From df763ef49ae89e913b2dbd23b3d382730c7c6d8d Mon Sep 17 00:00:00 2001
From: William Petit
Date: Tue, 25 Apr 2023 14:03:30 +0200
Subject: [PATCH] feat(turris,omnia): add uci-defaults scripts
---
 install/turris-omnia.mk | 4 ++
 .../98-turris-omnia-uci-custom.sh | 37 +++++++++++++++++++
 2 files changed, 41 insertions(+)
 create mode 100644 misc/turris/omnia/uci-defaults/98-turris-omnia-uci-custom.sh
diff --git a/install/turris-omnia.mk b/install/turris-omnia.mk
index d66a025..cb485cb 100644
--- a/install/turris-omnia.mk
+++ b/install/turris-omnia.mk
@@ -1,3 +1,7 @@
+install-turris-omnia-uci-defaults:
+ mkdir -p files/etc/uci-defaults
+ cp misc/turris/omnia/uci-defaults/* files/etc/uci-defaults/
+
 install-turris-omnia-uci-defaults:
 mkdir -p files/etc/uci-defaults
 cp misc/turris/omnia/uci-defaults/* files/etc/uci-defaults/
\ No newline at end of file
diff --git a/misc/turris/omnia/uci-defaults/98-turris-omnia-uci-custom.sh b/misc/turris/omnia/uci-defaults/98-turris-omnia-uci-custom.sh
new file mode 100644
index 0000000..ab96e76
--- /dev/null
+++ b/misc/turris/omnia/uci-defaults/98-turris-omnia-uci-custom.sh
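Review bot: In install/turris-omnia.mk the added lines define `install-turris-omnia-uci-defaults:` a second time, directly above the existing target of the same name and with the same recipe, as far as the hunk shows. GNU make reports an overriding-recipe warning for a repeated target and keeps only the later recipe, so the addition has no effect; either drop the duplicate or, if a different target was meant, give it its own name. The `cp misc/turris/omnia/uci-defaults/*` glob copies every file in that directory into the image's `files/etc/uci-defaults/`, so a comment on the target such as `# every file copied here is executed on first boot` would help reviewers treat that source directory as privileged.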
@@ -0,0 +1,37 @@
+#/bin/sh
+
+set -e
+
+main() {
+ # Update default firewall ruleset
+ uci add firewall rule
+ uci set firewall.@rule[-1].name='Allow SSH on WAN'
+ uci set firewall.@rule[-1].src='wan'
+ uci set firewall.@rule[-1].proto='tcp'
+ uci set firewall.@rule[-1].dest_port='22'
+ uci set firewall.@rule[-1].target='ACCEPT'
+
+ uci add firewall rule
+ uci set firewall.@rule[-1].name='Allow HTTP on WAN'
+ uci set firewall.@rule[-1].src='wan'
+ uci set firewall.@rule[-1].proto='tcp'
+ uci set firewall.@rule[-1].dest_port='80'
+ uci set firewall.@rule[-1].target='ACCEPT'
+
+ uci add firewall rule
+ uci set firewall.@rule[-1].name='Allow HTTPS on WAN'
+ uci set firewall.@rule[-1].src='wan'
+ uci set firewall.@rule[-1].proto='tcp'
+ uci set firewall.@rule[-1].dest_port='443'
+ uci set firewall.@rule[-1].target='ACCEPT'
+
+ uci commit firewall
+
+ # Disable DNS-rebind protection
+ uci set dhcp.@dnsmasq[0].rebind_protection='0'
+ uci commit dhcp
+
+ reload_config
+}
+
+main
\ No newline at end of file
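Review bot: The three `Allow … on WAN` rules accept SSH (22), HTTP (80) and HTTPS (443) from any WAN address, and the script then sets `rebind_protection='0'`, so a freshly flashed device exposes its management services to the upstream network and loses dnsmasq's filtering of upstream answers that point at private addresses. If remote administration is required, scope each rule with `uci set firewall.@rule[-1].src_ip='<MGMT_CIDR>'` (placeholder value) and drop the port 80 rule so the web interface is reachable only over TLS. For DNS, prefer leaving rebind protection on and allow-listing only the domains that legitimately resolve to private addresses, e.g. `uci add_list dhcp.@dnsmasq[0].rebind_domain='<INTERNAL_DOMAIN>'`. The first line `#/bin/sh` is missing the `!`, so it is an ordinary comment rather than a shebang; `#!/bin/sh` is presumably what was intended.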