feat: Add OTA auto-update and guest IPv6 via Yggdrasil

OTA: build.sh writes version/profile to firmware, generates manifest.json with SHA256 per device. parahub-autoupdate script runs nightly at 3am, fetches manifest (Yggdrasil first), verifies checksum, runs sysupgrade. sysupgrade.conf preserves /etc/parahub/, yggdrasil.conf, dropbear keys. Guest IPv6: Yggdrasil 300::/64 subnet assigned to guest via SLAAC. Separate yggdrasil firewall zone (5 zones total) with guest→yggdrasil forwarding. IPv6 exempt from tc shaping — full speed to Parahub services. IPv6 to WAN blocked. Heartbeat now reads version from file, not hardcoded. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-06 08:09:27 +00:00
parent 6d6cffa42c
commit c5b9229ad0
6 changed files with 260 additions and 13 deletions
--- a/scripts/build.sh
+++ b/scripts/build.sh
@@ -167,12 +167,14 @@ build_firmware() {
        packages="${PACKAGES_BUMBLEBEE[*]} ${PACKAGES_EXTRA:-}"
    fi

-    # Create temp FILES dir with role marker
+    # Create temp FILES dir with role marker + version/profile
    local tmpfiles
    tmpfiles=$(mktemp -d)
    cp -a "${PROJECT_DIR}/files/"* "$tmpfiles/"
    mkdir -p "$tmpfiles/etc/parahub"
    echo "$FIRMWARE_ROLE" > "$tmpfiles/etc/parahub/role"
+    echo "$OPENWRT_VERSION" > "$tmpfiles/etc/parahub/version"
+    echo "$PROFILE" > "$tmpfiles/etc/parahub/profile"

    echo "Building firmware for profile: ${PROFILE}"
    echo "Role: ${FIRMWARE_ROLE}"
@@ -192,6 +194,65 @@ build_firmware() {
    ls -lh "${PROJECT_DIR}/output/"*.bin 2>/dev/null || true
    ls -lh "${PROJECT_DIR}/output/"*.img* 2>/dev/null || true
    ls -lh "${PROJECT_DIR}/output/"*.itb 2>/dev/null || true
+
+    # Update manifest.json with this device's sysupgrade info
+    update_manifest
+}
+
+update_manifest() {
+    local manifest="${PROJECT_DIR}/output/manifest.json"
+    local sysupgrade_file sha256
+
+    # Find the sysupgrade.bin for this profile
+    sysupgrade_file=$(ls "${PROJECT_DIR}/output/"*"${PROFILE}"*-sysupgrade.bin 2>/dev/null | head -1)
+
+    if [ -z "$sysupgrade_file" ]; then
+        echo "Warning: No sysupgrade.bin found for ${PROFILE}, skipping manifest update"
+        return
+    fi
+
+    sha256=$(sha256sum "$sysupgrade_file" | cut -d' ' -f1)
+    local filename
+    filename=$(basename "$sysupgrade_file")
+
+    # Create or update manifest.json
+    if [ -f "$manifest" ]; then
+        # Update existing manifest — replace version + add/update device entry
+        local tmp
+        tmp=$(mktemp)
+        python3 -c "
+import json, sys
+with open('$manifest') as f:
+    m = json.load(f)
+m['version'] = '$OPENWRT_VERSION'
+m.setdefault('devices', {})['$PROFILE'] = {
+    'sysupgrade': '$filename',
+    'sha256': '$sha256'
+}
+json.dump(m, sys.stdout, indent=2)
+" > "$tmp" && mv "$tmp" "$manifest"
+    else
+        # Create new manifest
+        python3 -c "
+import json, sys
+m = {
+    'version': '$OPENWRT_VERSION',
+    'devices': {
+        '$PROFILE': {
+            'sysupgrade': '$filename',
+            'sha256': '$sha256'
+        }
+    }
+}
+json.dump(m, sys.stdout, indent=2)
+" > "$manifest"
+    fi
+
+    echo ""
+    echo "Manifest updated: ${manifest}"
+    echo "  Device: ${PROFILE}"
+    echo "  File:   ${filename}"
+    echo "  SHA256: ${sha256}"
 }

 # ============================================================================