Add luci-proto-wireguard

- I don't need it after all

.buildbot/openwrt/build.sh

@@ -9,6 +9,8 @@
 # now I noticed there is actually a Makefile for openwrt in the repo already:
 # https://github.com/IchthysMaranatha/asterisk-chan-quectel/tree/master/openwrt
 
+set -x
+
 tar -xJf /Downloads/openwrt-sdk-${OPENWRT_VERSION}-*.tar.xz
 
 cp -r feed openwrt-sdk-*/
@@ -23,11 +25,11 @@ cat ${pwd}/feeds.conf >> feeds.conf
 ./scripts/feeds install -a
 
 make defconfig
-echo 'CONFIG_PACKAGE_python3-packages=y' >> .config
+# Enable collectd network encryption
-echo 'CONFIG_PACKAGE_python3-packages-list="CherryPy==18.8.0"' >> .config
+echo "CONFIG_PACKAGE_COLLECTD_ENCRYPTED_NETWORK=y" >> .config
 
-make package/python3-packages/compile
 make package/asterisk-chan-quectel/compile
+make package/collectd/compile
 # no signing key
 make package/index
 
@@ -44,23 +46,24 @@ cp ${sdkdir}/bin/packages/aarch64_cortex-a72/quectel/*.ipk packages/
 
 make info
 
-# Double the size of the root partition
+# Increase the size of the root partition
-echo "CONFIG_TARGET_ROOTFS_PARTSIZE=208" >> .config
+echo "CONFIG_TARGET_ROOTFS_PARTSIZE=308" >> .config
 # Disable ext4 images
 echo "CONFIG_TARGET_ROOTFS_EXT4FS=n" >> .config
 
 # Setup files
-mkdir -p files/root/.ssh
+mkdir -p files/etc/dropbear
-cp ${pwd}/authorized_keys files/root/.ssh/
+chmod 0750 files/etc/dropbear
+cp ${pwd}/authorized_keys files/etc/dropbear
+chmod 0400 files/etc/dropbear/authorized_keys
 mkdir -p files/etc/uci-defaults
-cp ${pwd}/uci_defaults files/etc/uci-defaults/99-custom
+cp ${pwd}/defaults/* files/etc/uci-defaults
 
 PACKAGES="kmod-nf-nathelper-extra kmod-rtc-ds1307 \
 	  kmod-usb-audio kmod-usb-net-rtl8152 \
 	  alsa-lib pciutils usbutils \
 	  kmod-usb-net-qmi-wwan libqmi qmi-utils uqmi luci-proto-qmi \
 	  shadow-usermod \
-	  adguardhome \
 	  asterisk \
 	  asterisk-app-sms asterisk-pjsip asterisk-bridge-simple \
 	  asterisk-codec-alaw asterisk-codec-ulaw \
@@ -68,7 +71,7 @@ PACKAGES="kmod-nf-nathelper-extra kmod-rtc-ds1307 \
 	  asterisk-chan-quectel \
 	  ca-certificates \
 	  collectd collectd-mod-contextswitch collectd-mod-cpu \
-	  collectd-mod-curl \
+	  collectd-mod-curl collectd-mod-df \
 	  collectd-mod-dhcpleases collectd-mod-disk \
 	  collectd-mod-dns collectd-mod-entropy \
 	  collectd-mod-ethstat collectd-mod-exec \
@@ -85,11 +88,13 @@ PACKAGES="kmod-nf-nathelper-extra kmod-rtc-ds1307 \
 	  collectd-mod-users collectd-mod-vmem \
 	  collectd-mod-wireless \
 	  curl etherwake fail2ban \
-	  luci-app-https-dns-proxy luci-app-mwan3 luci-app-upnp \
+	  luci-app-mwan3 luci-app-upnp \
+	  luci-proto-wireguard \
 	  luci-ssl-nginx luci-app-acme \
 	  python3-packages python3-yaml \
+	  openssh-sftp-server tcpdump \
+	  iptables-nft ip6tables-nft \
 	  wireguard-tools wget-ssl \
-	  openssh-server \
 	 "
 
 make image PROFILE=rpi-4 \

defaults/00-defaults

@@ -0,0 +1,4 @@
+touch /etc/config/defaults
+
+/sbin/uci get defaults.version || /sbin/uci set defaults.version=version && \
+  /sbin/uci commit defaults

defaults/49-network

@@ -0,0 +1,28 @@
+VERSION=1
+
+[ "$(uci -q get defaults.version.network)" -ge "$VERSION" ] & exit 
+
+# save version
+/sbin/uci set defaults.version.network="$VERSION"
+
+# switch LAN to eth1
+/sbin/uci set network.@device[0].ports='eth1'
+
+# set WAN to eth0
+/sbin/uci set network.wan=interface
+/sbin/uci set network.wan.device=eth0
+/sbin/uci set network.wan.proto=dhcp
+
+# firewall allow SSH
+/sbin/uci add firewall rule
+/sbin/uci set firewall.@rule[-1].name='Allow-SSH'
+/sbin/uci set firewall.@rule[-1].src='wan'
+/sbin/uci set firewall.@rule[-1].dest_port='22'
+/sbin/uci set firewall.@rule[-1].proto='tcp'
+/sbin/uci set firewall.@rule[-1].target='ACCEPT'
+
+/sbin/uci commit
+
+/sbin/service network restart
+/sbin/service firewall restart
+/sbin/service dnsmasq restart

defaults/50-dropbear

@@ -0,0 +1,23 @@
+VERSION=1
+
+if [ "$(uci -q get defaults.version.dropbear)" -ge "$VERSION" ]
+then
+	# may leave dropbear off after an upgrade
+	/sbin/service dropbear enable
+	/sbin/service dropbear restart
+	exit 0
+fi
+
+# save version
+/sbin/uci set defaults.version.dropbear="$VERSION"
+
+/sbin/uci -q batch << EOF
+set defaults.version.dropbear="$VERSION"
+commit defaults
+set dropbear.@dropbear[0].PasswordAuth='off'
+set dropbear.@dropbear[0].RootPasswordAuth='off'
+commit dropbear
+EOF
+
+/sbin/service dropbear enable
+/sbin/service dropbear restart

uci_defaults

@@ -1,2 +0,0 @@
-echo "PasswordAuthentication no" >> /etc/ssh/sshd_config
-/sbin/service sshd restart