From 23452a06ff9e9a370878ffabd36facb175b4c271 Mon Sep 17 00:00:00 2001 From: William Petit Date: Fri, 21 Apr 2023 18:17:33 +0200 Subject: [PATCH] feat(rpi): default firmware ok --- install/raspberrypi.mk | 7 ++++ misc/rpi/uci-defaults/99-x86-uci-custom.sh | 37 +++++++++++++++++++++ misc/rpi/uci/network | 9 +++++ targets/{raspberry-pi.mk => raspberrypi.mk} | 4 +-- 4 files changed, 55 insertions(+), 2 deletions(-) create mode 100644 install/raspberrypi.mk create mode 100644 misc/rpi/uci-defaults/99-x86-uci-custom.sh create mode 100644 misc/rpi/uci/network rename targets/{raspberry-pi.mk => raspberrypi.mk} (62%)
diff --git a/install/raspberrypi.mk b/install/raspberrypi.mk
new file mode 100644
index 0000000..8de58de
--- /dev/null
+++ b/install/raspberrypi.mk
@@ -0,0 +1,7 @@
+install-rpi-network-config:
+ mkdir -p files/etc/config
+ cp misc/rpi/uci/network files/etc/config/network
+
+install-rpi-uci-defaults:
+ mkdir -p files/etc/uci-defaults
+ cp misc/rpi/uci-defaults/* files/etc/uci-defaults/
\ No newline at end of file
diff --git a/misc/rpi/uci-defaults/99-x86-uci-custom.sh b/misc/rpi/uci-defaults/99-x86-uci-custom.sh
new file mode 100644
index 0000000..ab96e76
--- /dev/null
+++ b/misc/rpi/uci-defaults/99-x86-uci-custom.sh
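Review bot: `cp misc/rpi/uci-defaults/*` in `install-rpi-uci-defaults` copies every file present in that directory into `files/etc/uci-defaults/`, and, assuming `files/` is the image overlay, OpenWrt runs each of them as root on first boot, so a stray or editor-backup file in the tree ends up executed on the device. Naming the script explicitly, `cp misc/rpi/uci-defaults/99-x86-uci-custom.sh files/etc/uci-defaults/`, keeps what runs at first boot reviewable. Neither new target produces a file of its own name, so the makefile should also declare `.PHONY: install-rpi-network-config install-rpi-uci-defaults`.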
@@ -0,0 +1,37 @@
+#/bin/sh
+
+set -e
+
+main() {
+ # Update default firewall ruleset
+ uci add firewall rule
+ uci set firewall.@rule[-1].name='Allow SSH on WAN'
+ uci set firewall.@rule[-1].src='wan'
+ uci set firewall.@rule[-1].proto='tcp'
+ uci set firewall.@rule[-1].dest_port='22'
+ uci set firewall.@rule[-1].target='ACCEPT'
+
+ uci add firewall rule
+ uci set firewall.@rule[-1].name='Allow HTTP on WAN'
+ uci set firewall.@rule[-1].src='wan'
+ uci set firewall.@rule[-1].proto='tcp'
+ uci set firewall.@rule[-1].dest_port='80'
+ uci set firewall.@rule[-1].target='ACCEPT'
+
+ uci add firewall rule
+ uci set firewall.@rule[-1].name='Allow HTTPS on WAN'
+ uci set firewall.@rule[-1].src='wan'
+ uci set firewall.@rule[-1].proto='tcp'
+ uci set firewall.@rule[-1].dest_port='443'
+ uci set firewall.@rule[-1].target='ACCEPT'
+
+ uci commit firewall
+
+ # Disable DNS-rebind protection
+ uci set dhcp.@dnsmasq[0].rebind_protection='0'
+ uci commit dhcp
+
+ reload_config
+}
+
+main
\ No newline at end of file
diff --git a/misc/rpi/uci/network b/misc/rpi/uci/network
new file mode 100644
index 0000000..8f6834d
--- /dev/null
+++ b/misc/rpi/uci/network
@@ -0,0 +1,9 @@
+config interface 'loopback'
+ option ifname 'lo'
+ option proto 'static'
+ option ipaddr '127.0.0.1'
+ option netmask '255.0.0.0'
+
+config interface 'wan'
+ option ifname 'eth0'
+ option proto 'dhcp'
\ No newline at end of file
diff --git a/targets/raspberry-pi.mk b/targets/raspberrypi.mk
similarity index 62%
rename from targets/raspberry-pi.mk
rename to targets/raspberrypi.mk
index 61c76e8..2e51fd9 100644
--- a/targets/raspberry-pi.mk
+++ b/targets/raspberrypi.mk
@@ -2,7 +2,7 @@ all: rpi-4 rpi-3 rpi-4: $(MAKE) \ - ADDITIONAL_INSTALL="" \ + ADDITIONAL_INSTALL="install-rpi-network-config install-rpi-uci-defaults" \ OPENWRT_TARGET="bcm27xx/bcm2711" \ EMISSARY_ARCH="arm64" \ OPENWRT_PROFILE="rpi-4" \
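Review bot: In misc/rpi/uci-defaults/99-x86-uci-custom.sh the three `Allow … on WAN` rules accept TCP 22, 80 and 443 from any WAN source on first boot, and misc/rpi/uci/network defines only a DHCP `wan` interface on eth0, so the device's management services are reachable from whatever network it is plugged into. Unless the image sets a root password or key-only SSH elsewhere (not visible in this patch), those services may be reachable before any credential is configured; consider scoping each rule with `uci set firewall.@rule[-1].src_ip='<management-subnet>'` or putting the rules behind a build-time option. `rebind_protection='0'` disables dnsmasq's rebind filtering for every client; if only particular names need private answers, `uci add_list dhcp.@dnsmasq[0].rebind_domain='<internal-domain>'` leaves the protection on for everything else, and the comment should say why it is being relaxed. The first line `#/bin/sh` is a plain comment rather than a shebang and should read `#!/bin/sh`.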
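Review bot: The literal `ADDITIONAL_INSTALL="install-rpi-network-config install-rpi-uci-defaults"` in targets/raspberrypi.mk is repeated in the `rpi-4` rule here and again in the `rpi-3` rule of the following hunk, so a later change to one image's install list can silently miss the other and leave the two images with different first-boot firewall and network settings. A shared variable such as `RPI_ADDITIONAL_INSTALL := install-rpi-network-config install-rpi-uci-defaults`, passed as `ADDITIONAL_INSTALL="$(RPI_ADDITIONAL_INSTALL)"` in both rules, keeps them in step. Both rules continue past the end of their hunks.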
@@ -10,7 +10,7 @@ rpi-4: rpi-3: $(MAKE) \ - ADDITIONAL_INSTALL="" \ + ADDITIONAL_INSTALL="install-rpi-network-config install-rpi-uci-defaults" \ OPENWRT_TARGET="bcm27xx/bcm2710" \ EMISSARY_ARCH="arm64" \ OPENWRT_PROFILE="rpi-3" \