
er, don't know?

This commit is contained in:
Daniel Barlow 2024-12-03 19:30:52 +00:00
parent 1f7d6544e3
commit d7d2fb361a
6 changed files with 164 additions and 27 deletions


@ -114,12 +114,27 @@
eraseBlockSize = 65536;
};
rootDevice = "/dev/mtdblock5";
dts = {
src = "${openwrt.src}/target/linux/ath79/dts/qca9531_glinet_gl-ar750.dts";
includes = [
"${openwrt.src}/target/linux/ath79/dts"
];
};
dts =
let
upstream = {
src = "${openwrt.src}/target/linux/ath79/dts/qca9531_glinet_gl-ar750.dts";
includes = [
"${openwrt.src}/target/linux/ath79/dts"
];
};
cppDtSearchFlags = builtins.concatStringsSep " " (map (f: "-I${f}") upstream.includes);
dtcSearchFlags = builtins.concatStringsSep " " (map (f: "-i${f}") upstream.includes);
patched = pkgs.runCommand "patch-dts" {
nativeBuildInputs = with pkgs.pkgsBuildBuild; [pkgs.stdenv.cc dtc ];
}
''
echo patching dts
${pkgs.stdenv.cc.targetPrefix}cpp -nostdinc -x assembler-with-cpp ${cppDtSearchFlags} -undef -D__DTS__ -o dts.tmp ${upstream.src}
dtc -I dts ${dtcSearchFlags} -o $out -O dts dts.tmp
'';
in upstream // { src = patched; };
networkInterfaces =
let inherit (config.system.service.network) link;
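Review bot: The derivation named `patch-dts` does not patch anything: its script runs the upstream source through cpp and re-emits it with `dtc -I dts ... -O dts`, so a reader has to reverse-engineer the intent from the two command lines. A comment above `patched =` such as `# preprocess the upstream .dts with cpp and re-emit it via dtc so the result is one self-contained source with its includes resolved` would record that, and `echo patching dts` is build-log noise that can go. Because only `src` is replaced by `upstream // { src = patched; }`, the `includes` list is presumably redundant for whatever consumes the result; worth confirming rather than leaving both. The `networkInterfaces` definition that starts at the end of the hunk continues outside it.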


@ -1,12 +1,14 @@
{ config, pkgs, ... } :
{ config, pkgs, lib, ... } :
let
svc = config.system.service;
inherit (pkgs.liminix.services) longrun oneshot ;
in rec {
imports = [
../modules/network
../modules/dnsmasq
../modules/ssh
../modules/tls-certificate
];
hostname = "hello";
@ -17,8 +19,51 @@ in rec {
family = "inet"; address ="10.3.0.1"; prefixLength = 16;
};
filesystem =
let inherit (pkgs.pseudofile) file dir symlink;
in dir {
etc = dir {
hosts = {
type = "f";
file = "127.0.0.1 localhost\n10.0.2.2 loaclhost.telent.net\n";
mode = "0444";
};
};
};
services.sshd = svc.ssh.build { };
services.lan-address-for-secrets =
svc.network.address.build {
interface = config.hardware.networkInterfaces.lan;
family = "inet"; address ="10.0.2.15"; prefixLength = 24;
};
# services.client-cert = svc.tls-certificate.certifix-client.build {
# caCertificate = builtins.readFile /var/lib/certifix/certs/ca.crt;
# subject = "C=GB,ST=London,O=Telent,OU=devices,CN=${config.hostname}";
# secret = builtins.readFile ../challengePassword;
# serviceUrl = "https://loaclhost.telent.net:19613/sign";
# };
# logging.shipping = {
# enable = true;
# service = longrun {
# name = "ship-logs";
# dependencies = [ config.services.client-cert ];
# run =
# let path = lib.makeBinPath (with pkgs; [ s6-networking s6 ]);
# in ''
# PATH=${path}:$PATH \
# CAFILE=${/var/lib/certifix/certs/ca.crt} \
# KEYFILE=$(output_path ${services.client-cert} key) \
# CERTFILE=$(output_path ${services.client-cert} cert) \
# s6-tlsclient -k loaclhost.telent.net -h -y loaclhost.telent.net 19612 \
# fdmove -c 1 7 cat
# '';
# };
# };
users.root = {
# the password is "secret". Use mkpasswd -m sha512crypt to
# create this hashed password string
@ -38,6 +83,6 @@ in rec {
};
defaultProfile.packages = with pkgs; [
figlet
figlet openssl
];
}
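Review bot: The commented-out `services.client-cert` block reads the enrolment secret with `secret = builtins.readFile ../challengePassword;`, which pulls the password into Nix evaluation; if the certifix-client module interpolates it into a derivation it will end up in the world-readable store on the device, unlike the key and cert which the shipping service already fetches at runtime via `KEYFILE=$(output_path ...)`. Before this block is un-commented, the secret should be supplied the same runtime-file way. Two smaller points: `lib` is added to the module arguments but, as far as these hunks show, is only used inside the commented-out `logging.shipping` block; and the hosts entry `10.0.2.2 loaclhost.telent.net` spells the host the same way as the other files in this commit, so it looks deliberate and a short comment saying so would stop the next reader "fixing" it. The `in rec {` set these hunks live in opens outside the view.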


@ -16,11 +16,11 @@ let
inherit (secrets) wpa_passphrase;
wmm_enabled = 1;
};
inherit (pkgs.liminix.services) longrun;
in rec {
boot = {
tftp = {
freeSpaceBytes = 3 * 1024 * 1024;
freeSpaceBytes = 2 * 1024 * 1024;
serverip = "10.0.0.1";
ipaddr = "10.0.0.8";
};
@ -28,8 +28,24 @@ in rec {
imports = [
"${modulesPath}/profiles/gateway.nix"
"${modulesPath}/tls-certificate"
];
hostname = "rotuer";
# rootfsType = "jffs2";
filesystem =
let inherit (pkgs.pseudofile) file dir symlink;
in dir {
mnt = dir {};
etc = dir {
hosts = {
type = "f";
file = "127.0.0.1 localhost\n10.0.0.1 loaclhost.telent.net\n";
mode = "0444";
};
};
};
profile.gateway = {
lan = {
@ -106,9 +122,11 @@ in rec {
defaultProfile.packages = with pkgs; [
min-collect-garbage
nftables
strace
tcpdump
# strace
# tcpdump
s6
dtc
# certifix-client
];
programs.busybox = {
@ -119,4 +137,47 @@ in rec {
FEATURE_FANCY_TAIL = "y";
};
};
services.wan-address-for-secrets =
let
interface = config.hardware.networkInterfaces.wan;
addr =
svc.network.address.build {
inherit interface;
family = "inet"; address ="10.0.0.10"; prefixLength = 24;
};
in svc.network.route.build {
target = "10.0.0.1";
inherit interface;
via = "10.0.0.10";
metric = 1;
dependencies = [ addr ];
};
# services.client-cert = svc.tls-certificate.certifix-client.build {
# caCertificate = builtins.readFile /var/lib/certifix/certs/ca.crt;
# subject = "C=GB,ST=London,O=Telent,OU=devices,CN=${config.hostname}";
# secret = builtins.readFile ../challengePassword;
# serviceUrl = "https://loaclhost.telent.net:19613/sign";
# dependencies = [ services.wan-address-for-secrets ];
# };
logging.pstore = true;
logging.shipping = {
enable = false;
service = longrun {
name = "ship-logs";
dependencies = [ config.services.client-cert ];
run =
let path = lib.makeBinPath (with pkgs; [ s6-networking s6 ]);
in ''
PATH=${path}:$PATH \
CAFILE=${/var/lib/certifix/certs/ca.crt} \
KEYFILE=$(output_path ${services.client-cert} key) \
CERTFILE=$(output_path ${services.client-cert} cert) \
s6-tlsclient -k loaclhost.telent.net -h -y loaclhost.telent.net 19612 \
fdmove -c 1 7 cat
'';
};
};
}
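Review bot: `logging.shipping.service` depends on `config.services.client-cert` and interpolates `${services.client-cert}` twice, but the only definition of `services.client-cert` in this file is the commented-out block directly above it, so the reference is dangling; `enable = false` only avoids an evaluation error if the logging module never forces `service` when shipping is disabled, which cannot be seen from here. Either keep the client-cert service or comment out `shipping.service` together with it. Separately, `wan-address-for-secrets` builds a route to `10.0.0.1` with `via = "10.0.0.10"`, the address it has just assigned to the interface itself; if `via` is a next-hop gateway this looks like a slip for the upstream address, and if it is a source-address hint a comment such as `# via = our own address: direct on-link route, no gateway` would make that clear. The `in rec {` set opens outside this view.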


@ -24,17 +24,21 @@ let
echo $4 > address
echo $5 > peer-address
set +o nounset
set +o errexit
if test -n "''${DNS1}" ;then echo ''${DNS1} > ns1 ; fi
if test -n "''${DNS2}" ;then echo ''${DNS2} > ns2 ; fi
test -e ipv6-address && echo >/proc/self/fd/10
set +o pipefail
ls -l /proc/self/fd
echo >/proc/self/fd/10
'';
ip6-up = writeAshScript "ip6-up" {} ''
exec >&5 2>&5
. ${serviceFns}
in_outputs ${name}
set +o nounset
set +o errexit
echo $4 > ipv6-address
echo $5 > ipv6-peer-address
test -e ifname && echo >/proc/self/fd/10
'';
literal_or_output =
let v = o: ({
@ -73,7 +77,7 @@ let
chmod 0700 /run/${name}
in_outputs ${name}
echo ${escapeShellArgs ppp-options'} | ${output-template}/bin/output-template '{{' '}}' > /run/${name}/ppp-options
fdmove -c 5 2 \
exec fdmove -c 5 2 \
${command}
'';
notification-fd = 10;
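Review bot: `ls -l /proc/self/fd` in `ip-up` looks like leftover debugging: it dumps the fd table into the service log on every IP-up event and has no functional effect, so it should go before this is merged. The same hunk drops the `test -e ipv6-address &&` guard, so `echo >/proc/self/fd/10` now signals readiness on fd 10 as soon as IPv4 is up rather than only once both families are configured; if that is the intended semantics it deserves a comment such as `# notify s6 readiness on IPv4 up; IPv6 is optional`, and if not, the guard should come back. With `set +o errexit` and `set +o pipefail` both in force nothing after that point can fail the script, which is fine for a hook but worth stating. The `ip-up` script starts before this hunk.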


@ -24,7 +24,7 @@ let
in common {
inherit name debug username password lcpEcho ppp-options;
command = ''
exec ${ppp}/bin/pppd pty "${pppoe}/bin/pppoe ${timeoutOpt} -I $(output ${interface} ifname)" file /run/${name}/ppp-options
${ppp}/bin/pppd pty "${pppoe}/bin/pppoe ${timeoutOpt} -I $(output ${interface} ifname)" file /run/${name}/ppp-options
'';
dependencies = [ interface ];
}


@ -107,17 +107,22 @@ let
};
notification-fd = { file = "3"; };
run = {
file = ''
#!${execline}/bin/execlineb -P
${execline}/bin/redirfd -w 1 /dev/null
${execline}/bin/redirfd -rnb 0 fifo
${if cfg.shipping.enable then ''
pipeline { ${s6}/bin/s6-log -bpd3 -- ${cfg.script} 1 }
pipeline { ${pkgs.logshipper}/bin/logtap ${cfg.shipping.socket} logshipper-socket-event }
${s6}/bin/s6-log -- ${cfg.directory}
'' else ''
${s6}/bin/s6-log -bpd3 -- ${cfg.script} ${cfg.directory}
''}
file =
let pstore = if cfg.pstore then "pipeline { tee /dev/pmsg0 }" else "";
in ''
#!${execline}/bin/execlineb -P
${execline}/bin/redirfd -w 1 /dev/null
${execline}/bin/redirfd -rnb 0 fifo
${if cfg.shipping.enable then ''
pipeline { ${s6}/bin/s6-log -bpd3 -- ${cfg.script} 1 }
pipeline { ${pkgs.logshipper}/bin/logtap ${cfg.shipping.socket} logshipper-socket-event }
${pstore}
${s6}/bin/s6-log -- ${cfg.directory}
'' else ''
pipeline { ${s6}/bin/s6-log -bpd3 -- ${cfg.script} 1 }
${pstore}
${s6}/bin/s6-log -- ${cfg.directory}
''}
'';
mode = "0755";
};
@ -212,6 +217,7 @@ let
in {
options = {
logging = {
pstore = mkEnableOption "system logs in pstore for retention after reboot";
shipping = {
enable = mkEnableOption "unix socket for log shipping";
socket = mkOption {
@ -263,6 +269,12 @@ in {
)];
config = {
kernel.config = mkIf cfg.pstore {
PSTORE = "y";
PSTORE_PMSG = "y";
};
programs.busybox.applets = mkIf cfg.pstore [ "tee" ];
filesystem = dir {
etc = dir {
s6-rc = dir {