chore: initial repo setup with baseline config backup

- Pull current config from router (OpenWRT 24.10.2) - Add backup, safe-apply, and push-all scripts - Add CLAUDE.md with workflow rules and context - Add network-map.md with current topology and planned VLANs Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-21 13:54:16 +00:00
commit 4ee41bf881
17 changed files with 1601 additions and 0 deletions
--- a/config/dhcp
+++ b/config/dhcp
@@ -0,0 +1,80 @@
+
+config dnsmasq
+	option domainneeded '1'
+	option localise_queries '1'
+	option rebind_protection '1'
+	option rebind_localhost '1'
+	option local '/lan/'
+	option domain 'lan'
+	option expandhosts '1'
+	option cachesize '1000'
+	option authoritative '1'
+	option readethers '1'
+	option leasefile '/tmp/dhcp.leases'
+	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
+	option localservice '1'
+	option ednspacket_max '1232'
+
+config dhcp 'lan'
+	option interface 'lan'
+	option start '100'
+	option limit '150'
+	option leasetime '12h'
+	option dhcpv4 'server'
+	option dhcpv6 'server'
+	option ra 'server'
+	list ra_flags 'managed-config'
+	list ra_flags 'other-config'
+
+config dhcp 'wan'
+	option interface 'wan'
+	option ignore '1'
+
+config odhcpd 'odhcpd'
+	option maindhcp '0'
+	option leasefile '/tmp/hosts/odhcpd'
+	option leasetrigger '/usr/sbin/odhcpd-update'
+	option loglevel '4'
+
+config host
+	option name 'everlost.lan'
+	list mac '2C:CF:67:22:B0:52'
+	option ip '10.0.0.2'
+	option leasetime 'infinite'
+
+config host
+	option name 'homeassistant.lan'
+	list mac '2C:CF:67:71:81:82'
+	option ip '10.0.0.11'
+	option leasetime 'infinite'
+
+config host
+	option name 'doorbell.lan'
+	list mac 'D0:76:02:1B:0E:26'
+	option ip '10.0.0.41'
+	option leasetime 'infinite'
+
+config host
+	option name 'frigate.lan'
+	list mac '2C:CF:67:71:91:F0'
+	option ip '10.0.0.12'
+	option leasetime 'infinite'
+
+config host
+	option name 'jester.lan'
+	list mac '10:C3:7B:4E:B2:3F'
+	option ip '10.0.0.21'
+	option leasetime 'infinite'
+
+config host
+	option name 'wayfaerer.lan'
+	list mac 'B8:27:EB:F1:F4:FC'
+	option ip '10.0.0.22'
+	option leasetime 'infinite'
+
+config dhcp 'guest'
+	option interface 'guest'
+	option start '100'
+	option limit '150'
+	option leasetime '12h'
+
--- a/config/dropbear
+++ b/config/dropbear
@@ -0,0 +1,7 @@
+
+config dropbear 'main'
+	option enable '1'
+	option PasswordAuth '0'
+	option RootPasswordAuth '0'
+	option Port '22'
+
--- a/config/firewall
+++ b/config/firewall
@@ -0,0 +1,259 @@
+
+config defaults
+	option input 'REJECT'
+	option output 'ACCEPT'
+	option forward 'REJECT'
+	option synflood_protect '1'
+	option flow_offloading '1'
+	option flow_offloading_hw '1'
+
+config zone
+	option name 'lan'
+	option input 'ACCEPT'
+	option output 'ACCEPT'
+	option forward 'ACCEPT'
+	list network 'lan'
+
+config zone
+	option name 'wan'
+	option input 'REJECT'
+	option output 'ACCEPT'
+	option forward 'REJECT'
+	option masq '1'
+	option mtu_fix '1'
+	list network 'wan'
+
+config forwarding
+	option src 'lan'
+	option dest 'wan'
+
+config rule
+	option name 'Allow-DHCP-Renew'
+	option src 'wan'
+	option proto 'udp'
+	option dest_port '68'
+	option target 'ACCEPT'
+	option family 'ipv4'
+
+config rule
+	option name 'Allow-Ping'
+	option src 'wan'
+	option proto 'icmp'
+	option icmp_type 'echo-request'
+	option family 'ipv4'
+	option target 'ACCEPT'
+
+config rule
+	option name 'Allow-IGMP'
+	option src 'wan'
+	option proto 'igmp'
+	option family 'ipv4'
+	option target 'ACCEPT'
+
+config rule
+	option name 'Allow-DHCPv6'
+	option src 'wan'
+	option proto 'udp'
+	option dest_port '546'
+	option family 'ipv6'
+	option target 'ACCEPT'
+
+config rule
+	option name 'Allow-MLD'
+	option src 'wan'
+	option proto 'icmp'
+	option src_ip 'fe80::/10'
+	list icmp_type '130/0'
+	list icmp_type '131/0'
+	list icmp_type '132/0'
+	list icmp_type '143/0'
+	option family 'ipv6'
+	option target 'ACCEPT'
+
+config rule
+	option name 'Allow-ICMPv6-Input'
+	option src 'wan'
+	option proto 'icmp'
+	list icmp_type 'echo-request'
+	list icmp_type 'echo-reply'
+	list icmp_type 'destination-unreachable'
+	list icmp_type 'packet-too-big'
+	list icmp_type 'time-exceeded'
+	list icmp_type 'bad-header'
+	list icmp_type 'unknown-header-type'
+	list icmp_type 'router-solicitation'
+	list icmp_type 'neighbour-solicitation'
+	list icmp_type 'router-advertisement'
+	list icmp_type 'neighbour-advertisement'
+	option limit '1000/sec'
+	option family 'ipv6'
+	option target 'ACCEPT'
+
+config rule
+	option name 'Allow-ICMPv6-Forward'
+	option src 'wan'
+	option dest '*'
+	option proto 'icmp'
+	list icmp_type 'echo-request'
+	list icmp_type 'echo-reply'
+	list icmp_type 'destination-unreachable'
+	list icmp_type 'packet-too-big'
+	list icmp_type 'time-exceeded'
+	list icmp_type 'bad-header'
+	list icmp_type 'unknown-header-type'
+	option limit '1000/sec'
+	option family 'ipv6'
+	option target 'ACCEPT'
+
+config rule
+	option name 'Allow-IPSec-ESP'
+	option src 'wan'
+	option dest 'lan'
+	option proto 'esp'
+	option target 'ACCEPT'
+
+config rule
+	option name 'Allow-ISAKMP'
+	option src 'wan'
+	option dest 'lan'
+	option dest_port '500'
+	option proto 'udp'
+	option target 'ACCEPT'
+
+config redirect
+	option dest 'lan'
+	option target 'DNAT'
+	option name 'HTTP'
+	list proto 'tcp'
+	option src 'wan'
+	option src_dport '80'
+	option dest_ip '10.0.0.2'
+	option dest_port '80'
+
+config redirect
+	option dest 'lan'
+	option target 'DNAT'
+	option name 'HTTPS'
+	list proto 'tcp'
+	option src 'wan'
+	option src_dport '443'
+	option dest_ip '10.0.0.2'
+	option dest_port '443'
+
+config redirect
+	option dest 'lan'
+	option target 'DNAT'
+	option name 'SSH - Everlost'
+	list proto 'tcp'
+	option src 'wan'
+	option src_dport '22563'
+	option dest_ip '10.0.0.2'
+	option dest_port '22563'
+
+config redirect
+	option dest 'lan'
+	option target 'DNAT'
+	option name 'SSH - Home Assistant'
+	list proto 'tcp'
+	option src 'wan'
+	option src_dport '22553'
+	option dest_ip '10.0.0.11'
+	option dest_port '22553'
+
+config redirect
+	option dest 'lan'
+	option target 'DNAT'
+	option name 'SSH - Frigate'
+	list proto 'tcp'
+	option src 'wan'
+	option src_dport '22583'
+	option dest_ip '10.0.0.12'
+	option dest_port '22583'
+
+config redirect
+	option dest 'lan'
+	option target 'DNAT'
+	option name 'SSH - Jester'
+	list proto 'tcp'
+	option src 'wan'
+	option src_dport '22573'
+	option dest_ip '10.0.0.21'
+	option dest_port '22573'
+
+config redirect
+	option dest 'lan'
+	option target 'DNAT'
+	option name 'SSH - Wayfaerer'
+	list proto 'tcp'
+	option src 'wan'
+	option src_dport '22593'
+	option dest_ip '10.0.0.22'
+	option dest_port '22593'
+
+config redirect
+	option dest 'lan'
+	option target 'DNAT'
+	option name 'Wireguard'
+	list proto 'udp'
+	option src 'wan'
+	option src_dport '51820'
+	option dest_ip '10.0.0.2'
+	option dest_port '51820'
+
+config redirect
+	option dest 'lan'
+	option target 'DNAT'
+	option name 'Plex - Jester'
+	list proto 'tcp'
+	option src 'wan'
+	option src_dport '32400'
+	option dest_ip '10.0.0.21'
+	option dest_port '32400'
+
+config redirect
+	option dest 'lan'
+	option target 'DNAT'
+	option name 'Plex - Wayfaerer'
+	list proto 'tcp'
+	option src 'wan'
+	option src_dport '32450'
+	option dest_ip '10.0.0.22'
+	option dest_port '32450'
+
+config zone
+	option name 'guest'
+	option input 'ACCEPT'
+	option output 'ACCEPT'
+	option forward 'ACCEPT'
+	list network 'guest'
+	option masq '1'
+
+config forwarding
+	option src 'guest'
+	option dest 'wan'
+
+config rule
+	option src 'guest'
+	option name 'Guest DHCP and DNS'
+	option dest_port '53 67 68'
+	option target 'ACCEPT'
+
+config rule
+	option src 'guest'
+	option dest 'lan'
+	option name 'Guest Pihole access'
+	option src_port '53'
+	list dest_ip '10.0.0.2'
+	option dest_port '54'
+	option target 'ACCEPT'
+
+config redirect
+	option dest 'lan'
+	option target 'DNAT'
+	option name 'SSH - Gitea'
+	list proto 'tcp'
+	option src 'wan'
+	option src_dport '2222'
+	option dest_ip '10.0.0.2'
+	option dest_port '2222'
+
--- a/config/network
+++ b/config/network
@@ -0,0 +1,59 @@
+
+config interface 'loopback'
+	option device 'lo'
+	option proto 'static'
+	option ipaddr '127.0.0.1'
+	option netmask '255.0.0.0'
+
+config globals 'globals'
+	option ula_prefix 'fde4:b048:39cd::/48'
+	option packet_steering '1'
+
+config device
+	option name 'br-lan'
+	option type 'bridge'
+	list ports 'lan1'
+	list ports 'lan2'
+	list ports 'lan3'
+	list ports 'lan4'
+	option ipv6 '1'
+
+config interface 'lan'
+	option device 'br-lan'
+	option proto 'static'
+	option ipaddr '10.0.0.1'
+	option netmask '255.255.255.0'
+	option ip6assign '60'
+	list dns '10.0.0.2'
+
+config interface 'wan'
+	option device 'wan'
+	option proto 'pppoe'
+	option username 'suburbanme@plusdsl.net'
+	option password 'Fo4oD7naqzHpEdnO'
+	option ipv6 '0'
+	option force_link '1'
+	option sourcefilter '0'
+	option delegate '0'
+
+config device
+	option name 'pppoe-wan'
+	option ipv6 '0'
+
+config device
+	option name 'eth0'
+
+config device
+	option type 'bridge'
+	option name 'br-guest'
+	option bridge_empty '1'
+	option ipv6 '0'
+
+config interface 'guest'
+	option proto 'static'
+	option device 'br-guest'
+	option ipaddr '10.10.10.1'
+	option netmask '255.255.255.0'
+	list dns '10.0.0.2'
+	option delegate '0'
+
--- a/config/system
+++ b/config/system
@@ -0,0 +1,31 @@
+
+config system
+	option hostname 'OpenWrt'
+	option timezone 'UTC'
+	option ttylogin '0'
+	option log_size '128'
+	option urandom_seed '0'
+	option compat_version '1.1'
+
+config timeserver 'ntp'
+	option enabled '1'
+	option enable_server '0'
+	list server '0.openwrt.pool.ntp.org'
+	list server '1.openwrt.pool.ntp.org'
+	list server '2.openwrt.pool.ntp.org'
+	list server '3.openwrt.pool.ntp.org'
+
+config led 'led_lan'
+	option name 'LAN'
+	option sysfs 'green:lan'
+	option trigger 'netdev'
+	option mode 'link tx rx'
+	option dev 'br-lan'
+
+config led 'led_wan'
+	option name 'WAN'
+	option sysfs 'green:wan'
+	option trigger 'netdev'
+	option mode 'link tx rx'
+	option dev 'wan'
+
--- a/config/wireless
+++ b/config/wireless
@@ -0,0 +1,57 @@
+
+config wifi-device 'radio0'
+	option type 'mac80211'
+	option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0'
+	option band '2g'
+	option channel 'auto'
+	option htmode 'HE20'
+	option country 'GB'
+	option cell_density '0'
+	option disabled '0'
+
+config wifi-device 'radio1'
+	option type 'mac80211'
+	option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0+1'
+	option band '5g'
+	option channel 'auto'
+	option htmode 'HE80'
+	option country 'GB'
+	option cell_density '0'
+	option disabled '0'
+
+config wifi-iface 'wifinet0'
+	option device 'radio0'
+	option mode 'ap'
+	option ssid 'Moonshield'
+	option encryption 'sae-mixed'
+	option key 'REDACTED'
+	option ocv '0'
+	option wpa_disable_eapol_key_retries '1'
+	option network 'lan'
+
+config wifi-iface 'wifinet1'
+	option device 'radio1'
+	option mode 'ap'
+	option ssid 'Moonshield'
+	option encryption 'sae-mixed'
+	option key 'REDACTED'
+	option ocv '0'
+	option wpa_disable_eapol_key_retries '1'
+	option network 'lan'
+
+config wifi-iface 'wifinet2'
+	option device 'radio0'
+	option mode 'ap'
+	option ssid 'Stow on the Wireless'
+	option encryption 'psk2'
+	option key 'REDACTED'
+	option network 'guest'
+
+config wifi-iface 'wifinet3'
+	option device 'radio1'
+	option mode 'ap'
+	option ssid 'Stow on the Wireless'
+	option encryption 'psk2'
+	option key 'REDACTED'
+	option network 'guest'
+