diff --git a/README.md b/README.md
index e1f78dff..0c01357a 100644
--- a/README.md
+++ b/README.md
@@ -1,5 +1,5 @@ ![](https://i.imgur.com/xeKD93p.png) -[![Release 2.3](https://img.shields.io/badge/Release-2.3-green.svg)](https://github.com/billz/raspap-webgui/releases) [![Awesome](https://awesome.re/badge.svg)](https://github.com/thibmaek/awesome-raspberry-pi) [![Financial Contributors on Open Collective](https://opencollective.com/raspap/all/badge.svg?label=financial+contributors)](https://opencollective.com/raspap) ![https://travis-ci.com/billz/raspap-webgui/](https://img.shields.io/travis/com/billz/raspap-webgui/master) [![Twitter URL](https://img.shields.io/twitter/url?label=%40RaspAP&logoColor=%23d8224c&url=https%3A%2F%2Ftwitter.com%2Frasp_ap)](https://twitter.com/rasp_ap) [![Subreddit subscribers](https://img.shields.io/reddit/subreddit-subscribers/RaspAP?style=social)](https://www.reddit.com/r/RaspAP/) +[![Release 2.3.1](https://img.shields.io/badge/Release-2.3.1-green.svg)](https://github.com/billz/raspap-webgui/releases) [![Awesome](https://awesome.re/badge.svg)](https://github.com/thibmaek/awesome-raspberry-pi) [![Financial Contributors on Open Collective](https://opencollective.com/raspap/all/badge.svg?label=financial+contributors)](https://opencollective.com/raspap) ![https://travis-ci.com/billz/raspap-webgui/](https://img.shields.io/travis/com/billz/raspap-webgui/master) [![Twitter URL](https://img.shields.io/twitter/url?label=%40RaspAP&logoColor=%23d8224c&url=https%3A%2F%2Ftwitter.com%2Frasp_ap)](https://twitter.com/rasp_ap) [![Subreddit subscribers](https://img.shields.io/reddit/subreddit-subscribers/RaspAP?style=social)](https://www.reddit.com/r/RaspAP/) RaspAP lets you quickly get a WiFi access point up and running to share the internet connectivity of a Raspberry Pi. Our famous [Quick installer](#quick-installer) creates a known-good default configuration that "just works" on all current Raspberry Pis with onboard wireless. A handsome responsive interface gives you control over the relevant services and networking options. 
OpenVPN client support, SSL, security audits, themes and multilingual options round out the package. @@ -21,6 +21,7 @@ We hope you enjoy using RaspAP as much as we do creating it. Tell us how you use - [Support us](#support-us) - [Manual installation](#manual-installation) - [802.11ac 5GHz support](#80211ac-5ghz-support) + - [Supported operating systems](#supported-operating-systems) - [Multilingual support](#multilingual-support) - [HTTPS support](#https-support) - [OpenVPN support](#openvpn-support) 
@@ -86,6 +87,20 @@ Detailed manual setup instructions are provided [on our wiki](https://github.com ## 802.11ac 5GHz support RaspAP provides an 802.11ac wireless mode option for supported hardware (currently the RPi 3B+/4) and wireless regulatory domains. See [this FAQ](https://github.com/billz/raspap-webgui/wiki/FAQs#80211ac) for more information. +## Supported operating systems +RaspAP was originally made for Raspbian, but now also installs on the following Debian-based distros. + +| Distribution | Release | Architecture | Support | +|---|:---:|:---:|:---:| +| Raspbian | Buster | ARM | Official | +| Armbian | Buster | [ARM](https://docs.armbian.com/#supported-chips) | Official | +| Debian | Buster | ARM / x86_64 | Beta | +| Ubuntu | 18.04 LTS / 19.10 | ARM / x86_64 | Beta | + +![](https://i.imgur.com/luiyYNw.png) + +We find Armbian particularly well-suited for this project. Please note that "supported" is not a guarantee. If you are able to improve support for your preferred distro, we encourage you to [actively contribute](#how-to-contribute) to the project. + ## Multilingual support RaspAP uses [GNU Gettext](https://www.gnu.org/software/gettext/) to manage multilingual messages. In order to use RaspAP with one of our supported translations, you must configure a corresponding language package on your RPi. To list languages currently installed on your system, use `locale -a` at the shell prompt. To generate new locales, run `sudo dpkg-reconfigure locales` and select any other desired locales. Details are provided on our [wiki](https://github.com/billz/raspap-webgui/wiki/Translations#raspap-in-your-language). diff --git a/config/config.php b/config/config.php index df525a7c..ef853bd8 100755 --- a/config/config.php +++ b/config/config.php @@ -1,6 +1,6 @@ '2.3', + 'RASPI_VERSION' => '2.3.1', 'RASPI_CONFIG_NETWORKING' => RASPI_CONFIG.'/networking', 'RASPI_ADMIN_DETAILS' => RASPI_CONFIG.'/raspap.auth', 'RASPI_WIFI_CLIENT_INTERFACE' => 'wlan0', 
@@ -33,7 +33,7 @@ $defaults = [ 'RASPI_HOTSPOT_ENABLED' => true, 'RASPI_NETWORK_ENABLED' => true, 'RASPI_DHCP_ENABLED' => true, - 'RASPI_ADBLOCK_ENABLED' => true, + 'RASPI_ADBLOCK_ENABLED' => false, 'RASPI_OPENVPN_ENABLED' => false, 'RASPI_TORPROXY_ENABLED' => false, 'RASPI_CONFAUTH_ENABLED' => true, diff --git a/index.php b/index.php index 7dcdacb8..247baed4 100755 --- a/index.php +++ b/index.php @@ -13,7 +13,7 @@ * @author Lawrence Yau * @author Bill Zimmerman * @license GNU General Public License, version 3 (GPL-3.0) - * @version 2.3 + * @version 2.3.1 * @link https://github.com/billz/raspap-webgui * @see http://sirlagz.net/2013/02/08/raspap-webgui/ */ diff --git a/installers/common.sh b/installers/common.sh index 2ef4370f..cf3ec8f7 100755 --- a/installers/common.sh +++ b/installers/common.sh 
@@ -1,54 +1,48 @@ #!/bin/bash # -# RaspAP installation functions. -# author: @billz -# license: GNU General Public License v3.0 +# RaspAP installation functions +# Author: @billz +# License: GNU General Public License v3.0 +# +# You are not obligated to bundle the LICENSE file with your RaspAP projects as long +# as you leave these references intact in the header comments of your source files. -raspap_dir="/etc/raspap" -raspap_user="www-data" +# Exit on error +set -o errexit +# Exit on error inside functions +set -o errtrace +# Turn on traces, disabled by default +# set -o xtrace + +# Set defaults +readonly raspap_dir="/etc/raspap" +readonly raspap_user="www-data" +readonly raspap_sudoers="/etc/sudoers.d/090_raspap" +readonly raspap_dnsmasq="/etc/dnsmasq.d/090_raspap.conf" +readonly raspap_sysctl="/etc/sysctl.d/90_raspap.conf" +readonly rulesv4="/etc/iptables/rules.v4" webroot_dir="/var/www/html" -version=`sed 's/\..*//' /etc/debian_version` git_source_url="https://github.com/$repo" # $repo from install.raspap.com -# Determine Raspbian version, set default home location for lighttpd and -# php package to install -if [ "$version" -eq "10" ]; then - version_msg="Raspbian 10.0 (Buster)" - php_package="php7.3-cgi" -elif [ "$version" -eq "9" ]; then - version_msg="Raspbian 9.0 (Stretch)" - php_package="php7.0-cgi" -elif [ "$version" -eq "8" ]; then - install_error "Raspbian 8.0 (Jessie) and php5 are deprecated. Please upgrade." -elif [ "$version" -lt "8" ]; then - install_error "Raspbian ${version} is unsupported. Please upgrade." 
-fi +# NOTE: all the below functions are overloadable for system-specific installs -phpcgiconf="" -if [ "$php_package" = "php7.3-cgi" ]; then - phpcgiconf="/etc/php/7.3/cgi/php.ini" -elif [ "$php_package" = "php7.0-cgi" ]; then - phpcgiconf="/etc/php/7.0/cgi/php.ini" -fi - -### NOTE: all the below functions are overloadable for system-specific installs - -# Prompts user to set options for installation -function config_installation() { - install_log "Configure installation" - echo "Detected ${version_msg}" +# Prompts user to set installation options +function _config_installation() { + _install_log "Configure installation" + _get_linux_distro + echo "Detected OS: ${DESC}" + echo "Using GitHub repository: ${repo} ${branch} branch" echo "Install directory: ${raspap_dir}" - echo -n "Install to Lighttpd root directory: ${webroot_dir}? [Y/n]: " + echo -n "Install to lighttpd root: ${webroot_dir}? [Y/n]: " if [ "$assume_yes" == 0 ]; then read answer < /dev/tty if [ "$answer" != "${answer#[Nn]}" ]; then - read -e -p < /dev/tty "Enter alternate Lighttpd directory: " -i "/var/www/html" webroot_dir + read -e -p < /dev/tty "Enter alternate lighttpd directory: " -i "/var/www/html" webroot_dir fi else echo -e fi - echo "Install to Lighttpd directory: ${webroot_dir}" - + echo "Installing to lighttpd directory: ${webroot_dir}" echo -n "Complete installation with these values? [Y/n]: " if [ "$assume_yes" == 0 ]; then read answer < /dev/tty 
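Review bot: The comment `# Exit on error inside functions` above `set -o errtrace` does not describe what the option does. errtrace only makes functions, command substitutions and subshells inherit an ERR trap, and no `trap ... ERR` is set in this hunk, so the line has no visible effect here. Either drop it or reword the comment to `# Inherit the ERR trap in functions and subshells` and add the trap it is meant to serve; the same comment and option are added to installers/configauth.sh further down. If this file is sourced by the installer, as the "overloadable" note suggests, `set -o errexit` also changes the caller's shell, which the header comment should state. `_config_installation` continues past the end of this hunk.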
@@ -61,132 +55,230 @@ function config_installation() { fi } +# Determines host Linux distrubtion details +function _get_linux_distro() { + if type lsb_release >/dev/null 2>&1; then # linuxbase.org + OS=$(lsb_release -si) + RELEASE=$(lsb_release -sr) + CODENAME=$(lsb_release -sc) + DESC=$(lsb_release -sd) + elif [ -f /etc/os-release ]; then # freedesktop.org + . /etc/os-release + OS=$ID + RELEASE=$VERSION_ID + CODENAME=$VERSION_CODENAME + DESC=$PRETTY_NAME + else + _install_error "Unsupported Linux distribution" + fi +} + +# Sets php package option based on Linux version, abort if unsupported distro +function _set_php_package() { + case $RELEASE in + "18.04"|"19.10") # Ubuntu Server + php_package="php7.4-cgi" + phpcgiconf="/etc/php/7.4/cgi/php.ini" ;; + "10") + php_package="php7.3-cgi" + phpcgiconf="/etc/php/7.3/cgi/php.ini" ;; + "9") + php_package="php7.0-cgi" + phpcgiconf="/etc/php/7.0/cgi/php.ini" ;; + "8") + _install_error "${DESC} and php5 are not supported. Please upgrade." ;; + *) + _install_error "${DESC} is unsupported. Please install on a supported distro." 
;; + esac +} + # Runs a system software update to make sure we're using all fresh packages -function install_dependencies() { - install_log "Installing required packages" - sudo apt-get install $apt_option lighttpd $php_package git hostapd dnsmasq vnstat qrencode || install_error "Unable to install dependencies" +function _install_dependencies() { + _install_log "Installing required packages" + _set_php_package + if [ "$php_package" = "php7.4-cgi" ]; then + echo "Adding apt-repository ppa:ondrej/php" + sudo apt-get install software-properties-common || _install_error "Unable to install dependency" + sudo add-apt-repository ppa:ondrej/php || _install_error "Unable to add-apt-repository ppa:ondrej/php" + fi + if [ ${OS,,} = "debian" ] || [ ${OS,,} = "ubuntu" ]; then + dhcpcd_package="dhcpcd5" + fi + # Set dconf-set-selections + echo iptables-persistent iptables-persistent/autosave_v4 boolean true | sudo debconf-set-selections + echo iptables-persistent iptables-persistent/autosave_v6 boolean true | sudo debconf-set-selections + sudo apt-get install $apt_option lighttpd git hostapd dnsmasq iptables-persistent $php_package $dhcpcd_package vnstat qrencode || _install_error "Unable to install dependencies" } # Enables PHP for lighttpd and restarts service for settings to take effect -function enable_php_lighttpd() { - install_log "Enabling PHP for lighttpd" - +function _enable_php_lighttpd() { + _install_log "Enabling PHP for lighttpd" sudo lighttpd-enable-mod fastcgi-php sudo service lighttpd force-reload - sudo systemctl restart lighttpd.service || install_error "Unable to restart lighttpd" + sudo systemctl restart lighttpd.service || _install_error "Unable to restart lighttpd" } # Verifies existence and permissions of RaspAP directory -function create_raspap_directories() { - install_log "Creating RaspAP directories" +function _create_raspap_directories() { + _install_log "Creating RaspAP directories" if [ -d "$raspap_dir" ]; then - sudo mv $raspap_dir 
"$raspap_dir.`date +%F-%R`" || install_error "Unable to move old '$raspap_dir' out of the way" + sudo mv $raspap_dir "$raspap_dir.`date +%F-%R`" || _install_error "Unable to move old '$raspap_dir' out of the way" fi - sudo mkdir -p "$raspap_dir" || install_error "Unable to create directory '$raspap_dir'" + sudo mkdir -p "$raspap_dir" || _install_error "Unable to create directory '$raspap_dir'" # Create a directory for existing file backups. sudo mkdir -p "$raspap_dir/backups" # Create a directory to store networking configs + echo "Creating $raspap_dir/networking" sudo mkdir -p "$raspap_dir/networking" # Copy existing dhcpcd.conf to use as base config - cat /etc/dhcpcd.conf | sudo tee -a /etc/raspap/networking/defaults - - sudo chown -R $raspap_user:$raspap_user "$raspap_dir" || install_error "Unable to change file ownership for '$raspap_dir'" + echo "Adding /etc/dhcpcd.conf as base configuration" + cat /etc/dhcpcd.conf | sudo tee -a /etc/raspap/networking/defaults > /dev/null + echo "Changing file ownership of $raspap_dir" + sudo chown -R $raspap_user:$raspap_user "$raspap_dir" || _install_error "Unable to change file ownership for '$raspap_dir'" } # Generate hostapd logging and service control scripts -function create_hostapd_scripts() { - install_log "Creating hostapd logging & control scripts" - sudo mkdir $raspap_dir/hostapd || install_error "Unable to create directory '$raspap_dir/hostapd'" +function _create_hostapd_scripts() { + _install_log "Creating hostapd logging & control scripts" + sudo mkdir $raspap_dir/hostapd || _install_error "Unable to create directory '$raspap_dir/hostapd'" # Move logging shell scripts - sudo cp "$webroot_dir/installers/"*log.sh "$raspap_dir/hostapd" || install_error "Unable to move logging scripts" + sudo cp "$webroot_dir/installers/"*log.sh "$raspap_dir/hostapd" || _install_error "Unable to move logging scripts" # Move service control shell scripts - sudo cp "$webroot_dir/installers/"service*.sh "$raspap_dir/hostapd" || 
install_error "Unable to move service control scripts" + sudo cp "$webroot_dir/installers/"service*.sh "$raspap_dir/hostapd" || _install_error "Unable to move service control scripts" # Make enablelog.sh and disablelog.sh not writable by www-data group. - sudo chown -c root:"$raspap_user" "$raspap_dir/hostapd/"*.sh || install_error "Unable change owner and/or group" - sudo chmod 750 "$raspap_dir/hostapd/"*.sh || install_error "Unable to change file permissions" + sudo chown -c root:"$raspap_user" "$raspap_dir/hostapd/"*.sh || _install_error "Unable change owner and/or group" + sudo chmod 750 "$raspap_dir/hostapd/"*.sh || _install_error "Unable to change file permissions" } # Generate lighttpd service control scripts -function create_lighttpd_scripts() { - install_log "Creating lighttpd control scripts" - sudo mkdir $raspap_dir/lighttpd || install_error "Unable to create directory '$raspap_dir/lighttpd" +function _create_lighttpd_scripts() { + _install_log "Creating lighttpd control scripts" + sudo mkdir $raspap_dir/lighttpd || _install_error "Unable to create directory '$raspap_dir/lighttpd" # Move service control shell scripts - sudo cp "$webroot_dir/installers/"configport.sh "$raspap_dir/lighttpd" || install_error "Unable to move service control scripts" + sudo cp "$webroot_dir/installers/"configport.sh "$raspap_dir/lighttpd" || _install_error "Unable to move service control scripts" # Make configport.sh writable by www-data group - sudo chown -c root:"$raspap_user" "$raspap_dir/lighttpd/"*.sh || install_error "Unable change owner and/or group" - sudo chmod 750 "$raspap_dir/lighttpd/"*.sh || install_error "Unable to change file permissions" + sudo chown -c root:"$raspap_user" "$raspap_dir/lighttpd/"*.sh || _install_error "Unable change owner and/or group" + sudo chmod 750 "$raspap_dir/lighttpd/"*.sh || _install_error "Unable to change file permissions" +} + +# Prompt to install adblock +function _prompt_install_adblock() { + if [ "$install_adblock" == 1 ]; then + 
_install_log "Configure ad blocking (Beta)" + echo -n "Download blocklists and enable ad blocking? [Y/n]: " + if [ "$assume_yes" == 0 ]; then + read answer < /dev/tty + if [ "$answer" != "${answer#[Nn]}" ]; then + echo -e + else + _install_adblock + fi + fi + fi +} + +# Download notracking adblock lists and enable option +function _install_adblock() { + _install_log "Creating ad block base configuration (Beta)" + notracking_url="https://raw.githubusercontent.com/notracking/hosts-blocklists/master/" + if [ ! -d "$raspap_dir/adblock" ]; then + echo "Creating $raspap_dir/adblock" + sudo mkdir -p "$raspap_dir/adblock" + fi + if [ ! -f /tmp/hostnames.txt ]; then + echo "Fetching latest hostnames list" + wget ${notracking_url}hostnames.txt -O /tmp/hostnames.txt || _install_error "Unable to download notracking hostnames" + fi + if [ ! -f /tmp/domains.txt ]; then + echo "Fetching latest domains list" + wget ${notracking_url}domains.txt -O /tmp/domains.txt || _install_error "Unable to download notracking domains" + fi + echo "Adding blocklists to $raspap_dir/adblock" + sudo cp /tmp/hostnames.txt $raspap_dir/adblock || _install_error "Unable to move notracking hostnames" + sudo cp /tmp/domains.txt $raspap_dir/adblock || _install_error "Unable to move notracking domains" + + echo "Moving and setting permissions for blocklist update script" + sudo cp "$webroot_dir/installers/"update_blocklist.sh "$raspap_dir/adblock" || _install_error "Unable to move blocklist update script" + + # Make blocklists and update script writable by www-data group + sudo chown -c root:"$raspap_user" "$raspap_dir/adblock/"*.* || _install_error "Unable to change owner/group" + sudo chmod 750 "$raspap_dir/adblock/"*.sh || install_error "Unable to change file permissions" + + echo "Enabling ad blocking management option" + sudo sed -i "s/\('RASPI_ADBLOCK_ENABLED', \)false/\1true/g" "$webroot_dir/includes/config.php" || _install_error "Unable to modify config.php" + echo "Done." 
} # Prompt to install openvpn -function prompt_install_openvpn() { - install_log "Setting up OpenVPN support (beta)" +function _prompt_install_openvpn() { + _install_log "Setting up OpenVPN support" echo -n "Install OpenVPN and enable client configuration? [Y/n]: " if [ "$assume_yes" == 0 ]; then read answer < /dev/tty if [ "$answer" != "${answer#[Nn]}" ]; then echo -e else - install_openvpn + _install_openvpn fi elif [ "$ovpn_option" == 1 ]; then - install_openvpn + _install_openvpn fi } # Install openvpn and enable client configuration option -function install_openvpn() { - install_log "Installing OpenVPN and enabling client configuration" - sudo apt-get install -y openvpn || install_error "Unable to install openvpn" - sudo sed -i "s/\('RASPI_OPENVPN_ENABLED', \)false/\1true/g" "$webroot_dir/includes/config.php" || install_error "Unable to modify config.php" +function _install_openvpn() { + _install_log "Installing OpenVPN and enabling client configuration" + sudo apt-get install -y openvpn || _install_error "Unable to install openvpn" + sudo sed -i "s/\('RASPI_OPENVPN_ENABLED', \)false/\1true/g" "$webroot_dir/includes/config.php" || _install_error "Unable to modify config.php" echo "Enabling openvpn-client service on boot" - sudo systemctl enable openvpn-client@client || install_error "Unable to enable openvpn-client daemon" - create_openvpn_scripts || install_error "Unable to create openvpn control scripts" + sudo systemctl enable openvpn-client@client || _install_error "Unable to enable openvpn-client daemon" + _create_openvpn_scripts || _install_error "Unable to create openvpn control scripts" } # Generate openvpn logging and auth control scripts -function create_openvpn_scripts() { - install_log "Creating OpenVPN control scripts" - sudo mkdir $raspap_dir/openvpn || install_error "Unable to create directory '$raspap_dir/openvpn'" +function _create_openvpn_scripts() { + _install_log "Creating OpenVPN control scripts" + sudo mkdir $raspap_dir/openvpn || 
_install_error "Unable to create directory '$raspap_dir/openvpn'" # Move service auth control shell scripts - sudo cp "$webroot_dir/installers/"configauth.sh "$raspap_dir/openvpn" || install_error "Unable to move auth control script" + sudo cp "$webroot_dir/installers/"configauth.sh "$raspap_dir/openvpn" || _install_error "Unable to move auth control script" # Make configauth.sh writable by www-data group - sudo chown -c root:"$raspap_user" "$raspap_dir/openvpn/"*.sh || install_error "Unable change owner and/or group" - sudo chmod 750 "$raspap_dir/openvpn/"*.sh || install_error "Unable to change file permissions" + sudo chown -c root:"$raspap_user" "$raspap_dir/openvpn/"*.sh || _install_error "Unable change owner and/or group" + sudo chmod 750 "$raspap_dir/openvpn/"*.sh || _install_error "Unable to change file permissions" } # Fetches latest files from github to webroot -function download_latest_files() { +function _download_latest_files() { if [ ! -d "$webroot_dir" ]; then - sudo mkdir -p $webroot_dir || install_error "Unable to create new webroot directory" + sudo mkdir -p $webroot_dir || _install_error "Unable to create new webroot directory" fi if [ -d "$webroot_dir" ]; then - sudo mv $webroot_dir "$webroot_dir.`date +%F-%R`" || install_error "Unable to remove old webroot directory" + sudo mv $webroot_dir "$webroot_dir.`date +%F-%R`" || _install_error "Unable to remove old webroot directory" fi - install_log "Cloning latest files from github" - git clone --branch $branch --depth 1 $git_source_url /tmp/raspap-webgui || install_error "Unable to download files from github" + _install_log "Cloning latest files from github" + git clone --branch $branch --depth 1 $git_source_url /tmp/raspap-webgui || _install_error "Unable to download files from github" - sudo mv /tmp/raspap-webgui $webroot_dir || install_error "Unable to move raspap-webgui to web root" + sudo mv /tmp/raspap-webgui $webroot_dir || _install_error "Unable to move raspap-webgui to web root" } # Sets 
files ownership in web root directory -function change_file_ownership() { +function _change_file_ownership() { if [ ! -d "$webroot_dir" ]; then - install_error "Web root directory doesn't exist" + _install_error "Web root directory doesn't exist" fi - install_log "Changing file ownership in web root directory" - sudo chown -R $raspap_user:$raspap_user "$webroot_dir" || install_error "Unable to change file ownership for '$webroot_dir'" + _install_log "Changing file ownership in web root directory" + sudo chown -R $raspap_user:$raspap_user "$webroot_dir" || _install_error "Unable to change file ownership for '$webroot_dir'" } -# Check for existing /etc/network/interfaces and /etc/hostapd/hostapd.conf files -function check_for_old_configs() { +# Check for existing configuration files +function _check_for_old_configs() { if [ -f /etc/network/interfaces ]; then sudo cp /etc/network/interfaces "$raspap_dir/backups/interfaces.`date +%F-%R`" sudo ln -sf "$raspap_dir/backups/interfaces.`date +%F-%R`" "$raspap_dir/backups/interfaces" @@ -197,8 +289,8 @@ function check_for_old_configs() { sudo ln -sf "$raspap_dir/backups/hostapd.conf.`date +%F-%R`" "$raspap_dir/backups/hostapd.conf" fi - if [ -f /etc/dnsmasq.conf ]; then - sudo cp /etc/dnsmasq.conf "$raspap_dir/backups/dnsmasq.conf.`date +%F-%R`" + if [ -f $raspap_dnsmasq ]; then + sudo cp $raspap_dnsmasq "$raspap_dir/backups/dnsmasq.conf.`date +%F-%R`" sudo ln -sf "$raspap_dir/backups/dnsmasq.conf.`date +%F-%R`" "$raspap_dir/backups/dnsmasq.conf" fi @@ -207,11 +299,6 @@ function check_for_old_configs() { sudo ln -sf "$raspap_dir/backups/dhcpcd.conf.`date +%F-%R`" "$raspap_dir/backups/dhcpcd.conf" fi - if [ -f /etc/rc.local ]; then - sudo cp /etc/rc.local "$raspap_dir/backups/rc.local.`date +%F-%R`" - sudo ln -sf "$raspap_dir/backups/rc.local.`date +%F-%R`" "$raspap_dir/backups/rc.local" - fi - for file in /etc/systemd/network/raspap-*.net*; do if [ -f "${file}" ]; then filename=$(basename $file) 
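Review bot: `_install_adblock` stages the blocklists at the fixed paths `/tmp/hostnames.txt` and `/tmp/domains.txt` and skips the download when a file of that name already exists, so whatever is already sitting in the world-writable /tmp is copied into `$raspap_dir/adblock` with sudo. Download into a private `mktemp -d` directory and always fetch, as sketched below. In the same function the chmod line calls `install_error`, which this commit renames to `_install_error`, so a chmod failure would end in "command not found" instead of the intended message. The comment says the blocklists are made writable by the www-data group, but `root:www-data` with `chmod 750` on `*.sh` grants no group write, so the comment should state what is actually intended. Separately, `[ ${OS,,} = "debian" ]` in `_install_dependencies` should quote the expansion.

```shell
    # … unchanged: notracking_url and creation of $raspap_dir/adblock …
    local tmpdir
    tmpdir=$(mktemp -d) || _install_error "Unable to create temporary directory"
    echo "Fetching latest hostnames list"
    wget "${notracking_url}hostnames.txt" -O "$tmpdir/hostnames.txt" || _install_error "Unable to download notracking hostnames"
    echo "Fetching latest domains list"
    wget "${notracking_url}domains.txt" -O "$tmpdir/domains.txt" || _install_error "Unable to download notracking domains"
    echo "Adding blocklists to $raspap_dir/adblock"
    sudo cp "$tmpdir/hostnames.txt" "$tmpdir/domains.txt" "$raspap_dir/adblock" || _install_error "Unable to move notracking blocklists"
    rm -rf -- "$tmpdir"
    # … unchanged: update_blocklist.sh copy and chown …
    sudo chmod 750 "$raspap_dir/adblock/"*.sh || _install_error "Unable to change file permissions"
    # … unchanged: config.php sed and "Done." …
```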
@@ -222,58 +309,76 @@ function check_for_old_configs() { } # Move configuration file to the correct location -function move_config_file() { +function _move_config_file() { if [ ! -d "$raspap_dir" ]; then - install_error "'$raspap_dir' directory doesn't exist" + _install_error "'$raspap_dir' directory doesn't exist" fi - install_log "Moving configuration file to '$raspap_dir'" - sudo cp "$webroot_dir"/raspap.php "$raspap_dir" || install_error "Unable to move files to '$raspap_dir'" - sudo chown -R $raspap_user:$raspap_user "$raspap_dir" || install_error "Unable to change file ownership for '$raspap_dir'" + _install_log "Moving configuration file to '$raspap_dir'" + sudo cp "$webroot_dir"/raspap.php "$raspap_dir" || _install_error "Unable to move files to '$raspap_dir'" + sudo chown -R $raspap_user:$raspap_user "$raspap_dir" || _install_error "Unable to change file ownership for '$raspap_dir'" } # Set up default configuration -function default_configuration() { - install_log "Setting up hostapd" +function _default_configuration() { + _install_log "Applying default configuration to installed services" if [ -f /etc/default/hostapd ]; then - sudo mv /etc/default/hostapd /tmp/default_hostapd.old || install_error "Unable to remove old /etc/default/hostapd file" + sudo mv /etc/default/hostapd /tmp/default_hostapd.old || _install_error "Unable to remove old /etc/default/hostapd file" fi - sudo cp $webroot_dir/config/default_hostapd /etc/default/hostapd || install_error "Unable to move hostapd defaults file" - sudo cp $webroot_dir/config/hostapd.conf /etc/hostapd/hostapd.conf || install_error "Unable to move hostapd configuration file" - sudo cp $webroot_dir/config/dnsmasq.conf /etc/dnsmasq.conf || install_error "Unable to move dnsmasq configuration file" - sudo cp $webroot_dir/config/dhcpcd.conf /etc/dhcpcd.conf || install_error "Unable to move dhcpcd configuration file" + sudo cp $webroot_dir/config/default_hostapd /etc/default/hostapd || _install_error "Unable to move 
hostapd defaults file" + sudo cp $webroot_dir/config/hostapd.conf /etc/hostapd/hostapd.conf || _install_error "Unable to move hostapd configuration file" + sudo cp $webroot_dir/config/dnsmasq.conf $raspap_dnsmasq || _install_error "Unable to move dnsmasq configuration file" + sudo cp $webroot_dir/config/dhcpcd.conf /etc/dhcpcd.conf || _install_error "Unable to move dhcpcd configuration file" [ -d /etc/dnsmasq.d ] || sudo mkdir /etc/dnsmasq.d sudo systemctl stop systemd-networkd sudo systemctl disable systemd-networkd - sudo cp $webroot_dir/config/raspap-bridge-br0.netdev /etc/systemd/network/raspap-bridge-br0.netdev || install_error "Unable to move br0 netdev file" - sudo cp $webroot_dir/config/raspap-br0-member-eth0.network /etc/systemd/network/raspap-br0-member-eth0.network || install_error "Unable to move br0 member file" + sudo cp $webroot_dir/config/raspap-bridge-br0.netdev /etc/systemd/network/raspap-bridge-br0.netdev || _install_error "Unable to move br0 netdev file" + sudo cp $webroot_dir/config/raspap-br0-member-eth0.network /etc/systemd/network/raspap-br0-member-eth0.network || _install_error "Unable to move br0 member file" if [ ! -f "$webroot_dir/includes/config.php" ]; then sudo cp "$webroot_dir/config/config.php" "$webroot_dir/includes/config.php" fi +} - # Generate required lines for Rasp AP to place into rc.local file. - # #RASPAP is for removal script - lines=( - 'echo 1 > \/proc\/sys\/net\/ipv4\/ip_forward #RASPAP' - 'iptables -t nat -A POSTROUTING -j MASQUERADE #RASPAP' - 'iptables -t nat -A POSTROUTING -s 192.168.50.0\/24 ! 
-d 192.168.50.0\/24 -j MASQUERADE #RASPAP' +# Install and enable RaspAP daemon +function _enable_raspap_daemon() { + _install_log "Enabling RaspAP daemon" + echo "Disable with: sudo systemctl disable raspapd.service" + sudo cp $webroot_dir/installers/raspapd.service /lib/systemd/system/ || _install_error "Unable to move raspap.service file" + sudo systemctl daemon-reload + sudo systemctl enable raspapd.service || _install_error "Failed to enable raspap.service" +} + +# Configure IP forwarding, set IP tables rules, prompt to install RaspAP daemon +function _configure_networking() { + _install_log "Configuring networking" + echo "Enabling IP forwarding" + echo "net.ipv4.ip_forward=1" | sudo tee $raspap_sysctl > /dev/null || _install_error "Unable to set IP forwarding" + sudo sysctl -p $raspap_sysctl || _install_error "Unable to execute sysctl" + sudo /etc/init.d/procps restart || _install_error "Unable to execute procps" + + echo "Checking iptables rules" + rules=( + "-A POSTROUTING -j MASQUERADE" + "-A POSTROUTING -s 192.168.50.0/24 ! 
-d 192.168.50.0/24 -j MASQUERADE" ) - - for line in "${lines[@]}"; do - if grep "$line" /etc/rc.local > /dev/null; then - echo "$line: Line already added" + for rule in "${rules[@]}"; do + if grep -- "$rule" $rulesv4 > /dev/null; then + echo "Rule already exits: ${rule}" else - sudo sed -i "s/^exit 0$/$line\nexit 0/" /etc/rc.local - echo "Adding line $line" + rule=$(sed -e 's/^\(-A POSTROUTING\)/-t nat \1/' <<< $rule) + echo "Adding rule: ${rule}" + sudo iptables $rule || _install_error "Unable to execute iptables" + added=true fi done - - # Force a reload of new settings in /etc/rc.local - sudo systemctl restart rc-local.service - sudo systemctl daemon-reload + # Persist rules if added + if [ "$added" = true ]; then + echo "Persisting IP tables rules" + sudo iptables-save | sudo tee $rulesv4 > /dev/null || _install_error "Unable to execute iptables-save" + fi # Prompt to install RaspAP daemon echo -n "Enable RaspAP control service (Recommended)? [Y/n]: " 
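Review bot: In `_configure_networking`, `sudo iptables-save | sudo tee $rulesv4 > /dev/null || _install_error ...` replaces the whole of `/etc/iptables/rules.v4` with the live ruleset, and since only errexit and errtrace are set (no pipefail) the `||` sees only tee's status, so a failing `iptables-save` leaves an empty rules file without any error. In the lines visible here `_check_for_old_configs` backs up other configuration files but not this one. I would copy the existing rules.v4 into `$raspap_dir/backups` first and write through a temporary file, e.g. `sudo iptables-save > "$tmp" && sudo install -m 0644 "$tmp" "$rulesv4"`. The existence check `grep -- "$rule" $rulesv4` treats the rule as a regular expression (the dots in `192.168.50.0/24` match any character); `grep -qF -- "$rule" "$rulesv4"` states the intent. The function continues into the next hunk.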
@@ -282,106 +387,42 @@ function default_configuration() { if [ "$answer" != "${answer#[Nn]}" ]; then echo -e else - enable_raspap_daemon + _enable_raspap_daemon fi else echo -e - enable_raspap_daemon + _enable_raspap_daemon fi -} + } -# Install and enable RaspAP daemon -function enable_raspap_daemon() { - install_log "Enabling RaspAP daemon" - echo "Disable with: sudo systemctl disable raspap.service" - sudo cp $webroot_dir/installers/raspap.service /lib/systemd/system/ || install_error "Unable to move raspap.service file" - sudo systemctl enable raspap.service || install_error "Failed to enable raspap.service" -} +# Add sudoers file to /etc/sudoers.d/ and set file permissions +function _patch_system_files() { -# Add a single entry to the sudoers file -function sudo_add() { - sudo bash -c "echo \"$raspap_user ALL=(ALL) NOPASSWD:$1\" | (EDITOR=\"tee -a\" visudo)" \ - || install_error "Unable to patch /etc/sudoers" -} - -# Adds www-data user to the sudoers file with restrictions on what the user can execute -function patch_system_files() { - - # Set commands array - cmds=( - "/sbin/ifdown" - "/sbin/ifup" - "/bin/cat /etc/wpa_supplicant/wpa_supplicant.conf" - "/bin/cat /etc/wpa_supplicant/wpa_supplicant-wlan[0-9].conf" - "/bin/cp /tmp/wifidata /etc/wpa_supplicant/wpa_supplicant.conf" - "/bin/cp /tmp/wifidata /etc/wpa_supplicant/wpa_supplicant-wlan[0-9].conf" - "/sbin/wpa_cli -i wlan[0-9] scan_results" - "/sbin/wpa_cli -i wlan[0-9] scan" - "/sbin/wpa_cli -i wlan[0-9] reconfigure" - "/sbin/wpa_cli -i wlan[0-9] select_network" - "/bin/cp /tmp/hostapddata /etc/hostapd/hostapd.conf" - "/bin/systemctl start hostapd.service" - "/bin/systemctl stop hostapd.service" - "/bin/systemctl start dnsmasq.service" - "/bin/systemctl stop dnsmasq.service" - "/bin/systemctl start openvpn-client@client" - "/bin/systemctl enable openvpn-client@client" - "/bin/systemctl stop openvpn-client@client" - "/bin/systemctl disable openvpn-client@client" - "/bin/cp /tmp/ovpnclient.ovpn 
/etc/openvpn/client/client.conf" - "/bin/cp /tmp/authdata /etc/openvpn/client/login.conf" - "/bin/cp /tmp/dnsmasqdata /etc/dnsmasq.conf" - "/bin/cp /tmp/dhcpddata /etc/dhcpcd.conf" - "/sbin/shutdown -h now" - "/sbin/reboot" - "/sbin/ip link set wlan[0-9] down" - "/sbin/ip link set wlan[0-9] up" - "/sbin/ip -s a f label wlan[0-9]" - "/bin/cp /etc/raspap/networking/dhcpcd.conf /etc/dhcpcd.conf" - "/etc/raspap/hostapd/enablelog.sh" - "/etc/raspap/hostapd/disablelog.sh" - "/etc/raspap/hostapd/servicestart.sh" - "/etc/raspap/lighttpd/configport.sh" - "/etc/raspap/openvpn/configauth.sh" - "/bin/chmod o+r /tmp/hostapd.log" - "/bin/chmod o+r /tmp/dnsmasq.log" - ) - - # Check if sudoers needs patching - if [ $(sudo grep -c $raspap_user /etc/sudoers) -ne ${#cmds[@]} ] - then - # Sudoers file has incorrect number of commands. Wiping them out. - install_log "Cleaning system sudoers file" - sudo sed -i "/$raspap_user/d" /etc/sudoers - install_log "Patching system sudoers file" - # patch /etc/sudoers file - for cmd in "${cmds[@]}" - do - sudo_add $cmd - IFS=$'\n' - done - else - install_log "Sudoers file already patched" + # Create sudoers if not present + if [ ! -f $raspap_sudoers ]; then + _install_log "Adding raspap.sudoers to ${raspap_sudoers}" + sudo cp "$webroot_dir/installers/raspap.sudoers" $raspap_sudoers || _install_error "Unable to apply raspap.sudoers to $raspap_sudoers" + sudo chmod 0440 $raspap_sudoers || _install_error "Unable to change file permissions for $raspap_sudoers" fi # Add symlink to prevent wpa_cli cmds from breaking with multiple wlan interfaces - install_log "Symlinked wpa_supplicant hooks for multiple wlan interfaces" + _install_log "Symlinked wpa_supplicant hooks for multiple wlan interfaces" if [ ! 
-f /usr/share/dhcpcd/hooks/10-wpa_supplicant ]; then sudo ln -s /usr/share/dhcpcd/hooks/10-wpa_supplicant /etc/dhcp/dhclient-enter-hooks.d/ fi # Unmask and enable hostapd.service - install_log "Unmasking and enabling hostapd service" + _install_log "Unmasking and enabling hostapd service" sudo systemctl unmask hostapd.service sudo systemctl enable hostapd.service } # Optimize configuration of php-cgi. -function optimize_php() { - install_log "Optimize PHP configuration" +function _optimize_php() { + _install_log "Optimize PHP configuration" if [ ! -f "$phpcgiconf" ]; then - install_warning "PHP configuration could not be found." + _install_warning "PHP configuration could not be found." return fi @@ -423,15 +464,14 @@ function optimize_php() { if [ -f "/usr/sbin/phpenmod" ]; then sudo phpenmod opcache else - install_warning "phpenmod not found." + _install_warning "phpenmod not found." fi fi fi } -function install_complete() { - install_log "Installation completed!" - +function _install_complete() { + _install_log "Installation completed!" if [ "$assume_yes" == 0 ]; then # Prompt to reboot if wired ethernet (eth0) is connected. # With default_configuration this will create an active AP on restart. 
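Review bot: `_patch_system_files` now copies `raspap.sudoers` straight into `/etc/sudoers.d/090_raspap` and only afterwards sets mode 0440, whereas the removed code went through `visudo`, which checks syntax before committing. A syntax error in a sudoers.d drop-in can make sudo refuse to run, so I would validate and install in one step: `sudo visudo -cf "$webroot_dir/installers/raspap.sudoers" || _install_error "raspap.sudoers failed validation"` followed by `sudo install -o root -g root -m 0440 "$webroot_dir/installers/raspap.sudoers" "$raspap_sudoers"`. The `[ ! -f $raspap_sudoers ]` guard also means an existing drop-in is never refreshed, and the removed clean-up of `$raspap_user` lines in `/etc/sudoers` has no replacement, so on an upgraded system the old NOPASSWD entries presumably stay in place next to the new file. A short comment stating which file is authoritative would help the next maintainer.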
@@ -442,27 +482,29 @@ function install_complete() { echo "Installation reboot aborted." exit 0 fi - sudo shutdown -r now || install_error "Unable to execute shutdown" + sudo shutdown -r now || _install_error "Unable to execute shutdown" fi fi } -function install_raspap() { - display_welcome - config_installation - update_system_packages - install_dependencies - enable_php_lighttpd - create_raspap_directories - optimize_php - check_for_old_configs - download_latest_files - change_file_ownership - create_hostapd_scripts - create_lighttpd_scripts - move_config_file - default_configuration - prompt_install_openvpn - patch_system_files - install_complete +function _install_raspap() { + _display_welcome + _config_installation + _update_system_packages + _install_dependencies + _enable_php_lighttpd + _create_raspap_directories + _optimize_php + _check_for_old_configs + _download_latest_files + _change_file_ownership + _create_hostapd_scripts + _create_lighttpd_scripts + _move_config_file + _default_configuration + _configure_networking + _prompt_install_openvpn + _prompt_install_adblock + _patch_system_files + _install_complete } diff --git a/installers/configauth.sh b/installers/configauth.sh index 1300f8c3..166c657b 100755 --- a/installers/configauth.sh +++ b/installers/configauth.sh @@ -6,9 +6,17 @@ # @author billz # license: GNU General Public License v3.0 +# Exit on error +set -o errexit +# Exit on error inside functions +set -o errtrace +# Turn on traces, disabled by default +#set -o xtrace + file=$1 auth=$2 interface=$3 +readonly rulesv4="/etc/iptables/rules.v4" if [ "$auth" = 1 ]; then echo "Enabling auth-user-pass in OpenVPN client.conf" 
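Review bot: In the configauth.sh header hunk, the comment `# Exit on error inside functions` above `set -o errtrace` does not describe what that option does. errtrace only makes an ERR trap inherited by functions, command substitutions and subshells, and no ERR trap is set in the lines shown, so the option appears to have no effect here; errexit already covers commands inside functions. Either drop the line or reword the comment to `# Inherit ERR traps in functions and subshells` and add the trap it is meant to serve. The same three lines are added to mkcert.sh.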
@@ -22,26 +30,27 @@ if [ "$auth" = 1 ]; then fi fi -# Generate iptables entries to place into rc.local file. -# #RASPAP is for uninstall script -echo "Checking iptables rules for $interface" - -lines=( -"iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE #RASPAP" -"iptables -A FORWARD -i tun0 -o $interface -m state --state RELATED,ESTABLISHED -j ACCEPT #RASPAP" -"iptables -A FORWARD -i wlan0 -o tun0 -j ACCEPT #RASPAP" +# Configure NAT and forwarding with iptables +echo "Checking iptables rules" +rules=( +"-A POSTROUTING -o tun0 -j MASQUERADE" +"-A FORWARD -i tun0 -o ${interface} -m state --state RELATED,ESTABLISHED -j ACCEPT" +"-A FORWARD -i wlan0 -o tun0 -j ACCEPT" ) -for line in "${lines[@]}"; do - if grep "$line" /etc/rc.local > /dev/null; then - echo "$line: Line already added" +for rule in "${rules[@]}"; do + if grep -- "$rule" $rulesv4 > /dev/null; then + echo "Rule already exits: ${rule}" else - sudo sed -i "s/^exit 0$/$line\nexit 0/" /etc/rc.local - echo "Adding rule: $line" + rule=$(sed -e 's/^\(-A POSTROUTING\)/-t nat \1/' <<< $rule) + echo "Adding rule: ${rule}" + sudo iptables $rule + added=true fi done -# Force a reload of new settings in /etc/rc.local -sudo systemctl restart rc-local.service -sudo systemctl daemon-reload +if [ "$added" = true ]; then + echo "Persisting IP tables rules" + sudo iptables-save | sudo tee $rulesv4 > /dev/null +fi diff --git a/installers/mkcert.sh b/installers/mkcert.sh index 73487b65..f583e775 100755 --- a/installers/mkcert.sh +++ b/installers/mkcert.sh 
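Review bot: `sudo iptables $rule` expands `$rule` unquoted, and the FORWARD rule embeds `${interface}` taken straight from `$3`, so any whitespace in that argument turns into extra iptables arguments; raspap.sudoers in this commit lists configauth.sh without an argument list, which lets www-data call it with arbitrary arguments. Reject anything that is not a plain interface name before `rules=(` is built, e.g. `[[ "$interface" =~ ^[[:alnum:]]+$ ]] || { echo "Invalid interface: $interface" >&2; exit 1; }`. The duplicate check `grep -- "$rule" $rulesv4` treats the rule as a regular expression and looks only at the saved file, not the live table; `grep -qF -- "$rule" "$rulesv4"` fixes the first part. The message "Rule already exits" should read "exists".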
@@ -1,19 +1,31 @@ #!/bin/bash # # RaspAP SSL certificate installation functions -# author: @billz -# license: GNU General Public License v3.0 +# Author: @billz +# License: GNU General Public License v3.0 +# +# You are not obligated to bundle the LICENSE file with your RaspAP projects as long +# as you leave these references intact in the header comments of your source files. +# Exit on error +set -o errexit +# Exit on error inside functions +set -o errtrace +# Turn on traces, disabled by default +# set -o xtrace + +# Set defaults certname=$HOSTNAME."local" lighttpd_ssl="/etc/lighttpd/ssl" lighttpd_conf="/etc/lighttpd/lighttpd.conf" webroot_dir="/var/www/html" -mkcert_version="1.4.1" +readonly mkcert_version="1.4.1" +readonly git_source_url="https://github.com/FiloSottile/mkcert/releases/download/v${mkcert_version}" ### NOTE: all the below functions are overloadable for system-specific installs -function config_installation() { - install_log "Configure a new SSL certificate" +function _config_installation() { + _install_log "Configure a new SSL certificate" echo "Current system hostname is $HOSTNAME" echo -n "Create an SSL certificate for ${certname}? (Recommended) [y/N]" if [ $assume_yes == 0 ]; then @@ -35,10 +47,10 @@ function config_installation() { echo -e fi - install_divider + _install_divider echo "A new SSL certificate for: ${certname}" echo "will be installed to lighttpd SSL directory: ${lighttpd_ssl}" - install_divider + _install_divider echo -n "Complete installation with these values? [y/N]: " if [ $assume_yes == 0 ]; then read answer < /dev/tty 
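Review bot: The `set -o errexit` added at the top of mkcert.sh will not behave as its comment says when the file is used the way raspbian.sh uses it in this diff: the file is sourced, and the entry point is called as `_install_certificate || _install_error ...`, and bash ignores errexit for every command inside a function invoked on the left of `||`. Steps without their own `|| _install_error`, such as `sudo chmod +x /usr/local/bin/mkcert` and `cd $HOME` further down, therefore still fail silently. Because the file is sourced, the option is also set in the calling shell. I would add explicit checks to the unguarded commands and put a comment above the `set -o` lines: `# NOTE: sourced by raspbian.sh; errexit is ignored while _install_certificate runs in a || list`.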
@@ -52,43 +64,43 @@ function config_installation() { } # Installs pre-built mkcert binary for Arch Linux ARM -function install_mkcert() { - install_log "Fetching mkcert binary" - sudo wget -q https://github.com/FiloSottile/mkcert/releases/download/v${mkcert_version}/mkcert-v${mkcert_version}-linux-arm -O /usr/local/bin/mkcert || install_error "Unable to download mkcert" +function _install_mkcert() { + _install_log "Fetching mkcert binary" + sudo wget -q ${git_source_url}/mkcert-v${mkcert_version}-linux-arm -O /usr/local/bin/mkcert || _install_error "Unable to download mkcert" sudo chmod +x /usr/local/bin/mkcert - install_log "Installing mkcert" - mkcert -install || install_error "Failed to install mkcert" + _install_log "Installing mkcert" + mkcert -install || _install_error "Failed to install mkcert" } # Generate a certificate for host -function generate_certificate() { - install_log "Generating a new certificate for $certname" +function _generate_certificate() { + _install_log "Generating a new certificate for $certname" cd $HOME - mkcert $certname "*.${certname}.local" $certname || install_error "Failed to generate certificate for $certname" + mkcert $certname "*.${certname}.local" $certname || _install_error "Failed to generate certificate for $certname" - install_log "Combining private key and certificate" - cat $certname+2-key.pem $certname+2.pem > $certname.pem || install_error "Failed to combine key and certificate" + _install_log "Combining private key and certificate" + cat $certname+2-key.pem $certname+2.pem > $certname.pem || _install_error "Failed to combine key and certificate" echo "OK" } # Create a directory for the combined .pem file in lighttpd -function create_lighttpd_dir() { - install_log "Creating SLL directory for lighttpd" +function _create_lighttpd_dir() { + _install_log "Creating SLL directory for lighttpd" if [ ! 
-d "$lighttpd_ssl" ]; then - sudo mkdir -p "$lighttpd_ssl" || install_error "Failed to create lighttpd directory" + sudo mkdir -p "$lighttpd_ssl" || _install_error "Failed to create lighttpd directory" fi echo "OK" - install_log "Setting permissions and moving .pem file" - chmod 400 "$HOME/$certname".pem || install_error "Unable to set permissions for .pem file" - sudo mv "$HOME/$certname".pem /etc/lighttpd/ssl || install_error "Unable to move .pem file" + _install_log "Setting permissions and moving .pem file" + chmod 400 "$HOME/$certname".pem || _install_error "Unable to set permissions for .pem file" + sudo mv "$HOME/$certname".pem /etc/lighttpd/ssl || _install_error "Unable to move .pem file" echo "OK" } # Generate config to enable SSL in lighttpd -function configure_lighttpd() { - install_log "Configuring lighttpd for SSL" +function _configure_lighttpd() { + _install_log "Configuring lighttpd for SSL" lines=( 'server.modules += ("mod_openssl")' '$SERVER["socket"] == ":443" {' 
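Review bot: `_install_mkcert` writes the downloaded release asset straight to /usr/local/bin/mkcert as root and then runs it without checking what was received. `mkcert_version` is pinned, so a SHA-256 digest can be pinned beside it and verified before the file is installed; downloading to a `mktemp` file first also keeps a failed or partial download out of /usr/local/bin. `mkcert_sha256` in the sketch below is a placeholder for the digest of the pinned release. Separately, `_generate_certificate` creates the combined key file with the default umask and it is only restricted by `chmod 400` later in `_create_lighttpd_dir`; a `umask 077` before the `cat` would close that window.

```shell
function _install_mkcert() {
    _install_log "Fetching mkcert binary"
    local mkcert_tmp
    mkcert_tmp=$(mktemp) || _install_error "Unable to create temporary file"
    wget -q "${git_source_url}/mkcert-v${mkcert_version}-linux-arm" -O "$mkcert_tmp" || _install_error "Unable to download mkcert"
    # mkcert_sha256: placeholder, set next to mkcert_version to the digest of the pinned release
    echo "${mkcert_sha256}  ${mkcert_tmp}" | sha256sum --check --status || _install_error "mkcert checksum verification failed"
    sudo install -m 0755 "$mkcert_tmp" /usr/local/bin/mkcert || _install_error "Unable to install mkcert"
    rm -f -- "$mkcert_tmp"
    # … unchanged: _install_log "Installing mkcert" and mkcert -install …
```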
@@ -110,22 +122,22 @@ function configure_lighttpd() { } # Copy rootCA.pem to RaspAP web root -function copy_rootca() { - install_log "Copying rootCA.pem to RaspAP web root" - sudo cp ${HOME}/.local/share/mkcert/rootCA.pem ${webroot_dir} || install_error "Unable to copy rootCA.pem to ${webroot_dir}" +function _copy_rootca() { + _install_log "Copying rootCA.pem to RaspAP web root" + sudo cp ${HOME}/.local/share/mkcert/rootCA.pem ${webroot_dir} || _install_error "Unable to copy rootCA.pem to ${webroot_dir}" echo "OK" } # Restart lighttpd service -function restart_lighttpd() { - install_log "Restarting lighttpd service" - sudo systemctl restart lighttpd.service || install_error "Unable to restart lighttpd service" +function _restart_lighttpd() { + _install_log "Restarting lighttpd service" + sudo systemctl restart lighttpd.service || _install_error "Unable to restart lighttpd service" sudo systemctl status lighttpd.service } -function install_complete() { - install_log "SSL certificate install completed!" - install_divider +function _install_complete() { + _install_log "SSL certificate install completed!" + _install_divider printf '%s\n' \ "Open a browser and enter the address: http://$certname/rootCA.pem" \ "Download the root certificate to your client and add it to your system keychain." \ @@ -133,18 +145,18 @@ function install_complete() { "Finally, enter the address https://$certname in your browser." \ "Enjoy an encrypted SSL connection to RaspAP 🔒" \ "For advanced options, run mkcert -help" - install_divider + _install_divider } -function install_certificate() { - display_welcome - config_installation - install_mkcert - generate_certificate - create_lighttpd_dir - configure_lighttpd - copy_rootca - restart_lighttpd - install_complete +function _install_certificate() { + _display_welcome + _config_installation + _install_mkcert + _generate_certificate + _create_lighttpd_dir + _configure_lighttpd + _copy_rootca + _restart_lighttpd + _install_complete } 
diff --git a/installers/raspap.service b/installers/raspap.service
deleted file mode 100644
index 32430b14..00000000
--- a/installers/raspap.service
+++ /dev/null
@@ -1,10 +0,0 @@
-[Unit]
-Description=RaspAP daemon
-After=multi-user.target
-
-[Service]
-Type=idle
-ExecStart=/bin/bash /etc/raspap/hostapd/servicestart.sh --interface uap0 --seconds 3
-
-[Install]
-WantedBy=multi-user.target
diff --git a/installers/raspap.sudoers b/installers/raspap.sudoers
new file mode 100644
index 00000000..517fbdef
--- /dev/null
+++ b/installers/raspap.sudoers
@@ -0,0 +1,40 @@
+www-data ALL=(ALL) NOPASSWD:/sbin/ifdown
+www-data ALL=(ALL) NOPASSWD:/sbin/ifup
+www-data ALL=(ALL) NOPASSWD:/bin/cat /etc/wpa_supplicant/wpa_supplicant.conf
+www-data ALL=(ALL) NOPASSWD:/bin/cat /etc/wpa_supplicant/wpa_supplicant-wlan[0-9].conf
+www-data ALL=(ALL) NOPASSWD:/bin/cp /tmp/wifidata /etc/wpa_supplicant/wpa_supplicant.conf
+www-data ALL=(ALL) NOPASSWD:/bin/cp /tmp/wifidata /etc/wpa_supplicant/wpa_supplicant-wlan[0-9].conf
+www-data ALL=(ALL) NOPASSWD:/sbin/wpa_cli -i wlan[0-9] scan_results
+www-data ALL=(ALL) NOPASSWD:/sbin/wpa_cli -i wlan[0-9] scan
+www-data ALL=(ALL) NOPASSWD:/sbin/wpa_cli -i wlan[0-9] reconfigure
+www-data ALL=(ALL) NOPASSWD:/sbin/wpa_cli -i wlan[0-9] select_network
+www-data ALL=(ALL) NOPASSWD:/bin/cp /tmp/hostapddata /etc/hostapd/hostapd.conf
+www-data ALL=(ALL) NOPASSWD:/bin/systemctl start hostapd.service
+www-data ALL=(ALL) NOPASSWD:/bin/systemctl stop hostapd.service
+www-data ALL=(ALL) NOPASSWD:/bin/systemctl start dnsmasq.service
+www-data ALL=(ALL) NOPASSWD:/bin/systemctl stop dnsmasq.service
+www-data ALL=(ALL) NOPASSWD:/bin/systemctl restart dnsmasq.service
+www-data ALL=(ALL) NOPASSWD:/bin/systemctl start openvpn-client@client
+www-data ALL=(ALL) NOPASSWD:/bin/systemctl enable openvpn-client@client
+www-data ALL=(ALL) NOPASSWD:/bin/systemctl stop openvpn-client@client
+www-data ALL=(ALL) NOPASSWD:/bin/systemctl disable openvpn-client@client
+www-data ALL=(ALL) NOPASSWD:/bin/cp /tmp/ovpnclient.ovpn /etc/openvpn/client/client.conf
+www-data ALL=(ALL) NOPASSWD:/bin/cp /tmp/authdata /etc/openvpn/client/login.conf
+www-data ALL=(ALL) NOPASSWD:/bin/cp /tmp/dnsmasqdata /etc/dnsmasq.d/090_raspap.conf
+www-data ALL=(ALL) NOPASSWD:/bin/cp /tmp/dhcpddata /etc/dhcpcd.conf
+www-data ALL=(ALL) NOPASSWD:/sbin/shutdown -h now
+www-data ALL=(ALL) NOPASSWD:/sbin/reboot
+www-data ALL=(ALL) NOPASSWD:/sbin/ip link set wlan[0-9] down
+www-data ALL=(ALL) NOPASSWD:/sbin/ip link set wlan[0-9] up
+www-data ALL=(ALL) NOPASSWD:/sbin/ip -s a f label wlan[0-9]
+www-data ALL=(ALL) NOPASSWD:/bin/cp /etc/raspap/networking/dhcpcd.conf /etc/dhcpcd.conf
+www-data ALL=(ALL) NOPASSWD:/etc/raspap/hostapd/enablelog.sh
+www-data ALL=(ALL) NOPASSWD:/etc/raspap/hostapd/disablelog.sh
+www-data ALL=(ALL) NOPASSWD:/etc/raspap/hostapd/servicestart.sh
+www-data ALL=(ALL) NOPASSWD:/etc/raspap/lighttpd/configport.sh
+www-data ALL=(ALL) NOPASSWD:/etc/raspap/openvpn/configauth.sh
+www-data ALL=(ALL) NOPASSWD:/bin/chmod o+r /tmp/hostapd.log
+www-data ALL=(ALL) NOPASSWD:/bin/chmod o+r /tmp/dnsmasq.log
+www-data ALL=(ALL) NOPASSWD:/bin/cp /tmp/dnsmasqdata /etc/dnsmasq.d/090_adblock.conf
+www-data ALL=(ALL) NOPASSWD:/etc/raspap/adblock/update_blocklist.sh
+
diff --git a/installers/raspapd.service b/installers/raspapd.service
new file mode 100644
index 00000000..c5738465
--- /dev/null
+++ b/installers/raspapd.service
@@ -0,0 +1,24 @@
+### BEGIN INIT INFO
+# Provides: raspapd
+# Required-Start: $remote_fs $syslog
+# Required-Stop: $remote_fs $syslog
+# Default-Start: S 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: Start RaspAP daemon at boot time
+# Description: Enable service provided by daemon
+### END INIT INFO
+# Author: BillZ
+
+[Unit]
+Description=RaspAP Service Daemon
+DefaultDependencies=no
+After=multi-user.target
+
+[Service]
+Type=oneshot
+ExecStart=/bin/bash /etc/raspap/hostapd/servicestart.sh --interface uap0 --seconds 3
+RemainAfterExit=no
+
+[Install]
+WantedBy=multi-user.target
+
diff --git a/installers/raspbian.sh b/installers/raspbian.sh
index ea828999..5f45f4bf 100755
--- a/installers/raspbian.sh
+++ b/installers/raspbian.sh
@@ -1,8 +1,8 @@
 #!/bin/bash
 #
 # RaspAP Quick Installer
-# author: @billz
-# license: GNU General Public License v3.0
+# Author: @billz
+# License: GNU General Public License v3.0
 #
 # Usage:
 #
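Review bot: Several entries in raspap.sudoers name a command without an argument list (`/sbin/ifup`, `/sbin/ifdown` and the scripts under /etc/raspap), and sudoers then accepts any arguments, so www-data can pass options the web UI never uses to programs running as root. Where the UI calls a command with fixed or no arguments, spell them out or forbid them with `""`, e.g. `www-data ALL=(root) NOPASSWD:/etc/raspap/hostapd/enablelog.sh ""` (assuming that script takes none); `(root)` instead of `(ALL)` also stops the same commands being run as other accounts. The `/bin/cp /tmp/... ` entries copy from fixed names in a world-writable directory into root-owned configuration, so the staging files would be safer in a directory only www-data can write. The listed scripts must be root-owned and not writable by www-data, which this diff does not show; worth confirming in `_change_file_ownership`.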
@@ -27,13 +27,16 @@ # https://raw.githubusercontent.com/billz/raspap-webgui/master/installers/common.sh # - or - # https://raw.githubusercontent.com/billz/raspap-webgui/master/installers/mkcert.sh +# +# You are not obligated to bundle the LICENSE file with your RaspAP projects as long +# as you leave these references intact in the header comments of your source files. # Set defaults repo="billz/raspap-webgui" branch="master" -VERSION=$(curl -s "https://api.github.com/repos/$repo/releases/latest" | grep -Po '"tag_name": "\K.*?(?=")' ) assume_yes=0 ovpn_option=1 +readonly RASPAP_LATEST=$(curl -s "https://api.github.com/repos/$repo/releases/latest" | grep -Po '"tag_name": "\K.*?(?=")' ) # Define usage notes usage=$(cat << EOF @@ -59,6 +62,9 @@ while :; do ovpn_option="$2" shift ;; + -a|--adblock) + install_adblock=1 + ;; -c|--cert|--certificate) install_cert=1 ;; @@ -75,7 +81,7 @@ while :; do exit 1 ;; -v|--version) - printf "RaspAP v${VERSION} - simple AP setup and wifi mangement for the RaspberryPi\n" + printf "RaspAP v${RASPAP_LATEST} - simple AP setup and wifi mangement for the RaspberryPi\n" exit 1 ;; -*|--*) @@ -93,7 +99,7 @@ done UPDATE_URL="https://raw.githubusercontent.com/$repo/$branch/" # Outputs a welcome message -function display_welcome() { +function _display_welcome() { raspberry='\033[0;35m' green='\033[1;32m' 
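Review bot: In the `-v|--version` branch, `RASPAP_LATEST` holds text parsed from an HTTP response and is placed inside the printf format string, so any `%` or backslash sequence in the tag is interpreted; pass it as an argument instead, `printf 'RaspAP v%s - simple AP setup ...\n' "$RASPAP_LATEST"`. The banner in `_display_welcome` prints the same value through `echo -e`. In the first raspbian.sh hunk, `readonly RASPAP_LATEST=$(curl -s ...)` hides curl's exit status behind `readonly`; assign first, then `readonly RASPAP_LATEST` on the next line, and consider `curl -fsS` so an API error does not silently produce an empty version.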
@@ -105,35 +111,35 @@ function display_welcome() { echo -e " 88 88 88. .88 88 88. .88 88 88 88" echo -e " dP dP 88888P8 88888P 88Y888P 88 88 dP" echo -e " 88" - echo -e " dP version ${VERSION}" + echo -e " dP version ${RASPAP_LATEST}" echo -e "${green}" echo -e "The Quick Installer will guide you through a few easy steps\n\n" } # Outputs a RaspAP Install log line -function install_log() { +function _install_log() { echo -e "\033[1;32mRaspAP Install: $*\033[m" } # Outputs a RaspAP Install Error log line and exits with status code 1 -function install_error() { +function _install_error() { echo -e "\033[1;37;41mRaspAP Install Error: $*\033[m" exit 1 } # Outputs a RaspAP Warning line -function install_warning() { +function _install_warning() { echo -e "\033[1;33mWarning: $*\033[m" } # Outputs a RaspAP divider -function install_divider() { +function _install_divider() { echo -e "\033[1;32m***************************************************************$*\033[m" } -function update_system_packages() { - install_log "Updating sources" - sudo apt-get update || install_error "Unable to update package list" +function _update_system_packages() { + _install_log "Updating sources" + sudo apt-get update || _install_error "Unable to update package list" } # Fetch required installer functions @@ -141,11 +147,11 @@ if [ "${install_cert:-}" = 1 ]; then source="mkcert" wget -q ${UPDATE_URL}installers/${source}.sh -O /tmp/raspap_${source}.sh source /tmp/raspap_${source}.sh && rm -f /tmp/raspap_${source}.sh - install_certificate || install_error "Unable to install certificate" + _install_certificate || _install_error "Unable to install certificate" else source="common" wget -q ${UPDATE_URL}installers/${source}.sh -O /tmp/raspap_${source}.sh source /tmp/raspap_${source}.sh && rm -f /tmp/raspap_${source}.sh - install_raspap || install_error "Unable to install RaspAP" + _install_raspap || _install_error "Unable to install RaspAP" fi 
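Review bot: The installer fetch at the end of raspbian.sh writes to the fixed path `/tmp/raspap_${source}.sh`, ignores wget's exit status and then sources whatever is at that path, so a failed download or a pre-existing file of that name is executed in the installer's shell. Use a private temporary file and stop on download failure: `tmpfile=$(mktemp) || _install_error "Unable to create temporary file"`, then `wget -q "${UPDATE_URL}installers/${source}.sh" -O "$tmpfile" || _install_error "Unable to download ${source}.sh"`, then `source "$tmpfile"`. The pattern appears in both branches of the `if`, which opens just above the hunk. Only the renamed entry points are changed by this commit; the fetch lines are context.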
diff --git a/installers/servicestart.sh b/installers/servicestart.sh index 710d2b4b..3e7cbadd 100755 --- a/installers/servicestart.sh +++ b/installers/servicestart.sh @@ -1,12 +1,12 @@ #!/bin/bash -# When wireless client AP mode is enabled, this script handles starting +# When wireless client AP or Bridge mode is enabled, this script handles starting # up network services in a specific order and timing to avoid race conditions. PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin -NAME=raspap +NAME=raspapd DESC="Service control for RaspAP" CONFIGFILE="/etc/raspap/hostapd.ini" -DAEMONPATH="/lib/systemd/system/raspap.service" +DAEMONPATH="/lib/systemd/system/raspapd.service" OPENVPNENABLED=$(pidof openvpn | wc -l) positional=() @@ -22,21 +22,33 @@ case $key in ;; -s|--seconds) seconds="$2" - shift # past argument - shift # past value + shift + shift + ;; + -a|--action) + action="$2" + shift + shift ;; esac done set -- "${positional[@]}" echo "Stopping network services..." -systemctl stop openvpn-client@client +if [ $OPENVPNENABLED -eq 1 ]; then + systemctl stop openvpn-client@client +fi systemctl stop systemd-networkd systemctl stop hostapd.service systemctl stop dnsmasq.service systemctl stop dhcpcd.service -if [ -f "$DAEMONPATH" ]; then +if [ "${action}" = "stop" ]; then + echo "Services stopped. Exiting." + exit 0 +fi + +if [ -f "$DAEMONPATH" ] && [ ! -z "$interface" ]; then echo "Changing RaspAP Daemon --interface to $interface" sed -i "s/\(--interface \)[[:alnum:]]*/\1$interface/" "$DAEMONPATH" fi @@ -49,6 +61,9 @@ if [ -r "$CONFIGFILE" ]; then if [ "${config[BridgedEnable]}" = 1 ]; then if [ "${interface}" = "br0" ]; then + echo "Stopping systemd-networkd" + systemctl stop systemd-networkd + echo "Restarting eth0 interface..." ip link set down eth0 ip link set up eth0 
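Review bot: In the argument-handling hunk of servicestart.sh, the new `[ ! -z "$interface" ]` guard only checks that `--interface` is non-empty before the value is spliced into the `sed -i` expression that rewrites the unit file, and this script is on the NOPASSWD list in raspap.sudoers, so the value should be validated rather than merely present. Matching what the sed pattern itself expects would do: `if [ -f "$DAEMONPATH" ] && [[ "$interface" =~ ^[[:alnum:]]+$ ]]; then`. `$action` and `$seconds` come from the same argument loop, which starts outside the hunk. `if [ $OPENVPNENABLED -eq 1 ]` should quote the variable.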
@@ -64,14 +79,21 @@ if [ -r "$CONFIGFILE" ]; then echo "Disabling systemd-networkd" systemctl disable systemd-networkd - echo "Removing br0 interface..." - ip link set down br0 - ip link del dev br0 + ip link ls up | grep -q 'br0' &> /dev/null + if [ $? == 0 ]; then + echo "Removing br0 interface..." + ip link set down br0 + ip link del dev br0 + fi if [ "${config[WifiAPEnable]}" = 1 ]; then if [ "${interface}" = "uap0" ]; then - echo "Removing uap0 interface..." - iw dev uap0 del + + ip link ls up | grep -q 'uap0' &> /dev/null + if [ $? == 0 ]; then + echo "Removing uap0 interface..." + iw dev uap0 del + fi echo "Adding uap0 interface to ${config[WifiManaged]}" iw dev ${config[WifiManaged]} interface add uap0 type __ap