er, don\'t know?

devices/gl-ar750/default.nix

@@ -114,12 +114,27 @@
           eraseBlockSize = 65536;
         };
         rootDevice = "/dev/mtdblock5";
-        dts = {
+        dts =
-          src = "${openwrt.src}/target/linux/ath79/dts/qca9531_glinet_gl-ar750.dts";
+          let
-          includes =  [
+            upstream = {
-            "${openwrt.src}/target/linux/ath79/dts"
+              src = "${openwrt.src}/target/linux/ath79/dts/qca9531_glinet_gl-ar750.dts";
-          ];
+              includes =  [
-        };
+                "${openwrt.src}/target/linux/ath79/dts"
+              ];
+            };
+            cppDtSearchFlags = builtins.concatStringsSep " " (map (f: "-I${f}") upstream.includes);
+            dtcSearchFlags = builtins.concatStringsSep " " (map (f: "-i${f}") upstream.includes);
+
+            patched = pkgs.runCommand "patch-dts" {
+              nativeBuildInputs = with pkgs.pkgsBuildBuild; [pkgs.stdenv.cc dtc ];
+            }
+              ''
+                echo patching dts
+                ${pkgs.stdenv.cc.targetPrefix}cpp -nostdinc -x assembler-with-cpp ${cppDtSearchFlags} -undef -D__DTS__  -o dts.tmp ${upstream.src}
+                dtc -I dts ${dtcSearchFlags} -o $out -O dts dts.tmp
+              '';
+          in upstream // { src = patched; };
+
 
         networkInterfaces =
           let inherit (config.system.service.network) link;

examples/hello-from-qemu.nix

@@ -1,12 +1,14 @@
-{ config, pkgs, ... } :
+{ config, pkgs, lib, ... } :
 let
   svc = config.system.service;
+  inherit (pkgs.liminix.services) longrun oneshot ;
 
 in rec {
   imports = [
     ../modules/network
     ../modules/dnsmasq
     ../modules/ssh
+    ../modules/tls-certificate
   ];
 
   hostname = "hello";
@@ -17,8 +19,51 @@ in rec {
     family = "inet"; address ="10.3.0.1"; prefixLength = 16;
   };
 
+  filesystem =
+    let inherit (pkgs.pseudofile) file dir symlink;
+    in dir {
+      etc = dir {
+        hosts =  {
+          type = "f";
+          file = "127.0.0.1 localhost\n10.0.2.2 loaclhost.telent.net\n";
+          mode = "0444";
+        };
+      };
+    };
+
   services.sshd = svc.ssh.build { };
 
+  services.lan-address-for-secrets =
+    svc.network.address.build {
+      interface = config.hardware.networkInterfaces.lan;
+      family = "inet"; address ="10.0.2.15"; prefixLength = 24;
+    };
+
+  # services.client-cert = svc.tls-certificate.certifix-client.build {
+  #   caCertificate = builtins.readFile /var/lib/certifix/certs/ca.crt;
+  #   subject = "C=GB,ST=London,O=Telent,OU=devices,CN=${config.hostname}";
+  #   secret = builtins.readFile ../challengePassword;
+  #   serviceUrl = "https://loaclhost.telent.net:19613/sign";
+  # };
+
+  # logging.shipping = {
+  #   enable = true;
+  #   service = longrun {
+  #     name = "ship-logs";
+  #     dependencies = [ config.services.client-cert ];
+  #     run =
+  #       let path = lib.makeBinPath (with pkgs; [ s6-networking s6 ]);
+  #       in ''
+  #         PATH=${path}:$PATH \
+  #         CAFILE=${/var/lib/certifix/certs/ca.crt} \
+  #         KEYFILE=$(output_path ${services.client-cert} key) \
+  #         CERTFILE=$(output_path ${services.client-cert} cert) \
+  #         s6-tlsclient -k loaclhost.telent.net -h -y loaclhost.telent.net 19612 \
+  #         fdmove -c 1 7 cat
+  #       '';
+  #   };
+  # };
+
   users.root = {
     # the password is "secret". Use mkpasswd -m sha512crypt to
     # create this hashed password string
@@ -38,6 +83,6 @@ in rec {
     };
 
   defaultProfile.packages = with pkgs; [
-    figlet
+    figlet openssl
   ];
 }

examples/rotuer.nix

@@ -16,11 +16,11 @@ let
     inherit (secrets) wpa_passphrase;
     wmm_enabled = 1;
   };
-
+  inherit (pkgs.liminix.services) longrun;
 in rec {
   boot = {
     tftp = {
-      freeSpaceBytes = 3 * 1024 * 1024;
+      freeSpaceBytes = 2 * 1024 * 1024;
       serverip = "10.0.0.1";
       ipaddr = "10.0.0.8";
     };
@@ -28,8 +28,24 @@ in rec {
 
   imports = [
     "${modulesPath}/profiles/gateway.nix"
+    "${modulesPath}/tls-certificate"
   ];
+
   hostname = "rotuer";
+#  rootfsType = "jffs2";
+
+  filesystem =
+    let inherit (pkgs.pseudofile) file dir symlink;
+    in dir {
+      mnt = dir {};
+      etc = dir {
+        hosts = {
+          type = "f";
+          file = "127.0.0.1 localhost\n10.0.0.1 loaclhost.telent.net\n";
+          mode = "0444";
+        };
+      };
+    };
 
   profile.gateway = {
     lan = {
@@ -106,9 +122,11 @@ in rec {
   defaultProfile.packages = with pkgs; [
     min-collect-garbage
     nftables
-    strace
+    # strace
-    tcpdump
+    # tcpdump
     s6
+    dtc
+    # certifix-client
   ];
 
   programs.busybox = {
@@ -119,4 +137,47 @@ in rec {
       FEATURE_FANCY_TAIL = "y";
     };
   };
+
+  services.wan-address-for-secrets =
+    let
+      interface = config.hardware.networkInterfaces.wan;
+      addr =
+        svc.network.address.build {
+          inherit interface;
+          family = "inet"; address ="10.0.0.10"; prefixLength = 24;
+        };
+    in svc.network.route.build {
+      target = "10.0.0.1";
+      inherit interface;
+      via = "10.0.0.10";
+      metric = 1;
+      dependencies = [ addr ];
+    };
+
+  # services.client-cert = svc.tls-certificate.certifix-client.build {
+  #   caCertificate = builtins.readFile /var/lib/certifix/certs/ca.crt;
+  #   subject = "C=GB,ST=London,O=Telent,OU=devices,CN=${config.hostname}";
+  #   secret = builtins.readFile ../challengePassword;
+  #   serviceUrl = "https://loaclhost.telent.net:19613/sign";
+  #   dependencies = [ services.wan-address-for-secrets ];
+  # };
+
+  logging.pstore = true;
+  logging.shipping = {
+    enable = false;
+    service = longrun {
+      name = "ship-logs";
+      dependencies = [ config.services.client-cert ];
+      run =
+        let path = lib.makeBinPath (with pkgs; [ s6-networking s6 ]);
+        in ''
+          PATH=${path}:$PATH \
+          CAFILE=${/var/lib/certifix/certs/ca.crt} \
+          KEYFILE=$(output_path ${services.client-cert} key) \
+          CERTFILE=$(output_path ${services.client-cert} cert) \
+          s6-tlsclient -k loaclhost.telent.net -h -y loaclhost.telent.net 19612 \
+          fdmove -c 1 7 cat
+        '';
+    };
+  };
 }

modules/ppp/common.nix

@@ -24,17 +24,21 @@ let
     echo $4 > address
     echo $5 > peer-address
     set +o nounset
+    set +o errexit
     if test -n "''${DNS1}" ;then echo ''${DNS1} > ns1 ; fi
     if test -n "''${DNS2}" ;then echo ''${DNS2} > ns2 ; fi
-    test -e ipv6-address && echo >/proc/self/fd/10
+    set +o pipefail
+    ls -l /proc/self/fd
+    echo >/proc/self/fd/10
   '';
   ip6-up = writeAshScript "ip6-up" {} ''
     exec >&5 2>&5
     . ${serviceFns} 
     in_outputs ${name}
+    set +o nounset
+    set +o errexit
     echo $4 > ipv6-address
     echo $5 > ipv6-peer-address
-    test -e ifname && echo >/proc/self/fd/10
   '';
   literal_or_output =
     let v = o: ({
@@ -73,7 +77,7 @@ let
       chmod 0700 /run/${name}
       in_outputs ${name}
       echo ${escapeShellArgs ppp-options'} | ${output-template}/bin/output-template '{{' '}}' > /run/${name}/ppp-options
-      fdmove -c 5 2 \
+      exec fdmove -c 5 2 \
       ${command}
     '';
     notification-fd = 10;

modules/ppp/pppoe.nix

@@ -24,7 +24,7 @@ let
 in common {
   inherit name debug username password lcpEcho ppp-options;
   command = ''
-    exec ${ppp}/bin/pppd pty "${pppoe}/bin/pppoe ${timeoutOpt}  -I $(output ${interface} ifname)" file /run/${name}/ppp-options
+    ${ppp}/bin/pppd pty "${pppoe}/bin/pppoe ${timeoutOpt}  -I $(output ${interface} ifname)" file /run/${name}/ppp-options
   '';
   dependencies = [ interface ];
 }

modules/s6/default.nix

@@ -107,17 +107,22 @@ let
       };
       notification-fd = { file = "3"; };
       run = {
-        file = ''
+        file =
-              #!${execline}/bin/execlineb -P
+          let pstore = if cfg.pstore then "pipeline { tee /dev/pmsg0 }" else "";
-              ${execline}/bin/redirfd -w 1 /dev/null
+          in ''
-              ${execline}/bin/redirfd -rnb 0 fifo
+            #!${execline}/bin/execlineb -P
-              ${if cfg.shipping.enable then ''
+            ${execline}/bin/redirfd -w 1 /dev/null
-                pipeline { ${s6}/bin/s6-log -bpd3 -- ${cfg.script} 1 }
+            ${execline}/bin/redirfd -rnb 0 fifo
-                pipeline { ${pkgs.logshipper}/bin/logtap ${cfg.shipping.socket} logshipper-socket-event }
+            ${if cfg.shipping.enable then ''
-                ${s6}/bin/s6-log -- ${cfg.directory}
+              pipeline { ${s6}/bin/s6-log -bpd3 -- ${cfg.script} 1 }
-              '' else ''
+              pipeline { ${pkgs.logshipper}/bin/logtap ${cfg.shipping.socket} logshipper-socket-event }
-                ${s6}/bin/s6-log -bpd3 -- ${cfg.script} ${cfg.directory}
+              ${pstore}
-              ''}
+              ${s6}/bin/s6-log -- ${cfg.directory}
+            '' else ''
+              pipeline { ${s6}/bin/s6-log -bpd3 -- ${cfg.script} 1 }
+              ${pstore}
+              ${s6}/bin/s6-log --  ${cfg.directory}
+            ''}
           '';
         mode = "0755";
       };
@@ -212,6 +217,7 @@ let
 in {
   options = {
     logging = {
+      pstore = mkEnableOption "system logs in pstore for retention after reboot";
       shipping = {
         enable = mkEnableOption "unix socket for log shipping";
         socket = mkOption {
@@ -263,6 +269,12 @@ in {
     )];
 
   config = {
+    kernel.config = mkIf cfg.pstore {
+      PSTORE = "y";
+      PSTORE_PMSG = "y";
+    };
+    programs.busybox.applets =  mkIf cfg.pstore [ "tee" ];
+    
     filesystem = dir {
       etc = dir {
         s6-rc = dir {