console

#!/usr/bin/bash

# GLOBAL VAR
# IPv6 ULA fc00::/7
# https://howto.lintel.in/speed-ssh-multiplexing/
# curl -s -X GET "https://fw-update.ubnt.com/api/firmware-latest?filter=eq~~platform~~edgerouter&filter=eq~~channel~~release&filter=eq~~product~~e300"

# menu

function menu () {
	local LEVEL="${1}"

	case "${LEVEL}" in
		0)
			echo
			echo -e $0 "-I (Local Domain Name)"
			echo
		;;
		1)
            echo
            echo -e $0 "-I ${LDN} -SO [openbsd|mikrotik|edgeos|raspi|ALL] [o]"
            echo -e $0 "-I ${LDN} -SO [workstation] -> tools on the workstation"
            echo
		;;
		2)
			echo
			echo -e $0 "-I ${LDN} -SO [openbsd|mikrotik|edgeos|raspi|ALL] -T -> tmux and SSH to hosts [o]"
			echo -e $0 "-I ${LDN} -SO [openbsd|mikrotik|edgeos|raspi|ALL] -P -> syspatch [o]"
			echo -e $0 "-I ${LDN} -SO [openbsd|mikrotik|edgeos|ALL] -N -> newhost OpenBSD host [o]"
			echo -e $0 "-I ${LDN} -SO [openbsd|mikrotik|edgeos|ALL] -C -> cleanlast [o]"
			echo -e $0 "-I ${LDN} -SO [openbsd|edgeos|ALL] -F -> single file update [o]"
			echo -e $0 "-I ${LDN} -SO [ALL] -KD  -> print all IPsec certificates deadlines [o]"
            echo -e $0 "-I ${LDN} -SO [openbsd] -G -> git pull [o]"
            echo -e $0 "-I ${LDN} -SO [openbsd] -S -> scripts [o]"
            echo -e $0 "-I ${LDN} -SO [openbsd] -D -> dyndnspop [o]"
			echo -e $0 "-I ${LDN} -SO [openbsd] -7 -> changes to 7.0 release [o]"
			echo -e $0 "-I ${LDN} -SO [openbsd] -PF -> changes to PF firewall [o]"
			echo -e $0 "-I ${LDN} -SO [mikrotik] -LTE -> new RouterOS LTE Router instance [o]"
			echo -e $0 "-I ${LDN} -SO [mikrotik] -CHR -> new RouterOS Cloud Hosted Router istance [o] "
			echo -e $0 "-I ${LDN} -SO [workstation] -GR6 -> add IPv6 ULA to gre tunnel interfaces [o]"
			echo -e $0 "-I ${LDN} -SO [workstation] -RS  -> repository ssh update [o]"
			echo -e $0 "-I ${LDN} -SO [workstation] -Z   -> global network domains setup [o]"
			echo -e $0 "-I ${LDN} -SO [workstation] -GEO -> get IP address geo group [o]"
			echo -e $0 "-I ${LDN} -SO [workstation] -CU  -> single certificate upgrade / change [o]"
			echo -e $0 "-I ${LDN} -SO [workstation] -U   -> update the workstation's user EdDSA certificate [o]"
			echo -e $0 "-I ${LDN} -SO [workstation] -CI  -> custom installation templates [o]"
			echo -e $0 "-I ${LDN} -SO [workstation] -K   -> new IKED pk12 archive [o]"
			echo -e $0 "-I ${LDN} -SO [workstation] -NDS -> encrypt TXT DNS record [o]"
			echo
		;;
	esac

	exit 1
}

# variables

userna=$(id -nu ${UID})
proghome="${HOME}/Sources/Git/OpenBSD"
daterelease=$(date +"%d%m%Y%H%m%S")
TODAY=$(date +"%d%m")
RD="/run/user/${UID}/guerrilla"


# variables from command lines and consequent processing or quit

(: "${1?}") 2>/dev/null || menu 0
(: "${2?}") 2>/dev/null && LDN="${2}"
PDN=$(dig "${LDN}" TXT +short | sed "s|\"||g") && [[ "${PDN}" ]] || ( echo "internal domain name daemon misconfigured or local domain name error" ; exit 1 )
(: "${3?}") 2>/dev/null || menu 1
(: "${3?}") 2>/dev/null && ( [ "${3}" == "-SO" ]  || [ "${3}" == "-W" ] ) || menu 1 && (: "${4?}") 2>/dev/null &&  [ "${4}" == "openbsd"  -o "${4}" == "mikrotik" -o "${4}" == "edgeos" -o "${4}" == "raspi" -o "${4}" == "workstation" -o "${4}" == "ALL" ] && SO="${4}" || menu 1
(: "${5?}") 2>/dev/null || menu 2
(: "${5?}") 2>/dev/null &&  (
	[ "${5}" == "-P" -o "${5}" == "-T" ] || \
	( [ "${5}" == "-N"  -o "${5}" == "-C" -o "${5}" == "-P" ] && [ "${4}" == "openbsd"  -o "${4}" == "mikrotik" -o "${4}" == "edgeos" -o "${4}" == "ALL" ] ) || \
	( [ "${5}" == "-F" ] && [ "${4}" == "openbsd"  -o "${4}" == "edgeos" -o "${4}" == "ALL" ] ) || \
	( [ "${5}" == "-KD" ] && [ "${4}" == "ALL" ] ) || \
	( [ "${5}" == "-G"  -o "${5}" == "-S" -o "${5}" == "-D" -o "${5}" == "-PF" ] && [ "${4}" == "openbsd" ] ) || \
	( [ "${5}" == "-LTE"  -o "${5}" == "-CHR" ] && [ "${4}" == "mikrotik" ] ) || \
	( [ "${5}" == "-GR6"  -o "${5}" == "-RS" -o "${5}" == "-Z" -o "${5}" == "-GEO"  -o "${5}" == "-CU" -o "${5}" == "-U" -o "${5}" == "-CI" -o "${5}" == "-K"  -o "${5}" == "-NSD" ] && [ "${4}" == "workstation" ] )
) && OPT="${5}" || menu 2



# functions

source "lib/foo.sh"


# a work array and a pair of strings

([[ $(typeofvar wa) == "array" ]] && [[ $(echo ${#wa[@]}) != "0" ]]) && ( unset wa && declare -a wa ) || declare -a wa
[[ $(typeofvar ws) == "string" ]] && [[ $(echo ${#ws}) != "0" ]] && ( unset ws && ws="" ) || ws=""
[[ $(typeofvar tf) == "string" ]] && [[ $(echo ${#tf}) != "0" ]] && ( unset tf && tf="" ) || tf=""


# temp files

tf=$(tempfile)

# add another fd to hack a little bit

exec 5>&1


if [[ "${UID}" -eq 0 ]]; then
	echo -e $0 "you cannot run $0 as root \n"
	exit 1
fi


case "${SO}" in
	openbsd|edgeos|mikrotik|raspi|lte)
		dnsquery wa "${SO}"
	;;
	"ALL")
		dnsquery wa "-FL"
	;;
esac
case "${OPT}" in
	# [openbsd|mikrotik|edgeos|raspi|ALL] #
	"-T")
		TS="${RD}/tmux$RANDOM"
		echo -e "Launching TMUX"
		tmux -S "${TS}" new-session -d -s "LOBBY"
		tmux -S "${TS}" set -g status-justify left
		tmux -S "${TS}" set -g status-left-length 40
		tmux -S "${TS}" set -g history-limit 5000
		#tmux -S "${TS}" set -g default-terminal "xterm-256color"
		tmux -S "${TS}" set-option -g status-left '#[fg=white,bold] guerrilla ⚡️ '
		tmux -S "${TS}" set-option -g status-right 'Europe/Madrid #[fg=agua]%I:%M:%S'
		#tmux -S "${TS}" set -g mouse on
		#tmux -S "${TS}" bind -n WheelUpPane if-shell -F -t = "#{mouse_any_flag}" "send-keys -M" "if -Ft= '#{pane_in_mode}' 'send-keys -M' 'copy-mode -e; send-keys -M'"
		tmux -S "${TS}" bind -n S-Pageup copy-mode -u
		tmux -S "${TS}" bind -n S-Pagedown send-keys Pagedown
		# color status bar
		tmux -S "${TS}" set -g status-bg black
			tmux -S "${TS}" set -g status-fg cyan

		# highlight current window
		tmux -S "${TS}" setw -g window-status-current-style bg=black,fg=magenta,bold


		for (( j=0; j<${#wa[@]}; j++ )); do
			echo -e "Creating ${wa[j]} TMUX windows"
			tmux -S "${TS}" rename-window "${wa[j]}"
			tmux -S "${TS}" send -t "LOBBY:${wa[j]}" ssh SPACE "${wa[j]}.${LDN}" ENTER
			tmux -S "${TS}" new-window
		done
		tmux -S "${TS}" rename-window "CA"
		tmux -S "${TS}" send -t "LOBBY:CA" ssh SPACE "ca.${LDN}" ENTER
		tmux -S "${TS}" new-window
		tmux -S "${TS}" rename-window $(hostname -s)
		tmux -S "${TS}" -2 attach-session -t "LOBBY"
	;;
	"-P")
		for (( j=0; j<${#wa[@]}; j++ )); do
			c=$(capa3 ${wa[j]}.${LDN} "wan")
			[[ "${c}" == 1 ]] && (
				case $(dnsquery -T ${wa[j]}) in
					"openbsd")
							li=$(ssh ${wa[j]}.${LDN} syspatch -l | tail -n 1)
							lw=$(curl -s https://www.openbsd.org/errata70.html | grep patches | tail -n 1)
							[[ "${lw}" =~ "${li}" ]] || (echo "New  OpenBSD patches found to apply for ${wa[j]}.${LDN}" ; ssh ${wa[j]}.${LDN} doas syspatch) && echo "No OpenBSD patches found to apply for ${wa[j]}.${LDN} "
					;;
					"edgeos")
						echo
						li=$(ssh -q ${wa[j]}.${LDN} sudo /usr/bin/ubnt-upgrade --show | grep v[0-9] | awk '{print $1}')
						lw=$(curl -s -X GET "https://fw-update.ubnt.com/api/firmware-latest?filter=eq~~platform~~edgerouter&filter=eq~~channel~~release&filter=eq~~product~~e300" |  tr \, '\n' | grep -w \"version\": | cut -d : -f2 | sed "s|\"||g")
						[[ "${lw}" != "${li}" ]] || echo "No EdgeOS patches found" && ( \
							echo "New EdgeOS patches found for ${wa[j]}.${LDN}"
							read -p "Download ${lw}?: yes/no " ctrl
							case "${ctrl}" in
								"yes")
									fwuri=$(curl -s -X GET "https://fw-update.ubnt.com/api/firmware-latest?filter=eq~~platform~~edgerouter&filter=eq~~channel~~release&filter=eq~~product~~e300" |  tr \, '\n' | grep -w \"data\": | cut -d : -f4 | sed "s|\"||g" | sed -e "s|^//||" -e "s|}$||")
									[[ -d "${RD}/download" ]] || mkdir "${RD}/download"
									[[ -e "${RD}/download/${lw}.tar" ]] || wget "${fwuri}" -O "${RD}/download/${lw}.tar" && echo "${lw}.tar already downloaded"
									sha256w=$(curl -s -X GET "https://fw-update.ubnt.com/api/firmware-latest?filter=eq~~platform~~edgerouter&filter=eq~~channel~~release&filter=eq~~product~~e300" |  tr \, '\n'| grep -w \"sha256_checksum\": | cut -d : -f2 | sed "s|\"||g")
									sha256l=$(sha256sum "${RD}/download/${lw}.tar" | awk '{print $1}')
									[[ "${sha256w}" == "${sha256l}" ]] && echo "SHA256 verified" || (echo "SHA256 incorrect!" ; exit 1)
									em=$(ssh -q ${wa[j]}.${LDN} df -m | head -n 2 | tail -n 1 | awk '{print $4}')
									fm=$(du -h "${RD}/download/${lw}.tar" | awk '{print $1}' | sed "s|[^0-9]*||g")
									(( em > fm )) && (echo "There's sufficient space uploading..." ; scp  "${RD}/download/${lw}.tar" ${wa[j]}.${LDN}:/tmp) || (echo "There's insufficient space aborting!" ; exit 1)
									#echo "Adding to EdgeOS vyatta subsystem.."
									#ssh -q ${wa[j]}.${LDN} "sudo /usr/bin/ubnt-upgrade --upgrade /tmp/${lw}.tar"
								;;
								"no")
									echo "Please read https://help.ui.com/hc/en-us/articles/205146110-EdgeRouter-How-to-Upgrade-the-EdgeOS-Firmware on how to upgrade EdgeOS."
								;;
							esac
						)
					;;
					"mikrotik")
						echo
						check=$(ssh -q ${wa[j]}.${LDN} system package update check-for-updates  | grep status | tail -n 1 | grep -c "New version is available")
						[[ "${check}" ]] && (
							iros=$(ssh -q ${wa[j]}.${LDN} system package update check-for-updates  | grep installed | sed "s|[^0-9.]*||g" | uniq)
							aros=$(ssh -q ${wa[j]}.${LDN} system package update check-for-updates  | grep latest | sed "s|[^0-9.]*||g" | tail -n 1)
							echo "new RouterOS version found for ${wa[j]}.${LDN}, installed ${iros}, latest ${aros}"
							read -p "Download ${aros}?: yes/no " ctrl
							case "${ctrl}" in
								"yes")
									ssh -q ${wa[j]}.${LDN} system package update download
									echo "Remember to reboot ${wa[j]}.${LDN}"
								;;
								"no")
									echo "Remember to manually upgrade ${wa[j]}.${LDN}"
								;;
							esac
						)
					;;
					"raspi")
						echo
						echo "Upgrading Raspbian OS onto ${wa[j]}.${LDN}..."
						check=$(ssh -q ${wa[j]}.${LDN} sudo apt update 2>/dev/null | grep packages | cut -d '.' -f 1 | tee /dev/fd/5)
						[[ "upgraded" =~ "${check}" ]] && (
							read -p "Upgrade?: yes/no " ctrl
							case "${ctrl}" in
								"yes")
									ssh -q ${wa[j]}.${LDN} sudo apt upgrade 2>/dev/null
									echo "Remember to reboot if necessary"
								;;
								"no")
									echo "Remember to manually upgrade ${wa[j]}.${LDN}"
								;;
							esac
						)
					;;
				esac
			) || echo "${wa[j]}.${LDN} unreachable"
		done
	;;
	#[openbsd|mikrotik|edgeos|ALL]
	"-N")
		for (( j=0; j<${#wa[@]}; j++ )); do
			echo -e "Connecting to ${wa[j]}.${LDN}..."
			c=$(capa3 ${wa[j]}.${LDN} "wan")
			[[ "${c}" == 1 ]] && (
				case $(dnsquery -T ${wa[j]}) in
					"openbsd")
						ssh ${wa[j]}.${LDN} doas ksh "/home/taglio/Sources/Git/OpenBSD/setup_node -U newhost"
					;;
					"mikrotik")
						openbsd=
						while [ -z $openbsd ]
						do
							echo 'Type the new OpenBSD internal hostname '
							read openbsd
						done
						mkaddr=$(dig A "$(dnsquery -M ${wa[j]}).${PDN}" +short)
						mkpublichost="$(dnsquery -M ${wa[j]}).${PDN}"
						wget "http://$openbsd.${LDN}/$mkpublichost/$mkpublichost.rsc" -O "/tmp/$mkpublichost.rsc"
						scp "/tmp/$mkpublichost.rsc" " ${wa[j]}.${LDN}:/$mkpublichost.rsc"
						ssh  ${wa[j]}.${LDN} /import file-name=$mkpublichost.rsc
						echo -e "Host ${wa[j]}.${LDN} configured into Mikrotik  ${wa[j]}.${LDN}"
					;;
					"edgeos")
						openbsd=
						while [ -z $openbsd ]
						do
							echo 'Type the new OpenBSD internal hostname '
							read openbsd
						done
						publicip=$(dig A "$(dnsquery -M ${openbsd}).${PDN}" +short)
						publichost=$(dnsquery -M ${openbsd})".${PDN}"
						#publicdomainname=$(dig -x $publicip +short | sed "s/$publichost.//" | sed 's/.$//')
						publichostname=$(dnsquery -M "${wa[j]}")
						phn=$(dnsquery -M "${wa[j]}")
						wget "http://$openbsd.$2/$edgehost.tar" -O "/tmp/$edgehost.tar"
						cd /tmp
						if [[ ! -d "${phn}.${PDN}" ]]; then
							mkdir "${phn}.${PDN}"
						fi
						tar xvf "/tmp/${phn}.${PDN}.tar" -C "/tmp/${phn}.${PDN}"
						cd ${phn}.${PDN}
						for file in $(ls .); do
							if [[ $file = "gre.sh" || $file = "ospf.sh" ]]; then
								cat $file | ssh -q ${wa[j]}.${LDN}
							elif [[ $file = *updown.sh ]]; then
								a=$(echo $file | sed "s/-updown.sh//")
								c=$(echo $a | sed "s/-//")
								v=$(echo $file | sed "s/$a/$c/")
								metric=$(ssh -q ${wa[j]}.${LDN} /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper show protocols static | grep table | awk '{print $2}' | wc -l)
								let metric+=1
								others=""
								for prefix in $(ssh -q ${wa[j]}.${LDN} /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper show protocols static | grep table | awk '{print $2}'); do
									others+=$(printf '\t\t%s\\n' '/sbin/ip route add table '"${prefix}"' metric '"${metric}"' scope link default nexthop dev "${TUN_IFACE}"')
								done
								sed -i "s|/OTHERS/|${others}|" $file
								scp -q $file "${wa[j]}.${LDN}:/tmp"
								ssh -q ${wa[j]}.${LDN} "sudo mv /tmp/$file /config/ipsec/$v ; chmod +x /config/ipsec/$v"
							elif [[ $file = *_netwatch.sh ]]; then
								a=$(echo $file | sed "s/_netwatch.sh//")
								c=$(echo $a | sed "s/-//")
								v=$(echo $file | sed "s/$a/$c/")
								scp -q $file "${wa[j]}.${LDN}:/tmp"
								ssh -q ${wa[j]}.${LDN} "sudo mv /tmp/$file /config/scripts/$v; chmod +x /config/scripts/$v"
							elif [[ $file = *.crt ]]; then
								scp -q $file "${wa[j]}.${LDN}:/tmp"
								ssh -q ${wa[j]}.${LDN} sudo cp "/tmp/$file" /config/auth; sudo mv "/tmp/$file" /etc/ipsec.d/certs/
							elif [[ $file = *.conf ]]; then
								if [[ $(ssh -q ${wa[j]}.${LDN} grep -c telecomlobby-$(head -n 1 $file | cut -d \- -f2) /config/ipsec.conf) -eq 0 ]]; then
									cat $file | ssh -qt ${wa[j]}.${LDN} "cat - >> /config/ipsec.conf"
								fi
							fi
						done
						ssh -q ${wa[j]}.${LDN} echo "cp /config/auth/$publichostname.crt /etc/ipsec.d/certs/" >> /config/scripts/post-config.d/files.sh
						ctrl=
						while [ -z $ctrl ]
						do
							echo "Do you want to reread ipsec "
							read ctrl
						done
						rm -rf "/tmp/${phn}.${PDN}"
						case $ctrl in
							"yes")
								ssh -q ${wa[j]}.${LDN} ipsec rereadall
								ssh -q ${wa[j]}.${LDN} ipsec reload
							;;
							"no")
							;;
							*)
								echo 'Reply yes or no'
							;;
						esac
					;;
				esac
			) || echo "${wa[j]}.${LDN} unreachable"
		done
	;;
	"-C")
		read -p "Type the internal hostname to clean: " ihtc
		phtc=$(dnsquery -M "${ihtc}")".${PDN}"
		[[  "${phtc}" == "" ]]  && read -p "Type the external hostname because was deleted: " phtc
		for (( j=0; j<${#wa[@]}; j++ )); do
			echo -e "Connecting to ${wa[j]}.${LDN}..."
			c=$(capa3 ${wa[j]}.${LDN} "wan")
			[[ "${c}" == 1 ]] && (
				case $(dnsquery -T ${wa[j]}) in
					"openbsd")
						echo "${phtc}"
						ghtc=$(ssh ${wa[j]}.${LDN} ifconfig gre | grep -wB 1 "${phtc}" | head -n 1 | awk '{print $1}' | sed "s|:$||")
						echo "${ghtc}"
						ssh ${wa[j]}.${LDN} "echo ${ghtc} > /tmp/cleantmp"
						ssh ${wa[j]}.${LDN} doas ksh "/home/taglio/Sources/Git/OpenBSD/setup_node -A cleanlast"
					;;
					"mikrotik")
						#ghtc=$(ssh ${wa[j]}.${LDN} ":put [/int gre get [find comment=xolotl] name;]" | tr -d '\r\n')
						cat src/mikrotik/tools/clean_last.rsc > "${tf}"
						sed -i "s|/HOSTNAME/|${ihtc}|g" "${tf}"
						scp  "${tf}" "${wa[j]}"."${LDN}":/clean.rsc
						eval "ssh ${wa[j]}.${LDN} :execute \{/import clean.rsc\}"
					;;
					"edgeos")
						echo "/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper begin" > "${tf}"
						typeset -u uphtc=$(echo "${phtc}" | sed "s|.${PDN}||")
						pip=$(dig A "${phtc}" +short)
						[[ "${pip}" == "" ]] && read -p "Type the external ip address because was deleted: " pip
						irid=$(dig A "${ihtc}".${LDN} +short)
						[[ "${irid}" == "" ]] && read -p "Type the router id because was deleted: " irid
						for i in $(ssh -q ${wa[j]}.${LDN}  /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper show firewall group | grep address-group | awk '{print $2}'); do
							ssh -q ${wa[j]}.${LDN}  sudo ipset list "${i}" | grep "${pip}"  &> /dev/null
							if [ $? -eq 0 ]; then
								echo "/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper delete firewall group address-group ${i} address ${pip}" >> $tf
								type="${i}"
							fi
						done
						ssh -q ${wa[j]}.${LDN}  sudo ipset list ROUTERID | grep "${irid}" &> /dev/null
						if [ $? -eq 0 ]; then
							echo "/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper delete firewall group address-group ROUTERID address ${irid}" >> $tf
						fi
						if [ $(ssh -q ${wa[j]}.${LDN} /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper show firewall modify DMZMARK-"${uphtc}" | wc -l) -gt 1 ]; then
							echo "/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper delete firewall modify DMZMARK-${uphtc}" >> $tf
						fi
						ssh -q ${wa[j]}.${LDN} /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper show firewall modify PBR | grep -wB 3 "${uphtc}" &> /dev/null
						if [ $? -eq 0 ]; then
							ruleid=$(ssh -q ${wa[j]}.${LDN} /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper show firewall modify PBR | grep -wB 3 "${uphtc}" | head -n 1 | awk '{print $2}')
							tableid=$(ssh -q ${wa[j]}.${LDN} /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper show firewall modify PBR | grep -wB 1 "${uphtc}" | grep -v "${uphtc}" | awk '{print $2}')
							echo "/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper delete firewall modify PBR rule ${ruleid}" >> $tf
						fi
						ssh -q ${wa[j]}.${LDN} /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper show policy access-list 10 | grep -wB 3 "${irid}" &> /dev/null
						if [ $? -eq 0 ]; then
							ruleid=$(ssh -q ${wa[j]}.${LDN} /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper show policy access-list 10 | grep -wB 3 "${irid}" | head -n 1 | awk '{print $2}')
							echo "/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper delete policy access-list 10 rule ${ruleid}" >> $tf
						fi
						greint=$(ssh -q ${wa[j]}.${LDN} ip link show | grep -wB 2 "${phtc}" | head -n 1 | awk '{print $2}' | cut -d @ -f1)
						if [[ "${greint}" == tun*[0-9] ]]; then
							grenet=$(ssh -q ${wa[j]}.${LDN} ip route | grep -w "dev ${greint} proto kernel"| awk '{print $1}')
							if [[ "${grenet}" == "" ]]; then
								IFS=. read -r i1 i2 i3 i4 <<< $(ssh -q i${wa[j]}.${LDN} /sbin/ifconfig -a tun5 | grep inet | awk '{print $2}')
								IFS=. read -r m1 m2 m3 m4 <<< "255.255.255.252"
								grenet=$(printf "%d.%d.%d.%d\n" "$((i1 & m1))" "$((i2 & m2))" "$((i3 & m3))" "$((i4 & m4))")"/30"
							fi
							echo "/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper delete protocols ospf area 0.0.0.0 network ${grenet}" >> $tf
							echo "/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper delete protocols ospf passive-interface-exclude ${greint}" >> $tf
							echo "/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper delete interfaces tunnel ${greint}" >> $tf
						fi
						ssh -q ${wa[j]}.${LDN} ip route | grep -w "${pip}" &> /dev/null
						if [ $? -eq 0 ]; then
							echo "/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper delete protocols static interface-route ${pip}/32" >> $tf
						fi
						if [ $(ssh -q ${wa[j]}.${LDN} /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper show protocols static table "${tableid}" | wc -l) -gt 1 ]; then
							echo "/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper delete protocols static table ${tableid}" >> $tf
						fi
						if [ $(ssh -q ${wa[j]}.${LDN} /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper show system task-scheduler task ES${uphtc} | wc -l) -gt 1 ]; then
							echo "/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper delete system task-scheduler task ES${uphtc}" >> $tf
						fi
						echo "/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper commit" >> $tf
						echo "/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper save" >> $tf
						cat "${tf}"
						read -p "OK? yes/no " ctrl
						case "${ctrl}" in
							"yes")
								cat "${tf}" | ssh -q ${wa[j]}.${LDN}
							;;
							"no")
								exit 1
							;;
							*)
								exit 1
							;;
						esac
						case "${type}" in
							"OPENBSD")
								ssh -q ${wa[j]}.${LDN} sudo sed -i -e "/telecomlobby-${uphtc}/,+13d" /config/ipsec.conf
							;;
							"MIKROTIK")
								ssh -q ${wa[j]}.${LDN}sudo sed -i -e "/telecomlobby-${uphtc}/,+11d" /config/ipsec.conf
							;;
						esac
						ssh -q ${wa[j]}.${LDN} sudo cp /config/ipsec.conf /etc
						if [ $(ssh -q i${wa[j]}.${LDN} sudo ipsec status telecomlobby-${uphtc} | grep -v Security | grep -c ESTABLISHED) -gt 0 ]; then
							ssh -q ${wa[j]}.${LDN} sudo ipsec down telecomlobby-${uphtc}
						fi
						ssh -q ${wa[j]}.${LDN} [[ -e "/config/ipsec/ES${uphtc}-updown.sh" ]] && rm -rf "/config/ipsec/ES${uphtc}-updown.sh"
						ssh -q ${wa[j]}.${LDN} [[ -e "/config/auth/${phtc}.crt" ]] && rm -rf "/config/auth/${phtc}.crt"
						ssh -q ${wa[j]}.${LDN} [[ -e "/etc/ipsec.d/certs/${phtc}.crt" ]]
						if [ $? -eq 0 ]; then
							ssh -q ${wa[j]}.${LDN} sudo rm -rf "/etc/ipsec.d/certs/${phtc}.crt"
						fi
						if [ $(ssh -q ${wa[j]}.${LDN} grep -wc ${phtc} /config/scripts/post-config.d/files.sh) -gt 0 ]; then
							ssh -q ${wa[j]}.${LDN} sudo sed -i "/${phtc}.crt/d" /config/scripts/post-config.d/files.sh
						fi
						ssh -q ${wa[j]}.${LDN} sudo ipsec rereadall
						ssh -q ${wa[j]}.${LDN} sudo ipsec reload
					;;
				esac
			) || echo "${wa[j]}.${LDN} unreachable"
		done
	;;
	#[openbsd|edgeos|ALL]
	"-F")
		for (( j=0; j<${#wa[@]}; j++ )); do
			echo -e "Connecting to ${wa[j]}.${LDN}..."
			c=$(capa3 ${wa[j]}.${LDN} "wan")
			[[ "${c}" == 1 ]] && (
			case $(dnsquery -T ${wa[j]}) in
				"openbsd")
					ssh ${wa[j]}.${LDN} doas ksh "/home/taglio/Sources/Git/OpenBSD/setup_node -U file"
				;;
				"edgeos")
					read -p "Type the src/edgeos/config file to update into ${wa[j]}.${LDN}: " fedge
					[[ -e "src/edgeos/config/${fedge}" ]] || (echo "file not found" ; exit 1)
					scp "src/edgeos/config/${fedge}" "${wa[j]}.${LDN}:/tmp/${fedge}"
					ssh "${wa[j]}.${LDN} sudo mv /tmp/${fedge} /config/${fedge}"
					echo "Depending on which file you've updated you'll copy to /etc and reload daemons"
				;;
			esac
			) || echo "${wa[j]}.${LDN} unreachable"
		done
	;;
	#[ALL]
	"-KD")
		echo "Current GMT time is: $(LANG=uk_UK date -u '+%b %d %H:%M:%S %Y GMT')"
		echo "Current epoch time is: $(date +"%s")"
		echo "Looking at OpenBSD hosts..."
		currrentepoch=$(date +"%s")
		for (( j=0; j<${#wa[@]}; j++ )); do
			echo -e "Connecting to ${wa[j]}.${LDN}..."
			c=$(capa3 ${wa[j]}.${LDN} "wan")
			[[ "${c}" == 1 ]] && (
			case $(dnsquery -T ${wa[j]}) in
				"openbsd")
				;;
				"mikrotik")
				;;
				"edgeos")
				;;
			esac
			) || echo "${wa[j]}.${LDN} unreachable"
		done
		for vpnc_host in $(dig openbsd.${LDN} TXT +short | sed "s/\"//g" | tr \; '\n' | sed '$d'); do
			deadline=$(ssh -o LogLevel=QUIET -t $vpnc_host.${LDN} openssl x509 -in "/etc/iked/certs/local.crt" -noout -enddate | sed "s|^notAfter=||")
			echo "IPsec SSL certificate deadline of $vpnc_host is: $deadline"
			echo "IPsec SSL certificate epoch deadline of $vpnc_host is: $(date --date "${deadline}" "+%s")"
			deadlineepoch=$(date --date "${deadline}" "+%s")
			if [ "$deadlineepoch" -lt "$currrentepoch" ]; then
				openbsdiked+=("$vpnc_host")
				echo "$vpnc_host IPsec SSL certificate has to be upgraded"
			fi
		done
		echo "Looking at Ubiquiti EdgeOS hosts..."
		for vpnc_host in $(dig edgeos.${LDN} TXT +short | sed "s/\"//g" | tr \; '\n' | sed '$d' | cut -d : -f1); do
			deadline=$(ssh -o LogLevel=QUIET -t $vpnc_host.${LDN} openssl x509 -in "/config/auth/local/*.crt" -noout -enddate | sed "s|^notAfter=||")
			echo "IPsec SSL certificate deadline of $vpnc_host is: $deadline"
			echo "IPsec SSL certificate epoch deadline of $vpnc_host is: $(date --date "${deadline}" "+%s")"
			deadlineepoch=$(date --date "${deadline}" "+%s")
			if [ "$deadlineepoch" -lt "$currrentepoch" ]; then
				edgeosiked+=("$vpnc_host")
				echo "$vpnc_host IPsec SSL certificate has to be upgraded"
			fi
		done
		if [ ${#edgeosiked[@]} -gt 0 ]; then
			echo "edgeos"
		fi
		if [ ${#openbsdiked[@]} -gt 0 ]; then
			echo "openbsd"
			for i in "${openbsdiked[@]}"; do
				echo "Working into $i Ipsec SSL certificate upgrade"
				ikedpub=
				while [ -z $ikedpub ]
				do
					echo "Type the PATH to the upgraded iked PK12 file for $i "
					read ikedpub
				done
				tmpdir=$(mktemp -d)
				pk12=$(basename $ikedpub)
				publichost=$(echo $pk12 | sed 's/.p12//')
				publichostname=$(echo $publichost | cut -d . -f1)
				domainname=$(echo $publichost | sed "s/$publichostname.//")
				for a in $(dig ipsec20591.$domainname TXT +short @8.8.8.8 | sed "s/\"//g" | tr \; '\n' | sed '$d'); do
					b=$(echo $a | cut -d : -f1)
					if [[ "$b" -eq "$publichostname" ]]; then
					srcid=$(echo $a | cut -d : -f2)
					fi
				done
				echo "uploading P12 to /tmp onto $i"
				scp $ikedpub "$i.${LDN}:/tmp"
				ssh -t $i.${LDN} doas ksh "/home/taglio/Sources/Git/OpenBSD/tools/ikedsslupgade"
				scp  ca.telecom.lobby:/etc/ssl/ca.telecomlobby.com/certs/$publichost.crt "$tmpdir/$publichost.crt"
				echo "uploading .crt to EdgeOS hosts"
				for vpnc_host in $(dig edgeos.${LDN} TXT +short | sed "s/\"//g" | tr \; '\n' | sed '$d' | cut -d : -f1); do
					scp "$tmpdir/$publichost.crt" "$vpnc_host.${LDN}:/config/auth"
					ssh $vpnc_host.${LDN} "sudo cp /config/auth/${publichost}.crt /etc/ipsec.d/certs/"
					ssh $vpnc_host.${LDN} "sudo ipsec rereadall"
					ssh $vpnc_host.${LDN} "sudo ipsec reload"
				done
				openssl x509 -legacy -pubkey -noout -passin pass:123456789 -in "$tmpdir/$publichost.crt"  > src/etc/iked/pubkeys/ufqdn/"$srcid@ca.$domainname"
				srm -r "${tmpdir}"
				echo -e "$srcid@ca.$domainname created please update repository and all the others Openbsd hosts"
			done
		fi
	;;
	#[openbsd]
	"-G"|"-S"|"-D"|"-PF"|"-7")
		ws="doas ksh /home/taglio/Sources/Git/OpenBSD/setup_node"
		[[ "${5}" == "-G" ]] && rcmd="git -C "$proghome" pull"
		[[ "${5}" == "-S" ]] && rcmd="${ws} -U scripts"
		[[ "${5}" == "-D" ]] && rcmd="${ws} -U dyndnspop"
		[[ "${5}" == "-PF" ]] && rcmd="${ws} -U pf"
		[[ "${5}" == "-7" ]] && rcmd="doas ksh /home/taglio/Sources/Git/OpenBSD/tools/seven"
		for (( j=0; j<${#wa[@]}; j++ )); do
			echo -e "Connecting to ${wa[j]}.${LDN}"
			eval "ssh ${wa[j]}.${LDN} ${rcmd}"
		done
	;;
	#[mikrotik]
	"-CHR")
		read -p "Type LTE public hostname: " chr
		publichostname=$(echo "${chr}" | cut -d . -f1)
		chrpubip=$(dig A "${chr}" +short)
		lhn=$(dnsquery -MR $(echo "${publichostname}" | sed "s|.${PDN}||"))
		let counter=0
		counter=$(expr $counter + $(capa3 "${chr}" "wan"))
		if (( counter = 1 )); then
			echo "Layer three test passed..."
			pwd=$(passcheck "${chr}")
			ssh-keygen -f "$HOME/.ssh/known_hosts" -R "${chr}"
			if [[ $pwd = "0" ]]; then
				echo "no password present"
				echo "follow README.md of github" ; exit 1
			elif [[ $pwd = "143" ]]; then
				echo "with password"
				password=$(systemd-ask-password "Enter ${chr} ${userna} password: ")
				sshcmd="sshpass -p ${password} ssh -o StrictHostKeyChecking=no -o ConnectTimeout=5"
				scpcmd="sshpass -p ${password} scp -o StrictHostKeyChecking=no -o ConnectTimeout=5"
			fi
			echo "resetting default values"
			eval "${scpcmd} src/mikrotik/CHR-reset.rsc ${userna}@${chr}:/"
			eval "${sshcmd} ${userna}@${chr} :execute \{/import file-name=CHR-reset.rsc\}"
			echo "configuring hostname, timezone, date, time"
			eval "${sshcmd} ${userna}@${chr} /sys id set name=${lhn}.${LDN}"
			chrtz=$(curl -s "http://ipinfo.io/${chrpubip}" | sed '/readme/d' | grep timezone | awk '{print $2}' | sed -e "s|\"||g" -e "s|,||")
			eval "${sshcmd} ${userna}@${chr} /sys clock set time-zone-name=${chrtz}"
			chrdate=$(date +%b/%d/%Y)
			eval "${sshcmd} ${userna}@${chr} /system clock set date=${chrdate}"
			chrtime=$(TZ="${chrtz}" date | awk '{print $5}')
			eval "${sshcmd} ${userna}@${chr} /system clock set time=${chrtime}"
			echo "adding ${userna} RSA ssh key"
			[[ -e "$HOME/.ssh/id_rsa.pub" ]] || ssh-keygen -t rsa -C "${userna}@${LDN}"
			eval "${scpcmd} $HOME/.ssh/id_rsa.pub ${userna}@${chr}:/"
			eval "${sshcmd} ${userna}@${chr} /user ssh-keys remove [find user=${userna}] \; /user ssh-keys import user=${userna} public-key-file=id_rsa.pub"
			sshcmd="ssh -o StrictHostKeyChecking=no -o ConnectTimeout=5"
			scpcmd="scp -o StrictHostKeyChecking=no -o ConnectTimeout=5"
			echo "adding ${chr} common IPSEC settings"
			eval "${sshcmd} ${userna}@${chr} /ip ipsec policy group add name=group_ikev2_cert"
			eval "${sshcmd} ${userna}@${chr} /ip ipsec profile add dh-group=ecp384,modp3072 dpd-interval=30s dpd-maximum-failures=1 enc-algorithm=aes-256 hash-algorithm=sha256 name=NSA-RECOMMENDED nat-traversal=no"
			eval "${sshcmd} ${userna}@${chr} /ip ipsec proposal add auth-algorithms=sha256 enc-algorithms=aes-256-cbc lifetime=1h name=NSA pfs-group=none"
			ipsecpeers=$(tempfile)
			mkr=$(dnsquery -R "mikrotik")
			echo ":foreach P in=[/ip ipsec peer find] do={ /ip ipsec peer remove \$P }" > ${ipsecpeers}
			eval "${sshcmd} ${userna}@${mkr}.${LDN} /ip ipsec peer export >> ${ipsecpeers}"
			sed -i "s|45.32.144.15|${chrpubip}|g" "${ipsecpeers}"
			echo "/ip ipsec peer add name=uma_ikev2_cert address=45.32.144.15 local-address=${chrpubip} exchange-mode=ike2 profile=NSA-RECOMMENDED" >> ${ipsecpeers}
			eval "${scpcmd} ${ipsecpeers} ${userna}@${chr}:/ipsec_peers.rsc"
			srm "${ipsecpeers}"
			eval "${sshcmd} ${userna}@${chr} /import file-name=ipsec_peers.rsc"
			echo "installing local private and public key and peers public keys"
			read -p "Type local directory with p12 exported IPsec certificates: " p12dir
			ssh "${userna}@${chr}" ":foreach C in=[/certificate find] do={/certificate remove \$C}"
			eval "${scpcmd} ${p12dir}/${srcid}/${chr}.p12 ${userna}@${chr}:/"
			eval "${sshcmd} ${userna}@${chr} /certificate import file-name=${chr}.p12 name=${chr} passphrase=123456789"
			eval "${sshcmd} ${userna}@${chr} /certificate set [find name=${chr}_1] name=ca.telecomlobby.com"
			for certpath in $(find "${p12dir}" -name "*.p12"); do
				certfile=$(basename "${certpath}")
				peerpublichostname=$(echo "${certfile}" |  sed "s|.p12||")
				certdir=$(dirname "${certpath}")
				peerlocalhostname=$(echo "${certdir}" | sed "s|${p12dir}/||")
				tmpdir=$(mktemp -d)
				openssl pkcs12 -nodes -in "${certpath}" -clcerts -nokeys -passin pass:123456789 -passout pass:123456789 -out "$tmpdir/$peerlocalhostname.crt"
				eval "${scpcmd} $tmpdir/$peerlocalhostname.crt ${userna}@${chr}:/"
				eval "${sshcmd} ${userna}@${chr} /certificate import file-name=$peerlocalhostname.crt name=${peerpublichostname} passphrase=123456789"
				srm -r "${tmpdir}"
			done
			ipsecpeers=$(mktemp)
			echo ":foreach P in=[/ip ipsec identity find] do={ /ip ipsec identity remove \$P }" > ${ipsecpeers}
			eval "${sshcmd} ${userna}@uma.telecom.lobby /ip ipsec identity export >> ${ipsecpeers}"
			sed -i "s|fr.telecomlobby.com|ixp.telecomlobby.com|g" "${ipsecpeers}"
			eval "${scpcmd} ${ipsecpeers} ${userna}@${chr}:/ipsec_identity.rsc"
			eval "${sshcmd} ${userna}@${chr} /import file-name=ipsec_identity.rsc"
			eval "${sshcmd} ${userna}@${chr} /ip ipsec identity add peer=uma_ikev2_cert auth-method=digital-signature remote-id=user-fqdn:uma@ca.telecomlobby.com match-by=certificate certificate=ixp.telecomlobby.com remote-certificate=fr.telecomlobby.com generate-policy=no policy-template-group=group_ikev2_cert"
			srm "${ipsecpeers}"
			ipsecpolicy=$(mktemp)
			eval "${sshcmd} ${userna}@uma.telecom.lobby /ip ipsec policy export > ${ipsecpolicy}"
			sed -i '/set/d' "${ipsecpolicy}"
			sed -i '/policy\ group/d' "${ipsecpolicy}"
			sed -i '/group_ikev2_cert/d' "${ipsecpolicy}"
			sed -i "s|45.32.144.15|${chrpubip}|g" "${ipsecpolicy}"
			echo "/ip ipsec policy add dst-address=45.32.144.15/32 peer=uma_ikev2_cert proposal=NSA protocol=gre src-address=${chrpubip}" >> "${ipsecpolicy}"
			eval "${scpcmd} ${ipsecpolicy} ${userna}@${chr}:/ipsec_policy.rsc"
			eval "${sshcmd} ${userna}@${chr} /import file-name=ipsec_policy.rsc"
			echo "IPSec configured, going ahead..."
			srm "${ipsecpolicy}"
			echo "Cleaning files"
			eval "${scpcmd} src/mikrotik/file_clean.rsc ${userna}@${chr}:/"
			eval "${sshcmd} ${userna}@${chr} :execute \{/import file_clean.rsc\}"
		fi
		echo "start to configure GRE interfaces"
		grepeers=$(mktemp)
		eval "${sshcmd} ${userna}@uma.telecom.lobby /interface gre export >> ${grepeers}"
		sed -i "s|45.32.144.15|${chrpubip}|g" "${grepeers}"
		echo "/interface gre add allow-fast-path=no clamp-tcp-mss=no comment=uma keepalive=5s,2 local-address=${chrpubip} mtu=1392 remote-address=45.32.144.15" >> "${grepeers}"
		eval "${scpcmd} ${grepeers} ${userna}@${chr}:/interface_gre.rsc"
		eval "${sshcmd} ${userna}@${chr} :execute \{/import interface_gre.rsc\}"
		srm "${grepeers}"
		echo "configuring routing OSPF filters"
		rtfilter=$(mktemp)
		echo "/routing filter" > "${rtfilter}"
		echo "add action=accept chain=ospf-in comment=\"insert HOST 192.168.13.0/24\" prefix=192.168.13.0/24 prefix-length=32" >> "${rtfilter}"
		echo "add action=accept chain=ospf-in comment=\"insert NET 172.16.16.0/22\" prefix=172.16.16.0/22 prefix-length=24" >> "${rtfilter}"
		echo "add action=accept chain=ospf-in comment=\"insert NET 10.0.0.0/8\" prefix=10.0.0.0/8 prefix-length=8" >> "${rtfilter}"
		randomop=$(dig TXT openbsd.telecom.lobby +short | sed "s|\"||g" | tr ";" "\n" | awk NF | shuf -n 1)
		for host in $(ssh "${randomop}.telecom.lobby" cat /etc/pf.conf.table.{clientes,ipsec} | grep -v \# | awk NF | uniq); do
			echo "add action=accept chain=ospf-in comment=\"insert HOST ${host}\" prefix=${host} prefix-length=32" >> "${rtfilter}"
		done
		echo "add action=discard chain=ospf-in comment=\"discard ALL\"" >> "${rtfilter}"
		echo "add action=accept chain=ospf-out comment=\"insert HOST 192.168.13.0/24\" prefix=192.168.13.0/24 prefix-length=32" >> "${rtfilter}"
		echo "add action=accept chain=ospf-out comment=\"insert NET 172.16.16.0/22\" prefix=172.16.16.0/22 prefix-length=24" >> "${rtfilter}"
		echo "add action=accept chain=ospf-out comment=\"insert NET 10.0.0.0/8\" prefix=10.0.0.0/8 prefix-length=8" >> "${rtfilter}"
		for host in $(ssh "${randomop}.telecom.lobby" cat /etc/pf.conf.table.{clientes,ipsec} | grep -v \# | awk NF | uniq); do
			echo "add action=accept chain=ospf-out comment=\"insert HOST ${host}\" prefix=${host} prefix-length=32" >> "${rtfilter}"
		done
		echo "add action=discard chain=ospf-out comment=\"discard ALL\"" >> "${rtfilter}"
		eval "${scpcmd} ${rtfilter} ${userna}@${chr}:/rtfilter.rsc"
		eval "${sshcmd} ${userna}@${chr} :execute \{/import rtfilter.rsc\}"
		srm "${rtfilter}"
		read -p "Type the CHR routerid: " chrid
		echo "configuring OSPF daemon"
		eval "${sshcmd} ${userna}@${chr} /routing ospf instance set [ find default=yes ] redistribute-connected=as-type-2 redistribute-other-ospf=as-type-1 redistribute-static=as-type-2 router-id=${chrid}"
		eval "${sshcmd} ${userna}@${chr} /int bri add name=lo1 comment=\"router-id\" protocol-mode=none"
		eval "${sshcmd} ${userna}@${chr} /ip addr add address=${chrid}/32 interface=lo1"
		eval "${sshcmd} ${userna}@${chr} /routing ospf interface add authentication-key-id=100 cost=1 interface=lo1 network-type=broadcast passive=yes"
		eval "${sshcmd} ${userna}@${chr} /interface list add name=GRE"
		let lastnetwork=$(dig TXT gre7058."${domainname}" +short | sed "s|\"||g")+0
		ospfinterface=$(mktemp)
		for chrgre in $(ssh "${userna}@${chr}" :foreach i in=[/interface gre find] do=\{:put [/interface gre get \$i name]\; \}); do
			lastnetwork=$(expr $lastnetwork - 4)
			firstip=$(expr $lastnetwork + 1)
			eval "${sshcmd} ${userna}@${chr} /ip addr add address=10.10.10.${firstip}/30 interface=${chrgre}"
			eval "${sshcmd} ${userna}@${chr} /routing ospf network add area=backbone network=10.10.10.${lastnetwork}/30"
			ospfmd5=$(tr -cd '[:alnum:],.' < /dev/random | fold -w 15 | head -n 1)
			ssh ${userna}@${chr} routing ospf interface add authentication=md5 authentication-key=${ospfmd5} network-type=point-to-point interface="${chrgre}"
			eval "${sshcmd} ${userna}@${chr} /interface list member add list=GRE interface=${chrgre}"
		done
		echo "configuring RouterOS web server access list and firewall address list"
		randomop=$(dig TXT openbsd.telecom.lobby +short | sed "s|\"||g" | tr ";" "\n" | awk NF | shuf -n 1)
		acweb=""
		for host in $(ssh "${randomop}.telecom.lobby" cat /etc/pf.conf.table.ipsec | grep -v \# | awk NF | uniq); do
		 	acweb+="${host},"
			eval "${sshcmd} ${userna}@${chr} /ip firewall address-list add list=servers address=${host}"
		done
		for host in $(ssh "${randomop}.telecom.lobby" cat /etc/pf.conf.table.clientes | grep -v \# | awk NF | uniq); do
			eval "${sshcmd} ${userna}@${chr} /ip firewall address-list add list=otherswan address=${host}"
		done
		acweb=${acweb::-1}
		eval "${sshcmd} ${userna}@${chr} /ip service set www address=${acweb}"
		eval "${sshcmd} ${userna}@${chr} /ip firewall address-list add list=lan address=196.168.13.0/24"
		eval "${sshcmd} ${userna}@${chr} /ip firewall address-list add list=lan address=172.16.17.0/24"
		eval "${sshcmd} ${userna}@${chr} /ip firewall address-list add list=lan address=172.16.18.0/24"
		eval "${sshcmd} ${userna}@${chr} /ip firewall address-list add list=lan address=172.16.19.0/24"
		eval "${sshcmd} ${userna}@${chr} /ip firewall address-list add list=lan address=10.10.10.0/24"
		cp src/mikrotik/filter.rsc /tmp
		sed -i "s|/PUBLICIP/|${chrpubip}|g" /tmp/filter.rsc
		eval "${scpcmd} /tmp/filter.rsc ${userna}@${chr}:/filter.rsc"
		eval "${sshcmd} ${userna}@${chr} :execute \{/import filter.rsc\}"
		srm /tmp/filter.rsc
		echo "configuring routing domains"
		for chrgre in $(ssh "${userna}@${chr}" :foreach i in=[/interface gre find] do=\{:put [/interface gre get \$i name]\; \}); do
			gre=$(echo "${chrgre}"| sed 's/\r//g')
			com=$(ssh ixp.telecomlobby.com /int gre print where name="${gre}");
			comm=$(echo "${com}" | sed 's/\r//g')
			poplocalhostname=$(echo "${comm}" | awk 'NR==2' | sed "s|^.*;;; ||")
			echo "/ip firewall mangle add action=mark-connection chain=input connection-mark=no-mark  passthrough=yes dst-address=${chrid} in-interface=${gre} new-connection-mark=${poplocalhostname}"
			eval "${sshcmd} ${userna}@${chr} /ip firewall mangle add action=mark-connection chain=input connection-mark=no-mark  passthrough=yes dst-address=${chrid} in-interface=${gre} new-connection-mark=${poplocalhostname}"
			echo "/ip firewall mangle add action=mark-routing chain=output connection-mark=${poplocalhostname} new-routing-mark=${poplocalhostname} out-interface=!${gre} passthrough=yes src-address=${chrid}"
			eval "${sshcmd} ${userna}@${chr} /ip firewall mangle add action=mark-routing chain=output connection-mark=${poplocalhostname} new-routing-mark=${poplocalhostname} out-interface=!${gre} passthrough=yes src-address=${chrid}"
			echo "/ip route rule add routing-mark=${poplocalhostname} table=${poplocalhostname} action=lookup-only-in-table"
			eval "${sshcmd} ${userna}@${chr} /ip route rule add routing-mark=${poplocalhostname} table=${poplocalhostname} action=lookup-only-in-table"
			echo "/ip route add distance=1 gateway=${gre} routing-mark=${poplocalhostname} comment=\"from ${poplocalhostname} to ${chrid}\""
			eval "${sshcmd} ${userna}@${chr} /ip route add distance=1 gateway=${gre} routing-mark=${poplocalhostname} comment=\"from ${poplocalhostname} to ${chrid}\""
		done
		echo "starting remote install"
		for poplocalhostname in $(dig TXT openbsd.telecom.lobby +short | sed "s|\"||g" | tr ";" "\n" | awk NF); do
			ssh "${poplocalhostname}".telecom.lobby install -o "${userna}" -g wheel -m 0750 "${HOME}/Sources/Git/OpenBSD/src/mikrotik/openbsd/newchr.sh ${HOME}/Bin/"
			#[[ "${poplocalhostname}" == "varuna" ]] && poplocalhostname="neo"
			pophost=$(dig ipsec20591.${domainname} TXT +short @8.8.8.8 | sed "s/\"//g" | tr \; '\n' | sed '$d' | grep "${poplocalhostname}" | cut -d : -f1)".${domainname}"
			popip=$(dig A "${pophost}" +short)
			x="7"
			#[[ "${poplocalhostname}" == "neo" ]] && poplocalhostname="varuna"
			[[ "${poplocalhostname}" == "bhagavati" ]] && x="8"
			popgre=$(ssh ${userna}@${chr} int gre print where comment="${poplocalhostname}" | grep -E "gre-tunnel[0-9]{1,2}" | awk '{print $1}' | sed -e "s|name=||" -e "s|\"||g")
			let a=$(ssh ${userna}@${chr} ip addr print where interface="${popgre}" | grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" | head -n 1 | cut -d . -f4)+0
			md5=$(ssh ${userna}@${chr} routing ospf interface pr where interface="${popgre}" | awk '{print $7}' | grep -E '^.{15}$')
			greip="10.10.10."${a}
			b=$(expr $a + 1)
			popgreip="10.10.10."${b}
			mkdir "/tmp/${poplocalhostname}"
			cp "src/mikrotik/openbsd/"{iked.conf,hostname.enc,hostname.gre,ospfd.conf} "/tmp/${poplocalhostname}"
			mv "/tmp/${poplocalhostname}/hostname.gre" "/tmp/${poplocalhostname}/hostname.gre${x}"
			mv "/tmp/${poplocalhostname}/hostname.enc" "/tmp/${poplocalhostname}/hostname.enc${x}"
			for file in $(find "/tmp/${poplocalhostname}" -maxdepth 1 -type f); do
				sed -i "s|/PUBLICHOST/|${chr}|g" $file
				sed -i "s|/POPIP/|${popip}|g" $file
				sed -i "s|/PUBLICIP/|${chrpubip}|g" $file
				sed -i "s|/POPHOST/|${pophost}|g" $file
				sed -i "s|/POPLOCALHOSTNAME/|${poplocalhostname}|g" $file
				sed -i "s|/HOSTNAME/|${srcid}|g" $file
				sed -i "s|/POPGREIP/|${popgreip}|g" $file
				sed -i "s|/GREIP/|${greip}|g" $file
				sed -i "s|/X/|${x}|g" $file
				sed -i "s|/MD5/|${md5}|g" $file
			done

			tar -cvf /tmp/calli.tar -C /tmp "/tmp/${poplocalhostname}/"
			srm -r "/tmp/${poplocalhostname}"
			echo "uploading to ${poplocalhostname}..."
			scp /tmp/calli.tar "${poplocalhostname}.${localdomainname}:/tmp"
			srm "/tmp/calli.tar"
			#ssh "${poplocalhostname}.${localdomainname}" doas ksh /home/taglio/Bin/newchr.sh
		done
	;;
	"-LTE")
		read -p "Local or remote configuration?: [local|remote|next] " ctrl
		case "${ctrl}" in
			"local")
				read -p "In what world sector do you plan to install the LTE CPE?: [12|34|56] " geo
				declare -a ps
				dnsquery wa "openbsd"
				latencyquery wa ps
				ssh-keygen -f "${HOME}/.ssh/known_hosts" -R "192.168.88.1"

				cat "src/mikrotik/LTE/lte_basic.rsc" > "${tf}"
				read -p "Type the LTE router hostname: " hostname
				sed -i "s|/HOSTNAME/|${hostname}|g" "${tf}"
				read -p "Type the LTE router LTE provider: [digi|xenet] " provider
				sed -i "s|/PROVIDER/|${provider}|g" "${tf}"
				case "${provider}" in
					"digi")
						sed -i "s|/APN/|internet.digimobil.es|g" "${tf}"
						sed -i "s|/MMCMNC/|21407|g" "${tf}"
						sed -i "s|/MVNO/|DIGI|g" "${tf}"
					;;
					"xenet")
						sed -i "s|/APN/|datos|g" "${tf}"
						sed -i "s|/MMCMNC/|21403|g" "${tf}"
						sed -i "s|/MVNO/|PTVTELECOM|g" "${tf}"
					;;
					*)
					 	echo "Available MVNO Mobile Virtual Network Operator in Spain are DIGI or XENET"
					 	exit 1
					;;
				esac
				read -p "Type the LTE SIM PIN: " simpin
				sed -i "s|/SIMPIN/|${simpin}|g" "${tf}"
				read -p "Type the L2TP POP public hostname: " l2tppop
				sed -i "s|/L2TPPOP/|$(dig A ${l2tppop} +short | tr -d '\n')|g" "${tf}"
				read -p "Type the L2TP IPv4 binded: " l2tpip
				sed -i "s|/L2TPIP/${l2tpip}|g" "${tf}"
				sed -i "s|/L2TPPOP/|$(dig A ${l2tppop} +short | tr -d '\n')|g" "${tf}"
				l2tppwd=$(systemd-ask-password "Type the L2TP user password: ")
				sed -i "s|/L2TPPWD/|${l2tppwd}|g" "${tf}"
				l2tpipsec=$(systemd-ask-password "Type the L2TP IPSEC key: ")
				sed -i "s|/L2TPIPSEC/|${l2tpipsec}|g" "${tf}"
				usrpwd=$(systemd-ask-password "Type the router user password: ")
				sed -i "s|/USRPWD/|${usrpwd}|g" "${tf}"
				cat "${tf}"
			 	read -p "Go Ahead? [yes/no]: " ctrl
				[[ "${ctrl}" == "yes" ]] && (
					echo -e "Connecting to ${hostname} for first configuration..."
					c=$(capa3 "192.168.88.1" "wan")
					[[ "${c}" == 1 ]] && (
						scp -q -o StrictHostKeyChecking=no "${tf}" admin@192.168.88.1:/lte_basic.rsc
						scp -q -o StrictHostKeyChecking=no "${HOME}/.ssh/id_rsa.pub" admin@192.168.88.1:/
						eval "ssh -q -o StrictHostKeyChecking=no admin@192.168.88.1 :execute \{/import lte_basic.rsc\}"

					) || echo "${hostname} unreachable at default 192.168.88.1"
				)|| exit 1
			;;
			"next")
				echo -e "Getting variables..."
				ssh-keygen -f "/home/taglio/.ssh/known_hosts" -R "10.1.10.1"
				ddns=$(ssh 10.1.10.1 /ip cloud pr | grep -w dns\-name | awk '{print $2}' | tr -d '\n\r') ; echo -e "DDNS --> ${ddns}"
				imei=$(ssh 10.1.10.1 /int lte info lte1 once  | grep imei | awk '{print $2}' | tr -d '\n\r') ; echo -e "IMEI --> ${imei}"
				imsi=$(ssh 10.1.10.1 /int lte info lte1 once  | grep imsi | awk '{print $2}' | tr -d '\n\r') ; echo -e "IMSI --> ${imsi}"
				iccid=$(ssh 10.1.10.1 /int lte info lte1 once  | grep uicc | awk '{print $2}' | tr -d '\n\r' | sed "s|.$||") ; echo -e "ICCID --> ${iccid}"
				hostname=$(ssh 10.1.10.1 /sys id pr | awk '{print $2}' | sed '$d' | cut -d . -f1 | tr -d '\n\r')
				l2tppop=$(ssh 10.1.10.1 ":put [/int l2tp-client get [find user=${hostname}] comment;]" | tr -d '\n\r')
				l2tpphn=$(echo "${l2tppop}" | cut -d . -f1)
				read -p "Type the MSISDN: " msisdn
				echo -e "adding DDNS to ${l2tppop}"
				l2tplhn=$(dnsquery -MR "${l2tpphn}")
				counter=$(ssh "${l2tplhn}"."${LDN}" ":put [/ip firewall address-list get [find comment=${hostname}]] | grep -v such | wc -l")
				(( counter = 0 )) && (
					ssh "${l2tplhn}"."${LDN}" "/ip fire address-list add list=lte address=${ddns} comment=${hostname}"
				) || (
					ssh "${l2tplhn}"."${LDN}" "/ip fire address-list remove [ find comment=${hostname} ]"
					ssh "${l2tplhn}"."${LDN}" "/ip fire address-list add list=lte address=${ddns} comment=${hostname}"
				)
				echo "adding comment to MOTD onto ${hostname}"
				ssh 10.1.10.1 "/sys note set note=\"\nIMEI: ${imei}\nIMSI: ${imsi}\nICCID: ${iccid}\nMSISDN: ${msisdn}\""
				echo "Producing values..."
				phn=$(cat /dev/urandom | tr -dc '[:alpha:]' | fold -w 3 | head -n 1 |  tr '[:upper:]' '[:lower:]')
				echo "The public hostname is ${phn}.${PDN} and must resolve $(ssh 10.1.10.1 /ip addr pr where interface=l2tp-out1 | grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" | head -n 1 | tr -d '\n\r')"
				routerid="192.168.13.$(shuf -i 1-255 -n 1)"
				echo "The routerid is ${routerid}"
				read -p "Is ${hostname} a LTE router or a LTE CPE?: [router|cpe] " ctrl
				case "${ctrl}" in
					"router")
						lteadm="172.16.$(shuf -i 1-255 -n 1).0/24"
						echo "The LTE router ADM vlan is ${lteadm}"
						ltedata="172.16.$(shuf -i 1-255 -n 1).0/24"
						echo "The LTE router DATA vlan is ${ltedata}"
						lteham="172.16.$(shuf -i 1-255 -n 1).0/24"
						echo "The LTE router HAM vlan is ${lteham}"

					;;
					"cpe")
						echo "In this case ${hostname} will configured in the remote step as NAT router using 10.1.10.0/24 as ether1 network."
					;;
					*)
						echo "Type router or cpe!" ; exit 1
					;;
				esac

			;;
			"remote")
				read -p "Type LTE router public hostname: " lte
				phn=$(echo "${lte}" | cut -d . -f1)
				ltepubip=$(dig A "${lte}" +short)
				lhn=$(dnsquery -MR "${phn}")
				let counter=0
				counter=$(expr $counter + $(capa3 "${lte}" "wan"))
				if (( counter = 1 )); then
					echo "Layer three test passed..."
					pwd=$(passcheck "${lte}")
					ssh-keygen -f "$HOME/.ssh/known_hosts" -R "${lte}"
					if [[ $pwd = "0" ]]; then
						echo "SSH key present and valid"
						sshcmd="ssh -o StrictHostKeyChecking=no -o ConnectTimeout=5"
						scpcmd="scp -o StrictHostKeyChecking=no -o ConnectTimeout=5"
					elif [[ $pwd = "143" ]]; then
						echo "with password"
						password=$(systemd-ask-password "Enter ${lte} ${userna} password: ")
						sshcmd="sshpass -p ${password} ssh -o StrictHostKeyChecking=no -o ConnectTimeout=5"
						scpcmd="sshpass -p ${password} scp -o StrictHostKeyChecking=no -o ConnectTimeout=5"
					fi
				fi
				eval "${scpcmd} src/mikrotik/LTE-reset.rsc ${userna}@${lte}:/LTEreset.rsc"
				eval "${sshcmd} ${userna}@${lte} /import file-name=LTEreset.rsc"
				echo "configuring hostname, timezone, date, time"
				eval "${sshcmd} ${userna}@${lte} /sys id set name=${lhn}.${LDN}"
				eval "${sshcmd} ${userna}@${lte} /sys clock set time-zone-name=Europe/Madrid"
				ltedate=$(date +%b/%d/%Y)
				eval "${sshcmd} ${userna}@${lte} /system clock set date=${ltedate}"
				ltetime=$(TZ="Europe/Madrid" date | awk '{print $5}')
				eval "${sshcmd} ${userna}@${lte} /system clock set time=${ltetime}"
				echo "adding ${userna} RSA ssh key"
				[[ -e "$HOME/.ssh/id_rsa.pub" ]] || ssh-keygen -t rsa -C "${userna}@${localdomainname}"
				eval "${scpcmd} $HOME/.ssh/id_rsa.pub ${userna}@${lte}:/"
				eval "${sshcmd} ${userna}@${lte} /user ssh-keys remove [find user=${userna}] \; /user ssh-keys import user=${userna} public-key-file=id_rsa.pub"
				sshcmd="ssh -o StrictHostKeyChecking=no -o ConnectTimeout=5"
				scpcmd="scp -o StrictHostKeyChecking=no -o ConnectTimeout=5"
				echo "adding ${lte} common IPSEC settings"
				eval "${sshcmd} ${userna}@${lte} /ip ipsec policy group add name=group_ikev2_cert"
				eval "${sshcmd} ${userna}@${lte} /ip ipsec profile add dh-group=ecp384,modp3072 dpd-interval=30s dpd-maximum-failures=1 enc-algorithm=aes-256 hash-algorithm=sha256 name=LTE nat-traversal=yes"
				eval "${sshcmd} ${userna}@${lte} /ip ipsec proposal add auth-algorithms=sha256 enc-algorithms=aes-256-cbc lifetime=1h name=NSA pfs-group=none"
				rtdomain=$(tempfile)
				mk=$(dnsquery -R "mikrotik")
				mkphn=$(dnsquery -M "${mk}")
				mkip=$(dig A "${mkphn}.${PDN}" +short)
				for ipipsec in $(ssh ${userna}@${mk}.${LDN} /ip fire addr pr where list=ipsec | sed -e "s|^.*${mkip}.*$||" | awk '{print $3}' |  sed -e "/^$/d" | tail -n +3); do
					[[ $(dnsquery -TT "${ipipsec}" "openbsd") ]] && echo "/ip fire address-list add list=ipsec address=${ipipsec}" >> "${rtdomain}"
				done
				echo "/ip firewall mangle add action=mark-connection chain=output dst-address-list=ipsec new-connection-mark=ipsec passthrough=yes" >> "${rtdomain}"
				echo "/ip firewall mangle add action=mark-routing chain=output connection-mark=ipsec new-routing-mark=ipsec passthrough=no" >> "${rtdomain}"
				echo "/ip route rule add action=lookup-only-in-table routing-mark=ipsec table=ipsec" >> "${rtdomain}"
				echo "/ip route add comment=ipsec distance=1 gateway=lte1 routing-mark=ipsec" >> "${rtdomain}"
				eval "${scpcmd} ${rtdomain} ${userna}@${lte}:/rtdomains.rsc"
				eval "${sshcmd} ${userna}@${lte} /import file-name=rtdomains.rsc"
				srm "${rtdomain}"
				ipsecpeers=$(tempfile)
				echo ":foreach P in=[/ip ipsec peer find where dynamic=no] do={ /ip ipsec peer remove \$P }" > ${ipsecpeers}
				eval "${sshcmd} ${userna}@${mk}.${LDN} /ip ipsec peer export >> ${ipsecpeers}"
				sed -i "s|local-address=${mkip}||g" "${ipsecpeers}"
				sed -i "s|NSA-RECOMMENDED|LTE|g" "${ipsecpeers}"
				dnsquery wa "edgeos"
				for (( j=0; j<${#wa[@]}; j++ )); do
					tac "${ipsecpeers}"| sed '/'"${wa[j]}"'/{n;d;}' | tac | sed '/'"${wa[j]}"'/d' > "${ipsecpeers}"
				done
				#echo "/ip ipsec peer add name=calli_ikev2_cert address=5.134.119.135 local-address=${ltepubip} exchange-mode=ike2 profile=NSA-RECOMMENDED" >> ${ipsecpeers}
				eval "${scpcmd} ${ipsecpeers} ${userna}@${lte}:/ipsec_peers.rsc"
				srm "${ipsecpeers}"
				eval "${sshcmd} ${userna}@${lte} /import file-name=ipsec_peers.rsc"
				echo "installing local private and public key and peers public keys"
				read -p "Type local directory with p12 exported IPsec certificates: " p12dir
				ssh "${userna}@${lte}" ":foreach C in=[/certificate find] do={/certificate remove \$C}"
				eval "${scpcmd} ${p12dir}/${lhn}/${lte}.p12 ${userna}@${lte}:/"
				eval "${sshcmd} ${userna}@${lte} /certificate import file-name=${lte}.p12 name=${lte} passphrase=123456789"
				eval "${sshcmd} ${userna}@${lte} /certificate set [find name=${lte}_1] name=ca.telecomlobby.com"
				for certpath in $(find "${p12dir}" -name "*.p12"); do
					certfile=$(basename "${certpath}")
					peerpublichostname=$(echo "${certfile}" |  sed "s|.p12||")
					certdir=$(dirname "${certpath}")
					peerlocalhostname=$(echo "${certdir}" | sed "s|${p12dir}/||")
					tmpdir=$(mktemp -d)
					openssl pkcs12 -nodes -in "${certpath}" -clcerts -nokeys -passin pass:123456789 -passout pass:123456789 -out "$tmpdir/$peerlocalhostname.crt"
					eval "${scpcmd} $tmpdir/$peerlocalhostname.crt ${userna}@${lte}:/"
					eval "${sshcmd} ${userna}@${lte} /certificate import file-name=$peerlocalhostname.crt name=${peerpublichostname} passphrase=123456789"
					srm -r "${tmpdir}"
				done
				ipsecpeers=$(tempfile)
				echo ":foreach P in=[/ip ipsec identity find where dynamic=no] do={ /ip ipsec identity remove \$P }" > ${ipsecpeers}
				eval "${sshcmd} ${userna}@${mk}.${LDN} /ip ipsec identity export >> ${ipsecpeers}"
				sed -i "s|${mkphn}.${PDN}|${lte}|g" "${ipsecpeers}"
				sed -i "s|${mk}@|${lhn}@|g" "${ipsecpeers}"
				sed -i "s|.p12_[0-9]||" "${ipsecpeers}"
				eval "${scpcmd} ${ipsecpeers} ${userna}@${lte}:/ipsec_identity.rsc"
				eval "${sshcmd} ${userna}@${lte} /import file-name=ipsec_identity.rsc"
				#eval "${sshcmd} ${userna}@${lte} /ip ipsec identity add peer=calli_ikev2_cert auth-method=digital-signature remote-id=user-fqdn:calli@ca.telecomlobby.com match-by=certificate certificate="${lte}"remote-certificate=ixp.telecomlobby.com generate-policy=no policy-template-group=group_ikev2_cert"
				srm "${ipsecpeers}"
				ipsecpolicy=$(tempfile)
				eval "${sshcmd} ${userna}@${mk}.${LDN} /ip ipsec policy export > ${ipsecpolicy}"
				sed -i '/set/d' "${ipsecpolicy}"
				sed -i '/policy\ group/d' "${ipsecpolicy}"
				sed -i '/group_ikev2_cert/d' "${ipsecpolicy}"
				sed -i "s|src-address=${mkip}/32||g" "${ipsecpolicy}"
				for (( j=0; j<${#wa[@]}; j++ )); do
					sed -i '/'"${wa[j]}"'/{n;d;}' "${ipsecpolicy}"
					sed -i '/'"${wa[j]}"'/d' "${ipsecpolicy}"
				done
				#echo "/ip ipsec policy add dst-address=5.134.119.135/32 peer=calli_ikev2_cert proposal=NSA protocol=gre src-address=${ltepubip}" >> "${ipsecpolicy}"
				eval "${scpcmd} ${ipsecpolicy} ${userna}@${lte}:/ipsec_policy.rsc"
				eval "${sshcmd} ${userna}@${lte} /import file-name=ipsec_policy.rsc"
				echo "IPSec configured, going ahead..."
				srm "${ipsecpolicy}"
				#echo "Cleaning files"
				#eval "${scpcmd} src/mikrotik/file_clean.rsc ${userna}@${lte}:/"
				#eval "${sshcmd} ${userna}@${lte} :execute \{/import file_clean.rsc\}"
				echo "start to configure GRE interfaces"
				grepeers=$(tempfile)
				eval "${sshcmd} ${userna}@${mk}.${LDN} /interface gre export >> ${grepeers}"
				sed -i "s|local-address=${mkip}||g" "${grepeers}"
				for (( j=0; j<${#wa[@]}; j++ )); do
					sed -i '/'"${wa[j]}"'/{n;d;}' "${grepeers}"
					sed -i '/'"${wa[j]}"'/d' "${grepeers}"
				done
				eval "${scpcmd} ${grepeers} ${userna}@${lte}:/interface_gre.rsc"
				eval "${sshcmd} ${userna}@${lte} :execute \{/import interface_gre.rsc\}"
				srm "${grepeers}"
				echo "configuring routing OSPF filters"
				rtfilter=$(mktemp)
				echo "/routing filter" > "${rtfilter}"
				echo "add action=accept chain=ospf-in comment=\"insert HOST 192.168.13.0/24\" prefix=192.168.13.0/24 prefix-length=32" >> "${rtfilter}"
				echo "add action=accept chain=ospf-in comment=\"insert NET 172.16.16.0/22\" prefix=172.16.16.0/22 prefix-length=24" >> "${rtfilter}"
				echo "add action=accept chain=ospf-in comment=\"insert NET 10.0.0.0/8\" prefix=10.0.0.0/8 prefix-length=8" >> "${rtfilter}"
				randomop=$(dnsquery -R "openbsd")
				for host in $(ssh "${randomop}.${LDN}" cat /etc/pf.conf.table.{clientes,ipsec} | grep -v \# | awk NF | uniq | sed "s|${mkip}/32||" | sed "/^$/d"); do
					echo "add action=accept chain=ospf-in comment=\"insert HOST ${host}\" prefix=${host} prefix-length=32" >> "${rtfilter}"
				done
				echo "add action=discard chain=ospf-in comment=\"discard ALL\"" >> "${rtfilter}"
				echo "add action=accept chain=ospf-out comment=\"insert HOST 192.168.13.0/24\" prefix=192.168.13.0/24 prefix-length=32" >> "${rtfilter}"
				echo "add action=accept chain=ospf-out comment=\"insert NET 172.16.16.0/22\" prefix=172.16.16.0/22 prefix-length=24" >> "${rtfilter}"
				echo "add action=accept chain=ospf-out comment=\"insert NET 10.0.0.0/8\" prefix=10.0.0.0/8 prefix-length=8" >> "${rtfilter}"
				for host in $(ssh "${randomop}.telecom.lobby" cat /etc/pf.conf.table.{clientes,ipsec} | grep -v \# | awk NF | uniq | sed "s|${mkip}/32||" | sed "/^$/d"); do
					echo "add action=accept chain=ospf-out comment=\"insert HOST ${host}\" prefix=${host} prefix-length=32" >> "${rtfilter}"
				done
				echo "add action=discard chain=ospf-out comment=\"discard ALL\"" >> "${rtfilter}"
				eval "${scpcmd} ${rtfilter} ${userna}@${lte}:/rtfilter.rsc"
				eval "${sshcmd} ${userna}@${lte} :execute \{/import rtfilter.rsc\}"
				srm "${rtfilter}"
				read -p "Type the 100 vlan network prefix: " lteadm
				read -p "Type the 111 vlan network prefix: " ltedata
				read -p "Type the 43 vlan network prefix: " lteham
				echo "configuring layer 2 VLANs (router will be .254)"
				lteadmip=$(printf '%s' $(echo $lteadm | sed "s|0/24||")'254/24')
				ltedataip=$(printf '%s' $(echo $ltedata | sed "s|0/24||")'254/24')
				ltehamip=$(printf '%s' $(echo $lteham | sed "s|0/24||")'254/24')
				eval "${sshcmd} ${userna}@${lte} /int vlan add interface=ether1 vlan-id=100 comment=ADM"
				eval "${sshcmd} ${userna}@${lte}  /ip addr add interface=[/interface get [/interface vlan find where comment=\"ADM\"] name] address=${lteadmip} comment=ADM"
				eval "${sshcmd} ${userna}@${lte} /int vlan add interface=ether1 vlan-id=111 comment=DATA"
				eval "${sshcmd} ${userna}@${lte}  /ip addr add interface=[/interface get [/interface vlan find where comment=\"DATA\"] name] address=${ltedataip} comment=DATA"
				eval "${sshcmd} ${userna}@${lte} /int vlan add interface=ether1 vlan-id=43 comment=HAM"
				eval "${sshcmd} ${userna}@${lte}  /ip addr add interface=[/interface get [/interface vlan find where comment=\"HAM\"] name] address=${ltehamip} comment=HAM"
				eval "${sshcmd} ${userna}@${lte} /int vlan add interface=ether1 vlan-id=131 comment=PPPOE"
				eval "${sshcmd} ${userna}@${lte} /routing ospf interface add interface=[/interface get [/interface vlan find where comment=\"ADM\"] name] network-type=broadcast passive=yes"
				eval "${sshcmd} ${userna}@${lte} /routing ospf interface add interface=[/interface get [/interface vlan find where comment=\"DATA\"] name] network-type=broadcast passive=yes"
			    eval "${sshcmd} ${userna}@${lte} /routing ospf interface add interface=[/interface get [/interface vlan find where comment=\"HAM\"] name] network-type=broadcast passive=yes"
				read -p "Type the LTE routerid: " lteid
				echo "configuring OSPF daemon"
				eval "${sshcmd} ${userna}@${lte} /routing ospf instance set [ find default=yes ] redistribute-connected=as-type-2 redistribute-other-ospf=as-type-1 redistribute-static=as-type-2 router-id=${lteid}"
				eval "${sshcmd} ${userna}@${lte} /int bri add name=lo1 comment=\"router-id\" protocol-mode=none"
				eval "${sshcmd} ${userna}@${lte} /ip addr add address=${lteid}/32 interface=lo1"
				eval "${sshcmd} ${userna}@${lte} /routing ospf interface add authentication-key-id=100 cost=1 interface=lo1 network-type=broadcast passive=yes"
				eval "${sshcmd} ${userna}@${lte}  /routing ospf network add area=backbone network=${lteadm}"
				eval "${sshcmd} ${userna}@${lte}  /routing ospf network add area=backbone network=${ltedata}"
				eval "${sshcmd} ${userna}@${lte}  /routing ospf network add area=backbone network=${lteham}"
				eval "${sshcmd} ${userna}@${lte} /interface list add name=GRE"
				read -p "Type last broadcast or query the name server database? [bcast|dns]: " ctrl
				case "${ctrl}" in
					"bcast")
						read -p "Enter the last octet [0-255]: " lastnetwork
					;;
					"dns")
						lastnetwork=$(dig TXT gre7058."${PDN}" +short @8.8.8.8 | sed "s|\"||g")
					;;
				esac
				ospfinterface=$(mktemp)
				for ltegre in $(ssh "${userna}@${lte}" :foreach i in=[/interface gre find] do=\{:put [/interface gre get \$i name]\; \} | tr -d '\r'); do
					((lastnetwork == 255 )) && ((lastnetwork-=3)) || ((lastnetwork-=4))
					echo $lastnetwork
					firstip=$((lastnetwork + 1))
					secondip=$((lastnetwork + 2))
					a=$(eval "${sshcmd} ${userna}@${lte} :put [/int gre get [find name=${ltegre}] comment]" | tr -d '\r')"_ikev2_cert"
					eval "${sshcmd} ${userna}@${lte} /ip addr add address=10.10.9.${firstip}/30 interface=${ltegre}"
					eval "${sshcmd} ${userna}@${lte} /int gre set ${ltegre} local-address=203.0.113.${firstip} remote-address=203.0.113.${secondip}"
					eval "${sshcmd} ${userna}@${lte} /ip ipsec policy set [find peer=${a}] src-address=203.0.113.${firstip} dst-address=203.0.113.${secondip} tunnel=yes"
					eval "${sshcmd} ${userna}@${lte} /ip addr add address=203.0.113.${firstip}/30 interface=lo1"
					eval "${sshcmd} ${userna}@${lte} /routing ospf network add area=backbone network=10.10.9.${lastnetwork}/30"
					ospfmd5=$(tr -cd '[:alnum:],.' < /dev/random | fold -w 15 | head -n 1)
					eval "${sshcmd} ${userna}@${lte} /routing ospf interface add authentication=md5 authentication-key=${ospfmd5} network-type=point-to-point interface=${ltegre}"
					eval "${sshcmd} ${userna}@${lte} /interface list member add list=GRE interface=${ltegre}"
				done
				echo "configuring RouterOS web server access list and firewall address list"
				randomop=$(dnsquery -R "openbsd")
				echo "AAA ${randomop}"
				acweb=""
				for host in $(ssh "${randomop}.${LDN}" cat /etc/pf.conf.table.ipsec | grep -v \# | awk NF | uniq); do
				 	acweb+="${host},"
					eval "${sshcmd} ${userna}@${lte} /ip firewall address-list add list=servers address=${host}"
				done
				for host in $(ssh "${randomop}.${LDN}"  cat /etc/pf.conf.table.clientes | grep -v \# | awk NF | uniq); do
					eval "${sshcmd} ${userna}@${lte} /ip firewall address-list add list=otherswan address=${host}"
				done
				acweb=${acweb::-1}
				eval "${sshcmd} ${userna}@${lte} /ip service set www address=${acweb}"
				eval "${sshcmd} ${userna}@${lte} /ip firewall address-list add list=lan address=196.168.13.0/24"
				eval "${sshcmd} ${userna}@${lte} /ip firewall address-list add list=lan address=172.16.17.0/24"
				eval "${sshcmd} ${userna}@${lte} /ip firewall address-list add list=lan address=172.16.18.0/24"
				eval "${sshcmd} ${userna}@${lte} /ip firewall address-list add list=lan address=172.16.19.0/24"
				eval "${sshcmd} ${userna}@${lte} /ip firewall address-list add list=lan address=10.10.10.0/24"
				eval "${sshcmd} ${userna}@${lte} /ip firewall address-list add list=lan address=10.1.10.0/24"
				cp src/mikrotik/LTE/filter.rsc /tmp
				sed -i "s|/PUBLICIP/|${ltepubip}|g" /tmp/filter.rsc
				eval "${scpcmd} /tmp/filter.rsc ${userna}@${lte}:/filter.rsc"
				eval "${sshcmd} ${userna}@${lte} :execute \{/import filter.rsc\}"
				srm /tmp/filter.rsc
				echo "configuring routing domains"
				for ltegre in $(ssh "${userna}@${lte}" :foreach i in=[/interface gre find] do=\{:put [/interface gre get \$i name]\; \}); do
					gre=$(echo "${ltegre}"| sed 's/\r//g')
					com=$(ssh "${mk}.${LDN}" /int gre print where name="${gre}");
					comm=$(echo "${com}" | sed 's/\r//g')
					poplocalhostname=$(echo "${comm}" | awk 'NR==2' | sed "s|^.*;;; ||")
					echo "/ip firewall mangle add action=mark-connection chain=input connection-mark=no-mark  passthrough=yes dst-address=${lteid} in-interface=${gre} new-connection-mark=${poplocalhostname}" >> "${tf}"
					#eval "${sshcmd} ${userna}@${lte} /ip firewall mangle add action=mark-connection chain=input connection-mark=no-mark  passthrough=yes dst-address=${lteid} in-interface=${gre} new-connection-mark=${poplocalhostname}"
					echo "/ip firewall mangle add action=mark-routing chain=output connection-mark=${poplocalhostname} new-routing-mark=${poplocalhostname} out-interface=!${gre} passthrough=yes src-address=${lteid}" >> "${tf}"
					#eval "${sshcmd} ${userna}@${lte} /ip firewall mangle add action=mark-routing chain=output connection-mark=${poplocalhostname} new-routing-mark=${poplocalhostname} out-interface=!${gre} passthrough=yes src-address=${lteid}"
					echo "/ip route rule add routing-mark=${poplocalhostname} table=${poplocalhostname} action=lookup-only-in-table" >> "${tf}"
					#eval "${sshcmd} ${userna}@${lte} /ip route rule add routing-mark=${poplocalhostname} table=${poplocalhostname} action=lookup-only-in-table"
					echo "/ip route add distance=1 gateway=${gre} routing-mark=${poplocalhostname} comment=\"from ${poplocalhostname} to ${lteid}\"" >> "${tf}"
					#eval "${sshcmd} ${userna}@${lte} /ip route add distance=1 gateway=${gre} routing-mark=${poplocalhostname} comment=\"from ${poplocalhostname} to ${lteid}\""
				done
				eval "${scpcmd} "${tf}" ${userna}@${lte}:/rd.rsc"
				eval "${sshcmd} ${userna}@${lte} :execute \{/import rd.rsc\}"
				echo "starting OpenBSD remote install"
				([[ $(typeofvar wa) == "array" ]] && [[ $(echo ${#wa[@]}) != "0" ]]) && ( unset wa && declare -a wa ) || declare -a wa
				dnsquery wa "openbsd"
				for (( j=0; j<${#wa[@]}; j++ )); do
					c=0
					for i in $(ssh "${wa[j]}.${LDN}" ifconfig gre | grep gre*[0-9] | cut -d : -f1 |sed "s|gre||g"); do
						((c < i)) && c=$i
					done
					((c+=1))
					pophn=$(dnsquery -M "${wa[j]}")
					pip=$(dnsquery -R "${wa[j]}")
				 	mkgre=$(ssh ${userna}@${lte} int gre print where comment="${wa[j]}" | grep -E "gre-tunnel[0-9]{1,2}" | awk '{print $1}' | sed -e "s|name=||" -e "s|\"||g" | tr -d '\n\r')
					mkut=$(ssh ${userna}@${lte} ip addr print where interface="${mkgre}" | grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" | head -n 1 | cut -d . -f4 | tr -d '\n\r')
					md5=$(ssh ${userna}@${lte} routing ospf interface pr where interface="${mkgre}" | awk '{print $7}' | grep -E '^.{15}$')
					mynetname=$(ssh ${userna}@${lte}  ":put [/ip cloud get dns-name;]")
					poput=$((mkut + 1))
					[[ -e "/tmp/${wa[j]}" ]] || mkdir "/tmp/${wa[j]}" && (rm -rf /tmp/${wa[j]} ; mkdir "/tmp/${wa[j]}")
					cp "src/mikrotik/LTE/"{iked.conf,hostname.enc,hostname.gre,ospfd.conf} "/tmp/${wa[j]}"
					mv "/tmp/${wa[j]}/hostname.gre" "/tmp/${wa[j]}/hostname.gre${c}"
					mv "/tmp/${wa[j]}/hostname.enc" "/tmp/${wa[j]}/hostname.enc${c}"
					for file in $(find "/tmp/${wa[j]}/" -maxdepth 1 -type f); do
						sed -i "s|/PUBLICHOST/|${lte}|g" $file
						sed -i "s|/POPIP/|${pip}|g" $file
						sed -i "s|/PUBLICIP/|${ltepubip}|g" $file
						sed -i "s|/POPHOST/|${pophn}.${PDN}|g" $file
						sed -i "s|/POPLOCALHOSTNAME/|${wa[j]}|g" $file
						sed -i "s|/HOSTNAME/|${lhn}|g" $file
						sed -i "s|/POPGREIP/|10.10.9.${poput}|g" $file
						sed -i "s|/ENCPOPIP/|203.0.113.${poput}|g" $file
						sed -i "s|/GREIP/|10.10.9.${mkut}|g" $file
						sed -i "s|/ENCLTEIP/|203.0.113.${mkut}|g" $file
						sed -i "s|/X/|${c}|g" $file
						sed -i "s|/MD5/|${md5}|g" $file
						sed -i "s|/MYNETNAME/|${mynetname}|g" $file
					done
					tar -cvf /tmp/"${lhn}".tar -C /tmp "/tmp/${wa[j]}/"
					srm -r "/tmp/${wa[j]}"
					echo "uploading to ${wa[j]}..."
					scp /tmp/"${lhn}".tar "${wa[j]}.${LDN}:/tmp"
					#ssh "${wa[j]}.${LDN}" cp "src/etc/iked/pubkeys/${lhn}@ca.telecomlobby.com" /etc/iked/pubkeys

				done
				read -p "Have you updated lte pf table? [yes|no]: " ctrl
				case "${ctrl}" in
					"yes")
						for (( j=0; j<${#wa[@]}; j++ )); do
							ssh "${wa[j]}.${LDN}" cp "/home/${userna}/Sources/Git/OpenBSD/src/mikrotik/openbsd/newchr.sh" /home/"${userna}"/Bin
							ssh "${wa[j]}.${LDN}" doas ksh /home/"${userna}"/Bin/newchr.sh
						done

					;;
					"no")
						exit 1
					;;
					*)
						exit 1
					;;
				esac


			;;
		esac
	;;
	#[workstation]
	"-RS")
		lanhost=
		while [ -z $lanhost ]
		do
			echo 'Type the LAN hostname '
			read lanhost
		done
		pubhost=
		while [ -z $pubhost ]
		do
			echo 'Type the public hostname '
			read pubhost
		done
		hash=
		while [ -z $hash ]
		do
			echo 'Type the ED25519 hash '
			read hash
		done
		if [[ $(grep -c $lanhost src/etc/ssh/remote_install/authorized_keys) -gt 0 ]]; then
			for linenum in $(grep -n $lanhost src/etc/ssh/remote_install/authorized_keys | cut -d : -f1); do
				sed -i "$linenum"d src/etc/ssh/remote_install/authorized_keys
			done
		fi

		echo "ssh-ed25519 $hash root@$lanhost" >> src/etc/ssh/remote_install/authorized_keys
		#	if [[ $(grep -c $pubhost src/etc/ssh/ssh_known_hosts) -gt 0 ]]; then
		#		for linenum in $(grep -n $pubhost src/etc/ssh/ssh_known_hosts | cut -d : -f1); do
		#			sed -i "$linenum"d src/etc/ssh/ssh_known_hosts
		#		done
		#	fi
		#
		#	echo "# $pubhost:31137 SSH-2.0-OpenSSH_8.6" >> src/etc/ssh/ssh_known_hosts
		#	echo "[$pubhost]:31137 ssh-ed25519 $hash" >> src/etc/ssh/ssh_known_hosts
		echo -e "remote_install/authorized_keys and ssh_known_hosts UPDATED
		\n please use git_openbsd.sh to update the public GIT"
	;;
	"-K")
		ikedpub=
		while [ -z $ikedpub ]
		do
			echo 'Type the PATH to the new iked PK12 file '
			read ikedpub
		done
		tmpdir=$(mktemp -d)
		pk12=$(basename $ikedpub)
		publichost=$(echo $pk12 | sed 's/.p12//')
		phn=$(echo $publichost | cut -d . -f1)
		lhn=$(dnsquery -MR "${phn}")
		ssh-keygen -f "${HOME}/.ssh/known_hosts" -R "$publichost"
		scp $ikedpub "${userna}@$publichost:/tmp"
		openssl pkcs12 -nodes -in $ikedpub -nocerts -passin pass:123456789 -passout pass:123456789 -out "$tmpdir/local.key"
		openssl pkcs12 -nodes -in $ikedpub -clcerts -nokeys -passin pass:123456789 -passout pass:123456789 -out "src/etc/iked/certs/${publichost}.crt"
		openssl x509 -pubkey -noout -passin pass:123456789 -in "src/etc/iked/certs/${publichost}.crt"  > src/etc/iked/pubkeys/ufqdn/"$lhn@ca.$PDN"
		cp "src/etc/iked/pubkeys/ufqdn/$lhn@ca.$PDN" "src/etc/iked/pubkeys/fqdn/${publichost}"
		rm -rf $tmpdir
		echo -e "$lhn@ca.$PDN created please update repository and all the others Openbsd hosts"
	;;
	"-Z")
		comdomains=
		echo -e "Type the two .com domains (the principle and the secondary) divided by a comma: "
		read comdomains
		principledomain=$(printf $comdomains | cut -d , -f1)
		secondarydomain=$(printf $comdomains | cut -d , -f2)
		for domain in $(printf "$comdomains" | xargs -d, -n1); do
			echo -e "\n$domain: "
			whois $domain | grep "Name Server" | grep -v "^Name"
			dnssec=$(whois $domain| grep DNSSEC | grep -c "unsigned")
			[[ $dnssec > 0 ]] && echo -e "\nDNSSEC not enable onto $domain!" || echo -e "\nDNSSEC enabled onto $domain!"
			echo "<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>"
		done
		echo -e "You've got servers in:\n"
		for vpnc_host in $(dig openbsd.${LDN} TXT +short | sed "s/\"//g" | tr \; '\n' | sed '$d'); do

			local=$(ssh -o StrictHostKeyChecking=no -o ConnectTimeout=3  -o ConnectionAttempts=1 -q $vpnc_host.${LDN} readlink /etc/localtime  | sed "s/\/usr\/share\/zoneinfo\///")
			zonetab=$(ssh -o StrictHostKeyChecking=no -o ConnectTimeout=3  -o ConnectionAttempts=1 -q $vpnc_host.${LDN} cat /usr/share/zoneinfo/zone.tab | grep $local)
			[[ $zonetab ]] && echo -e "\n$zonetab\n" || echo -e "\n$local\n"
			publicip=$(ssh -o StrictHostKeyChecking=no -o ConnectTimeout=3  -o ConnectionAttempts=1 -q $vpnc_host.${LDN} ifconfig egress | grep inet |grep -v inet6 | cut -d ' ' -f2)
			curl -s "http://ipinfo.io/$publicip" | sed '/readme/d'
			loc=$(curl -s "http://ipinfo.io/$publicip" | grep loc | awk '{print $2}' | sed 's/.$//' | sed "s/\"//g")
			long=$(echo $loc | cut -d , -f2 | cut -d . -f1)
			lat=$(echo $loc | cut -d , -f1 | cut -d . -f1)
			country=$(curl -s "http://ipinfo.io/$publicip" | grep country | awk '{print $2}' | sed 's/.$//' | sed "s/\"//g")
			continent=$(grep "${country}" cndb/* | cut -d / -f2 | cut -d : -f1)
			echo -e "\nLAT --> $lat"
			echo -e "LONG --> $long\n"
			if [[ $long -ge -180 && $long -le -60 && $lat -ge 0 ]]; then group=12 && ospfarea="0.0.1.2" && G12+=("$vpnc_host"); fi
			if [[ $long -ge -60 && $long -le 60 && $lat -ge 0 ]]; then group=34 && ospfarea="0.0.3.4" && G34+=("$vpnc_host"); fi
			if [[ $long -ge 60 && $long -le 180 && $lat -ge 0 ]]; then group=56 && ospfarea="0.0.5.6" && G56+=("$vpnc_host"); fi
			if [[ $long -ge -180 && $long -le -60 && $lat -le 0 ]]; then group=12 && ospfarea="0.0.1.2" && G12+=("$vpnc_host"); fi
			if [[ $long -ge -60 && $long -le 60 && $lat -le 0 ]]; then group=34 && ospfarea="0.0.3.4" && G34+=("$vpnc_host"); fi
			if [[ $long -ge 60 && $long -le 180 && $lat -le 0 ]]; then group=56 && ospfarea="0.0.5.6" && G56+=("$vpnc_host"); fi
			echo -e "GROUP --> $group"
			echo -e "BACKBONE OSPFAREA 0.0.0.0"
			echo -e "GEO OSPFAREA --> $ospfarea"
			echo -e "CONTINENT --> $continent\n"
		done
		[[ ${#G12[@]} > 1 ]] && rand12p=$[$RANDOM % ${#G12[@]}] || rand12p="${G12[0]}"
		[[ ${#G34[@]} > 1 ]] && rand34p=$[$RANDOM % ${#G34[@]}] || rand34p="${G34[0]}"
		[[ ${#G56[@]} > 1 ]] && rand56p=$[$RANDOM % ${#G56[@]}] || rand56p="${G56[0]}"
		echo -e "The master PowerDNS server for $principledomain in the group 34 is ${G34[$rand34p]} in the group 12 is ${G12[$rand12p]} and in the group 56 is ${G56[$rand56p]}"
		publicip=$(ssh -o StrictHostKeyChecking=no -o ConnectTimeout=3  -o ConnectionAttempts=1 -q ${G34[$rand34p]}.${LDN} ifconfig egress | grep inet |grep -v inet6 | cut -d ' ' -f2)
		nsd34p=$(curl -s "http://ipinfo.io/$publicip" | grep hostname | awk '{print $2}' | sed 's/.$//' | sed "s/\"//g" | sed "s/$principledomain/$secondarydomain/" | tr '[:lower:]' '[:upper:]')
		routerid34p=$(dig "${G34[$rand34p]}.${LDN}" A +short)
		publicip=$(ssh -o StrictHostKeyChecking=no -o ConnectTimeout=3  -o ConnectionAttempts=1 -q ${G12[$rand12p]}.${LDN} ifconfig egress | grep inet |grep -v inet6 | cut -d ' ' -f2)
		nsd12p=$(curl -s "http://ipinfo.io/$publicip" | grep hostname | awk '{print $2}' | sed 's/.$//' | sed "s/\"//g" | sed "s/$principledomain/$secondarydomain/" | tr '[:lower:]' '[:upper:]')
		routerid12p=$(dig "${G12[$rand12p]}.${LDN}" A +short)
		publicip=$(ssh -o StrictHostKeyChecking=no -o ConnectTimeout=3  -o ConnectionAttempts=1 -q ${G56[$rand56p]}.${LDN} ifconfig egress | grep inet |grep -v inet6 | cut -d ' ' -f2)
		nsd56p=$(curl -s "http://ipinfo.io/$publicip" | grep hostname | awk '{print $2}' | sed 's/.$//' | sed "s/\"//g" | sed "s/$principledomain/$secondarydomain/" | tr '[:lower:]' '[:upper:]')
		routerid56p=$(dig "${G56[$rand56p]}.${LDN}" A +short)
		#masterp34slave12=$(ssh -o StrictHostKeyChecking=no -o ConnectTimeout=3  -o ConnectionAttempts=1 -q "${G34[$rand34p]}.${LDN}" ospfctl show fib | grep "$routerid12p" | awk '{print $4}')
		#masterp34gre12=$(ssh -o StrictHostKeyChecking=no -o ConnectTimeout=3  -o ConnectionAttempts=1 -q "${G34[$rand34p]}.${LDN}" ifconfig | grep $masterp34slave12 | awk '{print $2}')
		#masterp34slave56=$(ssh -o StrictHostKeyChecking=no -o ConnectTimeout=3  -o ConnectionAttempts=1 -q "${G34[$rand34p]}.${LDN}" ospfctl show fib | grep "$routerid56p" | awk '{print $4}')
		#masterp34gre56=$(ssh -o StrictHostKeyChecking=no -o ConnectTimeout=3  -o ConnectionAttempts=1 -q "${G34[$rand34p]}.${LDN}" ifconfig | grep $masterp34slave56 | awk '{print $2}')
		#slavep12master34=$(ssh -o StrictHostKeyChecking=no -o ConnectTimeout=3  -o ConnectionAttempts=1 -q "${G12[$rand12p]}.${LDN}" ospfctl show fib | grep "$routerid34p" | awk '{print $4}')
		#slavep12gre34=$(ssh -o StrictHostKeyChecking=no -o ConnectTimeout=3  -o ConnectionAttempts=1 -q "${G12[$rand12p]}.${LDN}" ifconfig | grep $slavep12master34 | awk '{print $2}')
		#slavep56master34=$(ssh -o StrictHostKeyChecking=no -o ConnectTimeout=3  -o ConnectionAttempts=1 -q "${G56[$rand56p]}.${LDN}" ospfctl show fib | grep "$routerid34p" | awk '{print $4}')
		#slavep56gre34=$(ssh -o StrictHostKeyChecking=no -o ConnectTimeout=3  -o ConnectionAttempts=1 -q "${G56[$rand56p]}.${LDN}" ifconfig | grep $slavep56master34 | awk '{print $2}')
		epoch=$(date +%s)
		if [[ ! -e "../db/domains.sqlite3" ]]; then
			echo -e "initialize sqlite3 domains local database"
			sqlite3 "../db/domains.sqlite3" < "src/openbsd/db.sql"

		else
			echo -e "erasing and initializing sqlite3 domains local database"
			sqlite3 "../db/domains.sqlite3" "DROP TABLE domains;"
			sqlite3 "../db/domains.sqlite3" < "src/openbsd/db.sql"
		fi
		sqlite3 "../db/domains.sqlite3" "INSERT INTO domains (name,ns34,ns12,ns56,last_update)  values (\"$principledomain\",\"$routerid34p\",\"$routerid12p\",\"$routerid56p\",$epoch);"
		if [ $dnssec = 0 ]; then
			dnssec_keyid=$(whois "${principledomain}" | grep DNSSEC\ DS | awk '{print $4}' | head -n 1)
			sqlite3 "../db/domains.sqlite3" "UPDATE domains SET dnssec = 0, dnssec_keyid = ${dnssec_keyid} WHERE name = ${principledomain};"
		fi
		echo -e "Please configure WHOIS server for $principledomain with:"
		printf '%s\n' $nsd34p
		printf '%s\n' $nsd12p
		printf '%s\n' $nsd56p
		echo -e "Useful PowerDNS parameters:"
		printf '%s\t%s\t%s\n' $routerid34p #$masterp34gre12 $masterp34gre56
		printf '%s\t%s\n' $routerid12p #$slavep12gre34
		printf '%s\t%s\n' $routerid56p #$slavep56gre34
		[[ ${#G12[@]} > 1 ]] && rand12s=$[$RANDOM % ${#G12[@]}] || rand12s="${G12[0]}"
		[[ ${#G34[@]} > 1 ]] && rand34s=$[$RANDOM % ${#G34[@]}] || rand34s="${G34[0]}"
		[[ ${#G56[@]} > 1 ]] && rand56s=$[$RANDOM % ${#G56[@]}] || rand56s="${G56[0]}"
		echo -e "The master PowerDNS server for $secondarydomain in the group 34 is ${G34[$rand34s]} slaves are in the group 12 ${G12[$rand12s]} and in the group 56 ${G56[$rand56s]}"
		publicip=$(ssh -o StrictHostKeyChecking=no -o ConnectTimeout=3  -o ConnectionAttempts=1 -q ${G34[$rand34s]}.${LDN} ifconfig egress | grep inet |grep -v inet6 | cut -d ' ' -f2)
		nsd34s=$(curl -s "http://ipinfo.io/$publicip" | grep hostname | awk '{print $2}' | sed 's/.$//' | sed "s/\"//g" | tr '[:lower:]' '[:upper:]')
		routerid34s=$(dig "${G34[$rand34s]}.${LDN}" A +short)
		publicip=$(ssh -o StrictHostKeyChecking=no -o ConnectTimeout=3  -o ConnectionAttempts=1 -q ${G12[$rand12s]}.${LDN} ifconfig egress | grep inet |grep -v inet6 | cut -d ' ' -f2)
		nsd12s=$(curl -s "http://ipinfo.io/$publicip" | grep hostname | awk '{print $2}' | sed 's/.$//' | sed "s/\"//g" | tr '[:lower:]' '[:upper:]')
		routerid12s=$(dig "${G12[$rand12s]}.${LDN}" A +short)
		publicip=$(ssh -o StrictHostKeyChecking=no -o ConnectTimeout=3  -o ConnectionAttempts=1 -q ${G56[$rand56s]}.${LDN} ifconfig egress | grep inet |grep -v inet6 | cut -d ' ' -f2)
		nsd56s=$(curl -s "http://ipinfo.io/$publicip" | grep hostname | awk '{print $2}' | sed 's/.$//' | sed "s/\"//g" | tr '[:lower:]' '[:upper:]')
		routerid56s=$(dig "${G56[$rand56s]}.${LDN}" A +short)
		#masters34slave12=$(ssh -o StrictHostKeyChecking=no -o ConnectTimeout=3  -o ConnectionAttempts=1 -q "${G34[$rand34s]}.${LDN}" ospfctl show fib | grep "$routerid12s" | awk '{print $4}')
		#masters34gre12=$(ssh -o StrictHostKeyChecking=no -o ConnectTimeout=3  -o ConnectionAttempts=1 -q "${G34[$rand34s]}.${LDN}" ifconfig | grep $masters34slave12 | awk '{print $2}')
		#masters34slave56=$(ssh -o StrictHostKeyChecking=no -o ConnectTimeout=3  -o ConnectionAttempts=1 -q "${G34[$rand34s]}.${LDN}" ospfctl show fib | grep "$routerid56s" | awk '{print $4}')
		#masters34gre56=$(ssh -o StrictHostKeyChecking=no -o ConnectTimeout=3  -o ConnectionAttempts=1 -q "${G34[$rand34s]}.${LDN}" ifconfig | grep $masters34slave56 | awk '{print $2}')
		#slaves12master34=$(ssh -o StrictHostKeyChecking=no -o ConnectTimeout=3  -o ConnectionAttempts=1 -q "${G12[$rand12s]}.${LDN}" ospfctl show fib | grep "$routerid34s" | awk '{print $4}')
		#slaves12gre34=$(ssh -o StrictHostKeyChecking=no -o ConnectTimeout=3  -o ConnectionAttempts=1 -q "${G12[$rand12s]}.${LDN}" ifconfig | grep $slaves12master34 | awk '{print $2}')
		#slaves56master34=$(ssh -o StrictHostKeyChecking=no -o ConnectTimeout=3  -o ConnectionAttempts=1 -q "${G56[$rand56s]}.${LDN}" ospfctl show fib | grep "$routerid34s" | awk '{print $4}')
		#slaves56gre34=$(ssh -o StrictHostKeyChecking=no -o ConnectTimeout=3  -o ConnectionAttempts=1 -q "${G56[$rand56s]}.${LDN}" ifconfig | grep $slaves56master34 | awk '{print $2}')
		echo -e "Please configure WHOIS server for $secondarydomain with:"
		printf '%s\n' $nsd34s
		printf '%s\n' $nsd12s
		printf '%s\n' $nsd56s
		echo -e "Useful PowerDNS parameters:"
		printf '%s\t%s\t%s\n' $routerid34s #$masters34gre12 $masters34gre56
		printf '%s\t%s\n' $routerid12s #$slaves12gre34
		printf '%s\t%s\n' $routerid56s #$slaves56gre34
		tsig256s=$(dd if=/dev/urandom of=/dev/stdout count=1 bs=64 status=none | openssl base64)
		tmpupload=$(mktemp)
		ctrl=
		while true; do
			read -p "Start configuring $secondarydomain onto native PowerDNS for ${G34[$rand34s]}? yes/no: " ctrl
			case $ctrl in
				[yY]*)
					echo $routerid12s > $tmpupload && echo $routerid56s >> $tmpupload && echo ${tsig256s} | tr -d ' ' >> $tmpupload && echo $secondarydomain >> $tmpupload
					scp $tmpupload "${G34[$rand34s]}.${LDN}:/tmp/powernsd_distributed"
					ssh -o StrictHostKeyChecking=no -o ConnectTimeout=3  -o ConnectionAttempts=1 -t "${G34[$rand34s]}.${LDN}"  doas ksh "/home/taglio/Sources/Git/OpenBSD/setup_node" -D powerdns #distributed
					break
				;;
				[nN]*)
					echo 'Ok, going ahead'
					break
				;;
				*)
					echo 'Invalid input' >&2
			esac
		done
		ctrl=
		while true; do
			read -p "Continue with configuring $secondarydomain onto native PowerDNS for ${G12[$rand12s]}? yes/no: " ctrl
			case $ctrl in
				[yY]*)
					echo $masters34slave12 > $tmpupload && echo ${tsig256s} | tr -d ' ' >> $tmpupload && echo $secondarydomain >> $tmpupload
					scp $tmpupload "${G12[$rand12s]}.${LDN}:/tmp/powerdns_distributed"
					ssh -o StrictHostKeyChecking=no -o ConnectTimeout=3  -o ConnectionAttempts=1 -t "${G12[$rand12s]}.${LDN}"  doas ksh "/home/taglio/Sources/Git/OpenBSD/setup_node" -D powerdns #distributed
					break
				;;
				[nN]*)
					echo 'Ok, going ahead'
					break
				;;
				*)
					echo 'Invalid input' >&2
			esac
		done
		ctrl=
		while true; do
			read -p "Continue with configuring $secondarydomain onto native PowerDNS for ${G56[$rand56s]}? yes/no: " ctrl
			case $ctrl in
				[yY]*)
					echo $masters34slave56 > $tmpupload && echo ${tsig256s} | tr -d ' ' >> $tmpupload && echo $secondarydomain >> $tmpupload
					scp $tmpupload "${G56[$rand56s]}.${LDN}:/tmp/powernsd_distributed"
					ssh -o StrictHostKeyChecking=no -o ConnectTimeout=3  -o ConnectionAttempts=1 -t "${G56[$rand56s]}.${LDN}"  doas ksh "/home/taglio/Sources/Git/OpenBSD/setup_node" -D powerdns #distributed
					break
				;;
				[nN]*)
					echo 'Ok, going ahead'
					break
				;;
				*)
					echo 'Invalid input' >&2
			esac
		done
		echo -e "Secondary domain $secondarydomain configured"
	;;
	"-U")
		if [[ ! -d "$HOME/.ssh/Backup$daterelease" ]]; then
			mkdir "$HOME/.ssh/Backup$daterelease"
		else
			rm -rf "$HOME/.ssh/Backup$daterelease"
			mkdir "$HOME/.ssh/Backup$daterelease"
		fi
		if [[ -e "$HOME/.ssh/id_ed25519" ]]; then
			mv $HOME/.ssh/{id_ed25519,id_ed25519.pub,id_ed25519-cert.pub} "$HOME/.ssh/Backup$daterelease"
		fi
		ssh-keygen -t ed25519 -C "taglio@${LDN}"
		cat "$HOME/.ssh/id_ed25519.pub" > "$HOME/Work/telecom.lobby/altBSD_network/src/etc/ssh/authorized_keys"
		sed -i "s|^Public.*|Public ssh key for user = $(cat $HOME/.ssh/id_ed25519.pub)|" installation/install-vps.conf
		pwdfile=$(mktemp)
		# Read Password
		password=$(systemd-ask-password "Enter CA password: ")
		# Run Command
		echo $password > $pwdfile
		echo -n Type the mounted FAT32 pen drive directory:
		read fat32pen
		if [[ ! -d "$fat32pen" ]]; then
			mkdir "$fat32pen/CA_update"
		else
			rm -rf  "$fat32pen/CA_update"
			mkdir "$fat32pen/CA_update"
		fi
		cp "$HOME/.ssh/id_ed25519.pub" "$fat32pen/CA_update"
		cp  $pwdfile "$fat32pen/CA_update/capwd.txt"
		srm $pwdfile
		umount $fat32pen
		ctrl=
		while [ -z $ctrl ]
		do
			echo -e "Ready? type 1 "
			read ctrl
		done
		cp "$fat32pen/CA_update/id_ed25519-cert.pub" "$HOME/.ssh/"
		srm "$fat32pen/CA_update/"
	;;

	"-CI")
		read -p "Build IPv4 static custom installation template? yes/no: " ctrl
		if [[ "${ctrl}" == "yes" ]]; then
			template=$(mktemp)
			read -p "Type IPv4 address for vio0: " ip
			cat installation/template-static.conf > "${template}"
			sed -i "s|/IP/|${ip}|" "${template}"
			read -p "Type netmask for vio0: " netmask
			sed -i "s|/NETMASK/|${netmask}|" "${template}"
			read -p "Type default IPv4 route: " router
			sed -i "s|/ROUTER/|${router}|" "${template}"
			sed -i "s|/EDDSA/|$(cat $HOME/.ssh/id_ed25519.pub)|" "${template}"
			mv "${template}" installation/install-static.conf
			ctrl=""
		fi
		read -p "Build custom size disklabel? yes/no: " ctrl
		if [[ "${ctrl}" == "yes" ]]; then
			template=$(mktemp)
			cat installation/disk-template > "${template}"
			read -p "Type size in GB: " root
			let root-=1
			sed -i "s|/ROOT/|${root}|" "${template}"
			mv "${template}" installation/customdisklabel
		fi
		echo -e "Files added, please update the repository and remember to use https://bit.ly/3HD0Wne"
	;;
	"-GEO")
		read -p "Type public IP: " geoip
		curl -s "http://ipinfo.io/$geoip" | sed '/readme/d'
		loc=$(curl -s "http://ipinfo.io/$geoip" | grep loc | awk '{print $2}' | sed 's/.$//' | sed "s/\"//g")
		long=$(echo $loc | cut -d , -f2 | cut -d . -f1)
		lat=$(echo $loc | cut -d , -f1 | cut -d . -f1)
		country=$(curl -s "http://ipinfo.io/$geoip" | grep country | awk '{print $2}' | sed 's/.$//' | sed "s/\"//g")
		continent=$(grep "${country}" cndb/* | cut -d / -f2 | cut -d : -f1)
		echo -e "\nLAT --> $lat"
		echo -e "LONG --> $long\n"
		[[ $long -ge -180 && $long -le -60 && $lat -ge 0 ]] && group=12
		[[ $long -ge -60 && $long -le 60 && $lat -ge 0 ]] && group=34
		[[ $long -ge 60 && $long -le 180 && $lat -ge 0 ]] && group=56
		[[ $long -ge -180 && $long -le -60 && $lat -le 0 ]] && group=12
		[[ $long -ge -60 && $long -le 60 && $lat -le 0 ]] && group=34
		[[ $long -ge 60 && $long -le 180 && $lat -le 0 ]] && group=56
		echo -e "GROUP --> $group"
		read -p "Do you want to add it to correct firewall address-group into EdgeOS: yes/no " ctrl
		case "${ctrl}" in
			"yes")
				edgescript=$(mktemp)
				echo "/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper begin" > "${edgescript}"
				ssh -q indra.telecom.lobby sudo ipset list "${group}" | grep "${geoip}"  &> /dev/null
				if [ $? -eq 0 ]; then
					echo "already present"
					exit 0
				fi
				echo "/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set firewall group address-group ${group} address ${geoip}" >> $edgescript
				echo "/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper commit" >> $edgescript
				echo "/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper save" >> $edgescript
				cat "${edgescript}"
				read -p "OK? yes/no " c
				case "${c}" in
					"yes")
						cat "${edgescript}" | ssh -q indra.telecom.lobby
					;;
					"no")
						exit 1
					;;
					*)
						exit 1
					;;
				esac
			;;
			"no")
				exit 0
			;;
			*)
				exit 1
			;;
		esac
	;;
	"-GR6")
		for vpnc_host in $(dig openbsd.${LDN} TXT +short | sed "s/\"//g" | tr \; '\n' | sed '$d'); do
			ssh $vpnc_host.${LDN}  [[ -e /tmp/ipv6 ]]
			[ $? -eq 0 ] && ssh  $vpnc_host.${LDN} rm -rf /tmp/ipv6
		done
		for vpnc_host in $(dig openbsd.${LDN} TXT +short | sed "s/\"//g" | tr \; '\n' | sed '$d'); do
			ssh $vpnc_host.${LDN}  [[ -e /tmp/ipv6 ]]
			[ $? -eq 1 ] && ssh  $vpnc_host.${LDN} touch /tmp/ipv6
			echo -e "Calculating IPv6 RouterID of $vpnc_host"
			echo "fd13:$(printf "%x\n" $(ssh $vpnc_host.${LDN} ifconfig vether0 | grep -w inet | awk '{print $2}' | cut -d . -f4))::/128"
			routeridv6=$(echo "fd13:$(printf "%x\n" $(ssh $vpnc_host.${LDN} ifconfig vether0 | grep -w inet | awk '{print $2}' | cut -d . -f4))::/128")
			[[ $(ssh $vpnc_host.${LDN} grep -c vether0 /tmp/ipv6) -eq 0 ]] && ssh $vpnc_host.${LDN} "echo vether0 ${routeridv6} >> /tmp/ipv6"
			for gre in $(ssh $vpnc_host.${LDN} ls /etc/hostname.gre? | cut -d . -f2); do
				ssh $vpnc_host.${LDN} cat /tmp/ipv6 | grep "${gre}" &>/dev/null
				if [ $? -eq 1 ]; then
					if [ $(ssh $vpnc_host.${LDN} grep -c inet6 /etc/hostname."${gre}") -eq 0 ]; then
						id=$(echo "${gre}" | sed "s|gre||")
						endpoint=$(ssh $vpnc_host.${LDN} cat /etc/hostname."${gre}" | grep description | sed -e "s|description ||" -e 's|"||g')
						echo -e "ULA for ${gre} for $vpnc_host for tunnel with ${endpoint} is $(echo "${routeridv6}" | sed "s|::/128||"):$(printf "%x\n" "${id}")::/127"
						[[ $(ssh $vpnc_host.${LDN} grep -c ${gre} /tmp/ipv6) -eq 0 ]] && ssh $vpnc_host.${LDN} "echo ${gre} $(echo "${routeridv6}" | sed "s|::/128||"):$(printf "%x\n" "${id}")::/127 >> /tmp/ipv6"
						ephm=$(echo "${endpoint}" | sed "s|.telecomlobby.com||")
						for phn in $(dig ipsec20591.telecomlobby.com TXT +short @8.8.8.8 | sed "s/\"//g" | tr \; '\n' | sed '$d' |  cut -d : -f1); do
								if [[ "${ephm}" == "${phn}" ]]; then
								lhm=$(dig ipsec20591.telecomlobby.com TXT +short @8.8.8.8 | sed "s/\"//g" | tr \; '\n' | sed '$d' |  grep "${phn}" | cut -d : -f2)
							#	[[ "${lhm}" == "neo" ]] && lhm="varuna"
								os=$(nc -w1 $lhm.${LDN} 22)
								echo -e "ULA ptp for $vpnc_host for $lhm is $(echo "${routeridv6}" | sed "s|::/128||"):$(printf "%x\n" "${id}")::1/127"
								case "${os}" in
									*Debian*)
										edgescript=$(mktemp)
										echo "/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper begin" > $edgescript
										tun=$(ssh -q $lhm.${LDN} /sbin/ip link | grep -wB2 "${phn}.telecomlobby.com" | head -n 1 | awk '{print $2}' | sed "s|@NONE:||")
										echo "/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set interfaces tunnel "${tun}" address $(echo "${routeridv6}" | sed "s|::/128||"):$(printf "%x\n" "${id}")::1/127" >> $edgescript
										echo "/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper commit" >> $edgescript
										echo "/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper save" >> $edgescript
										cat $edgescript
									;;
									*ROS*)
										mkscript=$(mktemp)
										gretun=$(ssh -q $lhm.${LDN} ":put [/int gre get [find comment=$vpnc_host] name;]")
										echo "/ipv6 address add interface=${gretun::-1} address="$(echo "${routeridv6}" | sed "s|::/128||"):$(printf "%x\n" "${id}")"::1/127 advertise=no no-dad=yes" > $mkscript
										cat $mkscript
									;;
									*)
										#[[ "${vpnc_host}" == "varuna" ]] && vpnc_host="neo"
										g=$(dig ipsec20591.telecomlobby.com TXT +short @8.8.8.8 | sed "s/\"//g" | tr \; '\n' | sed '$d' |  grep "${vpnc_host}" | cut -d : -f1)
										rgre=$(ssh $lhm.${LDN} grep -w "${g}.telecomlobby.com" /etc/hostname.gre? | cut -d : -f1 | sed "s|/etc/hostname.||")
										ssh $lhm.${LDN}  [[ -e /tmp/ipv6 ]]
										[ $? -eq 1 ] && ssh $lhm.${LDN} touch /tmp/ipv6
										[[ $(ssh $lhm.${LDN} grep -c ${rgre} /tmp/ipv6) -eq 0 ]] && ssh $lhm.${LDN} "echo ${rgre} $(echo "${routeridv6}" | sed "s|::/128||"):$(printf "%x\n" "${id}")::1/127 >> /tmp/ipv6"
										#[[ "${vpnc_host}" == "neo" ]] && vpnc_host="varuna"
									;;
								esac

							fi
						done
					fi
				fi
			done
		done
	;;
	"-CU")
		echo "Single certificate upgrade"
		ikedpub=
		while [ -z $ikedpub ]
		do
			echo "Type the PATH to the upgraded iked PK12 file"
			read ikedpub
		done
		tmpdir=$(mktemp -d)
		pk12=$(basename $ikedpub)
		publichost=$(echo $pk12 | sed 's/.p12//')
		phn=$(echo $publichost | cut -d . -f1)
		domainname=$(echo $publichost | sed "s/$publichostname.//")
		echo "uploading P12 to /tmp onto ${lhn}"

		lhn=$(dnsquery -M "${phn}")
		t=$(dnsquery -T "${lhn}")
		case "${t}" in
			"openbsd")
				scp $ikedpub "$lhn.${LDN}:/tmp"
				ssh -t $lhn.${LDN} doas ksh "/home/taglio/Sources/Git/OpenBSD/tools/ikedsslupgade"
			;;
			"mikrotik")
				scp $ikedpub "$lhn.${LDN}:/"
			;;
			"edgeos")
				scp $ikedpub "$lhn.${LDN}:/tmp"
			;;
		esac
		echo "OpenBSD time..."
		dnsquery wa "openbsd"
		echo "Mikrotik time..."
		echo "EdgeOS time..."




		echo "uploading P12 to Mikrotik hosts"
		for vpnc_host in $(dig mikrotik.${LDN} TXT +short | sed "s/\"//g" | tr \; '\n' | sed '$d'); do
			scp $ikedpub "${vpnc_host}.${LDN}"
			echo "/certificate remove [/certificate find where name=${publichost}]" > /tmp/i.rsc
			echo "/certificate import passphrase=123456789 file-name=$pk12 name=${publichost}" >> /tmp/i.rsc
			echo "/ip ipsec identity set [/ip ipsec identity find where certificate=${publichost}] certificate=${publichost}" >> /tmp/i.rsc
			scp /tmp/i.rsc "${vpnc_host}.${LDN}"
			cat  /tmp/i.rsc
			sleep 40
			#eval "ssh -o StrictHostKeyChecking=no -o ConnectTimeout=5 ${vpnc_host}.${LDN} :execute \{/import i.rsc\}"
		done
		openssl pkcs12 -nodes -in $ikedpub -clcerts -nokeys -passin pass:123456789 -passout pass:123456789 -out "$tmpdir/$publichost.crt"
		echo "uploading .crt to EdgeOS hosts"
		for vpnc_host in $(dig edgeos.${LDN} TXT +short | sed "s/\"//g" | tr \; '\n' | sed '$d' | cut -d : -f1); do
			scp "$tmpdir/$publichost.crt" "$vpnc_host.${LDN}:/config/auth"
			ssh $vpnc_host.${LDN} "sudo cp /config/auth/${publichost}.crt /etc/ipsec.d/certs/"
			ssh $vpnc_host.${LDN} "sudo ipsec rereadall"
			ssh $vpnc_host.${LDN} "sudo ipsec reload"
		done
		openssl x509 -pubkey -noout -passin pass:123456789 -in "$tmpdir/$publichost.crt"  > src/etc/iked/pubkeys/ufqdn/"$srcid@ca.$domainname"
		srm -r "${tmpdir}"
		echo -e "$srcid@ca.$domainname created please update repository and all the others Openbsd hosts"
	;;
	"-NO")
		for vpnc_host in $(dig openbsd.${LDN} TXT +short | sed "s/\"//g" | tr \; '\n' | sed '$d'); do
			echo -e "Connecting to $vpnc_host"
			ssh -t $vpnc_host.${LDN} doas ksh "/home/taglio/Sources/Git/OpenBSD/setup_node" -U newospf
		done
		mk=
		echo -e "Type the internal hostname of the Mikrotik: "
		read mk
		mkscript=$(mktemp)
		mkpubip=$(ssh -o StrictHostKeyChecking=no -o ConnectTimeout=3  -o ConnectionAttempts=1 -q admin@$mk /ip addr pr where dynamic | awk '{print $3}' | grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b")
		loc=$(curl -s "http://ipinfo.io/$mkpubip" | grep loc | awk '{print $2}' | sed 's/.$//' | sed "s/\"//g")
		long=$(echo $loc | cut -d , -f2 | cut -d . -f1)
		lat=$(echo $loc | cut -d , -f1 | cut -d . -f1)
		echo -e "\nLAT --> $lat"
		echo -e "LONG --> $long\n"
		if [[ $long -ge -180 && $long -le -60 && $lat -ge 0 ]]; then group=12 && ospfarea="0.0.1.2"; fi
		if [[ $long -ge -60 && $long -le 60 && $lat -ge 0 ]]; then group=34 && ospfarea="0.0.3.4"; fi
		if [[ $long -ge 60 && $long -le 180 && $lat -ge 0 ]]; then group=56 && ospfarea="0.0.5.6"; fi
		if [[ $long -ge -180 && $long -le -60 && $lat -le 0 ]]; then group=12 && ospfarea="0.0.1.2"; fi
		if [[ $long -ge -60 && $long -le 60 && $lat -le 0 ]]; then group=34 && ospfarea="0.0.3.4"; fi
		if [[ $long -ge 60 && $long -le 180 && $lat -le 0 ]]; then group=56 && ospfarea="0.0.5.6"; fi
		echo "/routing ospf area add name=$group area-id=$ospfarea" > $mkscript
		for grepubip in $(ssh -o StrictHostKeyChecking=no -o ConnectTimeout=3  -o ConnectionAttempts=1 -q admin@$mk /interface gre pr | grep remote-address | awk '{print $1}' | cut -d \= -f2); do
			grenetwork=$(ssh -o StrictHostKeyChecking=no -o ConnectTimeout=3  -o ConnectionAttempts=1 -q admin@$mk "/ip address print where interface=[/interface get [/interface gre find where remote-address=$grepubip] name];" | awk '{print $3}' | awk 'FNR == 3')"/30"
			remoteloc=$(curl -s "http://ipinfo.io/$grepubip" | grep loc | awk '{print $2}' | sed 's/.$//' | sed "s/\"//g")
			remotelong=$(echo $remoteloc | cut -d , -f2 | cut -d . -f1)
			remotelat=$(echo $remoteloc | cut -d , -f1 | cut -d . -f1)
			if [[ $remotelong -ge -180 && $remotelong -le -60 && $remotelat -ge 0 ]]; then remotegroup=12 ; fi
			if [[ $remotelong -ge -60 && $remotelong -le 60 && $remotelat -ge 0 ]]; then remotegroup=34 ; fi
			if [[ $remotelong -ge 60 && $remotelong -le 180 && $remotelat -ge 0 ]]; then remotegroup=56 ; fi
			if [[ $remotelong -ge -180 && $remotelong -le -60 && $remotelat -le 0 ]]; then remotegroup=12 ; fi
			if [[ $remotelong -ge -60 && $remotelong -le 60 && $remotelat -le 0 ]]; then remotegroup=34 ; fi
			if [[ $remotelong -ge 60 && $remotelong -le 180 && $remotelat -le 0 ]]; then remotegroup=56 ; fi
			[[ $group = $remotegroup ]] && \
				echo "/routing ospf network set network=\"$grenetwork\" area=$group" >> $mkscript
		done
		cat $mkscript
		#scp $mkscript "admin@$mk:/newospfd.rsc"
		ssh admin@$mk /import file-name=newospfd.rsc
		edgeos=
		echo -e "Type the internal hostname of the EdgeOS: "
		read edgeos
		edgescript=$(mktemp)
		auxscript=$(mktemp)
		edgepublicip=$(ssh -o StrictHostKeyChecking=no -o ConnectTimeout=3  -o ConnectionAttempts=1 -q $edgeos /sbin/ip addr show dev pppoe0 | awk 'FNR == 3' | awk {'print $2'})
		loc=$(curl -s "http://ipinfo.io/$edgepublicip" | grep loc | awk '{print $2}' | sed 's/.$//' | sed "s/\"//g")
		long=$(echo $loc | cut -d , -f2 | cut -d . -f1)
		lat=$(echo $loc | cut -d , -f1 | cut -d . -f1)
		echo -e "\nLAT --> $lat"
		echo -e "LONG --> $long\n"
		if [[ $long -ge -180 && $long -le -60 && $lat -ge 0 ]]; then group=12 && ospfarea="0.0.1.2"; fi
		if [[ $long -ge -60 && $long -le 60 && $lat -ge 0 ]]; then group=34 && ospfarea="0.0.3.4"; fi
		if [[ $long -ge 60 && $long -le 180 && $lat -ge 0 ]]; then group=56 && ospfarea="0.0.5.6"; fi
		if [[ $long -ge -180 && $long -le -60 && $lat -le 0 ]]; then group=12 && ospfarea="0.0.1.2"; fi
		if [[ $long -ge -60 && $long -le 60 && $lat -le 0 ]]; then group=34 && ospfarea="0.0.3.4"; fi
		if [[ $long -ge 60 && $long -le 180 && $lat -le 0 ]]; then group=56 && ospfarea="0.0.5.6"; fi
		echo "/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper begin" > $edgescript
		for tunedge in $(ssh -q $edgeos /sbin/ip link | grep tun | awk {'print $2'} | sed "s/@NONE://"); do
			tunpublicip=$(ssh -o StrictHostKeyChecking=no -o ConnectTimeout=3  -o ConnectionAttempts=1 -q $edgeos /sbin/ip link list dev $tunedge | awk 'FNR == 2' | awk '{print $4}')
			tunprivateip=$(ssh -o StrictHostKeyChecking=no -o ConnectTimeout=3  -o ConnectionAttempts=1 -q $edgeos /sbin/ip addr show dev $tunedge | awk 'FNR == 3' | awk '{print $2}')
			tunnetwork=$(ipcalc -c $tunprivateip | grep Network | awk '{print $2}')
			remoteloc=$(curl -s "http://ipinfo.io/$tunpublicip" | grep loc | awk '{print $2}' | sed 's/.$//' | sed "s/\"//g")
			remotelong=$(echo $remoteloc | cut -d , -f2 | cut -d . -f1)
			remotelat=$(echo $remoteloc | cut -d , -f1 | cut -d . -f1)
			if [[ $remotelong -ge -180 && $remotelong -le -60 && $remotelat -ge 0 ]]; then remotegroup=12 ; fi
			if [[ $remotelong -ge -60 && $remotelong -le 60 && $remotelat -ge 0 ]]; then remotegroup=34 ; fi
			if [[ $remotelong -ge 60 && $remotelong -le 180 && $remotelat -ge 0 ]]; then remotegroup=56 ; fi
			if [[ $remotelong -ge -180 && $remotelong -le -60 && $remotelat -le 0 ]]; then remotegroup=12 ; fi
			if [[ $remotelong -ge -60 && $remotelong -le 60 && $remotelat -le 0 ]]; then remotegroup=34 ; fi
			if [[ $remotelong -ge 60 && $remotelong -le 180 && $remotelat -le 0 ]]; then remotegroup=56 ; fi
			[[ $group = $remotegroup ]] && \
				echo "/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set protocols ospf area $ospfarea network $tunnetwork" >>  $auxscript || \
				echo "/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set protocols ospf area 0.0.0.0 network $tunnetwork" >>  $auxscript
		done
		echo "/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper delete protocols ospf area 0.0.0.0" >> $edgescript
		echo "/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set protocols ospf area $ospfarea" >> $edgescript
		cat $auxscript | grep $ospfarea >> $edgescript
		echo "/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set protocols ospf area 0.0.0.0" >> $edgescript
		cat $auxscript | grep "0.0.0.0" >> $edgescript
		echo "/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper commit" >> $edgescript
		echo "/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper save" >> $edgescript
		cat $edgescript
	;;
	"-NSD")
		password=$(systemd-ask-password "Enter TXT record password: ")
		openbsd=$(dig TXT openbsd."${LDN}" +short | sed "s|\"||g" | openssl enc -e -A -des3 -base64 -pass pass:"${password}" -pbkdf2)
		mikrotik=$(dig TXT mikrotik."${LDN}" +short | sed "s|\"||g" | openssl enc -e -A -des3 -base64 -pass pass:"${password}" -pbkdf2)
		edgeos=$(dig TXT edgeos."${LDN}" +short | sed "s|\"||g" | openssl enc -e -A -des3 -base64 -pass pass:"${password}" -pbkdf2)
		lte=$(dig TXT lte."${LDN}" +short | sed "s|\"||g" | openssl enc -e -A -des3 -base64 -pass pass:"${password}" -pbkdf2)
		echo "openbsd                  IN TXT    \"${openbsd}\""
		echo "mikrotik                 IN TXT    \"${mikrotik}\""
		echo "edgeos                   IN TXT    \"${edgeos}\""
		echo "lte                      IN TXT    \"${lte}\""

	;;
esac

exit 0