#!/bin/sh
# Set router defaults runing first boot

# Ensure this script is only run once
if CONFIGED=$(uci get system.@system[0].cghmn_is_configured 2>/dev/null) && [ "$CONFIGED" = "1" ]; then
	exit 0
fi

# Get last four letters of eth0 MAC
FULL_MAC=$(ip link show eth0 | awk '/link\/ether/ { gsub(":",""); print substr($2,0,4) ":" substr($2,5,4) ":" substr($2,9,4) }')
MAC_LASTFOUR=$(echo "${FULL_MAC}" | awk -F':' '{ print $3 }')
NEW_HOSTNAME="CGHMN-Node-$MAC_LASTFOUR"

# Static variables used to configure the Wireguard tunnel
WG_PEER_ADDRESS="wg-admin.cursedsilicon.net"
WG_PEER_PUBKEY="k/QiJIbMakMKgTCHVt8/D+8k4DzRVM6U33F3gMZfRUg="
WG_PEER_PORT="42070"
#WG_MTU=1634
WG_MTU=1420

# Wireguard IPv4 variables
WG_TUNNEL_INNER_SUBNET_PREFIX4="100.89"
WG_TUNNEL_INNER_SUBNET4_SIZE="22"
WG_TUNNEL_INNER_SUBNET4="${WG_TUNNEL_INNER_SUBNET_PREFIX4}.128.0"
WG_TUNNEL_INNER_LOCAL_IP4="${WG_TUNNEL_INNER_SUBNET_PREFIX4}.255.255"
WG_TUNNEL_INNER_PEER_IP4="${WG_TUNNEL_INNER_SUBNET4}.128.1"
WG_TUNNEL_REMOTE_SUBNET4="172.23.0.0/16"

# Wireguard IPv6 variables
WG_TUNNEL_INNER_SUBNET6="fd38:f85d:a2fd::"
WG_TUNNEL_INNER_SUBNET6_SIZE="64"
WG_TUNNEL_INNER_LOCAL_IP6="${WG_TUNNEL_INNER_SUBNET6}${FULL_MAC}"
WG_TUNNEL_INNER_PEER_IP6="${WG_TUNNEL_INNER_SUBNET6}ffff:ffff:ffff:ffff"
WG_TUNNEL_REMOTE_SUBNET6="fd38:f85d:a2fe::/64"

# Generate new Wireguard private key for this node
WG_PRIVKEY="$(wg genkey)"

# Static variables used to configure the VXLAN interface
VXLAN_LOCAL_IP="${WG_TUNNEL_INNER_LOCAL_IP4}"
VXLAN_PEER_IP="172.23.4.103"
VXLAN_ID="9999"

# Before adding new config, clear old firewall zones and rules
while uci -q delete firewall.@rule[0]; do :; done
while uci -q delete firewall.@zone[0]; do :; done
while uci -q delete firewall.@forwarding[0]; do :; done

# Batch-add most UCI configuration next
uci -q batch <<EOUCI
set system.@system[0].hostname='${NEW_HOSTNAME}'

# -- Create firewall zones -- #

# WAN zone (allow input for management from regular home network)
add firewall zone
set firewall.@zone[-1].name='wan'
set firewall.@zone[-1].input='ACCEPT'
set firewall.@zone[-1].output='ACCEPT'
set firewall.@zone[-1].forward='REJECT'
add_list firewall.@zone[-1].network='wan'

# Retro LAN zone (default deny any traffic and add firewall rule for forwardings)
add firewall zone
set firewall.@zone[-1].name='retro_lan'
set firewall.@zone[-1].input='REJECT'
set firewall.@zone[-1].output='ACCEPT'
set firewall.@zone[-1].forward='REJECT'
add_list firewall.@zone[-1].network='cghmn_vxlan'
add_list firewall.@zone[-1].network='retro_lan'
add_list firewall.@zone[-1].device='gre4t-cghmn_gre'

# Outer transport tunnel zone outside of Retro LAN
add firewall zone
set firewall.@zone[-1].name='tunnel'
set firewall.@zone[-1].input='REJECT'
set firewall.@zone[-1].output='ACCEPT'
set firewall.@zone[-1].forward='REJECT'
add_list firewall.@zone[-1].network='cghmn_wg'
add_list firewall.@zone[-1].network='cghmn_vxlan'

# PPP client zone
add firewall zone
set firewall.@zone[-1].name='ppp_client'
set firewall.@zone[-1].input='REJECT'
set firewall.@zone[-1].output='ACCEPT'
set firewall.@zone[-1].forward='REJECT'
set firewall.@zone[-1].masq='1'
add_list firewall.@zone[-1].network='ppp_daemon'

# -- Create network forwarding -- #

# Allow forwarding from local PPP clients to the Retro LAN
add firewall forwarding
set      firewall.@forwarding[-1].src='ppp_client'
add_list firewall.@forwarding[-1].dest='retro_lan'

# Allow forwarding from local PPP clients to the tunnel network
add firewall forwarding
set      firewall.@forwarding[-1].src='ppp_client'
add_list firewall.@forwarding[-1].dest='tunnel'

# Allow forwarding from local PPP clients to the WAN interface
add firewall forwarding
set      firewall.@forwarding[-1].src='ppp_client'
add_list firewall.@forwarding[-1].dest='wan'

# Allow forwarding from the retro LAN to the tunnel interface
add firewall forwarding
set      firewall.@forwarding[-1].src='retro_lan'
add_list firewall.@forwarding[-1].dest='tunnel'


# -- Create firewall rules -- #

# Allow VXLAN packets from transport network
add firewall rule
set firewall.@rule[-1].name='Allow VXLAN from tunnel interface'
set firewall.@rule[-1].proto='udp'
set firewall.@rule[-1].src='tunnel'
set firewall.@rule[-1].target='ACCEPT'
set firewall.@rule[-1].family='ipv4'
set firewall.@rule[-1].dest_port='4789'
set firewall.@rule[-1].src_ip='${VXLAN_PEER_IP}'

# Allow GRE packets from transport network
add firewall rule
set firewall.@rule[-1].name='Allow GRE in from tunnel interface'
set firewall.@rule[-1].proto='gre'
set firewall.@rule[-1].src='tunnel'
set firewall.@rule[-1].target='ACCEPT'

# -- Create interfaces -- #

# Delete predefined interfaces
delete network.wan
delete network.wan6
delete network.lan

# Configure integrated network switch (MT300n only)

# Switch configuration
add network switch
set network.@switch[-1]=switch
set network.@switch[-1].name='switch0'
set network.@switch[-1].reset='1'
set network.@switch[-1].enable_vlan='1'

# LAN VLAN (eth0.1)
add network switch_vlan
set network.@switch_vlan[-1]=switch_vlan
set network.@switch_vlan[-1].device='switch0'
set network.@switch_vlan[-1].vlan='1'
set network.@switch_vlan[-1].ports='1 6t'

# WAN VLAN (eth0.2)
add network switch_vlan
set network.@switch_vlan[-1]=switch_vlan
set network.@switch_vlan[-1].device='switch0'
set network.@switch_vlan[-1].vlan='2'
set network.@switch_vlan[-1].ports='0 6t'

# Create WAN interface on default WAN network port
set network.wan=interface
set network.wan.proto='dhcp'
set network.wan.device='eth0.2'

# Create Wireguard tunnel interface
set network.cghmn_wg=interface
set network.cghmn_wg.proto='wireguard'
set network.cghmn_wg.private_key='${WG_PRIVKEY}'
set network.cghmn_wg.mtu='${WG_MTU}'
add_list network.cghmn_wg.addresses='${WG_TUNNEL_INNER_LOCAL_IP4}/${WG_TUNNEL_INNER_SUBNET4_SIZE}'
#add_list network.cghmn_wg.addresses='${WG_TUNNEL_INNER_LOCAL_IP6}/${WG_TUNNEL_INNER_SUBNET6_SIZE}'

# Create VXLAN interface on Wireguard tunnel (currently disabled in favor of GRETAP)
set network.cghmn_vxlan=interface
set network.cghmn_vxlan.proto='vxlan'
set network.cghmn_vxlan.srcportmin='4789'
set network.cghmn_vxlan.mtu='1500'
#set network.cghmn_vxlan.learning='1'
set network.cghmn_vxlan.tunlink='cghmn_wg'
set network.cghmn_vxlan.peeraddr='${VXLAN_PEER_IP}'
set network.cghmn_vxlan.vid='${VXLAN_ID}'
set network.cghmn_vxlan.disabled='1'

# Create unmanaged Retro LAN bridge interface
set network.retro_lan=interface
set network.retro_lan.proto='none'
set network.retro_lan.device='br-retrolan'

# Create PPP interface for local vmodem dialin
set network.ppp_daemon=interface
set network.ppp_daemon.proto='none'
set network.ppp_daemon.device='ppp0'

# -- Configure actual network interfaces -- #

# Create and configure Retro LAN Linux bridge spanning the VXLAN and default LAN network port
add network device
set network.@device[-1].type='bridge'
set network.@device[-1].name='br-retrolan'
add_list network.@device[-1].ports='cghmn_vxlan'
add_list network.@device[-1].ports='eth0.1'

# -- Add Wireguard remote peer -- #

# Remote CGHMN Wireguard peer
add network wireguard_cghmn_wg
set network.@wireguard_cghmn_wg[-1].description='CGHMN Server'
set network.@wireguard_cghmn_wg[-1].persistent_keepalive='15'
set network.@wireguard_cghmn_wg[-1].route_allowed_ips='1'
set network.@wireguard_cghmn_wg[-1].public_key='${WG_PEER_PUBKEY}'
set network.@wireguard_cghmn_wg[-1].endpoint_host='${WG_PEER_ADDRESS}'
set network.@wireguard_cghmn_wg[-1].endpoint_port='${WG_PEER_PORT}'
#add_list network.@wireguard_cghmn_wg[-1].allowed_ips='${WG_TUNNEL_INNER_SUBNET6}/${WG_TUNNEL_INNER_SUBNET6_SIZE}'
add_list network.@wireguard_cghmn_wg[-1].allowed_ips='${WG_TUNNEL_INNER_SUBNET4}/${WG_TUNNEL_INNER_SUBNET4_SIZE}'
#add_list network.@wireguard_cghmn_wg[-1].allowed_ips='${WG_TUNNEL_REMOTE_SUBNET6}'
add_list network.@wireguard_cghmn_wg[-1].allowed_ips='${WG_TUNNEL_REMOTE_SUBNET4}'

# -- Set some WiFi defaults -- #
delete wireless.default_radio0
set wireless.radio0.band='2g'
set wireless.radio0.channel='1'
set wireless.radio0.legacy_rates='1'
set wireless.wifinet0=wifi-iface
set wireless.wifinet0.device='radio0'
set wireless.wifinet0.mode='ap'
set wireless.wifinet0.ssid='retronet'
set wireless.wifinet0.encryption='psk-mixed'
set wireless.wifinet0.key='changemepls'
set wireless.wifinet0.network='retro_lan'
set wireless.wifinet0.disabled='1'

# -- DNSmasq config -- #
set dhcp.@dnsmasq[0].localservice='0'

set system.@system[0].cghmn_is_configured=1
EOUCI

# Enable the vmodem init script
service vmodem-cghmn enable || true