FAQ and switch off

6 years ago · dfe765ac88
3 changed files with 110 additions and 18 deletions
--- a/FAQ.md
+++ b/FAQ.md
@ -624,3 +624,62 @@ If that not works ry to ping the IP of the RaspiBlitz with `ping [IP-of-RaspiBli
 - Some Routers have `IP Isolation` switched on - not allowing to devices to connect
 If that all is not working: Join the conversation on [GitHub Issue #420](https://github.com/rootzoll/raspiblitz/issues/420).
 ## How to setup port-forwarding with a SSH tunnel?
 To use a public server for port-forwarding thru a SSH tunnel you can use the following experimental script on the RaspiBlitz (since v1.2):
 `/home/admin/config.scripts/internet.sshtunnel.py`
 But first you need to make sure that the public server you are using is supporting SSH reverse tunneling and authentification by public authorized key. Check the `/etc/ssh/sshd_config` on the public server to contain the following settings:
 ```
 RSAAuthentication yes
 PubkeyAuthentication yes
 GatewayPorts yes
 AllowTcpForwarding yes
 ```
 You can add those at the end of the file, save and reboot.
 On the RaspiBlitz you can then setup for example to forward the gRPC port 10009 (internal port) to the port 20009 on the public server (external port) with the user = `test` and server address = `raspiblitz.com` with the following command:
 `/home/admin/config.scripts/internet.sshtunnel.py on test@raspiblitz.com 10009:20009`
 You can even set multiple port forwardings like with:
 `/home/admin/config.scripts/internet.sshtunnel.py on test@raspiblitz.com 10009:20009 8080:9090`
 Please beware that after you set such a port forwarding you need to set the domain of the public server as a `DynamicDNS` name (leave update url empty) and then connect mobile wallets fresh or export again the macaroons/certs. When connecting the mobile wallets you may need to adjust ports manually after QR code scan. And if you SSH tunnel the LND node port `9735` you may also need to sun the custom LND port script and maybe also a manual set of the domain in the LND service is needed. This all is very experimental at the moment ... better integration will come in the future.
 To switch this SSH tunneling off again use: 
 `/home/admin/config.scripts/internet.sshtunnel.py off` and also deactivate the DynamicDNS again. 
 ## How to setup just a port-forwarding user on my public server?
 Make sure the `/etc/ssh/sshd_config` has the following lines at the end:
 ```
 RSAAuthentication yes
 PubkeyAuthentication yes
 GatewayPorts yes
 AllowTcpForwarding yes
 AuthorizedKeysFile  /etc/ssh/authorized_keys/%u
 ```
 The last one stores all authorized_keys in one directory with a file per user. See https://serverfault.com/questions/313465/is-a-central-location-for-authorized-keys-a-good-idea#424659 To prepare this run:
 ```
 mkdir /etc/ssh/authorized_keys
 groupadd forwardings
 ```
 To add a forwarding user run:
 ```
 useradd -g forwardings -d /home [USERNAME]
 echo "command="date" [CONTENT-OF-RASPIBLITZ-ROOT-SSH-PUBKEY]" > /etc/ssh/authorized_keys/[USERNAME]
 passwd [USERNAME]
 ```
 The `[CONTENT-OF-RASPIBLITZ-ROOT-SSH-PUBKEY]` you get when running the `internet.sshtunnel.py` script on the RaspiBlitz (see above).
--- a/build_sdcard.sh
+++ b/build_sdcard.sh
@ -237,6 +237,9 @@ sudo apt-get install -y vnstat
 # prepare for BTRFS data drive raid
 sudo apt-get install -y btrfs-tools
 # prepare for ssh reverse tunneling
 sudo apt-get install -y autossh
 # prepare for display graphics mode
 # see https://github.com/rootzoll/raspiblitz/pull/334
 sudo apt-get install -y fbi
--- a/home.admin/config.scripts/internet.sshtunnel.py
+++ b/home.admin/config.scripts/internet.sshtunnel.py
@ -39,10 +39,10 @@ WantedBy=multi-user.target
 if sys.argv[1] == "on":
    # check if already running
-    #already_running = subprocess.check_output("systemctl is-enabled %s" % (SERVICENAME) ,shell=True, universal_newlines=True)
+    already_running = subprocess.check_output("systemctl is-enabled %s" % (SERVICENAME) ,shell=True, universal_newlines=True)
-    #if str(already_running).count("enabled") > 0:
+    if str(already_running).count("enabled") > 0:
-    #    print("already ON - run 'internet.sshtunnel.py off' first")
+        print("already ON - run 'internet.sshtunnel.py off' first")
-    #    sys.exit(1)
+        sys.exit(1)
    # check server address
    if len(sys.argv) < 3:
@ -87,26 +87,50 @@ if sys.argv[1] == "on":
    service_data = SERVICETEMPLATE.replace("[PLACEHOLDER]", additional_parameters)
    # DEBUG exit
-    print("****** SERVICE ******")
+    print()
    print("*** New systemd service: %s" % (SERVICENAME))
    print(service_data)
    sys.exit(0)
    # write service file
    service_file = open(SERVICEFILE, "w")
    service_file.write(service_data)
    service_file.close()
    # check if SSH keys for root user need to be created
    print()
    print("*** Checking root SSH keys")
    if Path("/home/root/.ssh/id_rsa.pub").exists() == False:
        print("Generating root SSH keys ...")
        subprocess.call("sudo -u root ssh-keygen -b 2048 -t rsa -f ~/.ssh/id_rsa  -q -N """, shell=True)
        print("DONE")
    else:
        print("OK - root id_rsa.pub file exists")
    ssh_pubkey=""
    with open('/home/root/.ssh/id_rsa.pub', 'r') as file:
        ssh_pubkey = file.read().replace('\n', '')
    # make sure autossh is installed
    # https://www.everythingcli.org/ssh-tunnelling-for-fun-and-profit-autossh/
    print()
    print("*** Install autossh")
    subprocess.call("sudo apt-get install -y autossh", shell=True)
    # enable service
    print("*** Enabling systemd service: SERVICENAME")
    subprocess.call("systemctl daemon-reload", shell=True)
    #subprocess.call(f"systemctl enable {SERVICENAME}", shell=True)
    print()
    print("*** Enabling systemd service: %s" % (SERVICENAME))
    subprocess.call("sudo systemctl daemon-reload", shell=True)
    subprocess.call("sudo systemctl enable %s" % (SERVICENAME), shell=True)
    # final info (can be ignored if run by other script)
-    print("*** OK - SSH TUNNEL SERVICE STARTED ***")
+    print()
-    #print("- Make sure the SSH pub key of this RaspiBlitz is in 'authorized_keys' of {} ")
+    print("*** OK - SSH TUNNEL SERVICE DONE SETUP ***")
    print("For details see chapter '' in:")
    print("https://github.com/rootzoll/raspiblitz/blob/master/FAQ.md")
    print("- Tunnel service needs final reboot to start.")
-    #print("- After reboot check logs: sudo journalctl -f -u {SERVICENAME}")
+    print("- After reboot check logs: sudo journalctl -f -u %s" % (SERVICENAME))
    print("- Make sure the SSH pub key of this RaspiBlitz is in 'authorized_keys' of %s :" % (ssh_server))
    print(ssh_pubkey)
    print()
 #
 # SWITCHING OFF
@ -115,12 +139,18 @@ if sys.argv[1] == "on":
 elif sys.argv[1] == "off":
    # check if already disabled
-    #alreadyRunning = subprocess.check_output(f"systemctl is-enabled {SERVICENAME}" ,shell=True, universal_newlines=True)
+    alreadyRunning = subprocess.check_output("systemctl is-enabled %s" % (SERVICENAME) ,shell=True, universal_newlines=True)
-    #if str(alreadyRunning).count("enabled") == 0:
+    if str(alreadyRunning).count("enabled") == 0:
-    #    print("Was already OFF")
+        print("Was already OFF")
-    #    sys.exit(0)
+        sys.exit(0)
-    print ("TODO: Switch OFF")
+    print("*** Disabling systemd service: %s" % (SERVICENAME))
    subprocess.call("sudo systemctl stop %s" % (SERVICENAME), shell=True)
    subprocess.call("sudo systemctl disable %s" % (SERVICENAME), shell=True)
    subprocess.call("sudo rm %s" % (SERVICEFILE), shell=True)
    subprocess.call("sudo systemctl daemon-reload", shell=True)
    print("OK Done")
    print()
 #
 # UNKOWN PARAMETER