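#!/usr/bin/env bash
# Install the exosys host networking configuration:
#   - NetworkManager keyfile profiles (uplinks, bridge/VLAN templates, WireGuard)
#   - a systemd drop-in for wg-quick@wg0
#   - NetworkManager's dnsmasq snippets (cache only, no DHCP)
# then reload NetworkManager, bring up the primary links and drop masquerade
# from the FedoraServer firewalld zone.
#
# Usage: run from the repository root (all sources are relative to configs/).
# Requires: sudo, nmcli, systemctl; firewall-cmd only when firewalld is active.
#
# Before anything is overwritten, the existing NM profiles and dnsmasq.d are
# copied to /root/backup-exosys/<timestamp>/{nm,dnsmasq}/.
set -euo pipefail

readonly NM_CONN_DIR=/etc/NetworkManager/system-connections
readonly NM_DNSMASQ_DIR=/etc/NetworkManager/dnsmasq.d
readonly WG_DROPIN_DIR=/etc/systemd/system/wg-quick@wg0.service.d
readonly BACKUP_ROOT=/root/backup-exosys
# UUID of the old duplicate eno8403 profile superseded by 10-uplink-eno8403.
readonly LEGACY_UUID="6cab3447-acc9-441b-9b66-0c5ae86574df"

# NM profiles to install, relative to configs/. The destination file name is
# the source basename. Bridge/VLAN templates are shipped disabled
# (autoconnect off) and are not brought up by this script; wg0 is likewise
# kept at autoconnect=false.
readonly -a NM_PROFILES=(
  networkmanager/eno8303.nmconnection
  networkmanager/10-uplink-eno8403.nmconnection
  networkmanager/bridges/br10.nmconnection
  networkmanager/bridges/br20.nmconnection
  networkmanager/bridges/br30.nmconnection
  networkmanager/bridges/br40.nmconnection
  networkmanager/bridges/eno8403.10.nmconnection
  networkmanager/bridges/eno8403.20.nmconnection
  networkmanager/bridges/eno8403.30.nmconnection
  networkmanager/bridges/eno8403.40.nmconnection
  networkmanager/bridges/slave-eno8403.10-to-br10.nmconnection
  networkmanager/bridges/slave-eno8403.20-to-br20.nmconnection
  networkmanager/bridges/slave-eno8403.30-to-br30.nmconnection
  networkmanager/bridges/slave-eno8403.40-to-br40.nmconnection
  wireguard/wg0.nmconnection
)

# dnsmasq snippets to install, relative to configs/dnsmasq/.
readonly -a DNSMASQ_SNIPPETS=(
  00-global.conf
  10-routing-domains.conf
)

die() { printf 'error: %s\n' "$*" >&2; exit 1; }

step() { printf '[%s/7] %s\n' "$1" "$2"; }

#######################################
# Install one NetworkManager keyfile as root:root 0600.
# The mode is deliberately not a parameter: keyfiles may hold secrets
# (WireGuard private keys, PSKs) and NetworkManager ignores keyfiles that are
# group- or world-readable.
# Arguments: $1 - source path relative to configs/
#######################################
install_profile() {
  local rel=$1
  local src="configs/$rel"
  local dst="$NM_CONN_DIR/${rel##*/}"
  [[ -f "$src" ]] || die "missing profile source: $src"
  sudo install -D -m 600 -o root -g root -- "$src" "$dst"
}

#######################################
# Copy the current NM profiles and dnsmasq.d into a timestamped backup dir.
# The copy must run as root: system-connections is normally root-only, so a
# glob expanded by the invoking user would not match and the backup would be
# silently skipped. Directories are created 0700 because the copied keyfiles
# can contain credentials (cp -a keeps their 0600 mode).
#######################################
backup_existing() {
  local ts dest
  ts="$(date +%Y%m%d-%H%M%S)"
  dest="$BACKUP_ROOT/$ts"
  sudo mkdir -p -m 700 -- "$BACKUP_ROOT" "$dest" "$dest/nm" "$dest/dnsmasq"
  if sudo test -d "$NM_CONN_DIR"; then
    sudo find "$NM_CONN_DIR" -maxdepth 1 -type f -name '*.nmconnection' \
      -exec cp -a -t "$dest/nm/" -- {} +
  fi
  # dnsmasq.d may not exist yet on a fresh host; that is not an error.
  if sudo test -d "$NM_DNSMASQ_DIR"; then
    sudo cp -a -- "$NM_DNSMASQ_DIR" "$dest/dnsmasq/"
  fi
  printf 'backup written to %s\n' "$dest"
}

#######################################
# Delete the legacy eno8403 profile when a connection with exactly that UUID
# exists. Matching is fixed-string and whole-line so a UUID that merely
# contains the pattern as a substring cannot trigger the delete.
#######################################
remove_legacy_profile() {
  if nmcli -g UUID con show 2>/dev/null | grep -Fxq -- "$LEGACY_UUID"; then
    # Best effort: the profile may already be gone or in use by a stale device.
    sudo nmcli con delete "$LEGACY_UUID" || true
  fi
}

main() {
  [[ -d configs ]] || die "configs/ not found; run from the repository root"

  step 1 "Backing up existing NM profiles and dnsmasq.d"
  backup_existing

  step 2 "Installing NetworkManager profiles"
  local rel
  for rel in "${NM_PROFILES[@]}"; do
    [[ "$rel" == wireguard/* ]] && continue   # installed in step 4
    install_profile "$rel"
  done

  step 3 "Removing duplicate legacy eno8403 profile if present"
  remove_legacy_profile

  step 4 "Installing WireGuard NM profile (kept autoconnect=false) and wg-quick override"
  install_profile wireguard/wg0.nmconnection
  # -D creates the drop-in directory; the override holds no secrets, so 0644.
  sudo install -D -m 644 -o root -g root -- \
    configs/wireguard/wg-quick-override.conf "$WG_DROPIN_DIR/override.conf"
  sudo systemctl daemon-reload

  step 5 "Installing minimal dnsmasq configs (cache only; no DHCP)"
  local snippet
  for snippet in "${DNSMASQ_SNIPPETS[@]}"; do
    sudo install -D -m 644 -o root -g root -- \
      "configs/dnsmasq/$snippet" "$NM_DNSMASQ_DIR/$snippet"
  done

  step 6 "Reloading NetworkManager and bringing up primary links"
  sudo nmcli connection reload
  # Best effort: a link may be down or the device absent; the verify hints
  # at the end are how the operator confirms the final state.
  sudo nmcli con up eno8303 || true
  sudo nmcli con up 10-uplink-eno8403 || true

  step 7 "Firewalld adjustments: remove masquerade on FedoraServer zone (keep NAT only on CPE)"
  if systemctl is-active --quiet firewalld; then
    sudo firewall-cmd --zone=FedoraServer --remove-masquerade --permanent || true
    sudo firewall-cmd --reload || true
  fi

  cat <<'EOF'
Done. Verify:
  - ip r | sed -n '1,40p'    # only one default via 192.168.0.254, no default via 144.2.68.225
  - resolvectl status         # upstream DNS mainly from eno8303
  - nmcli -f NAME,DEVICE,STATE,IP4.GATEWAY con show --active
EOF
}

main "$@"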