From b519001641b2dac6cff4c5c6523fb814f2249733 Mon Sep 17 00:00:00 2001
From: Ian Kelling <iank@fsf.org>
Date: Tue, 13 Jul 2021 00:13:39 -0400
Subject: [PATCH] root2 partitions, various improvements

---
 README                                        |   8 +
 dsfull                                        |   3 +-
 fai/config/distro-install-common/devbyid      |   7 +-
 .../distro-install-common/libreboot_grub.cfg  |   3 +-
 fai/config/files/boot/chboot/DEFAULT          |   4 +-
 fai/config/hooks/partition.DEFAULT            | 151 +++++++++++++-----
 fai/config/package_config/STANDARD            |   2 +
 faiserver-setup                               |   7 +-
 wrt-setup-local                               |  17 +-
 9 files changed, 157 insertions(+), 45 deletions(-)

diff --git a/README b/README
index 95eca1d..a1cb54d 100644
--- a/README
+++ b/README
@@ -180,6 +180,14 @@ reboot
 
 # Expected output in fai logs
 
+On focal,
+fai.log:updatebase.UBUNTU    FAILED with exit code 1.
+the real error is dpkg-reconfigure locales, seems to be related
+to a workaround for < 20.04, relevant comment:
+# in case the locales are already included inside the base file (Ubuntu)
+in config/hooks/instsoft.DEBIAN
+
+
 For flidas, when installing systemd, this error happens, and it's
 a superflous upstream bug based on reading the post install script:
 
diff --git a/dsfull b/dsfull
index 91ab8ec..593e7d6 100755
--- a/dsfull
+++ b/dsfull
@@ -98,7 +98,8 @@ fi
 while [[ $(ser is-active btrbk.service) == active ]]; do
     sleep 5
 done
-btrbk-run -t $host
+bbk -t $host archive
+bbk -t $host
 #ssh $host /a/bin/distro-setup/distro-begin
 # this should be done instead of distro-begin, but
 # keeping it to 2 steps for now
diff --git a/fai/config/distro-install-common/devbyid b/fai/config/distro-install-common/devbyid
index e344389..056a83f 100755
--- a/fai/config/distro-install-common/devbyid
+++ b/fai/config/distro-install-common/devbyid
@@ -5,10 +5,11 @@
 
 short_dev=$1
 
-# devices are identified by model+serial num,
-# and wwn. model+serial gives me more info, so use that.
+# devices are identified by model+serial num
+# and for ssd/hdd: wwn, and for nvme: eui.
+# model+serial gives me more info, so use that.
 shopt -s extglob
-for id in /dev/disk/by-id/!(wwn*); do
+for id in /dev/disk/by-id/!(nvme-eui*|wwn*); do
     [[ -e $id ]] || break # if we matched nothing
     if [[ $(readlink -f $id) == "$short_dev" ]]; then
         printf '%s\n' "$id"
diff --git a/fai/config/distro-install-common/libreboot_grub.cfg b/fai/config/distro-install-common/libreboot_grub.cfg
index 16fec9c..54cf468 100644
--- a/fai/config/distro-install-common/libreboot_grub.cfg
+++ b/fai/config/distro-install-common/libreboot_grub.cfg
@@ -28,7 +28,8 @@ function save_chosen {
 set default=/debianbuster_bootstrap # could use 0 here.
 set timeout=1
 
-for part in (ahci*5) (ata*5); do
+# grub_extn
+for part in (ahci*7) (ata*7); do
     envfile=$part/grubenv
     if [ -s $envfile ]; then
         load_env --file $envfile
diff --git a/fai/config/files/boot/chboot/DEFAULT b/fai/config/files/boot/chboot/DEFAULT
index 6354ed9..adfbe1c 100755
--- a/fai/config/files/boot/chboot/DEFAULT
+++ b/fai/config/files/boot/chboot/DEFAULT
@@ -127,8 +127,10 @@ done
 if [[ $(blockdev --getsize64 ${boot_disk}4) == 8388608 ]]; then
   # old partition scheme
   grub_dev=${boot_disk}4
-else
+elif [[ $(blockdev --getsize64 ${boot_disk}5) == 8388608 ]]; then
   grub_dev=${boot_disk}5
+else
+  grub_dev=${boot_disk}7
 fi
 
 e mount $grub_dev $mount_point
diff --git a/fai/config/hooks/partition.DEFAULT b/fai/config/hooks/partition.DEFAULT
index 534e1fa..0dc4c7d 100755
--- a/fai/config/hooks/partition.DEFAULT
+++ b/fai/config/hooks/partition.DEFAULT
@@ -26,16 +26,17 @@ fi
 
 # for calling outside of FAI:
 # fai-redep
-# s
+#
 # source /b/fai/fai-wrapper
 # - set any appropriate classes with: fai-setclass OPT1... which sets CLASS_OPT1=true...
 #   or run eval-fai-classfile FILE.
-# - Set a VOL_DISTROVER, eg:
+# - Set a VOL_DISTROVER (if not doing mkroot2) eg:
 #   fai-setclass VOL_NABIA
-# - export luks_dir=/q/root/luks
 #
 # OPTIONS:
 #
+# mkroot2: for running outside of fai and setting up the root2/boot2 luks and btrfs
+#
 # environment variables:
 #
 # HOSTNAME: if frodo, we exclude 2 devices from the /boot array, which
@@ -63,6 +64,19 @@ fi
 # raid10.
 # RAID1: forces raid1 filesystem.
 
+mkroot2=false
+case $1 in
+  mkroot2)
+    mkroot2=true
+    ;;
+  *)
+    echo "$0: error: unsupported arg: $1" >&2
+    exit 1
+    ;;
+esac
+
+
+
 if [[ $SPECIAL_DISK ]]; then
   export CLASS_REPARTITION=true
 fi
@@ -104,18 +118,20 @@ fi
 # boot
 
 rootn=1
-swapn=2
-bootn=3
-efin=4
+root2n=2
+swapn=3
+bootn=4
+boot2n=5
+efin=6
 # ext partition so grub can write persistent variables,
 # so it can do a one time boot. grub can't write to
 # btrfs or any cow fs because it's more
 # more complicated to do and they don't want to.
-grub_extn=5
+grub_extn=7
 # bios boot partition,
 # https://wiki.archlinux.org/index.php/GRUB
-bios_grubn=6
-even_bign=7
+bios_grubn=8
+even_bign=9
 lastn=$bios_grubn
 
 
@@ -135,9 +151,11 @@ add-part() { # add partition suffix to $dev
   echo $d-part$part
 }
 
-bootdev() { add-part $@ $bootn; }
 rootdev() { add-part $@ $rootn; }
+root2dev() { add-part $@ $root2n; }
 swapdev() { add-part $@ $swapn; }
+bootdev() { add-part $@ $bootn; }
+boot2dev() { add-part $@ $boot2n; }
 efidev() { add-part $@ $efin; }
 grub_extdev() { add-part $@ $grub_extn; }
 bios_grubdev() { add-part $@ $bios_grubn; }
@@ -146,8 +164,10 @@ even_bigdev() { add-part $@ $even_bign; }
 crypt-dev() { echo /dev/mapper/crypt_dev_${1##*/}; }
 crypt-name() { echo crypt_dev_${1##*/}; }
 root-cryptdev() { crypt-dev $(rootdev $@); }
+root2-cryptdev() { crypt-dev $(root2dev $@); }
 swap-cryptdev() { crypt-dev $(swapdev $@); }
 root-cryptname() { crypt-name $(rootdev $@); }
+root2-cryptname() { crypt-name $(root2dev $@); }
 swap-cryptname() { crypt-name $(swapdev $@); }
 
 dev-mib() {
@@ -200,7 +220,7 @@ if (($(nproc) > 2)); then
 fi
 
 declare -A disk_excludes
-if ! ifclass USE_MOUNTED; then
+if ! $mkroot2 && ! ifclass USE_MOUNTED; then
   ## ignore disks that are mounted, eg when running from fai-cd
   while read -r l; do
     eval "$l"
@@ -274,6 +294,7 @@ fi
 boot_space=0
 first=true
 boot_devs=()
+boot2_devs=()
 for dev in ${devs[@]}; do
   if ifclass frodo; then
     # I ran into a machine where the bios doesn't know about some disks,
@@ -299,11 +320,15 @@ for dev in ${devs[@]}; do
         break
       fi
     done
-    $bad_disk || boot_devs+=($(bootdev))
+    if ! $bad_disk; then
+      boot_devs+=($(bootdev))
+      boot2_devs+=($(boot2dev))
+    fi
   else
     boot_space=$(( boot_space + $(parted -m $dev unit MiB print | \
                                     sed -nr "s#^/dev/[^:]+:([0-9]+).*#\1#p") - 1))
     boot_devs+=($(bootdev))
+    boot2_devs+=($(boot2dev))
   fi
   if $first && [[ $boot_devs ]]; then
     first_efi=$(efidev)
@@ -335,17 +360,26 @@ if (( boot_space > 60000 )); then
   # becuase I keep a minimal debian install on it for
   # recovery needs and for doing pxe-kexec.
   boot_mib=10000
+  root2_mib=200000
+  boot2_mib=500
 elif (( boot_space > 30000 )); then
   boot_mib=$(( 5000 + (boot_space - 30000) / 2 ))
+  root2_mib=100
+  boot2_mib=100
 else
   # Small vms don't have room for /boot recovery.  With 3 kernels
   # installed, i'm using 132M on t8, so this seems like plenty of
   # room. note: rhel 8 recomments 1g for /boot.
   boot_mib=500
-  #
+  root2_mib=100
+  boot2_mib=100
 fi
 case $raid_level in
-  1*) boot_mib=$(( boot_mib * 2 )) ;;
+  1*)
+    boot_mib=$(( boot_mib * 2 ))
+    boot2_mib=$(( boot2_mib * 2 ))
+    root2_mib=$(( root2_mib * 2 ))
+    ;;
 esac
 ### end calculate boot partition space
 
@@ -374,6 +408,8 @@ if [[ ! $DISTRO ]]; then
     DISTRO=trisqueletiona
   elif ifclass VOL_NABIA; then
     DISTRO=trisquelnabia
+  elif $mkroot2; then
+    :
   else
     echo "PARTITIONER ERROR: no distro class/var set" >&2
     exit 1
@@ -393,6 +429,13 @@ bpart() { # btrfs a partition
 if [[ ! $luks_dir ]]; then
   # see README for docs about how to create these
   luks_dir=$FAI/distro-install-common/luks
+  if [[ ! -d $luks_dir ]]; then
+    luks_dir=/q/root/luks
+  fi
+  if [[ ! -d $luks_dir ]]; then
+    echo "$0: error: no luks_dir found" >&2
+    exit 1
+  fi
 fi
 
 luks_file=$luks_dir/host-$HOSTNAME
@@ -430,8 +473,33 @@ for dev in ${devs[@]}; do
   root_devs+=($(rootdev))
 done
 shopt -s nullglob
-if $partition; then
 
+rm -f /mnt/root/root2-{fs,crypt}tab
+if $mkroot2; then
+  if $partition; then
+    echo $0: error: found partition=true but have mkroot2 arg
+    exit 1
+  fi
+  for dev in ${devs[@]}; do
+    luks_file=$luks_dir/host-amy
+    lukspw=$(cat $luks_dir/amy)
+    luks-setup $(root2dev)
+    cat >>/mnt/root/root2-crypttab <<EOF
+$(root2-cryptname) $(root2dev)  $luks_file  discard,luks,initramfs
+EOF
+  done
+  bpart $(for dev in ${devs[@]}; do root2-cryptdev; done)
+  bpart ${boot2_devs[@]}
+  mkdir -p /mnt/root2 /mnt/boot2
+  cat >>/mnt/root/root2-fstab <<EOF
+$(root2-cryptdev ${devs[0]}) /mnt/root2  btrfs  nofail,x-systemd.device-timeout=30s,x-systemd.mount-timeout=30s,noatime,subvolid=0$mopts  0 0
+${boot2_devs[0]} /mnt/boot2  btrfs    nofail,x-systemd.device-timeout=30s,x-systemd.mount-timeout=30s,noatime,subvolid=0  0 0
+EOF
+  exit 0
+fi
+
+
+if $partition; then
   ### begin wipefs
   if [[ ! $SPECIAL_DISK ]]; then
     for dev in ${devs[@]}; do
@@ -486,9 +554,14 @@ if $partition; then
     if ! $even_raid; then
       disk_mib=$(dev-mib)
     fi
-    efi_mib=512
-    root_end=$(( disk_mib - swap_mib - boot_mib /  ${#boot_devs[@]} - efi_mib ))
-    swap_end=$(( root_end + swap_mib))
+
+    boot_part_mib=$(( boot_mib / ${#boot_devs[@]} ))
+    boot2_part_mib=$(( boot2_mib / ${#boot_devs[@]} ))
+    root2_part_mib=$(( root2_mib / ${#root_devs[@]} ))
+    root_end=$(( disk_mib - root2_part_mib - swap_mib - boot_part_mib - boot2_part_mib ))
+    root2_end=$(( root_end + root2_part_mib ))
+    swap_end=$(( root2_end + swap_mib ))
+    boot_end=$(( swap_end + boot_part_mib ))
 
     parted -s $dev mklabel gpt
     # MiB because parted complains about alignment otherwise.
@@ -498,14 +571,20 @@ if $partition; then
     # without naming, systemd gives us misc errors like:
     # dev-disk-by\x2dpartlabel-primary.device: Dev dev-disk-by\x2dpartlabel-primary.device appeared twice
     $pcmd name $rootn root
+    # root2 partition
+    $pcmd mkpart primary ext3 ${root_end}MiB ${root2_end}MiB
+    $pcmd name $root2n root2
     # normally a swap is type "linux-swap", but this is encrypted swap. using that
     # label will confuse systemd.
     # swap partition
-    $pcmd mkpart primary "" ${root_end}MiB ${swap_end}MiB
+    $pcmd mkpart primary "" ${root2_end}MiB ${swap_end}MiB
     $pcmd name $swapn swap
     # boot partition
-    $pcmd mkpart primary "" ${swap_end}MiB ${disk_mib}MiB
+    $pcmd mkpart primary "" ${swap_end}MiB ${boot_end}MiB
     $pcmd name $bootn boot
+    # boot2 partition
+    $pcmd mkpart primary "" ${boot_end}MiB ${disk_mib}MiB
+    $pcmd name $boot2n boot2
     # uefi partition. efi sucks, half a gig, rediculous.
     $pcmd mkpart primary "fat32" 12MiB 524MiB
     $pcmd name $efin efi
@@ -514,6 +593,7 @@ if $partition; then
     # but not mentioned https://wiki.archlinux.org/index.php/EFI_system_partition
     # probably not needed
     $pcmd set $bootn boot on
+    $pcmd set $boot2n boot on
     # i only need a few k, but googling min size,
     # I found someone saying that gparted required
     # required at least 8 because of their hard drive cylinder size.
@@ -529,8 +609,7 @@ if $partition; then
     $pcmd mkpart primary "" 1MiB 4MiB
     $pcmd name $bios_grubn biosgrub
     $pcmd set $bios_grubn bios_grub on
-    $pcmd set $bootn boot on # generally not needed on modern systems
-    if $even_big_part  && [[ $dev == $even_big_dev ]]; then
+    if $even_big_part  && [[ $dev == "$even_big_dev" ]]; then
       $pcmd mkpart primary ext3 ${disk_mib}MiB ${even_big_mib}MiB
       $pcmd name $even_bign even_big
     fi
@@ -553,7 +632,7 @@ if $partition; then
 
     mkfs.fat -F32 $(efidev)
 
-    if $even_big_part  && [[ $dev == $even_big_dev ]]; then
+    if $even_big_part  && [[ $dev == "$even_big_dev" ]]; then
       luks-setup $(even_bigdev)
       mkfs.btrfs -f $(crypt-dev $(even_bigdev))
     fi
@@ -652,10 +731,11 @@ grub-editenv /mnt/grubenv set did_fai_check=true
 grub-editenv /mnt/grubenv set last_boot=/$boot_vol
 umount /mnt
 
+fstabstd=x-systemd.device-timeout=30s,x-systemd.mount-timeout=30s
 if [[ $DISTRO == debianbuster_bootstrap ]]; then
   cat > /tmp/fai/fstab <<EOF
 $first_boot_dev  /  btrfs  noatime,subvol=$boot_vol  0 0
-$first_efi  /boot/efi  vfat          nofail,x-systemd.device-timeout=30s,x-systemd.mount-timeout=30s  0 0
+$first_efi  /boot/efi  vfat          nofail,$fstabstd  0 0
 EOF
   cat >/tmp/fai/disk_var.sh <<EOF
 BOOT_DEVICE="${short_devs[@]}"
@@ -664,11 +744,11 @@ EOF
 else
   # note, fai creates the mountpoints listed here
   cat > /tmp/fai/fstab <<EOF
-$first_root_crypt  /  btrfs          x-systemd.device-timeout=90s,x-systemd.mount-timeout=90s,noatime,subvol=root_$DISTRO$mopts  0 0
-$first_root_crypt  /mnt/root  btrfs  nofail,x-systemd.device-timeout=30s,x-systemd.mount-timeout=30s,noatime,subvolid=0$mopts  0 0
-$first_boot_dev  /boot  btrfs        nofail,x-systemd.device-timeout=30s,x-systemd.mount-timeout=30s,noatime,subvol=$boot_vol  0 0
-$first_efi  /boot/efi  vfat          nofail,x-systemd.device-timeout=30s,x-systemd.mount-timeout=30s  0 0
-$first_boot_dev  /mnt/boot  btrfs    nofail,x-systemd.device-timeout=30s,x-systemd.mount-timeout=30s,noatime,subvolid=0  0 0
+$first_root_crypt  /  btrfs $fstabstdopts,noatime,subvol=root_$DISTRO$mopts  0 0
+$first_root_crypt  /mnt/root  btrfs  nofail,$fstabstd,noatime,subvolid=0$mopts  0 0
+$first_boot_dev  /boot  btrfs        nofail,$fstabstd,noatime,subvol=$boot_vol  0 0
+$first_efi  /boot/efi  vfat          nofail,$fstabstd  0 0
+$first_boot_dev  /mnt/boot  btrfs    nofail,$fstabstd,noatime,subvolid=0  0 0
 EOF
   swaps=()
   rm -f /tmp/fai/crypttab
@@ -679,7 +759,7 @@ $(root-cryptname) $(rootdev)  none  keyscript=/root/keyscript,discard,luks,initr
 $(swap-cryptname) $(swapdev)  /dev/urandom  swap,cipher=aes-xts-plain64,size=256,hash=ripemd160
 EOF
     cat >> /tmp/fai/fstab <<EOF
-$(swap-cryptdev)  none  swap  nofail,x-systemd.device-timeout=30s,x-systemd.mount-timeout=30s,sw  0 0
+$(swap-cryptdev)  none  swap  nofail,$fstabstd,sw  0 0
 EOF
   done
 
@@ -696,21 +776,20 @@ ROOT_PARTITION=\${ROOT_PARTITION:-$first_root_crypt}
 SWAPLIST=\${SWAPLIST:-"${swaps[@]}"}
 EOF
 
-
   if [[ $HOSTNAME == kd ]]; then
     # note, having these with keyscript and initramfs causes a luks error in fai.log,
     # but it is safely ignorable and gets us the ability to just type our password
     # in once at boot. A downside is that they are probably needed to be plugged in to boot.
     cat >>/tmp/fai/crypttab <<EOF
-crypt_dev_ata-Samsung_SSD_870_QVO_8TB_S5VUNG0N900656V-part7 /dev/disk/by-id/ata-Samsung_SSD_870_QVO_8TB_S5VUNG0N900656V-part7  none  keyscript=decrypt_keyctl,discard,luks,initramfs
+crypt_dev_ata-Samsung_SSD_870_QVO_8TB_S5VUNG0N900656V-part${even_bign} /dev/disk/by-id/ata-Samsung_SSD_870_QVO_8TB_S5VUNG0N900656V-part7  none  keyscript=decrypt_keyctl,discard,luks,initramfs
 crypt_dev_ata-TOSHIBA_MD04ACA500_84R2K773FS9A-part1 /dev/disk/by-id/ata-TOSHIBA_MD04ACA500_84R2K773FS9A-part1  none  keyscript=decrypt_keyctl,discard,luks,initramfs
 crypt_dev_ata-ST6000DM001-1XY17Z_Z4D29EBL-part1 /dev/disk/by-id/ata-ST6000DM001-1XY17Z_Z4D29EBL-part1  none  keyscript=decrypt_keyctl,discard,luks,initramfs
 EOF
     cat >> /tmp/fai/fstab <<EOF
-# r7 = root partition7
-/dev/mapper/crypt_dev_ata-Samsung_SSD_870_QVO_8TB_S5VUNG0N900656V-part7  /mnt/r7  btrfs  nofail,x-systemd.device-timeout=30s,x-systemd.mount-timeout=30s,noatime,compress=zstd,subvolid=0  0 0
-/dev/mapper/crypt_dev_ata-TOSHIBA_MD04ACA500_84R2K773FS9A-part1  /mnt/rust1  btrfs  nofail,x-systemd.device-timeout=30s,x-systemd.mount-timeout=30s,noatime,compress=zstd,subvolid=0  0 0
-/dev/mapper/crypt_dev_ata-ST6000DM001-1XY17Z_Z4D29EBL-part1  /mnt/rust2  btrfs  nofail,x-systemd.device-timeout=30s,x-systemd.mount-timeout=30s,noatime,compress=zstd,subvolid=0  0 0
+# r7 = root partition7. it isnt actually #7 anymore, not a great name, but whatever
+/dev/mapper/crypt_dev_ata-Samsung_SSD_870_QVO_8TB_S5VUNG0N900656V-part${even_bign}  /mnt/r7  btrfs  nofail,$fstabstd,noatime,compress=zstd,subvolid=0  0 0
+/dev/mapper/crypt_dev_ata-TOSHIBA_MD04ACA500_84R2K773FS9A-part1  /mnt/rust1  btrfs  nofail,$fstabstd,noatime,compress=zstd,subvolid=0  0 0
+/dev/mapper/crypt_dev_ata-ST6000DM001-1XY17Z_Z4D29EBL-part1  /mnt/rust2  btrfs  nofail,$fstabstd,noatime,compress=zstd,subvolid=0  0 0
 EOF
   fi
 
diff --git a/fai/config/package_config/STANDARD b/fai/config/package_config/STANDARD
index 12ef2b0..00376cb 100644
--- a/fai/config/package_config/STANDARD
+++ b/fai/config/package_config/STANDARD
@@ -66,6 +66,8 @@ iso-codes
 cryptsetup-initramfs
 # https://wiki.debian.org/UsrMerge
 usrmerge
+# for btrbk
+zstd
 
 # iank, copied from DEBIAN so it goes into ubuntu too
 PACKAGES install GRUB_PC
diff --git a/faiserver-setup b/faiserver-setup
index b6d36d0..42ecb3b 100755
--- a/faiserver-setup
+++ b/faiserver-setup
@@ -131,7 +131,7 @@ fi
 # kernel, or the ability to install it.
 # xorriso is for running fai-cd -a, not strictly need for fai-server
 # perl-tk is for fai-monitor-gui
-pkgs=(fai-doc tftpd-hpa tar reprepro squashfs-tools binutils xorriso)
+pkgs=(fai-doc tftpd-hpa tar reprepro squashfs-tools binutils xorriso perl-tk)
 if modprobe nfsd &>/dev/null; then
   pkgs+=(nfs-kernel-server)
 else
@@ -295,7 +295,10 @@ EOF
 fi
 
 rm -f /srv/fai/nfsroot/root/.ssh/known_hosts
-key=$(ssh-keyscan localhost |& grep -o "ecdsa-sha2-nistp256.*")
+if [[ $HOSTNAME == kd ]]; then
+  keyscan_arg="-p 8989"
+  fi
+key=$(ssh-keyscan $keyscan_arg localhost |& grep -o "ecdsa-sha2-nistp256.*")
 for ip in faiserver $(ip addr show up| grep -w '^ *inet' | awk '{print $2}'| cut -d / -f 1 | grep -vF 127.0.0.1); do
   echo "$ip $key" >>/srv/fai/nfsroot/root/.ssh/known_hosts
 done
diff --git a/wrt-setup-local b/wrt-setup-local
index d900897..3388952 100755
--- a/wrt-setup-local
+++ b/wrt-setup-local
@@ -594,7 +594,7 @@ config rule
  option dest_port        22
 
 config redirect
- option name sshtp
+ option name sshkd
  option src              wan
  option src_dport        2202
  option dest_port        22
@@ -605,6 +605,20 @@ config rule
  option target           ACCEPT
  option dest_port        2202
 
+
+config redirect
+ option name sshkdalt
+ option src              wan
+ option src_dport        8989
+ option dest_port        8989
+ option dest_ip          $l.2
+ option dest             lan
+config rule
+ option src              wan
+ option target           ACCEPT
+ option dest_port        8989
+
+
 config redirect
  option name sshx2
  option src              wan
@@ -1042,6 +1056,7 @@ dhcp-host=80:fa:5b:1c:6e:cf,set:amy,$l.8,amy
 # and copying the generated mac, so it should be randomish.
 dhcp-host=52:54:00:9c:ef:ad,set:demohost,$l.12,demohost
 dhcp-host=62:03:cb:a8:3e:a3,set:trp,$1.13,trp
+#dhcp-host=62:03:cb:a8:3e:a3,set:onep9,$1.14,onep9
 dhcp-host=00:1f:16:14:01:d8,set:x3,$l.18,x3
 # BRN001BA98CA823 in dhcp logs
 dhcp-host=00:1b:a9:8c:a8:23,set:brother,$l.19,brother
-- 
2.30.2