From d529ecca21a6e0b81fa6a429b42da9d5a5a55b87 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phan=20Kochen?=
Date: Tue, 3 Dec 2024 13:41:09 +0100
Subject: [PATCH] Add NixOS packaging

---
 .gitignore | 2 ++
 dist/package.nix | 47 +++++++++++++++++++++++++
 flake.nix | 7 ++++
 tests/nixos.nix | 91 ++++++++++++++++++++++++++++++++++++++++++++++++
 4 files changed, 147 insertions(+)
 create mode 100644 .gitignore
 create mode 100644 dist/package.nix
 create mode 100644 flake.nix
 create mode 100644 tests/nixos.nix

diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..4075fb2
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,2 @@
+target
+result
diff --git a/dist/package.nix b/dist/package.nix
new file mode 100644
index 0000000..e95b2fb
--- /dev/null
+++ b/dist/package.nix
@@ -0,0 +1,47 @@
+{ lib, stdenv, llvmPackages, rustPlatform, pkg-config, openssl }:
+let
+ target = stdenv.hostPlatform.rust.rustcTargetSpec;
+ libExt = stdenv.hostPlatform.extensions.sharedLibrary;
+in
+ rustPlatform.buildRustPackage {
+ name = "rustls-libssl";
+
+ src = ../.;
+ cargoLock.lockFile = ../Cargo.lock;
+
+ nativeBuildInputs = [
+ pkg-config # for openssl-sys
+ llvmPackages.lld # see build.rs
+ ];
+ buildInputs = [
+ openssl
+ ];
+
+ doCheck = false; # TODO: can't find libcrypto
+
+ outputs = [ "out" "dev" ];
+ installPhase = ''
+ mkdir -p $out/lib $dev/lib/pkgconfig
+
+ mv target/${target}/release/libssl${libExt} $out/lib/libssl${libExt}.3
+ ln -s libssl${libExt}.3 $out/lib/libssl${libExt}
+
+ ln -s ${openssl.out}/lib/libcrypto${libExt}.3 $out/lib/
+ ln -s libcrypto${libExt}.3 $out/lib/libcrypto${libExt}
+
+ if [[ -e ${openssl.out}/lib/engines-3 ]]; then
+ ln -s ${openssl.out}/lib/engines-3 $out/lib/
+ fi
+ if [[ -e ${openssl.out}/lib/ossl-modules ]]; then
+ ln -s ${openssl.out}/lib/ossl-modules $out/lib/
+ fi
+
+ ln -s ${openssl.dev}/include $dev/
+
+ cp ${openssl.dev}/lib/pkgconfig/*.pc $dev/lib/pkgconfig/
+ sed -i \
+ -e "s|${openssl.out}|$out|g" \
+ -e "s|${openssl.dev}|$dev|g" \
+ $dev/lib/pkgconfig/*.pc
+ '';
+ }
diff --git a/flake.nix b/flake.nix
new file mode 100644
index 0000000..bced1a4
--- /dev/null
+++ b/flake.nix
@@ -0,0 +1,7 @@
+{
+ outputs = { ... }: {
+ overlays.default = final: prev: {
+ rustls-libssl = final.callPackage ./dist/package.nix { };
+ };
+ };
+}
diff --git a/tests/nixos.nix b/tests/nixos.nix
new file mode 100644
index 0000000..d7374aa
--- /dev/null
+++ b/tests/nixos.nix
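Review bot: The versioned names built in installPhase, `libssl${libExt}.3` and `libcrypto${libExt}.3`, follow the Linux `.so.3` convention only; on Darwin `libExt` is `.dylib` and the nixpkgs openssl installs `libcrypto.3.dylib`, so `ln -s ${openssl.out}/lib/libcrypto${libExt}.3 $out/lib/` would create a dangling link and the libssl name would not match what consumers load. If Darwin is not intended, `meta.platforms = lib.platforms.linux;` would state that; otherwise the names need a per-platform branch. Separately, `src = ../.;` takes the checkout as-is, so when package.nix is evaluated outside a flake it pulls the `target/` build directory and `result` links that the new `.gitignore` lists into the store path and its hash; `src = lib.cleanSource ../.;` (or a `lib.fileset` filter) keeps them out. A `pname`/`version` pair instead of the bare `name` would also match what nixpkgs tooling expects.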
@@ -0,0 +1,91 @@ +# SPDX-License-Identifier: MIT + +# Derived from: +# https://github.com/NixOS/nixpkgs/blob/4c9ca53890654b5e2fbb22ab8feb1842d81e01c1/nixos/tests/nginx-http3.nix +# Copyright (c) 2003-2024 Eelco Dolstra and the Nixpkgs/NixOS contributors + +{ pkgs ? import { } }: + +let + + caCert = builtins.readFile ; + certPath = ; + keyPath = ; + + hosts = '' + 192.168.2.101 acme.test + ''; + +in + +pkgs.testers.runNixOSTest { + name = "rustls-libssl"; + + nodes = { + server = { lib, pkgs, ... }: { + networking = { + interfaces.eth1 = { + ipv4.addresses = [ + { address = "192.168.2.101"; prefixLength = 24; } + ]; + }; + extraHosts = hosts; + firewall.allowedTCPPorts = [ 443 ]; + firewall.allowedUDPPorts = [ 443 ]; + }; + + security.pki.certificates = [ caCert ]; + + services.nginx = { + enable = true; + package = pkgs.nginxQuic.override { + modules = [ ]; + openssl = pkgs.callPackage ../dist/package.nix { }; + }; + + # Hardcoded sole input accepted by rustls-libssl. + sslCiphers = "HIGH:!aNULL:!MD5"; + + virtualHosts."acme.test" = { + onlySSL = true; + sslCertificate = certPath; + sslCertificateKey = keyPath; + http2 = true; + # TODO: Needs SSL_CTX_add_custom_ext + #http3 = true; + #http3_hq = false; + #quic = true; + reuseport = true; + root = lib.mkForce (pkgs.runCommandLocal "testdir" {} '' + mkdir "$out" + cat > "$out/index.html" <Hello World! + EOF + ''); + }; + }; + }; + + client = { pkgs, ... 
}: {
+ environment.systemPackages = [ pkgs.curlHTTP3 ];
+ networking = {
+ interfaces.eth1 = {
+ ipv4.addresses = [
+ { address = "192.168.2.201"; prefixLength = 24; }
+ ];
+ };
+ extraHosts = hosts;
+ };
+
+ security.pki.certificates = [ caCert ];
+ };
+ };
+
+ testScript = ''
+ start_all()
+ server.wait_for_open_port(443)
+ client.succeed("curl --verbose --http1.1 https://acme.test | grep 'Hello World!'")
+ client.succeed("curl --verbose --http2-prior-knowledge https://acme.test | grep 'Hello World!'")
+ #client.succeed("curl --verbose --http3-only https://acme.test | grep 'Hello World!'")
+ '';
+}
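Review bot: The assertions in testScript only grep the response body, so they would pass just as well if nginx had ended up linked against the stock OpenSSL libssl; nothing in the hunk confirms that the rustls-libssl build from the `openssl =` override is the one performing the handshake. A server-side check such as `server.succeed("grep -q rustls-libssl /proc/$(systemctl show -p MainPID --value nginx)/maps")` would tie the test to the package under test, since the override's store path should carry the derivation name. The `--verbose` output of the two curl calls is discarded as well; redirecting it with `2>&1` and asserting on the negotiated-protocol line would make a silent fallback visible in the test log. `firewall.allowedUDPPorts = [ 443 ]` and `pkgs.curlHTTP3` serve only the commented-out HTTP/3 case and could carry the same TODO as the `http3` lines.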