From 73023b817d76760c077e1ddab43d731d5ebc9fdb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tristan=20Dani=C3=ABl=20Maat?=
Date: Mon, 31 Oct 2022 16:06:31 +0000
Subject: [PATCH 1/2] conduit: Use dependencies from stable

Partially to circumvent the upcoming openssl CVE, partially to reduce the number of dependencies.
---
 lib/default.nix | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/lib/default.nix b/lib/default.nix
index da4031f..5cd7382 100644
--- a/lib/default.nix
+++ b/lib/default.nix
@@ -28,7 +28,9 @@ in {
 {
 nixpkgs.overlays = [
 (self: super: {
- matrix-conduit = nixpkgs-unstable.legacyPackages.${system}.matrix-conduit;
+ matrix-conduit = nixpkgs-unstable.legacyPackages.${system}.matrix-conduit.override {
+ inherit (self) stdenv lib fetchFromGitLab rustPlatform pkg-config rocksdb;
+ };
 })
 ];
 }
From 2304711359ff33551d00bc6a90ac1bd88a06ad68 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tristan=20Dani=C3=ABl=20Maat?=
Date: Mon, 31 Oct 2022 16:07:41 +0000
Subject: [PATCH 2/2] config: Mitigate upcoming SSL CVE

See https://mta.openssl.org/pipermail/openssl-announce/2022-October/000238.html As 1.1 is unaffected, this override should be sufficient to evade this problem.
---
 configuration/default.nix | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/configuration/default.nix b/configuration/default.nix
index f5d68fb..9c0ce68 100644
--- a/configuration/default.nix
+++ b/configuration/default.nix
@@ -25,6 +25,10 @@
 pkgs = prev;
 lib = prev.lib;
 };
+
+ # Mitigate
+ # https://mta.openssl.org/pipermail/openssl-announce/2022-October/000238.html
+ nginxStable = prev.nginxStable.override {openssl = prev.openssl_1_1;};
 })
 ];
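Review bot: The `inherit (self) …` list in the new `.override` is a hand-kept copy of the package's arguments with no comment saying why it exists, and it does not name `openssl` even though the commit message gives the OpenSSL advisory as one reason for the change. `.override` replaces only the arguments listed, so any input the unstable `matrix-conduit` expression takes beyond these six still resolves from `nixpkgs-unstable`; whether that includes an OpenSSL 3.x library cannot be seen from this hunk. I would add a comment above the override such as `# Build with stable inputs so the closure does not pull libraries from unstable; keep this list in sync with the package's arguments`, and confirm the result by checking the built package's closure for `openssl` store paths. The overlay and the module around it start and end outside the hunk.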
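Review bot: The `nginxStable` override pins nginx to `openssl_1_1` with no removal condition, so the mitigation will outlive the advisory it cites and keep nginx on the older branch after a fixed 3.x release reaches the channel. Extend the comment with an exit criterion, for example `# TODO: drop this override once the channel's default openssl carries the fix from the advisory above`. The override also covers only the `nginxStable` attribute: a service configured with a different nginx attribute, or any other package in the system closure that links the affected OpenSSL, is untouched, and the hunk does not show which of these apply, so it is worth listing the system closure's `openssl` store paths after the rebuild. The surrounding overlay begins and ends outside the hunk.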