feat: use emissary v2023.5.23-4311cf6

Jenkinsfile

@@ -29,27 +29,38 @@ pipeline {
             }
             steps {
                 script {
-                    steps {
+                    currentEmissaryRelease = readFile('emissary_release.txt').trim()
-                        currentEmissaryRelease = readFile('emissary_release.txt')
 
-                        if (currentEmissaryRelease == params.emissaryRelease) {
+                    if (currentEmissaryRelease == params.emissaryRelease) {
-                            currentBuild.result = 'SUCCESS'
+                        currentBuild.result = 'SUCCESS'
-                            return
+                        return
-                        }
+                    }
 
+                    withCredentials([
+                        usernamePassword([
+                        credentialsId: 'forge-jenkins',
+                        usernameVariable: 'GIT_USERNAME',
+                        passwordVariable: 'GIT_PASSWORD'
+                        ])
+                    ]) {
                         sh """
+                        git config user.email "jenkins@cadoles.com"
+                        git config user.name "Jenkins"
+                        git config credential.https://forge.cadoles.com.username "\$GIT_USERNAME"
+                        git config credential.https://forge.cadoles.com.helper '!f() { test "\$1" = get && echo "password=\$GIT_PASSWORD"; }; f'
+
                         echo '${params.emissaryRelease}' > emissary_release.txt
                         git add emissary_release.txt
                         git commit -m "feat: use emissary ${params.emissaryRelease}"
                         git pull --rebase
-                        git push
+                        git push origin \$(git rev-parse HEAD):${env.GIT_BRANCH}
                         """
                     }
                 }
             }
         }
 
-        stage('Build') {
+        stage('Build and release') {
             steps {
                 script {
                     withCredentials([

Makefile

@@ -22,7 +22,7 @@ IMAGEBUILDER_CUSTOM_FILES_DIR_PATH := $(IMAGEBUILDER_DIR_PATH)/files
 
 BIN_DIR := "$(shell readlink -f bin)/$(OPENWRT_VERSION)/$(OPENWRT_TARGET)/$(OPENWRT_PROFILE)$(BIN_DIR_NAME_SUFFIX)"
 
-GITEA_DOWNLOAD_RELEASE_NAME ?= $(shell cat emissary_release.txt)
+EMISSARY_RELEASE ?= $(shell cat emissary_release.txt)
 EMISSARY_ARCH ?= armv6
 
 EMISSARY_RECONCILIATION_INTERVAL ?=
@@ -109,8 +109,8 @@ gitea-release: tools/gitea-release/bin/gitea-release.sh
 		GITEA_RELEASE_NAME="$(FULL_VERSION)" \
 		GITEA_RELEASE_COMMITISH_TARGET="$(GIT_VERSION)" \
 		GITEA_RELEASE_IS_DRAFT="false" \
-		GITEA_RELEASE_BODY="" \
+		GITEA_RELEASE_BODY="With Emissary $(EMISSARY_RELEASE)" \
-		GITEA_RELEASE_ATTACHMENTS="$(shell find .gitea-release/* -type f)" \
+		GITEA_RELEASE_ATTACHMENTS="$$(find .gitea-release/* -type f)" \
 		tools/gitea-release/bin/gitea-release.sh
 
 .PHONY: download-emissary-release
@@ -119,7 +119,7 @@ download-emissary-release: tools/gitea-download/bin/gitea-download.sh
 	GITEA_DOWNLOAD_PROJECT="emissary" \
 		GITEA_DOWNLOAD_ORG="arcad" \
 		GITEA_DOWNLOAD_BASE_URL="https://forge.cadoles.com" \
-		GITEA_DOWNLOAD_RELEASE_NAME="$(GITEA_DOWNLOAD_RELEASE_NAME)" \
+		GITEA_DOWNLOAD_RELEASE_NAME="$(EMISSARY_RELEASE)" \
 		GITEA_DOWNLOAD_ATTACHMENTS_FILTER="\.tar\.gz$$" \
 		tools/gitea-download/bin/gitea-download.sh
 

emissary_release.txt

@@ -1 +1 @@
-v2023.3.29-e5b6c5e
+v2023.5.23-4311cf6

install/raspberrypi.mk

@@ -0,0 +1,7 @@
+install-rpi-network-config:
+	mkdir -p files/etc/config
+	cp misc/rpi/uci/network files/etc/config/network
+
+install-rpi-uci-defaults:
+	mkdir -p files/etc/uci-defaults
+	cp misc/rpi/uci-defaults/* files/etc/uci-defaults/

install/turris-omnia.mk

@@ -0,0 +1,3 @@
+install-turris-omnia-uci-defaults:
+	mkdir -p files/etc/uci-defaults
+	cp misc/turris/omnia/uci-defaults/* files/etc/uci-defaults/

misc/emissary/keep.d/emissary

@@ -1,4 +1,3 @@
 /etc/machine-id
 /data/emissary/agent-key.json
-/data/emissary/agent-state.json
 /data/emissary/apps/data

misc/rpi/uci-defaults/99-x86-uci-custom.sh

@@ -0,0 +1,37 @@
+#/bin/sh
+
+set -e
+
+main() {
+    # Update default firewall ruleset
+    uci add firewall rule
+    uci set firewall.@rule[-1].name='Allow SSH on WAN'
+    uci set firewall.@rule[-1].src='wan'
+    uci set firewall.@rule[-1].proto='tcp'
+    uci set firewall.@rule[-1].dest_port='22'
+    uci set firewall.@rule[-1].target='ACCEPT'
+
+    uci add firewall rule
+    uci set firewall.@rule[-1].name='Allow HTTP on WAN'
+    uci set firewall.@rule[-1].src='wan'
+    uci set firewall.@rule[-1].proto='tcp'
+    uci set firewall.@rule[-1].dest_port='80'
+    uci set firewall.@rule[-1].target='ACCEPT'
+
+    uci add firewall rule
+    uci set firewall.@rule[-1].name='Allow HTTPS on WAN'
+    uci set firewall.@rule[-1].src='wan'
+    uci set firewall.@rule[-1].proto='tcp'
+    uci set firewall.@rule[-1].dest_port='443'
+    uci set firewall.@rule[-1].target='ACCEPT'
+
+    uci commit firewall
+    
+    # Disable DNS-rebind protection
+    uci set dhcp.@dnsmasq[0].rebind_protection='0'
+    uci commit dhcp
+
+    reload_config
+}
+
+main

misc/rpi/uci/network

@@ -0,0 +1,9 @@
+config interface 'loopback'
+	option ifname 'lo'
+	option proto 'static'
+	option ipaddr '127.0.0.1'
+	option netmask '255.0.0.0'
+
+config interface 'wan'
+	option ifname 'eth0'
+	option proto 'dhcp'

misc/turris/omnia/uci-defaults/98-turris-omnia-uci-custom.sh

@@ -0,0 +1,37 @@
+#/bin/sh
+
+set -e
+
+main() {
+    # Update default firewall ruleset
+    uci add firewall rule
+    uci set firewall.@rule[-1].name='Allow SSH on WAN'
+    uci set firewall.@rule[-1].src='wan'
+    uci set firewall.@rule[-1].proto='tcp'
+    uci set firewall.@rule[-1].dest_port='22'
+    uci set firewall.@rule[-1].target='ACCEPT'
+
+    uci add firewall rule
+    uci set firewall.@rule[-1].name='Allow HTTP on WAN'
+    uci set firewall.@rule[-1].src='wan'
+    uci set firewall.@rule[-1].proto='tcp'
+    uci set firewall.@rule[-1].dest_port='80'
+    uci set firewall.@rule[-1].target='ACCEPT'
+
+    uci add firewall rule
+    uci set firewall.@rule[-1].name='Allow HTTPS on WAN'
+    uci set firewall.@rule[-1].src='wan'
+    uci set firewall.@rule[-1].proto='tcp'
+    uci set firewall.@rule[-1].dest_port='443'
+    uci set firewall.@rule[-1].target='ACCEPT'
+
+    uci commit firewall
+    
+    # Disable DNS-rebind protection
+    uci set dhcp.@dnsmasq[0].rebind_protection='0'
+    uci commit dhcp
+
+    reload_config
+}
+
+main

misc/turris/omnia/uci-defaults/99-resize-disk.sh

@@ -0,0 +1,21 @@
+#!/bin/sh
+
+set -eo pipefail
+
+block info
+
+DISK=/dev/mmcblk0
+PARTITION="${DISK}p2"
+
+parted -s -a opt "$DISK" "resizepart 2 100%"
+
+FS_SIZE="$(unsquashfs -s "$PARTITION" | grep -o 'Filesystem size [0-9]* bytes' | grep -o '[0-9][0-9]*')"
+FS_OFFSET="$(expr '(' "$FS_SIZE" + 65535 ')' / 65536 '*' 65536)"
+LOOP_DEVICE="$(losetup -f --show -o "$FS_OFFSET" "$PARTITION")"
+
+e2fsck -y -f "$LOOP_DEVICE"
+resize2fs "$LOOP_DEVICE"
+
+rm -f /etc/uci-defaults/99-resize-disk.sh
+
+reboot

targets/raspberrypi.mk

@@ -2,7 +2,7 @@ all: rpi-4 rpi-3
 
 rpi-4:
 	$(MAKE) \
-		ADDITIONAL_INSTALL="" \
+		ADDITIONAL_INSTALL="install-rpi-network-config install-rpi-uci-defaults" \
 		OPENWRT_TARGET="bcm27xx/bcm2711" \
 		EMISSARY_ARCH="arm64" \
 		OPENWRT_PROFILE="rpi-4" \
@@ -10,7 +10,7 @@ rpi-4:
 
 rpi-3:
 	$(MAKE) \
-		ADDITIONAL_INSTALL="" \
+		ADDITIONAL_INSTALL="install-rpi-network-config install-rpi-uci-defaults" \
 		OPENWRT_TARGET="bcm27xx/bcm2710" \
 		EMISSARY_ARCH="arm64" \
 		OPENWRT_PROFILE="rpi-3" \

targets/turris.mk

@@ -4,7 +4,8 @@ turris: omnia
 
 omnia:
 	$(MAKE) \
-		ADDITIONAL_INSTALL="" \
+		ADDITIONAL_INSTALL="install-turris-omnia-uci-defaults" \
+		ADDITIONAL_OPENWRT_PACKAGES="losetup squashfs-tools-unsquashfs resize2fs e2fsprogs parted block-mount" \
 		OPENWRT_TARGET="mvebu/cortexa9" \
 		EMISSARY_ARCH="armv7" \
 		OPENWRT_PROFILE="cznic_turris-omnia" \