example sni proxy using nginx

because it's empty, these are input rules for the local machine

boot.expect

@@ -2,19 +2,37 @@
 # use expect as its "Script program" instead of runscript.  Try
 # Ctrl+A O -> Filenames and paths -> D
 
+fconfigure stderr -buffering  none
+fconfigure stdout -buffering  none
+
+proc waitprompt { } {
+    expect {
+      "BusyBox" { puts stderr  "DONE\r"; exit 0 }
+      "READY" { puts stderr ";;; READY\r"; }
+      timeout { puts stderr ";;; timed out waiting after $line\r" }
+    }
+}
+
+proc sendline { line } {
+     send "$line; echo \$ready \r"
+}
+
 log_user 0
 log_file -a -open stderr
+
 set f [open "result/boot.scr"]
-send "version\r"
+
-set timeout 60
+send "setenv ready REA\rsetenv ready \${ready}DY\r"
+
+set timeout 300
+expect_before timeout abort
 while {[gets $f line] >= 0} {
-    puts stderr "next line $line\r"
+    puts stderr ";;; next line $line\r"
-    puts stderr "waiting for prompt\r"	
+    puts stderr ";;; waiting for prompt\r"
-    expect {
+    puts stderr ";;; sending\r"	
-      "ath>" {}
+    sendline $line
-      "BusyBox" { puts stderr  "DONE"; exit 0 }
+    waitprompt
-    }
-    send "$line\r\n"
 }
+
 puts stderr "done\r\n"
 close $f

devices/belkin-rt3200/default.nix

@@ -192,11 +192,6 @@
         NET_DSA_MT7530="y";
         NET_DSA_TAG_MTK="y";
 
-        PSTORE = "y";
-        PSTORE_RAM = "y";
-        PSTORE_CONSOLE = "y";
-        PSTORE_DEFLATE_COMPRESS = "n";
-
         SERIAL_8250 = "y";
         SERIAL_8250_CONSOLE = "y";
         SERIAL_8250_MT6577="y";
@@ -220,8 +215,9 @@
       commandLine = [ "console=ttyS0,115200" ];
       tftp.loadAddress = lim.parseInt "0x4007ff28";
       imageFormat = "fit";
+      loader.fit.enable = lib.mkDefault true; # override this if you are building tftpboot
     };
-    rootfsType = lib.mkDefault "ubifs";
+    rootfsType = lib.mkDefault "ubifs"; # override this if you are building tftpboot
     filesystem =
       let inherit (pkgs.pseudofile) dir symlink;
            in

examples/module-https-proxy.nix

@@ -0,0 +1,81 @@
+# This is "contrib"-level code. This module solves a particular
+# problem for my particular setup and is provided as is, as an example
+# of how you might write something similar if you had a similar
+# problem. Don't expect it to work unmolested in your setup (you will
+# at the absolute minimum have to change the domain name), nor even to
+# continue to exist without possibly being changed beyond recognition.
+
+# The computers on my LAN have globally unique routable IPv6
+# addresses, but I have only one public IPv4 address. I want to expose
+# HTTPS services to the Internet _whatever_ machine is hosting them,
+# so I publish an AAAA record to the machine itself, and an A record
+# to the public v4 address of the router which is running this nginx.
+# This nginx checks the SNI in the incoming connection and forwards
+# the connection to the (IPv6 address of the) same hostname
+
+# See https://ww.telent.net/2020/12/2/six_into_4_won_t_go for
+# the original solution to this problem, which used sniproxy (now
+# unmaintained) instead of nginx
+
+{ config, pkgs, ... }:
+let
+  inherit (pkgs.liminix.services)  longrun;
+  inherit (pkgs) writeText;
+in {
+  config = {
+    users.nginx = {
+      uid = 52; gid= 52;
+      dir = "/run/";
+      shell = "/bin/false";
+    };
+    groups.nginx = {
+      gid= 52;
+      usernames = ["nginx"];
+    };
+
+    services.sniproxy =
+      let
+        nginx = pkgs.nginx-small.override {
+          pcre = null;
+          zlib = null;
+          options = [
+            "stream"
+            "stream_ssl_module" "stream_ssl_preread_module"
+            "stream_map_module"
+          ];
+        };
+        conf = writeText "nginx.conf" ''
+          worker_processes auto;
+          error_log /proc/self/fd/1 info;
+          pid /dev/null;
+          user nginx;
+          daemon off;
+          events {
+              worker_connections 1024;
+          }
+
+          stream {
+              log_format proxy '$remote_addr -> $ssl_target';
+              access_log /proc/self/fd/1 proxy;
+              map $ssl_preread_server_name $ssl_target {
+                  hostnames;
+                  .telent.net    $ssl_preread_server_name:443;
+              }
+
+              server {
+                  listen 443;
+                  resolver 127.0.0.1 ipv6=on ipv4=off;
+                  resolver_timeout 1s;
+                  proxy_pass $ssl_target;
+                  ssl_preread on;
+              }
+          }
+      '';
+      in longrun {
+        name = "sniproxy";
+        run = ''
+          ${nginx}/bin/nginx -c ${conf}
+        '';
+      };
+  };
+}

modules/firewall/default-rules.nix

@@ -131,12 +131,12 @@ in {
       "iifname int jump input-ip6-lan"
       "iifname ppp0 jump input-ip6-wan"
       (if allow-incoming
-       then accept "oifname \"int\" iifname \"ppp0\""
+       then accept "iifname \"ppp0\""
-       else "oifname \"int\" iifname \"ppp0\" jump incoming-allowed-ip6"
+       else "iifname \"ppp0\" jump incoming-allowed-ip6"
       )
       # how does this even make sense in an input chain?
-      (accept "oifname \"int\" iifname \"ppp0\"  ct state established,related")
+      (accept "iifname \"ppp0\"  ct state established,related")
-      (accept "iifname \"int\" oifname \"ppp0\" ")
+      (accept "iifname \"int\" ")
       "log prefix \"DENIED CHAIN=input-ip6 \""
     ];
   };

modules/outputs.nix

@@ -12,6 +12,7 @@ in
 {
   imports = [
     ./outputs/squashfs.nix
+    ./outputs/jffs2.nix
     ./outputs/vmroot.nix
     ./outputs/boot-extlinux.nix
     ./outputs/boot-fit.nix

modules/outputs/tftpboot.nix

@@ -57,6 +57,8 @@ in {
 
     system.outputs = rec {
       tftpboot =
+        # no ubifs on an mtd directly, it needs ubi volumes
+        assert config.rootfsType != "ubifs";
         let
           o = config.system.outputs;
           image = let choices = {

modules/ssh/default.nix

@@ -7,6 +7,7 @@
 let
   inherit (lib) mkOption types;
   inherit (pkgs) liminix;
+  inherit (pkgs.pseudofile) dir file;
   mkBoolOption = description : mkOption {
     type = types.bool;
     inherit description;
@@ -20,6 +21,13 @@ in {
     };
   };
   config.programs.busybox.options.FEATURE_FANCY_ECHO = "y";
+  config.filesystem = dir {
+    etc = dir {
+      shells = {
+        file = "/bin/sh\n";
+      };
+    };
+  };
   config.system.service = {
     ssh = config.system.callService ./ssh.nix {
       address = mkOption {

pkgs/default.nix

@@ -96,6 +96,7 @@ in {
   minisock = callPackage ./minisock { };
   nellie = callPackage ./nellie { };
   netlink-lua = callPackage ./netlink-lua { };
+  nginx-small = callPackage ./nginx-small { };
   odhcp-script = callPackage ./odhcp-script { };
   odhcp6c = callPackage ./odhcp6c { };
   openwrt = callPackage ./openwrt { };

pkgs/dropbear/add-authkeyfile-option.patch

@@ -1,20 +1,28 @@
-commit bd51aae2e40814ac2ae5801fd9f83f6a4a886fb1
+From 9c0ac9e41a393e0f16a57e36d9369d61d39e9aa5 Mon Sep 17 00:00:00 2001
-Author: Daniel Barlow <dan@telent.net>
+From: Daniel Barlow <dan@telent.net>
-Date:   Fri Aug 23 11:33:24 2024 +0100
+Date: Fri, 23 Aug 2024 11:33:24 +0100
+Subject: [PATCH] add -U otion to set path to authorized_keys file
 
-    add -U otion to set path to authorized_keys file
+based on https://github.com/mkj/dropbear/pull/35
+by Salvador Fandino sfandino@yahoo.com
 
-    based on https://github.com/mkj/dropbear/pull/35
+- Allow authorized keys inside dirs with the sticky bit set
-    by Salvador Fandino sfandino@yahoo.com
 
-    - Allow authorized keys inside dirs with the sticky bit set
+- Add option -U for customizing authorized_keys path
 
-    - Add option -U for customizing authorized_keys path
+- Updated for dropbear 2024.85 (source files moved to src/)
 
-    - Updated for dropbear 2024.85 (source files moved to src/)
+- allow %u, %d, %n "format specifiers" in pathname so that the user's
-    
-    - allow %u, %d, %n "format specifiers" in pathname so that the user's
   username/homedir/uid can be embedded into the path
+---
+ Makefile.in          |   2 +-
+ manpages/dropbear.8  |   3 +
+ src/pathexpand.c     | 149 +++++++++++++++++++++++++++++++++++++++++++
+ src/runopts.h        |   3 +-
+ src/svr-authpubkey.c |  86 +++++++++++--------------
+ src/svr-runopts.c    |  10 +++
+ 6 files changed, 203 insertions(+), 50 deletions(-)
+ create mode 100644 src/pathexpand.c
 
 diff --git a/Makefile.in b/Makefile.in
 index 5ebfca2..686fbfb 100644
@@ -45,15 +53,16 @@ index bdb2ea0..c8d450d 100644
  .TP
 diff --git a/src/pathexpand.c b/src/pathexpand.c
 new file mode 100644
-index 0000000..2028733
+index 0000000..07e6955
 --- /dev/null
 +++ b/src/pathexpand.c
-@@ -0,0 +1,132 @@
+@@ -0,0 +1,149 @@
 +#include <limits.h>
 +#include <string.h>
 +#include <stdio.h>
 +
 +#ifdef TEST_PATHEXPAND
++#include <stdlib.h>
 +
 +/* to run tests:
 +  gcc -Wall -o pathexpand -D TEST_PATHEXPAND=1 src/pathexpand.c && ./pathexpand
@@ -64,6 +73,17 @@ index 0000000..2028733
 +
 +#define m_malloc(c) malloc(c)
 +#define m_strdup(c) strdup(c)
++#define TRACE(c) dropbear_trace1 c
++#include <stdarg.h>
++
++inline static void dropbear_trace1(const char* format, ...) {
++        va_list param;
++
++        va_start(param, format);
++        /* vfprintf(stderr, format, param); */
++	/* fprintf(stderr, "\n"); */
++}
++
 +
 +struct session {
 +    struct AuthState {
@@ -124,6 +144,8 @@ index 0000000..2028733
 +    /* unrecognised specifiers are discarded */
 +    expect_expansion("/hi/%q/.ssh", "/hi//.ssh");
 +
++
++    expect_expansion("%d/.ssh/authorized_keys", "/home/dan/.ssh/authorized_keys");
 +    exit(exit_status);
 +}
 +
@@ -155,10 +177,13 @@ index 0000000..2028733
 +    char *out = filename;
 +    char *p = relfilename;
 +    do {
-+	p = strchrnul(start, '%');
++	p = strchr(start, '%');
-+	strncat(out, start, p - start);
 +
-+	if(*p == '\0') break;
++	if(!p) {
++	    strcat(out, start);
++	    break;
++	}
++	strncat(out, start, p - start);
 +
 +	switch(*(p+1)) {
 +	case '\0':
@@ -384,3 +409,6 @@ index c4f83c1..faddfa2 100644
  		}
  	}
  
+-- 
+2.47.0
+

pkgs/nginx-small/default.nix

@@ -0,0 +1,118 @@
+# There is stuff in the nixpkgs nginx that's quite difficult to
+# disable if you want the smallest possible nginx for a single use, so
+# herewith a derivation that allows fine-grained control of all the
+# --with and --without options. The patches are from nixpkgs (or from
+# openwrt via nixpkgs, it looks like) and at least one of them is
+# essential for making the package cross-compilable
+
+{
+  stdenv
+, openssl
+, fetchzip
+, fetchpatch
+, pcre
+, zlib
+, lib
+, options ? []
+}:
+let
+  # nginx configure script does not accept a with-foo_module flag for
+  # a foo_module that's already included, nor a without-foo_module
+  # for a module that isn't. Ho hum
+  #  grep -E 'without.+\)' auto/options | sed -e 's/).*$//g' -e 's/.*--without-//g'
+  defaultEnabled = [
+    "select_module"
+    "poll_module"
+    "quic_bpf_module"
+    "http"
+    "http-cache"
+    "http_charset_module"
+    "http_gzip_module"
+    "http_ssi_module"
+    "http_userid_module"
+    "http_access_module"
+    "http_auth_basic_module"
+    "http_mirror_module"
+    "http_autoindex_module"
+    "http_status_module"
+    "http_geo_module"
+    "http_map_module"
+    "http_split_clients_module"
+    "http_referer_module"
+    "http_rewrite_module"
+    "http_proxy_module"
+    "http_fastcgi_module"
+    "http_uwsgi_module"
+    "http_scgi_module"
+    "http_grpc_module"
+    "http_memcached_module"
+    "http_limit_conn_module"
+    "http_limit_req_module"
+    "http_empty_gif_module"
+    "http_browser_module"
+    "http_upstream_hash_module"
+    "http_upstream_ip_hash_module"
+    "http_upstream_least_conn_module"
+    "http_upstream_random_module"
+    "http_upstream_keepalive_module"
+    "http_upstream_zone_module"
+    "mail_pop3_module"
+    "mail_imap_module"
+    "mail_smtp_module"
+    "stream_limit_conn_module"
+    "stream_access_module"
+    "stream_geo_module"
+    "stream_map_module"
+    "stream_split_clients_module"
+    "stream_return_module"
+    "stream_pass_module"
+    "stream_set_module"
+    "stream_upstream_hash_module"
+    "stream_upstream_least_conn_module"
+    "stream_upstream_random_module"
+    "stream_upstream_zone_module"
+    "pcre"
+    "pcre2"
+  ];
+  # for each in defaultEnabled that are not in withFlags,
+  # add a --without option
+  # for each in withFlags that are not in defaultEnabled,
+  # add a --with option
+  withouts = lib.subtractLists options defaultEnabled;
+  withs = lib.subtractLists defaultEnabled options;
+
+in stdenv.mkDerivation {
+  pname = "nginx-small";
+  version  = "";
+  buildInputs = [ openssl pcre zlib ];
+  configureFlags =
+    (map (f: "--with-${f}") withs)
+    ++ (map (f: "--without-${f}") withouts)
+    ++ lib.optional (pcre == null)
+      "--without-http_rewrite_module"
+    ++ lib.optional (zlib == null)
+      "--without-http_gzip_module";
+
+  env.NIX_CFLAGS_COMPILE = "-Wno-error=cpp"; # musl
+
+  configurePlatforms = [];
+  patches = [
+    (fetchpatch {
+      url = "https://raw.githubusercontent.com/openwrt/packages/c057dfb09c7027287c7862afab965a4cd95293a3/net/nginx/patches/102-sizeof_test_fix.patch";
+      sha256 = "0i2k30ac8d7inj9l6bl0684kjglam2f68z8lf3xggcc2i5wzhh8a";
+    })
+    (fetchpatch {
+      url = "https://raw.githubusercontent.com/openwrt/packages/c057dfb09c7027287c7862afab965a4cd95293a3/net/nginx/patches/101-feature_test_fix.patch";
+      sha256 = "0v6890a85aqmw60pgj3mm7g8nkaphgq65dj4v9c6h58wdsrc6f0y";
+    })
+    (fetchpatch {
+      url = "https://raw.githubusercontent.com/openwrt/packages/c057dfb09c7027287c7862afab965a4cd95293a3/net/nginx/patches/103-sys_nerr.patch";
+      sha256 = "0s497x6mkz947aw29wdy073k8dyjq8j99lax1a1mzpikzr4rxlmd";
+    })
+  ];
+
+  src = fetchzip {
+    url = "https://nginx.org/download/nginx-1.26.2.tar.gz";
+    hash = "sha256-CQbvqISgca+LBpmTUuF8IuJZC9GNn8kT0hQwzfz+wH8=";
+  };
+}