.githooks/pre-push

@@ -41,13 +41,13 @@ while read -r local_ref local_sha1 remote_ref remote_sha1; do
 			push_develop="$local_sha1"
 			;;
 		hotfix/*)
-			if compare_ancestors "$local_sha1" master develop; then
+			if ! compare_ancestors "$local_sha1" develop master; then
 				echo "Reference has invalid ancestor, please base it on top of master: $local_ref" >&2
 				exit 1
 			fi
 			;;
 		feature/*|bugfix/*|refactor/*|hack/*)
-			if compare_ancestors "$local_sha1" develop master; then
+			if ! compare_ancestors "$local_sha1" master develop; then
 				echo "Reference has invalid ancestor, please base it on top of develop: $local_ref" >&2
 				exit 1
 			fi
@@ -65,12 +65,16 @@ done
 
 if [ -n "$push_master" ]; then
 	if [ -z "$push_develop" ]; then
-		echo "Develop branch has to be always updated with master branch." >&2
-		echo "Push both at the same time with: git push origin master develop" >&2
-		exit 1
-	fi
-	if ! git merge-base --is-ancestor "$push_master" "$push_develop"; then
-		echo "Tip commit of master is not merged to develop branch." >&2
-		exit 1
+		# We allow push only master if it is a fast-forward
+		if ! git merge-base --is-ancestor "$push_master" "$(git rev-parse "$remote_name/develop")"; then
+			echo "Develop branch has to be always updated with master branch." >&2
+			echo "Push both at the same time with: git push origin master develop" >&2
+			exit 1
+		fi
+	else
+		if ! git merge-base --is-ancestor "$push_master" "$push_develop"; then
+			echo "Tip commit of master is not merged to develop branch." >&2
+			exit 1
+		fi
 	fi
 fi

.github/workflows/multi-arch-test-build.yml

@@ -13,18 +13,18 @@ jobs:
           - powerpc_8540
         version:
           - master
-          - 19.07.7
-          - 21.02-SNAPSHOT
+          - 19.07.8
+          - 21.02.0
         runtime_test: [false]
         include:
           - arch: aarch64_cortex-a53
             version: master
             runtime_test: true
           - arch: aarch64_cortex-a53
-            version: 19.07.7
+            version: 19.07.8
             runtime_test: true
           - arch: aarch64_cortex-a53
-            version: 21.02-SNAPSHOT
+            version: 21.02.0
             runtime_test: true
 
     name: Target ${{ matrix.arch }} - OpenWrt ${{ matrix.version }}
@@ -37,13 +37,13 @@ jobs:
       - name: Determine changed packages
         run: |
           # only detect packages with changed Makefiles
-          PACKAGES="$(git diff --diff-filter=d --name-only origin/develop \
+          PACKAGES="$(git diff --diff-filter=d --name-only origin/master \
             | grep -E 'Makefile$|test.sh$' | grep -Ev '/files/|/src/' \
             | awk -F/ '{ print $(NF-1) }' | tr '\n' ' ')"
 
           # fallback to test packages if nothing explicitly changes this is
           # should run if other mechanics changed
-          PACKAGES="${PACKAGES:-notification-system netmetr lighttpd}"
+          PACKAGES="${PACKAGES:-vim netmetr unbound}"
 
           echo "Building $PACKAGES"
           echo "PACKAGES=$PACKAGES" >> $GITHUB_ENV

.gitscripts/new-mr

 #!/bin/bash
-repo="https://gitlab.nic.cz/turris/turris-os-packages"
+repo="https://gitlab.nic.cz/turris/os/packages"
 cur_branch="$(git branch --show-current)"
 
 

README.adoc

@@ -7,4 +7,4 @@ To understand what are files in this repository you can read appropriate
 https://openwrt.org/docs/guide-developer/packages[OpenWrt documentation].
 
 If you are looking for Turris OS itself see
-https://gitlab.labs.nic.cz/turris/turris-build[turris-build] repository.
+https://gitlab.nic.cz/turris/os/build[turris-build] repository.

WORKFLOW.adoc

@@ -2,7 +2,7 @@ Turris OS packages repository workflow
 ======================================
 
 Before you start reading please be sure that you have read and understood workflow
-for https://gitlab.labs.nic.cz/turris/turris-build/blob/hbk/WORKFLOW.adoc[turris-build].
+for https://gitlab.nic.cz/turris/os/build/blob/hbk/WORKFLOW.adoc[turris-build].
 This workflow is referencing it as this repository is used as part of release
 cycle of that one.
 

admin/cronie/Makefile

@@ -8,12 +8,12 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=cronie
-PKG_VERSION:=1.5.5
-PKG_RELEASE:=6
+PKG_VERSION:=1.5.7
+PKG_RELEASE:=2
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://github.com/cronie-crond/cronie/archive
-PKG_HASH:=22c2a2b22577c0f776c1268d0e0f305c5c041e10155022a345b43b665da0ffe9
+PKG_HASH:=30190b791c79bd72a43eb7cd6fced00be850e2e27e60852dec6dbacb82ecf21e
 
 PKG_MAINTAINER:=CZ.NIC <packaging@turris.cz>
 PKG_LICENSE:=ISC
@@ -41,6 +41,7 @@ define Package/cronie/description
   security and configuration enhancements like the ability to use pam and SELinux.
 endef
 
+# the default editor is /usr/bin/vi, but OpenWrt has vi in /bin/vi
 CONFIGURE_ARGS += \
 	--enable-syscrontab \
 	--without-selinux \
@@ -48,6 +49,7 @@ CONFIGURE_ARGS += \
 	--with-inotify \
 	--with-daemon_username=cron \
 	--with-daemon_groupname=cron \
+	--with-editor=/bin/vi \
 	--disable-anacron
 CONFIGURE_VARS += \
 		SPOOL_DIR=/var/spool/cron/crontabs

collect/haas-proxy/Makefile

@@ -8,7 +8,7 @@
 include $(TOPDIR)/rules.mk
 PKG_NAME:=haas-proxy
 PKG_VERSION:=2.0.2
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 
 PKG_SOURCE:=proxy-v$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://gitlab.nic.cz/haas/proxy/-/archive/v$(PKG_VERSION)/

collect/haas-proxy/files/haas-proxy.init

 #!/bin/sh /etc/rc.common
 
 USE_PROCD=1
-START=99
+START=96
 STOP=10
 
 DEFAULT_LOCAL_PORT=2525

collect/pakon/Makefile

@@ -9,10 +9,10 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=pakon
 PKG_VERSION:=1.2.1
-PKG_RELEASE:=2
+PKG_RELEASE:=4
 
 PKG_SOURCE_PROTO:=git
-PKG_SOURCE_URL:=https://gitlab.nic.cz/turris/pakon-light.git
+PKG_SOURCE_URL:=https://gitlab.nic.cz/turris/pakon.git
 PKG_MIRROR_HASH:=19ab1643d0133b6324eda6df2c5c4d2cf90cc3994ca8cb7e03fb3f265dcc72d2
 PKG_SOURCE_VERSION:=v$(PKG_VERSION)
 

collect/pakon/files/pakon-monitor-init

@@ -25,7 +25,7 @@ start_service() {
   procd_close_instance
 }
 
-stop_service() {
+service_stopped() {
   mkdir -p /srv/pakon/
   [ -f /var/lib/pakon.db ] && /usr/libexec/pakon-light/backup_sqlite.sh /var/lib/pakon.db /srv/pakon/pakon.db.xz
 }

collect/pakon/patches/cleanup-faster.patch

+
+From 997bc0d12fa3dbbf21582d41f657a6caff25c583 Mon Sep 17 00:00:00 2001
+From: Michal Hrusecky <michal.hrusecky@turris.com>
+Date: Mon, 6 Sep 2021 15:46:25 +0200
+Subject: [PATCH] Trigger cleanup faster
+
+Call cleanup of the database faster to allow smaller databases.
+---
+ monitor.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/monitor.py
++++ b/monitor.py
+@@ -343,7 +343,7 @@ def main():
+     # it's recommended not to touch this, unless you know really well what you're doing
+     # filling all available space in /var/lib (tmpfs) will probably break your router
+     hard_limit = int(uci_get('pakon.monitor.database_limit') or 3000000)
+-    run_check = everyN(100000)
++    run_check = everyN(1000)
+     while True:
+         try:
+             line = data_source.get_message()

collect/sentinel/sentinel-dynfw-client/Makefile

@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=sentinel-dynfw-client
 PKG_VERSION:=1.4.0
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://gitlab.nic.cz/turris/sentinel/dynfw-client.git

collect/sentinel/sentinel-dynfw-client/files/sentinel-firewall.sh

@@ -3,6 +3,10 @@ set -e
 . "${0%/*}/common.sh"
 . /lib/functions.sh
 
+IPSET="turris-sn-dynfw-block"
+
+# Always create IP set to prevent iptables error about missing ipset.
+ipset create "$IPSET" hash:ip -exist
 
 dynfw_block() {
 	local config_section="$1"
@@ -22,7 +26,7 @@ dynfw_block() {
 		[ "${chain}" == "input" ] && bypass_mark="-m mark ! --mark 0x10/0x10"
 
 		iptables_drop "${zone}" "${chain}" \
-			-m set --match-set 'turris-sn-dynfw-block' src \
+			-m set --match-set "$IPSET" src \
 			${bypass_mark} \
 			-m conntrack --ctstate NEW \
 			-m comment --comment "!sentinel: dynamic firewall block"

collect/sentinel/sentinel-fwlogs/Makefile

 #
-## Copyright (C) 2020 CZ.NIC z.s.p.o. (https://www.nic.cz/)
+## Copyright (C) 2020, 2022 CZ.NIC z.s.p.o. (https://www.nic.cz/)
 #
 ## This is free software, licensed under the GNU General Public License v3.
 # See /LICENSE for more information.
@@ -8,13 +8,12 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=sentinel-fwlogs
-PKG_VERSION:=0.1.0
+PKG_VERSION:=0.3.0
 PKG_RELEASE:=1
 
-PKG_SOURCE_PROTO:=git
-PKG_SOURCE_URL:=https://gitlab.nic.cz/turris/sentinel/fwlogs.git
-PKG_MIRROR_HASH:=fdb2dae1d7f62d5f57ccf70232a7b1aeededea3844845002167701272340029b
-PKG_SOURCE_VERSION:=v$(PKG_VERSION)
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
+PKG_SOURCE_URL:=https://gitlab.nic.cz/api/v4/projects/976/packages/generic/sentinel-fwlogs/$(PKG_VERSION)
+PKG_HASH:=e9df14ac2d2fef15b02a6291f0a580e998b74c9a5fe1c85cb6becbcbc167c8c7
 
 PKG_MAINTAINER:=CZ.NIC <packaging@turris.cz>
 PKG_LICENSE:=GPL-3.0-or-later
@@ -23,9 +22,9 @@ PKG_LICENSE_FILES:=LICENSE
 PKG_BUILD_DEPENDS:=argp-standalone
 
 PKG_INSTALL:=1
-PKG_FIXUP:=autoreconf
 
 include $(INCLUDE_DIR)/package.mk
+include $(INCLUDE_DIR)/autotools.mk
 
 define Package/sentinel-fwlogs
   SECTION:=collect
@@ -36,7 +35,7 @@ define Package/sentinel-fwlogs
   DEPENDS:=\
     +czmq \
     +msgpack-c \
-    +logc +logc-argp \
+    +logc +logc-argp +logc-czmq \
     +libnetfilter-log \
     +sentinel-firewall +iptables-mod-nflog \
     +sentinel-proxy
@@ -64,6 +63,9 @@ define Package/sentinel-fwlogs/install
 
 	$(INSTALL_DIR) $(1)/usr/libexec/sentinel/reload_hooks.d
 	$(INSTALL_BIN) ./files/restart-proxy-hook.sh $(1)/usr/libexec/sentinel/reload_hooks.d/50_nikola.sh
+
+	$(INSTALL_DIR) $(1)/usr/libexec/sentinel/status.d
+	$(INSTALL_BIN) ./files/sentinel-status.sh $(1)/usr/libexec/sentinel/status.d/20-fwlogs.sh
 endef
 
 $(eval $(call BuildPackage,sentinel-fwlogs))

collect/sentinel/sentinel-fwlogs/files/init

 #!/bin/sh /etc/rc.common
 
 USE_PROCD=1
-START=99
+START=96
 STOP=10
 
 

collect/sentinel/sentinel-fwlogs/files/sentinel-status.sh

+#!/bin/sh
+set -e
+. "${0%/*}/common.sh"
+. /lib/functions/sentinel.sh
+
+
+if service_is_running "sentinel-fwlogs"; then
+	state="$RUNNING"
+	# TODO check if connected to proxy
+else
+	allowed_to_run "fwlogs" 2>/dev/null \
+		&& state="$FAILED" \
+		|| state="$DISABLED"
+fi
+
+echo_res "FWLogs" "$state"

collect/sentinel/sentinel-i_agree_with_eula/Makefile

@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=sentinel-i_agree_with_eula
 PKG_VERSION:=1
-PKG_RELEASE:=3
+PKG_RELEASE:=4
 PKG_MAINTAINER:=CZ.NIC <packaging@turris.cz>
 
 include $(INCLUDE_DIR)/package.mk
@@ -32,12 +32,12 @@ endef
 define Package/sentinel-i_agree_with_eula/prerm
 #!/bin/sh
 [ -n "$${IPKG_INSTROOT}" ] || {
-  if [ "$$(uci -q get sentinel.main.agreed_with_eula_version)" = $(PKG_VERSION) ]; then
-    uci -q batch <<EOF
-      delete sentinel.main.agreed_with_eula_version
-      commit sentinel.main
-    EOF
-  fi
+	if [ "$$(uci -q get sentinel.main.agreed_with_eula_version)" = "$(PKG_VERSION)" ]; then
+		uci -q batch <<-EOF
+			delete sentinel.main.agreed_with_eula_version
+			commit sentinel.main
+		EOF
+	fi
 }
 endef
 

collect/sentinel/sentinel-minipot/Makefile

 #
-## Copyright (C) 2018-2020 CZ.NIC z.s.p.o. (https://www.nic.cz/)
+## Copyright (C) 2018-2021 CZ.NIC z.s.p.o. (https://www.nic.cz/)
 #
 ## This is free software, licensed under the GNU General Public License v3.
 # See /LICENSE for more information.
@@ -8,12 +8,12 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=sentinel-minipot
-PKG_VERSION:=2.0.1
-PKG_RELEASE:=2
+PKG_VERSION:=2.3.0
+PKG_RELEASE:=1
 
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://gitlab.nic.cz/turris/sentinel/minipot.git
-PKG_MIRROR_HASH:=472eeeddd7f0541caac23d6046c6f8b4e9c28cf99803024848b5bc45efd37901
+PKG_MIRROR_HASH:=01f6ff3e95c277c692aba589718cd8eafc44c3a6304cd402df7b37d2bdb14592
 PKG_SOURCE_VERSION:=v$(PKG_VERSION)
 
 PKG_MAINTAINER:=CZ.NIC <packaging@turris.cz>
@@ -35,6 +35,10 @@ define Package/sentinel-minipot
   DEPENDS:=\
     +czmq \
     +libevent2 \
+    +logc \
+    +logc-argp \
+    +logc-czmq \
+    +logc-libevent \
     +msgpack-c \
     +base64c \
     +sentinel-firewall \
@@ -62,6 +66,9 @@ define Package/sentinel-minipot/install
 
 	$(INSTALL_DIR) $(1)/usr/libexec/sentinel/reload_hooks.d
 	$(INSTALL_BIN) ./files/restart-minipot-hook.sh $(1)/usr/libexec/sentinel/reload_hooks.d/60_minipot.sh
+
+	$(INSTALL_DIR) $(1)/usr/libexec/sentinel/status.d
+	$(INSTALL_BIN) ./files/sentinel-status.sh $(1)/usr/libexec/sentinel/status.d/21-minipots.sh
 endef
 
 $(eval $(call BuildPackage,sentinel-minipot))

collect/sentinel/sentinel-minipot/files/init

 #!/bin/sh /etc/rc.common
 
 USE_PROCD=1
-START=99
+START=96
 STOP=10
 
 

collect/sentinel/sentinel-minipot/files/sentinel-status.sh

+#!/bin/sh
+set -e
+. "${0%/*}/common.sh"
+. /lib/functions/sentinel.sh
+
+
+if service_is_running "sentinel-minipot"; then
+	state="$RUNNING"
+	# TODO check if connected to proxy
+else
+	allowed_to_run "minipot" 2>/dev/null \
+		&& state="$FAILED" \
+		|| state="$DISABLED"
+fi
+
+echo_res "Minipot" "$state"
+# TODO every single minipot?