Unverified Commit bdc8c440 authored by Martin Weinelt's avatar Martin Weinelt Committed by GitHub

[Backport release-25.11] quictls: remove; nginx/angie: remove quic flavors;...

[Backport release-25.11] quictls: remove; nginx/angie: remove quic flavors; haproxy: migrate to openssl (#465011)
parents bc9e64ef 7413e8e7
+2 −0
@@ -290,6 +290,8 @@
  - The `mime_types_file` setting is now set to `"${pkgs.mailcap}/etc/mime.types"` to prevent errors.
  For a complete list of changes, please see [their announcement](https://blog.prosody.im/prosody-13.0.0-released/).

- HTTP3 support has been enabled in in `nginx`, `openresty`, `angie` and `tengine`. The `nginxQuic` and `angieQuic` package flavors have been removed.

- The `yeahwm` package and `services.xserver.windowManager.yeahwm` module were removed due to the package being broken and unmaintained upstream.

- `services.nixseparatedebuginfod.enable = true;` has been replaced by `services.nixseparatedebuginfod2.enable = true`. If you only use the official binary cache `https://cache.nixos.org` then no further configuration should be needed. If you have other https substituters, you can add them to `services.nixseparatedebuginfod2.subsituters`. SSH substituters are not supported by nixseparatedebuginfod2. Consider running nixseparatedebuginfod2 on the substituter instead, and pointing to it with the new option `environment.debuginfodServers`.
+3 −28
@@ -205,9 +205,9 @@ let
            ${optionalString (cfg.sslDhparam != null) "ssl_dhparam ${cfg.sslDhparam};"}

            ${optionalString cfg.recommendedTlsSettings ''
              # Keep in sync with https://ssl-config.mozilla.org/#server=nginx&config=intermediate
              # Consider https://ssl-config.mozilla.org/#server=nginx&config=intermediate as the lower bound

              ssl_ecdh_curve X25519:prime256v1:secp384r1;
              ssl_conf_command Groups "X25519MLKEM768:X25519:P-256:P-384";
              ssl_session_timeout 1d;
              ssl_session_cache shared:SSL:10m;
              # Breaks forward secrecy: https://github.com/mozilla/server-side-tls/issues/135
@@ -573,10 +573,7 @@ let

  mkCertOwnershipAssertion = import ../../../security/acme/mk-cert-ownership-assertion.nix lib;

  oldHTTP2 = (
    versionOlder cfg.package.version "1.25.1"
    && !(cfg.package.pname == "angie" || cfg.package.pname == "angieQuic")
  );
  oldHTTP2 = (versionOlder cfg.package.version "1.25.1" && !(cfg.package.pname == "angie"));
in

{
@@ -778,7 +775,6 @@ in
          that the nginx team recommends to use the mainline version which
          available in nixpkgs as `nginxMainline`.
          Supported Nginx forks include `angie`, `openresty` and `tengine`.
          For HTTP/3 support use `nginxQuic` or `angieQuic`.
        '';
      };

@@ -1374,27 +1370,6 @@ in
          '';
        }

        {
          assertion =
            cfg.package.pname != "nginxQuic" && cfg.package.pname != "angieQuic" -> !(cfg.enableQuicBPF);
          message = ''
            services.nginx.enableQuicBPF requires using nginxQuic package,
            which can be achieved by setting `services.nginx.package = pkgs.nginxQuic;` or
            `services.nginx.package = pkgs.angieQuic;`.
          '';
        }

        {
          assertion =
            cfg.package.pname != "nginxQuic" && cfg.package.pname != "angieQuic"
            -> all (host: !host.quic) (attrValues virtualHosts);
          message = ''
            services.nginx.service.virtualHosts.<name>.quic requires using nginxQuic or angie packages,
            which can be achieved by setting `services.nginx.package = pkgs.nginxQuic;` or
            `services.nginx.package = pkgs.angieQuic;`.
          '';
        }

        {
          # The idea is to understand whether there is a virtual host with a listen configuration
          # that requires ACME configuration but has no HTTP listener which will make deterministically fail
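Review bot: The two assertions removed in the last hunk (`enableQuicBPF` and `virtualHosts.<name>.quic` each guarded by `cfg.package.pname != "nginxQuic" && cfg.package.pname != "angieQuic"`) are dropped without any replacement, so a `quic = true` virtual host or `enableQuicBPF = true` on a package that was not built with HTTP/3 is presumably only caught when nginx rejects the generated config at start-up, not at evaluation as before. The release-note hunk in this commit lists HTTP3 for nginx, openresty, angie and tengine, but `nginxShibboleth`, which the test package list in this commit still carries, is not mentioned, so it is unclear whether every selectable package now has QUIC; if any does not, a narrower assertion keyed on a package attribute that advertises QUIC support would keep the early failure. Since the `For HTTP/3 support use nginxQuic or angieQuic.` sentence was removed from the `package` description without replacement, the `enableQuicBPF` and `quic` option descriptions should at least state `Requires an nginx package built with HTTP/3 support, which the default nginx and angie packages now provide.`. The `assertions` list this hunk edits continues outside the hunk on both sides.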
+2 −3
@@ -90,7 +90,6 @@ builtins.listToAttrs (

          server.wait_for_unit("nginx")
          server.wait_for_open_port(443)
          client.wait_for_unit("network-online.target")

          # Check http connections
          client.succeed("curl --verbose --http3-only https://acme.test | grep 'Hello World!'")
@@ -114,7 +113,7 @@ builtins.listToAttrs (
      };
    })
    [
      pkgs.angieQuic
      pkgs.nginxQuic
      pkgs.angie
      pkgs.nginx
    ]
)
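Review bot: The HTTP/3 test matrix at the end of the section now lists only `pkgs.angie` and `pkgs.nginx`, while the release note in this commit says HTTP3 was also enabled in `openresty` and `tengine`; those flavors therefore gain QUIC with no test issuing `curl --verbose --http3-only`, and adding `pkgs.openresty` and `pkgs.tengine` to the list (if the test's module configuration applies to them) would cover that claim. Separately, dropping `client.wait_for_unit("network-online.target")` before the `client.succeed("curl ...")` call removes the only visible wait on the client side; if this is intentional because `server.wait_for_open_port(443)` is sufficient, a one-line comment such as `# server readiness is enough; the client has no service to wait for` would keep it from being re-added as a flakiness fix. The test script and the `builtins.listToAttrs` call continue outside these hunks.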
+0 −2
@@ -25,10 +25,8 @@ builtins.listToAttrs (
    })
    [
      "angie"
      "angieQuic"
      "nginxStable"
      "nginxMainline"
      "nginxQuic"
      "nginxShibboleth"
      "openresty"
      "tengine"
+1 −5
@@ -2,18 +2,16 @@
  useLua ? true,
  usePcre ? true,
  withPrometheusExporter ? true,
  sslLibrary ? "quictls",
  sslLibrary ? "openssl",
  stdenv,
  lib,
  fetchurl,
  fetchpatch,
  nixosTests,
  zlib,
  libxcrypt,
  aws-lc,
  libressl,
  openssl,
  quictls,
  wolfssl,
  lua5_4,
  pcre2,
@@ -23,7 +21,6 @@ assert lib.assertOneOf "sslLibrary" sslLibrary [
  "aws-lc"
  "libressl"
  "openssl"
  "quictls"
  "wolfssl"
];
let
@@ -32,7 +29,6 @@ let
      aws-lc
      libressl
      openssl
      quictls
      ;
    wolfssl = wolfssl.override {
      variant = "haproxy";
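Review bot: The new default `sslLibrary ? "openssl",` changes which TLS stack backs HAProxy's QUIC, and none of the hunks shown here include the configure flags or the openssl version that decide whether QUIC is still compiled in; as far as I recall HAProxy only supports QUIC on stock OpenSSL through the QUIC server API introduced in OpenSSL 3.5, otherwise the build silently loses the feature that `quictls` used to provide (the `aws-lc` option kept in the `assertOneOf` list is the other QUIC-capable choice). A comment on the new default line would make that dependency visible, e.g. `# QUIC support needs the OpenSSL QUIC API (OpenSSL >= 3.5, TODO confirm against HAProxy's INSTALL) or aws-lc; quictls is no longer packaged.`, and the nixos test referenced via `nixosTests` should cover an HTTP/3 request if it does not already. The argument set and the `let` block continue outside these hunks.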