weston-vnc: revert neatvnc overlay, use full TLS build with --disable-transport-layer-security
This commit is contained in:
parent
49caf6e539
commit
fd433d2406
1 changed files with 8 additions and 32 deletions
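--- a/<nix module path not shown on page>
+++ b/<nix module path not shown on page>
@@ -57,33 +57,6 @@
 };
 
 config = lib.mkIf config.hyperhive.gui.enable {
-# Build weston linked against a neatvnc without TLS/auth support.
-# neatvnc ≥ 0.9 compiled with gnutls always advertises RSA-AES-256
-# (type 129), RSA-AES (type 5), and Apple-DH (type 30) security types
-# regardless of the weston.ini auth-method setting — because
-# nvnc_has_auth() returns true at the C level, causing weston to call
-# nvnc_enable_auth() unconditionally. The in-browser RFB client has no
-# RSA key and cannot complete these handshakes.
-#
-# The fix: pass `-Dtls=disabled` to neatvnc's meson build (the option
-# name from neatvnc's meson_options.txt that guards gnutls + the entire
-# auth module). With TLS disabled, nvnc_has_auth() returns false, weston
-# skips nvnc_enable_auth(), and neatvnc advertises only type 1 (None).
-# gnutls stays in buildInputs so pkg-config resolution doesn't error;
-# the meson flag overrides the feature to "disabled" at configure time.
-nixpkgs.overlays = [
-(_final: prev: {
-weston = prev.weston.override {
-neatvnc = prev.neatvnc.overrideAttrs (old: {
-mesonFlags = (old.mesonFlags or []) ++ [
-"-Dtls=disabled"
-"-Dnettle=disabled"
-];
-});
-};
-})
-];
-
 systemd.services.weston = {
 description = "Weston Wayland compositor (VNC backend)";
 after = [ "network.target" ];
@@ -131,14 +104,17 @@
 ${pkgs.coreutils}/bin/printf '{"vnc_port":%d,"auth":"none"}\n' \
 "$VNC_PORT" > /etc/hyperhive/gui.json || true
 
-# neatvnc is built without gnutls (see nixpkgs.overlays above),
-# so nvnc_has_auth() returns false and weston skips auth setup
-# entirely — neatvnc advertises only security type 1 (None).
-# No weston.ini or --disable-transport-layer-security needed.
+# neatvnc ≥ 0.9 advertises RSA-AES and Apple-DH security types
+# when auth is compiled in. The browser client handles Apple-DH
+# (type 30) with empty credentials (weston auth-method=none
+# accepts any credentials). --disable-transport-layer-security
+# prevents the VeNCrypt TLS wrapper over the VNC-over-WebSocket
+# relay; plain auth types are used directly.
 exec ${pkgs.weston}/bin/weston \
 --backend=vnc-backend.so \
 --renderer=pixman \
---port="$VNC_PORT"
+--port="$VNC_PORT" \
+--disable-transport-layer-security
 '';
 Restart = "on-failure";
 RestartSec = "5s";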
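Review bot: With `--disable-transport-layer-security` added to the exec line and the new comment stating that `auth-method=none accepts any credentials`, the listener on `$VNC_PORT` now offers neither confidentiality nor an effective credential check, and nothing in this hunk restricts which interface it binds to or who can reach the port. The comment implies that only the VNC-over-WebSocket relay is expected to connect; that assumption should be stated next to the exec line and enforced by whatever the host offers (a loopback-only bind if this weston version's vnc backend supports one, otherwise firewall scoping of `$VNC_PORT`), since `/etc/hyperhive/gui.json` now advertises `"auth":"none"` to every reader. I would add `# Plain RFB: unencrypted and effectively unauthenticated; must be reachable only through the WebSocket relay / local interface.` directly above `exec ${pkgs.weston}/bin/weston \`. It is also worth noting in that comment that `"auth":"none"` in gui.json describes the credential policy, not the security type actually negotiated (the comment says Apple-DH, type 30), so a consumer expecting type 1 is not misled. The shell script and the systemd unit both start outside the hunk.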