diff --git a/nix/templates/weston-vnc.nix b/nix/templates/weston-vnc.nix
index 8b0350b..d89a491 100644
--- a/nix/templates/weston-vnc.nix
+++ b/nix/templates/weston-vnc.nix
@@ -57,21 +57,28 @@
 };
 config = lib.mkIf config.hyperhive.gui.enable {
- # Build weston linked against a neatvnc without auth/crypto support.
- # neatvnc ≥ 0.9 compiled with gnutls/nettle always advertises RSA-AES
- # and Apple-DH security types (types 129, 5, 30) regardless of the
- # weston.ini auth-method setting, causing the in-browser RFB client to
- # fail with "auth failed" (it has no RSA key to complete the handshake).
- # Removing gnutls + nettle from neatvnc's buildInputs disables the auth
- # module at compile time, so nvnc_has_auth() returns false and weston
- # skips nvnc_enable_auth() — neatvnc then advertises only type 1 (None).
+ # Build weston linked against a neatvnc without TLS/auth support.
+ # neatvnc ≥ 0.9 compiled with gnutls always advertises RSA-AES-256
+ # (type 129), RSA-AES (type 5), and Apple-DH (type 30) security types
+ # regardless of the weston.ini auth-method setting — because
+ # nvnc_has_auth() returns true at the C level, causing weston to call
+ # nvnc_enable_auth() unconditionally. The in-browser RFB client has no
+ # RSA key and cannot complete these handshakes.
+ #
+ # The fix: pass `-Dtls=disabled` to neatvnc's meson build (the option
+ # name from neatvnc's meson_options.txt that guards gnutls + the entire
+ # auth module). With TLS disabled, nvnc_has_auth() returns false, weston
+ # skips nvnc_enable_auth(), and neatvnc advertises only type 1 (None).
+ # gnutls stays in buildInputs so pkg-config resolution doesn't error;
+ # the meson flag overrides the feature to "disabled" at configure time.
 nixpkgs.overlays = [
 (_final: prev: {
 weston = prev.weston.override {
 neatvnc = prev.neatvnc.overrideAttrs (old: {
- buildInputs = builtins.filter
- (p: (p.pname or p.name or "") != "gnutls")
- old.buildInputs;
+ mesonFlags = (old.mesonFlags or []) ++ [
+ "-Dtls=disabled"
+ "-Dnettle=disabled"
+ ];
 });
 };
 })