ghostfox/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

push sheeet
Some checks failed
Periodic Merges (6h) / master → staging-nixos (push) Failing after 12m50s
Details
Periodic Merges (6h) / master → staging-next (push) Failing after 12m54s
Details
Periodic Merges (24h) / merge-base(master,staging) → haskell-updates (push) Failing after 11m54s
Details
Periodic Merges (6h) / staging-next → staging (push) Failing after 12m13s
Details
Periodic Merges (24h) / staging-next-25.05 → staging-25.05 (push) Failing after 13m24s
Details
Periodic Merges (24h) / release-25.05 → staging-next-25.05 (push) Failing after 14m28s
Details

Browse Source
This commit is contained in:
Dark Steveneq
2025-10-09 14:15:47 +02:00
commit 646b892680
49168 changed files with 5897842 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

326
pkgs/servers/http/nginx/generic.nix Normal file
View File

@@ -0,0 +1,326 @@
outer@{
lib,
stdenv,
fetchurl,
fetchpatch,
openssl,
zlib-ng,
pcre2,
libxml2,
libxslt,
nginx-doc,
nixosTests,
installShellFiles,
replaceVars,
removeReferencesTo,
gd,
geoip,
perl,
withDebug ? false,
withGeoIP ? false,
withImageFilter ? false,
withKTLS ? true,
withStream ? true,
withMail ? false,
withPerl ? true,
withSlice ? false,
modules ? [ ],
...
}:
{
pname ? "nginx",
version,
nginxVersion ? version,
src ? null, # defaults to upstream nginx ${version}
hash ? null, # when not specifying src
configureFlags ? [ ],
nativeBuildInputs ? [ ],
buildInputs ? [ ],
extraPatches ? [ ],
fixPatch ? p: p,
postPatch ? null,
preConfigure ? "",
preInstall ? "",
postInstall ? "",
meta ? null,
nginx-doc ? outer.nginx-doc,
passthru ? {
tests = { };
},
}:
let
moduleNames = map (
mod:
mod.name
or (throw "The nginx module with source ${toString mod.src} does not have a `name` attribute. This prevents duplicate module detection and is no longer supported.")
) modules;
mapModules =
attrPath:
lib.flip lib.concatMap modules (
mod:
let
supports = mod.supports or (_: true);
in
if supports nginxVersion then
mod.${attrPath} or [ ]
else
throw "Module at ${toString mod.src} does not support nginx version ${nginxVersion}!"
);
in
assert lib.assertMsg (lib.unique moduleNames == moduleNames)
"nginx: duplicate modules: ${lib.concatStringsSep ", " moduleNames}. A common cause for this is that services.nginx.additionalModules adds a module which the nixos module itself already adds.";
stdenv.mkDerivation {
inherit pname version nginxVersion;
outputs = [
"out"
"doc"
];
src =
if src != null then
src
else
fetchurl {
url = "https://nginx.org/download/nginx-${version}.tar.gz";
inherit hash;
};
nativeBuildInputs = [
installShellFiles
removeReferencesTo
]
++ nativeBuildInputs;
buildInputs = [
openssl
zlib-ng
pcre2
libxml2
libxslt
perl
]
++ buildInputs
++ mapModules "inputs"
++ lib.optional withGeoIP geoip
++ lib.optional withImageFilter gd;
configureFlags = [
"--sbin-path=bin/nginx"
"--with-http_ssl_module"
"--with-http_v2_module"
"--with-http_realip_module"
"--with-http_addition_module"
"--with-http_xslt_module"
"--with-http_sub_module"
"--with-http_dav_module"
"--with-http_flv_module"
"--with-http_mp4_module"
"--with-http_gunzip_module"
"--with-http_gzip_static_module"
"--with-http_auth_request_module"
"--with-http_random_index_module"
"--with-http_secure_link_module"
"--with-http_degradation_module"
"--with-http_stub_status_module"
"--with-threads"
"--with-pcre-jit"
"--http-log-path=/var/log/nginx/access.log"
"--error-log-path=/var/log/nginx/error.log"
"--pid-path=/var/log/nginx/nginx.pid"
"--http-client-body-temp-path=/tmp/nginx_client_body"
"--http-proxy-temp-path=/tmp/nginx_proxy"
"--http-fastcgi-temp-path=/tmp/nginx_fastcgi"
"--http-uwsgi-temp-path=/tmp/nginx_uwsgi"
"--http-scgi-temp-path=/tmp/nginx_scgi"
]
++ lib.optionals withDebug [
"--with-debug"
]
++ lib.optionals withKTLS [
"--with-openssl-opt=enable-ktls"
]
++ lib.optionals withStream [
"--with-stream"
"--with-stream_realip_module"
"--with-stream_ssl_module"
"--with-stream_ssl_preread_module"
]
++ lib.optionals withMail [
"--with-mail"
"--with-mail_ssl_module"
]
++ lib.optionals withPerl [
"--with-http_perl_module"
"--with-perl=${perl}/bin/perl"
"--with-perl_modules_path=lib/perl5"
]
++ lib.optional withImageFilter "--with-http_image_filter_module"
++ lib.optional withSlice "--with-http_slice_module"
++ lib.optionals withGeoIP (
[ "--with-http_geoip_module" ] ++ lib.optional withStream "--with-stream_geoip_module"
)
++ lib.optional (with stdenv.hostPlatform; isLinux || isFreeBSD) "--with-file-aio"
++ lib.optional (
stdenv.buildPlatform != stdenv.hostPlatform
) "--crossbuild=${stdenv.hostPlatform.uname.system}::${stdenv.hostPlatform.uname.processor}"
++ configureFlags
++ map (mod: "--add-module=${mod.src}") modules;
env = {
NIX_CFLAGS_COMPILE = toString (
[
"-I${libxml2.dev}/include/libxml2"
"-Wno-error=implicit-fallthrough"
(
# zlig-ng patch needs this
if stdenv.cc.isGNU then
"-Wno-error=discarded-qualifiers"
else
"-Wno-error=incompatible-pointer-types-discards-qualifiers"
)
]
++ lib.optionals (stdenv.cc.isGNU && lib.versionAtLeast stdenv.cc.version "11") [
# fix build vts module on gcc11
"-Wno-error=stringop-overread"
]
++ lib.optionals stdenv.cc.isClang [
"-Wno-error=deprecated-declarations"
"-Wno-error=gnu-folding-constant"
"-Wno-error=unused-but-set-variable"
]
++ lib.optionals stdenv.hostPlatform.isMusl [
# fix sys/cdefs.h is deprecated
"-Wno-error=cpp"
]
);
}
// lib.optionalAttrs (stdenv.buildPlatform != stdenv.hostPlatform) {
CONFIG_BIG_ENDIAN = if stdenv.hostPlatform.isBigEndian then "y" else "n";
};
configurePlatforms = [ ];
# Disable _multioutConfig hook which adds --bindir=$out/bin into configureFlags,
# which breaks build, since nginx does not actually use autoconf.
preConfigure = ''
setOutputFlags=
''
+ preConfigure
+ lib.concatMapStringsSep "\n" (mod: mod.preConfigure or "") modules;
patches =
map fixPatch (
[
./nix-etag-1.15.4.patch
./nix-skip-check-logs-path.patch
]
# Upstream may be against cross-compilation patches.
# https://trac.nginx.org/nginx/ticket/2240 https://trac.nginx.org/nginx/ticket/1928#comment:6
# That dev quit the project in 2024 so the stance could be different now.
++ lib.optionals (stdenv.hostPlatform != stdenv.buildPlatform) [
(fetchpatch {
url = "https://raw.githubusercontent.com/openwrt/packages/c057dfb09c7027287c7862afab965a4cd95293a3/net/nginx/patches/102-sizeof_test_fix.patch";
sha256 = "0i2k30ac8d7inj9l6bl0684kjglam2f68z8lf3xggcc2i5wzhh8a";
})
(fetchpatch {
url = "https://raw.githubusercontent.com/openwrt/packages/c057dfb09c7027287c7862afab965a4cd95293a3/net/nginx/patches/101-feature_test_fix.patch";
sha256 = "0v6890a85aqmw60pgj3mm7g8nkaphgq65dj4v9c6h58wdsrc6f0y";
})
(fetchpatch {
url = "https://raw.githubusercontent.com/openwrt/packages/c057dfb09c7027287c7862afab965a4cd95293a3/net/nginx/patches/103-sys_nerr.patch";
sha256 = "0s497x6mkz947aw29wdy073k8dyjq8j99lax1a1mzpikzr4rxlmd";
})
(fetchpatch {
url = "https://raw.githubusercontent.com/openwrt/packages/c057dfb09c7027287c7862afab965a4cd95293a3/net/nginx/patches/104-endianness_fix.patch";
sha256 = "sha256-M7V3ZJfKImur2OoqXcoL+CbgFj/huWnfZ4xMCmvkqfc=";
})
]
++ mapModules "patches"
)
++ extraPatches;
postPatch = lib.defaultTo ''
substituteInPlace src/http/ngx_http_core_module.c \
--replace-fail '@nixStoreDir@' "$NIX_STORE" \
--replace-fail '@nixStoreDirLen@' "''${#NIX_STORE}"
'' postPatch;
hardeningEnable = lib.optional (!stdenv.hostPlatform.isDarwin) "pie";
enableParallelBuilding = true;
preInstall = ''
mkdir -p $doc
cp -r ${nginx-doc}/* $doc
# TODO: make it unconditional when `openresty` and `nginx` are not
# sharing this code.
if [[ -e man/nginx.8 ]]; then
installManPage man/nginx.8
fi
''
+ preInstall;
disallowedReferences = map (m: m.src) modules;
postInstall =
let
noSourceRefs = lib.concatMapStrings (
m: "remove-references-to -t ${m.src} $(readlink -fn $out/bin/nginx)\n"
) modules;
in
postInstall + noSourceRefs;
passthru = {
inherit modules;
tests = {
inherit (nixosTests)
nginx
nginx-auth
nginx-etag
nginx-etag-compression
nginx-globalredirect
nginx-http3
nginx-proxyprotocol
nginx-pubhtml
nginx-sso
nginx-status-page
nginx-unix-socket
;
variants = lib.recurseIntoAttrs nixosTests.nginx-variants;
acme-integration = nixosTests.acme.nginx;
}
// passthru.tests;
};
meta =
if meta != null then
meta
else
with lib;
{
description = "Reverse proxy and lightweight webserver";
mainProgram = "nginx";
homepage = "http://nginx.org";
license = [ licenses.bsd2 ] ++ concatMap (m: m.meta.license) modules;
broken = lib.any (m: m.meta.broken or false) modules;
platforms = platforms.all;
maintainers = with maintainers; [
fpletz
raitobezarius
];
teams = with teams; [
helsinki-systems
stridtech
];
};
}

6
pkgs/servers/http/nginx/mainline.nix Normal file
View File

@@ -0,0 +1,6 @@
{ callPackage, ... }@args:
callPackage ./generic.nix args {
version = "1.29.1";
hash = "sha256-xYn35+2AHdvZBK+/PeJq4k6wzOJ8dxei6U33+xLWrSc=";
}

1118
pkgs/servers/http/nginx/modules.nix Normal file
View File

File diff suppressed because it is too large Load Diff

106
pkgs/servers/http/nginx/nix-etag-1.15.4.patch Normal file
View File

@@ -0,0 +1,106 @@
This patch makes it possible to serve static content from Nix store paths, by
using the hash of the store path for the ETag header.
diff --git a/src/http/ngx_http_core_module.c b/src/http/ngx_http_core_module.c
index 97a91aee2..2d07d71e6 100644
--- a/src/http/ngx_http_core_module.c
+++ b/src/http/ngx_http_core_module.c
@@ -1676,6 +1676,8 @@ ngx_http_set_etag(ngx_http_request_t *r)
{
ngx_table_elt_t *etag;
ngx_http_core_loc_conf_t *clcf;
+ u_char *real, *ptr1, *ptr2;
+ ngx_err_t err;
clcf = ngx_http_get_module_loc_conf(r, ngx_http_core_module);
@@ -1692,16 +1694,82 @@ ngx_http_set_etag(ngx_http_request_t *r)
etag->next = NULL;
ngx_str_set(&etag->key, "ETag");
- etag->value.data = ngx_pnalloc(r->pool, NGX_OFF_T_LEN + NGX_TIME_T_LEN + 3);
- if (etag->value.data == NULL) {
- etag->hash = 0;
- return NGX_ERROR;
+ // Upstream nginx uses file mod timestamp and content-length for Etag, but
+ // files in the Nix store have their timestamps reset, so that doesn't work.
+ // Instead, when serving from the Nix store, we use the hash from the store
+ // path and content-length.
+ //
+ // Every file in under the given store path will share the same store path
+ // hash. It is fine to serve different resources with the same Etag, but
+ // different representations of the same resource (eg the same file, but
+ // gzip-compressed) should have different Etags. Thus, we also append
+ // content-length, which should be different when the response is compressed
+
+ err = ngx_errno;
+ real = ngx_realpath(clcf->root.data, NULL);
+ ngx_set_errno(err);
+
+ #define NIX_STORE_DIR "@nixStoreDir@"
+ #define NIX_STORE_LEN @nixStoreDirLen@
+
+ if (r->headers_out.last_modified_time == 1
+ && real != NULL
+ && !ngx_strncmp(real, NIX_STORE_DIR, NIX_STORE_LEN)
+ && real[NIX_STORE_LEN] == '/'
+ && real[NIX_STORE_LEN + 1] != '\0')
+ {
+ // extract the hash from a path formatted like
+ // /nix/store/hashhere1234-pname-1.0.0
+ // +1 to skip the leading /
+ ptr1 = real + NIX_STORE_LEN + 1;
+
+ ptr2 = (u_char *) ngx_strchr(ptr1, '-');
+
+ if (ptr2 == NULL) {
+ ngx_free(real);
+ etag->hash = 0;
+ return NGX_ERROR;
+ }
+
+ *ptr2 = '\0';
+
+ // hash + content-length + quotes and hyphen. Note that the
+ // content-length part of the string can vary in length.
+ etag->value.data = ngx_pnalloc(r->pool, ngx_strlen(ptr1) + NGX_OFF_T_LEN + 3);
+
+ if (etag->value.data == NULL) {
+ ngx_free(real);
+ etag->hash = 0;
+ return NGX_ERROR;
+ }
+
+
+ // set value.data content to "{hash}-{content-length}" (including quote
+ // marks), and set value.len to the length of the resulting string
+ etag->value.len = ngx_sprintf(etag->value.data, "\"\%s-%xO\"",
+ ptr1,
+ r->headers_out.content_length_n)
+ - etag->value.data;
+
+ ngx_http_clear_last_modified(r);
+ } else {
+ // outside of Nix store, use the upstream Nginx logic for etags
+
+ etag->value.data = ngx_pnalloc(r->pool, NGX_OFF_T_LEN + NGX_TIME_T_LEN + 3);
+
+ if (etag->value.data == NULL) {
+ ngx_free(real);
+ etag->hash = 0;
+ return NGX_ERROR;
+ }
+
+ etag->value.len = ngx_sprintf(etag->value.data, "\"%xT-%xO\"",
+ r->headers_out.last_modified_time,
+ r->headers_out.content_length_n)
+ - etag->value.data;
}
- etag->value.len = ngx_sprintf(etag->value.data, "\"%xT-%xO\"",
- r->headers_out.last_modified_time,
- r->headers_out.content_length_n)
- - etag->value.data;
+ ngx_free(real);
r->headers_out.etag = etag;

27
pkgs/servers/http/nginx/nix-skip-check-logs-path.patch Normal file
View File

@@ -0,0 +1,27 @@
diff --git a/auto/install b/auto/install
index d884487..dccc411 100644
--- a/auto/install
+++ b/auto/install
@@ -148,12 +148,6 @@ install: build $NGX_INSTALL_PERL_MODULES
|| cp conf/nginx.conf '\$(DESTDIR)$NGX_CONF_PATH'
cp conf/nginx.conf '\$(DESTDIR)$NGX_CONF_PREFIX/nginx.conf.default'
- test -d '\$(DESTDIR)`dirname "$NGX_PID_PATH"`' \\
- || mkdir -p '\$(DESTDIR)`dirname "$NGX_PID_PATH"`'
-
- test -d '\$(DESTDIR)`dirname "$NGX_HTTP_LOG_PATH"`' \\
- || mkdir -p '\$(DESTDIR)`dirname "$NGX_HTTP_LOG_PATH"`'
-
test -d '\$(DESTDIR)$NGX_PREFIX/html' \\
|| cp -R $NGX_HTML '\$(DESTDIR)$NGX_PREFIX'
END
@@ -161,9 +155,6 @@ END
if test -n "$NGX_ERROR_LOG_PATH"; then
cat << END >> $NGX_MAKEFILE
-
- test -d '\$(DESTDIR)`dirname "$NGX_ERROR_LOG_PATH"`' \\
- || mkdir -p '\$(DESTDIR)`dirname "$NGX_ERROR_LOG_PATH"`'
END
fi

15
pkgs/servers/http/nginx/quic.nix Normal file
View File

@@ -0,0 +1,15 @@
{
callPackage,
nginxMainline,
...
}@args:
callPackage ./generic.nix args {
pname = "nginxQuic";
inherit (nginxMainline) src version;
configureFlags = [
"--with-http_v3_module"
];
}

13
pkgs/servers/http/nginx/stable.nix Normal file
View File

@@ -0,0 +1,13 @@
{ callPackage, fetchpatch, ... }@args:
callPackage ./generic.nix args {
version = "1.28.0";
hash = "sha256-xrXGsIbA3508o/9eCEwdDvkJ5gOCecccHD6YX1dv92o=";
extraPatches = [
(fetchpatch {
name = "CVE-2025-53859.patch";
url = "https://nginx.org/download/patch.2025.smtp.txt";
hash = "sha256-v49sLskFNMoKuG8HQISw8ST7ga6DS+ngJiL0D3sUyGk=";
})
];
}