router: fix
parent
c3db9da6d5
commit
fb7d64c5ea
|
@ -282,11 +282,11 @@
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1710972558,
|
"lastModified": 1718217962,
|
||||||
"narHash": "sha256-fA72ql4T4/KgSNxZwZJ1EoEHXjmwt7I/OukHC8NVVF0=",
|
"narHash": "sha256-bVKwJdVeo6wMN6xMOFx3Um3x7ebijyCG5iGCIXAtDXA=",
|
||||||
"owner": "chayleaf",
|
"owner": "chayleaf",
|
||||||
"repo": "nixos-router",
|
"repo": "nixos-router",
|
||||||
"rev": "061cf097417ed363b1e23d11daa7192e4b5f1994",
|
"rev": "f25509e55a06f1dfa089556b28b9402c13e18aa4",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
|
|
@ -81,7 +81,7 @@
|
||||||
if dev.${name} or false then
|
if dev.${name} or false then
|
||||||
(if input._type or null == "flake"
|
(if input._type or null == "flake"
|
||||||
then let inputs = input.inputs // { self = (import /${devPath}/${name}/flake.nix).outputs inputs; };
|
then let inputs = input.inputs // { self = (import /${devPath}/${name}/flake.nix).outputs inputs; };
|
||||||
in inputs.self
|
in { __toString = _: "/${devPath}/${name}"; } // inputs.self
|
||||||
else /${devPath}/${name})
|
else /${devPath}/${name})
|
||||||
else input)
|
else input)
|
||||||
base-inputs;
|
base-inputs;
|
||||||
|
|
|
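Review bot: On the new line `in { __toString = _: "/${devPath}/${name}"; } // inputs.self` the right operand of `//` wins, so if the dev flake's `outputs` already carry a `__toString` attribute the path override is silently dropped. If the intent is that the dev checkout path always wins, swap the operands: `in inputs.self // { __toString = _: "/${devPath}/${name}"; }`. Whether any dev flake actually defines `__toString` is not visible from this hunk, so this may be harmless in practice. The enclosing let/map expression starts and ends outside the hunk.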
@ -4090,40 +4090,8 @@ index b84fdd17c3d..23beef9a62b 100644
|
||||||
};
|
};
|
||||||
|
|
||||||
static struct gdsc *disp_cc_sdm845_gdscs[] = {
|
static struct gdsc *disp_cc_sdm845_gdscs[] = {
|
||||||
diff --git a/drivers/gpu/drm/drm_bridge.c b/drivers/gpu/drm/drm_bridge.c
|
|
||||||
index 521a71c61b1..17ed94885dc 100644
|
|
||||||
--- a/drivers/gpu/drm/drm_bridge.c
|
|
||||||
+++ b/drivers/gpu/drm/drm_bridge.c
|
|
||||||
@@ -687,11 +687,17 @@ void drm_atomic_bridge_chain_post_disable(struct drm_bridge *bridge,
|
|
||||||
*/
|
|
||||||
list_for_each_entry_from(next, &encoder->bridge_chain,
|
|
||||||
chain_node) {
|
|
||||||
- if (next->pre_enable_prev_first) {
|
|
||||||
+ if (!next->pre_enable_prev_first) {
|
|
||||||
next = list_prev_entry(next, chain_node);
|
|
||||||
limit = next;
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
+
|
|
||||||
+ if (list_is_last(&next->chain_node,
|
|
||||||
+ &encoder->bridge_chain)) {
|
|
||||||
+ limit = next;
|
|
||||||
+ break;
|
|
||||||
+ }
|
|
||||||
}
|
|
||||||
|
|
||||||
/* Call these bridges in reverse order */
|
|
||||||
@@ -774,7 +780,7 @@ void drm_atomic_bridge_chain_pre_enable(struct drm_bridge *bridge,
|
|
||||||
/* Found first bridge that does NOT
|
|
||||||
* request prev to be enabled first
|
|
||||||
*/
|
|
||||||
- limit = list_prev_entry(next, chain_node);
|
|
||||||
+ limit = next;
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
diff --git a/drivers/gpu/drm/drm_mipi_dsi.c b/drivers/gpu/drm/drm_mipi_dsi.c
|
diff --git a/drivers/gpu/drm/drm_mipi_dsi.c b/drivers/gpu/drm/drm_mipi_dsi.c
|
||||||
index ef6e416522f..795001bb7ff 100644
|
index 9874ff6d471..795001bb7ff 100644
|
||||||
--- a/drivers/gpu/drm/drm_mipi_dsi.c
|
--- a/drivers/gpu/drm/drm_mipi_dsi.c
|
||||||
+++ b/drivers/gpu/drm/drm_mipi_dsi.c
|
+++ b/drivers/gpu/drm/drm_mipi_dsi.c
|
||||||
@@ -645,29 +645,56 @@ int mipi_dsi_set_maximum_return_packet_size(struct mipi_dsi_device *dsi,
|
@@ -645,29 +645,56 @@ int mipi_dsi_set_maximum_return_packet_size(struct mipi_dsi_device *dsi,
|
||||||
|
@ -4143,7 +4111,7 @@ index ef6e416522f..795001bb7ff 100644
|
||||||
*
|
*
|
||||||
* Return: 0 on success or a negative error code on failure.
|
* Return: 0 on success or a negative error code on failure.
|
||||||
*/
|
*/
|
||||||
-ssize_t mipi_dsi_compression_mode(struct mipi_dsi_device *dsi, bool enable)
|
-int mipi_dsi_compression_mode(struct mipi_dsi_device *dsi, bool enable)
|
||||||
+int mipi_dsi_compression_mode_ext(struct mipi_dsi_device *dsi, bool enable,
|
+int mipi_dsi_compression_mode_ext(struct mipi_dsi_device *dsi, bool enable,
|
||||||
+ enum mipi_dsi_compression_algo algo,
|
+ enum mipi_dsi_compression_algo algo,
|
||||||
+ unsigned int pps_selector)
|
+ unsigned int pps_selector)
|
||||||
|
@ -4190,17 +4158,6 @@ index ef6e416522f..795001bb7ff 100644
|
||||||
EXPORT_SYMBOL(mipi_dsi_compression_mode);
|
EXPORT_SYMBOL(mipi_dsi_compression_mode);
|
||||||
|
|
||||||
/**
|
/**
|
||||||
@@ -679,8 +706,8 @@ EXPORT_SYMBOL(mipi_dsi_compression_mode);
|
|
||||||
*
|
|
||||||
* Return: 0 on success or a negative error code on failure.
|
|
||||||
*/
|
|
||||||
-ssize_t mipi_dsi_picture_parameter_set(struct mipi_dsi_device *dsi,
|
|
||||||
- const struct drm_dsc_picture_parameter_set *pps)
|
|
||||||
+int mipi_dsi_picture_parameter_set(struct mipi_dsi_device *dsi,
|
|
||||||
+ const struct drm_dsc_picture_parameter_set *pps)
|
|
||||||
{
|
|
||||||
struct mipi_dsi_msg msg = {
|
|
||||||
.channel = dsi->channel,
|
|
||||||
diff --git a/drivers/gpu/drm/msm/adreno/a6xx_gpu.c b/drivers/gpu/drm/msm/adreno/a6xx_gpu.c
|
diff --git a/drivers/gpu/drm/msm/adreno/a6xx_gpu.c b/drivers/gpu/drm/msm/adreno/a6xx_gpu.c
|
||||||
index cf0b1de1c07..ff3ff6ab9dd 100644
|
index cf0b1de1c07..ff3ff6ab9dd 100644
|
||||||
--- a/drivers/gpu/drm/msm/adreno/a6xx_gpu.c
|
--- a/drivers/gpu/drm/msm/adreno/a6xx_gpu.c
|
||||||
|
@ -47636,7 +47593,7 @@ index 10129095a4c..6d3016e008e 100644
|
||||||
|
|
||||||
static const struct of_device_id wled_match_table[] = {
|
static const struct of_device_id wled_match_table[] = {
|
||||||
diff --git a/include/drm/drm_mipi_dsi.h b/include/drm/drm_mipi_dsi.h
|
diff --git a/include/drm/drm_mipi_dsi.h b/include/drm/drm_mipi_dsi.h
|
||||||
index c0aec0d4d66..82b1cc434ea 100644
|
index 3011d33eccb..82b1cc434ea 100644
|
||||||
--- a/include/drm/drm_mipi_dsi.h
|
--- a/include/drm/drm_mipi_dsi.h
|
||||||
+++ b/include/drm/drm_mipi_dsi.h
|
+++ b/include/drm/drm_mipi_dsi.h
|
||||||
@@ -226,6 +226,12 @@ static inline int mipi_dsi_pixel_format_to_bpp(enum mipi_dsi_pixel_format fmt)
|
@@ -226,6 +226,12 @@ static inline int mipi_dsi_pixel_format_to_bpp(enum mipi_dsi_pixel_format fmt)
|
||||||
|
@ -47652,22 +47609,16 @@ index c0aec0d4d66..82b1cc434ea 100644
|
||||||
struct mipi_dsi_device *
|
struct mipi_dsi_device *
|
||||||
mipi_dsi_device_register_full(struct mipi_dsi_host *host,
|
mipi_dsi_device_register_full(struct mipi_dsi_host *host,
|
||||||
const struct mipi_dsi_device_info *info);
|
const struct mipi_dsi_device_info *info);
|
||||||
@@ -241,9 +247,12 @@ int mipi_dsi_shutdown_peripheral(struct mipi_dsi_device *dsi);
|
@@ -242,6 +248,9 @@ int mipi_dsi_turn_on_peripheral(struct mipi_dsi_device *dsi);
|
||||||
int mipi_dsi_turn_on_peripheral(struct mipi_dsi_device *dsi);
|
|
||||||
int mipi_dsi_set_maximum_return_packet_size(struct mipi_dsi_device *dsi,
|
int mipi_dsi_set_maximum_return_packet_size(struct mipi_dsi_device *dsi,
|
||||||
u16 value);
|
u16 value);
|
||||||
-ssize_t mipi_dsi_compression_mode(struct mipi_dsi_device *dsi, bool enable);
|
int mipi_dsi_compression_mode(struct mipi_dsi_device *dsi, bool enable);
|
||||||
-ssize_t mipi_dsi_picture_parameter_set(struct mipi_dsi_device *dsi,
|
|
||||||
- const struct drm_dsc_picture_parameter_set *pps);
|
|
||||||
+int mipi_dsi_compression_mode(struct mipi_dsi_device *dsi, bool enable);
|
|
||||||
+int mipi_dsi_compression_mode_ext(struct mipi_dsi_device *dsi, bool enable,
|
+int mipi_dsi_compression_mode_ext(struct mipi_dsi_device *dsi, bool enable,
|
||||||
+ enum mipi_dsi_compression_algo algo,
|
+ enum mipi_dsi_compression_algo algo,
|
||||||
+ unsigned int pps_selector);
|
+ unsigned int pps_selector);
|
||||||
+int mipi_dsi_picture_parameter_set(struct mipi_dsi_device *dsi,
|
int mipi_dsi_picture_parameter_set(struct mipi_dsi_device *dsi,
|
||||||
+ const struct drm_dsc_picture_parameter_set *pps);
|
const struct drm_dsc_picture_parameter_set *pps);
|
||||||
|
|
||||||
ssize_t mipi_dsi_generic_write(struct mipi_dsi_device *dsi, const void *payload,
|
|
||||||
size_t size);
|
|
||||||
diff --git a/include/dt-bindings/clock/qcom,dispcc-sdm845.h b/include/dt-bindings/clock/qcom,dispcc-sdm845.h
|
diff --git a/include/dt-bindings/clock/qcom,dispcc-sdm845.h b/include/dt-bindings/clock/qcom,dispcc-sdm845.h
|
||||||
index 4016fd1d5b4..f3e088b450b 100644
|
index 4016fd1d5b4..f3e088b450b 100644
|
||||||
--- a/include/dt-bindings/clock/qcom,dispcc-sdm845.h
|
--- a/include/dt-bindings/clock/qcom,dispcc-sdm845.h
|
||||||
|
|
|
@ -595,6 +595,10 @@ def add_split_domain(domains: Domains, split_domain: list[str]):
|
||||||
if not split_domain:
|
if not split_domain:
|
||||||
return
|
return
|
||||||
split_domain = split_domain[:]
|
split_domain = split_domain[:]
|
||||||
|
if split_domain and split_domain[-1] == '*':
|
||||||
|
split_domain.pop()
|
||||||
|
if not split_domain:
|
||||||
|
return
|
||||||
while len(split_domain) > 1:
|
while len(split_domain) > 1:
|
||||||
key = split_domain[-1]
|
key = split_domain[-1]
|
||||||
if key in domains.keys():
|
if key in domains.keys():
|
||||||
|
|
|
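Review bot: The new guard `if split_domain and split_domain[-1] == '*':` re-checks an emptiness condition that `if not split_domain: return` three lines earlier already rules out, so `if split_domain[-1] == '*':` is sufficient. The wildcard handling also deserves a comment, because popping the `'*'` label means a wildcard entry is registered as its parent domain: `# a trailing '*' label is a wildcard: register the parent domain instead`. I am inferring the label order from `split_domain[-1]` appearing to be used as the lookup key below; the rest of add_split_domain continues past the hunk.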
@ -580,20 +580,21 @@ in {
|
||||||
[(is.eq ip6.daddr "@block6") (log "block6 ") drop]
|
[(is.eq ip6.daddr "@block6") (log "block6 ") drop]
|
||||||
[(is.eq ip.saddr "@block4") (log "block4/s ") drop]
|
[(is.eq ip.saddr "@block4") (log "block4/s ") drop]
|
||||||
[(is.eq ip6.saddr "@block6") (log "block6/s ") drop]
|
[(is.eq ip6.saddr "@block6") (log "block6/s ") drop]
|
||||||
|
# default to no vpn...
|
||||||
[(mangle meta.mark wan_table)]
|
[(mangle meta.mark wan_table)]
|
||||||
# default to vpn...
|
# # default to vpn...
|
||||||
# [(mangle meta.mark vpn_table)]
|
# [(mangle meta.mark vpn_table)]
|
||||||
# ...but unvpn traffic to/from force_unvpn4/force_unvpn6
|
|
||||||
# [(is.eq ip.daddr "@force_unvpn4") (mangle meta.mark wan_table)]
|
|
||||||
# [(is.eq ip6.daddr "@force_unvpn6") (mangle meta.mark wan_table)]
|
|
||||||
# [(is.eq ip.saddr "@force_unvpn4") (mangle meta.mark wan_table)]
|
|
||||||
# [(is.eq ip6.saddr "@force_unvpn6") (mangle meta.mark wan_table)]
|
|
||||||
# ...force vpn to/from force_vpn4/force_vpn6
|
# ...force vpn to/from force_vpn4/force_vpn6
|
||||||
# (disable this if it breaks some sites)
|
# (disable this if it breaks some sites)
|
||||||
[(is.eq ip.daddr "@force_vpn4") (mangle meta.mark vpn_table)]
|
[(is.eq ip.daddr "@force_vpn4") (mangle meta.mark vpn_table)]
|
||||||
[(is.eq ip6.daddr "@force_vpn6") (mangle meta.mark vpn_table)]
|
[(is.eq ip6.daddr "@force_vpn6") (mangle meta.mark vpn_table)]
|
||||||
[(is.eq ip.saddr "@force_vpn4") (mangle meta.mark vpn_table)]
|
[(is.eq ip.saddr "@force_vpn4") (mangle meta.mark vpn_table)]
|
||||||
[(is.eq ip6.saddr "@force_vpn6") (mangle meta.mark vpn_table)]
|
[(is.eq ip6.saddr "@force_vpn6") (mangle meta.mark vpn_table)]
|
||||||
|
# ...but unvpn traffic to/from force_unvpn4/force_unvpn6
|
||||||
|
[(is.eq ip.daddr "@force_unvpn4") (mangle meta.mark wan_table)]
|
||||||
|
[(is.eq ip6.daddr "@force_unvpn6") (mangle meta.mark wan_table)]
|
||||||
|
[(is.eq ip.saddr "@force_unvpn4") (mangle meta.mark wan_table)]
|
||||||
|
[(is.eq ip6.saddr "@force_unvpn6") (mangle meta.mark wan_table)]
|
||||||
# block requests to port 25 from hosts other than the server so they can't send mail pretending to originate from my domain
|
# block requests to port 25 from hosts other than the server so they can't send mail pretending to originate from my domain
|
||||||
# only do this for lans since traffic from other interfaces isn't forwarded to wan
|
# only do this for lans since traffic from other interfaces isn't forwarded to wan
|
||||||
[(is.eq meta.iifname lanSet) (is.ne ether.saddr cfg.serverMac) (is.eq meta.l4proto (f: f.tcp)) (is.eq tcp.dport 25) (log "smtp ") drop]
|
[(is.eq meta.iifname lanSet) (is.ne ether.saddr cfg.serverMac) (is.eq meta.l4proto (f: f.tcp)) (is.eq tcp.dport 25) (log "smtp ") drop]
|
||||||
|
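Review bot: The precedence between the force_vpn and force_unvpn sets is now encoded only by rule order: the mark defaults to wan_table, is overwritten with vpn_table for force_vpn4/force_vpn6 matches, and then overwritten again with wan_table for force_unvpn4/force_unvpn6, so an address present in both sets ends up unvpn'd. Whichever direction is intended, it should be stated next to the moved rules so a later reordering does not invert it: `# force_unvpn rules come last on purpose: they win over force_vpn when an address is in both sets`. Whether an address can actually land in both sets depends on the resolver's NFT_QUERIES configuration, which I can't verify here; the surrounding rule list continues outside the hunk.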
@ -780,24 +781,23 @@ in {
|
||||||
stopIfChanged = false;
|
stopIfChanged = false;
|
||||||
path = [ config.programs.ssh.package ];
|
path = [ config.programs.ssh.package ];
|
||||||
script = ''
|
script = ''
|
||||||
while true; do
|
|
||||||
${config.programs.ssh.package}/bin/ssh \
|
${config.programs.ssh.package}/bin/ssh \
|
||||||
-i /secrets/vpn/sshtunnel.key \
|
-i /secrets/vpn/sshtunnel.key \
|
||||||
-L ${netAddresses.netnsWan4}:${toString cfg.vpn.tunnel.localPort}:127.0.0.1:${toString cfg.vpn.tunnel.remotePort} \
|
-L ${netAddresses.netnsWan4}:${toString cfg.vpn.tunnel.localPort}:127.0.0.1:${toString cfg.vpn.tunnel.remotePort} \
|
||||||
-p ${toString cfg.vpn.tunnel.port} \
|
-p ${toString cfg.vpn.tunnel.port} \
|
||||||
-N -T -v \
|
-N -T -v \
|
||||||
sshtunnel@${cfg.vpn.tunnel.ip}
|
${cfg.vpn.tunnel.user}@${cfg.vpn.tunnel.ip}
|
||||||
echo "Restarting..."
|
|
||||||
sleep 10
|
|
||||||
done
|
|
||||||
'';
|
'';
|
||||||
serviceConfig = {
|
serviceConfig = {
|
||||||
Restart = "always";
|
Restart = "always";
|
||||||
|
RestartSec = "10s";
|
||||||
Type = "simple";
|
Type = "simple";
|
||||||
NetworkNamespacePath = "/var/run/netns/wan";
|
NetworkNamespacePath = "/var/run/netns/wan";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
systemd.services.openvpn-client = lib.mkIf cfg.vpn.openvpn.enable {
|
||||||
|
wantedBy = [ "nftables-netns-default.service" ];
|
||||||
|
};
|
||||||
services.openvpn.servers = lib.mkIf cfg.vpn.openvpn.enable {
|
services.openvpn.servers = lib.mkIf cfg.vpn.openvpn.enable {
|
||||||
client.config = cfg.vpn.openvpn.config;
|
client.config = cfg.vpn.openvpn.config;
|
||||||
};
|
};
|
||||||
|
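Review bot: With the `while true; do … sleep 10; done` loop removed, re-establishing the tunnel now depends entirely on the ssh process exiting, but nothing visible makes it exit when the `-L` bind fails or when the connection silently goes dead, so `Restart = "always"` will not recover those cases; add `-o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3 \` to the ssh arguments so both conditions terminate the process. Host-key verification for `${cfg.vpn.tunnel.ip}` is not configured in this hunk either; presumably it relies on the system-wide known_hosts, which is worth confirming since the forwarded port carries the VPN connection. The unit definition starts before the hunk.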
@ -874,6 +874,8 @@ in {
|
||||||
unbound-python = pkgs.python3.withPackages (ps: with ps; [ pydbus dnspython requests pytricia nftables ]);
|
unbound-python = pkgs.python3.withPackages (ps: with ps; [ pydbus dnspython requests pytricia nftables ]);
|
||||||
in
|
in
|
||||||
"${unbound-python}/${unbound-python.sitePackages}";
|
"${unbound-python}/${unbound-python.sitePackages}";
|
||||||
|
# see https://github.com/NixOS/nixpkgs/pull/310514
|
||||||
|
environment.GI_TYPELIB_PATH = "${lib.getLib pkgs.glib}/lib/girepository-1.0";
|
||||||
environment.MDNS_ACCEPT_NAMES = "^(.*\\.)?local\\.$";
|
environment.MDNS_ACCEPT_NAMES = "^(.*\\.)?local\\.$";
|
||||||
# resolve retracker.local to whatever router.local resolves to
|
# resolve retracker.local to whatever router.local resolves to
|
||||||
# we can't add a local zone alongside using avahi resolver, so we have to use hacks like this
|
# we can't add a local zone alongside using avahi resolver, so we have to use hacks like this
|
||||||
|
@ -884,8 +886,8 @@ in {
|
||||||
environment.NFT_QUERIES = "vpn:force_vpn4,force_vpn6;unvpn!:force_unvpn4,force_unvpn6;iot:allow_iot4,allow_iot6";
|
environment.NFT_QUERIES = "vpn:force_vpn4,force_vpn6;unvpn!:force_unvpn4,force_unvpn6;iot:allow_iot4,allow_iot6";
|
||||||
serviceConfig.EnvironmentFile = "/secrets/unbound_env";
|
serviceConfig.EnvironmentFile = "/secrets/unbound_env";
|
||||||
# it needs to run after nftables has been set up because it sets up the sets
|
# it needs to run after nftables has been set up because it sets up the sets
|
||||||
after = [ "nftables-default.service" "avahi-daemon.service" ];
|
after = [ "nftables-netns-default.service" "avahi-daemon.service" ];
|
||||||
wants = [ "nftables-default.service" "avahi-daemon.service" ];
|
wants = [ "nftables-netns-default.service" "avahi-daemon.service" ];
|
||||||
# allow it to call nft
|
# allow it to call nft
|
||||||
serviceConfig.AmbientCapabilities = [ "CAP_NET_ADMIN" ];
|
serviceConfig.AmbientCapabilities = [ "CAP_NET_ADMIN" ];
|
||||||
serviceConfig.CapabilityBoundingSet = [ "CAP_NET_ADMIN" ];
|
serviceConfig.CapabilityBoundingSet = [ "CAP_NET_ADMIN" ];
|
||||||
|
|
|
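Review bot: The dependency on `nftables-netns-default.service` is expressed with `wants`, which is weaker than the comment `# it needs to run after nftables has been set up because it sets up the sets` implies: if the nftables unit fails, systemd still starts this service and its nft calls against the missing sets will fail. `requires = [ "nftables-netns-default.service" ];` (keeping `after`) keeps the service down until the ruleset is actually loaded. This predates the rename the commit makes and may be a deliberate best-effort choice; the unit definition continues outside the hunk.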
@ -25,6 +25,11 @@
|
||||||
type = lib.types.port;
|
type = lib.types.port;
|
||||||
default = 22;
|
default = 22;
|
||||||
};
|
};
|
||||||
|
user = lib.mkOption {
|
||||||
|
description = "SSH user";
|
||||||
|
type = lib.types.str;
|
||||||
|
default = "sshtunnel";
|
||||||
|
};
|
||||||
};
|
};
|
||||||
openvpn.enable = lib.mkEnableOption "OpenVPN";
|
openvpn.enable = lib.mkEnableOption "OpenVPN";
|
||||||
openvpn.config = lib.mkOption {
|
openvpn.config = lib.mkOption {
|
||||||
|
|