initial commit

without warranty of any kind, express or impliend

4 files changed, 141 insertions, 0 deletions

diff --git a/example/default.nix b/example/default.nix
new file mode 100644
index 0000000..bec7622
--- /dev/null
+++ b/example/default.nix
@@ -0,0 +1,7 @@
+{ pkgs ? import <nixpkgs> {}
+}:
+
+import ../. {
+  inherit pkgs;
+  configuration = ./example.nix;
+}
diff --git a/example/example.key b/example/example.key
new file mode 100644
index 0000000..b909ea7
--- /dev/null
+++ b/example/example.key
@@ -0,0 +1,7 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
+QyNTUxOQAAACBxkBCpST6VJEfjUBzm3dQlljOyLW5BS5PND8ivm/thDQAAAJj8yiBW/Mog
+VgAAAAtzc2gtZWQyNTUxOQAAACBxkBCpST6VJEfjUBzm3dQlljOyLW5BS5PND8ivm/thDQ
+AAAEBXKPGOexD2ynQZKK/w5WimXmtLHagt8JzotMGv1gKywHGQEKlJPpUkR+NQHObd1CWW
+M7ItbkFLk80PyK+b+2ENAAAAE2RoaXZhZWxAY2hjb3JkYWloa2gBAg==
+-----END OPENSSH PRIVATE KEY-----
diff --git a/example/example.nix b/example/example.nix
new file mode 100644
index 0000000..ce399ee
--- /dev/null
+++ b/example/example.nix
@@ -0,0 +1,106 @@
+# example config for a qemu image of openwrt that is accessible
+# via port 2222 on localhost. the root password is set to `a`
+# and a few utilities are installed, otherwise the configuration
+# is a subset of the default config.
+#
+# to use this example run a squashfs image of openwrt
+# (eg https://downloads.openwrt.org/releases/22.03.5/targets/x86/64/openwrt-22.03.5-x86-64-generic-squashfs-combined.img.gz)
+# with something like
+#
+#   qemu-system-x86_64 -M q35,accel=kvm \
+#     -drive file=openwrt-22.03.5-x86-64-generic-squashfs-combined.img,id=d0,if=none,bus=0,unit=0 \
+#     -device ide-hd,drive=d0,bus=ide.0 \
+#     -nic user,hostfwd=tcp::2222-:22,hostfwd=tcp::8080-:80
+#
+# and run `uci set network.lan.proto=dhcp; uci commit; reload_config`
+# from the serial console.
+#
+# age keys for sops are as follow:
+#
+# SOPS_AGE_KEY=AGE-SECRET-KEY-1292U9T04N6MJUK223038MD246X4G2K8GPDWHVHY09JVCLSRUS6TQ6988D9
+
+{
+  openwrt.example = {
+    deploy.host = "localhost";
+    deploy.sshConfig = {
+      Port = 2222;
+      NoHostAuthenticationForLocalhost = true;
+      IdentityFile = ./example.key;
+    };
+
+    packages = [ "losetup" "mount-utils" "coreutils-stat" "htop" ];
+    users.root.hashedPassword = "$6$n/dIMAV5QZyMp6UQ$fSvzsPZ8Vl1kzq9Mm3oQy81hxDkPqv04YPSlBOpqjMQKGu6xjcIuXrrfvf3Dcm8ea46oG8XtEPm6AViOFESF81";
+    etc."dropbear/authorized_keys".text = ''
+      ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHGQEKlJPpUkR+NQHObd1CWWM7ItbkFLk80PyK+b+2EN example@key
+    '';
+
+    uci.sopsSecrets = ./secrets.yaml;
+    # leave the ucitrack and firewall packages as they are, retaining defaults if
+    # freshly installed. the firewall rules are verbose and ucitrack is mostly not
+    # necessary, so we don't want to include either here. we also keep luci to not
+    # break the web interface, although configuration through the web ui is discouraged.
+    # rpcd is needed for luci.
+    uci.retain = [ "ucitrack" "firewall" "luci" "rpcd" ];
+    uci.settings = {
+      dropbear.dropbear = [{
+        PasswordAuth = "on";
+        RootPasswordAuth = "on";
+        Port = 22;
+      }];
+
+      network = {
+        device = [{
+          name = "br-lan";
+          ports = "eth0";
+          type = "bridge";
+        }];
+
+        globals = [{
+          ula_prefix = "fd10:155d:7ef5::/48";
+        }];
+
+        interface.lan = {
+          device = "br-lan";
+          proto = "dhcp";
+        };
+
+        interface.loopback = {
+          device = "lo";
+          ipaddr = "127.0.0.1";
+          netmask = "255.0.0.0";
+          proto = "static";
+        };
+      };
+
+      uhttpd.uhttpd.main = {
+        listen_http = [ "0.0.0.0:80" "[::]:80" ];
+        lua_prefix = [ "/cgi-bin/luci=/usr/lib/lua/luci/sgi/uhttpd.lua" ];
+        home = "/www";
+        cgi_prefix = "/cgi-bin";
+        ubus_prefix = "/ubus";
+      };
+
+      system = {
+        system = [{
+          hostname = "OpenWrt";
+          timezone = "UTC";
+          ttylogin = 0;
+          log_size = 64;
+          urandom_seed = 0;
+          notes._secret = "notes";
+        }];
+
+        timeserver.ntp = {
+          enabled = true;
+          enable_server = false;
+          server = [
+            "0.openwrt.pool.ntp.org"
+            "1.openwrt.pool.ntp.org"
+            "2.openwrt.pool.ntp.org"
+            "3.openwrt.pool.ntp.org"
+          ];
+        };
+      };
+    };
+  };
+}
diff --git a/example/secrets.yaml b/example/secrets.yaml
new file mode 100644
index 0000000..c39d0a8
--- /dev/null
+++ b/example/secrets.yaml
@@ -0,0 +1,21 @@
+notes: ENC[AES256_GCM,data:n0mIh8xH33lfehAl8hVtaT01Ge4dUOYI9r4=,iv:YtDWrrLWL0PHADc5mQi2XGjUh2XJLuESuv2Hz61JcmU=,tag:Y/1nhr3iBwFxUrNoeEIKow==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1megd5nhnhr03x5syey7ualp0sgk72j0gskjvc7jtj052pd28ndtsalql9m
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZVC82aTZJMGhBV0JTM3Rx
+            SkEreDYwTmFENWpkNThLK09DblNDS09HVVFvClQ2dkIrOUt6Zm5wSjZVbWdkeFdw
+            Sk9nRTFobTJ5LzZUYllIS3VmR1VMTE0KLS0tIExLZnAwaURkODN5VjE5TXNCNStT
+            dVdFSUdTTVIxa1ZCdEc4ZS9iYnJkZTQKFdpjkFFIXEV0/V6twZBwh5CszlvSQNVb
+            STPm1i2CMHanYSORzZMWfwahZII2D7hy8oRdM6TxULYvPqktgj8+Ew==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2023-09-22T18:51:22Z"
+    mac: ENC[AES256_GCM,data:SpQt2upVEbXNjguWcBcn907M0Y8autst7ptJZhE62m81AFv60ziZYdslRm7a5r2nqaG38PVTJSTvvfsi25zw/Gcfc0bTDl+PxU3Ew4Bt2Nq7M8HWOmhZZrCb4N1N0uePhjEIOsw0dY2BYc77BW+C2DDOIiF3vjGLLmfO2naWk98=,iv:uEY7MMzi+Ekfrmw5ygShypr7QFpNoh0/R987DhgmkvU=,tag:zdSH0CPmU1KolNHaIRRrWQ==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.7.3