Compare commits
10 Commits
24151425b8
...
2e513eb4a7
Author | SHA1 | Date | |
---|---|---|---|
2e513eb4a7 | |||
f2e4e77d73 | |||
48dfbe0c01 | |||
6f697db57c | |||
fe1ee12e3d | |||
4d273a9469 | |||
40db175b41 | |||
ab07212a7e | |||
f5e08ac9d9 | |||
0cb18eabcd |
36
boot.expect
36
boot.expect
@ -2,19 +2,37 @@
|
||||
# use expect as its "Script program" instead of runscript. Try
|
||||
# Ctrl+A O -> Filenames and paths -> D
|
||||
|
||||
fconfigure stderr -buffering none
|
||||
fconfigure stdout -buffering none
|
||||
|
||||
proc waitprompt { } {
|
||||
expect {
|
||||
"BusyBox" { puts stderr "DONE\r"; exit 0 }
|
||||
"READY" { puts stderr ";;; READY\r"; }
|
||||
timeout { puts stderr ";;; timed out waiting after $line\r" }
|
||||
}
|
||||
}
|
||||
|
||||
proc sendline { line } {
|
||||
send "$line; echo \$ready \r"
|
||||
}
|
||||
|
||||
log_user 0
|
||||
log_file -a -open stderr
|
||||
|
||||
set f [open "result/boot.scr"]
|
||||
send "version\r"
|
||||
set timeout 60
|
||||
|
||||
send "setenv ready REA\rsetenv ready \${ready}DY\r"
|
||||
|
||||
set timeout 300
|
||||
expect_before timeout abort
|
||||
while {[gets $f line] >= 0} {
|
||||
puts stderr "next line $line\r"
|
||||
puts stderr "waiting for prompt\r"
|
||||
expect {
|
||||
"ath>" {}
|
||||
"BusyBox" { puts stderr "DONE"; exit 0 }
|
||||
}
|
||||
send "$line\r\n"
|
||||
puts stderr ";;; next line $line\r"
|
||||
puts stderr ";;; waiting for prompt\r"
|
||||
puts stderr ";;; sending\r"
|
||||
sendline $line
|
||||
waitprompt
|
||||
}
|
||||
|
||||
puts stderr "done\r\n"
|
||||
close $f
|
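Review bot: In `proc waitprompt`, the `timeout` branch interpolates `$line`, but the proc takes no argument and declares no `global line`, so the first timeout will fail with a "no such variable" error instead of printing the diagnostic. Pass the line in: `proc waitprompt { line } {` and call it from the loop as `waitprompt $line`. The `expect_before timeout abort` registered earlier is presumably tried ahead of waitprompt's own `timeout` clause, so it is worth confirming which of the two handlers is meant to win when the board goes quiet.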
@ -192,11 +192,6 @@
|
||||
NET_DSA_MT7530="y";
|
||||
NET_DSA_TAG_MTK="y";
|
||||
|
||||
PSTORE = "y";
|
||||
PSTORE_RAM = "y";
|
||||
PSTORE_CONSOLE = "y";
|
||||
PSTORE_DEFLATE_COMPRESS = "n";
|
||||
|
||||
SERIAL_8250 = "y";
|
||||
SERIAL_8250_CONSOLE = "y";
|
||||
SERIAL_8250_MT6577="y";
|
||||
@ -220,8 +215,9 @@
|
||||
commandLine = [ "console=ttyS0,115200" ];
|
||||
tftp.loadAddress = lim.parseInt "0x4007ff28";
|
||||
imageFormat = "fit";
|
||||
loader.fit.enable = lib.mkDefault true; # override this if you are building tftpboot
|
||||
};
|
||||
rootfsType = lib.mkDefault "ubifs";
|
||||
rootfsType = lib.mkDefault "ubifs"; # override this if you are building tftpboot
|
||||
filesystem =
|
||||
let inherit (pkgs.pseudofile) dir symlink;
|
||||
in
|
||||
|
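--- /dev/null
+++ b/examples/module-https-proxy.nix
@@ -0,0 +1,81 @@
+# This is "contrib"-level code. This module solves a particular
+# problem for my particular setup and is provided as is, as an example
+# of how you might write something similar if you had a similar
+# problem. Don't expect it to work unmolested in your setup (you will
+# at the absolute minimum have to change the domain name), nor even to
+# continue to exist without possibly being changed beyond recognition.
+
+# The computers on my LAN have globally unique routable IPv6
+# addresses, but I have only one public IPv4 address. I want to expose
+# HTTPS services to the Internet _whatever_ machine is hosting them,
+# so I publish an AAAA record to the machine itself, and an A record
+# to the public v4 address of the router which is running this nginx.
+# This nginx checks the SNI in the incoming connection and forwards
+# the connection to the (IPv6 address of the) same hostname
+
+# See https://ww.telent.net/2020/12/2/six_into_4_won_t_go for
+# the original solution to this problem, which used sniproxy (now
+# unmaintained) instead of nginx
+
+{ config, pkgs, ... }:
+let
+inherit (pkgs.liminix.services) longrun;
+inherit (pkgs) writeText;
+in {
+config = {
+users.nginx = {
+uid = 52; gid= 52;
+dir = "/run/";
+shell = "/bin/false";
+};
+groups.nginx = {
+gid= 52;
+usernames = ["nginx"];
+};
+
+services.sniproxy =
+let
+nginx = pkgs.nginx-small.override {
+pcre = null;
+zlib = null;
+options = [
+"stream"
+"stream_ssl_module" "stream_ssl_preread_module"
+"stream_map_module"
+];
+};
+conf = writeText "nginx.conf" ''
+worker_processes auto;
+error_log /proc/self/fd/1 info;
+pid /dev/null;
+user nginx;
+daemon off;
+events {
+worker_connections 1024;
+}
+
+stream {
+log_format proxy '$remote_addr -> $ssl_target';
+access_log /proc/self/fd/1 proxy;
+map $ssl_preread_server_name $ssl_target {
+hostnames;
+.telent.net $ssl_preread_server_name:443;
+}
+
+server {
+listen 443;
+resolver 127.0.0.1 ipv6=on ipv4=off;
+resolver_timeout 1s;
+proxy_pass $ssl_target;
+ssl_preread on;
+}
+}
+'';
+in longrun {
+name = "sniproxy";
+run = ''
+${nginx}/bin/nginx -c ${conf}
+'';
+};
+};
+}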
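Review bot: The `map` in the `stream` block is the whole access policy of this relay: any client-chosen SNI ending in `.telent.net` is looked up through the local resolver and forwarded, so a name under that suffix which the router's resolver answers for a LAN-only host becomes reachable from the Internet on port 443. A comment above the `map` should say so, e.g. `# the suffix match is the entire access policy: every *.telent.net name the local resolver answers is exposed`, or the map could list the intended hostnames explicitly instead of the wildcard. Connections with no SNI or a non-matching one leave `$ssl_target` empty and are presumably refused by `proxy_pass` with a logged error, which is acceptable but worth stating next to the map. The reference URL in the header comment reads `ww.telent.net`, presumably a typo for `www`.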
@ -131,12 +131,12 @@ in {
|
||||
"iifname int jump input-ip6-lan"
|
||||
"iifname ppp0 jump input-ip6-wan"
|
||||
(if allow-incoming
|
||||
then accept "oifname \"int\" iifname \"ppp0\""
|
||||
else "oifname \"int\" iifname \"ppp0\" jump incoming-allowed-ip6"
|
||||
then accept "iifname \"ppp0\""
|
||||
else "iifname \"ppp0\" jump incoming-allowed-ip6"
|
||||
)
|
||||
# how does this even make sense in an input chain?
|
||||
(accept "oifname \"int\" iifname \"ppp0\" ct state established,related")
|
||||
(accept "iifname \"int\" oifname \"ppp0\" ")
|
||||
(accept "iifname \"ppp0\" ct state established,related")
|
||||
(accept "iifname \"int\" ")
|
||||
"log prefix \"DENIED CHAIN=input-ip6 \""
|
||||
];
|
||||
};
|
||||
|
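Review bot: The comment `# how does this even make sense in an input chain?` now sits directly above `(accept "iifname \"ppp0\" ct state established,related")`, which after this change no longer names an output interface, so the question it asks has been answered and the comment is stale. Drop it or replace it with `# return/related traffic on connections already accepted or opened by the router itself`. The rule list this hunk edits starts and ends outside the hunk.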
@ -12,6 +12,7 @@ in
|
||||
{
|
||||
imports = [
|
||||
./outputs/squashfs.nix
|
||||
./outputs/jffs2.nix
|
||||
./outputs/vmroot.nix
|
||||
./outputs/boot-extlinux.nix
|
||||
./outputs/boot-fit.nix
|
||||
|
@ -57,6 +57,8 @@ in {
|
||||
|
||||
system.outputs = rec {
|
||||
tftpboot =
|
||||
# no ubifs on an mtd directly, it needs ubi volumes
|
||||
assert config.rootfsType != "ubifs";
|
||||
let
|
||||
o = config.system.outputs;
|
||||
image = let choices = {
|
||||
|
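Review bot: The new `assert config.rootfsType != "ubifs";` fails with only Nix's generic "assertion failed" location message, so the explanation in the comment above it never reaches the person who trips it. If `lib` is in scope here (it is not visible in this hunk), `assert lib.assertMsg (config.rootfsType != "ubifs") "tftpboot: ubifs cannot be written to an mtd directly, it needs ubi volumes";` surfaces the reason at evaluation time. `system.outputs` continues past the end of the hunk.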
@ -7,6 +7,7 @@
|
||||
let
|
||||
inherit (lib) mkOption types;
|
||||
inherit (pkgs) liminix;
|
||||
inherit (pkgs.pseudofile) dir file;
|
||||
mkBoolOption = description : mkOption {
|
||||
type = types.bool;
|
||||
inherit description;
|
||||
@ -20,6 +21,13 @@ in {
|
||||
};
|
||||
};
|
||||
config.programs.busybox.options.FEATURE_FANCY_ECHO = "y";
|
||||
config.filesystem = dir {
|
||||
etc = dir {
|
||||
shells = {
|
||||
file = "/bin/sh\n";
|
||||
};
|
||||
};
|
||||
};
|
||||
config.system.service = {
|
||||
ssh = config.system.callService ./ssh.nix {
|
||||
address = mkOption {
|
||||
|
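Review bot: `config.filesystem` now writes an `/etc/shells` containing only `/bin/sh` with no comment on why it exists or what depends on it. If it is there for the ssh service's login check (dropbear presumably refuses accounts whose shell is not listed; confirm against the version in use), then a user given any other login shell elsewhere in the configuration is silently refused, while accounts with `/bin/false` are deliberately kept out. Suggest adding above `shells = {` the comment `# only shells listed here are accepted as login shells; add any other interactive shell you configure for a user`. The enclosing `config` attribute set continues outside the hunk, and the sibling hunk at `@ -7,6 +7,7 @@` only adds the `dir file` inherit this uses.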
@ -96,6 +96,7 @@ in {
|
||||
minisock = callPackage ./minisock { };
|
||||
nellie = callPackage ./nellie { };
|
||||
netlink-lua = callPackage ./netlink-lua { };
|
||||
nginx-small = callPackage ./nginx-small { };
|
||||
odhcp-script = callPackage ./odhcp-script { };
|
||||
odhcp6c = callPackage ./odhcp6c { };
|
||||
openwrt = callPackage ./openwrt { };
|
||||
|
@ -1,20 +1,28 @@
|
||||
commit bd51aae2e40814ac2ae5801fd9f83f6a4a886fb1
|
||||
Author: Daniel Barlow <dan@telent.net>
|
||||
Date: Fri Aug 23 11:33:24 2024 +0100
|
||||
From 9c0ac9e41a393e0f16a57e36d9369d61d39e9aa5 Mon Sep 17 00:00:00 2001
|
||||
From: Daniel Barlow <dan@telent.net>
|
||||
Date: Fri, 23 Aug 2024 11:33:24 +0100
|
||||
Subject: [PATCH] add -U otion to set path to authorized_keys file
|
||||
|
||||
add -U otion to set path to authorized_keys file
|
||||
|
||||
based on https://github.com/mkj/dropbear/pull/35
|
||||
by Salvador Fandino sfandino@yahoo.com
|
||||
|
||||
- Allow authorized keys inside dirs with the sticky bit set
|
||||
|
||||
- Add option -U for customizing authorized_keys path
|
||||
|
||||
- Updated for dropbear 2024.85 (source files moved to src/)
|
||||
|
||||
- allow %u, %d, %n "format specifiers" in pathname so that the user's
|
||||
username/homedir/uid can be embedded into the path
|
||||
based on https://github.com/mkj/dropbear/pull/35
|
||||
by Salvador Fandino sfandino@yahoo.com
|
||||
|
||||
- Allow authorized keys inside dirs with the sticky bit set
|
||||
|
||||
- Add option -U for customizing authorized_keys path
|
||||
|
||||
- Updated for dropbear 2024.85 (source files moved to src/)
|
||||
|
||||
- allow %u, %d, %n "format specifiers" in pathname so that the user's
|
||||
username/homedir/uid can be embedded into the path
|
||||
---
|
||||
Makefile.in | 2 +-
|
||||
manpages/dropbear.8 | 3 +
|
||||
src/pathexpand.c | 149 +++++++++++++++++++++++++++++++++++++++++++
|
||||
src/runopts.h | 3 +-
|
||||
src/svr-authpubkey.c | 86 +++++++++++--------------
|
||||
src/svr-runopts.c | 10 +++
|
||||
6 files changed, 203 insertions(+), 50 deletions(-)
|
||||
create mode 100644 src/pathexpand.c
|
||||
|
||||
diff --git a/Makefile.in b/Makefile.in
|
||||
index 5ebfca2..686fbfb 100644
|
||||
@ -45,15 +53,16 @@ index bdb2ea0..c8d450d 100644
|
||||
.TP
|
||||
diff --git a/src/pathexpand.c b/src/pathexpand.c
|
||||
new file mode 100644
|
||||
index 0000000..2028733
|
||||
index 0000000..07e6955
|
||||
--- /dev/null
|
||||
+++ b/src/pathexpand.c
|
||||
@@ -0,0 +1,132 @@
|
||||
@@ -0,0 +1,149 @@
|
||||
+#include <limits.h>
|
||||
+#include <string.h>
|
||||
+#include <stdio.h>
|
||||
+
|
||||
+#ifdef TEST_PATHEXPAND
|
||||
+#include <stdlib.h>
|
||||
+
|
||||
+/* to run tests:
|
||||
+ gcc -Wall -o pathexpand -D TEST_PATHEXPAND=1 src/pathexpand.c && ./pathexpand
|
||||
@ -64,6 +73,17 @@ index 0000000..2028733
|
||||
+
|
||||
+#define m_malloc(c) malloc(c)
|
||||
+#define m_strdup(c) strdup(c)
|
||||
+#define TRACE(c) dropbear_trace1 c
|
||||
+#include <stdarg.h>
|
||||
+
|
||||
+inline static void dropbear_trace1(const char* format, ...) {
|
||||
+ va_list param;
|
||||
+
|
||||
+ va_start(param, format);
|
||||
+ /* vfprintf(stderr, format, param); */
|
||||
+ /* fprintf(stderr, "\n"); */
|
||||
+}
|
||||
+
|
||||
+
|
||||
+struct session {
|
||||
+ struct AuthState {
|
||||
@ -124,6 +144,8 @@ index 0000000..2028733
|
||||
+ /* unrecognised specifiers are discarded */
|
||||
+ expect_expansion("/hi/%q/.ssh", "/hi//.ssh");
|
||||
+
|
||||
+
|
||||
+ expect_expansion("%d/.ssh/authorized_keys", "/home/dan/.ssh/authorized_keys");
|
||||
+ exit(exit_status);
|
||||
+}
|
||||
+
|
||||
@ -155,10 +177,13 @@ index 0000000..2028733
|
||||
+ char *out = filename;
|
||||
+ char *p = relfilename;
|
||||
+ do {
|
||||
+ p = strchrnul(start, '%');
|
||||
+ strncat(out, start, p - start);
|
||||
+ p = strchr(start, '%');
|
||||
+
|
||||
+ if(*p == '\0') break;
|
||||
+ if(!p) {
|
||||
+ strcat(out, start);
|
||||
+ break;
|
||||
+ }
|
||||
+ strncat(out, start, p - start);
|
||||
+
|
||||
+ switch(*(p+1)) {
|
||||
+ case '\0':
|
||||
@ -384,3 +409,6 @@ index c4f83c1..faddfa2 100644
|
||||
}
|
||||
}
|
||||
|
||||
--
|
||||
2.47.0
|
||||
|
||||
|
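Review bot: In the `@ -155,10 +177,13 @@` hunk of src/pathexpand.c the `strchrnul` replacement appends with `strcat(out, start)` and `strncat(out, start, p - start)`, and neither append is bounded by the capacity of `filename`, whose declaration is outside this hunk. The expanded path grows with the `%u`/`%d`/`%n` substitutions taken from the passwd entry, so if `filename` is a fixed-size array a remaining-capacity check before each append (or `snprintf`-style accumulation into it) is needed to keep an over-long expansion from overrunning it; this is an administrator-supplied path, so the exposure is a crash rather than a remote input, but the check is cheap. Separately, the `dropbear_trace1` test stub added in the `@ -64,6 +73,17 @@` hunk calls `va_start` with no matching `va_end`; add `va_end(param);` before its closing brace. The expansion function itself starts and ends outside these hunks.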
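--- /dev/null
+++ b/pkgs/nginx-small/default.nix
@@ -0,0 +1,118 @@
+# There is stuff in the nixpkgs nginx that's quite difficult to
+# disable if you want the smallest possible nginx for a single use, so
+# herewith a derivation that allows fine-grained control of all the
+# --with and --without options. The patches are from nixpkgs (or from
+# openwrt via nixpkgs, it looks like) and at least one of them is
+# essential for making the package cross-compilable
+
+{
+stdenv
+, openssl
+, fetchzip
+, fetchpatch
+, pcre
+, zlib
+, lib
+, options ? []
+}:
+let
+# nginx configure script does not accept a with-foo_module flag for
+# a foo_module that's already included, nor a without-foo_module
+# for a module that isn't. Ho hum
+# grep -E 'without.+\)' auto/options | sed -e 's/).*$//g' -e 's/.*--without-//g'
+defaultEnabled = [
+"select_module"
+"poll_module"
+"quic_bpf_module"
+"http"
+"http-cache"
+"http_charset_module"
+"http_gzip_module"
+"http_ssi_module"
+"http_userid_module"
+"http_access_module"
+"http_auth_basic_module"
+"http_mirror_module"
+"http_autoindex_module"
+"http_status_module"
+"http_geo_module"
+"http_map_module"
+"http_split_clients_module"
+"http_referer_module"
+"http_rewrite_module"
+"http_proxy_module"
+"http_fastcgi_module"
+"http_uwsgi_module"
+"http_scgi_module"
+"http_grpc_module"
+"http_memcached_module"
+"http_limit_conn_module"
+"http_limit_req_module"
+"http_empty_gif_module"
+"http_browser_module"
+"http_upstream_hash_module"
+"http_upstream_ip_hash_module"
+"http_upstream_least_conn_module"
+"http_upstream_random_module"
+"http_upstream_keepalive_module"
+"http_upstream_zone_module"
+"mail_pop3_module"
+"mail_imap_module"
+"mail_smtp_module"
+"stream_limit_conn_module"
+"stream_access_module"
+"stream_geo_module"
+"stream_map_module"
+"stream_split_clients_module"
+"stream_return_module"
+"stream_pass_module"
+"stream_set_module"
+"stream_upstream_hash_module"
+"stream_upstream_least_conn_module"
+"stream_upstream_random_module"
+"stream_upstream_zone_module"
+"pcre"
+"pcre2"
+];
+# for each in defaultEnabled that are not in withFlags,
+# add a --without option
+# for each in withFlags that are not in defaultEnabled,
+# add a --with option
+withouts = lib.subtractLists options defaultEnabled;
+withs = lib.subtractLists defaultEnabled options;
+
+in stdenv.mkDerivation {
+pname = "nginx-small";
+version = "";
+buildInputs = [ openssl pcre zlib ];
+configureFlags =
+(map (f: "--with-${f}") withs)
+++ (map (f: "--without-${f}") withouts)
+++ lib.optional (pcre == null)
+"--without-http_rewrite_module"
+++ lib.optional (zlib == null)
+"--without-http_gzip_module";
+
+env.NIX_CFLAGS_COMPILE = "-Wno-error=cpp"; # musl
+
+configurePlatforms = [];
+patches = [
+(fetchpatch {
+url = "https://raw.githubusercontent.com/openwrt/packages/c057dfb09c7027287c7862afab965a4cd95293a3/net/nginx/patches/102-sizeof_test_fix.patch";
+sha256 = "0i2k30ac8d7inj9l6bl0684kjglam2f68z8lf3xggcc2i5wzhh8a";
+})
+(fetchpatch {
+url = "https://raw.githubusercontent.com/openwrt/packages/c057dfb09c7027287c7862afab965a4cd95293a3/net/nginx/patches/101-feature_test_fix.patch";
+sha256 = "0v6890a85aqmw60pgj3mm7g8nkaphgq65dj4v9c6h58wdsrc6f0y";
+})
+(fetchpatch {
+url = "https://raw.githubusercontent.com/openwrt/packages/c057dfb09c7027287c7862afab965a4cd95293a3/net/nginx/patches/103-sys_nerr.patch";
+sha256 = "0s497x6mkz947aw29wdy073k8dyjq8j99lax1a1mzpikzr4rxlmd";
+})
+];
+
+src = fetchzip {
+url = "https://nginx.org/download/nginx-1.26.2.tar.gz";
+hash = "sha256-CQbvqISgca+LBpmTUuF8IuJZC9GNn8kT0hQwzfz+wH8=";
+};
+}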
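Review bot: `version = "";` leaves the derivation unversioned while `src` pins nginx 1.26.2 only inside the URL string, so the store path carries no version and a future bump has to be hunted down in the fetchzip call. Set `version = "1.26.2";` and derive the URL from it; with the plain `stdenv.mkDerivation { ... }` form that means switching to `stdenv.mkDerivation (finalAttrs: { ... })` so `url = "https://nginx.org/download/nginx-${finalAttrs.version}.tar.gz";` can reference it. The three patches and the tarball are pinned by commit and hash, which is the right supply-chain posture for a contrib package. A short comment beside `"pcre" "pcre2"` in `defaultEnabled` noting that they turn into `--without-pcre`/`--without-pcre2` when not requested (they are libraries, not modules) would help the next reader.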