From fd433d2406e407a58d4432f56ee15aa31e38f686 Mon Sep 17 00:00:00 2001
From: iris
Date: Wed, 20 May 2026 19:11:17 +0200
Subject: [PATCH] weston-vnc: revert neatvnc overlay, use full TLS build with --disable-transport-layer-security

---
 nix/templates/weston-vnc.nix | 40 ++++++++----------------------
 1 file changed, 8 insertions(+), 32 deletions(-)

diff --git a/nix/templates/weston-vnc.nix b/nix/templates/weston-vnc.nix
index d89a491..e17b151 100644
--- a/nix/templates/weston-vnc.nix
+++ b/nix/templates/weston-vnc.nix
@@ -57,33 +57,6 @@
 };
 
 config = lib.mkIf config.hyperhive.gui.enable {
- # Build weston linked against a neatvnc without TLS/auth support.
- # neatvnc ≥ 0.9 compiled with gnutls always advertises RSA-AES-256
- # (type 129), RSA-AES (type 5), and Apple-DH (type 30) security types
- # regardless of the weston.ini auth-method setting — because
- # nvnc_has_auth() returns true at the C level, causing weston to call
- # nvnc_enable_auth() unconditionally. The in-browser RFB client has no
- # RSA key and cannot complete these handshakes.
- #
- # The fix: pass `-Dtls=disabled` to neatvnc's meson build (the option
- # name from neatvnc's meson_options.txt that guards gnutls + the entire
- # auth module). With TLS disabled, nvnc_has_auth() returns false, weston
- # skips nvnc_enable_auth(), and neatvnc advertises only type 1 (None).
- # gnutls stays in buildInputs so pkg-config resolution doesn't error;
- # the meson flag overrides the feature to "disabled" at configure time.
- nixpkgs.overlays = [
- (_final: prev: {
- weston = prev.weston.override {
- neatvnc = prev.neatvnc.overrideAttrs (old: {
- mesonFlags = (old.mesonFlags or []) ++ [
- "-Dtls=disabled"
- "-Dnettle=disabled"
- ];
- });
- };
- })
- ];
-
 systemd.services.weston = {
 description = "Weston Wayland compositor (VNC backend)";
 after = [ "network.target" ];
@@ -131,14 +104,17 @@
 ${pkgs.coreutils}/bin/printf '{"vnc_port":%d,"auth":"none"}\n' \
 "$VNC_PORT" > /etc/hyperhive/gui.json || true
 
- # neatvnc is built without gnutls (see nixpkgs.overlays above),
- # so nvnc_has_auth() returns false and weston skips auth setup
- # entirely — neatvnc advertises only security type 1 (None).
- # No weston.ini or --disable-transport-layer-security needed.
+ # neatvnc ≥ 0.9 advertises RSA-AES and Apple-DH security types
+ # when auth is compiled in. The browser client handles Apple-DH
+ # (type 30) with empty credentials (weston auth-method=none
+ # accepts any credentials). --disable-transport-layer-security
+ # prevents the VeNCrypt TLS wrapper over the VNC-over-WebSocket
+ # relay; plain auth types are used directly.
 exec ${pkgs.weston}/bin/weston \
 --backend=vnc-backend.so \
 --renderer=pixman \
- --port="$VNC_PORT"
+ --port="$VNC_PORT" \
+ --disable-transport-layer-security
 '';
 Restart = "on-failure";
 RestartSec = "5s";
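Review bot: The added `--disable-transport-layer-security` makes the VNC listener plain RFB, and the new comment states that weston accepts any credentials, yet nothing in the hunk pins the listener to the relay's interface, so confidentiality and access control now rest entirely on the bind address and the WebSocket relay; if the backend accepts it, add `--address=127.0.0.1 \` beside `--port`, and make the comment say that the relay, not VNC auth, is the access control. The comment also leans on `weston auth-method=none`, but the exec line passes no config file and the removed comment said no weston.ini was needed, so state where that setting is applied or drop the claim. Whether the browser client negotiates Apple-DH rather than RSA-AES depends on client-side type selection the hunk cannot show, so hedge that sentence or name the client code that does it. The shell script string holding this exec line opens before the hunk.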