#!/bin/sh yggConfig="/etc/config/yggdrasil" first_boot_genConfig() { . /usr/share/libubox/jshn.sh boardcfg=$(ubus call system board) touch ${yggConfig} yggdrasil -genconf -json | ygguci set json_load "$boardcfg" json_get_var kernel kernel json_get_var system system json_get_var model model json_get_var board_name board_name nodeinfo='{"kernel": "'$kernel'", "hostname":"'OpenWrt'", "system": "'$system'", "model": "'$model'", "board_name": "'$board_name'"}' uci set yggdrasil.yggdrasil.IfName="ygg0" uci set yggdrasil.yggdrasil.NodeInfo="$nodeinfo" uci commit yggdrasil } if [ -e /etc/yggdrasil.conf ]; then echo "config: import config from /etc/yggdrasil.conf to /etc/config/yggdrasil" | logger -t yggdrasil touch ${yggConfig} cat /etc/yggdrasil.conf | ygguci set mv /etc/yggdrasil.conf /etc/yggdrasil.conf.bak elif [ ! -e ${yggConfig} ]; then echo "first_boot: adding system board details to NodeInfo[] in NEW config: ${yggConfig}" | logger -t yggdrasil first_boot_genConfig # create the network interface uci -q batch <<-EOF >/dev/null set network.yggdrasil=interface set network.yggdrasil.ifname=ygg0 set network.yggdrasil.proto=none EOF # create the firewall zone uci -q batch <<-EOF >/dev/null set firewall.yggdrasil=zone set firewall.yggdrasil.name=yggdrasil add_list firewall.yggdrasil.network=yggdrasil set firewall.yggdrasil.input=REJECT set firewall.yggdrasil.output=ACCEPT set firewall.yggdrasil.forward=REJECT set firewall.yggdrasil.conntrack=1 EOF # allow ICMP from yggdrasil zone, e.g. ping6 uci -q batch <<-EOF >/dev/null add firewall rule set firewall.@rule[-1].name='Allow-ICMPv6-yggdrasil' set firewall.@rule[-1].src=yggdrasil set firewall.@rule[-1].proto=icmp add_list firewall.@rule[-1].icmp_type=echo-request add_list firewall.@rule[-1].icmp_type=echo-reply add_list firewall.@rule[-1].icmp_type=destination-unreachable add_list firewall.@rule[-1].icmp_type=packet-too-big add_list firewall.@rule[-1].icmp_type=time-exceeded add_list firewall.@rule[-1].icmp_type=bad-header add_list firewall.@rule[-1].icmp_type=unknown-header-type set firewall.@rule[-1].limit='1000/sec' set firewall.@rule[-1].family=ipv6 set firewall.@rule[-1].target=ACCEPT EOF # allow SSH from yggdrasil zone, needs to be explicitly enabled uci -q batch <<-EOF >/dev/null add firewall rule set firewall.@rule[-1].enabled=0 set firewall.@rule[-1].name='Allow-SSH-yggdrasil' set firewall.@rule[-1].src=yggdrasil set firewall.@rule[-1].proto=tcp set firewall.@rule[-1].dest_port=22 set firewall.@rule[-1].target=ACCEPT EOF # allow LuCI access from yggdrasil zone, needs to be explicitly enabled uci -q batch <<-EOF >/dev/null add firewall rule set firewall.@rule[-1].enabled=0 set firewall.@rule[-1].name='Allow-HTTP-yggdrasil' set firewall.@rule[-1].src=yggdrasil set firewall.@rule[-1].proto=tcp set firewall.@rule[-1].dest_port=80 set firewall.@rule[-1].target=ACCEPT EOF # allow LuCI access with SSL from yggdrasil zone, needs to be explicitly enabled uci -q batch <<-EOF >/dev/null add firewall rule set firewall.@rule[-1].enabled=0 set firewall.@rule[-1].name='Allow-HTTPS-yggdrasil' set firewall.@rule[-1].src=yggdrasil set firewall.@rule[-1].proto=tcp set firewall.@rule[-1].dest_port=443 set firewall.@rule[-1].target=ACCEPT EOF uci commit firewall uci commit network else : fi exit 0