write combined-image into a directory not $out directly

this makes the tftp workflow a bit easier

README.md

@@ -116,6 +116,22 @@ Assuming you have nixpkgs checked out in a peer directory of this one,
 
 Some of the tests require the emulated upstream connection to be running.
 
+## Hardware
+
+How you get the thing onto hardware will vary according to the device,
+but is likely to involve U-Boot and TFTP.
+
+There is a rudimentary TFTP server bundled with the system which runs
+from the command line, has an allowlist for client connections, and
+follows symlinks, so you can have your device download images direct
+from the `./result` directory without exposing `/nix/store/` to the
+internet or mucking about copying files to `/tftproot`. If the
+permitted device is to be given the IP address 192.168.8.251 you might
+do something like this:
+
+    $ NIX_PATH=nixpkgs=../nixpkgs:$NIX_PATH NIXPKGS_ALLOW_UNSUPPORTED_SYSTEM=1 nix-build -I liminix-config=./tests/smoke/configuration.nix --arg device "import ./devices/gl-ar750.nix" -A outputs.tftpd -o tftpd
+    $  ./tftpd/bin/tufted -a 192.168.8.251 result
+
 
 ## Troubleshooting
 

default.nix

@@ -16,19 +16,34 @@ let
   kernel = callPackage ./kernel {
     inherit (config.kernel) config checkedConfig;
   };
-in {
-  outputs = {
+  outputs = rec {
     inherit squashfs kernel;
-    default = nixpkgs.pkgs.runCommand "both-kinds" {} ''
+    uimage = kernel.uimage {
+      inherit (device.boot) loadAddress entryPoint;
+      inherit (kernel) vmlinux;
+    };
+
+    combined-image = nixpkgs.pkgs.runCommand "firmware.bin" {
+      nativeBuildInputs = [ nixpkgs.buildPackages.ubootTools ];
+    } ''
       mkdir $out
-      cd $out
-      ln -s ${squashfs} squashfs
-      ln -s ${kernel.vmlinux} vmlinux
-   '';
+      dd if=${uimage} of=$out/firmware.bin bs=128k conv=sync
+      dd if=${squashfs} of=$out/firmware.bin bs=128k conv=sync,nocreat,notrunc oflag=append
+    '';
+    directory = nixpkgs.pkgs.runCommand "both-kinds" {} ''
+       mkdir $out
+       cd $out
+       ln -s ${squashfs} squashfs
+       ln -s ${kernel.vmlinux} vmlinux
+    '';
     # this exists so that you can run "nix-store -q --tree" on it and find
     # out what's in the image, which is nice if it's unexpectedly huge
     manifest = writeText "manifest.json" (builtins.toJSON config.filesystem.contents);
+    tftpd = nixpkgs.pkgs.buildPackages.tufted;
   };
+in {
+  outputs = outputs // { default = outputs.${device.outputs.default}; };
+
   # this is just here as a convenience, so that we can get a
   # cross-compiling nix-shell for any package we're customizing
   inherit (nixpkgs) pkgs;

devices/gl-ar750.nix

@@ -1,3 +1,21 @@
+# GL.INet GL-AR750 "Creta" travel router
+#  - QCA9531 @650Mhz SoC
+#  - dual band wireless: IEEE 802.11a/b/g/n/ac
+#  - two 10/100Mbps LAN ports and one WAN
+#  - 128MB DDR2 RAM / 16MB  NOR Flash
+#  - "ath79" soc family
+# https://www.gl-inet.com/products/gl-ar750/
+
+# I like GL.iNet devices because they're relatively accessible to
+# DIY users: the serial port connections have headers preinstalled
+# and don't need soldering
+
+# The default output is a combined image containing a kernel
+# packaged as a "uimage" and initrd filesystem. This can be
+# downloaded to the device using TFTP and then written into
+# flash, or if PHRAM suport is enabled (handy for development)
+# unpacked and run directly into RAM
+
 {
   system = {
     crossSystem = {
@@ -8,4 +26,55 @@
       };
     };
   };
+  kernel = {
+    checkedConfig = {
+      "MIPS_RAW_APPENDED_DTB" = "y";
+    };
+    config = {
+      # this is all copied from nixwrt ath79 config. Clearly not all
+      # of it is device config, some of it is wifi config or
+      # installation method config or ...
+      "BLK_DEV_INITRD" = "n";
+      "CMDLINE_PARTITION" = "y";
+      "DEBUG_INFO" = "y";
+      "DEVTMPFS" = "y";
+      "EARLY_PRINTK" = "y";
+      "FW_LOADER" = "y";
+      # we don't have a user helper, so we get multiple 60s pauses
+      # at boot time unless we disable trying to call it
+      "FW_LOADER_USER_HELPER" = "n";
+      "IMAGE_CMDLINE_HACK" = "n";
+      "IP_PNP" = "y";
+      "JFFS2_FS" = "n";
+      "MIPS_RAW_APPENDED_DTB" = "y";
+      "MODULE_SIG" = "y";
+      "MTD_CMDLINE_PARTS" = "y";
+      "MTD_SPLIT_FIRMWARE" = "y";
+      "PARTITION_ADVANCED" = "y";
+      "PRINTK_TIME" = "y";
+      "SQUASHFS" = "y";
+      "SQUASHFS_XZ" = "y";
+      "ASN1" = "y";
+      "ASYMMETRIC_KEY_TYPE" = "y";
+      "ASYMMETRIC_PUBLIC_KEY_SUBTYPE" = "y";
+      "CRC_CCITT" = "y";
+      "CRYPTO" = "y";
+      "CRYPTO_ARC4" = "y";
+      "CRYPTO_CBC" = "y";
+      "CRYPTO_CCM" = "y";
+      "CRYPTO_CMAC" = "y";
+      "CRYPTO_GCM" = "y";
+      "CRYPTO_HASH_INFO" = "y";
+      "CRYPTO_LIB_ARC4" = "y";
+      "CRYPTO_RSA" = "y";
+      "CRYPTO_SHA1" = "y";
+      "ENCRYPTED_KEYS" = "y";
+      "KEYS" = "y";
+    };
+  };
+  outputs.default = "combined-image";
+  boot = {
+    loadAddress = "0x80060000";
+    entryPoint  = "0x80060000";
+  };
 }

devices/qemu.nix

@@ -1,3 +1,7 @@
+# This "device" generates images that can be used with the QEMU
+# emulator. The default output is a directory containing separate
+# kernel (uncompressed vmlinux) and initrd (squashfs) images
+
 {
   system = {
     crossSystem = {
@@ -446,4 +450,5 @@
       VIRTIO_NET = "y";
     };
   };
+  outputs.default = "directory";
 }

kernel/default.nix

@@ -34,9 +34,9 @@ let
       cp -a . $out
     '';
   };
-in
-{
+in rec {
   vmlinux = callPackage ./vmlinux.nix {
     inherit tree config checkedConfig;
   };
+  uimage = callPackage ./uimage.nix { };
 }

kernel/uimage.nix

@@ -0,0 +1,42 @@
+{
+  lzma
+, stdenv
+, ubootTools
+} :
+let
+  objcopy = "${stdenv.cc.bintools.targetPrefix}objcopy";
+in {
+  vmlinux
+# , commandLine
+# , fdt ? null
+, entryPoint
+# , extraName ? ""                # e.g. socFamily
+, loadAddress
+} :
+  # patchDtbCommand = if (fdt != null) then ''
+  #   ( cat vmlinux.stripped ${fdt} > vmlinux.tmp ) && mv vmlinux.tmp vmlinux.stripped
+  # '' else ''
+  #   echo patch-cmdline vmlinux.stripped '${commandLine}'
+  #   patch-cmdline vmlinux.stripped '${commandLine}'
+  #   echo
+  # '';
+stdenv.mkDerivation {
+  name = "kernel.image";
+  phases = [ "buildPhase" "installPhase" ];
+  nativeBuildInputs = [
+    # patchImage
+    lzma
+    stdenv.cc
+    ubootTools
+  ];
+  buildPhase = ''
+    ${objcopy} -O binary -R .reginfo -R .notes -R .note -R .comment -R .mdebug -R .note.gnu.build-id -S ${vmlinux} vmlinux.stripped
+    # {patchDtbCommand}
+    rm -f vmlinux.stripped.lzma
+    lzma -k -z  vmlinux.stripped
+    mkimage -A mips -O linux -T kernel -C lzma -a ${loadAddress} -e ${entryPoint} -n 'MIPS Liminix Linux ' -d vmlinux.stripped.lzma kernel.image
+  '';
+  installPhase = ''
+    cp kernel.image $out
+  '';
+}

modules/base.nix

@@ -31,6 +31,7 @@ in {
       };
       checkedConfig = mkOption {
         type = types.attrsOf types.nonEmptyStr;
+        default = {};
       };
     };
     groups =  mkOption {

overlay.nix

@@ -16,6 +16,8 @@ final: prev: {
     dbusSupport = false;
   };
 
+  tufted = final.callPackage ./pkgs/tufted {};
+
   pppoe = final.callPackage ./pkgs/pppoe {};
   ppp =
     (prev.ppp.override {

pkgs/tufted/default.nix

@@ -0,0 +1,44 @@
+{
+  lua5_3
+, stdenv
+, fennel
+, fetchFromGitHub
+, makeWrapper
+} :
+let
+  tufty-lua = lua.pkgs.buildLuaPackage {
+    pname = "tufty";
+    version = "1";
+    src = fetchFromGitHub {
+      owner = "telent";
+      repo = "tufty";
+      sha256 = "sha256-m5UEfcCNdG0Ku380cPhu1inNQmSfQJ5NcRIxLohUOh8=";
+      rev = "75c6d38713a82f4197f91dcb182a2e34f255bf7c";
+    };
+    buildPhase = ":";
+    installPhase = ''
+        mkdir -p "$out/share/lua/${lua5_3.luaversion}"
+        cp src/*.lua "$out/share/lua/${lua5_3.luaversion}/"
+      '';
+  };
+  lua = lua5_3.withPackages (ps: with ps; [
+    tufty-lua luasocket luaposix
+  ]);
+  fennel_ = (fennel.override { inherit lua; });
+in stdenv.mkDerivation {
+  pname = "tufted";
+  version = "1";
+  phases =  [ "unpackPhase" "installPhase" ];
+  buildInputs = [ lua fennel_ ];
+  nativeBuildInputs = [ makeWrapper ];
+  src = ./.;
+  installPhase = ''
+    mkdir -p $out/lib
+    cp tufted.fnl $out/lib
+    makeWrapper ${fennel_}/bin/fennel \
+      $out/bin/tufted \
+      --add-flags "--add-fennel-path $out/lib/?.fnl" \
+      --add-flags "--add-package-path $out/lib/?.lua" \
+      --add-flags "$out/lib/tufted.fnl"
+  '';
+}

pkgs/tufted/tufted.fnl

@@ -0,0 +1,51 @@
+(local tftp (require :tftp))
+(local { : realpath} (require :posix.stdlib))
+(local { : view } (require :fennel))
+
+(local options
+       (match arg
+         ["-a" ip-address dir]
+         { :allow ip-address :base-directory (realpath dir)}
+
+         [dir]
+         { :allow nil :base-directory (realpath dir)}
+
+         []
+         (error "missing command line parameters")
+         ))
+
+(print (.. "TFTP serving from " options.base-directory))
+
+(fn merge-pathname [directory filename]
+  (if (directory:match "/$")
+      (.. directory  filename)
+      (.. directory "/" filename)))
+
+(->
+ (tftp:listen
+  (fn [file host port]
+    (if (or (not options.allow) (= host options.allow))
+        (let [pathname (merge-pathname options.base-directory file)
+              f (io.open pathname "rb")
+              size (f:seek "end")]
+          (f:seek "set" 0)
+          (var eof? false)
+          (values
+           (fn handler [reqlen]
+             (let [bytes (f:read reqlen)]
+               (if eof?
+                   false
+                   bytes
+                   (values true bytes)
+                   (do
+                     ;; if the file length is divisible by the block
+                     ;; length, need to send an empty block at eof
+                     (set eof? true)
+                     (values true "")))))
+           size))
+        (error "host not allowed")))
+  nil
+  ["*"]
+  69)
+
+(os.exit))