From fef55f1306c6d522b5e0820086d324c19fb20ff4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sandro=20J=C3=A4ckel?=
Date: Fri, 14 Nov 2025 02:52:27 +0100
Subject: [PATCH 1/5] Update readme

---
 README.md | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/README.md b/README.md
index 015dba9..60d9298 100644
--- a/README.md
+++ b/README.md
@@ -4,9 +4,8 @@ Collection of opinionated, integrated and shared NixOS modules.
 This includes features like:
 
 - Backend independent LDAP/OAuth2 abstraction with service integration
-- A continuation of environment.noXLibs named environment.noGraphicsPackages
 - Easy Postgres upgrades between major versions and installation of `pg_stat_statements` extension in all databases
-- Easy integration of Matrix Synapse, Element Web and extra oembed providers
+- Easy integration of Matrix Synapse, Element Web and extra Oembed providers
 - Configure extra dependencies in Nextcloud for the Recognize and Memories Apps and properly setup preview generation
 - Restricted nix remote builders which can only execute remote builds
 - More opinionated integrations on top of Portunus (Simple LDAP frontend), dex and oauth2-proxy
From b8a94bcf810ebbe67670ed689bdef83dcf5db442 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sandro=20J=C3=A4ckel?=
Date: Fri, 14 Nov 2025 02:52:33 +0100
Subject: [PATCH 2/5] haproxy: drop recommendedDefaults

---
 modules/default.nix | 1 +
 modules/haproxy.nix | 2 --
 2 files changed, 1 insertion(+), 2 deletions(-)

diff --git a/modules/default.nix b/modules/default.nix
index 4d01dcb..2c1499d 100644
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -6,5 +6,6 @@
   imports = [
     (lib.mkRemovedOptionModule ["debugging" "enable"] "Because we never really used it.")
     (lib.mkRemovedOptionModule ["environment" "noGraphicsPackages"] "Maintaining it out of tree got unviable after the kernel started to depend on a graphics library through ~5 packages.")
+    (lib.mkRemovedOptionModule ["haproxy" "recommendedDefaults"] "it wasn't used")
   ];
 }
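Review bot: The option path in the new mkRemovedOptionModule entry, `["haproxy" "recommendedDefaults"]`, does not match where the option was declared: the modules/haproxy.nix hunk of this same patch shows it under `services.haproxy = { ... }`, so the notice would be registered at `haproxy.recommendedDefaults` while a user still setting `services.haproxy.recommendedDefaults` presumably gets a plain undefined-option error instead of the message. The same applies to the `["haproxy" "compileWithAWSlc"]` entry added to modules/default.nix in PATCH 5/5. I would also bring the text in line with the neighbouring full-sentence messages: `(lib.mkRemovedOptionModule ["services" "haproxy" "recommendedDefaults"] "It was declared but never used.")`.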
diff --git a/modules/haproxy.nix b/modules/haproxy.nix
index 09bb3ff..ee013f5 100644
--- a/modules/haproxy.nix
+++ b/modules/haproxy.nix
@@ -7,8 +7,6 @@ in
   options = {
     services.haproxy = {
       compileWithAWSlc = libS.mkOpinionatedOption "compile nginx with aws-lc as crypto library";
-
-      recommendedDefaults = libS.mkOpinionatedOption "set recommended default settings";
     };
   };
 
From 7ed70ea0ca868ac1ab6776b50251c368f22f9dc3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sandro=20J=C3=A4ckel?=
Date: Fri, 14 Nov 2025 02:52:41 +0100
Subject: [PATCH 3/5] haproxy: drop dhparam

That is not useful beginning with TLS 1.2 and it likely relied on out of repo code anyway...

---
 modules/haproxy.nix | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/modules/haproxy.nix b/modules/haproxy.nix
index ee013f5..d291894 100644
--- a/modules/haproxy.nix
+++ b/modules/haproxy.nix
@@ -17,9 +17,7 @@ in
       config = lib.mkBefore (''
         global
           ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
-      '' + lib.optionalString (!cfg.compileWithAWSlc) ''
-        ssl-dh-param-file ${config.security.dhparams.params.haproxy.path}
-      '');
+      '';
     };
   };
 }
From df4d56046601bcb910cfe21579bdbe573d8014e0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sandro=20J=C3=A4ckel?=
Date: Fri, 14 Nov 2025 02:52:59 +0100
Subject: [PATCH 4/5] haproxy: drop min tls 1.2

it is easy to mess up the haproxy config this way and it is a really minor improvement which should have been behind recommendedDefaults

---
 modules/haproxy.nix | 5 -----
 1 file changed, 5 deletions(-)

diff --git a/modules/haproxy.nix b/modules/haproxy.nix
index d291894..9e5a96b 100644
--- a/modules/haproxy.nix
+++ b/modules/haproxy.nix
@@ -13,11 +13,6 @@ in
   config = lib.mkIf cfg.enable {
     services.haproxy = {
       package = lib.mkIf cfg.compileWithAWSlc (pkgs.haproxy.override { sslLibrary = "aws-lc"; });
-
-      config = lib.mkBefore (''
-        global
-          ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
-      '';
     };
   };
 }
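Review bot: In the PATCH 3/5 hunk the new line `'';` closes the indented string but not the parenthesis opened by `config = lib.mkBefore (''` three lines above, so modules/haproxy.nix no longer parses at this commit; the unbalanced form only goes away because PATCH 4/5 deletes the whole block, which leaves a broken intermediate commit for anyone bisecting. The replacement line should keep the closing paren: `+      '');`. The enclosing `config = lib.mkIf cfg.enable {` attribute set starts above this hunk.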
From a3e401c5dc9c7be3d3d61bddf60315c40326f9f9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sandro=20J=C3=A4ckel?=
Date: Fri, 14 Nov 2025 02:56:33 +0100
Subject: [PATCH 5/5] haproxy: remove very basic module

---
 modules/default.nix | 1 +
 modules/haproxy.nix | 18 ------------------
 2 files changed, 1 insertion(+), 18 deletions(-)
 delete mode 100644 modules/haproxy.nix

diff --git a/modules/default.nix b/modules/default.nix
index 2c1499d..9d7dec3 100644
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -6,6 +6,7 @@
   imports = [
     (lib.mkRemovedOptionModule ["debugging" "enable"] "Because we never really used it.")
     (lib.mkRemovedOptionModule ["environment" "noGraphicsPackages"] "Maintaining it out of tree got unviable after the kernel started to depend on a graphics library through ~5 packages.")
+    (lib.mkRemovedOptionModule ["haproxy" "compileWithAWSlc"] ''just set `services.haproxy.package = pkgs.haproxy.override { sslLibrary = "aws-lc"; };`'')
     (lib.mkRemovedOptionModule ["haproxy" "recommendedDefaults"] "it wasn't used")
   ];
 }
diff --git a/modules/haproxy.nix b/modules/haproxy.nix
deleted file mode 100644
index 9e5a96b..00000000
--- a/modules/haproxy.nix
+++ /dev/null
@@ -1,18 +0,0 @@
-{ config, lib, libS, pkgs, ... }:
-
-let
-  cfg = config.services.haproxy;
-in
-{
-  options = {
-    services.haproxy = {
-      compileWithAWSlc = libS.mkOpinionatedOption "compile nginx with aws-lc as crypto library";
-    };
-  };
-
-  config = lib.mkIf cfg.enable {
-    services.haproxy = {
-      package = lib.mkIf cfg.compileWithAWSlc (pkgs.haproxy.override { sslLibrary = "aws-lc"; });
-    };
-  };
-}
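Review bot: The new removal notice in modules/default.nix explains how to get aws-lc back, but nothing in this patch or the series tells operators that the module's former injected `global` defaults (`ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets` and the `ssl-dh-param-file` line, dropped in PATCH 3/5 and 4/5) are gone; a deployment that relied on the module for that presumably now runs on HAProxy's built-in TLS defaults without any evaluation-time hint. Since injected config has no option path to hang a mkRemovedOptionModule on, I would extend the message or the commit description with a one-line pointer, e.g. `''... the module's ssl-min-ver TLSv1.2 / no-tls-tickets global defaults were dropped as well; set them in services.haproxy.config yourself if you relied on them''`. The option-path mismatch in these entries is raised at PATCH 2/5.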