er, don\'t know?

2024-12-03 19:30:52 +00:00 · 2024-12-03 19:30:52 +00:00 · d7d2fb361a
commit d7d2fb361a
parent 1f7d6544e3
6 changed files with 164 additions and 27 deletions
--- a/devices/gl-ar750/default.nix
+++ b/devices/gl-ar750/default.nix
@ -114,12 +114,27 @@
          eraseBlockSize = 65536;
        };
        rootDevice = "/dev/mtdblock5";
-        dts = {
-          src = "${openwrt.src}/target/linux/ath79/dts/qca9531_glinet_gl-ar750.dts";
-          includes =  [
-            "${openwrt.src}/target/linux/ath79/dts"
-          ];
-        };
+        dts =
+          let
+            upstream = {
+              src = "${openwrt.src}/target/linux/ath79/dts/qca9531_glinet_gl-ar750.dts";
+              includes =  [
+                "${openwrt.src}/target/linux/ath79/dts"
+              ];
+            };
+            cppDtSearchFlags = builtins.concatStringsSep " " (map (f: "-I${f}") upstream.includes);
+            dtcSearchFlags = builtins.concatStringsSep " " (map (f: "-i${f}") upstream.includes);
+
+            patched = pkgs.runCommand "patch-dts" {
+              nativeBuildInputs = with pkgs.pkgsBuildBuild; [pkgs.stdenv.cc dtc ];
+            }
+              ''
+                echo patching dts
+                ${pkgs.stdenv.cc.targetPrefix}cpp -nostdinc -x assembler-with-cpp ${cppDtSearchFlags} -undef -D__DTS__  -o dts.tmp ${upstream.src}
+                dtc -I dts ${dtcSearchFlags} -o $out -O dts dts.tmp
+              '';
+          in upstream // { src = patched; };
+

        networkInterfaces =
          let inherit (config.system.service.network) link;
--- a/examples/hello-from-qemu.nix
+++ b/examples/hello-from-qemu.nix
@ -1,12 +1,14 @@
-{ config, pkgs, ... } :
+{ config, pkgs, lib, ... } :
 let
  svc = config.system.service;
+  inherit (pkgs.liminix.services) longrun oneshot ;

 in rec {
  imports = [
    ../modules/network
    ../modules/dnsmasq
    ../modules/ssh
+    ../modules/tls-certificate
  ];

  hostname = "hello";
@ -17,8 +19,51 @@ in rec {
    family = "inet"; address ="10.3.0.1"; prefixLength = 16;
  };

+  filesystem =
+    let inherit (pkgs.pseudofile) file dir symlink;
+    in dir {
+      etc = dir {
+        hosts =  {
+          type = "f";
+          file = "127.0.0.1 localhost\n10.0.2.2 loaclhost.telent.net\n";
+          mode = "0444";
+        };
+      };
+    };
+
  services.sshd = svc.ssh.build { };

+  services.lan-address-for-secrets =
+    svc.network.address.build {
+      interface = config.hardware.networkInterfaces.lan;
+      family = "inet"; address ="10.0.2.15"; prefixLength = 24;
+    };
+
+  # services.client-cert = svc.tls-certificate.certifix-client.build {
+  #   caCertificate = builtins.readFile /var/lib/certifix/certs/ca.crt;
+  #   subject = "C=GB,ST=London,O=Telent,OU=devices,CN=${config.hostname}";
+  #   secret = builtins.readFile ../challengePassword;
+  #   serviceUrl = "https://loaclhost.telent.net:19613/sign";
+  # };
+
+  # logging.shipping = {
+  #   enable = true;
+  #   service = longrun {
+  #     name = "ship-logs";
+  #     dependencies = [ config.services.client-cert ];
+  #     run =
+  #       let path = lib.makeBinPath (with pkgs; [ s6-networking s6 ]);
+  #       in ''
+  #         PATH=${path}:$PATH \
+  #         CAFILE=${/var/lib/certifix/certs/ca.crt} \
+  #         KEYFILE=$(output_path ${services.client-cert} key) \
+  #         CERTFILE=$(output_path ${services.client-cert} cert) \
+  #         s6-tlsclient -k loaclhost.telent.net -h -y loaclhost.telent.net 19612 \
+  #         fdmove -c 1 7 cat
+  #       '';
+  #   };
+  # };
+
  users.root = {
    # the password is "secret". Use mkpasswd -m sha512crypt to
    # create this hashed password string
@ -38,6 +83,6 @@ in rec {
    };

  defaultProfile.packages = with pkgs; [
-    figlet
+    figlet openssl
  ];
 }
--- a/examples/rotuer.nix
+++ b/examples/rotuer.nix
@ -16,11 +16,11 @@ let
    inherit (secrets) wpa_passphrase;
    wmm_enabled = 1;
  };
-
+  inherit (pkgs.liminix.services) longrun;
 in rec {
  boot = {
    tftp = {
-      freeSpaceBytes = 3 * 1024 * 1024;
+      freeSpaceBytes = 2 * 1024 * 1024;
      serverip = "10.0.0.1";
      ipaddr = "10.0.0.8";
    };
@ -28,8 +28,24 @@ in rec {

  imports = [
    "${modulesPath}/profiles/gateway.nix"
+    "${modulesPath}/tls-certificate"
  ];
+
  hostname = "rotuer";
+#  rootfsType = "jffs2";
+
+  filesystem =
+    let inherit (pkgs.pseudofile) file dir symlink;
+    in dir {
+      mnt = dir {};
+      etc = dir {
+        hosts = {
+          type = "f";
+          file = "127.0.0.1 localhost\n10.0.0.1 loaclhost.telent.net\n";
+          mode = "0444";
+        };
+      };
+    };

  profile.gateway = {
    lan = {
@ -106,9 +122,11 @@ in rec {
  defaultProfile.packages = with pkgs; [
    min-collect-garbage
    nftables
-    strace
-    tcpdump
+    # strace
+    # tcpdump
    s6
+    dtc
+    # certifix-client
  ];

  programs.busybox = {
@ -119,4 +137,47 @@ in rec {
      FEATURE_FANCY_TAIL = "y";
    };
  };
+
+  services.wan-address-for-secrets =
+    let
+      interface = config.hardware.networkInterfaces.wan;
+      addr =
+        svc.network.address.build {
+          inherit interface;
+          family = "inet"; address ="10.0.0.10"; prefixLength = 24;
+        };
+    in svc.network.route.build {
+      target = "10.0.0.1";
+      inherit interface;
+      via = "10.0.0.10";
+      metric = 1;
+      dependencies = [ addr ];
+    };
+
+  # services.client-cert = svc.tls-certificate.certifix-client.build {
+  #   caCertificate = builtins.readFile /var/lib/certifix/certs/ca.crt;
+  #   subject = "C=GB,ST=London,O=Telent,OU=devices,CN=${config.hostname}";
+  #   secret = builtins.readFile ../challengePassword;
+  #   serviceUrl = "https://loaclhost.telent.net:19613/sign";
+  #   dependencies = [ services.wan-address-for-secrets ];
+  # };
+
+  logging.pstore = true;
+  logging.shipping = {
+    enable = false;
+    service = longrun {
+      name = "ship-logs";
+      dependencies = [ config.services.client-cert ];
+      run =
+        let path = lib.makeBinPath (with pkgs; [ s6-networking s6 ]);
+        in ''
+          PATH=${path}:$PATH \
+          CAFILE=${/var/lib/certifix/certs/ca.crt} \
+          KEYFILE=$(output_path ${services.client-cert} key) \
+          CERTFILE=$(output_path ${services.client-cert} cert) \
+          s6-tlsclient -k loaclhost.telent.net -h -y loaclhost.telent.net 19612 \
+          fdmove -c 1 7 cat
+        '';
+    };
+  };
 }
--- a/modules/ppp/common.nix
+++ b/modules/ppp/common.nix
@ -24,17 +24,21 @@ let
    echo $4 > address
    echo $5 > peer-address
    set +o nounset
+    set +o errexit
    if test -n "''${DNS1}" ;then echo ''${DNS1} > ns1 ; fi
    if test -n "''${DNS2}" ;then echo ''${DNS2} > ns2 ; fi
-    test -e ipv6-address && echo >/proc/self/fd/10
+    set +o pipefail
+    ls -l /proc/self/fd
+    echo >/proc/self/fd/10
  '';
  ip6-up = writeAshScript "ip6-up" {} ''
    exec >&5 2>&5
    . ${serviceFns} 
    in_outputs ${name}
+    set +o nounset
+    set +o errexit
    echo $4 > ipv6-address
    echo $5 > ipv6-peer-address
-    test -e ifname && echo >/proc/self/fd/10
  '';
  literal_or_output =
    let v = o: ({
@ -73,7 +77,7 @@ let
      chmod 0700 /run/${name}
      in_outputs ${name}
      echo ${escapeShellArgs ppp-options'} | ${output-template}/bin/output-template '{{' '}}' > /run/${name}/ppp-options
-      fdmove -c 5 2 \
+      exec fdmove -c 5 2 \
      ${command}
    '';
    notification-fd = 10;
--- a/modules/ppp/pppoe.nix
+++ b/modules/ppp/pppoe.nix
@ -24,7 +24,7 @@ let
 in common {
  inherit name debug username password lcpEcho ppp-options;
  command = ''
-    exec ${ppp}/bin/pppd pty "${pppoe}/bin/pppoe ${timeoutOpt}  -I $(output ${interface} ifname)" file /run/${name}/ppp-options
+    ${ppp}/bin/pppd pty "${pppoe}/bin/pppoe ${timeoutOpt}  -I $(output ${interface} ifname)" file /run/${name}/ppp-options
  '';
  dependencies = [ interface ];
 }
--- a/modules/s6/default.nix
+++ b/modules/s6/default.nix
@ -107,17 +107,22 @@ let
      };
      notification-fd = { file = "3"; };
      run = {
-        file = ''
-              #!${execline}/bin/execlineb -P
-              ${execline}/bin/redirfd -w 1 /dev/null
-              ${execline}/bin/redirfd -rnb 0 fifo
-              ${if cfg.shipping.enable then ''
-                pipeline { ${s6}/bin/s6-log -bpd3 -- ${cfg.script} 1 }
-                pipeline { ${pkgs.logshipper}/bin/logtap ${cfg.shipping.socket} logshipper-socket-event }
-                ${s6}/bin/s6-log -- ${cfg.directory}
-              '' else ''
-                ${s6}/bin/s6-log -bpd3 -- ${cfg.script} ${cfg.directory}
-              ''}
+        file =
+          let pstore = if cfg.pstore then "pipeline { tee /dev/pmsg0 }" else "";
+          in ''
+            #!${execline}/bin/execlineb -P
+            ${execline}/bin/redirfd -w 1 /dev/null
+            ${execline}/bin/redirfd -rnb 0 fifo
+            ${if cfg.shipping.enable then ''
+              pipeline { ${s6}/bin/s6-log -bpd3 -- ${cfg.script} 1 }
+              pipeline { ${pkgs.logshipper}/bin/logtap ${cfg.shipping.socket} logshipper-socket-event }
+              ${pstore}
+              ${s6}/bin/s6-log -- ${cfg.directory}
+            '' else ''
+              pipeline { ${s6}/bin/s6-log -bpd3 -- ${cfg.script} 1 }
+              ${pstore}
+              ${s6}/bin/s6-log --  ${cfg.directory}
+            ''}
          '';
        mode = "0755";
      };
@ -212,6 +217,7 @@ let
 in {
  options = {
    logging = {
+      pstore = mkEnableOption "system logs in pstore for retention after reboot";
      shipping = {
        enable = mkEnableOption "unix socket for log shipping";
        socket = mkOption {
@ -263,6 +269,12 @@ in {
    )];

  config = {
+    kernel.config = mkIf cfg.pstore {
+      PSTORE = "y";
+      PSTORE_PMSG = "y";
+    };
+    programs.busybox.applets =  mkIf cfg.pstore [ "tee" ];
+    
    filesystem = dir {
      etc = dir {
        s6-rc = dir {