raboof/liminix
1
0
Fork 0
forked from dan/liminix
Code Pull Requests Activity

Compare commits

base: raboof:main
Branches Tags
raboof:main
raboof:openwrt-one
raboof:typo
raboof:tftpboot-fit
raboof:linux-version-with-openwrt
raboof:tp-archer-c7
raboof:archer-wired-extender
raboof:add-archer-ax23-v1-bak
raboof:tftp-old-uboot
raboof:add-archer-ax23-v1
raboof:openwrt-update-to-v23.05.2
raboof:hardware-recommendations
raboof:armv7
raboof:hark-how-all-the-belkin-rings
raboof:first-do-no-arm
raboof:doc-do-over
raboof:module-based-network
dan:v1.0.0
..
compare: raboof:module-based-network
Branches Tags
raboof:openwrt-one
raboof:typo
raboof:tftpboot-fit
raboof:linux-version-with-openwrt
raboof:tp-archer-c7
raboof:archer-wired-extender
raboof:add-archer-ax23-v1-bak
raboof:tftp-old-uboot
raboof:add-archer-ax23-v1
raboof:openwrt-update-to-v23.05.2
raboof:hardware-recommendations
raboof:main
raboof:armv7
raboof:hark-how-all-the-belkin-rings
raboof:first-do-no-arm
raboof:doc-do-over
raboof:module-based-network
dan:main
dan:nftables-turned
dan:firescape
dan:runciter
dan:wip-pstore-tls
dan:fallover
dan:lte
dan:gateway-profile
dan:tftpboot-append-dtb
dan:mainline-omnia-wip
dan:armv7
dan:hark-how-all-the-belkin-rings
dan:first-do-no-arm
dan:doc-do-over
dan:module-based-network
dan:v1.0.0

11 Commits
main ... module-bas

Author SHA1 Message Date
Daniel Barlow
b326b685de add o+x permission on service-state directories 
this is needed for resolvconf, which writes resolv.conf as
an output and wants to make it world-readable
 2023-08-28 20:53:45 +01:00
Daniel Barlow
d7209f33c8 TODO comments 2023-08-28 18:24:14 +01:00
Daniel Barlow
999a11f89c pppoe serviceFns 2023-08-28 18:23:48 +01:00
Daniel Barlow
27c9bd9707 rotuer: create resolv.conf 2023-08-28 18:23:32 +01:00
Daniel Barlow
540d2fcf87 default value for services.default 
as a default default target, start all the services
 2023-08-28 18:22:36 +01:00
Daniel Barlow
d1fea06959 update examples so they build again 2023-08-28 16:08:46 +01:00
Daniel Barlow
5e37f2b99a add service fir dhcp v4 client 2023-08-28 15:10:53 +01:00
Daniel Barlow
d83f8716ea convert network link/address to module-based-service 
... and make bridge use it.

We also had to convert bridge back into a pair of services.
Downstreams want to depend on the bridge it self being configured
even if not necessarily all the members are up. e.g. don't want
to break ssh on lan if there's a misconfigured wlan device
 2023-08-28 09:01:07 +01:00
Daniel Barlow
83c451dd8f extract common "interface up" code to a string 
so that bridge service can use it
 2023-08-28 09:01:07 +01:00
Daniel Barlow
fbec31be79 more thoughts 2023-08-28 09:01:07 +01:00
Daniel Barlow
6ae062f5e4 remove interface.device 
build-time uses can mostly be replaced with interface.name

for runtime uses, switch to $(output ${interface} name)
 2023-08-28 09:01:07 +01:00
182 changed files with 1849 additions and 7600 deletions
Show Stats Expand all files Collapse all files

1
.gitignore vendored
View File

@ -5,4 +5,3 @@ result-*
*.qcow2
_build
*-secrets.nix
examples/static-leases.nix

27
NEWS
View File

@ -1,27 +0,0 @@
A brief guide to backward-incompatible changes
that are likely to break configurations or workflows
2023-07-13
* a significant re-arrangement of modules and services, which will
probably break any configuration written before this time. For a
detailed explanation, see
https://www.liminix.org/doc/configuration.html#modules
2023-12-10
* configurations (usually) need no longer import modules from
modules/outputs because devices are expected to do this instead. This
change is because the outputs that make sense in any given context are
usually a property of the device being installed onto.
2023-12-11
* rename outputs.flashimage to outputs.mtdimage (and also diskimage to
mbrimage). This change is made in the expectation that "fooimage" is
the name of an outputs that gloms together other filesystem-like
outputs with some kind of partition table - so we might in future have
gptimage or lvmimage or ubimage.

20
README.md
View File

@ -18,14 +18,22 @@ outside word goes across it.
Liminix is pre-1.0. We are still finding new and better ways to do things,
and there is no attempt to maintain backward compatibility with the old
ways.
ways. This will change when it settles down.
The [NEWS](NEWS) file (available wherever you found this README) is
a high-level overview of breaking changes.
_In general:_ development mostly happens on the `main` branch, which is
therefore not guaranteed to build or to work on every commit. For the
latest functioning version, see [the CI system](https://build.liminix.org/jobset/liminix/build) and pick a revision with all jobs green.
Development mostly happens on the `main` branch, which is therefore
not guaranteed to build or to work on every commit. For the latest
functioning version, see [the CI system](https://build.liminix.org/jobset/liminix/build) and pick a revision with all jobs green.
_In particular:_ as of July 2023, a significant re-arrangement of
modules and services is ongoing:
* if you are using out-of-tree configurations created before commit
2e50368, especially if they reference things under pkgs.liminix,
they will need updating. Look at changes to examples/rotuer.nix
for guidance
* the same is intermittently true for examples/{extensino,arhcive}.nix
where I've updated rotuer and not updated them to match.
## Documentation

1644
THOUGHTS.txt
View File

File diff suppressed because it is too large Load Diff

18
bordervm-configuration.nix
View File

@ -99,16 +99,14 @@ in {
};
};
};
environment.systemPackages =
let wireshark-nogui = pkgs.wireshark.override { withQt = false ; };
in with pkgs; [
tcpdump
wireshark-nogui
socat
tufted
iptables
usbutils
];
environment.systemPackages = with pkgs; [
tcpdump
wireshark
socat
tufted
iptables
usbutils
];
security.sudo.wheelNeedsPassword = false;
networking = {
hostName = "border";

64
ci.nix
View File

@ -8,10 +8,7 @@ let
pkgs = (import nixpkgs {});
borderVmConf = ./bordervm.conf-example.nix;
inherit (pkgs.lib.attrsets) genAttrs;
devices = [
"gl-ar750" "gl-mt300n-v2" "gl-mt300a"
"qemu" "qemu-aarch64" "qemu-armv7l"
];
devices = [ "qemu" "gl-ar750" "gl-mt300n-v2" "gl-mt300a" ];
vanilla = ./vanilla-configuration.nix;
for-device = name:
(import liminix {
@ -21,50 +18,33 @@ let
}).outputs.default;
tests = import ./tests/ci.nix;
jobs =
(genAttrs devices for-device) //
(genAttrs devices (name: for-device name)) //
tests //
{
buildEnv = (import liminix {
inherit nixpkgs borderVmConf;
inherit nixpkgs borderVmConf;
device = import (liminix + "/devices/qemu");
liminix-config = vanilla;
}).buildEnv;
doc =
let json =
(import liminix {
inherit nixpkgs borderVmConf;
device = import (liminix + "/devices/qemu");
liminix-config = {...} : {
imports = [ ./modules/all-modules.nix ];
};
}).outputs.optionsJson;
installers = map (f: "system.outputs.${f}") [
"vmroot"
"mtdimage"
"ubimage"
];
inherit (pkgs.lib) concatStringsSep;
in pkgs.stdenv.mkDerivation {
name = "liminix-doc";
nativeBuildInputs = with pkgs; [
gnumake sphinx fennel luaPackages.lyaml
];
src = ./.;
buildPhase = ''
cat ${json} | fennel --correlate doc/parse-options.fnl > doc/modules-generated.rst
cat ${json} | fennel --correlate doc/parse-options-outputs.fnl > doc/outputs-generated.rst
cp ${(import ./doc/hardware.nix)} doc/hardware.rst
make -C doc html
'';
installPhase = ''
mkdir -p $out/nix-support $out/share/doc/
cd doc
cp *-generated.rst $out
ln -s ${json} $out/options.json
cp -a _build/html $out/share/doc/liminix
echo "file source-dist \"$out/share/doc/liminix\"" \
> $out/nix-support/hydra-build-products
'';
doc = pkgs.stdenv.mkDerivation {
name = "liminix-doc";
nativeBuildInputs = with pkgs; [
gnumake sphinx
fennel luaPackages.lyaml
];
src = ./doc;
buildPhase = ''
cat ${(import ./doc/extract-options.nix).doc} > options.json
cat options.json | fennel --correlate parse-options.fnl > modules.rst
make html
'';
installPhase = ''
mkdir -p $out/nix-support $out/share/doc/
cp modules.rst options.json $out
cp -a _build/html $out/share/doc/liminix
echo "file source-dist \"$out/share/doc/liminix\"" \
> $out/nix-support/hydra-build-products
'';
};
with-unstable = (import liminix {
nixpkgs = unstable;

16
default.nix
View File

@ -13,14 +13,13 @@ let
allowUnsupportedSystem = true; # mipsel
permittedInsecurePackages = [
"python-2.7.18.6" # kernel backports needs python <3
"python-2.7.18.7"
];
};
});
eval = pkgs.lib.evalModules {
config = (pkgs.lib.evalModules {
modules = [
{ _module.args = { inherit pkgs; inherit (pkgs) lim; }; }
{ _module.args = { inherit pkgs; lib = pkgs.lib; }; }
./modules/hardware.nix
./modules/base.nix
./modules/busybox.nix
@ -31,8 +30,7 @@ let
./modules/users.nix
./modules/outputs.nix
];
};
config = eval.config;
}).config;
borderVm = ((import <nixpkgs/nixos/lib/eval-config.nix>) {
system = builtins.currentSystem;
@ -45,12 +43,6 @@ let
in {
outputs = config.system.outputs // {
default = config.system.outputs.${config.hardware.defaultOutput};
optionsJson =
let o = import ./doc/extract-options.nix {
inherit pkgs eval;
lib = pkgs.lib;
};
in pkgs.writeText "options.json" (builtins.toJSON o);
};
# this is just here as a convenience, so that we can get a
@ -62,7 +54,7 @@ in {
tufted
routeros.routeros
routeros.ros-exec-script
run-liminix-vm
mips-vm
borderVm.build.vm
go-l2tp
min-copy-closure

230
devices/belkin-rt3200/default.nix
View File

@ -1,230 +0,0 @@
{
description = ''
Belkin RT-3200 / Linksys E8450
******************************
This device is based on a 64 bit Mediatek MT7622 ARM platform,
and is "work in progress" in Liminix.
.. note:: The factory flash image contains ECC errors that make it
incompatible with Liminix: you need to use the `OpenWrt
UBI Installer <https://github.com/dangowrt/owrt-ubi-installer>`_ to
rewrite the partition layout before you can flash
Liminix onto it (or even use it with
:ref:`system-outputs-tftpboot`, if you want the wireless
to work).
Hardware summary
================
- MediaTek MT7622BV (1350MHz)
- 128MB NAND flash
- 512MB RAM
- b/g/n wireless using MediaTek MT7622BV (MT7615E driver)
- a/n/ac/ax wireless using MediaTek MT7915E
Installation
============
Installation is currently a manual process (you need a :ref:`serial <serial>` conection and
TFTP) following the instructions at :ref:`system-outputs-ubimage`
'';
system = {
crossSystem = {
config = "aarch64-unknown-linux-musl";
};
};
module = {pkgs, config, lib, lim, ... }:
let firmware = pkgs.stdenv.mkDerivation {
name = "wlan-firmware";
phases = ["installPhase"];
installPhase = ''
mkdir $out
cp ${pkgs.linux-firmware}/lib/firmware/mediatek/{mt7915,mt7615,mt7622}* $out
'';
};
in {
imports = [
../../modules/arch/aarch64.nix
../../modules/outputs/tftpboot.nix
../../modules/outputs/ubifs.nix
];
config = {
kernel = {
src = pkgs.pkgsBuildBuild.fetchurl {
name = "linux.tar.gz";
url = "https://cdn.kernel.org/pub/linux/kernel/v5.x/linux-5.15.71.tar.gz";
hash = "sha256-yhO2cXIeIgUxkSZf/4aAsF11uxyh+UUZu6D1h92vCD8=";
};
extraPatchPhase = ''
${pkgs.openwrt.applyPatches.mediatek}
'';
config = {
PCI = "y";
ARCH_MEDIATEK = "y";
# ARM_MEDIATEK_CPUFREQ = "y";
# needed for "Cannot find regmap for /infracfg@10000000"
MFD_SYSCON = "y";
MTK_INFRACFG = "y";
MTK_PMIC_WRAP = "y";
MTK_EFUSE="y";
# MTK_HSDMA="y";
MTK_SCPSYS="y";
MTK_SCPSYS_PM_DOMAINS="y";
# MTK_THERMAL="y";
MTK_TIMER="y";
COMMON_CLK_MT7622 = "y";
COMMON_CLK_MT7622_ETHSYS = "y";
COMMON_CLK_MT7622_HIFSYS = "y";
COMMON_CLK_MT7622_AUDSYS = "y";
PM_CLK="y";
REGMAP_MMIO = "y";
CLKSRC_MMIO = "y";
REGMAP = "y";
MEDIATEK_GE_PHY = "y";
# MEDIATEK_MT6577_AUXADC = "y";
# MEDIATEK_WATCHDOG = "y";
NET_MEDIATEK_SOC = "y";
NET_MEDIATEK_SOC_WED = "y";
NET_MEDIATEK_STAR_EMAC = "y"; # this enables REGMAP_MMIO
NET_VENDOR_MEDIATEK = "y";
PCIE_MEDIATEK = "y";
BLOCK = "y"; # move this to base option
SPI_MASTER = "y";
SPI = "y";
SPI_MEM="y";
SPI_MTK_NOR="y";
SPI_MTK_SNFI = "y";
MTD = "y";
MTD_BLOCK = "y";
MTD_RAW_NAND = "y";
MTD_NAND_MTK = "y";
MTD_NAND_MTK_BMT = "y"; # Bad-block Management Table
MTD_NAND_ECC_MEDIATEK= "y";
MTD_NAND_ECC_SW_HAMMING= "y";
MTD_SPI_NAND= "y";
MTD_OF_PARTS = "y";
MTD_NAND_CORE= "y";
MTD_SPI_NOR= "y";
MTD_SPLIT_FIRMWARE= "y";
MTD_SPLIT_FIT_FW= "y";
MMC = "y";
MMC_BLOCK = "y";
MMC_CQHCI = "y";
MMC_MTK = "y";
# Distributed Switch Architecture is needed
# to make the ethernet ports visible
NET_DSA="y";
NET_DSA_MT7530="y";
NET_DSA_TAG_MTK="y";
PSTORE = "y";
PSTORE_RAM = "y";
PSTORE_CONSOLE = "y";
PSTORE_DEFLATE_COMPRESS = "n";
SERIAL_8250 = "y";
SERIAL_8250_CONSOLE = "y";
SERIAL_8250_MT6577="y";
# SERIAL_8250_NR_UARTS="3";
# SERIAL_8250_RUNTIME_UARTS="3";
SERIAL_OF_PLATFORM="y";
};
};
boot = {
commandLine = [ "console=ttyS0,115200" ];
tftp.loadAddress = lim.parseInt "0x4007ff28";
imageFormat = "fit";
};
filesystem =
let inherit (pkgs.pseudofile) dir symlink;
in
dir {
lib = dir {
firmware = dir {
mediatek = symlink firmware;
};
};
};
hardware =
let
openwrt = pkgs.openwrt;
mac80211 = pkgs.mac80211.override {
drivers = [
"mt7615e"
"mt7915e"
];
klibBuild = config.system.outputs.kernel.modulesupport;
};
in {
ubi = {
minIOSize = "2048";
eraseBlockSize = "126976";
maxLEBcount = "1024"; # guessing
};
defaultOutput = "ubimage";
# the kernel expects this to be on a 2MB boundary. U-Boot
# (I don't know why) has a default of 0x41080000, which isn't.
# We put it at the 32MB mark so that tftpboot can put its rootfs
# image and DTB underneath, but maybe this is a terrible waste of
# RAM unless the kernel is able to reuse it later. Oh well
loadAddress = lim.parseInt "0x42000000";
entryPoint = lim.parseInt "0x42000000";
rootDevice = "ubi0:liminix";
dts = {
src = "${openwrt.src}/target/linux/mediatek/dts/mt7622-linksys-e8450-ubi.dts";
includes = [
"${openwrt.src}/target/linux/mediatek/dts"
"${config.system.outputs.kernel.modulesupport}/arch/arm64/boot/dts/mediatek/"
];
};
# - 0x000000000000-0x000008000000 : "spi-nand0"
# - 0x000000000000-0x000000080000 : "bl2"
# - 0x000000080000-0x0000001c0000 : "fip"
# - 0x0000001c0000-0x0000002c0000 : "factory"
# - 0x0000002c0000-0x000000300000 : "reserved"
# - 0x000000300000-0x000008000000 : "ubi"
networkInterfaces =
let
inherit (config.system.service.network) link;
inherit (config.system.service) bridge;
in rec {
wan = link.build { ifname = "wan"; };
lan1 = link.build { ifname = "lan1"; };
lan2 = link.build { ifname = "lan2"; };
lan3 = link.build { ifname = "lan3"; };
lan4 = link.build { ifname = "lan4"; };
lan = lan3;
wlan = link.build {
ifname = "wlan0";
dependencies = [ mac80211 ];
};
wlan5 = link.build {
ifname = "wlan1";
dependencies = [ mac80211 ];
};
};
};
};
};
}

57
devices/families/qemu.nix
View File

@ -1,57 +0,0 @@
{ config, pkgs, ... }:
{
imports = [
../../modules/outputs/jffs2.nix
];
config = {
kernel = {
src = pkgs.pkgsBuildBuild.fetchurl {
name = "linux.tar.gz";
url = "https://cdn.kernel.org/pub/linux/kernel/v5.x/linux-5.15.71.tar.gz";
hash = "sha256-yhO2cXIeIgUxkSZf/4aAsF11uxyh+UUZu6D1h92vCD8=";
};
config = {
MTD = "y";
MTD_BLOCK = "y";
MTD_CMDLINE_PARTS = "y";
MTD_PHRAM = "y";
VIRTIO_MENU = "y";
PCI = "y";
VIRTIO_PCI = "y";
BLOCK = "y";
VIRTIO_BLK = "y";
VIRTIO_NET = "y";
};
};
hardware =
let
mac80211 = pkgs.mac80211.override {
drivers = ["mac80211_hwsim"];
klibBuild = config.system.outputs.kernel.modulesupport;
};
in {
defaultOutput = "vmroot";
rootDevice = "/dev/mtdblock0";
dts.src = pkgs.lib.mkDefault null;
flash.eraseBlockSize = 65536;
networkInterfaces =
let inherit (config.system.service.network) link;
in {
wan = link.build {
devpath = "/devices/pci0000:00/0000:00:13.0/virtio0";
ifname = "wan";
};
lan = link.build {
devpath = "/devices/pci0000:00/0000:00:14.0/virtio1";
ifname = "lan";
};
wlan_24 = link.build {
ifname = "wlan0";
dependencies = [ mac80211 ];
};
};
};
};
}

100
devices/gl-ar750/default.nix
View File

@ -1,3 +1,11 @@
# I like GL.iNet devices because they're relatively accessible to
# DIY users: the serial port connections have headers preinstalled
# and don't need soldering
# Mainline linux 5.19 doesn't have device-tree support for this device
# or even for the SoC, so we use the extensive OpenWrt kernel patches
{
system = {
crossSystem = {
@ -10,49 +18,27 @@
};
description = ''
GL.iNet GL-AR750
****************
Hardware summary
================
The GL-AR750 "Creta" travel router features:
GL.INet GL-AR750 "Creta" travel router
- QCA9531 @650Mhz SoC
- dual band wireless: IEEE 802.11a/b/g/n/ac
- two 10/100Mbps LAN ports and one WAN
- 128MB DDR2 RAM
- 16MB NOR Flash
- supported in OpenWrt by the "ath79" SoC family
- 128MB DDR2 RAM / 16MB NOR Flash
- "ath79" soc family
https://www.gl-inet.com/products/gl-ar750/
The GL-AR750 has two distinct sets of wifi hardware. The 2.4GHz
radio is part of the QCA9531 SoC, i.e. it's on the same silicon as
the CPU, the Ethernet, the USB etc. The device is connected to the
host via `AHB <https://en.wikipedia.org/wiki/Advanced_Microcontroller_Bus_Architecture>`_ and it is
supported in Linux using the ath9k driver. 5GHz wifi
is provided by a QCA9887 PCIe (PCI embedded) WLAN chip,
host via AHB, the "Advanced High-Performance Bus" and it is
supported in Linux using the ath9k driver. The 5GHz support, on the
other hand, is provided by a QCA9887 PCIe (PCI embedded) WLAN chip:
I haven't looked closely at the router innards to see if this is
actually physically a separate board that could be unplugged, but
as far as the Linux is concerned it behaves as one. This is
supported by the ath10k driver.
Installation
============
As with many GL.iNet devices, the stock vendor firmware
is a fork of OpenWrt, meaning that the binary created by
:ref:`system-outputs-mtdimage` can be flashed using the
vendor web UI or the U-Boot emergency "unbrick" routine.
For flashing from an existing Liminix system (we believe that) it
is necessary to first boot into a :ref:`system-outputs-kexecboot`
system, otherwise you'll be overwriting flash partitions while
they're in use - and that might not end well.
Vendor web page: https://www.gl-inet.com/products/gl-ar750/
OpenWrt web page: https://openwrt.org/toh/gl.inet/gl-ar750
'';
module = {pkgs, config, lim, ... }:
module = {pkgs, config, ... }:
let
openwrt = pkgs.openwrt;
firmwareBlobs = pkgs.pkgsBuildBuild.fetchFromGitHub {
@ -77,8 +63,8 @@
};
ath10k_cal_data =
let
offset = lim.parseInt "0x5000";
size = lim.parseInt "0x844";
offset = 1024 * 20; # 0x5000
size = 2048 + 68; # 0x844
in pkgs.liminix.services.oneshot rec {
name = "ath10k_cal_data";
up = ''
@ -89,29 +75,24 @@
dd if=/dev/$part of=data iflag=skip_bytes,fullblock bs=${toString size} skip=${toString offset} count=1
)
'';
down = "true";
};
inherit (pkgs.pseudofile) dir symlink;
inherit (pkgs.liminix.networking) interface;
in {
imports = [
../../modules/network
../../modules/arch/mipseb.nix
../../modules/outputs/tftpboot.nix
../../modules/outputs/mtdimage.nix
../../modules/outputs/jffs2.nix
];
imports = [ ../../modules/network];
programs.busybox.options = {
FEATURE_DD_IBS_OBS = "y"; # ath10k_cal_data needs skip_bytes,fullblock
};
hardware = {
defaultOutput = "mtdimage";
loadAddress = lim.parseInt "0x80060000";
entryPoint = lim.parseInt "0x80060000";
defaultOutput = "tftpboot";
loadAddress = "0x80060000";
entryPoint = "0x80060000";
flash = {
address = lim.parseInt "0x9F060000";
size = lim.parseInt "0xfa0000";
eraseBlockSize = 65536;
address = "0x9F060000";
size ="0xfa0000";
eraseBlockSize = "65536";
};
rootDevice = "/dev/mtdblock5";
dts = {
@ -126,11 +107,11 @@
in {
lan = link.build { ifname = "eth0"; };
wan = link.build { ifname = "eth1"; };
wlan = link.build {
wlan_24 = link.build {
ifname = "wlan0";
dependencies = [ mac80211 ];
};
wlan5 = link.build {
wlan_5 = link.build {
ifname = "wlan1";
dependencies = [ mac80211 ath10k_cal_data ];
};
@ -147,7 +128,7 @@
};
};
boot.tftp = {
loadAddress = lim.parseInt "0x00A00000";
loadAddress = "0x00A00000";
};
kernel = {
src = pkgs.pkgsBuildBuild.fetchurl {
@ -155,15 +136,13 @@
url = "https://cdn.kernel.org/pub/linux/kernel/v5.x/linux-5.15.71.tar.gz";
hash = "sha256-yhO2cXIeIgUxkSZf/4aAsF11uxyh+UUZu6D1h92vCD8=";
};
# Mainline linux 5.19 doesn't have device-tree support for
# this device or even for the SoC, so we use the extensive
# OpenWrt kernel patches
extraPatchPhase = ''
${openwrt.applyPatches.ath79}
'';
config = {
MIPS_ELF_APPENDED_DTB = "y";
OF = "y";
USE_OF = "y";
ATH79 = "y";
PCI = "y";
PCI_AR724X = "y";
@ -183,6 +162,7 @@
CONSOLE_LOGLEVEL_QUIET = "4";
NET = "y";
NETDEVICES = "y";
ETHERNET = "y";
NET_VENDOR_ATHEROS = "y";
AG71XX = "y"; # ethernet (qca,qca9530-eth)
@ -190,6 +170,7 @@
AR8216_PHY = "y"; # eth1 is behind a switch
MTD_SPI_NOR = "y";
MTD_SPI_NOR_USE_4K_SECTORS = "n"; # jffs2 needs min 8k erase block
SPI_ATH79 = "y"; # these are copied from OpenWrt.
SPI_MASTER= "y"; # At least one of them is necessary
@ -206,18 +187,25 @@
SYSFS = "y";
SPI = "y";
MTD = "y";
MTD_CMDLINE_PARTS = "y";
MTD_BLOCK = "y"; # fix undefined ref to register_mtd_blktrans_devs
WATCHDOG = "y";
ATH79_WDT = "y"; # watchdog timer
CPU_BIG_ENDIAN= "y";
# this is all copied from nixwrt ath79 config. Clearly not all
# of it is device config, some of it is wifi config or
# installation method config or ...
CMDLINE_PARTITION = "y";
EARLY_PRINTK = "y";
PARTITION_ADVANCED = "y";
PRINTK_TIME = "y";
SQUASHFS = "y";
SQUASHFS_XZ = "y";
};
};
};

136
devices/gl-mt300a/default.nix
View File

@ -1,4 +1,4 @@
# GL.iNet GL-MT300A
# GL.INet GL-MT300A
{
system = {
@ -12,38 +12,13 @@
};
description = ''
GL.iNet GL-MT300A
*****************
The GL-MT300A is based on a MT7620 chipset.
For flashing from U-Boot, the firmware partition is from
0xbc050000 to 0xbcfd0000.
WiFi on this device is provided by the rt2800soc module. It
expects firmware to be present in the "factory" MTD partition, so
- assuming we want to use the wireless - we need to build MTD
support into the kernel even if we're using TFTP root.
Installation
============
The stock vendor firmware is a fork of OpenWrt, meaning that the
binary created by :ref:`system-outputs-mtdimage` can be flashed
using the vendor web UI or the U-Boot emergency "unbrick" routine.
For flashing from an existing Liminix system (we think) it
is necessary to first boot into a :ref:`system-outputs-kexecboot`
system, otherwise you'll be overwriting flash partitions while
they're in use - and that might not end well.
Vendor web page: https://www.gl-inet.com/products/gl-mt300a/
OpenWrt web page: https://openwrt.org/toh/gl.inet/gl-mt300a
support into the kernel even if we're using TFTP root
'';
module = { pkgs, config, lib, lim, ...}:
module = { pkgs, config, ...}:
let
inherit (pkgs.liminix.networking) interface;
inherit (pkgs) openwrt;
@ -51,17 +26,11 @@
drivers = ["rt2800soc"];
klibBuild = config.system.outputs.kernel.modulesupport;
};
in {
imports = [
../../modules/arch/mipsel.nix
../../modules/outputs/tftpboot.nix
../../modules/outputs/mtdimage.nix
../../modules/outputs/jffs2.nix
];
in {
hardware = {
defaultOutput = "mtdimage";
loadAddress = lim.parseInt "0x80000000";
entryPoint = lim.parseInt "0x80000000";
defaultOutput = "tftpboot";
loadAddress = "0x80000000";
entryPoint = "0x80000000";
# Creating 5 MTD partitions on "spi0.0":
# 0x000000000000-0x000000030000 : "u-boot"
@ -74,9 +43,9 @@
# 0x000000260000-0x000000f80000 : "rootfs"
flash = {
address = lim.parseInt "0xbc050000";
size = lim.parseInt "0xf80000";
eraseBlockSize = 65536;
address = "0xbc050000";
size ="0xf80000";
eraseBlockSize = "65536";
};
rootDevice = "/dev/mtdblock5";
@ -86,46 +55,31 @@
"${openwrt.src}/target/linux/ramips/dts"
];
};
networkInterfaces =
let
inherit (config.system.service.network) link;
inherit (config.system.service) vlan;
inherit (pkgs.liminix.services) oneshot;
swconfig = oneshot {
name = "swconfig";
up = ''
PATH=${pkgs.swconfig}/bin:$PATH
swconfig dev switch0 set reset
swconfig dev switch0 set enable_vlan 1
swconfig dev switch0 vlan 1 set ports '1 2 3 4 6t'
swconfig dev switch0 vlan 2 set ports '0 6t'
swconfig dev switch0 set apply
'';
down = "${pkgs.swconfig}/bin/swconfig dev switch0 set reset";
};
in rec {
eth = link.build { ifname = "eth0"; };
# lan and wan ports are both behind a switch on eth0
lan = vlan.build {
ifname = "eth0.1";
primary = eth;
vid = "1";
dependencies = [swconfig eth];
};
wan = vlan.build {
ifname = "eth0.2";
primary = eth;
vid = "2";
dependencies = [swconfig eth];
};
wlan = link.build {
ifname = "wlan0";
dependencies = [ mac80211 ];
};
networkInterfaces = rec {
# lan and wan ports are both behind a switch on eth0
eth = interface { device = "eth0"; };
lan = interface {
type = "vlan";
device = "eth0.1";
link = "eth0";
id = "1";
dependencies = [eth];
};
wan = interface {
type = "vlan";
device = "eth0.2";
id = "2";
link = "eth0";
dependencies = [eth];
};
wlan = interface {
device = "wlan0";
dependencies = [ mac80211 ];
};
};
};
boot.tftp = {
loadAddress = lim.parseInt "0x00A00000";
loadAddress = "0x00A00000";
};
kernel = {
@ -138,6 +92,9 @@
${openwrt.applyPatches.ramips}
'';
config = {
MIPS_ELF_APPENDED_DTB = "y";
OF = "y";
USE_OF = "y";
RALINK = "y";
PCI = "y";
@ -152,12 +109,12 @@
CONSOLE_LOGLEVEL_QUIET = "4";
NET = "y";
NETDEVICES = "y";
ETHERNET = "y";
NET_VENDOR_RALINK = "y";
NET_RALINK_MDIO = "y";
NET_RALINK_MDIO_MT7620 = "y";
NET_RALINK_MT7620 = "y";
SWPHY = "y";
SPI = "y";
MTD_SPI_NOR = "y";
@ -166,17 +123,34 @@
SPI_MASTER= "y";
SPI_MEM= "y";
# both the ethernet ports on this device (lan and wan)
# are behind a switch, so we need VLANs to do anything
# useful with them
VLAN_8021Q = "y";
SWCONFIG = "y";
SWPHY = "y";
BRIDGE = "y";
BRIDGE_VLAN_FILTERING = "y";
BRIDGE_IGMP_SNOOPING = "y";
MTD = "y";
MTD_CMDLINE_PARTS = "y";
MTD_BLOCK = "y"; # fix undefined ref to register_mtd_blktrans_devs
CPU_LITTLE_ENDIAN = "y";
CMDLINE_PARTITION = "y";
EARLY_PRINTK = "y";
NEW_LEDS = "y";
LEDS_CLASS = "y"; # required by rt2x00lib
PARTITION_ADVANCED = "y";
PRINTK_TIME = "y";
} // lib.optionalAttrs (config.system.service ? vlan) {
SWCONFIG = "y";
SQUASHFS = "y";
SQUASHFS_XZ = "y";
};
};
};

149
devices/gl-mt300n-v2/default.nix
View File

@ -1,3 +1,5 @@
# GL.INet GL-MT300N v2
{
system = {
crossSystem = {
@ -9,34 +11,7 @@
};
};
description = ''
GL.iNet GL-MT300N-v2
********************
The GL-MT300N-v2 "Mango" is is very similar to the :ref:`MT300A <GL.iNet GL-MT300A>, but is
based on the MT7628 chipset instead of MT7620. It's also marginally cheaper
and comes in a yellow case not a blue one. Be sure your device is
v2 not v1, which is a different animal and has only half as much RAM.
Installation
============
The stock vendor firmware is a fork of OpenWrt, meaning that the
binary created by :ref:`system-outputs-mtdimage` can be flashed
using the vendor web UI or the U-Boot emergency "unbrick" routine.
For flashing from an existing Liminix system (we think) it
is necessary to first boot into a :ref:`system-outputs-kexecboot`
system, otherwise you'll be overwriting flash partitions while
they're in use - and that might not end well.
Vendor web page: https://www.gl-inet.com/products/gl-mt300n-v2/
OpenWrt web page: https://openwrt.org/toh/gl.inet/gl-mt300n_v2
'';
module = { pkgs, config, lib, lim, ...}:
module = { pkgs, config, ...}:
let
inherit (pkgs.liminix.networking) interface;
inherit (pkgs.liminix.services) oneshot;
@ -52,12 +27,6 @@
hash = "sha256:1dkhfznmdz6s50kwc841x3wj0h6zg6icg5g2bim9pvg66as2vmh9";
};
in {
imports = [
../../modules/arch/mipsel.nix
../../modules/outputs/tftpboot.nix
../../modules/outputs/mtdimage.nix
../../modules/outputs/jffs2.nix
];
filesystem = dir {
lib = dir {
firmware = dir {
@ -66,14 +35,14 @@
};
};
hardware = {
defaultOutput = "mtdimage";
loadAddress = lim.parseInt "0x80000000";
entryPoint = lim.parseInt "0x80000000";
defaultOutput = "tftpboot";
loadAddress = "0x80000000";
entryPoint = "0x80000000";
flash = {
address = lim.parseInt "0xbc050000";
size = lim.parseInt "0xfb0000";
eraseBlockSize = 65536;
address = "0xbc050000";
size = "0xfb0000";
eraseBlockSize = "65536";
};
rootDevice = "/dev/mtdblock5";
@ -83,45 +52,49 @@
"${openwrt.src}/target/linux/ramips/dts"
];
};
networkInterfaces =
let
inherit (config.system.service.network) link;
inherit (config.system.service) vlan;
swconfig = oneshot {
name = "swconfig";
up = ''
PATH=${pkgs.swconfig}/bin:$PATH
swconfig dev switch0 set reset
swconfig dev switch0 set enable_vlan 1
swconfig dev switch0 vlan 1 set ports '1 2 3 4 6t'
swconfig dev switch0 vlan 2 set ports '0 6t'
swconfig dev switch0 set apply
'';
down = "swconfig dev switch0 set reset";
};
in rec {
eth = link.build { ifname = "eth0"; dependencies = [swconfig]; };
# lan and wan ports are both behind a switch on eth0
lan = vlan.build {
ifname = "eth0.1";
primary = eth;
vid = "1";
};
wan = vlan.build {
ifname = "eth0.2";
primary = eth;
vid = "2";
};
wlan = link.build {
ifname = "wlan0";
dependencies = [ mac80211 ];
networkInterfaces = rec {
# lan and wan ports are both behind a switch on eth0
eth =
let swconfig = oneshot {
name = "swconfig";
up = ''
PATH=${pkgs.swconfig}/bin:$PATH
swconfig dev switch0 set reset
swconfig dev switch0 set enable_vlan 1
swconfig dev switch0 vlan 1 set ports '1 2 3 4 6t'
swconfig dev switch0 vlan 2 set ports '0 6t'
swconfig dev switch0 set apply
'';
down = "swconfig dev switch0 set reset";
};
in interface {
device = "eth0";
dependencies = [swconfig];
};
lan = interface {
type = "vlan";
device = "eth0.1";
link = "eth0";
id = "1";
dependencies = [eth];
};
wan = interface {
type = "vlan";
device = "eth0.2";
id = "2";
link = "eth0";
dependencies = [eth];
};
wlan = interface {
device = "wlan0";
dependencies = [ mac80211 ];
};
};
};
boot.tftp = {
# 20MB seems to give enough room to uncompress the kernel
# without anything getting trodden on. 10MB was too small
loadAddress = lim.parseInt "0x1400000";
loadAddress = "0x1400000";
};
kernel = {
@ -134,10 +107,14 @@
${openwrt.applyPatches.ramips}
'';
config = {
MIPS_ELF_APPENDED_DTB = "y";
OF = "y";
USE_OF = "y";
RALINK = "y";
PCI = "y";
SOC_MT7620 = "y";
CPU_LITTLE_ENDIAN= "y";
SERIAL_8250_CONSOLE = "y";
SERIAL_8250 = "y";
@ -148,6 +125,7 @@
CONSOLE_LOGLEVEL_QUIET = "4";
MTD = "y";
MTD_CMDLINE_PARTS = "y";
MTD_BLOCK = "y"; # fix undefined ref to register_mtd_blktrans_dev
SPI = "y";
@ -160,6 +138,7 @@
REGULATOR_FIXED_VOLTAGE = "y";
NET = "y";
NETDEVICES = "y";
ETHERNET = "y";
PHYLIB = "y";
@ -169,21 +148,35 @@
NET_VENDOR_RALINK = "y";
NET_RALINK_RT3050 = "y";
NET_RALINK_SOC="y";
# both the ethernet ports on this device (lan and wan)
# are behind a switch, so we need VLANs to do anything
# useful with them
VLAN_8021Q = "y";
SWCONFIG = "y";
SWPHY = "y";
BRIDGE = "y";
BRIDGE_VLAN_FILTERING = "y";
BRIDGE_IGMP_SNOOPING = "y";
WATCHDOG = "y";
RALINK_WDT = "y"; # watchdog
MT7621_WDT = "y"; # or it might be this one
GPIOLIB="y";
GPIO_MT7621 = "y";
PHY_RALINK_USB = "y";
CMDLINE_PARTITION = "y";
EARLY_PRINTK = "y";
PARTITION_ADVANCED = "y";
PRINTK_TIME = "y";
} // lib.optionalAttrs (config.system.service ? vlan) {
SWCONFIG = "y";
} // lib.optionalAttrs (config.system.service ? watchdog) {
RALINK_WDT = "y"; # watchdog
MT7621_WDT = "y"; # or it might be this one
SQUASHFS = "y";
SQUASHFS_XZ = "y";
};
};
};

51
devices/qemu-aarch64/default.nix
View File

@ -1,51 +0,0 @@
# This "device" generates images that can be used with the QEMU
# emulator. The default output is a directory containing separate
# kernel ("Image" format) and root filesystem (squashfs or jffs2)
# images
{
system = {
crossSystem = {
config = "aarch64-unknown-linux-musl";
};
};
description = ''
QEMU Aarch64
************
This target produces an image for
the `QEMU "virt" platform <https://www.qemu.org/docs/master/system/arm/virt.html>`_ using a 64 bit CPU type.
ARM targets differ from MIPS in that the kernel format expected
by QEMU is an "Image" (raw binary file) rather than an ELF
file, but this is taken care of by :command:`run.sh`. Check the
documentation for the :ref:`QEMU` (MIPS) target for more information.
'';
# this device is described by the "qemu" device
installer = "vmroot";
module = {pkgs, config, lim, ... }: {
imports = [
../../modules/arch/aarch64.nix
../families/qemu.nix
];
kernel = {
config = {
VIRTUALIZATION = "y";
PCI_HOST_GENERIC="y";
SERIAL_AMBA_PL011 = "y";
SERIAL_AMBA_PL011_CONSOLE = "y";
};
};
boot.commandLine = [
"console=ttyAMA0,38400"
];
hardware = let addr = lim.parseInt "0x40010000"; in {
loadAddress = addr;
entryPoint = addr;
};
};
}

53
devices/qemu-armv7l/default.nix
View File

@ -1,53 +0,0 @@
# This "device" generates images that can be used with the QEMU
# emulator. The default output is a directory containing separate
# kernel ("Image" format) and root filesystem (squashfs or jffs2)
# images
{
system = {
crossSystem = {
config = "armv7l-unknown-linux-musleabihf";
};
};
# this device is described by the "qemu" device
description = ''
QEMU ARM v7
***********
This target produces an image for
the `QEMU "virt" platform <https://www.qemu.org/docs/master/system/arm/virt.html>`_ using a 32 bit CPU type.
ARM targets differ from MIPS in that the kernel format expected
by QEMU is an "Image" (raw binary file) rather than an ELF
file, but this is taken care of by :command:`run.sh`. Check the
documentation for the :ref:`QEMU` (MIPS) target for more information.
'';
installer = "vmroot";
module = {pkgs, config, lim, ... }: {
imports = [
../../modules/arch/arm.nix
../families/qemu.nix
];
kernel = {
config = {
PCI_HOST_GENERIC = "y";
ARCH_VIRT = "y";
VFP = "y";
NEON = "y";
AEABI = "y";
SERIAL_AMBA_PL011 = "y";
SERIAL_AMBA_PL011_CONSOLE = "y";
};
};
boot.commandLine = [
"console=ttyAMA0"
];
hardware = let addr = lim.parseInt "0x40008000"; in {
loadAddress = addr;
entryPoint = addr;
};
};
}

86
devices/qemu/default.nix
View File

@ -12,65 +12,59 @@
};
};
description = ''
QEMU MIPS
*********
This target produces an image for
QEMU, the "generic and open source machine emulator and
virtualizer".
MIPS QEMU emulates a "Malta" board, which was an ATX form factor
evaluation board made by MIPS Technologies, but mostly in Liminix
we use paravirtualized devices (Virtio) instead of emulating
hardware.
Building an image for QEMU results in a :file:`result/` directory
containing ``run.sh`` ``vmlinux``, and ``rootfs`` files. To invoke
the emulator, run ``run.sh``.
The configuration includes two emulated "hardware" ethernet
devices and the kernel :code:`mac80211_hwsim` module to
provide an emulated wlan device. To read more about how
to connect to this network, refer to :ref:`qemu-networking`
in the Development manual.
'';
module = {pkgs, config, lib, lim, ... }: {
imports = [
../../modules/arch/mipseb.nix
../families/qemu.nix
];
module = {pkgs, config, ... }: {
kernel = {
src = pkgs.pkgsBuildBuild.fetchurl {
name = "linux.tar.gz";
url = "https://cdn.kernel.org/pub/linux/kernel/v5.x/linux-5.15.71.tar.gz";
hash = "sha256-yhO2cXIeIgUxkSZf/4aAsF11uxyh+UUZu6D1h92vCD8=";
};
config = {
MIPS_MALTA= "y";
CPU_LITTLE_ENDIAN= "n";
CPU_BIG_ENDIAN= "y";
CPU_MIPS32_R2= "y";
POWER_RESET = "y";
POWER_RESET_SYSCON = "y";
MTD = "y";
MTD_BLOCK2MTD = "y";
MTD_BLKDEVS = "y";
MTD_BLOCK = "y";
SQUASHFS = "y";
SQUASHFS_XZ = "y";
VIRTIO_MENU = "y";
PCI = "y";
VIRTIO_PCI = "y";
BLOCK = "y";
VIRTIO_BLK = "y";
NETDEVICES = "y";
VIRTIO_NET = "y";
SERIAL_8250= "y";
SERIAL_8250_CONSOLE= "y";
};
};
hardware =
# from arch/mips/mti-malta/Platform:load-$(CONFIG_MIPS_MALTA) += 0xffffffff80100000
let addr = lim.parseInt "0x80100000";
in {
loadAddress = addr;
entryPoint = addr;
# Unlike the arm qemu targets, we need a static dts when
# running u-boot-using tests, qemu dumpdtb command doesn't
# work for this board. I am not at all sure this dts is
# *correct* but it does at least boot
dts = lib.mkForce {
src = "${config.system.outputs.kernel.modulesupport}/arch/mips/boot/dts/mti/malta.dts";
includes = [
"${config.system.outputs.kernel.modulesupport}/arch/mips/boot/dts/"
];
let
mac80211 = pkgs.mac80211.override {
drivers = ["mac80211_hwsim"];
klibBuild = config.system.outputs.kernel.modulesupport;
};
inherit (pkgs.liminix.networking) interface;
in {
defaultOutput = "vmroot";
flash.eraseBlockSize = "65536"; # c.f. pkgs/mips-vm/mips-vm.sh
networkInterfaces = {
lan = interface { device = "eth0"; };
wan = interface { device = "eth1"; };
wlan_24 = interface {
device = "wlan0";
dependencies = [ mac80211 ];
};
};
};
};
}

238
devices/turris-omnia/default.nix
View File

@ -1,238 +0,0 @@
{
description = ''
Turris Omnia
************
'';
system = {
crossSystem = {
config = "armv7l-unknown-linux-musleabihf";
};
};
module = {pkgs, config, lib, lim, ... }:
let
openwrt = pkgs.openwrt;
inherit (lib) mkOption types;
inherit (pkgs.liminix.services) oneshot;
inherit (pkgs) liminix;
mtd_by_name_links = pkgs.liminix.services.oneshot rec {
name = "mtd_by_name_links";
up = ''
mkdir -p /dev/mtd/by-name
cd /dev/mtd/by-name
for i in /sys/class/mtd/mtd*[0-9]; do
ln -s ../../$(basename $i) $(cat $i/name)
done
'';
};
in {
imports = [
../../modules/arch/arm.nix
../../modules/outputs/tftpboot.nix
../../modules/outputs/ext4fs.nix
../../modules/outputs/mbrimage.nix
../../modules/outputs/extlinux.nix
];
config = {
services.mtd-name-links = mtd_by_name_links;
kernel = {
src = pkgs.pkgsBuildBuild.fetchurl {
name = "linux.tar.gz";
url = "https://cdn.kernel.org/pub/linux/kernel/v5.x/linux-5.15.71.tar.gz";
hash = "sha256-yhO2cXIeIgUxkSZf/4aAsF11uxyh+UUZu6D1h92vCD8=";
};
extraPatchPhase = ''
${pkgs.openwrt.applyPatches.mvebu}
'';
config = {
PCI = "y";
OF = "y";
MEMORY = "y"; # for MVEBU_DEVBUS
DMADEVICES = "y"; # for MV_XOR
CPU_V7 = "y";
ARCH_MULTIPLATFORM = "y";
ARCH_MVEBU = "y";
ARCH_MULTI_V7= "y";
PCI_MVEBU = "y";
AHCI_MVEBU = "y";
MACH_ARMADA_38X = "y";
SMP = "y";
# this is disabled for the moment because it relies on a GCC
# plugin that requires gmp.h to build, and I can't see right now
# how to confgure it to find gmp
STACKPROTECTOR_PER_TASK = "n";
NR_CPUS = "4";
VFP = "y";
NEON= "y";
# WARNING: unmet direct dependencies detected for ARCH_WANT_LIBATA_LEDS
ATA = "y";
PSTORE = "y";
PSTORE_RAM = "y";
PSTORE_CONSOLE = "y";
PSTORE_DEFLATE_COMPRESS = "n";
BLOCK = "y";
MMC="y";
PWRSEQ_EMMC="y"; # ???
PWRSEQ_SIMPLE="y"; # ???
MMC_BLOCK="y";
MMC_SDHCI= "y";
MMC_SDHCI_PLTFM= "y";
MMC_SDHCI_PXAV3= "y";
MMC_MVSDIO= "y";
SERIAL_8250 = "y";
SERIAL_8250_CONSOLE = "y";
SERIAL_OF_PLATFORM="y";
SERIAL_MVEBU_UART = "y";
SERIAL_MVEBU_CONSOLE = "y";
SERIAL_8250_DMA= "y";
SERIAL_8250_DW= "y";
SERIAL_8250_EXTENDED= "y";
SERIAL_8250_MANY_PORTS= "y";
SERIAL_8250_SHARE_IRQ= "y";
OF_ADDRESS= "y";
OF_MDIO= "y";
WATCHDOG = "y"; # watchdog is enabled by u-boot
ORION_WATCHDOG = "y"; # so is non-optional to keep feeding
MVEBU_DEVBUS = "y"; # "Device Bus controller ... flash devices such as NOR, NAND, SRAM, and FPGA"
MVMDIO = "y";
MVNETA = "y";
MVNETA_BM = "y";
MVNETA_BM_ENABLE = "y";
SRAM = "y"; # mmio-sram is "compatible" for bm_bppi reqd by BM
PHY_MVEBU_A38X_COMPHY = "y"; # for eth2
MVPP2 = "y";
MV_XOR = "y";
# there is NOR flash on this device, which is used for U-Boot
# and the rescue system (which we don't interfere with) but
# also for the U-Boot environment variables (which we might
# need to meddle with)
MTD_SPI_NOR = "y";
SPI = "y";
SPI_MASTER = "y";
SPI_ORION = "y";
NET_DSA = "y";
NET_DSA_MV88E6XXX = "y"; # depends on PTP_1588_CLOCK_OPTIONAL
};
};
rootfsType = "ext4";
boot = {
commandLine = [
"console=ttyS0,115200"
"pcie_aspm=off" # ath9k pci incompatible with PCIe ASPM
];
imageFormat = "fit";
};
filesystem =
let
inherit (pkgs.pseudofile) dir symlink;
firmware = pkgs.stdenv.mkDerivation {
name = "wlan-firmware";
phases = ["installPhase"];
installPhase = ''
mkdir $out
cp -r ${pkgs.linux-firmware}/lib/firmware/ath10k/QCA988X $out
'';
};
in dir {
lib = dir {
firmware = dir {
ath10k = symlink firmware;
};
};
etc = dir {
"fw_env.config" =
let f = pkgs.writeText "fw_env.config" ''
/dev/mtd/by-name/u-boot-env 0x0 0x10000 0x10000
'';
in symlink f;
};
};
boot.tftp = {
loadAddress = lim.parseInt "0x1000000";
kernelFormat = "zimage";
compressRoot = true;
};
hardware = let
mac80211 = pkgs.mac80211.override {
drivers = ["ath9k_pci" "ath10k_pci"];
klibBuild = config.system.outputs.kernel.modulesupport;
};
in {
defaultOutput = "mtdimage";
loadAddress = lim.parseInt "0x00800000"; # "0x00008000";
entryPoint = lim.parseInt "0x00800000"; # "0x00008000";
rootDevice = "/dev/mtdblock0";
dts = {
src = "${config.system.outputs.kernel.modulesupport}/arch/arm/boot/dts/armada-385-turris-omnia.dts";
includes = [
"${config.system.outputs.kernel.modulesupport}/arch/arm/boot/dts/"
];
};
flash.eraseBlockSize = 65536; # only used for tftpboot
networkInterfaces =
let
inherit (config.system.service.network) link;
inherit (config.system.service) bridge;
in rec {
en70000 = link.build {
# in armada-38x.dtsi this is eth0.
# It's connected to port 5 of the 88E6176 switch
devpath = "/devices/platform/soc/soc:internal-regs/f1070000.ethernet";
# name is unambiguous but not very semantic
ifname = "en70000";
};
en30000 = link.build {
# in armada-38x.dtsi this is eth1
# It's connected to port 6 of the 88E6176 switch
devpath = "/devices/platform/soc/soc:internal-regs/f1030000.ethernet";
# name is unambiguous but not very semantic
ifname = "en30000";
};
# the default (from the dts? I'm guessing) behavour for
# lan ports on the switch is to attach them to
# en30000. It should be possible to do something better,
# per
# https://www.kernel.org/doc/html/latest/networking/dsa/configuration.html#affinity-of-user-ports-to-cpu-ports
# but apparently OpenWrt doesn't either so maybe it's more
# complicated than it looks
wan = link.build {
# in armada-38x.dtsi this is eth2. It may be connected to
# an ethernet phy or to the SFP cage, depending on a gpio
devpath = "/devices/platform/soc/soc:internal-regs/f1034000.ethernet";
ifname = "wan";
};
lan = link.build {
ifname = "lan1";
};
wlan = link.build {
ifname = "wlan0";
dependencies = [ mac80211 ];
};
wlan5 = link.build {
ifname = "wlan1";
dependencies = [ mac80211 ];
};
};
};
};
};
}

198
doc/admin.rst
View File

@ -1,198 +0,0 @@
System Administration
#####################
Services on a running system
****************************
* add an s6-rc cheatsheet here
Flashing and updating
*********************
Flashing from Liminix
=====================
The flash procedure from an existing Liminix-system has two steps.
First we reboot the device (using "kexec") into an "ephemeral"
RAM-based version of the new configuration, then when we're happy it
works we can flash the image - and if it doesn't work we can reboot
the device again and it will boot from the old image.
Building the RAM-based image
----------------------------
To create the ephemeral image, build ``outputs.kexecboot`` instead of
``outputs.default``. This generates a directory containing the root
filesystem image and kernel, along with an executable called `kexec`
and a `boot.sh` script that runs it with appropriate arguments.
For example
.. code-block:: console
nix-build -I liminix-config=./examples/arhcive.nix \
--arg device "import ./devices/gl-ar750"
-A outputs.kexecboot && \
(tar chf - result | ssh root@the-device tar -C /run -xvf -)
and then login to the device and run
.. code-block:: console
cd /run/result
sh ./boot.sh .
This will load the new kernel and map the root filesystem into a RAM
disk, then start executing the new kernel. *This is effectively a
reboot - be sure to close all open files and finish anything else
you were doing first.*
If the new system crashes or is rebooted, then the device will revert
to the old configuration it finds in flash.
Building the second (permanent) image
-------------------------------------
While running in the kexecboot system, you can build the permanent
image and copy it to the device with :command:`ssh`
.. code-block:: console
build-machine$ nix-build -I liminix-config=./examples/arhcive.nix \
--arg device "import ./devices/gl-ar750"
-A outputs.default && \
(tar chf - result | ssh root@the-device tar -C /run -xvf -)
build-machine$ tar chf - result/firmware.bin | \
ssh root@the-device tar -C /run -xvf -
Next you need to connect to the device and locate the "firmware"
partition, which you can do with a combination of :command:`dmesg`
output and the contents of :file:`/proc/mtd`
.. code-block:: console
<5>[ 0.469841] Creating 4 MTD partitions on "spi0.0":
<5>[ 0.474837] 0x000000000000-0x000000040000 : "u-boot"
<5>[ 0.480796] 0x000000040000-0x000000050000 : "u-boot-env"
<5>[ 0.487056] 0x000000050000-0x000000060000 : "art"
<5>[ 0.492753] 0x000000060000-0x000001000000 : "firmware"
# cat /proc/mtd
dev: size erasesize name
mtd0: 00040000 00001000 "u-boot"
mtd1: 00010000 00001000 "u-boot-env"
mtd2: 00010000 00001000 "art"
mtd3: 00fa0000 00001000 "firmware"
mtd4: 002a0000 00001000 "kernel"
mtd5: 00d00000 00001000 "rootfs"
Now run (in this example)
.. code-block:: console
flashcp -v firmware.bin /dev/mtd3
"I know my new image is good, can I skip the intermediate step?"
----------------------------------------------------------------
In addition to giving you a chance to see if the new image works, this
two-step process ensures that you're not copying the new image over
the top of the active root filesystem. Sometimes it works, but you
will at least need physical access to the device to power-cycle it
because it will be effectively frozen afterwards.
Flashing from the boot monitor
==============================
If you are prepared to open the device and have a TTL serial adaptor
of some kind to connect it to, you can probably use U-Boot and a TFTP
server to download and flash the image. This is quite
hardware-specific, and sometimes involves soldering: please refer
to :ref:`serial`.
Flashing from OpenWrt
=====================
.. CAUTION:: Untested! A previous version of these instructions
(without the -e flag) led to bricking the device
when flashing a jffs2 image. If you are reading
this message, nobody has yet reported on whether the
new instructions are any better.
If your device is running OpenWrt then it probably has the
:command:`mtd` command installed. After transferring the image onto the
device using e.g. :command:`ssh`, you can run it as follows:
.. code-block:: console
mtd -e -r write /tmp/firmware.bin firmware
The options to this command are for "erase before writing" and "reboot
after writing".
For more information, please see the `OpenWrt manual <https://openwrt.org/docs/guide-user/installation/sysupgrade.cli>`_ which may also contain (hardware-dependent) instructions on how to flash an image using the vendor firmware - perhaps even from a web interface.
Updating an installed system (JFFS2)
************************************
Adding packages
===============
If your device is running a JFFS2 root filesystem, you can build
extra packages for it on your build system and copy them to the
device: any package in Nixpkgs or in the Liminix overlay is available
with the ``pkgs`` prefix:
.. code-block:: console
nix-build -I liminix-config=./my-configuration.nix \
--arg device "import ./devices/mydevice" -A pkgs.tcpdump
nix-shell -p min-copy-closure root@the-device result/
Note that this only copies the package to the device: it doesn't update
any profile to add it to ``$PATH``
Rebuilding the system
=====================
:command:`liminix-rebuild` is the Liminix analogue of :command:`nixos-rebuild`, although its operation is a bit different because it expects to run on a build machine and then copy to the host device. Run it with the same ``liminix-config`` and ``device`` parameters as you would run :command:`nix-build`, and it will build any new/changed packages and then copy them to the device using SSH. For example:
.. code-block:: console
liminix-rebuild root@the-device -I liminix-config=./examples/rotuer.nix --arg device "import ./devices/gl-ar750"
This will
* build anything that needs building
* copy new or changed packages to the device
* reboot the device
It doesn't delete old packages automatically: to do that run
:command:`min-collect-garbage`, which will delete any packages not in
the current system closure. Note that Liminix does not have the NixOS
concept of environments or generations, and there is no way back from
this except for building the previous configuration again.
Caveats
-------
* it needs there to be enough free space on the device for all the new
packages in addition to all the packages already on it - which may be
a problem if a lot of things have changed (e.g. a new version of
nixpkgs).
* it cannot upgrade the kernel, only userland

6
doc/adr/README
View File

@ -1,6 +0,0 @@
Architecture Decision Records
#############################
In this directory you will find descriptions of Liminix architecture
decisions.

201
doc/adr/module-system.rst
View File

@ -1,201 +0,0 @@
Module system
#############
**Status:** Adopted; implemented in July-September 2023
Context
*******
Liminix users need a way to assemble a full system configuration by
combining smaller, more isolated and reusable components, otherwise
systems will be unwieldy and copy-and-paste will be rife.
Alternatives
************
NixOS module system
===================
The NixOS module system addresses many of these concerns. A module is
a Nix function which accepts a ``configuration`` attrset and some
other parameters, and returns a new fragment of ``configuration``
which is merged into it. It includes a DSL describing the permitted
types of values for each key in the configuration, which is used for
checking that the supplied parameters are valid and also governs what
to do if two modules both specify a value for the same key. (Usually
they are "merged", using some type-appropriate concept of merging.)
Usually a NixOS module looks only (or mostly only) at a particular
subtree of the overall configuration which is hardcoded in the module
definition, but the configuration fragment it returns may touch any
part of the schema. For example, the factorio module refers to
``config.services.factorio``, and it returns values for keys in
``systemd.services.factorio`` and ``networking.firewall``. There is no
way to use this module to run **two** factorio services with different
config (e.g. on different ports) - the only way to make that
possible would be to extend the module definition so that it
accepts a collection of game configurations and then create
a systemd service for each.
NixWRT module system
====================
NixWRT, the (now defunct) predecessor of Liminix, used a homegrown
module system modelled on the Nixpkgs overlay pattern. Each module is
a function that accepts ``super`` and ``self`` parameters, and
using <handwaves>that fixpoint magic thing</handwaves>
is called in a chain with the configuration returned by the previous
module and the final configuration.
NixWRT modules mostly don't refer to the configuration object to
decide how to configure themselves, but accept their parameters
directly as function parameters. For example, the configuration
file for "arhcive" (a backup server) includes this text:
.. code-block:: nix
(sshd {
hostkey = secrets.sshHostKey;
authkeys = { root = lib.splitString "\n" secrets.myKeys; };
})
busybox
(usbdisk {
label = "backup-disk";
mountpoint = "/srv";
fstype = "ext4";
options = "rw";
})
This gives us flexibility that NixOS modules don't: for example, if we
want to mount two USB disks, we can simply repeat that module twice
with different parameters - and the module definition doesn't have to
handle it specially.
However, the downside of this system is that we didn't implement any
concept of "types" - there is no type information, so there is no
systematic checking that parameters are valid, and if two modules set
the same config key then the rules for merging are entirely ad hoc.
There is a further (arguable) downside, which is that the
configuration is not just data - it's now part code. While it could be
feasible (though I've never seen it done) to encode a NixOS
configuration using Yaml or XML and then manipulate it as data, this
is not even possible using the NixWRT system.
Use services for everything
===========================
The most common properties that a Liminix configuration needs to
define are:
* which services (processes) to run
* what packages to install
* permitted users and groups
* Linux kernel configuration options
* Busybox applets
* filesystem layout
Suppose we only had services?
A Liminix service is (also) a derivation, so it is able to
create any files it likes inside its own store path, and
transitively require other packages simply by referring to them.
If it needs particular kernel options it could define them
as kernel modules to be loaded on demand when the service
starts (see the nftables module for an example). However:
* there is no way for a service to add busybox modules
* it cannot create files outside of its store path, so
wouldn't be able to make e.g. :file:`/etc/something.conf`
* no way to create users/groups. We could steal the DynamicUsers idea
from systemd and make them on demand, but this starts to get a bit
more complicated.
These limitations force us to reject this option as a general
solution - though we should strive *where possible* to implement
functionality as services and to minimise the proportion of Liminix
that manipulates the global configuration.
Decision
********
"Why not both?" None of these options is sufficient alone, so we are
going to do a mixture.
We will use the NixOS module system, but instead of expecting modules
to create systemd services as instances, they will expose "service
templates": functions that accept an attrset and return an
appropriately configured service that can be assigned by the caller
to a key in ``config.services``.
We will typecheck the service template function parameters using the
same type-checking code as NixOS uses for its modules.
An example may make this clearer: to add an NTP
service you first add :file:`modules/ntp` to your ``imports`` list,
then you create a service by calling
:code:`config.system.service.ntp.build { .... }` with the appropriate
service-dependent configuration parameters.
.. code-block:: nix
let svc = config.system.service;
in {
# ...
imports = [
./modules/ntp
# ....
];
config.services.ntp = svc.ntp.build {
pools = { "pool.ntp.org" = ["iburst"]; };
makestep = { threshold = 1.0; limit = 3; };
};
Merely including the module won't define the service on its own: it
only creates the template in ``config.system.service.foo`` and you
have to create the actual service using the template.
Consequences
************
This decision has both good and bad consequences
Pro
===
* We have a workable system for reusing configuration elements in
Liminix.
* We have type checking for most imortant things, reducing the risk of
deploying an invalid configuration.
* We have a simple mechanism for creating multiple services based on
the same module, without buulding that logic into the module
definition itself. For example, we could create two SSH daemons on
different ports, or DHCP clients with different configurations on
different network devices.
* We expect to be able to automate the generation of module
documentation.
Con
===
* By departing somewhat from the NixOS conventions we increase the
amount of code we have to write/maintain ourselves - and the
learning burden on users who are already familiar with that system.
* Liminix configurations contain function calls and aren't just data,
which means we can ony realistically interpret or introspect
them with the Nix interpreter itself - we can't query them
as data with other non-Nix tools.

13
doc/conf.py
View File

@ -13,10 +13,7 @@ author = 'Daniel Barlow'
# -- General configuration ---------------------------------------------------
# https://www.sphinx-doc.org/en/master/usage/configuration.html#general-configuration
extensions = [
'sphinx.ext.autosectionlabel'
]
autosectionlabel_prefix_document = True
extensions = []
templates_path = ['_templates']
exclude_patterns = ['_build', 'Thumbs.db', '.DS_Store']
@ -28,11 +25,3 @@ exclude_patterns = ['_build', 'Thumbs.db', '.DS_Store']
html_theme = 'alabaster'
html_static_path = ['_static']
html_theme_options = {
'logo': '/logo.svg',
'globaltoc_collapse': 'false',
'page_width': '90%',
'body_max_width': '90%',
'description': 'A Nix-based OpenWrt-style embedded Linux system for consumer wifi routers'
}

259
doc/configuration.rst
View File

@ -1,259 +0,0 @@
Configuration
#############
Liminix uses the Nix language to provide congruent configuration
management. This means that to change anything about the way in
which a Liminix system works, you make that change in
your :file:`configuration.nix` (or one of the other files it references),
and rerun :command:`nix-build` or :command:`liminix-rebuild` to action
the change. It is not possible (at least, without shenanigans) to make
changes by logging into the device and running imperative commands
whose effects may later be overridden: :file:`configuration.nix`
always describes the entire system and can be used to recreate that
system at any time. You can usefully keep it under version control.
If you are familiar with NixOS, you will notice some similarities
between NixOS and Liminix configuration, and also some
differences. Sometimes the differences are due to the
resource-constrained devices we deploy onto, sometimes due to
differences in the uses these devices are put to.
Configuration taxonomy
**********************
There are many things you can specify in a configuration, but these
are the ones you most commonly need to change:
* which services (processes) to run
* what packages to install
* permitted users and groups
* Linux kernel configuration options
* Busybox applets
* filesystem layout
Modules
*******
**Modules** are a means of abstraction which allow "bundling"
of configuration options related to a common purpose or theme. For
example, the ``dnsmasq`` module defines a template for a dnsmasq
service, ensures that the dnsmasq package is installed, and provides a
dnsmasq user and group for the service to run as. The ``ppp`` module
defines a service template and also enables various PPP-related kernel
configuration.
Not all modules are included in the configuration by default, because
that would mean that the kernel (and the Busybox binary providing
common CLI tools) was compiled with many unnecessary bells and whistles
and therefore be bigger than needed. (This is not purely an academic concern
if your device has little flash storage). Therefore, specifying a
service is usually a two-step process. For example, to add an NTP
service you first add :file:`modules/ntp` to your ``imports`` list,
then you create a service by calling
:code:`config.system.service.ntp.build { .... }` with the appropriate
service-dependent configuration parameters.
.. code-block:: nix
let svc = config.system.service;
in {
# ...
imports = [
./modules/ntp
# ....
];
config.services.ntp = svc.ntp.build {
pools = { "pool.ntp.org" = ["iburst"]; };
makestep = { threshold = 1.0; limit = 3; };
};
Merely including the module won't define the service on its own: it
only creates the template in ``config.system.service.foo`` and you
have to create an actual service using the template. This is an
intentional choice to allow the creation of multiple
differently-configured services based on the same template - perhaps
e.g. when you have multiple networks (VPNs etc) in different trust
domains, or you want to run two SSH daemons on different ports.
(For the background to this, please refer to the :doc:`architecture decision record <adr/module-system>`)
.. tip:: Liminix modules should be quite familiar (but also different)
if you already know how to use NixOS modules. We use the
NixOS module infrastructure code, meaning that you should
recognise the syntax, the type system, the rules for
combining configuration values from different sources. We
don't use the NixOS modules themselves, because the
underlying system is not similar enough for them to work.
Services
********
We use the `s6-rc service manager <https://www.skarnet.org/software/s6-rc/overview.html>`_ to start/stop/restart services and handle
service dependencies. Any attribute in `config.services` will become
part of the default set of services that s6-rc will try to bring up on
boot.
For the most part, for common use cases, hopefully the services you
need will be defined by modules and you will only have to pass the
right parameters to ``build``.
Should you need to create a custom service of your own devising, use
the `oneshot` or `longrun` functions:
* a "longrun" service is the "normal" service concept: it has a
``run`` action which describes the process to start, and it watches
that process to restart it if it exits. The process should not
attempt to daemonize or "background" itself, otherwise s6-rc will think
it died. Whatever it prints to standard output/standard error
will be logged.
.. code-block:: nix
config.services.cowsayd = pkgs.liminix.services.longrun {
name = "cowsayd";
run = "${pkgs.cowsayd}/bin/cowsayd --port 3001 --breed hereford";
# don't start this until the lan interface is ready
dependencies = [ config.services.lan ];
}
* a "oneshot" service doesn't have a process attached. It consists of
``up`` and ``down`` actions which are bits of shell script that
are run at the appropriate points in the service lifecycle
.. code-block:: nix
config.services.greenled = pkgs.liminix.services.oneshot {
name = "greenled";
up = ''
echo 17 > /sys/class/gpio/export
echo out > /sys/class/gpio/gpio17/direction
echo 0 > /sys/class/gpio/gpio17/value
'';
down = ''
echo 0 > /sys/class/gpio/gpio17/value
'';
}
Services may have dependencies: as you see above in the ``cowsayd``
example, it depends on some service called ``config.services.lan``,
meaning that it won't be started until that other service is up.
..
TODO: explain service outputs
..
TODO: outputs that change, and services that poll other services
Module implementation
*********************
Modules in Liminix conventionally live in
:file:`modules/somename/default.nix`. If you want or need to
write your own, you may wish to refer to the
examples there in conjunction with reading this section.
A module is a function that accepts ``{lib, pkgs, config, ... }`` and
returns an attrset with keys ``imports, options config``.
* ``imports`` is a list of paths to the other modules required by this one
* ``options`` is a nested set of option declarations
* ``config`` is a nested set of option definitions
The NixOS manual section `Writing NixOS Modules
<https://nixos.org/manual/nixos/stable/#sec-writing-modules>`_ is a
quite comprehensive reference to writing NixOS modules, which is also
mostly applicable to Liminix except that it doesn't cover
service templates.
Service templates
=================
To expose a service template in a module, it needs the following:
* an option declaration for ``system.service.myservicename`` with the
type of ``liminix.lib.types.serviceDefn``
.. code-block:: nix
options = {
system.service.cowsay = mkOption {
type = liminix.lib.types.serviceDefn;
};
};
* an option definition for the same key, which specifies where to
import the service template from (often :file:`./service.nix`)
and the types of its parameters.
.. code-block:: nix
config.system.service.cowsay = liminix.callService ./service.nix {
address = mkOption {
type = types.str;
default = "0.0.0.0";
description = "Listen on specified address";
example = "127.0.0.1";
};
port = mkOption {
type = types.port;
default = 22;
description = "Listen on specified TCP port";
};
breed = mkOption {
type = types.str;
default = "British Friesian"
description = "Breed of the cow";
};
};
Then you need to provide the service template itself, probably in
:file:`./service.nix`:
.. code-block:: nix
{
# any nixpkgs package can be named here
liminix
, cowsayd
, serviceFns
, lib
}:
# these are the parameters declared in the callService invocation
{ address, port, breed} :
let
inherit (liminix.services) longrun;
inherit (lib.strings) escapeShellArg;
in longrun {
name = "cowsayd";
run = "${cowsayd}/bin/cowsayd --address ${address} --port ${builtins.toString port} --breed ${escapeShellArg breed}";
}
.. tip::
Not relevant to module-based services specifically, but a common
gotcha when specifiying services is forgetting to transform "rich"
parameter values into text when composing a command for the shell
to execute. Note here that the port number, an integer, is
stringified with ``toString``, and the name of the breed,
which may contain spaces, is
escaped with ``escapeShellArg``
Types
=====
All of the NixOS module types are available in Liminix. These
Liminix-specific types also exist in ``pkgs.liminix.lib.types``:
* ``service``: an s6-rc service
* ``interface``: an s6-rc service which specifies a network
interface
* ``serviceDefn``: a service "template" definition
In the future it is likely that we will extend this to include other
useful types in the networking domain: for example; IP address,
network prefix or netmask, protocol family and others as we find them.

101
doc/development.rst → doc/developer.rst
View File

@ -1,14 +1,14 @@
Development
###########
Developer Manual
################
As a developer working on Liminix, or implementing a service or
module, you probably want to test your changes more conveniently
than by building and flashing a new image every time. This section
than by building and flashing a new image every time. This manual
documents various affordances for iteration and experiments.
In general, packages and tools that run on the "build" machine are
available in the ``buildEnv`` derivation and can most easily
be added to your environment by running :command:`nix-shell`.
be added to your environment by running :command:`nix-shell`
@ -27,18 +27,19 @@ To build it,
nix-build -I liminix-config=path/to/your/configuration.nix --arg device "import ./devices/qemu" -A outputs.default
This creates a :file:`result/` directory containing a :file:`vmlinux`
and a :file:`rootfs`, and also a shell script :file:`run.sh` which
invokes QEMU to run that kernel with that filesystem. It connects the Liminix
In a ``buildEnv`` nix-shell, you can use the :command:`mips-vm` command
to run Qemu with appropriate options. It connects the Liminix
serial console and the `QEMU monitor <https://www.qemu.org/docs/master/system/monitor.html>`_ to stdin/stdout. Use ^P (not ^A) to switch to the monitor.
.. code-block:: console
nix-shell --run "mips-vm result/vmlinux result/squashfs"
If you run with ``--background /path/to/some/directory`` as the first
parameter, it will fork into the background and open Unix sockets in
that directory for console and monitor. Use :command:`nix-shell --run
connect-vm` to connect to either of these sockets, and ^O to
disconnect.
.. _qemu-networking:
that directory for console and monitor. Use :command:`connect-vm`
(also in the ``buildEnv`` environment) to connect to either of these
sockets, and ^O to disconnect.
Networking
==========
@ -52,11 +53,9 @@ the right way:
* multicast 230.0.0.1:1235 : lan
* multicast 230.0.0.1:1236 : world (the internet)
Any VM started by a :command:`run.sh` script is connected to "lan" and
"access", and the emulated border network gateway (see below) runs
PPPoE and is connected to "access" and "world".
.. _border-network-gateway:
A VM started with :command:`mips-vm` is connected to "lan" and "access", and
the emulated border network gateway (see below) runs PPPoE and is
connected to "access" and "world".
Border Network Gateway
----------------------
@ -88,70 +87,6 @@ time with configurations for RP-PPPoE and/or Accel PPP.`
Hardware devices
****************
.. _serial:
U-Boot and serial shenanigans
=============================
Every device that we have so far encountered in Liminix uses `U-Boot,
the "Universal Boot Loader" <https://docs.u-boot.org/en/latest/>`_ so
it's worth knowing a bit about it. "Universal" is in this context a
bit of a misnomer, though: encountering *mainline* U-Boot is very rare
and often you'll find it is a fork from some version last updated
in 2008. Upgrading U-Boot is more or less complicated depending on the
device and is outside scope for Liminix.
To speak to U-Boot on your device you'll usually need a serial
connection to it. This is device-specific. Usually it involves
opening the box, locating the serial header pins (TX, RX and GND) and
connecting a USB TTL converter to them.
The Rolls Royce of USB/UART cables is the `FTDI cable
<https://cpc.farnell.com/ftdi/ttl-232r-rpi/cable-debug-ttl-232-usb-rpi/dp/SC12825?st=usb%20to%20uart%20cable>`_,
but there are cheaper alternatives based on the PL2303 and CP2102 chipsets. Or
get creative and use the `UART GPIO pins <https://pinout.xyz/>`_ on a Raspberry Pi. Whatever you do, make sure
that the voltages are compatible: if your device is 3.3V (this is
typical but not universal), you don't want to be sending it 5v or
(even worse) 12v.
Run a terminal emulator such as Minicom on the computer at other end
of the link. 115200 8N1 is the typical speed.
.. NOTE::
TTL serial connections typically have no form of flow control and
so don't always like having massive chunks of text pasted into
them - and U-Boot may drop characters while it's busy. So don't
necessarily expect to copy-paste large chunks of text into the
terminal emulator and have it work just like that.
If using Minicom, you may find it helps to bring up the "Termimal
settings" dialog (C^A T), then configure "Newline tx delay" to
some small but non-zero value.
When you turn the router on you should be greeted with some messages
from U-Boot, followed by the instruction to hit some key to stop
autoboot. Do this and you will get to the prompt. If you didn't see
anything, the strong likelihood is that TX and RX are the wrong way
around. If you see garbage, try a different speed.
Interesting commands to try first in U-Boot are :command:`help` and
:command:`printenv`.
To do anything useful with U-Boot you will probably need a way to get
large binary files onto the device, and the usual way to do this is by
adding a network connection and using TFTP to download them. It's
quite common that the device's U-Boot doesn't speak DHCP so it will
need a static LAN address. You might also want to keep it away from
your "real" LAN: see :ref:`bng` for some potentially useful tooling
to use it on an isolated network.
TFTP
====
.. _tftp server:
How you get your image onto hardware will vary according to the
device, but is likely to involve taking it apart to add wires to
serial console pads/headers, then using U-Boot to fetch images over
@ -180,7 +115,7 @@ Now add the device and server IP addresses to your configuration:
};
and then build the derivation for ``outputs.default`` or
``outputs.mtdimage`` (for which it will be an alias on any device
``outputs.flashimage`` (for which it will be an alias on any device
where this is applicable). You should find it has created
* :file:`result/firmware.bin` which is the file you are going to flash
@ -213,8 +148,6 @@ U-Boot to transfer the kernel and filesystem over TFTP and boot the
kernel from RAM.
.. _bng:
Networking
==========

51
doc/etc.rst Normal file
View File

@ -0,0 +1,51 @@
The Future
##########
What about NixWRT?
This is an in-progress rewrite of NixWRT, incorporating Lessons
Learned. That said, as of today it is not yet at feature parity.
Liminix will eventually provide these differentiators over NixWRT:
* a writable filesystem so that software updates or reconfiguration
(e.g. changing passwords) don't require taking the device offline to
reflash it.
* more flexible service management with dependencies, to allow
configurations such as "route through PPPoE if it is healthy, with
fallback to LTE"
* a spec for valid configuration options (a la NixOS module options)
to that we can detect errors at evaluation time instead of producing
a bad image.
* a network-based mechanism for secrets management so that changes can
be pushed from a central location to several Liminix devices at once
* send device metrics and logs to a monitoring/alerting/o11y
infrastructure
Today though, it does approximately none of these things and certainly
not on real hardware.
Articles of interest
####################
* `Build Safety of Software in 28 Popular Home Routers <https://cyber-itl.org/assets/papers/2018/build_safety_of_software_in_28_popular_home_routers.pdf>`_: "of the access
points and routers we reviewed, not a single one took full
advantage of the basic application armoring features provided by
the operating system. Indeed, only one or two models even came
close, and no brand did well consistently across all models tested"
* `A PPPoE Implementation for Linux <https://static.usenix.org/publications/library/proceedings/als00/2000papers/papers/full_papers/skoll/skoll_html/index.html>`_:
"Many DSL service providers use PPPoE for residential broadband
Internet access. This paper briefly describes the PPPoE protocol,
presents strategies for implementing it under Linux and describes in
detail a user-space implementation of a PPPoE client."
* `PPP IPV6CP vs DHCPv6 at AAISP <https://www.revk.uk/2011/01/ppp-ipv6cp-vs-dhcpv6.html>`_
* `Creating a Home IPv6 Network (James Bottomley) <https://blog.hansenpartnership.com/creating-a-home-ipv6-network/>`_

42
doc/extract-options.nix
View File

@ -1,10 +1,30 @@
{ eval, lib, pkgs }:
let
overlay = import ../overlay.nix;
pkgs = import <nixpkgs> ( {
overlays = [overlay];
config = {
allowUnsupportedSystem = true; # mipsel
permittedInsecurePackages = [
"python-2.7.18.6" # kernel backports needs python <3
];
};
});
inherit (pkgs) lib;
inherit (lib) types;
modulenames =
builtins.attrNames
(lib.filterAttrsRecursive
(n: t:
(t=="directory") ||
((t=="regular") && ((builtins.match ".*\\.nix$" n) != null)))
(builtins.readDir ../modules));
modulefiles = builtins.map (n: builtins.toPath "${../modules}/${n}") modulenames;
eval = (lib.evalModules {
modules = [
{ _module.args = { inherit pkgs; lib = pkgs.lib; }; }
] ++ modulefiles;
});
conf = eval.config;
rootDir = builtins.toPath ./..;
stripAnyPrefixes = lib.flip (lib.fold lib.removePrefix)
["${rootDir}/"];
optToDoc = name: opt : {
inherit name;
description = opt.description or null;
@ -21,12 +41,16 @@ let
then
let sd = lib.attrByPath item.loc ["not found"] conf;
in item // {
declarations = map stripAnyPrefixes item.declarations;
parameters =
let x = lib.mapAttrsToList optToDoc sd.parameters; in x;
}
else
item // { declarations = map stripAnyPrefixes item.declarations; };
in
builtins.map spliceServiceDefn
(pkgs.lib.optionAttrSetToDocList eval.options)
item;
o = builtins.map spliceServiceDefn
(pkgs.lib.optionAttrSetToDocList eval.options);
in {
doc = pkgs.writeText "options.yaml" ''
# ${./..}
${builtins.toJSON o}
'';
}

29
doc/hardware.nix
View File

@ -1,29 +0,0 @@
with import <nixpkgs> {} ;
let
inherit (builtins) stringLength readDir filter;
devices = filter (n: n != "families")
(lib.mapAttrsToList (n: t: n) (readDir ../devices));
texts = map (n:
let d = import ../devices/${n}/default.nix;
d' = {
description = "${n}\n${substring 0 (stringLength n) "********************************"}\n";
} // d;
installer =
if d ? description && d ? installer
then ''
The default installation route for this device is
:ref:`system-outputs-${d.installer}`
''
else "";
in d'.description)
devices;
in
writeText "hwdoc" ''
Supported hardware
##################
${lib.concatStringsSep "\n\n" texts}
''

10
doc/index.rst
View File

@ -6,13 +6,9 @@ Liminix
:caption: Contents:
intro
tutorial
configuration
admin
development
modules
hardware
outputs
user
developer
etc
Indices and tables

4
doc/modules.rst
View File

@ -1,4 +0,0 @@
Module options
##############
.. include:: modules-generated.rst

13
doc/outputs.rst
View File

@ -1,13 +0,0 @@
Outputs
#######
Liminix *outputs* are artefacts that can be installed somehow on a
target device, or "installers" which run on the target device to
perform the installation.
There are different outputs because different target devices need
different artefacts, or have different ways to get that artefact
installed. The options available for a particular device are described in
the section for that device.
.. include:: outputs-generated.rst

19
doc/parse-options-outputs.fnl
View File

@ -1,19 +0,0 @@
(local yaml (require :lyaml))
;; (local { : view } (require :fennel))
(fn output? [option]
(match option.loc
["system" "outputs" & _] true
_ false))
(fn sorted-options [options]
(table.sort
options
(fn [a b] (< a.name b.name)))
options)
(each [_ option (ipairs (sorted-options (yaml.load (io.read "*a"))))]
(when (and (output? option) (not option.internal))
(print (.. ".. _" (string.gsub option.name "%." "-") ":") "\n")
(print option.description)))

28
doc/parse-options.fnl
View File

@ -2,25 +2,21 @@
(local { : view } (require :fennel))
(fn basename [str ext]
(-> str
(string.gsub "(.*/)(.*)" "%2")
(string.gsub (.. ext "$") "")))
(fn headline [name]
(let [title (assert (basename name ".nix"))
len (title:len)]
(.. title "\n" (string.rep "=" len))))
(let [(_ _ basename) (string.find name ".*/([^/].*).nix")
len (basename:len)]
(.. basename "\n" (string.rep "=" len))))
(fn read-preamble [pathname]
(let [pathname (if (string.match pathname ".nix$")
pathname
(.. pathname "/default.nix"))]
(with-open [f (assert (io.open pathname :r))]
(accumulate [lines nil
l (f:lines)
:until (not (= (string.sub l 1 2) "##"))]
(.. (or lines "") (string.gsub l "^## *" "") "\n")))))
(if (= (pathname:sub 1 1) "/")
(let [pathname (if (string.match pathname ".nix$")
pathname
(.. pathname "/default.nix"))]
(with-open [f (assert (io.open pathname :r))]
(accumulate [lines nil
l (f:lines)
:until (not (= (string.sub l 1 2) "##"))]
(.. (or lines "") (string.gsub l "^## *" "") "\n"))))))
(fn relative-pathname [pathname]
(let [pathname

322
doc/tutorial.rst
View File

@ -1,322 +0,0 @@
Tutorial
########
Liminix is very configurable, which can make it initially quite
daunting - especially if you're learning Nix or Linux or networking
concepts at the same time. In this section we build some "worked
example" Liminix images to introduce the concepts. If you follow the
examples exactly, they should work. If you change things as you go
along, they may work differently or not at all, but the experience
should be educational either way.
Requirements
************
You will need a reasonably powerful computer running Nix. Target
devices for Liminix are unlikely to have the CPU power and disk space
to be able to build it in situ, so the build process is based around
"cross-compilation" from another computer. The build machine can be
any reasonably powerful desktop/laptop/server PC running NixOS.
Standalone Nixpkgs installations on other Linux distributions - or on
MacOS, or even in a Docker container - also ought to work but are
untested.
Running in Qemu
***************
You can try out Liminix without even having a router to play with.
Clone the Liminix git repository and change into its directory
.. code-block:: console
git clone https://gti.telent.net/dan/liminix
cd liminix
Now build Liminix
.. code-block:: console
nix-build -I liminix-config=./examples/hello-from-qemu.nix \
--arg device "import ./devices/qemu" -A outputs.default
In this command ``liminix-config`` points to the desired software
configuration (e.g. services, users, filesystem, secrets) and
``device`` describes the hardware (or emulated hardware) to run it on.
``outputs.default`` tells Liminix that we want the default image
output for flashing to the device: for the Qemu "hardware" it's an
alias for ``outputs.vmbuild``, which creates a directory containing a
root filesystem image and a kernel.
.. tip:: The first time you run this it may take several hours,
because it builds all of the dependencies including a full
MIPS gcc and library toolchain. Once those intermediate build
products are in the nix store, subsequent builds will be much
faster - practically instant, if nothing has changed.
Now you can try it:
.. code-block:: console
./result/run.sh
This starts the Qemu emulator with a bunch of useful options, to run
the Liminix configuration you just built. It connects the emulated
device's serial console and the `QEMU monitor
<https://www.qemu.org/docs/master/system/monitor.html>`_ to
stdin/stdout.
You should now see Linux boot messages and after a few seconds be
presented with a root shell prompt. You can run commands to look at
the filesystem, see what processes are running, view log messages (in
:file:/run/uncaught-logs.current), etc. To kill the emulator, press ^P
(Control P) then c to enter the "QEMU Monitor", then type ``quit`` at
the ``(qemu)`` prompt.
To see that it's running network services we need to connect to its
emulated network. Start the machine again, if you had stopped it, and
open up a second terminal on your build machine. We're going to run
another virtual machine attached to the virtual network, which will
request an IP address from our Liminix system and give you a shell you
can run ssh from.
We use `System Rescue <https://www.system-rescue.org/>`_ in tty
mode (no graphical output) for this example, but if you have some
other favourite Linux Live CD ISO - or, for that matter, any other OS
image that QEMU can boot - adjust the command to suit.
Download the System Rescue ISO:
.. code-block:: console
curl https://fastly-cdn.system-rescue.org/releases/10.01/systemrescue-10.01-amd64.iso -O
and run it
.. code-block:: console
nix-shell -p qemu --run " \
qemu-system-x86_64 \
-echr 16 \
-m 1024 \
-cdrom systemrescue-10.01-amd64.iso \
-netdev socket,mcast=230.0.0.1:1235,localaddr=127.0.0.1,id=lan \
-device virtio-net,disable-legacy=on,disable-modern=off,netdev=lan,mac=ba:ad:3d:ea:21:01 \
-display none -serial mon:stdio"
System Rescue displays a boot menu at which you should select the
"serial console" option, then after a few moments it boots to a root
prompt. You can now try things out:
* run :command:`ip a` and see that it's been allocated an IP address in the range 10.3.0.0/16.
* run :command:`ping 10.3.0.1` to see that the Liminix VM responds
* run :command:`ssh root@10.3.0.1` to try logging into it.
Congratulations! You have installed your first Liminix system - albeit
it has no practical use and it's not even real. The next step is to try
running it on hardware.
Installing on hardware
**********************
For the next example, we're going to install onto an actual hardware
device. These steps have been tested using a GL.iNet GL-MT300A, which
has been chosen for the purpose because it's cheap and easy to
unbrick if necessary.
.. warning:: There is always a risk of rendering your device
unbootable by flashing it with an image that doesn't
work. The GL-MT300A has a builtin "debrick" procedure in
the boot monitor and is also comparatively simple to
attach serial cables to (soldering not required), so it
is lower-risk than some devices. Using some other
Liminix-supported MIPS hardware device also *ought* to
work here, but you accept the slightly greater bricking
risk if it doesn't.
You may want to read and inwardly digest the Develoment Manual section
:ref:`serial` when you start working with Liminix on real hardware. You
won't *need* serial access for this example, assuming it works, but it
allows you
to see the boot monitor and kernel messages, and to login directly to
the device if for some reason it doesn't bring its network up.
Now we can build Liminix. Although we could use the same example
configuration as we did for Qemu, you might not want to plug a DHCP
server into your working LAN because it will compete with the real
DHCP service. So we're going to use a different configuration with a
DHCP client: this is :file:`examples/hello-from-mt300.nix`
It's instructive to compare the two configurations:
.. code-block:: console
diff -u examples/hello-from-qemu.nix examples/hello-from-mt300.nix
You'll see a new ``boot.tftp`` stanza which you can ignore,
``services.dns`` has been removed, and the static IP address allocation
has been replaced by a ``dhcp.client`` service.
.. code-block:: console
nix-build -I liminix-config=./examples/hello-from-mt300.nix \
--arg device "import ./devices/gl-mt300a" -A outputs.default
.. tip:: The first time you run this it may take several hours.
Again? Yes, even if you ran the previous example. Qemu is
set up as a big-endian system whereas the MediaTek SoC
on this device is little-endian - so it requires building
all of the dependencies including an entirely different
MIPS gcc and library toolchain to the other one.
This time in :file:`result/` you will see a bunch of files. Most of
them you can ignore for the moment, but :file:`result/firmware.bin` is
the firmware image you can flash.
Flashing
========
Again, there are a number of different ways you could do this: using
TFTP with a serial cable, through the stock firmware's web UI, or
using the `vendor's "debrick" process
<https://docs.gl-inet.com/router/en/3/tutorials/debrick/>`_. The last
of these options has a lot to recommend it for a first attempt:
* it works no matter what firmware is currently installed
* it doesn't require plugging a router into the same network as your
build system and potentially messing up your actual upstream
* no need to open the device and add cables
You can read detailed instructions on the vendor site, but the short version is:
1. turn the device off
2. connect it by ethernet cable to a computer
3. configure the computer to have static ip address 192.168.1.10
4. while holding down the Reset button, turn the device on
5. after about five seconds you can release the Reset button
6. visit http://192.168.1.1/ using a web browser on the connected computer
7. click on "Browse" and choose :file:`result/firmware.bin`
8. click on "Update firmware"
9. wait a minute or so while it updates.
There's no feedback from the web interface when the flashing is
finished, but what should happen is that the router reboots and
starts running Liminix. Now you need to figure out what address it got
from DHCP - e.g. by checking the DHCP server logs, or maybe by pinging
``hello.lan`` or something. Once you've found it on the
network you can ping it and ssh to it just like you did the Qemu
example, but this time for real.
.. warning:: Do not leave the default root password in place on any
device exposed to the internet! Although it has no
writable storage and no default route, a motivated attacker
with some imagination could probably still do something
awful using it.
Congratulations Part II! You have installed your first Liminix system on actual hardware - albeit that it *still* has no practical use.
Exercise for the reader: change the default password by editing
:file:`examples/hello-from-mt300.nix`, and then create and upload a
new image that has it set to something less hopeless.
Routing
*******
The third example :file:`examples/demo.nix` is a fully-functional home
"WiFi router" - although you will have to edit it a bit before it will
actually work for you. Copy :file:`examples/demo.nix` to
:file:`my-router.nix` (or other name of your choice) and open it in
your favourite text editor. Everywhere that the text :code:`EDIT`
appears is either a place you probably want to change or a place you
almost certainly need to change.
There's a lot going on in this configuration:
* it provides a wireless access point using the :code:`hostapd`
service: in this stanza you can change the ssid, the channel,
the passphrase etc.
* the wireless lan and wired lan are bridged together with the
:code:`bridge` service, so that your wired and wireless clients appear
to be on the same network.
.. tip:: If you were using a hardware device that provides both 2.4GHz
and 5GHz wifi, you'd probably find that it has two wireless
devices (often called wlan0 and wlan1). In Liminix we handle
this by running two :code:`hostapd` services, and adding
both of them to the network bridge along with the wired lan.
(You can see an example in :file:`examples/rotuer.nix`)
* we use the combination DNS and DHCP daemon provided by the
:code:`dnsmasq` service, which you can configure
* the upstream network is "PPP over Ethernet", provided by the
:code:`pppoe` service. Assuming that your ISP uses this standard,
they will have provided you with a PPP username and password
(sometimes this will be listed as "PAP" or "CHAP") which you can edit
into the configuration
* this example supports the new [#ipv6]_ Internet Protocol v6
as well as traditional IPv4. Configuring IPv6 seems to
vary from one ISP to the next: this example expects them
to be providing IP address allocation and "prefix delegation"
using DHCP6.
Build it using the same method as the previous example
.. code-block:: console
nix-build -I liminix-config=./my-router.nix \
--arg device "import ./devices/gl-mt300a" -A outputs.default
and then you can flash it to the device.
Bonus: in-place updates
=======================
This configuration uses a writable filesystem (see the line
:code:`rootfsType = "jffs2"`), which means that once you've flashed it
for the first time, you can make further updates over SSH onto the
running router. To try this, make a small change (I'd suggest changing
the hostname) and then run
.. code-block:: console
nix-shell --run "liminix-rebuild root@address-of-the-device -I liminix-config=./my-router.nix --arg device "import ./devices/gl-ar750""
(This requires the device to be network-accessible from your build
machine, which for a test/demo system might involve a second network
device in your build system - USB ethernet adapters are cheap - or
a bit of messing around unplugging cables.)
For more information about :code:`liminix-rebuild`, see the manual section :ref:`admin:Rebuilding the system`.
Final thoughts
**************
* These are demonstration configs for pedagogical purposes. If you'd
like to see some more realistic uses of Liminix,
:file:`examples/rotuer,arhcive,extneder.nix` are based on some
actual real hosts in my home network.
* The technique used here for flashing was chosen mostly because it
doesn't need much infrastructure/tooling, but it is a bit of a faff
(requires physical access, vendor specific). There are slicker ways
to do it that need a bit more setup - we'll talk about that later as
well.
.. rubric:: Footnotes
.. [#ipv6] `RFC1883 Internet Protocol, Version 6 <https://datatracker.ietf.org/doc/html/rfc1883>`_ was published in 1995, so only "new" when Bill Clinton was US President

347
doc/user.rst Normal file
View File

@ -0,0 +1,347 @@
User Manual
###########
This manual is an early work in progress, not least because Liminix is
not yet really ready for users who are not also developers. Your
feedback to improve it is very welcome.
Installation
************
The Liminix installation process is not quite like installing NixOS on
a real computer, but some NixOS experience will nevertheless be
helpful in understanding it. The steps are as follows:
* Decide whether you want the device to be updatable in-place (there
are advantages and disadvantages), or if you are happy to generate
and flash a new image whenever changes are required.
* Create a :file:`configuration.nix` describing the system you want
* Build an image
* Flash it to the device
Supported devices
=================
For a list of devices that Liminix (present or previous versions)
has run on, refer to `devices/ in the source repo <https://gti.telent.net/dan/liminix/src/branch/main/devices>`_. For devices that _currently_ build,
cross-reference it with `the CI status <https://build.liminix.org/jobset/liminix/build#tabs-jobs>`_. Everything that builds is (usually) expected
to run, so if you end up with an image that builds but doesn't
boot, please report it as a bug.
As of June 2023 the device list is a little thin. Adding devices based
on the Atheros or Mediatek (Ralink) platform should be quite
straightforward if you have some C/Linux kernel experience and are
prepared to open it up and attach serial wires: please refer to the
Developer Manual.
Choosing a flavour (read-only or updatable)
===========================================
Liminix installations come in two "flavours"- read-only or in-place
updatable:
* a read-only installation can't be updated once it is flashed to your
device, and so must be reinstalled in its entirety every time you
want to change it. It uses the ``squashfs`` filesystem which has
very good compression ratios and so you can pack quite a lot of
useful stuff onto your device. This is good if you don't expect
to change it often.
* an updatable installation has a writable filesystem so that you can
update configuration, upgrade packages and install new packages over
the network after installation. This uses the `jffs2
<http://www.linux-mtd.infradead.org/doc/jffs2.html>`_ filesystem:
although it does compress the data, the need to support writes means
that it can't pack quite as small as squashfs, so you will not have
as much space to play with.
Updatability caveats
~~~~~~~~~~~~~~~~~~~~
At the time of writing this manual the read-only squashfs support is
much more mature. Consider also that it may not be possible to perform
"larger" updates in-place even if you do opt for updatability. If you
have (for example) an 11MB system on a 16MB device, you won't be able
to do an in-place update of something fundamental like the C library
(libc), as this will temporarily require 22MB to install all the
packages needing the new library before the packages using the old
library can be removed. A writable system will be more useful for
smaller updates such as installing a new package (perhaps you
temporarily need tcpdump to diagnose a network problem) or for
changing configuration files.
Note also that the kernel is not part of the filesystem so cannot be
updated this way. Kernel changes require a full reflash.
Creating configuration.nix
==========================
You need to create a :file:`configuration.nix` that describes your
device and the services that you want to run on it. The best way to
get started is by reading one of the examples such as
:file:`examples/rotuer.nix` and modifying it to your needs.
:file:`configuration.nix` conventionally describes the packages, services,
user accounts etc of the device. It does not describe the hardware
itself, which is specified separately in the build command (as you
will see below).
Most of the functionality of a Liminix system is driven by *services*
which are declared by *modules*: thus, to add for example an NTP service
you first add :file:`modules/ntp` to your ``imports`` list, then
you create a service by calling :code:`config.system.service.ntp.build { .... }`
with the appropriate service-dependent configuration parameters.
.. code-block:: nix
let svc = config.system.service;
in {
# ...
imports = [
./modules/ntp
# ....
];
config.services.ntp = svc.ntp.build {
pools = { "pool.ntp.org" = ["iburst"]; };
makestep = { threshold = 1.0; limit = 3; };
};
A :ref:`full list of module options <module-options>` is provided
later in this manual.
You *most likely* want to include the ``standard`` module unless you
have a quite unusual use case for a very minimal system, in which case
you will understand what it does and what happens if you leave it out.
.. code-block:: nix
imports = [
./modules/standard.nix
]
configuration.rootfsType = "jffs2"; # or "squashfs"
Building
========
Build Liminix using the :file:`default.nix` in the project toplevel
directory, passing it arguments for configuration and hardware. For
example:
.. code-block:: console
nix-build -I liminix-config=./tests/smoke/configuration.nix \
--arg device "import ./devices/qemu" -A outputs.default
In this command ``<liminix-config>`` points to your
:file:`configuration.nix`, ``device`` is the file for your hardware device
definition, and ``outputs.default`` will generate some kind of
Liminix image output appropriate to that device.
For the qemu device in this example, ``outputs.default`` is an alias
for ``outputs.vmbuild``, which creates a directory containing a
squashfs root image and a kernel. You can use the :command:`mips-vm` command to
run this.
For the currently supported hardware devices, ``outputs.default``
creates a directory containing a file called ``firmware.bin``. This
is a raw image file that can be written directly to the firmware flash
partition.
Flashing
========
Flashing from the boot monitor
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
If you are prepared to open the device and have a TTL serial adaptor
of some kind to connect it to, you can probably flash it using U-Boot.
This is quite hardware-specific, and sometimes involves soldering:
please refer to the Developer Manual.
Flashing from an existing Liminix system with :command:`flashcp`
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The flash procedure from an existing Liminix-system is two-step.
First we reboot the device (using "kexec") into an "ephemeral"
RAM-based version of the new configuration, then when we're happy it
works we can flash the image - and if it doesn't work we can reboot
the device again and it will boot from the old image.
Building the RAM-based image
............................
To create the ephemeral image, build ``outputs.kexecboot`` instead of
``outputs.default``. This generates a directory containing the root
filesystem image and kernel, along with an executable called `kexec`
and a `boot.sh` script that runs it with appropriate arguments.
For example
.. code-block:: console
nix-build --show-trace -I liminix-config=./examples/arhcive.nix \
--arg device "import ./devices/gl-ar750"
-A outputs.kexecboot && \
(tar chf - result | ssh root@the-device tar -C /run -xvf -)
and then login to the device and run
.. code-block:: console
cd /run/result
sh ./boot.sh .
This will load the new kernel and map the root filesystem into a RAM
disk, then start executing the new kernel. *This is effectively a
reboot - be sure to close all open files and finish anything else
you were doing first.*
If the new system crashes or is rebooted, then the device will revert
to the old configuration it finds in flash.
Building the second (permanent) image
.....................................
While running in the kexecboot system, you can copy the permanent
image to the device with :command:`ssh`
.. code-block:: console
build-machine$ tar chf - result/firmware.bin | \
ssh root@the-device tar -C /run -xvf -
Next you need to connect to the device and locate the "firmware"
partition, which you can do with a combination of :command:`dmesg`
output and the contents of :file:`/proc/mtd`
.. code-block:: console
<5>[ 0.469841] Creating 4 MTD partitions on "spi0.0":
<5>[ 0.474837] 0x000000000000-0x000000040000 : "u-boot"
<5>[ 0.480796] 0x000000040000-0x000000050000 : "u-boot-env"
<5>[ 0.487056] 0x000000050000-0x000000060000 : "art"
<5>[ 0.492753] 0x000000060000-0x000001000000 : "firmware"
# cat /proc/mtd
dev: size erasesize name
mtd0: 00040000 00001000 "u-boot"
mtd1: 00010000 00001000 "u-boot-env"
mtd2: 00010000 00001000 "art"
mtd3: 00fa0000 00001000 "firmware"
mtd4: 002a0000 00001000 "kernel"
mtd5: 00d00000 00001000 "rootfs"
Now run (in this example)
.. code-block:: console
flashcp -v firmware.bin /dev/mtd3
"I know my new image is good, can I skip the intemediate step?"
```````````````````````````````````````````````````````````````
In addition to giving you a chance to see if the new image works, this
two-step process ensures that you're not copying the new image over
the top of the active root filesystem. It might work, or it might
crash in surprising ways.
Flashing from OpenWrt (not currently advised!)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. CAUTION:: At your own risk! This will (at least in some
circumstances) lead to bricking the device: we think this
flash method is currently incompatible with use of a
writeable (jffs2) filesystem.
If your device is running OpenWrt then it probably has the
:command:`mtd` command installed. After transferring the image onto the
device using e.g. :command:`ssh`, you can run it as follows:
.. code-block:: console
mtd -r write /tmp/firmware.bin firmware
For more information, please see the `OpenWrt manual <https://openwrt.org/docs/guide-user/installation/sysupgrade.cli>`_ which may also contain (hardware-dependent) instructions on how to flash an image using the vendor firmware - perhaps even from a web interface.
Updating an installed system (JFFS2)
************************************
Adding packages
===============
If your device is running a JFFS2 root filesystem, you can build
extra packages for it on your build system and copy them to the
device: any package in Nixpkgs or in the Liminix overlay is available
with the ``pkgs`` prefix:
.. code-block:: console
nix-build -I liminix-config=./my-configuration.nix \
--arg device "import ./devices/mydevice" -A pkgs.tcpdump
nix-shell -p min-copy-closure root@the-device result/
Note that this only copies the package to the device: it doesn't update
any profile to add it to ``$PATH``
Rebuilding the system
=====================
:command:`liminix-rebuild` is the Liminix analogue of :command:`nixos-rebuild`, although its operation is a bit different because it expects to run on a build machine and then copy to the host device. Run it with the same ``liminix-config`` and ``device`` parameters as you would run :command:`nix-build`, and it will build any new/changed packages and then copy them to the device using SSH. For example:
.. code-block:: console
liminix-rebuild root@the-device -I liminix-config=./examples/rotuer.nix --arg device "import ./devices/gl-ar750"
This will
* build anything that needs building
* copy new or changed packages to the device
* reboot the device
It doesn't delete old packages automatically: to do that run
:command:`min-collect-garbage`, which will delete any packages not in
the current system closure. Note that Liminix does not have the NixOS
concept of environments or generations, and there is no way back from
this except for building the previous configuration again.
Caveats
~~~~~~~
* it needs there to be enough free space on the device for all the new
packages in addition to all the packages already on it - which may be
a problem if a lot of things have changed (e.g. a new version of
nixpkgs).
* it cannot upgrade the kernel, only userland
Configuration options
*********************
.. _module-options:
.. include:: modules.rst

59
examples/acquire-delegated-prefix.fnl Normal file
View File

@ -0,0 +1,59 @@
(local { : merge : split : file-exists? : system } (require :anoia))
(local svc (require :anoia.svc))
(fn parse-prefix [str]
(fn parse-extra [s]
(let [out {}]
(each [name val (string.gmatch s ",(.-)=([^,]+)")]
(tset out name val))
out))
(let [(prefix len preferred valid extra)
(string.match str "(.-)::/(%d+),(%d+),(%d+)(.*)$")]
(merge {: prefix : len : preferred : valid} (parse-extra extra))))
;; Format: <prefix>/<length>,preferred,valid[,excluded=<excluded-prefix>/<length>][,class=<prefix class #>]
;;(parse-prefix "2001:8b0:de3a:40dc::/64,7198,7198")
;;(parse-prefix "2001:8b0:de3a:1001::/64,7198,7188,excluded=1/2,thi=10")
(local bound-states
{ :bound true
:rebound true
:informed true
:updated true
:ra-updated true
})
; (local { : view } (require :fennel))
(fn changes [old-prefixes new-prefixes]
(let [added {}
deleted {}
old-set (collect [_ v (ipairs old-prefixes)] (values v true))
new-set (collect [_ v (ipairs new-prefixes)] (values v true))]
(each [_ prefix (ipairs new-prefixes)]
(if (not (. old-set prefix))
(table.insert added (parse-prefix prefix))))
(each [_ prefix (ipairs old-prefixes)]
(if (not (. new-set prefix))
(table.insert deleted (parse-prefix prefix))))
(values added deleted)))
(let [[state-directory lan-device] arg
dir (svc.open state-directory)]
(var prefixes [])
(while true
(while (not (dir:ready?)) (dir:wait))
(if (. bound-states (dir:output "state"))
(let [new-prefixes (split " " (dir:output "/prefixes"))
(added deleted) (changes prefixes new-prefixes)]
(each [_ p (ipairs added)]
(system
(.. "ip address add " p.prefix "::1/" p.len " dev " lan-device)))
(each [_ p (ipairs deleted)]
(system
(.. "ip address del " p.prefix "::1/" p.len " dev " lan-device)))
(set prefixes new-prefixes)))
(dir:wait)))

8
examples/acquire-delegated-prefix.nix Normal file
View File

@ -0,0 +1,8 @@
{
writeFennelScript
, linotify
, anoia
}:
writeFennelScript "acquire-delegated-prefix"
[ linotify anoia ]
./acquire-delegated-prefix.fnl

60
examples/acquire-wan-address.fnl Normal file
View File

@ -0,0 +1,60 @@
(local { : merge : split : file-exists? : system } (require :anoia))
(local svc (require :anoia.svc))
;; structurally this is remarkably similar to
;; acquire-lan-prefix.fnl. maybe they should be merged: if not then
;; we could at least extract some common code
;; (alternatively we could move all the parsing code into the thing in
;; the odhcp service that *writes* this stuff)
; (parse-address "2001:8b0:1111:1111:0:ffff:51bb:4cf2/128,3600,7200")
(fn parse-address [str]
(fn parse-extra [s]
(let [out {}]
(each [name val (string.gmatch s ",(.-)=([^,]+)")]
(tset out name val))
out))
(let [(address len preferred valid extra)
(string.match str "(.-)/(%d+),(%d+),(%d+)(.*)$")]
(merge {: address : len : preferred : valid} (parse-extra extra))))
(local bound-states
{ :bound true
:rebound true
:informed true
:updated true
:ra-updated true
})
(fn changes [old-addresses new-addresses]
(let [added {}
deleted {}
old-set (collect [_ v (ipairs old-addresses)] (values v true))
new-set (collect [_ v (ipairs new-addresses)] (values v true))]
(each [_ address (ipairs new-addresses)]
(if (not (. old-set address))
(table.insert added (parse-address address))))
(each [_ address (ipairs old-addresses)]
(if (not (. new-set address))
(table.insert deleted (parse-address address))))
(values added deleted)))
(let [[state-directory wan-device] arg
dir (svc.open state-directory)]
(var addresses [])
(while true
(while (not (dir:ready?)) (dir:wait))
(if (. bound-states (dir:output "state"))
(let [new-addresses (split " " (dir:output "/addresses"))
(added deleted) (changes addresses new-addresses)]
(each [_ p (ipairs added)]
(system
(.. "ip address add " p.address "/" p.len " dev " wan-device)))
(each [_ p (ipairs deleted)]
(system
(.. "ip address del " p.address "/" p.len " dev " wan-device)))
(set addresses new-addresses)))
(dir:wait)))

8
examples/acquire-wan-address.nix Normal file
View File

@ -0,0 +1,8 @@
{
writeFennelScript
, linotify
, anoia
}:
writeFennelScript "acquire-wan-address"
[ linotify anoia ]
./acquire-wan-address.fnl

97
examples/arhcive.nix
View File

@ -11,6 +11,10 @@
...
}: let
secrets = import ./extneder-secrets.nix;
inherit
(pkgs.liminix.networking)
route
;
inherit (pkgs.liminix.services) oneshot longrun bundle target;
inherit (pkgs.pseudofile) dir symlink;
inherit (pkgs) writeText dropbear ifwait serviceFns;
@ -24,13 +28,11 @@ in rec {
};
imports = [
../modules/standard.nix
../modules/wlan.nix
../modules/network
../modules/vlan
../modules/ssh
../modules/watchdog
../modules/mount
];
hostname = "arhcive";
kernel = {
@ -49,6 +51,7 @@ in rec {
SCSI = "y";
BLK_DEV_SD = "y";
USB_PRINTER = "y";
PARTITION_ADVANCED = "y";
MSDOS_PARTITION = "y";
EFI_PARTITION = "y";
EXT4_FS = "y";
@ -64,12 +67,51 @@ in rec {
dependencies = [ config.services.hostname ];
};
services.sshd = svc.ssh.build { };
services.watchdog = svc.watchdog.build {
watched = with config.services ; [ sshd dhcpc ];
services.sshd = longrun {
name = "sshd";
run = ''
mkdir -p /run/dropbear
${dropbear}/bin/dropbear -E -P /run/dropbear.pid -R -F
'';
};
services.watchdog =
let
watched = with config.services ; [ sshd dhcpc ];
spinupGrace = 60;
script = pkgs.writeAshScript "gaspode" {
runtimeInputs = [ pkgs.s6 ];
} ''
deadline=$(expr $(date +%s) + ${toString spinupGrace})
services=$@
echo started feeding the dog
exec 3> ''${WATCHDOG-/dev/watchdog}
healthy(){
test $(date +%s) -le $deadline && return 0
for i in $services; do
if test "$(s6-svstat -o up /run/service/$i)" != "true" ; then
echo "service $i is down"
return 1
fi
done
}
while healthy ;do
sleep 10
echo >&3
done
echo "stopped feeding the dog"
sleep 6000 # don't want s6-rc to restart
'';
in longrun {
name = "watchdog";
run =
"${script} ${lib.concatStringsSep " " (builtins.map (s: s.name) watched)}";
};
services.resolvconf = oneshot rec {
dependencies = [ services.dhcpc ];
name = "resolvconf";
@ -81,6 +123,9 @@ in rec {
done
)
'';
down = ''
rm -rf /run/service-state/${name}/
'';
};
filesystem = dir {
etc = dir {
@ -89,25 +134,35 @@ in rec {
srv = dir {};
};
services.defaultroute4 = svc.network.route.build {
services.defaultroute4 = route {
name = "defaultroute";
via = "$(output ${services.dhcpc} router)";
target = "default";
dependencies = [services.dhcpc];
};
programs.busybox = {
applets = ["lsusb" "tar"];
applets = ["blkid" "lsusb" "findfs" "tar"];
options = {
FEATURE_LS_TIMESTAMPS = "y";
FEATURE_LS_SORTFILES = "y";
FEATURE_BLKID_TYPE = "y";
FEATURE_MOUNT_FLAGS = "y";
FEATURE_MOUNT_LABEL = "y";
FEATURE_VOLUMEID_EXT = "y";
};
};
services.mount_external_disk = svc.mount.build {
device = "LABEL=backup-disk";
mountpoint = "/srv";
fstype = "ext4";
services.mount_external_disk = oneshot {
name = "mount_external_disk";
up = ''
while ! findfs LABEL=backup-disk; do
echo waiting for backup-disk
sleep 1
done
mount -t ext4 LABEL=backup-disk /srv
'';
down = "umount /srv";
};
services.rsync =
@ -144,6 +199,20 @@ in rec {
] ;
};
services.default = target {
name = "default";
contents =
let links = config.hardware.networkInterfaces;
in with config.services; [
links.lo
defaultroute4
resolvconf
sshd
rsync
watchdog
];
};
users.root = {
passwd = lib.mkForce secrets.root_password;
# openssh.authorizedKeys.keys = [

202
examples/demo.nix
View File

@ -1,202 +0,0 @@
# This is an example configuration for a "typical" small office/home
# router and wifi access point.
# You need to copy it to another filename and change the configuration
# wherever the text "EDIT" appears - please consult the tutorial
# documentation for details.
{ config, pkgs, lib, ... } :
let
inherit (pkgs.liminix.services) bundle oneshot longrun;
inherit (pkgs) serviceFns;
# EDIT: you can pick your preferred RFC1918 address space
# for NATted connections, if you don't like this one.
ipv4LocalNet = "10.8.0";
svc = config.system.service;
in rec {
boot = {
tftp = {
freeSpaceBytes = 3 * 1024 * 1024;
serverip = "10.0.0.1";
ipaddr = "10.0.0.8";
};
};
imports = [
../modules/bridge
../modules/dhcp6c
../modules/dnsmasq
../modules/firewall
../modules/hostapd
../modules/network
../modules/ntp
../modules/ppp
../modules/ssh
../modules/vlan
../modules/wlan.nix
];
rootfsType = "jffs2";
hostname = "the-internet"; # EDIT
services.hostap = svc.hostapd.build {
interface = config.hardware.networkInterfaces.wlan;
# EDIT: you will want to change the obvious things
# here to values of your choice
params = {
ssid = "the-internet";
channel = "1";
country_code = "GB";
wpa_passphrase = "not a real wifi password";
hw_mode="g";
ieee80211n = 1;
auth_algs = 1; # 1=wpa2, 2=wep, 3=both
wpa = 2; # 1=wpa, 2=wpa2, 3=both
wpa_key_mgmt = "WPA-PSK";
wpa_pairwise = "TKIP CCMP"; # auth for wpa (may not need this?)
rsn_pairwise = "CCMP"; # auth for wpa2
wmm_enabled = 1;
};
};
services.int = svc.network.address.build {
interface = svc.bridge.primary.build { ifname = "int"; };
family = "inet"; address = "${ipv4LocalNet}.1"; prefixLength = 16;
};
services.bridge = svc.bridge.members.build {
primary = services.int;
members = with config.hardware.networkInterfaces;
[ wlan lan ];
};
services.ntp = svc.ntp.build {
pools = { "pool.ntp.org" = ["iburst"]; };
makestep = { threshold = 1.0; limit = 3; };
};
services.sshd = svc.ssh.build { };
users.root = {
# EDIT: choose a root password and then use
# "mkpasswd -m sha512crypt" to determine the hash.
# It should start wirh $6$.
passwd = "$6$6HG7WALLQQY1LQDE$428cnouMJ7wVmyK9.dF1uWs7t0z9ztgp3MHvN5bbeo0M4Kqg/u2ThjoSHIjCEJQlnVpDOaEKcOjXAlIClHWN21";
openssh.authorizedKeys.keys = [
# EDIT: you can add your ssh pubkey here
# "ssh-rsa AAAAB3NzaC1....H6hKd user@example.com";
];
};
services.dns =
let interface = services.int;
in svc.dnsmasq.build {
resolvconf = services.resolvconf;
inherit interface;
ranges = [
"${ipv4LocalNet}.10,${ipv4LocalNet}.249"
# EDIT: ... maybe. In this example we use "ra-stateless",
# meaning dnsmasq sends router advertisements with the O and A
# bits set, and provides a stateless DHCP service. The client
# will use a SLAAC address, and use DHCP for other
# configuration information.
# If you didn't understand the preceding sentence then
# the default is _probably_ fine, but if you need
# a DHCP-only IPv6 network or some other different
# configuration, this is the place to change it.
"::,constructor:$(output ${interface} ifname),ra-stateless"
];
# EDIT: choose a domain name for the DNS names issued for your
# DHCP-issued hosts
domain = "lan.example.com";
};
services.wan = svc.pppoe.build {
interface = config.hardware.networkInterfaces.wan;
ppp-options = [
"debug" "+ipv6" "noauth"
# EDIT: change the strings "chap-username"
# and "chap-secret" to match the username/password
# provided by your ISP for PPP logins
"name" "chap-username"
"password" "chap-secret"
];
};
services.resolvconf = oneshot rec {
dependencies = [ services.wan ];
name = "resolvconf";
up = ''
. ${serviceFns}
( in_outputs ${name}
echo "nameserver $(output ${services.wan} ns1)" > resolv.conf
echo "nameserver $(output ${services.wan} ns2)" >> resolv.conf
chmod 0444 resolv.conf
)
'';
};
filesystem =
let inherit (pkgs.pseudofile) dir symlink;
in dir {
etc = dir {
"resolv.conf" = symlink "${services.resolvconf}/.outputs/resolv.conf";
};
};
services.defaultroute4 = svc.network.route.build {
via = "$(output ${services.wan} address)";
target = "default";
dependencies = [ services.wan ];
};
services.defaultroute6 = svc.network.route.build {
via = "$(output ${services.wan} ipv6-peer-address)";
target = "default";
interface = services.wan;
};
services.firewall = svc.firewall.build {
ruleset = import ./demo-firewall.nix;
};
services.packet_forwarding = svc.network.forward.build { };
# We expect the ISP uses DHCP6 to issue IPv6 addresses. There is a
# service to request address information in the form of a DHCP
# lease, and two dependent services that listen for updates to the
# DHCP address information and update the addresses of the WAN and
# LAN interfaces respectively.
services.dhcp6c =
let client = svc.dhcp6c.client.build {
interface = services.wan;
};
in bundle {
name = "dhcp6c";
contents = [
(svc.dhcp6c.prefix.build {
# if your ISP provides you a real IPv6 prefix for your local
# network (usually a /64 or /48 or something in between the
# two), this service subscribes to that "prefix delegation"
# information, and uses it to assign an address to the LAN
# device. dnsmasq will notice this address and use it to
# form the addresses it hands out to devices on the lan
inherit client;
interface = services.int;
})
(svc.dhcp6c.address.build {
# if your ISP provides you a regular global IPv6 address,
# this service subscribes to that information and assigns
# the address to the WAN device.
inherit client;
interface = services.wan;
})
];
};
defaultProfile.packages = with pkgs; [
min-collect-garbage
];
}

46
examples/extneder.nix
View File

@ -11,6 +11,12 @@
...
}: let
secrets = import ./extneder-secrets.nix;
inherit
(pkgs.liminix.networking)
address
interface
route
;
inherit (pkgs.liminix.services) oneshot longrun bundle target;
inherit (pkgs.pseudofile) dir symlink;
inherit (pkgs) dropbear ifwait serviceFns;
@ -25,11 +31,10 @@ in rec {
imports = [
../modules/wlan.nix
../modules/vlan
../modules/network
../modules/hostapd
../modules/bridge
../modules/ssh
../modules/standard.nix
];
hostname = "extneder";
@ -42,9 +47,7 @@ in rec {
IP6_NF_IPTABLES = "y"; # do we still need these
IP_NF_IPTABLES = "y"; # if using nftables directly
# these are copied from rotuer and need review.
# we're not running a firewall, so why do we need
# nftables config?
# these are copied from rotuer and need review
IP_NF_NAT = "y";
IP_NF_TARGET_MASQUERADE = "y";
NETFILTER = "y";
@ -85,8 +88,9 @@ in rec {
};
};
services.int = svc.bridge.primary.build {
ifname = "int";
services.int = interface {
type = "bridge";
device = "int";
};
services.dhcpc = svc.network.dhcp.client.build {
@ -102,7 +106,13 @@ in rec {
];
};
services.sshd = svc.ssh.build {};
services.sshd = longrun {
name = "sshd";
run = ''
mkdir -p /run/dropbear
${dropbear}/bin/dropbear -E -P /run/dropbear.pid -R -F
'';
};
services.resolvconf = oneshot rec {
dependencies = [ services.dhcpc ];
@ -118,6 +128,9 @@ in rec {
done
)
'';
down = ''
rm -rf /run/service-state/${name}/
'';
};
filesystem = dir {
etc = dir {
@ -125,12 +138,27 @@ in rec {
};
};
services.defaultroute4 = svc.network.route.build {
services.defaultroute4 = route {
name = "defaultroute";
via = "$(output ${services.dhcpc} router)";
target = "default";
dependencies = [services.dhcpc];
};
services.default = target {
name = "default";
contents =
let links = config.hardware.networkInterfaces;
in with config.services; [
links.lo links.eth links.wlan
int
bridge
hostap
defaultroute4
resolvconf
sshd
];
};
users.root.passwd = lib.mkForce secrets.root_password;
defaultProfile.packages = with pkgs; [nftables strace tcpdump swconfig];
}

42
examples/hello-from-mt300.nix
View File

@ -1,42 +0,0 @@
{ config, pkgs, lib, ... } :
let
inherit (pkgs) serviceFns;
svc = config.system.service;
in rec {
imports = [
../modules/network
../modules/ssh
../modules/vlan
];
boot.tftp = {
# IP addresses to use in the boot monitor when flashing/ booting
# over TFTP. If you are flashing using the stock firmware's Web UI
# then these dummy values are fine
ipaddr = "192.0.2.115"; # my address
serverip = "192.0.2.5"; # build machine or other tftp server
};
hostname = "hello";
services.dhcpc = svc.network.dhcp.client.build {
interface = config.hardware.networkInterfaces.lan;
# don't start DHCP until the hostname is configured,
# so it can identify itself to the DHCP server
dependencies = [ config.services.hostname ];
};
services.sshd = svc.ssh.build { };
users.root = {
# the password is "secret". Use mkpasswd -m sha512crypt to
# create this hashed password string
passwd = "$6$y7WZ5hM6l5nriLmo$5AJlmzQZ6WA.7uBC7S8L4o19ESR28Dg25v64/vDvvCN01Ms9QoHeGByj8lGlJ4/b.dbwR9Hq2KXurSnLigt1W1";
};
defaultProfile.packages = with pkgs; [
figlet
];
}

44
examples/hello-from-qemu.nix
View File

@ -1,44 +0,0 @@
{ config, pkgs, lib, ... } :
let
inherit (pkgs) serviceFns;
svc = config.system.service;
in rec {
imports = [
../modules/network
../modules/dnsmasq
../modules/ssh
];
hostname = "hello";
# configure the internal network (LAN) with an address
services.int = svc.network.address.build {
interface = config.hardware.networkInterfaces.lan;
family = "inet"; address ="10.3.0.1"; prefixLength = 16;
};
services.sshd = svc.ssh.build { };
users.root = {
# the password is "secret". Use mkpasswd -m sha512crypt to
# create this hashed password string
passwd = "$6$y7WZ5hM6l5nriLmo$5AJlmzQZ6WA.7uBC7S8L4o19ESR28Dg25v64/vDvvCN01Ms9QoHeGByj8lGlJ4/b.dbwR9Hq2KXurSnLigt1W1";
};
services.dns =
let interface = services.int;
in svc.dnsmasq.build {
inherit interface;
ranges = [
"10.3.0.10,10.3.0.240"
"::,constructor:$(output ${interface} ifname),ra-stateless"
];
domain = "example.org";
};
defaultProfile.packages = with pkgs; [
figlet
];
}

0
examples/demo-firewall.nix → examples/rotuer-firewall.nix
View File

116
examples/rotuer.nix
View File

@ -9,8 +9,17 @@
{ config, pkgs, lib, ... } :
let
secrets = import ./rotuer-secrets.nix;
inherit (pkgs.liminix.services) oneshot longrun bundle;
inherit (pkgs) serviceFns;
inherit (pkgs.liminix.networking)
address
interface
route;
inherit (pkgs.liminix.services) oneshot longrun bundle target;
inherit (pkgs)
dropbear
ifwait
writeText
writeFennelScript
serviceFns;
svc = config.system.service;
wirelessConfig = {
country_code = "GB";
@ -34,20 +43,21 @@ in rec {
imports = [
../modules/wlan.nix
../modules/standard.nix
../modules/network
../modules/ppp
../modules/dnsmasq
../modules/dhcp6c
../modules/firewall
../modules/hostapd
../modules/bridge
../modules/ntp
../modules/ssh
];
rootfsType = "jffs2";
hostname = "rotuer";
services.hostap = svc.hostapd.build {
interface = config.hardware.networkInterfaces.wlan;
interface = config.hardware.networkInterfaces.wlan_24;
params = {
ssid = "liminix";
hw_mode="g";
@ -57,7 +67,7 @@ in rec {
};
services.hostap5 = svc.hostapd.build {
interface = config.hardware.networkInterfaces.wlan5;
interface = config.hardware.networkInterfaces.wlan_5;
params = rec {
ssid = "liminix_5";
hw_mode="a";
@ -70,16 +80,14 @@ in rec {
};
services.int = svc.network.address.build {
interface = svc.bridge.primary.build { ifname = "int"; };
interface = svc.bridge.primary.build { ifname = "int"; };# services.int;
family = "inet"; address ="10.8.0.1"; prefixLength = 16;
};
services.bridge = svc.bridge.members.build {
primary = services.int;
members = with config.hardware.networkInterfaces;
[ wlan
wlan5
lan ];
[ wlan_24 wlan_5 lan ];
};
services.ntp = svc.ntp.build {
@ -98,17 +106,8 @@ in rec {
inherit interface;
ranges = [
"10.8.0.10,10.8.0.240"
# ra-stateless: sends router advertisements with the O and A
# bits set, and provides a stateless DHCP service. The client
# will use a SLAAC address, and use DHCP for other
# configuration information.
"::,constructor:$(output ${interface} ifname),ra-stateless"
];
# You can add static addresses for the DHCP server here. I'm
# not putting my actual MAC addresses in a public git repo ...
hosts = { } // lib.optionalAttrs (builtins.pathExists ./static-leases.nix) (import ./static-leases.nix);
domain = "fake.liminix.org";
};
@ -132,8 +131,10 @@ in rec {
chmod 0444 resolv.conf
)
'';
down = ''
rm -rf /run/service-state/${name}/
'';
};
filesystem =
let inherit (pkgs.pseudofile) dir symlink;
in dir {
@ -142,47 +143,74 @@ in rec {
};
};
services.defaultroute4 = svc.network.route.build {
services.defaultroute4 = route {
name = "defaultroute4";
via = "$(output ${services.wan} address)";
target = "default";
dependencies = [ services.wan ];
};
services.defaultroute6 = svc.network.route.build {
services.defaultroute6 = route {
name = "defaultroute6";
via = "$(output ${services.wan} ipv6-peer-address)";
target = "default";
interface = services.wan;
dev = "$(output ${services.wan} ifname)";
dependencies = [ services.wan ];
};
services.firewall = svc.firewall.build {
ruleset = import ./demo-firewall.nix;
ruleset = import ./rotuer-firewall.nix;
};
services.packet_forwarding = svc.network.forward.build { };
services.packet_forwarding =
let
ip4 = "/proc/sys/net/ipv4/conf/all/forwarding";
ip6 = "/proc/sys/net/ipv6/conf/all/forwarding";
in oneshot {
name = "let-the-ip-flow";
up = ''
echo 1 > ${ip4}
echo 1 > ${ip6}
'';
down = ''
echo 0 > ${ip4};
echo 0 > ${ip6};
'';
dependencies = [ services.firewall ];
};
services.dhcp6c =
let client = svc.dhcp6c.client.build {
interface = services.wan;
};
in bundle {
name = "dhcp6c";
contents = [
(svc.dhcp6c.prefix.build {
inherit client;
interface = services.int;
})
(svc.dhcp6c.address.build {
inherit client;
interface = services.wan;
})
];
services.dhcp6 =
let
name = "dhcp6c.wan";
in longrun {
inherit name;
notification-fd = 10;
run = ''
export SERVICE_STATE=/run/service-state/${name}
${pkgs.odhcp6c}/bin/odhcp6c -s ${pkgs.odhcp-script} -e -v -p /run/${name}.pid -P 48 $(output ${services.wan} ifname)
)
'';
dependencies = [ services.wan ];
};
services.acquire-lan-prefix =
let script = pkgs.callPackage ./acquire-delegated-prefix.nix { };
in longrun {
name = "acquire-lan-prefix";
run = "${script} /run/service-state/dhcp6c.wan $(output ${services.int} ifname)";
dependencies = [ services.dhcp6 ];
};
services.acquire-wan-address =
let script = pkgs.callPackage ./acquire-wan-address.nix { };
in longrun {
name = "acquire-wan-address";
run = "${script} /run/service-state/dhcp6c.wan $(output ${services.wan} ifname)";
dependencies = [ services.dhcp6 ];
};
defaultProfile.packages = with pkgs; [
min-collect-garbage
];
programs.busybox.applets = [
"fdisk" "sfdisk"
];
}

109
examples/turris.nix
View File

@ -1,109 +0,0 @@
{ config, pkgs, lib, lim, ... } :
let
inherit (pkgs) serviceFns;
svc = config.system.service;
in rec {
imports = [
../modules/network
../modules/ssh
../modules/vlan
../modules/wlan.nix
../modules/hostapd
../modules/bridge
../modules/ext4fs.nix
../modules/tftpboot.nix
];
rootfsType = "ext4";
boot.tftp = {
# IP addresses to use in the boot monitor when flashing/ booting
# over TFTP. If you are flashing using the stock firmware's Web UI
# then these dummy values are fine
ipaddr = "10.0.0.8"; # my address
serverip = "10.0.0.1"; # build machine or other tftp server
loadAddress = lim.parseInt "0x40000800";
};
hostname = "omnia";
services.hostap =
let secrets = {
ssid = "not-the-internet";
channel = 4;
wpa_passphrase = "diamond dogs";
};
in svc.hostapd.build {
interface = config.hardware.networkInterfaces.wlan;
params = {
country_code = "GB";
hw_mode = "g";
wmm_enabled = 1;
ieee80211n = 1;
inherit (secrets) ssid channel wpa_passphrase;
auth_algs = 1; # 1=wpa2, 2=wep, 3=both
wpa = 2; # 1=wpa, 2=wpa2, 3=both
wpa_key_mgmt = "WPA-PSK";
wpa_pairwise = "TKIP CCMP"; # auth for wpa (may not need this?)
rsn_pairwise = "CCMP"; # auth for wpa2
};
};
services.hostap5 =
let secrets = {
ssid = "not-the-internet";
channel = 36;
wpa_passphrase = "diamond dogs";
};
in svc.hostapd.build {
interface = config.hardware.networkInterfaces.wlan5;
params = {
country_code = "GB";
hw_mode = "a";
ht_capab = "[HT40+]";
vht_oper_chwidth = 1;
vht_oper_centr_freq_seg0_idx = secrets.channel + 6;
ieee80211ac = 1;
wmm_enabled = 1;
inherit (secrets) ssid channel wpa_passphrase;
auth_algs = 1; # 1=wpa2, 2=wep, 3=both
wpa = 2; # 1=wpa, 2=wpa2, 3=both
wpa_key_mgmt = "WPA-PSK";
wpa_pairwise = "TKIP CCMP"; # auth for wpa (may not need this?)
rsn_pairwise = "CCMP"; # auth for wpa2
};
};
services.int = svc.bridge.primary.build {
ifname = "int";
};
services.dhcpc = svc.network.dhcp.client.build {
interface = services.int;
dependencies = [ config.services.hostname ];
};
services.bridge = svc.bridge.members.build {
primary = services.int;
members = with config.hardware.networkInterfaces; [
lan
wlan
];
};
services.sshd = svc.ssh.build { };
users.root = {
# the password is "secret". Use mkpasswd -m sha512crypt to
# create this hashed password string
passwd = "$6$y7WZ5hM6l5nriLmo$5AJlmzQZ6WA.7uBC7S8L4o19ESR28Dg25v64/vDvvCN01Ms9QoHeGByj8lGlJ4/b.dbwR9Hq2KXurSnLigt1W1";
};
defaultProfile.packages = with pkgs; [
figlet pciutils
];
}

0
pkgs/kernel/dtb.nix → kernel/dtb.nix
View File

48
kernel/uimage.nix Normal file
View File

@ -0,0 +1,48 @@
{
lzma
, stdenv
, ubootTools
, dtc
} :
let
objcopy = "${stdenv.cc.bintools.targetPrefix}objcopy";
in {
kernel
, commandLine
, entryPoint
, extraName ? "" # e.g. socFamily
, loadAddress
, dtb ? null
} :
stdenv.mkDerivation {
name = "kernel.image";
phases = [
"preparePhase"
(if dtb != null then "dtbPhase" else ":")
"buildPhase"
"installPhase" ];
nativeBuildInputs = [
lzma
dtc
stdenv.cc
ubootTools
];
preparePhase = ''
cp ${kernel} vmlinux.elf; chmod +w vmlinux.elf
'';
dtbPhase = ''
dtc -I dtb -O dts -o tmp.dts ${dtb}
echo '/{ chosen { bootargs = ${builtins.toJSON commandLine}; }; };' >> tmp.dts
dtc -I dts -O dtb -o tmp.dtb tmp.dts
${objcopy} --update-section .appended_dtb=tmp.dtb vmlinux.elf || ${objcopy} --add-section .appended_dtb=${dtb} vmlinux.elf
'';
buildPhase = ''
${objcopy} -O binary -R .reginfo -R .notes -R .note -R .comment -R .mdebug -R .note.gnu.build-id -S vmlinux.elf vmlinux.bin
rm -f vmlinux.bin.lzma ; lzma -k -z vmlinux.bin
mkimage -A mips -O linux -T kernel -C lzma -a ${loadAddress} -e ${entryPoint} -n 'MIPS Liminix Linux ${extraName}' -d vmlinux.bin.lzma kernel.uimage
'';
installPhase = ''
cp kernel.uimage $out
'';
}

39
modules/all-modules.nix
View File

@ -1,39 +0,0 @@
# Import all of the modules, used in the documentation generator. Not
# currently expected to work in an actual configuration, but it would
# be nice if it did.
{
imports = [
./base.nix
./bridge
./busybox.nix
./dhcp6c
./dnsmasq
./outputs/ext4fs.nix
./firewall
./hardware.nix
./hostapd
./hostname.nix
./outputs/initramfs.nix
./outputs/jffs2.nix
./kernel.nix
./outputs/kexecboot.nix
./mount
./network
./ntp
./outputs.nix
./outputs/vmroot.nix
./outputs/ubimage.nix
./outputs/mtdimage.nix
./ppp
./ramdisk.nix
./squashfs.nix
./ssh
./outputs/tftpboot.nix
./outputs/ubifs.nix
./users.nix
./vlan
./watchdog
./wlan.nix
];
}

18
modules/arch/aarch64.nix
View File

@ -1,18 +0,0 @@
{ lib, lim, pkgs, config, ...}:
{
config = {
kernel.config = {
CPU_LITTLE_ENDIAN= "y";
CPU_BIG_ENDIAN= "n";
# CMDLINE_FROM_BOOTLOADER availability is conditional
# on CMDLINE being set to something non-empty
CMDLINE="\"empty=false\"";
CMDLINE_FROM_BOOTLOADER = "y";
OF = "y";
# USE_OF = "y";
};
hardware.ram.startAddress = lim.parseInt "0x40000000";
system.outputs.u-boot = pkgs.ubootQemuAarch64;
};
}

11
modules/arch/arm.nix
View File

@ -1,11 +0,0 @@
{ lib, lim, pkgs, config, ...}:
{
config = {
kernel.config = {
OF = "y";
};
kernel.makeTargets = ["arch/arm/boot/zImage"];
hardware.ram.startAddress = lim.parseInt "0x40000000";
system.outputs.u-boot = pkgs.ubootQemuArm;
};
}

18
modules/arch/mips.nix
View File

@ -1,18 +0,0 @@
{ lib, pkgs, config, lim, ...}:
{
config = {
kernel.config = {
MIPS_ELF_APPENDED_DTB = "y";
MIPS_BOOTLOADER_CMDLINE_REQUIRE_COOKIE = "y";
MIPS_BOOTLOADER_CMDLINE_COOKIE = "\"liminix\"";
MIPS_CMDLINE_DTB_EXTEND = "y";
OF = "y";
USE_OF = "y";
};
hardware.ram.startAddress = lim.parseInt "0x80000000";
boot.commandLine = [
"console=ttyS0,115200" # true of all mips we've yet encountered
];
};
}

10
modules/arch/mipseb.nix
View File

@ -1,10 +0,0 @@
{ lib, pkgs, config, ...}:
{
imports = [ ./mips.nix ];
config = {
kernel.config = {
CPU_BIG_ENDIAN = "y";
};
system.outputs.u-boot = pkgs.ubootQemuMips;
};
}

9
modules/arch/mipsel.nix
View File

@ -1,9 +0,0 @@
{ lib, pkgs, config, ...}:
{
imports = [ ./mips.nix ];
config = {
kernel.config = {
CPU_LITTLE_ENDIAN = "y";
};
};
}

27
modules/base.nix
View File

@ -39,12 +39,7 @@ in {
};
rootfsType = mkOption {
default = "squashfs";
type = types.enum [
"ext4"
"jffs2"
"squashfs"
"ubifs"
];
type = types.enum ["squashfs" "jffs2"];
};
boot = {
commandLine = mkOption {
@ -52,13 +47,9 @@ in {
default = [];
description = "Kernel command line";
};
imageFormat = mkOption {
type = types.enum ["fit" "uimage"];
default = "uimage";
};
tftp = {
loadAddress = mkOption {
type = types.ints.unsigned;
type = types.str;
description = ''
RAM address at which to load data when transferring via
TFTP. This is not the address of the flash storage,
@ -89,8 +80,20 @@ in {
defaultProfile.packages = with pkgs;
[ s6 s6-init-bin execline s6-linux-init s6-rc ];
hardware.networkInterfaces = {
lo =
let iface = interface { type = "loopback"; device = "lo";};
in bundle {
name = "loopback";
contents = [
(address iface { family = "inet4"; address ="127.0.0.1"; prefixLength = 8;})
(address iface { family = "inet6"; address ="::1"; prefixLength = 128;})
];
};
};
boot.commandLine = [
"panic=10 oops=panic init=/bin/init loglevel=8"
"console=ttyS0,115200 panic=10 oops=panic init=/bin/init loglevel=8"
"root=${config.hardware.rootDevice}"
"rootfstype=${config.rootfsType}"
"fw_devlink=off"

10
modules/bridge/default.nix
View File

@ -39,13 +39,5 @@ in
};
};
};
config.kernel.config = {
BRIDGE = "y";
BRIDGE_IGMP_SNOOPING = "y";
} // lib.optionalAttrs (config.system.service ? vlan) {
# depends on bridge _and_ vlan. I would like there to be
# a better way to test for the existence of vlan config:
# maybe the module should set an `enabled` attribute?
BRIDGE_VLAN_FILTERING = "y";
};
config.kernel.config.BRIDGE = "y";
}

1
modules/bridge/primary.nix
View File

@ -5,6 +5,7 @@
}:
{ ifname } :
let
inherit (liminix.networking) interface;
inherit (liminix.services) bundle oneshot;
inherit (lib) mkOption types;
in oneshot rec {

31
modules/dhcp6c/acquire-delegated-prefix.fnl
View File

@ -1,31 +0,0 @@
(local { : system } (require :anoia))
(local svc (require :anoia.svc))
(fn changes [old-addresses new-addresses]
(let [added {}
deleted {}]
(each [n address (pairs new-addresses)]
(if (not (. old-addresses n))
(table.insert added address)))
(each [n address (pairs old-addresses)]
(if (not (. new-addresses n))
(table.insert deleted address)))
(values added deleted)))
(fn update-prefixes [device prefixes new-prefixes]
(let [(added deleted) (changes prefixes new-prefixes)]
(each [_ p (ipairs added)]
(system
(.. "ip address add " p.address "1/" p.len " dev " device)))
(each [_ p (ipairs deleted)]
(system
(.. "ip address del " p.address "1/" p.len " dev " device)))))
(fn run []
(let [[state-directory lan-device] arg
dir (svc.open state-directory)]
(accumulate [addresses []
v (dir:events)]
(update-prefixes lan-device addresses (v:output "prefix")))))
{ : changes : run }

10
modules/dhcp6c/acquire-delegated-prefix.nix
View File

@ -1,10 +0,0 @@
{
writeFennel
, linotify
, anoia
, lua
}:
writeFennel "acquire-delegated-prefix" {
packages = [ linotify anoia lua.pkgs.luafilesystem ];
mainFunction = "run";
} ./acquire-delegated-prefix.fnl

68
modules/dhcp6c/acquire-wan-address-test.fnl
View File

@ -1,68 +0,0 @@
(local subject (require :acquire-wan-address))
(local { : view } (require :fennel))
(local { : merge : dup } (require :anoia))
(local a1
{
"2001-ab-cd-ef_hjgKHGhKJH" {
:address "2001:ab:cd:ef"
:len "64"
:preferred "200"
:valid "200"
}
}
)
(local a2
{
"2001-0-1-2-3_aNteBnb" {
:address "2001:0:1:2:3"
:len "64"
:preferred "200"
:valid "200"
}
}
)
(macro expect [assertion]
(let [msg (.. "expectation failed: " (view assertion))]
`(when (not ,assertion)
(assert false ,msg))))
(fn first-address []
(let [(add del)
(subject.changes
{ }
a1
)]
(expect (= (# del) 0))
(expect (= (# add) 1))
(let [[first] add]
(expect (= first.address "2001:ab:cd:ef")))))
(fn second-address []
(let [(add del)
(subject.changes
a1
(merge (dup a1) a2)
)]
(expect (= (# del) 0))
(expect (= (# add) 1))
(let [[first] add] (expect (= first.address "2001:0:1:2:3")))))
(fn less-address []1
(let [(add del)
(subject.changes
(merge (dup a1) a2)
a1
)]
(expect (= (# add) 0))
(expect (= (# del) 1))
(let [[first] del] (expect (= first.address "2001:0:1:2:3")))))
(first-address)
(second-address)
(less-address)

35
modules/dhcp6c/acquire-wan-address.fnl
View File

@ -1,35 +0,0 @@
(local { : system } (require :anoia))
(local svc (require :anoia.svc))
;; acquire-delegated-prefix has very similar code: we'd like to move
;; this to anoia.svc when we see what the general form would look like
(fn changes [old-addresses new-addresses]
(let [added {}
deleted {}]
(each [n address (pairs new-addresses)]
(if (not (. old-addresses n))
(table.insert added address)))
(each [n address (pairs old-addresses)]
(if (not (. new-addresses n))
(table.insert deleted address)))
(values added deleted)))
(fn update-addresses [wan-device addresses new-addresses]
(let [(added deleted) (changes addresses new-addresses)]
(each [_ p (ipairs added)]
(system
(.. "ip address add " p.address "/" p.len " dev " wan-device)))
(each [_ p (ipairs deleted)]
(system
(.. "ip address del " p.address "/" p.len " dev " wan-device)))
new-addresses))
(fn run []
(let [[state-directory wan-device] arg
dir (svc.open state-directory)]
(accumulate [addresses []
v (dir:events)]
(update-addresses wan-device addresses (v:output "address")))))
{ : update-addresses : changes : run }

10
modules/dhcp6c/acquire-wan-address.nix
View File

@ -1,10 +0,0 @@
{
writeFennel
, linotify
, anoia
, lua
}:
writeFennel "acquire-wan-address" {
packages = [ linotify anoia lua.pkgs.luafilesystem ];
mainFunction = "run";
} ./acquire-wan-address.fnl

16
modules/dhcp6c/address.nix
View File

@ -1,16 +0,0 @@
{
liminix
, lib
, callPackage
}:
{ client, interface } :
let
inherit (liminix.services) longrun;
inherit (lib) mkOption types;
name = "dhcp6c.addr.${client.name}.${interface.name}";
script = callPackage ./acquire-wan-address.nix { };
in longrun {
inherit name;
run = "${script} /run/service-state/${client.name} $(output ${interface} ifname)";
dependencies = [ client interface ];
}

21
modules/dhcp6c/client.nix
View File

@ -1,21 +0,0 @@
{
liminix
, lib
, odhcp6c
, odhcp-script
}:
{ interface } :
let
inherit (liminix.services) longrun;
inherit (lib) mkOption types;
name = "dhcp6c.${interface.name}";
in longrun {
inherit name;
notification-fd = 10;
run = ''
export SERVICE_STATE=/run/service-state/${name}
${odhcp6c}/bin/odhcp6c -s ${odhcp-script} -e -v -p /run/${name}.pid -P0 $(output ${interface} ifname)
)
'';
dependencies = [ interface ];
}

52
modules/dhcp6c/default.nix
View File

@ -1,52 +0,0 @@
## DHCP6 client module
## ===================
##
## This is for use if you have an IPv6-capable upstream that provides
## address information and/or prefix delegation using DHCP6. It
## provides a service to request address information in the form of a
## DHCP lease, and two dependent services that listen for updates
## to the DHCP address information and can be used to update
## addresses of network interfaces that you want to assign those
## prefixes to
{ lib, pkgs, config, ...}:
let
inherit (lib) mkOption types;
inherit (pkgs.liminix.services) oneshot;
inherit (pkgs) liminix;
in
{
options = {
system.service.dhcp6c = {
client = mkOption { type = liminix.lib.types.serviceDefn; };
prefix = mkOption { type = liminix.lib.types.serviceDefn; };
address = mkOption { type = liminix.lib.types.serviceDefn; };
};
};
config.system.service.dhcp6c = {
client = liminix.callService ./client.nix {
interface = mkOption {
type = liminix.lib.types.interface;
description = "interface (usually WAN) to query for DHCP6";
};
};
address = liminix.callService ./address.nix {
client = mkOption {
type = types.anything; # liminix.lib.types.service;
};
interface = mkOption {
type = liminix.lib.types.interface;
description = "interface to assign the address to";
};
};
prefix = liminix.callService ./prefix.nix {
client = mkOption {
type = types.anything; # liminix.lib.types.service;
};
interface = mkOption {
type = liminix.lib.types.interface;
description = "interface to assign <prefix>::1 to";
};
};
};
}

16
modules/dhcp6c/prefix.nix
View File

@ -1,16 +0,0 @@
{
liminix
, lib
, callPackage
}:
{ client, interface } :
let
inherit (liminix.services) longrun;
inherit (lib) mkOption types;
name = "dhcp6c.prefix.${client.name}.${interface.name}";
script = callPackage ./acquire-delegated-prefix.nix { };
in longrun {
inherit name;
run = "${script} /run/service-state/${client.name} $(output ${interface} ifname)";
dependencies = [ client interface ];
}

32
modules/dnsmasq/default.nix
View File

@ -42,38 +42,6 @@ in {
ranges = mkOption {
type = types.listOf types.str;
};
hosts = mkOption {
default = {};
type = types.attrsOf (types.submodule {
options = {
mac = mkOption {
description = ''
MAC or other hardware address to match on. For Ethernet
this is a 48 bit address represented as colon-separated
hex bytes, or "id:clientid" to match a presented
client id (IPv6 DUID)
'';
type = types.str;
example = "01:20:31:4a:50";
};
v4 = mkOption {
description = "IPv4 address to assign to this client";
example = "192.0.2.1";
type = types.str;
};
v6 = mkOption {
type = types.listOf types.str;
description = "IPv6 addresses or interface-ids to assign to this client";
default = [];
example = [ "fe80::42:1eff:fefd:b341" "::1234"];
};
leasetime = mkOption {
type = types.int;
default = 86400;
};
};
});
};
domain = mkOption {
# this can be given multiple times so probably should be
# domains plural and list of string

7
modules/dnsmasq/service.nix
View File

@ -10,17 +10,13 @@
, domain
, group
, ranges
, hosts
, upstreams
, resolvconf
}:
let
name = "${interface.name}.dnsmasq";
inherit (liminix.services) longrun;
inherit (lib) concatStrings concatStringsSep mapAttrsToList;
hostOpt = name : { mac, v4, v6, leasetime } @ attrs:
let v6s = concatStrings (map (a : ",[${a}]") v6);
in "--dhcp-host=${mac},${v4}${v6s},${name},${builtins.toString leasetime}";
inherit (lib) concatStringsSep;
in
longrun {
inherit name;
@ -37,7 +33,6 @@ longrun {
--keep-in-foreground \
--dhcp-authoritative \
${if resolvconf != null then "--resolv-file=$(output_path ${resolvconf} resolv.conf)" else "--no-resolv"} \
${lib.concatStringsSep " " (mapAttrsToList hostOpt hosts)} \
--no-hosts \
--log-dhcp \
--enable-ra \

89
modules/flashimage.nix Normal file
View File

@ -0,0 +1,89 @@
{
config
, pkgs
, lib
, ...
}:
let
inherit (lib) mkOption types concatStringsSep;
inherit (config.boot) tftp;
in {
options.system.outputs = {
firmware = mkOption {
type = types.package;
internal = true; # component of flashimage
description = ''
Binary image (combining kernel, FDT, rootfs, initramfs
if needed, etc) for the target device.
'';
};
flash-scr = mkOption {
type = types.package;
internal = true; # component of flashimage
description = ''
Copy-pastable U-Boot commands to TFTP download the
image and write it to flash
'';
};
flashimage = mkOption {
type = types.package;
description = ''
Flashable image for the target device, and the script to
install it
'';
};
};
config = {
kernel = {
config = {
MTD_SPLIT_UIMAGE_FW = "y";
};
};
programs.busybox.applets = [
"flashcp"
];
system.outputs = {
firmware =
let o = config.system.outputs; in
pkgs.runCommand "firmware" {} ''
dd if=${o.uimage} of=$out bs=128k conv=sync
dd if=${o.rootfs} of=$out bs=128k conv=sync,nocreat,notrunc oflag=append
'';
flashimage =
let o = config.system.outputs; in
# could use trivial-builders.linkFarmFromDrvs here?
pkgs.runCommand "flashimage" {} ''
mkdir $out
cd $out
ln -s ${o.firmware} firmware.bin
ln -s ${o.rootfs} rootfs
ln -s ${o.kernel} vmlinux
ln -s ${o.manifest} manifest
ln -s ${o.kernel.headers} build
ln -s ${o.uimage} uimage
ln -s ${o.dtb} dtb
ln -s ${o.flash-scr} flash.scr
'';
flash-scr =
let
inherit (pkgs.lib.trivial) toHexString;
inherit (config.hardware) flash;
in
pkgs.buildPackages.runCommand "" {} ''
imageSize=$(stat -L -c %s ${config.system.outputs.firmware})
cat > $out << EOF
setenv serverip ${tftp.serverip}
setenv ipaddr ${tftp.ipaddr}
tftp 0x$(printf %x ${tftp.loadAddress}) result/firmware.bin
erase 0x$(printf %x ${flash.address}) +${flash.size}
cp.b 0x$(printf %x ${tftp.loadAddress}) 0x$(printf %x ${flash.address}) \''${filesize}
echo command line was ${builtins.toJSON (concatStringsSep " " config.boot.commandLine)}
EOF
'';
};
};
}

28
modules/hardware.nix
View File

@ -16,14 +16,8 @@ in {
hardware = {
dts = {
src = mkOption {
type = types.nullOr types.path;
description = ''
If the device requires an external device tree to be loaded
alongside the kernel, this is the path to the device tree source
(we usually get these from OpenWrt). This value may be null if the
platform creates the device tree - currently this is the case
only for QEMU.
'';
type = types.path;
description = "Path to the device tree source (usually from OpenWrt)";
};
includes = mkOption {
default = [];
@ -32,15 +26,9 @@ in {
};
};
defaultOutput = mkOption {
description = "\"Default\" output: what gets built for this device when outputs.default is requested. Typically this is \"mtdimage\" or \"vmroot\"";
description = "\"Default\" output: what gets built for this device when outputs.default is requested. Typically this is \"flashimage\" or \"vmroot\"";
type = types.nonEmptyStr;
};
ram = {
startAddress = mkOption {
type = types.int;
};
};
flash = {
# start address and size of whichever partition (often
# called "firmware") we're going to overwrite with our
@ -54,19 +42,19 @@ in {
kernel uimage and root fs. Usually not the entire flash, as
we don't want to clobber the bootloader, calibration data etc
'';
type = types.ints.unsigned;
type = types.str;
};
size = mkOption {
type = types.ints.unsigned;
type = types.str;
description = "Size in bytes of the firmware partition";
};
eraseBlockSize = mkOption {
description = "Flash erase block size in bytes";
type = types.ints.unsigned;
type = types.str;
};
};
loadAddress = mkOption { type = types.ints.unsigned; default = null; };
entryPoint = mkOption { type = types.ints.unsigned; };
loadAddress = mkOption { default = null; };
entryPoint = mkOption { };
radios = mkOption {
description = ''
Kernel modules (from mac80211 package) required for the

32
modules/outputs/initramfs.nix → modules/initramfs.nix
View File

@ -13,23 +13,13 @@ in
boot.initramfs = {
enable = mkEnableOption "initramfs";
};
system.outputs = {
initramfs = mkOption {
type = types.package;
internal = true;
description = ''
Initramfs image capable of mounting the real root
filesystem
'';
};
systemConfiguration = mkOption {
type = types.package;
description = ''
pkgs.systemconfig for the configured filesystem,
contains 'activate' and 'init' commands
'';
internal = true;
};
system.outputs.initramfs = mkOption {
type = types.package;
internal = true;
description = ''
Initramfs image capable of mounting the jffs2 root
filesystem
'';
};
};
config = mkIf config.boot.initramfs.enable {
@ -47,14 +37,18 @@ in
dir /proc 0755 0 0
dir /dev 0755 0 0
nod /dev/console 0600 0 0 c 5 1
nod /dev/mtdblock0 0600 0 0 b 31 0
nod /dev/mtdblock1 0600 0 0 b 31 1
nod /dev/mtdblock2 0600 0 0 b 31 2
nod /dev/mtdblock3 0600 0 0 b 31 3
nod /dev/mtdblock4 0600 0 0 b 31 4
nod /dev/mtdblock5 0600 0 0 b 31 5
dir /target 0755 0 0
dir /target/persist 0755 0 0
dir /target/nix 0755 0 0
file /init ${pkgs.preinit}/bin/preinit 0755 0 0
SPECIALS
'';
systemConfiguration =
pkgs.systemconfig config.filesystem.contents;
};
};
}

54
modules/jffs2.nix Normal file
View File

@ -0,0 +1,54 @@
{
config
, pkgs
, lib
, ...
}:
let
inherit (lib) mkIf mkOption types;
in
{
imports = [
./initramfs.nix
];
options.system.outputs = {
systemConfiguration = mkOption {
type = types.package;
description = ''
pkgs.systemconfig for the configured filesystem,
contains 'activate' and 'init' commands
'';
internal = true;
};
};
config = mkIf (config.rootfsType == "jffs2") {
kernel.config = {
JFFS2_FS = "y";
JFFS2_LZO = "y";
JFFS2_RTIME = "y";
JFFS2_COMPRESSION_OPTIONS = "y";
JFFS2_ZLIB = "y";
JFFS2_CMODE_SIZE = "y";
};
boot.initramfs.enable = true;
system.outputs = rec {
systemConfiguration =
pkgs.systemconfig config.filesystem.contents;
rootfs =
let
inherit (pkgs.pkgsBuildBuild) runCommand mtdutils;
endian = if pkgs.stdenv.isBigEndian
then "--big-endian" else "--little-endian";
in runCommand "make-jffs2" {
depsBuildBuild = [ mtdutils ];
} ''
mkdir -p $TMPDIR/empty/nix/store/ $TMPDIR/empty/secrets
cp ${systemConfiguration}/bin/activate $TMPDIR/empty/activate
ln -s ${pkgs.s6-init-bin}/bin/init $TMPDIR/empty/init
grafts=$(sed < ${systemConfiguration}/etc/nix-store-paths 's/^\(.*\)$/--graft \1:\1/g')
mkfs.jffs2 --compression-mode=size ${endian} -e ${config.hardware.flash.eraseBlockSize} --enable-compressor=lzo --pad --root $TMPDIR/empty --output $out $grafts --squash --faketime
'';
};
};
}

25
modules/kernel.nix
View File

@ -9,14 +9,13 @@ let
inherit (pkgs.pseudofile) dir symlink;
inherit (pkgs.liminix.networking) address interface;
inherit (pkgs.liminix.services) bundle;
inherit (pkgs) liminix;
type_service = pkgs.liminix.lib.types.service;
in {
options = {
kernel = {
src = mkOption { type = types.path; } ;
src = mkOption { type = types.package; } ;
modular = mkOption {
type = types.bool;
default = true;
@ -25,7 +24,7 @@ in {
extraPatchPhase = mkOption {
default = "true";
type = types.lines;
};
} ;
config = mkOption {
description = ''
Kernel config options, as listed in Kconfig* files in the
@ -42,25 +41,11 @@ in {
};
'';
};
makeTargets = mkOption {
type = types.listOf types.str;
};
};
};
config = {
system.outputs =
let k = liminix.builders.kernel.override {
inherit (config.kernel) config src extraPatchPhase;
targets = config.kernel.makeTargets;
};
in {
kernel = k.vmlinux;
zimage = k.zImage;
};
kernel = rec {
modular = true; # disabling this is not yet supported
makeTargets = ["vmlinux"];
config = {
IKCONFIG = "y";
IKCONFIG_PROC = "y";
@ -71,6 +56,10 @@ in {
MODULE_SIG = if modular then "y" else "n";
DEBUG_FS = "y";
MIPS_BOOTLOADER_CMDLINE_REQUIRE_COOKIE = "y";
MIPS_BOOTLOADER_CMDLINE_COOKIE = "\"liminix\"";
MIPS_CMDLINE_DTB_EXTEND = "y";
# basic networking protocols
NET = "y";
UNIX = "y";
@ -79,8 +68,6 @@ in {
PACKET = "y"; # for ppp, tcpdump ...
SYSVIPC= "y";
NETDEVICES = "y"; # even PPP needs this
# disabling this option causes the kernel to use an "empty"
# initramfs instead: it has a /dev/console node and not much
# else. Note that pid 1 is started *before* the root

2
modules/outputs/kexecboot.nix → modules/kexecboot.nix
View File

@ -7,7 +7,7 @@
let
inherit (lib) mkOption mkForce types concatStringsSep;
in {
imports = [ ../ramdisk.nix ];
imports = [ ./ramdisk.nix ];
options.system.outputs = {
kexecboot = mkOption {
type = types.package;

53
modules/mount/default.nix
View File

@ -1,53 +0,0 @@
## Mount
##
## Mount filesystems
{ lib, pkgs, config, ...}:
let
inherit (lib) mkOption types;
inherit (pkgs) liminix;
mkBoolOption = description : mkOption {
type = types.bool;
inherit description;
default = true;
};
in {
options = {
system.service.mount = mkOption {
type = liminix.lib.types.serviceDefn;
};
};
config.system.service = {
mount = liminix.callService ./service.nix {
device = mkOption {
type = types.str;
example = "/dev/sda1";
};
mountpoint = mkOption {
type = types.str;
example = "/mnt/media";
};
options = mkOption {
type = types.listOf types.str;
default = [];
example = ["noatime" "ro" "sync"];
};
fstype = mkOption {
type = types.str;
default = "auto";
example = "vfat";
};
};
};
config.programs.busybox = {
applets = ["blkid" "findfs"];
options = {
FEATURE_BLKID_TYPE = "y";
FEATURE_MOUNT_FLAGS = "y";
FEATURE_MOUNT_LABEL = "y";
FEATURE_VOLUMEID_EXT = "y";
};
};
}

18
modules/mount/service.nix
View File

@ -1,18 +0,0 @@
{
liminix
, lib
}:
{ device, mountpoint, options, fstype }:
let
inherit (liminix.services) oneshot;
in oneshot {
name = "mount.${lib.escapeURL mountpoint}";
up = ''
while ! findfs ${device}; do
echo waiting for device ${device}
sleep 1
done
mount -t ${fstype} -o ${lib.concatStringsSep "," options} ${device} ${mountpoint}
'';
down = "umount ${mountpoint}";
}

79
modules/network/default.nix
View File

@ -9,7 +9,6 @@
let
inherit (lib) mkOption types;
inherit (pkgs) liminix;
inherit (pkgs.liminix.services) bundle;
in {
options = {
system.service.network = {
@ -21,12 +20,6 @@ in {
description = "network interface address";
type = liminix.lib.types.serviceDefn;
};
route = mkOption {
type = liminix.lib.types.serviceDefn;
};
forward = mkOption {
type = liminix.lib.types.serviceDefn;
};
dhcp = {
client = mkOption {
# this needs to move to its own service as it has
@ -38,51 +31,12 @@ in {
};
};
config = {
hardware.networkInterfaces = {
lo =
let
net = config.system.service.network;
iface = net.link.build { ifname = "lo";};
in bundle {
name = "loopback";
contents = [
( net.address.build {
interface = iface;
family = "inet";
address ="127.0.0.1";
prefixLength = 8;
})
( net.address.build {
interface = iface;
family = "inet6";
address = "::1";
prefixLength = 128;
})
];
};
};
services.loopback = config.hardware.networkInterfaces.lo;
system.service.network = {
link = liminix.callService ./link.nix {
ifname = mkOption {
type = types.str;
example = "eth0";
description = ''
Device name as used by the kernel (as seen in "ip link"
or "ifconfig" output). If devpath is also specified, the
device will be renamed to the name provided.
'';
};
devpath = mkOption {
type = types.nullOr types.str;
default = null;
example = "/devices/platform/soc/soc:internal-regs/f1070000.ethernet";
description = ''
Path to the sysfs node of the device. If you provide this
and the ifname option, the device will be renamed to the
name given by ifname.
''; };
# other "ip link add" options could go here as well
mtu = mkOption {
type = types.nullOr types.int;
@ -103,39 +57,6 @@ in {
type = types.ints.between 0 128;
};
};
route = liminix.callService ./route.nix {
interface = mkOption {
type = types.nullOr liminix.lib.types.interface;
default = null;
description = "Interface to route through. May be omitted if it can be inferred from \"via\"";
};
target = mkOption {
type = types.str;
description = "host or network to add route to";
};
via = mkOption {
type = types.str;
description = "address of next hop";
};
metric = mkOption {
type = types.int;
description = "route metric";
default = 100;
};
};
forward = liminix.callService ./forward.nix {
enableIPv4 = mkOption {
type = types.bool;
default = true;
};
enableIPv6 = mkOption {
type = types.bool;
default = true;
};
};
dhcp.client = liminix.callService ./dhcpc.nix {
interface = mkOption {
type = liminix.lib.types.service;

21
modules/network/forward.nix
View File

@ -1,21 +0,0 @@
{
liminix
, ifwait
, serviceFns
, lib
}:
{ enableIPv4, enableIPv6 }:
let
inherit (liminix.services) oneshot;
ip4 = "/proc/sys/net/ipv4/conf/all/forwarding";
ip6 = "/proc/sys/net/ipv6/conf/all/forwarding";
opt = lib.optionalString;
sysctls = b :
""
+ opt enableIPv4 "echo ${b} > ${ip4}\n"
+ opt enableIPv6 "echo ${b} > ${ip6}\n";
in oneshot {
name = "forwarding${opt enableIPv4 "4"}${opt enableIPv6 "6"}";
up = sysctls "1";
down = sysctls "0";
}

20
modules/network/link.nix
View File

@ -4,27 +4,13 @@
, serviceFns
, lib
}:
{
ifname
, devpath ? null
, mtu} :
# if devpath is supplied, we rename the interface at that
# path to have the specified name.
{ifname, mtu} :
let
inherit (liminix.services) longrun oneshot;
inherit (lib) concatStringsSep;
name = "${ifname}.link";
rename = if devpath != null
then ''
oldname=$(cd /sys${devpath} && cd net/ && echo *)
ip link set ''${oldname} name ${ifname}
''
else "";
up = liminix.networking.ifup name ifname;
in oneshot {
inherit name;
up = ''
${rename}
${liminix.networking.ifup name ifname}
'';
inherit name up;
down = "ip link set down dev ${ifname}";
}

20
modules/network/route.nix
View File

@ -1,20 +0,0 @@
{
liminix
, ifwait
, serviceFns
, lib
}:
{ target, via, interface ? null, metric }:
let
inherit (liminix.services) oneshot;
with_dev = if interface != null then "dev $(output ${interface} ifname)" else "";
in oneshot {
name = "route-${target}-${builtins.substring 0 12 (builtins.hashString "sha256" "${via}-${if interface!=null then interface.name else ""}")}";
up = ''
ip route add ${target} via ${via} metric ${toString metric} ${with_dev}
'';
down = ''
ip route del ${target} via ${via} ${with_dev}
'';
dependencies = [] ++ lib.optional (interface != null) interface;
}

98
modules/outputs.nix
View File

@ -7,132 +7,84 @@
let
inherit (lib) mkOption types concatStringsSep;
inherit (pkgs) liminix callPackage writeText;
o = config.system.outputs;
in
{
imports = [
./squashfs.nix
./outputs/vmroot.nix
./outputs/extlinux.nix
];
options = {
system.outputs = {
# the convention here is to mark an output as "internal" if
# it's not a complete system (kernel plus userland, or installer)
# but only part of one.
kernel = mkOption {
type = types.package;
internal = true;
description = ''
kernel
******
Kernel vmlinux file (usually ELF)
'';
};
zimage = mkOption {
type = types.package;
internal = true;
description = ''
zimage
******
Kernel in compressed self-extracting package
'';
};
dtb = mkOption {
type = types.package;
internal = true;
description = ''
dtb
***
Compiled device tree (FDT) for the target device
'';
};
uimage = mkOption {
type = types.package;
internal = true;
description = ''
uimage
******
Combined kernel and FDT in uImage (U-Boot compatible) format
'';
};
u-boot = mkOption {
vmroot = mkOption {
type = types.package;
description = ''
Directory containing separate kernel and rootfs image for
use with qemu (see mips-vm)
'';
};
manifest = mkOption {
type = types.package;
internal = true;
description = ''
Debugging aid. JSON rendition of config.filesystem, on
which can run "nix-store -q --tree" on it and find
out what's in the image, which is nice if it's unexpectedly huge
'';
};
rootdir = mkOption {
type = types.package;
internal = true;
description = ''
directory of files to package into root filesystem
'';
};
bootablerootdir = mkOption {
type = types.package;
internal = true;
description = ''
directory of files to package into root filesystem, including
a kernel and appropriate associated gubbins for the
selected bootloader
'';
};
rootfs = mkOption {
type = types.package;
internal = true;
description = ''
root filesystem (squashfs or jffs2) image
'';
internal = true;
};
};
};
config = {
system.outputs = rec {
dtb = liminix.builders.dtb {
# tftpd = pkgs.buildPackages.tufted;
kernel = liminix.builders.kernel.override {
inherit (config.kernel) config src extraPatchPhase;
};
dtb = (callPackage ../kernel/dtb.nix {}) {
inherit (config.boot) commandLine;
dts = config.hardware.dts.src;
includes = config.hardware.dts.includes ++ [
"${o.kernel.headers}/include"
"${kernel.headers}/include"
];
};
uimage = liminix.builders.uimage {
uimage = (callPackage ../kernel/uimage.nix {}) {
commandLine = concatStringsSep " " config.boot.commandLine;
inherit (config.hardware) loadAddress entryPoint;
inherit (config.boot) imageFormat;
inherit (o) kernel dtb;
inherit kernel;
inherit dtb;
};
rootdir =
let
inherit (pkgs.pkgsBuildBuild) runCommand;
in runCommand "mktree" { } ''
mkdir -p $out/nix/store/ $out/secrets $out/boot
cp ${o.systemConfiguration}/bin/activate $out/activate
ln -s ${pkgs.s6-init-bin}/bin/init $out/init
mkdir -p $out/nix/store
for path in $(cat ${o.systemConfiguration}/etc/nix-store-paths) ; do
(cd $out && cp -a $path .$path)
done
'';
bootablerootdir =
let inherit (pkgs.pkgsBuildBuild) runCommand;
in runCommand "add-slash-boot" { } ''
cp -a ${o.rootdir} $out
${if config.boot.loader.extlinux.enable
then "(cd $out && chmod -R +w . && rmdir boot && cp -a ${o.extlinux} boot)"
else ""
}
'';
# could use trivial-builders.linkFarmFromDrvs here?
vmroot = pkgs.runCommand "qemu" {} ''
mkdir $out
cd $out
ln -s ${config.system.outputs.rootfs} rootfs
ln -s ${kernel} vmlinux
ln -s ${manifest} manifest
ln -s ${kernel.headers} build
'';
manifest = writeText "manifest.json" (builtins.toJSON config.filesystem.contents);
};
};

38
modules/outputs/ext4fs.nix
View File

@ -1,38 +0,0 @@
{
config
, pkgs
, lib
, ...
}:
let
inherit (lib) mkIf mkOption types;
o = config.system.outputs;
in
{
imports = [
./initramfs.nix
];
config = mkIf (config.rootfsType == "ext4") {
kernel.config = {
EXT4_FS = "y";
EXT4_USE_FOR_EXT2 = "y";
FS_ENCRYPTION = "y";
};
boot.initramfs.enable = true;
system.outputs = {
rootfs =
let
inherit (pkgs.pkgsBuildBuild) runCommand e2fsprogs;
in runCommand "mkfs.ext4" {
depsBuildBuild = [ e2fsprogs ];
} ''
tree=${o.bootablerootdir}
size=$(du -s --apparent-size --block-size 1024 $tree |cut -f1)
# add 25% for filesystem overhead
size=$(( 5 * $size / 4))
dd if=/dev/zero of=$out bs=1024 count=$size
mke2fs -t ext4 -j -d $tree $out
'';
};
};
}

39
modules/outputs/extlinux.nix
View File

@ -1,39 +0,0 @@
{
config
, pkgs
, lib
, ...
}:
let
inherit (lib) mkIf mkEnableOption mkOption types concatStringsSep;
cfg = config.boot.loader.extlinux;
o = config.system.outputs;
cmdline = concatStringsSep " " config.boot.commandLine;
wantsDtb = config.hardware.dts ? src && config.hardware.dts.src != null;
in {
options.system.outputs.extlinux = mkOption {
type = types.package;
# description = "";
};
options.boot.loader.extlinux.enable = mkEnableOption "extlinux";
config = { # mkIf cfg.enable {
system.outputs.extlinux = pkgs.runCommand "extlinux" {} ''
mkdir $out
cd $out
${if wantsDtb then "cp ${o.dtb} dtb" else "true"}
cp ${o.initramfs} initramfs
cp ${o.zimage} kernel
mkdir extlinux
cat > extlinux/extlinux.conf << _EOF
menu title Liminix
timeout 100
label Liminix
kernel /boot/kernel
# initrd /boot/initramfs
append ${cmdline} root=/dev/vda1
${if wantsDtb then "fdt /boot/dtb" else ""}
_EOF
'';
};
}

40
modules/outputs/jffs2.nix
View File

@ -1,40 +0,0 @@
{
config
, pkgs
, lib
, ...
}:
let
inherit (lib) mkIf mkOption types;
o = config.system.outputs;
in
{
imports = [
./initramfs.nix
];
config = mkIf (config.rootfsType == "jffs2") {
kernel.config = {
JFFS2_FS = "y";
JFFS2_LZO = "y";
JFFS2_RTIME = "y";
JFFS2_COMPRESSION_OPTIONS = "y";
JFFS2_ZLIB = "y";
JFFS2_CMODE_SIZE = "y";
};
boot.initramfs.enable = true;
system.outputs = {
rootfs =
let
inherit (pkgs.pkgsBuildBuild) runCommand mtdutils;
endian = if pkgs.stdenv.isBigEndian
then "--big-endian" else "--little-endian";
in runCommand "make-jffs2" {
depsBuildBuild = [ mtdutils ];
} ''
tree=${o.bootablerootdir}
(cd $tree && mkfs.jffs2 --compression-mode=size ${endian} -e ${toString config.hardware.flash.eraseBlockSize} --enable-compressor=lzo --pad --root . --output $out --squash --faketime )
'';
};
};
}

51
modules/outputs/mbrimage.nix
View File

@ -1,51 +0,0 @@
{
config
, pkgs
, lib
, ...
}:
let
inherit (lib) mkOption types concatStringsSep;
o = config.system.outputs;
phram_address = lib.toHexString (config.hardware.ram.startAddress + 256 * 1024 * 1024);
in {
options.system.outputs = {
mbrimage = mkOption {
type = types.package;
description = ''
mbrimage
*********
This creates a disk image file with a partition table containing
the contents of ``outputs.rootfs`` as its only partition.
'';
};
vmdisk = mkOption { type = types.package; };
};
config = {
system.outputs = {
mbrimage =
let
o = config.system.outputs;
in pkgs.runCommand "mbrimage" {
depsBuildBuild = [ pkgs.pkgsBuildBuild.util-linux ];
} ''
# leave 4 sectors at start for partition table
# and alignment to 2048 bytes (does that help?)
dd if=${o.rootfs} of=$out bs=512 seek=4 conv=sync
echo '4,-,L,*' | sfdisk $out
'';
vmdisk = pkgs.runCommand "vmdisk" {} ''
mkdir $out
cd $out
ln -s ${o.mbrimage} ./mbrimage
cat > run.sh <<EOF
#!${pkgs.runtimeShell}
${pkgs.pkgsBuildBuild.run-liminix-vm}/bin/run-liminix-vm --arch ${pkgs.stdenv.hostPlatform.qemuArch} --u-boot ${o.u-boot}/u-boot.bin --phram-address 0x${phram_address} --disk-image ${o.mbrimage} \$* /dev/null /dev/null
EOF
chmod +x run.sh
'';
};
};
}

117
modules/outputs/mtdimage.nix
View File

@ -1,117 +0,0 @@
{
config
, pkgs
, lib
, ...
}:
let
inherit (lib) mkOption types concatStringsSep;
inherit (config.boot) tftp;
in {
options.system.outputs = {
firmware = mkOption {
type = types.package;
internal = true; # component of mtdimage
description = ''
Binary image (combining kernel, FDT, rootfs, initramfs
if needed, etc) for the target device.
'';
};
flash-scr = mkOption {
type = types.package;
internal = true; # component of mtdimage
description = ''
Copy-pastable U-Boot commands to TFTP download the
image and write it to flash
'';
};
mtdimage = mkOption {
type = types.package;
description = ''
mtdimage
**********
This creates an image called :file:`firmware.bin` suitable for
squashfs or jffs2 systems. It can be flashed from U-Boot (if
you have a serial console connection), or on some devices from
the vendor firmware, or from a Liminix kexecboot system.
If you are flashing from U-Boot, the file
:file:`flash.scr` is a sequence of commands
which you can paste at the U-Boot prompt to
to transfer the firmware file from a TFTP server and
write it to flash. **Please read the script before
running it: flash operations carry the potential to
brick your device**
.. NOTE::
TTL serial connections typically have no form of flow
control and so don't always like having massive chunks of
text pasted into them - and U-Boot may drop characters
while it's busy. So don't necessarily expect to copy-paste
the whole of :file:`flash.scr` into a terminal emulator and
have it work just like that. You may need to paste each
line one at a time, or even retype it.
'';
};
};
config = {
kernel = {
config = {
MTD_SPLIT_UIMAGE_FW = "y";
} // lib.optionalAttrs (pkgs.stdenv.isMips) {
# https://stackoverflow.com/questions/26466470/can-the-logical-erase-block-size-of-an-mtd-device-be-increased
MTD_SPI_NOR_USE_4K_SECTORS = "n";
};
};
programs.busybox.applets = [
"flashcp"
];
system.outputs = {
firmware =
let
o = config.system.outputs;
bs = toString config.hardware.flash.eraseBlockSize;
in pkgs.runCommand "firmware" {} ''
dd if=${o.uimage} of=$out bs=${bs} conv=sync
dd if=${o.rootfs} of=$out bs=${bs} conv=sync,nocreat,notrunc oflag=append
'';
mtdimage =
let o = config.system.outputs; in
# could use trivial-builders.linkFarmFromDrvs here?
pkgs.runCommand "mtdimage" {} ''
mkdir $out
cd $out
ln -s ${o.firmware} firmware.bin
ln -s ${o.rootfs} rootfs
ln -s ${o.kernel} vmlinux
ln -s ${o.manifest} manifest
ln -s ${o.kernel.headers} build
ln -s ${o.uimage} uimage
ln -s ${o.dtb} dtb
ln -s ${o.flash-scr} flash.scr
'';
flash-scr =
let
inherit (pkgs.lib.trivial) toHexString;
inherit (config.hardware) flash;
in
pkgs.buildPackages.runCommand "" {} ''
imageSize=$(stat -L -c %s ${config.system.outputs.firmware})
cat > $out << EOF
setenv serverip ${tftp.serverip}
setenv ipaddr ${tftp.ipaddr}
tftp 0x${toHexString tftp.loadAddress} result/firmware.bin
erase 0x${toHexString flash.address} +0x${toHexString flash.size}
cp.b 0x${toHexString tftp.loadAddress} 0x${toHexString flash.address} \''${filesize}
echo command line was ${builtins.toJSON (concatStringsSep " " config.boot.commandLine)}
EOF
'';
};
};
}

127
modules/outputs/tftpboot.nix
View File

@ -1,127 +0,0 @@
{
config
, pkgs
, lib
, ...
}:
let
inherit (lib) mkOption types concatStringsSep;
cfg = config.boot.tftp;
in {
imports = [ ../ramdisk.nix ];
options.boot.tftp = {
freeSpaceBytes = mkOption {
type = types.int;
default = 0;
};
kernelFormat = mkOption {
type = types.enum [ "zimage" "uimage" ];
default = "uimage";
};
compressRoot = mkOption {
type = types.bool;
default = false;
};
};
options.system.outputs = {
tftpboot = mkOption {
type = types.package;
description = ''
tftpboot
********
This output is intended for developing on a new device.
It assumes you have a serial connection and a
network connection to the device and that your
build machine is running a TFTP server.
The output is a directory containing kernel and
root filesystem image, and a script :file:`boot.scr` of U-Boot
commands that will load the images into memory and
run them directly,
instead of first writing them to flash. This saves
time and erase cycles.
It uses the Linux `phram <https://github.com/torvalds/linux/blob/master/drivers/mtd/devices/phram.c>`_ driver to emulate a flash device using a segment of physical RAM.
'';
};
};
config = {
boot.ramdisk.enable = true;
system.outputs = rec {
tftpboot =
let
inherit (pkgs.lib.trivial) toHexString;
o = config.system.outputs;
image = let choices = {
uimage = o.uimage;
zimage = o.zimage;
}; in choices.${cfg.kernelFormat};
bootCommand = let choices = {
uimage = "bootm";
zimage = "bootz";
}; in choices.${cfg.kernelFormat};
cmdline = concatStringsSep " " config.boot.commandLine;
in
pkgs.runCommand "tftpboot" { nativeBuildInputs = with pkgs.pkgsBuildBuild; [ lzma dtc ]; } ''
mkdir $out
cd $out
binsize() { local s=$(stat -L -c %s $1); echo $(($s + 0x1000 &(~0xfff))); }
binsize64k() { local s=$(stat -L -c %s $1); echo $(($s + 0x10000 &(~0xffff))); }
hex() { printf "0x%x" $1; }
rootfsStart=${toString cfg.loadAddress}
rootfsSize=$(binsize64k ${o.rootfs} )
dtbStart=$(($rootfsStart + $rootfsSize))
dtbSize=$(binsize ${o.dtb} )
imageStart=$(($dtbStart + $dtbSize))
imageSize=$(binsize ${image})
ln -s ${o.manifest} manifest
ln -s ${image} image
ln -s ${o.kernel} vmlinux # handy for gdb
${if cfg.compressRoot
then ''
lzma -z9cv ${o.rootfs} > rootfs.lz
rootfsLzStart=$(($imageStart + $imageSize))
rootfsLzSize=$(binsize rootfs.lz)
''
else "ln -s ${o.rootfs} rootfs"
}
cat ${o.dtb} > dtb
address_cells=$(fdtget dtb / '#address-cells')
size_cells=$(fdtget dtb / '#size-cells')
if [ $address_cells -gt 1 ]; then ac_prefix=0; fi
if [ $size_cells -gt 1 ]; then sz_prefix=0; fi
fdtput -p dtb /reserved-memory '#address-cells' $address_cells
fdtput -p dtb /reserved-memory '#size-cells' $size_cells
fdtput -p dtb /reserved-memory ranges
node=$(printf "phram-rootfs@%x" $rootfsStart)
fdtput -p -t s dtb /reserved-memory/$node compatible phram
fdtput -p -t lx dtb /reserved-memory/$node reg $ac_prefix $(hex $rootfsStart) $sz_prefix $(hex $rootfsSize)
cmd="liminix ${cmdline} mtdparts=phram0:''${rootfsSize}(rootfs) phram.phram=phram0,''${rootfsStart},''${rootfsSize},${toString config.hardware.flash.eraseBlockSize} root=/dev/mtdblock0";
fdtput -t s dtb /chosen bootargs "$cmd"
# dtc -I dtb -O dts -o /dev/stdout dtb | grep -A10 chosen ; exit 1
cat > boot.scr << EOF
setenv serverip ${cfg.serverip}
setenv ipaddr ${cfg.ipaddr}
tftpboot $(hex $imageStart) result/image ; ${
if cfg.compressRoot
then "tftpboot $(hex $rootfsLzStart) result/rootfs.lz"
else "tftpboot $(hex $rootfsStart) result/rootfs"
}; tftpboot $(hex $dtbStart) result/dtb
${if cfg.compressRoot
then "lzmadec $(hex $rootfsLzStart) $(hex $rootfsStart); "
else ""
} ${bootCommand} $(hex $imageStart) - $(hex $dtbStart)
EOF
'';
};
};
}

42
modules/outputs/ubifs.nix
View File

@ -1,42 +0,0 @@
{
config
, pkgs
, lib
, ...
}:
let
inherit (lib) mkIf mkOption types;
o = config.system.outputs;
in
{
imports = [
./initramfs.nix
];
options.hardware.ubi = {
minIOSize = mkOption { type = types.str; };
eraseBlockSize = mkOption { type = types.str; }; # LEB
maxLEBcount = mkOption { type = types.str; }; # LEB
};
config = mkIf (config.rootfsType == "ubifs") {
kernel.config = {
MTD_UBI="y";
UBIFS_FS = "y";
UBIFS_FS_SECURITY = "n";
};
boot.initramfs.enable = true;
system.outputs = {
rootfs =
let
inherit (pkgs.pkgsBuildBuild) runCommand mtdutils;
cfg = config.hardware.ubi;
in runCommand "mkfs.ubifs" {
depsBuildBuild = [ mtdutils ];
} ''
mkdir tmp
tree=${o.bootablerootdir}
mkfs.ubifs -x favor_lzo -c ${cfg.maxLEBcount} -m ${cfg.minIOSize} -e ${cfg.eraseBlockSize} -y -r $tree --output $out --squash-uids -o $out
'';
};
};
}

126
modules/outputs/ubimage.nix
View File

@ -1,126 +0,0 @@
{
config
, pkgs
, lib
, ...
}:
let
inherit (lib) mkIf mkEnableOption mkOption types concatStringsSep;
cfg = config.boot.tftp;
instructions = pkgs.writeText "env.scr" ''
setenv serverip ${cfg.serverip}
setenv ipaddr ${cfg.ipaddr}
setenv loadaddr ${lib.toHexString cfg.loadAddress}
'';
in {
options.system.outputs = {
ubimage = mkOption {
type = types.package;
description = ''
ubimage
*******
This output provides a UBIFS filesystem image and a small U-Boot script
to make the manual installation process very slightly simpler. You will
need a serial connection and a network connection to a TFTP server
containing the filesystem image it creates.
.. warning:: These steps were tested on a Belkin RT3200 (also known as
Linksys E8450). Other devices may be set up differently,
so use them as inspiration and don't just paste them
blindly.
1) determine which MTD device is being used for UBI, and the partition name:
.. code-block:: console
uboot> ubi part
Device 0: ubi0, MTD partition ubi
In this case the important value is ``ubi0``
2) list the available volumes and create a new one on which to install Liminix
.. code-block:: console
uboot> ubi info l
[ copious output scrolls past ]
Expect there to be existing volumes and for some or all of them to be
important. Unless you know what you're doing, don't remove anything
whose name suggests it's related to uboot, or any kind of backup or
recovery partition. To see how much space is free:
.. code-block:: console
uboot> ubi info
[ ... ]
UBI: available PEBs: 823
Now we can make our new root volume
.. code-block:: console
uboot> ubi create liminix -
3) transfer the root filesystem from the build system and write it
to the new volume. Paste the environment variable settings from
:file:`result/env.scr` into U-Boot, then run
.. code-block:: console
uboot> tftpboot ''${loadaddr} result/rootfs
uboot> ubi write ''${loadaddr} liminix $filesize
Now we have the root filesystem installed on the device. You
can even mount it and poke around using ``ubifsmount ubi0:liminix;
ubifsls /``
4) optional: before you configure the device to boot into Liminix
automatically, you can try booting it by hand to see if it works:
.. code-block:: console
uboot> ubifsmount ubi0:liminix
uboot> ubifsload ''${loadaddr} boot/uimage
uboot> bootm ''${loadaddr}
Once you've done this and you're happy with it, reset the device to
U-Boot. You don't need to recreate the volume but you do need to
repeat step 3.
5) Instructions for configuring autoboot are likely to be very
device-dependent. On the Linksys E8450/Belkin RT3200, the environment
variable `boot_production` governs what happens on a normal boot, so
you could do
.. code-block:: console
uboot> setenv boot_production 'led $bootled_pwr on ; ubifsmount ubi0:liminix; ubifsload ''${loadaddr} boot/uimage; bootm ''${loadaddr}'
On other devices, some detective work may be needed. Try running
`printenv` and look for likely commands, try looking at the existing
boot process, maybe even try looking for documentation for that device.
6) Now you can reboot the device into Liminix
.. code-block:: console
uboot> reset
'';
};
};
config = mkIf (config.rootfsType == "ubifs") {
system.outputs = {
ubimage =
let o = config.system.outputs; in
pkgs.runCommand "ubimage" {} ''
mkdir $out
cd $out
ln -s ${o.rootfs} rootfs
ln -s ${instructions} env.scr
'';
};
};
}

73
modules/outputs/vmroot.nix
View File

@ -1,73 +0,0 @@
{
config
, pkgs
, lib
, ...
}:
let
inherit (lib) mkOption types concatStringsSep;
in
{
options = {
system.outputs = {
vmroot = mkOption {
type = types.package;
description = ''
vmroot
******
This target is for use with the qemu, qemu-aarch64, qemu-armv7l
devices. It generates an executable :file:`run.sh` which
invokes QEMU. It connects the Liminix
serial console and the `QEMU monitor <https://www.qemu.org/docs/master/system/monitor.html>`_
to stdin/stdout. Use ^P (not ^A) to switch between monitor and
stdio.
If you call :command:`run.sh` with ``--background
/path/to/some/directory`` as the first parameter, it will
fork into the background and open Unix sockets in that
directory for console and monitor. Use :command:`nix-shell
--run connect-vm` to connect to either of these sockets, and
^O to disconnect.
Liminix VMs are networked using QEMU socket networking. The
default behaviour is to connect
* multicast 230.0.0.1:1234 ("access") to eth0
* multicast 230.0.0.1:1235 ("lan") to eth1
Refer to :ref:`border-network-gateway` for details of how to
start an emulated upstream on the "access" network that
your Liminix device can talk to.
'';
};
};
};
config = {
system.outputs = rec {
vmroot =
let
inherit (config.system.outputs) rootfs kernel manifest;
cmdline = builtins.toJSON (concatStringsSep " " config.boot.commandLine);
makeBootableImage = pkgs.runCommandCC "objcopy" {}
(if pkgs.stdenv.hostPlatform.isAarch
then "${pkgs.stdenv.cc.targetPrefix}objcopy -O binary -R .comment -S ${kernel} $out"
else "cp ${kernel} $out");
phram_address = lib.toHexString (config.hardware.ram.startAddress + 256 * 1024 * 1024);
in pkgs.runCommand "vmroot" {} ''
mkdir $out
cd $out
ln -s ${rootfs} rootfs
ln -s ${kernel} vmlinux
ln -s ${manifest} manifest
ln -s ${kernel.headers} build
echo ${cmdline} > commandline
cat > run.sh << EOF
#!${pkgs.runtimeShell}
${pkgs.pkgsBuildBuild.run-liminix-vm}/bin/run-liminix-vm --command-line ${cmdline} --arch ${pkgs.stdenv.hostPlatform.qemuArch} --phram-address 0x${phram_address} \$* ${makeBootableImage} ${config.system.outputs.rootfs}
EOF
chmod +x run.sh
'';
};
};
}

54
modules/s6/default.nix
View File

@ -55,9 +55,6 @@ let
run = {
file = ''
#!${execline}/bin/execlineb -P
importas PATH PATH
export PATH ${s6}/bin:''${PATH}
foreground { echo path is ''${PATH} }
${s6-linux-init}/bin/s6-linux-init-shutdownd -c "/etc/s6-linux-init/current" -g 3000
'';
mode = "0755";
@ -81,44 +78,26 @@ let
};
getty = dir {
run = {
# We can't run a useful shell on /dev/console because
# /dev/console is not allowed to be the controlling
# tty of any process, which means ^C ^Z etc don't work.
# So we work out what the *actual* console device is
# using sysfs and open our shell there instead.
file = ''
#!${execline}/bin/execlineb -P
${execline}/bin/cd /
redirfd -r 0 /sys/devices/virtual/tty/console/active
withstdinas CONSOLETTY
importas CONSOLETTY CONSOLETTY
redirfd -w 2 /dev/''${CONSOLETTY}
fdmove -c 1 2
redirfd -r 0 /dev/''${CONSOLETTY}
/bin/ash -l
'';
#!${execline}/bin/execlineb -P
/bin/getty -l /bin/login 115200 /dev/console
'';
mode = "0755";
};
down-signal = {
file = "HUP\n";
};
};
".s6-svscan" =
let
openConsole = ''
#!${execline}/bin/execlineb -P
${execline}/bin/redirfd -w 2 /dev/console
${execline}/bin/fdmove -c 1 2
'';
quit = message: ''
${openConsole}
${execline}/bin/foreground { ${s6-linux-init}/bin/s6-linux-init-echo -- ${message} }
${s6-linux-init}/bin/s6-linux-init-hpr -fr
'';
#!${execline}/bin/execlineb -P
${execline}/bin/redirfd -w 2 /dev/console
${execline}/bin/fdmove -c 1 2
${execline}/bin/foreground { ${s6-linux-init}/bin/s6-linux-init-echo -- ${message} }
${s6-linux-init}/bin/s6-linux-init-hpr -fr
'';
shutdown = action: ''
#!${execline}/bin/execlineb -P
${s6-linux-init}/bin/s6-linux-init-shutdown -a #{action} -- now
'';
#!${execline}/bin/execlineb -P
${s6-linux-init}/bin/s6-linux-init-hpr -a #{action} -- now
'';
empty = "#!${execline}/bin/execlineb -P\n";
in dir {
crash = {
@ -126,13 +105,7 @@ let
mode = "0755";
};
finish = {
file = ''
${openConsole}
ifelse { test -x /run/maintenance/exec } { /run/maintenance/exec }
foreground { echo "s6-svscan exited. Rebooting." }
wait { }
${s6-linux-init}/bin/s6-linux-init-hpr -fr
'';
file = quit "s6-svscan exited. Rebooting.";
mode = "0755";
};
SIGINT = {
@ -168,6 +141,7 @@ let
};
in {
config = {
programs.busybox.applets = [ "login" "getty" ];
filesystem = dir {
etc = dir {
s6-rc = dir {

30
modules/s6/scripts/rc.shutdown.final
View File

@ -1,22 +1,18 @@
#!/bin/sh -e
## s6-linux-init-shutdownd never tells s6-svscan to exit, so if
## you're running s6-linux-init, it's normal that your
## .s6-svscan/finish script is not executed.
### Things to do *right before* the machine gets rebooted or
### powered off, at the very end of the shutdown sequence,
### when all the filesystems are unmounted.
## The place where you want to hack things is /etc/rc.shutdown.final,
## which is run by the stage 4 script right before the hard reboot.
## So you can do dirty stuff [...] which should clean up the
## s6-supervise and the foreground, and give control to
## .s6-svscan/finish.
### This is a last resort hook; normally nothing should be
### done here (your rc.shutdown script should have taken care
### of everything) and you should leave this script empty.
## -- Laurent Bercot on skaware mailing list,
## https://skarnet.org/lists/skaware/1913.html
### Some distributions, however, may need to perform some
### actions after unmounting the filesystems: typically if
### an additional teardown action is required on a filesystem
### after unmounting it, or if the system needs to be
### pivot_rooted before it can be shut down, etc.
exec >/dev/console 2>&1
# down, exit supervisor, wait, stay down
s6-svc -dxwD /run/service/s6-linux-init-shutdownd
# HUP, exit supervisor, wait, down
s6-svc -hxwd /run/service/s6-svscan-log
s6-svscanctl -b /run/service # abort
### Those are all exceptional cases. If you don't know for
### certain that you need to do something here, you don't.

4
modules/squashfs.nix
View File

@ -12,9 +12,5 @@ in
config = mkIf (config.rootfsType == "squashfs") {
system.outputs.rootfs =
liminix.builders.squashfs config.filesystem.contents;
kernel.config = {
SQUASHFS = "y";
SQUASHFS_XZ = "y";
};
};
}

2
modules/ssh/ssh.nix
View File

@ -35,8 +35,6 @@ longrun {
if test -d /persist; then
mkdir -p /persist/secrets/dropbear
ln -s /persist/secrets/dropbear /run
else
mkdir -p /run/dropbear
fi
. /etc/profile # sets PATH but do we need this? it's the same file as ashrc
exec env -i ENV=/etc/ashrc PATH=$PATH ${dropbear}/bin/dropbear ${concatStringsSep " " options}

11
modules/standard.nix Normal file
View File

@ -0,0 +1,11 @@
{
# "standard" modules that aren't fundamentally required,
# but are probably useful in most common workflows and
# you should have to opt out of instead of into
imports = [
./tftpboot.nix
./kexecboot.nix
./flashimage.nix
./jffs2.nix
];
}

70
modules/tftpboot.nix Normal file
View File

@ -0,0 +1,70 @@
{
config
, pkgs
, lib
, ...
}:
let
inherit (lib) mkOption types concatStringsSep;
cfg = config.boot.tftp;
in {
imports = [ ./ramdisk.nix ];
options.boot.tftp.freeSpaceBytes = mkOption {
type = types.int;
default = 0;
};
options.system.outputs = {
tftpboot = mkOption {
type = types.package;
description = ''
Directory containing files needed for TFTP booting
'';
};
boot-scr = mkOption {
type = types.package;
description = ''
U-Boot commands to load and boot a kernel and rootfs over TFTP.
Copy-paste into the device boot monitor
'';
};
};
config = {
boot.ramdisk.enable = true;
system.outputs = rec {
tftpboot =
let o = config.system.outputs; in
pkgs.runCommand "tftpboot" {} ''
mkdir $out
cd $out
ln -s ${o.rootfs} rootfs
ln -s ${o.kernel} vmlinux
ln -s ${o.manifest} manifest
ln -s ${o.kernel.headers} build
ln -s ${o.uimage} uimage
ln -s ${o.boot-scr} boot.scr
'';
boot-scr =
let
inherit (pkgs.lib.trivial) toHexString;
o = config.system.outputs;
in
pkgs.buildPackages.runCommand "boot-scr" {} ''
uimageSize=$(($(stat -L -c %s ${o.uimage}) + 0x1000 &(~0xfff)))
rootfsStart=0x$(printf %x $((${cfg.loadAddress} + 0x100000 + $uimageSize)))
rootfsBytes=$(($(stat -L -c %s ${o.rootfs}) + 0x100000 &(~0xfffff)))
rootfsBytes=$(($rootfsBytes + ${toString cfg.freeSpaceBytes} ))
cmd="mtdparts=phram0:''${rootfsMb}M(rootfs) phram.phram=phram0,''${rootfsStart},''${rootfsBytes},${config.hardware.flash.eraseBlockSize} memmap=''${rootfsBytes}\$''${rootfsStart} root=/dev/mtdblock0";
cat > $out << EOF
setenv serverip ${cfg.serverip}
setenv ipaddr ${cfg.ipaddr}
setenv bootargs 'liminix $cmd'
tftp 0x$(printf %x ${cfg.loadAddress}) result/uimage ; tftp 0x$(printf %x $rootfsStart) result/rootfs
bootm 0x$(printf %x ${cfg.loadAddress})
EOF
'';
};
};
}

40
modules/vlan/default.nix
View File

@ -1,40 +0,0 @@
## VLAN
## ====
##
## Virtual LANs give you the ability to sub-divide a LAN. Linux can
## accept VLAN tagged traffic and presents each VLAN ID as a
## different network interface (eg: eth0.100 for VLAN ID 100)
##
## Some Liminix devices with multiple ethernet ports are implemented
## using a network switch connecting the physical ports to the CPU,
## and require using VLAN in order to send different traffic to
## different ports (e.g. LAN vs WAN)
{ lib, pkgs, config, ...}:
let
inherit (lib) mkOption types;
inherit (pkgs.liminix.services) oneshot;
inherit (pkgs) liminix;
in
{
options = {
system.service.vlan = mkOption { type = liminix.lib.types.serviceDefn; };
};
config.system.service.vlan = liminix.callService ./service.nix {
ifname = mkOption {
type = types.str;
description = "interface name to create";
};
primary = mkOption {
description = "existing physical interface";
type = liminix.lib.types.interface;
};
vid = mkOption {
description = "VLAN identifier (VID) in range 1-4094";
type = types.str;
};
};
config.kernel.config = {
VLAN_8021Q = "y";
};
}

18
modules/vlan/service.nix
View File

@ -1,18 +0,0 @@
{
liminix
, lib
}:
{ ifname, primary, vid } :
let
inherit (liminix.services) oneshot;
in oneshot rec {
name = "${ifname}.link";
up = ''
ip link add link $(output ${primary} ifname) name ${ifname} type vlan id ${vid}
${liminix.networking.ifup name ifname}
(in_outputs ${name}
echo ${ifname} > ifname
)
'';
down = "ip link set down dev ${ifname}";
}

30
modules/watchdog/default.nix
View File

@ -1,30 +0,0 @@
## Watchdog
##
## Enable hardware watchdog (for devices that support one) and
## feed it by checking the health of specified critical services.
## If the watchdog feeder stops, the device will reboot.
{ lib, pkgs, config, ...}:
let
inherit (lib) mkOption types;
inherit (pkgs) liminix;
in
{
options = {
system.service.watchdog = mkOption {
type = liminix.lib.types.serviceDefn;
};
};
config.system.service.watchdog = liminix.callService ./watchdog.nix {
watched = mkOption {
description = "services to watch";
type = types.listOf liminix.lib.types.service;
};
headStart = mkOption {
description = "delay in seconds before watchdog starts checking service health";
default = 60;
type = types.int;
};
};
config.kernel.config.WATCHDOG = "y";
}

23
modules/watchdog/gaspode.sh
View File

@ -1,23 +0,0 @@
#!/bin/sh
deadline=$(expr $(date +%s) + ${HEADSTART})
services=$@
echo started feeding the dog
exec 3> ${WATCHDOG-/dev/watchdog}
healthy(){
test $(date +%s) -le $deadline && return 0
for i in $services; do
if test "$(s6-svstat -o up /run/service/$i)" != "true" ; then
echo "service $i is down"
return 1
fi
done
}
while healthy ;do
sleep 10
echo >&3
done
echo "stopped feeding the dog"
sleep 6000 # don't want s6-rc to restart

12
modules/watchdog/watchdog.nix
View File

@ -1,12 +0,0 @@
{
liminix
, lib
}:
{ watched, headStart } :
let
inherit (liminix.services) longrun;
in longrun {
name = "watchdog";
run =
"HEADSTART=${toString headStart} ${./gaspode.sh} ${lib.concatStringsSep " " (builtins.map (s: s.name) watched)}";
}

212
overlay.nix
View File

@ -44,12 +44,20 @@ let
lua = let s = lua_no_readline.override { self = s; }; in s;
in
extraPkgs // {
# liminix library functions
lim = {
parseInt = s : (builtins.fromTOML "r=${s}").r;
};
mtdutils = prev.mtdutils.overrideAttrs(o: {
patches = (if o ? patches then o.patches else []) ++ [
./pkgs/mtdutils/0001-mkfs.jffs2-add-graft-option.patch
];
});
rsyncSmall =
let r = prev.rsync.overrideAttrs(o: {
configureFlags = o.configureFlags ++ [
"--disable-openssl"
];
});
in r.override { openssl = null; };
# keep these alphabetical
chrony =
let chrony' = prev.chrony.overrideAttrs(o: {
configureFlags = [
@ -71,6 +79,49 @@ extraPkgs // {
};
strace = prev.strace.override { libunwind = null; };
kexec-tools-static = prev.kexec-tools.overrideAttrs(o: {
# For kexecboot we copy kexec into a ramdisk on the system being
# upgraded from. This is more likely to work if kexec is
# statically linked so doesn't have dependencies on store paths that
# may not exist on that machine. (We can't nix-copy-closure as
# the store may not be on a writable filesystem)
LDFLAGS = "-static";
patches = o.patches ++ [
(fetchpatch {
# merge user command line options into DTB chosen
url = "https://patch-diff.githubusercontent.com/raw/horms/kexec-tools/pull/3.patch";
hash = "sha256-MvlJhuex9dlawwNZJ1sJ33YPWn1/q4uKotqkC/4d2tk=";
})
pkgs/kexec-map-file.patch
];
});
luaFull = prev.lua;
inherit lua;
inherit s6;
s6-linux-init = prev.s6-linux-init.override {
skawarePackages = prev.skawarePackages // {
inherit s6;
};
};
s6-rc = prev.s6-rc.override {
skawarePackages = prev.skawarePackages // {
inherit s6;
};
};
nftables = prev.nftables.overrideAttrs(o: {
configureFlags = [
"--disable-debug"
"--disable-python"
"--with-mini-gmp"
"--without-cli"
];
});
dnsmasq =
let d = prev.dnsmasq.overrideAttrs(o: {
@ -83,15 +134,6 @@ extraPkgs // {
nettle = null;
};
dropbear = prev.dropbear.overrideAttrs (o: {
postPatch = ''
(echo '#define DSS_PRIV_FILENAME "/run/dropbear/dropbear_dss_host_key"'
echo '#define RSA_PRIV_FILENAME "/run/dropbear/dropbear_rsa_host_key"'
echo '#define ECDSA_PRIV_FILENAME "/run/dropbear/dropbear_ecdsa_host_key"'
echo '#define ED25519_PRIV_FILENAME "/run/dropbear/dropbear_ed25519_host_key"') > localoptions.h
'';
});
hostapd =
let
config = [
@ -119,142 +161,14 @@ extraPkgs // {
});
in h.override { openssl = null; sqlite = null; };
kexec-tools-static = prev.kexec-tools.overrideAttrs(o: {
# For kexecboot we copy kexec into a ramdisk on the system being
# upgraded from. This is more likely to work if kexec is
# statically linked so doesn't have dependencies on store paths that
# may not exist on that machine. (We can't nix-copy-closure as
# the store may not be on a writable filesystem)
LDFLAGS = "-static";
patches = o.patches ++ [
(fetchpatch {
# merge user command line options into DTB chosen
url = "https://patch-diff.githubusercontent.com/raw/horms/kexec-tools/pull/3.patch";
hash = "sha256-MvlJhuex9dlawwNZJ1sJ33YPWn1/q4uKotqkC/4d2tk=";
})
pkgs/kexec-map-file.patch
];
});
luaFull = prev.lua;
inherit lua;
mtdutils = prev.mtdutils.overrideAttrs(o: {
patches = (if o ? patches then o.patches else []) ++ [
./pkgs/mtdutils/0001-mkfs.jffs2-add-graft-option.patch
];
});
nftables = prev.nftables.overrideAttrs(o: {
configureFlags = [
"--disable-debug"
"--disable-python"
"--with-mini-gmp"
"--without-cli"
];
});
openssl = prev.openssl.overrideAttrs (o: {
# we want to apply
# https://patch-diff.githubusercontent.com/raw/openssl/openssl/pull/20273.patch";
# which disables overriding the -march cflags to the wrong values,
# but openssl is used for bootstrapping so that's easier said than
# done. Do it the ugly way..
postPatch =
o.postPatch
+ (with final;
lib.optionalString (stdenv.buildPlatform != stdenv.hostPlatform)
"\nsed -i.bak 's/linux.*-mips/linux-mops/' Configure\n");
dropbear = prev.dropbear.overrideAttrs (o: {
postPatch = ''
(echo '#define DSS_PRIV_FILENAME "/run/dropbear/dropbear_dss_host_key"'
echo '#define RSA_PRIV_FILENAME "/run/dropbear/dropbear_rsa_host_key"'
echo '#define ECDSA_PRIV_FILENAME "/run/dropbear/dropbear_ecdsa_host_key"'
echo '#define ED25519_PRIV_FILENAME "/run/dropbear/dropbear_ed25519_host_key"') > localoptions.h
'';
});
pppBuild = prev.ppp;
qemuLim = let q = prev.qemu.overrideAttrs (o: {
patches = o.patches ++ [
./pkgs/qemu/arm-image-friendly-load-addr.patch
];
}); in q.override { nixosTestRunner = true; sdlSupport = false; };
rsyncSmall =
let r = prev.rsync.overrideAttrs(o: {
configureFlags = o.configureFlags ++ [
"--disable-openssl"
];
});
in r.override { openssl = null; };
inherit s6;
s6-linux-init = prev.s6-linux-init.override {
skawarePackages = prev.skawarePackages // {
inherit s6;
};
};
s6-rc = prev.s6-rc.override {
skawarePackages = prev.skawarePackages // {
inherit s6;
};
};
strace = prev.strace.override { libunwind = null; };
ubootQemuAarch64 = final.buildUBoot {
defconfig = "qemu_arm64_defconfig";
extraMeta.platforms = ["aarch64-linux"];
filesToInstall = ["u-boot.bin"];
};
ubootQemuArm = final.buildUBoot {
defconfig = "qemu_arm_defconfig";
extraMeta.platforms = ["armv7l-linux"];
filesToInstall = ["u-boot.bin"];
extraConfig = ''
CONFIG_CMD_UBI=y
CONFIG_CMD_UBIFS=y
CONFIG_BOOTSTD=y
CONFIG_BOOTMETH_DISTRO=y
CONFIG_LZMA=y
CONFIG_CMD_LZMADEC=y
CONFIG_SYS_BOOTM_LEN=0x1000000
'';
};
ubootQemuMips = final.buildUBoot {
defconfig = "malta_defconfig";
extraMeta.platforms = ["mips-linux"];
filesToInstall = ["u-boot.bin"];
# define the prompt to be the same as arm{32,64} so
# we can use the same expect script for both
extraPatches = [ ./pkgs/u-boot/0002-virtio-init-for-malta.patch ];
extraConfig = ''
CONFIG_SYS_PROMPT="=> "
CONFIG_VIRTIO=y
CONFIG_AUTOBOOT=y
CONFIG_DM_PCI=y
CONFIG_VIRTIO_PCI=y
CONFIG_VIRTIO_NET=y
CONFIG_VIRTIO_BLK=y
CONFIG_VIRTIO_MMIO=y
CONFIG_QFW_MMIO=y
CONFIG_FIT=y
CONFIG_LZMA=y
CONFIG_CMD_LZMADEC=y
CONFIG_SYS_BOOTM_LEN=0x1000000
CONFIG_SYS_MALLOC_LEN=0x400000
CONFIG_MIPS_BOOT_FDT=y
CONFIG_OF_LIBFDT=y
CONFIG_OF_STDOUT_VIA_ALIAS=y
'';
};
util-linux-small = prev.util-linux.override {
ncursesSupport = false;
pamSupport = false;
systemdSupport = false;
nlsSupport = false;
translateManpages = false;
capabilitiesSupport = false;
};
}

Some files were not shown because too many files have changed in this diff Show More