add.sh` (as described below). Then, for a SaaH, add an `SERVER_ALLOWEDIPS_PEER_[SaaH]=` environment variable -- using the peer's name sans the brackets -- for the wireguard service with the difference of `0.0.0.0/1,128.0.0.0/1,::/1,8000::/1` and the peer's IP, and run `sudo kickstart.sh`. This [AllowedIPs Calculator](https://www.procustodibus.com/blog/2021/03/wireguard-allowedips-calculator) is pretty nifty. Follow a similar process for a Spoke, if needed.
+...Or copy this repo to `/opt/closure` on the target. Then verify the path inside `rc.local`, make it executable, and move it to `/etc`. The package will be installed after the next step.
+
+2. Edit the files above and reboot. This boot, as well as those after upgrading, may take a while as everything is set up, but the subsequent ones will be much faster.
+3. On a Hub or HaaS, add a Spoke or SaaH peer by running `add.sh` (as described below). Then, for a SaaH, add an `SERVER_ALLOWEDIPS_PEER_[SaaH]=` environment variable -- using the peer's name sans the brackets -- for the wireguard service with the difference of `0.0.0.0/1,128.0.0.0/1,::/1,8000::/1` and the peer's IP, and run `sudo bash restart.sh`. This [AllowedIPs Calculator](https://www.procustodibus.com/blog/2021/03/wireguard-allowedips-calculator) is pretty nifty. Follow a similar process for a Spoke, if needed.
 
 Set a Hub or HaaS up first, so you can generate the necessary peer configuration for a Spoke or SaaH, then drop it in the Spoke's or SaaH's `wireguard/config/wg_confs` directory before their reboot.
 
 > [!NOTE]
-> Any arguments passed to `kickstart.sh` are passed to `init.sh` and `start.sh`, and `init.sh` can add or edit wifi networks -- useful on a Raspberry Pi Zero (2) W! See the top of `init.sh` for the arguments it takes.
+> Any arguments passed to `kickstart.sh` are passed to `start.sh`, which can add or edit wifi networks -- useful on a Raspberry Pi Zero (2) W! See the top of `start.sh` for the arguments it takes.
 
 > [!IMPORTANT]
 > Remember to forward a port to your Hub or HaaS, which listens on 51820 by default. Use 443 on your router to bypass some basic firewall filters.
@@ -101,7 +101,8 @@ By default, `add.sh` sets the peer to route outgoing traffic through the VPN. Yo
 -o, --outgoing    Route outgoing traffic through the VPN
 ```
 
-While `start.sh` brings everything up, `stop.sh` only stops WireGuard. `restart.sh` simply calls these two scripts, passing all of its arguments to them. Therefore, when stopping, if you're using Docker, you must also run `sudo docker compose down` to bring the other services down. Happy stargazing!
+> [!NOTE]
+> While `start.sh` brings everything up, `restart.sh` only restarts WireGuard.
 
 > [!TIP]
 > Don't forget to share an updated config with its peer.
diff --git a/debian/control b/debian/control
@@ -4,9 +4,9 @@ Homepage: https://github.com/ipitio/closure
 Standards-Version: 3.9.2
 
 Package: closure
-Version: 1.6.5
+Version: 1.6.6
 Maintainer: ipitio <21136719+ipitio@users.noreply.github.com>
-Depends: curl, flatpak, hostapd, isc-dhcp-server, iw, macchanger, netplan.io, network-manager, net-tools, qrencode, rfkill, wireguard, wireless-tools, wget
+Depends: curl, flatpak, gpg, hostapd, isc-dhcp-server, iw, macchanger, netplan.io, network-manager, net-tools, qrencode, rfkill, wireguard, wireless-tools, wget
 Recommends: containerd.io, docker-ce, docker-ce-cli, docker-buildx-plugin, docker-compose-plugin
 Suggests: build-essential, byobu, dkms, iperf3, nmap, tmux, traceroute, wmctrl
 Copyright: debian/copyright
diff --git a/debian/postinst b/debian/postinst
@@ -2,6 +2,7 @@
 # shellcheck disable=SC1003
 
 # Reinstall if no installed
+[ -f /opt/closure/installed ] || rm -rf /opt/closure/installed
 [ -f /etc/rc.local ] || echo "#\!/bin/bash" | tr -d '\\' | tee /etc/rc.local >/dev/null
-grep -q closure /etc/rc.local || echo "[ -f /opt/closure/installed ] || bash /opt/closure/kickstart.sh" | tee -a /etc/rc.local >/dev/null
+grep -q closure /etc/rc.local || echo "[ -f /opt/closure/installed ] || bash /opt/closure/init.sh" | tee -a /etc/rc.local >/dev/null
 chmod +x /etc/rc.local
diff --git a/examples/dhcp/dhcpd.conf b/examples/dhcp/dhcpd.conf
@@ -6,8 +6,11 @@ max-lease-time 7200;
 ddns-update-style none;
 authoritative;
 
-# as many routers as APs
+# subnets for netplan ethernets, just keep incrementing the third octet
+
 subnet 10.42.1.0 netmask 255.255.255.0 {
-    range 10.42.1.4 10.42.1.254;
-    option routers 10.42.1.1, 10.42.1.2, 10.42.1.3;
+    option routers 10.42.1.1;
+    range 10.42.1.2 10.42.1.254;
 }
+
+# subnets for hostapd are generated automatically
diff --git a/init.sh b/init.sh
@@ -55,12 +55,20 @@ if ! dpkg -l docker-ce >/dev/null 2>&1; then
     echo "deb [trusted=yes arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu $(. /etc/os-release && echo "${UBUNTU_CODENAME:-$VERSION_CODENAME}") stable" | sudo tee /etc/apt/sources.list.d/docker.list >/dev/null
 fi
 
+if ! dpkg -l closure >/dev/null 2>&1; then
+    sudo mkdir -m 0755 -p /etc/apt/keyrings/
+    wget -qO- https://ipitio.github.io/closure/gpg.key | gpg --dearmor | sudo tee /etc/apt/keyrings/closure.gpg > /dev/null
+    echo "deb [signed-by=/etc/apt/keyrings/closure.gpg] https://ipitio.github.io/closure master main" | sudo tee /etc/apt/sources.list.d/closure.list &>/dev/null
+    sudo chmod 644 /etc/apt/keyrings/closure.gpg
+    sudo chmod 644 /etc/apt/sources.list.d/closure.list
+fi
+
 [ ! -f /etc/apt/preferences.d/nosnap.pref ] || sudo mv /etc/apt/preferences.d/nosnap.pref /etc/apt/preferences.d/nosnap.pref.bak
 sudo systemctl disable --now whoopsie.path &>/dev/null
 sudo systemctl mask whoopsie.path &>/dev/null
 sudo apt-get purge -y ubuntu-report popularity-contest apport whoopsie
 # shellcheck disable=SC2046
-apt_install $(grep -oP '((?<=^Depends: )|(?<=^Recommends: )|(?<=^Suggests: )).*' debian/control | tr -d ',' | tr '\n' ' ')
+apt_install closure $(grep -oP '((?<=^Depends: )|(?<=^Recommends: )|(?<=^Suggests: )).*' debian/control | tr -d ',' | tr '\n' ' ')
 sudo apt autoremove -y
 yq -V | grep -q mikefarah &>/dev/null || {
     [ ! -f /usr/bin/yq ] || sudo mv -f /usr/bin/yq /usr/bin/yq.bak
diff --git a/kickstart.sh b/kickstart.sh
@@ -4,7 +4,6 @@
 script_path="$(dirname "$(readlink -f "$0")")"
 sudo -i bash <<EOF
 pushd "$script_path" || exit 1
-sudo bash stop.sh ${@@Q} > ks.log
-sudo bash start.sh ${@@Q} >> ks.log
+sudo bash start.sh ${@@Q} > ks.log
 popd || exit 1
 EOF
diff --git a/lib.sh b/lib.sh
@@ -83,11 +83,11 @@ restart_isc() {
 
 stop_hostapd() {
     local aps
-    aps=$(sudo find /var/run/hostapd -type s | grep -oP '(?<=/var/run/hostapd/).+')
+    aps=$(sudo find /var/run/hostapd -type s 2>&1 | grep -oP '(?<=/var/run/hostapd/).+')
     ps -aux | grep -P "^[^-]+hostapd$2" | awk '{print $2}' | while read -r pid; do sudo kill -9 "$pid" &>/dev/null; done
 
-    for wiface in $aps; do
-        [[ -z "$1" || "$1" == "${wiface//*@/}" ]] || continue
+    for wiface in $1 $aps; do
+        [[ -z "$1" || "$1" == "$wiface" ]] || continue
         sudo rm -rf /var/run/hostapd/"$wiface" &>/dev/null
         [[ ! "$wiface" =~ @ ]] || sudo iw dev "$wiface" del &>/dev/null
     done
@@ -118,6 +118,7 @@ start_hostapd() {
         for wiface in "${!wifaces_configs[@]}"; do
             config="${wifaces_configs[$wiface]}"
             [ "$config" != "." ] || config="$wiface"
+            echo "Starting hostapd on $wiface with config $config"
             [ -f hostapd/"$config".conf ] && ! yq '(.network.wifis | keys)[]' netplan.yml | grep -qFx "$wiface" && iw dev | grep -qzP "Interface ${wiface//*@/}\n" && ! iw dev "$wiface" info | grep -q ssid || continue
             # https://raw.githubusercontent.com/MkLHX/AP_STA_RPI_SAME_WIFI_CHIP/refs/heads/master/ap_sta_config2.sh
             [[ ! "$wiface" =~ @ ]] || until [ -n "$freq" ]; do freq=$(iwconfig "${wiface//*@/}" | grep -oP '(?<=Frequency:)\S+' | tr -d '.'); done
@@ -134,7 +135,13 @@ start_hostapd() {
                         [[ ! "$wiface" =~ @ ]] || sudo iw dev "${wiface//*@/}" interface add "$wiface" type __ap
                         sudo hostapd -i "$wiface" -P /run/hostapd.pid -B hostapd/"$config".conf
                         sudo iw dev "$wiface" set power_save off
-                        sudo ifconfig "$wiface" 10.42.1.$((1 + $( (ifconfig | grep -oP '(?<=10\.42\.1\.)\S+'; echo 1) | grep -v 255 | sort -ru | head -n1))) netmask 255.255.255.0
+                        local octet
+                        octet=$((1 + $( (
+                            ifconfig | grep -oP '(?<=10\.42\.)\S+(?=\.1)'
+                            echo 1
+                        ) | grep -v 255 | sort -ru | head -n1)))
+                        sudo ifconfig "$wiface" 10.42.$octet.1 netmask 255.255.255.0
+                        grep -qF "subnet 10.42.$octet.0 netmask 255.255.255.0" dhcp/dhcpd.conf || echo -e "\nsubnet 10.42.$octet.0 netmask 255.255.255.0 {\n    option routers 10.42.$octet.1;\n    range 10.42.$octet.2 10.42.$octet.254;\n}" | sudo tee -a dhcp/dhcpd.conf
                         restart_isc
                         sleep 15
                     done
@@ -171,7 +178,7 @@ direct_domain() {
     local ichi
     ichi=$(dig +short "$1")
     for ip in $ichi; do ip r | grep -q "$ip" || sudo ip route add "$ip" via "$CLS_GATEWAY" dev "$CLS_LOCAL_IFACE" &>/dev/null; done
-    $2
+    $2 &>/dev/null
     for ip in $ichi; do ! ip r | grep -q "$ip" || sudo ip route del "$ip" &>/dev/null; done
 }
 
diff --git a/rc.local b/rc.local
@@ -4,4 +4,4 @@
 CLS_PATH="/opt/closure"
 
 # don't change it here
-[ -f /opt/closure/installed ] || bash "$CLS_PATH"/kickstart.sh
+[ -f /opt/closure/installed ] || bash "$CLS_PATH"/init.sh
diff --git a/restart.sh b/restart.sh
@@ -31,4 +31,5 @@ for tables in iptables ip6tables; do
 done
 
 eval "cast post-down ${*@Q}"
+bash start.sh ${@@Q}
 popd || exit
diff --git a/start.sh b/start.sh
@@ -33,6 +33,8 @@ fi
 sudo cp -f netplan.yml /etc/netplan/99_config.yaml
 sudo chmod 0600 /etc/netplan/99_config.yaml
 stop_hostapd
+sudo sed -i '/# subnets for hostapd/,$d' dhcp/dhcpd.conf
+echo -e "# subnets for hostapd are generated automatically" | sudo tee -a dhcp/dhcpd.conf >/dev/null
 sudo netplan apply
 start_hostapd
 sudo iw dev "$CLS_WIFACE" set power_save off
@@ -60,6 +62,8 @@ if $CLS_DOCKER; then
             sudo ip6tables -L -t "$table" | grep -q "$chain" || sudo ip6tables -N "$chain" -t "$table"
         done
     done
+else
+    sudo wg-quick down "$CLS_INTERN_IFACE"
 fi
 
 eval "cast pre-up ${*@Q}"
@@ -101,7 +105,7 @@ sudo cp -f /etc/resolv.conf.bak /etc/resolv.conf
         sleep 5
     done
 
-    exec sudo bash restart.sh "$@"
+    exec sudo bash restart.sh ${@@Q}
 ) &
 
 if $CLS_DOCKER; then
