vinzenz/hyperhive
0
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

weston-vnc: build neatvnc without gnutls to disable RSA/DH auth types

Browse source
This commit is contained in:
iris 2026-05-20 17:46:40 +02:00
parent 76061eb3ae
commit a4706d793e
1 changed files with 25 additions and 14 deletions
Download patch file Download diff file Expand all files Collapse all files

39
nix/templates/weston-vnc.nix
View file

@ -57,6 +57,26 @@
}; };
config = lib.mkIf config.hyperhive.gui.enable { config = lib.mkIf config.hyperhive.gui.enable {
# Build weston linked against a neatvnc without auth/crypto support.
# neatvnc ≥ 0.9 compiled with gnutls/nettle always advertises RSA-AES
# and Apple-DH security types (types 129, 5, 30) regardless of the
# weston.ini auth-method setting, causing the in-browser RFB client to
# fail with "auth failed" (it has no RSA key to complete the handshake).
# Removing gnutls + nettle from neatvnc's buildInputs disables the auth
# module at compile time, so nvnc_has_auth() returns false and weston
# skips nvnc_enable_auth() — neatvnc then advertises only type 1 (None).
nixpkgs.overlays = [
(_final: prev: {
weston = prev.weston.override {
neatvnc = prev.neatvnc.overrideAttrs (old: {
buildInputs = builtins.filter
(p: (p.pname or p.name or "") != "gnutls")
old.buildInputs;
});
};
})
];
systemd.services.weston = { systemd.services.weston = {
description = "Weston Wayland compositor (VNC backend)"; description = "Weston Wayland compositor (VNC backend)";
after = [ "network.target" ]; after = [ "network.target" ];
@ -104,23 +124,14 @@
${pkgs.coreutils}/bin/printf '{"vnc_port":%d,"auth":"none"}\n' \ ${pkgs.coreutils}/bin/printf '{"vnc_port":%d,"auth":"none"}\n' \
"$VNC_PORT" > /etc/hyperhive/gui.json || true "$VNC_PORT" > /etc/hyperhive/gui.json || true
# Write a weston.ini that disables VNC authentication. # neatvnc is built without gnutls (see nixpkgs.overlays above),
# Without this, neatvnc offers VNC password auth (type 2) by default # so nvnc_has_auth() returns false and weston skips auth setup
# which causes the in-browser RFB client to fail with "auth failed". # entirely — neatvnc advertises only security type 1 (None).
# auth-method=none makes neatvnc offer security type 1 (None). # No weston.ini or --disable-transport-layer-security needed.
# --disable-transport-layer-security additionally disables the
# VeNCrypt TLS wrapper — VNC is loopback-only via the harness
# WebSocket relay so neither TLS nor a password is needed.
WESTON_INI=$(${pkgs.coreutils}/bin/mktemp /tmp/weston-XXXXXX.ini)
${pkgs.coreutils}/bin/printf '[core]\nbackend=vnc\n\n[vnc]\nauth-method=none\n' \
> "$WESTON_INI"
exec ${pkgs.weston}/bin/weston \ exec ${pkgs.weston}/bin/weston \
--config="$WESTON_INI" \
--backend=vnc-backend.so \ --backend=vnc-backend.so \
--renderer=pixman \ --renderer=pixman \
--port="$VNC_PORT" \ --port="$VNC_PORT"
--disable-transport-layer-security
''; '';
Restart = "on-failure"; Restart = "on-failure";
RestartSec = "5s"; RestartSec = "5s";