From d7d2fb361aeab1d7613d082b5829a919ac08b5a6 Mon Sep 17 00:00:00 2001
From: Daniel Barlow
Date: Tue, 3 Dec 2024 19:30:52 +0000
Subject: [PATCH] er, don\'t know?
---
devices/gl-ar750/default.nix | 27 ++++++++++----
examples/hello-from-qemu.nix | 49 +++++++++++++++++++++++--
examples/rotuer.nix | 69 +++++++++++++++++++++++++++++++++---
modules/ppp/common.nix | 10 ++++--
modules/ppp/pppoe.nix | 2 +-
modules/s6/default.nix | 34 ++++++++++++------
6 files changed, 164 insertions(+), 27 deletions(-)
diff --git a/devices/gl-ar750/default.nix b/devices/gl-ar750/default.nix
index dd58f1d..ce80398 100644
--- a/devices/gl-ar750/default.nix
+++ b/devices/gl-ar750/default.nix
@@ -114,12 +114,27 @@
 eraseBlockSize = 65536;
 };
 rootDevice = "/dev/mtdblock5";
- dts = {
- src = "${openwrt.src}/target/linux/ath79/dts/qca9531_glinet_gl-ar750.dts";
- includes = [
- "${openwrt.src}/target/linux/ath79/dts"
- ];
- };
+ dts =
+ let
+ upstream = {
+ src = "${openwrt.src}/target/linux/ath79/dts/qca9531_glinet_gl-ar750.dts";
+ includes = [
+ "${openwrt.src}/target/linux/ath79/dts"
+ ];
+ };
+ cppDtSearchFlags = builtins.concatStringsSep " " (map (f: "-I${f}") upstream.includes);
+ dtcSearchFlags = builtins.concatStringsSep " " (map (f: "-i${f}") upstream.includes);
+
+ patched = pkgs.runCommand "patch-dts" {
+ nativeBuildInputs = with pkgs.pkgsBuildBuild; [pkgs.stdenv.cc dtc ];
+ }
+ ''
+ echo patching dts
+ ${pkgs.stdenv.cc.targetPrefix}cpp -nostdinc -x assembler-with-cpp ${cppDtSearchFlags} -undef -D__DTS__ -o dts.tmp ${upstream.src}
+ dtc -I dts ${dtcSearchFlags} -o $out -O dts dts.tmp
+ '';
+ in upstream // { src = patched; };
+
 networkInterfaces =
 let
 inherit (config.system.service.network) link;
diff --git a/examples/hello-from-qemu.nix b/examples/hello-from-qemu.nix
index 6ee2c10..5fc9103 100644
--- a/examples/hello-from-qemu.nix
+++ b/examples/hello-from-qemu.nix
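Review bot: The derivation named `patch-dts` that logs `patching dts` does not patch anything; its two commands only run `cpp` and `dtc -O dts` to flatten the upstream DTS and its includes into a single file, so the name and the log line misdescribe the step. Either rename it (`pkgs.runCommand "preprocess-dts"` / `echo preprocessing dts`) or put a comment above `patched =` saying why a flattened copy is wanted, since the motive is not visible in this hunk — presumably so the result can be modified before the normal dts build. `upstream // { src = patched; }` still carries `includes` alongside the flattened file; that is harmless if the consumer re-runs cpp on it, but a short comment that it is kept only for interface compatibility would stop a later reader assuming the flattened source still needs them. The consumer of `dts` is outside this hunk.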
@@ -1,12 +1,14 @@
-{ config, pkgs, ... } :
+{ config, pkgs, lib, ... } :
 let
 svc = config.system.service;
+ inherit (pkgs.liminix.services) longrun oneshot ;
 in rec {
 imports = [
 ../modules/network
 ../modules/dnsmasq
 ../modules/ssh
+ ../modules/tls-certificate
 ];
 hostname = "hello";
@@ -17,8 +19,51 @@ in rec {
 family = "inet"; address ="10.3.0.1"; prefixLength = 16;
 };
+ filesystem =
+ let inherit (pkgs.pseudofile) file dir symlink;
+ in dir {
+ etc = dir {
+ hosts = {
+ type = "f";
+ file = "127.0.0.1 localhost\n10.0.2.2 loaclhost.telent.net\n";
+ mode = "0444";
+ };
+ };
+ };
+ services.sshd = svc.ssh.build { };
+ services.lan-address-for-secrets =
+ svc.network.address.build {
+ interface = config.hardware.networkInterfaces.lan;
+ family = "inet"; address ="10.0.2.15"; prefixLength = 24;
+ };
+
+ # services.client-cert = svc.tls-certificate.certifix-client.build {
+ # caCertificate = builtins.readFile /var/lib/certifix/certs/ca.crt;
+ # subject = "C=GB,ST=London,O=Telent,OU=devices,CN=${config.hostname}";
+ # secret = builtins.readFile ../challengePassword;
+ # serviceUrl = "https://loaclhost.telent.net:19613/sign";
+ # };
+
+ # logging.shipping = {
+ # enable = true;
+ # service = longrun {
+ # name = "ship-logs";
+ # dependencies = [ config.services.client-cert ];
+ # run =
+ # let path = lib.makeBinPath (with pkgs; [ s6-networking s6 ]);
+ # in ''
+ # PATH=${path}:$PATH \
+ # CAFILE=${/var/lib/certifix/certs/ca.crt} \
+ # KEYFILE=$(output_path ${services.client-cert} key) \
+ # CERTFILE=$(output_path ${services.client-cert} cert) \
+ # s6-tlsclient -k loaclhost.telent.net -h -y loaclhost.telent.net 19612 \
+ # fdmove -c 1 7 cat
+ # '';
+ # };
+ # };
+
 users.root = {
 # the password is "secret". Use mkpasswd -m sha512crypt to
 # create this hashed password string
@@ -38,6 +83,6 @@ in rec {
 };
 defaultProfile.packages = with pkgs; [
- figlet
+ figlet openssl
 ];
 }
diff --git a/examples/rotuer.nix b/examples/rotuer.nix
index 1d2a726..77c960a 100644
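Review bot: The commented-out `services.client-cert` block reads the enrolment secret with `builtins.readFile ../challengePassword`, which, the moment it is uncommented, copies the password into the derivation and therefore into the world-readable Nix store and the built image; the same block is added to examples/rotuer.nix in this commit. If it is meant to be revived, the secret should be supplied at runtime — a path the service reads, the way `KEYFILE=$(output_path … key)` already handles the private key — rather than at evaluation time, and a comment such as `# NOTE: do not readFile the secret at eval time, it ends up in the Nix store` above the block would record that before someone re-enables it as written. `caCertificate = builtins.readFile …` and `CAFILE=${/var/lib/certifix/certs/ca.crt}` are fine to land in the store, since the CA certificate is public.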
--- a/examples/rotuer.nix
+++ b/examples/rotuer.nix
@@ -16,11 +16,11 @@ let
 inherit (secrets) wpa_passphrase;
 wmm_enabled = 1;
 };
-
+ inherit (pkgs.liminix.services) longrun;
 in rec {
 boot = {
 tftp = {
- freeSpaceBytes = 3 * 1024 * 1024;
+ freeSpaceBytes = 2 * 1024 * 1024;
 serverip = "10.0.0.1";
 ipaddr = "10.0.0.8";
 };
@@ -28,8 +28,24 @@ in rec {
 imports = [
 "${modulesPath}/profiles/gateway.nix"
+ "${modulesPath}/tls-certificate"
 ];
+ hostname = "rotuer";
+# rootfsType = "jffs2";
+
+ filesystem =
+ let inherit (pkgs.pseudofile) file dir symlink;
+ in dir {
+ mnt = dir {};
+ etc = dir {
+ hosts = {
+ type = "f";
+ file = "127.0.0.1 localhost\n10.0.0.1 loaclhost.telent.net\n";
+ mode = "0444";
+ };
+ };
+ };
 profile.gateway = {
 lan = {
@@ -106,9 +122,11 @@ in rec {
 defaultProfile.packages = with pkgs; [
 min-collect-garbage
 nftables
- strace
- tcpdump
+ # strace
+ # tcpdump
 s6
+ dtc
+ # certifix-client
 ];
 programs.busybox = {
@@ -119,4 +137,47 @@ in rec {
 FEATURE_FANCY_TAIL = "y";
 };
 };
+
+ services.wan-address-for-secrets =
+ let
+ interface = config.hardware.networkInterfaces.wan;
+ addr =
+ svc.network.address.build {
+ inherit interface;
+ family = "inet"; address ="10.0.0.10"; prefixLength = 24;
+ };
+ in svc.network.route.build {
+ target = "10.0.0.1";
+ inherit interface;
+ via = "10.0.0.10";
+ metric = 1;
+ dependencies = [ addr ];
+ };
+
+ # services.client-cert = svc.tls-certificate.certifix-client.build {
+ # caCertificate = builtins.readFile /var/lib/certifix/certs/ca.crt;
+ # subject = "C=GB,ST=London,O=Telent,OU=devices,CN=${config.hostname}";
+ # secret = builtins.readFile ../challengePassword;
+ # serviceUrl = "https://loaclhost.telent.net:19613/sign";
+ # dependencies = [ services.wan-address-for-secrets ];
+ # };
+
+ logging.pstore = true;
+ logging.shipping = {
+ enable = false;
+ service = longrun {
+ name = "ship-logs";
+ dependencies = [ config.services.client-cert ];
+ run =
+ let path = lib.makeBinPath (with pkgs; [ s6-networking s6 ]);
+ in ''
+ PATH=${path}:$PATH \
+ CAFILE=${/var/lib/certifix/certs/ca.crt} \
+ KEYFILE=$(output_path ${services.client-cert} key) \
+ CERTFILE=$(output_path ${services.client-cert} cert) \
+ s6-tlsclient -k loaclhost.telent.net -h -y loaclhost.telent.net 19612 \
+ fdmove -c 1 7 cat
+ '';
+ };
+ };
 }
diff --git a/modules/ppp/common.nix b/modules/ppp/common.nix
index 15d5492..ed5b5aa 100644
--- a/modules/ppp/common.nix
+++ b/modules/ppp/common.nix
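Review bot: In `services.wan-address-for-secrets` the route to `10.0.0.1` is built with `via = "10.0.0.10"`, which is the address that `addr` assigns to the very same interface, not a next hop; assuming `via` has its `ip route` meaning (a gateway), this is either redundant — with `10.0.0.10/24` on wan, `10.0.0.1` is already on-link — or it was meant to name a real gateway, and which one should be confirmed. Separately, `logging.shipping.service` is declared with `dependencies = [ config.services.client-cert ]` while `services.client-cert` is commented out a few lines above in the same hunk; `enable = false` probably keeps the attribute from being forced, but if the s6 module ever evaluates `service` independently of `enable` this fails on an undefined attribute. A comment such as `# needs services.client-cert, currently commented out` on the `dependencies` line, or commenting the whole block as examples/hello-from-qemu.nix does, would make that state explicit.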
@@ -24,17 +24,21 @@ let
 echo $4 > address
 echo $5 > peer-address
 set +o nounset
+ set +o errexit
 if test -n "''${DNS1}" ;then echo ''${DNS1} > ns1 ; fi
 if test -n "''${DNS2}" ;then echo ''${DNS2} > ns2 ; fi
- test -e ipv6-address && echo >/proc/self/fd/10
+ set +o pipefail
+ ls -l /proc/self/fd
+ echo >/proc/self/fd/10
 '';
 ip6-up = writeAshScript "ip6-up" {} ''
 exec >&5 2>&5
 . ${serviceFns}
 in_outputs ${name}
+ set +o nounset
+ set +o errexit
 echo $4 > ipv6-address
 echo $5 > ipv6-peer-address
- test -e ifname && echo >/proc/self/fd/10
 '';
 literal_or_output = let v = o: ({
@@ -73,7 +77,7 @@ let
 chmod 0700 /run/${name}
 in_outputs ${name}
 echo ${escapeShellArgs ppp-options'} | ${output-template}/bin/output-template '{{' '}}' > /run/${name}/ppp-options
- fdmove -c 5 2 \
+ exec fdmove -c 5 2 \
 ${command}
 '';
 notification-fd = 10;
diff --git a/modules/ppp/pppoe.nix b/modules/ppp/pppoe.nix
index 61957b9..c8072be 100644
--- a/modules/ppp/pppoe.nix
+++ b/modules/ppp/pppoe.nix
@@ -24,7 +24,7 @@ let
 in common {
 inherit name debug username password lcpEcho ppp-options;
 command = ''
- exec ${ppp}/bin/pppd pty "${pppoe}/bin/pppoe ${timeoutOpt} -I $(output ${interface} ifname)" file /run/${name}/ppp-options
+ ${ppp}/bin/pppd pty "${pppoe}/bin/pppoe ${timeoutOpt} -I $(output ${interface} ifname)" file /run/${name}/ppp-options
 '';
 dependencies = [ interface ];
 }
diff --git a/modules/s6/default.nix b/modules/s6/default.nix
index 1a98f41..7047481 100644
--- a/modules/s6/default.nix
+++ b/modules/s6/default.nix
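Review bot: `echo >/proc/self/fd/10` in ip-up now fires unconditionally and the notification in ip6-up is removed, so readiness on the notification fd is signalled as soon as the IPv4 address is written, even on links where `ipv6-address` would be filled in later by ip6-up; if notifying on IPv4 only is the intent, say so on that line, e.g. `# readiness is signalled on IPv4 up; ipv6-address may be written afterwards`, otherwise the removed `test -e ipv6-address &&` gate or an equivalent in ip6-up is still needed. `ls -l /proc/self/fd` looks like a debugging aid; given the `exec >&5 2>&5` preamble visible in ip6-up (ip-up's own preamble is above the hunk), its listing presumably lands in the service's stderr on every link-up and should be dropped before merging. With `set +o errexit` in force from that point, a failed write to `ns1`/`ns2` no longer aborts the script, so the readiness signal can be sent with partial outputs; that may be acceptable for a best-effort hook but deserves a comment. The enclosing `let` starts above the hunk.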
@@ -107,17 +107,22 @@ let
 };
 notification-fd = { file = "3"; };
 run = {
- file = ''
- #!${execline}/bin/execlineb -P
- ${execline}/bin/redirfd -w 1 /dev/null
- ${execline}/bin/redirfd -rnb 0 fifo
- ${if cfg.shipping.enable then ''
- pipeline { ${s6}/bin/s6-log -bpd3 -- ${cfg.script} 1 }
- pipeline { ${pkgs.logshipper}/bin/logtap ${cfg.shipping.socket} logshipper-socket-event }
- ${s6}/bin/s6-log -- ${cfg.directory}
- '' else ''
- ${s6}/bin/s6-log -bpd3 -- ${cfg.script} ${cfg.directory}
- ''}
+ file =
+ let pstore = if cfg.pstore then "pipeline { tee /dev/pmsg0 }" else "";
+ in ''
+ #!${execline}/bin/execlineb -P
+ ${execline}/bin/redirfd -w 1 /dev/null
+ ${execline}/bin/redirfd -rnb 0 fifo
+ ${if cfg.shipping.enable then ''
+ pipeline { ${s6}/bin/s6-log -bpd3 -- ${cfg.script} 1 }
+ pipeline { ${pkgs.logshipper}/bin/logtap ${cfg.shipping.socket} logshipper-socket-event }
+ ${pstore}
+ ${s6}/bin/s6-log -- ${cfg.directory}
+ '' else ''
+ pipeline { ${s6}/bin/s6-log -bpd3 -- ${cfg.script} 1 }
+ ${pstore}
+ ${s6}/bin/s6-log -- ${cfg.directory}
+ ''}
 '';
 mode = "0755";
 };
@@ -212,6 +217,7 @@ let
 in {
 options = {
 logging = {
+ pstore = mkEnableOption "system logs in pstore for retention after reboot";
 shipping = {
 enable = mkEnableOption "unix socket for log shipping";
 socket = mkOption {
@@ -263,6 +269,12 @@ in {
 )];
 config = {
+ kernel.config = mkIf cfg.pstore {
+ PSTORE = "y";
+ PSTORE_PMSG = "y";
+ };
+ programs.busybox.applets = mkIf cfg.pstore [ "tee" ];
+
 filesystem = dir {
 etc = dir {
 s6-rc = dir {
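Review bot: The new `pipeline { tee /dev/pmsg0 }` stage invokes `tee` by bare name while every other program in the run script (`${execline}/bin/redirfd`, `${s6}/bin/s6-log`, `${pkgs.logshipper}/bin/logtap`) is given as an absolute store path, so the logger now depends on whatever PATH s6-svscan hands the service; if that PATH is empty or lacks the busybox bin directory the execline chain fails and the whole log pipeline stops, not just the pstore copy. `programs.busybox.applets = mkIf cfg.pstore [ "tee" ]` in the last hunk makes the applet exist but does not make it findable, so referencing it through its store path the way the other commands are would remove the dependency; the busybox attribute to use is not visible here. A failed open of `/dev/pmsg0` (device node absent, pstore not mounted) also deserves a comment on the `pstore` line, because whether tee keeps forwarding stdin to stdout when a file operand fails is what decides between silently losing the retained copy and taking the pipeline down, and that should be checked for the busybox applet before relying on it.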
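Review bot: `kernel.config` enables `PSTORE` and `PSTORE_PMSG` but no pstore backend, and pmsg data only survives a reboot when a backend such as ramoops (`PSTORE_RAM`) is configured, while the option text in the previous hunk promises "retention after reboot". If the backend is expected to come from the device or a profile outside this module, state that in the description, e.g. `mkEnableOption "system logs in pstore for retention after reboot (requires a pstore backend such as ramoops for the device)"`; otherwise the option produces a `/dev/pmsg0` whose writes persist nowhere. Reading the retained logs back after boot additionally needs the pstore filesystem mounted, which nothing in this commit does, and that is worth a line in the same description.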