prevent avahi from serving support_tunnel addresses

micro-nova · Aug 8, 2024 · a9d39b2 · a9d39b2
1 parent dd8d3a3
commit a9d39b2
Show file tree

Hide file tree

Showing 5 changed files with 79 additions and 0 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,6 +5,8 @@
   * Fix internet radio search on IOS app
   * Update styling on Settings pages, ensure they fit all mobile screens properly
   * Change "<- Back to App" button on the updater page to redirect to the settings page rather than the homepage
+* System
+  * Fixed a bug where support tunnel addresses would be served when querying for amplipi.local
 
 ## 0.4.2
 * Streams

diff --git a/config/support_tunnel_config.ini b/config/support_tunnel_config.ini
@@ -0,0 +1,3 @@
+[device]
+post-up-script=/usr/local/bin/support_tunnel_post_up.sh {iface}
+post-down-script=/usr/local/bin/support_tunnel_post_down.sh {iface}
diff --git a/scripts/configure.py b/scripts/configure.py
@@ -131,6 +131,21 @@
                 'from': 'config/support_group_sudoers',
                 'to': '/etc/sudoers.d/099_support-nopasswd',
                 'sudo': 'true'
+            },
+            {   # support tunnel scripts must be only be writable by root
+                'from': 'scripts/support_tunnel_post_up.sh',
+                'to': '/usr/local/bin/support_tunnel_post_up.sh',
+                'sudo': 'true'
+            },
+            {
+                'from': 'scripts/support_tunnel_post_down.sh',
+                'to': '/usr/local/bin/support_tunnel_post_down.sh',
+                'sudo': 'true'
+            },
+            {
+                'from': 'config/support_tunnel_config.ini',
+                'to': '/etc/support_tunnel/config.ini',
+                'sudo': 'true'
             }
         ],
         'script': [
@@ -441,6 +456,9 @@ def print_progress(tasks):
     if _to[0] != '/':
       _to = f"{env['base_dir']}/{_to}"
     _sudo = "sudo " if 'sudo' in file else ""
+    _parent_dir = pathlib.Path(_to).parent
+    if not _parent_dir.exists():
+      tasks += print_progress([Task(f"creating parent dir(s) for {_from}", f"{_sudo}mkdir -p {_parent_dir}".split()).run()])
     tasks += print_progress([Task(f"copy -f {_from} to {_to}", f"{_sudo}cp -f {_from} {_to}".split()).run()])  # shairport needs the -f if it is running
   if env['is_amplipi'] or env['is_ci']:
     # copy alsa configuration file

diff --git a/scripts/support_tunnel_post_down.sh b/scripts/support_tunnel_post_down.sh
@@ -0,0 +1,30 @@
+#!/bin/bash
+# This script runs after a support tunnel comes down. Right now, 
+# it only prevents Avahi from advertising using the wireguard interface
+# $1 is the wireguard interface to remove
+
+# The avahi-daemon.conf follows an ini-style convention; Python's
+# configparser makes it easy to safely add & remove contents in a particular
+# section, and "shelling out" gives us an opportunity to use `sudo`.
+echo "import configparser
+import sys
+config = configparser.ConfigParser()
+config.read('/etc/avahi/avahi-daemon.conf')
+if not config.has_section('server'):
+  config.add_section('server')
+deny = set(config['server'].get('deny-interfaces').split(','))
+try:
+  deny.remove('${1}')
+except KeyError as e:
+  print(f'${1} not in config; exiting early.')
+  sys.exit(1)
+deny_str = ''
+for i, d in enumerate(deny):
+  deny_str += f'{d}'
+  deny_str += ',' if i != (len(deny) - 1) else ''
+config['server']['deny-interfaces'] = deny_str
+with open('/etc/avahi/avahi-daemon.conf', 'w') as f:
+  config.write(f, space_around_delimiters=False)
+" | sudo python3 -
+
+sudo systemctl restart avahi-daemon
diff --git a/scripts/support_tunnel_post_up.sh b/scripts/support_tunnel_post_up.sh
@@ -0,0 +1,26 @@
+#!/bin/bash
+# This script runs after a support tunnel comes up. Right now, 
+# it only prevents Avahi from advertising using the wireguard interface
+# $1 is the wireguard interface name
+
+# The avahi-daemon.conf follows an ini-style convention; Python's
+# configparser makes it easy to add & remove contents in a particular
+# section, and "shelling out" gives us an opportunity to use `sudo`
+echo "import configparser
+config = configparser.ConfigParser()
+config.read('/etc/avahi/avahi-daemon.conf')
+if not config.has_section('server'):
+  config.add_section('server')
+deny = config['server'].get('deny-interfaces', '').split(',')
+deny = [d for d in deny if d] # removes falsy ''
+deny.append('${1}')
+deny = set(deny) # remove duplicates
+deny_str = ''
+for i, d in enumerate(deny):
+  deny_str += f'{d}'
+  deny_str += ',' if i != (len(deny) - 1) else ''
+config['server']['deny-interfaces'] = deny_str
+with open('/etc/avahi/avahi-daemon.conf', 'w') as f:
+  config.write(f, space_around_delimiters=False)
+" | sudo python3 -
+sudo systemctl restart avahi-daemon