Unverified Commit fe36c0e0 authored by 7c6f434c's avatar 7c6f434c Committed by GitHub

Squid: 6.13 -> 7.0.1 (#384972)

parents c8b53289 6654c9dc
+7 −0
@@ -4,6 +4,13 @@

<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->

- `services.rippled` has been removed, as `rippled` was broken and had not been updated since 2022.

- `services.rippleDataApi` has been removed, as `ripple-data-api` was broken and had not been updated since 2022.

- `squid` has been updated to version 7, this release includes multiple breaking changes, like ESI removal.
  For more information, [check the release notes](https://github.com/squid-cache/squid/releases/tag/SQUID_7_0_1).

- The [`no-broken-symlinks` hook](https://nixos.org/manual/nixpkgs/unstable/#no-broken-symlinks.sh) was added to catch builds containing dangling or reflexive symlinks, as these are indicative of problems with packaging.
  The hook can be disabled by providing `dontCheckForBrokenSymlinks = true;` as an argument to `mkDerivation`.
  For more information, [check the docs](https://nixos.org/manual/nixpkgs/unstable/#no-broken-symlinks.sh) or [see this PR](https://github.com/NixOS/nixpkgs/pull/370750).
+1 −1
@@ -67,7 +67,7 @@ let
    http_access deny to_localhost

    # Application logs to syslog, access and store logs have specific files
    cache_log       syslog
    cache_log       stdio:/var/log/squid/cache.log
    access_log      stdio:/var/log/squid/access.log
    cache_store_log stdio:/var/log/squid/store.log
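Review bot: The comment directly above the changed `cache_log` directive still reads "Application logs to syslog", which no longer matches the new value `stdio:/var/log/squid/cache.log`. I would update it to `# Application, access and store logs are all written to files under /var/log/squid`. Because cache.log can contain request details and error traces, it is worth confirming that the module creates /var/log/squid with access limited to the squid user and that the new file is covered by log rotation; neither is visible in this hunk. The enclosing `let` binding starts and ends outside the hunk.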

+29 −6
@@ -56,6 +56,24 @@ import ./make-test-python.nix (
          {
            virtualisation.vlans = [ 1 ];
            networking.firewall.enable = true;

            # NOTE: the client doesn't need a HTTP server, this is here to allow a validation of the proxy acl
            networking.firewall.allowedTCPPorts = [ 80 ];

            services.nginx = {
              enable = true;

              virtualHosts."server" = {
                root = "/etc";
                locations."/".index = "hostname";
                listen = [
                  {
                    addr = "0.0.0.0";
                    port = 80;
                  }
                ];
              };
            };
          }
        ];

@@ -68,6 +86,8 @@ import ./make-test-python.nix (
        lib.mkMerge [
          commonConfig
          {
            nixpkgs.config.permittedInsecurePackages = [ "squid-7.0.1" ];

            virtualisation.vlans = [
              1
              2
@@ -75,10 +95,6 @@ import ./make-test-python.nix (
            networking.firewall.enable = true;
            networking.firewall.allowedTCPPorts = [ config.services.squid.proxyPort ];

            nixpkgs.config.permittedInsecurePackages = [
              "squid-6.12"
            ];

            services.squid = {
              enable = true;

@@ -86,6 +102,7 @@ import ./make-test-python.nix (
                acl client src ${clientIp}
                acl server dst ${serverIp}
                http_access allow client server
                http_access deny all
              '';
            };
          }
@@ -157,9 +174,15 @@ import ./make-test-python.nix (

        with subtest("HTTP"):
            # the client cannot reach the server directly over HTTP
            client.fail('[[ `timeout 3 curl http://${serverIp}` ]]')
            client.fail('[[ `timeout 3 curl --fail-with-body http://${serverIp}` ]]')
            # ... but can with the proxy
            client.succeed('[[ `timeout 3 curl --proxy http://${proxyInternalIp}:3128 http://${serverIp}` == "server" ]]')
            client.succeed('[[ `timeout 3 curl --fail-with-body --proxy http://${proxyInternalIp}:3128 http://${serverIp}` == "server" ]]')
            # and cannot from the server (with a 4xx error code) and ...
            server.fail('[[ `timeout 3 curl --fail-with-body --proxy http://${proxyExternalIp}:3128 http://${clientIp}` == "client" ]]')
            # .. not the client hostname
            server.fail('[[ `timeout 3 curl --proxy http://${proxyExternalIp}:3128 http://${clientIp}` == "client" ]]')
            # with an explicit deny message (no --fail because we want to parse the returned message)
            server.succeed('[[ `timeout 3 curl --proxy http://${proxyExternalIp}:3128 http://${clientIp}` == *"ERR_ACCESS_DENIED"* ]]')
      '';
  }
)
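Review bot: The `--fail-with-body` flags added in the HTTP subtest do not change what is asserted, because every curl call runs inside a command substitution within `[[ … ]]`, so curl's exit status is discarded and only the body text is compared. The comment "with a 4xx error code" is therefore not verified, and that `server.fail` line checks the same thing as the one after it. To pin the deny status, assert on the code itself, e.g. `server.succeed('[[ $(timeout 3 curl -s -o /dev/null -w "%{http_code}" --proxy http://${proxyExternalIp}:3128 http://${clientIp}) == 403 ]]')`, assuming Squid answers a denied request with 403. The test script begins outside this hunk.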
+16 −4
@@ -14,20 +14,19 @@
  pkg-config,
  systemd,
  cppunit,
  esi ? false,
  ipv6 ? true,
  nixosTests,
}:

stdenv.mkDerivation (finalAttrs: {
  pname = "squid";
  version = "6.13";
  version = "7.0.1";

  src = fetchurl {
    url = "https://github.com/squid-cache/squid/releases/download/SQUID_${
      builtins.replaceStrings [ "." ] [ "_" ] finalAttrs.version
    }/squid-${finalAttrs.version}.tar.xz";
    hash = "sha256-Iy4FZ5RszAEVZTw8GPAeg/LZzEnEPZ3q2LMZrws1rVI=";
    hash = "sha256-Bw3Y5iGtItRdcAYF6xnSysG2zae3PwTzRXjTw/2N35s=";
  };

  nativeBuildInputs = [ pkg-config ];
@@ -62,7 +61,6 @@ stdenv.mkDerivation (finalAttrs: {
      "--enable-htcp"
    ]
    ++ (if ipv6 then [ "--enable-ipv6" ] else [ "--disable-ipv6" ])
    ++ lib.optional (!esi) "--disable-esi"
    ++ lib.optional (
      stdenv.hostPlatform.isLinux && !stdenv.hostPlatform.isMusl
    ) "--enable-linux-netfilter";
@@ -81,6 +79,20 @@ stdenv.mkDerivation (finalAttrs: {
        --replace "$(type -P true)" "$(realpath fake-true)" \
        --replace "/bin/true" "$(realpath fake-true)"
    done

    cd test-suite/
  '';

  installPhase = ''
    runHook preInstall
    mkdir -p $out/bin $out/libexec $out/etc $out/share
    cd ..
    cp src/squid $out/bin
    cp src/unlinkd $out/libexec
    cp src/mime.conf.default $out/etc/mime.conf
    cp -r icons $out/share
    cp -r errors $out/share
    runHook postInstall
  '';

  passthru.tests.squid = nixosTests.squid;
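Review bot: The new `installPhase` starts with `cd ..`, which only lands in the source root if the earlier phase that ends with `cd test-suite/` has run. That phase begins outside the hunk; if it is a check hook (it looks like `preCheck`), any build with checks disabled would leave the source root and `cp src/squid $out/bin` would fail. I would undo the directory change where it is made, e.g. `postCheck = "cd ..";`, and drop `cd ..` from `installPhase`. The hand-written copy list also replaces `make install`, so it is worth confirming that nothing the NixOS module relies on (helper binaries, default config) is silently dropped from the output.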