disable security for bordervm "liminix" share

tftp needs to be able to follow symlinks into the store

NEWS

@@ -83,4 +83,23 @@ sponsoring this development (and funding the hardware)
 2024-02-21
 
 New port! Thanks to Raito Bezarius, Liminix now runs on the Zyxel NWA50AX,
-an MT7621 (MIPS EL) dual radio WiFi AP. 
+an MT7621 (MIPS EL) dual radio WiFi AP.
+
+2024-04-29
+
+The setup for using `levitate` has changed: now it accepts an entire
+config fragment, not just a list of services.  Hopefully this makes it
+a bit more useful :-)
+
+  defaultProfile.packages = with pkgs; [
+    ... 
+    (levitate.override {
+      config  = {
+        services = {
+          inherit (config.services) dhcpc sshd watchdog;
+        };
+        defaultProfile.packages = [ mtdutils ];
+        users.root.openssh.authorizedKeys.keys = secrets.root.keys;
+      };
+    })
+  ];

boot.expect

@@ -0,0 +1,20 @@
+# This is for use with minicom, but needs you to configure it to
+# use expect as its "Script program" instead of runscript.  Try
+# Ctrl+A O -> Filenames and paths -> D
+
+log_user 0
+log_file -a -open stderr
+set f [open "result/boot.scr"]
+send "version\r"
+set timeout 60
+while {[gets $f line] >= 0} {
+    puts stderr "next line $line\r"
+    puts stderr "waiting for prompt\r"	
+    expect {
+      "ath>" {}
+      "BusyBox" { puts stderr  "DONE"; exit 0 }
+    }
+    send "$line\r\n"
+}
+puts stderr "done\r\n"
+close $f

bordervm-configuration.nix

@@ -4,6 +4,10 @@ let
   inherit (lib) mkOption mkEnableOption mdDoc types optional optionals;
 in {
   options.bordervm = {
+    keys = mkOption {
+      type = types.listOf types.str;
+      default = [ ];
+    };
     l2tp = {
       host = mkOption {
         description = mdDoc ''
@@ -51,18 +55,17 @@ in {
     <nixpkgs/nixos/modules/virtualisation/qemu-vm.nix>
   ];
   config = {
-    boot.kernelParams = [
-      "loglevel=9"
-    ];
+    boot.kernelParams = [ "loglevel=9" ];
     systemd.services.pppoe =
-      let conf = pkgs.writeText "kpppoed.toml"
-        ''
-      interface_name = "eth1"
-      services = [ "myservice" ]
-      lns_ipaddr = "${cfg.l2tp.host}:${builtins.toString cfg.l2tp.port}"
-      ac_name = "kpppoed-1.0"
-    '';
-      in  {
+      let
+        conf = pkgs.writeText "kpppoed.toml" ''
+          interface_name = "eth1"
+          services = [ "myservice" ]
+          lns_ipaddr = "${cfg.l2tp.host}:${builtins.toString cfg.l2tp.port}"
+          ac_name = "kpppoed-1.0"
+        '';
+      in
+      {
         wantedBy = [ "multi-user.target" ];
         after = [ "network-online.target" ];
         serviceConfig = {
@@ -76,24 +79,36 @@ in {
       };
     };
     services.openssh.enable = true;
+    services.dnsmasq = {
+      enable = true;
+      resolveLocalQueries = false;
+      settings = {
+        # domain-needed = true;
+        dhcp-range = [ "10.0.0.10,10.0.0.240" ];
+        interface = "eth1";
+      };
+    };
+
     systemd.services.sshd.wantedBy = pkgs.lib.mkForce [ "multi-user.target" ];
 
     virtualisation = {
       qemu = {
-        networkingOptions = [];
-        options = [] ++
-          optional cfg.ethernet.pci.enable
-            "-device vfio-pci,host=${cfg.ethernet.pci.id}" ++
-          optionals cfg.ethernet.usb.enable [
+        networkingOptions = [ ];
+        options =
+          [ ]
+          ++ optional cfg.ethernet.pci.enable "-device vfio-pci,host=${cfg.ethernet.pci.id}"
+          ++ optionals cfg.ethernet.usb.enable [
             "-device usb-ehci,id=ehci"
             "-device usb-host,bus=ehci.0,vendorid=${cfg.ethernet.usb.vendor},productid=${cfg.ethernet.usb.product}"
-          ] ++ [
+          ]
+          ++ [
             "-nographic"
             "-serial mon:stdio"
           ];
       };
       sharedDirectories = {
         liminix = {
+          securityModel = "none";
           source = builtins.toString ./.;
           target = "/home/liminix/liminix";
         };
@@ -108,6 +123,7 @@ in {
             tufted
             iptables
             usbutils
+            busybox
           ];
     security.sudo.wheelNeedsPassword = false;
     networking = {
@@ -117,11 +133,17 @@ in {
         useDHCP = false;
         ipv4.addresses = [ { address = "10.0.0.1"; prefixLength = 24;}];
       };
+      nat = {
+        enable = true;
+        internalInterfaces = [ "eth1" ];
+        externalInterface = "eth0";
+      };
     };
     users.users.liminix = {
       isNormalUser = true;
       uid = 1000;
-      extraGroups = [ "wheel"];
+      extraGroups = [ "wheel" ];
+      openssh.authorizedKeys.keys = cfg.keys;
     };
     services.getty.autologinUser = "liminix";
   };

bordervm.conf-example.nix

@@ -1,8 +1,12 @@
-{...}:
+{ ... }:
 {
   bordervm = {
     # ethernet.pci = { id = "01:00.0"; enable = true; };
-    ethernet.usb = { vendor = "0x0bda"; product = "0x8153"; enable = true; };
+    ethernet.usb = {
+      vendor = "0x0bda";
+      product = "0x8153";
+      enable = true;
+    };
     l2tp = {
       host = "l2tp.aa.net.uk";
     };

ci.nix

@@ -1,12 +1,12 @@
 {
-  nixpkgs
-, unstable
-, liminix
-, ... }:
+  nixpkgs,
+  unstable,
+  liminix,
+  ...
+}:
 let
-  inherit (builtins) map;
-  pkgs = (import nixpkgs {});
-  borderVmConf =  ./bordervm.conf-example.nix;
+  pkgs = (import nixpkgs { });
+  borderVmConf = ./bordervm.conf-example.nix;
   inherit (pkgs.lib.attrsets) genAttrs;
   devices = [
     "gl-ar750"
@@ -27,33 +27,35 @@ let
     }).outputs.default;
   tests = import ./tests/ci.nix;
   jobs =
-    (genAttrs devices for-device) //
-    tests //
-    {
-      buildEnv = (import liminix {
-        inherit nixpkgs borderVmConf;
-        device = import (liminix + "/devices/qemu");
-        liminix-config = vanilla;
-      }).buildEnv;
+    (genAttrs devices for-device)
+    // tests
+    // {
+      buildEnv =
+        (import liminix {
+          inherit nixpkgs borderVmConf;
+          device = import (liminix + "/devices/qemu");
+          liminix-config = vanilla;
+        }).buildEnv;
       doc =
-        let json =
-              (import liminix {
-                inherit nixpkgs borderVmConf;
-                device = import (liminix + "/devices/qemu");
-                liminix-config = {...} : {
+        let
+          json =
+            (import liminix {
+              inherit nixpkgs borderVmConf;
+              device = import (liminix + "/devices/qemu");
+              liminix-config =
+                { ... }:
+                {
                   imports = [ ./modules/all-modules.nix ];
                 };
-              }).outputs.optionsJson;
-            installers = map (f: "system.outputs.${f}") [
-              "vmroot"
-              "mtdimage"
-              "ubimage"
-            ];
-            inherit (pkgs.lib) concatStringsSep;
-        in pkgs.stdenv.mkDerivation {
+            }).outputs.optionsJson;
+        in
+        pkgs.stdenv.mkDerivation {
           name = "liminix-doc";
           nativeBuildInputs = with pkgs; [
-            gnumake sphinx fennel luaPackages.lyaml
+            gnumake
+            sphinx
+            fennel
+            luaPackages.lyaml
           ];
           src = ./.;
           buildPhase = ''

default.nix

@@ -1,31 +1,39 @@
 {
-  device
-, liminix-config ? <liminix-config>
-, nixpkgs ? <nixpkgs>
-, borderVmConf ? ./bordervm.conf.nix
-, imageType ? "primary"
+  deviceName ? null,
+  device ? (import ./devices/${deviceName}),
+  liminix-config ? <liminix-config>,
+  nixpkgs ? <nixpkgs>,
+  borderVmConf ? ./bordervm.conf.nix,
+  imageType ? "primary",
 }:
 
 let
   overlay = import ./overlay.nix;
-  pkgs = import nixpkgs (device.system // {
-    overlays = [overlay];
-    config = {
-      allowUnsupportedSystem = true; # mipsel
-      permittedInsecurePackages = [
-        "python-2.7.18.6"       # kernel backports needs python <3
-        "python-2.7.18.7"
-      ];
-    };
-  });
+  pkgs = import nixpkgs (
+    device.system
+    // {
+      overlays = [ overlay ];
+      config = {
+        allowUnsupportedSystem = true; # mipsel
+        permittedInsecurePackages = [
+          "python-2.7.18.6" # kernel backports needs python <3
+          "python-2.7.18.7"
+        ];
+      };
+    }
+  );
 
   eval = pkgs.lib.evalModules {
+    specialArgs = {
+      modulesPath = builtins.toString ./modules;
+    };
     modules = [
       { _module.args = { inherit pkgs; inherit (pkgs) lim; }; }
       ./modules/hardware.nix
       ./modules/base.nix
       ./modules/busybox.nix
       ./modules/hostname.nix
+      ./modules/kernel
       device.module
       liminix-config
       ./modules/s6
@@ -41,7 +49,14 @@ let
   borderVm = ((import <nixpkgs/nixos/lib/eval-config.nix>) {
     system = builtins.currentSystem;
     modules = [
-      ({  ... } : { nixpkgs.overlays = [ overlay ]; })
+      {
+        nixpkgs.overlays = [
+          (final: prev: {
+            go-l2tp = final.callPackage ./pkgs/go-l2tp {};
+            tufted = final.callPackage ./pkgs/tufted {};
+          })
+        ];
+      }
       (import ./bordervm-configuration.nix)
       borderVmConf
     ];
@@ -72,6 +87,7 @@ in {
       min-copy-closure
       fennelrepl
       lzma
+      lua
     ];
   };
 }

devices/belkin-rt3200/default.nix

@@ -73,7 +73,7 @@
         MTK_INFRACFG = "y";
 
         MTK_PMIC_WRAP = "y";
-        MTK_EFUSE="y";
+        NVMEM_MTK_EFUSE="y";
         # MTK_HSDMA="y";
         MTK_SCPSYS="y";
         MTK_SCPSYS_PM_DOMAINS="y";
@@ -92,7 +92,6 @@
 
         MEDIATEK_GE_PHY = "y";
         # MEDIATEK_MT6577_AUXADC = "y";
-        # MEDIATEK_WATCHDOG = "y";
         NET_MEDIATEK_SOC = "y";
         NET_MEDIATEK_SOC_WED = "y";
         NET_MEDIATEK_STAR_EMAC = "y"; # this enables REGMAP_MMIO
@@ -214,7 +213,6 @@
         networkInterfaces =
           let
             inherit (config.system.service.network) link;
-            inherit (config.system.service) bridge;
           in rec {
             wan = link.build { ifname = "wan"; };
             lan1 = link.build { ifname = "lan1"; };

devices/families/qemu.nix

@@ -23,12 +23,17 @@
         VIRTIO_BLK = "y";
         VIRTIO_NET = "y";
       };
+      conditionalConfig = {
+        WLAN= {
+          MAC80211_HWSIM = "m";
+        };
+      };
     };
     hardware =
       let
-        mac80211 =  pkgs.mac80211.override {
-          drivers = ["mac80211_hwsim"];
-          klibBuild = config.system.outputs.kernel.modulesupport;
+        mac80211 =  pkgs.kmodloader.override {
+          inherit (config.system.outputs) kernel;
+          targets = ["mac80211_hwsim"];
         };
       in {
         defaultOutput = "vmroot";

devices/gl-ar750/default.nix

@@ -92,7 +92,6 @@
         '';
       };
       inherit (pkgs.pseudofile) dir symlink;
-      inherit (pkgs.liminix.networking) interface;
     in {
       imports = [
         ../../modules/network
@@ -125,8 +124,14 @@
         networkInterfaces =
           let inherit (config.system.service.network) link;
           in {
-            lan = link.build { ifname = "eth0"; };
-            wan = link.build { ifname = "eth1"; };
+            lan = link.build {
+              ifname = "lan";
+              devpath = "/devices/platform/ahb/19000000.eth";
+            };
+            wan = link.build {
+              ifname = "wan";
+              devpath = "/devices/platform/ahb/1a000000.eth";
+            };
             wlan = link.build {
               ifname = "wlan0";
               dependencies = [ mac80211 ];
@@ -149,6 +154,7 @@
       };
       boot.tftp = {
         loadAddress = lim.parseInt "0x00A00000";
+        appendDTB = true;
       };
       kernel = {
         src = pkgs.pkgsBuildBuild.fetchurl {

devices/gl-mt300a/default.nix

@@ -45,7 +45,6 @@
 
   module = { pkgs, config, lib, lim, ...}:
     let
-      inherit (pkgs.liminix.networking) interface;
       inherit (pkgs) openwrt;
       mac80211 = pkgs.kmodloader.override {
         targets = ["rt2800soc"];
@@ -90,19 +89,6 @@
           let
             inherit (config.system.service.network) link;
             inherit (config.system.service) vlan;
-            inherit (pkgs.liminix.services) oneshot;
-            swconfig = oneshot {
-              name = "swconfig";
-              up = ''
-                PATH=${pkgs.swconfig}/bin:$PATH
-                swconfig dev switch0 set reset
-                swconfig dev switch0 set enable_vlan 1
-                swconfig dev switch0 vlan 1 set ports '1 2 3 4 6t'
-                swconfig dev switch0 vlan 2 set ports '0 6t'
-                swconfig dev switch0 set apply
-              '';
-              down = "${pkgs.swconfig}/bin/swconfig dev switch0 set reset";
-            };
           in rec {
             eth = link.build { ifname = "eth0"; };
             # lan and wan ports are both behind a switch on eth0
@@ -110,13 +96,11 @@
               ifname = "eth0.1";
               primary = eth;
               vid = "1";
-              dependencies =  [swconfig eth];
             };
             wan = vlan.build {
               ifname = "eth0.2";
               primary = eth;
               vid = "2";
-              dependencies =  [swconfig eth];
             };
             wlan = link.build {
               ifname = "wlan0";
@@ -126,7 +110,8 @@
       };
       boot.tftp = {
         loadAddress = lim.parseInt "0x00A00000";
-      };
+        appendDTB = true;
+     };
 
       kernel = {
         src = pkgs.fetchurl {
@@ -136,6 +121,7 @@
         };
         extraPatchPhase = ''
           ${openwrt.applyPatches.ramips}
+          ${openwrt.applyPatches.rt2x00}
         '';
         config = {
 

devices/gl-mt300n-v2/default.nix

@@ -38,7 +38,6 @@
 
   module = { pkgs, config, lib, lim, ...}:
     let
-      inherit (pkgs.liminix.networking) interface;
       inherit (pkgs.liminix.services) oneshot;
       inherit (pkgs.pseudofile) dir symlink;
       inherit (pkgs) openwrt;
@@ -97,7 +96,7 @@
                 swconfig dev switch0 vlan 2 set ports '0 6t'
                 swconfig dev switch0 set apply
               '';
-              down = "swconfig dev switch0 set reset";
+              down = "${pkgs.swconfig}/bin/swconfig dev switch0 set reset";
             };
           in rec {
             eth = link.build { ifname = "eth0"; dependencies =  [swconfig]; };
@@ -122,6 +121,7 @@
         # 20MB seems to give enough room to uncompress the kernel
         # without anything getting trodden on. 10MB was too small
         loadAddress = lim.parseInt "0x1400000";
+        appendDTB = true;
       };
 
       kernel = {

devices/qemu-aarch64/default.nix

@@ -26,7 +26,7 @@
   # this device is described by the "qemu" device
   installer = "vmroot";
 
-  module = {pkgs, config, lim, ... }: {
+  module = { config, lim, ... }: {
     imports = [
       ../../modules/arch/aarch64.nix
       ../families/qemu.nix

devices/qemu-armv7l/default.nix

@@ -24,7 +24,7 @@
   '';
   installer = "vmroot";
 
-  module = {pkgs, config, lim, ... }: {
+  module = { config, lim, ... }: {
     imports = [
       ../../modules/arch/arm.nix
       ../families/qemu.nix

devices/qemu/default.nix

@@ -36,7 +36,7 @@
     in the Development manual.
 
   '';
-  module = {pkgs, config, lib, lim, ... }: {
+  module = { config, lib, lim, ... }: {
     imports = [
       ../../modules/arch/mipseb.nix
       ../families/qemu.nix

devices/tp-archer-ax23/default.nix

@@ -419,7 +419,6 @@
           networkInterfaces =
             let
               inherit (config.system.service.network) link;
-              inherit (config.system.service) bridge;
             in rec {
               lan1 = link.build { ifname = "lan1"; };
               lan2 = link.build { ifname = "lan2"; };

devices/turris-omnia/default.nix

@@ -155,8 +155,6 @@
 
   module = {pkgs, config, lib, lim, ... }:
     let
-      openwrt = pkgs.openwrt;
-      inherit (lib) mkOption types;
       inherit (pkgs.liminix.services) oneshot;
       inherit (pkgs) liminix;
       mtd_by_name_links = pkgs.liminix.services.oneshot rec  {
@@ -358,7 +356,6 @@
           networkInterfaces =
             let
               inherit (config.system.service.network) link;
-              inherit (config.system.service) bridge;
             in rec {
               en70000 = link.build {
                 # in armada-38x.dtsi this is eth0.

devices/zyxel-nwa50ax/default.nix

@@ -103,8 +103,6 @@
 
   module = { pkgs, config, lib, lim, ...}:
     let
-      inherit (pkgs.liminix.networking) interface;
-      inherit (pkgs.liminix.services) oneshot;
       inherit (pkgs.pseudofile) dir symlink;
       inherit (pkgs) openwrt;
 

doc/extract-options.nix

@@ -1,11 +1,9 @@
 { eval, lib, pkgs }:
 let
-  inherit (lib) types;
   conf = eval.config;
   rootDir = builtins.toPath ./..;
-  stripAnyPrefixes = lib.flip (lib.fold lib.removePrefix)
-    ["${rootDir}/"];
-  optToDoc = name: opt : {
+  stripAnyPrefixes = lib.flip (lib.fold lib.removePrefix) [ "${rootDir}/" ];
+  optToDoc = name: opt: {
     inherit name;
     description = opt.description or null;
     default = opt.default or null;
@@ -26,7 +24,6 @@ let
           let x = lib.mapAttrsToList optToDoc sd.parameters; in x;
       }
     else
-      item // { declarations =  map stripAnyPrefixes item.declarations; };
+      item // { declarations = map stripAnyPrefixes item.declarations; };
 in
-builtins.map spliceServiceDefn
-  (pkgs.lib.optionAttrSetToDocList eval.options)
+builtins.map spliceServiceDefn (pkgs.lib.optionAttrSetToDocList eval.options)

doc/hardware.nix

@@ -1,24 +1,18 @@
-with import <nixpkgs> {} ;
+with import <nixpkgs> { };
 
 let
   inherit (builtins) stringLength readDir filter;
-  devices = filter (n: n != "families")
-    (lib.mapAttrsToList (n: t: n) (readDir ../devices));
-  texts = map (n:
-    let d = import  ../devices/${n}/default.nix;
-        d' = {
-          description = "${n}\n${substring 0 (stringLength n) "********************************"}\n";
-        } // d;
-        installer =
-          if d ? description && d ? installer
-          then ''
-
-            The default installation route for this device is
-            :ref:`system-outputs-${d.installer}`
-          ''
-          else "";
-    in d'.description)
-    devices;
+  devices = filter (n: n != "families") (lib.mapAttrsToList (n: t: n) (readDir ../devices));
+  texts = map (
+    n:
+    let
+      d = import ../devices/${n}/default.nix;
+      d' = {
+        description = "${n}\n${substring 0 (stringLength n) "********************************"}\n";
+      } // d;
+    in
+    d'.description
+  ) devices;
 in
 writeText "hwdoc" ''
   Supported hardware

examples/arhcive.nix

@@ -11,15 +11,15 @@
   ...
 }: let
   secrets = import ./extneder-secrets.nix;
-  inherit (pkgs.liminix.services) oneshot longrun bundle target;
+  inherit (pkgs.liminix.services) oneshot longrun target;
   inherit (pkgs.pseudofile) dir symlink;
-  inherit (pkgs) writeText dropbear ifwait serviceFns;
+  inherit (pkgs) writeText serviceFns;
   svc = config.system.service;
 in rec {
   boot = {
     tftp = {
-      serverip = "192.168.8.148";
-      ipaddr = "192.168.8.251";
+      serverip = "10.0.0.1";
+      ipaddr = "10.0.0.8";
     };
   };
 
@@ -28,34 +28,12 @@ in rec {
     ../modules/network
     ../modules/vlan
     ../modules/ssh
+    ../modules/usb.nix
     ../modules/watchdog
     ../modules/mount
   ];
   hostname = "arhcive";
 
-  kernel = {
-    config = {
-      USB = "y";
-      USB_EHCI_HCD = "y";
-      USB_EHCI_HCD_PLATFORM = "y";
-      USB_OHCI_HCD = "y";
-      USB_OHCI_HCD_PLATFORM = "y";
-      USB_SUPPORT = "y";
-      USB_COMMON = "y";
-      USB_STORAGE = "y";
-      USB_STORAGE_DEBUG = "n";
-      USB_UAS = "y";
-      USB_ANNOUNCE_NEW_DEVICES = "y";
-      SCSI = "y";
-      BLK_DEV_SD = "y";
-      USB_PRINTER = "y";
-      MSDOS_PARTITION = "y";
-      EFI_PARTITION = "y";
-      EXT4_FS = "y";
-      EXT4_USE_FOR_EXT2 = "y";
-      FS_ENCRYPTION = "y";
-    };
-  };
 
   services.dhcpc =
     let iface = config.hardware.networkInterfaces.lan;
@@ -105,7 +83,7 @@ in rec {
   };
 
   services.mount_external_disk = svc.mount.build {
-    device = "LABEL=backup-disk";
+    partlabel = "backup-disk";
     mountpoint = "/srv";
     fstype = "ext4";
   };
@@ -141,23 +119,37 @@ in rec {
         secrets_file
         services.mount_external_disk
         config.hardware.networkInterfaces.lan
-      ] ;
+      ];
     };
 
   users.root = {
     passwd = lib.mkForce secrets.root.passwd;
-    # openssh.authorizedKeys.keys = [
-    #   (builtins.readFile "/home/dan/.ssh/id_rsa.pub")
-    # ];
+    openssh.authorizedKeys.keys = secrets.root.keys;
   };
 
   users.backup = {
-    uid=500; gid=500; gecos="Storage owner"; dir="/srv";
-    shell="/dev/null";
+    uid = 500;
+    gid = 500;
+    gecos = "Storage owner";
+    dir = "/srv";
+    shell = "/dev/null";
   };
   groups.backup = {
-    gid=500; usernames = ["backup"];
+    gid = 500;
+    usernames = [ "backup" ];
   };
 
-  defaultProfile.packages = with pkgs; [e2fsprogs strace tcpdump ];
+  defaultProfile.packages = with pkgs; [
+    e2fsprogs
+    mtdutils
+    (levitate.override {
+      config = {
+        services = {
+          inherit (config.services) dhcpc sshd watchdog;
+        };
+        defaultProfile.packages = [ mtdutils ];
+        users.root.openssh.authorizedKeys.keys = secrets.root.keys;
+      };
+    })
+  ];
 }

examples/demo.nix

@@ -5,9 +5,9 @@
 # wherever the text "EDIT" appears - please consult the tutorial
 # documentation for details.
 
-{ config, pkgs, lib, ... } :
+{ config, pkgs, ... }:
 let
-  inherit (pkgs.liminix.services) bundle oneshot longrun;
+  inherit (pkgs.liminix.services) bundle oneshot;
   inherit (pkgs) serviceFns;
   # EDIT: you can pick your preferred RFC1918 address space
   # for NATted connections, if you don't like this one.
@@ -49,31 +49,40 @@ in rec {
       country_code = "GB";
       wpa_passphrase = "not a real wifi password";
 
-      hw_mode="g";
+      hw_mode = "g";
       ieee80211n = 1;
       auth_algs = 1; # 1=wpa2, 2=wep, 3=both
-      wpa = 2;       # 1=wpa, 2=wpa2, 3=both
+      wpa = 2; # 1=wpa, 2=wpa2, 3=both
       wpa_key_mgmt = "WPA-PSK";
-      wpa_pairwise = "TKIP CCMP";   # auth for wpa (may not need this?)
-      rsn_pairwise = "CCMP";        # auth for wpa2
+      wpa_pairwise = "TKIP CCMP"; # auth for wpa (may not need this?)
+      rsn_pairwise = "CCMP"; # auth for wpa2
       wmm_enabled = 1;
     };
   };
 
   services.int = svc.network.address.build {
     interface = svc.bridge.primary.build { ifname = "int"; };
-    family = "inet"; address = "${ipv4LocalNet}.1"; prefixLength = 16;
+    family = "inet";
+    address = "${ipv4LocalNet}.1";
+    prefixLength = 16;
   };
 
-  services.bridge =  svc.bridge.members.build {
+  services.bridge = svc.bridge.members.build {
     primary = services.int;
-    members = with config.hardware.networkInterfaces;
-      [ wlan lan ];
+    members = with config.hardware.networkInterfaces; [
+      wlan
+      lan
+    ];
   };
 
   services.ntp = svc.ntp.build {
-    pools = { "pool.ntp.org" = ["iburst"]; };
-    makestep = { threshold = 1.0; limit = 3; };
+    pools = {
+      "pool.ntp.org" = [ "iburst" ];
+    };
+    makestep = {
+      threshold = 1.0;
+      limit = 3;
+    };
   };
 
   services.sshd = svc.ssh.build { };
@@ -157,9 +166,7 @@ in rec {
     interface = services.wan;
   };
 
-  services.firewall = svc.firewall.build {
-    ruleset = import ./demo-firewall.nix;
-  };
+  services.firewall = svc.firewall.build { };
 
   services.packet_forwarding = svc.network.forward.build { };
 
@@ -196,7 +203,5 @@ in rec {
       ];
     };
 
-  defaultProfile.packages = with pkgs; [
-    min-collect-garbage
-  ];
+  defaultProfile.packages = with pkgs; [ min-collect-garbage ];
 }

examples/extneder.nix

@@ -8,9 +8,11 @@
   config,
   pkgs,
   lib,
+  modulesPath,
   ...
 }: let
   secrets = import ./extneder-secrets.nix;
+  svc = config.system.service;
 in rec {
   boot = {
     tftp = {
@@ -20,47 +22,13 @@ in rec {
   };
 
   imports = [
-    ../modules/profiles/wap.nix
-    ../modules/vlan
+    "${modulesPath}/profiles/wap.nix"
+    "${modulesPath}/vlan"
+    "${modulesPath}/ssh"
   ];
 
   hostname = "extneder";
 
-  kernel = {
-    config = {
-
-      NETFILTER_XT_MATCH_CONNTRACK = "y";
-
-      IP6_NF_IPTABLES = "y"; # do we still need these
-      IP_NF_IPTABLES = "y"; # if using nftables directly
-
-      # these are copied from rotuer and need review.
-      # we're not running a firewall, so why do we need
-      # nftables config?
-      IP_NF_NAT = "y";
-      IP_NF_TARGET_MASQUERADE = "y";
-      NETFILTER = "y";
-      NETFILTER_ADVANCED = "y";
-      NETFILTER_XTABLES = "y";
-
-      NFT_COMPAT = "y";
-      NFT_CT = "y";
-      NFT_LOG = "y";
-      NFT_MASQ = "y";
-      NFT_NAT = "y";
-      NFT_REJECT = "y";
-      NFT_REJECT_INET = "y";
-
-      NF_CONNTRACK = "y";
-      NF_NAT = "y";
-      NF_NAT_MASQUERADE = "y";
-      NF_TABLES = "y";
-      NF_TABLES_INET = "y";
-      NF_TABLES_IPV4 = "y";
-      NF_TABLES_IPV6 = "y";
-    };
-  };
-
   profile.wap = {
     interfaces =  with config.hardware.networkInterfaces; [
       lan
@@ -79,6 +47,7 @@ in rec {
     };
   };
 
+  services.sshd = svc.ssh.build {};
   users.root.passwd = lib.mkForce secrets.root.passwd;
   defaultProfile.packages = with pkgs; [nftables strace tcpdump swconfig];
 }

examples/hello-from-mt300.nix

@@ -1,6 +1,5 @@
-{ config, pkgs, lib, ... } :
+{ config, pkgs, ... } :
 let
-  inherit (pkgs) serviceFns;
   svc = config.system.service;
 
 in rec {

examples/hello-from-qemu.nix

@@ -1,6 +1,5 @@
-{ config, pkgs, lib, ... } :
+{ config, pkgs, ... } :
 let
-  inherit (pkgs) serviceFns;
   svc = config.system.service;
 
 in rec {

examples/l2tp.nix

@@ -0,0 +1,141 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}: let
+  secrets = import ./extneder-secrets.nix;
+  rsecrets = import ./rotuer-secrets.nix;
+
+  # https://support.aa.net.uk/Category:Incoming_L2TP says:
+  # "Please use the DNS name (l2tp.aa.net.uk) instead of hardcoding an
+  # IP address; IP addresses can and do change. If you have to use an
+  # IP, use 194.4.172.12, but do check the DNS for l2tp.aa.net.uk in
+  # case it changes."
+
+  # but (1) we don't want to use the wwan stick's dns as our main
+  # resolver: it's provided by some mobile ISP and they aren't
+  # necessarily the best at providing unfettered services without
+  # deciding to do something weird; (2) it's not simple to arrange
+  # that xl2tpd gets a different resolver than every other process;
+  # (3) there's no way to specify an lns address to xl2tpd at runtime
+  # except by rewriting its config file. So what we will do is lookup
+  # the lns hostname using the mobile ISP's dns server and then refuse
+  # to start l2tp unless the expected lns address is one of the
+  # addresses returned. I think this satisfies "do check the DNS"
+
+  lns = { hostname = "l2tp.aaisp.net.uk"; address = "194.4.172.12"; };
+
+  inherit (pkgs.liminix.services) oneshot target;
+  inherit (pkgs.pseudofile) dir symlink;
+  inherit (pkgs) serviceFns;
+  svc = config.system.service;
+in rec {
+  boot = {
+    tftp = {
+      serverip = "10.0.0.1";
+      ipaddr = "10.0.0.8";
+    };
+  };
+
+  imports = [
+    ../modules/cdc-ncm
+    ../modules/network
+    ../modules/vlan
+    ../modules/ssh
+    ../modules/usb.nix
+    ../modules/watchdog
+    ../modules/mount
+    ../modules/ppp
+  ];
+  hostname = "thing";
+
+  services.wwan = svc.wwan.build {
+    apn = "data.uk";
+    username = "user";
+    password = "one2one";
+    authType = "chap";
+  };
+
+  services.dhcpc = svc.network.dhcp.client.build {
+    interface = config.services.wwan;
+    dependencies = [ config.services.hostname ];
+  };
+
+  services.sshd = svc.ssh.build { };
+
+  services.resolvconf = oneshot rec {
+    dependencies = [ services.l2tp ];
+    name = "resolvconf";
+    up = ''
+      . ${serviceFns}
+       ( in_outputs ${name}
+        for i in ns1 ns2 ; do
+          ns=$(output ${services.l2tp} $i)
+          echo "nameserver $ns" >> resolv.conf
+        done
+       )
+    '';
+  };
+  filesystem = dir {
+    etc = dir {
+      "resolv.conf" = symlink "${services.resolvconf}/.outputs/resolv.conf";
+    };
+  };
+
+  services.lns-address = let
+    ns = "$(output_word ${services.dhcpc} dns 1)";
+    route-to-bootstrap-nameserver = svc.network.route.build {
+      via = "$(output ${services.dhcpc} router)";
+      target = ns;
+      dependencies = [services.dhcpc];
+    };
+  in oneshot rec {
+    name = "resolve-l2tp-server";
+    dependencies = [ services.dhcpc route-to-bootstrap-nameserver ];
+    up = ''
+      (in_outputs ${name}
+       DNSCACHEIP="${ns}" ${pkgs.s6-dns}/bin/s6-dnsip4 ${lns.hostname} \
+        > addresses
+      )
+    '';
+  };
+
+  services.l2tp =
+    let
+      check-address = oneshot rec {
+        name = "check-lns-address";
+        up = ''
+          grep -Fx ${lns.address} $(output_path ${services.lns-address} addresses)
+        '';
+        dependencies = [ services.lns-address ];
+      };
+      route = svc.network.route.build {
+        via = "$(output ${services.dhcpc} router)";
+        target = lns.address;
+        dependencies = [services.dhcpc check-address];
+      };
+    in svc.l2tp.build {
+      lns = lns.address;
+      ppp-options = [
+        "debug" "+ipv6" "noauth"
+        "name" rsecrets.l2tp.name
+        "connect-delay" "5000"
+        "password" rsecrets.l2tp.password
+      ];
+      dependencies = [config.services.lns-address route check-address];
+  };
+
+  services.defaultroute4 = svc.network.route.build {
+    via = "$(output ${services.l2tp} peer-address)";
+    target = "default";
+    dependencies = [services.l2tp];
+  };
+
+#  defaultProfile.packages = [ pkgs.go-l2tp ];
+
+  users.root = {
+    passwd = lib.mkForce secrets.root.passwd;
+    openssh.authorizedKeys.keys = secrets.root.keys;
+  };
+}

examples/nwa50ax-ap.nix

@@ -1,7 +1,6 @@
 { config, pkgs, ... } :
 let
-  inherit (pkgs.liminix.services) oneshot longrun bundle target;
-  inherit (pkgs) writeText;
+  inherit (pkgs.liminix.services) target;
   svc = config.system.service;
   secrets-1 = {
     ssid = "Zyxel 2G (N)";

examples/recovery.nix

@@ -3,8 +3,8 @@ let
   inherit (pkgs) serviceFns;
   svc = config.system.service;
   inherit (pkgs.pseudofile) dir symlink;
-  inherit (pkgs.liminix.services) oneshot longrun bundle target;
-  some-util-linux = pkgs.runCommand "some-util-linux" {} ''
+  inherit (pkgs.liminix.services) oneshot target;
+  some-util-linux = pkgs.runCommand "some-util-linux" { } ''
     mkdir -p $out/bin
     cd ${pkgs.util-linux-small}/bin
     cp fdisk sfdisk mkswap $out/bin
@@ -53,7 +53,7 @@ in rec {
   services.defaultroute4 = svc.network.route.build {
     via = "$(output ${services.dhcpc} router)";
     target = "default";
-    dependencies = [services.dhcpc];
+    dependencies = [ services.dhcpc ];
   };
 
   services.resolvconf = oneshot rec {

examples/rotuer-secrets.example.nix

@@ -8,12 +8,10 @@
   root = {
     #  mkpasswd -m sha512crypt
     passwd = "$6$6pt0mpbgcB7kC2RJ$kSBoCYGyi1.qxt7dqmexLj1l8E6oTZJZmfGyJSsMYMW.jlsETxdgQSdv6ptOYDM7DHAwf6vLG0pz3UD31XBfC1";
-    openssh.authorizedKeys.keys = [
-    ];
+    openssh.authorizedKeys.keys = [ ];
   };
 
   lan = {
     prefix = "10.8.0";
   };
-
 }

examples/rotuer.nix

@@ -6,23 +6,16 @@
 # problems.
 
 
-{ config, pkgs, lib, ... } :
+{ config, pkgs, lib, modulesPath, ... } :
 let
   secrets = {
     domainName = "fake.liminix.org";
-    firewallRules = {};
+    firewallRules = { };
   } // (import ./rotuer-secrets.nix);
-  inherit (pkgs.liminix.services) oneshot longrun bundle;
-  inherit (pkgs) serviceFns;
   svc = config.system.service;
-  wirelessConfig =  {
+  wirelessConfig = {
     country_code = "GB";
     inherit (secrets) wpa_passphrase;
-    auth_algs = 1; # 1=wpa2, 2=wep, 3=both
-    wpa = 2;       # 1=wpa, 2=wpa2, 3=both
-    wpa_key_mgmt = "WPA-PSK";
-    wpa_pairwise = "TKIP CCMP";   # auth for wpa (may not need this?)
-    rsn_pairwise = "CCMP";        # auth for wpa2
     wmm_enabled = 1;
   };
 
@@ -36,65 +29,62 @@ in rec {
   };
 
   imports = [
-    ../modules/wlan.nix
-    ../modules/network
-    ../modules/ppp
-    ../modules/dnsmasq
-    ../modules/dhcp6c
-    ../modules/firewall
-    ../modules/hostapd
-    ../modules/bridge
-    ../modules/ntp
-    ../modules/schnapps
-    ../modules/ssh
-    ../modules/outputs/btrfs.nix
-    ../modules/outputs/extlinux.nix
+    "${modulesPath}/profiles/gateway.nix"
+    "${modulesPath}/schnapps"
+    "${modulesPath}/outputs/btrfs.nix"
+    "${modulesPath}/outputs/extlinux.nix"
   ];
   hostname = "rotuer";
   rootfsType = "btrfs";
   rootOptions = "subvol=@";
   boot.loader.extlinux.enable = true;
 
-  services.hostap = svc.hostapd.build {
-    interface = config.hardware.networkInterfaces.wlan;
-    params = {
-      ssid = secrets.ssid;
-      hw_mode="g";
-      channel = "2";
-      ieee80211n = 1;
-    } // wirelessConfig;
-  };
-
-  services.hostap5 = svc.hostapd.build {
-    interface = config.hardware.networkInterfaces.wlan5;
-    params = rec {
-      ssid = "${secrets.ssid}5";
-      hw_mode="a";
-      channel = 36;
-      ht_capab = "[HT40+]";
-      vht_oper_chwidth = 1;
-      vht_oper_centr_freq_seg0_idx = channel + 6;
-      ieee80211n = 1;
-      ieee80211ac = 1;
-    } // wirelessConfig;
-  };
-
-  services.int = svc.network.address.build {
-    interface = svc.bridge.primary.build { ifname = "int"; };
-    family = "inet"; address ="${secrets.lan.prefix}.1"; prefixLength = 24;
-  };
-
-  services.bridge =  svc.bridge.members.build {
-    primary = services.int;
-    members = with config.hardware.networkInterfaces;
-      [ wlan
-        wlan5
-        lan0
-        lan1
-        lan2
-        lan3
-        lan4
-      ];
+  profile.gateway = {
+    lan = {
+      interfaces =  with config.hardware.networkInterfaces;
+        [
+          wlan wlan5
+          lan0 lan1 lan2 lan3 lan4
+        ];
+      inherit (secrets.lan) prefix;
+      address = {
+        family = "inet"; address ="${secrets.lan.prefix}.1"; prefixLength = 24;
+      };
+      dhcp = {
+        start = 10;
+        end = 240;
+        hosts = { } // lib.optionalAttrs (builtins.pathExists ./static-leases.nix) (import ./static-leases.nix);
+        localDomain = "lan";
+      };
+    };
+    wan = {
+      interface = config.hardware.networkInterfaces.wan;
+      username = secrets.l2tp.name;
+      password = secrets.l2tp.password;
+      dhcp6.enable = true;
+    };
+    firewall = {
+      enable = true;
+      rules = secrets.firewallRules;
+    };
+    wireless.networks = {
+      "${secrets.ssid}" = {
+        interface = config.hardware.networkInterfaces.wlan;
+        hw_mode = "g";
+        channel = "2";
+        ieee80211n = 1;
+      } // wirelessConfig;
+      "${secrets.ssid}5" = rec {
+        interface = config.hardware.networkInterfaces.wlan5;
+        hw_mode = "a";
+        channel = 36;
+        ht_capab = "[HT40+]";
+        vht_oper_chwidth = 1;
+        vht_oper_centr_freq_seg0_idx = channel + 6;
+        ieee80211n = 1;
+        ieee80211ac = 1;
+      } // wirelessConfig;
+    };
   };
 
   services.ntp = svc.ntp.build {
@@ -106,95 +96,6 @@ in rec {
 
   users.root = secrets.root;
 
-  services.dns =
-    let interface = services.int;
-    in svc.dnsmasq.build {
-      resolvconf = services.resolvconf;
-      inherit interface;
-      ranges = [
-        "${secrets.lan.prefix}.10,${secrets.lan.prefix}.240"
-        # ra-stateless: sends router advertisements with the O and A
-        # bits set, and provides a stateless DHCP service. The client
-        # will use a SLAAC address, and use DHCP for other
-        # configuration information.
-        "::,constructor:$(output ${interface} ifname),ra-stateless"
-      ];
-
-      # You can add static addresses for the DHCP server here.  I'm
-      # not putting my actual MAC addresses in a public git repo ...
-      hosts = { } // lib.optionalAttrs (builtins.pathExists ./static-leases.nix) (import ./static-leases.nix);
-      upstreams = [ "/${secrets.domainName}/" ];
-      domain = secrets.domainName;
-    };
-
-  services.wan = svc.pppoe.build {
-    interface = config.hardware.networkInterfaces.wan;
-    ppp-options = [
-      "debug" "+ipv6" "noauth"
-      "name" secrets.l2tp.name
-      "password" secrets.l2tp.password
-    ];
-  };
-
-  services.resolvconf = oneshot rec {
-    dependencies = [ services.wan ];
-    name = "resolvconf";
-    up = ''
-      . ${serviceFns}
-      ( in_outputs ${name}
-       echo "nameserver $(output ${services.wan} ns1)" > resolv.conf
-       echo "nameserver $(output ${services.wan} ns2)" >> resolv.conf
-       chmod 0444 resolv.conf
-      )
-    '';
-  };
-
-  filesystem =
-    let inherit (pkgs.pseudofile) dir symlink;
-    in dir {
-      etc = dir {
-        "resolv.conf" = symlink "${services.resolvconf}/.outputs/resolv.conf";
-      };
-    };
-
-  services.defaultroute4 = svc.network.route.build {
-    via = "$(output ${services.wan} address)";
-    target = "default";
-    dependencies = [ services.wan ];
-  };
-
-  services.defaultroute6 = svc.network.route.build {
-    via = "$(output ${services.wan} ipv6-peer-address)";
-    target = "default";
-    interface = services.wan;
-  };
-
-  services.firewall = svc.firewall.build {
-    ruleset =
-      let defaults = import ./demo-firewall.nix;
-      in lib.recursiveUpdate defaults secrets.firewallRules;
-  };
-
-  services.packet_forwarding = svc.network.forward.build { };
-
-  services.dhcp6c =
-    let client = svc.dhcp6c.client.build {
-          interface = services.wan;
-        };
-    in bundle {
-      name = "dhcp6c";
-      contents = [
-        (svc.dhcp6c.prefix.build {
-          inherit client;
-          interface = services.int;
-        })
-        (svc.dhcp6c.address.build {
-          inherit client;
-          interface = services.wan;
-        })
-      ];
-    };
-
   defaultProfile.packages = with pkgs; [
     min-collect-garbage
     nftables

examples/turris.nix

@@ -1,6 +1,5 @@
-{ config, pkgs, lib, lim, ... } :
+{ config, pkgs, lim, ... } :
 let
-  inherit (pkgs) serviceFns;
   svc = config.system.service;
 
 in rec {

modules/all-modules.nix

@@ -9,29 +9,29 @@
    ./busybox.nix
    ./dhcp6c
    ./dnsmasq
-   ./outputs/ext4fs.nix
    ./firewall
    ./hardware.nix
    ./hostapd
    ./hostname.nix
-   ./outputs/initramfs.nix
-   ./outputs/jffs2.nix
    ./kernel
-   ./outputs/kexecboot.nix
+   ./mdevd.nix
    ./mount
    ./network
    ./ntp
    ./outputs.nix
-   ./outputs/vmroot.nix
-   ./outputs/ubimage.nix
+   ./outputs/ext4fs.nix
+   ./outputs/initramfs.nix
+   ./outputs/jffs2.nix
+   ./outputs/kexecboot.nix
    ./outputs/mtdimage.nix
+   ./outputs/tftpboot.nix
+   ./outputs/ubifs.nix
+   ./outputs/ubimage.nix
+   ./outputs/vmroot.nix
    ./ppp
    ./ramdisk.nix
    ./squashfs.nix
    ./ssh
-   ./outputs/tftpboot.nix
-   ./outputs/ubifs.nix
-   ./ubinize.nix
    ./users.nix
    ./vlan
    ./watchdog

modules/arch/aarch64.nix

@@ -1,4 +1,4 @@
-{ lib, lim, pkgs, config, ...}:
+{ lim, pkgs, config, ...}:
 {
   config = {
     kernel.config = {

modules/arch/arm.nix

@@ -1,4 +1,4 @@
-{ lib, lim, pkgs, config, ...}:
+{ lim, pkgs, config, ...}:
 {
   config = {
     kernel.config = {

modules/arch/mips.nix

@@ -1,4 +1,4 @@
-{ lib, pkgs, config, lim, ...}:
+{ config, lim, ...}:
 {
   config = {
     kernel.config = {

modules/arch/mipseb.nix

@@ -1,4 +1,4 @@
-{ lib, pkgs, config, ...}:
+{ pkgs, config, ...}:
 {
   imports = [ ./mips.nix ];
   config = {

modules/arch/mipsel.nix

@@ -1,4 +1,4 @@
-{ lib, pkgs, config, ...}:
+{ config, ...}:
 {
   imports = [ ./mips.nix ];
   config = {

modules/base.nix

@@ -4,17 +4,12 @@
 
 { lib, pkgs, config, ...}:
 let
-  inherit (lib) mkEnableOption mkOption types isDerivation hasAttr ;
+  inherit (lib) mkOption types;
   inherit (pkgs.pseudofile) dir symlink;
-  inherit (pkgs.liminix.networking) address interface;
-  inherit (pkgs.liminix.services) bundle;
 
   type_service = pkgs.liminix.lib.types.service;
 
 in {
-  imports = [
-    ./kernel            # kernel is a separate module for doc purposes
-  ];
   options = {
     defaultProfile = {
       packages = mkOption {
@@ -29,6 +24,10 @@ in {
     services = mkOption {
       type = types.attrsOf type_service;
     };
+    system.callService = mkOption {
+      type = types.functionTo (types.functionTo types.anything);
+    };
+
     filesystem = mkOption {
       type = types.anything;
       description = ''
@@ -37,7 +36,7 @@ in {
       '';
       # internal = true;  # probably a good case to make this internal
     };
-    rootfsType =  mkOption {
+    rootfsType = mkOption {
       default = "squashfs";
       type = types.enum [
         "btrfs"
@@ -47,7 +46,7 @@ in {
         "ubifs"
       ];
     };
-    rootOptions =  mkOption {
+    rootOptions = mkOption {
       type = types.nullOr types.str;
       default = null;
     };
@@ -55,20 +54,29 @@ in {
     boot = {
       commandLine = mkOption {
         type = types.listOf types.nonEmptyStr;
-        default = [];
+        default = [ ];
         description = "Kernel command line";
       };
       commandLineDtbNode = mkOption {
-        type = types.enum [ "bootargs" "bootargs-override" ];
+        type = types.enum [
+          "bootargs"
+          "bootargs-override"
+        ];
         default = "bootargs";
         description = "Kernel command line's devicetree node";
       };
       imageType = mkOption {
-        type = types.enum [ "primary" "secondary" ];
+        type = types.enum [
+          "primary"
+          "secondary"
+        ];
         default = "primary";
       };
       imageFormat = mkOption {
-        type = types.enum ["fit" "uimage"];
+        type = types.enum [
+          "fit"
+          "uimage"
+        ];
         default = "uimage";
       };
       tftp = {
@@ -84,7 +92,7 @@ in {
         };
         # These names match the uboot environment variables. I reserve
         # the right to change them if I think of better ones.
-        ipaddr =  mkOption {
+        ipaddr = mkOption {
           type = types.str;
           description = ''
             Our IP address to use when creating scripts to
@@ -111,6 +119,29 @@ in {
       "fw_devlink=off"
     ] ++ lib.optional (config.rootOptions != null) "rootflags=${config.rootOptions}";
 
+    system.callService = path : parameters :
+      let
+        typeChecked = caller: type: value:
+          let
+            inherit (lib) types mergeDefinitions;
+            defs = [{ file = caller; inherit value; }];
+            type' = types.submodule { options = type; };
+          in (mergeDefinitions [] type' defs).mergedValue;
+        cp = lib.callPackageWith(pkgs // { svc = config.system.service; });
+        pkg = cp path {};
+        checkTypes = t : p : typeChecked (builtins.toString path) t p;
+      in {
+        inherit parameters;
+        build = { dependencies ? [], ... } @ args :
+          let
+            s = pkg (checkTypes parameters
+              (builtins.removeAttrs args ["dependencies"]));
+          in s.overrideAttrs (o: {
+            dependencies = dependencies ++ o.dependencies;
+            buildInputs = dependencies ++ o.buildInputs;
+          });
+      };
+
     users.root = {
       uid = 0; gid= 0; gecos = "Root of all evaluation";
       dir = "/home/root/";

modules/bridge/default.nix

@@ -10,10 +10,11 @@
 { lib, pkgs, config, ...}:
 let
   inherit (lib) mkOption types;
-  inherit (pkgs.liminix.services) oneshot;
   inherit (pkgs) liminix;
 in
 {
+  imports = [ ../ifwait ];
+
   options = {
     system.service.bridge = {
       primary = mkOption { type = liminix.lib.types.serviceDefn; };
@@ -27,7 +28,7 @@ in
         description = "bridge interface name to create";
       };
     };
-    members = liminix.callService ./members.nix {
+    members = config.system.callService ./members.nix {
       primary = mkOption {
         type = liminix.lib.types.interface;
         description = "primary bridge interface";
@@ -47,5 +48,5 @@ in
     # a better way to test for the existence of vlan config:
     # maybe the module should set an `enabled` attribute?
     BRIDGE_VLAN_FILTERING = "y";
-  };    
+  };
 }

modules/bridge/members.nix

@@ -1,23 +1,28 @@
 {
   liminix
 , ifwait
-, lib
+, svc
 }:
 { members, primary } :
 
 let
   inherit (liminix.networking) interface;
   inherit (liminix.services) bundle oneshot;
-  inherit (lib) mkOption types;
   addif = member :
-    oneshot {
-      name = "${primary.name}.member.${member.name}";
-      up = ''
-        dev=$(output ${member} ifname)
-        ${ifwait}/bin/ifwait $dev running && ip link set dev $dev master $(output ${primary} ifname)
-      '';
-      down = "ip link set dev $(output ${member} ifname) nomaster";
+    # how do we get sight of services from here? maybe we need to
+    # implement ifwait as a regualr derivation instead of a
+    # servicedefinition
+    svc.ifwait.build {
+      state = "running";
+      interface = member;
       dependencies = [ primary member ];
+      service = oneshot {
+        name = "${primary.name}.member.${member.name}";
+        up = ''
+          ip link set dev $(output ${member} ifname) master $(output ${primary} ifname)
+        '';
+        down = "ip link set dev $(output ${member} ifname) nomaster";
+      };
     };
 in bundle {
   name = "${primary.name}.members";

modules/bridge/primary.nix

@@ -1,12 +1,10 @@
 {
   liminix
-, ifwait
 , lib
 }:
 { ifname } :
 let
-  inherit (liminix.services) bundle oneshot;
-  inherit (lib) mkOption types;
+  inherit (liminix.services) oneshot;
 in oneshot rec {
   name = "${ifname}.link";
   up = ''

modules/busybox.nix

@@ -8,7 +8,7 @@
 
 { lib, pkgs, config, ...}:
 let
-  inherit (lib) mkOption mkEnableOption types mapAttrsToList;
+  inherit (lib) mkOption types mapAttrsToList;
   inherit (pkgs.pseudofile) dir symlink;
   inherit (lib.strings) toUpper;
 
@@ -85,10 +85,13 @@ in {
       };
     };
     filesystem = dir {
-      bin = dir ({
-        busybox = symlink "${busybox}/bin/busybox";
-        sh = symlink "${busybox}/bin/busybox";
-      } // makeLinks);
+      bin = dir (
+        {
+          busybox = symlink "${busybox}/bin/busybox";
+          sh = symlink "${busybox}/bin/busybox";
+        }
+        // makeLinks
+      );
     };
   };
 }

modules/cdc-ncm/default.nix

@@ -0,0 +1,31 @@
+{ config, pkgs, lib, ... }:
+let
+  inherit (pkgs) liminix;
+  inherit (lib) mkOption types;
+in {
+  imports = [
+    ../service-trigger
+  ];
+
+  options = {
+    system.service.wwan = mkOption {
+      type = liminix.lib.types.serviceDefn;
+    };
+  };
+  config = {
+    kernel.config = {
+      USB_NET_HUAWEI_CDC_NCM = "y";
+      USB_USBNET = "y";
+      USB_SERIAL = "y";
+      USB_SERIAL_OPTION = "y";
+    };
+
+    # https://www.0xf8.org/2017/01/flashing-a-huawei-e3372h-4g-lte-stick-from-hilink-to-stick-mode/
+    system.service.wwan = config.system.callService ./wwan.nix {
+      apn = mkOption { type = types.str; };
+      username = mkOption { type = types.str; };
+      password = mkOption { type = types.str; };
+      authType = mkOption { type = types.enum [ "pap" "chap" ]; };
+    };
+  };
+}

modules/cdc-ncm/wwan.nix

@@ -0,0 +1,67 @@
+{
+  liminix
+, usb-modeswitch
+, ppp
+, lib
+, svc
+, uevent-watch
+}:
+{ apn, username, password, authType }:
+let
+  inherit (liminix.services) oneshot;
+  authTypeNum = if authType == "pap" then "1" else "2";
+  chat = lib.escapeShellArgs [
+    # Your usb modem thing might present as a tty that you run PPP
+    # over, or as a network device ("ndis" or "ncm"). The latter
+    # kind is to be preferred, at least in principle, because it's
+    # faster.  This initialization sequence works for the Huawei
+    # E3372, and took much swearing: the error messages are *awful*
+    "" "AT"
+    "OK" "ATZ"
+    # create PDP context
+    "OK" "AT+CGDCONT=1,\"IP\",\"${apn}\""
+    # activate PDP context
+    "OK"  "AT+CGACT=1,1"
+    # setup username and password per requirements of sim provider.
+    # (caret is special to chat, so needs escaping in AT commands)
+    "OK"  "AT\\^AUTHDATA=1,${authTypeNum},\"\",\"${password}\",\"${username}\""
+    # start the thing (I am choosing to read this as "NDIS DialUP")
+    "OK" "AT\\^NDISDUP=1,1"
+    "OK"
+  ];
+  modeswitch = oneshot rec {
+    name = "modem-modeswitch";
+    controller = (svc.uevent-rule.build {
+      serviceName = name;
+      terms = { devtype = "usb_device"; product = "12d1/14fe/102"; };
+    });
+    up = ''
+      ${usb-modeswitch}/bin/usb_modeswitch -v 12d1 -p 14fe --huawei-new-mode
+    '';
+  };
+  atz = oneshot rec {
+    name = "modem-atz";
+    dependencies = [ modeswitch ];
+    controller = (svc.uevent-rule.build {
+      serviceName = name;
+      terms = {
+        subsystem = "tty";
+        attrs = {
+          idVendor = "12d1";
+          idProduct = "1506";
+        };
+      };
+      symlink = "/dev/modem";
+    });
+    up = ''
+      ls -l /dev/modem
+      test -L /dev/modem || exit 1
+      ${ppp}/bin/chat -s -v ${chat}  0<>/dev/modem 1>&0
+    '';
+    down = "${ppp}/bin/chat -v '' ATZ OK  0<>/dev/modem 1>&0";
+  };
+
+in svc.network.link.build {
+  ifname = "wwan0";
+  dependencies = [ atz ];
+}

modules/dhcp6c/acquire-delegated-prefix.nix

@@ -2,9 +2,9 @@
   writeFennel
 , linotify
 , anoia
-, lua
+, lualinux
 }:
 writeFennel "acquire-delegated-prefix" {
-  packages = [ linotify anoia lua.pkgs.luafilesystem ];
+  packages = [ linotify anoia lualinux ];
   mainFunction = "run";
 } ./acquire-delegated-prefix.fnl

modules/dhcp6c/acquire-wan-address-test.fnl

@@ -1,7 +1,8 @@
 (local subject (require :acquire-wan-address))
-(local { : view } (require :fennel))
+(import-macros { : expect= } :anoia.assert)
 (local { : merge : dup } (require :anoia))
 
+;; nix-shell --run "cd modules/dhcp6c && fennelrepl acquire-wan-address-test.fnl"
 
 (local a1
        {
@@ -47,19 +48,6 @@
         }
        )
 
-(macro expect [assertion]
-  (let [msg (.. "expectation failed: " (view assertion))]
-    `(when (not ,assertion)
-       (assert false ,msg))))
-
-(macro expect= [actual expected]
-  `(let [ve# (view ,expected)
-         va# (view ,actual)]
-     (when (not (= ve# va#))
-       (assert false
-               (.. "\nexpected " ve# "\ngot " va#)
-               ))))
-
 (fn first-address []
   (let [deleted
         (subject.deletions

modules/dhcp6c/acquire-wan-address.nix

@@ -2,9 +2,10 @@
   writeFennel
 , linotify
 , anoia
+, lualinux
 , lua
 }:
 writeFennel "acquire-wan-address" {
-  packages = [ linotify anoia lua.pkgs.luafilesystem ];
+  packages = [ linotify anoia lualinux ];
   mainFunction = "run";
 } ./acquire-wan-address.fnl

modules/dhcp6c/address.nix

@@ -1,12 +1,10 @@
 {
   liminix
-, lib
 , callPackage
 }:
 { client, interface } :
 let
   inherit (liminix.services) longrun;
-  inherit (lib) mkOption types;
   name = "dhcp6c.addr.${client.name}.${interface.name}";
   script = callPackage ./acquire-wan-address.nix {  };
 in longrun {

modules/dhcp6c/client.nix

@@ -1,13 +1,11 @@
 {
   liminix
-, lib
 , odhcp6c
 , odhcp-script
 }:
 { interface } :
 let
   inherit (liminix.services) longrun;
-  inherit (lib) mkOption types;
   name = "dhcp6c.${interface.name}";
 in longrun {
   inherit name;

modules/dhcp6c/default.nix

@@ -12,7 +12,6 @@
 { lib, pkgs, config, ...}:
 let
   inherit (lib) mkOption types;
-  inherit (pkgs.liminix.services) oneshot;
   inherit (pkgs) liminix;
 in
 {

modules/dhcp6c/prefix.nix

@@ -1,12 +1,10 @@
 {
   liminix
-, lib
 , callPackage
 }:
 { client, interface } :
 let
   inherit (liminix.services) longrun;
-  inherit (lib) mkOption types;
   name = "dhcp6c.prefix.${client.name}.${interface.name}";
   script = callPackage ./acquire-delegated-prefix.nix {  };
 in longrun {

modules/dnsmasq/service.nix

@@ -18,7 +18,7 @@ let
   name = "${interface.name}.dnsmasq";
   inherit (liminix.services) longrun;
   inherit (lib) concatStrings concatStringsSep mapAttrsToList;
-  hostOpt = name : { mac, v4, v6, leasetime } @ attrs:
+  hostOpt = name : { mac, v4, v6, leasetime }:
     let v6s = concatStrings (map (a : ",[${a}]") v6);
     in "--dhcp-host=${mac},${v4}${v6s},${name},${builtins.toString leasetime}";
 in

modules/firewall/default.nix

@@ -8,7 +8,6 @@
 let
   inherit (lib) mkOption types;
   inherit (pkgs) liminix;
-  inherit (pkgs.liminix.services) oneshot;
 
   kmodules = pkgs.kmodloader.override {
     inherit (config.system.outputs) kernel;
@@ -56,8 +55,14 @@ in
   config = {
     system.service.firewall =
       let svc = liminix.callService ./service.nix  {
-            ruleset = mkOption {
+            extraRules = mkOption {
+              type = types.attrsOf types.attrs;
+              description = "firewall ruleset";
+              default = {};
+            };
+            rules = mkOption {
               type = types.attrsOf types.attrs;   # we could usefully tighten this a bit :-)
+              default = import ./default-rules.nix;
               description = "firewall ruleset";
             };
           };
@@ -68,13 +73,17 @@ in
               };
           in svc.build args' ;
       };
-
+    programs.busybox.applets = [
+      "insmod" "rmmod"
+    ];
     kernel.config = {
       NETFILTER = "y";
       NETFILTER_ADVANCED = "y";
       NETFILTER_NETLINK = "m";
       NF_CONNTRACK = "m";
 
+      NETLINK_DIAG = "y";
+
       IP6_NF_IPTABLES=  "m";
       IP_NF_IPTABLES = "m";
       IP_NF_NAT = "m";

modules/firewall/service.nix

@@ -4,12 +4,10 @@
 , firewallgen
 , nftables
 }:
-{ ruleset }:
+{ rules, extraRules }:
 let
   inherit (liminix.services) oneshot;
-  inherit (liminix.lib) typeChecked;
-  inherit (lib) mkOption types;
-  script = firewallgen "firewall.nft" ruleset;
+  script = firewallgen "firewall.nft" (lib.recursiveUpdate rules extraRules);
 in oneshot {
   name = "firewall";
   up = script;

modules/hardware.nix

@@ -5,14 +5,13 @@
 ## you want to run on it, and would usually be set in the "device" file:
 ## :file:`devices/manuf-model/default.nix`
 
-
-{ lib, pkgs, config, ...}:
+{ lib, ... }:
 let
-  inherit (lib) mkEnableOption mkOption types isDerivation hasAttr ;
-in {
+  inherit (lib) mkOption types;
+in
+{
   options = {
-    boot = {
-    };
+    boot = { };
     hardware = {
       dts = {
         src = mkOption {
@@ -26,7 +25,7 @@ in {
           '';
         };
         includes = mkOption {
-          default = [];
+          default = [ ];
           description = "List of directories to search for DTS includes (.dtsi files)";
           type = types.listOf types.path;
         };

modules/hostapd/service.nix

@@ -8,8 +8,6 @@
 let
   inherit (liminix.services) longrun;
   inherit (lib) concatStringsSep mapAttrsToList;
-  inherit (liminix.lib) typeChecked;
-  inherit (lib) mkOption types;
 
   # This is not a friendly interface to configuring a wireless AP: it
   # just passes everything straight through to the hostapd config.

modules/ifwait/default.nix

@@ -0,0 +1,18 @@
+{ config, pkgs, lib, ... } :
+let
+  inherit (pkgs) liminix;
+  inherit (lib) mkOption types;
+in {
+  options.system.service.ifwait =
+    mkOption { type = liminix.lib.types.serviceDefn; };
+
+  config.system.service.ifwait = config.system.callService ./ifwait.nix {
+    state = mkOption { type = types.str; };
+    interface = mkOption {
+      type = liminix.lib.types.interface;
+    };
+    service = mkOption {
+      type = liminix.lib.types.service;
+    };
+  };
+}

modules/ifwait/ifwait.nix

@@ -0,0 +1,16 @@
+{ ifwait, liminix } :
+{
+  state
+, interface
+, service
+}:
+let
+  inherit (liminix.services) longrun;
+in longrun {
+  name = "ifwait.${interface.name}";
+  buildInputs = [ service ];
+  restart-on-upgrade = true;
+  run = ''
+    ${ifwait}/bin/ifwait -s ${service.name}  $(output ${interface} ifname) ${state}
+  '';
+}

modules/kernel/default.nix

@@ -5,14 +5,9 @@
 
 { lib, pkgs, config, ...}:
 let
-  inherit (lib) mkEnableOption mkOption types isDerivation hasAttr ;
-  inherit (pkgs.pseudofile) dir symlink;
-  inherit (pkgs.liminix.networking) address interface;
-  inherit (pkgs.liminix.services) bundle;
+  inherit (lib) mkOption types ;
   inherit (pkgs) liminix;
 
-  type_service = pkgs.liminix.lib.types.service;
-
   mergeConditionals = conf : conditions :
     # for each key in conditions, if it is present in conf
     # then merge the associated value into conf

modules/mdevd.nix

@@ -0,0 +1,30 @@
+{ config, pkgs, ...} :
+let inherit (pkgs.liminix.services) oneshot longrun;
+in {
+  config = {
+    services = rec {
+      mdevd = longrun {
+        name = "mdevd";
+        notification-fd = 3;
+        run = "${pkgs.mdevd}/bin/mdevd -D 3 -b 200000 -O4";
+      };
+      devout = longrun {
+        name = "devout";
+        notification-fd = 10;
+        run = "exec ${pkgs.devout}/bin/devout /run/devout.sock 4";
+      };
+      coldplug = oneshot {
+        name = "coldplug";
+        # would love to know what mdevd-coldplug/udevadm trigger does
+        # that this doesn't
+        up = ''
+          for i in $(find /sys -name uevent); do ( echo change > $i ) ; done
+        '';
+        dependencies = [
+          devout
+          mdevd
+        ];
+      };
+    };
+  };
+}

modules/mount/default.nix

@@ -7,11 +7,6 @@
 let
   inherit (lib) mkOption types;
   inherit (pkgs) liminix;
-  mkBoolOption = description : mkOption {
-    type = types.bool;
-    inherit description;
-    default = true;
-  };
 
 in {
   options = {
@@ -19,28 +14,39 @@ in {
       type = liminix.lib.types.serviceDefn;
     };
   };
-  config.system.service = {
-    mount = liminix.callService ./service.nix {
-      device = mkOption {
-        type = types.str;
-        example = "/dev/sda1";
-      };
-      mountpoint = mkOption {
-        type = types.str;
-        example = "/mnt/media";
-      };
-      options = mkOption {
-        type = types.listOf types.str;
-        default = [];
-        example = ["noatime" "ro" "sync"];
-      };
-      fstype = mkOption {
-        type = types.str;
-        default = "auto";
-        example = "vfat";
-      };
+  imports = [ ../mdevd.nix ../service-trigger ];
+  config.system.service.mount =
+    let svc = config.system.callService ./service.nix {
+          partlabel = mkOption {
+            type = types.str;
+            example = "my-usb-stick";
+          };
+          mountpoint = mkOption {
+            type = types.str;
+            example = "/mnt/media";
+          };
+          options = mkOption {
+            type = types.listOf types.str;
+            default = [];
+            example = ["noatime" "ro" "sync"];
+          };
+          fstype = mkOption {
+            type = types.str;
+            default = "auto";
+            example = "vfat";
+          };
+        };
+    in svc // {
+      build = args:
+        let args' = args // {
+              dependencies = (args.dependencies or []) ++ [
+                config.services.mdevd
+                config.services.devout
+              ];
+            };
+        in svc.build args' ;
     };
-  };
+
   config.programs.busybox  = {
     applets = ["blkid" "findfs"];
     options = {

modules/mount/service.nix

@@ -1,18 +1,27 @@
 {
   liminix
 , lib
+, svc
 }:
-{ device, mountpoint, options, fstype }:
+{ partlabel, mountpoint, options, fstype }:
 let
   inherit (liminix.services) oneshot;
+  device = "/dev/disk/by-partlabel/${partlabel}";
+  name = "mount.${lib.strings.sanitizeDerivationName (lib.escapeURL mountpoint)}";
+  options_string =
+    if options == [] then "" else "-o ${lib.concatStringsSep "," options}";
+  controller = svc.uevent-rule.build {
+    serviceName = name;
+    symlink = device;
+    terms = {
+      partname = partlabel;
+      devtype = "partition";
+    };
+  };
 in oneshot {
-  name = "mount.${lib.escapeURL mountpoint}";
-  up = ''
-    while ! findfs ${device}; do
-      echo waiting for device ${device}
-      sleep 1
-    done
-    mount -t ${fstype} -o ${lib.concatStringsSep "," options} ${device} ${mountpoint}
-  '';
+  inherit name;
+  timeout-up = 3600;
+  up = "mount -t ${fstype} ${options_string} ${device} ${mountpoint}";
   down = "umount ${mountpoint}";
+  inherit controller;
 }

modules/network/address.nix

@@ -1,6 +1,5 @@
 {
   liminix
-, ifwait
 , serviceFns
 , lib
 }:

modules/network/dhcpc.nix

@@ -17,7 +17,7 @@ let
         ip address replace $ip/$mask dev $interface
         (in_outputs ${name}
          for i in lease mask ip router siaddr dns serverid subnet opt53 interface ; do
-            printenv $i > $i
+            (printenv $i || true) > $i
          done)
     }
     case $action in
@@ -40,7 +40,7 @@ let
   '';
 in longrun {
   inherit name;
-  run = "/bin/udhcpc -f -i $(output ${interface} ifname) -x hostname:$(cat /proc/sys/kernel/hostname) -s ${script}";
+  run = "exec /bin/udhcpc -f -i $(output ${interface} ifname) -x hostname:$(cat /proc/sys/kernel/hostname) -s ${script}";
   notification-fd = 10;
   dependencies = [ interface ];
 }

modules/network/forward.nix

@@ -1,7 +1,5 @@
 {
   liminix
-, ifwait
-, serviceFns
 , lib
 }:
 { enableIPv4, enableIPv6 }:

modules/network/link.nix

@@ -1,7 +1,5 @@
 {
   liminix
-, ifwait
-, serviceFns
 , lib
 }:
 {
@@ -11,8 +9,7 @@
 # if devpath is supplied, we rename the interface at that
 # path to have the specified name.
 let
-  inherit (liminix.services) longrun oneshot;
-  inherit (lib) concatStringsSep;
+  inherit (liminix.services) oneshot;
   name = "${ifname}.link";
   rename = if devpath != null
            then ''

modules/network/route.nix

@@ -1,15 +1,15 @@
 {
   liminix
-, ifwait
-, serviceFns
 , lib
 }:
 { target, via, interface ? null, metric }:
 let
   inherit (liminix.services) oneshot;
   with_dev = if interface != null then "dev $(output ${interface} ifname)" else "";
+  target_hash = builtins.substring 0 12 (builtins.hashString "sha256" target);
+  via_hash = builtins.substring 0 12 (builtins.hashString "sha256" via);
 in oneshot {
-  name = "route-${target}-${builtins.substring 0 12 (builtins.hashString "sha256" "${via}-${if interface!=null then interface.name else ""}")}";
+  name = "route-${target_hash}-${builtins.substring 0 12 (builtins.hashString "sha256" "${via_hash}-${if interface!=null then interface.name else ""}")}";
   up = ''
     ip route add ${target} via ${via} metric ${toString metric} ${with_dev}
   '';

modules/ntp/service.nix

@@ -1,7 +1,6 @@
 {
   liminix
 , chrony
-, serviceFns
 , lib
 , writeText
 }:
@@ -9,10 +8,6 @@ params:
 let
   inherit (liminix.services) longrun;
   inherit (lib) concatStringsSep mapAttrsToList;
-  inherit (liminix.lib) typeChecked;
-  inherit (lib) mkOption types;
-
-  serverOpts = types.listOf types.str;
   configFile = p:
     (mapAttrsToList (name: opts: "server ${name} ${concatStringsSep "" opts}")
       p.servers)

modules/outputs.nix

@@ -1,12 +1,12 @@
 {
-  config
-, pkgs
-, lib
-, ...
+  config,
+  pkgs,
+  lib,
+  ...
 }:
 let
   inherit (lib) mkOption types concatStringsSep;
-  inherit (pkgs) liminix callPackage writeText;
+  inherit (pkgs) liminix writeText;
   o = config.system.outputs;
 in
 {
@@ -22,7 +22,7 @@ in
       # but only part of one.
       kernel = mkOption {
         type = types.package;
-        internal  = true;
+        internal = true;
         description = ''
           kernel
           ******
@@ -42,7 +42,7 @@ in
       };
       dtb = mkOption {
         type = types.package;
-        internal  = true;
+        internal = true;
         description = ''
           dtb
           ***
@@ -52,7 +52,7 @@ in
       };
       uimage = mkOption {
         type = types.package;
-        internal  = true;
+        internal = true;
         description = ''
           uimage
           ******
@@ -68,7 +68,7 @@ in
       };
       manifest = mkOption {
         type = types.package;
-        internal  = true;
+        internal = true;
         description = ''
           Debugging aid. JSON rendition of config.filesystem, on
           which can run "nix-store -q --tree" on it and find

modules/outputs/btrfs.nix

@@ -5,7 +5,7 @@
 , ...
 }:
 let
-  inherit (lib) mkIf mkOption types;
+  inherit (lib) mkIf;
   o = config.system.outputs;
 in
 {

modules/outputs/ext4fs.nix

@@ -5,7 +5,7 @@
 , ...
 }:
 let
-  inherit (lib) mkIf mkOption types;
+  inherit (lib) mkIf;
   o = config.system.outputs;
 in
 {

modules/outputs/initramfs.nix

@@ -6,7 +6,7 @@
 }:
 let
   inherit (lib) mkEnableOption mkOption mkIf types;
-  inherit (pkgs) runCommand callPackage writeText;
+  inherit (pkgs) runCommand;
 in
 {
   options = {

modules/outputs/jffs2.nix

@@ -5,7 +5,7 @@
 , ...
 }:
 let
-  inherit (lib) mkIf mkOption types;
+  inherit (lib) mkIf;
   o = config.system.outputs;
 in
 {

modules/outputs/kexecboot.nix

@@ -5,7 +5,7 @@
 , ...
 }:
 let
-  inherit (lib) mkOption mkForce types concatStringsSep;
+  inherit (lib) mkOption types concatStringsSep;
 in {
   imports = [ ../ramdisk.nix ];
   options.system.outputs = {
@@ -42,8 +42,7 @@ in {
 
       boot-sh =
         let
-          inherit (pkgs.lib.trivial) toHexString;
-          inherit (config.system.outputs) rootfs kernel;
+          inherit (config.system.outputs) rootfs;
           cmdline = concatStringsSep " " config.boot.commandLine;
         in
           pkgs.buildPackages.runCommand "boot.sh.sh" {

modules/outputs/mbrimage.nix

@@ -5,7 +5,7 @@
 , ...
 }:
 let
-  inherit (lib) mkOption types concatStringsSep;
+  inherit (lib) mkOption types;
   o = config.system.outputs;
   phram_address = lib.toHexString (config.hardware.ram.startAddress + 256 * 1024 * 1024);
 in {

modules/outputs/tftpboot.nix

@@ -58,7 +58,6 @@ in {
     system.outputs = rec {
       tftpboot =
         let
-          inherit (pkgs.lib.trivial) toHexString;
           o = config.system.outputs;
           image = let choices = {
             uimage = o.uimage;
@@ -122,7 +121,7 @@ in {
             fdtput -p -t lx dtb /reserved-memory/$node reg $ac_prefix $(hex $rootfsStart) $sz_prefix $(hex $rootfsSize)
 
             cmd="liminix ${cmdline} mtdparts=phram0:''${rootfsSize}(rootfs) phram.phram=phram0,''${rootfsStart},''${rootfsSize},${toString config.hardware.flash.eraseBlockSize} root=/dev/mtdblock0";
-            fdtput -t s dtb /chosen bootargs "$cmd"
+            fdtput -t s dtb /chosen ${config.boot.commandLineDtbNode} "$cmd"
 
             dtbSize=$(binsize ./dtb )
 

modules/outputs/tplink-safeloader.nix

@@ -5,7 +5,7 @@
 , ...
 }:
 let
-  inherit (lib) mkOption types concatStringsSep;
+  inherit (lib) mkOption types;
   o = config.system.outputs;
   cfg = config.tplink-safeloader;
 in {

modules/outputs/ubimage.nix

@@ -5,7 +5,7 @@
 , ...
 }:
 let
-  inherit (lib) mkIf mkEnableOption mkOption types concatStringsSep;
+  inherit (lib) mkIf mkOption types;
   cfg = config.boot.tftp;
   instructions = pkgs.writeText "env.scr" ''
     setenv serverip ${cfg.serverip}

modules/outputs/ubivolume.nix

@@ -5,7 +5,6 @@
 , ...
 }:
 let
-  inherit (pkgs) liminix;
   inherit (lib) mkIf mkOption types concatStringsSep optionalString;
 in
   {

modules/outputs/zyxel-nwa-fit.nix

@@ -5,7 +5,7 @@
 , ...
 }:
 let
-  inherit (lib) mkIf mkEnableOption mkOption types concatStringsSep;
+  inherit (lib) mkIf mkOption types;
   models = "6b e1 6f e1 ff ff ff ff ff ff";
 in {
   options.system.outputs = {

modules/ppp/default.nix

@@ -17,6 +17,9 @@ in {
     system.service.pppoe = mkOption {
       type = liminix.lib.types.serviceDefn;
     };
+    system.service.l2tp = mkOption {
+      type = liminix.lib.types.serviceDefn;
+    };
   };
   config = {
     system.service.pppoe = pkgs.liminix.callService ./pppoe.nix {
@@ -29,6 +32,16 @@ in {
         description = "options supplied on ppp command line";
       };
     };
+    system.service.l2tp = pkgs.liminix.callService ./l2tp.nix {
+      lns = mkOption {
+        type = types.str;
+        description = "hostname or address of the L2TP network server";
+      };
+      ppp-options = mkOption {
+        type = types.listOf types.str;
+        description = "options supplied on ppp command line";
+      };
+    };
     kernel = {
       config = {
         PPP = "y";
@@ -36,6 +49,8 @@ in {
         PPP_DEFLATE = "y";
         PPP_ASYNC = "y";
         PPP_SYNC_TTY = "y";
+        PPPOL2TP = "y";
+        L2TP = "y";
       };
     };
   };

modules/ppp/l2tp.nix

@@ -0,0 +1,59 @@
+{
+  liminix
+, writeAshScript
+, writeText
+, serviceFns
+, xl2tpd
+} :
+{ lns, ppp-options }:
+let
+  inherit (liminix.services) longrun;
+  name = "${lns}.l2tp";
+  ip-up = writeAshScript "ip-up" {} ''
+    . ${serviceFns} 
+    (in_outputs ${name}
+     echo $1 > ifname
+     echo $2 > tty
+     echo $3 > speed
+     echo $4 > address
+     echo $5 > peer-address
+     echo $DNS1 > ns1
+     echo $DNS2 > ns2
+    )
+    echo >/proc/self/fd/10
+  '';
+  ip6-up = writeAshScript "ip6-up" {} ''
+    . ${serviceFns} 
+    (in_outputs ${name}
+     echo $4 > ipv6-address
+     echo $5 > ipv6-peer-address
+    )
+    echo >/proc/self/fd/10
+  '';
+  ppp-options' = ppp-options ++ [
+    "ip-up-script" ip-up
+    "ipv6-up-script" ip6-up
+    "ipparam" name
+    "nodetach"
+    "usepeerdns"
+    "logfd" "2"
+  ];
+  conf = writeText "xl2tpd.conf" ''
+    [lac upstream]
+    lns = ${lns}
+    require authentication = no
+    pppoptfile = ${writeText "ppp-options" ppp-options'}
+    autodial = yes
+    redial = yes
+  '';
+  control = "/run/xl2tpd/control-${name}";
+in
+longrun {
+  inherit name;
+  run = ''
+    mkdir -p /run/xl2tpd
+    touch ${control}
+    exec ${xl2tpd}/bin/xl2tpd -D -p /run/xl2tpd/${name}.pid -c ${conf} -C ${control} 
+  '';
+  notification-fd = 10;
+}

modules/profiles/gateway.nix

@@ -0,0 +1,178 @@
+{ config, pkgs, lib, ... } :
+let
+  svc = config.system.service;
+  cfg = config.profile.gateway;
+  inherit (lib) mkOption mkEnableOption mkIf types;
+  inherit (pkgs) liminix serviceFns;
+  inherit (liminix.services) bundle oneshot;
+  hostaps =
+    let
+      defaults = {
+        auth_algs = 1; # 1=wpa2, 2=wep, 3=both
+        wpa = 2; # 1=wpa, 2=wpa2, 3=both
+        wpa_key_mgmt = "WPA-PSK";
+        wpa_pairwise = "TKIP CCMP"; # auth for wpa (may not need this?)
+        rsn_pairwise = "CCMP"; # auth for wpa2
+      };
+    in lib.mapAttrs'
+      (name : value :
+        let
+          attrs = defaults // { ssid = name; } // value;
+        in lib.nameValuePair
+          "hostap-${name}"
+          (svc.hostapd.build {
+            interface = attrs.interface;
+            params = lib.filterAttrs (k: v: k != "interface") attrs;
+          }))
+      cfg.wireless.networks;
+in {
+
+  options.profile.gateway = {
+    lan = {
+      interfaces = mkOption {
+        type = types.listOf liminix.lib.types.interface;
+        default = [];
+      };
+      address = mkOption {
+        type = types.attrs;
+      };
+      prefix = mkOption { type = types.str; };
+      dhcp = {
+        start = mkOption { type = types.int; };
+        end = mkOption { type = types.int; };
+        hosts = mkOption { type = types.attrs; };
+        localDomain = mkOption { type = types.str; };
+      };
+    };
+
+    firewall = {
+      enable = mkEnableOption "firewall";
+      rules = mkOption { type = types.attrsOf types.attrs; };
+    };
+
+    wan = {
+      interface = mkOption { type = liminix.lib.types.interface; };
+      username = mkOption { type = types.str; };
+      password =  mkOption { type = types.str; };
+      dhcp6.enable = mkOption { type = types.bool; };
+    };
+
+    wireless = mkOption {
+      type = types.attrsOf types.anything;
+    };
+  };
+
+  imports = [
+    ../wlan.nix
+    ../network
+    ../ppp
+    ../dnsmasq
+    ../dhcp6c
+    ../firewall
+    ../hostapd
+    ../bridge
+    ../ntp
+    ../ssh
+    { config.services = hostaps; }
+  ];
+
+  config = {
+    services.int = svc.network.address.build ({
+      interface = svc.bridge.primary.build { ifname = "int"; };
+    } // cfg.lan.address);
+
+    services.bridge =  svc.bridge.members.build {
+      primary = config.services.int;
+      members = cfg.lan.interfaces;
+    };
+
+    services.wan = svc.pppoe.build {
+      inherit (cfg.wan) interface;
+      ppp-options = [
+        "debug" "+ipv6" "noauth"
+        "name" cfg.wan.username
+        "password" cfg.wan.password
+      ];
+    };
+
+    services.packet_forwarding = svc.network.forward.build { };
+
+    services.dhcp6c =
+      let
+        client = svc.dhcp6c.client.build {
+          interface = config.services.wan;
+        };
+        bundl = bundle {
+          name = "dhcp6c";
+          contents = [
+            (svc.dhcp6c.prefix.build {
+              inherit client;
+              interface = config.services.int;
+            })
+            (svc.dhcp6c.address.build {
+              inherit client;
+              interface = config.services.wan;
+            })
+          ];
+        };
+      in mkIf cfg.wan.dhcp6.enable bundl;
+
+    services.dns =
+      let interface = config.services.int;
+          dcfg = cfg.lan.dhcp;
+      in svc.dnsmasq.build {
+        resolvconf = config.services.resolvconf;
+        inherit interface;
+        ranges = [
+          "${cfg.lan.prefix}.${toString dcfg.start},${cfg.lan.prefix}.${toString dcfg.end}"
+          # ra-stateless: sends router advertisements with the O and A
+          # bits set, and provides a stateless DHCP service. The client
+          # will use a SLAAC address, and use DHCP for other
+          # configuration information.
+          "::,constructor:$(output ${interface} ifname),ra-stateless"
+        ];
+
+        hosts = dcfg.hosts;
+        upstreams = [ "/${dcfg.localDomain}/" ];
+        domain = dcfg.localDomain;
+      };
+
+    services.defaultroute4 = svc.network.route.build {
+      via = "$(output ${config.services.wan} address)";
+      target = "default";
+      dependencies = [ config.services.wan ];
+    };
+
+    services.defaultroute6 = svc.network.route.build {
+      via = "$(output ${config.services.wan} ipv6-peer-address)";
+      target = "default";
+      interface = config.services.wan;
+    };
+
+    services.firewall = mkIf cfg.firewall.enable
+      (svc.firewall.build {
+        extraRules = cfg.firewall.rules;
+      });
+
+    services.resolvconf = oneshot rec {
+      dependencies = [ config.services.wan ];
+      name = "resolvconf";
+      up = ''
+        . ${serviceFns}
+        ( in_outputs ${name}
+         echo "nameserver $(output ${config.services.wan} ns1)" > resolv.conf
+         echo "nameserver $(output ${config.services.wan} ns2)" >> resolv.conf
+         chmod 0444 resolv.conf
+        )
+      '';
+    };
+
+    filesystem =
+      let inherit (pkgs.pseudofile) dir symlink;
+      in dir {
+        etc = dir {
+          "resolv.conf" = symlink "${config.services.resolvconf}/.outputs/resolv.conf";
+        };
+      };
+  };
+ }

modules/profiles/wap.nix

@@ -5,9 +5,9 @@
   ...
 }: let
   inherit (pkgs) liminix;
-  inherit (lib) mkEnableOption mkOption types isDerivation hasAttr ;
+  inherit (lib) mkOption types ;
 
-  inherit (pkgs.liminix.services) oneshot longrun bundle target;
+  inherit (pkgs.liminix.services) oneshot target;
   inherit (pkgs.pseudofile) dir symlink;
   inherit (pkgs) serviceFns;
   svc = config.system.service;
@@ -40,7 +40,6 @@ in {
     ../network
     ../hostapd
     ../bridge
-    ../ssh
     { config.services = hostaps; }
   ];
 
@@ -54,7 +53,6 @@ in {
     };
   };
   config = {
-    services.sshd = svc.ssh.build {};
 
     services.int = svc.bridge.primary.build {
       ifname = "int";

modules/ramdisk.nix

@@ -1,11 +1,6 @@
-{
-  config
-, pkgs
-, lib
-, ...
-}:
+{ config, lib, ... }:
 let
-  inherit (lib) mkIf mkEnableOption mkOption; # types concatStringsSep;
+  inherit (lib) mkIf mkEnableOption; # types concatStringsSep;
 in {
   options = {
     boot = {

modules/s6/default.nix

@@ -1,4 +1,4 @@
-{ config, pkgs, ... }:
+{ config, pkgs, lib, ... }:
 let
   inherit (pkgs)
     execline
@@ -6,14 +6,50 @@ let
     s6-init-bin
     s6-linux-init
     stdenvNoCC;
+  inherit (lib.lists) unique concatMap;
   inherit (pkgs.pseudofile) dir symlink;
-  inherit (pkgs.liminix.services) bundle;
+  inherit (pkgs.liminix.services) oneshot bundle;
 
   s6-rc-db =
     let
+      # In the default bundle we need to have all the services
+      # in config.services except for controlled services and
+      # anything that depends on one. But we do need the controllers
+      # themselves.
+
+      # So, find all required services and their transitive
+      # dependencies and their controllers. remove all controlled
+      # services and all services that have a controlled service as
+      # dependency
+
+      isControlled = s : s ? controller && s.controller != null;
+      deps = s : s.dependencies ++
+                 lib.optional (isControlled s) s.controller;
+      flatDeps = s : [s] ++ concatMap flatDeps (deps s);
+      allServices = unique (concatMap flatDeps (builtins.attrValues config.services));
+      isDependentOnControlled = s :
+        isControlled s ||
+        (lib.lists.any isDependentOnControlled s.dependencies);
+
+      # all controlled services depend on this oneshot, which
+      # makes a list of them so we can identify them at runtime
+      controlled = oneshot {
+        name = "controlled";
+        up = ''
+          mkdir -p /run/services/controlled
+          for s in $(s6-rc-db -d dependencies controlled); do
+            touch /run/services/controlled/$s
+          done
+        '';
+        down = "rm -r /run/services/controlled";
+      };
+
+      defaultStart =
+        builtins.filter
+          (s: !(isDependentOnControlled s)) allServices;
       defaultDefaultTarget = bundle {
         name = "default";
-        contents = builtins.attrValues config.services;
+        contents = defaultStart ++ [controlled];
       };
       servicesAttrs = {
         default = defaultDefaultTarget;

modules/s6/scripts/rc.init

@@ -34,7 +34,7 @@ fi
 
 ### If your services are managed by s6-rc:
 ### (replace /run/service with your scandir)
-s6-rc-init /run/service -d -c /etc/s6-rc/compiled
+s6-rc-init -d -c /etc/s6-rc/compiled /run/service
 
 
 ### 2. Starting the wanted set of services

modules/schnapps/default.nix

@@ -1,4 +1,4 @@
-{ config, pkgs, lib, ... } :
+{ config, pkgs, ... } :
 {
   config = {
     programs.busybox = {

modules/service-trigger/default.nix

@@ -0,0 +1,37 @@
+# this is unlikely to be the final form or location of this code, it's
+# an interim module which wraps the uevent-watch command
+
+{ lib, pkgs, config, ... }:
+let
+  inherit (lib) mkOption types;
+  inherit (pkgs) liminix;
+#  inherit (pkgs.liminix.services) bundle;
+in {
+  options = {
+    system.service.uevent-rule = mkOption {
+      description = "a service which starts other services based on device state (sysfs)";
+      type = liminix.lib.types.serviceDefn;
+    };
+  };
+  config = {
+    system.service.uevent-rule = liminix.callService ./rule.nix {
+      serviceName = mkOption {
+        description = "name of the service to run when the rule matches";
+        type = types.str;
+      };
+      terms = mkOption {
+        type = types.attrs;
+        example = {
+          devtype = "usb_device";
+          attrs.idVendor = "8086";
+        };
+        default = {};
+      };
+      symlink = mkOption {
+        description = "create symlink targeted on devpath";
+        type = types.nullOr types.str;
+        default = null;
+      };
+    };
+  };
+}

modules/service-trigger/rule.nix

@@ -0,0 +1,23 @@
+{
+  liminix
+, uevent-watch
+, lib }:
+{
+  serviceName, terms, symlink
+}:
+let
+  inherit (liminix.services) longrun;
+  inherit (lib.attrsets) collect mapAttrsRecursive;
+  inherit (lib.strings) concatStringsSep;
+  stringify = attrs :
+    concatStringsSep " "
+      (collect lib.isString
+        (mapAttrsRecursive
+          (path : value : "${concatStringsSep "." path}=${value}")
+          attrs));
+  termsString = stringify terms;
+in longrun {
+  name = "watch-for-${serviceName}";
+  restart-on-upgrade = true;
+  run = "${uevent-watch}/bin/uevent-watch ${if symlink != null then "-n ${symlink}" else ""} -s ${serviceName} ${termsString}";
+}

modules/squashfs.nix

@@ -1,8 +1,8 @@
 {
-  config
-, pkgs
-, lib
-, ...
+  config,
+  pkgs,
+  lib,
+  ...
 }:
 let
   inherit (pkgs) liminix;

modules/ssh/ssh.nix

@@ -1,7 +1,6 @@
 {
   liminix
 , dropbear
-, serviceFns
 , lib
 }:
 p :

modules/usb.nix

@@ -1,7 +1,7 @@
 # support for USB block devices and the common filesystems
 # they're likely to provide
 
-{lib, config, ... }:
+{ config, ... }:
 {
   kernel = {
     config = {
@@ -24,8 +24,6 @@
       EXT4_FS = "y";
       EXT4_USE_FOR_EXT2 = "y";
       FS_ENCRYPTION = "y";
-
-
     };
   };
 }

modules/users.nix

@@ -16,11 +16,17 @@ let
   inherit (lib)
     concatStrings concatStringsSep mapAttrsToList mkOption types;
   inherit (builtins) toString;
-  inherit (pkgs.pseudofile) dir symlink;
-  passwd-file  =
-    let lines =  mapAttrsToList (name: u: "${name}:${if u ? passwd  then u.passwd else "!!"}:${toString u.uid}:${toString u.gid}:${u.gecos}:${u.dir}:${u.shell}\n" )
-      config.users;
-    in concatStrings lines;
+  inherit (pkgs.pseudofile) dir;
+  passwd-file =
+    let
+      lines = mapAttrsToList (
+        name: u:
+        "${name}:${
+          if u ? passwd then u.passwd else "!!"
+        }:${toString u.uid}:${toString u.gid}:${u.gecos}:${u.dir}:${u.shell}\n"
+      ) config.users;
+    in
+    concatStrings lines;
   group-file =
     let lines = mapAttrsToList
       (name: {gid, usernames ? []}:

modules/vlan/default.nix

@@ -13,7 +13,6 @@
 { lib, pkgs, config, ...}:
 let
   inherit (lib) mkOption types;
-  inherit (pkgs.liminix.services) oneshot;
   inherit (pkgs) liminix;
 in
 {

modules/vlan/service.nix

@@ -15,4 +15,5 @@ in oneshot rec {
     )
   '';
   down = "ip link set down dev ${ifname}";
+  dependencies = [ primary ];
 }

modules/watchdog/watchdog.nix

@@ -1,6 +1,7 @@
 {
   liminix
 , lib
+, s6
 }:
 { watched, headStart } :
 let
@@ -8,5 +9,5 @@ let
 in longrun {
   name = "watchdog";
   run =
-    "HEADSTART=${toString headStart} ${./gaspode.sh} ${lib.concatStringsSep " " (builtins.map (s: s.name) watched)}";
+    "PATH=${s6}/bin:$PATH HEADSTART=${toString headStart} ${./gaspode.sh} ${lib.concatStringsSep " " (builtins.map (s: s.name) watched)}";
 }

modules/wlan.nix

@@ -1,11 +1,10 @@
 { lib, pkgs, config, ...}:
 let
-  inherit (lib) mkEnableOption mkOption types isDerivation hasAttr ;
   inherit (pkgs.pseudofile) dir symlink;
   inherit (pkgs) stdenv wireless-regdb;
   regulatory = stdenv.mkDerivation {
     name = "regulatory.db";
-    phases = ["installPhase"];
+    phases = [ "installPhase" ];
     installPhase = ''
       mkdir -p $out
       cp ${wireless-regdb}/lib/firmware/regulatory.db $out/

overlay.nix

@@ -46,7 +46,7 @@ in
 extraPkgs // {
   # liminix library functions
   lim = {
-    parseInt = s : (builtins.fromTOML "r=${s}").r;
+    parseInt = s: (builtins.fromTOML "r=${s}").r;
   };
 
   # keep these alphabetical
@@ -74,9 +74,24 @@ extraPkgs // {
       # should texinfo be in nativeBuildInputs instead of
       # buildInputs?
       texinfo = null;
-
     };
 
+  # luarocks wants a cross-compiled cmake (which seems like a bug,
+  # we're never going to run luarocks on the device, but ...)
+  # but https://github.com/NixOS/nixpkgs/issues/284734
+  # so we do surgery on the cmake derivation until that's fixed
+
+  cmake = prev.cmake.overrideAttrs(o:
+    # don't override the build cmake or we'll have to rebuild
+    # half the known universe to no useful benefit
+    if final.stdenv.buildPlatform != final.stdenv.hostPlatform
+    then {
+      preConfigure =
+        builtins.replaceStrings
+          ["$configureFlags"] ["$configureFlags $cmakeFlags"] o.preConfigure;
+    }
+    else {}
+  );
 
   dnsmasq =
     let d =  prev.dnsmasq.overrideAttrs(o: {
@@ -170,9 +185,12 @@ extraPkgs // {
     # done. Do it the ugly way..
     postPatch =
       o.postPatch
-      + (with final;
-        lib.optionalString (stdenv.buildPlatform != stdenv.hostPlatform)
-          "\nsed -i.bak 's/linux.*-mips/linux-mops/' Configure\n");
+      + (
+        with final;
+        lib.optionalString (
+          stdenv.buildPlatform != stdenv.hostPlatform
+        ) "\nsed -i.bak 's/linux.*-mips/linux-mops/' Configure\n"
+      );
   });
 
   pppBuild = prev.ppp;
@@ -184,13 +202,12 @@ extraPkgs // {
   }); in q.override { nixosTestRunner = true; sdlSupport = false; };
 
   rsyncSmall =
-    let r = prev.rsync.overrideAttrs(o: {
-          configureFlags = o.configureFlags ++ [
-            "--disable-openssl"
-          ];
-        });
-    in r.override { openssl = null; };
-
+    let
+      r = prev.rsync.overrideAttrs (o: {
+        configureFlags = o.configureFlags ++ [ "--disable-openssl" ];
+      });
+    in
+    r.override { openssl = null; };
 
   inherit s6;
   s6-linux-init = prev.s6-linux-init.override {
@@ -208,14 +225,14 @@ extraPkgs // {
 
   ubootQemuAarch64 = final.buildUBoot {
     defconfig = "qemu_arm64_defconfig";
-    extraMeta.platforms = ["aarch64-linux"];
-    filesToInstall = ["u-boot.bin"];
+    extraMeta.platforms = [ "aarch64-linux" ];
+    filesToInstall = [ "u-boot.bin" ];
   };
 
   ubootQemuArm = final.buildUBoot {
     defconfig = "qemu_arm_defconfig";
-    extraMeta.platforms = ["armv7l-linux"];
-    filesToInstall = ["u-boot.bin"];
+    extraMeta.platforms = [ "armv7l-linux" ];
+    filesToInstall = [ "u-boot.bin" ];
     extraConfig = ''
       CONFIG_CMD_UBI=y
       CONFIG_CMD_UBIFS=y
@@ -229,8 +246,8 @@ extraPkgs // {
 
   ubootQemuMips = final.buildUBoot {
     defconfig = "malta_defconfig";
-    extraMeta.platforms = ["mips-linux"];
-    filesToInstall = ["u-boot.bin"];
+    extraMeta.platforms = [ "mips-linux" ];
+    filesToInstall = [ "u-boot.bin" ];
     # define the prompt to be the same as arm{32,64} so
     # we can use the same expect script for both
     extraPatches = [ ./pkgs/u-boot/0002-virtio-init-for-malta.patch ];
@@ -252,9 +269,20 @@ extraPkgs // {
       CONFIG_MIPS_BOOT_FDT=y
       CONFIG_OF_LIBFDT=y
       CONFIG_OF_STDOUT_VIA_ALIAS=y
-   '';
+    '';
   };
 
+  libusb1 =
+    let u = prev.libusb1.overrideAttrs(o: {
+          # don't use gcc libatomic because it vastly increases the
+          # closure size
+          preConfigure = "sed -i.bak /__atomic_fetch_add_4/c\: configure.ac";
+        });
+    in u.override {
+      enableUdev = final.stdenv.buildPlatform == final.stdenv.hostPlatform;
+      withDocs = false;
+    };
+
   util-linux-small = prev.util-linux.override {
     ncursesSupport = false;
     pamSupport = false;
@@ -263,5 +291,4 @@ extraPkgs // {
     translateManpages = false;
     capabilitiesSupport = false;
   };
-
 }