deep thoughts

use mkstate for dropbear keys
dnsmasq: store dhcp lease file on /persist
2024-02-13 22:32:57 +00:00 · 2024-02-13 22:12:26 +00:00 · 2024-02-13 21:54:45 +00:00 · 2024-02-13 21:41:43 +00:00 · 2024-02-13 21:11:30 +00:00
11 changed files with 142 additions and 15 deletions
--- a/19
+++ b/19
@ -48,4 +48,23 @@ them afterwards as though they were "out of tree". Refer to commit
 b9c0d93670275e69df24902b05bf4aa4f0fcbe96 for a fuller explanation
 of how this simplifies things.

+2024-02-13

+So that we can be more consistent about services that would like their
+state to be preserved across boots (assuming a writable filesystem)
+these changes have been made
+
+* /run/service-state has been moved to /run/services/outputs
+ to better reflect what it's used for
+* /run/services/state is either a symlink to /persist/services/state
+ (if there's a writeable fs on /persist) or a directory (if there
+ isn't)
+
+The change will lose your ssh host key(s) unless you copy them from
+the old location to the new one before rebooting into the new system
+
+   mkdir -m 02751 -p /run/services/state/dropbear
+   cp /persist/secrets/dropbear/* /run/services/state/dropbear
+
+The `output`, `mkoutputs` functions defined by ${serviceFns}
+have been updated for the new location.
--- a/THOUGHTS.txt
+++ b/THOUGHTS.txt
@ -3952,3 +3952,100 @@ I can actually use it as a CPE. This means

 - would be quite cool to run sniproxy instead of forwarding to
  loaclhost (extra credit)
+
+Sat Feb 10 18:23:54 GMT 2024
+
+ARGH KERNEL
+
+You can't define CONFIG_NETFILTER=y in a monolithic kernel and expect
+later to separately build some modules that use it, because there are
+a bunch of symbols that only get defined if certain other CONFIG
+options are set at the time that the monolithic kernel is built.
+
+https://github.com/torvalds/linux/blob/master/net/netfilter/core.c#L689
+
+Another example is
+https://github.com/torvalds/linux/blob/master/include/linux/netdevice.h#L160
+- if you decide after building the kernel that you're going to build
+some wireless modules, you can't do that without rebuilding the kernel
+so that it knows to expect them
+
+The moral of the story seems to be: if you have a compiled Linux kernel source tree and you change some symbol from "is not set" to m and then run  make modules, you cannot in general expect that newly compiled  module to work.
+
+AP advertised VHT without HT, disabling HT/VHT/HE
+
+TODO
+
+- [done] support kernel version as parameter to builder pkgs/kernel/default.nix
+- [done] extract the change in how module loading works from omnia device config,
+  and fix the other thing that uses it
+- [axed] wlan module to take 'backported' as a parameter
+  half of the omnia conditionalConfig can go into the module
+- [done] upgrade omnia to kernel v6
+- figure out what mdns we need for local hostname resolution
+  (maybe bridging lan/wlan)?
+- [DONE] slow wifi because "AP advertised VHT without HT, disabling HT/VHT/HE"
+- [DONE] add local domain to secrets
+- run sniproxy instead of forwarding
+- [test] forward some port to loaclhost 22 for inbound ipv4 ssh
+
+
+Mon Feb 12 21:50:35 GMT 2024
+
+# find  /run/service-state/dhcp6c.wan.link.pppoe/address/
+/run/service-state/dhcp6c.wan.link.pppoe/address/
+/run/service-state/dhcp6c.wan.link.pppoe/address/2001-8b0-1111-1111-0-ffff-51bb-4cf2_LFoo015bSsM
+/run/service-state/dhcp6c.wan.link.pppoe/address/2001-8b0-1111-1111-0-ffff-51bb-4cf2_LFoo015bSsM/valid
+/run/service-state/dhcp6c.wan.link.pppoe/address/2001-8b0-1111-1111-0-ffff-51bb-4cf2_LFoo015bSsM/preferred
+/run/service-state/dhcp6c.wan.link.pppoe/address/2001-8b0-1111-1111-0-ffff-51bb-4cf2_LFoo015bSsM/len
+/run/service-state/dhcp6c.wan.link.pppoe/address/2001-8b0-1111-1111-0-ffff-51bb-4cf2_LFoo015bSsM/address
+#
+
+valid 7199 preferred 3599
+
+Tue Feb 13 19:44:57 GMT 2024
+
+Before we put this back live, would be good to
+
+[done] 1) move the leases file into /persist
+
+I think we'll do /persist/service/<name>/ and change ssh to use the same
+scheme.
+
+we could put mkpersist() in serviceFns which would check for /persist
+and return a directory in /persist/service/ or /run/service-state
+
+(will something bad happen if we use /run/service-state? it will also
+expose the thingy as an output, but whether it's accessible that way
+will depend on whether there's a writable fs or not, which is unexpected)
+
+: rename service-state to  /run/services/outputs
+: on boot
+:  if /persist
+:    create /persist/services/state and symlink /run/services/state to it
+:  else create /run/services/state
+
+
+[done] 2) maybe change the local domain back to .lan?  setting up
+  systemd-networkd with search domains is an awful faff
+
+[done] 3) work out what to do with incoming ssh from wan
+
+- For noetbook and thinkpad we have a vpn anyway so can expect to
+  reach loaclhost directly using ipv6
+
+- stop ssh from ever trying to get to our ipv4 address.
+  - we could get rid of A record for loaclhost.telent.net but
+    there are a bunch of CNAMES pointing at it for web servers.
+  - we could reject incoming connections to tcp4 port 22 in firewall
+    and then there is a clear signal to Dont Do That Then
+
+- for emergency use, dnat ipv4 2200 and 2201 to rotuer and loaclhost
+
+Tue Feb 13 22:31:03 GMT 2024
+
+the reason we can't reboot is that there is a service to add each lan
+device to the bridge which does ifwait $dev running, which doesn't
+return until there's something plugged in. So s6-rc hangs indefinitely
+until the lan switch is fully populated. This is definitely a
+"next milestone" thing
--- a/modules/dhcp6c/address.nix
+++ b/modules/dhcp6c/address.nix
@ -11,6 +11,6 @@ let
  script = callPackage ./acquire-wan-address.nix {  };
 in longrun {
  inherit name;
-  run = "${script} /run/service-state/${client.name} $(output ${interface} ifname)";
+  run = "${script} $SERVICE_OUTPUTS/${client.name} $(output ${interface} ifname)";
  dependencies = [ client interface ];
 }
--- a/modules/dhcp6c/client.nix
+++ b/modules/dhcp6c/client.nix
@ -13,7 +13,7 @@ in longrun {
  inherit name;
  notification-fd = 10;
  run = ''
-    export SERVICE_STATE=/run/service-state/${name}
+    export SERVICE_STATE=$SERVICE_OUTPUTS/${name}
    ${odhcp6c}/bin/odhcp6c -s ${odhcp-script} -e -v -p /run/${name}.pid -P0 $(output ${interface} ifname)
    )
  '';
--- a/modules/dhcp6c/prefix.nix
+++ b/modules/dhcp6c/prefix.nix
@ -11,6 +11,6 @@ let
  script = callPackage ./acquire-delegated-prefix.nix {  };
 in longrun {
  inherit name;
-  run = "${script} /run/service-state/${client.name} $(output ${interface} ifname)";
+  run = "${script} $SERVICE_OUTPUTS/${client.name} $(output ${interface} ifname)";
  dependencies = [ client interface ];
 }
--- a/modules/dnsmasq/service.nix
+++ b/modules/dnsmasq/service.nix
@ -44,7 +44,7 @@ longrun {
    --log-debug \
    --log-queries \
    --log-facility=- \
-    --dhcp-leasefile=/run/${name}.leases \
+    --dhcp-leasefile=$(mkstate ${name})/leases \
    --pid-file=/run/${name}.pid
  '';
 }
--- a/modules/s6/scripts/rc.init
+++ b/modules/s6/scripts/rc.init
@ -22,8 +22,15 @@ mount -t tmpfs none /tmp
 mkdir /dev/pts
 mount -t devpts none /dev/pts

-mkdir -m 0751 /run/service-state
-chgrp system /run/service-state
+mkdir -m 0751 -p /run/services/outputs
+chgrp system /run/services/outputs
+
+if test -d /persist; then
+    mkdir -m 0751  -p /persist/services/state
+    (cd /run/services && ln -s ../../persist/services/state .)
+else
+    mkdir -m 0751 -p /run/services/state
+fi

 ### If your services are managed by s6-rc:
 ### (replace /run/service with your scandir)
--- a/modules/ssh/ssh.nix
+++ b/modules/ssh/ssh.nix
@ -29,15 +29,12 @@ let
 in
 longrun {
  name = "sshd";
+  # we need /run/dropbear to point to hostkey storage, as that
+  # pathname is hardcoded into the binary.
  # env -i clears the environment so we don't pass anything weird to
  # ssh sessions
  run = ''
-    if test -d /persist; then
-      mkdir -p /persist/secrets/dropbear
-      ln -s /persist/secrets/dropbear /run
-    else
-      mkdir -p /run/dropbear
-    fi
+    ln -s $(mkstate dropbear) /run
    . /etc/profile # sets PATH but do we need this?  it's the same file as ashrc
    exec env -i ENV=/etc/ashrc PATH=$PATH ${dropbear}/bin/dropbear ${concatStringsSep " " options}
  '';
--- a/pkgs/liminix-tools/services/builder.sh
+++ b/pkgs/liminix-tools/services/builder.sh
@ -15,6 +15,6 @@ for i in run notification-fd up down consumer-for producer-for pipeline-name ; d
    test -n "$(printenv $i)" && (echo "$(printenv $i)" > $out/${name}/$i)
 done

-( cd $out && ln -s /run/service-state/${name} ./.outputs )
+( cd $out && ln -s /run/services/outputs/${name} ./.outputs )
 for i in $out/${name}/{down,up,run} ; do test -f $i && chmod +x $i; done
 true
--- a/pkgs/liminix-tools/services/default.nix
+++ b/pkgs/liminix-tools/services/default.nix
@ -9,7 +9,7 @@
 }:
 let
  inherit (builtins) concatStringsSep;
-  prefix = "/run/service-state";
+  prefix = "/run/services/outputs";
  output = service: name: "${prefix}/${service.name}/${name}";
  serviceScript = commands : ''
    #!/bin/sh
--- a/pkgs/service-fns/default.nix
+++ b/pkgs/service-fns/default.nix
@ -2,8 +2,15 @@
 writeText "service-fns.sh" ''
  output() { cat $1/.outputs/$2; }
  output_path() { echo $(realpath $1/.outputs)/$2; }
+  SERVICE_OUTPUTS=/run/services/outputs
+  SERVICE_STATE=/run/services/state
  mkoutputs() {
-    d=/run/service-state/$1
+    d=$SERVICE_OUTPUTS/$1
+    mkdir -m 2751 -p $d && chown root:system $d
+    echo $d
+  }
+  mkstate() {
+    d=$SERVICE_STATE/$1
    mkdir -m 2751 -p $d && chown root:system $d
    echo $d
  }
Author	SHA1	Message	Date
Daniel Barlow	71a1ef286e	deep thoughts	2024-02-13 22:32:57 +00:00
Daniel Barlow	ffe0e9d26b	use mkstate for dropbear keys	2024-02-13 22:12:26 +00:00
Daniel Barlow	2b22c7aa91	dnsmasq: store dhcp lease file on /persist	2024-02-13 21:54:45 +00:00
Daniel Barlow	3c950704e1	rename /run/service-state to /run/services/outputs	2024-02-13 21:41:43 +00:00
Daniel Barlow	8578a554c7	deep thoughts	2024-02-13 21:11:30 +00:00