10 changed files with 40 additions and 293 deletions
--- a/boot.expect
+++ b/boot.expect
@ -2,37 +2,19 @@
 # use expect as its "Script program" instead of runscript.  Try
 # Ctrl+A O -> Filenames and paths -> D

-fconfigure stderr -buffering  none
-fconfigure stdout -buffering  none
-
-proc waitprompt { } {
-    expect {
-      "BusyBox" { puts stderr  "DONE\r"; exit 0 }
-      "READY" { puts stderr ";;; READY\r"; }
-      timeout { puts stderr ";;; timed out waiting after $line\r" }
-    }
-}
-
-proc sendline { line } {
-     send "$line; echo \$ready \r"
-}
-
 log_user 0
 log_file -a -open stderr
-
 set f [open "result/boot.scr"]
-
-send "setenv ready REA\rsetenv ready \${ready}DY\r"
-
-set timeout 300
-expect_before timeout abort
+send "version\r"
+set timeout 60
 while {[gets $f line] >= 0} {
-    puts stderr ";;; next line $line\r"
-    puts stderr ";;; waiting for prompt\r"
-    puts stderr ";;; sending\r"	
-    sendline $line
-    waitprompt
+    puts stderr "next line $line\r"
+    puts stderr "waiting for prompt\r"	
+    expect {
+      "ath>" {}
+      "BusyBox" { puts stderr  "DONE"; exit 0 }
+    }
+    send "$line\r\n"
 }
-
 puts stderr "done\r\n"
 close $f
--- a/devices/belkin-rt3200/default.nix
+++ b/devices/belkin-rt3200/default.nix
@ -192,6 +192,11 @@
        NET_DSA_MT7530="y";
        NET_DSA_TAG_MTK="y";

+        PSTORE = "y";
+        PSTORE_RAM = "y";
+        PSTORE_CONSOLE = "y";
+        PSTORE_DEFLATE_COMPRESS = "n";
+
        SERIAL_8250 = "y";
        SERIAL_8250_CONSOLE = "y";
        SERIAL_8250_MT6577="y";
@ -215,9 +220,8 @@
      commandLine = [ "console=ttyS0,115200" ];
      tftp.loadAddress = lim.parseInt "0x4007ff28";
      imageFormat = "fit";
-      loader.fit.enable = lib.mkDefault true; # override this if you are building tftpboot
    };
-    rootfsType = lib.mkDefault "ubifs"; # override this if you are building tftpboot
+    rootfsType = lib.mkDefault "ubifs";
    filesystem =
      let inherit (pkgs.pseudofile) dir symlink;
           in
--- a/examples/module-https-proxy.nix
+++ b/examples/module-https-proxy.nix
@ -1,81 +0,0 @@
-# This is "contrib"-level code. This module solves a particular
-# problem for my particular setup and is provided as is, as an example
-# of how you might write something similar if you had a similar
-# problem. Don't expect it to work unmolested in your setup (you will
-# at the absolute minimum have to change the domain name), nor even to
-# continue to exist without possibly being changed beyond recognition.
-
-# The computers on my LAN have globally unique routable IPv6
-# addresses, but I have only one public IPv4 address. I want to expose
-# HTTPS services to the Internet _whatever_ machine is hosting them,
-# so I publish an AAAA record to the machine itself, and an A record
-# to the public v4 address of the router which is running this nginx.
-# This nginx checks the SNI in the incoming connection and forwards
-# the connection to the (IPv6 address of the) same hostname
-
-# See https://ww.telent.net/2020/12/2/six_into_4_won_t_go for
-# the original solution to this problem, which used sniproxy (now
-# unmaintained) instead of nginx
-
-{ config, pkgs, ... }:
-let
-  inherit (pkgs.liminix.services)  longrun;
-  inherit (pkgs) writeText;
-in {
-  config = {
-    users.nginx = {
-      uid = 52; gid= 52;
-      dir = "/run/";
-      shell = "/bin/false";
-    };
-    groups.nginx = {
-      gid= 52;
-      usernames = ["nginx"];
-    };
-
-    services.sniproxy =
-      let
-        nginx = pkgs.nginx-small.override {
-          pcre = null;
-          zlib = null;
-          options = [
-            "stream"
-            "stream_ssl_module" "stream_ssl_preread_module"
-            "stream_map_module"
-          ];
-        };
-        conf = writeText "nginx.conf" ''
-          worker_processes auto;
-          error_log /proc/self/fd/1 info;
-          pid /dev/null;
-          user nginx;
-          daemon off;
-          events {
-              worker_connections 1024;
-          }
-
-          stream {
-              log_format proxy '$remote_addr -> $ssl_target';
-              access_log /proc/self/fd/1 proxy;
-              map $ssl_preread_server_name $ssl_target {
-                  hostnames;
-                  .telent.net    $ssl_preread_server_name:443;
-              }
-
-              server {
-                  listen 443;
-                  resolver 127.0.0.1 ipv6=on ipv4=off;
-                  resolver_timeout 1s;
-                  proxy_pass $ssl_target;
-                  ssl_preread on;
-              }
-          }
-      '';
-      in longrun {
-        name = "sniproxy";
-        run = ''
-          ${nginx}/bin/nginx -c ${conf}
-        '';
-      };
-  };
-}
--- a/modules/firewall/default-rules.nix
+++ b/modules/firewall/default-rules.nix
@ -131,12 +131,12 @@ in {
      "iifname int jump input-ip6-lan"
      "iifname ppp0 jump input-ip6-wan"
      (if allow-incoming
-       then accept "iifname \"ppp0\""
-       else "iifname \"ppp0\" jump incoming-allowed-ip6"
+       then accept "oifname \"int\" iifname \"ppp0\""
+       else "oifname \"int\" iifname \"ppp0\" jump incoming-allowed-ip6"
      )
      # how does this even make sense in an input chain?
-      (accept "iifname \"ppp0\"  ct state established,related")
-      (accept "iifname \"int\" ")
+      (accept "oifname \"int\" iifname \"ppp0\"  ct state established,related")
+      (accept "iifname \"int\" oifname \"ppp0\" ")
      "log prefix \"DENIED CHAIN=input-ip6 \""
    ];
  };
--- a/modules/outputs.nix
+++ b/modules/outputs.nix
@ -12,7 +12,6 @@ in
 {
  imports = [
    ./outputs/squashfs.nix
-    ./outputs/jffs2.nix
    ./outputs/vmroot.nix
    ./outputs/boot-extlinux.nix
    ./outputs/boot-fit.nix
--- a/modules/outputs/tftpboot.nix
+++ b/modules/outputs/tftpboot.nix
@ -57,8 +57,6 @@ in {

    system.outputs = rec {
      tftpboot =
-        # no ubifs on an mtd directly, it needs ubi volumes
-        assert config.rootfsType != "ubifs";
        let
          o = config.system.outputs;
          image = let choices = {
--- a/modules/ssh/default.nix
+++ b/modules/ssh/default.nix
@ -7,7 +7,6 @@
 let
  inherit (lib) mkOption types;
  inherit (pkgs) liminix;
-  inherit (pkgs.pseudofile) dir file;
  mkBoolOption = description : mkOption {
    type = types.bool;
    inherit description;
@ -21,13 +20,6 @@ in {
    };
  };
  config.programs.busybox.options.FEATURE_FANCY_ECHO = "y";
-  config.filesystem = dir {
-    etc = dir {
-      shells = {
-        file = "/bin/sh\n";
-      };
-    };
-  };
  config.system.service = {
    ssh = config.system.callService ./ssh.nix {
      address = mkOption {
--- a/pkgs/default.nix
+++ b/pkgs/default.nix
@ -96,7 +96,6 @@ in {
  minisock = callPackage ./minisock { };
  nellie = callPackage ./nellie { };
  netlink-lua = callPackage ./netlink-lua { };
-  nginx-small = callPackage ./nginx-small { };
  odhcp-script = callPackage ./odhcp-script { };
  odhcp6c = callPackage ./odhcp6c { };
  openwrt = callPackage ./openwrt { };
--- a/pkgs/dropbear/add-authkeyfile-option.patch
+++ b/pkgs/dropbear/add-authkeyfile-option.patch
@ -1,28 +1,20 @@
-From 9c0ac9e41a393e0f16a57e36d9369d61d39e9aa5 Mon Sep 17 00:00:00 2001
-From: Daniel Barlow <dan@telent.net>
-Date: Fri, 23 Aug 2024 11:33:24 +0100
-Subject: [PATCH] add -U otion to set path to authorized_keys file
+commit bd51aae2e40814ac2ae5801fd9f83f6a4a886fb1
+Author: Daniel Barlow <dan@telent.net>
+Date:   Fri Aug 23 11:33:24 2024 +0100

-based on https://github.com/mkj/dropbear/pull/35
-by Salvador Fandino sfandino@yahoo.com
-
- Allow authorized keys inside dirs with the sticky bit set
-
- Add option -U for customizing authorized_keys path
-
- Updated for dropbear 2024.85 (source files moved to src/)
-
- allow %u, %d, %n "format specifiers" in pathname so that the user's
-  username/homedir/uid can be embedded into the path
---
- Makefile.in          |   2 +-
- manpages/dropbear.8  |   3 +
- src/pathexpand.c     | 149 +++++++++++++++++++++++++++++++++++++++++++
- src/runopts.h        |   3 +-
- src/svr-authpubkey.c |  86 +++++++++++--------------
- src/svr-runopts.c    |  10 +++
- 6 files changed, 203 insertions(+), 50 deletions(-)
- create mode 100644 src/pathexpand.c
+    add -U otion to set path to authorized_keys file
+    
+    based on https://github.com/mkj/dropbear/pull/35
+    by Salvador Fandino sfandino@yahoo.com
+    
+    - Allow authorized keys inside dirs with the sticky bit set
+    
+    - Add option -U for customizing authorized_keys path
+    
+    - Updated for dropbear 2024.85 (source files moved to src/)
+    
+    - allow %u, %d, %n "format specifiers" in pathname so that the user's
+      username/homedir/uid can be embedded into the path

 diff --git a/Makefile.in b/Makefile.in
 index 5ebfca2..686fbfb 100644
@ -53,16 +45,15 @@ index bdb2ea0..c8d450d 100644
 .TP
 diff --git a/src/pathexpand.c b/src/pathexpand.c
 new file mode 100644
-index 0000000..07e6955
+index 0000000..2028733
 --- /dev/null
 +++ b/src/pathexpand.c
-@@ -0,0 +1,149 @@
+@@ -0,0 +1,132 @@
 +#include <limits.h>
 +#include <string.h>
 +#include <stdio.h>
 +
 +#ifdef TEST_PATHEXPAND
-+#include <stdlib.h>
 +
 +/* to run tests:
 +  gcc -Wall -o pathexpand -D TEST_PATHEXPAND=1 src/pathexpand.c && ./pathexpand
@ -73,17 +64,6 @@ index 0000000..07e6955
 +
 +#define m_malloc(c) malloc(c)
 +#define m_strdup(c) strdup(c)
-+#define TRACE(c) dropbear_trace1 c
-+#include <stdarg.h>
-+
-+inline static void dropbear_trace1(const char* format, ...) {
-+        va_list param;
-+
-+        va_start(param, format);
-+        /* vfprintf(stderr, format, param); */
-+	/* fprintf(stderr, "\n"); */
-+}
-+
 +
 +struct session {
 +    struct AuthState {
@ -144,8 +124,6 @@ index 0000000..07e6955
 +    /* unrecognised specifiers are discarded */
 +    expect_expansion("/hi/%q/.ssh", "/hi//.ssh");
 +
-+
-+    expect_expansion("%d/.ssh/authorized_keys", "/home/dan/.ssh/authorized_keys");
 +    exit(exit_status);
 +}
 +
@ -177,14 +155,11 @@ index 0000000..07e6955
 +    char *out = filename;
 +    char *p = relfilename;
 +    do {
-+	p = strchr(start, '%');
-+
-+	if(!p) {
-+	    strcat(out, start);
-+	    break;
-+	}
+	p = strchrnul(start, '%');
 +	strncat(out, start, p - start);
 +
+	if(*p == '\0') break;
+
 +	switch(*(p+1)) {
 +	case '\0':
 +	    p++; break;
@ -409,6 +384,3 @@ index c4f83c1..faddfa2 100644
 		}
 	}
 
-- 
-2.47.0
-
--- a/pkgs/nginx-small/default.nix
+++ b/pkgs/nginx-small/default.nix
@ -1,118 +0,0 @@
-# There is stuff in the nixpkgs nginx that's quite difficult to
-# disable if you want the smallest possible nginx for a single use, so
-# herewith a derivation that allows fine-grained control of all the
-# --with and --without options. The patches are from nixpkgs (or from
-# openwrt via nixpkgs, it looks like) and at least one of them is
-# essential for making the package cross-compilable
-
-{
-  stdenv
-, openssl
-, fetchzip
-, fetchpatch
-, pcre
-, zlib
-, lib
-, options ? []
-}:
-let
-  # nginx configure script does not accept a with-foo_module flag for
-  # a foo_module that's already included, nor a without-foo_module
-  # for a module that isn't. Ho hum
-  #  grep -E 'without.+\)' auto/options | sed -e 's/).*$//g' -e 's/.*--without-//g'
-  defaultEnabled = [
-    "select_module"
-    "poll_module"
-    "quic_bpf_module"
-    "http"
-    "http-cache"
-    "http_charset_module"
-    "http_gzip_module"
-    "http_ssi_module"
-    "http_userid_module"
-    "http_access_module"
-    "http_auth_basic_module"
-    "http_mirror_module"
-    "http_autoindex_module"
-    "http_status_module"
-    "http_geo_module"
-    "http_map_module"
-    "http_split_clients_module"
-    "http_referer_module"
-    "http_rewrite_module"
-    "http_proxy_module"
-    "http_fastcgi_module"
-    "http_uwsgi_module"
-    "http_scgi_module"
-    "http_grpc_module"
-    "http_memcached_module"
-    "http_limit_conn_module"
-    "http_limit_req_module"
-    "http_empty_gif_module"
-    "http_browser_module"
-    "http_upstream_hash_module"
-    "http_upstream_ip_hash_module"
-    "http_upstream_least_conn_module"
-    "http_upstream_random_module"
-    "http_upstream_keepalive_module"
-    "http_upstream_zone_module"
-    "mail_pop3_module"
-    "mail_imap_module"
-    "mail_smtp_module"
-    "stream_limit_conn_module"
-    "stream_access_module"
-    "stream_geo_module"
-    "stream_map_module"
-    "stream_split_clients_module"
-    "stream_return_module"
-    "stream_pass_module"
-    "stream_set_module"
-    "stream_upstream_hash_module"
-    "stream_upstream_least_conn_module"
-    "stream_upstream_random_module"
-    "stream_upstream_zone_module"
-    "pcre"
-    "pcre2"
-  ];
-  # for each in defaultEnabled that are not in withFlags,
-  # add a --without option
-  # for each in withFlags that are not in defaultEnabled,
-  # add a --with option
-  withouts = lib.subtractLists options defaultEnabled;
-  withs = lib.subtractLists defaultEnabled options;
-
-in stdenv.mkDerivation {
-  pname = "nginx-small";
-  version  = "";
-  buildInputs = [ openssl pcre zlib ];
-  configureFlags =
-    (map (f: "--with-${f}") withs)
-    ++ (map (f: "--without-${f}") withouts)
-    ++ lib.optional (pcre == null)
-      "--without-http_rewrite_module"
-    ++ lib.optional (zlib == null)
-      "--without-http_gzip_module";
-
-  env.NIX_CFLAGS_COMPILE = "-Wno-error=cpp"; # musl
-
-  configurePlatforms = [];
-  patches = [
-    (fetchpatch {
-      url = "https://raw.githubusercontent.com/openwrt/packages/c057dfb09c7027287c7862afab965a4cd95293a3/net/nginx/patches/102-sizeof_test_fix.patch";
-      sha256 = "0i2k30ac8d7inj9l6bl0684kjglam2f68z8lf3xggcc2i5wzhh8a";
-    })
-    (fetchpatch {
-      url = "https://raw.githubusercontent.com/openwrt/packages/c057dfb09c7027287c7862afab965a4cd95293a3/net/nginx/patches/101-feature_test_fix.patch";
-      sha256 = "0v6890a85aqmw60pgj3mm7g8nkaphgq65dj4v9c6h58wdsrc6f0y";
-    })
-    (fetchpatch {
-      url = "https://raw.githubusercontent.com/openwrt/packages/c057dfb09c7027287c7862afab965a4cd95293a3/net/nginx/patches/103-sys_nerr.patch";
-      sha256 = "0s497x6mkz947aw29wdy073k8dyjq8j99lax1a1mzpikzr4rxlmd";
-    })
-  ];
-
-  src = fetchzip {
-    url = "https://nginx.org/download/nginx-1.26.2.tar.gz";
-    hash = "sha256-CQbvqISgca+LBpmTUuF8IuJZC9GNn8kT0hQwzfz+wH8=";
-  };
-}