Compare commits
5 Commits
3851698d35...71a1ef286e

| Author | SHA1 | Date |
|---|---|---|
| Daniel Barlow | 71a1ef286e | |
| Daniel Barlow | ffe0e9d26b | |
| Daniel Barlow | 2b22c7aa91 | |
| Daniel Barlow | 3c950704e1 | |
| Daniel Barlow | 8578a554c7 | |
19
NEWS
@ -48,4 +48,23 @@ them afterwards as though they were "out of tree". Refer to commit
b9c0d93670275e69df24902b05bf4aa4f0fcbe96 for a fuller explanation
of how this simplifies things.

2024-02-13

So that we can be more consistent about services that would like their
state to be preserved across boots (assuming a writable filesystem)
these changes have been made

* /run/service-state has been moved to /run/services/outputs
to better reflect what it's used for
* /run/services/state is either a symlink to /persist/services/state
(if there's a writeable fs on /persist) or a directory (if there
isn't)

The change will lose your ssh host key(s) unless you copy them from
the old location to the new one before rebooting into the new system

mkdir -m 02751 -p /run/services/state/dropbear
cp /persist/secrets/dropbear/* /run/services/state/dropbear

The `output`, `mkoutputs` functions defined by ${serviceFns}
have been updated for the new location.
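Review bot: the migration recipe in this hunk copies the host keys to a place that will not survive the reboot it is meant to precede. `mkdir -m 02751 -p /run/services/state/dropbear` and the following `cp` are run on the old system, where /run/services/state is not yet a symlink into /persist (that symlink is only created by the new init script at boot, which also recreates the whole /run/services tree every boot, so /run is evidently not persistent); the keys therefore land in the volatile /run and are gone after rebooting. Suggest copying to the persistent target instead, with `-p` so the private key modes are kept: `mkdir -m 02751 -p /persist/services/state/dropbear` and `cp -p /persist/secrets/dropbear/* /persist/services/state/dropbear`, followed by `chown root:system` to match what mkstate creates. The last paragraph should also list `mkstate` alongside `output` and `mkoutputs`, since it is the new function services are expected to use for persistent state.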
97
THOUGHTS.txt
@ -3952,3 +3952,100 @@ I can actually use it as a CPE. This means

- would be quite cool to run sniproxy instead of forwarding to
loaclhost (extra credit)

Sat Feb 10 18:23:54 GMT 2024

ARGH KERNEL

You can't define CONFIG_NETFILTER=y in a monolithic kernel and expect
later to separately build some modules that use it, because there are
a bunch of symbols that only get defined if certain other CONFIG
options are set at the time that the monolithic kernel is built.

https://github.com/torvalds/linux/blob/master/net/netfilter/core.c#L689

Another example is
https://github.com/torvalds/linux/blob/master/include/linux/netdevice.h#L160
- if you decide after building the kernel that you're going to build
some wireless modules, you can't do that without rebuilding the kernel
so that it knows to expect them

The moral of the story seems to be: if you have a compiled Linux kernel source tree and you change some symbol from "is not set" to m and then run make modules, you cannot in general expect that newly compiled module to work.

AP advertised VHT without HT, disabling HT/VHT/HE

TODO

- [done] support kernel version as parameter to builder pkgs/kernel/default.nix
- [done] extract the change in how module loading works from omnia device config,
and fix the other thing that uses it
- [axed] wlan module to take 'backported' as a parameter
half of the omnia conditionalConfig can go into the module
- [done] upgrade omnia to kernel v6
- figure out what mdns we need for local hostname resolution
(maybe bridging lan/wlan)?
- [DONE] slow wifi because "AP advertised VHT without HT, disabling HT/VHT/HE"
- [DONE] add local domain to secrets
- run sniproxy instead of forwarding
- [test] forward some port to loaclhost 22 for inbound ipv4 ssh


Mon Feb 12 21:50:35 GMT 2024

# find /run/service-state/dhcp6c.wan.link.pppoe/address/
/run/service-state/dhcp6c.wan.link.pppoe/address/
/run/service-state/dhcp6c.wan.link.pppoe/address/2001-8b0-1111-1111-0-ffff-51bb-4cf2_LFoo015bSsM
/run/service-state/dhcp6c.wan.link.pppoe/address/2001-8b0-1111-1111-0-ffff-51bb-4cf2_LFoo015bSsM/valid
/run/service-state/dhcp6c.wan.link.pppoe/address/2001-8b0-1111-1111-0-ffff-51bb-4cf2_LFoo015bSsM/preferred
/run/service-state/dhcp6c.wan.link.pppoe/address/2001-8b0-1111-1111-0-ffff-51bb-4cf2_LFoo015bSsM/len
/run/service-state/dhcp6c.wan.link.pppoe/address/2001-8b0-1111-1111-0-ffff-51bb-4cf2_LFoo015bSsM/address
#

valid 7199 preferred 3599

Tue Feb 13 19:44:57 GMT 2024

Before we put this back live, would be good to

[done] 1) move the leases file into /persist

I think we'll do /persist/service/<name>/ and change ssh to use the same
scheme.

we could put mkpersist() in serviceFns which would check for /persist
and return a directory in /persist/service/ or /run/service-state

(will something bad happen if we use /run/service-state? it will also
expose the thingy as an output, but whether it's accessible that way
will depend on whether there's a writable fs or not, which is unexpected)

: rename service-state to /run/services/outputs
: on boot
: if /persist
: create /persist/services/state and symlink /run/services/state to it
: else create /run/services/state


[done] 2) maybe change the local domain back to .lan? setting up
systemd-networkd with search domains is an awful faff

[done] 3) work out what to do with incoming ssh from wan

- For noetbook and thinkpad we have a vpn anyway so can expect to
reach loaclhost directly using ipv6

- stop ssh from ever trying to get to our ipv4 address.
- we could get rid of A record for loaclhost.telent.net but
there are a bunch of CNAMES pointing at it for web servers.
- we could reject incoming connections to tcp4 port 22 in firewall
and then there is a clear signal to Dont Do That Then

- for emergency use, dnat ipv4 2200 and 2201 to rotuer and loaclhost

Tue Feb 13 22:31:03 GMT 2024

the reason we can't reboot is that there is a service to add each lan
device to the bridge which does ifwait $dev running, which doesn't
return until there's something plugged in. So s6-rc hangs indefinitely
until the lan switch is fully populated. This is definitely a
"next milestone" thing
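Review bot: the two kernel references cite `blob/master/net/netfilter/core.c#L689` and `blob/master/include/linux/netdevice.h#L160`, which point at whatever master contains when someone reads the note and will drift away from the symbols they are meant to illustrate; pin them to a commit hash. The TODO list also disagrees with the dated entries below it: `- [test] forward some port to loaclhost 22 for inbound ipv4 ssh` is still pending while `[done] 3) work out what to do with incoming ssh from wan` settles on rejecting tcp4 port 22 in the firewall and keeping dnat of 2200 and 2201 for emergencies; update the TODO so the decision about what is reachable from the WAN is recorded in one place.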
@ -11,6 +11,6 @@ let
script = callPackage ./acquire-wan-address.nix { };
in longrun {
inherit name;
run = "${script} /run/service-state/${client.name} $(output ${interface} ifname)";
run = "${script} $SERVICE_OUTPUTS/${client.name} $(output ${interface} ifname)";
dependencies = [ client interface ];
}
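Review bot: `$SERVICE_OUTPUTS` in the new `run` line is expanded by the shell at service start, which only works if service-fns.sh has been sourced in that script, and nothing in this hunk shows that; if the variable is unset the argument silently degrades to `/${client.name}`, a directory at the root of the filesystem, and the service carries on with it. Writing it as `\${SERVICE_OUTPUTS:?}` in the Nix double-quoted string (so Nix passes `${SERVICE_OUTPUTS:?}` through to the shell) makes the run script fail loudly instead.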
@ -13,7 +13,7 @@ in longrun {
inherit name;
notification-fd = 10;
run = ''
export SERVICE_STATE=/run/service-state/${name}
export SERVICE_STATE=$SERVICE_OUTPUTS/${name}
${odhcp6c}/bin/odhcp6c -s ${odhcp-script} -e -v -p /run/${name}.pid -P0 $(output ${interface} ifname)
)
'';
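Review bot: the renamed export keeps the name `SERVICE_STATE` for what is now the outputs directory (`export SERVICE_STATE=$SERVICE_OUTPUTS/${name}`), while the service-fns.sh hunk in this same change defines `SERVICE_STATE=/run/services/state` with a different meaning; anything downstream that sources service-fns or reads the variable, the odhcp-script included, sees one name for two different trees. Suggest a distinct name for the per-service value (SERVICE_OUTPUT_DIR, say), or `$(mkoutputs ${name})`, which also creates the directory with the intended mode and group instead of assuming it exists.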
@ -11,6 +11,6 @@ let
script = callPackage ./acquire-delegated-prefix.nix { };
in longrun {
inherit name;
run = "${script} /run/service-state/${client.name} $(output ${interface} ifname)";
run = "${script} $SERVICE_OUTPUTS/${client.name} $(output ${interface} ifname)";
dependencies = [ client interface ];
}
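Review bot: `$SERVICE_OUTPUTS` here is expanded at run time and unquoted, so if this run script has not sourced service-fns.sh the path becomes `/${client.name}` with no error; `\${SERVICE_OUTPUTS:?}` in the Nix string would abort instead. Apart from the script name this hunk is identical to the acquire-wan-address change above; a shared helper in serviceFns that takes the script and client would keep the two from diverging the next time the layout moves.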
@ -44,7 +44,7 @@ longrun {
--log-debug \
--log-queries \
--log-facility=- \
--dhcp-leasefile=/run/${name}.leases \
--dhcp-leasefile=$(mkstate ${name})/leases \
--pid-file=/run/${name}.pid
'';
}
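Review bot: `$(mkstate ${name})` hands dnsmasq a directory created as mode 2751 root:system, and nothing in the hunk shows which user dnsmasq ends up running as; the old location in /run had whatever permissions /run had, so it is worth checking that the leases file can still be created and rewritten under the new directory when the daemon drops root, since a failure there means leases silently stop being recorded. The other behavioural change, that client MAC addresses and hostnames now survive reboots on /persist, belongs in NEWS next to the host-key note; the directory mode already keeps the file from being world-readable.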
@ -22,8 +22,15 @@ mount -t tmpfs none /tmp
mkdir /dev/pts
mount -t devpts none /dev/pts

mkdir -m 0751 /run/service-state
chgrp system /run/service-state
mkdir -m 0751 -p /run/services/outputs
chgrp system /run/services/outputs

if test -d /persist; then
mkdir -m 0751 -p /persist/services/state
(cd /run/services && ln -s ../../persist/services/state .)
else
mkdir -m 0751 -p /run/services/state
fi

### If your services are managed by s6-rc:
### (replace /run/service with your scandir)
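Review bot: the branch condition does not match the documented behaviour. NEWS says the symlink is made when there is a writeable fs on /persist, but the script only runs `test -d /persist`; on a box where /persist exists but is mounted read-only, or is an empty mount point, `mkdir -m 0751 -p /persist/services/state` fails, `/run/services/state` is left as a dangling symlink, and every later `mkstate` call fails with it. Test writability (`test -w /persist`), or attempt the mkdir and fall through to the /run directory when it fails. Also `/run/services/outputs` gets `chgrp system` but neither state directory does; give both trees the same group so their traversal rules match.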
@ -29,15 +29,12 @@ let
in
longrun {
name = "sshd";
# we need /run/dropbear to point to hostkey storage, as that
# pathname is hardcoded into the binary.
# env -i clears the environment so we don't pass anything weird to
# ssh sessions
run = ''
if test -d /persist; then
mkdir -p /persist/secrets/dropbear
ln -s /persist/secrets/dropbear /run
else
mkdir -p /run/dropbear
fi
ln -s $(mkstate dropbear) /run
. /etc/profile # sets PATH but do we need this? it's the same file as ashrc
exec env -i ENV=/etc/ashrc PATH=$PATH ${dropbear}/bin/dropbear ${concatStringsSep " " options}
'';
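Review bot: `ln -s $(mkstate dropbear) /run` errors on every restart of the service because /run/dropbear already exists from the previous start, and the run script has no `set -e`, so it only works because the stale link happens to point at the same directory; `ln -sfn` makes the step idempotent (the removed else branch was idempotent via `mkdir -p`, the removed /persist branch had the same problem). The hunk also drops the old /persist/secrets/dropbear location entirely, so a host that is not migrated first generates fresh host keys and every client sees a changed key, which is the warning NEWS needs to carry. With the keys now under a setgid root:system directory, confirm the key files themselves stay mode 0600, since group system gets r-x on the directory.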
@ -15,6 +15,6 @@ for i in run notification-fd up down consumer-for producer-for pipeline-name ; d
test -n "$(printenv $i)" && (echo "$(printenv $i)" > $out/${name}/$i)
done

( cd $out && ln -s /run/service-state/${name} ./.outputs )
( cd $out && ln -s /run/services/outputs/${name} ./.outputs )
for i in $out/${name}/{down,up,run} ; do test -f $i && chmod +x $i; done
true
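Review bot: the outputs path is hard-coded again here (`ln -s /run/services/outputs/${name} ./.outputs`), and the same constant appears as `prefix` in the Nix helper and as `SERVICE_OUTPUTS` in service-fns.sh elsewhere in this change; three copies of one path is how the old /run/service-state name ended up scattered across the tree in the first place. Pass the value into this builder from the single Nix definition so the next rename is one edit.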
@ -9,7 +9,7 @@
}:
let
inherit (builtins) concatStringsSep;
prefix = "/run/service-state";
prefix = "/run/services/outputs";
output = service: name: "${prefix}/${service.name}/${name}";
serviceScript = commands : ''
#!/bin/sh
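Review bot: `prefix` here and `SERVICE_OUTPUTS` in service-fns.sh must stay equal or the Nix-side `output` and the shell-side `output()` will read different trees with no error to show for it; derive the shell file from this value (interpolate `${prefix}` into the writeText body) rather than maintaining two literals.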
@ -2,8 +2,15 @@
writeText "service-fns.sh" ''
output() { cat $1/.outputs/$2; }
output_path() { echo $(realpath $1/.outputs)/$2; }
SERVICE_OUTPUTS=/run/services/outputs
SERVICE_STATE=/run/services/state
mkoutputs() {
d=/run/service-state/$1
d=$SERVICE_OUTPUTS/$1
mkdir -m 2751 -p $d && chown root:system $d
echo $d
}
mkstate() {
d=$SERVICE_STATE/$1
mkdir -m 2751 -p $d && chown root:system $d
echo $d
}
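Review bot: `SERVICE_OUTPUTS` and `SERVICE_STATE` are assigned without `export`, so they are visible only in the shell that sources service-fns.sh and not in anything it execs (the odhcp6c run script has to re-export its own value for that reason); either export them or document that callers must. `mkoutputs` and `mkstate` are the same three lines apart from the base directory, and neither validates `$1`: a name containing `/` or `..` creates and returns a directory outside the intended tree, and the unquoted `$d` breaks on any name with whitespace. One helper along the lines of `_mkowned() { mkdir -m 2751 -p "$1" && chown root:system "$1" && echo "$1"; }`, called after a `case "$1" in */*|.*) return 1;; esac` guard, covers both; note too that `mkdir -p` leaves the mode of a pre-existing directory untouched, so the 2751 only applies on first creation.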