diff --git a/setup-base.sh b/setup-base.sh
index 70156a7..7eb2bbe 100755
--- a/setup-base.sh
+++ b/setup-base.sh
@@ -40,23 +40,6 @@ echo "════════════════════════
 echo " setup-base.sh für MBP $MODEL\" startet"
 echo "════════════════════════════════════════════"
-# ── 0. sudoers reparieren (macOS-Installer hinterlässt macOS-sudoers) ──────
-echo -e "\n=== 0/11 sudoers ==="
-cat > /etc/sudoers <<'SUDOEOF'
-Defaults env_reset
-Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
-
-root ALL=(ALL:ALL) ALL
-%sudo ALL=(ALL:ALL) ALL
-
-@includedir /etc/sudoers.d
-SUDOEOF
-chmod 440 /etc/sudoers
-# Passwordless sudo fuer rene
-echo "rene ALL=(ALL) NOPASSWD: ALL" > /etc/sudoers.d/rene
-chmod 440 /etc/sudoers.d/rene
-ok "sudoers: Linux-Standard + NOPASSWD fuer rene"
-
 # ── 1. Kritische Hardware-Fixes ZUERST (vor allem anderen) ───────────────
 echo -e "\n=== 1/11 Hardware-Fixes ==="
@@ -172,55 +155,16 @@ else
 chmod +x /usr/local/bin/temp-watch.sh || warn "temp-watch.sh Download fehlgeschlagen"
 fi
-# WireGuard via NetworkManager (.nmconnection direkt schreiben, kein nmcli noetig)
-WG_CONF="$REPO_DIR/wireguard/m${MODEL}.conf"
-if [[ -n "$REPO_DIR" && -f "$WG_CONF" ]]; then
- # Alte wg-quick-Config entfernen falls vorhanden
- systemctl disable --now wg-quick@wg0 2>/dev/null || true
- # Werte aus der WireGuard-Conf lesen
- WG_PRIVKEY=$(grep -oP 'PrivateKey\s*=\s*\K.*' "$WG_CONF")
- WG_LISTEN=$(grep -oP 'ListenPort\s*=\s*\K.*' "$WG_CONF")
- WG_ADDR=$(grep -oP 'Address\s*=\s*\K.*' "$WG_CONF")
- WG_PUBKEY=$(grep -oP 'PublicKey\s*=\s*\K.*' "$WG_CONF")
- WG_PSK=$(grep -oP 'PresharedKey\s*=\s*\K.*' "$WG_CONF")
- WG_ALLOWED=$(grep -oP 'AllowedIPs\s*=\s*\K.*' "$WG_CONF" | tr -d ' ')
- WG_ENDPOINT=$(grep -oP 'Endpoint\s*=\s*\K.*' "$WG_CONF")
- WG_KEEPALIVE=$(grep -oP 'PersistentKeepalive\s*=\s*\K.*' "$WG_CONF")
- # NM-Verbindungsdatei direkt schreiben (laeuft als root, Keys persistent)
- NM_CONN_DIR="/etc/NetworkManager/system-connections"
- mkdir -p "$NM_CONN_DIR"
- cat > "$NM_CONN_DIR/wg0.nmconnection" </dev/null || true
- nmcli connection up wg0 2>/dev/null || true
- ok "WireGuard wg0.nmconnection geschrieben (DNS: 10.47.11.20, 10.47.11.1, autoconnect)"
+# WireGuard-Config
+if [[ -n "$REPO_DIR" && -f "$REPO_DIR/wireguard/m${MODEL}.conf" ]]; then
+ mkdir -p /etc/wireguard
+ cp "$REPO_DIR/wireguard/m${MODEL}.conf" /etc/wireguard/wg0.conf
+ chmod 600 /etc/wireguard/wg0.conf
+ systemctl enable wg-quick@wg0 2>/dev/null || true
+ # systemd-resolved Stub funktioniert nicht mit WireGuard DNS catch-all (~.)
+ # → resolv.conf direkt auf die upstream-Server zeigen lassen
+ ln -sf /run/systemd/resolve/resolv.conf /etc/resolv.conf
+ ok "WireGuard m${MODEL}.conf → /etc/wireguard/wg0.conf"
 else
 warn "WireGuard: keine lokale Config gefunden — manuell einrichten"
 fi
diff --git a/wireguard/m13.conf b/wireguard/m13.conf
index 66e7d39..f2688ca 100755
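Review bot: Between the `cp` and the `chmod 600` the new `/etc/wireguard/wg0.conf` carries the mode derived from the source file (the repo configs are `100755` in this diff), so the `PrivateKey` it contains is world-readable for a moment, and `mkdir -p /etc/wireguard` leaves the directory at the umask default rather than the 700 the distribution packages use; creating both with the final mode removes the window: `install -d -m 700 /etc/wireguard` and `install -m 600 "$REPO_DIR/wireguard/m${MODEL}.conf" /etc/wireguard/wg0.conf`. The removed branch wrote `/etc/NetworkManager/system-connections/wg0.nmconnection` and the new branch never deletes it, so a machine provisioned by the previous version ends up with NetworkManager and `wg-quick@wg0` both claiming wg0 — add `rm -f /etc/NetworkManager/system-connections/wg0.nmconnection` before the enable. `ln -sf /run/systemd/resolve/resolv.conf /etc/resolv.conf` runs without checking that systemd-resolved is active on the host; if the target is absent the symlink dangles and name resolution breaks after the script has already printed `ok`. The `2>/dev/null || true` on `systemctl enable` likewise lets `ok` report success when the unit could not be enabled.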
--- a/wireguard/m13.conf
+++ b/wireguard/m13.conf
@@ -2,6 +2,7 @@
 PrivateKey = sIxh2D50+9bpWe6O6ezrfybW9Iy6QKcrwr9hmFpuGn0=
 ListenPort = 51820
 Address = 10.13.13.8/24
+DNS = 10.47.11.20,10.47.11.1
 [Peer]
 PublicKey = 7WrqHPof31gcCYMjLWPoP1EIxPR2896/3KL1pQ3YZGs=
diff --git a/wireguard/m16.conf b/wireguard/m16.conf
index d20dde8..b2a1652 100755
--- a/wireguard/m16.conf
+++ b/wireguard/m16.conf
@@ -2,6 +2,7 @@
 PrivateKey = OA5IiSzPglSY8GdobOYMlaOaG+QqNjHIACBRe7MvK04=
 ListenPort = 51820
 Address = 10.13.13.7/24
+DNS = 10.47.11.20,10.47.11.1
 [Peer]
 PublicKey = J/dD1t3Bo9Zbcvxg6PvGP78kgMlL4s4yYfrUMpcoS2w=
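Review bot: The added `DNS = 10.47.11.20,10.47.11.1` makes `wg-quick up wg0` invoke `resolvconf` to install those servers, and in my reading of wg-quick that call is not optional — on a host without `resolvconf` or the `resolvectl` compatibility shim the `up` fails and the interface is torn down again, while setup-base.sh in this commit only copies the file and enables the unit without checking for that dependency. The same line is added to m16.conf in the next hunk. Separately, both hunks show each peer's `PrivateKey` stored in plaintext in a committed file with mode `100755`; a key that has been in version control should be treated as disclosed and rotated, and the config should be generated on the host or pulled from a secrets store at setup time rather than kept in the repository.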