From 3c1d6d2fd0306033ac80390b2b9aabb84734190f Mon Sep 17 00:00:00 2001
From: CyberMind-FR
Date: Tue, 3 Feb 2026 08:06:54 +0100
Subject: [PATCH] feat(lyrion): Add WAN access checkbox for firewall rules
Add wan_access UCI option and LuCI checkbox to optionally open Lyrion ports (9000, 9090, 3483 TCP+UDP) on the WAN interface. WAN rules are automatically removed when the option is disabled.
Co-Authored-By: Claude Opus 4.5
---
 .../resources/view/lyrion/settings.js | 5 ++
 .../files/etc/config/lyrion | 1 +
 .../files/usr/sbin/lyrionctl | 73 ++++++++++++++++++-
 3 files changed, 78 insertions(+), 1 deletion(-)
diff --git a/package/secubox/luci-app-lyrion/htdocs/luci-static/resources/view/lyrion/settings.js b/package/secubox/luci-app-lyrion/htdocs/luci-static/resources/view/lyrion/settings.js
index 2c06782a..344a2bf4 100644
--- a/package/secubox/luci-app-lyrion/htdocs/luci-static/resources/view/lyrion/settings.js
+++ b/package/secubox/luci-app-lyrion/htdocs/luci-static/resources/view/lyrion/settings.js
@@ -56,6 +56,11 @@ return view.extend({
 o.default = 'UTC';
 o.placeholder = 'UTC';
+ o = s.option(form.Flag, 'wan_access', _('WAN Access'),
+ _('Also open Lyrion ports on the WAN interface (remote access)'));
+ o.default = '0';
+ o.rmempty = false;
+
 o = s.option(form.Value, 'image', _('Docker Image'),
 _('Docker image to use (only for Docker runtime)'));
 o.default = 'ghcr.io/lms-community/lyrionmusicserver:stable';
diff --git a/package/secubox/secubox-app-lyrion/files/etc/config/lyrion b/package/secubox/secubox-app-lyrion/files/etc/config/lyrion
index 3e127423..b52181bc 100644
--- a/package/secubox/secubox-app-lyrion/files/etc/config/lyrion
+++ b/package/secubox/secubox-app-lyrion/files/etc/config/lyrion
@@ -7,3 +7,4 @@ config lyrion 'main'
 option port '9000'
 option timezone 'UTC'
 option memory_limit '256M'
+ option wan_access '0'
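Review bot: The help text on the new `wan_access` flag in settings.js says only "remote access" and does not tell the administrator which ports the checkbox opens, or that the rules accept traffic from any source in the WAN zone. Per the commit description these are 9000, 9090 and 3483 TCP+UDP, which includes the Lyrion CLI port; unless password protection has been configured in Lyrion itself, those services would presumably be reachable without authentication. I would spell this out in the description, e.g. `_('Open the Lyrion web UI, CLI (9090) and Slim protocol (3483 TCP/UDP) ports to the WAN zone. Enable only if Lyrion access is password-protected or WAN traffic is otherwise restricted.')`. The rest of the `view.extend` body lies outside the hunk.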
diff --git a/package/secubox/secubox-app-lyrion/files/usr/sbin/lyrionctl b/package/secubox/secubox-app-lyrion/files/usr/sbin/lyrionctl
index 5c59a5ad..c4db9e0b 100755
--- a/package/secubox/secubox-app-lyrion/files/usr/sbin/lyrionctl
+++ b/package/secubox/secubox-app-lyrion/files/usr/sbin/lyrionctl
@@ -56,6 +56,7 @@ load_config() {
 timezone="$(uci_get timezone || cat /etc/TZ 2>/dev/null || echo UTC)"
 memory_limit="$(uci_get memory_limit || echo 256M)"
 lxc_rootfs_url="$(uci_get lxc_rootfs_url || echo '')"
+ wan_access="$(uci_get wan_access || echo 0)"
 }
 ensure_dir() { [ -d "$1" ] || mkdir -p "$1"; }
@@ -116,10 +117,80 @@ firewall_ensure_rules() {
 changed=1
 fi
+ # WAN rules (optional, controlled by wan_access UCI option)
+ if [ "$wan_access" = "1" ]; then
+ # Lyrion Web UI on WAN
+ if ! uci show firewall 2>/dev/null | grep -q "Lyrion-WAN-Web"; then
+ log_info "Creating WAN firewall rule for Lyrion Web UI (TCP $port)..."
+ uci add firewall rule
+ uci set firewall.@rule[-1].name='Lyrion-WAN-Web'
+ uci set firewall.@rule[-1].src='wan'
+ uci set firewall.@rule[-1].dest_port="$port"
+ uci set firewall.@rule[-1].proto='tcp'
+ uci set firewall.@rule[-1].target='ACCEPT'
+ uci set firewall.@rule[-1].enabled='1'
+ changed=1
+ fi
+
+ # Lyrion CLI on WAN
+ if ! uci show firewall 2>/dev/null | grep -q "Lyrion-WAN-CLI"; then
+ log_info "Creating WAN firewall rule for Lyrion CLI (TCP 9090)..."
+ uci add firewall rule
+ uci set firewall.@rule[-1].name='Lyrion-WAN-CLI'
+ uci set firewall.@rule[-1].src='wan'
+ uci set firewall.@rule[-1].dest_port='9090'
+ uci set firewall.@rule[-1].proto='tcp'
+ uci set firewall.@rule[-1].target='ACCEPT'
+ uci set firewall.@rule[-1].enabled='1'
+ changed=1
+ fi
+
+ # Slim Protocol TCP on WAN
+ if ! uci show firewall 2>/dev/null | grep -q "Lyrion-WAN-Slim-TCP"; then
+ log_info "Creating WAN firewall rule for Slim Protocol (TCP 3483)..."
+ uci add firewall rule
+ uci set firewall.@rule[-1].name='Lyrion-WAN-Slim-TCP'
+ uci set firewall.@rule[-1].src='wan'
+ uci set firewall.@rule[-1].dest_port='3483'
+ uci set firewall.@rule[-1].proto='tcp'
+ uci set firewall.@rule[-1].target='ACCEPT'
+ uci set firewall.@rule[-1].enabled='1'
+ changed=1
+ fi
+
+ # Slim Protocol UDP on WAN
+ if ! uci show firewall 2>/dev/null | grep -q "Lyrion-WAN-Slim-UDP"; then
+ log_info "Creating WAN firewall rule for Slim Discovery (UDP 3483)..."
+ uci add firewall rule
+ uci set firewall.@rule[-1].name='Lyrion-WAN-Slim-UDP'
+ uci set firewall.@rule[-1].src='wan'
+ uci set firewall.@rule[-1].dest_port='3483'
+ uci set firewall.@rule[-1].proto='udp'
+ uci set firewall.@rule[-1].target='ACCEPT'
+ uci set firewall.@rule[-1].enabled='1'
+ changed=1
+ fi
+ else
+ # Remove WAN rules if wan_access is disabled
+ local i=0
+ while uci -q get firewall.@rule[$i] >/dev/null 2>&1; do
+ local name=$(uci -q get firewall.@rule[$i].name)
+ case "$name" in
+ Lyrion-WAN-*)
+ uci delete "firewall.@rule[$i]"
+ changed=1
+ # Don't increment - array shifted after delete
+ continue
+ ;;
+ esac
+ i=$((i + 1))
+ done
+ fi
+
 if [ "$changed" = "1" ]; then
 uci commit firewall
 /etc/init.d/firewall reload 2>/dev/null || true
- log_info "Firewall rules updated - Lyrion ports open on LAN"
+ log_info "Firewall rules updated - Lyrion ports open on LAN${wan_access:+/WAN}"
 fi
 }
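Review bot: The new log line at the end of the hunk uses `${wan_access:+/WAN}`, which expands whenever `wan_access` is non-empty; load_config defaults it to `0`, so the message reports "LAN/WAN" even on the run that has just removed the WAN rules. For a setting that controls internet exposure the log should state the real outcome, e.g. `[ "$wan_access" = "1" ] && scope="LAN/WAN" || scope="LAN"` followed by `log_info "Firewall rules updated - Lyrion ports open on $scope"`. Separately, `Lyrion-WAN-Web` is only created when no rule of that name exists, so a later change of `port` leaves the WAN rule accepting the old port. All four ACCEPT rules match any source address in the `wan` zone, and an optional source restriction would narrow that. firewall_ensure_rules begins before this hunk.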