diff --git a/salt/pillars/hostapd.sls b/salt/pillars/hostapd.sls
new file mode 100644
index 0000000..70c0903
--- /dev/null
+++ b/salt/pillars/hostapd.sls
@@ -0,0 +1,5 @@
+hostapd:
+ country_code: SE
+ ssid: Transportable Lab Unit
+ channel: 6
+ wpa_passphrase: linux2linux
diff --git a/salt/pillars/network.sls b/salt/pillars/network.sls
index f25c408..4c4c533 100644
--- a/salt/pillars/network.sls
+++ b/salt/pillars/network.sls
@@ -4,11 +4,10 @@ network:
 netaddress: 192.168.0.0
 netmask: 24
 ip: 192.168.0.1
- ap: 192.168.0.2
- wifipass: linux2linux
 interface:
 internal: eth0
+ bridge: br0
 external: eth1
 wireless: wlan0
diff --git a/salt/pillars/top.sls b/salt/pillars/top.sls
index c1deed5..de48519 100644
--- a/salt/pillars/top.sls
+++ b/salt/pillars/top.sls
@@ -8,6 +8,7 @@ base:
 - remote-desktop
 - ssh
 - wireguard
+ - hostapd
 {% if salt['pillar.file_exists']('local.sls') %}
 - local
 {% endif %}
diff --git a/salt/states/firewalld/init.sls b/salt/states/firewalld/init.sls
index d02d634..7fb0a12 100644
--- a/salt/states/firewalld/init.sls
+++ b/salt/states/firewalld/init.sls
@@ -28,6 +28,7 @@ Configure firewalld for internal network:
 - interfaces:
 - {{ pillar['network']['interface']['internal'] }}
 - {{ pillar['wireguard']['iface'] }}
+ - {{ pillar['network']['interface']['wireless'] }}
 - sources:
 - {{ pillar['network']['netaddress'] }}/{{ pillar['network']['netmask'] }}
 - services:
diff --git a/salt/states/hostapd/files/hostapd.conf.jinja b/salt/states/hostapd/files/hostapd.conf.jinja
new file mode 100644
index 0000000..e8dc03a
--- /dev/null
+++ b/salt/states/hostapd/files/hostapd.conf.jinja
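Review bot: `wpa_passphrase: linux2linux` puts the access point's pre-shared key into a version-controlled pillar file, and it is the same value the removed `wifipass` key in `network.sls` carried, so every unit built from this repository shares a passphrase that is readable in the repository history. If I read Salt's pillar merge order correctly, `top.sls` lists `local` after `hostapd`, so a `hostapd:` block with `wpa_passphrase` in the untracked `local.sls` would take precedence; I would keep only a labelled placeholder here, e.g. `wpa_passphrase: CHANGE-ME-SET-IN-local.sls`, so a unit cannot come up with the published default. A one-line comment in this file, `# real wpa_passphrase belongs in the untracked local.sls`, would tell the next maintainer where the secret is meant to live.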
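Review bot: Adding the wireless interface to the internal zone probably does not match the new topology: `hostapd.conf.jinja` enslaves the wireless interface to the bridge and `hostapd/init.sls` puts the internal address on the bridge connection, so IP traffic from wireless (and bridged wired) clients is seen on the bridge interface, which this `interfaces` list does not contain. I would add `- {{ pillar['network']['interface']['bridge'] }}` next to the new wireless entry. Be aware that for NetworkManager-managed connections firewalld takes an interface's zone from the connection profile, so the bridge profile created with `nmcli connection add` may additionally need `connection.zone` set to this zone — worth confirming on a unit. The state continues outside the hunk.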
@@ -0,0 +1,16 @@
+country_code={{ pillar['hostapd']['country_code'] }}
+interface={{ pillar['network']['interface']['wireless'] }}
+bridge={{ pillar['network']['interface']['bridge'] }}
+ssid={{ pillar['hostapd']['ssid'] }}
+hw_mode=g
+channel={{ pillar['hostapd']['channel'] }}
+macaddr_acl=0
+auth_algs=1
+ignore_broadcast_ssid=0
+wpa=2
+wpa_passphrase={{ pillar['hostapd']['wpa_passphrase'] }}
+wpa_key_mgmt=WPA-PSK
+wpa_pairwise=TKIP
+rsn_pairwise=CCMP
+own_ip_addr={{ pillar['network']['ip'] }}
+wpa_group_rekey=86400
diff --git a/salt/states/hostapd/init.sls b/salt/states/hostapd/init.sls
new file mode 100644
index 0000000..bf875fd
--- /dev/null
+++ b/salt/states/hostapd/init.sls
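Review bot: `wpa_pairwise=TKIP` is out of place: with `wpa=2` only RSN/WPA2 is negotiated and `rsn_pairwise=CCMP` governs that, so the TKIP line is inert today but reads as if TKIP were offered and would become live if `wpa` were ever changed; drop it or set `wpa_pairwise=CCMP`. The rendered file carries the PSK in clear, which is acceptable only because `hostapd/init.sls` installs it root-owned with mode 0600 — a first line `# rendered with the WPA passphrase; must stay root:root 0600` would record that dependency in the template itself. Since the AP is now WPA2-only, `ieee80211w=1` (management-frame protection, optional mode) is a cheap hardening that does not lock out clients without PMF support.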
@@ -0,0 +1,46 @@
+Set {{ pillar['network']['interface']['wireless'] }} to not be managed by NetworkManager:
+ cmd.run:
+ - name: nmcli device set {{ pillar['network']['interface']['wireless'] }} managed no
+ - unless: bash -c "if [[ \"$(nmcli device show {{ pillar['network']['interface']['wireless'] }} | sed -n 's/^GENERAL.STATE.*(\(.*\)).*$/\1/p')\" == \"unmanaged\" ]]; then exit 0; else exit 1; fi"
+
+Delete {{ pillar['network']['interface']['internal'] }} connection:
+ cmd.run:
+ - name: nmcli connection delete {{ pillar['network']['interface']['internal'] }}
+ - unless: nmcli connection show {{ pillar['network']['interface']['internal'] }} > /dev/null
+
+Install hostapd:
+ pkg.installed:
+ - name: hostapd
+
+Configure hostapd:
+ file.managed:
+ - name: /etc/hostapd.conf
+ - source: salt://hostapd/files/hostapd.conf.jinja
+ - template: jinja
+ - user: root
+ - group: root
+ - mode: "0600"
+
+Start hostapd:
+ service.running:
+ - name: hostapd
+ - enable: True
+ - watch:
+ - file: Configure hostapd
+
+Set {{ pillar['network']['interface']['bridge'] }} to be managed by NetworkManager:
+ cmd.run:
+ - name: nmcli device set {{ pillar['network']['interface']['bridge'] }} managed yes
+ - unless: bash -c "if [[ \"$(nmcli device show {{ pillar['network']['interface']['bridge'] }} | sed -n 's/^GENERAL.STATE.*(\(.*\)).*$/\1/p')\" == \"unmanaged\" ]]; then exit 1; else exit 0; fi"
+
+Configure {{ pillar['network']['interface']['bridge'] }} connection:
+ cmd.run:
+ - name: nmcli connection add con-name {{ pillar['network']['interface']['bridge'] }} type bridge ifname {{ pillar['network']['interface']['bridge'] }} ipv4.method manual ipv4.addresses {{ pillar['network']['ip'] }}/{{ pillar['network']['netmask'] }} ipv4.dns "127.0.0.1, 1.1.1.1, 1.1.1.2" ipv6.method disabled connection.autoconnect yes stp no
+ - unless: nmcli connection show {{ pillar['network']['interface']['bridge'] }} > /dev/null
+
+Add {{ pillar['network']['interface']['internal'] }} to bridge {{ pillar['network']['interface']['bridge'] }}:
+ cmd.run:
+ - name: nmcli connection add con-name {{ pillar['network']['interface']['bridge'] }}-{{ pillar['network']['interface']['internal'] }} ifname {{ pillar['network']['interface']['internal'] }} type bridge-slave master {{ pillar['network']['interface']['bridge'] }} connection.autoconnect yes
+ - unless: nmcli connection show {{ pillar['network']['interface']['bridge'] }}-{{ pillar['network']['interface']['internal'] }} > /dev/null
+
+
diff --git a/update.sh b/update.sh
index 844f45f..0edcc94 100755
--- a/update.sh
+++ b/update.sh
@@ -9,7 +9,7 @@ function printHelp(){
 cat << EOF
 Usage ${0##*/} [options..]
 -h,-?, --help Show help and exit
--N, --network configure network settings
+-N, --network-vlan configure network settings
 -s, --salt run a masterless salt-call
 -y, --yes answer 'yes' on all questions
 -i, --image-load pull images so they hits the local proxy
@@ -103,7 +103,7 @@ function do_salt_call(){
 $salt state.apply pillar="{username: $USER}"
 }
-function configure_network(){
+function configure_network_vlan(){
 new_log "Configure network"
 if asktobreak; then
 return
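Review bot: The guard on `Delete … connection` is inverted: `nmcli connection show <internal> > /dev/null` exits 0 exactly when the profile exists, so `unless` makes Salt skip the delete when there is something to delete and run it (and fail) when there is not; it should read `- onlyif: nmcli connection show {{ pillar['network']['interface']['internal'] }} > /dev/null`. The `unless` guards on the two `connection add` states are correct, since there a zero exit means the profile is already present. Separately, on a fresh apply `Start hostapd` runs before `Configure … connection` creates the bridge while the rendered config already says `bridge=`, so hostapd's attempt to enslave the wireless interface into a bridge that does not exist yet is likely to fail on the first run; adding `- require:` / `- cmd: Configure {{ pillar['network']['interface']['bridge'] }} connection` to `Start hostapd` (or moving the bridge states above it) would fix the ordering. Finally, as far as I know `nmcli device set … managed no` is a runtime setting that does not survive a NetworkManager restart or reboot, so the hand-off of the wireless interface to hostapd would be more robust as a `file.managed` drop-in under `/etc/NetworkManager/conf.d/` with `[keyfile]` and `unmanaged-devices=interface-name:{{ pillar['network']['interface']['wireless'] }}`.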
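Review bot: The help entry is renamed to `--network-vlan` but its description `configure network settings` no longer says what the option does, now that the internal-interface and wireless-AP setup has moved out of the script into the Salt `hostapd` state. I would make the description match what `configure_network_vlan` still configures (its body is only partly visible here), e.g. `-N, --network-vlan  configure the external interface`, and give the `new_log "Configure network"` message in the next hunk the same treatment so the log line and the flag agree.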
@@ -112,27 +112,6 @@ function configure_network(){
 if [[ -f salt/pillars/local.sls ]];then
 eval $(parse_yaml salt/pillars/local.sls "SALT_")
 fi
- #configure internal interface
- sudo nmcli connection modify "$SALT_network_interface_internal" ipv4.addresses "${SALT_network_ip}/${SALT_network_netmask}"
- sudo nmcli connection modify "$SALT_network_interface_internal" ipv4.dns "127.0.0.1, 1.1.1.1, 1.1.1.2"
- sudo nmcli connection modify "$SALT_network_interface_internal" ipv4.method manual
- sudo nmcli connection down "$SALT_network_interface_internal"
- sudo nmcli connection up "$SALT_network_interface_internal"
-
- #configure wireless AP
- sudo nmcli connection add type wifi ifname "$SALT_network_interface_wireless" mode ap con-name tlu-ap ssid "Transportable Lab Unit"
- sudo nmcli connection modify tlu-ap 802-11-wireless.band bg
- sudo nmcli connection modify tlu-ap 802-11-wireless.channel 6
- sudo nmcli connection modify tlu-ap 802-11-wireless-security.key-mgmt wpa-psk
- sudo nmcli connection modify tlu-ap 802-11-wireless-security.proto rsn
- sudo nmcli connection modify tlu-ap 802-11-wireless-security.group ccmp
- sudo nmcli connection modify tlu-ap 802-11-wireless-security.pairwise ccmp
- sudo nmcli connection modify tlu-ap 802-11-wireless-security.psk "$SALT_network_wifipass"
- sudo nmcli connection modify tlu-ap ipv4.addr "${SALT_network_ap}/${SALT_network_netmask}"
- sudo nmcli connection modify tlu-ap ipv4.gateway "${SALT_network_ip}"
- sudo nmcli connection modify tlu-ap ipv4.dns "${SALT_network_ip}"
- sudo nmcli connection modify tlu-ap ipv4.method manual
- sudo nmcli connection up tlu-ap
 #configure external interface
 sudo nmcli connection modify "$SALT_network_interface_external" ipv4.method auto
@@ -325,7 +304,7 @@ function airgap(){
 #initialize all options
 ALL=true
 SALT=false
-NETWORK=false
+NETWORK_VLAN=false
 ANSWER_YES=false
 RMT_SYNC=false
 RMT_MIRROR=false
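Review bot: Removing the `tlu-ap` block leaves the NetworkManager profile it created on already-deployed units in place, together with the PSK stored in its keyfile under `/etc/NetworkManager/system-connections/`, and nothing in the new `hostapd` state deletes it; on such units that profile might still claim the wireless interface until the unmanaged setting takes effect. I would add a cleanup state to `hostapd/init.sls`, `nmcli connection delete tlu-ap` guarded by `- onlyif: nmcli connection show tlu-ap > /dev/null`, or run the same delete here before the external-interface section for one migration cycle. `configure_network` continues outside this hunk.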
@@ -344,8 +323,8 @@ while :; do
 SALT=true
 ALL=false
 ;;
- -N|--network)
- NETWORK=true
+ -N|--network-vlan)
+ NETWORK_VLAN=true
 ALL=false
 ;;
 -y|--yes)
@@ -393,7 +372,7 @@ for cmd in git salt-minion curl;do
 check_prerequisites "$cmd"
 done
-[[ $ALL == true ]] || [[ $NETWORK == true ]] && configure_network
+[[ $ALL == true ]] || [[ $NETWORK_VLAN == true ]] && configure_network_vlan
 [[ $ALL == true ]] || [[ $SALT == true ]] && do_salt_call
 [[ $ALL == true ]] || [[ $RMT_SYNC == true ]] && rmt_sync
 [[ $ALL == true ]] || [[ $RMT_ENABLE_PRODUCTS == true ]] && rmt_enable_products