docs/user/getting_started.rst

@@ -4,41 +4,61 @@ Getting Started
 Selecting the right version
 ---------------------------
 
-Gluon's releases are managed using `Git tags`_. If you're a community getting
+Gluon's releases are managed using `Git tags`_. If you are just getting
 started with Gluon we recommend to use the latest stable release of Gluon.
 
 Take a look at the `list of gluon releases`_ and notice the latest release,
-e.g. *v2014.3*.
+e.g. *v2023.2.5*. Always get Gluon using git and don't try to download it
+as a Zip archive as the archive will be missing version information.
 
-Please keep in mind that a matching site configuration for your community
-is required. Due to new features being added (or sometimes being removed)
-the format of the site configuration changes slightly between releases.
+Please keep in mind that there is no "default Gluon" build; a site configuration
+is required to adjust Gluon to your needs. Due to new features being added (or
+sometimes being removed) the format of the site configuration changes slightly
+between releases. Please refer to our release notes for instructions to update
+an old site configuration to a newer release of Gluon.
 
-Recent releases (starting with *v2014.3.1*) will come with an example
-configuration located in *docs/site-example/*.
+An example configuration can be found in the Gluon repository at *docs/site-example/*.
 
-.. _Git tags: http://git-scm.com/book/en/Git-Basics-Tagging
+.. _Git tags: https://git-scm.com/book/en/v2/Git-Basics-Tagging
 .. _list of gluon releases: https://github.com/freifunk-gluon/gluon/releases
 
 Dependencies
 ------------
 To build Gluon, several packages need to be installed on the system. On a
-freshly installed Debian Wheezy system the following packages are required:
+freshly installed Debian Bullseye system the following packages are required:
 
+* `clang`
 * `git` (to get Gluon and other dependencies)
-* `subversion`
+* `python3`
+* `python3-dev`
+* `python3-pyelftools`
+* `python3-setuptools`
 * `build-essential`
 * `gawk`
 * `unzip`
 * `libncurses-dev` (actually `libncurses5-dev`)
 * `libz-dev` (actually `zlib1g-dev`)
+* `libssl-dev`
+* `libelf-dev` (to build x86-64)
+* `llvm`
+* `wget`
+* `rsync`
+* `time` (built-in `time` doesn't work)
+* `qemu-utils`
+* `ecdsautils` (to sign firmware, see `contrib/sign.sh`)
+* `swig`
+
+We also provide a container environment that already tracks all these dependencies. It quickly gets you up and running, if you already have either Docker or Podman installed locally.
 
+::
+
+  ./scripts/container.sh
 
 Building the images
 -------------------
 
 To build Gluon, first check out the repository. Replace *RELEASE* with the
-version you'd like to checkout, e.g. *v2015.1*.
+version you'd like to checkout, e.g. *v2023.2.5*.
 
 ::
 
@@ -47,88 +67,231 @@ version you'd like to checkout, e.g. *v2015.1*.
 This command will create a directory named *gluon/*.
 It might also tell a scary message about being in a *detached state*.
 **Don't panic!** Everything's fine.
-Now, enter the freshly created directory:
-
-::
+Now, enter the freshly created directory::
 
   cd gluon
 
-It's time to add (or create) your site configuration.
-So let's create the directory *site/*:
+It's time to add (or create) your site configuration. If you already
+have a site repository, just clone it::
 
-::
+  git clone https://github.com/freifunk-alpha-centauri/site-ffac.git site
+
+If you want to build a new site, create a new git repository *site/*::
 
   mkdir site
   cd site
+  git init
 
-Copy *site.conf*, *site.mk* and *i18n* from *docs/site-example*:
-
-::
+Copy *site.conf*, *site.mk* and *i18n* from *docs/site-example*::
 
   cp ../docs/site-example/site.conf .
   cp ../docs/site-example/site.mk .
   cp -r ../docs/site-example/i18n .
 
-Edit these files to match your community, then go back to the top-level Gluon
-directory and build Gluon:
+Edit these files as you see fit and commit them into the site repository.
+Extensive documentation about the site configuration can be found at:
+:doc:`site`. The
+site directory should always be a git repository by itself; committing site-specific files
+to the Gluon main repository should be avoided, as it will make updates more complicated.
 
-::
+Next go back to the top-level Gluon directory and build Gluon\ [#make_update]_::
 
   cd ..
   make update                       # Get other repositories used by Gluon
-    make GLUON_TARGET=ar71xx-generic   # Build Gluon
+  make GLUON_TARGET=ath79-generic   # Build Gluon
 
-When calling make, the OpenWrt build environment is prepared/updated.
-In case of errors read the messages carefully and try to fix the stated issues (e.g. install tools not available yet).
+In case of errors read the messages carefully and try to fix the stated issues
+(e.g. install missing tools not available or look for Troubleshooting_ in the wiki.
 
-``ar71xx-generic`` is the most common target and will generated images for most of the supported hardware.
+.. _Troubleshooting: https://github.com/freifunk-gluon/gluon/wiki/Troubleshooting
+
+``ath79-generic`` is the most common target and will generate images for most of the supported hardware.
 To see a complete list of supported targets, call ``make`` without setting ``GLUON_TARGET``.
 
-The built images can be found in the directory `images`. Of these, the factory
+To build all targets use a loop like this::
+
+  for TARGET in $(make list-targets); do
+    make GLUON_TARGET=$TARGET
+  done
+
+You should generally reserve 5GB of disk space and additionally about 10GB for each `GLUON_TARGET`.
+
+The built images can be found in the directory `output/images`. Of these, the `factory`
 images are to be used when flashing from the original firmware a device came with,
-and sysupgrade is to upgrade from other versions of Gluon or any other OpenWRT-based
+and `sysupgrade` is to upgrade from other versions of Gluon or any other OpenWrt-based
 system.
 
-You should reserve about 10GB of disk space for each `GLUON_TARGET`.
+**Note:** The images for some models are identical; to save disk space, symlinks are generated instead
+of multiple copies of the same image. If your webserver's configuration prohibits following
+symlinks, you can use the following command to resolve these links while copying the images::
 
-There are two levels of `make clean`:
+  cp -rL output/images /var/www
 
-::
+The directory `output/debug` contains a compressed kernel image for each
+architecture.
+These can be used for debugging and should be stored along with the images to
+allow debugging of kernel problems on devices in the field.
+See :ref:`Debugging <dev-debugging-kernel-oops>` for more information.
+
+.. rubric:: Footnotes
+
+.. [#make_update] ``make update`` only needs to be called again after updating the
+  Gluon repository (using ``git pull`` or similar) or after changing branches,
+  not for each build. Running it more often than necessary is undesirable, as
+  the update will take some time, and may undo manual modifications of the
+  external repositories while developing on Gluon.
+
+  See :ref:`working-with-repositories` for more information.
+
+Cleaning the build tree
+.......................
 
-    make clean GLUON_TARGET=ar71xx-generic
+There are two levels of `make clean`::
 
-will ensure all packages are rebuilt for a single target; this is what you normally want to do after an update.
+  make clean GLUON_TARGET=ath79-generic
+
+will ensure all packages are rebuilt for a single target. This is usually not
+necessary, but may fix certain kinds of build failures.
 
 ::
 
   make dirclean
 
-will clean the entire tree, so the toolchain will be rebuilt as well, which is
-not necessary in most cases, and will take a while.
+will clean the entire tree, so the toolchain will be rebuilt as well, which will take a while.
 
+opkg repositories
+-----------------
 
-Environment variables
----------------------
+Gluon is mostly compatible with OpenWrt, so the normal OpenWrt package repositories
+can be used for Gluon as well.
 
-Gluon's build process can be controlled by various environment variables.
+This is not true for kernel modules; the Gluon kernel is incompatible with the
+kernel of the default OpenWrt images. Therefore, Gluon will not only generate images,
+but also an opkg repository containing all core packages provided by OpenWrt,
+including modules for the kernel of the generated images.
 
-GLUON_SITEDIR
-  Path to the site configuration. Defaults to ``site/``.
+Signing keys
+............
 
-GLUON_IMAGEDIR
-  Path where images will be stored. Defaults to ``images/``.
+Gluon does not support HTTPS for downloading packages; fortunately, opkg deploys
+public-key cryptography to ensure package integrity.
 
-GLUON_BUILDDIR
-  Working directory during build. Defaults to ``build/``.
+The Gluon images will contain public keys from two sources: the official OpenWrt keyring
+(to allow installing userspace packages) and a Gluon-specific key (which is used
+to sign the generated package repository).
 
+OpenWrt will handle the generation and handling of the keys itself.
+When making firmware releases based on Gluon, it might make sense to store
+the keypair, so updating the module repository later is possible.
+In fact you should take care to reuse the same opkg keypair, so you don't pollute the key
+store (see ``/etc/opkg/keys``) on the node.
 
-So all in all, to update and rebuild a Gluon build tree, the following commands should be used (repeat the
-``make clean`` and ``make`` for all targets you want to build):
+The signing-key is stored at ``openwrt/key-build.pub``, ``openwrt/key-build``,
+``key-build.ucert`` and  ``key-build.ucert.revoke``.
 
-::
+The ``openwrt`` directory is the Git checkout, that gets created after calling ``make update``.
+After making a fresh clone copy the key files to the aforementioned locations.
+
+.. _getting-started-make-variables:
 
-    git pull
-    (cd site && git pull)
-    make update
-    make clean GLUON_TARGET=ar71xx-generic
-    make GLUON_TARGET=ar71xx-generic
+Make variables
+--------------
+
+Gluon's build process can be controlled by various variables. They can
+usually be set on the command line or in ``site.mk``.
+
+Common variables
+................
+
+GLUON_AUTOUPDATER_BRANCH
+  Overrides the default branch of the autoupdater set in ``site.conf``. For the ``make manifest`` command,
+  ``GLUON_AUTOUPDATER_BRANCH`` defines the branch to generate a manifest for.
+
+GLUON_AUTOUPDATER_ENABLED
+  Set to ``1`` to enable the autoupdater by default for newly installed nodes.
+
+GLUON_DEPRECATED
+  Controls whether images for deprecated devices should be built. The following
+  values are supported:
+
+  - ``0``: Do not build any images for deprecated devices.
+  - ``upgrade``: Only build sysupgrade images for deprecated devices.
+  - ``full``: Build both sysupgrade and factory images for deprecated devices.
+
+  Usually, devices are deprecated because their flash size is insufficient to
+  support future Gluon versions. The recommended setting is ``0`` for new sites,
+  and ``upgrade`` for existing configurations (where upgrades for existing
+  deployments of low-flash devices are required). Defaults to ``0``.
+
+GLUON_LANGS
+  Space-separated list of languages to include for the config mode/advanced settings. Defaults to ``en``.
+  ``en`` should always be included, other supported languages are ``de`` and ``fr``.
+
+GLUON_PRIORITY
+  Defines the priority of an automatic update in ``make manifest``. See :doc:`../features/autoupdater` for
+  a detailed description of this value.
+
+GLUON_REGION
+  Some devices (at the moment the TP-Link Archer C7) contain a region code that restricts
+  firmware installations. Set GLUON_REGION to ``eu`` or ``us`` to make the resulting
+  images installable from the respective stock firmware.
+
+GLUON_RELEASE
+  Firmware release number: This string is displayed in the config mode, announced
+  via respondd/alfred and used by the autoupdater to decide if a newer version
+  is available. The same GLUON_RELEASE has to be passed to ``make`` and ``make manifest``
+  to generate a correct manifest.
+
+GLUON_SITE_VERSION
+  Version of the site configuration. This string is displayed in the config mode
+  and ``gluon-info``. If unset, Gluon generates a version string using ``git describe``
+  on the site folder.
+
+GLUON_TARGET
+  Target architecture to build.
+
+Special variables
+.................
+
+GLUON_AUTOREMOVE
+  Setting ``GLUON_AUTOREMOVE=1`` enables the ``CONFIG_AUTOREMOVE`` OpenWrt setting, which will delete package build
+  directories after a package build has finished to save space. This is mostly useful for CI builds from scratch. Do
+  not set this flag during development (or generally, when you want to reuse your build tree for subsequent builds),
+  as it significantly increases incremental build times.
+
+GLUON_DEBUG
+  The following values are supported:
+
+  - ``0``: Remove symbol tables and debug information as well as most section and other
+    information not strictly necessary for execution using ``sstrip``. This saves a small amount
+    of flash space over the default ``strip`` command (roughly 70kiB for ath79), but makes any
+    kind of binary analysis much more difficult, as common tools like objdump and gdb can't
+    handle such files at all.
+  - ``1``: Remove symbol tables and debug information from binaries using the standard ``strip``
+    command. This is the default.
+  - ``2``:  Include debugging symbols usable with GDB or similar tools in all binaries of the image.
+    Requires a device or target with at least 16 MB of flash space, e.g. ``x86-64``.
+
+GLUON_MINIFY
+  Setting ``GLUON_MINIFY=0`` will omit the minification of scripts during the build process. By
+  default the flag is set to ``1``. Disabling the flag is handy if human readable scripts on the
+  devices are desired for development purposes. Be aware that this will increase the size of the
+  resulting images and is therefore not suitable for devices with small flash chips.
+
+GLUON_DEVICES
+  List of devices to build. The list contains the Gluon profile name of a device, the profile
+  name is the first parameter of the ``device`` command in a target file.
+  e.g. ``GLUON_DEVICES="avm-fritz-box-4020 tp-link-tl-wdr4300-v1"``.
+  Empty by default to build all devices of a target.
+
+GLUON_IMAGEDIR
+  Path where images will be stored. Defaults to ``$(GLUON_OUTPUTDIR)/images``.
+
+GLUON_PACKAGEDIR
+  Path where the opkg package repository will be stored. Defaults to ``$(GLUON_OUTPUTDIR)/packages``.
+
+GLUON_OUTPUTDIR
+  Path where output files will be stored. Defaults to ``output``.
+
+GLUON_SITEDIR
+  Path to the site configuration. Defaults to ``site``.

docs/user/mtu.rst

+.. _mtu:
+
+MTU for Mesh-VPN
+================
+
+What is a good MTU on the mesh-vpn?
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Setting the MTU on the transport interface requires careful consideration, as
+setting it too low will cause excessive fragmentation and setting it too high
+may leave peers with a broken tunnel due to packet loss.
+
+Consider these key values:
+
+- Payload: Allow for the transport of IPv6 packets, by adhering to the minimum MTU
+  of 1280 Byte specified in RFC 2460
+  - and configure `MSS clamping`_ accordingly,
+  - and announce your link MTU via Router Advertisements and DHCP
+
+  .. _MSS clamping: https://tldp.org/HOWTO/Adv-Routing-HOWTO/lartc.cookbook.mtu-mss.html
+
+- Encapsulation: Account for the overhead created by the configured mesh protocol
+  encapsulating the payload, which is up to 32 Byte (14 Byte Ethernet + 18 Byte
+  batman-adv).
+
+- PMTU: What MTU does the path between your gateway and each of its peers support?
+
+For reference, the complete MTU stack looks like this:
+
+.. image:: mtu-diagram_v5.png
+
+Example for Minimum MTU
+-----------------------
+
+Calculate the minimum transport MTU by adding the encapsulation overhead to the
+minimum payload MTU required. This is the lowest recommended value, since going
+lower would cause unnecessary fragmentation for clients which respect the announced
+link MTU.
+
+.. editorconfig-checker-disable
+
+Example: Our network currently uses batman-adv v15, it therefore requires up
+to 32 Bytes of encapsulation overhead on top of the minimal link MTU required for
+transporting IPv6.::
+
+  \        1312              1294          1280                                 0
+   \---------+-----------------+-------------+----------------------------------+
+    \TAP     |  batman-adv v15 |   Ethernet  |            Payload               |
+     \-------+-----------------+-------------+----------------------------------+
+      \      ^
+             |
+
+          MTU_LOW = 1280 Byte + 14 Byte + 18 Byte = 1312 Byte
+
+Example for Maximum MTU
+-----------------------
+
+Calculating the maximum transport MTU is interesting, because it increases the
+throughput, by allowing larger payloads to be transported, but also more difficult
+as you have to take into account the tunneling overhead and each peers PMTU, which
+varies between providers.
+The underlying reasons are mostly PPPoE, tunneling and IPv6 transition technologies
+like DS-Lite.
+
+Example: The peer with the smallest MTU on your network is behind DS-Lite and can
+transport IPv4 packets up to 1436 Bytes in size. Your tunnel uses IPv4 (20 Byte),
+UDP (8 Byte), Fastd (24 byte) and you require TAP (14 Byte) for Layer 2 (Ethernet)
+tunneling.::
+
+  1436                1416     1408                    1384          1370    \
+    +-------------------+--------+-----------------------+-------------+------\
+    |        IP         |  UDP   |         Fastd         |     TAP     |    bat\
+    +-------------------+--------+-----------------------+-------------+--------\
+                                                                       ^         \
+                                                                       |
+
+       MTU_HIGH = 1436 Byte - 20 Byte - 8 Byte - 24 Byte - 14 Byte = 1370 Byte
+
+.. editorconfig-checker-enable
+
+Tables for Different VPN Providers
+----------------------------------
+
+VPN Protocol Overhead (IPv4)
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+Overhead of the VPN protocol layers in bytes on top of an Ethernet frame.
+
++----------+-------+-----------+
+|          | fastd | WireGuard |
++==========+=======+===========+
+| IPv4     | 20    | 20        |
++----------+-------+-----------+
+| UDP      | 8     | 8         |
++----------+-------+-----------+
+| Protocol | 24    | 32        |
++----------+-------+-----------+
+| TAP      | 14    | /         |
++----------+-------+-----------+
+| Sum      | 66    | 60        |
++----------+-------+-----------+
+
+Intermediate Layer Overhead
+^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+Overhead of additional layers on top of the VPN packet needed for different VPN
+providers.
+
++------------+-------+-----------+
+|            | fastd | WireGuard |
++============+=======+===========+
+| IPv6       | /     | 40        |
++------------+-------+-----------+
+| vxlan      | /     | 16        |
++------------+-------+-----------+
+| Ethernet   | /     | 14        |
++------------+-------+-----------+
+| Batman v15 | 18    | 18        |
++------------+-------+-----------+
+| Ethernet   | 14    | 14        |
++------------+-------+-----------+
+| Sum        | 32    | 102       |
++------------+-------+-----------+
+
+Minimum MTU
+^^^^^^^^^^^
+
+Calculation of different derived MTUs based on a 1280 byte payload to
+avoid fragmentation.
+
+Suggestions:
+
+- This configuration is only suggested for fastd.
+
+- For WireGuard, this configuration is **unsuitable**. To obtain a 1280 byte
+  payload with our protocol stack (see below), the Ethernet frame payload would
+  be 1442 bytes long (for IPv4). As we assume that the WAN network might have
+  a (worst case) MTU of only 1436 (with DSLite), this packet would be too long
+  for the WAN network.
+
++-------------------------------+-------+-----------+
+|                               | fastd | WireGuard |
++===============================+=======+===========+
+| max unfragmented payload\*    | 1280  | 1280      |
++-------------------------------+-------+-----------+
+| intermediate layer overhead   | 32    | 102       |
++-------------------------------+-------+-----------+
+| VPN MTU\*\*                   | 1312  | 1382      |
++-------------------------------+-------+-----------+
+| protocol overhead (IPv4)      | 66    | 60        |
++-------------------------------+-------+-----------+
+| min acceptable WAN MTU (IPv4) | 1378  | **1442**  |
++-------------------------------+-------+-----------+
+| min acceptable WAN MTU (IPv6) | 1398  | 1462      |
++-------------------------------+-------+-----------+
+
+\* Maximum size of payload going into the bat0 interface, that will not be
+fragmented by batman.
+
+\*\* This is the MTU that is set in the site.conf.
+
+Maximum MTU
+^^^^^^^^^^^
+
+Calculation of different derived MTUs based on a maximum WAN MTU of 1436.
+
+Suggestions:
+
+- This configuration can be used for fastd.
+
+- For WireGuard, this is the recommended configuration. batman-adv will
+  fragment larger packets transparently to avoid packet loss.
+
++-------------------------------+-------+-----------+
+|                               | fastd | WireGuard |
++===============================+=======+===========+
+| min acceptable WAN MTU (IPv4) | 1436  | 1436      |
++-------------------------------+-------+-----------+
+| protocol overhead (IPv4)      | 66    | 60        |
++-------------------------------+-------+-----------+
+| VPN MTU\*\*                   | 1370  | 1376      |
++-------------------------------+-------+-----------+
+| intermediate layer overhead   | 32    | 102       |
++-------------------------------+-------+-----------+
+| max unfragmented payload\*    | 1338  | 1274      |
++-------------------------------+-------+-----------+
+| min acceptable WAN MTU (IPv6) | 1398  | 1462      |
++-------------------------------+-------+-----------+
+
+\* Maximum size of payload going into the bat0 interface, that will not be
+fragmented by batman.
+
+\*\* This is the MTU that is set in the site.conf.
+
+Suggested MSS Values
+^^^^^^^^^^^^^^^^^^^^
+
+It is highly advised to use MSS clamping for TCP on the gateways/supernodes in
+order to avoid the fragmentation mechanism of batman whenever possible.
+Especially on small embedded devices, fragmentation costs performance.
+
+As batmans fragmentation is transparent to the TCP layer, clamping the MSS
+automatically to the PMTU does not work. Instead, the MSS must be specified
+explicitly. In iptables, this is done via :code:`-j TCPMSS --set-mss X`,
+whereby :code:`X` is the desired MSS.
+
+Since the MSS is specified in terms of payload of a TCP packet, the MSS is
+different for IPv4 and IPv6. Here are some examples for different max
+unfragmented payloads:
+
++---------------------------------+------+------+------+------+
+| max unfragmented payload        | 1274 | 1280 | 1338 | 1354 |
++=================================+======+======+======+======+
+| suggested MSS (IPv4, -40 bytes) | 1234 | 1240 | 1298 | 1314 |
++---------------------------------+------+------+------+------+
+| suggested MSS (IPv6, -60 bytes) | 1214 | 1220 | 1278 | 1294 |
++---------------------------------+------+------+------+------+
+
+Conclusion
+^^^^^^^^^^
+
+Determining the maximum MTU can be a tedious process, especially since the PMTU
+of peers could change at any time. The general recommendation for maximized
+compatibility is therefore an MTU of 1312 bytes for fastd
+and 1376 bytes for WireGuard.

docs/user/site.rst

-Site
-====
+Site configuration
+==================
 
 The ``site`` consists of the files ``site.conf`` and ``site.mk``.
 In the first community based values are defined, which both are processed
@@ -21,135 +21,449 @@ site_code
   The code of your community. It is good practice to use the TLD of
   your community here.
 
-prefix4
-    The IPv4 Subnet of your community mesh network in CIDR notation, e.g.
-    ::
+domain_seed
+  32 bytes of random data, encoded in hexadecimal, used to seed other random
+  values specific to the mesh domain. It must be the same for all nodes of one
+  mesh, but should be different for firmware that is not supposed to mesh with
+  each other.
+
+  The recommended way to generate a value for a new site is::
+
+    echo $(hexdump -v -n 32 -e '1/1 "%02x"' </dev/urandom)
+
+prefix4 \: optional
+  The IPv4 Subnet of your community mesh network in CIDR notation, e.g. ::
 
     prefix4 = '10.111.111.0/18'
 
+  Required if ``next_node.ip4`` is set.
+
 prefix6
-    The IPv6 subnet of your community mesh network, e.g.
-    ::
+  The IPv6 subnet of your community mesh network, e.g. ::
 
     prefix6 = 'fdca::ffee:babe:1::/64'
 
+node_prefix6
+  The ipv6 prefix from which the unique IP-addresses for nodes are selected
+  in olsr-based networks. This may overlap with prefix6. e.g. ::
+
+    node_prefix6 = 'fdca::ffee:babe:2::/64'
+
 timezone
-    The timezone of your community live in, e.g.
-    ::
+  The timezone of your community live in, e.g. ::
 
     -- Europe/Berlin
     timezone = 'CET-1CEST,M3.5.0,M10.5.0/3'
 
-ntp_server
-    List of NTP servers available in your community or used by your community, e.g.:
-    ::
+ntp_servers
+  List of NTP servers available in your community or used by your community, e.g.::
 
-       ntp_servers = {'1.ntp.services.ffeh','2.tnp.services.ffeh'}
+    ntp_servers = {'1.ntp.services.ffac','2.ntp.services.ffac'}
 
-opkg_repo : optional
-    Overwrite the default ``opkg`` repository server, e.g.:
-    ::
+  These NTP servers must be reachable via IPv6 from the nodes. If you don't want to set an IPv6 address
+  explicitly, but use a hostname (which is recommended), see also the :ref:`FAQ <faq-dns>`.
+
+opkg \: optional
+  ``opkg`` package manager configuration.
 
-      opkg_repo = 'http://opkg.services.ffeh/attitude_adjustment/12.09/%S/packages'
+  There are two optional fields in the ``opkg`` section:
 
-    The `%S` is a variable, which is replaced with the platform of an device
-    during the build process.
+  - ``openwrt`` overrides the default OpenWrt repository URL. The default URL would
+    correspond to ``http://downloads.openwrt.org/snapshots/packages/%A``
+    and usually doesn't need to be changed when nodes are expected to have IPv6
+    internet connectivity.
+  - ``extra`` specifies a table of additional repositories (with arbitrary keys)
 
-regdom
-    The wireless regulatory domain responsible for your area, e.g.:
   ::
 
+    opkg = {
+      openwrt = 'http://opkg.services.ffac/openwrt/snapshots/packages/%A',
+      extra = {
+        gluon = 'http://opkg.services.ffac/modules/gluon-%GS-%GR/%S',
+      },
+    }
+
+  There are various patterns which can be used in the URLs:
+
+  - ``%d`` is replaced by the OpenWrt distribution name ("openwrt")
+  - ``%v`` is replaced by the OpenWrt version number (e.g. "17.01")
+  - ``%S`` is replaced by the target board (e.g. "ath79/generic")
+  - ``%A`` is replaced by the target architecture (e.g. "mips_24kc")
+  - ``%GS`` is replaced by the Gluon site code (as specified in ``site.conf``)
+  - ``%GV`` is replaced by the Gluon version
+  - ``%GR`` is replaced by the Gluon release (as specified in ``site.mk``)
+
+regdom \: optional
+  The wireless regulatory domain responsible for your area, e.g. ::
+
     regdom = 'DE'
 
-wifi24
-    WLAN Configuration of your community in the 2.4Ghz radio. Consisting
-    of ``ssid`` of your client network, the ``channel`` your community is using,
-    ``htmode``, the adhoc ssid ``mesh_ssid`` used between devices, the adhoc
-    bssid ``mesh_bssid`` and the adhoc multicast rate ``mesh_mcast_rate``.
-    Optionally ``mesh_vlan`` can be used to setup VLAN on top of the 802.11
-    ad-hoc interface. The options ``mesh_disabled`` and ``client_disabled``
-    are optional, too. They allow to disable the SSID by default, e.g. for
-    preconfigured node. This only affects first configuraton.
-    Combined in an dictionary, e.g.:
+  Setting ``regdom`` is mandatory if ``wifi24`` or ``wifi5`` is defined.
+
+wifi24 \: optional
+  WLAN configuration for 2.4 GHz devices.
+  ``channel`` must be set to a valid wireless channel for your radio.
+  ``beacon_interval`` can be specified to set a custom beacon interval in
+  time units (TU). A time unit is equivalent to 1024 µs.
+  If not set, the default value of 100 TU (=102.4 ms) is used.
+
+  There are currently two interface types available. You may choose to
+  configure any subset of them:
+
+  - ``ap`` creates a master interface where clients may connect
+  - ``mesh`` creates an 802.11s mesh interface with forwarding disabled
+
+  Each interface may be disabled by setting ``disabled`` to ``true``.
+  This will only affect new installations.
+  Upgrades will not change the disabled state.
+
+  ``ap`` holds the client network configuration.
+  To create an unencrypted client network, a string named ``ssid`` which sets the
+  interface's ESSID is required. This is the wireless network clients connect to.
+  For an OWE secured network, the ``owe_ssid`` string has to be set. It sets the
+  SSID for the opportunistically encrypted wireless network, to which compatible
+  clients can connect to.
+  For OWE to work, the ``wireless-encryption-wpa3`` has to be enabled as a feature
+  in your site.
+  To utilize the OWE transition mode, ``owe_transition_mode`` has to be set to true.
+  When ``owe_transition_mode`` is enabled, the OWE secured SSID will be hidden.
+  Compatible devices will automatically connect to the OWE secured SSID when selecting
+  the open SSID.
+  Note that for the transition mode to work, both ``ssid`` as well as ``owe_ssid``
+  have to be enabled. Also, some devices with a broken implementation might not be able
+  to connect with a transition-mode enabled network.
+
+  ``mesh`` requires a single parameter, a string, named ``id`` which sets the
+  mesh id, also visible as an open WiFi in some network managers. Usually you
+  don't want users to connect to this mesh-SSID, so use a cryptic id that no
+  one will accidentally mistake for the client WiFi.
+
+  ``mesh`` also accepts an optional ``mcast_rate`` (kbit/s) parameter for
+  setting the multicast bitrate. Increasing the default value of 1000 to something
+  like 12000 is recommended.
+
   ::
 
     wifi24 = {
-         ssid = 'entenhausen.freifunk.net',
       channel = 11,
-         htmode = 'HT40-',
-         mesh_ssid = 'ff:ff:ff:ee:ba:be',
-         mesh_bssid = 'ff:ff:ff:ee:ba:be',
-         mesh_mcast_rate = 12000,
+      ap = {
+        ssid = 'alpha-centauri.freifunk.net',
+        owe_ssid = 'owe.alpha-centauri.freifunk.net',
+        owe_transition_mode = true,
+      },
+      mesh = {
+        id = 'ueH3uXjdp',
+        mcast_rate = 12000,
+      },
     },
 
-wifi5
-    Same as `wifi24` but for the 5Ghz radio.
+.. _user-site-wifi5:
+
+wifi5 \: optional
+  Same as `wifi24` but for the 5 GHz radio.
+
+  Additionally a range of channels that are safe to use outsides on the 5 GHz band can
+  be set up through ``outdoor_chanlist``, which allows for a space-separated list of
+  channels and channel ranges, separated by a hyphen.
+  When set this offers the outdoor mode flag for 5 GHz radios in the config mode which
+  reconfigures the AP to select its channel from outdoor chanlist, while respecting
+  regulatory specifications, and disables mesh on that radio.
+  The ``outdoors`` option in turn allows to configure when outdoor mode will be enabled.
+  When set to ``true`` all 5 GHz radios will use outdoor channels, while on ``false``
+  the outdoor mode will be completely disabled. The default setting is ``'preset'``,
+  which will enable outdoor mode automatically on outdoor-capable devices.
 
-next_node : package
+  It can be beneficial to look up the WLAN channels that are used by `weather radars`_
+  when constructing ``outdoor_chanlist`` to try and minimize the impact of DFS events.
+
+  .. _weather radars: https://homepage.univie.ac.at/albert.rafetseder/RADARs/help.html
+
+  ::
+
+    wifi5 = {
+      channel = 44,
+      outdoor_chanlist = "100-140",
+
+      [...]
+    },
+
+next_node \: package
   Configuration of the local node feature of Gluon
+
   ::
 
     next_node = {
+      name = { 'nextnode.location.community.example.org', 'nextnode', 'nn' },
       ip4 = '10.23.42.1',
       ip6 = 'fdca:ffee:babe:1::1',
-        mac = 'ca:ff:ee:ba:be:00'
+      mac = '16:41:95:40:f7:dc'
     }
 
+  All values of this section are optional. If the IPv4 or IPv6 address is
+  omitted, there will be no IPv4 or IPv6 anycast address. The MAC address
+  defaults to ``16:41:95:40:f7:dc``; this value usually doesn't need to be
+  changed, but it can be adjusted to match existing deployments that use a
+  different value.
+
+  When the nodes' next-node address is used as a DNS resolver by clients
+  (by passing it via DHCP or router advertisements), it may be useful to
+  allow resolving a next-node hostname without referring to an upstream DNS
+  server (e.g. to allow reaching the node using such a hostname via HTTP or SSH
+  in isolated mesh segments). This is possible by providing one or more names
+  in the ``name`` field.
+
+.. _user-site-mesh:
+
+mesh
+  Configuration of general mesh functionality.
+
+  To avoid inter-mesh links, Gluon can encapsulate the mesh protocol in VXLAN
+  for Mesh-on-LAN/WAN. It is recommended to set *mesh.vxlan* to ``true`` to
+  enable VXLAN in new setups. Setting it to ``false`` disables this
+  encapsulation to allow meshing with other nodes that don't support VXLAN
+  (Gluon 2017.1.x and older). In multi-domain setups, *mesh.vxlan* is optional
+  and defaults to ``true``.
+
+  Gluon generally segments layer-2 meshes so that each node becomes IGMP/MLD
+  querier for its own local clients. This is necessary for reliable multicast
+  snooping. The segmentation is realized by preventing IGMP/MLD queries from
+  passing through the mesh. See also
+  :ref:`gluon-mesh-batman-adv <igmp-mld-domain-segmentation>` for details.
+
+  By default, not only queries are filtered, but also membership report and
+  leave packets, as they add to the background noise of the mesh. As a
+  consequence, snooping switches outside the mesh that are connected to a
+  Gluon node need to be configured to forward all multicast traffic towards
+  the mesh; this is usually not a problem, as such setups are unusual. If
+  you run a special-purpose mesh that requires membership reports to be
+  working, this filtering can be disabled by setting the
+  optional *filter_membership_reports* value to ``false``.
+
+  In addition, options specific to the batman-adv routing protocol can be set
+  in the *batman_adv* section:
+
+  The mandatory value *routing_algo* selects the batman-adv protocol variant.
+  The following values are supported:
+
+  - ``BATMAN_IV``
+  - ``BATMAN_V``
+
+  The optional value *gw_sel_class* sets the gateway selection class, the
+  default is ``20`` for B.A.T.M.A.N. IV and ``5000`` kbit/s for B.A.T.M.A.N. V.
+
+  - **B.A.T.M.A.N. IV:** with the value ``20`` the gateway is selected based
+    on the link quality (TQ) only; with class ``1`` it is calculated from
+    both, the TQ and the announced bandwidth.
+  - **B.A.T.M.A.N. V:** with the value ``1500`` the gateway is selected if the
+    throughput is at least 1500 kbit/s faster than the throughput of the
+    currently selected gateway.
+
+  For details on determining the threshold, when to switch to a new gateway,
+  see `batctl manpage`_, section "gw_mode".
+
+  .. _batctl manpage: https://www.open-mesh.org/projects/batman-adv/wiki/Gateways
+
+  ::
 
-fastd_mesh_vpn
-    Remote server setup for the fastd-based mesh VPN.
+    mesh = {
+      vxlan = true,
+      filter_membership_reports = false,
+      batman_adv = {
+        routing_algo = 'BATMAN_IV',
+        gw_sel_class = 1,
+      },
+    }
 
-    The `enabled` option can be set to true to enable the VPN by default.
 
-    If `configurable` is `false` or unset, the method list will be replaced on updates
-    with the list in the site configuration. Setting `configurable` to `true` will allow the user to
-    add the method ``null`` to the front of the method list or remove ``null`` from it,
-    and make this change survive updates. Settings configurable is necessary for the
-    package `gluon-luci-mesh-vpn-fastd`, which adds a UI for this configuration.
+mesh_vpn
+  Remote server setup for the mesh VPN.
+
+  The `enabled` option can be set to true to enable the VPN by default. `mtu`
+  defines the MTU of the VPN interface, determining a proper MTU value is described
+  in :doc:`mtu`.
+
+  By default the public key of a node's VPN daemon is not added to announced respondd
+  data; this prevents malicious ISPs from correlating VPN sessions with specific mesh
+  nodes via public respondd data. If this is of no concern in your threat model,
+  this behaviour can be disabled (and thus announcing the public key be enabled) by
+  setting `pubkey_privacy` to `false`.
+
+  The `fastd` section configures settings specific to the *fastd* VPN
+  implementation.
+
+  If `configurable` is set to `false` or unset, the method list will be replaced on updates
+  with the list from the site configuration. Setting `configurable` to `true` will allow the user to
+  add the method ``null`` to the beginning of the method list or remove ``null`` from it,
+  and make this change survive updates. Setting `configurable` is necessary for the
+  package `gluon-web-mesh-vpn-fastd`, which adds a UI for this configuration.
 
   In any case, the ``null`` method should always be the first method in the list
   if it is supported at all. You should only set `configurable` to `true` if the
   configured peers support both the ``null`` method and methods with encryption.
+
+  You can set syslog_level from verbose (default) to warn to reduce syslog output.
+
+  fastd allows to configure a tree of peer groups and peers. By default, the
+  list of groups and peers configured in the *fastd* UCI config is completely
+  replaced by the list from site.conf on upgrades. To allow custom modifications
+  to the peer list, removal and modification of peers can be prevented by
+  setting the *preserve* option of a peer to ``1`` in UCI.
+
+  **Note:** It may be interesting to include the package *gluon-iptables-clamp-mss-to-pmtu*
+  in the build when using *gluon-mesh-olsrd* to work around ICMP black holes on the internet.
+
   ::
 
-      fastd_mesh_vpn = {
-        methods = {'salsa2012+umac'},
+    mesh_vpn = {
       -- enabled = true,
+      -- pubkey_privacy = true,
+
+      fastd = {
+        mtu = 1312,
+        methods = {'salsa2012+umac'},
         -- configurable = true,
-        mtu = 1426,
+        -- syslog_level = 'warn',
         groups = {
           backbone = {
-            limit = 2,
+            -- Limit number of connected peers from this group
+            limit = 1,
             peers = {
               peer1 = {
                 key = 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX',
-                remotes = {'ipv4 "vpn1.entenhausen.freifunk.net" port 10000'},
+                -- Having multiple domains prevents SPOF in freifunk.net
+                remotes = {
+                  'ipv4 "vpn1.alpha-centauri.freifunk.net" port 10000',
+                  'ipv4 "vpn1.alpha-centauri-freifunk.de" port 10000',
+                },
+              },
+              peer2 = {
+                key = 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX',
+                -- You can also omit the ipv4 to allow both connection via ipv4 and ipv6
+                remotes = {'"vpn2.alpha-centauri.freifunk.net" port 10000'},
+              },
+              peer3 = {
+                key = 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX',
+                -- In addition to domains you can also add ip addresses, which provides
+                -- resilience in case of dns outages
+                remotes = {
+                  '"vpn3.alpha-centauri.freifunk.net" port 10000',
+                  '[2001:db8::3:1]:10000',
+                  '192.0.2.3:10000',
+                },
+              },
+            },
+            -- Optional: nested peer groups
+            -- groups = {
+            --   lowend_backbone = {
+            --     limit = 1,
+            --     peers = ...
+            --   },
+            -- },
+          },
+          -- Optional: additional peer groups, possibly with other limits
+          -- peertopeer = {
+          --   limit = 10,
+          --   peers = { ... },
+          -- },
+        },
+      },
+
+      wireguard = {
+        mtu = 1376,
+        peers = {
+          vpn1 = {
+            public_key = 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX=',
+            endpoint = 'vpn1.alpha-centauri.freifunk.net:51810',
+          },
+          vpn2 = {
+            public_key = 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX=',
+            endpoint = 'vpn2.alpha-centauri.freifunk.net:51810',
+          },
+        },
+      },
+
+      bandwidth_limit = {
+        -- The bandwidth limit can be enabled by default here.
+        enabled = false,
+
+        -- Default upload limit (kbit/s).
+        egress = 200,
+
+        -- Default download limit (kbit/s).
+        ingress = 3000,
       },
     }
-          }
-        }
-      }
 
-mesh_on_wan : optional
-    Enables the mesh on the WAN port (``true`` or ``false``).
+.. _user-site-interfaces:
+
+interfaces \: optional
+  Default setup for Ethernet ports.
+  ::
+
+    interfaces = {
+      lan = {
+        default_roles = { 'client', 'mesh' },
+      },
+      wan = {
+        default_roles = { 'uplink', 'mesh' },
+      },
+      single = {
+        default_roles = { 'uplink', 'mesh' },
+      },
+    },
+
+  For devices that have two distinct Ethernet ports or port groups (often
+  labeled WAN and LAN), the ``lan`` and ``wan`` sections are used. When there
+  is only one port (group), ``single`` is used instead.
+
+  Available interface roles:
+
+  - ``client``: Port allows regular clients to connect to the mesh
+  - ``uplink``: Port is used to establish Mesh VPN connections
+  - ``mesh``: Wired meshing to another Gluon or Gluon-compatible node
 
-mesh_on_lan : optional
-    Enables the mesh on the LAN port (``true`` or ``false``).
+  The ``client`` role requires exclusive control over an interface. When
+  the ``client`` role is assigned to an interface at the same time as other
+  roles (like ``'client', 'mesh'`` in the above example), the other roles take
+  precedence (enabling ``mesh``, but not ``client`` in the example). In that
+  case, the ``client`` role is removed from the config of the interface.
 
-autoupdater : package
+  All interface settings are optional. If unset, the following defaults are
+  used:
+
+  - ``lan``: ``{ 'client' }``
+  - ``wan``: ``{ 'uplink' }``
+  - ``single``: Same as ``wan``
+
+poe_passthrough \: optional
+  Enable PoE passthrough by default on hardware with such a feature.
+
+.. _user-site-autoupdater:
+
+autoupdater \: package
   Configuration for the autoupdater feature of Gluon.
+
+  Specifying a default branch in *site.conf* is optional. See
+  :doc:`../features/autoupdater` for information how to change the behaviour
+  of the autoupdater during image build.
+
+  The mirrors are checked in random order until the manifest could be downloaded
+  successfully or all mirrors have been tried.
   ::
 
     autoupdater = {
-        branch = 'experimental',
+      branch = 'stable', -- optional
       branches = {
         stable = {
           name = 'stable',
           mirrors = {
             'http://[fdca:ffee:babe:1::fec1]/firmware/stable/sysupgrade/',
-              'http://[fdca:ffee:babe:1::fec2]/firmware/stable/sysupgrade/',
+            -- Requires the tls feature in image-customization.lua
+            'https://autoupdate.alpha-centauri.freifunk.net/firmware/stable/sysupgrade/',
+            -- Uses http or https depending on the tls feature in image-customization.lua
+            '//autoupdate2.alpha-centauri.freifunk.net/firmware/stable/sysupgrade/',
           },
-            probability = 0.08,
+          -- Number of good signatures required
           good_signatures = 2,
           pubkeys = {
             'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX', -- someguy
@@ -159,18 +473,101 @@ autoupdater : package
       }
     }
 
-roles : optional
-    Optional role definitions. With this nodes will announce their role inside the mesh.
-    In the backend this adds the facility to distinguish between normal, backbone and
-    service nodes or even gateways (if they advertise the role, also). It is up to
+  All configured mirrors must be reachable from the nodes via IPv6. If you don't want to set an IPv6 address
+  explicitly, but use a hostname (which is recommended), see also the :ref:`FAQ <faq-dns>`.
+
+  HTTPS URLs can be used if the **tls** feature is enabled in **image-customization.lua**.
+
+  Use protocol-less ``//server/path`` URLs to use HTTPS if the **tls** feature is available,
+  but fall back to HTTP otherwise. The server **must** allow HTTPS connections and provide
+  a valid certificate in this case; the autoupdater will not fall back to HTTP if the **tls**
+  feature is enabled, but the HTTPS connection fails.
+
+  Note that the validity period of TLS certificates is checked as well, so care must be taken
+  to provide working NTP servers in addition to the update mirrors when using HTTPS.
+
+  The autoupdater will only accept images signed by as many keys as `good_signatures` specifies.
+
+  The pubkeys section must in turn contain at least that many pubkeys.
+  It's advised to provide more than that to account for human or e.g. hard-drive errors.
+
+  See :doc:`../features/autoupdater` for more information about the process.
+
+.. _user-site-config_mode:
+
+config_mode \: optional
+  Additional configuration for the configuration web interface. All values are
+  optional.
+
+  When no hostname is specified, a default hostname based on the *hostname_prefix*
+  and the node's primary MAC address is assigned. Manually setting a hostname
+  can be enforced by setting *hostname.optional* to *false*.
+
+  To not prefill the hostname-field in config-mode with the default hostname,
+  set *hostname.prefill* to *false*.
+
+  By default, no altitude field is shown by the *gluon-config-mode-geo-location*
+  package. Set *geo_location.show_altitude* to *true* if you want the altitude
+  field to be visible.
+
+  The *geo_location.osm* section is only relevant when the *gluon-config-mode-geo-location-osm*
+  package is used. The *center.lon* and *center.lat* values are mandatory in this case and
+  define the default center of the map when no position has been picked yet. The *zoom* level
+  defaults to 12 in this case.
+
+  *openlayers_url* allows to override the base URL of the
+  *build/ol.js* and *css/ol.css* files (the default is
+  ``https://cdn.jsdelivr.net/gh/openlayers/openlayers.github.io@35ffe7626ce16c372143f3c903950750075e7068/en/v5.3.0``).
+  It is also possible to replace the default tile layer (which is OpenStreetMap)
+  with a custom one using the *tile_layer* section. Only XYZ layers are supported
+  at this point.
+
+  The remote login page only shows SSH key configuration by default. A
+  password form can be displayed by setting *remote_login.show_password_form*
+  to true; in this case, *remote_login.min_password_length* defines the
+  minimum password length.
+  ::
+
+    config_mode = {
+      hostname = {
+        optional = false,
+        prefill = true,
+      },
+      geo_location = {
+        show_altitude = true,
+        osm = {
+          center = {
+            lat = 52.951947558,
+            lon = 8.744238281,
+          },
+          zoom = 13,
+          -- openlayers_url = 'http://ffac.example.org/openlayer',
+          -- tile_layer = {
+          --   type = 'XYZ',
+          --   url = 'https://{a-c}.tile.openstreetmap.org/{z}/{x}/{y}.png',
+          --   attributions = '&#169; <a href="https://www.openstreetmap.org/copyright" target="_blank">OpenStreetMap</a> contributors.',
+          -- },
+        },
+      },
+      remote_login = {
+        show_password_form = true,
+        min_password_length = 10,
+      },
+    },
+
+
+roles \: optional
+  Optional role definitions. Nodes will announce their role inside the mesh.
+  This will allow in the backend to distinguish between normal, backbone and
+  service nodes or even gateways (if they advertise that role). It is up to
   the community which roles to define. See the section below as an example.
   ``default`` takes the default role which is set initially. This value should be
   part of ``list``. If you want node owners to change the role via config mode add
-    the package ``gluon-luci-node-role`` to ``site.mk``.
+  the package ``gluon-web-node-role`` to ``site.mk``.
 
-    The strings to display in the LuCI interface can be configured per language in the
+  The strings to display in the web interface are configured per language in the
   ``i18n/en.po``, ``i18n/de.po``, etc. files of the site repository using message IDs like
-    ``gluon-luci-node-role:role:node`` and ``gluon-luci-node-role:role:backbone``.
+  ``gluon-web-node-role:role:node`` and ``gluon-web-node-role:role:backbone``.
   ::
 
     roles = {
@@ -183,20 +580,7 @@ roles : optional
       },
     },
 
-simple_tc : package
-    Uplink traffic control, ingress and egress values are specified in kbit/s.
-    ::
-
-      simple_tc = {
-        mesh_vpn = {
-          ifname = 'mesh-vpn',
-          enabled = false,
-          limit_egress = 200,
-          limit_ingress = 3000,
-        },
-      },
-
-setup_mode : package
+setup_mode \: package
   Allows skipping setup mode (config mode) at first boot when attribute
   ``skip`` is set to ``true``. This is optional and may be left out.
   ::
@@ -205,30 +589,26 @@ setup_mode : package
       skip = true,
     },
 
-legacy : package
-    Configuration for the legacy upgrade path.
-    This is only required in communities upgrading from Lübeck's LFF-0.3.x.
-    ::
-
-      legacy = {
-             version_files = {'/etc/.freifunk_version_keep', '/etc/.eff_version_keep'},
-             old_files = {'/etc/config/config_mode', '/etc/config/ffeh', '/etc/config/freifunk'},
-             config_mode_configs = {'config_mode', 'ffeh', 'freifunk'},
-             fastd_configs = {'ffeh_mesh_vpn', 'mesh_vpn'},
-             mesh_ifname = 'freifunk',
-             tc_configs = {'ffki', 'freifunk'},
-             wifi_names = {'wifi_freifunk', 'wifi_freifunk5', 'wifi_mesh', 'wifi_mesh5'},
-      }
+.. _user-site-build-configuration:
 
-Packages
---------
+Build configuration
+-------------------
 
-The ``site.mk`` is a Makefile which should define constants
+The ``site.mk`` is a Makefile which defines various values
 involved in the build process of Gluon.
 
-GLUON_SITE_PACKAGES
-    Defines a list of packages which should installed additional
-    to the ``gluon_core`` package.
+GLUON_DEPRECATED
+  Controls whether images for deprecated devices should be built. The following
+  values are supported:
+
+  - ``0``: Do not build any images for deprecated devices.
+  - ``upgrade``: Only build sysupgrade images for deprecated devices.
+  - ``full``: Build both sysupgrade and factory images for deprecated devices.
+
+  Usually, devices are deprecated because their flash size is insufficient to
+  support future Gluon versions. The recommended setting is ``0`` for new sites,
+  and ``upgrade`` for existing configurations (where upgrades for existing
+  deployments of low-flash devices are required). Defaults to ``0``.
 
 GLUON_RELEASE
   The current release version Gluon should use.
@@ -237,10 +617,225 @@ GLUON_PRIORITY
   The default priority for the generated manifests (see the autoupdater documentation
   for more information).
 
+GLUON_REGION
+  Region code to build into images where necessary. Valid values are the empty string,
+  ``us`` and ``eu``.
+
 GLUON_LANGS
-    List of languages (as two-letter-codes) to include for the web interface. Should always contain
+  List of languages (as two-letter-codes) to be included in the web interface. Should always contain
   ``en``.
 
+.. _user-site-feature-flags:
+
+Feature flags
+^^^^^^^^^^^^^
+
+With the addition of more and more features that interact in complex ways, it
+has become necessary to split certain packages into multiple parts, so it is
+possible to install just what is needed for a specific use case. One example
+is the package *gluon-status-page-mesh-batman-adv*: There are batman-adv-specific
+status page components; they should only be installed when both batman-adv and
+the status page are enabled, making the addition of a specific package for this
+combination necessary.
+
+With the ongoing modularization, e.g. for the purpose of supporting new
+routing protocols, specifying all such split packages in *site.mk* would
+soon become very cumbersome: In the future, further components like
+respondd support or languages might be split off as separate packages,
+leading to entangled package names like *gluon-mesh-vpn-fastd-respondd* or
+*gluon-status-page-mesh-batman-adv-i18n-de*.
+
+For this reason, we have introduced *feature flags*, which can be specified
+using the ``image-customization.lua`` file. These flags allow to specify
+a set of features on a higher level than individual package names.
+
+Most Gluon packages can simply be specified as feature flags by removing the ``gluon-``
+prefix: The feature flag corresponding to the package *gluon-mesh-batman-adv-15* is
+*mesh-batman-adv-15*.
+
+The file ``package/features`` in the Gluon repository (or
+``features`` in site feeds) can specify additional rules for deriving package lists
+from feature flags, e.g. specifying both *status-page* and *mesh-batman-adv-15*
+will automatically select the additional package
+*gluon-status-page-mesh-batman-adv*. In the future, selecting the flags
+*mesh-vpn-fastd* and *respondd* might automatically enable the additional
+package *gluon-mesh-vpn-fastd-respondd*, and enabling *status-page* and
+*mesh-batman-adv-15* with ``de`` in *GLUON_LANGS* could
+add the package *gluon-status-page-mesh-batman-adv-i18n-de*.
+
+In short, it is not necessary anymore to list all the individual packages that are
+relevant for a firmware; instead, the package list is derived from a list of feature
+flags using a flexible ruleset defined in the Gluon repo or site package feeds.
+To some extent, it will even allow us to further modularize existing Gluon packages,
+without necessitating changes to existing site configurations.
+
+It is still possible to override such automatic rules by removing them using
+*packages* in the ``image-customization.lua`` file
+(e.g., ``features { '-gluon-status-page-mesh-batman-adv' }`` to remove
+the automatically added package *gluon-status-page-mesh-batman-adv*).
+
+For convenience, there are two feature flags that do not directly correspond to a Gluon
+package:
+
+* web-wizard
+
+  Includes the *gluon-config-mode-...* base packages (hostname, geolocation and contact info),
+  as well as the *gluon-config-mode-autoupdater* (when *autoupdater* is an enabled feature),
+  and *gluon-config-mode-mesh-vpn* (when *mesh-vpn-fastd* or `mesh-vpn-wireguard` are
+  enabled features)
+
+* web-advanced
+
+  Includes the *gluon-web-...* base packages (admin, network, WiFi config),
+  as well as the *gluon-web-autoupdater* (when *autoupdater* is an enabled feature),
+
+We recommend to include packages for non-Gluon OpenWrt packages only and
+completely rely on features for Gluon packages, as it is shown in the
+example *site.mk*.
+
+.. _site-image-customization:
+
+Image customization
+^^^^^^^^^^^^^^^^^^^
+
+Gluon allows configuration of the build parameters for the images. This
+configuration must always exist to configure the basic features included in a
+Gluon build.
+
+The file ``image-customization.lua`` in the root of the site configuration is
+used for this purpose, making use of a Domain Specific Language based on Lua.
+See the :ref:`site-examples` section for a simple example showing both basic
+setup and a device-specific alteration.
+
+The following functions are available:
+
+device(device_name_list)
+  Returns true for devices listed in ``device_name_list``.
+  ``device_name_list`` is a table of strings.
+
+  .. code-block:: lua
+
+    if device {
+      'openmesh-a40',
+      'openmesh-a60',
+    } then
+      packages {'iperf3'}
+    end
+
+target(openwrt_target, openwrt_subtarget)
+  Returns true for devices of the specified OpenWrt target and subtarget.
+  The parameter ``openwrt_subtarget`` is optional. If it is not specified,
+  the function matches all subtargets of the given target.
+
+  .. code-block:: lua
+
+    if target('x86', '64') then
+      features {'wireless-encryption-wpa3'}
+    end
+
+device_class(dev_class)
+  Returns true in case the current device is of the specified device class.
+
+  .. code-block:: lua
+
+    if not device_class('tiny') then
+      features {'wireless-encryption-wpa3'}
+    end
+
+
+features(feature_table)
+  Includes the specified list of features in the image. ``feature_table`` is a table of strings.
+  These strings can be prefixed with a dash to exclude features included earlier in the file.
+
+  .. code-block:: lua
+
+    features {
+      'autoupdater',
+      'ebtables-filter-multicast',
+      'ebtables-filter-ra-dhcp',
+      'ebtables-limit-arp',
+      'mesh-batman-adv-15',
+      'mesh-vpn-fastd',
+      'respondd',
+      'status-page',
+      'web-advanced',
+      'web-wizard',
+    }
+
+packages(package_table)
+  Includes the specified list of packages in the image. ``package_table`` is a table of strings.
+  These strings can be prefixed with a dash to exclude packages included earlier in the file.
+
+  .. code-block:: lua
+
+    packages {'iwinfo'}
+
+broken(broken_state)
+  Overrides the broken state specified by Gluon. Can be used to mark a device as broken or
+  remove the pre-defined broken state.
+
+  .. code-block:: lua
+
+    if device {'meraki-mr33-access-point'} then
+      broken(false)
+    end
+
+disable()
+  Disables image generation.
+
+  .. code-block:: lua
+
+    if device {'tp-link-cpe220-v3'} then
+      disable()
+    end
+
+disable_factory()
+  Disables factory image generation. Sysupgrade images are still generated and stored in the image
+  output directory.
+
+  .. code-block:: lua
+
+    if device {'tp-link-cpe220-v3'} then
+      disable_factory()
+    end
+
+include(path)
+  Includes another image customization file. Relative paths are interpreted relative to the site
+  repository root.
+
+  .. code-block:: lua
+    :caption: target-settings.lua
+
+    features {'wireless-encryption-wpa3'}
+
+  .. code-block:: lua
+    :caption: image-customization.lua
+
+    if target('x86', '64') then
+      include 'target-settings.lua'
+    end
+
+  Values returned from the included file become the return value of ``include``:
+
+  .. code-block:: lua
+    :caption: matches-device.lua
+
+    return device {
+      'openmesh-a40',
+      'openmesh-a60',
+    }
+
+  .. code-block:: lua
+    :caption: image-customization.lua
+
+    if include('matches-device.lua') then
+      packages {'iperf3'}
+    end
+
+Technically, the image customization file is evaluated once for each device, allowing
+to make use of regular Lua *if* statements for device-specific configuration as
+can be seen in the examples.
+
 .. _site-config-mode-texts:
 
 Config mode texts
@@ -255,14 +850,77 @@ gluon-config-mode:welcome
 gluon-config-mode:pubkey
   Information about the public VPN key on the reboot page.
 
+gluon-config-mode:novpn
+  Information shown on the reboot page, if the mesh VPN was not selected.
+
+gluon-config-mode:contact-help
+  Description for the usage of the ``contact`` field
+
+gluon-config-mode:contact-note
+  Note shown (in small font) below the ``contact`` field
+
+gluon-config-mode:hostname-help
+  Description for the usage of the ``hostname`` field
+
+gluon-config-mode:geo-location-help
+  Description for the usage of the longitude/latitude fields (and altitude, if shown)
+
+gluon-config-mode:altitude-label
+  Label for the ``altitude`` field
+
 gluon-config-mode:reboot
-    General information about the reboot page.
+  General information shown on the reboot page.
 
 There is a POT file in the site example directory which can be used to create templates
 for the language files. The command ``msginit -l en -i ../../docs/site-example/i18n/gluon-site.pot``
 can be used from the ``i18n`` directory to create an initial PO file called ``en.po`` if the ``gettext``
 utilities are installed.
 
+.. note::
+
+  An empty ``msgstr``, as is the default after running ``msginit``, leads to
+  the ``msgid`` being printed as-is. It does *not* hide the whole text, as
+  might be expected.
+
+  Depending on the context, you might be able to use comments like
+  ``<!-- empty -->`` as translations to effectively hide the text.
+
+Site modules
+------------
+
+The file ``modules`` in the site repository is completely optional and can be used
+to supply additional package feeds from which packages are built. The git repositories
+specified here are retrieved in addition to the default feeds when ``make update``
+is called.
+
+This file's format is very similar to the top-level ``modules`` file of the Gluon
+tree, with the important different that the list of feeds must be assigned to
+the variable ``GLUON_SITE_FEEDS``. Multiple feed names must be separated by spaces,
+for example::
+
+  GLUON_SITE_FEEDS='foo bar'
+
+The feed names may only contain alphanumerical characters, underscores and slashes.
+For each of the feeds, the following variables are used to specify how to update
+the feed:
+
+PACKAGES_${feed}_REPO
+  The URL of the git repository to clone (usually ``git://`` or ``http(s)://``)
+
+PACKAGES_${feed}_COMMIT
+  The commit ID of the repository to use
+
+PACKAGES_${feed}_BRANCH
+  Optional: The branch of the repository the given commit ID can be found in.
+  Defaults to the default branch of the repository (usually ``main`` or ``master``)
+
+These variables are always all uppercase, so for an entry ``foo`` in GLUON_SITE_FEEDS,
+the corresponding configuration variables would be ``PACKAGES_FOO_REPO``,
+``PACKAGES_FOO_COMMIT`` and ``PACKAGES_FOO_BRANCH``. Slashes in feed names are
+replaced by underscores to get valid shell variable identifiers.
+
+.. _site-examples:
+
 Examples
 --------
 
@@ -278,6 +936,12 @@ site.conf
 .. literalinclude:: ../site-example/site.conf
   :language: lua
 
+image-customization.lua
+^^^^^^^^^^^^^^^^^^^^^^^
+
+.. literalinclude:: ../site-example/image-customization.lua
+  :language: lua
+
 i18n/en.po
 ^^^^^^^^^^
 
@@ -299,24 +963,5 @@ modules
 site-repos in the wild
 ^^^^^^^^^^^^^^^^^^^^^^
 
-This is a non-exhaustive list of site-repos from various communities:
-
-* `site-ffbs <https://github.com/ffbs/site-ffbs>`_ (Braunschweig)
-* `site-ffhb <https://github.com/FreifunkBremen/gluon-site-ffhb>`_ (Bremen)
-* `site-ffda <https://github.com/freifunk-darmstadt/site-ffda>`_ (Darmstadt)
-* `site-ffgoe <https://github.com/freifunk-goettingen/site-ffgoe>`_ (Göttingen)
-* `site-ffhh <https://github.com/freifunkhamburg/site-ffhh>`_ (Hamburg)
-* `site-ffhgw <https://github.com/lorenzo-greifswald/site-ffhgw>`_ (Greifswald)
-* `site-ffhl <https://github.com/freifunk-luebeck/site-ffhl>`_ (Lübeck)
-* `site-ffmd <https://github.com/FreifunkMD/site-ffmd>`_ (Magdeburg)
-* `site-ffmwu <https://github.com/freifunk-mwu/site-ffmwu>`_ (Mainz, Wiesbaden & Umgebung)
-* `site-ffmyk <https://github.com/FreifunkMYK/site-ffmyk>`_ (Mayen-Koblenz)
-* `site-ffm <https://github.com/freifunkMUC/site-ffm>`_ (München)
-* `site-ffms <https://github.com/FreiFunkMuenster/site-ffms>`_ (Münster)
-* `site-ffnw <https://git.freifunk-ol.de/root/siteconf.git>`_ (Nordwest)
-* `site-ffpb <https://git.c3pb.de/freifunk-pb/site-ffpb>`_ (Paderborn)
-* `site-ffka <https://github.com/ffka/site-ffka>`_ (Karlsruhe)
-* `site-ffrl <https://github.com/ffrl/sites-ffrl>`_ (Rheinland)
-* `site-ffrg <https://github.com/ffruhr/site-ffruhr>`_ (Ruhrgebiet)
-* `site-ffs <https://github.com/freifunk-stuttgart/site-ffs>`_ (Stuttgart)
-* `site-fftr <https://github.com/freifunktrier/site-fftr>`_ (Trier)
+A non-exhaustive list of site-repos from various communities can be found on the
+wiki: https://github.com/freifunk-gluon/gluon/wiki/Site-Configurations

docs/user/supported_devices.rst

+Supported Devices & Architectures
+=================================
+
+armsr-armv7
+-----------
+
+* Arm SystemReady (EFI) 32-bit
+
+armsr-armv8
+-----------
+
+* Arm SystemReady (EFI) 64-bit
+
+ath79-generic
+--------------
+
+* ALFA Network
+
+  - AP121F
+
+* AVM
+
+  - FRITZ!WLAN Repeater 300E [#avmflash]_
+  - Fritz!WLAN Repeater 450E [#avmflash]_
+  - Fritz!Box 4020 [#avmflash]_
+
+* Buffalo
+
+  - WZR-HP-AG300H / WZR-600DHP
+  - WZR-HP-G300NH (rtl8366s)
+
+* devolo
+
+  - WiFi pro 1200e [#lan_as_wan]_
+  - WiFi pro 1200i
+  - WiFi pro 1750c
+  - WiFi pro 1750e [#lan_as_wan]_
+  - WiFi pro 1750i
+  - WiFi pro 1750x
+
+* D-Link
+
+  - DAP-1330 A1 [#lan_as_wan]_
+  - DAP-1365 A1 [#lan_as_wan]_
+  - DAP-2660 A1 [#lan_as_wan]_
+  - DAP-2680 A1 [#lan_as_wan]_
+  - DAP-2695 A1 [#lan_as_wan]_
+  - DIR-505 A1 [#lan_as_wan]_
+  - DIR-505 A2 [#lan_as_wan]_
+  - DIR-825 B1
+
+* Enterasys
+
+  - WS-AP3705i
+
+* Extreme Networks
+
+  - WS-AP3805i
+
+* GL.iNet
+
+  - 6416A
+  - GL-AR150
+  - GL-AR300M-Lite
+  - GL-AR300M16
+  - GL-AR750
+  - GL-USB150 (Microuter)
+
+* Joy-IT
+
+  - JT-OR750i
+
+* LibreRouter
+
+  - LibreRouter v1 [#missing_radios]_
+
+* NETGEAR
+
+  - WNDR3700 (v1, v2)
+  - WNDR3800
+  - WNR2200 (8M, 16M)
+  - WNDRMAC (v2)
+
+* OCEDO
+
+  - Koala
+  - Raccoon
+
+* Onion
+
+  - Omega [#modular_ethernet]_
+
+* OpenMesh
+
+  - A40
+  - A60
+  - MR600 (v1, v2)
+  - MR900 (v1, v2)
+  - MR1750 (v1, v2)
+  - OM2P (v1, v2, v4)
+  - OM2P-HS (v1, v2, v3, v4)
+  - OM2P-LC
+  - OM5P
+  - OM5P-AC (v1, v2)
+  - OM5P-AN
+
+* Plasma Cloud
+
+  - PA300
+  - PA300E
+
+* Siemens
+
+  - WS-AP3610
+
+* Sophos
+
+  - AP15C
+  - AP100
+  - AP100c
+  - AP55
+  - AP55c
+
+* Teltonika
+
+  - RUT230 (v1)
+
+* TP-Link
+
+  - Archer A7 (v5)
+  - Archer C5 (v1)
+  - Archer C6 (v2 EU/RU/JP)
+  - Archer C7 (v2, v4, v5)
+  - Archer C59 (v1)
+  - Archer C60 (v1)
+  - CPE210 (v1.0, v1.1, v2.0, v3.0, v3.1, v3.20)
+  - CPE220 (v3.0)
+  - CPE510 (v1.0, v1.1, v2.0, v3.0)
+  - CPE710 (v1.0)
+  - EAP225-Outdoor (v1, v3)
+  - TL-WDR3500 (v1)
+  - TL-WDR3600 (v1)
+  - TL-WDR4300 (v1)
+  - TL-WR810N (v1)
+  - TL-WR842N/ND (v3)
+  - TL-WR1043N/ND (v2, v3, v4, v5)
+  - TL-WR2543N/ND (v1)
+  - WBS210 (v1.20, v2.0)
+  - WBS510 (v1.20)
+
+* Ubiquiti
+
+  - NanoBeam 5AC 19 (XC)
+  - NanoBeam M5 (XW)
+  - NanoStation Loco M2/M5 (XW)
+  - NanoStation M2/M5 (XW)
+  - UniFi AC Lite
+  - UniFi AC LR
+  - UniFi AC Mesh
+  - UniFi AC Mesh Pro
+  - UniFi AC Pro
+  - UniFi AP
+  - UniFi AP LR
+  - UniFi AP Outdoor+
+  - UniFi AP PRO
+  - UniFi Swiss Army Knife Ultra
+
+ath79-mikrotik
+--------------
+
+* Mikrotik
+
+  - RB951Ui-2nD (hAP)
+  - RBwAPR-2nD (wAP R)
+
+ath79-nand
+----------
+
+* Aerohive
+
+  - HiveAP 121
+
+* GL.iNet
+
+  - GL-AR300M
+  - GL-AR750S
+  - GL-XE300
+
+* NETGEAR
+
+  - WNDR3700 (v4)
+  - WNDR4300 (v1)
+
+* Zyxel
+
+  - NBG6716
+
+brcm2708-bcm2708
+----------------
+
+* Raspberry Pi 1
+
+brcm2708-bcm2709
+----------------
+
+* Raspberry Pi 2
+
+
+ipq40xx-generic
+---------------
+
+* 8devices
+
+  - Jalapeno
+
+* Aruba
+
+  - AP-303
+  - AP-303H
+  - AP-365
+  - Instant On AP11
+  - Instant On AP11D
+  - Instant On AP17
+
+* AVM
+
+  - FRITZ!Box 4040 [#avmflash]_
+  - FRITZ!Box 7520 (v1) [#eva_ramboot]_ [#lan_as_wan]_
+  - FRITZ!Box 7530 [#eva_ramboot]_ [#lan_as_wan]_
+  - FRITZ!Repeater 1200 [#eva_ramboot]_
+
+* Extreme Networks
+
+  - WS-AP3915i
+
+* GL.iNet
+
+  - GL-AP1300
+  - GL-B1300
+
+* Linksys
+
+  - EA6350 (v3)
+
+* NETGEAR
+
+  - EX6100 (v2)
+  - EX6150 (v2)
+
+* OpenMesh
+
+  - A42
+  - A62
+
+* Plasma Cloud
+
+  - PA1200
+  - PA2200
+
+* Zyxel
+
+  - NBG6617
+
+ipq40xx-mikrotik
+----------------
+
+* Mikrotik
+
+  - DISC Lite5 ac (RBDiscG-5acD)
+  - hAP ac2
+  - SXTsq 5 ac (RBSXTsqG-5acD)
+
+ipq806x-generic
+---------------
+
+* NETGEAR
+
+  - R7800
+
+* Ubiquiti
+
+  - UniFi AC HD
+
+lantiq-xrx200
+-------------
+
+* Arcadyan
+
+  - VGV7510KW22 (o2 Box 6431)
+
+* AVM
+
+  - FRITZ!Box 7360 (v1, v2) [#avmflash]_ [#lan_as_wan]_
+  - FRITZ!Box 7360 SL [#avmflash]_ [#lan_as_wan]_
+  - FRITZ!Box 7362 SL [#eva_ramboot]_ [#lan_as_wan]_
+  - FRITZ!Box 7412 [#eva_ramboot]_
+
+lantiq-xrx200_legacy
+--------------------
+
+* TP-Link
+
+  - TD-W8970 (v1) [#lan_as_wan]_
+
+lantiq-xway
+-----------
+
+* AVM
+
+  - FRITZ!Box 7312 [#avmflash]_
+
+* NETGEAR
+
+  - DGN3500B [#lan_as_wan]_
+
+mediatek-filogic
+----------------
+
+* ASUS
+
+  - RT-AX52
+  - TUF AX4200
+  - TUF AX6000
+
+* Cudy
+
+  - AP3000 Outdoor (v1)
+  - TR3000 (v1)
+  - WR3000 (v1)
+
+* D-Link
+
+  - AQUILA PRO AI M30 A1
+  - AQUILA PRO AI M60 A1
+
+* GL.iNet
+
+  - GL-MT2500
+  - GL-MT3000
+
+* NETGEAR
+
+  - WAX220
+
+* OpenWrt
+
+  - One
+
+* Ubiquiti
+
+  - UniFi 6 Plus
+
+* Wavlink
+
+  - WL-WN573HX3 [#lan_as_wan]_
+
+* Zyxel
+
+  - NWA50AX Pro
+
+mediatek-mt7622
+---------------
+
+* Linksys
+
+  - E8450
+
+* Ubiquiti
+
+  - UniFi 6 LR (v1)
+
+mpc85xx-p1010
+-------------
+
+* Enterasys
+
+  - WS-AP3715i
+
+* Sophos
+
+  - RED 15w Rev.1
+
+* TP-Link
+
+  - TL-WDR4900 (v1)
+
+mpc85xx-p1020
+---------------
+
+* Aerohive
+
+  - HiveAP 330
+
+* Enterasys
+
+  - WS-AP3710i
+
+* Extreme Networks
+
+  - WS-AP3825i
+
+* Hewlett-Packard
+
+  - MSM460
+
+* Ocedo
+
+  - Panda
+
+ramips-mt7620
+-------------
+
+* ASUS
+
+  - RT-AC51U
+
+* GL.iNet
+
+  - GL-MT300A
+  - GL-MT300N
+  - GL-MT750
+
+* NETGEAR
+
+  - EX3700
+  - EX3800
+  - EX6130
+
+* Nexx
+
+  - WT3020AD/F/H
+
+* TP-Link
+
+  - Archer C2 (v1)
+  - Archer C20 (v1)
+  - Archer C20i
+  - Archer C50 (v1)
+
+* Xiaomi
+
+  - MiWiFi Mini
+
+ramips-mt7621
+-------------
+
+* ASUS
+
+  - RT-AC57U (v1)
+  - RT-AX53U
+
+* Cudy
+
+  - WR1300 (v1)
+  - WR2100
+  - X6 (v1, v2)
+
+* D-Link
+
+  - COVR-X1860 (A1)
+  - DAP-X1860 (A1)
+  - DIR-860L (B1)
+  - DIR-878 (A1)
+  - DIR-882 (A1)
+
+* Genexis
+
+  - Pulse EX400
+
+* GL.iNet
+
+  - GL-MT1300
+
+* MERCUSYS
+
+  - MR70X (v1)
+
+* NETGEAR
+
+  - EX6150 (v1)
+  - R6220
+  - R6260
+  - WAC104
+  - WAX202
+
+* TP-Link
+
+  - EAX11 (v2)
+  - EAX12
+  - EAX15 (v2)
+  - EAP615-Wall (v1)
+  - RE500 (v1)
+  - RE650 (v1)
+
+* Ubiquiti
+
+  - EdgeRouter X
+  - EdgeRouter X-SFP
+  - UniFi 6 Lite
+  - UniFi nanoHD
+
+* Wavlink
+
+  - WS-WN572HP3 (4G)
+
+* Xiaomi
+
+  - Xiaomi Mi Router 3G (v1, v2)
+  - Xiaomi Mi Router 4A (Gigabit Edition v1, v2)
+
+* Zbtlink
+
+  - WG3526-16M
+  - WG3526-32M
+
+* Zyxel
+
+  - NWA50AX
+  - WSM20
+
+ramips-mt76x8
+-------------
+
+* Cudy
+
+  - TR1200 (v1)
+  - WR1000 (v1)
+
+* GL.iNet
+
+  - GL-MT300N (v2)
+  - microuter-N300
+  - VIXMINI
+
+* NETGEAR
+
+  - R6020
+  - R6120
+
+* RAVPower
+
+  - RP-WD009
+
+* TP-Link
+
+  - Archer C20 (v4, v5)
+  - Archer C50 (v3, v4)
+  - RE200 (v2, v3, v4)
+  - TL-MR3020 (v3)
+  - TL-MR3420 (v5)
+  - TL-MR6400 (v5)
+  - TL-WA801ND (v5)
+  - TL-WR841N (v13)
+  - TL-WR902AC (v3, v4)
+
+* VoCore
+
+  - VoCore2
+
+* Xiaomi
+
+  - Xiaomi Mi Router 4A (100M Edition) - MIR4A
+  - Xiaomi Mi Router 4A (100M International Edition) - R4AC
+  - Xiaomi Mi Router 4A (100M International Edition v2) - R4ACv2
+  - Xiaomi Mi Router 4C - R4CM
+
+rockchip-armv8
+--------------
+
+* FriendlyElec
+
+  - NanoPi R2S
+  - NanoPi R3S
+  - NanoPi R4S (4GB LPDDR4)
+
+sunxi-cortexa7
+--------------
+
+* LeMaker
+
+  - Banana Pi M1
+
+x86-generic
+-----------
+
+* x86-generic
+* x86-virtualbox
+* x86-vmware
+
+See also: :doc:`x86`
+
+x86-geode
+---------
+
+* x86-geode
+
+See also: :doc:`x86`
+
+x86-64
+------
+
+* x86-64-generic
+* x86-64-virtualbox
+* x86-64-vmware
+
+See also: :doc:`x86`
+
+Footnotes
+---------
+
+.. [#avmflash]
+  For instructions on how to flash AVM devices, visit https://fritz-tools.readthedocs.io
+
+.. [#eva_ramboot]
+  For instructions on how to flash AVM NAND devices, see the respective
+  commit which added support in OpenWrt.
+
+.. [#lan_as_wan]
+  All LAN ports on this device are used as WAN.
+
+.. [#missing_radios]
+  This device contains more than two WLAN radios, which is currently
+  unsupported by Gluon. Only the first two radios will work.
+
+.. [#modular_ethernet]
+  These devices follow a modular principle,
+  which means even basic functionality like ethernet is provided by an expansion-board,
+  that may not be bundled with the device itself.
+  Such expansions are recommended for the config mode, but are not strictly necessary,
+  as exposed serial ports may grant sufficient access as well.

docs/user/x86.rst

@@ -2,28 +2,33 @@ x86 support
 ===========
 
 Gluon can run on normal x86 systems, for example virtual machines
-and VPN boxes. There is no WLAN support on x86 though.
+and VPN boxes. By default, there is no WLAN support on x86 though.
 
 Targets
 ^^^^^^^
 
-There are two targets for x86 images:
+The following targets for x86 images exist:
 
-`x86-generic`
-    Generic x86 support with many different ethernet drivers; should run on
-    most x86 systems.
+`x86-64`
+    Generic x86 64-bit support with many different ethernet drivers; should run on
+    most x86 systems with 64-bit support.
 
     There are three images:
 
-    * `generic` (compressed "raw" image, can written to a disk directly or booted with qemu)
+    * `generic` (compressed "raw" image, can be written to a disk directly or booted with qemu)
     * `virtualbox` (VDI image)
     * `vmware` (VMDK image)
 
-    These images only differ in the image file format, the content is the same. Therefore there is
-    only a single `x86-generic` sysupgrade image instead of three.
+    These images differ in the image file format, the content is the same. Therefore
+    a single `x86-64` sysupgrade image is provided, only.
+
+`x86-generic`
+    32-bit version of `x86-64` for hardware not supporting 64-bit images.
+    Also comes with `virtualbox` and `vmware` factory installs.
+
+`x86-geode`
+    x86 image for Geode CPUs.
 
-    Please note that the `x86-generic` image doesn't include VirtIO support, so another virtual NIC
-    like `pcnet32` must be chosen when using VirtualBox.
+`x86-legacy`
+    x86 image for very old PC hardware like i586.
 
-`x86-kvm`
-    The `x86-kvm` image uses VirtIO as its harddisk and network driver.

include/Makefile.image

-override define BuildImage
-prepare: FORCE
-	$(call Image/Prepare)
-endef
-
-# The Makefile included here is $(TOPDIR)/target/linux/$(BOARD)/image/Makefile
-include Makefile

include/Makefile.target

-# code adjusted from openwrt/include/kernel-defaults.mk
-
-override define Kernel/Configure
-	$(LINUX_CONF_CMD) > $(LINUX_DIR)/.config.target
-# copy CONFIG_KERNEL_* settings over to .config.target
-	awk '/^(#[[:space:]]+)?CONFIG_KERNEL/{sub("CONFIG_KERNEL_","CONFIG_");print}' $(BOARD_BUILDDIR)/config-allmods >> $(LINUX_DIR)/.config.target
-	echo "# CONFIG_KALLSYMS_EXTRA_PASS is not set" >> $(LINUX_DIR)/.config.target
-	echo "# CONFIG_KALLSYMS_ALL is not set" >> $(LINUX_DIR)/.config.target
-	echo "# CONFIG_KALLSYMS_UNCOMPRESSED is not set" >> $(LINUX_DIR)/.config.target
-	echo "# CONFIG_KPROBES is not set" >> $(LINUX_DIR)/.config.target
-	$(SCRIPT_DIR)/metadata.pl kconfig $(TMP_DIR)/.packageinfo $(BOARD_BUILDDIR)/config-allmods > $(LINUX_DIR)/.config.override
-	$(SCRIPT_DIR)/kconfig.pl 'm+' '+' $(LINUX_DIR)/.config.target /dev/null $(LINUX_DIR)/.config.override > $(LINUX_DIR)/.config
-	$(call Kernel/SetNoInitramfs)
-	rm -rf $(KERNEL_BUILD_DIR)/modules
-	$(_SINGLE) [ -d $(LINUX_DIR)/user_headers ] || $(MAKE) $(KERNEL_MAKEOPTS) INSTALL_HDR_PATH=$(LINUX_DIR)/user_headers headers_install
-	cp $(GLUONDIR)/targets/$(GLUON_TARGET)/vermagic $(LINUX_DIR)/.vermagic
-endef
-
-# The Makefile included here is $(TOPDIR)/target/linux/$(BOARD)/Makefile
-include Makefile

include/config

-CONFIG_IMAGEOPT=y
-# CONFIG_PER_FEED_REPO is not set
-
-CONFIG_DEVEL=y
-
-CONFIG_BUSYBOX_CUSTOM=y
-CONFIG_BUSYBOX_CONFIG_SHA512SUM=y
-# CONFIG_BUSYBOX_CONFIG_FEATURE_PREFER_IPV4_ADDRESS is not set
-CONFIG_BUSYBOX_CONFIG_IP=y
-CONFIG_BUSYBOX_CONFIG_FEATURE_IP_ADDRESS=y
-CONFIG_BUSYBOX_CONFIG_FEATURE_IP_LINK=y
-CONFIG_BUSYBOX_CONFIG_FEATURE_IP_ROUTE=y
-CONFIG_BUSYBOX_CONFIG_FEATURE_IP_TUNNEL=y
-CONFIG_BUSYBOX_CONFIG_FEATURE_IP_RULE=y
-CONFIG_BUSYBOX_CONFIG_FEATURE_IP_SHORT_FORMS=y
-CONFIG_BUSYBOX_CONFIG_FEATURE_WGET_TIMEOUT=y
-
-CONFIG_ATH_USER_REGD=y
-CONFIG_PACKAGE_ATH_DEBUG=y
-CONFIG_ATH10K_CT_COMMUNITY_FW=y
-
-CONFIG_PACKAGE_luci-base_srcdiet=y

include/gluon.mk

-ifneq ($(__gluon_inc),1)
-__gluon_inc=1
-
-GLUON_SITEDIR ?= $(GLUONDIR)/site
-GLUON_IMAGEDIR ?= $(GLUONDIR)/images
-GLUON_BUILDDIR ?= $(GLUONDIR)/build
-
-GLUON_ORIGOPENWRTDIR := $(GLUONDIR)/openwrt
-GLUON_SITE_CONFIG := $(GLUON_SITEDIR)/site.conf
-
-export GLUONDIR GLUON_SITEDIR GLUON_SITE_CONFIG GLUON_IMAGEDIR GLUON_BUILDDIR
-
-
-BOARD_BUILDDIR = $(GLUON_BUILDDIR)/$(GLUON_TARGET)
-BOARD_KDIR = $(BOARD_BUILDDIR)/kernel
-
-export BOARD_BUILDDIR
-
-GLUON_OPENWRTDIR = $(BOARD_BUILDDIR)/openwrt
-
-
-$(GLUON_SITEDIR)/site.mk:
-	$(error There was no site configuration found. Please check out a site configuration to $(GLUON_SITEDIR))
-
--include $(GLUON_SITEDIR)/site.mk
-
-
-GLUON_VERSION := $(shell cd $(GLUONDIR) && git describe --always 2>/dev/null || echo unknown)
-export GLUON_VERSION
-
-GLUON_LANGS ?= en
-export GLUON_LANGS
-
-
-ifeq ($(OPENWRT_BUILD),1)
-ifeq ($(GLUON_TOOLS),1)
-
-CONFIG_VERSION_REPO := $(shell $(GLUONDIR)/scripts/site.sh opkg_repo || echo http://downloads.openwrt.org/barrier_breaker/14.07/%S/packages)
-export CONFIG_VERSION_REPO
-
-GLUON_SITE_CODE := $(shell $(GLUONDIR)/scripts/site.sh site_code)
-export GLUON_SITE_CODE
-
-ifeq ($(GLUON_RELEASE),)
-$(error GLUON_RELEASE not set. GLUON_RELEASE can be set in site.mk or on the command line.)
-endif
-export GLUON_RELEASE
-
-endif
-endif
-
-
-define merge-lists
-$(1) :=
-$(foreach var,$(2),$(1) := $$(filter-out -% $$(patsubst -%,%,$$(filter -%,$$($(var)))),$$($(1)) $$($(var)))
-)
-endef
-
-GLUON_TARGETS :=
-
-define GluonTarget
-gluon_target := $(1)$$(if $(2),-$(2))
-GLUON_TARGETS += $$(gluon_target)
-GLUON_TARGET_$$(gluon_target)_BOARD := $(1)
-GLUON_TARGET_$$(gluon_target)_SUBTARGET := $(2)
-endef
-
-GLUON_DEFAULT_PACKAGES := gluon-core kmod-ipv6 firewall ip6tables -uboot-envtools
-
-override DEFAULT_PACKAGES.router :=
-
-endif #__gluon_inc

include/package.mk

-include $(INCLUDE_DIR)/package.mk
-
-# Annoyingly, make's shell function replaces all newlines with spaces, so we have to do some escaping work. Yuck.
-define GluonCheckSite
-[ -z "$$GLUONDIR" ] || sed -e 's/-@/\n/g' -e 's/+@/@/g' <<'END__GLUON__CHECK__SITE' | "$$GLUONDIR"/scripts/check_site.sh
-$(shell cat $(1) | sed -ne '1h; 1!H; $$ {g; s/@/+@/g; s/\n/-@/g; p}')
-END__GLUON__CHECK__SITE
-endef
-
-
-# Languages supported by LuCi
-GLUON_SUPPORTED_LANGS := ca zh_cn en fr de el he hu it ja ms no pl pt_br pt ro ru es sv uk vi
-
-GLUON_LANG_ca := catalan
-GLUON_LANG_zh_cn := chinese
-GLUON_LANG_en := english
-GLUON_LANG_fr := french
-GLUON_LANG_de := german
-GLUON_LANG_el := greek
-GLUON_LANG_he := hebrew
-GLUON_LANG_hu := hungarian
-GLUON_LANG_it := italian
-GLUON_LANG_ja := japanese
-GLUON_LANG_ms := malay
-GLUON_LANG_no := norwegian
-GLUON_LANG_pl := polish
-GLUON_LANG_pt_br := portuguese-brazilian
-GLUON_LANG_pt := portuguese
-GLUON_LANG_ro := romanian
-GLUON_LANG_ru := russian
-GLUON_LANG_es := spanish
-GLUON_LANG_sv := swedish
-GLUON_LANG_uk := ukrainian
-GLUON_LANG_vi := vietnamese
-
-GLUON_I18N_PACKAGES := $(foreach lang,$(GLUON_SUPPORTED_LANGS),+GLUON_LANG_$(lang):luci-i18n-$(GLUON_LANG_$(lang)))
-GLUON_I18N_CONFIG := $(foreach lang,$(GLUON_SUPPORTED_LANGS),CONFIG_GLUON_LANG_$(lang))
-GLUON_ENABLED_LANGS := $(foreach lang,$(GLUON_SUPPORTED_LANGS),$(if $(CONFIG_GLUON_LANG_$(lang)),$(lang)))
-
-
-GLUON_PO2LMO := $(BUILD_DIR)/luci/build/po2lmo
-
-define GluonBuildI18N
-	mkdir -p $$(PKG_BUILD_DIR)/i18n
-	for lang in $$(GLUON_ENABLED_LANGS); do \
-		if [ -e $(2)/$$$$lang.po ]; then \
-			rm -f $$(PKG_BUILD_DIR)/i18n/$(1).$$$$lang.lmo; \
-			$(GLUON_PO2LMO) $(2)/$$$$lang.po $$(PKG_BUILD_DIR)/i18n/$(1).$$$$lang.lmo; \
-		fi; \
-	done
-endef
-
-define GluonInstallI18N
-	$$(INSTALL_DIR) $(2)/usr/lib/lua/luci/i18n
-	for lang in $$(GLUON_ENABLED_LANGS); do \
-		if [ -e $$(PKG_BUILD_DIR)/i18n/$(1).$$$$lang.lmo ]; then \
-			$$(INSTALL_DATA) $$(PKG_BUILD_DIR)/i18n/$(1).$$$$lang.lmo $(2)/usr/lib/lua/luci/i18n/$(1).$$$$lang.lmo; \
-		fi; \
-	done
-endef

include/toplevel.mk

-# Makefile for OpenWrt
-#
-# Copyright (C) 2007-2012 OpenWrt.org
-# Copyright (C) 2013-2014 Project Gluon
-#
-# This is free software, licensed under the GNU General Public License v2.
-# See /LICENSE for more information.
-#
-
-RELEASE:=Barrier Breaker
-PREP_MK= OPENWRT_BUILD= QUIET=0
-
-export IS_TTY=$(shell tty -s && echo 1 || echo 0)
-
-include $(GLUONDIR)/include/verbose.mk
-
-REVISION:=$(shell [ -d $(TOPDIR) ] && cd $(TOPDIR) && ./scripts/getver.sh 2>/dev/null)
-
-HOSTCC ?= gcc
-OPENWRTVERSION:=$(RELEASE)$(if $(REVISION), ($(REVISION)))
-export RELEASE
-export REVISION
-export OPENWRTVERSION
-export IS_TTY=$(shell tty -s && echo 1 || echo 0)
-export LD_LIBRARY_PATH:=$(subst ::,:,$(if $(LD_LIBRARY_PATH),$(LD_LIBRARY_PATH):)$(STAGING_DIR_HOST)/lib)
-export DYLD_LIBRARY_PATH:=$(subst ::,:,$(if $(DYLD_LIBRARY_PATH),$(DYLD_LIBRARY_PATH):)$(STAGING_DIR_HOST)/lib)
-export GIT_CONFIG_PARAMETERS='core.autocrlf=false'
-export MAKE_JOBSERVER=$(filter --jobserver%,$(MAKEFLAGS))
-
-# prevent perforce from messing with the patch utility
-unexport P4PORT P4USER P4CONFIG P4CLIENT
-
-# prevent user defaults for quilt from interfering
-unexport QUILT_PATCHES QUILT_PATCH_OPTS
-
-unexport C_INCLUDE_PATH CROSS_COMPILE ARCH
-
-# prevent distro default LPATH from interfering
-unexport LPATH
-
-# make sure that a predefined CFLAGS variable does not disturb packages
-export CFLAGS=
-
-ifneq ($(shell $(HOSTCC) 2>&1 | grep clang),)
-  export HOSTCC_REAL?=$(HOSTCC)
-  export HOSTCC_WRAPPER:=$(TOPDIR)/scripts/clang-gcc-wrapper
-else
-  export HOSTCC_WRAPPER:=$(HOSTCC)
-endif
-
-ifeq ($(FORCE),)
-  .config scripts/config/conf scripts/config/mconf: tmp/.prereq-build
-endif
-
-SCAN_COOKIE?=$(shell echo $$$$)
-export SCAN_COOKIE
-
-SUBMAKE:=umask 022; $(SUBMAKE)
-
-ULIMIT_FIX=_limit=`ulimit -n`; [ "$$_limit" = "unlimited" -o "$$_limit" -ge 1024 ] || ulimit -n 1024;
-
-FORCE: ;
-
-.PHONY: FORCE
-.NOTPARALLEL:
-

include/verbose.mk

-# 
-# Copyright (C) 2006 OpenWrt.org
-#
-# This is free software, licensed under the GNU General Public License v2.
-# See /LICENSE for more information.
-#
-
-ifndef OPENWRT_VERBOSE
-  OPENWRT_VERBOSE:=
-endif
-ifeq ("$(origin V)", "command line")
-  OPENWRT_VERBOSE:=$(V)
-endif
-
-ifeq ($(OPENWRT_VERBOSE),1)
-  OPENWRT_VERBOSE:=w
-endif
-ifeq ($(OPENWRT_VERBOSE),99)
-  OPENWRT_VERBOSE:=s
-endif
-
-ifeq ($(NO_TRACE_MAKE),)
-NO_TRACE_MAKE := $(MAKE) V=s$(OPENWRT_VERBOSE)
-export NO_TRACE_MAKE
-endif
-
-ifeq ($(IS_TTY),1)
-  ifneq ($(strip $(NO_COLOR)),1)
-    _Y:=\\033[33m
-    _R:=\\033[31m
-    _N:=\\033[m
-  endif
-endif
-
-ifeq ($(findstring s,$(OPENWRT_VERBOSE)),)
-  define MESSAGE
-	printf "$(_Y)%s$(_N)\n" "$(1)" >&8
-  endef
-
-  define ERROR_MESSAGE
-	printf "$(_R)%s$(_N)\n" "$(1)" >&8
-  endef
-
-  ifeq ($(QUIET),1)
-    ifneq ($(CURDIR),$(TOPDIR))
-      _DIR:=$(patsubst $(TOPDIR)/%,%,${CURDIR})
-    else
-      _DIR:=
-    endif
-    _NULL:=$(if $(MAKECMDGOALS),$(shell \
-		$(call MESSAGE, make[$(MAKELEVEL)]$(if $(_DIR), -C $(_DIR)) $(MAKECMDGOALS)); \
-    ))
-    SUBMAKE=$(MAKE)
-  else
-    SILENT:=>/dev/null $(if $(findstring w,$(OPENWRT_VERBOSE)),,2>&1)
-    export QUIET:=1
-    SUBMAKE=cmd() { $(SILENT) $(MAKE) -s $$* < /dev/null || { echo "make $$*: build failed. Please re-run make with V=s to see what's going on"; false; } } 8>&1 9>&2; cmd
-  endif
-
-  .SILENT: $(MAKECMDGOALS)
-else
-  SUBMAKE=$(MAKE) -w
-  define MESSAGE
-    printf "%s\n" "$(1)"
-  endef
-  ERROR_MESSAGE=$(MESSAGE)
-endif

modules

-GLUON_FEEDS='openwrt gluon routing luci'
+GLUON_FEEDS='gluon packages routing'
 
-OPENWRT_REPO=git://git.openwrt.org/14.07/openwrt.git
-OPENWRT_COMMIT=179bab8b1700d74b28cc6cd25322f9a1ad670107
+OPENWRT_REPO=https://github.com/openwrt/openwrt.git
+OPENWRT_BRANCH=openwrt-24.10
+OPENWRT_COMMIT=63064db76599ac0455c2f7cd6309d63c61112ae1
 
-PACKAGES_OPENWRT_REPO=git://github.com/openwrt/packages.git
-PACKAGES_OPENWRT_COMMIT=01fcd1f29174a56d6ddb59901ed8c67ea42c3a8f
-PACKAGES_OPENWRT_BRANCH=for-14.07
+PACKAGES_GLUON_REPO=https://github.com/freifunk-gluon/packages.git
+PACKAGES_GLUON_COMMIT=bae34a0f53b25dbd691c57c8ab2d0b7cfe811517
 
-PACKAGES_GLUON_REPO=git://github.com/freifunk-gluon/packages.git
-PACKAGES_GLUON_COMMIT=e8ee21d116a0abc2e328b0ee181d79845654582e
+PACKAGES_PACKAGES_REPO=https://github.com/openwrt/packages.git
+PACKAGES_PACKAGES_BRANCH=openwrt-24.10
+PACKAGES_PACKAGES_COMMIT=efe4a18b129cfe7f766a9b07a2f9b856ca2d478b
 
-PACKAGES_ROUTING_REPO=git://github.com/openwrt-routing/packages.git
-PACKAGES_ROUTING_COMMIT=5d4ad63897b435d5df0f39a49bd58962c22c33b8
-PACKAGES_ROUTING_BRANCH=for-14.07
-
-PACKAGES_LUCI_REPO=git://github.com/openwrt/luci.git
-PACKAGES_LUCI_COMMIT=f81be49ae756dab82e1758a6c9de145f0d36960e
+PACKAGES_ROUTING_REPO=https://github.com/openwrt/routing.git
+PACKAGES_ROUTING_BRANCH=openwrt-24.10
+PACKAGES_ROUTING_COMMIT=85d040f28c21c116c905aa15a66255dde80336e7

package/features

+-- Feature definition file
+--
+-- See the page `dev/packages` (Developer Documentation / Package development)
+-- in the `docs` directory or on gluon.readthedocs.io for information on the
+-- file format
+
+
+feature('web-wizard', {
+	'gluon-config-mode-hostname',
+	'gluon-config-mode-geo-location',
+	'gluon-config-mode-contact-info',
+	'gluon-config-mode-outdoor',
+})
+
+when(_'web-wizard' and _'autoupdater', {
+	'gluon-config-mode-autoupdater',
+})
+
+when(_'web-wizard' and (
+	_'mesh-vpn-fastd' or
+	_'mesh-vpn-fastd-l2tp' or
+	_'mesh-vpn-wireguard'
+), {
+	'gluon-config-mode-mesh-vpn',
+})
+
+
+feature('web-advanced', {
+	'gluon-web-admin',
+	'gluon-web-network',
+	'gluon-web-wifi-config',
+})
+
+when(_'web-advanced' and _'autoupdater', {
+	'gluon-web-autoupdater',
+})
+
+
+when(_'mesh-batman-adv-15', {
+	'gluon-ebtables-limit-arp',
+	'gluon-radvd',
+})
+
+when(_'status-page' and _'mesh-batman-adv-15', {
+	'gluon-status-page-mesh-batman-adv',
+})
+
+
+when(_'mesh-olsrd', {
+	'gluon-radvd',
+})
+
+
+when(not _'wireless-encryption-wpa3', {
+	'hostapd-mini',
+})

package/gluon-alfred/Makefile

 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=gluon-alfred
-PKG_VERSION:=1
-PKG_RELEASE:=1
 
-PKG_BUILD_DIR := $(BUILD_DIR)/$(PKG_NAME)
-
-include $(INCLUDE_DIR)/package.mk
+include ../gluon.mk
 
 define Package/gluon-alfred
-  SECTION:=gluon
-  CATEGORY:=Gluon
-  DEPENDS:=+gluon-core +gluon-announce +gluon-cron +alfred
+  DEPENDS:=+gluon-core +gluon-respondd +gluon-neighbour-info gluon-mesh-batman-adv +micrond +alfred
   TITLE:=Configure alfred
 endef
 
-define Build/Prepare
-	mkdir -p $(PKG_BUILD_DIR)
-endef
-
-define Build/Configure
-endef
-
-define Build/Compile
-endef
-
-define Package/gluon-alfred/install
-	$(CP) ./files/* $(1)/
-endef
-
-$(eval $(call BuildPackage,gluon-alfred))
+$(eval $(call BuildPackageGluon,gluon-alfred))

package/gluon-alfred/files/lib/gluon/cron/alfred

-* * * * * /lib/gluon/announce/collect.lua nodeinfo | gzip | alfred -s 158; /lib/gluon/announce/collect.lua statistics | gzip | alfred -s 159; /lib/gluon/announce/collect.lua neighbours | gzip | alfred -s 160

package/gluon-alfred/files/lib/gluon/reload.d/301-alfred-stop

+#!/bin/sh
+/etc/init.d/alfred stop

package/gluon-alfred/files/lib/gluon/reload.d/799-alfred-start

+#!/bin/sh
+/etc/init.d/alfred start

package/gluon-alfred/files/lib/gluon/upgrade/500-enable-alfred

-#!/usr/bin/lua
-
-local uci = require 'luci.model.uci'
-local c = uci.cursor()
-
-
-c:delete('alfred', 'alfred')
-c:section('alfred', 'alfred', 'alfred',
-	  {
-		  interface = 'br-client',
-		  mode = 'slave',
-		  batmanif = 'bat0',
-		  start_vis = '1',
-		  run_facters = '0',
-	  }
-)
-
-c:save('alfred')
-c:commit('alfred')