diff --git a/flake.lock b/flake.lock
index 7a91599..e109bf4 100644
--- a/flake.lock
+++ b/flake.lock
@@ -282,11 +282,11 @@ ] }, "locked": { - "lastModified": 1710972558, - "narHash": "sha256-fA72ql4T4/KgSNxZwZJ1EoEHXjmwt7I/OukHC8NVVF0=", + "lastModified": 1718217962, + "narHash": "sha256-bVKwJdVeo6wMN6xMOFx3Um3x7ebijyCG5iGCIXAtDXA=", "owner": "chayleaf", "repo": "nixos-router", - "rev": "061cf097417ed363b1e23d11daa7192e4b5f1994", + "rev": "f25509e55a06f1dfa089556b28b9402c13e18aa4", "type": "github" }, "original": {
diff --git a/flake.nix b/flake.nix
index 5e61604..4a079a3 100644
--- a/flake.nix
+++ b/flake.nix
@@ -81,7 +81,7 @@ if dev.${name} or false then (if input._type or null == "flake" then let inputs = input.inputs // { self = (import /${devPath}/${name}/flake.nix).outputs inputs; };
- in inputs.self
+ in { __toString = _: "/${devPath}/${name}"; } // inputs.self
 else /${devPath}/${name}) else input) base-inputs;
diff --git a/system/hardware/oneplus-enchilada/linux_6_9.patch b/system/hardware/oneplus-enchilada/linux_6_9.patch
index 64be243..6dc6d6c 100644
--- a/system/hardware/oneplus-enchilada/linux_6_9.patch
+++ b/system/hardware/oneplus-enchilada/linux_6_9.patch
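Review bot: The `__toString` shim on the rebuilt `self` only covers string coercion of the dev input; anything downstream that reads `input.outPath` or `sourceInfo` (attributes a real flake input carries and, presumably, `outputs inputs` does not) will still fail, so if that case exists, `{ __toString = _: "/${devPath}/${name}"; outPath = "/${devPath}/${name}"; } // inputs.self` covers both. Note also that `//` is right-biased: should the dev flake's outputs ever define `__toString` or `outPath`, they silently override the shim, which may be intended but deserves a comment such as `# give the dev checkout a path-like identity so "${input}" resolves to its directory`. The enclosing function starts before the hunk.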
@@ -4090,40 +4090,8 @@ index b84fdd17c3d..23beef9a62b 100644 }; static struct gdsc *disp_cc_sdm845_gdscs[] = { -diff --git a/drivers/gpu/drm/drm_bridge.c b/drivers/gpu/drm/drm_bridge.c -index 521a71c61b1..17ed94885dc 100644 ---- a/drivers/gpu/drm/drm_bridge.c -+++ b/drivers/gpu/drm/drm_bridge.c -@@ -687,11 +687,17 @@ void drm_atomic_bridge_chain_post_disable(struct drm_bridge *bridge, - */ - list_for_each_entry_from(next, &encoder->bridge_chain, - chain_node) { -- if (next->pre_enable_prev_first) { -+ if (!next->pre_enable_prev_first) { - next = list_prev_entry(next, chain_node); - limit = next; - break; - } -+ -+ if (list_is_last(&next->chain_node, -+ &encoder->bridge_chain)) { -+ limit = next; -+ break; -+ } - } - - /* Call these bridges in reverse order */ -@@ -774,7 +780,7 @@ void drm_atomic_bridge_chain_pre_enable(struct drm_bridge *bridge, - /* Found first bridge that does NOT - * request prev to be enabled first - */ -- limit = list_prev_entry(next, chain_node); -+ limit = next; - break; - } - } diff --git a/drivers/gpu/drm/drm_mipi_dsi.c b/drivers/gpu/drm/drm_mipi_dsi.c -index ef6e416522f..795001bb7ff 100644 +index 9874ff6d471..795001bb7ff 100644 --- a/drivers/gpu/drm/drm_mipi_dsi.c +++ b/drivers/gpu/drm/drm_mipi_dsi.c @@ -645,29 +645,56 @@ int mipi_dsi_set_maximum_return_packet_size(struct mipi_dsi_device *dsi, @@ -4143,7 +4111,7 @@ index ef6e416522f..795001bb7ff 100644 * * Return: 0 on success or a negative error code on failure. */ --ssize_t mipi_dsi_compression_mode(struct mipi_dsi_device *dsi, bool enable) +-int mipi_dsi_compression_mode(struct mipi_dsi_device *dsi, bool enable) +int mipi_dsi_compression_mode_ext(struct mipi_dsi_device *dsi, bool enable, + enum mipi_dsi_compression_algo algo, + unsigned int pps_selector) 
@@ -4190,17 +4158,6 @@ index ef6e416522f..795001bb7ff 100644 EXPORT_SYMBOL(mipi_dsi_compression_mode); /** -@@ -679,8 +706,8 @@ EXPORT_SYMBOL(mipi_dsi_compression_mode); - * - * Return: 0 on success or a negative error code on failure. - */ --ssize_t mipi_dsi_picture_parameter_set(struct mipi_dsi_device *dsi, -- const struct drm_dsc_picture_parameter_set *pps) -+int mipi_dsi_picture_parameter_set(struct mipi_dsi_device *dsi, -+ const struct drm_dsc_picture_parameter_set *pps) - { - struct mipi_dsi_msg msg = { - .channel = dsi->channel, diff --git a/drivers/gpu/drm/msm/adreno/a6xx_gpu.c b/drivers/gpu/drm/msm/adreno/a6xx_gpu.c index cf0b1de1c07..ff3ff6ab9dd 100644 --- a/drivers/gpu/drm/msm/adreno/a6xx_gpu.c @@ -47636,7 +47593,7 @@ index 10129095a4c..6d3016e008e 100644 static const struct of_device_id wled_match_table[] = { diff --git a/include/drm/drm_mipi_dsi.h b/include/drm/drm_mipi_dsi.h -index c0aec0d4d66..82b1cc434ea 100644 +index 3011d33eccb..82b1cc434ea 100644 --- a/include/drm/drm_mipi_dsi.h +++ b/include/drm/drm_mipi_dsi.h @@ -226,6 +226,12 @@ static inline int mipi_dsi_pixel_format_to_bpp(enum mipi_dsi_pixel_format fmt) 
@@ -47652,22 +47609,16 @@ index c0aec0d4d66..82b1cc434ea 100644 struct mipi_dsi_device * mipi_dsi_device_register_full(struct mipi_dsi_host *host, const struct mipi_dsi_device_info *info); -@@ -241,9 +247,12 @@ int mipi_dsi_shutdown_peripheral(struct mipi_dsi_device *dsi); - int mipi_dsi_turn_on_peripheral(struct mipi_dsi_device *dsi); +@@ -242,6 +248,9 @@ int mipi_dsi_turn_on_peripheral(struct mipi_dsi_device *dsi); int mipi_dsi_set_maximum_return_packet_size(struct mipi_dsi_device *dsi, u16 value); --ssize_t mipi_dsi_compression_mode(struct mipi_dsi_device *dsi, bool enable); --ssize_t mipi_dsi_picture_parameter_set(struct mipi_dsi_device *dsi, -- const struct drm_dsc_picture_parameter_set *pps); -+int mipi_dsi_compression_mode(struct mipi_dsi_device *dsi, bool enable); + int mipi_dsi_compression_mode(struct mipi_dsi_device *dsi, bool enable); +int mipi_dsi_compression_mode_ext(struct mipi_dsi_device *dsi, bool enable, + enum mipi_dsi_compression_algo algo, + unsigned int pps_selector); -+int mipi_dsi_picture_parameter_set(struct mipi_dsi_device *dsi, -+ const struct drm_dsc_picture_parameter_set *pps); + int mipi_dsi_picture_parameter_set(struct mipi_dsi_device *dsi, + const struct drm_dsc_picture_parameter_set *pps); - ssize_t mipi_dsi_generic_write(struct mipi_dsi_device *dsi, const void *payload, - size_t size); diff --git a/include/dt-bindings/clock/qcom,dispcc-sdm845.h b/include/dt-bindings/clock/qcom,dispcc-sdm845.h index 4016fd1d5b4..f3e088b450b 100644 --- a/include/dt-bindings/clock/qcom,dispcc-sdm845.h diff --git a/system/hosts/router/avahi-resolver-v2.py b/system/hosts/router/avahi-resolver-v2.py index 25dcdb2..edbbce6 100644 --- a/system/hosts/router/avahi-resolver-v2.py +++ b/system/hosts/router/avahi-resolver-v2.py 
@@ -595,6 +595,10 @@ def add_split_domain(domains: Domains, split_domain: list[str]):
 if not split_domain:
 return
 split_domain = split_domain[:]
+ if split_domain and split_domain[-1] == '*':
+ split_domain.pop()
+ if not split_domain:
+ return
 while len(split_domain) > 1:
 key = split_domain[-1]
 if key in domains.keys():
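Review bot: The `split_domain and` guard on the first added line is redundant: the function already returned on an empty list two lines earlier and the copy cannot be empty at that point, so `if split_domain[-1] == '*':` reads cleaner. A bare `*` (the list is empty after the pop) silently returns without registering anything; if a lone wildcard is meant to match everything that is a silent no-op, and if it is invalid, logging or raising would surface the misconfiguration instead of dropping it. The wildcard semantics are also undocumented — a comment stating what a trailing `*` label means (e.g. `# a trailing '*' label is a wildcard marker; strip it before walking the tree`) would help, with the exact meaning confirmed against whatever consumes the shortened list. The body of add_split_domain continues past the hunk.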
@@ -580,20 +580,21 @@ in {
 [(is.eq ip6.daddr "@block6") (log "block6 ") drop]
 [(is.eq ip.saddr "@block4") (log "block4/s ") drop]
 [(is.eq ip6.saddr "@block6") (log "block6/s ") drop]
+ # default to no vpn...
 [(mangle meta.mark wan_table)]
- # default to vpn...
+ # # default to vpn...
 # [(mangle meta.mark vpn_table)]
- # ...but unvpn traffic to/from force_unvpn4/force_unvpn6
- # [(is.eq ip.daddr "@force_unvpn4") (mangle meta.mark wan_table)]
- # [(is.eq ip6.daddr "@force_unvpn6") (mangle meta.mark wan_table)]
- # [(is.eq ip.saddr "@force_unvpn4") (mangle meta.mark wan_table)]
- # [(is.eq ip6.saddr "@force_unvpn6") (mangle meta.mark wan_table)]
 # ...force vpn to/from force_vpn4/force_vpn6
 # (disable this if it breaks some sites)
 [(is.eq ip.daddr "@force_vpn4") (mangle meta.mark vpn_table)]
 [(is.eq ip6.daddr "@force_vpn6") (mangle meta.mark vpn_table)]
 [(is.eq ip.saddr "@force_vpn4") (mangle meta.mark vpn_table)]
 [(is.eq ip6.saddr "@force_vpn6") (mangle meta.mark vpn_table)]
+ # ...but unvpn traffic to/from force_unvpn4/force_unvpn6
+ [(is.eq ip.daddr "@force_unvpn4") (mangle meta.mark wan_table)]
+ [(is.eq ip6.daddr "@force_unvpn6") (mangle meta.mark wan_table)]
+ [(is.eq ip.saddr "@force_unvpn4") (mangle meta.mark wan_table)]
+ [(is.eq ip6.saddr "@force_unvpn6") (mangle meta.mark wan_table)]
 # block requests to port 25 from hosts other than the server so they can't send mail pretending to originate from my domain
 # only do this for lans since traffic from other interfaces isn't forwarded to wan
 [(is.eq meta.iifname lanSet) (is.ne ether.saddr cfg.serverMac) (is.eq meta.l4proto (f: f.tcp)) (is.eq tcp.dport 25) (log "smtp ") drop]
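Review bot: The precedence between the two set pairs is now the opposite of the commented-out layout and is only implied by rule order: with the force_unvpn rules placed after the force_vpn rules, a flow whose source is in force_vpn4/6 but whose destination is in force_unvpn4/6 (or vice versa) ends up with wan_table and leaves the router outside the tunnel, whereas the old order (unvpn first, vpn last) would have tunneled it. If that is intended, state it next to the rules, e.g. `# order matters: force_unvpn wins over force_vpn when a flow matches both`; if hosts in force_vpn must never bypass the tunnel, keep the force_unvpn rules above the force_vpn ones instead. The enclosing rule list starts and ends outside the hunk.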
@@ -780,24 +781,23 @@ in {
 stopIfChanged = false;
 path = [ config.programs.ssh.package ];
 script = ''
- while true; do
- ${config.programs.ssh.package}/bin/ssh \
- -i /secrets/vpn/sshtunnel.key \
- -L ${netAddresses.netnsWan4}:${toString cfg.vpn.tunnel.localPort}:127.0.0.1:${toString cfg.vpn.tunnel.remotePort} \
- -p ${toString cfg.vpn.tunnel.port} \
- -N -T -v \
- sshtunnel@${cfg.vpn.tunnel.ip}
- echo "Restarting..."
- sleep 10
- done
+ ${config.programs.ssh.package}/bin/ssh \
+ -i /secrets/vpn/sshtunnel.key \
+ -L ${netAddresses.netnsWan4}:${toString cfg.vpn.tunnel.localPort}:127.0.0.1:${toString cfg.vpn.tunnel.remotePort} \
+ -p ${toString cfg.vpn.tunnel.port} \
+ -N -T -v \
+ ${cfg.vpn.tunnel.user}@${cfg.vpn.tunnel.ip}
 '';
 serviceConfig = {
 Restart = "always";
+ RestartSec = "10s";
 Type = "simple";
 NetworkNamespacePath = "/var/run/netns/wan";
 };
 };
-
+ systemd.services.openvpn-client = lib.mkIf cfg.vpn.openvpn.enable {
+ wantedBy = [ "nftables-netns-default.service" ];
+ };
 services.openvpn.servers = lib.mkIf cfg.vpn.openvpn.enable {
 client.config = cfg.vpn.openvpn.config;
 };
@@ -874,6 +874,8 @@ in { unbound-python = pkgs.python3.withPackages (ps: with ps; [ pydbus dnspython requests pytricia nftables ]); in "${unbound-python}/${unbound-python.sitePackages}";
+ # see https://github.com/NixOS/nixpkgs/pull/310514
+ environment.GI_TYPELIB_PATH = "${lib.getLib pkgs.glib}/lib/girepository-1.0";
 environment.MDNS_ACCEPT_NAMES = "^(.*\\.)?local\\.$"; # resolve retracker.local to whatever router.local resolves to # we can't add a local zone alongside using avahi resolver, so we have to use hacks like this
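Review bot: `${cfg.vpn.tunnel.user}@${cfg.vpn.tunnel.ip}` on the last added ssh line is interpolated unquoted into the script, and the new option is a plain `lib.types.str`, so a value containing whitespace or shell metacharacters would be word-split or interpreted by the shell; `${lib.escapeShellArg "${cfg.vpn.tunnel.user}@${cfg.vpn.tunnel.ip}"}` keeps it one argument. Nothing in the hunk pins the tunnel host's key: ssh runs with `-N -T` and no tty, so unless the key is supplied elsewhere (programs.ssh.knownHosts or a `-o UserKnownHostsFile=` pointing at a pinned entry) the unit fails host-key verification and respins every RestartSec. The added `systemd.services.openvpn-client.wantedBy = [ "nftables-netns-default.service" ]` only creates a Wants edge with no ordering; if the nftables unit needs the tun interface to exist first, add `before = [ "nftables-netns-default.service" ];` as well (I cannot tell from here which way the dependency runs). The surrounding service definition starts before the hunk.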
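Review bot: The `# see <PR>` comment on the added GI_TYPELIB_PATH line gives a link but not the reason, so a maintainer has to open the PR to learn why the variable is needed. A comment such as `# GLib's typelib is not on the default GI search path; pydbus needs it — see https://github.com/NixOS/nixpkgs/pull/310514` keeps the dependency readable locally (confirm that pydbus is the consumer; it is the only GI-based package among those listed). The enclosing let/attribute set starts before the hunk.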
@@ -884,8 +886,8 @@ in {
 environment.NFT_QUERIES = "vpn:force_vpn4,force_vpn6;unvpn!:force_unvpn4,force_unvpn6;iot:allow_iot4,allow_iot6";
 serviceConfig.EnvironmentFile = "/secrets/unbound_env";
 # it needs to run after nftables has been set up because it sets up the sets
- after = [ "nftables-default.service" "avahi-daemon.service" ];
- wants = [ "nftables-default.service" "avahi-daemon.service" ];
+ after = [ "nftables-netns-default.service" "avahi-daemon.service" ];
+ wants = [ "nftables-netns-default.service" "avahi-daemon.service" ];
 # allow it to call nft
 serviceConfig.AmbientCapabilities = [ "CAP_NET_ADMIN" ];
 serviceConfig.CapabilityBoundingSet = [ "CAP_NET_ADMIN" ];
diff --git a/system/hosts/router/options.nix b/system/hosts/router/options.nix
index 3e718ed..6fe1f89 100644
--- a/system/hosts/router/options.nix
+++ b/system/hosts/router/options.nix
@@ -25,6 +25,11 @@
 type = lib.types.port;
 default = 22;
 };
+ user = lib.mkOption {
+ description = "SSH user";
+ type = lib.types.str;
+ default = "sshtunnel";
+ };
 };
 openvpn.enable = lib.mkEnableOption "OpenVPN";
 openvpn.config = lib.mkOption {
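Review bot: `wants` on the second added line is a soft dependency: if nftables-netns-default.service fails or is stopped, the resolver service still starts (or keeps running) and, per the comment two lines above, its nft set updates then presumably target sets that do not exist. If the vpn/unvpn/iot sets are required for the resolver to behave correctly, `requires = [ "nftables-netns-default.service" ];` (or `bindsTo`) alongside the existing `after` makes that failure visible instead of silent; `wants` is fine for avahi-daemon. The enclosing unit definition starts before the hunk.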
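Review bot: The description `"SSH user"` on the added option says nothing about what the value is for or where it ends up; `description = "Login user for the SSH-based VPN tunnel (interpolated into the tunnel's ssh command line)";` tells a reader why a stray character matters. Since the value lands in a shell script, a stricter type than `lib.types.str`, e.g. `type = lib.types.strMatching "[a-z_][a-z0-9_-]*";`, rejects whitespace and metacharacters at evaluation time. The enclosing option set starts before the hunk.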