diff --git a/setup-base.sh b/setup-base.sh
index 7eb2bbe..70156a7 100755
--- a/setup-base.sh
+++ b/setup-base.sh
@@ -40,6 +40,23 @@ echo "════════════════════════
 echo " setup-base.sh für MBP $MODEL\" startet"
 echo "════════════════════════════════════════════"
+# ── 0. sudoers reparieren (macOS-Installer hinterlässt macOS-sudoers) ──────
+echo -e "\n=== 0/11 sudoers ==="
+cat > /etc/sudoers <<'SUDOEOF'
+Defaults env_reset
+Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+
+root ALL=(ALL:ALL) ALL
+%sudo ALL=(ALL:ALL) ALL
+
+@includedir /etc/sudoers.d
+SUDOEOF
+chmod 440 /etc/sudoers
+# Passwordless sudo fuer rene
+echo "rene ALL=(ALL) NOPASSWD: ALL" > /etc/sudoers.d/rene
+chmod 440 /etc/sudoers.d/rene
+ok "sudoers: Linux-Standard + NOPASSWD fuer rene"
+
 # ── 1. Kritische Hardware-Fixes ZUERST (vor allem anderen) ───────────────
 echo -e "\n=== 1/11 Hardware-Fixes ==="
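Review bot: `cat > /etc/sudoers <<'SUDOEOF'` replaces the live sudoers file before anything checks it, so a typo in the heredoc, a full disk or an interrupted run leaves the machine with no working sudo at all; `echo "rene ALL=(ALL) NOPASSWD: ALL" > /etc/sudoers.d/rene` has the same problem, and in both cases `chmod 440` runs only after the file already exists with the umask default. Writing each file to a `mktemp` path, checking it with `visudo -cf`, and putting it in place with `install -m 440 -o root -g root` makes the replacement validated and atomic (sketch below). `NOPASSWD: ALL` for rene turns every process running as that user into root without any prompt, a broader grant than the `%sudo` line right above it; if that is deliberate for an unattended setup, say so in the comment, e.g. `# NOPASSWD is intentional: unattended setup, rene is the only interactive user`, otherwise narrow it to the commands the follow-up steps actually need.
```shell
# … unchanged: section banner …
SUDOERS_TMP=$(mktemp) || { warn "sudoers: mktemp fehlgeschlagen"; exit 1; }
cat > "$SUDOERS_TMP" <<'SUDOEOF'
# … unchanged: sudoers body …
SUDOEOF
# Validate before touching the live file: a broken /etc/sudoers means no sudo at all
visudo -cf "$SUDOERS_TMP" || { warn "sudoers: Syntaxfehler, /etc/sudoers nicht angefasst"; exit 1; }
install -m 440 -o root -g root "$SUDOERS_TMP" /etc/sudoers
printf '%s\n' 'rene ALL=(ALL) NOPASSWD: ALL' > "$SUDOERS_TMP"
visudo -cf "$SUDOERS_TMP" || { warn "sudoers.d/rene: Syntaxfehler"; exit 1; }
install -m 440 -o root -g root "$SUDOERS_TMP" /etc/sudoers.d/rene
rm -f -- "$SUDOERS_TMP"
ok "sudoers: Linux-Standard + NOPASSWD fuer rene"
```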
@@ -155,16 +172,55 @@ else
 chmod +x /usr/local/bin/temp-watch.sh || warn "temp-watch.sh Download fehlgeschlagen"
 fi
-# WireGuard-Config
-if [[ -n "$REPO_DIR" && -f "$REPO_DIR/wireguard/m${MODEL}.conf" ]]; then
- mkdir -p /etc/wireguard
- cp "$REPO_DIR/wireguard/m${MODEL}.conf" /etc/wireguard/wg0.conf
- chmod 600 /etc/wireguard/wg0.conf
- systemctl enable wg-quick@wg0 2>/dev/null || true
- # systemd-resolved Stub funktioniert nicht mit WireGuard DNS catch-all (~.)
- # → resolv.conf direkt auf die upstream-Server zeigen lassen
- ln -sf /run/systemd/resolve/resolv.conf /etc/resolv.conf
- ok "WireGuard m${MODEL}.conf → /etc/wireguard/wg0.conf"
+# WireGuard via NetworkManager (.nmconnection direkt schreiben, kein nmcli noetig)
+WG_CONF="$REPO_DIR/wireguard/m${MODEL}.conf"
+if [[ -n "$REPO_DIR" && -f "$WG_CONF" ]]; then
+ # Alte wg-quick-Config entfernen falls vorhanden
+ systemctl disable --now wg-quick@wg0 2>/dev/null || true
+ # Werte aus der WireGuard-Conf lesen
+ WG_PRIVKEY=$(grep -oP 'PrivateKey\s*=\s*\K.*' "$WG_CONF")
+ WG_LISTEN=$(grep -oP 'ListenPort\s*=\s*\K.*' "$WG_CONF")
+ WG_ADDR=$(grep -oP 'Address\s*=\s*\K.*' "$WG_CONF")
+ WG_PUBKEY=$(grep -oP 'PublicKey\s*=\s*\K.*' "$WG_CONF")
+ WG_PSK=$(grep -oP 'PresharedKey\s*=\s*\K.*' "$WG_CONF")
+ WG_ALLOWED=$(grep -oP 'AllowedIPs\s*=\s*\K.*' "$WG_CONF" | tr -d ' ')
+ WG_ENDPOINT=$(grep -oP 'Endpoint\s*=\s*\K.*' "$WG_CONF")
+ WG_KEEPALIVE=$(grep -oP 'PersistentKeepalive\s*=\s*\K.*' "$WG_CONF")
+ # NM-Verbindungsdatei direkt schreiben (laeuft als root, Keys persistent)
+ NM_CONN_DIR="/etc/NetworkManager/system-connections"
+ mkdir -p "$NM_CONN_DIR"
+ cat > "$NM_CONN_DIR/wg0.nmconnection" </dev/null || true
+ nmcli connection up wg0 2>/dev/null || true
+ ok "WireGuard wg0.nmconnection geschrieben (DNS: 10.47.11.20, 10.47.11.1, autoconnect)"
 else
 warn "WireGuard: keine lokale Config gefunden — manuell einrichten"
 fi
diff --git a/wireguard/m13.conf b/wireguard/m13.conf
index f2688ca..66e7d39 100755
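Review bot: The private key and preshared key pulled out at `WG_PRIVKEY=$(grep -oP 'PrivateKey\s*=\s*\K.*' "$WG_CONF")` and `WG_PSK=...` are written into `$NM_CONN_DIR/wg0.nmconnection`, but nothing visible in this hunk sets that file's mode: `cat >` creates it with the umask default, and NetworkManager's keyfile plugin refuses connection files that are readable by others, so the secrets would sit in a world-readable file and the connection would not even load — the heredoc body and the command ending in `2>/dev/null || true` before `nmcli connection up wg0` are not visible in this rendering, so check whether it happens there. Creating the file first with `install -m 600 -o root -g root /dev/null "$NM_CONN_DIR/wg0.nmconnection"` and only then redirecting `cat >` into it closes the window entirely. The `grep -oP` extractions exit non-zero when an optional key such as `PresharedKey` or `PersistentKeepalive` is absent, which aborts the script if it runs under `set -e` (not visible here); `|| true` on those two, with the corresponding nmconnection lines emitted only when the variable is non-empty, keeps them optional. The old `/etc/wireguard/wg0.conf` written by the previous version is disabled at `systemctl disable --now wg-quick@wg0` but not deleted, leaving a second cleartext copy of the key on disk; `rm -f /etc/wireguard/wg0.conf` on the next line retires it. The `.conf` files this reads hold the private keys in cleartext in the checkout (see the m13/m16 hunks below), so `$REPO_DIR` has to stay readable by root only.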
--- a/wireguard/m13.conf
+++ b/wireguard/m13.conf
@@ -2,7 +2,6 @@
 PrivateKey = sIxh2D50+9bpWe6O6ezrfybW9Iy6QKcrwr9hmFpuGn0=
 ListenPort = 51820
 Address = 10.13.13.8/24
-DNS = 10.47.11.20,10.47.11.1
 [Peer]
 PublicKey = 7WrqHPof31gcCYMjLWPoP1EIxPR2896/3KL1pQ3YZGs=
diff --git a/wireguard/m16.conf b/wireguard/m16.conf
index b2a1652..d20dde8 100755
--- a/wireguard/m16.conf
+++ b/wireguard/m16.conf
@@ -2,7 +2,6 @@
 PrivateKey = OA5IiSzPglSY8GdobOYMlaOaG+QqNjHIACBRe7MvK04=
 ListenPort = 51820
 Address = 10.13.13.7/24
-DNS = 10.47.11.20,10.47.11.1
 [Peer]
 PublicKey = J/dD1t3Bo9Zbcvxg6PvGP78kgMlL4s4yYfrUMpcoS2w=