default firewall zones in gateway profile

- zones are an attrset of name -> [interface-service]

- the firewall will create empty "ifname" sets for each zone name
 in each address family (ip, ip6)

- then watch the interface services, and add the "ifname" outputs
to the corresponding sets when they appear

This commit only adds the empty sets

NEWS

@@ -34,7 +34,7 @@ Upstream changes that have led to incompatible Liminix changes are:
 2024-01-30
 
 New port! Thanks to Arnout Engelen <arnout@bzzt.net>, Liminix
-now runs on the TP-Link Archer AX23
+now runs on the TP-Link Archer AX23.
 
 2024-02-12
 
@@ -80,3 +80,80 @@ Turris Omnia and has been serving my family's internet needs for most
 of this week.  Thanks to NGI0 Entrust and the NLnet Foundation for
 sponsoring this development (and funding the hardware)
 
+2024-02-21
+
+New port! Thanks to Raito Bezarius, Liminix now runs on the Zyxel NWA50AX,
+an MT7621 (MIPS EL) dual radio WiFi AP.
+
+2024-04-29
+
+The setup for using `levitate` has changed: now it accepts an entire
+config fragment, not just a list of services.  Hopefully this makes it
+a bit more useful :-)
+
+  defaultProfile.packages = with pkgs; [
+    ... 
+    (levitate.override {
+      config  = {
+        services = {
+          inherit (config.services) dhcpc sshd watchdog;
+        };
+        defaultProfile.packages = [ mtdutils ];
+        users.root.openssh.authorizedKeys.keys = secrets.root.keys;
+      };
+    })
+  ];
+
+2024-07-16
+
+* structured parameters are available for the pppoe service
+
+* The "wan" configuration in modules/profiles/gateway.nix has changed:
+instead of passing options that are used to create a pppoe interface,
+callers should create a (pppoe or other) interface and pass that as
+the value of profile.gateway.wan. For the pppoe case this is now only
+very slightly more verbose, and it allows using the gateway profile
+with other kinds of upstream.
+
+2024-8-16
+
+As part of implementing log shipping, the default directory for system
+logs has beenchanged from /run/uncaught-logs to /run/log
+
+2024-10-09
+
+liminix-rebuild is being deprecated. From hereon in, the preferred way
+to do an incremental update on an installed device with a writable
+filesystem is to build the systemConfiguration output
+
+    nix-build  -I liminix-config=hosts/myhost.nix --argstr deviceName turris-omnia -A outputs.systemConfiguration 
+
+and then run the generated `install.sh` script
+
+    result/install.sh root@192.168.8.1
+
+2024-12-16
+
+Config options changed: if you had set config.hardware.dts.includes
+(maybe in an out-of-tree device port) to specify the search paths
+in which dtc finds include files, you will need to change this to 
+hardware.dts.includePaths.
+
+The "new" hardware.dts.includes option is now for dtsi files which
+should be merged into the device tree.
+
+2024-12-19
+
+Incremental updates changed again (but not massively). From hereon in,
+the preferred way to do an incremental update on an installed device
+with a writable filesystem is to build the updater output
+
+    nix-build  -I liminix-config=hosts/myhost.nix --argstr deviceName turris-omnia -A outputs.updater
+
+and then run the generated `update.sh` script. See 
+https://www.liminix.org/doc/admin.html#updating-an-installed-system
+
+2024-12-22
+
+outputs.zimage is now outputs.kernel.zImage. This is unlikely to
+affect many people at all but I mention it anyway.

boot.expect

@@ -0,0 +1,42 @@
+# This is for use with minicom, but needs you to configure it to
+# use expect as its "Script program" instead of runscript.  Try
+# Ctrl+A O -> Filenames and paths -> D
+
+fconfigure stderr -buffering  none
+fconfigure stdout -buffering  none
+
+proc waitprompt { } {
+    expect {
+      "BusyBox" { puts stderr  "DONE\r"; exit 0 }
+      "READY" { puts stderr ";;; READY\r"; }
+      timeout { puts stderr ";;; timed out waiting after $line\r" }
+    }
+}
+
+proc sendline { line } {
+     send "$line; echo \$ready \r"
+     sleep 0.1
+}
+
+log_user 0
+log_file -a -open stderr
+
+set f [open "result/boot.scr"]
+
+send "setenv ready REA\r"
+sleep 0.1
+send "setenv ready \${ready}DY\r"
+sleep 0.1
+
+set timeout 300
+expect_before timeout abort
+while {[gets $f line] >= 0} {
+    puts stderr ";;; next line $line\r"
+    puts stderr ";;; waiting for prompt\r"
+    puts stderr ";;; sending\r"	
+    sendline $line
+    waitprompt
+}
+
+puts stderr "done\r\n"
+close $f

bordervm-configuration.nix

@@ -4,6 +4,10 @@ let
   inherit (lib) mkOption mkEnableOption mdDoc types optional optionals;
 in {
   options.bordervm = {
+    keys = mkOption {
+      type = types.listOf types.str;
+      default = [ ];
+    };
     l2tp = {
       host = mkOption {
         description = mdDoc ''
@@ -51,18 +55,17 @@ in {
     <nixpkgs/nixos/modules/virtualisation/qemu-vm.nix>
   ];
   config = {
-    boot.kernelParams = [
-      "loglevel=9"
-    ];
+    boot.kernelParams = [ "loglevel=9" ];
     systemd.services.pppoe =
-      let conf = pkgs.writeText "kpppoed.toml"
-        ''
-      interface_name = "eth1"
-      services = [ "myservice" ]
-      lns_ipaddr = "${cfg.l2tp.host}:${builtins.toString cfg.l2tp.port}"
-      ac_name = "kpppoed-1.0"
-    '';
-      in  {
+      let
+        conf = pkgs.writeText "kpppoed.toml" ''
+          interface_name = "eth1"
+          services = [ "myservice" ]
+          lns_ipaddr = "${cfg.l2tp.host}:${builtins.toString cfg.l2tp.port}"
+          ac_name = "kpppoed-1.0"
+        '';
+      in
+      {
         wantedBy = [ "multi-user.target" ];
         after = [ "network-online.target" ];
         serviceConfig = {
@@ -76,29 +79,69 @@ in {
       };
     };
     services.openssh.enable = true;
+    services.dnsmasq = {
+      enable = true;
+      resolveLocalQueries = false;
+      settings = {
+        # domain-needed = true;
+        dhcp-range = [ "10.0.0.10,10.0.0.240" ];
+        interface = "eth1";
+      };
+    };
+
+    services.nginx = {
+      enable = true;
+      user = "liminix";
+      virtualHosts.${config.networking.hostName} = {
+        root = "/home/liminix";
+        default = true;
+      };
+    };
+    systemd.services.nginx.serviceConfig.ProtectHome = "read-only";
+
     systemd.services.sshd.wantedBy = pkgs.lib.mkForce [ "multi-user.target" ];
 
     virtualisation = {
+      forwardPorts = [
+        {
+          from = "host";
+          host.port = 7654;
+          #        guest.address = "10.0.2.15";
+          guest.port =7654;
+        }
+        {
+          host.port = 2222;
+          guest.address = "10.0.2.15";
+          guest.port = 22;
+        }];
       qemu = {
-        networkingOptions = [];
-        options = [] ++
-          optional cfg.ethernet.pci.enable
-            "-device vfio-pci,host=${cfg.ethernet.pci.id}" ++
-          optionals cfg.ethernet.usb.enable [
+        networkingOptions = [ ];
+        options =
+          [ ]
+          ++ optional cfg.ethernet.pci.enable "-device vfio-pci,host=${cfg.ethernet.pci.id}"
+          ++ optionals cfg.ethernet.usb.enable [
             "-device usb-ehci,id=ehci"
             "-device usb-host,bus=ehci.0,vendorid=${cfg.ethernet.usb.vendor},productid=${cfg.ethernet.usb.product}"
-          ] ++ [
+          ]
+          ++ [
             "-nographic"
             "-serial mon:stdio"
           ];
       };
       sharedDirectories = {
         liminix = {
+          securityModel = "none";
           source = builtins.toString ./.;
           target = "/home/liminix/liminix";
         };
       };
     };
+
+    services.tang = {
+      enable = true;
+      ipAddressAllow = [ "10.0.0.0/24" "0.0.0.0/0" ];
+    };
+
     environment.systemPackages =
       let wireshark-nogui = pkgs.wireshark.override { withQt = false ; };
           in with pkgs; [
@@ -108,6 +151,8 @@ in {
             tufted
             iptables
             usbutils
+            busybox
+            clevis
           ];
     security.sudo.wheelNeedsPassword = false;
     networking = {
@@ -117,11 +162,17 @@ in {
         useDHCP = false;
         ipv4.addresses = [ { address = "10.0.0.1"; prefixLength = 24;}];
       };
+      nat = {
+        enable = true;
+        internalInterfaces = [ "eth1" ];
+        externalInterface = "eth0";
+      };
     };
     users.users.liminix = {
       isNormalUser = true;
       uid = 1000;
-      extraGroups = [ "wheel"];
+      extraGroups = [ "wheel" ];
+      openssh.authorizedKeys.keys = cfg.keys;
     };
     services.getty.autologinUser = "liminix";
   };

bordervm.conf-example.nix

@@ -1,8 +1,12 @@
-{...}:
+{ ... }:
 {
   bordervm = {
     # ethernet.pci = { id = "01:00.0"; enable = true; };
-    ethernet.usb = { vendor = "0x0bda"; product = "0x8153"; enable = true; };
+    ethernet.usb = {
+      vendor = "0x0bda";
+      product = "0x8153";
+      enable = true;
+    };
     l2tp = {
       host = "l2tp.aa.net.uk";
     };

ci.nix

@@ -1,77 +1,82 @@
-{
-  nixpkgs
-, unstable
-, liminix
-, ... }:
 let
-  inherit (builtins) map;
-  pkgs = (import nixpkgs {});
-  borderVmConf =  ./bordervm.conf-example.nix;
+  pkgs = import <nixpkgs> { };
+  liminix = <liminix>;
+  borderVmConf = ./bordervm.conf-example.nix;
   inherit (pkgs.lib.attrsets) genAttrs;
   devices = [
-    "gl-ar750" "gl-mt300n-v2" "gl-mt300a"
-    "qemu" "qemu-aarch64" "qemu-armv7l"
+    "gl-ar750"
+    "gl-mt300a"
+    "gl-mt300n-v2"
+    "qemu"
+    "qemu-aarch64"
+    "qemu-armv7l"
     "tp-archer-ax23"
+    "openwrt-one"
+    "zyxel-nwa50ax"
+    "turris-omnia"
+    "belkin-rt3200"
   ];
   vanilla = ./vanilla-configuration.nix;
   for-device = name:
     (import liminix {
-      inherit nixpkgs borderVmConf;
+      inherit borderVmConf;
       device = import (liminix + "/devices/${name}");
       liminix-config = vanilla;
     }).outputs.default;
   tests = import ./tests/ci.nix;
   jobs =
-    (genAttrs devices for-device) //
-    tests //
-    {
-      buildEnv = (import liminix {
-        inherit nixpkgs borderVmConf;
-        device = import (liminix + "/devices/qemu");
-        liminix-config = vanilla;
-      }).buildEnv;
+    (genAttrs devices for-device)
+    // tests
+    // {
+      buildEnv =
+        (import liminix {
+          inherit borderVmConf;
+          device = import (liminix + "/devices/qemu");
+          liminix-config = vanilla;
+        }).buildEnv;
       doc =
-        let json =
-              (import liminix {
-                inherit nixpkgs borderVmConf;
-                device = import (liminix + "/devices/qemu");
-                liminix-config = {...} : {
+        let
+          json =
+            (import liminix {
+              inherit borderVmConf;
+              device = import (liminix + "/devices/qemu");
+              liminix-config =
+                { ... }:
+                {
                   imports = [ ./modules/all-modules.nix ];
                 };
-              }).outputs.optionsJson;
-            installers = map (f: "system.outputs.${f}") [
-              "vmroot"
-              "mtdimage"
-              "ubimage"
-            ];
-            inherit (pkgs.lib) concatStringsSep;
-        in pkgs.stdenv.mkDerivation {
+            }).outputs.optionsJson;
+        in
+        pkgs.stdenv.mkDerivation {
           name = "liminix-doc";
           nativeBuildInputs = with pkgs; [
-            gnumake sphinx fennel luaPackages.lyaml
+            gnumake
+            sphinx
+            fennel
+            luaPackages.lyaml
           ];
           src = ./.;
           buildPhase = ''
-            cat ${json} | fennel --correlate doc/parse-options.fnl > doc/modules-generated.rst
-            cat ${json} | fennel --correlate doc/parse-options-outputs.fnl     > doc/outputs-generated.rst
+            cat ${json} | fennel --correlate doc/parse-options.fnl > doc/modules-generated.inc.rst
+            cat ${json} | fennel --correlate doc/parse-options-outputs.fnl     > doc/outputs-generated.inc.rst
             cp ${(import ./doc/hardware.nix)} doc/hardware.rst
             make -C doc html
           '';
           installPhase = ''
             mkdir -p $out/nix-support $out/share/doc/
             cd doc
-            cp *-generated.rst  $out
+            cp *-generated.inc.rst hardware.rst $out
             ln -s ${json} $out/options.json
             cp -a _build/html $out/share/doc/liminix
             echo "file source-dist \"$out/share/doc/liminix\"" \
                 > $out/nix-support/hydra-build-products
           '';
       };
-      with-unstable = (import liminix {
-        nixpkgs = unstable;
-        inherit borderVmConf;
-        device = import (liminix + "/devices/qemu");
-        liminix-config = vanilla;
-      }).outputs.default;
     };
-in jobs
+in jobs //
+   {
+     all = pkgs.mkShell {
+       name = "all tests";
+       contents = pkgs.lib.collect pkgs.lib.isDerivation jobs;
+     };
+   }

default.nix

@@ -1,35 +1,48 @@
 {
-  device
-, liminix-config ? <liminix-config>
-, nixpkgs ? <nixpkgs>
-, borderVmConf ? ./bordervm.conf.nix
+  deviceName ? null,
+  device ? (import ./devices/${deviceName}),
+  liminix-config ? <liminix-config>,
+  borderVmConf ? ./bordervm.conf.nix,
+  imageType ? "primary",
 }:
 
 let
   overlay = import ./overlay.nix;
-  pkgs = import nixpkgs (device.system // {
-    overlays = [overlay];
-    config = {
-      allowUnsupportedSystem = true; # mipsel
-      permittedInsecurePackages = [
-        "python-2.7.18.6"       # kernel backports needs python <3
-        "python-2.7.18.7"
-      ];
-    };
-  });
+  pkgs = import <nixpkgs> (
+    device.system
+    // {
+      overlays = [ overlay ];
+      config = {
+        allowUnsupportedSystem = true; # mipsel
+        permittedInsecurePackages = [
+          "python-2.7.18.6" # kernel backports needs python <3
+          "python-2.7.18.7"
+        ];
+      };
+    }
+  );
 
   eval = pkgs.lib.evalModules {
+    specialArgs = {
+      modulesPath = builtins.toString ./modules;
+    };
     modules = [
       { _module.args = { inherit pkgs; inherit (pkgs) lim; }; }
       ./modules/hardware.nix
       ./modules/base.nix
       ./modules/busybox.nix
       ./modules/hostname.nix
+      ./modules/kernel
+      ./modules/logging.nix
+      ./modules/klogd.nix
       device.module
       liminix-config
       ./modules/s6
       ./modules/users.nix
       ./modules/outputs.nix
+      {
+        boot.imageType = imageType;
+      }
     ];
   };
   config = eval.config;
@@ -37,7 +50,14 @@ let
   borderVm = ((import <nixpkgs/nixos/lib/eval-config.nix>) {
     system = builtins.currentSystem;
     modules = [
-      ({  ... } : { nixpkgs.overlays = [ overlay ]; })
+      {
+        nixpkgs.overlays = [
+          (final: prev: {
+            go-l2tp = final.callPackage ./pkgs/go-l2tp {};
+            tufted = final.callPackage ./pkgs/tufted {};
+          })
+        ];
+      }
       (import ./bordervm-configuration.nix)
       borderVmConf
     ];
@@ -68,6 +88,7 @@ in {
       min-copy-closure
       fennelrepl
       lzma
+      lua
     ];
   };
 }

devices/belkin-rt3200/default.nix

@@ -4,15 +4,8 @@
     ******************************
 
     This device is based on a 64 bit Mediatek MT7622 ARM platform,
-    and is "work in progress" in Liminix.
-
-    .. note:: The factory flash image contains ECC errors that make it
-              incompatible with Liminix: you need to use the `OpenWrt
-              UBI Installer <https://github.com/dangowrt/owrt-ubi-installer>`_ to
-              rewrite the partition layout before you can flash
-              Liminix onto it (or even use it with
-              :ref:`system-outputs-tftpboot`, if you want the wireless
-              to work).
+    and is mostly feature-complete in Liminix but as of Dec 2024
+    has seen very little actual use.
 
     Hardware summary
     ================
@@ -27,10 +20,94 @@
     Installation
     ============
 
-    Installation is currently a manual process (you need a :ref:`serial <serial>` conection and
-    TFTP) following the instructions at :ref:`system-outputs-ubimage`
+    Liminix on this device uses the UBI volume management system to
+    perform wear leveling on the flash. This is not set up from the
+    factory, so a one-time step is needed to prepare it before Liminix
+    can be installed.
 
-'';
+
+    Preparation
+    -----------
+
+    To prepare the device for Liminix you first need to use the
+    `OpenWrt UBI Installer
+    <https://github.com/dangowrt/owrt-ubi-installer>`_ image to
+    rewrite the flash layout. As of Jan 2025 there are two versions
+    of the installer available: the release version 1.0.2 and the
+    pre-release 1.1.3 and for Liminix you nee the pre-relese.
+    The release version of the installer creates UBI volumes
+    according to an older layout that is not compatible with
+    the Linux 6.6.67 kernel used in Liminix.
+
+    You can run the installer in one of two ways:
+    either follow the instructions to do it through the vendor web
+    interface, or you can drop to U-Boot and use TFTP
+
+    .. code-block:: console
+
+        MT7622> setenv ipaddr 10.0.0.6
+        MT7622> setenv serverip 10.0.0.1
+        MT7622> tftpboot 0x42000000  openwrt-mediatek-mt7622-linksys_e8450-ubi-initramfs-recovery-installer.itb
+        MT7622> bootm 0x42000000
+
+    This will write the new flash layout and then boot into a
+    "recovery" OpenWrt installation.
+
+    Building/installing Liminix
+    ----------------
+
+    The default target for this device is ``outputs.ubimage`` which
+    makes a ubifs image suitable for use with :command:`ubiupdatevol`.
+    To write this to the device we use the OpenWrt recovery system
+    installed in the previous step. In this configuration the
+    device assigns itself the IP address 192.168.1.1/24 on its LAN
+    ports and expects the connected computer to have 192.168.1.254
+
+    .. warning:: The `ubi0_7` device in these instructions is correct
+                 as of Dec 2024 (dangowrt/owrt-ubi-installer commit
+                 d79e7928). If you are installing some time later, it
+                 is important to check the output from
+                 :command:`ubinfo -a` and make sure you are updating
+                 the "liminix" volume and not some other one which had
+                 been introduced since I wrote this.
+
+    .. code-block:: console
+
+        $ nix-build -I liminix-config=./my-configuration.nix  --arg device "import ./devices/belkin-rt3200" -A outputs.default
+        $ cat result/rootfs | ssh root@192.168.1.1 "cat > /tmp/rootfs"
+        $ ssh root@192.168.1.1
+        root@OpenWrt:~# ubimkvol /dev/ubi0 --name=liminix --maxavsize
+        root@OpenWrt:~# ubinfo -a
+        [...]
+        Volume ID:   7 (on ubi0)
+        Type:        dynamic
+        Alignment:   1
+        Size:        851 LEBs (108056576 bytes, 103.0 MiB)
+        State:       OK
+        Name:        liminix
+        Character device major/minor: 250:8
+        root@OpenWrt:~# ubiupdatevol /dev/ubi0_7 /tmp/rootfs
+
+    To make the new system bootable we also need to change some U-Boot variables.
+    ``boot_production`` needs to mount the filesystem and boot the FIT image
+    found there, and :code:`bootcmd` needs to be told _not_ to boot the rescue
+    image if there are records in pstore, because that interferes with
+    ``config.log.persistent``
+
+    .. code-block:: console
+
+        root@OpenWrt:~# fw_setenv orig_boot_production $(fw_printenv -n boot_production)
+        root@OpenWrt:~# fw_setenv orig_bootcmd $(fw_printenv -n bootcmd)
+        root@OpenWrt:~# fw_setenv boot_production 'led $bootled_pwr on ; ubifsmount ubi0:liminix && ubifsload ''${loadaddr} boot/fit && bootm ''${loadaddr}'
+        root@OpenWrt:~# fw_setenv bootcmd 'run boot_ubi'
+
+    For subsequent Liminix reinstalls, just run the
+    :command:`ubiupdatevol` command again. You don't need to repeat
+    the "Preparation" step and in fact should seek to avoid it if
+    possible, as it will reset the erase counters used for write
+    levelling.  Using UBI-aware tools is therefore preferred over any
+    kind of "factory" wipe which will reset them.
+    '';
 
   system = {
     crossSystem = {
@@ -39,7 +116,8 @@
   };
 
   module = {pkgs, config, lib, lim, ... }:
-    let firmware = pkgs.stdenv.mkDerivation {
+    let inherit (lib) mkIf;
+        firmware = pkgs.stdenv.mkDerivation {
           name = "wlan-firmware";
           phases = ["installPhase"];
           installPhase = ''
@@ -47,6 +125,7 @@
             cp ${pkgs.linux-firmware}/lib/firmware/mediatek/{mt7915,mt7615,mt7622}* $out
           '';
         };
+        openwrt = pkgs.openwrt_24_10;
     in {
       imports = [
         ../../modules/arch/aarch64.nix
@@ -55,14 +134,11 @@
       ];
       config = {
     kernel = {
-      src = pkgs.pkgsBuildBuild.fetchurl {
-        name = "linux.tar.gz";
-        url = "https://cdn.kernel.org/pub/linux/kernel/v5.x/linux-5.15.137.tar.gz";
-        hash = "sha256-PkdzUKZ0IpBiWe/RS70J76JKnBFzRblWcKlaIFNxnHQ=";
-      };
       extraPatchPhase = ''
-          ${pkgs.openwrt.applyPatches.mediatek}
+          ${openwrt.applyPatches.mediatek}
       '';
+      src = openwrt.kernelSrc;
+      version = openwrt.kernelVersion;
       config = {
         PCI = "y";
         ARCH_MEDIATEK = "y";
@@ -73,8 +149,8 @@
         MTK_INFRACFG = "y";
 
         MTK_PMIC_WRAP = "y";
-        MTK_EFUSE="y";
-        # MTK_HSDMA="y";
+        DMADEVICES = "y";
+        MTK_HSDMA="y";
         MTK_SCPSYS="y";
         MTK_SCPSYS_PM_DOMAINS="y";
         # MTK_THERMAL="y";
@@ -92,7 +168,6 @@
 
         MEDIATEK_GE_PHY = "y";
         # MEDIATEK_MT6577_AUXADC = "y";
-        # MEDIATEK_WATCHDOG = "y";
         NET_MEDIATEK_SOC = "y";
         NET_MEDIATEK_SOC_WED = "y";
         NET_MEDIATEK_STAR_EMAC = "y"; # this enables REGMAP_MMIO
@@ -121,6 +196,10 @@
         MTD_SPLIT_FIRMWARE= "y";
         MTD_SPLIT_FIT_FW= "y";
 
+        MTD_UBI_NVMEM = "y";
+        NVMEM_MTK_EFUSE = "y";
+        NVMEM_BLOCK = "y";
+        NVMEM_LAYOUT_ADTRAN = "y";
 
         MMC = "y";
         MMC_BLOCK = "y";
@@ -132,11 +211,7 @@
         NET_DSA="y";
         NET_DSA_MT7530="y";
         NET_DSA_TAG_MTK="y";
-
-        PSTORE = "y";
-        PSTORE_RAM = "y";
-        PSTORE_CONSOLE = "y";
-        PSTORE_DEFLATE_COMPRESS = "n";
+        NET_DSA_MT7530_MDIO="y";
 
         SERIAL_8250 = "y";
         SERIAL_8250_CONSOLE = "y";
@@ -159,9 +234,11 @@
     };
     boot = {
       commandLine = [ "console=ttyS0,115200" ];
-      tftp.loadAddress = lim.parseInt "0x4007ff28";
+      tftp.loadAddress = lim.parseInt "0x48000000";
       imageFormat = "fit";
+      loader.fit.enable = lib.mkDefault true; # override this if you are building tftpboot
     };
+    rootfsType = lib.mkDefault "ubifs"; # override this if you are building tftpboot
     filesystem =
       let inherit (pkgs.pseudofile) dir symlink;
            in
@@ -175,7 +252,6 @@
 
     hardware =
       let
-        openwrt = pkgs.openwrt;
         mac80211 =  pkgs.kmodloader.override {
           targets = ["mt7615e" "mt7915e"];
           inherit (config.system.outputs) kernel;
@@ -183,7 +259,8 @@
       in {
         ubi = {
           minIOSize = "2048";
-          eraseBlockSize = "126976";
+          logicalEraseBlockSize = "126976";
+          physicalEraseBlockSize = "131072";
           maxLEBcount = "1024"; # guessing
         };
 
@@ -198,10 +275,13 @@
         rootDevice = "ubi0:liminix";
         dts = {
           src = "${openwrt.src}/target/linux/mediatek/dts/mt7622-linksys-e8450-ubi.dts";
-          includes =  [
+          includePaths =  [
             "${openwrt.src}/target/linux/mediatek/dts"
             "${config.system.outputs.kernel.modulesupport}/arch/arm64/boot/dts/mediatek/"
           ];
+          includes = mkIf config.logging.persistent.enable [
+            ./pstore-pmsg.dtsi
+          ];
         };
 
         # - 0x000000000000-0x000008000000 : "spi-nand0"
@@ -214,7 +294,6 @@
         networkInterfaces =
           let
             inherit (config.system.service.network) link;
-            inherit (config.system.service) bridge;
           in rec {
             wan = link.build { ifname = "wan"; };
             lan1 = link.build { ifname = "lan1"; };

devices/belkin-rt3200/pstore-pmsg.dtsi

@@ -0,0 +1,8 @@
+/ {
+	reserved-memory {
+		/* make sure address matches upstream  */
+		ramoops@42ff0000 {
+			pmsg-size = <0x10000>;
+		};
+	};
+};

devices/families/qemu.nix

@@ -5,11 +5,6 @@
   ];
   config = {
     kernel = {
-      src = pkgs.pkgsBuildBuild.fetchurl {
-        name = "linux.tar.gz";
-        url = "https://cdn.kernel.org/pub/linux/kernel/v5.x/linux-5.15.137.tar.gz";
-        hash = "sha256-PkdzUKZ0IpBiWe/RS70J76JKnBFzRblWcKlaIFNxnHQ=";
-      };
       config = {
         MTD = "y";
         MTD_BLOCK = "y";
@@ -23,12 +18,17 @@
         VIRTIO_BLK = "y";
         VIRTIO_NET = "y";
       };
+      conditionalConfig = {
+        WLAN= {
+          MAC80211_HWSIM = "m";
+        };
+      };
     };
     hardware =
       let
-        mac80211 =  pkgs.mac80211.override {
-          drivers = ["mac80211_hwsim"];
-          klibBuild = config.system.outputs.kernel.modulesupport;
+        mac80211 =  pkgs.kmodloader.override {
+          inherit (config.system.outputs) kernel;
+          targets = ["mac80211_hwsim"];
         };
       in {
         defaultOutput = "vmroot";

devices/gl-ar750/default.nix

@@ -41,10 +41,11 @@
     :ref:`system-outputs-mtdimage` can be flashed using the
     vendor web UI or the U-Boot emergency "unbrick" routine.
 
-    For flashing from an existing Liminix system (we believe that) it
-    is necessary to first boot into a :ref:`system-outputs-kexecboot`
-    system, otherwise you'll be overwriting flash partitions while
-    they're in use - and that might not end well.
+    Flashing over an existing Liminix system is not possible while
+    that system is running, otherwise you'll be overwriting flash
+    partitions while they're in use - and that might not end well.
+    Configure the system with :ref:`levitate` if you need to
+    make it upgradable.
 
     Vendor web page: https://www.gl-inet.com/products/gl-ar750/
 
@@ -52,8 +53,9 @@
 
   '';
 
-  module = {pkgs, config, lim, ... }:
+  module = {pkgs, config, lim, lib, ... }:
     let
+      inherit (lib) mkIf;
       openwrt = pkgs.openwrt;
       firmwareBlobs = pkgs.pkgsBuildBuild.fetchFromGitHub {
         owner = "kvalo";
@@ -92,7 +94,6 @@
         '';
       };
       inherit (pkgs.pseudofile) dir symlink;
-      inherit (pkgs.liminix.networking) interface;
     in {
       imports = [
         ../../modules/network
@@ -117,16 +118,25 @@
         rootDevice = "/dev/mtdblock5";
         dts = {
           src = "${openwrt.src}/target/linux/ath79/dts/qca9531_glinet_gl-ar750.dts";
-          includes =  [
+          includePaths =  [
             "${openwrt.src}/target/linux/ath79/dts"
           ];
+          includes = mkIf config.logging.persistent.enable [
+            ./pstore-ramoops.dtsi
+          ];
         };
 
         networkInterfaces =
           let inherit (config.system.service.network) link;
           in {
-            lan = link.build { ifname = "eth0"; };
-            wan = link.build { ifname = "eth1"; };
+            lan = link.build {
+              ifname = "lan";
+              devpath = "/devices/platform/ahb/1a000000.eth";
+            };
+            wan = link.build {
+              ifname = "wan";
+              devpath = "/devices/platform/ahb/19000000.eth";
+            };
             wlan = link.build {
               ifname = "wlan0";
               dependencies = [ mac80211 ];
@@ -149,14 +159,9 @@
       };
       boot.tftp = {
         loadAddress = lim.parseInt "0x00A00000";
+        appendDTB = true;
       };
       kernel = {
-        src = pkgs.pkgsBuildBuild.fetchurl {
-          name = "linux.tar.gz";
-          url = "https://cdn.kernel.org/pub/linux/kernel/v5.x/linux-5.15.137.tar.gz";
-          hash = "sha256-PkdzUKZ0IpBiWe/RS70J76JKnBFzRblWcKlaIFNxnHQ=";
-        };
-
         # Mainline linux 5.19 doesn't have device-tree support for
         # this device or even for the SoC, so we use the extensive
         # OpenWrt kernel patches

devices/gl-ar750/pstore-ramoops.dtsi

@@ -0,0 +1,9 @@
+/ {
+reserved-memory {
+		ramoops@03f00000 {
+			compatible = "ramoops";
+			reg = <0x03f00000 0x10000>;
+			pmsg-size = <0x10000>;
+		};
+	};
+};

devices/gl-mt300a/default.nix

@@ -32,10 +32,11 @@
     binary created by :ref:`system-outputs-mtdimage` can be flashed
     using the vendor web UI or the U-Boot emergency "unbrick" routine.
 
-    For flashing from an existing Liminix system (we think) it
-    is necessary to first boot into a :ref:`system-outputs-kexecboot`
-    system, otherwise you'll be overwriting flash partitions while
-    they're in use - and that might not end well.
+    Flashing over an existing Liminix system is not possible while
+    that system is running, otherwise you'll be overwriting flash
+    partitions while they're in use - and that might not end well.
+    Configure the system with :ref:`levitate` if you need to
+    make it upgradable.
 
     Vendor web page: https://www.gl-inet.com/products/gl-mt300a/
 
@@ -45,7 +46,6 @@
 
   module = { pkgs, config, lib, lim, ...}:
     let
-      inherit (pkgs.liminix.networking) interface;
       inherit (pkgs) openwrt;
       mac80211 = pkgs.kmodloader.override {
         targets = ["rt2800soc"];
@@ -82,7 +82,7 @@
 
         dts = {
           src = "${openwrt.src}/target/linux/ramips/dts/mt7620a_glinet_gl-mt300a.dts";
-          includes = [
+          includePaths = [
             "${openwrt.src}/target/linux/ramips/dts"
           ];
         };
@@ -90,19 +90,6 @@
           let
             inherit (config.system.service.network) link;
             inherit (config.system.service) vlan;
-            inherit (pkgs.liminix.services) oneshot;
-            swconfig = oneshot {
-              name = "swconfig";
-              up = ''
-                PATH=${pkgs.swconfig}/bin:$PATH
-                swconfig dev switch0 set reset
-                swconfig dev switch0 set enable_vlan 1
-                swconfig dev switch0 vlan 1 set ports '1 2 3 4 6t'
-                swconfig dev switch0 vlan 2 set ports '0 6t'
-                swconfig dev switch0 set apply
-              '';
-              down = "${pkgs.swconfig}/bin/swconfig dev switch0 set reset";
-            };
           in rec {
             eth = link.build { ifname = "eth0"; };
             # lan and wan ports are both behind a switch on eth0
@@ -110,13 +97,11 @@
               ifname = "eth0.1";
               primary = eth;
               vid = "1";
-              dependencies =  [swconfig eth];
             };
             wan = vlan.build {
               ifname = "eth0.2";
               primary = eth;
               vid = "2";
-              dependencies =  [swconfig eth];
             };
             wlan = link.build {
               ifname = "wlan0";
@@ -126,16 +111,13 @@
       };
       boot.tftp = {
         loadAddress = lim.parseInt "0x00A00000";
-      };
+        appendDTB = true;
+     };
 
       kernel = {
-        src = pkgs.fetchurl {
-          name = "linux.tar.gz";
-          url = "https://cdn.kernel.org/pub/linux/kernel/v5.x/linux-5.15.137.tar.gz";
-          hash = "sha256-PkdzUKZ0IpBiWe/RS70J76JKnBFzRblWcKlaIFNxnHQ=";
-        };
         extraPatchPhase = ''
           ${openwrt.applyPatches.ramips}
+          ${openwrt.applyPatches.rt2x00}
         '';
         config = {
 

devices/gl-mt300n-v2/default.nix

@@ -13,7 +13,7 @@
     GL.iNet GL-MT300N-v2
     ********************
 
-    The GL-MT300N-v2 "Mango" is is very similar to the :ref:`MT300A <GL.iNet GL-MT300A>, but is
+    The GL-MT300N-v2 "Mango" is is very similar to the :ref:`gl-mt300a`, but is
     based on the MT7628 chipset instead of MT7620.  It's also marginally cheaper
     and comes in a yellow case not a blue one.  Be sure your device is
     v2 not v1, which is a different animal and has only half as much RAM.
@@ -25,10 +25,11 @@
     binary created by :ref:`system-outputs-mtdimage` can be flashed
     using the vendor web UI or the U-Boot emergency "unbrick" routine.
 
-    For flashing from an existing Liminix system (we think) it
-    is necessary to first boot into a :ref:`system-outputs-kexecboot`
-    system, otherwise you'll be overwriting flash partitions while
-    they're in use - and that might not end well.
+    Flashing over an existing Liminix system is not possible while
+    that system is running, otherwise you'll be overwriting flash
+    partitions while they're in use - and that might not end well.
+    Configure the system with :ref:`levitate` if you need to
+    make it upgradable.
 
     Vendor web page: https://www.gl-inet.com/products/gl-mt300n-v2/
 
@@ -38,7 +39,6 @@
 
   module = { pkgs, config, lib, lim, ...}:
     let
-      inherit (pkgs.liminix.networking) interface;
       inherit (pkgs.liminix.services) oneshot;
       inherit (pkgs.pseudofile) dir symlink;
       inherit (pkgs) openwrt;
@@ -79,7 +79,7 @@
 
         dts = {
           src = "${openwrt.src}/target/linux/ramips/dts/mt7628an_glinet_gl-mt300n-v2.dts";
-          includes = [
+          includePaths = [
             "${openwrt.src}/target/linux/ramips/dts"
           ];
         };
@@ -97,7 +97,7 @@
                 swconfig dev switch0 vlan 2 set ports '0 6t'
                 swconfig dev switch0 set apply
               '';
-              down = "swconfig dev switch0 set reset";
+              down = "${pkgs.swconfig}/bin/swconfig dev switch0 set reset";
             };
           in rec {
             eth = link.build { ifname = "eth0"; dependencies =  [swconfig]; };
@@ -122,14 +122,10 @@
         # 20MB seems to give enough room to uncompress the kernel
         # without anything getting trodden on. 10MB was too small
         loadAddress = lim.parseInt "0x1400000";
+        appendDTB = true;
       };
 
       kernel = {
-        src = pkgs.fetchurl {
-          name = "linux.tar.gz";
-          url = "https://cdn.kernel.org/pub/linux/kernel/v5.x/linux-5.15.137.tar.gz";
-          hash = "sha256-PkdzUKZ0IpBiWe/RS70J76JKnBFzRblWcKlaIFNxnHQ=";
-        };
         extraPatchPhase = ''
           ${openwrt.applyPatches.ramips}
         '';

devices/openwrt-one/default.nix

@@ -0,0 +1,739 @@
+{
+  description = ''
+    OpenWrt One
+    ***********
+
+    Hardware summary
+    ================
+
+    - MediaTek MT7981B (1300MHz)
+    - 256MB NAND Flash
+    - 1024MB RAM
+    - WLan hardware: Mediatek MT7976C
+
+    Status
+    ======
+
+    - Only tested over TFTP so far.
+    - WiFi (2.4G and 5G) works.
+    - 2.5G ethernet port works.
+
+    Limitations
+    ===========
+
+    - adding `he_bss_color="128"` causes `Invalid argument` for hostap
+    - nvme support untested
+    - I don't think the front LEDs work yet
+
+    Installation
+    ============
+
+      TODO: add instructions on how to boot directly from TFTP to memory
+      and how to install from TFTP to flash without going through OpenWrt.
+
+      The instructions below assume you can boot and SSH into OpenWrt:
+
+      Boot into OpenWrt and create a 'liminix' UBI partition:
+
+        root@OpenWrt:~# ubimkvol /dev/ubi0 --name=liminix --maxavsize
+
+    Remember the 'Volume ID' that was created for this new partition
+
+    Build the UBI image and write it to this new partition:
+
+        $ nix-build -I liminix-config=./my-configuration.nix  --arg device "import ./devices/openwrt-one" -A outputs.default
+        $ cat result/rootfs | ssh root@192.168.1.1 "cat > /tmp/rootfs"
+        $ ssh root@192.168.1.1
+        root@OpenWrt:~# ubiupdatevol /dev/ubi0_X /tmp/rootfs # replace X with the volume id, if needed check with `ubinfo`
+
+    Reboot into the U-Boot prompt and boot with:
+
+        OpenWrt One> ubifsmount ubi0:liminix && ubifsload ''${loadaddr} boot/fit && bootm ''${loadaddr}'
+
+    If this works, reboot into OpenWrt and configure U-Boot to boot ubifs by default:
+
+        root@OpenWrt:~# fw_setenv orig_boot_production $(fw_printenv -n boot_production)
+        root@OpenWrt:~# fw_setenv boot_production 'led white on ; ubifsmount ubi0:liminix && ubifsload ''${loadaddr} boot/fit && bootm ''${loadaddr}'
+
+    Troubleshooting
+    ===============
+
+      The instructions above assume you can boot and SSH into the (recovery)
+      OpenWrt installation. If you have broken your device to the point where that
+      is no longer possible, you could re-install OpenWrt, but probably you could
+      also install directly from U-Boot:
+
+        https://github.com/u-boot/u-boot/blob/master/doc/README.ubi
+  '';
+
+  system = {
+    crossSystem = {
+      config = "aarch64-unknown-linux-musl";
+      gcc = {
+        # https://openwrt.org/docs/techref/instructionset/aarch64_cortex-a53
+        # openwrt ./target/linux/mediatek/filogic/target.mk
+        # https://gcc.gnu.org/onlinedocs/gcc/AArch64-Options.html
+        # https://en.wikipedia.org/wiki/Comparison_of_ARM_processors
+        arch = "armv8-a";
+      };
+    };
+  };
+
+  module = {pkgs, config, lib, lim, ... }:
+  let 
+    openwrt = pkgs.openwrt_24_10;
+    mediatek-firmware = pkgs.stdenv.mkDerivation {
+          name = "wlan-firmware";
+          phases = ["installPhase"];
+          installPhase = ''
+            mkdir $out
+
+            cp ${pkgs.linux-firmware}/lib/firmware/mediatek/{mt7915,mt7615,mt7986_eeprom_mt7976,mt7981}* $out
+          '';
+        };
+    airoha-firmware = pkgs.stdenv.mkDerivation {
+          name = "airoha-firmware";
+          phases = ["installPhase"];
+          installPhase = ''
+            mkdir $out
+
+            cp ${pkgs.linux-firmware}/lib/firmware/airoha/* $out
+          '';
+        };
+    in {
+      imports = [
+        ../../modules/arch/aarch64.nix
+        ../../modules/outputs/tftpboot.nix
+        ../../modules/outputs/ubifs.nix
+      ];
+      config = {
+        kernel = {
+          src = openwrt.kernelSrc;
+          version = openwrt.kernelVersion;
+          extraPatchPhase = ''
+            ${openwrt.applyPatches.mediatek}
+          '';
+          config = {
+            NET="y"; # unlock NET_XGRESS
+            SERIAL_8250="y"; # unlock SERIAL_8250_FSL
+            SERIAL_8250_CONSOLE="y"; # to get the serial console
+            WATCHDOG="y"; # unlock WATCHDOG_CORE
+            NEW_LEDS="y"; # unlock LEDS_PWM
+            LEDS_CLASS="y"; # unlock LEDS_PWM
+            LEDS_TRIGGERS="y"; # unlock LEDS_TRIGGER_PATTERN
+            DEFERRED_STRUCT_PAGE_INIT="y"; # trigger PADATA
+            # Taken from openwrt's ./target/linux/mediatek/filogic/config-6.6
+            "64BIT"="y";
+            AIROHA_EN8801SC_PHY="y";
+            ARCH_BINFMT_ELF_EXTRA_PHDRS="y";
+            ARCH_CORRECT_STACKTRACE_ON_KRETPROBE="y";
+            ARCH_DEFAULT_KEXEC_IMAGE_VERIFY_SIG="y";
+            ARCH_DMA_ADDR_T_64BIT="y";
+            ARCH_FORCE_MAX_ORDER="10";
+            ARCH_KEEP_MEMBLOCK="y";
+            ARCH_MEDIATEK="y";
+            ARCH_MHP_MEMMAP_ON_MEMORY_ENABLE="y";
+            ARCH_MMAP_RND_BITS="18";
+            ARCH_MMAP_RND_BITS_MAX="24";
+            ARCH_MMAP_RND_BITS_MIN="18";
+            ARCH_MMAP_RND_COMPAT_BITS_MIN="11";
+            ARCH_PROC_KCORE_TEXT="y";
+            ARCH_SPARSEMEM_ENABLE="y";
+            ARCH_STACKWALK="y";
+            ARCH_SUSPEND_POSSIBLE="y";
+            ARCH_WANTS_NO_INSTR="y";
+            ARCH_WANTS_THP_SWAP="y";
+            ARM64="y";
+            ARM64_4K_PAGES="y";
+            ARM64_ERRATUM_843419="y";
+            ARM64_LD_HAS_FIX_ERRATUM_843419="y";
+            ARM64_PAGE_SHIFT="12";
+            ARM64_PA_BITS="48";
+            ARM64_PA_BITS_48="y";
+            ARM64_TAGGED_ADDR_ABI="y";
+            ARM64_VA_BITS="39";
+            ARM64_VA_BITS_39="y";
+            ARM_AMBA="y";
+            ARM_ARCH_TIMER="y";
+            ARM_ARCH_TIMER_EVTSTREAM="y";
+            ARM_GIC="y";
+            ARM_GIC_V2M="y";
+            ARM_GIC_V3="y";
+            ARM_GIC_V3_ITS="y";
+            ARM_GIC_V3_ITS_PCI="y";
+            ARM_MEDIATEK_CPUFREQ="y";
+            ARM_PMU="y";
+            ARM_PMUV3="y";
+            ARM_PSCI_FW="y";
+            ATA="y";
+            AUDIT_ARCH_COMPAT_GENERIC="y";
+            BLK_DEV_LOOP="y";
+            BLK_DEV_SD="y";
+            BLK_MQ_PCI="y";
+            BLK_PM="y";
+            BLOCK_NOTIFIERS="y";
+            BSD_PROCESS_ACCT="y";
+            BSD_PROCESS_ACCT_V3="y";
+            BUFFER_HEAD="y";
+            BUILTIN_RETURN_ADDRESS_STRIPS_PAC="y";
+            CC_HAVE_SHADOW_CALL_STACK="y";
+            CC_HAVE_STACKPROTECTOR_SYSREG="y";
+            #CC_IMPLICIT_FALLTHROUGH="-Wimplicit-fallthrough=5";
+            CC_NO_ARRAY_BOUNDS="y";
+            CLKSRC_MMIO="y";
+            CLONE_BACKWARDS="y";
+            CMDLINE_OVERRIDE="y";
+            COMMON_CLK="y";
+            COMMON_CLK_MEDIATEK="y";
+            COMMON_CLK_MT7981="y";
+            COMMON_CLK_MT7981_ETHSYS="y";
+            COMMON_CLK_MT7986="y";
+            COMMON_CLK_MT7986_ETHSYS="y";
+            COMMON_CLK_MT7988="y";
+            COMPACT_UNEVICTABLE_DEFAULT="1";
+            CONFIGFS_FS="y";
+            CONSOLE_LOGLEVEL_DEFAULT="15";
+            CONTEXT_TRACKING="y";
+            CONTEXT_TRACKING_IDLE="y";
+            CPU_FREQ="y";
+            CPU_FREQ_DEFAULT_GOV_USERSPACE="y";
+            CPU_FREQ_GOV_ATTR_SET="y";
+            CPU_FREQ_GOV_COMMON="y";
+            CPU_FREQ_GOV_CONSERVATIVE="y";
+            CPU_FREQ_GOV_ONDEMAND="y";
+            CPU_FREQ_GOV_PERFORMANCE="y";
+            CPU_FREQ_GOV_POWERSAVE="y";
+            CPU_FREQ_GOV_SCHEDUTIL="y";
+            CPU_FREQ_GOV_USERSPACE="y";
+            CPU_FREQ_STAT="y";
+            CPU_LITTLE_ENDIAN="y";
+            CPU_RMAP="y";
+            CPU_THERMAL="y";
+            CRC16="y";
+            CRC_CCITT="y";
+            CRYPTO_AES_ARM64="y";
+            CRYPTO_AES_ARM64_CE="y";
+            CRYPTO_AES_ARM64_CE_BLK="y";
+            CRYPTO_AES_ARM64_CE_CCM="y";
+            CRYPTO_CMAC="y";
+            CRYPTO_CRC32="y";
+            CRYPTO_CRC32C="y";
+            CRYPTO_CRYPTD="y";
+            CRYPTO_DEFLATE="y";
+            CRYPTO_DRBG="y";
+            CRYPTO_DRBG_HMAC="y";
+            CRYPTO_DRBG_MENU="y";
+            CRYPTO_ECB="y";
+            CRYPTO_ECC="y";
+            CRYPTO_ECDH="y";
+            CRYPTO_GHASH_ARM64_CE="y";
+            CRYPTO_HASH_INFO="y";
+            CRYPTO_HMAC="y";
+            CRYPTO_JITTERENTROPY="y";
+            CRYPTO_LIB_BLAKE2S_GENERIC="y";
+            CRYPTO_LIB_GF128MUL="y";
+            CRYPTO_LIB_SHA1="y";
+            CRYPTO_LIB_SHA256="y";
+            CRYPTO_LIB_UTILS="y";
+            CRYPTO_LZO="y";
+            CRYPTO_RNG="y";
+            CRYPTO_RNG2="y";
+            CRYPTO_RNG_DEFAULT="y";
+            CRYPTO_SHA256="y";
+            CRYPTO_SHA256_ARM64="y";
+            CRYPTO_SHA2_ARM64_CE="y";
+            CRYPTO_SHA3="y";
+            CRYPTO_SHA512="y";
+            CRYPTO_SM4="y";
+            CRYPTO_SM4_ARM64_CE_BLK="y";
+            CRYPTO_SM4_ARM64_CE_CCM="y";
+            CRYPTO_SM4_ARM64_CE_GCM="y";
+            CRYPTO_ZSTD="y";
+            DCACHE_WORD_ACCESS="y";
+            #DEBUG_INFO="y";
+            DEBUG_MISC="y";
+            DIMLIB="y";
+            DMADEVICES="y";
+            DMATEST="y";
+            DMA_BOUNCE_UNALIGNED_KMALLOC="y";
+            DMA_DIRECT_REMAP="y";
+            DMA_ENGINE="y";
+            DMA_ENGINE_RAID="y";
+            DMA_OF="y";
+            DMA_VIRTUAL_CHANNELS="y";
+            DTC="y";
+            EDAC_SUPPORT="y";
+            EINT_MTK="y";
+            EXCLUSIVE_SYSTEM_RAM="y";
+            EXT4_FS="y";
+            F2FS_FS="y";
+            FIXED_PHY="y";
+            FIX_EARLYCON_MEM="y";
+            FRAME_POINTER="y";
+            FS_IOMAP="y";
+            FS_MBCACHE="y";
+            FUNCTION_ALIGNMENT="4";
+            FUNCTION_ALIGNMENT_4B="y";
+            FWNODE_MDIO="y";
+            FW_LOADER_PAGED_BUF="y";
+            #FW_LOADER_SYSFS="y";
+            #GCC11_NO_ARRAY_BOUNDS="y";
+            #GCC_ASM_GOTO_OUTPUT_WORKAROUND="y";
+            GCC_SUPPORTS_DYNAMIC_FTRACE_WITH_ARGS="y";
+            GENERIC_ALLOCATOR="y";
+            GENERIC_ARCH_TOPOLOGY="y";
+            GENERIC_BUG="y";
+            GENERIC_BUG_RELATIVE_POINTERS="y";
+            GENERIC_CLOCKEVENTS="y";
+            GENERIC_CLOCKEVENTS_BROADCAST="y";
+            GENERIC_CPU_AUTOPROBE="y";
+            GENERIC_CPU_VULNERABILITIES="y";
+            GENERIC_CSUM="y";
+            GENERIC_EARLY_IOREMAP="y";
+            GENERIC_GETTIMEOFDAY="y";
+            GENERIC_IDLE_POLL_SETUP="y";
+            GENERIC_IOREMAP="y";
+            GENERIC_IRQ_EFFECTIVE_AFF_MASK="y";
+            GENERIC_IRQ_SHOW="y";
+            GENERIC_IRQ_SHOW_LEVEL="y";
+            GENERIC_LIB_DEVMEM_IS_ALLOWED="y";
+            GENERIC_MSI_IRQ="y";
+            GENERIC_PCI_IOMAP="y";
+            GENERIC_PHY="y";
+            GENERIC_PINCONF="y";
+            GENERIC_PINCTRL_GROUPS="y";
+            GENERIC_PINMUX_FUNCTIONS="y";
+            GENERIC_SCHED_CLOCK="y";
+            GENERIC_SMP_IDLE_THREAD="y";
+            GENERIC_STRNCPY_FROM_USER="y";
+            GENERIC_STRNLEN_USER="y";
+            GENERIC_TIME_VSYSCALL="y";
+            GLOB="y";
+            GPIO_CDEV="y";
+            GPIO_WATCHDOG="y";
+            GPIO_WATCHDOG_ARCH_INITCALL="y";
+            GRO_CELLS="y";
+            HARDIRQS_SW_RESEND="y";
+            HAS_DMA="y";
+            HAS_IOMEM="y";
+            HAS_IOPORT="y";
+            HAS_IOPORT_MAP="y";
+            HWMON="y";
+            HW_RANDOM="y";
+            HW_RANDOM_MTK="y";
+            I2C="y";
+            I2C_BOARDINFO="y";
+            I2C_CHARDEV="y";
+            I2C_MT65XX="y";
+            ICPLUS_PHY="y";
+            ILLEGAL_POINTER_VALUE="0xdead000000000000";
+            #INITRAMFS_SOURCE="""";
+            IRQCHIP="y";
+            IRQ_DOMAIN="y";
+            IRQ_DOMAIN_HIERARCHY="y";
+            IRQ_FORCED_THREADING="y";
+            IRQ_TIME_ACCOUNTING="y";
+            IRQ_WORK="y";
+            JBD2="y";
+            JUMP_LABEL="y";
+            LEDS_PWM="y";
+            LEDS_SMARTRG_LED="y";
+            LIBFDT="y";
+            LOCK_DEBUGGING_SUPPORT="y";
+            LOCK_SPIN_ON_OWNER="y";
+            LZO_COMPRESS="y";
+            LZO_DECOMPRESS="y";
+            MAGIC_SYSRQ="y";
+            MAXLINEAR_GPHY="y";
+            MDIO_BUS="y";
+            MDIO_DEVICE="y";
+            MDIO_DEVRES="y";
+            MEDIATEK_2P5GE_PHY="y";
+            MEDIATEK_GE_PHY="y";
+            MEDIATEK_GE_SOC_PHY="y";
+            MEDIATEK_WATCHDOG="y";
+            MESSAGE_LOGLEVEL_DEFAULT="7";
+            MFD_SYSCON="y";
+            MIGRATION="y";
+            MMC="y";
+            MMC_BLOCK="y";
+            MMC_CQHCI="y";
+            MMC_MTK="y";
+            MMU_LAZY_TLB_REFCOUNT="y";
+            MODULES_TREE_LOOKUP="y";
+            MODULES_USE_ELF_RELA="y";
+            MTD_NAND_CORE="y";
+            MTD_NAND_ECC="y";
+            MTD_NAND_ECC_MEDIATEK="y";
+            MTD_NAND_ECC_SW_HAMMING="y";
+            MTD_NAND_MTK="y";
+            MTD_NAND_MTK_BMT="y";
+            MTD_PARSER_TRX="y";
+            MTD_RAW_NAND="y";
+            MTD_SPI_NAND="y";
+            MTD_SPI_NOR="y";
+            MTD_SPLIT_FIRMWARE="y";
+            MTD_SPLIT_FIT_FW="y";
+            MTD_UBI="y";
+            MTD_UBI_BEB_LIMIT="20";
+            MTD_UBI_BLOCK="y";
+            MTD_UBI_FASTMAP="y";
+            MTD_UBI_NVMEM="y";
+            MTD_UBI_WL_THRESHOLD="4096";
+            MTK_CPUX_TIMER="y";
+            MTK_HSDMA="y";
+            MTK_INFRACFG="y";
+            MTK_LVTS_THERMAL="y";
+            MTK_LVTS_THERMAL_DEBUGFS="y";
+            MTK_PMIC_WRAP="y";
+            MTK_REGULATOR_COUPLER="y";
+            MTK_SCPSYS="y";
+            MTK_SCPSYS_PM_DOMAINS="y";
+            MTK_SOC_THERMAL="y";
+            MTK_THERMAL="y";
+            MTK_TIMER="y";
+            MUTEX_SPIN_ON_OWNER="y";
+            NEED_DMA_MAP_STATE="y";
+            NEED_SG_DMA_LENGTH="y";
+            NET_DEVLINK="y";
+            NET_DSA="y";
+            NET_DSA_MT7530="y";
+            NET_DSA_MT7530_MDIO="y";
+            NET_DSA_MT7530_MMIO="y";
+            NET_DSA_TAG_MTK="y";
+            #NET_EGRESS="y";
+            NET_FLOW_LIMIT="y";
+            #NET_INGRESS="y";
+            NET_MEDIATEK_SOC="y";
+            NET_MEDIATEK_SOC_WED="y";
+            NET_SELFTESTS="y";
+            NET_SWITCHDEV="y";
+            NET_VENDOR_MEDIATEK="y";
+            #NET_XGRESS="y";
+            NLS="y";
+            NO_HZ_COMMON="y";
+            NO_HZ_IDLE="y";
+            NR_CPUS="4";
+            NVMEM="y";
+            NVMEM_BLOCK="y";
+            NVMEM_LAYOUTS="y";
+            NVMEM_LAYOUT_ADTRAN="y";
+            NVMEM_MTK_EFUSE="y";
+            NVMEM_SYSFS="y";
+            OF="y";
+            OF_ADDRESS="y";
+            OF_DYNAMIC="y";
+            OF_EARLY_FLATTREE="y";
+            OF_FLATTREE="y";
+            OF_GPIO="y";
+            OF_IRQ="y";
+            OF_KOBJ="y";
+            OF_MDIO="y";
+            OF_OVERLAY="y";
+            OF_RESOLVE="y";
+            PADATA="y";
+            PAGE_POOL="y";
+            PAGE_POOL_STATS="y";
+            PAGE_SIZE_LESS_THAN_256KB="y";
+            PAGE_SIZE_LESS_THAN_64KB="y";
+            #PAHOLE_HAS_LANG_EXCLUDE="y";
+            PARTITION_PERCPU="y";
+            PCI="y";
+            PCIEAER="y";
+            PCIEASPM="y";
+            PCIEASPM_PERFORMANCE="y";
+            PCIEPORTBUS="y";
+            PCIE_MEDIATEK_GEN3="y";
+            PCIE_PME="y";
+            PCI_DEBUG="y";
+            PCI_DOMAINS="y";
+            PCI_DOMAINS_GENERIC="y";
+            PCI_MSI="y";
+            PCS_MTK_LYNXI="y";
+            PCS_MTK_USXGMII="y";
+            PERF_EVENTS="y";
+            PER_VMA_LOCK="y";
+            PGTABLE_LEVELS="3";
+            PHYLIB="y";
+            PHYLIB_LEDS="y";
+            PHYLINK="y";
+            PHYS_ADDR_T_64BIT="y";
+            PHY_MTK_TPHY="y";
+            PHY_MTK_XFI_TPHY="y";
+            PHY_MTK_XSPHY="y";
+            PINCTRL="y";
+            PINCTRL_MT7981="y";
+            PINCTRL_MT7986="y";
+            PINCTRL_MT7988="y";
+            PINCTRL_MTK_MOORE="y";
+            PINCTRL_MTK_V2="y";
+            PM="y";
+            PM_CLK="y";
+            PM_GENERIC_DOMAINS="y";
+            PM_GENERIC_DOMAINS_OF="y";
+            PM_OPP="y";
+            POLYNOMIAL="y";
+            POSIX_CPU_TIMERS_TASK_WORK="y";
+            POWER_RESET="y";
+            POWER_RESET_SYSCON="y";
+            POWER_SUPPLY="y";
+            PREEMPT_NONE_BUILD="y";
+            PRINTK_TIME="y";
+            PSTORE="y";
+            PSTORE_COMPRESS="y";
+            PSTORE_CONSOLE="y";
+            PSTORE_PMSG="y";
+            PSTORE_RAM="y";
+            PTP_1588_CLOCK_OPTIONAL="y";
+            PWM="y";
+            PWM_MEDIATEK="y";
+            PWM_SYSFS="y";
+            QUEUED_RWLOCKS="y";
+            QUEUED_SPINLOCKS="y";
+            RANDSTRUCT_NONE="y";
+            RAS="y";
+            RATIONAL="y";
+            REALTEK_PHY="y";
+            REED_SOLOMON="y";
+            REED_SOLOMON_DEC8="y";
+            REED_SOLOMON_ENC8="y";
+            REGMAP="y";
+            REGMAP_I2C="y";
+            REGMAP_MMIO="y";
+            REGULATOR="y";
+            REGULATOR_FIXED_VOLTAGE="y";
+            REGULATOR_MT6380="y";
+            REGULATOR_RT5190A="y";
+            RESET_CONTROLLER="y";
+            RESET_TI_SYSCON="y";
+            RFS_ACCEL="y";
+            RODATA_FULL_DEFAULT_ENABLED="y";
+            RPS="y";
+            RTC_CLASS="y";
+            RTC_DRV_MT7622="y";
+            RTC_I2C_AND_SPI="y";
+            RWSEM_SPIN_ON_OWNER="y";
+            SCHED_MC="y";
+            SCSI="y";
+            SCSI_COMMON="y";
+            SERIAL_8250_FSL="y";
+            SERIAL_8250_MT6577="y";
+            SERIAL_8250_NR_UARTS="3";
+            SERIAL_8250_RUNTIME_UARTS="3";
+            SERIAL_DEV_BUS="y";
+            SERIAL_DEV_CTRL_TTYPORT="y";
+            SERIAL_MCTRL_GPIO="y";
+            SERIAL_OF_PLATFORM="y";
+            SGL_ALLOC="y";
+            SG_POOL="y";
+            SMP="y";
+            SOCK_RX_QUEUE_MAPPING="y";
+            SOFTIRQ_ON_OWN_STACK="y";
+            SPARSEMEM="y";
+            SPARSEMEM_EXTREME="y";
+            SPARSEMEM_VMEMMAP="y";
+            SPARSEMEM_VMEMMAP_ENABLE="y";
+            SPARSE_IRQ="y";
+            SPI="y";
+            SPI_DYNAMIC="y";
+            SPI_MASTER="y";
+            SPI_MEM="y";
+            SPI_MT65XX="y";
+            SPI_MTK_SNFI="y";
+            #SQUASHFS_DECOMP_MULTI_PERCPU="y";
+            SWIOTLB="y";
+            SWPHY="y";
+            SYSCTL_EXCEPTION_TRACE="y";
+            THERMAL="y";
+            THERMAL_DEFAULT_GOV_STEP_WISE="y";
+            THERMAL_EMERGENCY_POWEROFF_DELAY_MS="0";
+            THERMAL_GOV_BANG_BANG="y";
+            THERMAL_GOV_FAIR_SHARE="y";
+            THERMAL_GOV_STEP_WISE="y";
+            THERMAL_GOV_USER_SPACE="y";
+            THERMAL_HWMON="y";
+            THERMAL_OF="y";
+            THERMAL_WRITABLE_TRIPS="y";
+            THREAD_INFO_IN_TASK="y";
+            TICK_CPU_ACCOUNTING="y";
+            TIMER_OF="y";
+            TIMER_PROBE="y";
+            TRACE_IRQFLAGS_NMI_SUPPORT="y";
+            TREE_RCU="y";
+            TREE_SRCU="y";
+            UBIFS_FS="y";
+            UIMAGE_FIT_BLK="y";
+            USB_SUPPORT="y";
+            VMAP_STACK="y";
+            WATCHDOG_CORE="y";
+            WATCHDOG_PRETIMEOUT_DEFAULT_GOV_PANIC="y";
+            WATCHDOG_PRETIMEOUT_GOV="y";
+            WATCHDOG_PRETIMEOUT_GOV_PANIC="y";
+            WATCHDOG_PRETIMEOUT_GOV_SEL="m";
+            WATCHDOG_SYSFS="y";
+            XPS="y";
+            XXHASH="y";
+            ZLIB_DEFLATE="y";
+            ZLIB_INFLATE="y";
+            ZONE_DMA32="y";
+            ZSTD_COMMON="y";
+            ZSTD_COMPRESS="y";
+            ZSTD_DECOMPRESS="y";
+            # from DEVICE_PACKAGES in the openwrt_one section of
+            # openwrt's ./target/linux/mediatek/image/filogic.mk:
+            # chop off the 'kmod-' prefix and search for 'KernelPackage/...'
+            # in ./package/kernel/linux/modules/*.mk, and remember to add
+            # modules to kmodloader targets below
+            AIR_EN8811H_PHY="m";
+            RTC_DRV_PCF8563="m";
+            NVME_CORE="m";
+            BLK_DEV_NVME="m";
+            NVME_MULTIPATH="n";
+            NVME_HWMON="y";
+            # ???
+            AQUANTIA_PHY="m";
+            MT798X_WMAC="y";
+          } // lib.optionalAttrs (config.system.service ? watchdog) {
+            RALINK_WDT = "y";  # watchdog
+            MT7621_WDT = "y";  # or it might be this one
+          };
+          conditionalConfig = {
+            WLAN = {
+              MT7915E = "m";
+            };
+          };
+        };
+        boot = {
+          commandLine = [ "console=ttyS0,115200" ];
+          tftp = {
+            # Should be a segment of free RAM, where the tftp artifact
+            # can be stored before unpacking it to the 'hardware.loadAddress'
+            # The 'hardware.loadAddress' is 0x44000000, and the bootlog
+            # suggests it loads the fit to 0x46000000
+            loadAddress = lim.parseInt "0x46000000";
+          };
+          imageFormat = "fit";
+          loader.fit.enable = lib.mkDefault true; # override this if you are building tftpboot
+        };
+        rootfsType = lib.mkDefault "ubifs"; # override this if you are building tftpboot
+        filesystem =
+        let inherit (pkgs.pseudofile) dir symlink;
+             in
+               dir {
+                 lib = dir {
+                   firmware = dir {
+                     mediatek = symlink mediatek-firmware;
+                     airoha = symlink airoha-firmware;
+                   };
+                 };
+               };
+
+      hardware =
+        let
+          phy = pkgs.kmodloader.override {
+            targets = [
+              "air_en8811h"
+            ];
+            inherit (config.system.outputs) kernel;
+          };
+          mac80211 = pkgs.kmodloader.override {
+            targets = [
+              "mt7915e"
+              "rtc-pcf8563"
+              "nvme_core"
+              "nvme"
+              #"mt7996e"
+              "aquantia"
+            ];
+            inherit (config.system.outputs) kernel;
+          };
+        in {
+          # from OEM bootlog
+          # Creating 4 MTD partitions on "spi0.0":
+          # 0x000000000000-0x000000040000 : "bl2-nor"
+          # 0x000000040000-0x000000100000 : "factory"
+          # 0x000000100000-0x000000180000 : "fip-nor"
+          # 0x000000180000-0x000000e00000 : "recovery"
+          # spi-nand spi1.1: calibration result: 0x3
+          # spi-nand spi1.1: Winbond SPI NAND was found.
+          # spi-nand spi1.1: 256 MiB, block size: 128 KiB, page size: 2048, OOB size: 128
+          # 2 fixed-partitions partitions found on MTD device spi1.1
+          # Creating 2 MTD partitions on "spi1.1":
+          # 0x000000000000-0x000000100000 : "bl2"
+          # 0x000000100000-0x000010000000 : "ubi"
+
+          flash = {
+            # from the OEM bootlog:
+            # ## Checking Image at 46000000 ...
+            #   FIT image found
+            #   FIT description: ARM64 OpenWrt FIT (Flattened Image Tree)
+            #    Image 0 (kernel-1)
+            #     Description:  ARM64 OpenWrt Linux-6.6.57
+            #     Type:         Kernel Image
+            #     Compression:  gzip compressed
+            #     Data Start:   0x46001000
+            #     Data Size:    5751840 Bytes = 5.5 MiB
+            #     Architecture: AArch64
+            #     OS:           Linux
+            #     Load Address: 0x44000000
+            #     Entry Point:  0x44000000
+
+            address = lim.parseInt "0x44000000";
+            size = lim.parseInt "0xf60000";
+            # /proc/mtd on a running system:
+            # dev:    size   erasesize  name
+            # mtd0: 00040000 00010000 "bl2-nor"
+            # mtd1: 000c0000 00010000 "factory"
+            # mtd2: 00080000 00010000 "fip-nor"
+            # mtd3: 00c80000 00010000 "recovery"
+            # mtd4: 00100000 00020000 "bl2"
+            # mtd5: 0ff00000 00020000 "ubi"
+            eraseBlockSize = 65536;
+          };
+          ubi = {
+            # TODO taken from belkin-rt3200, to review
+            minIOSize = "2048";
+            logicalEraseBlockSize = "126976";
+            physicalEraseBlockSize = "131072";
+            maxLEBcount = "1024"; # guessing
+          };
+
+
+          defaultOutput = "ubimage";
+          loadAddress = lim.parseInt "0x44000000";
+          entryPoint = lim.parseInt "0x44000000";
+          # TODO AFAICT this should be 2048, but I got 'FIT: image rootfs-1 start not aligned to page boundaries' with that...
+          #alignment = 2048;
+          alignment = 4096;
+          rootDevice = "ubi0:liminix";
+          dts = {
+            src = "${openwrt.src}/target/linux/mediatek/dts/mt7981b-openwrt-one.dts";
+            includePaths = [
+              "${openwrt.src}/target/linux/mediatek/dts"
+              "${config.system.outputs.kernel.modulesupport}/arch/arm64/boot/dts/mediatek/"
+            ];
+          };
+
+          networkInterfaces =
+            let
+              inherit (config.system.service.network) link;
+            in rec {
+              eth0 = link.build {
+                ifname = "eth0";
+                dependencies = [ phy ];
+              };
+              eth1 = link.build { ifname = "eth1"; };
+
+              wlan0 = link.build {
+                ifname = "wlan0";
+                dependencies = [ mac80211 ];
+              };
+              wlan1 = link.build {
+                ifname = "wlan1";
+                dependencies = [ mac80211 ];
+              };
+            };
+        };
+    };
+    };
+}

devices/qemu-aarch64/default.nix

@@ -19,14 +19,14 @@
     ARM targets differ from MIPS in that the kernel format expected
     by QEMU is an "Image" (raw binary file) rather than an ELF
     file, but this is taken care of by :command:`run.sh`. Check the
-    documentation for the :ref:`QEMU` (MIPS) target for more information.
+    documentation for the :ref:`qemu` target for more information.
 
   '';
 
   # this device is described by the "qemu" device
   installer = "vmroot";
 
-  module = {pkgs, config, lim, ... }: {
+  module = { config, lim, ... }: {
     imports = [
       ../../modules/arch/aarch64.nix
       ../families/qemu.nix

devices/qemu-armv7l/default.nix

@@ -24,7 +24,7 @@
   '';
   installer = "vmroot";
 
-  module = {pkgs, config, lim, ... }: {
+  module = { config, lim, ... }: {
     imports = [
       ../../modules/arch/arm.nix
       ../families/qemu.nix

devices/qemu/default.nix

@@ -36,7 +36,7 @@
     in the Development manual.
 
   '';
-  module = {pkgs, config, lib, lim, ... }: {
+  module = { config, lib, lim, ... }: {
     imports = [
       ../../modules/arch/mipseb.nix
       ../families/qemu.nix
@@ -66,7 +66,7 @@
         # *correct* but it does at least boot
         dts = lib.mkForce {
           src = "${config.system.outputs.kernel.modulesupport}/arch/mips/boot/dts/mti/malta.dts";
-          includes =  [
+          includePaths =  [
             "${config.system.outputs.kernel.modulesupport}/arch/mips/boot/dts/"
           ];
         };

devices/tp-archer-ax23/default.nix

@@ -50,11 +50,6 @@
       ];
       config = {
         kernel = {
-          src = pkgs.pkgsBuildBuild.fetchurl {
-            name = "linux.tar.gz";
-            url = "https://cdn.kernel.org/pub/linux/kernel/v5.x/linux-5.15.137.tar.gz";
-            hash = "sha256-PkdzUKZ0IpBiWe/RS70J76JKnBFzRblWcKlaIFNxnHQ=";
-          };
           extraPatchPhase = ''
             ${pkgs.openwrt.applyPatches.ramips}
           '';
@@ -410,7 +405,7 @@
           rootDevice = "/dev/mtdblock3";
           dts = {
             src = "${openwrt.src}/target/linux/ramips/dts/mt7621_tplink_archer-ax23-v1.dts";
-            includes =  [
+            includePaths =  [
               "${openwrt.src}/target/linux/ramips/dts"
               "${config.system.outputs.kernel.modulesupport}/arch/arm64/boot/dts/mediatek/"
             ];
@@ -419,7 +414,6 @@
           networkInterfaces =
             let
               inherit (config.system.service.network) link;
-              inherit (config.system.service) bridge;
             in rec {
               lan1 = link.build { ifname = "lan1"; };
               lan2 = link.build { ifname = "lan2"; };

devices/turris-omnia/default.nix

@@ -155,8 +155,6 @@
 
   module = {pkgs, config, lib, lim, ... }:
     let
-      openwrt = pkgs.openwrt;
-      inherit (lib) mkOption types;
       inherit (pkgs.liminix.services) oneshot;
       inherit (pkgs) liminix;
       mtd_by_name_links = pkgs.liminix.services.oneshot rec  {
@@ -174,10 +172,12 @@
         ../../modules/arch/arm.nix
         ../../modules/outputs/tftpboot.nix
         ../../modules/outputs/mbrimage.nix
-        ../../modules/outputs/extlinux.nix
       ];
 
       config = {
+        rootfsType = lib.mkDefault "btrfs"; # override this if you are building tftpboot
+        rootOptions = lib.mkDefault "subvol=@";
+
         services.mtd-name-links = mtd_by_name_links;
         kernel = {
           src = pkgs.pkgsBuildBuild.fetchurl {
@@ -226,11 +226,6 @@
             # WARNING: unmet direct dependencies detected for ARCH_WANT_LIBATA_LEDS
             ATA = "y";
 
-            PSTORE = "y";
-            PSTORE_RAM = "y";
-            PSTORE_CONSOLE = "y";
-#            PSTORE_DEFLATE_COMPRESS = "n";
-
             BLOCK = "y";
             MMC="y";
             PWRSEQ_EMMC="y";        # ???
@@ -300,6 +295,7 @@
           };
         };
         boot = {
+          loader.extlinux.enable = lib.mkDefault true; # override this if you are building tftpboot
           commandLine = [
             "console=ttyS0,115200"
             "pcie_aspm=off" # ath9k pci incompatible with PCIe ASPM
@@ -343,14 +339,14 @@
             targets = ["ath9k" "ath10k_pci"];
           };
         in {
-          defaultOutput = "mtdimage";
+          defaultOutput = "updater";
           loadAddress = lim.parseInt "0x00800000"; # "0x00008000";
           entryPoint = lim.parseInt "0x00800000"; # "0x00008000";
           rootDevice = "/dev/mmcblk0p1";
 
           dts = {
             src = "${config.system.outputs.kernel.modulesupport}/arch/arm/boot/dts/marvell/armada-385-turris-omnia.dts";
-            includes =  [
+            includePaths =  [
               "${config.system.outputs.kernel.modulesupport}/arch/arm/boot/dts/marvell/"
             ];
           };
@@ -358,7 +354,6 @@
           networkInterfaces =
             let
               inherit (config.system.service.network) link;
-              inherit (config.system.service) bridge;
             in rec {
               en70000 = link.build {
                 # in armada-38x.dtsi this is eth0.

devices/zyxel-nwa50ax/a_image/mt7621_zyxel_nwa-ax-for-ab.dtsi

@@ -0,0 +1,155 @@
+#include "mt7621.dtsi"
+
+#include <dt-bindings/gpio/gpio.h>
+#include <dt-bindings/input/input.h>
+
+/ {
+	aliases {
+		label-mac-device = &gmac0;
+	};
+};
+
+&nand {
+	status = "okay";
+
+	mediatek,nmbm;
+	mediatek,bmt-max-ratio = <15>;
+	mediatek,bmt-max-reserved-blocks = <64>;
+	mediatek,bmt-remap-range =
+		<0x0 0x980000>,
+		<0x2980000 0x7800000>;
+
+	partitions {
+		compatible = "fixed-partitions";
+		#address-cells = <1>;
+		#size-cells = <1>;
+
+		partition@0 {
+			label = "u-boot";
+			reg = <0x0 0x80000>;
+			read-only;
+		};
+
+		partition@80000 {
+			label = "u-boot-env";
+			reg = <0x80000 0x80000>;
+			read-only;
+		};
+
+		factory: partition@100000 {
+			label = "factory";
+			reg = <0x100000 0x80000>;
+			read-only;
+		};
+
+		partition@180000 {
+			label = "firmware_a";
+			reg = <0x180000 0x2800000>;
+
+			compatible = "fixed-partitions";
+			#address-cells = <1>;
+			#size-cells = <1>;
+
+			partition@0 {
+				label = "kernel_a";
+				reg = <0x0 0x800000>;
+			};
+
+			partition@400000 {
+				label = "ubi";
+				reg = <0x800000 0x2000000>;
+			};
+		};
+
+		partition@2980000 {
+			label = "firmware_b";
+			reg = <0x2980000 0x2800000>;
+
+			compatible = "fixed-partitions";
+			#address-cells = <1>;
+			#size-cells = <1>;
+
+			partition@0 {
+				label = "kernel_b";
+				reg = <0x0 0x800000>;
+			};
+
+			partition@400000 {
+				label = "ubi_b";
+				reg = <0x800000 0x2000000>;
+			};
+		};
+
+		partition@5180000 {
+			label = "rootfs_data";
+			reg = <0x5180000 0x1400000>;
+		};
+
+		partition@6580000 {
+			label = "logs";
+			reg = <0x6580000 0xd00000>;
+		};
+
+		partition@7280000 {
+			label = "vendor-myzyxel";
+			reg = <0x7280000 0x480000>;
+			read-only;
+		};
+
+		partition@7700000 {
+			label = "bootconfig";
+			reg = <0x7700000 0x80000>;
+		};
+
+		mrd: partition@7780000 {
+			label = "mrd";
+			reg = <0x7780000 0x80000>;
+			read-only;
+
+			nvmem-layout {
+				compatible = "fixed-layout";
+				#address-cells = <1>;
+				#size-cells = <1>;
+
+				macaddr_mrd_1fff8: macaddr@1fff8 {
+					reg = <0x1fff8 0x6>;
+				};
+			};
+		};
+	};
+};
+
+&pcie {
+	status = "okay";
+};
+
+&pcie1 {
+	wlan_5g: wifi@0,0 {
+		reg = <0x0 0 0 0 0>;
+		compatible = "mediatek,mt76";
+
+		mediatek,mtd-eeprom = <&factory 0x0>;
+		/* MAC-Address set in userspace */
+	};
+};
+
+&gmac0 {
+	nvmem-cells = <&macaddr_mrd_1fff8>;
+	nvmem-cell-names = "mac-address";
+};
+
+&switch0 {
+	ports {
+		port@4 {
+			status = "okay";
+			label = "lan";
+		};
+	};
+};
+
+&state_default {
+	gpio {
+		groups = "uart3";
+		function = "gpio";
+	};
+};

devices/zyxel-nwa50ax/b_image/mt7621_zyxel_nwa-ax-for-ab.dtsi

@@ -0,0 +1,155 @@
+#include "mt7621.dtsi"
+
+#include <dt-bindings/gpio/gpio.h>
+#include <dt-bindings/input/input.h>
+
+/ {
+	aliases {
+		label-mac-device = &gmac0;
+	};
+};
+
+&nand {
+	status = "okay";
+
+	mediatek,nmbm;
+	mediatek,bmt-max-ratio = <15>;
+	mediatek,bmt-max-reserved-blocks = <64>;
+	mediatek,bmt-remap-range =
+		<0x0 0x980000>,
+		<0x2980000 0x7800000>;
+
+	partitions {
+		compatible = "fixed-partitions";
+		#address-cells = <1>;
+		#size-cells = <1>;
+
+		partition@0 {
+			label = "u-boot";
+			reg = <0x0 0x80000>;
+			read-only;
+		};
+
+		partition@80000 {
+			label = "u-boot-env";
+			reg = <0x80000 0x80000>;
+			read-only;
+		};
+
+		factory: partition@100000 {
+			label = "factory";
+			reg = <0x100000 0x80000>;
+			read-only;
+		};
+
+		partition@2980000 {
+			label = "firmware_b";
+			reg = <0x2980000 0x2800000>;
+
+			compatible = "fixed-partitions";
+			#address-cells = <1>;
+			#size-cells = <1>;
+
+			partition@0 {
+				label = "kernel_b";
+				reg = <0x0 0x800000>;
+			};
+
+			partition@400000 {
+				label = "ubi";
+				reg = <0x800000 0x2000000>;
+			};
+		};
+
+		partition@180000 {
+			label = "firmware_a";
+			reg = <0x180000 0x2800000>;
+
+			compatible = "fixed-partitions";
+			#address-cells = <1>;
+			#size-cells = <1>;
+
+			partition@0 {
+				label = "kernel_a";
+				reg = <0x0 0x800000>;
+			};
+
+			partition@400000 {
+				label = "ubi_a";
+				reg = <0x800000 0x2000000>;
+			};
+		};
+
+		partition@5180000 {
+			label = "rootfs_data";
+			reg = <0x5180000 0x1400000>;
+		};
+
+		partition@6580000 {
+			label = "logs";
+			reg = <0x6580000 0xd00000>;
+		};
+
+		partition@7280000 {
+			label = "vendor-myzyxel";
+			reg = <0x7280000 0x480000>;
+			read-only;
+		};
+
+		partition@7700000 {
+			label = "bootconfig";
+			reg = <0x7700000 0x80000>;
+		};
+
+		mrd: partition@7780000 {
+			label = "mrd";
+			reg = <0x7780000 0x80000>;
+			read-only;
+
+			nvmem-layout {
+				compatible = "fixed-layout";
+				#address-cells = <1>;
+				#size-cells = <1>;
+
+				macaddr_mrd_1fff8: macaddr@1fff8 {
+					reg = <0x1fff8 0x6>;
+				};
+			};
+		};
+	};
+};
+
+&pcie {
+	status = "okay";
+};
+
+&pcie1 {
+	wlan_5g: wifi@0,0 {
+		reg = <0x0 0 0 0 0>;
+		compatible = "mediatek,mt76";
+
+		mediatek,mtd-eeprom = <&factory 0x0>;
+		/* MAC-Address set in userspace */
+	};
+};
+
+&gmac0 {
+	nvmem-cells = <&macaddr_mrd_1fff8>;
+	nvmem-cell-names = "mac-address";
+};
+
+&switch0 {
+	ports {
+		port@4 {
+			status = "okay";
+			label = "lan";
+		};
+	};
+};
+
+&state_default {
+	gpio {
+		groups = "uart3";
+		function = "gpio";
+	};
+};

devices/zyxel-nwa50ax/default.nix

@@ -0,0 +1,359 @@
+{
+  system = {
+    crossSystem = {
+      config = "mipsel-unknown-linux-musl";
+      gcc = {
+        abi = "32";
+        arch = "mips32";          # mips32r2?
+      };
+    };
+  };
+
+  description = ''
+    Zyxel NWA50AX
+    ********************
+
+    Zyxel NWA50AX is quite close to the GL-MT300N-v2 "Mango" device, but it is based on the MT7621
+    chipset instead of the MT7628.
+
+    Installation
+    ============
+
+    This device is pretty, but, due to its A/B capabilities, can be a bit hard
+    to use completely.
+
+    The stock vendor firmware is a downstream fork of U-Boot: <https://github.com/RaitoBezarius/uboot-nwa50ax>
+    with restricted boot commands. Fortunately, OpenWrt folks figured out trivial command injections,
+    so you can use most of the OpenWrt commands without trouble by just command injecting
+    atns, atna or atnf, e.g. atns "; $real_command".
+
+    From factory web UI, you can upload the result of the zyxel-nwa-fit output.
+    From another operating system, you need to `dumpimage -T flat_dt -p 0 $zyxel-nwa-fit -o firmware.bin`,
+    `flash_erase $(mtd partition of the target partition firmware or zy_firmware) 0 0`, then you complete by
+    `nandwrite -p $(mtd partition of the target partition firmware or zy_firmware) firmware.bin`.
+
+    How to put the firmware.bin on the machine is left to you as an exercise, e.g. SSH, TFTP, whatever.
+
+    From serial, you have two choices:
+
+    - Flash this system via U-Boot:
+      same reasoning as from an existing Linux system, two choices:
+      - ymodem the binary, perform the write manually, you can inspire yourself
+      from the `script` contained in the vendor firmware, those are just a FIT containing a script.
+      - prepare a FIT containing a script executing your commands, tftpboot this.
+
+    - boot from an existing Liminix system, e.g. TFTPBOOT image.
+    - boot from an OpenWrt system, i.e. follow OpenWrt steps.
+
+    Once you are in a Linux system, understand that this device has A/B boot.
+
+    OpenWrt provides you with `zyxel-bootconfig` to set/unset the image status and choice.
+
+    The kernel is booted with `bootImage=<number>` which tells you which slot are you on.
+
+    You should find yourself with 10ish MTD partitions, the most interesting ones are two:
+
+    - firmware: 40MB
+    - firmware_1: 40MB
+
+    In the current setup, they are split further into kernel (8MB) and ubi (32MB).
+
+    Once you are done with first installation, note that if you want to use the A/B feature,
+    you need to write a _secondary_ image on the slot B. There is no proper flashing code
+    that will set the being-updated slot to `new` and boot on it to verify if it's working.
+    This is a WIP.
+
+    Upgrading your system can be achieved via:
+
+    - `liminix-rebuild` for the userspace.
+    - `flash_erase` + `nandwrite` for the kernelspace to the other slot than the one you are booted on,
+      note that you can just nandwrite the mtd partition corresponding to the *kernel* and not the whole firmware.
+
+    If you soft-bricked your AP, i.e. you cannot boot anything in U-Boot, no worries, just plug the serial console,
+    prepare a TFTP server (via `tufted` for example), download vendor firmware, set up `atns`, `atnf`, etc. and run `atnz`.
+
+    This will reflash everything back to normal via TFTP.
+
+    If you hard-bricked your AP, i.e. U-Boot is telling you to transfer a valid bootloader via ymodem, just extract
+    a U-Boot from the vendor OS, send it via ymodem and use the previous operations to perform a full flash this time
+    of all partitions.
+
+    Note that if you erased your MRD partition, you lost your serial and MAC address. There's no way to recover the original one
+    except by reading the physical label on your… device!
+
+    If you super-hard-bricked your AP, i.e. no output on serial console, congratulations, you reached one of the rare state
+    of this device. You need an external NAND flasher to repair it and write the first stage from Mediatek to continue the previous
+    recovery operations.
+
+    Development TODO list:
+
+    - Better support for upgrade automation w.r.t. to A/B, e.g. automagic scripts.
+    - Mount the logs partition, mount / as overlayfs of firmware ? rootfs and rootfs_data for extended data.
+    - Jitter-based entropy injection? Device can be slow to initialize its CRNG and hostapd will reject few clients at the start because of that.
+    - Defaults for hostapd based on MT7915 capabilities? See the example for one possible list.
+    - Remove primary/secondary hack and put it in preinit.
+    - Offer ways to reflash the *bootloader* itself to support direct boot via UBI and kernel upgrades via filesystem rewrite.
+
+    Vendor web page: https://www.zyxel.com/fr/fr/products/wireless/ax1800-wifi-6-dual-radio-nebulaflex-access-point-nwa50ax
+
+    OpenWrt web page: https://openwrt.org/inbox/toh/zyxel/nwa50ax
+    OpenWrt tech data: https://openwrt.org/toh/hwdata/zyxel/zyxel_nwa50ax
+
+  '';
+
+  module = { pkgs, config, lib, lim, ...}:
+    let
+      inherit (pkgs.pseudofile) dir symlink;
+      inherit (pkgs) openwrt;
+
+      mac80211 = pkgs.mac80211.override {
+        drivers = [ "mt7915e" ];
+        klibBuild = config.system.outputs.kernel.modulesupport;
+      };
+      # v204520220929
+      wlan_firmware = pkgs.fetchurl {
+        url = "https://github.com/openwrt/mt76/raw/1b88dd07f153b202e57fe29734806744ed006b0e/firmware/mt7915_wa.bin";
+        hash = "sha256-wooyefzb0i8640+lwq3vNhcBXRFCtGuo+jiL7afZaKA=";
+      };
+      wlan_firmware' = pkgs.fetchurl {
+        url = "https://github.com/openwrt/mt76/raw/1b88dd07f153b202e57fe29734806744ed006b0e/firmware/mt7915_wm.bin";
+        hash = "sha256-k62nQewRuKjBLd5R3RxU4F74YKnQx5zr6gqMMImqVQw=";
+      };
+      wlan_firmware'' = pkgs.fetchurl {
+        url = "https://github.com/openwrt/mt76/raw/1b88dd07f153b202e57fe29734806744ed006b0e/firmware/mt7915_rom_patch.bin";
+        hash = "sha256-ifriAjWzFACrxVWCANZpUaEZgB/0pdbhnTVQytx6ddg=";
+      };
+    in {
+      imports = [
+        # We include it to ensure the bridge functionality
+        # is available on the target kernel.
+        ../../modules/bridge
+        ../../modules/arch/mipsel.nix
+        ../../modules/outputs/tftpboot.nix
+        ../../modules/outputs/zyxel-nwa-fit.nix
+        ../../modules/zyxel-dual-image
+      ];
+
+      filesystem = dir {
+        lib = dir {
+          firmware = dir {
+            mediatek = dir {
+              "mt7915_wa.bin" = symlink wlan_firmware;
+              "mt7915_wm.bin" = symlink wlan_firmware';
+              "mt7915_rom_patch.bin" = symlink wlan_firmware'';
+            };
+          };
+        };
+      };
+
+      rootfsType = "ubifs";
+      hardware = {
+        # Taken from OpenWRT
+        # root@OpenWrt:/# ubinfo /dev/ubi0
+        # ubi0
+        # Volumes count:                           2
+        # Logical eraseblock size:                 126976 bytes, 124.0 KiB
+        # Total amount of logical eraseblocks:     256 (32505856 bytes, 31.0 MiB)
+        # Amount of available logical eraseblocks: 0 (0 bytes)
+        # Maximum count of volumes                 128
+        # Count of bad physical eraseblocks:       0
+        # Count of reserved physical eraseblocks:  19
+        # Current maximum erase counter value:     2
+        # Minimum input/output unit size:          2048 bytes
+        # Character device major/minor:            250:0
+        # Present volumes:                         0, 1
+        ubi = {
+          minIOSize = "2048";
+          logicalEraseBlockSize = "126976";
+          physicalEraseBlockSize = "128KiB";
+          maxLEBcount = "256";
+        };
+
+        # This is a FIT containing a kernel padded and
+        # a UBI volume rootfs.
+        defaultOutput = "zyxel-nwa-fit";
+
+        loadAddress = lim.parseInt "0x80001000";
+        entryPoint = lim.parseInt "0x80001000";
+        # Aligned on 2kb.
+        alignment = 2048;
+
+        rootDevice = "ubi:rootfs";
+
+        dts = {
+          # Actually, this is not what we want.
+          # This DTS is insufficient.
+          src = ./mt7621_zyxel_nwa50ax.dtsi;
+          includePaths = [
+            # Here's one weird trick to make `ubi` detection
+            # out of the box.
+            # We will write ubi on /dev/firmware_a:rootfs location
+            # and same for /dev/firmware_b:rootfs.
+            # How do we distinguish both?
+            # We can just use the DTS to point ubi at A or B.
+            # This, unfortunately, means that we have "two images".
+            # But they are really just 1 image with 2 different DTS.
+            # TODO: improve this hack in preinit?
+            (if config.boot.imageType == "primary" then "${./a_image}" else "${./b_image}")
+            "${openwrt.src}/target/linux/ramips/dts"
+          ];
+        };
+        networkInterfaces =
+          let
+            inherit (config.system.service.network) link;
+          in {
+            eth = link.build { ifname = "eth0"; };
+            lan = link.build { ifname = "lan"; };
+            wlan0 = link.build {
+              ifname = "wlan0";
+              dependencies = [ mac80211 ];
+            };
+            wlan1 = link.build {
+              ifname = "wlan1";
+              dependencies = [ mac80211 ];
+            };
+          };
+      };
+
+      boot = {
+        # Critical because NWA50AX will extend your cmdline with the image number booted.
+        # and some bootloader version.
+        # You don't want to find yourself being overridden.
+        commandLineDtbNode = "bootargs-override";
+
+        imageFormat = "fit";
+        tftp = {
+          # 5MB is nice.
+          freeSpaceBytes = 5 * 1024 * 1024;
+          loadAddress = lim.parseInt "0x2000000";
+        };
+      };
+
+      # Dual image management service in userspace.
+      services.zyxel-dual-image = config.boot.zyxel-dual-image.build {
+        ensureActiveImage = "primary";
+        # TODO: use mtd names rather…
+        # primary and secondary are always /dev/mtd3 by virtue of the
+        # dtb being not too wrong…
+        # TODO: remove this hack.
+        primaryMtdPartition = "/dev/mtd3";
+        secondaryMtdPartition = "/dev/mtd3";
+        bootConfigurationMtdPartition = "/dev/mtd12";
+      };
+
+      #  DEVICE_VENDOR := ZyXEL
+      #  KERNEL_SIZE := 8192k
+      #  DEVICE_PACKAGES := kmod-mt7915-firmware zyxel-bootconfig
+      #  KERNEL := kernel-bin | lzma | fit lzma $$(KDIR)/image-$$(firstword $$(DEVICE_DTS)).dtb
+      #  IMAGES += factory.bin ramboot-factory.bin
+      #  IMAGE/factory.bin := append-kernel | pad-to $$(KERNEL_SIZE) | append-ubi | zyxel-nwa-fit
+      #  IMAGE/ramboot-factory.bin := append-kernel | pad-to $$(KERNEL_SIZE) | append-ubi
+
+      kernel = {
+        extraPatchPhase = ''
+          ${openwrt.applyPatches.ramips}
+        '';
+        config = {
+
+          RALINK = "y";
+          PCI = "y";
+          PHY_MT7621_PCI = "y";
+          PCIE_MT7621 = "y";
+          SOC_MT7621 = "y";
+          CLK_MT7621 = "y";
+          CLOCKSOURCE_WATCHDOG = "y";
+
+          SERIAL_8250_CONSOLE = "y";
+          SERIAL_8250 = "y";
+          SERIAL_CORE_CONSOLE = "y";
+          SERIAL_OF_PLATFORM = "y";
+          SERIAL_8250_NR_UARTS = "3";
+          SERIAL_8250_RUNTIME_UARTS = "3";
+          SERIAL_MCTRL_GPIO = "y";
+
+          CONSOLE_LOGLEVEL_DEFAULT = "8";
+          CONSOLE_LOGLEVEL_QUIET = "4";
+
+          # MTD_UBI_BEB_LIMIT = "20";
+          # MTD_UBI_WL_THRESHOLD = "4096";
+
+          MTD = "y";
+          MTD_BLOCK = "y";          # fix undefined ref to register_mtd_blktrans_dev
+          MTD_RAW_NAND = "y";
+          MTD_NAND_MT7621 = "y";
+          MTD_NAND_MTK_BMT = "y";      # Bad-block Management Table
+          MTD_NAND_ECC_SW_HAMMING= "y";
+          MTD_SPI_NAND= "y";
+          MTD_OF_PARTS = "y";
+          MTD_NAND_CORE= "y";
+          MTD_SPLIT_FIRMWARE= "y";
+          MTD_SPLIT_FIT_FW= "y";
+
+          PINCTRL = "y";
+          PINCTRL_MT7621 = "y";
+
+          I2C = "y";
+          I2C_MT7621 = "y";
+
+          SPI = "y";
+          MTD_SPI_NOR = "y";
+          SPI_MT7621 = "y";
+          SPI_MASTER = "y";
+          SPI_MEM = "y";
+
+          REGULATOR = "y";
+          REGULATOR_FIXED_VOLTAGE = "y";
+          RESET_CONTROLLER = "y";
+          POWER_RESET = "y";
+          POWER_RESET_GPIO = "y";
+          POWER_SUPPLY = "y";
+          LED_TRIGGER_PHY = "y";
+
+          PCI_DISABLE_COMMON_QUIRKS = "y";
+          PCI_DOMAINS = "y";
+          PCI_DOMAINS_GENERIC = "y";
+          PCI_DRIVERS_GENERIC = "y";
+          PCS_MTK_LYNXI = "y";
+
+          SOC_BUS = "y";
+
+          NET = "y";
+          ETHERNET = "y";
+          WLAN = "y";
+
+          PHYLIB = "y";
+          AT803X_PHY = "y";
+          FIXED_PHY = "y";
+          GENERIC_PHY = "y";
+          NET_DSA = "y";
+          NET_DSA_MT7530 = "y";
+          NET_DSA_MT7530_MDIO = "y";
+          NET_DSA_TAG_MTK = "y";
+          NET_MEDIATEK_SOC = "y";
+          NET_SWITCHDEV = "y";
+          NET_VENDOR_MEDIATEK = "y";
+
+          SWPHY = "y";
+
+          GPIOLIB = "y";
+          GPIO_MT7621 = "y";
+          OF_GPIO = "y";
+
+          EARLY_PRINTK = "y";
+
+          NEW_LEDS = "y";
+          LEDS_TRIGGERS = "y";
+          LEDS_CLASS = "y";         # required by rt2x00lib
+          LEDS_CLASS_MULTICOLOR = "y";
+          LEDS_BRIGHTNESS_HW_CHANGED = "y";
+
+          PRINTK_TIME = "y";
+        } // lib.optionalAttrs (config.system.service ? vlan) {
+          SWCONFIG = "y";
+        } // lib.optionalAttrs (config.system.service ? watchdog) {
+          RALINK_WDT = "y";  # watchdog
+          MT7621_WDT = "y";  # or it might be this one
+        };
+      };
+    };
+}

devices/zyxel-nwa50ax/mt7621_zyxel_nwa50ax.dtsi

@@ -0,0 +1,56 @@
+#include "mt7621_zyxel_nwa-ax-for-ab.dtsi"
+
+#include <dt-bindings/gpio/gpio.h>
+#include <dt-bindings/input/input.h>
+
+/ {
+	compatible = "zyxel,nwa50ax", "mediatek,mt7621-soc";
+	model = "ZyXEL NWA50AX";
+
+	aliases {
+		led-boot = &led_system_green;
+		led-failsafe = &led_system_red;
+		led-running = &led_system_green;
+		led-upgrade = &led_system_red;
+	};
+
+	leds {
+		compatible = "gpio-leds";
+
+		led_system_red: system_red {
+			label = "red:system";
+			gpios = <&gpio 6 GPIO_ACTIVE_HIGH>;
+		};
+
+		led_system_green: system_green {
+			label = "green:system";
+			gpios = <&gpio 7 GPIO_ACTIVE_HIGH>;
+		};
+
+		system_blue {
+			label = "blue:system";
+			gpios = <&gpio 8 GPIO_ACTIVE_HIGH>;
+		};
+	};
+
+	keys {
+		compatible = "gpio-keys";
+
+		reset {
+			label = "reset";
+			gpios = <&gpio 30 GPIO_ACTIVE_LOW>;
+			linux,code = <KEY_RESTART>;
+		};
+	};
+};
+
+&ethernet {
+	pinctrl-0 = <&mdio_pins>, <&rgmii1_pins>;
+};
+
+&state_default {
+	gpio {
+		groups = "uart3", "rgmii2";
+		function = "gpio";
+	};
+};

doc/admin.rst

@@ -4,155 +4,247 @@ System Administration
 Services on a running system
 ****************************
 
-* add an s6-rc cheatsheet here
+Liminix services are built on s6-rc, which is itself layered on s6.
+Services are defined at build time in your configuration (see
+:ref:`configuration-services` for information) and can't be added
+to/changed at runtime, but to monitor
+events or diagnose problems you may need to inspect them on the
+running system. Here are some of the most commonly used s6,-rc
+commands:
 
+.. list-table:: Service management quick reference
+   :widths: 55 45
+   :header-rows: 1
+   
+   * - What
+     - How
+   * - List all running services
+     - ``s6-rc -a list``
+   * - List all services that are **not** running
+     - ``s6-rc -da list``
+   * - List services that ``wombat`` depends on
+     - ``s6-rc-db dependencies wombat``
+   * - ... transitively
+     - ``s6-rc-db all-dependencies wombat``
+   * - List services that depend on service ``wombat``
+     - ``s6-rc-db -d dependencies wombat``
+   * - ... transitively
+     - ``s6-rc-db -d all-dependencies wombat``
+   * - Stop service ``wombat`` and everything depending on it
+     - ``s6-rc -d change wombat``
+   * - Start service ``wombat`` (but not any services depending on it)
+     - ``s6-rc -u change wombat``
+   * - Start service ``wombat`` and all* services depending on it
+     - ``s6-rc-up-tree wombat``
 
-Flashing and updating
-*********************
+:command:`s6-rc-up-tree` brings up a service and all services that
+depend on it, except for any services that depend on a "controlled"
+service that is not currently running. Controlled services are not
+started at boot time but in response to external events (e.g. plugging
+in a particular piece of hardware) so you probably don't want to be
+starting them by hand if the conditions aren't there.
 
+A service may be **up** or **down** (there are no intermediate states
+like "started" or "stopping" or "dying" or "cogitating"). Some (but
+not all) services have "readiness" notifications: the dependents of a
+service with a readiness notification won't be started until the
+service signals (by writing to a nominated file descriptor) that it's
+prepared to start work. Most services defined by Liminix also have a
+``timeout-up`` parameter, which means that if a service has readiness
+notifications and doesn't become ready in the allotted time (defaults
+20 seconds) it will be terminated and its state set to **down**.
 
+If the process providing a service dies, it will be restarted
+automatically. Liminix does not automatically set it to **down**.
 
-Flashing from Liminix
-=====================
+(If the process providing a service dies without ever notifying
+readiness, Liminix will restart it as many times as it has to until the
+timeout period elapses, and then stop it and mark it down.)
 
-The flash procedure from an existing Liminix-system has two steps.
-First we reboot the device (using "kexec") into an "ephemeral"
-RAM-based version of the new configuration, then when we're happy it
-works we can flash the image - and if it doesn't work we can reboot
-the device again and it will boot from the old image.
+Controlled services
+===================
 
+**Controlled** services are those which are started/stopped on demand
+by a **controller** (another service) instead of being started at boot
+time.  For example:
 
-Building the RAM-based image
-----------------------------
+* ``svc.uevent-rule.build`` creates a controlled service which is
+  active when a particular hardware device (identified by uevent/sysfs
+  directory) is present.
 
-To create the ephemeral image, build ``outputs.kexecboot`` instead of
-``outputs.default``.  This generates a directory containing the root
-filesystem image and kernel, along with an executable called `kexec`
-and a `boot.sh` script that runs it with appropriate arguments.
+* ``svc.round-robin.build`` creates a service controller that
+  invokes two or more services in turn, running the next one when the
+  process providing the previous one exits. We use this for failover
+  from one network connection to a backup connection, for example.
 
-For example
+* ``svc.health-check.build`` creates a service controller that
+  runs a controlled service and periodically tests whether it is
+  healthy by running an external health check command or script. If the
+  check command repeatedly fails, the controlled service is
+  restarted.
+
+  The Configuration section of the manual describes controlled
+  services in more detail. Some operational considerations
+
+* ``round-robin`` detects a service status by looking at its
+  :file:`outputs` directory, so it won't work unless the service
+  creates some outputs. This is considered a bug and will be
+  fixed in a future release
+
+* ``health-check`` works for longruns but not for oneshots, as it
+  internally relies on ``s6-svc`` to restart the process
+
+Logs
+====
+
+Logs for all services are collated into :file:`/run/log/current`.
+The log file is rotated when it reaches a threshold size, into another
+file in the same directory whose name contains a TAI64 timestamp.
+
+Each log line is prefixed with a TAI64 timestamp and the name of the
+service, if it is a longrun. If it is a oneshot, a timestamp and the
+name of some other service. To convert the timestamp into a
+human-readable format, use :command:`s6-tai64nlocal`.
 
 .. code-block:: console
 
-   nix-build -I liminix-config=./examples/arhcive.nix \
-     --arg device "import ./devices/gl-ar750"
-     -A outputs.kexecboot && \
-     (tar chf - result | ssh root@the-device tar -C /run -xvf -)
+  # ls -l /run/log/
+  -rw-r--r--    1         0 lock
+  -rw-r--r--    1         0 state
+  -rwxr--r--    1     98059 @4000000000025cb629c311ac.s
+  -rwxr--r--    1     98061 @40000000000260f7309c7fb4.s
+  -rwxr--r--    1     98041 @40000000000265233a6cc0b6.s
+  -rwxr--r--    1     98019 @400000000002695d10c06929.s
+  -rwxr--r--    1     98064 @4000000000026d84189559e0.s
+  -rwxr--r--    1     98055 @40000000000271ce1e031d91.s
+  -rwxr--r--    1     98054 @400000000002760229733626.s
+  -rwxr--r--    1     98104 @4000000000027a2e3b6f4e12.s
+  -rwxr--r--    1     98023 @4000000000027e6f0ed24a6c.s
+  -rw-r--r--    1     42374 current
+  
+  # tail -2 /run/log/current
+  @40000000000284f130747343 wan.link.pppoe Connect: ppp0 <--> /dev/pts/0
+  @40000000000284f230acc669 wan.link.pppoe sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x667a9594> <pcomp> <accomp>]
+  # tail -2 /run/log/current  | s6-tai64nlocal
+  1970-01-02 21:51:45.828598156 wan.link.pppoe sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x667a9594> <pcomp> <accom
+  p>]
+  1970-01-02 21:51:48.832588765 wan.link.pppoe sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x667a9594> <pcomp> <accom
+  p>]
 
-and then login to the device and run
+Log persistence
+---------------
+
+Logs written to :file:`/run/log/` will not survive a reboot or crash,
+as it is an ephemeral filesystem.
+
+On supported hardware you can enable logging to `pstore
+<https://www.kernel.org/doc/Documentation/ABI/testing/pstore>`_ which
+means the most recent log messages will be preserved on reboot.  Set
+the config option ``logging.persistent.enable = true`` to log messages
+to :file:`/dev/pmsg0` as well as to the regular log. This is a
+circular buffer, so when it fills up newer messages will overwrite the
+oldest messages.
+
+Logs found in pstore after a reboot will be moved at startup to
+:file:`/run/log/previous-boot`
+
+
+
+Updating an installed system
+****************************
+
+If your system has a writable root filesystem (JFFS2, btrfs etc -
+anything but squashfs), we have mechanisms for in-places updates
+analogous to :command:`nixos-rebuild`, but the operation is a bit
+different because it expects to run on a build machine and then copy
+to the host device using :command:`ssh`.
+
+To use this, build the ``outputs.updater``
+target and then run the :command:`update.sh` script it generates.
 
 .. code-block:: console
 
-   cd /run/result
-   sh ./boot.sh .
+    nix-build -I liminix-config=./my-configuration.nix \
+       --arg device "import ./devices/mydevice" \
+       -A outputs.updater
+    ./result/bin/update.sh root@the-device 
+
+The update script uses min-copy-closure to copy new or changed
+packages to the device, then (perhaps) reboots it. The reboot
+behaviour can be affected by flags:
+
+* `--no-reboot` will cause it not to reboot at all, if you would
+  rather do that yourself. Note that none of the newly-installed or
+  updated services will be running until you do.
+
+* `--fast` causes it tn not do a full reboot, but instead to restart
+  only the services that have been changed. This will restart all of
+  the services that have updated store paths (and anything that
+  depends on them), but will not affect services that haven't changed.
+
+It doesn't delete old packages automatically: to do that run
+:command:`min-collect-garbage`, which will delete any packages not in
+the current system closure. Note that Liminix does not have the NixOS
+concept of environments or generations, and there is no way back from
+this except for building the previous configuration again.
+
+Caveats
+-------
+
+* it needs there to be enough free space on the device for all the new
+  packages in addition to all the packages already on it - which may
+  be a problem if there is little flash storage or if a lot of things
+  have changed (e.g. a new version of nixpkgs).
+
+* it may not be able to upgrade the kernel: this is device-dependent.
+  If your device boots from a kernel image on a raw MTD partition or
+  or UBI volume, update.sh is unable to alter the kernel partition.
+  If your device boots from a kernel inside the filesystem (e.g. using
+  bootloader.extlinux or bootloder.fit) then the kernel will be
+  upgraded along with the userland
 
 
-This will load the new kernel and map the root filesystem into a RAM
-disk, then start executing the new kernel. *This is effectively a
-reboot - be sure to close all open files and finish anything else
-you were doing first.*
+Recovery/downgrades
+-------------------
 
-If the new system crashes or is rebooted, then the device will revert
-to the old configuration it finds in flash.
+The :command:`update.sh` script also creates a timestamped symlink on
+the device which points to the system configuration it installs. If
+you install a configuration that doesn't work, you can revert to any
+other installed configuration by
 
+1) booting to some kind of rescue or recovery system (which may be
+   some vendor-provided rescue option, or your own recovery system
+   perhaps based on :file:`examples/recovery.nix`) and mounting
+   your Liminix filesystem on /mnt
 
-Building the second (permanent) image
--------------------------------------
-
-While running in the kexecboot system, you can build the permanent
-image and copy it to the device with :command:`ssh`
+2) picking another previously-installed configuration that _did_ work,
+   and switching back to it:
 
 .. code-block:: console
-
-   build-machine$ nix-build -I liminix-config=./examples/arhcive.nix \
-     --arg device "import ./devices/gl-ar750"
-     -A outputs.default && \
-     (tar chf - result | ssh root@the-device tar -C /run -xvf -)
-
-   build-machine$ tar chf - result/firmware.bin | \
-    ssh root@the-device tar -C /run -xvf -
-
-Next you need to connect to the device and locate the "firmware"
-partition, which you can do with a combination of :command:`dmesg`
-output and the contents of :file:`/proc/mtd`
-
-.. code-block:: console
-
-   <5>[    0.469841] Creating 4 MTD partitions on "spi0.0":
-   <5>[    0.474837] 0x000000000000-0x000000040000 : "u-boot"
-   <5>[    0.480796] 0x000000040000-0x000000050000 : "u-boot-env"
-   <5>[    0.487056] 0x000000050000-0x000000060000 : "art"
-   <5>[    0.492753] 0x000000060000-0x000001000000 : "firmware"
-
-   # cat /proc/mtd
-   dev:    size   erasesize  name
-   mtd0: 00040000 00001000 "u-boot"
-   mtd1: 00010000 00001000 "u-boot-env"
-   mtd2: 00010000 00001000 "art"
-   mtd3: 00fa0000 00001000 "firmware"
-   mtd4: 002a0000 00001000 "kernel"
-   mtd5: 00d00000 00001000 "rootfs"
-
-Now run (in this example)
-
-.. code-block:: console
-
-   flashcp -v firmware.bin /dev/mtd3
+   
+    # ls  -ld /mnt/*configuration
+    lrwxrwxrwx    1        90 /mnt/20252102T182104.configuration -> nix/store/v1w0h4zw65ah4c2r0k7nyy125qrxhq78-system-configuration-aarch64-unknown-linux-musl
+    lrwxrwxrwx    1        90 /mnt/20251802T181822.configuration -> nix/store/wqjl9s9xljl2wg8257292zghws9ssidk-system-configuration-aarch64-unknown-linux-musl
+    # : 20251802T181822 is the working system, so reinstall it
+    # /mnt/20251802T181822.configuration/bin/install /mnt
+    # umount /mnt
+    # reboot
+    
+This will install the previous configuration's activation binary into
+/bin, and copy its kernel and initramfs into /boot. Note that it
+depends on the previous system not having been garbage-collected.
 
 
-"I know my new image is good, can I skip the intermediate step?"
-----------------------------------------------------------------
-
-In addition to giving you a chance to see if the new image works, this
-two-step process ensures that you're not copying the new image over
-the top of the active root filesystem. Sometimes it works, but you
-will at least need physical access to the device to power-cycle it
-because it will be effectively frozen afterwards.
 
 
-Flashing from the boot monitor
-==============================
-
-If you are prepared to open the device and have a TTL serial adaptor
-of some kind to connect it to, you can probably use U-Boot and a TFTP
-server to download and flash the image.  This is quite
-hardware-specific, and sometimes involves soldering: please refer
-to :ref:`serial`.
-
-
-Flashing from OpenWrt
-=====================
-
-.. CAUTION:: Untested! A previous version of these instructions
-	     (without the -e flag) led to bricking the device
-	     when flashing a jffs2 image. If you are reading
-	     this message, nobody has yet reported on whether the
-	     new instructions are any better.
-
-If your device is running OpenWrt then it probably has the
-:command:`mtd` command installed. After transferring the image onto the
-device using e.g. :command:`ssh`,  you can run it as follows:
-
-.. code-block:: console
-
-   mtd -e -r write /tmp/firmware.bin firmware
-
-The options to this command are for "erase before writing" and "reboot
-after writing".
-
-For more information, please see the `OpenWrt manual <https://openwrt.org/docs/guide-user/installation/sysupgrade.cli>`_ which may also contain (hardware-dependent) instructions on how to flash an image using the vendor firmware - perhaps even from a web interface.
-
-Updating an installed system (JFFS2)
-************************************
-
+.. _levitate:  
 
 Adding packages
 ===============
 
-If your device is running a JFFS2 root filesystem, you can build
-extra packages for it on your build system and copy them to the
-device: any package in Nixpkgs or in the Liminix overlay is available
-with the ``pkgs`` prefix:
+If you simply wish to add a package without any change to services,
+you can call :command:`min-copy-closure` directly to install
+any package in Nixpkgs or in the Liminix overlay
 
 .. code-block:: console
 
@@ -161,38 +253,119 @@ with the ``pkgs`` prefix:
 
     nix-shell -p min-copy-closure root@the-device result/
 
-Note that this only copies the package to the device: it doesn't update
-any profile to add it to ``$PATH``
+Note that this only copies the package and its dependencies to the
+device: it doesn't update any profile to add it to ``$PATH``
 
 
-Rebuilding the system
-=====================
+.. _rebuilding the system:
 
-:command:`liminix-rebuild` is the Liminix analogue of :command:`nixos-rebuild`, although its operation is a bit different because it expects to run on a build machine and then copy to the host device. Run it with the same ``liminix-config`` and ``device`` parameters as you would run :command:`nix-build`, and it will build any new/changed packages and then copy them to the device using SSH. For example:
+Reinstalling on a running system
+********************************
+
+Liminix is initially installed from a monolithic
+:file:`firmware.bin` - and unless you're running a writable
+filesystem, the only way to update it is to build and install a whole
+new :file:`firmware.bin`.  However, you probably would prefer not to
+have to remove it from its installation site, unplug it from the
+network and stick serial cables in it all over again.
+
+It is not (generally) safe to install a new firmware onto the flash
+partitions that the active system is running on. To address this we
+have :command:`levitate`, which a way for a running Liminix system to
+"soft restart" into a ramdisk running only a limited set of services,
+so that the main partitions can then be safely flashed.
+
+
+
+Configuration
+=============
+
+Levitate *needs to be configured when you create the initial system*
+to specify which services/packages/etc to run in maintenance
+mode. Most likely you want to configure a network interface and an ssh
+for example so that you can login to reflash it.
+
+.. code-block:: nix
+
+  defaultProfile.packages = with pkgs; [
+    ...
+    (levitate.override {
+      config  = {
+        services = {
+          inherit (config.services) dhcpc sshd watchdog;
+        };
+        defaultProfile.packages = [ mtdutils ];
+        users.root = config.users.root;
+      };
+    })
+  ];
+  		
+
+
+Use
+===
+
+Connect (with ssh, probably) to the running Liminix system that you
+wish to upgrade.
 
 .. code-block:: console
 
-     liminix-rebuild root@the-device  -I liminix-config=./examples/rotuer.nix --arg device "import ./devices/gl-ar750"
+  bash$ ssh root@the-device
+  
+Run :command:`levitate`. This takes a little while (perhaps a few
+tens of seconds) to execute, and copies all config required for
+maintenance mode to :file:`/run/maintenance`.
+  
+.. code-block:: console
+  
+  # levitate 
+  
+Reboot into maintenance mode. You will be logged out
+  
+.. code-block:: console
 
-This will
+  # reboot
+  
+Connect to the device again - note that the ssh host key will have changed.
+  
+.. code-block:: console
 
-* build anything that needs building
-* copy new or changed packages to the device
-* reboot the device
+  # ssh -o UserKnownHostsFile=/dev/null root@the-device
+  
+Check we're in maintenance mode
+  
+.. code-block:: console
 
-It doesn't delete old packages automatically: to do that run
-:command:`min-collect-garbage`, which will delete any packages not in
-the current system closure. Note that Liminix does not have the NixOS
-concept of environments or generations, and there is no way back from
-this except for building the previous configuration again.
+  # cat /etc/banner 
+  
+  LADIES AND GENTLEMEN WE ARE FLOATING IN SPACE
+  
+  Most services are disabled. The system is operating
+  with a ram-based root filesystem, making it safe to
+  overwrite the flash devices in order to perform
+  upgrades and maintenance.
+  
+  Don't forget to reboot when you have finished.
+  
+Perform the upgrade, using flashcp. This is an example,
+your device will differ
+   
+.. code-block:: console
 
+  # cat /proc/mtd 
+  dev:    size   erasesize  name
+  mtd0: 00030000 00010000 "u-boot"
+  mtd1: 00010000 00010000 "u-boot-env"
+  mtd2: 00010000 00010000 "factory"
+  mtd3: 00f80000 00010000 "firmware"
+  mtd4: 00220000 00010000 "kernel"
+  mtd5: 00d60000 00010000 "rootfs"
+  mtd6: 00010000 00010000 "art"
+  # flashcp -v firmware.bin mtd:firmware
 
-Caveats
--------
+All done
+  
+.. code-block:: console
 
-* it needs there to be enough free space on the device for all the new
-  packages in addition to all the packages already on it - which may be
-  a problem if a lot of things have changed (e.g. a new version of
-  nixpkgs).
+  # reboot
 
-* it cannot upgrade the kernel, only userland

doc/conf.py

@@ -7,19 +7,19 @@
 # https://www.sphinx-doc.org/en/master/usage/configuration.html#project-information
 
 project = 'Liminix'
-copyright = '2023, Daniel Barlow'
+copyright = '2023-2024 Daniel Barlow'
 author = 'Daniel Barlow'
 
 # -- General configuration ---------------------------------------------------
 # https://www.sphinx-doc.org/en/master/usage/configuration.html#general-configuration
 
 extensions = [
-    'sphinx.ext.autosectionlabel'
+#    'sphinx.ext.autosectionlabel'
 ]
 autosectionlabel_prefix_document = True
 
 templates_path = ['_templates']
-exclude_patterns = ['_build', 'Thumbs.db', '.DS_Store']
+exclude_patterns = ['*.inc.rst', '_build', 'Thumbs.db', '.DS_Store']
 
 
 

doc/configuration.rst

@@ -1,27 +1,8 @@
+.. _configuration:
+
 Configuration
 #############
 
-Liminix uses the Nix language to provide congruent configuration
-management.  This means that to change anything about the way in
-which a Liminix system works, you make that change in
-your :file:`configuration.nix` (or one of the other files it references),
-and rerun :command:`nix-build` or :command:`liminix-rebuild` to action
-the change. It is not possible (at least, without shenanigans) to make
-changes by logging into the device and running imperative commands
-whose effects may later be overridden: :file:`configuration.nix`
-always describes the entire system and can be used to recreate that
-system at any time.  You can usefully keep it under version control.
-
-If you are familiar with NixOS, you will notice some similarities
-between NixOS and Liminix configuration, and also some
-differences. Sometimes the differences are due to the
-resource-constrained devices we deploy onto, sometimes due to
-differences in the uses these devices are put to.
-
-
-Configuration taxonomy
-**********************
-
 There are many things you can specify in a configuration, but these
 are the ones you most commonly need to change:
 
@@ -86,14 +67,166 @@ domains, or you want to run two SSH daemons on different ports.
 	 don't use the NixOS modules themselves, because the
 	 underlying system is not similar enough for them to work.
 
+.. _configuration-services:
 
 Services
 ********
 
-We use the `s6-rc service manager <https://www.skarnet.org/software/s6-rc/overview.html>`_  to start/stop/restart services and handle
-service dependencies. Any attribute in `config.services` will become
-part of the default set of services that s6-rc will try to bring up on
-boot.
+In Liminix a service is any kind of long-running task or process on
+the system, that is managed (started, stopped, and monitored) by a
+service supervisor.  A typical SOHO router might have services to
+
+* answer DHCP and DNS requests from the LAN
+* provide a wireless access point
+* connect using PPPoE or L2TP to an upstream network
+* start/stop the firewall
+* enable/disable IP packet forwarding
+* mount filesystems
+
+(Some of these might not be considered services using other
+definitions of the term: for example, this L2TP process would be a
+"client" in the client/server classification; and enabling packet
+forwarding doesn't require any long-lived process - just a setting to
+be toggled.  However, there is value in being able to use the same
+abstractions for all the things to manage them and specify their
+dependency relationships - so in Liminix "everything is a service")
+
+The service supervision system enables service health monitoring,
+restart of unhealthy services, and failover to "backup" services when
+a primary service fails or its dependencies are unavailable. The
+intention is that you have a framework in which you can specify policy
+requirements like "ethernet wan dhcp-client should be restarted if it
+crashes, but if it can't start because the hardware link is down, then
+4G ppp service should be started instead".
+
+Any attribute in `config.services` will become part of the default set
+of services that s6-rc will try to bring up.  Services are usually
+started at boot time, but **controlled services** are those that are
+required only in particular contexts.  For example, a service to mount
+a USB backup drive should run only when the drive is attached to the
+system. Liminix currently implement