ngtcp2-gnutls: init at 0.7.0 and use in knot-dns #188383
It's not that useful for now, but it only adds about 0.4 MB in closure.
$ kdig @ns1.xdp.cz +quic news.xdp.cz TXT
@Izorkin might want to know about the split or comment. Anyway, I don't expect significant usage of the openssl variant before the official openssl is made compatible with QUIC.
Not working this variant?
index 90372cc97a2..8c75eb1b8c5 100644
--- a/pkgs/development/libraries/ngtcp2/default.nix
+++ b/pkgs/development/libraries/ngtcp2/default.nix
@@ -1,10 +1,14 @@
{ lib, stdenv, fetchFromGitHub
, autoreconfHook, pkg-config, file
-, libev, nghttp3, quictls
+, libev, nghttp3
, cunit, ncurses
, withJemalloc ? false, jemalloc
+, withGnutls ? false, gnutls
+, withQuictls ? true, quictls
}:
+assert !(withGnutls && withQuictls);
+
stdenv.mkDerivation rec {
pname = "ngtcp2";
version = "0.7.0";
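Review bot: the new `assert !(withGnutls && withQuictls);` rejects selecting both backends, but nothing rejects selecting neither, so `ngtcp2.override { withQuictls = false; }` on its own evaluates fine and produces a build with no crypto library in `buildInputs`, with the failure only surfacing later at configure time. Suggest adding `assert withGnutls || withQuictls;` next to the existing assertion, or wrapping both in `lib.assertMsg` with a message naming the two flags, so the contract is enforced at evaluation time where the caller can see it.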
@@ -19,9 +23,16 @@ stdenv.mkDerivation rec {
outputs = [ "out" "dev" "doc" ];
nativeBuildInputs = [ autoreconfHook pkg-config file ];
- buildInputs = [ libev nghttp3 quictls ] ++ lib.optional withJemalloc jemalloc;
+
+ buildInputs = [ libev nghttp3 ]
+ ++ lib.optional withQuictls quictls
+ ++ lib.optional withGnutls gnutls
+ ++ lib.optional withJemalloc jemalloc;
+
checkInputs = [ cunit ncurses ];
+ configureFlags = lib.optional withGnutls "--with-gnutls=yes";
+
preConfigure = ''
substituteInPlace ./configure --replace /usr/bin/file ${file}/bin/file
'';
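Review bot: the backend selection is asymmetric: `configureFlags = lib.optional withGnutls "--with-gnutls=yes";` makes the GnuTLS case explicit, while the quictls case relies on configure's default probing for an OpenSSL in `buildInputs`. Consider passing the corresponding explicit enable/disable flag for the OpenSSL backend in both branches as well, so that a change in upstream's configure defaults cannot silently switch or drop the backend, and so a missing library fails the build early instead of letting configure pick up whatever it happens to find.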
diff --git a/pkgs/servers/dns/knot-dns/default.nix b/pkgs/servers/dns/knot-dns/default.nix
index 23fefe80e76..fff31f86df3 100644
--- a/pkgs/servers/dns/knot-dns/default.nix
+++ b/pkgs/servers/dns/knot-dns/default.nix
@@ -1,5 +1,5 @@
{ lib, stdenv, fetchurl, pkg-config, gnutls, liburcu, lmdb, libcap_ng, libidn2, libunistring
-, systemd, nettle, libedit, zlib, libiconv, libintl, libmaxminddb, libbpf, nghttp2, libmnl
+, systemd, nettle, libedit, zlib, libiconv, libintl, libmaxminddb, libbpf, ngtcp2, nghttp2, libmnl
, autoreconfHook, nixosTests, knot-resolver
}:
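Review bot: `ngtcp2` is added to the argument list with no indication that knot-dns needs the GnuTLS build of it; the default `ngtcp2` attribute is the quictls variant (`withQuictls ? true`), so anyone instantiating this file with a plain `callPackage` gets a mismatched backend, and the actual requirement lives only in all-packages.nix. Suggest either applying `ngtcp2.override { withGnutls = true; withQuictls = false; }` inside this file, or at least a comment next to the parameter stating which variant is expected.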
@@ -32,6 +32,7 @@ stdenv.mkDerivation rec {
gnutls liburcu libidn2 libunistring
nettle libedit
libiconv lmdb libintl
+ ngtcp2
nghttp2 # DoH support in kdig
libmaxminddb # optional for geoip module (it's tiny)
# without sphinx &al. for developer documentation
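Review bot: the added `ngtcp2` entry in buildInputs carries no comment, while the neighbouring `nghttp2 # DoH support in kdig` and `libmaxminddb # optional for geoip module` lines document why they are there; since the PR description exercises it through `kdig +quic`, something like `ngtcp2 # DoQ support in kdig` would keep the list self-documenting and make it clear what breaks if the dependency is removed later.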
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index bb0430ef58d..6d7576bacef 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -22657,7 +22657,10 @@ with pkgs;
keycloak = callPackage ../servers/keycloak { };
- knot-dns = callPackage ../servers/dns/knot-dns { };
+ knot-dns = callPackage ../servers/dns/knot-dns {
+ ngtcp2 = ngtcp2.override { withGnutls = true; withQuictls = false; };
+ };
+
knot-resolver = callPackage ../servers/dns/knot-resolver {
systemd = systemdMinimal; # in closure already anyway
};
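Review bot: the PR title announces `ngtcp2-gnutls: init`, but this hunk only applies an inline `ngtcp2.override { withGnutls = true; withQuictls = false; }` to knot-dns, so no `ngtcp2-gnutls` attribute exists for other consumers; a second package needing the GnuTLS backend would have to repeat the override and would build its own copy. Suggest exposing the variant as a top-level attribute (e.g. `ngtcp2-gnutls = ngtcp2.override { withGnutls = true; withQuictls = false; };`) and passing `ngtcp2 = ngtcp2-gnutls;` here, which also matches the title.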
Yes, it's certainly possible to merge this way into one nix expression. But I might also need ngtcp2 version kept in lock-step with knot-dns. Until ngtcp2 development stabilizes. So the overall code sharing opportunities don't seem significant.
Then it will be easier to have two variants.
No, it only uses gnutls for crypto. (including parts that are not related to TLS or QUIC)
Why split from ./default.nix?
ngtcp2 libs contain helpers to plug into various crypto libs (gnutls, patched openssl, ...). Building multiple of them while keeping closures separable would be relatively complicated.
Would it be a problem to compile openssl and gnutls into one package?
You would need to put each of these into a separate output (and leave the base lib in a third one) – and then patch paths in pkg-config and libtool files. That is, if the closure blowup should be avoided.
"blowup" according to the comment it is not even 1MB, or am I missing something? Are the new deps bigger?
No, that's a different one. The openssl fork takes a few megabytes and gnutls+deps also (and each additional crypto lib that you'd add). Packages always want just one but they'd get all of them.
The potential blowup in this comment is for the situation that got merged. That is, you may need (through different packages) ngtcp2 with both openssl and gnutls, in which case you get the core twice. And the core is 0.3--0.4 MB.