#!/bin/sh

# UCI config file this script creates on first boot (or populates from a
# legacy /etc/yggdrasil.conf).
yggConfig='/etc/config/yggdrasil'

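#######################################
# Generate a fresh yggdrasil UCI config on first boot and stamp its NodeInfo
# with the board identity reported by `ubus call system board`.
# Globals:   yggConfig (read) - path of the UCI config file to create
# Outputs:   failures are logged to syslog via logger -t yggdrasil
# Returns:   0 on success, 1 if yggdrasil could not produce a config
#######################################
first_boot_genConfig()
{
  local boardcfg genconf kernel system model board_name nodeinfo

  . /usr/share/libubox/jshn.sh
  boardcfg=$(ubus call system board)

  # Capture genconf output before touching the config: with a bare
  # "yggdrasil ... | ygguci set" a failing yggdrasil is invisible and an
  # empty config (no key material) gets committed as if it were valid.
  genconf=$(yggdrasil -genconf -json) || {
    echo "first_boot: 'yggdrasil -genconf' failed, not writing ${yggConfig}" | logger -t yggdrasil
    return 1
  }
  touch "${yggConfig}"
  printf '%s\n' "$genconf" | ygguci set

  json_load "$boardcfg"
  json_get_var kernel     kernel
  json_get_var system     system
  json_get_var model      model
  json_get_var board_name board_name

  # Build NodeInfo with jshn so every board string is JSON-escaped; pasting
  # the raw values into a literal breaks on any '"' or '\' in a model name.
  # NOTE: NodeInfo is what this node advertises to the mesh, so these fields
  # are effectively a device fingerprint visible to remote nodes - trim them
  # if that disclosure is unwanted.
  json_init
  json_add_string kernel "$kernel"
  json_add_string hostname "OpenWrt"
  json_add_string system "$system"
  json_add_string model "$model"
  json_add_string board_name "$board_name"
  nodeinfo=$(json_dump)

  uci set yggdrasil.yggdrasil.IfName="ygg0"
  uci set yggdrasil.yggdrasil.NodeInfo="$nodeinfo"
  uci commit yggdrasil

  # The generated config carries the node's key material; do it after the
  # commit so the mode holds regardless of how uci rewrites the file.
  chmod 600 "${yggConfig}"
}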

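if [ -e /etc/yggdrasil.conf ]; then
  # Migration path: a legacy flat config takes precedence over generating a
  # new one, and is moved aside once imported so this branch runs only once.
  echo "config: import config from /etc/yggdrasil.conf to /etc/config/yggdrasil" | logger -t yggdrasil
  touch "${yggConfig}"
  ygguci set < /etc/yggdrasil.conf
  # The backup keeps whatever the old file held (normally the node's private
  # key), so make sure it is not readable by anyone but root.
  mv /etc/yggdrasil.conf /etc/yggdrasil.conf.bak
  chmod 600 /etc/yggdrasil.conf.bak
elif [ ! -e "${yggConfig}" ]; then
  echo "first_boot: adding system board details to NodeInfo[] in NEW config: ${yggConfig}" | logger -t yggdrasil

  first_boot_genConfig

  # create the network interface (unmanaged: yggdrasil configures ygg0 itself)
  uci -q batch <<-EOF >/dev/null
    set network.yggdrasil=interface
    set network.yggdrasil.device=ygg0
    set network.yggdrasil.proto=none
EOF

  # create the firewall zone. Inbound and forwarded traffic from the mesh is
  # rejected by default; anything reachable from other nodes must be opened
  # explicitly by one of the rules below.
  uci -q batch <<-EOF >/dev/null
    set firewall.yggdrasil=zone
    set firewall.yggdrasil.name=yggdrasil
    add_list firewall.yggdrasil.network=yggdrasil
    set firewall.yggdrasil.input=REJECT
    set firewall.yggdrasil.output=ACCEPT
    set firewall.yggdrasil.forward=REJECT
    set firewall.yggdrasil.conntrack=1
EOF

  # allow ICMP from yggdrasil zone, e.g. ping6. This is the only rule that
  # ships enabled; proto=icmp with family=ipv6 is how the OpenWrt firewall
  # expresses ICMPv6, and the limit caps the rate a remote node can drive.
  uci -q batch <<-EOF >/dev/null
    add firewall rule
    set firewall.@rule[-1].name='Allow-ICMPv6-yggdrasil'
    set firewall.@rule[-1].src=yggdrasil
    set firewall.@rule[-1].proto=icmp
    add_list firewall.@rule[-1].icmp_type=echo-request
    add_list firewall.@rule[-1].icmp_type=echo-reply
    add_list firewall.@rule[-1].icmp_type=destination-unreachable
    add_list firewall.@rule[-1].icmp_type=packet-too-big
    add_list firewall.@rule[-1].icmp_type=time-exceeded
    add_list firewall.@rule[-1].icmp_type=bad-header
    add_list firewall.@rule[-1].icmp_type=unknown-header-type
    set firewall.@rule[-1].limit='1000/sec'
    set firewall.@rule[-1].family=ipv6
    set firewall.@rule[-1].target=ACCEPT
EOF

  # allow SSH from yggdrasil zone, needs to be explicitly enabled
  # (enabled=0: exposing the router's SSH to every mesh node is opt-in)
  uci -q batch <<-EOF >/dev/null
    add firewall rule
    set firewall.@rule[-1].enabled=0
    set firewall.@rule[-1].name='Allow-SSH-yggdrasil'
    set firewall.@rule[-1].src=yggdrasil
    set firewall.@rule[-1].proto=tcp
    set firewall.@rule[-1].dest_port=22
    set firewall.@rule[-1].target=ACCEPT
EOF

  # allow LuCI access from yggdrasil zone, needs to be explicitly enabled
  # (plain HTTP: credentials would cross the mesh unencrypted unless uhttpd
  # redirects to HTTPS - prefer the HTTPS rule below)
  uci -q batch <<-EOF >/dev/null
    add firewall rule
    set firewall.@rule[-1].enabled=0
    set firewall.@rule[-1].name='Allow-HTTP-yggdrasil'
    set firewall.@rule[-1].src=yggdrasil
    set firewall.@rule[-1].proto=tcp
    set firewall.@rule[-1].dest_port=80
    set firewall.@rule[-1].target=ACCEPT
EOF

  # allow LuCI access with SSL from yggdrasil zone, needs to be explicitly enabled
  uci -q batch <<-EOF >/dev/null
    add firewall rule
    set firewall.@rule[-1].enabled=0
    set firewall.@rule[-1].name='Allow-HTTPS-yggdrasil'
    set firewall.@rule[-1].src=yggdrasil
    set firewall.@rule[-1].proto=tcp
    set firewall.@rule[-1].dest_port=443
    set firewall.@rule[-1].target=ACCEPT
EOF

  uci commit firewall
  uci commit network
fi

# uci-defaults scripts are removed after a successful run; always report success
# so a benign no-op (config already present) does not keep the script around.
exit 0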