router.home.lan

archive

#!/bin/bash

if [ -z "$PASS" ]; then
  echo "Please setup password for the archive"
  exit 0
fi

ROOT=/mnt/data/backups/archives
SOURCE=/mnt/data/workspace

archive () {
  NAME=$1

  rm -f $ROOT/$NAME.log
  rm -f $ROOT/$NAME.tar.gz

  tar --exclude=/lost+found -P --one-file-system --use-compress-program pigz -cvpf - $SOURCE/$NAME 2> $ROOT/$NAME.log | \
    openssl aes-256-cbc -pbkdf2 -out $ROOT/$NAME.tar.gz -pass pass:$PASS
  HASH=`md5sum $ROOT/$NAME.tar.gz | awk '{ print $1 }'`
  echo "HASH: $HASH" >> $ROOT/$NAME.log
}

archive chuntent
archive kuna
archive ourgame
archive RGGame
archive tynon
archive wmss
archive xunbaola
archive gnues

split -b 10G -d wmss.tar.gz wmss.tar.gz.

dynv6

#!/bin/sh -e
# based on https://gist.github.com/corny/7a07f5ac901844bd20c9

hostname=k9982874.dns.navy
device=ppp0
token=<YOUR TOKEN>

v4_file=/tmp/${hostname}

[ -e $v4_file ] && old=`cat $v4_file`

if [ -z "$hostname" -o -z "$token" ]; then
  echo "Usage: token=<your-authentication-token> $0 your-name.dynv6.net [device]"
  exit 1
fi

if [ -n "$device" ]; then
  device="dev $device"
fi

v4_address=$(ip -4 addr list $device | grep "global" | sed -n 's/.*inet \([0-9.]\+\).*/\1/p' | head -n 1);

echo $v4_address

if [ -e /usr/bin/curl ]; then
  bin="curl -fsS"
elif [ -e /usr/bin/wget ]; then
  bin="wget -O-"
else
  echo "neither curl nor wget found"
  exit 1
fi

if [ -z "$v4_address" ]; then
  echo "no IPv4 address found"
  exit 1
fi

current=$v4_address

if [ "$old" = "$current" ]; then
  # when running via cron we do not need that kind of verbosity.
  # echo "IPv4 address unchanged"
  exit
fi

echo "new ipv4 address detected ${v4_address}, updating"

# send addresses to dynv6
$bin "http://ipv4.dynv6.com/api/update?hostname=$hostname&ipv4=$v4_address&token=$token"

# save current address
echo $current > $v4_file

gitea-backup

#!/bin/bash

if [ -z "$RESTIC_REPOSITORY" ]; then
  echo "Please specify path for the restic repository"
  exit 0
fi

if [ -z "$RESTIC_PASSWORD" ]; then
  echo "Please input password for the archive"
  exit 0
fi

if [ -z "$MYSQL_USER" ]; then
  echo "Please specify user for the mysql"
  exit 0
fi

if [ -z "$MYSQL_PASSWORD" ]; then
  echo "Please input password for the mysql"
  exit 0
fi

mysqldump --opt --complete-insert --add-drop-database -u$MYSQL_USER -p$MYSQL_PASSWORD --databases gitea |
  restic backup --tag="gitea on mysql" --stdin --stdin-filename gitea.sql

restic backup --tag="source code" --exclude="lost+found" --one-file-system /mnt/data/gitea

iptables.rules

#*mangle
#:PREROUTING ACCEPT [0:0]
#:INPUT ACCEPT [0:0]
#:FORWARD ACCEPT [0:0]
#:OUTPUT ACCEPT [0:0]
#:POSTROUTING ACCEPT [0:0]
#COMMIT

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]

# Keep all established connections
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# Allow loopback interface (lo0) and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT

# Drop Invalid Packets
-A INPUT -m conntrack --ctstate INVALID -j DROP

# Allow Established and Related Incoming Connections
-A INPUT -i ppp0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# Allow Established Outgoing Connections
-A OUTPUT -o ppp0 -m conntrack --ctstate ESTABLISHED -j ACCEPT

# Clamp mss to pmtu for pppoe
-A FORWARD -o ppp0 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

# Forward internal and external
-A FORWARD -i ppp0 -o br0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i br0 -o ppp0 -j ACCEPT

# Forward for wireguard
-A FORWARD -i ppp0 -o wg0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i wg0 -o ppp0 -j ACCEPT

# Allow ping and ICMP error returns.
-A INPUT -p icmp -m conntrack --ctstate NEW --icmp-type 8 -j ACCEPT
-A INPUT -p icmp -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT

# Allow ssh
#-A INPUT -i ppp0 -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
#-A OUTPUT -o ppp0 -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT

# Allow HTTP
-A INPUT -i ppp0 -p tcp --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o ppp0 -p tcp --sport 80 -m conntrack --ctstate ESTABLISHED -j ACCEPT

# Allow HTTPS
-A INPUT -i ppp0 -p tcp --dport 443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o ppp0 -p tcp --sport 443 -m conntrack --ctstate ESTABLISHED -j ACCEPT

# Allow gost proxy
-A INPUT -i ppp0 -p tcp --dport 8388 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o ppp0 -p tcp --sport 8388 -m conntrack --ctstate ESTABLISHED -j ACCEPT

# Allow Transmission Port
-A INPUT -i ppp0 -p tcp --dport 51413 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o ppp0 -p tcp --sport 51413 -m conntrack --ctstate ESTABLISHED -j ACCEPT

# Allow WireGuard port
-A INPUT -i ppp0 -p udp --dport 51820 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o ppp0 -p udp --sport 51820 -m conntrack --ctstate ESTABLISHED -j ACCEPT

# ydc
#-A INPUT -i ppp0 -p tcp -m multiport --dport 1896,6881,6882,38894 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
#-A INPUT -i ppp0 -p udp -m multiport --dport 1896,6881,6882,38894 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
#-A OUTPUT -o ppp0 -p tcp -m multiport --sport 1896,6881,6882,38894 -m conntrack --ctstate ESTABLISHED -j ACCEPT
#-A OUTPUT -o ppp0 -p udp -m multiport --sport 1896,6881,6882,38894 -m conntrack --ctstate ESTABLISHED -j ACCEPT

#-A INPUT -i ppp0 -p tcp -m multiport --dport 9092 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
#-A OUTPUT -o ppp0 -p tcp -m multiport --sport 9092 -m conntrack --ctstate ESTABLISHED -j ACCEPT

#-A INPUT -i ppp0 -p tcp --dport 51414 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
#-A OUTPUT -o ppp0 -p tcp --sport 51414 -m conntrack --ctstate ESTABLISHED -j ACCEPT

# Drop all other traffic for external
-A INPUT -i ppp0 -j DROP

COMMIT

*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]

-A POSTROUTING -o ppp0 -j MASQUERADE

-A PREROUTING -d 127.0.0.1/24 -j RETURN
-A PREROUTING -d 255.255.0.0/8 -j RETURN
-A PREROUTING -d 224.0.0.0/4 -j RETURN
-A PREROUTING -d 192.168.1.0/24 -j RETURN
-A PREROUTING -d 10.8.0.0/24 -j RETURN

# GFW list
-A PREROUTING -p tcp -m set --match-set gfwlist dst -j REDIRECT --to-ports 1080
-A OUTPUT -p tcp -m set --match-set gfwlist dst -j REDIRECT --to-ports 1080

# ydc
#-A PREROUTING -p tcp --dport 1896 -j DNAT --to-destination 192.168.1.107:1896
#-A PREROUTING -p tcp --dport 6881 -j DNAT --to-destination 192.168.1.107:6881
#-A PREROUTING -p tcp --dport 6882 -j DNAT --to-destination 192.168.1.107:6882
#-A PREROUTING -p tcp --dport 38894 -j DNAT --to-destination 192.168.1.107:38894

COMMIT

ppp-redial

#!/bin/bash

PPPD_PID=$(/usr/bin/pidof pppd)
kill -s HUP $PPPD_PID

restore

#!/bin/bash

BACKUP_FILE=$1
RESTORE_PATH=$2

restore () {
    START_AT=`date +%s`

    openssl aes-256-cbc -d -pbkdf2 -in $BACKUP_FILE -pass pass:$1 | tar -xvp --use-compress-program pigz -C $RESTORE_PATH --numeric-owner

    END_AT=`date +%s`

    echo "Done. $((END_AT-START_AT)) seconds elapsed."
}

if [ -z "$BACKUP_FILE" -o -z "$RESTORE_PATH" ]; then
    echo "Usage: system-restore <BACKUP FILE> <PATH TO RESTORE>"
    exit 1
fi

if [ ! -f "$BACKUP_FILE" ]; then
    echo "Specified backup file does not exist"
    exit 1
fi

if [ ! -d "$RESTORE_PATH" ]; then
    echo "Specified path does not exist"
    exit 1
fi

echo "Please enter your password"
stty -echo
read PASS
stty echo

echo "Do you wish to restore $BACKUP_FILE to $RESTORE_PATH?"
select yn in "Yes" "No"; do
    case $yn in
        Yes ) restore $PASS; break;;
        * ) exit;;
    esac
done

system-backup

#!/bin/bash

if [ -z "$RESTIC_REPOSITORY" ]; then
  echo "Please specify path for the restic repository"
  exit 0
fi

if [ -z "$RESTIC_PASSWORD" ]; then
  echo "Please input password for the archive"
  exit 0
fi

restic backup \
  --exclude="/proc" \
  --exclude="/tmp" \
  --exclude="/mnt" \
  --exclude="/dev" \
  --exclude="/sys" \
  --exclude="/run" \
  --exclude="/media" \
  --exclude="/var/log" \
  --exclude="/var/cache" \
  --exclude="lost+found" \
  --exclude="*.sock" \
  --one-file-system \
  /

website-backup

#!/bin/bash

if [ -z "$RESTIC_REPOSITORY" ]; then
  echo "Please specify path for the restic repository"
  exit 0
fi

if [ -z "$RESTIC_PASSWORD" ]; then
  echo "Please input password for the archive"
  exit 0
fi

if [ -z "$MYSQL_USER" ]; then
  echo "Please specify user for the mysql"
  exit 0
fi

if [ -z "$MYSQL_PASSWORD" ]; then
  echo "Please input password for the mysql"
  exit 0
fi

mysqldump --opt --complete-insert --add-drop-database -u$MYSQL_USER -p$MYSQL_PASSWORD --databases nextcloud |
  restic backup --tag="nextcloud on mysql" --stdin --stdin-filename nextcloud.sql

restic backup --tag="website" --exclude="lost+found" --one-file-system /mnt/data/web