rene/macbook-setup
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

WireGuard via NM .nmconnection + sudoers-Fix fuer macOS-Installer

Browse source 
- sudoers: macOS-Version durch Linux-Standard ersetzen (secure_path,
  @includedir /etc/sudoers.d), NOPASSWD fuer rene
- WireGuard: statt wg-quick .nmconnection direkt schreiben mit DNS,
  dns-search ~., autoconnect, persistent Keys (private-key-flags=0)
- m13.conf/m16.conf: PostUp/PostDown entfernt (wg-quick-spezifisch)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
rene 2026-03-13 19:35:42 +01:00
parent 72a177e0e5
commit 13177aba11
3 changed files with 66 additions and 14 deletions
Download patch file Download diff file Expand all files Collapse all files

76
setup-base.sh
View file

@ -40,6 +40,23 @@ echo "════════════════════════
echo " setup-base.sh für MBP $MODEL\" startet" echo " setup-base.sh für MBP $MODEL\" startet"
echo "════════════════════════════════════════════" echo "════════════════════════════════════════════"
# ── 0. sudoers reparieren (macOS-Installer hinterlässt macOS-sudoers) ──────
echo -e "\n=== 0/11 sudoers ==="
cat > /etc/sudoers <<'SUDOEOF'
Defaults env_reset
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
root ALL=(ALL:ALL) ALL
%sudo ALL=(ALL:ALL) ALL
@includedir /etc/sudoers.d
SUDOEOF
chmod 440 /etc/sudoers
# Passwordless sudo fuer rene
echo "rene ALL=(ALL) NOPASSWD: ALL" > /etc/sudoers.d/rene
chmod 440 /etc/sudoers.d/rene
ok "sudoers: Linux-Standard + NOPASSWD fuer rene"
# ── 1. Kritische Hardware-Fixes ZUERST (vor allem anderen) ─────────────── # ── 1. Kritische Hardware-Fixes ZUERST (vor allem anderen) ───────────────
echo -e "\n=== 1/11 Hardware-Fixes ===" echo -e "\n=== 1/11 Hardware-Fixes ==="
@ -155,16 +172,55 @@ else
chmod +x /usr/local/bin/temp-watch.sh || warn "temp-watch.sh Download fehlgeschlagen" chmod +x /usr/local/bin/temp-watch.sh || warn "temp-watch.sh Download fehlgeschlagen"
fi fi
# WireGuard-Config # WireGuard via NetworkManager (.nmconnection direkt schreiben, kein nmcli noetig)
if [[ -n "$REPO_DIR" && -f "$REPO_DIR/wireguard/m${MODEL}.conf" ]]; then WG_CONF="$REPO_DIR/wireguard/m${MODEL}.conf"
mkdir -p /etc/wireguard if [[ -n "$REPO_DIR" && -f "$WG_CONF" ]]; then
cp "$REPO_DIR/wireguard/m${MODEL}.conf" /etc/wireguard/wg0.conf # Alte wg-quick-Config entfernen falls vorhanden
chmod 600 /etc/wireguard/wg0.conf systemctl disable --now wg-quick@wg0 2>/dev/null || true
systemctl enable wg-quick@wg0 2>/dev/null || true # Werte aus der WireGuard-Conf lesen
# Stub-Resolver noetig fuer Flatpak-Apps (Brave, PrusaSlicer) WG_PRIVKEY=$(grep -oP 'PrivateKey\s*=\s*\K.*' "$WG_CONF")
# DNS wird per PostUp/PostDown in der wg-Config via resolvectl gesetzt WG_LISTEN=$(grep -oP 'ListenPort\s*=\s*\K.*' "$WG_CONF")
ln -sf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf WG_ADDR=$(grep -oP 'Address\s*=\s*\K.*' "$WG_CONF")
ok "WireGuard m${MODEL}.conf → /etc/wireguard/wg0.conf" WG_PUBKEY=$(grep -oP 'PublicKey\s*=\s*\K.*' "$WG_CONF")
WG_PSK=$(grep -oP 'PresharedKey\s*=\s*\K.*' "$WG_CONF")
WG_ALLOWED=$(grep -oP 'AllowedIPs\s*=\s*\K.*' "$WG_CONF" | tr -d ' ')
WG_ENDPOINT=$(grep -oP 'Endpoint\s*=\s*\K.*' "$WG_CONF")
WG_KEEPALIVE=$(grep -oP 'PersistentKeepalive\s*=\s*\K.*' "$WG_CONF")
# NM-Verbindungsdatei direkt schreiben (laeuft als root, Keys persistent)
NM_CONN_DIR="/etc/NetworkManager/system-connections"
mkdir -p "$NM_CONN_DIR"
cat > "$NM_CONN_DIR/wg0.nmconnection" <<WGEOF
[connection]
id=wg0
type=wireguard
interface-name=wg0
autoconnect=true
[wireguard]
listen-port=$WG_LISTEN
private-key=$WG_PRIVKEY
private-key-flags=0
[wireguard-peer.${WG_PUBKEY}]
preshared-key=$WG_PSK
preshared-key-flags=0
allowed-ips=$WG_ALLOWED;
endpoint=$WG_ENDPOINT
persistent-keepalive=$WG_KEEPALIVE
[ipv4]
method=manual
address1=$WG_ADDR
dns=10.47.11.20;10.47.11.1;
dns-search=~.;
[ipv6]
method=ignore
WGEOF
chmod 600 "$NM_CONN_DIR/wg0.nmconnection"
nmcli connection reload 2>/dev/null || true
nmcli connection up wg0 2>/dev/null || true
ok "WireGuard wg0.nmconnection geschrieben (DNS: 10.47.11.20, 10.47.11.1, autoconnect)"
else else
warn "WireGuard: keine lokale Config gefunden — manuell einrichten" warn "WireGuard: keine lokale Config gefunden — manuell einrichten"
fi fi

2
wireguard/m13.conf
View file

@ -2,8 +2,6 @@
PrivateKey = sIxh2D50+9bpWe6O6ezrfybW9Iy6QKcrwr9hmFpuGn0= PrivateKey = sIxh2D50+9bpWe6O6ezrfybW9Iy6QKcrwr9hmFpuGn0=
ListenPort = 51820 ListenPort = 51820
Address = 10.13.13.8/24 Address = 10.13.13.8/24
PostUp = resolvectl dns %i 10.47.11.20 10.47.11.1
PostDown = resolvectl revert %i
[Peer] [Peer]
PublicKey = 7WrqHPof31gcCYMjLWPoP1EIxPR2896/3KL1pQ3YZGs= PublicKey = 7WrqHPof31gcCYMjLWPoP1EIxPR2896/3KL1pQ3YZGs=

2
wireguard/m16.conf
View file

@ -2,8 +2,6 @@
PrivateKey = OA5IiSzPglSY8GdobOYMlaOaG+QqNjHIACBRe7MvK04= PrivateKey = OA5IiSzPglSY8GdobOYMlaOaG+QqNjHIACBRe7MvK04=
ListenPort = 51820 ListenPort = 51820
Address = 10.13.13.7/24 Address = 10.13.13.7/24
PostUp = resolvectl dns %i 10.47.11.20 10.47.11.1
PostDown = resolvectl revert %i
[Peer] [Peer]
PublicKey = J/dD1t3Bo9Zbcvxg6PvGP78kgMlL4s4yYfrUMpcoS2w= PublicKey = J/dD1t3Bo9Zbcvxg6PvGP78kgMlL4s4yYfrUMpcoS2w=