diff --git a/cabal.project b/cabal.project index e6fdbad..490ae9b 100644 --- a/cabal.project +++ b/cabal.project @@ -1 +1,10 @@ packages: . + +source-repository-package + type: git + location: https://github.com/amesgen/hs-rustls + tag: af95cd7d3f79913d2864f46931bbfe339f9c396d + --sha256: 0a2drcy9893r06ghh7cpj21lg2n8ma737x0mhqh0spsf3znsd4db + subdir: rustls http-client-rustls + +constraints: rustls -derive-storable-plugin diff --git a/flake.lock b/flake.lock index 3d92c66..808eda7 100644 --- a/flake.lock +++ b/flake.lock @@ -83,6 +83,28 @@ "type": "github" } }, + "fenix": { + "inputs": { + "nixpkgs": [ + "nix-rustls", + "nixpkgs" + ], + "rust-analyzer-src": "rust-analyzer-src" + }, + "locked": { + "lastModified": 1655706580, + "narHash": "sha256-7DshIT1Ya5W9NAW7UdnYCHsGmXfOXJZCEHbbB/cCX7g=", + "owner": "nix-community", + "repo": "fenix", + "rev": "d895003d8e03ac2fc8ffe2aa898299cbef1a7048", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "fenix", + "type": "github" + } + }, "flake-utils": { "locked": { "lastModified": 1649676176, @@ -239,6 +261,27 @@ "type": "github" } }, + "naersk": { + "inputs": { + "nixpkgs": [ + "nix-rustls", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1655042882, + "narHash": "sha256-9BX8Fuez5YJlN7cdPO63InoyBy7dm3VlJkkmTt6fS1A=", + "owner": "nix-community", + "repo": "naersk", + "rev": "cddffb5aa211f50c4b8750adbec0bbbdfb26bb9f", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "naersk", + "type": "github" + } + }, "nix": { "inputs": { "lowdown-src": "lowdown-src", 
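Review bot: The `tag` pinned in this `source-repository-package` stanza (af95cd7d…) is a different hs-rustls commit from the one flake.lock locks for the `nix-rustls` input in the same commit (a20318f8…). The Haskell bindings and the overlay that presumably supplies the native library therefore come from two revisions of one repository. Whether those two revisions are compatible cannot be seen from the diff, so a comment above the stanza such as `-- keep in sync with the nix-rustls flake input (flake.lock)` would make the coupling explicit for whoever bumps either pin. Note also that the `--sha256:` line is a comment to plain cabal, which checks only the commit id; the content hash is enforced only when building through haskell.nix. The `constraints: rustls -derive-storable-plugin` line would benefit from a short comment saying why the flag is turned off.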
@@ -260,6 +303,34 @@ "type": "github" } }, + "nix-rustls": { + "inputs": { + "fenix": "fenix", + "flake-utils": [ + "flake-utils" + ], + "naersk": "naersk", + "nixpkgs": [ + "nixpkgs" + ], + "rustls-ffi": "rustls-ffi" + }, + "locked": { + "dir": "nix-rustls", + "lastModified": 1656101670, + "narHash": "sha256-y4emTKYao8ovbiqGlJu6piuObj8nj30Rew33EHgJgOY=", + "owner": "amesgen", + "repo": "hs-rustls", + "rev": "a20318f89e73c51b4082797f8b0a9a81f2b61abb", + "type": "github" + }, + "original": { + "dir": "nix-rustls", + "owner": "amesgen", + "repo": "hs-rustls", + "type": "github" + } + }, "nix-tools": { "flake": false, "locked": { @@ -429,6 +500,7 @@ "inputs": { "flake-utils": "flake-utils", "haskellNix": "haskellNix", + "nix-rustls": "nix-rustls", "nixpkgs": [ "haskellNix", "nixpkgs-unstable" @@ -437,6 +509,40 @@ "pre-commit-hooks": "pre-commit-hooks" } }, + "rust-analyzer-src": { + "flake": false, + "locked": { + "lastModified": 1655654433, + "narHash": "sha256-auHQ0XPCiaTPSn+R3Yu4J7oZ5Zq/FS5/Da1ivvdYb/Y=", + "owner": "rust-lang", + "repo": "rust-analyzer", + "rev": "427061da19723f2206fe4dcb175c9c43b9a6193d", + "type": "github" + }, + "original": { + "owner": "rust-lang", + "ref": "nightly", + "repo": "rust-analyzer", + "type": "github" + } + }, + "rustls-ffi": { + "flake": false, + "locked": { + "lastModified": 1654915986, + "narHash": "sha256-9+AgNq8+YLSjQQxVZrdPkW1c082EhIDeAbFQfX0MOQA=", + "owner": "rustls", + "repo": "rustls-ffi", + "rev": "3e66fba148a8a97935b49c178ccfd1a71929bf2a", + "type": "github" + }, + "original": { + "owner": "rustls", + "ref": "v0.9.1", + "repo": "rustls-ffi", + "type": "github" + } + }, "stackage": { "flake": false, "locked": { diff --git a/flake.nix b/flake.nix index 23ae9b4..ead1ee2 100644 --- a/flake.nix +++ b/flake.nix 
@@ -9,14 +9,23 @@ inputs.flake-utils.follows = "flake-utils"; }; flake-utils.url = "github:numtide/flake-utils"; + nix-rustls = { + url = "github:amesgen/hs-rustls?dir=nix-rustls"; + inputs.nixpkgs.follows = "nixpkgs"; + inputs.flake-utils.follows = "flake-utils"; + }; }; - outputs = { self, nixpkgs, flake-utils, haskellNix, nur, pre-commit-hooks }: + outputs = { self, nixpkgs, flake-utils, haskellNix, nur, pre-commit-hooks, nix-rustls }: flake-utils.lib.eachSystem [ "x86_64-linux" ] (system: let pkgs = import nixpkgs { inherit system; inherit (haskellNix) config; - overlays = [ haskellNix.overlay nur.overlay ]; + overlays = [ + haskellNix.overlay + nur.overlay + nix-rustls.overlays.default + ]; }; inherit (pkgs) lib; hsPkgs = pkgs.haskell-nix.cabalProject { @@ -53,20 +62,15 @@ --hie-directory ${hellsmack.components.tests.tasty.hie} ''; pre-commit-check = - let ormolu = pkgs.nur.repos.amesgen.ormolu; in pre-commit-hooks.lib.${system}.run { src = ./.; hooks = { nixpkgs-fmt.enable = true; - ormolu = { - enable = true; - entry = lib.mkForce "${ormolu}/bin/ormolu -i"; - }; + ormolu.enable = true; hlint.enable = true; }; tools = { - inherit ormolu; - hlint = pkgs.nur.repos.amesgen.hlint; + inherit (pkgs.nur.repos.amesgen) ormolu hlint; }; }; }; @@ -74,7 +78,7 @@ tools = { cabal = { }; }; buildInputs = [ pkgs.nur.repos.amesgen.cabal-docspec ]; withHoogle = false; - exactDeps = true; + exactDeps = false; inherit (self.checks.${system}.pre-commit-check) shellHook; }; diff --git a/hellsmack.cabal b/hellsmack.cabal index 5ab84b3..0b76498 100644 --- a/hellsmack.cabal +++ b/hellsmack.cabal @@ -41,6 +41,8 @@ library , temporary >= 1.3 , http-types >= 0.12 , http-client >= 0.7 + , rustls >= 0.0 + , http-client-rustls >= 0.0 , network-uri >= 2.6 , aeson >= 2.0 , deriving-aeson >= 0.2.7 
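Review bot: `exactDeps = false` in the last flake.nix hunk loosens the dev shell without saying why. As far as haskell.nix documents the option, turning it off lets cabal inside the shell solve for and download packages outside the Nix-pinned package set. What a developer builds in the shell then no longer has to match what `cabalProject` builds and checks. If the new `source-repository-package` requires this, record it next to the setting, e.g. `exactDeps = false; # <reason>; re-enable once <condition>`. The enclosing shell definition starts outside the hunk, so other options there that might compensate are not visible.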
@@ -68,11 +70,6 @@ library , semigroups >= 0.19 , optparse-applicative >= 0.16 , th-env >= 0.1 - if os(windows) - build-depends: http-client-tls >= 0.3 - cpp-options: -DUSE_HASKELL_TLS - else - build-depends: http-client-openssl >= 0.3.3 exposed-modules: Prelude diff --git a/src/HellSmack/Http.hs b/src/HellSmack/Http.hs index 7176833..210d56c 100644 --- a/src/HellSmack/Http.hs +++ b/src/HellSmack/Http.hs @@ -1,17 +1,23 @@ -{-# LANGUAGE CPP #-} +module HellSmack.Http (newTLSManager) where -module HellSmack.Http (newTLSManager, Manager) where +import Network.HTTP.Client qualified as HTTP +import Network.HTTP.Client.Rustls (rustlsManagerSettings) +import Rustls qualified +import UnliftIO.Exception -import Network.HTTP.Client -#if USE_HASKELL_TLS -import Network.HTTP.Client.TLS -#else -import Network.HTTP.Client.OpenSSL -#endif - -newTLSManager :: MonadIO m => m Manager -#if USE_HASKELL_TLS -newTLSManager = newTlsManager -#else -newTLSManager = liftIO $ withOpenSSL newOpenSSLManager -#endif +newTLSManager :: MonadIO m => m HTTP.Manager +newTLSManager = liftIO do + roots <- + fmap (Rustls.ClientRootsInMemory . pure . Rustls.PEMCertificatesStrict) $ + defaultCertFile `onException` envCertFile + clientConfig <- Rustls.buildClientConfig $ Rustls.defaultClientConfigBuilder roots + HTTP.newManager $ rustlsManagerSettings clientConfig + where + defaultCertFile = readFileBS "/etc/ssl/certs/ca-certificates.crt" + envCertFile = + lookupEnv envKey >>= \case + Just file | not (null file) -> readFileBS file + _ -> throwString [i|default SSL certs not found, please set $envKey|] + where + envKey :: String + envKey = "SSL_CERT_FILE"
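Review bot: The `SSL_CERT_FILE` fallback in `newTLSManager` never takes effect, because `onException` runs its second action only as cleanup and then rethrows the original exception. In ``defaultCertFile `onException` envCertFile`` the bytes read by `envCertFile` are therefore discarded, and with the unliftio version its `throwString` message appears to be swallowed as well. On a host without `/etc/ssl/certs/ca-certificates.crt` the function then fails with the bare file-not-found error; that includes the Windows builds whose `http-client-tls` branch this commit removes. A real fallback needs a catching combinator, e.g. ``defaultCertFile `catchIO` \_ -> envCertFile``, and it is worth deciding whether an explicitly set `SSL_CERT_FILE` should instead take precedence over the hard-coded path. A one-line Haddock on `newTLSManager` naming the source of the trust roots would help too, since this function now defines which CAs every HTTPS request accepts.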