From 20490c08538122b77142a9af7569b42371ffc3b8 Mon Sep 17 00:00:00 2001 From: Luke Granger-Brown Date: Sat, 28 Oct 2023 20:32:40 +0000 Subject: [PATCH 1/4] swann: enable TFTP and HTTP for phone booting --- ops/nixos/swann/default.nix | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/ops/nixos/swann/default.nix b/ops/nixos/swann/default.nix index 50cd81439c..fc208a03aa 100644 --- a/ops/nixos/swann/default.nix +++ b/ops/nixos/swann/default.nix @@ -551,6 +551,8 @@ in { allowedUDPPorts = [ 3478 10001 # Unifi 53 # DNS + 69 # TFTP + 80 # HTTP ]; }; interfaces.vl-eduroam = { @@ -853,6 +855,14 @@ in { ''; }; + services.atftpd = { + enable = true; + }; + services.nginx = { + enable = true; + virtualHosts."192.168.1.1".root = "/srv/tftp"; + }; + services.kea = { dhcp4.enable = true; dhcp4.settings = { @@ -879,6 +889,14 @@ in { hw-address = "9c:93:4e:ad:1f:7b"; ip-address = "192.168.1.51"; hostname = "printer-xerox"; + } { + hw-address = "e8:ed:f3:6a:b9:24"; + ip-address = "192.168.1.52"; + hostname = "phone-lukegb-desk"; + option-data = [{ + name = "tftp-server-name"; + data = "192.168.1.1"; + }]; } { hw-address = "bc:33:29:26:01:5c"; ip-address = "92.118.30.18"; From cb845df067af31014ef22eb16bdf1c9e1304c323 Mon Sep 17 00:00:00 2001 From: Luke Granger-Brown Date: Fri, 17 Nov 2023 10:58:06 +0000 Subject: [PATCH 2/4] freeswitch-sounds: init --- nix/pkgs/default.nix | 2 ++ nix/pkgs/freeswitch-sounds.nix | 38 ++++++++++++++++++++++++++++++++++ 2 files changed, 40 insertions(+) create mode 100644 nix/pkgs/freeswitch-sounds.nix diff --git a/nix/pkgs/default.nix b/nix/pkgs/default.nix index 8e07214d9c..1db86af820 100644 --- a/nix/pkgs/default.nix +++ b/nix/pkgs/default.nix @@ -81,4 +81,6 @@ callPackage ./archipelago { factorio-rcon-py = callPackage ./archipelago/factorio-rcon-py.nix { }; }; + + freeswitch-sounds = pkgs.callPackage ./freeswitch-sounds.nix { }; } // (import ./heptapod-runner args) 
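Review bot: `80 # HTTP` is added to `allowedUDPPorts`, but nginx serves plain HTTP over TCP, so the phone's HTTP fetch from 192.168.1.1 will still be dropped by the firewall; move it to the same interface's `allowedTCPPorts` (`allowedTCPPorts = [ 80 ];`) and keep only `69 # TFTP` in this list. The hunk context does not show which `interfaces.<name>` block this list belongs to; it should be the LAN-side interface only, since both atftpd and nginx bind every address by default. The enclosing interface block starts outside the hunk.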
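Review bot: `services.atftpd` and the nginx vhost both hand out `/srv/tftp` with no authentication to any host the firewall lets reach UDP 69 or port 80, so anything placed there (phone provisioning files typically carry SIP credentials and admin passwords) is readable network-wide. If provisioning configs go into that directory, keep secrets out of them or restrict the vhost (`extraConfig = "allow 192.168.1.0/24; deny all;";`) in addition to the per-interface firewall scope. `services.atftpd.root` is not set; I assume the NixOS default of `/srv/tftp` is intended because the nginx root points there, and a comment such as `# same tree as services.atftpd.root (default /srv/tftp)` on the vhost would make that coupling explicit.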
diff --git a/nix/pkgs/freeswitch-sounds.nix b/nix/pkgs/freeswitch-sounds.nix new file mode 100644 index 0000000000..b61f8b1e3c --- /dev/null +++ b/nix/pkgs/freeswitch-sounds.nix @@ -0,0 +1,38 @@ +{ stdenv +, fetchFromGitHub +, ... }: + +stdenv.mkDerivation rec { + pname = "freeswitch-sounds"; + version = "1.0.53"; + + src = fetchFromGitHub { + owner = "freeswitch"; + repo = "freeswitch-sounds"; + rev = "fbe44d17b3cb13fcc8dff190d232162e411ce2db"; + sha256 = "sha256:021qbdvbhc63va32xndqbdanjysijx2b5an3bzw4ya7b2icnfl0s"; + }; + + installPhase = '' + runHook preInstall + + mkdir $out + for voice in en/ca/june en/us/{allison,callie} es/ar/mario fr/ca/june pt/BR/karina ru/RU/{elena,kirill,vika} sv/se/jakob zh/{cn,hk}/sinmei; do + mkdir -p $out/$voice + for category in $voice/*; do + test -d $category || continue + + for f in $category/*/*; do + filename=$(basename $f) + rootname=$(dirname $(dirname $f)) + mkdir -p $out/$rootname + cp $f $out/$rootname/$filename + done + done + done + + cp -Rv music $out/music + + runHook postInstall + ''; +} From 0471d2209268bcb0bb685ca42cbc866e93543e26 Mon Sep 17 00:00:00 2001 From: Luke Granger-Brown Date: Fri, 17 Nov 2023 10:58:53 +0000 Subject: [PATCH 3/4] kerrigan: add device tree, uboot fw_printenv --- ops/nixos/kerrigan/default.nix | 63 ++++++++++++++++++++++++++++++++-- 1 file changed, 61 insertions(+), 2 deletions(-) diff --git a/ops/nixos/kerrigan/default.nix b/ops/nixos/kerrigan/default.nix index 811d069582..a2d8d9d94c 100644 --- a/ops/nixos/kerrigan/default.nix +++ b/ops/nixos/kerrigan/default.nix 
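Review bot: The derivation pins `rev` to a full commit with a content hash, which is the right supply-chain posture for fetched media, but it carries no `meta` (description, license) and does not set `dontBuild = true;`, so stdenv's default buildPhase still runs (harmless if the checkout has no Makefile, which I have not verified). The copy loop leaves `$f`, `$category` and `$rootname` unquoted; store paths contain no spaces so it works, but `cp "$f" "$out/$rootname/$filename"` costs nothing and matches the `runHook` discipline used elsewhere in the phase.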
@@ -13,8 +13,19 @@ let }; }) nmFiles); - boot-builder = pkgs.callPackage ./boot-builder.nix { }; - populate-boot-builder = pkgs.buildPackages.callPackage ./boot-builder.nix { }; + uboot-envtools = pkgs.ubootTools.override { + extraMakeFlags = [ "HOST_TOOLS_ALL=y" "CROSS_BUILD_TOOLS=1" "NO_SDL=1" "envtools" ]; + + outputs = [ "out" "man" ]; + + postInstall = '' + ln -s $out/bin/fw_printenv $out/bin/fw_setenv + installManPage doc/*.1 + ''; + filesToInstall = [ + "tools/env/fw_printenv" + ]; + }; in { fileSystems = { @@ -97,6 +108,7 @@ in environment.systemPackages = with pkgs; [ libqmi screen minicom conntrack-tools modemmanager android-tools + uboot-envtools ]; services.udev.packages = with pkgs; [ modemmanager @@ -119,4 +131,51 @@ in systemd.services."systemd-networkd-wait-online".wantedBy = lib.mkForce []; system.stateVersion = "23.05"; + + hardware.deviceTree = { + enable = true; + name = "marvell/armada-7040-mochabin.dtb"; + filter = "armada-7040-mochabin.dtb"; + overlays = [{ + name = "spi"; + filter = "armada-7040-mochabin.dtb"; + dtsText = '' + /dts-v1/; + /plugin/; + + / { + compatible = "globalscale,mochabin marvell,armada7040 marvell,armada-ap806-quad marvell,armada-ap806"; + }; + + &cp0_spi1 { + flash@0 { + status = "disabled"; + }; + flash-real@0 { + #address-cells = <1>; + #size-cells = <1>; + compatible = "jedec,spi-nor"; + reg = <0>; + spi-max-frequency = <20000000>; + + partitions { + compatible = "fixed-partitions"; + #address-cells = <1>; + #size-cells = <1>; + + partition@0 { + label = "firmware"; + reg = <0x0 0x3e0000>; + read-only; + }; + partition@3e0000 { + label = "u-boot-env"; + reg = <0x3e0000 0x20000>; + }; + }; + }; + }; + ''; + }]; + }; } From 6f11983d7584480cbc3abd72ceaf0fbe2637308e Mon Sep 17 00:00:00 2001 From: Luke Granger-Brown Date: Fri, 17 Nov 2023 10:59:16 +0000 Subject: [PATCH 4/4] swann: add wg-eta --- ops/nixos/swann/default.nix | 117 +++++++++++++++++++++++++++++++++++- 1 file changed, 115 insertions(+), 2 deletions(-) 
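Review bot: `fw_setenv` is symlinked next to `fw_printenv`, but neither tool does anything without `/etc/fw_env.config` naming the MTD device, offset and size of the `u-boot-env` partition this patch defines later, and nothing in this file writes it (e.g. `environment.etc."fw_env.config".text = "/dev/mtdN 0x0 0x20000 <erase-size>";` with the device index and erase size confirmed on the board). If that config lives elsewhere in the repo, a comment at the override pointing to it would help. Worth noting in the same comment that `fw_setenv` rewrites the U-Boot environment in SPI flash, so it is a root-only, brick-capable tool rather than a diagnostic one.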
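Review bot: The overlay disables the base `flash@0` node and adds `flash-real@0` on the same chip select without saying why the node is replaced rather than patched; presumably the upstream DTB's partition layout or compatible string differs, but that is a guess and a one-line comment above `flash@0 { status = "disabled"; }` would spare the next reader a diff against the upstream dts. `read-only;` on the `firmware` partition only stops Linux's mtd driver from writing to it and is not a hardware write-protect, while `u-boot-env` stays writable from root by design because `fw_setenv` needs it; a comment stating both would make the intended trust boundary explicit. The `hardware.deviceTree` block ends inside the hunk, but the enclosing module attribute set starts outside it.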
diff --git a/ops/nixos/swann/default.nix b/ops/nixos/swann/default.nix index fc208a03aa..63c16bcee9 100644 --- a/ops/nixos/swann/default.nix +++ b/ops/nixos/swann/default.nix @@ -140,7 +140,7 @@ in { { routeConfig = { - Destination = "${replaceV6Octet v6Linknet (n: n - 1)}/112"; + Destination = "${replaceV6Octet v6Linknet (n: 0)}/112"; Table = rtID; }; } @@ -195,6 +195,7 @@ in { bgp = 150; wg-ee = 152; wg-gnet = 153; + wg-eta = 160; ee = 201; gnet = 203; }; @@ -215,6 +216,13 @@ in { v4Linknet = "92.118.30.4"; v6Linknet = "2a09:a442::3:1"; }; + networks."50-wg-eta" = wireguardNetwork { + linkName = "wg-eta"; + relativePriority = 10; + rtID = routeTables.wg-eta; + v4Linknet = "169.254.2.1"; + v6Linknet = "fe80:1234::b"; + }; networks."40-lo" = { routingPolicyRules = let viaMain = priority: to: { @@ -352,6 +360,30 @@ in { endpoint = "92.118.28.252:51822"; fwmark = "0xcafe"; }; + "50-wg-eta" = { + netdevConfig = { + Name = "wg-eta"; + Kind = "wireguard"; + Description = "WireGuard tunnel wg-eta"; + }; + wireguardConfig = { + ListenPort = 51830; + PrivateKeyFile = config.my.vault.secrets.wg-eta-private.path; + RouteTable = "off"; + FirewallMark = hexToInt "0xcafe"; # over gnet + }; + wireguardPeers = [{ + wireguardPeerConfig = { + Endpoint = "shenfield-mythic.i.eta.st:51825"; + #PublicKey = config.my.vault.secrets.wg-eta-public.path; + PublicKey = "JDelaz8FQBtJBRVd9CMYikO/25gKipYgfyXtjL6jgS8="; + AllowedIPs = [ + "0.0.0.0/0" + "::/0" + ]; + }; + }]; + }; "20-br-internal" = { netdevConfig = { Name = "br-internal"; 
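Review bot: `AllowedIPs = [ "0.0.0.0/0" "::/0" ]` together with `RouteTable = "off"` means WireGuard's cryptokey routing accepts packets from the eta peer with any source address; the BGP import filter later in the patch limits which prefixes are routed towards eta, but nothing here limits what eta can inject inbound. If only 44.31.189.0/24 and 2a0d:1a40:7553::/48 are expected to arrive over the tunnel, narrow AllowedIPs to those prefixes plus the 169.254.2.0/31 and fe80 linknets, or add an explicit ingress rule on wg-eta and say so in a comment. The commented-out `PublicKey = config.my.vault.secrets.wg-eta-public.path` cannot work because networkd has no `PublicKeyFile=`; a peer public key is not secret so the literal value is fine, but the `wg-eta-public` vault secret added elsewhere in this patch is then left with no consumer.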
@@ -380,6 +412,24 @@ in { }; }; }; + my.vault.secrets = { + wg-eta-public = { + group = "systemd-network"; + template = '' + {{- with secret "kv/apps/wireguard/swann" -}} + {{- .Data.data.publicKeyFromEta -}} + {{- end -}} + ''; + }; + wg-eta-private = { + group = "systemd-network"; + template = '' + {{- with secret "kv/apps/wireguard/swann" -}} + {{- .Data.data.privateKeyToEta -}} + {{- end -}} + ''; + }; + }; services.mstpd.enable = true; my.ip.tailscale = "100.102.224.95"; my.ip.tailscale6 = "fd7a:115c:a1e0:ab12:4843:cd96:6266:e05f"; @@ -583,6 +633,11 @@ in { 3784 # BFD ]; }; + interfaces.wg-eta = { + allowedTCPPorts = [ + 179 # BGP + ]; + }; extraCommands = '' ip46tables -F FORWARD @@ -594,6 +649,7 @@ in { ip46tables -A FORWARD -i vl-eduroam -o wg-tuvok-ee -j ACCEPT ip46tables -A FORWARD -i vl-eduroam -o wg-tuvok-gnet -j ACCEPT + ip46tables -A FORWARD -i vl-eduroam -o wg-eta -j ACCEPT ip46tables -A FORWARD -i vl-eduroam -m state --state NEW,RELATED -j REJECT ''; }; @@ -730,6 +786,16 @@ in { # GNetwork preference = 200; }; + + route 92.118.30.0/24 unreachable { + bgp_ext_community.add((ro, 205479, 1000)); # export this + }; + route 92.118.30.16/28 via "br-internal"; + route 92.118.30.254/32 via "lo"; + route 92.118.30.253/32 via "lo"; + # route 92.118.30.0/31 via "wg-tuvok-vm"; + route 92.118.30.2/31 via "wg-tuvok-ee"; + route 92.118.30.4/31 via "wg-tuvok-gnet"; }; protocol static export6 { ipv6 {}; @@ -754,7 +820,9 @@ in { route 2a09:a443:1::/48 via "br-internal"; route 2a09:a443:2::/64 via "vl-eduroam"; route 2a09:a443:3::/48 via "vl-eduroam"; - route 2a09:a443::/32 unreachable; + route 2a09:a443::/32 unreachable { + bgp_ext_community.add((ro, 205479, 1000)); # export this + }; }; protocol bfd { 
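Review bot: The new rule lets vl-eduroam forward into wg-eta, but there is no rule for the reverse direction (`-i wg-eta`), so whether eta-originated packets reach br-internal or vl-eduroam depends on the FORWARD policy set outside this hunk, which I cannot see. Because the tunnel's AllowedIPs is fully open, state the intended policy here explicitly, for example `ip46tables -A FORWARD -i wg-eta -o br-internal -j REJECT` (or ACCEPT, if eta is trusted) plus a comment `# eta: eduroam may reach eta prefixes; inbound from eta is <policy>`, rather than relying on the chain default. The `extraCommands` string starts outside the hunk.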
@@ -771,6 +839,51 @@ in { neighbor 92.118.30.5; neighbor 2a09:a442::3:2; }; + + protocol bgp eta4 { + local 169.254.2.1 as 205479; + neighbor 169.254.2.0 as 213185; + interface "wg-eta"; + + ipv4 { + export filter { + if source != RTS_STATIC then reject; + if ! ((ro, 205479, 1000) ~ bgp_ext_community) then reject; + + bgp_ext_community.delete([(ro, 205479, *)]); + accept; + }; + import filter { + if ! (net ~ [ + 44.31.189.0/24 + ]) then reject; + accept; + }; + next hop self; + }; + }; + protocol bgp eta6 { + local fe80:1234::b as 205479; + neighbor fe80:1234::a as 213185; + interface "wg-eta"; + + ipv6 { + export filter { + if source != RTS_STATIC then reject; + if ! ((ro, 205479, 1000) ~ bgp_ext_community) then reject; + + bgp_ext_community.delete([(ro, 205479, *)]); + accept; + }; + import filter { + if ! (net ~ [ + 2a0d:1a40:7553::/48{48,64} + ]) then reject; + accept; + }; + next hop self; + }; + }; ''; };
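Review bot: Both `eta4` and `eta6` import filters whitelist prefixes but never check the AS path, so a route for 44.31.189.0/24 that eta itself learned from a third party would be accepted unchanged; adding `if bgp_path.first != 213185 then reject;` to each import filter (and `if bgp_path.len > 1 then reject;` if eta is expected to originate these prefixes) pins the origin. The `eta6` session addresses `fe80:1234::b`/`fe80:1234::a` put non-zero bits in the field RFC 4291 requires to be zero inside fe80::/64; Linux and BIRD classify the whole /10 as link-local so it probably works, but `fe80::b`/`fe80::a` would avoid surprises and is worth a comment if the odd form is deliberate. The two `protocol bgp` definitions end inside the hunk, but the enclosing `extraConfig` string starts outside it.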