From 5d83c6acb50fa8b16dd7acf6882e2fcec787a026 Mon Sep 17 00:00:00 2001
From: John Dorman
Date: Sun, 31 May 2020 06:40:04 -0700
Subject: [PATCH] First push of docs
---
 .gitattributes | 3 +
 on-boot-script/README.md | 69 +++++++++++++++++++
 on-boot-script/examples/udm-files/on_boot.sh | 3 +
 on-boot-script/examples/unifi-os-files/udm.sh | 2 +
 .../examples/unifi-os-files/udmboot.service | 9 +++
 run-pihole/README.md | 35 ++++++++++
 run-pihole/install-cni-plugins.sh | 5 ++
 run-pihole/udm-files/20-dns.conflist | 26 +++++++
 run-pihole/udm-files/on_boot.sh | 19 +++++
 9 files changed, 171 insertions(+)
 create mode 100644 on-boot-script/README.md
 create mode 100644 on-boot-script/examples/udm-files/on_boot.sh
 create mode 100644 on-boot-script/examples/unifi-os-files/udm.sh
 create mode 100644 on-boot-script/examples/unifi-os-files/udmboot.service
 create mode 100644 run-pihole/README.md
 create mode 100644 run-pihole/install-cni-plugins.sh
 create mode 100644 run-pihole/udm-files/20-dns.conflist
 create mode 100644 run-pihole/udm-files/on_boot.sh
diff --git a/.gitattributes b/.gitattributes
index fb1171a..c287b4f 100644
--- a/.gitattributes
+++ b/.gitattributes
@@ -1,2 +1,5 @@
 *.md filter=lfs diff=lfs merge=lfs -text
+*.sh filter=lfs diff=lfs merge=lfs -text
+*.service filter=lfs diff=lfs merge=lfs -text
+*.conflist filter=lfs diff=lfs merge=lfs -text
 * text !filter !merge !diff
diff --git a/on-boot-script/README.md b/on-boot-script/README.md
new file mode 100644
index 0000000..392b22b
--- /dev/null
+++ b/on-boot-script/README.md
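Review bot: The three `filter=lfs` lines added for `*.sh`, `*.service` and `*.conflist` are overridden by the unchanged last line `* text !filter !merge !diff`, because in .gitattributes a later matching pattern wins and `!filter` unsets the attribute; the pre-existing `*.md` line is in the same position. The rest of this patch appears to bear that out: every script, unit file and conflist shows up in the diff as plain content rather than as an LFS pointer. If LFS is not actually wanted for these files, drop the three lines; routing shell scripts and unit files through LFS would also hide their content from `git diff` and from review, which matters for files that run as root at boot. If LFS is wanted, move the `*` line above the pattern lines so it no longer cancels them.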
@@ -0,0 +1,69 @@
+# UDM / UDMPro Boot Script
+### Features
+1. Allows you to run a shell script at S95 anytime your UDM starts / reboots
+
+All files described here are in the examples folder, automation is coming soon.
+
+
+Steps
+# 1. Make your script on the UDM/UDMPRO
+```
+vi /mnt/data/on_boot.sh
+chmod u+x /mnt/data/on_boot.sh
+```
+Example: see examples/udm-files/on_boot.sh
+```
+#!/bin/sh
+podman start wpa_supplicant-udmpro
+
+iptables -t nat -C PREROUTING -p udp ! --source 10.0.0.x ! --destination 10.0.0.x --dport 53 -j DNAT --to 10.0.0.x || iptables -t nat -A PREROUTING -p udp ! --source 10.0.0.x ! --destination 10.0.0.x --dport 53 -j DNAT --to 10.0.0.x
+iptables -t nat -C PREROUTING -p tcp ! --source 10.0.0.x ! --destination 10.0.0.x --dport 53 -j DNAT --to 10.0.0.x || iptables -t nat -A PREROUTING -p tcp ! --source 10.0.0.x ! --destination 10.0.0.x --dport 53 -j DNAT --to 10.0.0.x
+iptables -t nat -C POSTROUTING -j MASQUERADE || iptables -t nat -A POSTROUTING -j MASQUERADE
+```
+
+# 2. Make the unifios docker container execute this script on startup, this has to be done after every firmware update. It does persist through reboots.
+```
+podman exec -it unifi-os sh
+
+ssh root@127.0.01 # this is to accept the fingerprint of the udm
+exit # back to the container shell
+```
+
+### make a script that sshs to the udm and runs on our boot script
+Example: examples/unifi-os-files/udm.sh
+```
+echo "#!/bin/sh
+ssh root@127.0.1.1 '/mnt/data/on_boot.sh'" > /etc/init.d/udm.sh # 127.0.1.1 always points to the UDM
+```
+#### make said script executable
+```
+chmod u+x /etc/init.d/udm.sh
+```
+### make a service that runs on startup, after we have networking
+Example: examples/unifi-os-files/udmboot.service
+```
+echo "[Unit]
+Description=Run On Startup UDM
+
+[Service]
+After=network.target
+ExecStart=/etc/init.d/udm.sh
+
+[Install]
+WantedBy=multi-user.target" > /etc/systemd/system/udmboot.service
+```
+
+### enable it and test
+```
+systemctl enable udmboot
+systemctl start udmboot
+```
+### back to the udm
+```
+exit
+```
+# reboot your udm/udmpro and make sure it worked
+```
+reboot
+exit
+```
diff --git a/on-boot-script/examples/udm-files/on_boot.sh b/on-boot-script/examples/udm-files/on_boot.sh
new file mode 100644
index 0000000..9a98f78
--- /dev/null
+++ b/on-boot-script/examples/udm-files/on_boot.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+podman start wpa_supplicant-udmpro
+
diff --git a/on-boot-script/examples/unifi-os-files/udm.sh b/on-boot-script/examples/unifi-os-files/udm.sh
new file mode 100644
index 0000000..a59b76e
--- /dev/null
+++ b/on-boot-script/examples/unifi-os-files/udm.sh
@@ -0,0 +1,2 @@
+#!/bin/sh
+ssh root@ubnt '/mnt/data/on_boot.sh'
diff --git a/on-boot-script/examples/unifi-os-files/udmboot.service b/on-boot-script/examples/unifi-os-files/udmboot.service
new file mode 100644
index 0000000..ca9abb3
--- /dev/null
+++ b/on-boot-script/examples/unifi-os-files/udmboot.service
@@ -0,0 +1,9 @@
+[Unit]
+Description=Run On Startup UDM
+
+[Service]
+After=network.target
+ExecStart=/etc/init.d/udm.sh
+
+[Install]
+WantedBy=multi-user.target
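Review bot: `ssh root@ubnt '/mnt/data/on_boot.sh'` targets a different name than the README's manual fingerprint step (`127.0.01` / `127.0.1.1`), and OpenSSH records host keys per name, so the first run from the systemd unit can stop at an unknown-host prompt with no terminal to answer it. Since this executes as root on every boot without a tty, the script should fail fast rather than hang: `ssh -o BatchMode=yes -o StrictHostKeyChecking=yes root@ubnt '/mnt/data/on_boot.sh'`, with the `ubnt` host key accepted once beforehand the same way the README does for the IP. How the container authenticates as root (which key it presents and where it is stored) is not documented anywhere in this patch; one sentence in the README covering that would help, assuming key-based auth is what is intended.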
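Review bot: `After=network.target` is placed in the `[Service]` section, but `After=` is a `[Unit]` directive; systemd reports it as an unknown key for that section and ignores it, so the unit is not actually ordered after networking is up, which is the whole reason the line exists. Move it under `[Unit]`, directly below `Description=Run On Startup UDM`. The README's `udmboot.service` listing has the same misplacement. Because `udm.sh` runs once and exits, adding `Type=oneshot` under `[Service]` would also describe the unit more accurately than the default, though that is a smaller point.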
diff --git a/run-pihole/README.md b/run-pihole/README.md
new file mode 100644
index 0000000..61561a9
--- /dev/null
+++ b/run-pihole/README.md
@@ -0,0 +1,35 @@
+# Run PiHole on your UDM PRo
+
+### Features
+1. Run PiHole on your UDM with a completely isolated network stack. This will not port conflict or be influenced by any changes on by Ubiquiti
+
+### Requirements
+1. You have setup the on boot script described in this repo
+
+### Steps
+1. Make a network with no DHCP server and give it a vlan. The files in this repo assume VLAN5
+2. Install the CNI plugins with install-cni-plugins.sh
+3. Update your on_boot.sh to include the commands in udm-files/on_boot.sh. You can leave out the iptables stuff if you don't want to DNAT all DNS calls to your PiHole
+4. Execute on_boot.sh
+5. Run the pihole docker container, be sure to make the directories for your persistent pihole configuration. They are mounted as volumes in the commmand below.
+
+```
+ podman run -d --network dns \
+ --name pihole \
+ -e TZ="America/Los Angeles" \
+ -v "/mnt/data/etc-pihole/:/etc/pihole/" \
+ -v "/mnt/data/pihole/etc-dnsmasq.d/:/etc/dnsmasq.d/" \
+ --dns=127.0.0.1 --dns=1.1.1.1 \
+ --hostname pi.hole \
+ -e VIRTUAL_HOST="pi.hole" \
+ -e PROXY_LOCATION="pi.hole" \
+ -e ServerIP="10.0.5.3" \
+ pihole/pihole:latest
+```
+
+6. Set pihole password
+```
+podman exec -it pihole pihole -a -p YOURNEWPASSHERE
+```
+6. Update your DNS Servers to 10.0.5.3 in all your DHCP configs.
+7. Access the pihole like you would normally. http://10.0.5.3/
diff --git a/run-pihole/install-cni-plugins.sh b/run-pihole/install-cni-plugins.sh
new file mode 100644
index 0000000..6bd6d78
--- /dev/null
+++ b/run-pihole/install-cni-plugins.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+curl -L https://github.com/containernetworking/plugins/releases -o cni.tgz
+
+mkdir -p /mnt/data/podman/cni/
+tar xf cni.tgz /mnt/data/podman/cni/
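Review bot: `curl -L https://github.com/containernetworking/plugins/releases -o cni.tgz` downloads the HTML releases page, not a plugin archive, so the `tar xf cni.tgz` on the last line cannot succeed; and that `tar` line passes the destination directory as a positional member name to extract instead of using `-C`. Even with a real asset URL, nothing pins a release or checks the archive against a published digest before it is unpacked and later exposed as `/opt/cni/bin` on the gateway, and with no `set -e` a failed download is silently carried into the extract step. I would pin the version, record the expected SHA-256 and verify it before extracting, and stop on the first failure, as below. The placeholders must be filled from the release page, and the `linux-arm64` asset name reflects my understanding of the UDM's architecture rather than anything in this patch.
```shell
#!/bin/bash
set -euo pipefail

# Pin the release and its archive digest so a failed, redirected or tampered
# download is rejected before anything is unpacked onto the gateway.
cni_version="<release tag from the plugins releases page>"
expected_sha256="<sha256 of that release's linux-arm64 archive>"
url="https://github.com/containernetworking/plugins/releases/download/${cni_version}/cni-plugins-linux-arm64-${cni_version}.tgz"

tmp=$(mktemp -d)
trap 'rm -rf -- "$tmp"' EXIT

curl -fsSL "$url" -o "$tmp/cni.tgz"
printf '%s  %s\n' "$expected_sha256" "$tmp/cni.tgz" | sha256sum -c -

mkdir -p /mnt/data/podman/cni/
# -C selects the destination; a bare path after the archive name is read by
# tar as a member to extract, not as a target directory.
tar xzf "$tmp/cni.tgz" -C /mnt/data/podman/cni/
```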
diff --git a/run-pihole/udm-files/20-dns.conflist b/run-pihole/udm-files/20-dns.conflist
new file mode 100644
index 0000000..45b24e7
--- /dev/null
+++ b/run-pihole/udm-files/20-dns.conflist
@@ -0,0 +1,26 @@
+{
+ "cniVersion": "0.4.0",
+ "name": "dns",
+ "plugins": [
+ {
+ "type": "macvlan",
+ "mode": "bridge",
+ "master": "br5",
+ "ipam": {
+ "type": "static",
+ "addresses": [
+ {
+ "address": "10.0.5.3/24",
+ "gateway": "10.0.5.1"
+ }
+ ],
+ "dns": {
+ "nameservers": ["127.0.0.1","10.0.0.1"]
+ },
+ "routes": [
+ {"dst": "0.0.0.0/0"}
+ ]
+ }
+ }
+ ]
+}
diff --git a/run-pihole/udm-files/on_boot.sh b/run-pihole/udm-files/on_boot.sh
new file mode 100644
index 0000000..d38c072
--- /dev/null
+++ b/run-pihole/udm-files/on_boot.sh
@@ -0,0 +1,19 @@
+#!/bin/sh
+
+mkdir -p /opt/cni
+ln -s /mnt/data/podman/cni/ /opt/cni/bin
+ln -s /mnt/data/podman/cni/20-dns.conflist /etc/cni/net.d/20-dns.conflist
+
+# Assumes your Podman network made in the controller is on VLAN 5
+# Adjust the IP to match the address in your cni configuration
+ip link add br5.mac link br5 type macvlan mode bridge
+ip addr add 10.0.5.2/24 dev br5.mac
+ip link set br5.mac up
+ip route add 10.0.5.3/32 dev br5.mac proto static scope link
+podman start pihole
+
+#Adjust these rules to your setup
+iptables -t nat -C PREROUTING -i br0 -p udp ! --source 10.0.5.3 ! --destination 10.0.5.3 --dport 53 -j DNAT --to 10.0.5.3 || iptables -t nat -A PREROUTING -i br0 -p udp ! --source 10.0.5.3 ! --destination 10.0.5.3 --dport 53 -j DNAT --to 10.0.5.3
+iptables -t nat -C PREROUTING -i br10 -p udp ! --source 10.0.5.3 ! --destination 10.0.5.3 --dport 53 -j DNAT --to 10.0.5.3 || iptables -t nat -A PREROUTING -i br10 -p udp ! --source 10.0.5.3 ! --destination 10.0.5.3 --dport 53 -j DNAT --to 10.0.5.3
+iptables -t nat -C PREROUTING -i br0 -p tcp ! --source 10.0.5.3 ! --destination 10.0.5.3 --dport 53 -j DNAT --to 10.0.5.3 || iptables -t nat -A PREROUTING -i br0 -p tcp ! --source 10.0.5.3 ! --destination 10.0.5.3 --dport 53 -j DNAT --to 10.0.5.3
+iptables -t nat -C PREROUTING -i br10 -p tcp ! --source 10.0.5.3 ! --destination 10.0.5.3 --dport 53 -j DNAT --to 10.0.5.3 || iptables -t nat -A PREROUTING -i br10 -p tcp ! --source 10.0.5.3 ! --destination 10.0.5.3 --dport 53 -j DNAT --to 10.0.5.3
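Review bot: The exit status of `podman start pihole` is never checked, yet the four DNAT rules that follow redirect every port-53 query from `br0` and `br10` to `10.0.5.3`, so if the container fails to come up on a boot every LAN client loses DNS rather than falling back to its configured resolver; gating the rules with `podman start pihole || exit 1` keeps a failed start from becoming an outage. The script creates `/opt/cni` but not `/etc/cni/net.d`, so the second `ln -s` fails unless the firmware already ships that directory; `mkdir -p /opt/cni /etc/cni/net.d` covers both. On a re-run where `/opt/cni/bin` already exists as a directory, `ln -s` places a new link inside it instead of replacing it, so the symlinks should be created with `ln -sfn` if the firmware's `ln` supports it, or guarded with a `[ -e ... ]` test. Without `set -e` the remaining `ip` and `iptables` commands also run regardless of earlier failures, which is worth a comment if that is intentional.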