er, don\'t know?

pppd runs them with 0,1,2 => /dev/null but we actually quite like
seeing errors in the logs

default.nix

@@ -33,6 +33,7 @@ let
       ./modules/busybox.nix
       ./modules/hostname.nix
       ./modules/kernel
+      ./modules/klogd.nix
       device.module
       liminix-config
       ./modules/s6

devices/gl-ar750/default.nix

@@ -114,12 +114,27 @@
           eraseBlockSize = 65536;
         };
         rootDevice = "/dev/mtdblock5";
-        dts = {
-          src = "${openwrt.src}/target/linux/ath79/dts/qca9531_glinet_gl-ar750.dts";
-          includes =  [
-            "${openwrt.src}/target/linux/ath79/dts"
-          ];
-        };
+        dts =
+          let
+            upstream = {
+              src = "${openwrt.src}/target/linux/ath79/dts/qca9531_glinet_gl-ar750.dts";
+              includes =  [
+                "${openwrt.src}/target/linux/ath79/dts"
+              ];
+            };
+            cppDtSearchFlags = builtins.concatStringsSep " " (map (f: "-I${f}") upstream.includes);
+            dtcSearchFlags = builtins.concatStringsSep " " (map (f: "-i${f}") upstream.includes);
+
+            patched = pkgs.runCommand "patch-dts" {
+              nativeBuildInputs = with pkgs.pkgsBuildBuild; [pkgs.stdenv.cc dtc ];
+            }
+              ''
+                echo patching dts
+                ${pkgs.stdenv.cc.targetPrefix}cpp -nostdinc -x assembler-with-cpp ${cppDtSearchFlags} -undef -D__DTS__  -o dts.tmp ${upstream.src}
+                dtc -I dts ${dtcSearchFlags} -o $out -O dts dts.tmp
+              '';
+          in upstream // { src = patched; };
+
 
         networkInterfaces =
           let inherit (config.system.service.network) link;

examples/hello-from-qemu.nix

@@ -1,12 +1,14 @@
-{ config, pkgs, ... } :
+{ config, pkgs, lib, ... } :
 let
   svc = config.system.service;
+  inherit (pkgs.liminix.services) longrun oneshot ;
 
 in rec {
   imports = [
     ../modules/network
     ../modules/dnsmasq
     ../modules/ssh
+    ../modules/tls-certificate
   ];
 
   hostname = "hello";
@@ -17,8 +19,51 @@ in rec {
     family = "inet"; address ="10.3.0.1"; prefixLength = 16;
   };
 
+  filesystem =
+    let inherit (pkgs.pseudofile) file dir symlink;
+    in dir {
+      etc = dir {
+        hosts =  {
+          type = "f";
+          file = "127.0.0.1 localhost\n10.0.2.2 loaclhost.telent.net\n";
+          mode = "0444";
+        };
+      };
+    };
+
   services.sshd = svc.ssh.build { };
 
+  services.lan-address-for-secrets =
+    svc.network.address.build {
+      interface = config.hardware.networkInterfaces.lan;
+      family = "inet"; address ="10.0.2.15"; prefixLength = 24;
+    };
+
+  # services.client-cert = svc.tls-certificate.certifix-client.build {
+  #   caCertificate = builtins.readFile /var/lib/certifix/certs/ca.crt;
+  #   subject = "C=GB,ST=London,O=Telent,OU=devices,CN=${config.hostname}";
+  #   secret = builtins.readFile ../challengePassword;
+  #   serviceUrl = "https://loaclhost.telent.net:19613/sign";
+  # };
+
+  # logging.shipping = {
+  #   enable = true;
+  #   service = longrun {
+  #     name = "ship-logs";
+  #     dependencies = [ config.services.client-cert ];
+  #     run =
+  #       let path = lib.makeBinPath (with pkgs; [ s6-networking s6 ]);
+  #       in ''
+  #         PATH=${path}:$PATH \
+  #         CAFILE=${/var/lib/certifix/certs/ca.crt} \
+  #         KEYFILE=$(output_path ${services.client-cert} key) \
+  #         CERTFILE=$(output_path ${services.client-cert} cert) \
+  #         s6-tlsclient -k loaclhost.telent.net -h -y loaclhost.telent.net 19612 \
+  #         fdmove -c 1 7 cat
+  #       '';
+  #   };
+  # };
+
   users.root = {
     # the password is "secret". Use mkpasswd -m sha512crypt to
     # create this hashed password string
@@ -38,6 +83,6 @@ in rec {
     };
 
   defaultProfile.packages = with pkgs; [
-    figlet
+    figlet openssl
   ];
 }

examples/rotuer.nix

@@ -16,11 +16,11 @@ let
     inherit (secrets) wpa_passphrase;
     wmm_enabled = 1;
   };
-
+  inherit (pkgs.liminix.services) longrun;
 in rec {
   boot = {
     tftp = {
-      freeSpaceBytes = 3 * 1024 * 1024;
+      freeSpaceBytes = 2 * 1024 * 1024;
       serverip = "10.0.0.1";
       ipaddr = "10.0.0.8";
     };
@@ -28,8 +28,24 @@ in rec {
 
   imports = [
     "${modulesPath}/profiles/gateway.nix"
+    "${modulesPath}/tls-certificate"
   ];
+
   hostname = "rotuer";
+#  rootfsType = "jffs2";
+
+  filesystem =
+    let inherit (pkgs.pseudofile) file dir symlink;
+    in dir {
+      mnt = dir {};
+      etc = dir {
+        hosts = {
+          type = "f";
+          file = "127.0.0.1 localhost\n10.0.0.1 loaclhost.telent.net\n";
+          mode = "0444";
+        };
+      };
+    };
 
   profile.gateway = {
     lan = {
@@ -106,9 +122,11 @@ in rec {
   defaultProfile.packages = with pkgs; [
     min-collect-garbage
     nftables
-    strace
-    tcpdump
+    # strace
+    # tcpdump
     s6
+    dtc
+    # certifix-client
   ];
 
   programs.busybox = {
@@ -119,4 +137,47 @@ in rec {
       FEATURE_FANCY_TAIL = "y";
     };
   };
+
+  services.wan-address-for-secrets =
+    let
+      interface = config.hardware.networkInterfaces.wan;
+      addr =
+        svc.network.address.build {
+          inherit interface;
+          family = "inet"; address ="10.0.0.10"; prefixLength = 24;
+        };
+    in svc.network.route.build {
+      target = "10.0.0.1";
+      inherit interface;
+      via = "10.0.0.10";
+      metric = 1;
+      dependencies = [ addr ];
+    };
+
+  # services.client-cert = svc.tls-certificate.certifix-client.build {
+  #   caCertificate = builtins.readFile /var/lib/certifix/certs/ca.crt;
+  #   subject = "C=GB,ST=London,O=Telent,OU=devices,CN=${config.hostname}";
+  #   secret = builtins.readFile ../challengePassword;
+  #   serviceUrl = "https://loaclhost.telent.net:19613/sign";
+  #   dependencies = [ services.wan-address-for-secrets ];
+  # };
+
+  logging.pstore = true;
+  logging.shipping = {
+    enable = false;
+    service = longrun {
+      name = "ship-logs";
+      dependencies = [ config.services.client-cert ];
+      run =
+        let path = lib.makeBinPath (with pkgs; [ s6-networking s6 ]);
+        in ''
+          PATH=${path}:$PATH \
+          CAFILE=${/var/lib/certifix/certs/ca.crt} \
+          KEYFILE=$(output_path ${services.client-cert} key) \
+          CERTFILE=$(output_path ${services.client-cert} cert) \
+          s6-tlsclient -k loaclhost.telent.net -h -y loaclhost.telent.net 19612 \
+          fdmove -c 1 7 cat
+        '';
+    };
+  };
 }

modules/kernel/default.nix

@@ -92,7 +92,7 @@ in {
         PROC_FS = "y";
 
         MODULES = if modular then "y" else "n";
-        MODULE_SIG = if modular then "y" else "n";
+        MODULE_UNLOAD = if modular then "y" else "n";
         DEBUG_FS = "y";
 
         # basic networking protocols

modules/klogd.nix

@@ -0,0 +1,15 @@
+{ config, lib, pkgs, ... }:
+let
+  inherit (pkgs.liminix.services) longrun;
+in {
+  config.services.klogd = longrun {
+    name = "klogd";
+    run = ''
+      echo "1 2 1 8"  > /proc/sys/kernel/printk
+      cat /proc/kmsg
+    '';
+    finish = ''
+      echo "8 4 1 8"  > /proc/sys/kernel/printk
+    '';
+  };
+}

modules/ntp/service.nix

@@ -6,6 +6,7 @@
 }:
 params:
 let
+  name = "ntp"; # bad name, needs to be unique
   inherit (liminix.services) longrun;
   inherit (lib) concatStringsSep mapAttrsToList;
   configFile = p:
@@ -23,11 +24,15 @@ let
     ++ (lib.optional (p.bindaddress != null) "bindaddress ${p.bindaddress}")
     ++ (lib.optional (p.binddevice != null) "binddevice ${p.binddevice}")
     ++ (lib.optional (p.dumpdir != null) "dumpdir ${p.dumpdir}")
+    ++ [
+      "bindcmdaddress /" # disable unix socket
+      "pidfile /run/${name}.pid"
+    ]
     ++ [p.extraConfig];
 
   config = writeText "chrony.conf"
     (concatStringsSep "\n" (configFile params));
 in longrun {
-  name = "ntp"; # bad name, needs to be unique
+  inherit name;
   run = "${chrony}/bin/chronyd -f ${config} -d";
 }

modules/ppp/common.nix

@@ -15,25 +15,30 @@ let
   inherit (builtins) toJSON toString typeOf;
 
   ip-up = writeAshScript "ip-up" {} ''
+    exec >&5 2>&5
     . ${serviceFns} 
-    (in_outputs ${name}
-     echo $1 > ifname
-     echo $2 > tty
-     echo $3 > speed
-     echo $4 > address
-     echo $5 > peer-address
-     echo $DNS1 > ns1
-     echo $DNS2 > ns2
-    )
+    in_outputs ${name}
+    echo $1 > ifname
+    echo $2 > tty
+    echo $3 > speed
+    echo $4 > address
+    echo $5 > peer-address
+    set +o nounset
+    set +o errexit
+    if test -n "''${DNS1}" ;then echo ''${DNS1} > ns1 ; fi
+    if test -n "''${DNS2}" ;then echo ''${DNS2} > ns2 ; fi
+    set +o pipefail
+    ls -l /proc/self/fd
     echo >/proc/self/fd/10
   '';
   ip6-up = writeAshScript "ip6-up" {} ''
+    exec >&5 2>&5
     . ${serviceFns} 
-    (in_outputs ${name}
-     echo $4 > ipv6-address
-     echo $5 > ipv6-peer-address
-    )
-    echo >/proc/self/fd/10
+    in_outputs ${name}
+    set +o nounset
+    set +o errexit
+    echo $4 > ipv6-address
+    echo $5 > ipv6-peer-address
   '';
   literal_or_output =
     let v = o: ({
@@ -58,6 +63,9 @@ let
         "ipv6-up-script" ip6-up
         "ipparam" name
         "nodetach"
+        # usepeerdns requests DNS servers from peer (which is good),
+        # then attempts to write them to /nix/store/xxxx/ppp/resolv.conf
+        # which causes an unsightly but inconsequential error message
         "usepeerdns"
         "nodefaultroute"
         "logfd" "2"
@@ -69,6 +77,7 @@ let
       chmod 0700 /run/${name}
       in_outputs ${name}
       echo ${escapeShellArgs ppp-options'} | ${output-template}/bin/output-template '{{' '}}' > /run/${name}/ppp-options
+      exec fdmove -c 5 2 \
       ${command}
     '';
     notification-fd = 10;

modules/ppp/pppoe.nix

@@ -24,7 +24,7 @@ let
 in common {
   inherit name debug username password lcpEcho ppp-options;
   command = ''
-    exec ${ppp}/bin/pppd pty "${pppoe}/bin/pppoe ${timeoutOpt}  -I $(output ${interface} ifname)" file /run/${name}/ppp-options
+    ${ppp}/bin/pppd pty "${pppoe}/bin/pppoe ${timeoutOpt}  -I $(output ${interface} ifname)" file /run/${name}/ppp-options
   '';
   dependencies = [ interface ];
 }

modules/s6/default.nix

@@ -107,17 +107,22 @@ let
       };
       notification-fd = { file = "3"; };
       run = {
-        file = ''
-              #!${execline}/bin/execlineb -P
-              ${execline}/bin/redirfd -w 1 /dev/null
-              ${execline}/bin/redirfd -rnb 0 fifo
-              ${if cfg.shipping.enable then ''
-                pipeline { ${s6}/bin/s6-log -bpd3 -- ${cfg.script} 1 }
-                pipeline { ${pkgs.logshipper}/bin/logtap ${cfg.shipping.socket} logshipper-socket-event }
-                ${s6}/bin/s6-log -- ${cfg.directory}
-              '' else ''
-                ${s6}/bin/s6-log -bpd3 -- ${cfg.script} ${cfg.directory}
-              ''}
+        file =
+          let pstore = if cfg.pstore then "pipeline { tee /dev/pmsg0 }" else "";
+          in ''
+            #!${execline}/bin/execlineb -P
+            ${execline}/bin/redirfd -w 1 /dev/null
+            ${execline}/bin/redirfd -rnb 0 fifo
+            ${if cfg.shipping.enable then ''
+              pipeline { ${s6}/bin/s6-log -bpd3 -- ${cfg.script} 1 }
+              pipeline { ${pkgs.logshipper}/bin/logtap ${cfg.shipping.socket} logshipper-socket-event }
+              ${pstore}
+              ${s6}/bin/s6-log -- ${cfg.directory}
+            '' else ''
+              pipeline { ${s6}/bin/s6-log -bpd3 -- ${cfg.script} 1 }
+              ${pstore}
+              ${s6}/bin/s6-log --  ${cfg.directory}
+            ''}
           '';
         mode = "0755";
       };
@@ -212,6 +217,7 @@ let
 in {
   options = {
     logging = {
+      pstore = mkEnableOption "system logs in pstore for retention after reboot";
       shipping = {
         enable = mkEnableOption "unix socket for log shipping";
         socket = mkOption {
@@ -263,6 +269,12 @@ in {
     )];
 
   config = {
+    kernel.config = mkIf cfg.pstore {
+      PSTORE = "y";
+      PSTORE_PMSG = "y";
+    };
+    programs.busybox.applets =  mkIf cfg.pstore [ "tee" ];
+    
     filesystem = dir {
       etc = dir {
         s6-rc = dir {

pkgs/pppoe/default.nix

@@ -22,10 +22,6 @@ stdenv.mkDerivation rec {
     export PPPD=${ppp}/sbin/pppd
   '';
 
-  configureFlags = lib.optionals (stdenv.buildPlatform != stdenv.hostPlatform) [
-    "rpppoe_cv_pack_bitfields=rev"
-  ];
-
   postConfigure = ''
     sed -i Makefile -e 's@DESTDIR)/etc/ppp@out)/etc/ppp@'
     sed -i Makefile -e 's@PPPOESERVER_PPPD_OPTIONS=@&$(out)@'