114 changed files with 276 additions and 173 deletions
--- a/ci.nix
+++ b/ci.nix
@ -4,6 +4,7 @@
 , liminix
 , ... }:
 let
  inherit (builtins) map;
  pkgs = (import nixpkgs {});
  borderVmConf =  ./bordervm.conf-example.nix;
  inherit (pkgs.lib.attrsets) genAttrs;
@ -43,6 +44,12 @@ let
                  imports = [ ./modules/all-modules.nix ];
                };
              }).outputs.optionsJson;
            installers = map (f: "system.outputs.${f}") [
              "vmroot"
              "mtdimage"
              "ubimage"
            ];
            inherit (pkgs.lib) concatStringsSep;
        in pkgs.stdenv.mkDerivation {
          name = "liminix-doc";
          nativeBuildInputs = with pkgs; [
--- a/devices/belkin-rt3200/default.nix
+++ b/devices/belkin-rt3200/default.nix
@ -213,6 +213,7 @@
        networkInterfaces =
          let
            inherit (config.system.service.network) link;
            inherit (config.system.service) bridge;
          in rec {
            wan = link.build { ifname = "wan"; };
            lan1 = link.build { ifname = "lan1"; };
--- a/devices/gl-ar750/default.nix
+++ b/devices/gl-ar750/default.nix
@ -92,6 +92,7 @@
        '';
      };
      inherit (pkgs.pseudofile) dir symlink;
      inherit (pkgs.liminix.networking) interface;
    in {
      imports = [
        ../../modules/network
--- a/devices/gl-mt300a/default.nix
+++ b/devices/gl-mt300a/default.nix
@ -45,6 +45,7 @@
  module = { pkgs, config, lib, lim, ...}:
    let
      inherit (pkgs.liminix.networking) interface;
      inherit (pkgs) openwrt;
      mac80211 = pkgs.kmodloader.override {
        targets = ["rt2800soc"];
@ -89,6 +90,19 @@
          let
            inherit (config.system.service.network) link;
            inherit (config.system.service) vlan;
            inherit (pkgs.liminix.services) oneshot;
            swconfig = oneshot {
              name = "swconfig";
              up = ''
                PATH=${pkgs.swconfig}/bin:$PATH
                swconfig dev switch0 set reset
                swconfig dev switch0 set enable_vlan 1
                swconfig dev switch0 vlan 1 set ports '1 2 3 4 6t'
                swconfig dev switch0 vlan 2 set ports '0 6t'
                swconfig dev switch0 set apply
              '';
              down = "${pkgs.swconfig}/bin/swconfig dev switch0 set reset";
            };
          in rec {
            eth = link.build { ifname = "eth0"; };
            # lan and wan ports are both behind a switch on eth0
--- a/devices/gl-mt300n-v2/default.nix
+++ b/devices/gl-mt300n-v2/default.nix
@ -38,6 +38,7 @@
  module = { pkgs, config, lib, lim, ...}:
    let
      inherit (pkgs.liminix.networking) interface;
      inherit (pkgs.liminix.services) oneshot;
      inherit (pkgs.pseudofile) dir symlink;
      inherit (pkgs) openwrt;
--- a/devices/qemu-aarch64/default.nix
+++ b/devices/qemu-aarch64/default.nix
@ -26,7 +26,7 @@
  # this device is described by the "qemu" device
  installer = "vmroot";
-  module = { config, lim, ... }: {
+  module = {pkgs, config, lim, ... }: {
    imports = [
      ../../modules/arch/aarch64.nix
      ../families/qemu.nix
--- a/devices/qemu-armv7l/default.nix
+++ b/devices/qemu-armv7l/default.nix
@ -24,7 +24,7 @@
  '';
  installer = "vmroot";
-  module = { config, lim, ... }: {
+  module = {pkgs, config, lim, ... }: {
    imports = [
      ../../modules/arch/arm.nix
      ../families/qemu.nix
--- a/devices/qemu/default.nix
+++ b/devices/qemu/default.nix
@ -36,7 +36,7 @@
    in the Development manual.
  '';
-  module = { config, lib, lim, ... }: {
+  module = {pkgs, config, lib, lim, ... }: {
    imports = [
      ../../modules/arch/mipseb.nix
      ../families/qemu.nix
--- a/devices/tp-archer-ax23/default.nix
+++ b/devices/tp-archer-ax23/default.nix
@ -419,6 +419,7 @@
          networkInterfaces =
            let
              inherit (config.system.service.network) link;
              inherit (config.system.service) bridge;
            in rec {
              lan1 = link.build { ifname = "lan1"; };
              lan2 = link.build { ifname = "lan2"; };
--- a/devices/turris-omnia/default.nix
+++ b/devices/turris-omnia/default.nix
@ -155,6 +155,8 @@
  module = {pkgs, config, lib, lim, ... }:
    let
      openwrt = pkgs.openwrt;
      inherit (lib) mkOption types;
      inherit (pkgs.liminix.services) oneshot;
      inherit (pkgs) liminix;
      mtd_by_name_links = pkgs.liminix.services.oneshot rec  {
@ -356,6 +358,7 @@
          networkInterfaces =
            let
              inherit (config.system.service.network) link;
              inherit (config.system.service) bridge;
            in rec {
              en70000 = link.build {
                # in armada-38x.dtsi this is eth0.
--- a/devices/zyxel-nwa50ax/default.nix
+++ b/devices/zyxel-nwa50ax/default.nix
@ -103,6 +103,8 @@
  module = { pkgs, config, lib, lim, ...}:
    let
      inherit (pkgs.liminix.networking) interface;
      inherit (pkgs.liminix.services) oneshot;
      inherit (pkgs.pseudofile) dir symlink;
      inherit (pkgs) openwrt;
--- a/doc/extract-options.nix
+++ b/doc/extract-options.nix
@ -1,5 +1,6 @@
 { eval, lib, pkgs }:
 let
  inherit (lib) types;
  conf = eval.config;
  rootDir = builtins.toPath ./..;
  stripAnyPrefixes = lib.flip (lib.fold lib.removePrefix)
--- a/doc/hardware.nix
+++ b/doc/hardware.nix
@ -9,6 +9,14 @@ let
        d' = {
          description = "${n}\n${substring 0 (stringLength n) "********************************"}\n";
        } // d;
        installer =
          if d ? description && d ? installer
          then ''
            The default installation route for this device is
            :ref:`system-outputs-${d.installer}`
          ''
          else "";
    in d'.description)
    devices;
 in
--- a/examples/arhcive.nix
+++ b/examples/arhcive.nix
@ -11,9 +11,9 @@
  ...
 }: let
  secrets = import ./extneder-secrets.nix;
-  inherit (pkgs.liminix.services) oneshot longrun target;
+  inherit (pkgs.liminix.services) oneshot longrun bundle target;
  inherit (pkgs.pseudofile) dir symlink;
-  inherit (pkgs) writeText serviceFns;
+  inherit (pkgs) writeText dropbear ifwait serviceFns;
  svc = config.system.service;
 in rec {
  boot = {
--- a/examples/demo.nix
+++ b/examples/demo.nix
@ -5,9 +5,9 @@
 # wherever the text "EDIT" appears - please consult the tutorial
 # documentation for details.
-{ config, pkgs, ... } :
+{ config, pkgs, lib, ... } :
 let
-  inherit (pkgs.liminix.services) bundle oneshot;
+  inherit (pkgs.liminix.services) bundle oneshot longrun;
  inherit (pkgs) serviceFns;
  # EDIT: you can pick your preferred RFC1918 address space
  # for NATted connections, if you don't like this one.
--- a/examples/hello-from-mt300.nix
+++ b/examples/hello-from-mt300.nix
@ -1,5 +1,6 @@
-{ config, pkgs, ... } :
+{ config, pkgs, lib, ... } :
 let
  inherit (pkgs) serviceFns;
  svc = config.system.service;
 in rec {
--- a/examples/hello-from-qemu.nix
+++ b/examples/hello-from-qemu.nix
@ -1,5 +1,6 @@
-{ config, pkgs, ... } :
+{ config, pkgs, lib, ... } :
 let
  inherit (pkgs) serviceFns;
  svc = config.system.service;
 in rec {
--- a/examples/l2tp.nix
+++ b/examples/l2tp.nix
@ -6,29 +6,10 @@
 }: let
  secrets = import ./extneder-secrets.nix;
  rsecrets = import ./rotuer-secrets.nix;
-
+  lns = "l2tp.aaisp.net.uk";
-  # https://support.aa.net.uk/Category:Incoming_L2TP says:
+  inherit (pkgs.liminix.services) oneshot longrun bundle target;
  # "Please use the DNS name (l2tp.aa.net.uk) instead of hardcoding an
  # IP address; IP addresses can and do change. If you have to use an
  # IP, use 194.4.172.12, but do check the DNS for l2tp.aa.net.uk in
  # case it changes."
  # but (1) we don't want to use the wwan stick's dns as our main
  # resolver: it's provided by some mobile ISP and they aren't
  # necessarily the best at providing unfettered services without
  # deciding to do something weird; (2) it's not simple to arrange
  # that xl2tpd gets a different resolver than every other process;
  # (3) there's no way to specify an lns address to xl2tpd at runtime
  # except by rewriting its config file. So what we will do is lookup
  # the lns hostname using the mobile ISP's dns server and then refuse
  # to start l2tp unless the expected lns address is one of the
  # addresses returned. I think this satisfies "do check the DNS"
  lns = { hostname = "l2tp.aaisp.net.uk"; address = "194.4.172.12"; };
  inherit (pkgs.liminix.services) oneshot target;
  inherit (pkgs.pseudofile) dir symlink;
-  inherit (pkgs) serviceFns;
+  inherit (pkgs) writeText dropbear ifwait serviceFns;
  svc = config.system.service;
 in rec {
  boot = {
@ -65,14 +46,13 @@ in rec {
  services.sshd = svc.ssh.build { };
  services.resolvconf = oneshot rec {
-    dependencies = [ services.l2tp ];
+    dependencies = [ services.dhcpc ];
    name = "resolvconf";
    up = ''
      . ${serviceFns}
      ( in_outputs ${name}
-        for i in ns1 ns2 ; do
+      for i in $(output ${services.dhcpc} dns); do
-          ns=$(output ${services.l2tp} $i)
+        echo "nameserver $i" > resolv.conf
          echo "nameserver $ns" >> resolv.conf
      done
      )
    '';
@ -81,59 +61,31 @@ in rec {
    etc = dir {
      "resolv.conf" = symlink "${services.resolvconf}/.outputs/resolv.conf";
    };
    srv = dir {};
  };
-  services.lns-address = let
+  services.lnsroute = svc.network.route.build {
    ns = "$(output_word ${services.dhcpc} dns 1)";
    route-to-bootstrap-nameserver = svc.network.route.build {
    via = "$(output ${services.dhcpc} router)";
-      target = ns;
+    target = lns;
    dependencies = [services.dhcpc];
  };
  in oneshot rec {
    name = "resolve-l2tp-server";
    dependencies = [ services.dhcpc route-to-bootstrap-nameserver ];
    up = ''
      (in_outputs ${name}
       DNSCACHEIP="${ns}" ${pkgs.s6-dns}/bin/s6-dnsip4 ${lns.hostname} \
        > addresses
      )
    '';
  };
-  services.l2tp =
+  services.l2tp = svc.l2tp.build {
-    let
+    inherit lns;
      check-address = oneshot rec {
        name = "check-lns-address";
        up = ''
          grep -Fx ${lns.address} $(output_path ${services.lns-address} addresses)
        '';
        dependencies = [ services.lns-address ];
      };
      route = svc.network.route.build {
        via = "$(output ${services.dhcpc} router)";
        target = lns.address;
        dependencies = [services.dhcpc check-address];
      };
    in svc.l2tp.build {
      lns = lns.address;
    ppp-options = [
      "debug" "+ipv6" "noauth"
      "name" rsecrets.l2tp.name
        "connect-delay" "5000"
      "password" rsecrets.l2tp.password
    ];
-      dependencies = [config.services.lns-address route check-address];
+    dependencies = [ services.lnsroute ];
  };
  services.defaultroute4 = svc.network.route.build {
-    via = "$(output ${services.l2tp} peer-address)";
+    via = "$(output ${services.l2tp} router)";
    target = "default";
    dependencies = [services.l2tp];
  };
 #  defaultProfile.packages = [ pkgs.go-l2tp ];
  users.root = {
    passwd = lib.mkForce secrets.root.passwd;
    openssh.authorizedKeys.keys = secrets.root.keys;
--- a/examples/nwa50ax-ap.nix
+++ b/examples/nwa50ax-ap.nix
@ -1,6 +1,7 @@
 { config, pkgs, ... } :
 let
-  inherit (pkgs.liminix.services) target;
+  inherit (pkgs.liminix.services) oneshot longrun bundle target;
  inherit (pkgs) writeText;
  svc = config.system.service;
  secrets-1 = {
    ssid = "Zyxel 2G (N)";
--- a/examples/recovery.nix
+++ b/examples/recovery.nix
@ -3,7 +3,7 @@ let
  inherit (pkgs) serviceFns;
  svc = config.system.service;
  inherit (pkgs.pseudofile) dir symlink;
-  inherit (pkgs.liminix.services) oneshot target;
+  inherit (pkgs.liminix.services) oneshot longrun bundle target;
  some-util-linux = pkgs.runCommand "some-util-linux" {} ''
    mkdir -p $out/bin
    cd ${pkgs.util-linux-small}/bin
--- a/examples/rotuer.nix
+++ b/examples/rotuer.nix
@ -12,6 +12,8 @@ let
    domainName = "fake.liminix.org";
    firewallRules = {};
  } // (import ./rotuer-secrets.nix);
  inherit (pkgs.liminix.services) oneshot bundle;
  inherit (pkgs) serviceFns;
  svc = config.system.service;
  wirelessConfig =  {
    country_code = "GB";
--- a/examples/turris.nix
+++ b/examples/turris.nix
@ -1,5 +1,6 @@
-{ config, pkgs, lim, ... } :
+{ config, pkgs, lib, lim, ... } :
 let
  inherit (pkgs) serviceFns;
  svc = config.system.service;
 in rec {
--- a/modules/arch/aarch64.nix
+++ b/modules/arch/aarch64.nix
@ -1,4 +1,4 @@
-{ lim, pkgs, config, ...}:
+{ lib, lim, pkgs, config, ...}:
 {
  config = {
    kernel.config = {
--- a/modules/arch/arm.nix
+++ b/modules/arch/arm.nix
@ -1,4 +1,4 @@
-{ lim, pkgs, config, ...}:
+{ lib, lim, pkgs, config, ...}:
 {
  config = {
    kernel.config = {
--- a/modules/arch/mips.nix
+++ b/modules/arch/mips.nix
@ -1,4 +1,4 @@
-{ config, lim, ...}:
+{ lib, pkgs, config, lim, ...}:
 {
  config = {
    kernel.config = {
--- a/modules/arch/mipseb.nix
+++ b/modules/arch/mipseb.nix
@ -1,4 +1,4 @@
-{ pkgs, config, ...}:
+{ lib, pkgs, config, ...}:
 {
  imports = [ ./mips.nix ];
  config = {
--- a/modules/arch/mipsel.nix
+++ b/modules/arch/mipsel.nix
@ -1,4 +1,4 @@
-{ config, ...}:
+{ lib, pkgs, config, ...}:
 {
  imports = [ ./mips.nix ];
  config = {
--- a/modules/base.nix
+++ b/modules/base.nix
@ -4,8 +4,10 @@
 { lib, pkgs, config, ...}:
 let
-  inherit (lib) mkOption types ;
+  inherit (lib) mkEnableOption mkOption types isDerivation hasAttr ;
  inherit (pkgs.pseudofile) dir symlink;
  inherit (pkgs.liminix.networking) address interface;
  inherit (pkgs.liminix.services) bundle;
  type_service = pkgs.liminix.lib.types.service;
--- a/modules/bridge/default.nix
+++ b/modules/bridge/default.nix
@ -10,6 +10,7 @@
 { lib, pkgs, config, ...}:
 let
  inherit (lib) mkOption types;
  inherit (pkgs.liminix.services) oneshot;
  inherit (pkgs) liminix;
 in
 {
--- a/modules/bridge/members.nix
+++ b/modules/bridge/members.nix
@ -1,6 +1,7 @@
 {
  liminix
 , ifwait
 , lib
 , svc
 }:
 { members, primary } :
@ -8,6 +9,7 @@
 let
  inherit (liminix.networking) interface;
  inherit (liminix.services) bundle oneshot;
  inherit (lib) mkOption types;
  addif = member :
    # how do we get sight of services from here? maybe we need to
    # implement ifwait as a regualr derivation instead of a
--- a/modules/bridge/primary.nix
+++ b/modules/bridge/primary.nix
@ -1,10 +1,12 @@
 {
  liminix
 , ifwait
 , lib
 }:
 { ifname } :
 let
-  inherit (liminix.services) oneshot;
+  inherit (liminix.services) bundle oneshot;
  inherit (lib) mkOption types;
 in oneshot rec {
  name = "${ifname}.link";
  up = ''
--- a/modules/busybox.nix
+++ b/modules/busybox.nix
@ -8,7 +8,7 @@
 { lib, pkgs, config, ...}:
 let
-  inherit (lib) mkOption types mapAttrsToList;
+  inherit (lib) mkOption mkEnableOption types mapAttrsToList;
  inherit (pkgs.pseudofile) dir symlink;
  inherit (lib.strings) toUpper;
--- a/modules/cdc-ncm/default.nix
+++ b/modules/cdc-ncm/default.nix
@ -2,6 +2,7 @@
 let
  inherit (pkgs) liminix;
  inherit (lib) mkOption types;
  svc = config.system.service;
 in {
  imports = [
    ../service-trigger
--- a/modules/cdc-ncm/wwan.nix
+++ b/modules/cdc-ncm/wwan.nix
@ -8,7 +8,7 @@
 }:
 { apn, username, password, authType }:
 let
-  inherit (liminix.services) oneshot;
+  inherit (liminix.services) bundle longrun oneshot;
  authTypeNum = if authType == "pap" then "1" else "2";
  chat = lib.escapeShellArgs [
    # Your usb modem thing might present as a tty that you run PPP
--- a/modules/dhcp6c/acquire-delegated-prefix.nix
+++ b/modules/dhcp6c/acquire-delegated-prefix.nix
@ -2,6 +2,7 @@
  writeFennel
 , linotify
 , anoia
 , lua
 , lualinux
 }:
 writeFennel "acquire-delegated-prefix" {
--- a/modules/dhcp6c/address.nix
+++ b/modules/dhcp6c/address.nix
@ -1,10 +1,12 @@
 {
  liminix
 , lib
 , callPackage
 }:
 { client, interface } :
 let
  inherit (liminix.services) longrun;
  inherit (lib) mkOption types;
  name = "dhcp6c.addr.${client.name}.${interface.name}";
  script = callPackage ./acquire-wan-address.nix {  };
 in longrun {
--- a/modules/dhcp6c/client.nix
+++ b/modules/dhcp6c/client.nix
@ -1,11 +1,13 @@
 {
  liminix
 , lib
 , odhcp6c
 , odhcp-script
 }:
 { interface } :
 let
  inherit (liminix.services) longrun;
  inherit (lib) mkOption types;
  name = "dhcp6c.${interface.name}";
 in longrun {
  inherit name;
--- a/modules/dhcp6c/default.nix
+++ b/modules/dhcp6c/default.nix
@ -12,6 +12,7 @@
 { lib, pkgs, config, ...}:
 let
  inherit (lib) mkOption types;
  inherit (pkgs.liminix.services) oneshot;
  inherit (pkgs) liminix;
 in
 {
--- a/modules/dhcp6c/prefix.nix
+++ b/modules/dhcp6c/prefix.nix
@ -1,10 +1,12 @@
 {
  liminix
 , lib
 , callPackage
 }:
 { client, interface } :
 let
  inherit (liminix.services) longrun;
  inherit (lib) mkOption types;
  name = "dhcp6c.prefix.${client.name}.${interface.name}";
  script = callPackage ./acquire-delegated-prefix.nix {  };
 in longrun {
--- a/modules/dnsmasq/service.nix
+++ b/modules/dnsmasq/service.nix
@ -18,7 +18,7 @@ let
  name = "${interface.name}.dnsmasq";
  inherit (liminix.services) longrun;
  inherit (lib) concatStrings concatStringsSep mapAttrsToList;
-  hostOpt = name : { mac, v4, v6, leasetime }:
+  hostOpt = name : { mac, v4, v6, leasetime } @ attrs:
    let v6s = concatStrings (map (a : ",[${a}]") v6);
    in "--dhcp-host=${mac},${v4}${v6s},${name},${builtins.toString leasetime}";
 in
--- a/modules/firewall/default.nix
+++ b/modules/firewall/default.nix
@ -8,6 +8,7 @@
 let
  inherit (lib) mkOption types;
  inherit (pkgs) liminix;
  inherit (pkgs.liminix.services) oneshot;
  kmodules = pkgs.kmodloader.override {
    inherit (config.system.outputs) kernel;
--- a/modules/firewall/service.nix
+++ b/modules/firewall/service.nix
@ -7,6 +7,8 @@
 { rules, extraRules }:
 let
  inherit (liminix.services) oneshot;
  inherit (liminix.lib) typeChecked;
  inherit (lib) mkOption types;
  script = firewallgen "firewall.nft" (lib.recursiveUpdate rules extraRules);
 in oneshot {
  name = "firewall";
--- a/modules/hardware.nix
+++ b/modules/hardware.nix
@ -6,9 +6,9 @@
 ## :file:`devices/manuf-model/default.nix`
-{ lib, ...}:
+{ lib, pkgs, config, ...}:
 let
-  inherit (lib) mkOption types ;
+  inherit (lib) mkEnableOption mkOption types isDerivation hasAttr ;
 in {
  options = {
    boot = {
--- a/modules/hostapd/service.nix
+++ b/modules/hostapd/service.nix
@ -8,6 +8,8 @@
 let
  inherit (liminix.services) longrun;
  inherit (lib) concatStringsSep mapAttrsToList;
  inherit (liminix.lib) typeChecked;
  inherit (lib) mkOption types;
  # This is not a friendly interface to configuring a wireless AP: it
  # just passes everything straight through to the hostapd config.
--- a/modules/ifwait/ifwait.nix
+++ b/modules/ifwait/ifwait.nix
@ -9,7 +9,7 @@ let
 in longrun {
  name = "ifwait.${interface.name}";
  buildInputs = [ service ];
-  restart-on-upgrade = true;
+  isTrigger = true;
  run = ''
    ${ifwait}/bin/ifwait -s ${service.name}  $(output ${interface} ifname) ${state}
  '';
--- a/modules/kernel/default.nix
+++ b/modules/kernel/default.nix
@ -5,9 +5,14 @@
 { lib, pkgs, config, ...}:
 let
-  inherit (lib) mkOption types ;
+  inherit (lib) mkEnableOption mkOption types isDerivation hasAttr ;
  inherit (pkgs.pseudofile) dir symlink;
  inherit (pkgs.liminix.networking) address interface;
  inherit (pkgs.liminix.services) bundle;
  inherit (pkgs) liminix;
  type_service = pkgs.liminix.lib.types.service;
  mergeConditionals = conf : conditions :
    # for each key in conditions, if it is present in conf
    # then merge the associated value into conf
--- a/modules/mdevd.nix
+++ b/modules/mdevd.nix
@ -1,4 +1,4 @@
-{ config, pkgs, ...} :
+{ config, pkgs, lib, ...} :
 let inherit (pkgs.liminix.services) oneshot longrun;
 in {
  config = {
--- a/modules/mount/default.nix
+++ b/modules/mount/default.nix
@ -7,6 +7,11 @@
 let
  inherit (lib) mkOption types;
  inherit (pkgs) liminix;
  mkBoolOption = description : mkOption {
    type = types.bool;
    inherit description;
    default = true;
  };
 in {
  options = {
--- a/modules/mount/service.nix
+++ b/modules/mount/service.nix
@ -5,7 +5,7 @@
 }:
 { partlabel, mountpoint, options, fstype }:
 let
-  inherit (liminix.services) oneshot;
+  inherit (liminix.services) longrun oneshot;
  device = "/dev/disk/by-partlabel/${partlabel}";
  name = "mount.${lib.strings.sanitizeDerivationName (lib.escapeURL mountpoint)}";
  options_string =
--- a/modules/network/address.nix
+++ b/modules/network/address.nix
@ -1,5 +1,6 @@
 {
  liminix
 , ifwait
 , serviceFns
 , lib
 }:
--- a/modules/network/forward.nix
+++ b/modules/network/forward.nix
@ -1,5 +1,7 @@
 {
  liminix
 , ifwait
 , serviceFns
 , lib
 }:
 { enableIPv4, enableIPv6 }:
--- a/modules/network/link.nix
+++ b/modules/network/link.nix
@ -1,5 +1,7 @@
 {
  liminix
 , ifwait
 , serviceFns
 , lib
 }:
 {
@ -9,7 +11,8 @@
 # if devpath is supplied, we rename the interface at that
 # path to have the specified name.
 let
-  inherit (liminix.services) oneshot;
+  inherit (liminix.services) longrun oneshot;
  inherit (lib) concatStringsSep;
  name = "${ifname}.link";
  rename = if devpath != null
           then ''
--- a/modules/network/route.nix
+++ b/modules/network/route.nix
@ -1,15 +1,15 @@
 {
  liminix
 , ifwait
 , serviceFns
 , lib
 }:
 { target, via, interface ? null, metric }:
 let
  inherit (liminix.services) oneshot;
  with_dev = if interface != null then "dev $(output ${interface} ifname)" else "";
  target_hash = builtins.substring 0 12 (builtins.hashString "sha256" target);
  via_hash = builtins.substring 0 12 (builtins.hashString "sha256" via);
 in oneshot {
-  name = "route-${target_hash}-${builtins.substring 0 12 (builtins.hashString "sha256" "${via_hash}-${if interface!=null then interface.name else ""}")}";
+  name = "route-${target}-${builtins.substring 0 12 (builtins.hashString "sha256" "${via}-${if interface!=null then interface.name else ""}")}";
  up = ''
    ip route add ${target} via ${via} metric ${toString metric} ${with_dev}
  '';
--- a/modules/ntp/service.nix
+++ b/modules/ntp/service.nix
@ -1,6 +1,7 @@
 {
  liminix
 , chrony
 , serviceFns
 , lib
 , writeText
 }:
@ -8,6 +9,10 @@ params:
 let
  inherit (liminix.services) longrun;
  inherit (lib) concatStringsSep mapAttrsToList;
  inherit (liminix.lib) typeChecked;
  inherit (lib) mkOption types;
  serverOpts = types.listOf types.str;
  configFile = p:
    (mapAttrsToList (name: opts: "server ${name} ${concatStringsSep "" opts}")
      p.servers)
--- a/modules/outputs.nix
+++ b/modules/outputs.nix
@ -6,7 +6,7 @@
 }:
 let
  inherit (lib) mkOption types concatStringsSep;
-  inherit (pkgs) liminix writeText;
+  inherit (pkgs) liminix callPackage writeText;
  o = config.system.outputs;
 in
 {
--- a/modules/outputs/btrfs.nix
+++ b/modules/outputs/btrfs.nix
@ -5,7 +5,7 @@
 , ...
 }:
 let
-  inherit (lib) mkIf;
+  inherit (lib) mkIf mkOption types;
  o = config.system.outputs;
 in
 {
--- a/modules/outputs/ext4fs.nix
+++ b/modules/outputs/ext4fs.nix
@ -5,7 +5,7 @@
 , ...
 }:
 let
-  inherit (lib) mkIf;
+  inherit (lib) mkIf mkOption types;
  o = config.system.outputs;
 in
 {
--- a/modules/outputs/initramfs.nix
+++ b/modules/outputs/initramfs.nix
@ -6,7 +6,7 @@
 }:
 let
  inherit (lib) mkEnableOption mkOption mkIf types;
-  inherit (pkgs) runCommand;
+  inherit (pkgs) runCommand callPackage writeText;
 in
 {
  options = {
--- a/modules/outputs/jffs2.nix
+++ b/modules/outputs/jffs2.nix
@ -5,7 +5,7 @@
 , ...
 }:
 let
-  inherit (lib) mkIf;
+  inherit (lib) mkIf mkOption types;
  o = config.system.outputs;
 in
 {
--- a/modules/outputs/kexecboot.nix
+++ b/modules/outputs/kexecboot.nix
@ -5,7 +5,7 @@
 , ...
 }:
 let
-  inherit (lib) mkOption types concatStringsSep;
+  inherit (lib) mkOption mkForce types concatStringsSep;
 in {
  imports = [ ../ramdisk.nix ];
  options.system.outputs = {
@ -42,7 +42,8 @@ in {
      boot-sh =
        let
-          inherit (config.system.outputs) rootfs;
+          inherit (pkgs.lib.trivial) toHexString;
          inherit (config.system.outputs) rootfs kernel;
          cmdline = concatStringsSep " " config.boot.commandLine;
        in
          pkgs.buildPackages.runCommand "boot.sh.sh" {
--- a/modules/outputs/mbrimage.nix
+++ b/modules/outputs/mbrimage.nix
@ -5,7 +5,7 @@
 , ...
 }:
 let
-  inherit (lib) mkOption types;
+  inherit (lib) mkOption types concatStringsSep;
  o = config.system.outputs;
  phram_address = lib.toHexString (config.hardware.ram.startAddress + 256 * 1024 * 1024);
 in {
--- a/modules/outputs/tftpboot.nix
+++ b/modules/outputs/tftpboot.nix
@ -58,6 +58,7 @@ in {
    system.outputs = rec {
      tftpboot =
        let
          inherit (pkgs.lib.trivial) toHexString;
          o = config.system.outputs;
          image = let choices = {
            uimage = o.uimage;
--- a/modules/outputs/tplink-safeloader.nix
+++ b/modules/outputs/tplink-safeloader.nix
@ -5,7 +5,7 @@
 , ...
 }:
 let
-  inherit (lib) mkOption types;
+  inherit (lib) mkOption types concatStringsSep;
  o = config.system.outputs;
  cfg = config.tplink-safeloader;
 in {
--- a/modules/outputs/ubimage.nix
+++ b/modules/outputs/ubimage.nix
@ -5,7 +5,7 @@
 , ...
 }:
 let
-  inherit (lib) mkIf mkOption types;
+  inherit (lib) mkIf mkEnableOption mkOption types concatStringsSep;
  cfg = config.boot.tftp;
  instructions = pkgs.writeText "env.scr" ''
    setenv serverip ${cfg.serverip}
--- a/modules/outputs/ubivolume.nix
+++ b/modules/outputs/ubivolume.nix
@ -5,6 +5,7 @@
 , ...
 }:
 let
  inherit (pkgs) liminix;
  inherit (lib) mkIf mkOption types concatStringsSep optionalString;
 in
  {
--- a/modules/outputs/zyxel-nwa-fit.nix
+++ b/modules/outputs/zyxel-nwa-fit.nix
@ -5,7 +5,7 @@
 , ...
 }:
 let
-  inherit (lib) mkIf mkOption types;
+  inherit (lib) mkIf mkEnableOption mkOption types concatStringsSep;
  models = "6b e1 6f e1 ff ff ff ff ff ff";
 in {
  options.system.outputs = {
--- a/modules/ppp/l2tp.nix
+++ b/modules/ppp/l2tp.nix
@ -1,5 +1,8 @@
 {
  liminix
 , lib
 , ppp
 , pppoe
 , writeAshScript
 , writeText
 , serviceFns
--- a/modules/profiles/gateway.nix
+++ b/modules/profiles/gateway.nix
@ -2,7 +2,7 @@
 let
  svc = config.system.service;
  cfg = config.profile.gateway;
-  inherit (lib) mkOption mkEnableOption mkIf types;
+  inherit (lib) mkOption mkEnableOption mkIf mdDoc types optional optionals;
  inherit (pkgs) liminix serviceFns;
  inherit (liminix.services) bundle oneshot;
  hostaps =
--- a/modules/profiles/wap.nix
+++ b/modules/profiles/wap.nix
@ -5,9 +5,9 @@
  ...
 }: let
  inherit (pkgs) liminix;
-  inherit (lib) mkOption types ;
+  inherit (lib) mkEnableOption mkOption types isDerivation hasAttr ;
-  inherit (pkgs.liminix.services) oneshot target;
+  inherit (pkgs.liminix.services) oneshot longrun bundle target;
  inherit (pkgs.pseudofile) dir symlink;
  inherit (pkgs) serviceFns;
  svc = config.system.service;
--- a/modules/ramdisk.nix
+++ b/modules/ramdisk.nix
@ -1,10 +1,11 @@
 {
  config
 , pkgs
 , lib
 , ...
 }:
 let
-  inherit (lib) mkIf mkEnableOption; # types concatStringsSep;
+  inherit (lib) mkIf mkEnableOption mkOption; # types concatStringsSep;
 in {
  options = {
    boot = {
--- a/modules/schnapps/default.nix
+++ b/modules/schnapps/default.nix
@ -1,4 +1,4 @@
-{ config, pkgs, ... } :
+{ config, pkgs, lib, ... } :
 {
  config = {
    programs.busybox = {
--- a/modules/service-trigger/rule.nix
+++ b/modules/service-trigger/rule.nix
@ -1,6 +1,7 @@
 {
  liminix
 , uevent-watch
 , serviceFns
 , lib }:
 {
  serviceName, terms, symlink
@ -18,6 +19,6 @@ let
  termsString = stringify terms;
 in longrun {
  name = "watch-for-${serviceName}";
-  restart-on-upgrade = true;
+  isTrigger = true;
  run = "${uevent-watch}/bin/uevent-watch ${if symlink != null then "-n ${symlink}" else ""} -s ${serviceName} ${termsString}";
 }
--- a/modules/ssh/ssh.nix
+++ b/modules/ssh/ssh.nix
@ -1,6 +1,7 @@
 {
  liminix
 , dropbear
 , serviceFns
 , lib
 }:
 p :
--- a/modules/usb.nix
+++ b/modules/usb.nix
@ -1,7 +1,7 @@
 # support for USB block devices and the common filesystems
 # they're likely to provide
-{ config, ... }:
+{lib, config, ... }:
 {
  kernel = {
    config = {
--- a/modules/users.nix
+++ b/modules/users.nix
@ -16,7 +16,7 @@ let
  inherit (lib)
    concatStrings concatStringsSep mapAttrsToList mkOption types;
  inherit (builtins) toString;
-  inherit (pkgs.pseudofile) dir;
+  inherit (pkgs.pseudofile) dir symlink;
  passwd-file  =
    let lines =  mapAttrsToList (name: u: "${name}:${if u ? passwd  then u.passwd else "!!"}:${toString u.uid}:${toString u.gid}:${u.gecos}:${u.dir}:${u.shell}\n" )
      config.users;
--- a/modules/vlan/default.nix
+++ b/modules/vlan/default.nix
@ -13,6 +13,7 @@
 { lib, pkgs, config, ...}:
 let
  inherit (lib) mkOption types;
  inherit (pkgs.liminix.services) oneshot;
  inherit (pkgs) liminix;
 in
 {
--- a/modules/wlan.nix
+++ b/modules/wlan.nix
@ -1,5 +1,6 @@
 { lib, pkgs, config, ...}:
 let
  inherit (lib) mkEnableOption mkOption types isDerivation hasAttr ;
  inherit (pkgs.pseudofile) dir symlink;
  inherit (pkgs) stdenv wireless-regdb;
  regulatory = stdenv.mkDerivation {
--- a/modules/zyxel-dual-image/service.nix
+++ b/modules/zyxel-dual-image/service.nix
@ -3,7 +3,7 @@
 , lib
 , zyxel-bootconfig
 }:
-{ ensureActiveImage, bootConfigurationMtdPartition, kernelCommandLineSource }:
+{ ensureActiveImage, primaryMtdPartition, secondaryMtdPartition, bootConfigurationMtdPartition, kernelCommandLineSource }:
 let
  inherit (liminix.services) oneshot;
  activeImageIndex = if ensureActiveImage == "primary" then 0 else 1;
--- a/pkgs/devout/default.nix
+++ b/pkgs/devout/default.nix
@ -1,4 +1,6 @@
-{ nellie
+{
  lua
 , nellie
 , writeFennel
 , anoia
 , fennel
--- a/pkgs/fennelrepl/default.nix
+++ b/pkgs/fennelrepl/default.nix
@ -1,4 +1,9 @@
-{ lib
+{
  runCommand
 , runtimeShell
 , fetchurl
 , lib
 , luaPackages
 , lua
 , lualinux
 , writeScriptBin
--- a/pkgs/firewallgen/default.nix
+++ b/pkgs/firewallgen/default.nix
@ -7,8 +7,8 @@ name : ruleset :
 let
  inherit (lib.strings) concatStringsSep splitString hasInfix substring;
  inherit (lib.lists) groupBy;
-  inherit (lib.attrsets) mapAttrsToList;
+  inherit (lib.attrsets) mapAttrsToList nameValuePair;
-  inherit (builtins) map head tail;
+  inherit (builtins) map listToAttrs replaceStrings head tail;
  indentLines = offset : lines :
    if lines == []
@ -31,7 +31,7 @@ let
  indent = text : indentLines 0 (splitString "\n" text);
-  dochain = { name, type, rules,
+  dochain = { name, type, family, rules,
              policy ? null,
              priority ? "filter",
              hook ? null } : ''
--- a/pkgs/ifwait/default.nix
+++ b/pkgs/ifwait/default.nix
@ -1,4 +1,6 @@
-{ netlink-lua
+{
  lua
 , netlink-lua
 , writeFennelScript
 , runCommand
 , anoia
--- a/pkgs/kernel-backport/default.nix
+++ b/pkgs/kernel-backport/default.nix
@ -3,7 +3,9 @@
 , python2
 , which
 , fetchgit
 , fetchpatch
 , fetchFromGitHub
 , autoreconfHook
 , coccinelle
 }:
 let
--- a/pkgs/kernel/default.nix
+++ b/pkgs/kernel/default.nix
@ -1,5 +1,6 @@
 {  stdenv
 , buildPackages
 , runCommand
 , writeText
 , lib
--- a/pkgs/liminix-tools/builders/squashfs.nix
+++ b/pkgs/liminix-tools/builders/squashfs.nix
@ -1,4 +1,7 @@
-{ buildPackages
+{
  stdenv
 , busybox
 , buildPackages
 , callPackage
 , pseudofile
 , runCommand
--- a/pkgs/liminix-tools/services/default.nix
+++ b/pkgs/liminix-tools/services/default.nix
@ -1,11 +1,14 @@
 {
  stdenvNoCC
 , s6-rc
 , s6
 , lib
 , callPackage
 , writeScript
 , serviceFns
 }:
 let
  inherit (builtins) concatStringsSep any map;
  prefix = "/run/services/outputs";
  output = service: name: "${prefix}/${service.name}/${name}";
  serviceScript = commands : ''
@ -25,6 +28,7 @@ let
    , up ? null
    , down ? null
    , finish ? null
    , outputs ? []
    , notification-fd ? null
    , producer-for ? null
    , consumer-for ? null
@ -34,15 +38,15 @@ let
    , dependencies ? []
    , contents ? []
    , buildInputs ? []
-    , restart-on-upgrade ? false
+    , isTrigger ? false
    , controller ? null
-  }:
+  } @ args:
    stdenvNoCC.mkDerivation {
      # we use stdenvNoCC to avoid generating derivations with names
      # like foo.service-mips-linux-musl
      inherit name serviceType up down run finish notification-fd
-        producer-for consumer-for pipeline-name timeout-up timeout-down
+        producer-for consumer-for pipeline-name timeout-up timeout-down;
-        restart-on-upgrade;
+      restart-on-upgrade = isTrigger;
      buildInputs = buildInputs ++ dependencies ++ contents ++ lib.optional (controller != null) controller;
      inherit controller dependencies contents;
      builder = ./builder.sh;
@ -51,7 +55,9 @@ let
  longrun = {
    name
    , run
    , outputs ? []
    , notification-fd ? null
    , dependencies ? []
    , buildInputs ? []
    , ...
  } @ args:
@ -75,6 +81,8 @@ let
    name
    , up
    , down ? ""
    , outputs ? []
    , dependencies ? []
    , ...
  } @ args : service (args  // {
    serviceType = "oneshot";
@ -83,7 +91,9 @@ let
      "${name}-down"
      "${serviceScript down}\n${cleanupScript name}";
  });
-  bundle = { contents ? []
+  bundle = {
    name
    , contents ? []
    , dependencies ? []
    , ...
  } @ args: service (args // {
--- a/pkgs/linotify/default.nix
+++ b/pkgs/linotify/default.nix
@ -1,4 +1,4 @@
-{ lua, fetchFromGitHub }:
+{ lua, lib, fetchFromGitHub }:
 let pname = "linotify";
 in lua.pkgs.buildLuaPackage {
  inherit pname;
--- a/pkgs/lualinux/default.nix
+++ b/pkgs/lualinux/default.nix
@ -1,4 +1,4 @@
-{ lua, fetchFromGitHub }:
+{ lua, lib, fetchFromGitHub }:
 let
  pname = "lualinux";
  src = fetchFromGitHub {
--- a/pkgs/mac80211/default.nix
+++ b/pkgs/mac80211/default.nix
@ -22,7 +22,7 @@ let
    rev = "a5265497a4f6da158e95d6a450cb2cb6dc085cab";
    hash = "sha256-YYi4gkpLjbOK7bM2MGQjAyEBuXJ9JNXoz/JEmYf8xE8=";
  };
-  inherit (liminix.services) oneshot;
+  inherit (liminix.services) oneshot longrun;
  inherit (lib.lists) foldl;
  configs = {
    ath9k.kconfig = {
--- a/pkgs/min-collect-garbage/default.nix
+++ b/pkgs/min-collect-garbage/default.nix
@ -1,8 +1,12 @@
 {
  stdenv
 , nix
 , cpio
 , openssh
 }: stdenv.mkDerivation {
  name = "min-collect-garbage";
  buildInputs = [ ];
 #  propagatedBuildInputs = [ openssh ];
  src = ./.;
  makeFlags = [ "min-list-garbage" ];
  installPhase = ''
--- a/pkgs/minisock/default.nix
+++ b/pkgs/minisock/default.nix
@ -1,4 +1,4 @@
-{ lua, fetchFromGitHub }:
+{ lua, lib, fetchFromGitHub }:
 let
  pname = "minisock";
  src = fetchFromGitHub {
--- a/pkgs/nellie/default.nix
+++ b/pkgs/nellie/default.nix
@ -1,4 +1,4 @@
-{ lua, stdenv }:
+{ lua, lib, fetchpatch, fetchFromGitHub, stdenv }:
 let pname = "nellie";
 in lua.pkgs.buildLuaPackage {
--- a/pkgs/netlink-lua/default.nix
+++ b/pkgs/netlink-lua/default.nix
@ -1,4 +1,4 @@
-{ lua, fetchFromGitHub, libmnl }:
+{ lua, lib, fetchpatch, fetchFromGitHub, libmnl }:
 let pname = "netlink";
 in lua.pkgs.buildLuaPackage {
  inherit pname;
--- a/pkgs/odhcp-script/default.nix
+++ b/pkgs/odhcp-script/default.nix
@ -1,6 +1,7 @@
 {
  writeFennelScript
 , anoia
 , lua
 , lualinux
 }:
 writeFennelScript  "odhcpc-script" [anoia lualinux] ./odhcp6-script.fnl
--- a/pkgs/odhcp6c/default.nix
+++ b/pkgs/odhcp6c/default.nix
@ -1,4 +1,5 @@
 { stdenv
 , buildPackages
 , cmake
 , fetchFromGitHub
 , ...} :
--- a/pkgs/openwrt/default.nix
+++ b/pkgs/openwrt/default.nix
@ -1,5 +1,6 @@
 {
  fetchFromGitHub
 , writeShellScript
 , pkgsBuildBuild
 }:
 let
--- a/pkgs/pppoe/default.nix
+++ b/pkgs/pppoe/default.nix
@ -2,6 +2,8 @@
 , stdenv
 , fetchFromGitHub
 , ppp } :
 let
 in
 stdenv.mkDerivation rec {
  pname = "rp-pppoe";
  version = "3.15";
--- a/pkgs/preinit/default.nix
+++ b/pkgs/preinit/default.nix
@ -1,7 +1,14 @@
 {
  stdenv
 , fetchzip
 , gdb
 }:
 let kernel = fetchzip {
      name = "linux";
      url = "https://cdn.kernel.org/pub/linux/kernel/v5.x/linux-5.15.71.tar.gz";
      hash = "sha256-pq6QNa0PJVeheaZkuvAPD0rLuEeKrViKk65dz+y4kqo=";
    };
 in
 stdenv.mkDerivation {
  name = "preinit";
  src = ./.;
--- a/pkgs/service-fns/default.nix
+++ b/pkgs/service-fns/default.nix
@ -1,18 +1,6 @@
 {writeText}:
 writeText "service-fns.sh" ''
  output() { cat $1/.outputs/$2; }
  output_word() {
    set -f
    local i=1
    for var in $(cat $1/.outputs/$2); do
      if test "$i" == "$3" ; then
        echo $var
      fi
      i=$(expr $i + 1)
    done
    set +f
  }
  output_path() { echo $(realpath $1/.outputs)/$2; }
  SERVICE_OUTPUTS=/run/services/outputs
  SERVICE_STATE=/run/services/state
--- a/pkgs/tufted/default.nix
+++ b/pkgs/tufted/default.nix
@ -1,6 +1,7 @@
 {
  lua5_3
 , stdenv
 , fetchFromGitHub
 , makeWrapper
 } :
 let
--- a/Show More
+++ b/Show More