er, don\'t know?

pppd runs them with 0,1,2 => /dev/null but we actually quite like
seeing errors in the logs

NEWS

@@ -34,7 +34,7 @@ Upstream changes that have led to incompatible Liminix changes are:
 2024-01-30
 
 New port! Thanks to Arnout Engelen <arnout@bzzt.net>, Liminix
-now runs on the TP-Link Archer AX23
+now runs on the TP-Link Archer AX23.
 
 2024-02-12
 
@@ -80,3 +80,56 @@ Turris Omnia and has been serving my family's internet needs for most
 of this week.  Thanks to NGI0 Entrust and the NLnet Foundation for
 sponsoring this development (and funding the hardware)
 
+2024-02-21
+
+New port! Thanks to Raito Bezarius, Liminix now runs on the Zyxel NWA50AX,
+an MT7621 (MIPS EL) dual radio WiFi AP.
+
+2024-04-29
+
+The setup for using `levitate` has changed: now it accepts an entire
+config fragment, not just a list of services.  Hopefully this makes it
+a bit more useful :-)
+
+  defaultProfile.packages = with pkgs; [
+    ... 
+    (levitate.override {
+      config  = {
+        services = {
+          inherit (config.services) dhcpc sshd watchdog;
+        };
+        defaultProfile.packages = [ mtdutils ];
+        users.root.openssh.authorizedKeys.keys = secrets.root.keys;
+      };
+    })
+  ];
+
+2024-07-16
+
+* structured parameters are available for the pppoe service
+
+* The "wan" configuration in modules/profiles/gateway.nix has changed:
+instead of passing options that are used to create a pppoe interface,
+callers should create a (pppoe or other) interface and pass that as
+the value of profile.gateway.wan. For the pppoe case this is now only
+very slightly more verbose, and it allows using the gateway profile
+with other kinds of upstream.
+
+2024-8-16
+
+As part of implementing log shipping, the default directory for system
+logs has beenchanged from /run/uncaught-logs to /run/log
+
+2024-10-09
+
+liminix-rebuild is being deprecated. From hereon in, the preferred way
+to do an incremental update on an installed device with a writable
+filesystem is to build the systemConfiguration output
+
+    nix-build  -I liminix-config=hosts/myhost.nix --argstr deviceName turris-omnia -A outputs.systemConfiguration 
+
+and then run the generated `install.sh` script
+
+    result/install.sh root@192.168.8.1
+
+

boot.expect

@@ -0,0 +1,20 @@
+# This is for use with minicom, but needs you to configure it to
+# use expect as its "Script program" instead of runscript.  Try
+# Ctrl+A O -> Filenames and paths -> D
+
+log_user 0
+log_file -a -open stderr
+set f [open "result/boot.scr"]
+send "version\r"
+set timeout 60
+while {[gets $f line] >= 0} {
+    puts stderr "next line $line\r"
+    puts stderr "waiting for prompt\r"	
+    expect {
+      "ath>" {}
+      "BusyBox" { puts stderr  "DONE"; exit 0 }
+    }
+    send "$line\r\n"
+}
+puts stderr "done\r\n"
+close $f

bordervm-configuration.nix

@@ -4,6 +4,10 @@ let
   inherit (lib) mkOption mkEnableOption mdDoc types optional optionals;
 in {
   options.bordervm = {
+    keys = mkOption {
+      type = types.listOf types.str;
+      default = [ ];
+    };
     l2tp = {
       host = mkOption {
         description = mdDoc ''
@@ -51,18 +55,17 @@ in {
     <nixpkgs/nixos/modules/virtualisation/qemu-vm.nix>
   ];
   config = {
-    boot.kernelParams = [
-      "loglevel=9"
-    ];
+    boot.kernelParams = [ "loglevel=9" ];
     systemd.services.pppoe =
-      let conf = pkgs.writeText "kpppoed.toml"
-        ''
-      interface_name = "eth1"
-      services = [ "myservice" ]
-      lns_ipaddr = "${cfg.l2tp.host}:${builtins.toString cfg.l2tp.port}"
-      ac_name = "kpppoed-1.0"
-    '';
-      in  {
+      let
+        conf = pkgs.writeText "kpppoed.toml" ''
+          interface_name = "eth1"
+          services = [ "myservice" ]
+          lns_ipaddr = "${cfg.l2tp.host}:${builtins.toString cfg.l2tp.port}"
+          ac_name = "kpppoed-1.0"
+        '';
+      in
+      {
         wantedBy = [ "multi-user.target" ];
         after = [ "network-online.target" ];
         serviceConfig = {
@@ -76,29 +79,63 @@ in {
       };
     };
     services.openssh.enable = true;
+    services.dnsmasq = {
+      enable = true;
+      resolveLocalQueries = false;
+      settings = {
+        # domain-needed = true;
+        dhcp-range = [ "10.0.0.10,10.0.0.240" ];
+        interface = "eth1";
+      };
+    };
+
+    services.nginx = {
+      enable = true;
+      user = "liminix";
+      virtualHosts.${config.networking.hostName} = {
+        root = "/home/liminix";
+        default = true;
+      };
+    };
+    systemd.services.nginx.serviceConfig.ProtectHome = "read-only";
+
     systemd.services.sshd.wantedBy = pkgs.lib.mkForce [ "multi-user.target" ];
 
     virtualisation = {
+      forwardPorts = [ {
+        from = "host";
+        host.port = 7654;
+#        guest.address = "10.0.2.15";
+        guest.port =7654;
+      } ];
       qemu = {
-        networkingOptions = [];
-        options = [] ++
-          optional cfg.ethernet.pci.enable
-            "-device vfio-pci,host=${cfg.ethernet.pci.id}" ++
-          optionals cfg.ethernet.usb.enable [
+        networkingOptions = [ ];
+        options =
+          [ ]
+          ++ optional cfg.ethernet.pci.enable "-device vfio-pci,host=${cfg.ethernet.pci.id}"
+          ++ optionals cfg.ethernet.usb.enable [
             "-device usb-ehci,id=ehci"
             "-device usb-host,bus=ehci.0,vendorid=${cfg.ethernet.usb.vendor},productid=${cfg.ethernet.usb.product}"
-          ] ++ [
+          ]
+          ++ [
             "-nographic"
             "-serial mon:stdio"
           ];
       };
       sharedDirectories = {
         liminix = {
+          securityModel = "none";
           source = builtins.toString ./.;
           target = "/home/liminix/liminix";
         };
       };
     };
+
+    services.tang = {
+      enable = true;
+      ipAddressAllow = [ "10.0.0.0/24" "0.0.0.0/0" ];
+    };
+
     environment.systemPackages =
       let wireshark-nogui = pkgs.wireshark.override { withQt = false ; };
           in with pkgs; [
@@ -108,6 +145,8 @@ in {
             tufted
             iptables
             usbutils
+            busybox
+            clevis
           ];
     security.sudo.wheelNeedsPassword = false;
     networking = {
@@ -117,11 +156,17 @@ in {
         useDHCP = false;
         ipv4.addresses = [ { address = "10.0.0.1"; prefixLength = 24;}];
       };
+      nat = {
+        enable = true;
+        internalInterfaces = [ "eth1" ];
+        externalInterface = "eth0";
+      };
     };
     users.users.liminix = {
       isNormalUser = true;
       uid = 1000;
-      extraGroups = [ "wheel"];
+      extraGroups = [ "wheel" ];
+      openssh.authorizedKeys.keys = cfg.keys;
     };
     services.getty.autologinUser = "liminix";
   };

bordervm.conf-example.nix

@@ -1,8 +1,12 @@
-{...}:
+{ ... }:
 {
   bordervm = {
     # ethernet.pci = { id = "01:00.0"; enable = true; };
-    ethernet.usb = { vendor = "0x0bda"; product = "0x8153"; enable = true; };
+    ethernet.usb = {
+      vendor = "0x0bda";
+      product = "0x8153";
+      enable = true;
+    };
     l2tp = {
       host = "l2tp.aa.net.uk";
     };

ci.nix

@@ -1,77 +1,79 @@
-{
-  nixpkgs
-, unstable
-, liminix
-, ... }:
 let
-  inherit (builtins) map;
-  pkgs = (import nixpkgs {});
-  borderVmConf =  ./bordervm.conf-example.nix;
+  pkgs = import <nixpkgs> { };
+  liminix = <liminix>;
+  borderVmConf = ./bordervm.conf-example.nix;
   inherit (pkgs.lib.attrsets) genAttrs;
   devices = [
-    "gl-ar750" "gl-mt300n-v2" "gl-mt300a"
-    "qemu" "qemu-aarch64" "qemu-armv7l"
+    "gl-ar750"
+    "gl-mt300a"
+    "gl-mt300n-v2"
+    "qemu"
+    "qemu-aarch64"
+    "qemu-armv7l"
     "tp-archer-ax23"
+    "zyxel-nwa50ax"
   ];
   vanilla = ./vanilla-configuration.nix;
   for-device = name:
     (import liminix {
-      inherit nixpkgs borderVmConf;
+      inherit borderVmConf;
       device = import (liminix + "/devices/${name}");
       liminix-config = vanilla;
     }).outputs.default;
   tests = import ./tests/ci.nix;
   jobs =
-    (genAttrs devices for-device) //
-    tests //
-    {
-      buildEnv = (import liminix {
-        inherit nixpkgs borderVmConf;
-        device = import (liminix + "/devices/qemu");
-        liminix-config = vanilla;
-      }).buildEnv;
+    (genAttrs devices for-device)
+    // tests
+    // {
+      buildEnv =
+        (import liminix {
+          inherit borderVmConf;
+          device = import (liminix + "/devices/qemu");
+          liminix-config = vanilla;
+        }).buildEnv;
       doc =
-        let json =
-              (import liminix {
-                inherit nixpkgs borderVmConf;
-                device = import (liminix + "/devices/qemu");
-                liminix-config = {...} : {
+        let
+          json =
+            (import liminix {
+              inherit borderVmConf;
+              device = import (liminix + "/devices/qemu");
+              liminix-config =
+                { ... }:
+                {
                   imports = [ ./modules/all-modules.nix ];
                 };
-              }).outputs.optionsJson;
-            installers = map (f: "system.outputs.${f}") [
-              "vmroot"
-              "mtdimage"
-              "ubimage"
-            ];
-            inherit (pkgs.lib) concatStringsSep;
-        in pkgs.stdenv.mkDerivation {
+            }).outputs.optionsJson;
+        in
+        pkgs.stdenv.mkDerivation {
           name = "liminix-doc";
           nativeBuildInputs = with pkgs; [
-            gnumake sphinx fennel luaPackages.lyaml
+            gnumake
+            sphinx
+            fennel
+            luaPackages.lyaml
           ];
           src = ./.;
           buildPhase = ''
-            cat ${json} | fennel --correlate doc/parse-options.fnl > doc/modules-generated.rst
-            cat ${json} | fennel --correlate doc/parse-options-outputs.fnl     > doc/outputs-generated.rst
+            cat ${json} | fennel --correlate doc/parse-options.fnl > doc/modules-generated.inc.rst
+            cat ${json} | fennel --correlate doc/parse-options-outputs.fnl     > doc/outputs-generated.inc.rst
             cp ${(import ./doc/hardware.nix)} doc/hardware.rst
             make -C doc html
           '';
           installPhase = ''
             mkdir -p $out/nix-support $out/share/doc/
             cd doc
-            cp *-generated.rst  $out
+            cp *-generated.inc.rst hardware.rst $out
             ln -s ${json} $out/options.json
             cp -a _build/html $out/share/doc/liminix
             echo "file source-dist \"$out/share/doc/liminix\"" \
                 > $out/nix-support/hydra-build-products
           '';
       };
-      with-unstable = (import liminix {
-        nixpkgs = unstable;
-        inherit borderVmConf;
-        device = import (liminix + "/devices/qemu");
-        liminix-config = vanilla;
-      }).outputs.default;
     };
-in jobs
+in jobs //
+   {
+     all = pkgs.mkShell {
+       name = "all tests";
+       contents = pkgs.lib.collect pkgs.lib.isDerivation jobs;
+     };
+   }

default.nix

@@ -1,35 +1,47 @@
 {
-  device
-, liminix-config ? <liminix-config>
-, nixpkgs ? <nixpkgs>
-, borderVmConf ? ./bordervm.conf.nix
+  deviceName ? null,
+  device ? (import ./devices/${deviceName}),
+  liminix-config ? <liminix-config>,
+  borderVmConf ? ./bordervm.conf.nix,
+  imageType ? "primary",
 }:
 
 let
   overlay = import ./overlay.nix;
-  pkgs = import nixpkgs (device.system // {
-    overlays = [overlay];
-    config = {
-      allowUnsupportedSystem = true; # mipsel
-      permittedInsecurePackages = [
-        "python-2.7.18.6"       # kernel backports needs python <3
-        "python-2.7.18.7"
-      ];
-    };
-  });
+  pkgs = import <nixpkgs> (
+    device.system
+    // {
+      overlays = [ overlay ];
+      config = {
+        allowUnsupportedSystem = true; # mipsel
+        permittedInsecurePackages = [
+          "python-2.7.18.6" # kernel backports needs python <3
+          "python-2.7.18.7"
+        ];
+      };
+    }
+  );
 
   eval = pkgs.lib.evalModules {
+    specialArgs = {
+      modulesPath = builtins.toString ./modules;
+    };
     modules = [
       { _module.args = { inherit pkgs; inherit (pkgs) lim; }; }
       ./modules/hardware.nix
       ./modules/base.nix
       ./modules/busybox.nix
       ./modules/hostname.nix
+      ./modules/kernel
+      ./modules/klogd.nix
       device.module
       liminix-config
       ./modules/s6
       ./modules/users.nix
       ./modules/outputs.nix
+      {
+        boot.imageType = imageType;
+      }
     ];
   };
   config = eval.config;
@@ -37,7 +49,14 @@ let
   borderVm = ((import <nixpkgs/nixos/lib/eval-config.nix>) {
     system = builtins.currentSystem;
     modules = [
-      ({  ... } : { nixpkgs.overlays = [ overlay ]; })
+      {
+        nixpkgs.overlays = [
+          (final: prev: {
+            go-l2tp = final.callPackage ./pkgs/go-l2tp {};
+            tufted = final.callPackage ./pkgs/tufted {};
+          })
+        ];
+      }
       (import ./bordervm-configuration.nix)
       borderVmConf
     ];
@@ -68,6 +87,7 @@ in {
       min-copy-closure
       fennelrepl
       lzma
+      lua
     ];
   };
 }

devices/belkin-rt3200/default.nix

@@ -73,7 +73,7 @@
         MTK_INFRACFG = "y";
 
         MTK_PMIC_WRAP = "y";
-        MTK_EFUSE="y";
+        NVMEM_MTK_EFUSE="y";
         # MTK_HSDMA="y";
         MTK_SCPSYS="y";
         MTK_SCPSYS_PM_DOMAINS="y";
@@ -92,7 +92,6 @@
 
         MEDIATEK_GE_PHY = "y";
         # MEDIATEK_MT6577_AUXADC = "y";
-        # MEDIATEK_WATCHDOG = "y";
         NET_MEDIATEK_SOC = "y";
         NET_MEDIATEK_SOC_WED = "y";
         NET_MEDIATEK_STAR_EMAC = "y"; # this enables REGMAP_MMIO
@@ -214,7 +213,6 @@
         networkInterfaces =
           let
             inherit (config.system.service.network) link;
-            inherit (config.system.service) bridge;
           in rec {
             wan = link.build { ifname = "wan"; };
             lan1 = link.build { ifname = "lan1"; };

devices/families/qemu.nix

@@ -23,12 +23,17 @@
         VIRTIO_BLK = "y";
         VIRTIO_NET = "y";
       };
+      conditionalConfig = {
+        WLAN= {
+          MAC80211_HWSIM = "m";
+        };
+      };
     };
     hardware =
       let
-        mac80211 =  pkgs.mac80211.override {
-          drivers = ["mac80211_hwsim"];
-          klibBuild = config.system.outputs.kernel.modulesupport;
+        mac80211 =  pkgs.kmodloader.override {
+          inherit (config.system.outputs) kernel;
+          targets = ["mac80211_hwsim"];
         };
       in {
         defaultOutput = "vmroot";

devices/gl-ar750/default.nix

@@ -92,7 +92,6 @@
         '';
       };
       inherit (pkgs.pseudofile) dir symlink;
-      inherit (pkgs.liminix.networking) interface;
     in {
       imports = [
         ../../modules/network
@@ -115,18 +114,39 @@
           eraseBlockSize = 65536;
         };
         rootDevice = "/dev/mtdblock5";
-        dts = {
-          src = "${openwrt.src}/target/linux/ath79/dts/qca9531_glinet_gl-ar750.dts";
-          includes =  [
-            "${openwrt.src}/target/linux/ath79/dts"
-          ];
-        };
+        dts =
+          let
+            upstream = {
+              src = "${openwrt.src}/target/linux/ath79/dts/qca9531_glinet_gl-ar750.dts";
+              includes =  [
+                "${openwrt.src}/target/linux/ath79/dts"
+              ];
+            };
+            cppDtSearchFlags = builtins.concatStringsSep " " (map (f: "-I${f}") upstream.includes);
+            dtcSearchFlags = builtins.concatStringsSep " " (map (f: "-i${f}") upstream.includes);
+
+            patched = pkgs.runCommand "patch-dts" {
+              nativeBuildInputs = with pkgs.pkgsBuildBuild; [pkgs.stdenv.cc dtc ];
+            }
+              ''
+                echo patching dts
+                ${pkgs.stdenv.cc.targetPrefix}cpp -nostdinc -x assembler-with-cpp ${cppDtSearchFlags} -undef -D__DTS__  -o dts.tmp ${upstream.src}
+                dtc -I dts ${dtcSearchFlags} -o $out -O dts dts.tmp
+              '';
+          in upstream // { src = patched; };
+
 
         networkInterfaces =
           let inherit (config.system.service.network) link;
           in {
-            lan = link.build { ifname = "eth0"; };
-            wan = link.build { ifname = "eth1"; };
+            lan = link.build {
+              ifname = "lan";
+              devpath = "/devices/platform/ahb/1a000000.eth";
+            };
+            wan = link.build {
+              ifname = "wan";
+              devpath = "/devices/platform/ahb/19000000.eth";
+            };
             wlan = link.build {
               ifname = "wlan0";
               dependencies = [ mac80211 ];
@@ -149,6 +169,7 @@
       };
       boot.tftp = {
         loadAddress = lim.parseInt "0x00A00000";
+        appendDTB = true;
       };
       kernel = {
         src = pkgs.pkgsBuildBuild.fetchurl {

devices/gl-mt300a/default.nix

@@ -45,7 +45,6 @@
 
   module = { pkgs, config, lib, lim, ...}:
     let
-      inherit (pkgs.liminix.networking) interface;
       inherit (pkgs) openwrt;
       mac80211 = pkgs.kmodloader.override {
         targets = ["rt2800soc"];
@@ -90,19 +89,6 @@
           let
             inherit (config.system.service.network) link;
             inherit (config.system.service) vlan;
-            inherit (pkgs.liminix.services) oneshot;
-            swconfig = oneshot {
-              name = "swconfig";
-              up = ''
-                PATH=${pkgs.swconfig}/bin:$PATH
-                swconfig dev switch0 set reset
-                swconfig dev switch0 set enable_vlan 1
-                swconfig dev switch0 vlan 1 set ports '1 2 3 4 6t'
-                swconfig dev switch0 vlan 2 set ports '0 6t'
-                swconfig dev switch0 set apply
-              '';
-              down = "${pkgs.swconfig}/bin/swconfig dev switch0 set reset";
-            };
           in rec {
             eth = link.build { ifname = "eth0"; };
             # lan and wan ports are both behind a switch on eth0
@@ -110,13 +96,11 @@
               ifname = "eth0.1";
               primary = eth;
               vid = "1";
-              dependencies =  [swconfig eth];
             };
             wan = vlan.build {
               ifname = "eth0.2";
               primary = eth;
               vid = "2";
-              dependencies =  [swconfig eth];
             };
             wlan = link.build {
               ifname = "wlan0";
@@ -126,7 +110,8 @@
       };
       boot.tftp = {
         loadAddress = lim.parseInt "0x00A00000";
-      };
+        appendDTB = true;
+     };
 
       kernel = {
         src = pkgs.fetchurl {
@@ -136,6 +121,7 @@
         };
         extraPatchPhase = ''
           ${openwrt.applyPatches.ramips}
+          ${openwrt.applyPatches.rt2x00}
         '';
         config = {
 

devices/gl-mt300n-v2/default.nix

@@ -13,7 +13,7 @@
     GL.iNet GL-MT300N-v2
     ********************
 
-    The GL-MT300N-v2 "Mango" is is very similar to the :ref:`MT300A <GL.iNet GL-MT300A>, but is
+    The GL-MT300N-v2 "Mango" is is very similar to the :ref:`gl-mt300a`, but is
     based on the MT7628 chipset instead of MT7620.  It's also marginally cheaper
     and comes in a yellow case not a blue one.  Be sure your device is
     v2 not v1, which is a different animal and has only half as much RAM.
@@ -38,7 +38,6 @@
 
   module = { pkgs, config, lib, lim, ...}:
     let
-      inherit (pkgs.liminix.networking) interface;
       inherit (pkgs.liminix.services) oneshot;
       inherit (pkgs.pseudofile) dir symlink;
       inherit (pkgs) openwrt;
@@ -97,7 +96,7 @@
                 swconfig dev switch0 vlan 2 set ports '0 6t'
                 swconfig dev switch0 set apply
               '';
-              down = "swconfig dev switch0 set reset";
+              down = "${pkgs.swconfig}/bin/swconfig dev switch0 set reset";
             };
           in rec {
             eth = link.build { ifname = "eth0"; dependencies =  [swconfig]; };
@@ -122,6 +121,7 @@
         # 20MB seems to give enough room to uncompress the kernel
         # without anything getting trodden on. 10MB was too small
         loadAddress = lim.parseInt "0x1400000";
+        appendDTB = true;
       };
 
       kernel = {

devices/qemu-aarch64/default.nix

@@ -19,14 +19,14 @@
     ARM targets differ from MIPS in that the kernel format expected
     by QEMU is an "Image" (raw binary file) rather than an ELF
     file, but this is taken care of by :command:`run.sh`. Check the
-    documentation for the :ref:`QEMU` (MIPS) target for more information.
+    documentation for the :ref:`qemu` target for more information.
 
   '';
 
   # this device is described by the "qemu" device
   installer = "vmroot";
 
-  module = {pkgs, config, lim, ... }: {
+  module = { config, lim, ... }: {
     imports = [
       ../../modules/arch/aarch64.nix
       ../families/qemu.nix

devices/qemu-armv7l/default.nix

@@ -24,7 +24,7 @@
   '';
   installer = "vmroot";
 
-  module = {pkgs, config, lim, ... }: {
+  module = { config, lim, ... }: {
     imports = [
       ../../modules/arch/arm.nix
       ../families/qemu.nix

devices/qemu/default.nix

@@ -36,7 +36,7 @@
     in the Development manual.
 
   '';
-  module = {pkgs, config, lib, lim, ... }: {
+  module = { config, lib, lim, ... }: {
     imports = [
       ../../modules/arch/mipseb.nix
       ../families/qemu.nix

devices/tp-archer-ax23/default.nix

@@ -419,7 +419,6 @@
           networkInterfaces =
             let
               inherit (config.system.service.network) link;
-              inherit (config.system.service) bridge;
             in rec {
               lan1 = link.build { ifname = "lan1"; };
               lan2 = link.build { ifname = "lan2"; };

devices/turris-omnia/default.nix

@@ -155,8 +155,6 @@
 
   module = {pkgs, config, lib, lim, ... }:
     let
-      openwrt = pkgs.openwrt;
-      inherit (lib) mkOption types;
       inherit (pkgs.liminix.services) oneshot;
       inherit (pkgs) liminix;
       mtd_by_name_links = pkgs.liminix.services.oneshot rec  {
@@ -358,7 +356,6 @@
           networkInterfaces =
             let
               inherit (config.system.service.network) link;
-              inherit (config.system.service) bridge;
             in rec {
               en70000 = link.build {
                 # in armada-38x.dtsi this is eth0.

devices/zyxel-nwa50ax/a_image/mt7621_zyxel_nwa-ax-for-ab.dtsi

@@ -0,0 +1,155 @@
+#include "mt7621.dtsi"
+
+#include <dt-bindings/gpio/gpio.h>
+#include <dt-bindings/input/input.h>
+
+/ {
+	aliases {
+		label-mac-device = &gmac0;
+	};
+};
+
+&nand {
+	status = "okay";
+
+	mediatek,nmbm;
+	mediatek,bmt-max-ratio = <15>;
+	mediatek,bmt-max-reserved-blocks = <64>;
+	mediatek,bmt-remap-range =
+		<0x0 0x980000>,
+		<0x2980000 0x7800000>;
+
+	partitions {
+		compatible = "fixed-partitions";
+		#address-cells = <1>;
+		#size-cells = <1>;
+
+		partition@0 {
+			label = "u-boot";
+			reg = <0x0 0x80000>;
+			read-only;
+		};
+
+		partition@80000 {
+			label = "u-boot-env";
+			reg = <0x80000 0x80000>;
+			read-only;
+		};
+
+		factory: partition@100000 {
+			label = "factory";
+			reg = <0x100000 0x80000>;
+			read-only;
+		};
+
+		partition@180000 {
+			label = "firmware_a";
+			reg = <0x180000 0x2800000>;
+
+			compatible = "fixed-partitions";
+			#address-cells = <1>;
+			#size-cells = <1>;
+
+			partition@0 {
+				label = "kernel_a";
+				reg = <0x0 0x800000>;
+			};
+
+			partition@400000 {
+				label = "ubi";
+				reg = <0x800000 0x2000000>;
+			};
+		};
+
+		partition@2980000 {
+			label = "firmware_b";
+			reg = <0x2980000 0x2800000>;
+
+			compatible = "fixed-partitions";
+			#address-cells = <1>;
+			#size-cells = <1>;
+
+			partition@0 {
+				label = "kernel_b";
+				reg = <0x0 0x800000>;
+			};
+
+			partition@400000 {
+				label = "ubi_b";
+				reg = <0x800000 0x2000000>;
+			};
+		};
+
+		partition@5180000 {
+			label = "rootfs_data";
+			reg = <0x5180000 0x1400000>;
+		};
+
+		partition@6580000 {
+			label = "logs";
+			reg = <0x6580000 0xd00000>;
+		};
+
+		partition@7280000 {
+			label = "vendor-myzyxel";
+			reg = <0x7280000 0x480000>;
+			read-only;
+		};
+
+		partition@7700000 {
+			label = "bootconfig";
+			reg = <0x7700000 0x80000>;
+		};
+
+		mrd: partition@7780000 {
+			label = "mrd";
+			reg = <0x7780000 0x80000>;
+			read-only;
+
+			nvmem-layout {
+				compatible = "fixed-layout";
+				#address-cells = <1>;
+				#size-cells = <1>;
+
+				macaddr_mrd_1fff8: macaddr@1fff8 {
+					reg = <0x1fff8 0x6>;
+				};
+			};
+		};
+	};
+};
+
+&pcie {
+	status = "okay";
+};
+
+&pcie1 {
+	wlan_5g: wifi@0,0 {
+		reg = <0x0 0 0 0 0>;
+		compatible = "mediatek,mt76";
+
+		mediatek,mtd-eeprom = <&factory 0x0>;
+		/* MAC-Address set in userspace */
+	};
+};
+
+&gmac0 {
+	nvmem-cells = <&macaddr_mrd_1fff8>;
+	nvmem-cell-names = "mac-address";
+};
+
+&switch0 {
+	ports {
+		port@4 {
+			status = "okay";
+			label = "lan";
+		};
+	};
+};
+
+&state_default {
+	gpio {
+		groups = "uart3";
+		function = "gpio";
+	};
+};

devices/zyxel-nwa50ax/b_image/mt7621_zyxel_nwa-ax-for-ab.dtsi

@@ -0,0 +1,155 @@
+#include "mt7621.dtsi"
+
+#include <dt-bindings/gpio/gpio.h>
+#include <dt-bindings/input/input.h>
+
+/ {
+	aliases {
+		label-mac-device = &gmac0;
+	};
+};
+
+&nand {
+	status = "okay";
+
+	mediatek,nmbm;
+	mediatek,bmt-max-ratio = <15>;
+	mediatek,bmt-max-reserved-blocks = <64>;
+	mediatek,bmt-remap-range =
+		<0x0 0x980000>,
+		<0x2980000 0x7800000>;
+
+	partitions {
+		compatible = "fixed-partitions";
+		#address-cells = <1>;
+		#size-cells = <1>;
+
+		partition@0 {
+			label = "u-boot";
+			reg = <0x0 0x80000>;
+			read-only;
+		};
+
+		partition@80000 {
+			label = "u-boot-env";
+			reg = <0x80000 0x80000>;
+			read-only;
+		};
+
+		factory: partition@100000 {
+			label = "factory";
+			reg = <0x100000 0x80000>;
+			read-only;
+		};
+
+		partition@2980000 {
+			label = "firmware_b";
+			reg = <0x2980000 0x2800000>;
+
+			compatible = "fixed-partitions";
+			#address-cells = <1>;
+			#size-cells = <1>;
+
+			partition@0 {
+				label = "kernel_b";
+				reg = <0x0 0x800000>;
+			};
+
+			partition@400000 {
+				label = "ubi";
+				reg = <0x800000 0x2000000>;
+			};
+		};
+
+		partition@180000 {
+			label = "firmware_a";
+			reg = <0x180000 0x2800000>;
+
+			compatible = "fixed-partitions";
+			#address-cells = <1>;
+			#size-cells = <1>;
+
+			partition@0 {
+				label = "kernel_a";
+				reg = <0x0 0x800000>;
+			};
+
+			partition@400000 {
+				label = "ubi_a";
+				reg = <0x800000 0x2000000>;
+			};
+		};
+
+		partition@5180000 {
+			label = "rootfs_data";
+			reg = <0x5180000 0x1400000>;
+		};
+
+		partition@6580000 {
+			label = "logs";
+			reg = <0x6580000 0xd00000>;
+		};
+
+		partition@7280000 {
+			label = "vendor-myzyxel";
+			reg = <0x7280000 0x480000>;
+			read-only;
+		};
+
+		partition@7700000 {
+			label = "bootconfig";
+			reg = <0x7700000 0x80000>;
+		};
+
+		mrd: partition@7780000 {
+			label = "mrd";
+			reg = <0x7780000 0x80000>;
+			read-only;
+
+			nvmem-layout {
+				compatible = "fixed-layout";
+				#address-cells = <1>;
+				#size-cells = <1>;
+
+				macaddr_mrd_1fff8: macaddr@1fff8 {
+					reg = <0x1fff8 0x6>;
+				};
+			};
+		};
+	};
+};
+
+&pcie {
+	status = "okay";
+};
+
+&pcie1 {
+	wlan_5g: wifi@0,0 {
+		reg = <0x0 0 0 0 0>;
+		compatible = "mediatek,mt76";
+
+		mediatek,mtd-eeprom = <&factory 0x0>;
+		/* MAC-Address set in userspace */
+	};
+};
+
+&gmac0 {
+	nvmem-cells = <&macaddr_mrd_1fff8>;
+	nvmem-cell-names = "mac-address";
+};
+
+&switch0 {
+	ports {
+		port@4 {
+			status = "okay";
+			label = "lan";
+		};
+	};
+};
+
+&state_default {
+	gpio {
+		groups = "uart3";
+		function = "gpio";
+	};
+};

devices/zyxel-nwa50ax/default.nix

@@ -0,0 +1,365 @@
+{
+  system = {
+    crossSystem = {
+      config = "mipsel-unknown-linux-musl";
+      gcc = {
+        abi = "32";
+        arch = "mips32";          # mips32r2?
+      };
+    };
+  };
+
+  description = ''
+    Zyxel NWA50AX
+    ********************
+
+    Zyxel NWA50AX is quite close to the GL-MT300N-v2 "Mango" device, but it is based on the MT7621
+    chipset instead of the MT7628.
+
+    Installation
+    ============
+
+    This device is pretty, but, due to its A/B capabilities, can be a bit hard
+    to use completely.
+
+    The stock vendor firmware is a downstream fork of U-Boot: <https://github.com/RaitoBezarius/uboot-nwa50ax>
+    with restricted boot commands. Fortunately, OpenWrt folks figured out trivial command injections,
+    so you can use most of the OpenWrt commands without trouble by just command injecting
+    atns, atna or atnf, e.g. atns "; $real_command".
+
+    From factory web UI, you can upload the result of the zyxel-nwa-fit output.
+    From another operating system, you need to `dumpimage -T flat_dt -p 0 $zyxel-nwa-fit -o firmware.bin`,
+    `flash_erase $(mtd partition of the target partition firmware or zy_firmware) 0 0`, then you complete by
+    `nandwrite -p $(mtd partition of the target partition firmware or zy_firmware) firmware.bin`.
+
+    How to put the firmware.bin on the machine is left to you as an exercise, e.g. SSH, TFTP, whatever.
+
+    From serial, you have two choices:
+
+    - Flash this system via U-Boot:
+      same reasoning as from an existing Linux system, two choices:
+      - ymodem the binary, perform the write manually, you can inspire yourself
+      from the `script` contained in the vendor firmware, those are just a FIT containing a script.
+      - prepare a FIT containing a script executing your commands, tftpboot this.
+
+    - boot from an existing Liminix system, e.g. TFTPBOOT image.
+    - boot from an OpenWrt system, i.e. follow OpenWrt steps.
+
+    Once you are in a Linux system, understand that this device has A/B boot.
+
+    OpenWrt provides you with `zyxel-bootconfig` to set/unset the image status and choice.
+
+    The kernel is booted with `bootImage=<number>` which tells you which slot are you on.
+
+    You should find yourself with 10ish MTD partitions, the most interesting ones are two:
+
+    - firmware: 40MB
+    - firmware_1: 40MB
+
+    In the current setup, they are split further into kernel (8MB) and ubi (32MB).
+
+    Once you are done with first installation, note that if you want to use the A/B feature,
+    you need to write a _secondary_ image on the slot B. There is no proper flashing code
+    that will set the being-updated slot to `new` and boot on it to verify if it's working.
+    This is a WIP.
+
+    Upgrading your system can be achieved via:
+
+    - `liminix-rebuild` for the userspace.
+    - `flash_erase` + `nandwrite` for the kernelspace to the other slot than the one you are booted on,
+      note that you can just nandwrite the mtd partition corresponding to the *kernel* and not the whole firmware.
+
+    If you soft-bricked your AP, i.e. you cannot boot anything in U-Boot, no worries, just plug the serial console,
+    prepare a TFTP server (via `tufted` for example), download vendor firmware, set up `atns`, `atnf`, etc. and run `atnz`.
+
+    This will reflash everything back to normal via TFTP.
+
+    If you hard-bricked your AP, i.e. U-Boot is telling you to transfer a valid bootloader via ymodem, just extract
+    a U-Boot from the vendor OS, send it via ymodem and use the previous operations to perform a full flash this time
+    of all partitions.
+
+    Note that if you erased your MRD partition, you lost your serial and MAC address. There's no way to recover the original one
+    except by reading the physical label on your… device!
+
+    If you super-hard-bricked your AP, i.e. no output on serial console, congratulations, you reached one of the rare state
+    of this device. You need an external NAND flasher to repair it and write the first stage from Mediatek to continue the previous
+    recovery operations.
+
+    Development TODO list:
+
+    - Better support for upgrade automation w.r.t. to A/B, e.g. automagic scripts.
+    - Mount the logs partition, mount / as overlayfs of firmware ? rootfs and rootfs_data for extended data.
+    - Jitter-based entropy injection? Device can be slow to initialize its CRNG and hostapd will reject few clients at the start because of that.
+    - Defaults for hostapd based on MT7915 capabilities? See the example for one possible list.
+    - Remove primary/secondary hack and put it in preinit.
+    - Offer ways to reflash the *bootloader* itself to support direct boot via UBI and kernel upgrades via filesystem rewrite.
+
+    Vendor web page: https://www.zyxel.com/fr/fr/products/wireless/ax1800-wifi-6-dual-radio-nebulaflex-access-point-nwa50ax
+
+    OpenWrt web page: https://openwrt.org/inbox/toh/zyxel/nwa50ax
+    OpenWrt tech data: https://openwrt.org/toh/hwdata/zyxel/zyxel_nwa50ax
+
+  '';
+
+  module = { pkgs, config, lib, lim, ...}:
+    let
+      inherit (pkgs.pseudofile) dir symlink;
+      inherit (pkgs) openwrt;
+
+      mac80211 = pkgs.mac80211.override {
+        drivers = [ "mt7915e" ];
+        klibBuild = config.system.outputs.kernel.modulesupport;
+      };
+      # v204520220929
+      wlan_firmware = pkgs.fetchurl {
+        url = "https://github.com/openwrt/mt76/raw/1b88dd07f153b202e57fe29734806744ed006b0e/firmware/mt7915_wa.bin";
+        hash = "sha256-wooyefzb0i8640+lwq3vNhcBXRFCtGuo+jiL7afZaKA=";
+      };
+      wlan_firmware' = pkgs.fetchurl {
+        url = "https://github.com/openwrt/mt76/raw/1b88dd07f153b202e57fe29734806744ed006b0e/firmware/mt7915_wm.bin";
+        hash = "sha256-k62nQewRuKjBLd5R3RxU4F74YKnQx5zr6gqMMImqVQw=";
+      };
+      wlan_firmware'' = pkgs.fetchurl {
+        url = "https://github.com/openwrt/mt76/raw/1b88dd07f153b202e57fe29734806744ed006b0e/firmware/mt7915_rom_patch.bin";
+        hash = "sha256-ifriAjWzFACrxVWCANZpUaEZgB/0pdbhnTVQytx6ddg=";
+      };
+    in {
+      imports = [ 
+        # We include it to ensure the bridge functionality
+        # is available on the target kernel.
+        ../../modules/bridge
+        ../../modules/arch/mipsel.nix
+        ../../modules/outputs/tftpboot.nix
+        ../../modules/outputs/zyxel-nwa-fit.nix
+        ../../modules/zyxel-dual-image
+      ];
+
+      filesystem = dir {
+        lib = dir {
+          firmware = dir {
+            mediatek = dir {
+              "mt7915_wa.bin" = symlink wlan_firmware;
+              "mt7915_wm.bin" = symlink wlan_firmware';
+              "mt7915_rom_patch.bin" = symlink wlan_firmware'';
+            };
+          };
+        };
+      };
+
+      rootfsType = "ubifs";
+      hardware = {
+        # Taken from OpenWRT
+        # root@OpenWrt:/# ubinfo /dev/ubi0
+        # ubi0
+        # Volumes count:                           2
+        # Logical eraseblock size:                 126976 bytes, 124.0 KiB
+        # Total amount of logical eraseblocks:     256 (32505856 bytes, 31.0 MiB)
+        # Amount of available logical eraseblocks: 0 (0 bytes)
+        # Maximum count of volumes                 128
+        # Count of bad physical eraseblocks:       0
+        # Count of reserved physical eraseblocks:  19
+        # Current maximum erase counter value:     2
+        # Minimum input/output unit size:          2048 bytes
+        # Character device major/minor:            250:0
+        # Present volumes:                         0, 1
+        ubi = {
+          minIOSize = "2048";
+          logicalEraseBlockSize = "126976";
+          physicalEraseBlockSize = "128KiB";
+          maxLEBcount = "256";
+        };
+
+        # This is a FIT containing a kernel padded and
+        # a UBI volume rootfs.
+        defaultOutput = "zyxel-nwa-fit";
+
+        loadAddress = lim.parseInt "0x80001000";
+        entryPoint = lim.parseInt "0x80001000";
+        # Aligned on 2kb.
+        alignment = 2048;
+
+        rootDevice = "ubi:rootfs";
+
+        dts = {
+          # Actually, this is not what we want.
+          # This DTS is insufficient.
+          src = ./mt7621_zyxel_nwa50ax.dtsi;
+          includes = [
+            # Here's one weird trick to make `ubi` detection
+            # out of the box.
+            # We will write ubi on /dev/firmware_a:rootfs location
+            # and same for /dev/firmware_b:rootfs.
+            # How do we distinguish both?
+            # We can just use the DTS to point ubi at A or B.
+            # This, unfortunately, means that we have "two images".
+            # But they are really just 1 image with 2 different DTS.
+            # TODO: improve this hack in preinit?
+            (if config.boot.imageType == "primary" then "${./a_image}" else "${./b_image}")
+            "${openwrt.src}/target/linux/ramips/dts"
+          ];
+        };
+        networkInterfaces =
+          let
+            inherit (config.system.service.network) link;
+          in {
+            eth = link.build { ifname = "eth0"; };
+            lan = link.build { ifname = "lan"; };
+            wlan0 = link.build {
+              ifname = "wlan0";
+              dependencies = [ mac80211 ];
+            };
+            wlan1 = link.build {
+              ifname = "wlan1";
+              dependencies = [ mac80211 ];
+            };
+          };
+      };
+
+      boot = {
+        # Critical because NWA50AX will extend your cmdline with the image number booted.
+        # and some bootloader version.
+        # You don't want to find yourself being overridden.
+        commandLineDtbNode = "bootargs-override";
+
+        imageFormat = "fit";
+        tftp = {
+          # 5MB is nice.
+          freeSpaceBytes = 5 * 1024 * 1024;
+          loadAddress = lim.parseInt "0x2000000";
+        };
+      };
+
+      # Dual image management service in userspace.
+      services.zyxel-dual-image = config.boot.zyxel-dual-image.build {
+        ensureActiveImage = "primary";
+        # TODO: use mtd names rather…
+        # primary and secondary are always /dev/mtd3 by virtue of the 
+        # dtb being not too wrong…
+        # TODO: remove this hack.
+        primaryMtdPartition = "/dev/mtd3";
+        secondaryMtdPartition = "/dev/mtd3";
+        bootConfigurationMtdPartition = "/dev/mtd12";
+      };
+
+      #  DEVICE_VENDOR := ZyXEL
+      #  KERNEL_SIZE := 8192k
+      #  DEVICE_PACKAGES := kmod-mt7915-firmware zyxel-bootconfig
+      #  KERNEL := kernel-bin | lzma | fit lzma $$(KDIR)/image-$$(firstword $$(DEVICE_DTS)).dtb
+      #  IMAGES += factory.bin ramboot-factory.bin
+      #  IMAGE/factory.bin := append-kernel | pad-to $$(KERNEL_SIZE) | append-ubi | zyxel-nwa-fit
+      #  IMAGE/ramboot-factory.bin := append-kernel | pad-to $$(KERNEL_SIZE) | append-ubi
+
+      kernel = {
+        src = pkgs.fetchurl {
+          name = "linux.tar.gz";
+          url = "https://cdn.kernel.org/pub/linux/kernel/v5.x/linux-5.15.137.tar.gz";
+          hash = "sha256-PkdzUKZ0IpBiWe/RS70J76JKnBFzRblWcKlaIFNxnHQ=";
+        };
+        extraPatchPhase = ''
+          ${openwrt.applyPatches.ramips}
+
+        '';
+        config = {
+
+          RALINK = "y";
+          PCI = "y";
+          PHY_MT7621_PCI = "y";
+          PCIE_MT7621 = "y";
+          SOC_MT7621 = "y";
+          CLK_MT7621 = "y";
+          CLOCKSOURCE_WATCHDOG = "y";
+
+          SERIAL_8250_CONSOLE = "y";
+          SERIAL_8250 = "y";
+          SERIAL_CORE_CONSOLE = "y";
+          SERIAL_OF_PLATFORM = "y";
+          SERIAL_8250_NR_UARTS = "3";
+          SERIAL_8250_RUNTIME_UARTS = "3";
+          SERIAL_MCTRL_GPIO = "y";
+
+          CONSOLE_LOGLEVEL_DEFAULT = "8";
+          CONSOLE_LOGLEVEL_QUIET = "4";
+
+          # MTD_UBI_BEB_LIMIT = "20";
+          # MTD_UBI_WL_THRESHOLD = "4096";
+
+          MTD = "y";
+          MTD_BLOCK = "y";          # fix undefined ref to register_mtd_blktrans_dev
+          MTD_RAW_NAND = "y";
+          MTD_NAND_MT7621 = "y";
+          MTD_NAND_MTK_BMT = "y";      # Bad-block Management Table
+          MTD_NAND_ECC_SW_HAMMING= "y";
+          MTD_SPI_NAND= "y";
+          MTD_OF_PARTS = "y";
+          MTD_NAND_CORE= "y";
+          MTD_SPLIT_FIRMWARE= "y";
+          MTD_SPLIT_FIT_FW= "y";
+
+          PINCTRL = "y";
+          PINCTRL_MT7621 = "y";
+
+          I2C = "y";
+          I2C_MT7621 = "y";
+
+          SPI = "y";
+          MTD_SPI_NOR = "y";
+          SPI_MT7621 = "y";
+          SPI_MASTER = "y";
+          SPI_MEM = "y";
+
+          REGULATOR = "y";
+          REGULATOR_FIXED_VOLTAGE = "y";
+          RESET_CONTROLLER = "y";
+          POWER_RESET = "y";
+          POWER_RESET_GPIO = "y";
+          POWER_SUPPLY = "y";
+          LED_TRIGGER_PHY = "y";
+
+          PCI_DISABLE_COMMON_QUIRKS = "y";
+          PCI_DOMAINS = "y";
+          PCI_DOMAINS_GENERIC = "y";
+          PCI_DRIVERS_GENERIC = "y";
+          PCS_MTK_LYNXI = "y";
+
+          SOC_BUS = "y";
+
+          NET = "y";
+          ETHERNET = "y";
+          WLAN = "y";
+
+          PHYLIB = "y";
+          AT803X_PHY = "y";
+          FIXED_PHY = "y";
+          GENERIC_PHY = "y";
+          NET_DSA = "y";
+          NET_DSA_MT7530 = "y";
+          NET_DSA_MT7530_MDIO = "y";
+          NET_DSA_TAG_MTK = "y";
+          NET_MEDIATEK_SOC = "y";
+          NET_SWITCHDEV = "y";
+          NET_VENDOR_MEDIATEK = "y";
+
+          SWPHY = "y";
+
+          GPIOLIB = "y";
+          GPIO_MT7621 = "y";
+          OF_GPIO = "y";
+
+          EARLY_PRINTK = "y";
+
+          NEW_LEDS = "y";
+          LEDS_TRIGGERS = "y";
+          LEDS_CLASS = "y";         # required by rt2x00lib
+          LEDS_CLASS_MULTICOLOR = "y";
+          LEDS_BRIGHTNESS_HW_CHANGED = "y";
+
+          PRINTK_TIME = "y";
+        } // lib.optionalAttrs (config.system.service ? vlan) {
+          SWCONFIG = "y";
+        } // lib.optionalAttrs (config.system.service ? watchdog) {
+          RALINK_WDT = "y";  # watchdog
+          MT7621_WDT = "y";  # or it might be this one
+        };
+      };
+    };
+}

devices/zyxel-nwa50ax/mt7621_zyxel_nwa50ax.dtsi

@@ -0,0 +1,56 @@
+#include "mt7621_zyxel_nwa-ax-for-ab.dtsi"
+
+#include <dt-bindings/gpio/gpio.h>
+#include <dt-bindings/input/input.h>
+
+/ {
+	compatible = "zyxel,nwa50ax", "mediatek,mt7621-soc";
+	model = "ZyXEL NWA50AX";
+
+	aliases {
+		led-boot = &led_system_green;
+		led-failsafe = &led_system_red;
+		led-running = &led_system_green;
+		led-upgrade = &led_system_red;
+	};
+
+	leds {
+		compatible = "gpio-leds";
+
+		led_system_red: system_red {
+			label = "red:system";
+			gpios = <&gpio 6 GPIO_ACTIVE_HIGH>;
+		};
+
+		led_system_green: system_green {
+			label = "green:system";
+			gpios = <&gpio 7 GPIO_ACTIVE_HIGH>;
+		};
+
+		system_blue {
+			label = "blue:system";
+			gpios = <&gpio 8 GPIO_ACTIVE_HIGH>;
+		};
+	};
+
+	keys {
+		compatible = "gpio-keys";
+
+		reset {
+			label = "reset";
+			gpios = <&gpio 30 GPIO_ACTIVE_LOW>;
+			linux,code = <KEY_RESTART>;
+		};
+	};
+};
+
+&ethernet {
+	pinctrl-0 = <&mdio_pins>, <&rgmii1_pins>;
+};
+
+&state_default {
+	gpio {
+		groups = "uart3", "rgmii2";
+		function = "gpio";
+	};
+};

doc/admin.rst

@@ -4,143 +4,134 @@ System Administration
 Services on a running system
 ****************************
 
-* add an s6-rc cheatsheet here
+Liminix services are built on s6-rc, which is itself layered on s6.
+Services are defined at build time in your configuration (see
+:ref:`configuration-services` for information) and can't be added
+to/changed at runtime, but to monitor
+events or diagnose problems you may need to inspect them on the
+running system. Here are some of the most commonly used s6,-rc
+commands:
 
+.. list-table:: Service management quick reference
+   :widths: 55 45
+   :header-rows: 1
+   
+   * - What
+     - How
+   * - List all running services
+     - ``s6-rc -a list``
+   * - List all services that are **not** running
+     - ``s6-rc -da list``
+   * - List services that ``wombat`` depends on
+     - ``s6-rc-db dependencies wombat``
+   * - ... transitively
+     - ``s6-rc-db all-dependencies wombat``
+   * - List services that depend on service ``wombat``
+     - ``s6-rc-db -d dependencies wombat``
+   * - ... transitively
+     - ``s6-rc-db -d all-dependencies wombat``
+   * - Stop service ``wombat`` and everything depending on it
+     - ``s6-rc -d change wombat``
+   * - Start service ``wombat`` (but not any services depending on it)
+     - ``s6-rc -u change wombat``
+   * - Start service ``wombat`` and all* services depending on it
+     - ``s6-rc-up-tree wombat``
 
-Flashing and updating
-*********************
+:command:`s6-rc-up-tree` brings up a service and all services that
+depend on it, except for any services that depend on a "controlled"
+service that is not currently running. Controlled services are not
+started at boot time but in response to external events (e.g. plugging
+in a particular piece of hardware) so you probably don't want to be
+starting them by hand if the conditions aren't there.
 
+A service may be **up** or **down** (there are no intermediate states
+like "started" or "stopping" or "dying" or "cogitating"). Some (but
+not all) services have "readiness" notifications: the dependents of a
+service with a readiness notification won't be started until the
+service signals (by writing to a nominated file descriptor) that it's
+prepared to start work. Most services defined by Liminix also have a
+``timeout-up`` parameter, which means that if a service has readiness
+notifications and doesn't become ready in the allotted time (defaults
+20 seconds) it will be terminated and its state set to **down**.
 
+If the process providing a service dies, it will be restarted
+automatically. Liminix does not automatically set it to **down**.
 
-Flashing from Liminix
-=====================
+(If the process providing a service dies without ever notifying
+readiness, Liminix will restart it as many times as it has to until the
+timeout period elapses, and then stop it and mark it down.)
 
-The flash procedure from an existing Liminix-system has two steps.
-First we reboot the device (using "kexec") into an "ephemeral"
-RAM-based version of the new configuration, then when we're happy it
-works we can flash the image - and if it doesn't work we can reboot
-the device again and it will boot from the old image.
+Controlled services
+===================
 
+**Controlled** services are those which are started/stopped on demand
+by a **controller** (another service) instead of being started at boot
+time.  For example:
 
-Building the RAM-based image
-----------------------------
+* ``svc.uevent-rule.build`` creates a controlled service which is
+  active when a particular hardware device (identified by uevent/sysfs
+  directory) is present.
 
-To create the ephemeral image, build ``outputs.kexecboot`` instead of
-``outputs.default``.  This generates a directory containing the root
-filesystem image and kernel, along with an executable called `kexec`
-and a `boot.sh` script that runs it with appropriate arguments.
+* ``svc.round-robin.build`` creates a service controller that
+  invokes two or more services in turn, running the next one when the
+  process providing the previous one exits. We use this for failover
+  from one network connection to a backup connection, for example.
 
-For example
+* ``svc.health-check.build`` creates a service controller that
+  runs a controlled service and periodically tests whether it is
+  healthy by running an external health check command or script. If the
+  check command repeatedly fails, the controlled service is
+  restarted.
+
+  The Configuration section of the manual describes controlled
+  services in more detail. Some operational considerations
+
+* ``round-robin`` detects a service status by looking at its
+  :file:`outputs` directory, so it won't work unless the service
+  creates some outputs. This is considered a bug and will be
+  fixed in a future release
+
+* ``health-check`` works for longruns but not for oneshots, as it
+  internally relies on ``s6-svc`` to restart the process
+
+Logs
+====
+
+Logs for all services are collated into :file:`/run/log/current`.
+The log file is rotated when it reaches a threshold size, into another
+file in the same directory whose name contains a TAI64 timestamp.
+
+Each log line is prefixed with a TAI64 timestamp and the name of the
+service, if it is a longrun. If it is a oneshot, a timestamp and the
+name of some other service. To convert the timestamp into a
+human-readable format, use :command:`s6-tai64nlocal`.
 
 .. code-block:: console
 
-   nix-build -I liminix-config=./examples/arhcive.nix \
-     --arg device "import ./devices/gl-ar750"
-     -A outputs.kexecboot && \
-     (tar chf - result | ssh root@the-device tar -C /run -xvf -)
-
-and then login to the device and run
-
-.. code-block:: console
-
-   cd /run/result
-   sh ./boot.sh .
+  # ls -l /run/log/
+  -rw-r--r--    1         0 lock
+  -rw-r--r--    1         0 state
+  -rwxr--r--    1     98059 @4000000000025cb629c311ac.s
+  -rwxr--r--    1     98061 @40000000000260f7309c7fb4.s
+  -rwxr--r--    1     98041 @40000000000265233a6cc0b6.s
+  -rwxr--r--    1     98019 @400000000002695d10c06929.s
+  -rwxr--r--    1     98064 @4000000000026d84189559e0.s
+  -rwxr--r--    1     98055 @40000000000271ce1e031d91.s
+  -rwxr--r--    1     98054 @400000000002760229733626.s
+  -rwxr--r--    1     98104 @4000000000027a2e3b6f4e12.s
+  -rwxr--r--    1     98023 @4000000000027e6f0ed24a6c.s
+  -rw-r--r--    1     42374 current
+  
+  # tail -2 /run/log/current
+  @40000000000284f130747343 wan.link.pppoe Connect: ppp0 <--> /dev/pts/0
+  @40000000000284f230acc669 wan.link.pppoe sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x667a9594> <pcomp> <accomp>]
+  # tail -2 /run/log/current  | s6-tai64nlocal
+  1970-01-02 21:51:45.828598156 wan.link.pppoe sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x667a9594> <pcomp> <accom
+  p>]
+  1970-01-02 21:51:48.832588765 wan.link.pppoe sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x667a9594> <pcomp> <accom
+  p>]
 
 
-This will load the new kernel and map the root filesystem into a RAM
-disk, then start executing the new kernel. *This is effectively a
-reboot - be sure to close all open files and finish anything else
-you were doing first.*
-
-If the new system crashes or is rebooted, then the device will revert
-to the old configuration it finds in flash.
-
-
-Building the second (permanent) image
--------------------------------------
-
-While running in the kexecboot system, you can build the permanent
-image and copy it to the device with :command:`ssh`
-
-.. code-block:: console
-
-   build-machine$ nix-build -I liminix-config=./examples/arhcive.nix \
-     --arg device "import ./devices/gl-ar750"
-     -A outputs.default && \
-     (tar chf - result | ssh root@the-device tar -C /run -xvf -)
-
-   build-machine$ tar chf - result/firmware.bin | \
-    ssh root@the-device tar -C /run -xvf -
-
-Next you need to connect to the device and locate the "firmware"
-partition, which you can do with a combination of :command:`dmesg`
-output and the contents of :file:`/proc/mtd`
-
-.. code-block:: console
-
-   <5>[    0.469841] Creating 4 MTD partitions on "spi0.0":
-   <5>[    0.474837] 0x000000000000-0x000000040000 : "u-boot"
-   <5>[    0.480796] 0x000000040000-0x000000050000 : "u-boot-env"
-   <5>[    0.487056] 0x000000050000-0x000000060000 : "art"
-   <5>[    0.492753] 0x000000060000-0x000001000000 : "firmware"
-
-   # cat /proc/mtd
-   dev:    size   erasesize  name
-   mtd0: 00040000 00001000 "u-boot"
-   mtd1: 00010000 00001000 "u-boot-env"
-   mtd2: 00010000 00001000 "art"
-   mtd3: 00fa0000 00001000 "firmware"
-   mtd4: 002a0000 00001000 "kernel"
-   mtd5: 00d00000 00001000 "rootfs"
-
-Now run (in this example)
-
-.. code-block:: console
-
-   flashcp -v firmware.bin /dev/mtd3
-
-
-"I know my new image is good, can I skip the intermediate step?"
-----------------------------------------------------------------
-
-In addition to giving you a chance to see if the new image works, this
-two-step process ensures that you're not copying the new image over
-the top of the active root filesystem. Sometimes it works, but you
-will at least need physical access to the device to power-cycle it
-because it will be effectively frozen afterwards.
-
-
-Flashing from the boot monitor
-==============================
-
-If you are prepared to open the device and have a TTL serial adaptor
-of some kind to connect it to, you can probably use U-Boot and a TFTP
-server to download and flash the image.  This is quite
-hardware-specific, and sometimes involves soldering: please refer
-to :ref:`serial`.
-
-
-Flashing from OpenWrt
-=====================
-
-.. CAUTION:: Untested! A previous version of these instructions
-	     (without the -e flag) led to bricking the device
-	     when flashing a jffs2 image. If you are reading
-	     this message, nobody has yet reported on whether the
-	     new instructions are any better.
-
-If your device is running OpenWrt then it probably has the
-:command:`mtd` command installed. After transferring the image onto the
-device using e.g. :command:`ssh`,  you can run it as follows:
-
-.. code-block:: console
-
-   mtd -e -r write /tmp/firmware.bin firmware
-
-The options to this command are for "erase before writing" and "reboot
-after writing".
-
-For more information, please see the `OpenWrt manual <https://openwrt.org/docs/guide-user/installation/sysupgrade.cli>`_ which may also contain (hardware-dependent) instructions on how to flash an image using the vendor firmware - perhaps even from a web interface.
 
 Updating an installed system (JFFS2)
 ************************************
@@ -165,20 +156,37 @@ Note that this only copies the package to the device: it doesn't update
 any profile to add it to ``$PATH``
 
 
+.. _rebuilding the system:
+
 Rebuilding the system
 =====================
 
-:command:`liminix-rebuild` is the Liminix analogue of :command:`nixos-rebuild`, although its operation is a bit different because it expects to run on a build machine and then copy to the host device. Run it with the same ``liminix-config`` and ``device`` parameters as you would run :command:`nix-build`, and it will build any new/changed packages and then copy them to the device using SSH. For example:
+Liminix has a mechanism for in-place updates of a running system which
+is analogous to :command:`nixos-rebuild`, but its operation is a
+bit different because it expects to run on a build machine and then
+copy to the host device. To use this, build the `outputs.systemConfiguration`
+target and then run the :command:`result/install.sh` script it generates.
 
 .. code-block:: console
 
-     liminix-rebuild root@the-device  -I liminix-config=./examples/rotuer.nix --arg device "import ./devices/gl-ar750"
+    nix-build -I liminix-config=./my-configuration.nix \
+       --arg device "import ./devices/mydevice" \
+       -A outputs.systemConfiguration
+    ./result/install.sh root@the-device 
 
-This will
+The install script uses min-copy-closure to copy new or changed
+packages to the device, then (perhaps) reboots it. The reboot
+behaviour can be affected by flags:
+
+* `--no-reboot` will cause it not to reboot at all, if you would
+  rather do that yourself. Note that none of the newly-installed or
+  updated services will be running until you do.
+
+* `--fast` causes it tn not do a full reboot, but instead to restart
+  only the services that have been changed. This will restart all of
+  the services that have updated store paths (and anything that
+  depends on them), but will not affect services that haven't changed.
 
-* build anything that needs building
-* copy new or changed packages to the device
-* reboot the device
 
 It doesn't delete old packages automatically: to do that run
 :command:`min-collect-garbage`, which will delete any packages not in
@@ -196,3 +204,116 @@ Caveats
   nixpkgs).
 
 * it cannot upgrade the kernel, only userland
+
+.. _levitate:  
+
+Reinstalling on a running system
+********************************
+
+Liminix is initially installed from a monolithic
+:file:`firmware.bin` - and unless you're running a writable
+filesystem, the only way to update it is to build and install a whole
+new :file:`firmware.bin`.  However, you probably would prefer not to
+have to remove it from its installation site, unplug it from the
+network and stick serial cables in it all over again.
+
+It is not (generally) safe to install a new firmware onto the flash
+partitions that the active system is running on. To address this we
+have :command:`levitate`, which a way for a running Liminix system to
+"soft restart" into a ramdisk running only a limited set of services,
+so that the main partitions can then be safely flashed.
+
+
+
+Configuration
+=============
+
+Levitate *needs to be configured when you create the initial system*
+to specify which services/packages/etc to run in maintenance
+mode. Most likely you want to configure a network interface and an ssh
+for example so that you can login to reflash it.
+
+.. code-block:: nix
+
+  defaultProfile.packages = with pkgs; [
+    ...
+    (levitate.override {
+      config  = {
+        services = {
+          inherit (config.services) dhcpc sshd watchdog;
+        };
+        defaultProfile.packages = [ mtdutils ];
+        users.root = config.users.root;
+      };
+    })
+  ];
+  		
+
+
+Use
+===
+
+Connect (with ssh, probably) to the running Liminix system that you
+wish to upgrade.
+
+.. code-block:: console
+
+  bash$ ssh root@the-device
+  
+Run :command:`levitate`. This takes a little while (perhaps a few
+tens of seconds) to execute, and copies all config required for
+maintenance mode to :file:`/run/maintenance`.
+  
+.. code-block:: console
+  
+  # levitate 
+  
+Reboot into maintenance mode. You will be logged out
+  
+.. code-block:: console
+
+  # reboot
+  
+Connect to the device again - note that the ssh host key will have changed.
+  
+.. code-block:: console
+
+  # ssh -o UserKnownHostsFile=/dev/null root@the-device
+  
+Check we're in maintenance mode
+  
+.. code-block:: console
+
+  # cat /etc/banner 
+  
+  LADIES AND GENTLEMEN WE ARE FLOATING IN SPACE
+  
+  Most services are disabled. The system is operating
+  with a ram-based root filesystem, making it safe to
+  overwrite the flash devices in order to perform
+  upgrades and maintenance.
+  
+  Don't forget to reboot when you have finished.
+  
+Perform the upgrade, using flashcp. This is an example,
+your device will differ
+   
+.. code-block:: console
+
+  # cat /proc/mtd 
+  dev:    size   erasesize  name
+  mtd0: 00030000 00010000 "u-boot"
+  mtd1: 00010000 00010000 "u-boot-env"
+  mtd2: 00010000 00010000 "factory"
+  mtd3: 00f80000 00010000 "firmware"
+  mtd4: 00220000 00010000 "kernel"
+  mtd5: 00d60000 00010000 "rootfs"
+  mtd6: 00010000 00010000 "art"
+  # flashcp -v firmware.bin mtd:firmware
+
+All done
+  
+.. code-block:: console
+
+  # reboot
+

doc/conf.py

@@ -7,19 +7,19 @@
 # https://www.sphinx-doc.org/en/master/usage/configuration.html#project-information
 
 project = 'Liminix'
-copyright = '2023, Daniel Barlow'
+copyright = '2023-2024 Daniel Barlow'
 author = 'Daniel Barlow'
 
 # -- General configuration ---------------------------------------------------
 # https://www.sphinx-doc.org/en/master/usage/configuration.html#general-configuration
 
 extensions = [
-    'sphinx.ext.autosectionlabel'
+#    'sphinx.ext.autosectionlabel'
 ]
 autosectionlabel_prefix_document = True
 
 templates_path = ['_templates']
-exclude_patterns = ['_build', 'Thumbs.db', '.DS_Store']
+exclude_patterns = ['*.inc.rst', '_build', 'Thumbs.db', '.DS_Store']
 
 
 

doc/configuration.rst

@@ -1,27 +1,8 @@
+.. _configuration:
+
 Configuration
 #############
 
-Liminix uses the Nix language to provide congruent configuration
-management.  This means that to change anything about the way in
-which a Liminix system works, you make that change in
-your :file:`configuration.nix` (or one of the other files it references),
-and rerun :command:`nix-build` or :command:`liminix-rebuild` to action
-the change. It is not possible (at least, without shenanigans) to make
-changes by logging into the device and running imperative commands
-whose effects may later be overridden: :file:`configuration.nix`
-always describes the entire system and can be used to recreate that
-system at any time.  You can usefully keep it under version control.
-
-If you are familiar with NixOS, you will notice some similarities
-between NixOS and Liminix configuration, and also some
-differences. Sometimes the differences are due to the
-resource-constrained devices we deploy onto, sometimes due to
-differences in the uses these devices are put to.
-
-
-Configuration taxonomy
-**********************
-
 There are many things you can specify in a configuration, but these
 are the ones you most commonly need to change:
 
@@ -86,14 +67,166 @@ domains, or you want to run two SSH daemons on different ports.
 	 don't use the NixOS modules themselves, because the
 	 underlying system is not similar enough for them to work.
 
+.. _configuration-services:
 
 Services
 ********
 
-We use the `s6-rc service manager <https://www.skarnet.org/software/s6-rc/overview.html>`_  to start/stop/restart services and handle
-service dependencies. Any attribute in `config.services` will become
-part of the default set of services that s6-rc will try to bring up on
-boot.
+In Liminix a service is any kind of long-running task or process on
+the system, that is managed (started, stopped, and monitored) by a
+service supervisor.  A typical SOHO router might have services to
+
+* answer DHCP and DNS requests from the LAN
+* provide a wireless access point
+* connect using PPPoE or L2TP to an upstream network
+* start/stop the firewall
+* enable/disable IP packet forwarding
+* mount filesystems
+
+(Some of these might not be considered services using other
+definitions of the term: for example, this L2TP process would be a
+"client" in the client/server classification; and enabling packet
+forwarding doesn't require any long-lived process - just a setting to
+be toggled.  However, there is value in being able to use the same
+abstractions for all the things to manage them and specify their
+dependency relationships - so in Liminix "everything is a service")
+
+The service supervision system enables service health monitoring,
+restart of unhealthy services, and failover to "backup" services when
+a primary service fails or its dependencies are unavailable. The
+intention is that you have a framework in which you can specify policy
+requirements like "ethernet wan dhcp-client should be restarted if it
+crashes, but if it can't start because the hardware link is down, then
+4G ppp service should be started instead".
+
+Any attribute in `config.services` will become part of the default set
+of services that s6-rc will try to bring up.  Services are usually
+started at boot time, but **controlled services** are those that are
+required only in particular contexts.  For example, a service to mount
+a USB backup drive should run only when the drive is attached to the
+system. Liminix currently implements three kinds of controlled service:
+
+* "uevent-rule" service controllers use sysfs/uevent to identify when
+  particular hardware devices are present, and start/stop a controlled
+  service appropriately.
+
+* the "round-robin" service controller is used for service failover:
+  it allows you to specify a list of services and runs each of them
+  in turn until it exits, then runs the next.
+
+* the "health-check" service wraps another service, and runs a "health
+  check" command at regular intervals. When the health check fails,
+  indicating that the wrapped service is not working, it is terminated
+  and allowed to restart.
+
+Runtime secrets (external vault)
+================================
+
+Secrets (such as wifi passphrases, PPP username/password, SSH keys,
+etc) that you provide as literal values in :file:`configuration.nix`
+are processed into into config files and scripts at build time, and
+eventually end up in various files in the (world-readable)
+:file:`/nix/store` before being baked into a flashable image. To
+change a secret - whether due to a compromise, or just as part of to a
+routine key rotation - you need to rebuild the configuration and
+potentially reflash the affected devices.
+
+To avoid this, you may instead use a "secrets service", which is a
+mechanism for your device to fetch secrets from a source external to
+the Nix store, and create at runtime the configuration files and
+scripts that start the services which require them.
+
+Not every possible parameter to every possible service is configurable
+using a secrets service. Parameters which can be configured this way
+are those with the type ``liminix.lib.types.replacable``. At the time
+this document was written, these include:
+
+* ppp (pppoe and l2tp): ``username``, ``password``
+* ssh: ``authorizedKeys``
+* hostapd: all parameters (most likely to be useful for ``wpa_passphrase``)
+
+To use a runtime secret for any of these parameters:
+
+* create a secrets service to specify the source of truth for secrets
+* use the :code:`outputRef` function in the service parameter to specify the secrets service and path
+
+For example, given you had an HTTPS server hosting a JSON file with the structure
+
+.. code-block:: json
+
+    "ssh": {
+      "authorizedKeys": {
+	"root": [ "ssh-rsa ....",  "ssh-rsa ....", ... ]
+	"guest": [ "ssh-rsa ....",  "ssh-rsa ....", ... ]
+      }
+    }
+ 
+you could use a :file:`configuration.nix` fragment something like this
+to make those keys visible to ssh:
+  
+.. code-block:: nix  
+
+    services.secrets = svc.secrets.outboard.build {
+      name = "secret-service";
+      url = "http://10.0.0.1/secrets.json";
+      username = "secrets";
+      password = "liminix";
+      interval = 30; # minutes
+      dependencies = [ config.services.lan ];
+    };
+    services.sshd = svc.ssh.build {
+      authorizedKeys = outputRef config.services.secrets "ssh/authorizedKeys";
+    };
+
+
+    
+There are presently two implementations of a secrets service:
+
+Outboard secrets (HTTPS)
+------------------------
+
+This service expects a URL to a JSON file containing all the secrets.
+
+You may specify a username and password along with the URL, which are
+used if the file is password-protected (HTTP Basic
+authentication). Note that this is not a protection against a
+malicious local user: the username and password are normal build-time
+parameters so will be readable in the Nix store.  This is a mitigation
+against the URL being accidentally discovered due to e.g. a log file
+or error message on the server leaking.
+
+
+Tang secrets (encrypted local file)
+-----------------------------------
+
+Aternatively, secrets may be stored locally on the device, in a file
+that has been encrypted using `Tang <https://github.com/latchset/tang>`_.
+
+    Tang is a server for binding data to network presence.
+
+    This sounds fancy, but the concept is simple. You have some data, but you only want it to be available when the system containing the data is on a certain, usually secure, network. 
+
+
+.. code-block:: nix
+
+    services.secrets = svc.secrets.tang.build {
+      name = "secret-service";
+      path = "/run/mnt/usbstick/secrets.json.jwe";
+      interval = 30; # minutes
+      dependencies = [ config.services.mount-usbstick ];
+    };
+
+The encryption uses the
+same scheme/algorithm as `Clevis <https://github.com/latchset/clevis>`_ : you may use the `Clevis instructions <https://github.com/latchset/clevis?tab=readme-ov-file#pin-tang>`_ to
+encrypt the file on another host and then copy it to your Liminix
+device, or you can use :command:`tangc encrypt` to encrypt directly on
+the device.  (That latter approach may pose a chicken/egg problem if
+the device needs secrets to boot up and run the services you are
+relying on in order to login).
+ 
+
+Writing services
+================
 
 For the most part, for common use cases, hopefully the services you
 need will be defined by modules and you will only have to pass the
@@ -141,11 +274,101 @@ Services may have dependencies: as you see above in the ``cowsayd``
 example, it depends on some service called ``config.services.lan``,
 meaning that it won't be started until that other service is up.
 
-..
-	TODO: explain service outputs
+Service outputs
+===============
+
+Outputs are a mechanism by which a service can provide data which may
+be required by other services. For example:
+
+* the DHCP client service can expect to receive nameserver address
+  information as one of the fields in the response from the DHCP
+  server: we provide that as an output which a dependent service for a
+  stub name resolver can use to configure its upstream servers.
+
+* a service that creates a new network interface (e.g. ppp) will
+  provide the name of the interface (:code:`ppp0`, or :code:`ppp1` or
+  :code:`ppp7`) as an output so that a dependent service can reference
+  it to set up a route, or to configure firewall rules.
+
+A service :code:`myservice` should write its outputs as files in
+:file:`/run/services/outputs/myservice`: you can look around this
+directory on a running Liminix system to see how it's used currently.
+Usually we use the :code:`in_outputs` shell function in the
+:command:`up` or :command:`run` attributes of the service:
+
+.. code-block:: shell
+		
+    (in_outputs ${name}
+     for i in lease mask ip router siaddr dns serverid subnet opt53 interface ; do
+       (printenv $i || true) > $i
+     done)
+ 
+The outputs are just files, so technically you can read them using
+anything that can read a file. Liminix has two "preferred"
+mechanisms, though:
+
+One-off lookups
+---------------
+
+In any context that ends up being evaluated by the shell, use 
+:code:`output` to print the value of an output
+
+.. code-block:: nix
+		
+    services.defaultroute4 = svc.network.route.build {
+      via = "$(output ${services.wan} address)";
+      target = "default";
+      dependencies = [ services.wan ];
+    };	  
+
+    
+Continuous updates
+------------------
+
+The downside of using shell functions in downstream service startup
+scripts is that they only run when the service starts up: if a service
+output *changes*, the downstream service would have to be restarted to
+notice the change. Sometimes this is OK but other times the downstream
+has no other need to restart, if it can only get its new data.
+
+For this case, there is the :code:`anoia.svc` Fennel library, which
+allows you to write a simple loop which is iterated over whenever a
+service's outputs change. This code is from
+:file:`modules/dhcp6c/acquire-wan-address.fnl`
+
+.. code-block:: fennel
+
+    (fn update-addresses [wan-device addresses new-addresses exec]
+      ;; run some appropriate "ip address [add|remove]" commands
+      )
+
+    (fn run []
+      (let [[state-directory wan-device] arg
+	    dir (svc.open state-directory)]
+	(accumulate [addresses []
+		     v (dir:events)]
+	  (update-addresses wan-device addresses
+	                    (or (v:output "address") []) system))))		
+
+The :code:`output` method seen here accepts a filename (relative
+to the service's output directory), or a directory name. It 
+returns the first line of that file, or for directories it
+returns a table (Lua's key/value datastructure, similar to
+a hash/dictionary) of the outputs in that directory.
+	  
+    
+Output design considerations
+----------------------------
+
+For preference, outputs should be short and simple, and not require
+downstream services to do complicated parsing in order to use them.
+Shell commands in Liminix are run using the Busybox shell which
+doesn't have the niceties of an advanced shell like Bash let alone
+those of a real programming language.
+
+Note also that the Lua :code:`svc` library only reads the first line
+of each output.
 
-..
-	TODO: outputs that change, and services that poll other services
 
 Module implementation
 *********************
@@ -192,7 +415,7 @@ To expose a service template in a module, it needs the following:
 
 .. code-block:: nix
 
-    config.system.service.cowsay = liminix.callService ./service.nix {
+    config.system.service.cowsay = config.system.callService ./service.nix {
       address = mkOption {
 	type = types.str;
 	default = "0.0.0.0";

doc/development.rst

@@ -88,64 +88,6 @@ time with configurations for RP-PPPoE and/or Accel PPP.`
 Hardware devices
 ****************
 
-.. _serial:
-
-U-Boot and serial shenanigans
-=============================
-
-Every device that we have so far encountered in Liminix uses `U-Boot,
-the "Universal Boot Loader" <https://docs.u-boot.org/en/latest/>`_ so
-it's worth knowing a bit about it. "Universal" is in this context a
-bit of a misnomer, though: encountering *mainline* U-Boot is very rare
-and often you'll find it is a fork from some version last updated
-in 2008. Upgrading U-Boot is more or less complicated depending on the
-device and is outside scope for Liminix.
-
-To speak to U-Boot on your device you'll usually need a serial
-connection to it.  This is device-specific. Usually it involves
-opening the box, locating the serial header pins (TX, RX and GND) and
-connecting a USB TTL converter to them.
-
-The Rolls Royce of USB/UART cables is the `FTDI cable
-<https://cpc.farnell.com/ftdi/ttl-232r-rpi/cable-debug-ttl-232-usb-rpi/dp/SC12825?st=usb%20to%20uart%20cable>`_,
-but there are cheaper alternatives based on the PL2303 and CP2102 chipsets.  Or
-get creative and use the `UART GPIO pins <https://pinout.xyz/>`_ on a Raspberry Pi. Whatever you do, make sure
-that the voltages are compatible: if your device is 3.3V (this is
-typical but not universal), you don't want to be sending it 5v or
-(even worse) 12v.
-
-Run a terminal emulator such as Minicom on the computer at other end
-of the link. 115200 8N1 is the typical speed.
-
-.. NOTE::
-
-   TTL serial connections typically have no form of flow control and
-   so don't always like having massive chunks of text pasted into
-   them - and U-Boot may drop characters while it's busy. So don't
-   necessarily expect to copy-paste large chunks of text into the
-   terminal emulator and have it work just like that.
-
-   If using Minicom, you may find it helps to bring up the "Termimal
-   settings" dialog (C^A T), then configure "Newline tx delay" to
-   some small but non-zero value.
-
-When you turn the router on you should be greeted with some messages
-from U-Boot, followed by the instruction to hit some key to stop
-autoboot. Do this and you will get to the prompt. If you didn't see
-anything, the strong likelihood is that TX and RX are the wrong way
-around. If you see garbage, try a different speed.
-
-Interesting commands to try first in U-Boot are :command:`help` and
-:command:`printenv`.
-
-To do anything useful with U-Boot you will probably need a way to get
-large binary files onto the device, and the usual way to do this is by
-adding a network connection and using TFTP to download them. It's
-quite common that the device's U-Boot doesn't speak DHCP so it will
-need a static LAN address. You might also want to keep it away from
-your "real" LAN: see :ref:`bng` for some potentially useful tooling
-to use it on an isolated network.
-
 
 TFTP
 ====
@@ -290,18 +232,13 @@ Running tests
 *************
 
 You can run all of the tests by evaluating :file:`ci.nix`, which is the
-input I use in Hydra. Note that it expects Nixpkgs stable `and` unstable
-as inputs, because it builds the qemu device against both.
+input I use in Hydra. 
 
 .. code-block:: console
 
-    nix-build --argstr liminix `pwd`  --arg  nixpkgs "<nixpkgs>" \
-     --argstr unstable `pwd`/../unstable-nixpkgs/ ci.nix
-
-To run a single named test, use the ``-A`` flag. For example, ``-A pppoe``
-
-
-
+    nix-build -I liminix=`pwd`  ci.nix -A pppoe # run one job
+    nix-build -I liminix=`pwd`  ci.nix -A all # run all jobs
+    
 
 Troubleshooting
 ***************

doc/extract-options.nix

@@ -1,11 +1,9 @@
 { eval, lib, pkgs }:
 let
-  inherit (lib) types;
   conf = eval.config;
   rootDir = builtins.toPath ./..;
-  stripAnyPrefixes = lib.flip (lib.fold lib.removePrefix)
-    ["${rootDir}/"];
-  optToDoc = name: opt : {
+  stripAnyPrefixes = lib.flip (lib.fold lib.removePrefix) [ "${rootDir}/" ];
+  optToDoc = name: opt: {
     inherit name;
     description = opt.description or null;
     default = opt.default or null;
@@ -26,7 +24,6 @@ let
           let x = lib.mapAttrsToList optToDoc sd.parameters; in x;
       }
     else
-      item // { declarations =  map stripAnyPrefixes item.declarations; };
+      item // { declarations = map stripAnyPrefixes item.declarations; };
 in
-builtins.map spliceServiceDefn
-  (pkgs.lib.optionAttrSetToDocList eval.options)
+builtins.map spliceServiceDefn (pkgs.lib.optionAttrSetToDocList eval.options)

doc/hardware.nix

@@ -1,24 +1,22 @@
-with import <nixpkgs> {} ;
+with import <nixpkgs> { };
 
 let
   inherit (builtins) stringLength readDir filter;
-  devices = filter (n: n != "families")
-    (lib.mapAttrsToList (n: t: n) (readDir ../devices));
-  texts = map (n:
-    let d = import  ../devices/${n}/default.nix;
-        d' = {
-          description = "${n}\n${substring 0 (stringLength n) "********************************"}\n";
-        } // d;
-        installer =
-          if d ? description && d ? installer
-          then ''
-
-            The default installation route for this device is
-            :ref:`system-outputs-${d.installer}`
-          ''
-          else "";
-    in d'.description)
-    devices;
+  devices = filter (n: n != "families") (lib.mapAttrsToList (n: t: n) (readDir ../devices));
+  texts = map (
+    n:
+    let
+      d = import ../devices/${n}/default.nix;
+      tag = ".. _${lib.strings.replaceStrings [" "] ["-"] n}:";
+      d' = {
+        description = ''
+          ${n}
+          ${substring 0 (stringLength n) "********************************"}
+        '';
+      } // d;
+    in
+      "${tag}\n\n${d'.description}"
+  ) devices;
 in
 writeText "hwdoc" ''
   Supported hardware

doc/index.rst

@@ -7,6 +7,7 @@ Liminix
 
    intro
    tutorial
+   installation
    configuration
    admin
    development

doc/installation.rst

@@ -0,0 +1,211 @@
+Installation
+############
+
+Hardware devices vary wildly in their affordances for installing new
+operating systems, so it should be no surprise that the Liminix
+installation procedure is hardware-dependent. This section contains
+generic instructions, but please refer to the documentation for your
+device to find whether and how well they apply.
+
+
+Building a firmware image
+*************************
+
+Liminix uses the Nix language to provide congruent configuration
+management.  This means that to change anything about the way in
+which a Liminix system works, you make that change in
+your :file:`configuration.nix` (or one of the other files it references),
+and rerun :command:`nix-build` to action
+the change. It is not possible (at least, without shenanigans) to make
+changes by logging into the device and running imperative commands
+whose effects may later be overridden: :file:`configuration.nix`
+always describes the entire system and can be used to recreate that
+system at any time.  You can usefully keep it under version control.
+
+If you are familiar with NixOS, you will notice some similarities
+between NixOS and Liminix configuration, and also some
+differences. Sometimes the differences are due to the
+resource-constrained devices we deploy onto, sometimes due to
+differences in the uses these devices are put to.
+
+For a more full description of how to configure Liminix, see
+:ref:`configuration`. Assuming for the moment that you want a typical
+home wireless gateway/router, the best way to get started is to copy
+:file:`examples/rotuer.nix` and edit it for your requirements.
+
+
+.. code-block:: console
+
+    $ cp examples/rotuer.nix configuration.nix
+    $ vi configuration.nix # other editors are available 
+    $ # adjust this next command for your hardware device
+    $ nix-build -I liminix-config=./configuration.nix \
+     --arg device "import ./devices/gl-mt300a" -A outputs.default
+
+Usually  (not always, *please check the documentation for your device*)
+this will leave you with a file :file:`result/firmware.bin`
+which you now need to flash to the device.
+
+
+Flashing from the boot monitor (TFTP install)
+*********************************************
+
+If you are prepared to open the device and have a TTL serial adaptor
+of some kind to connect it to, you can probably use U-Boot and a TFTP
+server to download and flash the image.
+
+This is quite hardware-specific and may even involve soldering - see
+the documention for your device. However, it is in some ways the most
+"reliable" option: if you can see what's happening (or not happening)
+in early boot, the risk of "bricking" is substantially reduced and you
+have options for recovering if you misstep or flash a bad image.
+
+
+.. _serial:
+
+U-Boot and serial shenanigans
+=============================
+
+Every device that we have so far encountered in Liminix uses `U-Boot,
+the "Universal Boot Loader" <https://docs.u-boot.org/en/latest/>`_ so
+it's worth knowing a bit about it. "Universal" is in this context a
+bit of a misnomer, though: encountering *mainline* U-Boot is very rare
+and often you'll find it is a fork from some version last updated
+in 2008. Upgrading U-Boot is more or less complicated depending on the
+device and is outside scope for Liminix.
+
+To speak to U-Boot on your device you'll usually need a serial
+connection to it.  This typically involves opening the box, locating
+the serial header pins (TX, RX and GND) and connecting a USB TTL
+converter to them.
+
+The Rolls Royce of USB/UART cables is the `FTDI cable
+<https://cpc.farnell.com/ftdi/ttl-232r-rpi/cable-debug-ttl-232-usb-rpi/dp/SC12825?st=usb%20to%20uart%20cable>`_,
+but there are cheaper alternatives based on the PL2303 and CP2102 chipsets -   or you could even 
+get creative and use the `UART GPIO pins <https://pinout.xyz/>`_ on a Raspberry Pi. Whatever you do, make sure
+that the voltages are compatible: if your device is 3.3V (this is
+typical but not universal), you don't want to be sending it 5v or
+(even worse) 12v.
+
+Run a terminal emulator such as Minicom on the computer at other end
+of the link. 115200 8N1 is the typical speed.
+
+.. NOTE::
+
+   TTL serial connections often have no flow control and
+   so don't always like having massive chunks of text pasted into
+   them - and U-Boot may drop characters while it's busy. So don't
+   do that.
+
+   If using Minicom, you may find it helps to bring up the "Termimal
+   settings" dialog (C^A T), then configure "Newline tx delay" to
+   some small but non-zero value.
+
+When you turn the router on you should be greeted with some messages
+from U-Boot, followed by the instruction to hit some key to stop
+autoboot. Do this and you will get to the prompt. If you didn't see
+anything, the strong likelihood is that TX and RX are the wrong way
+around. If you see garbage, try a different speed.
+
+Interesting commands to try first in U-Boot are :command:`help` and
+:command:`printenv`.
+
+You will also need to configure a TFTP server on a network that's
+accessible to the device: how you do that will vary according to which
+TFTP server you're using and so is out of scope for this document.
+
+
+
+Buildiing and installing the image
+==================================
+
+Follow the device-specific instructions for "TFTP install": usually,
+the steps are 
+
+* build the `outputs.mtdimage` output
+* copy :file:`result/firmware.bin` to your TFTP server
+* copy/paste the commands in :file:`result/flash.scr` one at a time into the U-Boot command line
+* reset the device
+
+You should now see messages from U-Boot, then from the Linux kernel
+and eventually a shell prompt.
+
+.. NOTE:: Before you reboot, check which networks the device is
+          plugged into, and disconnect as necessary. If you've just
+          installed a DHCP server or anything similar that responds to
+          broadcasts, you may not want it to do that on the network
+          that you temporarily connected it to for installing it.
+
+
+
+Flashing from OpenWrt
+*********************
+
+.. CAUTION:: Untested! A previous version of these instructions
+	     (without the -e flag) led to bricking the device
+	     when flashing a jffs2 image. If you are reading
+	     this message, nobody has yet reported on whether the
+	     new instructions are any better.
+
+If your device is running OpenWrt then it probably has the
+:command:`mtd` command installed. Build the `outputs.mtdimage` output
+(as you would for a TFTP install) and then transfer
+:file:`result/firmware.bin` onto the device using e.g.
+:command:`scp`. Now flash as follows:
+
+.. code-block:: console
+
+   mtd -e -r write /tmp/firmware.bin firmware
+
+The options to this command are for "erase before writing" and "reboot
+after writing".
+
+For more information, please see the `OpenWrt manual <https://openwrt.org/docs/guide-user/installation/sysupgrade.cli>`_ which may also contain (hardware-dependent) instructions on how to flash an image using the vendor firmware - perhaps even from a web interface.
+
+
+Flashing from Liminix
+*********************
+
+If the device is already running Liminix and has been configured with
+:command:`levitate`, you can use that to safely flash your new image.
+Refer to :ref:`levitate` for an explanation.
+
+If the device is running Liminix but doesn't have :command:`levitate`
+your options are more limited. You may attempt to use
+:command:`flashcp` but it doesn't always work: as it copies the new
+image over the top of the active root filesystem, surprise may ensue.
+Consider instead using a serial connection: you may need one anyway
+after trying flashcp if it corrupts the image.
+
+flashcp (not generally recommended)
+===================================
+
+Connect to the device and locate the "firmware" partition, which you
+can do with a combination of :command:`dmesg` output and the contents
+of :file:`/proc/mtd`
+
+.. code-block:: console
+
+   <5>[    0.469841] Creating 4 MTD partitions on "spi0.0":
+   <5>[    0.474837] 0x000000000000-0x000000040000 : "u-boot"
+   <5>[    0.480796] 0x000000040000-0x000000050000 : "u-boot-env"
+   <5>[    0.487056] 0x000000050000-0x000000060000 : "art"
+   <5>[    0.492753] 0x000000060000-0x000001000000 : "firmware"
+
+   # cat /proc/mtd
+   dev:    size   erasesize  name
+   mtd0: 00040000 00001000 "u-boot"
+   mtd1: 00010000 00001000 "u-boot-env"
+   mtd2: 00010000 00001000 "art"
+   mtd3: 00fa0000 00001000 "firmware"
+   mtd4: 002a0000 00001000 "kernel"
+   mtd5: 00d00000 00001000 "rootfs"
+
+Copy :file:`result/firmware.bin` to the device and now run (in this
+example)
+
+.. code-block:: console
+
+   flashcp -v firmware.bin /dev/mtd3
+
+

doc/modules.rst

@@ -1,4 +1,4 @@
 Module options
 ##############
 
-.. include:: modules-generated.rst
+.. include:: modules-generated.inc.rst

doc/outputs.rst

@@ -10,4 +10,4 @@ different artefacts, or have different ways to get that artefact
 installed. The options available for a particular device are described in
 the section for that device.
 
-.. include:: outputs-generated.rst
+.. include:: outputs-generated.inc.rst

doc/parse-options-outputs.fnl

@@ -16,4 +16,4 @@
 (each [_ option (ipairs (sorted-options (yaml.load (io.read "*a"))))]
   (when (and (output? option) (not option.internal))
     (print (.. ".. _" (string.gsub option.name "%." "-") ":") "\n")
-    (print option.description)))
+    (print option.description "\n")))

doc/tutorial.rst

@@ -71,7 +71,7 @@ stdin/stdout.
 You should now see Linux boot messages and after a few seconds be
 presented with a root shell prompt.  You can run commands to look at
 the filesystem, see what processes are running, view log messages (in
-:file:/run/uncaught-logs.current), etc. To kill the emulator, press ^P
+:file:/run/log/current), etc. To kill the emulator, press ^P
 (Control P) then c to enter the "QEMU Monitor", then type ``quit`` at
 the ``(qemu)`` prompt.
 
@@ -293,14 +293,17 @@ the hostname) and then run
 
 .. code-block:: console
 
-    nix-shell --run "liminix-rebuild root@address-of-the-device  -I liminix-config=./my-router.nix --arg device "import ./devices/gl-ar750""
+    nix-build  -I liminix-config=./my-router.nix \
+      --arg device "import ./devices/gl-ar750" \
+      -A outputs.systemConfiguration && \
+    result/install.sh root@address-of-the-device 
 
 (This requires the device to be network-accessible from your build
 machine, which for a test/demo system might involve a second network
 device in your build system - USB ethernet adapters are cheap - or
 a bit of messing around unplugging cables.)
 
-For more information about :code:`liminix-rebuild`, see the manual section :ref:`admin:Rebuilding the system`.
+For more information about in-place-updates, see the manual section :ref:`Rebuilding the system`.
 
 
 Final thoughts

examples/arhcive.nix

@@ -11,15 +11,15 @@
   ...
 }: let
   secrets = import ./extneder-secrets.nix;
-  inherit (pkgs.liminix.services) oneshot longrun bundle target;
+  inherit (pkgs.liminix.services) oneshot longrun target;
   inherit (pkgs.pseudofile) dir symlink;
-  inherit (pkgs) writeText dropbear ifwait serviceFns;
+  inherit (pkgs) writeText serviceFns;
   svc = config.system.service;
 in rec {
   boot = {
     tftp = {
-      serverip = "192.168.8.148";
-      ipaddr = "192.168.8.251";
+      serverip = "10.0.0.1";
+      ipaddr = "10.0.0.8";
     };
   };
 
@@ -28,34 +28,12 @@ in rec {
     ../modules/network
     ../modules/vlan
     ../modules/ssh
+    ../modules/usb.nix
     ../modules/watchdog
     ../modules/mount
   ];
   hostname = "arhcive";
 
-  kernel = {
-    config = {
-      USB = "y";
-      USB_EHCI_HCD = "y";
-      USB_EHCI_HCD_PLATFORM = "y";
-      USB_OHCI_HCD = "y";
-      USB_OHCI_HCD_PLATFORM = "y";
-      USB_SUPPORT = "y";
-      USB_COMMON = "y";
-      USB_STORAGE = "y";
-      USB_STORAGE_DEBUG = "n";
-      USB_UAS = "y";
-      USB_ANNOUNCE_NEW_DEVICES = "y";
-      SCSI = "y";
-      BLK_DEV_SD = "y";
-      USB_PRINTER = "y";
-      MSDOS_PARTITION = "y";
-      EFI_PARTITION = "y";
-      EXT4_FS = "y";
-      EXT4_USE_FOR_EXT2 = "y";
-      FS_ENCRYPTION = "y";
-    };
-  };
 
   services.dhcpc =
     let iface = config.hardware.networkInterfaces.lan;
@@ -74,7 +52,6 @@ in rec {
     dependencies = [ services.dhcpc ];
     name = "resolvconf";
     up = ''
-      . ${serviceFns}
       ( in_outputs ${name}
       for i in $(output ${services.dhcpc} dns); do
         echo "nameserver $i" > resolv.conf
@@ -105,7 +82,7 @@ in rec {
   };
 
   services.mount_external_disk = svc.mount.build {
-    device = "LABEL=backup-disk";
+    partlabel = "backup-disk";
     mountpoint = "/srv";
     fstype = "ext4";
   };
@@ -115,7 +92,6 @@ in rec {
       secrets_file = oneshot rec {
         name = "rsync-secrets";
         up = ''
-          . ${serviceFns}
           (in_outputs ${name}
            echo  "backup:${secrets.rsync_secret}" > secrets)
         '';
@@ -141,23 +117,37 @@ in rec {
         secrets_file
         services.mount_external_disk
         config.hardware.networkInterfaces.lan
-      ] ;
+      ];
     };
 
   users.root = {
     passwd = lib.mkForce secrets.root.passwd;
-    # openssh.authorizedKeys.keys = [
-    #   (builtins.readFile "/home/dan/.ssh/id_rsa.pub")
-    # ];
+    openssh.authorizedKeys.keys = secrets.root.keys;
   };
 
   users.backup = {
-    uid=500; gid=500; gecos="Storage owner"; dir="/srv";
-    shell="/dev/null";
+    uid = 500;
+    gid = 500;
+    gecos = "Storage owner";
+    dir = "/srv";
+    shell = "/dev/null";
   };
   groups.backup = {
-    gid=500; usernames = ["backup"];
+    gid = 500;
+    usernames = [ "backup" ];
   };
 
-  defaultProfile.packages = with pkgs; [e2fsprogs strace tcpdump ];
+  defaultProfile.packages = with pkgs; [
+    e2fsprogs
+    mtdutils
+    (levitate.override {
+      config = {
+        services = {
+          inherit (config.services) dhcpc sshd watchdog;
+        };
+        defaultProfile.packages = [ mtdutils ];
+        users.root.openssh.authorizedKeys.keys = secrets.root.keys;
+      };
+    })
+  ];
 }

examples/demo.nix

@@ -5,9 +5,9 @@
 # wherever the text "EDIT" appears - please consult the tutorial
 # documentation for details.
 
-{ config, pkgs, lib, ... } :
+{ config, pkgs, ... }:
 let
-  inherit (pkgs.liminix.services) bundle oneshot longrun;
+  inherit (pkgs.liminix.services) bundle oneshot;
   inherit (pkgs) serviceFns;
   # EDIT: you can pick your preferred RFC1918 address space
   # for NATted connections, if you don't like this one.
@@ -49,31 +49,40 @@ in rec {
       country_code = "GB";
       wpa_passphrase = "not a real wifi password";
 
-      hw_mode="g";
+      hw_mode = "g";
       ieee80211n = 1;
       auth_algs = 1; # 1=wpa2, 2=wep, 3=both
-      wpa = 2;       # 1=wpa, 2=wpa2, 3=both
+      wpa = 2; # 1=wpa, 2=wpa2, 3=both
       wpa_key_mgmt = "WPA-PSK";
-      wpa_pairwise = "TKIP CCMP";   # auth for wpa (may not need this?)
-      rsn_pairwise = "CCMP";        # auth for wpa2
+      wpa_pairwise = "TKIP CCMP"; # auth for wpa (may not need this?)
+      rsn_pairwise = "CCMP"; # auth for wpa2
       wmm_enabled = 1;
     };
   };
 
   services.int = svc.network.address.build {
     interface = svc.bridge.primary.build { ifname = "int"; };
-    family = "inet"; address = "${ipv4LocalNet}.1"; prefixLength = 16;
+    family = "inet";
+    address = "${ipv4LocalNet}.1";
+    prefixLength = 16;
   };
 
-  services.bridge =  svc.bridge.members.build {
+  services.bridge = svc.bridge.members.build {
     primary = services.int;
-    members = with config.hardware.networkInterfaces;
-      [ wlan lan ];
+    members = with config.hardware.networkInterfaces; [
+      wlan
+      lan
+    ];
   };
 
   services.ntp = svc.ntp.build {
-    pools = { "pool.ntp.org" = ["iburst"]; };
-    makestep = { threshold = 1.0; limit = 3; };
+    pools = {
+      "pool.ntp.org" = [ "iburst" ];
+    };
+    makestep = {
+      threshold = 1.0;
+      limit = 3;
+    };
   };
 
   services.sshd = svc.ssh.build { };
@@ -128,7 +137,6 @@ in rec {
     dependencies = [ services.wan ];
     name = "resolvconf";
     up = ''
-      . ${serviceFns}
       ( in_outputs ${name}
        echo "nameserver $(output ${services.wan} ns1)" > resolv.conf
        echo "nameserver $(output ${services.wan} ns2)" >> resolv.conf
@@ -157,9 +165,7 @@ in rec {
     interface = services.wan;
   };
 
-  services.firewall = svc.firewall.build {
-    ruleset = import ./demo-firewall.nix;
-  };
+  services.firewall = svc.firewall.build { };
 
   services.packet_forwarding = svc.network.forward.build { };
 
@@ -196,7 +202,5 @@ in rec {
       ];
     };
 
-  defaultProfile.packages = with pkgs; [
-    min-collect-garbage
-  ];
+  defaultProfile.packages = with pkgs; [ min-collect-garbage ];
 }

examples/extneder.nix

@@ -8,12 +8,10 @@
   config,
   pkgs,
   lib,
+  modulesPath,
   ...
 }: let
   secrets = import ./extneder-secrets.nix;
-  inherit (pkgs.liminix.services) oneshot longrun bundle target;
-  inherit (pkgs.pseudofile) dir symlink;
-  inherit (pkgs) dropbear ifwait serviceFns;
   svc = config.system.service;
 in rec {
   boot = {
@@ -24,113 +22,32 @@ in rec {
   };
 
   imports = [
-    ../modules/wlan.nix
-    ../modules/vlan
-    ../modules/network
-    ../modules/hostapd
-    ../modules/bridge
-    ../modules/ssh
+    "${modulesPath}/profiles/wap.nix"
+    "${modulesPath}/vlan"
+    "${modulesPath}/ssh"
   ];
 
   hostname = "extneder";
 
-  kernel = {
-    config = {
-
-      NETFILTER_XT_MATCH_CONNTRACK = "y";
-
-      IP6_NF_IPTABLES = "y"; # do we still need these
-      IP_NF_IPTABLES = "y"; # if using nftables directly
-
-      # these are copied from rotuer and need review.
-      # we're not running a firewall, so why do we need
-      # nftables config?
-      IP_NF_NAT = "y";
-      IP_NF_TARGET_MASQUERADE = "y";
-      NETFILTER = "y";
-      NETFILTER_ADVANCED = "y";
-      NETFILTER_XTABLES = "y";
-
-      NFT_COMPAT = "y";
-      NFT_CT = "y";
-      NFT_LOG = "y";
-      NFT_MASQ = "y";
-      NFT_NAT = "y";
-      NFT_REJECT = "y";
-      NFT_REJECT_INET = "y";
-
-      NF_CONNTRACK = "y";
-      NF_NAT = "y";
-      NF_NAT_MASQUERADE = "y";
-      NF_TABLES = "y";
-      NF_TABLES_INET = "y";
-      NF_TABLES_IPV4 = "y";
-      NF_TABLES_IPV6 = "y";
-    };
-  };
-
-  services.hostap = svc.hostapd.build {
-    interface = config.hardware.networkInterfaces.wlan;
-    params = {
-      country_code = "GB";
-      hw_mode = "g";
-      wmm_enabled = 1;
-      ieee80211n = 1;
-      inherit (secrets) ssid channel wpa_passphrase;
-      auth_algs = 1; # 1=wpa2, 2=wep, 3=both
-      wpa = 2; # 1=wpa, 2=wpa2, 3=both
-      wpa_key_mgmt = "WPA-PSK";
-      wpa_pairwise = "TKIP CCMP"; # auth for wpa (may not need this?)
-      rsn_pairwise = "CCMP"; # auth for wpa2
-    };
-  };
-
-  services.int = svc.bridge.primary.build {
-    ifname = "int";
-  };
-
-  services.dhcpc = svc.network.dhcp.client.build {
-    interface = services.int;
-    dependencies = [ config.services.hostname ];
-  };
-
-  services.bridge = svc.bridge.members.build {
-    primary = services.int;
-    members = with config.hardware.networkInterfaces; [
+  profile.wap = {
+    interfaces =  with config.hardware.networkInterfaces; [
       lan
       wlan
     ];
-  };
 
-  services.sshd = svc.ssh.build {};
-
-  services.resolvconf = oneshot rec {
-    dependencies = [ services.dhcpc ];
-    name = "resolvconf";
-    # CHECK: https://udhcp.busybox.net/README.udhcpc says
-    # 'A list of DNS server' but doesn't say what separates the
-    # list members. Assuming it's a space or other IFS character
-    up = ''
-      . ${serviceFns}
-      ( in_outputs ${name}
-      for i in $(output ${services.dhcpc} dns); do
-        echo "nameserver $i" > resolv.conf
-      done
-      )
-    '';
-  };
-  filesystem = dir {
-    etc = dir {
-      "resolv.conf" = symlink "${services.resolvconf}/.outputs/resolv.conf";
+    wireless = {
+      networks.${secrets.ssid} = {
+        interface = config.hardware.networkInterfaces.wlan;
+        inherit (secrets) channel wpa_passphrase;
+        country_code = "GB";
+        hw_mode = "g";
+        wmm_enabled = 1;
+        ieee80211n = 1;
+      };
     };
   };
 
-  services.defaultroute4 = svc.network.route.build {
-    via = "$(output ${services.dhcpc} router)";
-    target = "default";
-    dependencies = [services.dhcpc];
-  };
-
+  services.sshd = svc.ssh.build {};
   users.root.passwd = lib.mkForce secrets.root.passwd;
   defaultProfile.packages = with pkgs; [nftables strace tcpdump swconfig];
 }

examples/hello-from-mt300.nix

@@ -1,6 +1,5 @@
-{ config, pkgs, lib, ... } :
+{ config, pkgs, ... } :
 let
-  inherit (pkgs) serviceFns;
   svc = config.system.service;
 
 in rec {

examples/hello-from-qemu.nix

@@ -1,13 +1,14 @@
 { config, pkgs, lib, ... } :
 let
-  inherit (pkgs) serviceFns;
   svc = config.system.service;
+  inherit (pkgs.liminix.services) longrun oneshot ;
 
 in rec {
   imports = [
     ../modules/network
     ../modules/dnsmasq
     ../modules/ssh
+    ../modules/tls-certificate
   ];
 
   hostname = "hello";
@@ -18,8 +19,51 @@ in rec {
     family = "inet"; address ="10.3.0.1"; prefixLength = 16;
   };
 
+  filesystem =
+    let inherit (pkgs.pseudofile) file dir symlink;
+    in dir {
+      etc = dir {
+        hosts =  {
+          type = "f";
+          file = "127.0.0.1 localhost\n10.0.2.2 loaclhost.telent.net\n";
+          mode = "0444";
+        };
+      };
+    };
+
   services.sshd = svc.ssh.build { };
 
+  services.lan-address-for-secrets =
+    svc.network.address.build {
+      interface = config.hardware.networkInterfaces.lan;
+      family = "inet"; address ="10.0.2.15"; prefixLength = 24;
+    };
+
+  # services.client-cert = svc.tls-certificate.certifix-client.build {
+  #   caCertificate = builtins.readFile /var/lib/certifix/certs/ca.crt;
+  #   subject = "C=GB,ST=London,O=Telent,OU=devices,CN=${config.hostname}";
+  #   secret = builtins.readFile ../challengePassword;
+  #   serviceUrl = "https://loaclhost.telent.net:19613/sign";
+  # };
+
+  # logging.shipping = {
+  #   enable = true;
+  #   service = longrun {
+  #     name = "ship-logs";
+  #     dependencies = [ config.services.client-cert ];
+  #     run =
+  #       let path = lib.makeBinPath (with pkgs; [ s6-networking s6 ]);
+  #       in ''
+  #         PATH=${path}:$PATH \
+  #         CAFILE=${/var/lib/certifix/certs/ca.crt} \
+  #         KEYFILE=$(output_path ${services.client-cert} key) \
+  #         CERTFILE=$(output_path ${services.client-cert} cert) \
+  #         s6-tlsclient -k loaclhost.telent.net -h -y loaclhost.telent.net 19612 \
+  #         fdmove -c 1 7 cat
+  #       '';
+  #   };
+  # };
+
   users.root = {
     # the password is "secret". Use mkpasswd -m sha512crypt to
     # create this hashed password string
@@ -39,6 +83,6 @@ in rec {
     };
 
   defaultProfile.packages = with pkgs; [
-    figlet
+    figlet openssl
   ];
 }

examples/nwa50ax-ap.nix

@@ -0,0 +1,119 @@
+{ config, pkgs, ... } :
+let
+  inherit (pkgs.liminix.services) target;
+  svc = config.system.service;
+  secrets-1 = {
+    ssid = "Zyxel 2G (N)";
+    wpa_passphrase = "diamond dogs";
+  };
+  secrets-2 = {
+    ssid = "Zyxel 5G (AX)";
+    wpa_passphrase = "diamond dogs";
+  };
+  baseParams = {
+    country_code = "FR";
+    hw_mode = "g";
+    channel = 6;
+    wmm_enabled = 1;
+    ieee80211n = 1;
+    ht_capab = "[LDPC][GF][HT40-][HT40+][SHORT-GI-40][MAX-AMSDU-7935][TX-STBC]";
+    auth_algs = 1;
+    wpa = 2;
+    wpa_key_mgmt = "WPA-PSK";
+    wpa_pairwise = "TKIP CCMP";
+    rsn_pairwise = "CCMP";
+  };
+
+  modernParams = {
+    hw_mode = "a";
+    he_su_beamformer = 1;
+    he_su_beamformee = 1;
+    he_mu_beamformer = 1;
+    preamble = 1;
+    # Allow radar detection.
+    ieee80211d = 1;
+    ieee80211h = 1;
+    ieee80211ac = 1;
+    ieee80211ax = 1;
+    vht_capab = "[MAX-MPDU-7991][SU-BEAMFORMEE][SU-BEAMFORMER][RXLDPC][SHORT-GI-80][MAX-A-MPDU-LEN-EXP3][RX-ANTENNA-PATTERN][TX-ANTENNA-PATTERN][TX-STBC-2BY1][RX-STBC-1][MU-BEAMFORMER]";
+    vht_oper_chwidth = 1;
+    he_oper_chwidth = 1;
+    channel = 36;
+    vht_oper_centr_freq_seg0_idx = 42;
+    he_oper_centr_freq_seg0_idx = 42;
+    require_vht = 1;
+  };
+  mkWifiSta = params: interface: secrets: svc.hostapd.build {
+    inherit interface;
+      params = params // {
+        inherit (secrets) ssid wpa_passphrase;
+      };
+  };
+in rec {
+  imports = [
+    ../modules/wlan.nix
+    ../modules/network
+    ../modules/hostapd
+    ../modules/ssh
+    ../modules/ntp
+    ../modules/vlan
+    ../modules/bridge
+  ];
+
+  hostname = "zyxel";
+
+  users.root = {
+    # EDIT: choose a root password and then use
+    # "mkpasswd -m sha512crypt" to determine the hash.
+    # It should start wirh $6$.
+    passwd = "$y$j9T$f8GhLiqYmr3lc58eKhgyD0$z7P/7S9u.kq/cANZExxhS98bze/6i7aBxU6tbl7RMi.";
+    openssh.authorizedKeys.keys = [
+      # EDIT: you can add your ssh pubkey here
+      # "ssh-rsa AAAAB3NzaC1....H6hKd user@example.com";
+    ];
+  };
+
+  services.int = svc.bridge.primary.build {
+    ifname = "int";
+  };
+
+  services.bridge = svc.bridge.members.build {
+    primary = services.int;
+    members = with config.hardware.networkInterfaces; [
+      lan
+      wlan0
+      wlan1
+    ];
+  };
+
+  services.dhcpv4 =
+    let iface = services.int;
+    in svc.network.dhcp.client.build { interface = iface; };
+
+  services.defaultroute4 = svc.network.route.build {
+    via = "$(output ${services.dhcpv4} address)";
+    target = "default";
+    dependencies = [ services.dhcpv4 ];
+  };
+
+  services.packet_forwarding = svc.network.forward.build { };
+  services.sshd = svc.ssh.build {
+    allowRoot = true;
+  };
+
+  services.ntp = config.system.service.ntp.build {
+    pools = { "pool.ntp.org" = ["iburst"] ; };
+  };
+
+  boot.tftp = {
+    serverip = "192.0.2.10";
+    ipaddr = "192.0.2.12";
+  };
+
+  # wlan0 is the 2.4GHz interface.
+  services.hostap-1 = mkWifiSta baseParams config.hardware.networkInterfaces.wlan0 secrets-1;
+  # wlan1 is the 5GHz interface, e.g. AX capable.
+  services.hostap-2 = mkWifiSta (baseParams // modernParams) config.hardware.networkInterfaces.wlan1 secrets-2;
+
+  defaultProfile.packages = with pkgs; [ zyxel-bootconfig iw min-collect-garbage mtdutils ];
+}

examples/recovery.nix

@@ -3,8 +3,8 @@ let
   inherit (pkgs) serviceFns;
   svc = config.system.service;
   inherit (pkgs.pseudofile) dir symlink;
-  inherit (pkgs.liminix.services) oneshot longrun bundle target;
-  some-util-linux = pkgs.runCommand "some-util-linux" {} ''
+  inherit (pkgs.liminix.services) oneshot target;
+  some-util-linux = pkgs.runCommand "some-util-linux" { } ''
     mkdir -p $out/bin
     cd ${pkgs.util-linux-small}/bin
     cp fdisk sfdisk mkswap $out/bin
@@ -53,14 +53,13 @@ in rec {
   services.defaultroute4 = svc.network.route.build {
     via = "$(output ${services.dhcpc} router)";
     target = "default";
-    dependencies = [services.dhcpc];
+    dependencies = [ services.dhcpc ];
   };
 
   services.resolvconf = oneshot rec {
     dependencies = [ services.dhcpc ];
     name = "resolvconf";
     up = ''
-      . ${serviceFns}
       ( in_outputs ${name}
       for i in $(output ${services.dhcpc} dns); do
         echo "nameserver $i" > resolv.conf
@@ -72,7 +71,6 @@ in rec {
   services.growfs = let name = "growfs"; in oneshot {
     inherit name;
     up = ''
-      . ${serviceFns}
       device=$(grep /persist /proc/1/mountinfo | cut -f9 -d' ')
       ${pkgs.e2fsprogs}/bin/resize2fs $device
     '';

examples/rotuer-secrets.example.nix

@@ -8,12 +8,10 @@
   root = {
     #  mkpasswd -m sha512crypt
     passwd = "$6$6pt0mpbgcB7kC2RJ$kSBoCYGyi1.qxt7dqmexLj1l8E6oTZJZmfGyJSsMYMW.jlsETxdgQSdv6ptOYDM7DHAwf6vLG0pz3UD31XBfC1";
-    openssh.authorizedKeys.keys = [
-    ];
+    openssh.authorizedKeys.keys = [ ];
   };
 
   lan = {
     prefix = "10.8.0";
   };
-
 }

examples/rotuer.nix

@@ -1,100 +1,113 @@
-# This is not part of Liminix per se. This is my "scratchpad"
-# configuration for the device I'm testing with.
-#
-# Parts of it do do things that Liminix eventually needs to do, but
-# don't look in here for solutions - just for identifying the
-# problems.
+# This is an example that uses the "gateway" profile to create a
+# "typical home wireless router" configuration suitable for a Gl.inet
+# gl-ar750 router. It should be fairly simple to edit it for other
+# devices: mostly you will need to attend to the number of wlan and lan
+# interfaces
 
-
-{ config, pkgs, lib, ... } :
+{ config, pkgs, lib, modulesPath, ... } :
 let
   secrets = {
     domainName = "fake.liminix.org";
-    firewallRules = {};
+    firewallRules = { };
   } // (import ./rotuer-secrets.nix);
-  inherit (pkgs.liminix.services) oneshot longrun bundle;
-  inherit (pkgs) serviceFns;
   svc = config.system.service;
-  wirelessConfig =  {
+  wirelessConfig = {
     country_code = "GB";
     inherit (secrets) wpa_passphrase;
-    auth_algs = 1; # 1=wpa2, 2=wep, 3=both
-    wpa = 2;       # 1=wpa, 2=wpa2, 3=both
-    wpa_key_mgmt = "WPA-PSK";
-    wpa_pairwise = "TKIP CCMP";   # auth for wpa (may not need this?)
-    rsn_pairwise = "CCMP";        # auth for wpa2
     wmm_enabled = 1;
   };
-
+  inherit (pkgs.liminix.services) longrun;
 in rec {
   boot = {
     tftp = {
-      freeSpaceBytes = 3 * 1024 * 1024;
+      freeSpaceBytes = 2 * 1024 * 1024;
       serverip = "10.0.0.1";
       ipaddr = "10.0.0.8";
     };
   };
 
   imports = [
-    ../modules/wlan.nix
-    ../modules/network
-    ../modules/ppp
-    ../modules/dnsmasq
-    ../modules/dhcp6c
-    ../modules/firewall
-    ../modules/hostapd
-    ../modules/bridge
-    ../modules/ntp
-    ../modules/schnapps
-    ../modules/ssh
-    ../modules/outputs/btrfs.nix
-    ../modules/outputs/extlinux.nix
+    "${modulesPath}/profiles/gateway.nix"
+    "${modulesPath}/tls-certificate"
   ];
+
   hostname = "rotuer";
-  rootfsType = "btrfs";
-  rootOptions = "subvol=@";
-  boot.loader.extlinux.enable = true;
+#  rootfsType = "jffs2";
 
-  services.hostap = svc.hostapd.build {
-    interface = config.hardware.networkInterfaces.wlan;
-    params = {
-      ssid = secrets.ssid;
-      hw_mode="g";
-      channel = "2";
-      ieee80211n = 1;
-    } // wirelessConfig;
-  };
+  filesystem =
+    let inherit (pkgs.pseudofile) file dir symlink;
+    in dir {
+      mnt = dir {};
+      etc = dir {
+        hosts = {
+          type = "f";
+          file = "127.0.0.1 localhost\n10.0.0.1 loaclhost.telent.net\n";
+          mode = "0444";
+        };
+      };
+    };
 
-  services.hostap5 = svc.hostapd.build {
-    interface = config.hardware.networkInterfaces.wlan5;
-    params = rec {
-      ssid = "${secrets.ssid}5";
-      hw_mode="a";
-      channel = 36;
-      ht_capab = "[HT40+]";
-      vht_oper_chwidth = 1;
-      vht_oper_centr_freq_seg0_idx = channel + 6;
-      ieee80211n = 1;
-      ieee80211ac = 1;
-    } // wirelessConfig;
-  };
+  profile.gateway = {
+    lan = {
+      interfaces =  with config.hardware.networkInterfaces;
+        [
+          # EDIT: these are the interfaces exposed by the gl.inet gl-ar750:
+          # if your device has more or differently named lan interfaces,
+          # specify them here
+          wlan wlan5
+          lan
+        ];
+      inherit (secrets.lan) prefix;
+      address = {
+        family = "inet"; address ="${secrets.lan.prefix}.1"; prefixLength = 24;
+      };
+      dhcp = {
+        start = 10;
+        end = 240;
+        hosts = { } // lib.optionalAttrs (builtins.pathExists ./static-leases.nix) (import ./static-leases.nix);
+        localDomain = "lan";
+      };
+    };
+    wan = {
+      # wan interface depends on your upstream - could be dhcp, static
+      # ethernet, a pppoe, ppp over serial, a complicated bonded
+      # failover ... who knows what else?
+      interface = svc.pppoe.build {
+        interface = config.hardware.networkInterfaces.wan;
+        username = secrets.l2tp.name;
+        password = secrets.l2tp.password;
+      };
+      # once the wan has ipv4 connnectivity, should we run dhcp6
+      # client to potentially get an address range ("prefix
+      # delegation")
+      dhcp6.enable = true;
+    };
+    firewall = {
+      enable = true;
+      rules = secrets.firewallRules;
+    };
+    wireless.networks = {
+      # EDIT: if you have more or fewer wireless radios, here is where
+      # you need to say so.  hostapd tuning is hardware-specific and
+      # left as an exercise for the reader :-).
 
-  services.int = svc.network.address.build {
-    interface = svc.bridge.primary.build { ifname = "int"; };
-    family = "inet"; address ="${secrets.lan.prefix}.1"; prefixLength = 24;
-  };
-
-  services.bridge =  svc.bridge.members.build {
-    primary = services.int;
-    members = with config.hardware.networkInterfaces;
-      [ wlan
-        wlan5
-        lan0
-        lan1
-        lan2
-        lan3
-        lan4
-      ];
+      "${secrets.ssid}" = {
+        interface = config.hardware.networkInterfaces.wlan;
+        hw_mode = "g";
+        channel = "2";
+        ieee80211n = 1;
+      } // wirelessConfig;
+      "${secrets.ssid}5" = rec {
+        interface = config.hardware.networkInterfaces.wlan5;
+        hw_mode = "a";
+        channel = 36;
+        ht_capab = "[HT40+]";
+        vht_oper_chwidth = 1;
+        vht_oper_centr_freq_seg0_idx = channel + 6;
+        ieee80211n = 1;
+        ieee80211ac = 1;
+      } // wirelessConfig;
+    };
   };
 
   services.ntp = svc.ntp.build {
@@ -106,101 +119,14 @@ in rec {
 
   users.root = secrets.root;
 
-  services.dns =
-    let interface = services.int;
-    in svc.dnsmasq.build {
-      resolvconf = services.resolvconf;
-      inherit interface;
-      ranges = [
-        "${secrets.lan.prefix}.10,${secrets.lan.prefix}.240"
-        # ra-stateless: sends router advertisements with the O and A
-        # bits set, and provides a stateless DHCP service. The client
-        # will use a SLAAC address, and use DHCP for other
-        # configuration information.
-        "::,constructor:$(output ${interface} ifname),ra-stateless"
-      ];
-
-      # You can add static addresses for the DHCP server here.  I'm
-      # not putting my actual MAC addresses in a public git repo ...
-      hosts = { } // lib.optionalAttrs (builtins.pathExists ./static-leases.nix) (import ./static-leases.nix);
-      upstreams = [ "/${secrets.domainName}/" ];
-      domain = secrets.domainName;
-    };
-
-  services.wan = svc.pppoe.build {
-    interface = config.hardware.networkInterfaces.wan;
-    ppp-options = [
-      "debug" "+ipv6" "noauth"
-      "name" secrets.l2tp.name
-      "password" secrets.l2tp.password
-    ];
-  };
-
-  services.resolvconf = oneshot rec {
-    dependencies = [ services.wan ];
-    name = "resolvconf";
-    up = ''
-      . ${serviceFns}
-      ( in_outputs ${name}
-       echo "nameserver $(output ${services.wan} ns1)" > resolv.conf
-       echo "nameserver $(output ${services.wan} ns2)" >> resolv.conf
-       chmod 0444 resolv.conf
-      )
-    '';
-  };
-
-  filesystem =
-    let inherit (pkgs.pseudofile) dir symlink;
-    in dir {
-      etc = dir {
-        "resolv.conf" = symlink "${services.resolvconf}/.outputs/resolv.conf";
-      };
-    };
-
-  services.defaultroute4 = svc.network.route.build {
-    via = "$(output ${services.wan} address)";
-    target = "default";
-    dependencies = [ services.wan ];
-  };
-
-  services.defaultroute6 = svc.network.route.build {
-    via = "$(output ${services.wan} ipv6-peer-address)";
-    target = "default";
-    interface = services.wan;
-  };
-
-  services.firewall = svc.firewall.build {
-    ruleset =
-      let defaults = import ./demo-firewall.nix;
-      in lib.recursiveUpdate defaults secrets.firewallRules;
-  };
-
-  services.packet_forwarding = svc.network.forward.build { };
-
-  services.dhcp6c =
-    let client = svc.dhcp6c.client.build {
-          interface = services.wan;
-        };
-    in bundle {
-      name = "dhcp6c";
-      contents = [
-        (svc.dhcp6c.prefix.build {
-          inherit client;
-          interface = services.int;
-        })
-        (svc.dhcp6c.address.build {
-          inherit client;
-          interface = services.wan;
-        })
-      ];
-    };
-
   defaultProfile.packages = with pkgs; [
     min-collect-garbage
     nftables
-    strace
-    tcpdump
+    # strace
+    # tcpdump
     s6
+    dtc
+    # certifix-client
   ];
 
   programs.busybox = {
@@ -211,4 +137,47 @@ in rec {
       FEATURE_FANCY_TAIL = "y";
     };
   };
+
+  services.wan-address-for-secrets =
+    let
+      interface = config.hardware.networkInterfaces.wan;
+      addr =
+        svc.network.address.build {
+          inherit interface;
+          family = "inet"; address ="10.0.0.10"; prefixLength = 24;
+        };
+    in svc.network.route.build {
+      target = "10.0.0.1";
+      inherit interface;
+      via = "10.0.0.10";
+      metric = 1;
+      dependencies = [ addr ];
+    };
+
+  # services.client-cert = svc.tls-certificate.certifix-client.build {
+  #   caCertificate = builtins.readFile /var/lib/certifix/certs/ca.crt;
+  #   subject = "C=GB,ST=London,O=Telent,OU=devices,CN=${config.hostname}";
+  #   secret = builtins.readFile ../challengePassword;
+  #   serviceUrl = "https://loaclhost.telent.net:19613/sign";
+  #   dependencies = [ services.wan-address-for-secrets ];
+  # };
+
+  logging.pstore = true;
+  logging.shipping = {
+    enable = false;
+    service = longrun {
+      name = "ship-logs";
+      dependencies = [ config.services.client-cert ];
+      run =
+        let path = lib.makeBinPath (with pkgs; [ s6-networking s6 ]);
+        in ''
+          PATH=${path}:$PATH \
+          CAFILE=${/var/lib/certifix/certs/ca.crt} \
+          KEYFILE=$(output_path ${services.client-cert} key) \
+          CERTFILE=$(output_path ${services.client-cert} cert) \
+          s6-tlsclient -k loaclhost.telent.net -h -y loaclhost.telent.net 19612 \
+          fdmove -c 1 7 cat
+        '';
+    };
+  };
 }

examples/router-with-l2tp.nix

@@ -0,0 +1,211 @@
+# A demonstration config for a home/soho router with PPPoE upstream
+# and fallback to an L2TP tunnel over a USB WWAN device
+
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}: let
+  secrets = import ./extneder-secrets.nix;
+  rsecrets = import ./rotuer-secrets.nix;
+
+  # https://support.aa.net.uk/Category:Incoming_L2TP says:
+  # "Please use the DNS name (l2tp.aa.net.uk) instead of hardcoding an
+  # IP address; IP addresses can and do change. If you have to use an
+  # IP, use 194.4.172.12, but do check the DNS for l2tp.aa.net.uk in
+  # case it changes."
+
+  # but (1) we don't want to use the wwan stick's dns as our main
+  # resolver: it's provided by some mobile ISP and they aren't
+  # necessarily the best at providing unfettered services without
+  # deciding to do something weird; (2) it's not simple to arrange
+  # that xl2tpd gets a different resolver than every other process;
+  # (3) there's no way to specify an lns address to xl2tpd at runtime
+  # except by rewriting its config file. So what we will do is lookup
+  # the lns hostname using the mobile ISP's dns server and then refuse
+  # to start l2tp unless the expected lns address is one of the
+  # addresses returned. I think this satisfies "do check the DNS"
+
+  lns = { hostname = "l2tp.aaisp.net.uk"; address = "194.4.172.12"; };
+
+  inherit (pkgs.liminix.services) oneshot longrun target;
+  inherit (pkgs.liminix) outputRef;
+  inherit (pkgs.pseudofile) dir symlink;
+  inherit (pkgs) serviceFns;
+  svc = config.system.service;
+  wirelessConfig = {
+    country_code = "GB";
+    inherit (rsecrets) wpa_passphrase;
+    wmm_enabled = 1;
+  };
+in rec {
+  boot = {
+    tftp = {
+      serverip = "10.0.0.1";
+      ipaddr = "10.0.0.8";
+    };
+  };
+
+  imports = [
+    ../modules/wwan
+    ../modules/network
+    ../modules/ssh
+    ../modules/usb.nix
+    ../modules/ppp
+    ../modules/round-robin
+    ../modules/health-check
+    ../modules/secrets
+    ../modules/profiles/gateway.nix
+  ];
+  hostname = "thing";
+
+  services.wan-address-for-secrets = svc.network.address.build {
+    interface = config.hardware.networkInterfaces.wan;
+    family = "inet"; address ="10.0.0.10"; prefixLength = 24;
+  };
+
+  services.secrets = svc.secrets.outboard.build {
+    name = "secret-service";
+    url = "http://10.0.0.1/liminix/examples/real-secrets.json";
+    username = "demo";
+    password = "demo";
+    interval = 5;
+    dependencies = [ services.wan-address-for-secrets ];
+  };
+
+  services.wwan = svc.wwan.huawei-e3372.build {
+    apn = "data.uk";
+    username = "user";
+    password = "one2one";
+    authType = "chap";
+  };
+
+  profile.gateway = {
+    lan = {
+      interfaces =  with config.hardware.networkInterfaces;
+        [
+          # EDIT: these are the interfaces exposed by the gl.inet gl-ar750:
+          # if your device has more or differently named lan interfaces,
+          # specify them here
+          wlan wlan5
+          lan
+        ];
+      inherit (rsecrets.lan) prefix;
+      address = {
+        family = "inet"; address ="${rsecrets.lan.prefix}.1"; prefixLength = 24;
+      };
+      dhcp = {
+        start = 10;
+        end = 240;
+        hosts = { } // lib.optionalAttrs (builtins.pathExists ./static-leases.nix) (import ./static-leases.nix);
+        localDomain = "lan";
+      };
+    };
+    wan =
+      let
+        secret = outputRef config.services.secrets;
+        username = secret "ppp/username";
+        password = secret "ppp/password";
+      in {
+        interface =
+          let
+            pppoe = svc.pppoe.build {
+              interface = config.hardware.networkInterfaces.wan;
+              debug = true;
+              inherit username password;
+            };
+
+            l2tp =
+              let
+                check-address = oneshot rec {
+                  name = "check-lns-address";
+                  up = "grep -Fx ${lns.address} $(output_path ${services.lns-address} addresses)";
+                  dependencies = [ services.lns-address ];
+                };
+                route = svc.network.route.build {
+                  via = "$(output ${services.bootstrap-dhcpc} router)";
+                  target = lns.address;
+                  dependencies = [services.bootstrap-dhcpc check-address];
+                };
+                l2tpd= svc.l2tp.build {
+                  lns = lns.address;
+                  inherit username password;
+                  dependencies = [config.services.lns-address route check-address];
+                };
+              in
+                svc.health-check.build {
+                  service = l2tpd;
+                  threshold = 3;
+                  interval = 2;
+                  healthCheck = pkgs.writeAshScript "ping-check" {} "ping 1.1.1.1";
+                };
+          in svc.round-robin.build {
+            name = "wan";
+            services = [
+              pppoe
+              l2tp
+            ];
+          };
+        dhcp6.enable = true;
+      };
+
+    wireless.networks = {
+      "${rsecrets.ssid}" = {
+        interface = config.hardware.networkInterfaces.wlan;
+        hw_mode = "g";
+        channel = "6";
+        ieee80211n = 1;
+      } // wirelessConfig // {
+        wpa_passphrase = outputRef config.services.secrets "wpa_passphrase";
+      };
+
+      "${rsecrets.ssid}5" = rec {
+        interface = config.hardware.networkInterfaces.wlan5;
+        hw_mode = "a";
+        channel = 36;
+        ht_capab = "[HT40+]";
+        vht_oper_chwidth = 1;
+        vht_oper_centr_freq_seg0_idx = channel + 6;
+        ieee80211n = 1;
+        ieee80211ac = 1;
+      } // wirelessConfig // {
+        wpa_passphrase = outputRef config.services.secrets "wpa_passphrase";
+      };
+    };
+  };
+
+  services.bootstrap-dhcpc = svc.network.dhcp.client.build {
+    interface = config.services.wwan;
+    dependencies = [ config.services.hostname ];
+  };
+
+  services.sshd = svc.ssh.build {
+    authorizedKeys = outputRef config.services.secrets "ssh/authorizedKeys";
+  };
+
+  services.lns-address = let
+    ns = "$(output_word ${services.bootstrap-dhcpc} dns 1)";
+    route-to-bootstrap-nameserver = svc.network.route.build {
+      via = "$(output ${services.bootstrap-dhcpc} router)";
+      target = ns;
+      dependencies = [services.bootstrap-dhcpc];
+    };
+  in oneshot rec {
+    name = "resolve-l2tp-server";
+    dependencies = [ services.bootstrap-dhcpc route-to-bootstrap-nameserver ];
+    up = ''
+      (in_outputs ${name}
+       DNSCACHEIP="${ns}" ${pkgs.s6-dns}/bin/s6-dnsip4 ${lns.hostname} \
+        > addresses
+      )
+    '';
+  };
+
+  users.root = rsecrets.root;
+
+  programs.busybox.options = {
+    FEATURE_FANCY_TAIL = "y";
+  };
+
+}

examples/secrets.json

@@ -0,0 +1,19 @@
+{
+    "wpa_passphrase": "you bring light in",
+    "ssid": "liminix",
+    "l2tp": {
+	"name": "abcde@a.1",
+	"password": "NotMyIspPassword"
+    },
+    "root": {
+	"passwd": "$6$6pt0mpbgcB7kC2RJ$kSBoCYGyi1.qxt7dqmexLj1l8E6oTZJZmfGyJSsMYMW.jlsETxdgQSdv6ptOYDM7DHAwf6vLG0pz3UD31XBfC1",
+	"openssh": {
+	    "authorizedKeys": {
+		"keys": [ ]
+	    }
+	}
+    },
+    "lan": {
+	"prefix": "10.8.0"
+    }
+}

examples/turris.nix

@@ -1,6 +1,5 @@
-{ config, pkgs, lib, lim, ... } :
+{ config, pkgs, lim, ... } :
 let
-  inherit (pkgs) serviceFns;
   svc = config.system.service;
 
 in rec {

modules/all-modules.nix

@@ -9,28 +9,29 @@
    ./busybox.nix
    ./dhcp6c
    ./dnsmasq
-   ./outputs/ext4fs.nix
    ./firewall
    ./hardware.nix
    ./hostapd
    ./hostname.nix
-   ./outputs/initramfs.nix
-   ./outputs/jffs2.nix
    ./kernel
-   ./outputs/kexecboot.nix
+   ./mdevd.nix
    ./mount
    ./network
    ./ntp
    ./outputs.nix
-   ./outputs/vmroot.nix
-   ./outputs/ubimage.nix
+   ./outputs/ext4fs.nix
+   ./outputs/initramfs.nix
+   ./outputs/jffs2.nix
+   ./outputs/kexecboot.nix
    ./outputs/mtdimage.nix
+   ./outputs/tftpboot.nix
+   ./outputs/ubifs.nix
+   ./outputs/ubimage.nix
+   ./outputs/vmroot.nix
    ./ppp
    ./ramdisk.nix
    ./squashfs.nix
    ./ssh
-   ./outputs/tftpboot.nix
-   ./outputs/ubifs.nix
    ./users.nix
    ./vlan
    ./watchdog

modules/arch/aarch64.nix

@@ -1,4 +1,4 @@
-{ lib, lim, pkgs, config, ...}:
+{ lim, pkgs, config, ...}:
 {
   config = {
     kernel.config = {

modules/arch/arm.nix

@@ -1,4 +1,4 @@
-{ lib, lim, pkgs, config, ...}:
+{ lim, pkgs, config, ...}:
 {
   config = {
     kernel.config = {

modules/arch/mips.nix

@@ -1,4 +1,4 @@
-{ lib, pkgs, config, lim, ...}:
+{ config, lim, ...}:
 {
   config = {
     kernel.config = {

modules/arch/mipseb.nix

@@ -1,4 +1,4 @@
-{ lib, pkgs, config, ...}:
+{ pkgs, config, ...}:
 {
   imports = [ ./mips.nix ];
   config = {

modules/arch/mipsel.nix

@@ -1,4 +1,4 @@
-{ lib, pkgs, config, ...}:
+{ config, ...}: