mirror of
https://git.libreschool.org/paspo/brasatore.git
synced 2024-11-25 15:48:44 +00:00
202 lines
6.1 KiB
Bash
202 lines
6.1 KiB
Bash
|
#!/bin/bash
|
||
|
|
||
|
LAN_IFACE=ens224
|
||
|
WAN_IFACE=ens192
|
||
|
HOSTNAME=brasatore
|
||
|
DHCP_START=172.16.77.50
|
||
|
DHCP_END=172.16.77.150
|
||
|
LAN_IP=172.16.77.1
|
||
|
LAN_SUBNET=255.255.255.0
|
||
|
|
||
|
# pacchetti
|
||
|
cat >/etc/apt/sources.list <<EOF
|
||
|
deb http://deb.debian.org/debian bookworm main contrib non-free non-free-firmware
|
||
|
deb http://deb.debian.org/debian-security bookworm-security main contrib non-free non-free-firmware
|
||
|
deb http://deb.debian.org/debian bookworm-updates main contrib non-free non-free-firmware
|
||
|
EOF
|
||
|
apt update
|
||
|
apt install -y dnsmasq nginx iptables ipxe syslinux-common unzip nfs-kernel-server
|
||
|
|
||
|
# directory
|
||
|
mkdir -p /srv/pxe/iso /srv/pxe/mount /srv/tftp
|
||
|
|
||
|
# nginx config
|
||
|
cat > /etc/nginx/sites-available/pxe <<EOF
|
||
|
server {
|
||
|
listen 80 default_server;
|
||
|
listen [::]:80 default_server;
|
||
|
root /srv/pxe;
|
||
|
location / {
|
||
|
autoindex on;
|
||
|
}
|
||
|
}
|
||
|
EOF
|
||
|
[ -f /etc/nginx/sites-enabled/default ] && rm /etc/nginx/sites-enabled/default
|
||
|
[ ! -f /etc/nginx/sites-enabled/pxe ] && ln -s /etc/nginx/sites-available/pxe /etc/nginx/sites-enabled/pxe
|
||
|
service nginx restart
|
||
|
|
||
|
# hostname
|
||
|
echo "$HOSTNAME" > /etc/hostname
|
||
|
hostname -F /etc/hostname
|
||
|
cat > /etc/hosts <<EOF
|
||
|
127.0.0.1 localhost
|
||
|
127.0.1.1 $HOSTNAME
|
||
|
# The following lines are desirable for IPv6 capable hosts
|
||
|
::1 localhost ip6-localhost ip6-loopback
|
||
|
ff02::1 ip6-allnodes
|
||
|
ff02::2 ip6-allrouters
|
||
|
EOF
|
||
|
|
||
|
# network
|
||
|
cat > /etc/network/interfaces.d/lan <<EOF
|
||
|
auto $LAN_IFACE
|
||
|
iface $LAN_IFACE inet static
|
||
|
address $LAN_IP
|
||
|
netmask $LAN_SUBNET
|
||
|
EOF
|
||
|
ifup $LAN_IFACE
|
||
|
|
||
|
# routing/firewall
|
||
|
iptables -t nat -F
|
||
|
iptables -t nat -A POSTROUTING -o $WAN_IFACE -j MASQUERADE
|
||
|
iptables -F
|
||
|
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
|
||
|
iptables -A INPUT -m state --state NEW -p icmp -j ACCEPT
|
||
|
iptables -A INPUT -m state --state NEW ! -i $LAN_IFACE -j ACCEPT
|
||
|
iptables -A INPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT
|
||
|
iptables -A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
|
||
|
iptables -A INPUT -m state --state NEW -p tcp --dport 53 -j ACCEPT
|
||
|
iptables -A INPUT -m state --state NEW -p udp --dport 53 -j ACCEPT
|
||
|
iptables -A INPUT -m state --state NEW -i $LAN_IFACE -p udp --dport 67 -j ACCEPT
|
||
|
iptables -A INPUT -m state --state NEW -i $LAN_IFACE -p udp --dport 69 -j ACCEPT
|
||
|
iptables -A INPUT -m state --state NEW -i $LAN_IFACE -p tcp --dport 111 -j ACCEPT
|
||
|
iptables -A INPUT -m state --state NEW -i $LAN_IFACE -p udp --dport 111 -j ACCEPT
|
||
|
iptables -A INPUT -m state --state NEW -i $LAN_IFACE -p tcp --dport 2049 -j ACCEPT
|
||
|
iptables -A INPUT -m state --state NEW -i $LAN_IFACE -p udp --dport 2049 -j ACCEPT
|
||
|
iptables -A INPUT -m state --state NEW -i $LAN_IFACE -p tcp --dport 4047 -j ACCEPT
|
||
|
iptables -A INPUT -m state --state NEW -i $LAN_IFACE -p udp --dport 4047 -j ACCEPT
|
||
|
iptables -A INPUT -m state --state NEW -i $LAN_IFACE -p tcp --dport 4048 -j ACCEPT
|
||
|
iptables -A INPUT -m state --state NEW -i $LAN_IFACE -p udp --dport 4048 -j ACCEPT
|
||
|
iptables -A FORWARD -i $LAN_IFACE -o $LAN_IFACE -j REJECT
|
||
|
iptables -P INPUT DROP
|
||
|
iptables-save > /etc/iptables.rules
|
||
|
cat > /etc/network/if-pre-up.d/iptables <<EOF
|
||
|
#!/bin/sh
|
||
|
iptables-restore < /etc/iptables.rules
|
||
|
exit 0
|
||
|
EOF
|
||
|
echo 1 > /proc/sys/net/ipv4/ip_forward
|
||
|
echo "net.ipv4.ip_forward=1" > /etc/sysctl.d/ipv4_forward.conf
|
||
|
|
||
|
|
||
|
# dnsmasq config
|
||
|
cat > /etc/dnsmasq.d/tftp <<EOF
|
||
|
enable-tftp
|
||
|
tftp-root=/srv/tftp
|
||
|
tftp-no-fail
|
||
|
EOF
|
||
|
cat > /etc/dnsmasq.d/dhcp <<EOF
|
||
|
dhcp-range=$DHCP_START,$DHCP_END,4h
|
||
|
dhcp-option=option:router,$LAN_IP
|
||
|
dhcp-option=option:dns-server,$LAN_IP
|
||
|
dhcp-authoritative
|
||
|
log-dhcp
|
||
|
EOF
|
||
|
cat > /etc/dnsmasq.d/dns <<EOF
|
||
|
bogus-priv
|
||
|
no-resolv
|
||
|
server=9.9.9.9
|
||
|
server=1.1.1.2
|
||
|
expand-hosts
|
||
|
log-queries
|
||
|
EOF
|
||
|
service dnsmasq restart
|
||
|
|
||
|
|
||
|
# netboot.xyz (alternativa 1)
|
||
|
#cat > /etc/dnsmasq.d/pxe <<EOF
|
||
|
#dhcp-match=set:bios,option:client-arch,0
|
||
|
#dhcp-boot=tag:bios,netboot.xyz.kpxe
|
||
|
#dhcp-boot=tag:!bios,netboot.xyz.efi
|
||
|
#EOF
|
||
|
#wget -c -O /srv/tftp/netboot.xyz.kpxe http://boot.netboot.xyz/ipxe/netboot.xyz.kpxe
|
||
|
#wget -c -O /srv/tftp/netboot.xyz.efi http://boot.netboot.xyz/ipxe/netboot.xyz.efi
|
||
|
#service dnsmasq restart
|
||
|
|
||
|
# ipxe (alternativa 2)
|
||
|
#cat > /etc/dnsmasq.d/pxe <<EOF
|
||
|
#dhcp-match=set:bios,option:client-arch,0
|
||
|
#dhcp-boot=tag:bios,undionly.kpxe
|
||
|
#dhcp-boot=tag:!bios,ipxe.efi
|
||
|
#dhcp-match=ipxe,175
|
||
|
#dhcp-boot=net:ipxe,http://$LAN_IP/boot-netboot.txt
|
||
|
#EOF
|
||
|
#cat > /srv/pxe/boot-netboot.txt <<EOF
|
||
|
##!ipxe
|
||
|
#dhcp
|
||
|
#chain --autofree http://boot.netboot.xyz
|
||
|
#EOF
|
||
|
#[ ! -f /srv/tftp/undionly.kpxe ] && cp /usr/lib/ipxe/undionly.kpxe /srv/tftp/undionly.kpxe
|
||
|
#[ ! -f /srv/tftp/ipxe.efi ] && cp /usr/lib/ipxe/ipxe.efi /srv/tftp/ipxe.efi
|
||
|
#service dnsmasq restart
|
||
|
|
||
|
# nfs
|
||
|
sed -i 's/^RPCMOUNTDOPTS.*/RPCMOUNTDOPTS="--manage-gids --port 4047"/' /etc/default/nfs-kernel-server
|
||
|
cat > /etc/exports <<EOF
|
||
|
/srv/pxe ${LAN_IP}/${LAN_SUBNET}(ro,async,no_root_squash,no_subtree_check,crossmnt)
|
||
|
EOF
|
||
|
exportfs -r
|
||
|
# questo è da fare meglio in modo che sia ripetibile
|
||
|
cat >> /etc/services <<EOF
|
||
|
mountd 4047/tcp
|
||
|
mountd 4047/udp
|
||
|
lockd 4048/tcp
|
||
|
lockd 4048/udp
|
||
|
EOF
|
||
|
|
||
|
|
||
|
# ipxe OK
|
||
|
cat > /etc/dnsmasq.d/pxe <<EOF
|
||
|
dhcp-match=set:bios,option:client-arch,0
|
||
|
dhcp-boot=tag:bios,undionly.kpxe
|
||
|
dhcp-boot=tag:!bios,ipxe.efi
|
||
|
dhcp-match=ipxe,175
|
||
|
dhcp-boot=net:ipxe,http://$LAN_IP/boot.txt
|
||
|
EOF
|
||
|
[ ! -f /srv/tftp/undionly.kpxe ] && cp /usr/lib/ipxe/undionly.kpxe /srv/tftp/undionly.kpxe
|
||
|
[ ! -f /srv/tftp/ipxe.efi ] && cp /usr/lib/ipxe/ipxe.efi /srv/tftp/ipxe.efi
|
||
|
[ ! -f /srv/pxe/memdisk ] && cp /usr/lib/syslinux/memdisk /srv/pxe/memdisk
|
||
|
if [ ! -f /srv/pxe/iso/freedos.iso] ; then
|
||
|
wget -c -O /tmp/FD13-LiveCD.zip https://www.ibiblio.org/pub/micro/pc-stuff/freedos/files/distributions/1.3/official/FD13-LiveCD.zip
|
||
|
unzip /tmp/FD13-LiveCD.zip -d /srv/pxe/iso/ *.iso && rm /tmp/FD13-LiveCD.zip
|
||
|
fi
|
||
|
|
||
|
|
||
|
|
||
|
# memtest: https://www.memtest.org/download/v6.20/mt86plus_6.20.binaries.zip
|
||
|
|
||
|
# mount on boot
|
||
|
cat > /etc/systemd/system/mount-isos.service <<EOF
|
||
|
[Unit]
|
||
|
Description=Mount ISOs
|
||
|
|
||
|
[Service]
|
||
|
ExecStart=/srv/pxe/mount/mount-all.sh
|
||
|
|
||
|
[Install]
|
||
|
WantedBy=multi-user.target
|
||
|
EOF
|
||
|
cat > /srv/pxe/mount/mount-all.sh <<EOF
|
||
|
#!/bin/bash
|
||
|
|
||
|
montami() {
|
||
|
B=\$(basename \$1)
|
||
|
mount "/srv/pxe/iso/\$B" "/srv/pxe/mount/\$B"
|
||
|
echo "mounted '/srv/pxe/iso/\$B' on '/srv/pxe/mount/\$B'"
|
||
|
}
|
||
|
export -f montami
|
||
|
find /srv/pxe/mount/ -mindepth 1 -maxdepth 1 -type d -exec bash -c 'montami "\$0"' {} \;
|
||
|
|
||
|
EOF
|
||
|
chmod u+x /srv/pxe/mount/mount-all.sh
|
||
|
systemctl enable mount-isos
|