weston-vnc: revert neatvnc overlay, use full TLS build with --disable-transport-layer-security

2026-05-20 19:11:17 +02:00 · 2026-05-20 19:11:17 +02:00 · fd433d2406
commit fd433d2406
parent 49caf6e539
1 changed files with 8 additions and 32 deletions
--- a/nix/templates/weston-vnc.nix
+++ b/nix/templates/weston-vnc.nix
@ -57,33 +57,6 @@
  };

  config = lib.mkIf config.hyperhive.gui.enable {
-    # Build weston linked against a neatvnc without TLS/auth support.
-    # neatvnc ≥ 0.9 compiled with gnutls always advertises RSA-AES-256
-    # (type 129), RSA-AES (type 5), and Apple-DH (type 30) security types
-    # regardless of the weston.ini auth-method setting — because
-    # nvnc_has_auth() returns true at the C level, causing weston to call
-    # nvnc_enable_auth() unconditionally. The in-browser RFB client has no
-    # RSA key and cannot complete these handshakes.
-    #
-    # The fix: pass `-Dtls=disabled` to neatvnc's meson build (the option
-    # name from neatvnc's meson_options.txt that guards gnutls + the entire
-    # auth module). With TLS disabled, nvnc_has_auth() returns false, weston
-    # skips nvnc_enable_auth(), and neatvnc advertises only type 1 (None).
-    # gnutls stays in buildInputs so pkg-config resolution doesn't error;
-    # the meson flag overrides the feature to "disabled" at configure time.
-    nixpkgs.overlays = [
-      (_final: prev: {
-        weston = prev.weston.override {
-          neatvnc = prev.neatvnc.overrideAttrs (old: {
-            mesonFlags = (old.mesonFlags or []) ++ [
-              "-Dtls=disabled"
-              "-Dnettle=disabled"
-            ];
-          });
-        };
-      })
-    ];
-
    systemd.services.weston = {
      description = "Weston Wayland compositor (VNC backend)";
      after = [ "network.target" ];
@ -131,14 +104,17 @@
          ${pkgs.coreutils}/bin/printf '{"vnc_port":%d,"auth":"none"}\n' \
            "$VNC_PORT" > /etc/hyperhive/gui.json || true

-          # neatvnc is built without gnutls (see nixpkgs.overlays above),
-          # so nvnc_has_auth() returns false and weston skips auth setup
-          # entirely — neatvnc advertises only security type 1 (None).
-          # No weston.ini or --disable-transport-layer-security needed.
+          # neatvnc ≥ 0.9 advertises RSA-AES and Apple-DH security types
+          # when auth is compiled in. The browser client handles Apple-DH
+          # (type 30) with empty credentials (weston auth-method=none
+          # accepts any credentials). --disable-transport-layer-security
+          # prevents the VeNCrypt TLS wrapper over the VNC-over-WebSocket
+          # relay; plain auth types are used directly.
          exec ${pkgs.weston}/bin/weston \
            --backend=vnc-backend.so \
            --renderer=pixman \
-            --port="$VNC_PORT"
+            --port="$VNC_PORT" \
+            --disable-transport-layer-security
        '';
        Restart = "on-failure";
        RestartSec = "5s";