Wifi dongles and documentation fixes

.github/workflows/release.yml

@@ -104,11 +104,7 @@ jobs:
 
       - name: Extract ChangeLog entry ...
         run: |
-          awk '/^-----*$/{if (x == 1) exit; x=1;next}x' doc/ChangeLog.md \
-              |head -n -1 > release.md
-          echo "" >> release.md
-          echo "> [!TIP]" >> release.md
-          echo "> **Try Infix in GNS3!** Download the appliance from the [GNS3 Marketplace](https://gns3.com/marketplace/appliances/infix) to test Infix in a virtual network environment without hardware." >> release.md
+          cat doc/ChangeLog.md | ./utils/extract-changelog.sh > release.md
           cat release.md
 
       - uses: ncipollo/release-action@v1

README.md

@@ -16,10 +16,12 @@ if something goes wrong.  Deploy once, trust forever.
 
 **🤝 Friendly**  
 Actually easy to use. Auto-generated CLI from standard YANG models comes
-with built-in help for every command — just hit `?` or TAB for
-context-aware assistance.  Familiar NETCONF/RESTCONF APIs and
-[comprehensive documentation][4] mean you're never stuck.  Whether
-you're learning networking or managing enterprise infrastructure.
+with built-in help for every command — just hit <kbd>?</kbd> or
+<kbd>TAB</kbd> for context-aware assistance.
+
+Familiar NETCONF & RESTCONF APIs and [comprehensive documentation][4]
+mean you're never stuck.  Whether you're learning networking or managing
+enterprise infrastructure.
 
 **🛡️ Secure**  
 Built with security as a foundation, not an afterthought.  Minimal
@@ -53,27 +55,24 @@ your device, your rules.
    Consistent tooling from development to production deployment.  
    How about a digital twin using raw Qemu or [GNS3](https://gns3.com/infix)!
 
-## See It In Action
+## Quick Example
 
 Configure an interface in seconds - the CLI guides you with built-in help:
 
-<details><summary><b>Click Here for an example CLI Session</b></summary>
-
-```bash
-admin@infix-12-34-56:/> configure
-admin@infix-12-34-56:/config/> edit interface eth0
-admin@infix-12-34-56:/config/interface/eth0/> set ipv4 <TAB>
-      address     autoconf bind-ni-name      enabled
-      forwarding  mtu      neighbor
-admin@infix-12-34-56:/config/interface/eth0/> set ipv4 address 192.168.2.200 prefix-length 24
-admin@infix-12-34-56:/config/interface/eth0/> show
+<pre><code>admin@infix-12-34-56:/> <b>configure</b>
+admin@infix-12-34-56:/config/> <b>edit interface eth0</b>
+admin@infix-12-34-56:/config/interface/eth0/> <b>set ipv4</b> <kbd>TAB</kbd>
+      address     autoconf      bind-ni-name     dhcp 
+      enabled     forwarding    mtu              neighbor
+admin@infix-12-34-56:/config/interface/eth0/> <b>set ipv4 address 192.168.2.200 prefix-length 24</b>
+admin@infix-12-34-56:/config/interface/eth0/> <b>show</b>
 type ethernet;
 ipv4 {
   address 192.168.2.200 {
     prefix-length 24;
   }
 }
-admin@infix-12-34-56:/config/interface/eth0/> diff
+admin@infix-12-34-56:/config/interface/eth0/> <b>diff</b>
 interfaces {
   interface eth0 {
 +    ipv4 {
@@ -83,25 +82,23 @@ interfaces {
 +    }
   }
 }
-admin@infix-12-34-56:/config/interface/eth0/> leave
-admin@infix-12-34-56:/> show interfaces
-INTERFACE       PROTOCOL   STATE       DATA
+admin@infix-12-34-56:/config/interface/eth0/> <b>leave</b>
+admin@infix-12-34-56:/> <b>show interfaces</b>
+<u>INTERFACE       PROTOCOL   STATE       DATA                                  </u>
 eth0            ethernet   UP          52:54:00:12:34:56
                 ipv4                   192.168.2.200/24 (static)
                 ipv6                   fe80::5054:ff:fe12:3456/64 (link-layer)
 lo              ethernet   UP          00:00:00:00:00:00
                 ipv4                   127.0.0.1/8 (static)
                 ipv6                   ::1/128 (static)
-admin@infix-12-34-56:/> copy running-config startup-config
-```
-
-Notice how TAB completion shows available options, `show` displays
-current config, and `diff` shows exactly what changed before you
-commit your changes with the `leave` command.
+admin@infix-12-34-56:/> <b>copy running startup</b>
+</code></pre>
 
-</details>
+Notice how <kbd>TAB</kbd> completion shows available options, `show`
+displays current config, and `diff` shows exactly what changed before
+you commit your changes with the `leave` command.
 
-> [Full CLI documentation →][3]
+For more information, see [CLI documentation][3].
 
 ## Get Started
 
@@ -111,7 +108,7 @@ containers for any custom functionality you need.
 
 ### Supported Platforms
 
-- **Raspberry Pi 4B** - Perfect for home labs, learning, and prototyping
+- **Raspberry Pi 2B/3B/4B/CM4** - Perfect for home labs, learning, and prototyping
 - **Banana Pi-R3** - Your next home router and gateway
 - **NanoPi R2S** - Compact dual-port router in a tiny package
 - **x86_64** - Run in VMs or on mini PCs for development and testing

board/README.md

@@ -0,0 +1,18 @@
+Board Support
+=============
+
+The board support for an architecture always starts with Qemu support,
+this is what each `linux_defconfig` at the very least sets up.  Then
+each `$BR2_ARCH` has additional BSPs, e.g., Banana Pi BPI-R3.
+
+The `board/` directory is matched with the `configs/*_defconfigs` and
+the only execption is `board/common/`, which holds all shared files for
+Infix builds.
+
+Each `board/$BR2_ARCH/` can then have vendor/product sub-directories
+for the BSPs which may contain "fixups" to the base kernel config and
+any additional device tree files that should be included as well.
+
+To rebuild a board-specific package, e.g. NanoPi R2S:
+
+    make friendlyarm-nanopi-r2s-rebuild all

board/aarch32/linux_defconfig

@@ -353,6 +353,7 @@ CONFIG_SND_SOC=y
 CONFIG_SND_BCM2835_SOC_I2S=y
 CONFIG_HID_GENERIC=m
 CONFIG_USB=y
+CONFIG_USB_ANNOUNCE_NEW_DEVICES=y
 CONFIG_USB_OTG=y
 CONFIG_USB_STORAGE=y
 CONFIG_USB_DWC2=y

board/aarch32/raspberrypi-rpi2/rootfs/usr/share/product/raspberrypi,2-model-b/etc/factory-config.cfg

@@ -88,13 +88,24 @@
   },
   "ietf-netconf-acm:nacm": {
     "enable-nacm": true,
+    "read-default": "permit",
+    "write-default": "permit",
+    "exec-default": "permit",
     "groups": {
       "group": [
         {
           "name": "admin",
           "user-name": [
             "admin"
           ]
+        },
+        {
+          "name": "operator",
+          "user-name": []
+        },
+        {
+          "name": "guest",
+          "user-name": []
         }
       ]
     },
@@ -114,18 +125,63 @@
           }
         ]
       },
+      {
+        "name": "operator-acl",
+        "group": [
+          "operator"
+        ],
+        "rule": [
+          {
+            "name": "permit-system-rpcs",
+            "module-name": "ietf-system",
+            "rpc-name": "*",
+            "access-operations": "exec",
+            "action": "permit",
+            "comment": "Operators can reboot, shutdown, and set system time."
+          }
+        ]
+      },
+      {
+        "name": "guest-acl",
+        "group": [
+          "guest"
+        ],
+        "rule": [
+          {
+            "name": "deny-all-write+exec",
+            "module-name": "*",
+            "access-operations": "create update delete exec",
+            "action": "deny",
+            "comment": "Guests cannot change anything or exec rpcs."
+          }
+        ]
+      },
       {
         "name": "default-deny-all",
         "group": [
           "*"
         ],
         "rule": [
           {
-            "name": "deny-password-read",
-            "module-name": "ietf-system",
+            "name": "deny-password-access",
             "path": "/ietf-system:system/authentication/user/password",
             "access-operations": "*",
-            "action": "deny"
+            "action": "deny",
+            "comment": "No user except admins can access password hashes."
+          },
+          {
+            "name": "deny-keystore-access",
+            "module-name": "ietf-keystore",
+            "access-operations": "*",
+            "action": "deny",
+            "comment": "No user except admins can access cryptographic keys."
+          },
+          {
+            "name": "deny-truststore-access",
+            "module-name": "ietf-truststore",
+            "access-operations": "*",
+            "action": "deny",
+            "comment": "No user except admins can access trust store."
           }
         ]
       }

board/aarch64/bananapi-bpi-r3/rootfs/usr/share/product/bananapi,bpi-r3/etc/factory-config.cfg

@@ -226,13 +226,24 @@
   },
   "ietf-netconf-acm:nacm": {
     "enable-nacm": true,
+    "read-default": "permit",
+    "write-default": "permit",
+    "exec-default": "permit",
     "groups": {
       "group": [
         {
           "name": "admin",
           "user-name": [
             "admin"
           ]
+        },
+        {
+          "name": "operator",
+          "user-name": []
+        },
+        {
+          "name": "guest",
+          "user-name": []
         }
       ]
     },
@@ -252,18 +263,63 @@
           }
         ]
       },
+      {
+        "name": "operator-acl",
+        "group": [
+          "operator"
+        ],
+        "rule": [
+          {
+            "name": "permit-system-rpcs",
+            "module-name": "ietf-system",
+            "rpc-name": "*",
+            "access-operations": "exec",
+            "action": "permit",
+            "comment": "Operators can reboot, shutdown, and set system time."
+          }
+        ]
+      },
+      {
+        "name": "guest-acl",
+        "group": [
+          "guest"
+        ],
+        "rule": [
+          {
+            "name": "deny-all-write+exec",
+            "module-name": "*",
+            "access-operations": "create update delete exec",
+            "action": "deny",
+            "comment": "Guests cannot change anything or exec rpcs."
+          }
+        ]
+      },
       {
         "name": "default-deny-all",
         "group": [
           "*"
         ],
         "rule": [
           {
-            "name": "deny-password-read",
-            "module-name": "ietf-system",
+            "name": "deny-password-access",
             "path": "/ietf-system:system/authentication/user/password",
             "access-operations": "*",
-            "action": "deny"
+            "action": "deny",
+            "comment": "No user except admins can access password hashes."
+          },
+          {
+            "name": "deny-keystore-access",
+            "module-name": "ietf-keystore",
+            "access-operations": "*",
+            "action": "deny",
+            "comment": "No user except admins can access cryptographic keys."
+          },
+          {
+            "name": "deny-truststore-access",
+            "module-name": "ietf-truststore",
+            "access-operations": "*",
+            "action": "deny",
+            "comment": "No user except admins can access trust store."
           }
         ]
       }