path: root/krebs/2configs/security-workarounds.nix
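# Interim mitigation for the OpenSSL pre-3.0.7 vulnerabilities: move the two
# TLS-terminating services configured here off the nixpkgs OpenSSL.
#   * exim  is rebuilt against GnuTLS (overlay below)
#   * nginx is rebuilt against LibreSSL
# Neither override checks which OpenSSL version nixpkgs actually ships, so
# both stay in effect for as long as this file is imported.
# NOTE(review): remove this file once the pinned nixpkgs carries a fixed
# OpenSSL, so the services do not stay on a non-default TLS stack indefinitely.
{ config, lib, pkgs, ... }:
{
  nixpkgs.overlays = [
    (self: super: {
      exim = super.exim.overrideAttrs (old: let
        # Append to preBuild when the package defines it, otherwise to
        # configurePhase. Presumably this tracks where the nixpkgs exim
        # derivation prepares Local/Makefile - confirm against the pinned
        # nixpkgs revision.
        key = if old ? preBuild then "preBuild" else "configurePhase";
      in {
        # GnuTLS is added; the inherited inputs are kept unchanged.
        buildInputs = (old.buildInputs or [ ]) ++ [ self.gnutls ];
        # NOTE(review): the sed below only disables an active USE_OPENSSL=
        # line. An active USE_OPENSSL_PC= line, if the Makefile has one, is not
        # touched - confirm on the built binary that libssl/libcrypto are not
        # linked.
        ${key} = /* sh */ ''
          ${old.${key}}
          sed -Ei '
            s:^USE_OPENSSL=.*:# &:
            s:^# (USE_GNUTLS)=.*:\1=yes:
            s:^# (USE_GNUTLS_PC=.*):\1:
          ' Local/Makefile
          # Fail closed: sed exits 0 even when no pattern matched, which would
          # leave exim on OpenSSL without any build error.
          if grep -q '^USE_OPENSSL=' Local/Makefile ||
             ! grep -q '^USE_GNUTLS=yes' Local/Makefile; then
            echo "security-workarounds: exim Local/Makefile does not select GnuTLS" >&2
            exit 1
          fi
        '';
      });
    })
  ];

  # lib.mkDefault sets this at low priority: any other module that defines
  # services.nginx.package without mkDefault takes precedence, and nginx then
  # uses whatever TLS library that package was built with.
  services.nginx.package = lib.mkDefault (pkgs.nginxStable.override {
    openssl = pkgs.libressl;
  });
}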