dan/liminix
1
0
Fork 5
Code

Compare commits

base: dan:3851698d35e355c2a4d2758ecc9cc9636e669588
Branches Tags
dan:main
dan:nftables-turned
dan:firescape
dan:runciter
dan:wip-pstore-tls
dan:fallover
dan:lte
dan:gateway-profile
dan:tftpboot-append-dtb
dan:mainline-omnia-wip
dan:armv7
dan:hark-how-all-the-belkin-rings
dan:first-do-no-arm
dan:doc-do-over
dan:module-based-network
dan:v1.0.0
...
compare: dan:71a1ef286e9b45ea8b9c8ed10e94e10ea713a3fe
Branches Tags
dan:main
dan:nftables-turned
dan:firescape
dan:runciter
dan:wip-pstore-tls
dan:fallover
dan:lte
dan:gateway-profile
dan:tftpboot-append-dtb
dan:mainline-omnia-wip
dan:armv7
dan:hark-how-all-the-belkin-rings
dan:first-do-no-arm
dan:doc-do-over
dan:module-based-network
dan:v1.0.0

5 Commits
3851698d35 ... 71a1ef286e

Author SHA1 Message Date
Daniel Barlow
71a1ef286e deep thoughts 2024-02-13 22:32:57 +00:00
Daniel Barlow
ffe0e9d26b use mkstate for dropbear keys 2024-02-13 22:12:26 +00:00
Daniel Barlow
2b22c7aa91 dnsmasq: store dhcp lease file on /persist 2024-02-13 21:54:45 +00:00
Daniel Barlow
3c950704e1 rename /run/service-state to /run/services/outputs 2024-02-13 21:41:43 +00:00
Daniel Barlow
8578a554c7 deep thoughts 2024-02-13 21:11:30 +00:00
11 changed files with 142 additions and 15 deletions
Show Stats Expand all files Collapse all files

19
NEWS
View File

@ -48,4 +48,23 @@ them afterwards as though they were "out of tree". Refer to commit
b9c0d93670275e69df24902b05bf4aa4f0fcbe96 for a fuller explanation b9c0d93670275e69df24902b05bf4aa4f0fcbe96 for a fuller explanation
of how this simplifies things. of how this simplifies things.
2024-02-13
So that we can be more consistent about services that would like their
state to be preserved across boots (assuming a writable filesystem)
these changes have been made
* /run/service-state has been moved to /run/services/outputs
to better reflect what it's used for
* /run/services/state is either a symlink to /persist/services/state
(if there's a writeable fs on /persist) or a directory (if there
isn't)
The change will lose your ssh host key(s) unless you copy them from
the old location to the new one before rebooting into the new system
mkdir -m 02751 -p /run/services/state/dropbear
cp /persist/secrets/dropbear/* /run/services/state/dropbear
The `output`, `mkoutputs` functions defined by ${serviceFns}
have been updated for the new location.

97
THOUGHTS.txt
View File

@ -3952,3 +3952,100 @@ I can actually use it as a CPE. This means
- would be quite cool to run sniproxy instead of forwarding to - would be quite cool to run sniproxy instead of forwarding to
loaclhost (extra credit) loaclhost (extra credit)
Sat Feb 10 18:23:54 GMT 2024
ARGH KERNEL
You can't define CONFIG_NETFILTER=y in a monolithic kernel and expect
later to separately build some modules that use it, because there are
a bunch of symbols that only get defined if certain other CONFIG
options are set at the time that the monolithic kernel is built.
https://github.com/torvalds/linux/blob/master/net/netfilter/core.c#L689
Another example is
https://github.com/torvalds/linux/blob/master/include/linux/netdevice.h#L160
- if you decide after building the kernel that you're going to build
some wireless modules, you can't do that without rebuilding the kernel
so that it knows to expect them
The moral of the story seems to be: if you have a compiled Linux kernel source tree and you change some symbol from "is not set" to m and then run make modules, you cannot in general expect that newly compiled module to work.
AP advertised VHT without HT, disabling HT/VHT/HE
TODO
- [done] support kernel version as parameter to builder pkgs/kernel/default.nix
- [done] extract the change in how module loading works from omnia device config,
and fix the other thing that uses it
- [axed] wlan module to take 'backported' as a parameter
half of the omnia conditionalConfig can go into the module
- [done] upgrade omnia to kernel v6
- figure out what mdns we need for local hostname resolution
(maybe bridging lan/wlan)?
- [DONE] slow wifi because "AP advertised VHT without HT, disabling HT/VHT/HE"
- [DONE] add local domain to secrets
- run sniproxy instead of forwarding
- [test] forward some port to loaclhost 22 for inbound ipv4 ssh
Mon Feb 12 21:50:35 GMT 2024
# find /run/service-state/dhcp6c.wan.link.pppoe/address/
/run/service-state/dhcp6c.wan.link.pppoe/address/
/run/service-state/dhcp6c.wan.link.pppoe/address/2001-8b0-1111-1111-0-ffff-51bb-4cf2_LFoo015bSsM
/run/service-state/dhcp6c.wan.link.pppoe/address/2001-8b0-1111-1111-0-ffff-51bb-4cf2_LFoo015bSsM/valid
/run/service-state/dhcp6c.wan.link.pppoe/address/2001-8b0-1111-1111-0-ffff-51bb-4cf2_LFoo015bSsM/preferred
/run/service-state/dhcp6c.wan.link.pppoe/address/2001-8b0-1111-1111-0-ffff-51bb-4cf2_LFoo015bSsM/len
/run/service-state/dhcp6c.wan.link.pppoe/address/2001-8b0-1111-1111-0-ffff-51bb-4cf2_LFoo015bSsM/address
#
valid 7199 preferred 3599
Tue Feb 13 19:44:57 GMT 2024
Before we put this back live, would be good to
[done] 1) move the leases file into /persist
I think we'll do /persist/service/<name>/ and change ssh to use the same
scheme.
we could put mkpersist() in serviceFns which would check for /persist
and return a directory in /persist/service/ or /run/service-state
(will something bad happen if we use /run/service-state? it will also
expose the thingy as an output, but whether it's accessible that way
will depend on whether there's a writable fs or not, which is unexpected)
: rename service-state to /run/services/outputs
: on boot
: if /persist
: create /persist/services/state and symlink /run/services/state to it
: else create /run/services/state
[done] 2) maybe change the local domain back to .lan? setting up
systemd-networkd with search domains is an awful faff
[done] 3) work out what to do with incoming ssh from wan
- For noetbook and thinkpad we have a vpn anyway so can expect to
reach loaclhost directly using ipv6
- stop ssh from ever trying to get to our ipv4 address.
- we could get rid of A record for loaclhost.telent.net but
there are a bunch of CNAMES pointing at it for web servers.
- we could reject incoming connections to tcp4 port 22 in firewall
and then there is a clear signal to Dont Do That Then
- for emergency use, dnat ipv4 2200 and 2201 to rotuer and loaclhost
Tue Feb 13 22:31:03 GMT 2024
the reason we can't reboot is that there is a service to add each lan
device to the bridge which does ifwait $dev running, which doesn't
return until there's something plugged in. So s6-rc hangs indefinitely
until the lan switch is fully populated. This is definitely a
"next milestone" thing

2
modules/dhcp6c/address.nix
View File

@ -11,6 +11,6 @@ let
script = callPackage ./acquire-wan-address.nix { }; script = callPackage ./acquire-wan-address.nix { };
in longrun { in longrun {
inherit name; inherit name;
run = "${script} /run/service-state/${client.name} $(output ${interface} ifname)"; run = "${script} $SERVICE_OUTPUTS/${client.name} $(output ${interface} ifname)";
dependencies = [ client interface ]; dependencies = [ client interface ];
} }

2
modules/dhcp6c/client.nix
View File

@ -13,7 +13,7 @@ in longrun {
inherit name; inherit name;
notification-fd = 10; notification-fd = 10;
run = '' run = ''
export SERVICE_STATE=/run/service-state/${name} export SERVICE_STATE=$SERVICE_OUTPUTS/${name}
${odhcp6c}/bin/odhcp6c -s ${odhcp-script} -e -v -p /run/${name}.pid -P0 $(output ${interface} ifname) ${odhcp6c}/bin/odhcp6c -s ${odhcp-script} -e -v -p /run/${name}.pid -P0 $(output ${interface} ifname)
) )
''; '';

2
modules/dhcp6c/prefix.nix
View File

@ -11,6 +11,6 @@ let
script = callPackage ./acquire-delegated-prefix.nix { }; script = callPackage ./acquire-delegated-prefix.nix { };
in longrun { in longrun {
inherit name; inherit name;
run = "${script} /run/service-state/${client.name} $(output ${interface} ifname)"; run = "${script} $SERVICE_OUTPUTS/${client.name} $(output ${interface} ifname)";
dependencies = [ client interface ]; dependencies = [ client interface ];
} }

2
modules/dnsmasq/service.nix
View File

@ -44,7 +44,7 @@ longrun {
--log-debug \ --log-debug \
--log-queries \ --log-queries \
--log-facility=- \ --log-facility=- \
--dhcp-leasefile=/run/${name}.leases \ --dhcp-leasefile=$(mkstate ${name})/leases \
--pid-file=/run/${name}.pid --pid-file=/run/${name}.pid
''; '';
} }

11
modules/s6/scripts/rc.init
View File

@ -22,8 +22,15 @@ mount -t tmpfs none /tmp
mkdir /dev/pts mkdir /dev/pts
mount -t devpts none /dev/pts mount -t devpts none /dev/pts
mkdir -m 0751 /run/service-state mkdir -m 0751 -p /run/services/outputs
chgrp system /run/service-state chgrp system /run/services/outputs
if test -d /persist; then
mkdir -m 0751 -p /persist/services/state
(cd /run/services && ln -s ../../persist/services/state .)
else
mkdir -m 0751 -p /run/services/state
fi
### If your services are managed by s6-rc: ### If your services are managed by s6-rc:
### (replace /run/service with your scandir) ### (replace /run/service with your scandir)

9
modules/ssh/ssh.nix
View File

@ -29,15 +29,12 @@ let
in in
longrun { longrun {
name = "sshd"; name = "sshd";
# we need /run/dropbear to point to hostkey storage, as that
# pathname is hardcoded into the binary.
# env -i clears the environment so we don't pass anything weird to # env -i clears the environment so we don't pass anything weird to
# ssh sessions # ssh sessions
run = '' run = ''
if test -d /persist; then ln -s $(mkstate dropbear) /run
mkdir -p /persist/secrets/dropbear
ln -s /persist/secrets/dropbear /run
else
mkdir -p /run/dropbear
fi
. /etc/profile # sets PATH but do we need this? it's the same file as ashrc . /etc/profile # sets PATH but do we need this? it's the same file as ashrc
exec env -i ENV=/etc/ashrc PATH=$PATH ${dropbear}/bin/dropbear ${concatStringsSep " " options} exec env -i ENV=/etc/ashrc PATH=$PATH ${dropbear}/bin/dropbear ${concatStringsSep " " options}
''; '';

2
pkgs/liminix-tools/services/builder.sh
View File

@ -15,6 +15,6 @@ for i in run notification-fd up down consumer-for producer-for pipeline-name ; d
test -n "$(printenv $i)" && (echo "$(printenv $i)" > $out/${name}/$i) test -n "$(printenv $i)" && (echo "$(printenv $i)" > $out/${name}/$i)
done done
( cd $out && ln -s /run/service-state/${name} ./.outputs ) ( cd $out && ln -s /run/services/outputs/${name} ./.outputs )
for i in $out/${name}/{down,up,run} ; do test -f $i && chmod +x $i; done for i in $out/${name}/{down,up,run} ; do test -f $i && chmod +x $i; done
true true

2
pkgs/liminix-tools/services/default.nix
View File

@ -9,7 +9,7 @@
}: }:
let let
inherit (builtins) concatStringsSep; inherit (builtins) concatStringsSep;
prefix = "/run/service-state"; prefix = "/run/services/outputs";
output = service: name: "${prefix}/${service.name}/${name}"; output = service: name: "${prefix}/${service.name}/${name}";
serviceScript = commands : '' serviceScript = commands : ''
#!/bin/sh #!/bin/sh

9
pkgs/service-fns/default.nix
View File

@ -2,8 +2,15 @@
writeText "service-fns.sh" '' writeText "service-fns.sh" ''
output() { cat $1/.outputs/$2; } output() { cat $1/.outputs/$2; }
output_path() { echo $(realpath $1/.outputs)/$2; } output_path() { echo $(realpath $1/.outputs)/$2; }
SERVICE_OUTPUTS=/run/services/outputs
SERVICE_STATE=/run/services/state
mkoutputs() { mkoutputs() {
d=/run/service-state/$1 d=$SERVICE_OUTPUTS/$1
mkdir -m 2751 -p $d && chown root:system $d
echo $d
}
mkstate() {
d=$SERVICE_STATE/$1
mkdir -m 2751 -p $d && chown root:system $d mkdir -m 2751 -p $d && chown root:system $d
echo $d echo $d
} }