From: Silvio Rhatto Date: Sun, 13 Dec 2020 13:25:19 +0000 (-0300) Subject: Fix: provision cleanup and organize X-Git-Tag: 0.1.0~60 X-Git-Url: https://gitweb.fluxo.info/?a=commitdiff_plain;h=7799e36e0f057625f29bba0394597da5645fcc30;p=kvmx.git Fix: provision cleanup and organize --- diff --git a/README.md b/README.md index 51eb5d3..6708cb7 100644 --- a/README.md +++ b/README.md @@ -16,7 +16,7 @@ sources, you'll feel welcome here :) ## Features -* Automatic provisioning for Debian guests. +* Automatic provisioning for Debian-based guests. * Serial console support. * QEMU monitor support. * Easily copy files or SSH into the guest. diff --git a/share/provision/basic b/share/provision/debian/basic similarity index 100% rename from share/provision/basic rename to share/provision/debian/basic diff --git a/share/provision/desktop-basic b/share/provision/debian/desktop-basic similarity index 100% rename from share/provision/desktop-basic rename to share/provision/debian/desktop-basic diff --git a/share/provision/desktop-full b/share/provision/debian/desktop-full similarity index 100% rename from share/provision/desktop-full rename to share/provision/debian/desktop-full diff --git a/share/provision/development b/share/provision/debian/development similarity index 100% rename from share/provision/development rename to share/provision/debian/development diff --git a/share/provision/files/desktop-basic/etc/default/keyboard b/share/provision/debian/files/desktop-basic/etc/default/keyboard similarity index 100% rename from share/provision/files/desktop-basic/etc/default/keyboard rename to share/provision/debian/files/desktop-basic/etc/default/keyboard diff --git a/share/provision/files/desktop-basic/etc/lightdm/lightdm.conf b/share/provision/debian/files/desktop-basic/etc/lightdm/lightdm.conf similarity index 100% rename from share/provision/files/desktop-basic/etc/lightdm/lightdm.conf rename to share/provision/debian/files/desktop-basic/etc/lightdm/lightdm.conf diff --git a/share/provision/files/desktop-basic/home/user/.custom/xsession b/share/provision/debian/files/desktop-basic/home/user/.custom/xsession similarity index 100% rename from share/provision/files/desktop-basic/home/user/.custom/xsession rename to share/provision/debian/files/desktop-basic/home/user/.custom/xsession diff --git a/share/provision/lsd b/share/provision/debian/lsd similarity index 100% rename from share/provision/lsd rename to share/provision/debian/lsd diff --git a/share/provision/messenger b/share/provision/debian/messenger similarity index 100% rename from share/provision/messenger rename to share/provision/debian/messenger diff --git a/share/provision/openbox b/share/provision/debian/openbox similarity index 78% rename from share/provision/openbox rename to share/provision/debian/openbox index 26a6db0..df47622 100755 --- a/share/provision/openbox +++ b/share/provision/debian/openbox @@ -28,5 +28,13 @@ APT_INSTALL="sudo LC_ALL=C DEBIAN_FRONTEND=noninteractive apt-get install -y" # Use a stacked window manager to reduce browser fingerprinting $APT_INSTALL openbox gmrun -apps/metadot/metadot load openbox -sed -i -e 's/^WINDOW_MANAGER=.*$/WINDOW_MANAGER="openbox"/' $HOME/.custom/xsession + +# Dotfiles configuration +if [ -x "$HOME/apps/metadot/metadot" ]; then + $HOME/apps/metadot/metadot load openbox +fi + +# Custom xsession config +if [ -f "$HOME/.custom/xsession" ]; then + sed -i -e 's/^WINDOW_MANAGER=.*$/WINDOW_MANAGER="openbox"/' $HOME/.custom/xsession +fi diff --git a/share/provision/openvpn b/share/provision/debian/openvpn similarity index 100% rename from share/provision/openvpn rename to share/provision/debian/openvpn diff --git a/share/provision/tor-browser b/share/provision/debian/tor-browser similarity index 100% rename from share/provision/tor-browser rename to share/provision/debian/tor-browser diff --git a/share/provision/trashman b/share/provision/debian/trashman similarity index 100% rename from share/provision/trashman rename to share/provision/debian/trashman diff --git a/share/provision/web-basic b/share/provision/debian/web-basic similarity index 100% rename from share/provision/web-basic rename to share/provision/debian/web-basic diff --git a/share/provision/web-full b/share/provision/debian/web-full similarity index 100% rename from share/provision/web-full rename to share/provision/debian/web-full diff --git a/share/provision/webserver b/share/provision/debian/webserver similarity index 100% rename from share/provision/webserver rename to share/provision/debian/webserver diff --git a/share/provision/wireguard b/share/provision/debian/wireguard similarity index 100% rename from share/provision/wireguard rename to share/provision/debian/wireguard diff --git a/share/provision/files/njalla-openvpn/etc/ferm/ferm.conf b/share/provision/files/njalla-openvpn/etc/ferm/ferm.conf deleted file mode 100644 index a25a3d2..0000000 --- a/share/provision/files/njalla-openvpn/etc/ferm/ferm.conf +++ /dev/null @@ -1,181 +0,0 @@ -# -*- shell-script -*- -# -# Configuration file for ferm(1). -# -# V: 0.1 -# -# ferm manual: http://ferm.foo-projects.org/download/2.2/ferm.html -# Blog post: https://blog.ipredator.se/linux-firewall-howto.html -# - -# Really make sure that these modules exist and are loaded. -@hook pre "/sbin/modprobe nf_conntrack_ftp"; -@hook pre "/sbin/modprobe nfnetlink_log"; - -# Network interfaces. -#@def $DEV_LAN = eth0; -@def $DEV_LAN = ens3; -@def $DEV_LOOPBACK = lo0; -@def $DEV_VPN = tun0; - -# Network definition for the loopback device. This is needed to allow -# DNS resolution on Ubuntu Linux where the local resolver is bound -# to 127.0.1.1 - as opposed to the default 127.0.0.1. -@def $NET_LOOPBACK = 127.0.0.0/8; - -# Common application ports. -@def $PORT_DNS = 53; -@def $PORT_FTP = ( 20 21 ); -@def $PORT_NTP = 123; -@def $PORT_SSH = 22; -@def $PORT_WEB = ( 80 443 ); - -# The ports we allow OpenVPN to connect to. IPredator allows you -# to connect on _any_ port. Simply add more ports if desired but -# stick to only those that you really need. -@def $PORT_OPENVPN = (1194 1234 1337 2342 5060); - -# See https://blog.ipredator.se/howto/restricting-transmission-to-the-vpn-interface-on-ubuntu-linux.html -# Ports Transmission is allowed to use. -@def $PORT_TRANSMISSION = 16384:65535; - -# Public DNS servers and those that are only reachable via VPN. -# DNS servers are specified in the outbound DNS rules to prevent DNS leaks -# (https://www.dnsleaktest.com/). The public DNS servers configured on your -# system should be the IPredator ones (https://www.ipredator.se/page/services#service_dns), -# but you need to verify this. -# -@def $IP_DNS_IPR_PUBLIC = (194.132.32.32/32 46.246.46.246/32); - -# Add your ISP name server to this object if you want to restrict -# which DNS servers can be queried. -@def $IP_DNS_PUBLIC = 0.0.0.0/0; - -# DNS server available within the VPN. -@def $IP_DNS_VPN = ( 46.246.46.46/32 194.132.32.23/32 ); - -# Make sure to use the proper VPN interface (e.g. tun0 in this case). -# Note: You cannot reference $DEV_VPN here, substition does not take -# place for commands passed to a sub shell. -@def $VPN_ACTIVE = `ip link show tun0 >/dev/null 2>/dev/null && echo 1 || echo`; - -# VPN interface conditional. If true the following rules are loaded. -@if $VPN_ACTIVE { - domain ip { - table filter { - chain INPUT { - interface $DEV_VPN { - proto (tcp udp) dport $PORT_TRANSMISSION ACCEPT; - } - } - chain OUTPUT { - # Default allowed outbound services on the VPN interface. - # If you need more simply add your rules here. - outerface $DEV_VPN { - proto (tcp udp) daddr ( $IP_DNS_VPN $IP_DNS_IPR_PUBLIC ) dport $PORT_DNS ACCEPT; - proto tcp dport $PORT_FTP ACCEPT; - proto udp dport $PORT_NTP ACCEPT; - proto tcp dport $PORT_SSH ACCEPT; - proto (tcp udp) sport $PORT_TRANSMISSION ACCEPT; - proto tcp dport $PORT_WEB ACCEPT; - } - } - } - } -} - -# The main IPv4 rule set. -domain ip { - table filter { - chain INPUT { - # The default policy for the chain. Usually ACCEPT or DROP or REJECT. - policy DROP; - - # Connection tracking. - mod state state INVALID DROP; - mod state state (ESTABLISHED RELATED) ACCEPT; - - # Allow local traffic to loopback interface. - daddr $NET_LOOPBACK ACCEPT; - - # Allow inbound SSH on your LAN interface _only_. - interface $DEV_LAN { - proto tcp dport $PORT_SSH ACCEPT; - } - - # Respond to ping ... makes debugging easier. - proto icmp icmp-type echo-request ACCEPT; - - # Log dropped packets. - NFLOG nflog-group 1; - DROP; - } - - chain OUTPUT { - policy DROP; - - # Connection tracking. - mod state state INVALID DROP; - mod state state (ESTABLISHED RELATED) ACCEPT; - - # Allow local traffic from the loopback interface. - saddr $NET_LOOPBACK ACCEPT; - - # Respond to ping. - proto icmp icmp-type echo-request ACCEPT; - - # Allowed services on the LAN interface. - outerface $DEV_LAN { - proto (tcp udp) daddr $IP_DNS_PUBLIC dport $PORT_DNS ACCEPT; - proto udp dport $PORT_NTP ACCEPT; - proto (tcp udp) dport $PORT_OPENVPN ACCEPT; - proto tcp dport $PORT_SSH ACCEPT; - } - - # Log dropped packets. - NFLOG nflog-group 1; - DROP; - } - - chain FORWARD { - policy DROP; - - # If you use your machine to route traffic eg. - # from a VM you have to add rules here! - - # Log dropped packets. - NFLOG nflog-group 1; - DROP; - } - } -} - -# IPv6 is generally disabled, communication on the loopback device is allowed. -domain ip6 { - table filter { - chain INPUT { - policy DROP; - - # Allow local traffic. - interface $DEV_LOOPBACK ACCEPT; - - # Log dropped packets. - NFLOG nflog-group 1; - DROP; - } - chain OUTPUT { - policy DROP; - - # Log dropped packets. - NFLOG nflog-group 1; - DROP; - } - chain FORWARD { - policy DROP; - - # Log dropped packets. - NFLOG nflog-group 1; - DROP; - } - } -} diff --git a/share/provision/files/njalla-openvpn/etc/udev/rules.d/81-vpn-firewall.rules b/share/provision/files/njalla-openvpn/etc/udev/rules.d/81-vpn-firewall.rules deleted file mode 100644 index 64d8bd1..0000000 --- a/share/provision/files/njalla-openvpn/etc/udev/rules.d/81-vpn-firewall.rules +++ /dev/null @@ -1,2 +0,0 @@ -KERNEL=="tun0", ACTION=="add", RUN+="/usr/local/bin/fermreload.sh add" -KERNEL=="tun0", ACTION=="remove", RUN+="/usr/local/bin/fermreload.sh remove" diff --git a/share/provision/files/njalla-openvpn/usr/local/bin/fermreload.sh b/share/provision/files/njalla-openvpn/usr/local/bin/fermreload.sh deleted file mode 100755 index cebf7cc..0000000 --- a/share/provision/files/njalla-openvpn/usr/local/bin/fermreload.sh +++ /dev/null @@ -1,39 +0,0 @@ -#!/bin/bash -# -# fermreload.sh -# V: 0.1 -# -# Reloads the ferm firewall ruleset and is invoked by -# the udev via /etc/udev/rules.d/81-vpn-firewall.rules. -# -# IPredator 2014 -# Released under the Kopimi license. -# -# Blog post: https://blog.ipredator.se/linux-firewall-howto.html -# - -LOGGER=/usr/bin/logger -LOGGER_TAG=$0 - -UDEV_ACTION=$1 - -FERM=/usr/sbin/ferm -FERM_CONF=/etc/ferm/ferm.conf - -MSG_FW_RULE_ADD="Adding VPN firewall rules." -MSG_FW_RULE_REMOVE="Removing VPN firewall rules." -MSG_UDEV_ACTION_UNKNOWN="Unknown udev action." - -case "$UDEV_ACTION" in - add) - $LOGGER -t $LOGGER_TAG $MSG_FW_RULE_ADD - $FERM $FERM_CONF - ;; - remove) - $LOGGER -t $LOGGER_TAG $MSG_FW_RULE_REMOVE - $FERM $FERM_CONF - ;; - *) - $LOGGER -t $LOGGER_TAG $MSG_UDEV_ACTION_UNKNOWN - exit 1 -esac diff --git a/share/provision/files/njalla-wireguard/etc/ferm/ferm.conf b/share/provision/files/njalla-wireguard/etc/ferm/ferm.conf deleted file mode 100644 index 9ef8208..0000000 --- a/share/provision/files/njalla-wireguard/etc/ferm/ferm.conf +++ /dev/null @@ -1,179 +0,0 @@ -# -*- shell-script -*- -# -# Configuration file for ferm(1). -# -# V: 0.1 -# -# ferm manual: http://ferm.foo-projects.org/download/2.2/ferm.html -# Blog post: https://blog.ipredator.se/linux-firewall-howto.html -# - -# Really make sure that these modules exist and are loaded. -@hook pre "/sbin/modprobe nf_conntrack_ftp"; -@hook pre "/sbin/modprobe nfnetlink_log"; - -# Network interfaces. -#@def $DEV_LAN = eth0; -@def $DEV_LAN = ens3; -@def $DEV_LOOPBACK = lo0; -@def $DEV_VPN = wg0; - -# Network definition for the loopback device. This is needed to allow -# DNS resolution on Ubuntu Linux where the local resolver is bound -# to 127.0.1.1 - as opposed to the default 127.0.0.1. -@def $NET_LOOPBACK = 127.0.0.0/8; - -# Common application ports. -@def $PORT_DNS = 53; -@def $PORT_FTP = ( 20 21 ); -@def $PORT_NTP = 123; -@def $PORT_SSH = 22; -@def $PORT_WEB = ( 80 443 ); - -# The ports we allow to connect to. -@def $PORT_WIREGUARD = ( 51820 ); - -# See https://blog.ipredator.se/howto/restricting-transmission-to-the-vpn-interface-on-ubuntu-linux.html -# Ports Transmission is allowed to use. -@def $PORT_TRANSMISSION = 16384:65535; - -# Public DNS servers and those that are only reachable via VPN. -# DNS servers are specified in the outbound DNS rules to prevent DNS leaks -# (https://www.dnsleaktest.com/). The public DNS servers configured on your -# system should be the IPredator ones (https://www.ipredator.se/page/services#service_dns), -# but you need to verify this. -# -@def $IP_DNS_IPR_PUBLIC = ( 95.215.19.53/32 ); - -# Add your ISP name server to this object if you want to restrict -# which DNS servers can be queried. -@def $IP_DNS_PUBLIC = 0.0.0.0/0; - -# DNS server available within the VPN. -@def $IP_DNS_VPN = ( 95.215.19.53/32 ); - -# Make sure to use the proper VPN interface (e.g. wg0 in this case). -# Note: You cannot reference $DEV_VPN here, substition does not take -# place for commands passed to a sub shell. -@def $VPN_ACTIVE = `ip link show wg0 >/dev/null 2>/dev/null && echo 1 || echo`; - -# VPN interface conditional. If true the following rules are loaded. -@if $VPN_ACTIVE { - domain ip { - table filter { - chain INPUT { - interface $DEV_VPN { - proto (tcp udp) dport $PORT_TRANSMISSION ACCEPT; - } - } - chain OUTPUT { - # Default allowed outbound services on the VPN interface. - # If you need more simply add your rules here. - outerface $DEV_VPN { - proto (tcp udp) daddr ( $IP_DNS_VPN $IP_DNS_IPR_PUBLIC ) dport $PORT_DNS ACCEPT; - proto tcp dport $PORT_FTP ACCEPT; - proto udp dport $PORT_NTP ACCEPT; - proto tcp dport $PORT_SSH ACCEPT; - proto (tcp udp) sport $PORT_TRANSMISSION ACCEPT; - proto tcp dport $PORT_WEB ACCEPT; - } - } - } - } -} - -# The main IPv4 rule set. -domain ip { - table filter { - chain INPUT { - # The default policy for the chain. Usually ACCEPT or DROP or REJECT. - policy DROP; - - # Connection tracking. - mod state state INVALID DROP; - mod state state (ESTABLISHED RELATED) ACCEPT; - - # Allow local traffic to loopback interface. - daddr $NET_LOOPBACK ACCEPT; - - # Allow inbound SSH on your LAN interface _only_. - interface $DEV_LAN { - proto tcp dport $PORT_SSH ACCEPT; - } - - # Respond to ping ... makes debugging easier. - proto icmp icmp-type echo-request ACCEPT; - - # Log dropped packets. - NFLOG nflog-group 1; - DROP; - } - - chain OUTPUT { - policy DROP; - - # Connection tracking. - mod state state INVALID DROP; - mod state state (ESTABLISHED RELATED) ACCEPT; - - # Allow local traffic from the loopback interface. - saddr $NET_LOOPBACK ACCEPT; - - # Respond to ping. - proto icmp icmp-type echo-request ACCEPT; - - # Allowed services on the LAN interface. - outerface $DEV_LAN { - proto (tcp udp) daddr $IP_DNS_PUBLIC dport $PORT_DNS ACCEPT; - proto udp dport $PORT_NTP ACCEPT; - proto (tcp udp) dport $PORT_WIREGUARD ACCEPT; - proto tcp dport $PORT_SSH ACCEPT; - } - - # Log dropped packets. - NFLOG nflog-group 1; - DROP; - } - - chain FORWARD { - policy DROP; - - # If you use your machine to route traffic eg. - # from a VM you have to add rules here! - - # Log dropped packets. - NFLOG nflog-group 1; - DROP; - } - } -} - -# IPv6 is generally disabled, communication on the loopback device is allowed. -domain ip6 { - table filter { - chain INPUT { - policy DROP; - - # Allow local traffic. - interface $DEV_LOOPBACK ACCEPT; - - # Log dropped packets. - NFLOG nflog-group 1; - DROP; - } - chain OUTPUT { - policy DROP; - - # Log dropped packets. - NFLOG nflog-group 1; - DROP; - } - chain FORWARD { - policy DROP; - - # Log dropped packets. - NFLOG nflog-group 1; - DROP; - } - } -} diff --git a/share/provision/files/njalla-wireguard/etc/udev/rules.d/81-vpn-firewall.rules b/share/provision/files/njalla-wireguard/etc/udev/rules.d/81-vpn-firewall.rules deleted file mode 100644 index 8c9d744..0000000 --- a/share/provision/files/njalla-wireguard/etc/udev/rules.d/81-vpn-firewall.rules +++ /dev/null @@ -1,2 +0,0 @@ -KERNEL=="wg0", ACTION=="add", RUN+="/usr/local/bin/fermreload.sh add" -KERNEL=="wg0", ACTION=="remove", RUN+="/usr/local/bin/fermreload.sh remove" diff --git a/share/provision/files/njalla-wireguard/usr/local/bin/fermreload.sh b/share/provision/files/njalla-wireguard/usr/local/bin/fermreload.sh deleted file mode 100755 index cebf7cc..0000000 --- a/share/provision/files/njalla-wireguard/usr/local/bin/fermreload.sh +++ /dev/null @@ -1,39 +0,0 @@ -#!/bin/bash -# -# fermreload.sh -# V: 0.1 -# -# Reloads the ferm firewall ruleset and is invoked by -# the udev via /etc/udev/rules.d/81-vpn-firewall.rules. -# -# IPredator 2014 -# Released under the Kopimi license. -# -# Blog post: https://blog.ipredator.se/linux-firewall-howto.html -# - -LOGGER=/usr/bin/logger -LOGGER_TAG=$0 - -UDEV_ACTION=$1 - -FERM=/usr/sbin/ferm -FERM_CONF=/etc/ferm/ferm.conf - -MSG_FW_RULE_ADD="Adding VPN firewall rules." -MSG_FW_RULE_REMOVE="Removing VPN firewall rules." -MSG_UDEV_ACTION_UNKNOWN="Unknown udev action." - -case "$UDEV_ACTION" in - add) - $LOGGER -t $LOGGER_TAG $MSG_FW_RULE_ADD - $FERM $FERM_CONF - ;; - remove) - $LOGGER -t $LOGGER_TAG $MSG_FW_RULE_REMOVE - $FERM $FERM_CONF - ;; - *) - $LOGGER -t $LOGGER_TAG $MSG_UDEV_ACTION_UNKNOWN - exit 1 -esac diff --git a/share/provision/njalla-openvpn b/share/provision/njalla-openvpn deleted file mode 100755 index eb8d1f4..0000000 --- a/share/provision/njalla-openvpn +++ /dev/null @@ -1,49 +0,0 @@ -#!/usr/bin/env bash -# -# Full desktop provision example -# -# Copyright (C) 2017 Silvio Rhatto - rhatto at riseup.net -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published -# by the Free Software Foundation, either version 3 of the License, -# or any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . -# - -# Parameters -DIRNAME="`dirname $0`" -BASENAME="`basename $0`" -HOSTNAME="$1" -DOMAIN="$2" -MIRROR="$3" -APT_INSTALL="sudo LC_ALL=C DEBIAN_FRONTEND=noninteractive apt-get install -y" - -# Provision the basic stuff -$DIRNAME/openvpn $HOSTNAME $DOMAIN $MIRROR - -# Firewall -$APT_INSTALL ferm ulogd2 ulogd2-pcap -sudo cp $DIRNAME/files/njalla-openvpn/etc/ferm/ferm.conf /etc/ferm -sudo cp $DIRNAME/files/njalla-openvpn/etc/udev/rules.d/81-vpn-firewall.rules /etc/udev/rules.d -sudo cp $DIRNAME/files/njalla-openvpn/usr/local/bin/fermreload.sh /usr/local/bin -sudo chmod 555 /usr/local/bin/fermreload.sh -sudo sed -i -e 's/^ENABLED=.*$/ENABLED="yes"/' /etc/default/ferm -sudo service ferm restart - -# Njalla -#sudo cp $DIRNAME/files/njalla/etc/openvpn/njalla.conf /etc/openvpn -#sudo touch /etc/openvpn/njalla.auth -#sudo chown root:root /etc/openvpn/njalla.conf -#sudo chown root:root /etc/openvpn/njalla.auth -#sudo chmod 400 /etc/openvpn/njalla.conf -#sudo chmod 400 /etc/openvpn/njalla.auth -#echo "Please set user/password at /etc/openvpn/njalla.auth" -echo "Please configure /etc/openvpn/njalla.conf" diff --git a/share/provision/njalla-wireguard b/share/provision/njalla-wireguard deleted file mode 100755 index df364bf..0000000 --- a/share/provision/njalla-wireguard +++ /dev/null @@ -1,42 +0,0 @@ -#!/usr/bin/env bash -# -# Full desktop provision example -# -# Copyright (C) 2017 Silvio Rhatto - rhatto at riseup.net -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published -# by the Free Software Foundation, either version 3 of the License, -# or any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . -# - -# Parameters -DIRNAME="`dirname $0`" -BASENAME="`basename $0`" -HOSTNAME="$1" -DOMAIN="$2" -MIRROR="$3" -APT_INSTALL="sudo LC_ALL=C DEBIAN_FRONTEND=noninteractive apt-get install -y" - -# Provision the basic stuff -$DIRNAME/wireguard $HOSTNAME $DOMAIN $MIRROR - -# Firewall -$APT_INSTALL ferm ulogd2 ulogd2-pcap -sudo cp $DIRNAME/files/njalla-wireguard/etc/ferm/ferm.conf /etc/ferm -sudo cp $DIRNAME/files/njalla-wireguard/etc/udev/rules.d/81-vpn-firewall.rules /etc/udev/rules.d -sudo cp $DIRNAME/files/njalla-wireguard/usr/local/bin/fermreload.sh /usr/local/bin -sudo chmod 555 /usr/local/bin/fermreload.sh -sudo sed -i -e 's/^ENABLED=.*$/ENABLED="yes"/' /etc/default/ferm -sudo service ferm restart - -# Njalla -echo "Please configure /etc/wireguard/ng0.conf"