public inbox for gentoo-dev@lists.gentoo.org
* [gentoo-dev] [RFC PATCH 00/19] Rework NGINX packaging in Gentoo by introducing nginx{,-module}.eclass
@ 2024-07-17 12:05 Zurab Kvachadze
  2024-07-17 12:05 ` [gentoo-dev] [RFC PATCH 01/19] nginx.eclass: Add new eclass for building the NGINX server Zurab Kvachadze
                   ` (18 more replies)
  0 siblings, 19 replies; 30+ messages in thread
From: Zurab Kvachadze @ 2024-07-17 12:05 UTC
  To: gentoo-dev; +Cc: Zurab Kvachadze

Do not merge this yet! This patch is still an RFC. Refer to the "Questions and
problems" section for more detailed explanation of the issues that (more or
less) block the merging of the patches.

GitHub PR: https://github.com/gentoo/gentoo/pull/37590

This is an attempt to improve the state of NGINX in the Gentoo tree. The
majority of reasoning for introducing this series can be found in the
nginx.eclass commit, whereas the actual differences between the previous and
the new versions are outlined in the NGINX 1.26.1 revbump commit.

Such "refreshes" are important for Gentoo, as to my belief. NGINX has not been
maintained for two years now, let alone being rewritten. Thus, NGINX ebuilds
are around 42K in size, having accumulated rust over the years. The sheer size
and monstrosity of the ebuild discourages developers from adopting
the package. These patches aim to drastically reduce the size and fix numerous
issues that NGINX has acquired throughout its lifetime.

Questions and problems
======================

(1) Is having separate SLOTs for different NGINX update streams useful?

Currently, NGINX is half-slotted. It has the '0' and the 'mainline' slot with
both undergoing the same stabilisation, i.e. 'mainline' versions can and do
have stable keywords (unlike, for example Firefox, where LTS versions are
stable and rapid ones are always testing).

Therefore, the intention for this was to make this half-baked slotting complete,
by introducing the 'stable' slot. One use case of such distinction is an
ability to subscribe to the 'stable' version and receive updates from that,
ignoring 'mainline' versions.

One of the downsides of SLOTting NGINX is the fact that mainline versions are
not always ahead of the stable ones. As an example of this point, the stable
NGINX 1.26.0 version was ahead of the mainline 1.25.5. If, for instance, NGINX
utilised SLOTting and a user updated from nginx-1.25.5:mainline to
nginx-1.26.0:stable, they would be greeted with rather unwelcoming
blocker messages.

Is this approach reasonable? If not, the SLOTting machinery can easily be
removed :)

(2) Do all the previously-bundled modules need to be ported to
nginx-module.eclass for this to be considered "mergeable"?

This implements somewhat special infrastructure (which could be considered as
a hack) to tackle the fact that the NGINX build system does not fully support
building external modules out of tree. As a proof of concept, four simple
modules have been ported to the introduced nginx-module.eclass.

If the nginx-module.eclass approach is deemed suitable, should I port the rest
of the modules to maintain their presence in the Gentoo tree or shall we just
drop them altogether?

I am bringing this up since, although the modules (modsecurity, rtmp, lua,
etc.) were not independent packages, a lot of people rely on them in their
workflow, and, thus, we should not just blindly remove them.

Having said this, I am not really willing to maintain third party modules as I
have no interest in using them. Nonetheless, I believe that people will be
encouraged to adopt the unbundled NGINX modules quicker with a number of
simplifications brought forth by these patches.

(3) Please, test these patches. Although automated tests do work and the
ebuilds pass them, it is entirely possible that I have missed something.

Happy hacking :)

Zurab Kvachadze (19):
  nginx.eclass: Add new eclass for building the NGINX server
  nginx-module.eclass: Add new eclass for building NGINX external
    modules
  www-servers/nginx: add myself as a proxy maintainer; update
    metadata.xml
  www-servers/nginx: add nginx-r5.initd
  www-servers/nginx: add nginx-r1.confd
  www-servers/nginx: add nginx-r2.service
  www-servers/nginx: add nginx-r2.logrotate
  www-servers/nginx: add nginx-r4.conf
  profiles/desc: reword and update nginx_modules_http.desc
  profiles/desc: reword and update nginx_modules_mail.desc
  profiles/desc: reword and update nginx_modules_stream.desc
  profiles/categories: Add www-nginx category for external NGINX modules
  www-servers/nginx: revbump 1.26.1-r1 to 1.26.1-r2, use nginx.eclass
  www-servers/nginx: revbump 1.27.0-r1 to 1.27.0-r2, use nginx.eclass
  www-servers/nginx: add 9999 live version, use nginx.eclass
  www-nginx/ngx_devel_kit: new package, add 0.3.3
  www-nginx/ngx-echo: new package, add 0.63
  www-nginx/ngx-encrypted-session: new package, add 0.09
  www-nginx/ngx-set-misc: new package, add 0.33

 eclass/nginx-module.eclass                    | 180 ++++
 eclass/nginx.eclass                           | 774 ++++++++++++++++++
 profiles/categories                           |   1 +
 profiles/desc/nginx_modules_http.desc         | 147 ++--
 profiles/desc/nginx_modules_mail.desc         |   9 +-
 profiles/desc/nginx_modules_stream.desc       |  34 +-
 www-nginx/metadata.xml                        |   7 +
 www-nginx/ngx-echo/Manifest                   |   1 +
 www-nginx/ngx-echo/metadata.xml               |   8 +
 www-nginx/ngx-echo/ngx-echo-0.63.ebuild       |  18 +
 www-nginx/ngx-encrypted-session/Manifest      |   1 +
 www-nginx/ngx-encrypted-session/metadata.xml  |   8 +
 .../ngx-encrypted-session-0.09.ebuild         |  32 +
 www-nginx/ngx-set-misc/Manifest               |   1 +
 www-nginx/ngx-set-misc/metadata.xml           |  11 +
 .../ngx-set-misc/ngx-set-misc-0.33.ebuild     |  50 ++
 www-nginx/ngx_devel_kit/Manifest              |   1 +
 www-nginx/ngx_devel_kit/metadata.xml          |   8 +
 .../ngx_devel_kit/ngx_devel_kit-0.3.3.ebuild  |  28 +
 www-servers/nginx/Manifest                    |   1 +
 www-servers/nginx/files/nginx-r1.confd        |  37 +
 www-servers/nginx/files/nginx-r2.logrotate    |  11 +
 www-servers/nginx/files/nginx-r2.service      |  12 +
 www-servers/nginx/files/nginx-r4.conf         |  39 +
 www-servers/nginx/files/nginx-r5.initd        | 117 +++
 www-servers/nginx/metadata.xml                |  61 +-
 www-servers/nginx/nginx-1.26.1-r2.ebuild      |  30 +
 www-servers/nginx/nginx-1.27.0-r2.ebuild      |  30 +
 www-servers/nginx/nginx-9999.ebuild           |  28 +
 29 files changed, 1574 insertions(+), 111 deletions(-)
 create mode 100644 eclass/nginx-module.eclass
 create mode 100644 eclass/nginx.eclass
 create mode 100644 www-nginx/metadata.xml
 create mode 100644 www-nginx/ngx-echo/Manifest
 create mode 100644 www-nginx/ngx-echo/metadata.xml
 create mode 100644 www-nginx/ngx-echo/ngx-echo-0.63.ebuild
 create mode 100644 www-nginx/ngx-encrypted-session/Manifest
 create mode 100644 www-nginx/ngx-encrypted-session/metadata.xml
 create mode 100644 www-nginx/ngx-encrypted-session/ngx-encrypted-session-0.09.ebuild
 create mode 100644 www-nginx/ngx-set-misc/Manifest
 create mode 100644 www-nginx/ngx-set-misc/metadata.xml
 create mode 100644 www-nginx/ngx-set-misc/ngx-set-misc-0.33.ebuild
 create mode 100644 www-nginx/ngx_devel_kit/Manifest
 create mode 100644 www-nginx/ngx_devel_kit/metadata.xml
 create mode 100644 www-nginx/ngx_devel_kit/ngx_devel_kit-0.3.3.ebuild
 create mode 100644 www-servers/nginx/files/nginx-r1.confd
 create mode 100644 www-servers/nginx/files/nginx-r2.logrotate
 create mode 100644 www-servers/nginx/files/nginx-r2.service
 create mode 100644 www-servers/nginx/files/nginx-r4.conf
 create mode 100644 www-servers/nginx/files/nginx-r5.initd
 create mode 100644 www-servers/nginx/nginx-1.26.1-r2.ebuild
 create mode 100644 www-servers/nginx/nginx-1.27.0-r2.ebuild
 create mode 100644 www-servers/nginx/nginx-9999.ebuild

-- 
2.44.2




* [gentoo-dev] [RFC PATCH 01/19] nginx.eclass: Add new eclass for building the NGINX server
  2024-07-17 12:05 [gentoo-dev] [RFC PATCH 00/19] Rework NGINX packaging in Gentoo by introducing nginx{,-module}.eclass Zurab Kvachadze
@ 2024-07-17 12:05 ` Zurab Kvachadze
  2024-07-17 12:05 ` [gentoo-dev] [RFC PATCH 02/19] nginx-module.eclass: Add new eclass for building NGINX external modules Zurab Kvachadze
                   ` (17 subsequent siblings)
  18 siblings, 0 replies; 30+ messages in thread
From: Zurab Kvachadze @ 2024-07-17 12:05 UTC
  To: gentoo-dev; +Cc: Zurab Kvachadze

This adds a generic eclass for building, testing and installing NGINX
distributions (F5's NGINX, freenginx, etc).
This is a complete revamp of the way NGINX is packaged in Gentoo.

The problem
===========
NGINX has not been maintained for almost 2 years, since June 5 2022
(commit 9061b2f2318: "*/*: reassign whissi's packages"). In its current
state, NGINX has 16 open bugs, with the oldest being reported more than
10 years ago (471106, 496318 and a few more). Moreover, each NGINX
ebuild is over 1100 lines of code and 40 kilobytes in size, with
enormous amounts of code being copied over with each version bump.
Currently, these are some of the most obvious issues.

There is another major problem: the www-servers/nginx package bundles
25 third party modules. This inflexible approach has its own issues:

    * version pinning (of the external modules).

    * no trivial way to add other external modules (for the end user).

The actual code is very old, has inconsistent USE flag choices
(http{2,3} being USE flags on their own rather than NGINX_MODULES_HTTP
USE_EXPAND flags, the same goes for the ssl USE flag, etc.), outright
useless USE flags that do nothing at all (pcre-jit and ktls), outdated
dependencies (libpcre instead of libpcre2 by default), mixed shell
constructs ('[' somewhere and '[[' elsewhere). The ebuild adds the
default include paths to CFLAGS and LDFLAGS for no reason and has
warnings about the versions as old as 1.10 (released in January
2017); the ebuild configures NGINX to store its temporary files in
/var/lib, instead of /var/tmp and so on...

Although this does not intend to cover all the flaws of the current
state of NGINX in the Gentoo tree, it is blatant that the quality of the
NGINX ebuilds is quite poor and that they are overall particularly
messy and clunky.

So, I deemed "repackaging" NGINX from the ground up an easier task (than
fixing the current NGINX ebuild in-place) and went on with it.

The solution
============
This eclass aims to fully cover as much of what is in common between
different NGINX versions and distributions as possible, which by itself
requires a high degree of flexibility in an eclass. The nginx.eclass
does not intend to move the aforementioned complexity to one place,
but rather to *get rid* of it entirely. It achieves this by requiring
the inheriting ebuilds to provide the "specification" of their version.

The specification is really simple and is comprised of 4 variables:

    * NGINX_MODULES, that defines available modules, i.e "http_perl",
      "http_geoip", "http_ssl", "http_v3", "mail_imap", etc.

    * NGINX_SUBSYSTEMS, that defines individual available NGINX servers:
      "http", "stream" and "mail".

    * NGINX_TESTS_RV, that defines a particular revision of NGINX tests.

    * NGINX_UPDATE_STREAM, that corresponds to the NGINX version type as
      defined upstream. Currently, it is either "mainline", "stable" or
      "live" for the Mercurial version. SLOT is derived from this
      variable.

And 1 optional variable:

    * NGINX_MISC_FILES, that specifies files in FILESDIR, e.g. NGINX
      main configuration file, NGINX systemd service file, etc. They are
      installed into specific locations based on their file extension.

The nginx.eclass takes care of all the other aspects. This eclass:

    1. Sets the default value for DESCRIPTION, HOMEPAGE, LICENSE,
       SRC_URI. SLOT is set to ${NGINX_UPDATE_STREAM}/${PV}.

    2. Populates IUSE, based on the NGINX_MODULES and NGINX_SUBSYSTEMS
       variables.

    3. Fills BDEPEND, DEPEND and RDEPEND with general
       NGINX dependencies.

    4. Sets blocks on all possible update streams (that are expressed as
       SLOT) apart from the current one, in order to disallow installing
       multiple NGINX versions at once.

    5. Sets REQUIRED_USE for inter-module dependencies, unless
       OVERRIDE_NGINX_MOD_REQUIRED_USE is set.

    6. Sets BDEPEND, DEPEND and RDEPEND for external module
       dependencies, unless OVERRIDE_NGINX_MOD_DEPEND is set.

    7. Sets BDEPEND for module test dependencies, unless
       OVERRIDE_NGINX_MOD_TEST_DEPEND is set.

    (points 5-7: the nginx.eclass comes with a default list for such
    dependencies; the REQUIRED_USE and *DEPEND variables are only set
    for the modules that are present in NGINX_MODULES).

    8. Unpacks the sources or clones the Mercurial repository.

    9. Configures NGINX, obviously.

    10. Compiles NGINX.

    11. Tests the compiled binary. The test dependencies have also been
	brought in line with what tests actually depend on.

    12. Installs NGINX, complying with the FHS. The files specified in
	NGINX_MISC_FILES are installed in their respective directories.
	If "modules" use flag is enabled, indicating dynamic modules
	support, NGINX build system is installed into /usr/src/nginx and
	NGINX headers are installed into /usr/include/nginx.
	The nginx.eclass also installs Portage set
	@nginx-modules-rebuild. It groups all the NGINX dynamic modules
	and is mainly of use for those who install the "live" version.

A considerable part of the eclass parses the ebuild variables, the
actual phase function code constitutes roughly 240 LoC (out of 790
total). Every part of the eclass is thoroughly annotated and documented.

The nginx.eclass sets up the infrastructure for resolving the following
bugs:

    * 886537 - "drop support for obsolete dev-libs/libpcre":
	_ngx_set_mod_depend() makes the http_rewrite module depend only
	on dev-libs/libpcre2.

    * 667102 - "...installing to one or more unexpected paths: /run":
	already fixed? In any case, this eclass makes sure NGINX does
	not install anything into /run in nginx_src_install().

    * 578658 - "silently ignoring USE=http":
	nginx.eclass introduces the "http" USE flag, which is a master
	switch for the whole http subsystem.

    * 573710 - "Add support for external 3rd party modules":
	nginx.eclass acts as a foundation for such support. The actual
	support for building dynamic modules will be in a separate
	eclass - nginx-module.eclass.

    * 735020 - "missing a USE flag for building --with-stream only":
	nginx.eclass adds the "stream" flag to IUSE, allowing the
	subsystem to be enabled without requiring to alter the
	NGINX_MODULES_STREAM variable.

    * 700866 - "use default log names":
	this eclass uses the default {access,error}.log filenames,
	instead of {access,error}_log.

    * 925098 - "www-servers/freenginx - new package":
	with this eclass, adding freenginx to the Gentoo tree is as
	simple as setting the aforementioned NGINX_* variables,
	inheriting nginx.eclass and setting the proper HOMEPAGE,
	DESCRIPTION and SRC_URI. It is crucial to also add a block on
	www-servers/nginx, so that the two packages are not installed
	simultaneously. Nonetheless, the procedure described above is not
	comprehensive; freenginx will not be regarded by the package
	manager as a drop-in replacement of F5's NGINX for external
	modules. To achieve this, a separate virtual/nginx ebuild must
	be created.

Bug: https://bugs.gentoo.org/886537
Bug: https://bugs.gentoo.org/667102
Bug: https://bugs.gentoo.org/578658
Bug: https://bugs.gentoo.org/573710
Bug: https://bugs.gentoo.org/735020
Bug: https://bugs.gentoo.org/700866
Bug: https://bugs.gentoo.org/925098
Signed-off-by: Zurab Kvachadze <zurabid2016@gmail.com>
---
 eclass/nginx.eclass | 774 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 774 insertions(+)
 create mode 100644 eclass/nginx.eclass

diff --git a/eclass/nginx.eclass b/eclass/nginx.eclass
new file mode 100644
index 000000000000..527171a7bc59
--- /dev/null
+++ b/eclass/nginx.eclass
@@ -0,0 +1,774 @@
+# Copyright 1999-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+# @ECLASS: nginx.eclass
+# @MAINTAINER:
+# Zurab Kvachadze <zurabid2016@gmail.com>
+# @AUTHOR:
+# Zurab Kvachadze <zurabid2016@gmail.com>
+# @SUPPORTED_EAPIS: 8
+# @PROVIDES: toolchain-funcs multiprocessing systemd perl-functions
+# @BLURB: Provides a common set of functions for building the NGINX server
+# @DESCRIPTION:
+# This eclass automates building, testing and installation of the NGINX server.
+# Essentially, apart from the advanced usage, the ebuild must only define 4
+# variables prior to inheriting the eclass, everything else is handled by the
+# nginx.eclass.
+# Refer to the individual variable descriptions for documentation. The required
+# variables are:
+#  - NGINX_SUBSYSTEMS
+#  - NGINX_MODULES
+#  - NGINX_UPDATE_STREAM
+#  - NGINX_TESTS_RV
+# And 1 optional variable (see description):
+#  - NGINX_MISC_FILES
+
+case ${EAPI} in
+	8) ;;
+	*) die "${ECLASS}: EAPI ${EAPI:-0} not supported" ;;
+esac
+
+if [[ -z ${_NGINX_ECLASS} ]]; then
+_NGINX_ECLASS=1
+
+inherit toolchain-funcs multiprocessing systemd perl-functions
+
+#----> ebuild-defined variables <-----
+
+# @ECLASS_VARIABLE: NGINX_SUBSYSTEMS
+# @PRE_INHERIT
+# @REQUIRED
+# @DESCRIPTION:
+# An array of individual NGINX "servers" or, as they are called in this eclass,
+# subsystems. An optional '+' prefix represents a default-enabled state.
+# The variable must be an exact representation of the upstream policy, i.e. the
+# subsystems that are enabled-by-default upstream must be prefixed with a '+' in
+# this array and the subsystems that are disabled-by-default must not be
+# prefixed with a '+'. Not following this rule will break NGINX build system. As
+# of the time of writing, there are 3 subsystems: "http", "stream", and "mail".
+# The naming is the exact representation of ./configure's '--with' and
+# '--without' options with the mentioned parts stripped and '+' appended where
+# relevant: '--without-http' -> '+http', '--with-stream' -> 'stream', etc.
+#
+# Example:
+# @CODE
+# NGINX_SUBSYSTEMS=( +http stream mail )
+# @CODE
+[[ ${#NGINX_SUBSYSTEMS[@]} -eq 0 ]] &&
+	die "The required NGINX_SUBSYSTEMS variable is unset or empty"
+
+# @ECLASS_VARIABLE: _NGX_SUBSYSTEMS
+# @INTERNAL
+# @DESCRIPTION:
+# Internal, read-only copy of NGINX_SUBSYSTEMS, used in various places in the
+# eclass.
+readonly _NGX_SUBSYSTEMS=( "${NGINX_SUBSYSTEMS[@]}" )
+
+# @ECLASS_VARIABLE: NGINX_MODULES
+# @PRE_INHERIT
+# @REQUIRED
+# @DESCRIPTION:
+# An array of bundled NGINX modules names with optional '+' prefix
+# representing a default-enabled state.
+# The variable must be an exact representation of the upstream policy, i.e. the
+# modules that are enabled-by-default upstream must be prefixed with a '+' in
+# this array and the modules that are disabled-by-default must not be prefixed
+# with a '+'. Not following this rule will break NGINX build system.
+# The naming scheme is exactly the same as used by the ./configure script with
+# '--with(out)' and '_module' parts stripped and the '+' prefix applied where
+# necessary: '--with-http_v2_module' -> 'http_v2',
+# '--without-http_autoindex_module' -> '+http_autoindex',
+# '--without-stream_limit_conn_module' -> '+stream_limit_conn', etc.
+#
+# Example:
+# @CODE
+# NGINX_MODULES=(
+# 	+http_rewrite http_ssl +http_gzip
+# 	+stream_access
+# 	+mail_imap
+#	http_{geoip,perl}
+# )
+# @CODE
+[[ ${#NGINX_MODULES[@]} -eq 0 ]] &&
+	die "The required NGINX_MODULES variable is unset or empty"
+
+# @ECLASS_VARIABLE: _NGX_MODULES
+# @INTERNAL
+# @DESCRIPTION:
+# Internal, read-only copy of NGINX_MODULES, used in various places in the
+# nginx.eclass.
+readonly _NGX_MODULES=( "${NGINX_MODULES[@]}" )
+
+# @ECLASS_VARIABLE: NGINX_UPDATE_STREAM
+# @PRE_INHERIT
+# @REQUIRED
+# @DESCRIPTION:
+# This variable must contain the update stream for NGINX. The list of all
+# possible update streams is set by the NGX_UPDATE_STREAMS_LIST variable. An
+# ebuild must not attempt to set SLOT manually. The eclass will automatically
+# set SLOT and add blocks on other update streams into RDEPEND variable, based
+# on this variable.
+# NGINX_UPDATE_STREAM might be set to a special value: 'live'. Doing this makes
+# the eclass fetch the live (latest) version of NGINX from its Mercurial
+# repository.
+# This behaviour can be further configured by setting the following variables
+# (refer to each variable description for documentation):
+#  - NGINX_HG_URI
+#  - NGINX_HG_TESTS_URI
+#
+# Example:
+# @CODE
+# NGINX_UPDATE_STREAM=mainline
+# @CODE
+
+# @ECLASS_VARIABLE: NGX_UPDATE_STREAMS_LIST
+# @DESCRIPTION:
+# Read-only array that contains all the possible NGINX update
+# streams.
+readonly NGX_UPDATE_STREAMS_LIST=( stable mainline live )
+
+[[ -z ${NGINX_UPDATE_STREAM} ]] &&
+	die "The required NGINX_UPDATE_STREAM variable is unset or empty"
+has "${NGINX_UPDATE_STREAM}" "${NGX_UPDATE_STREAMS_LIST[@]}" ||
+	die "Unknown update stream set in the NGINX_UPDATE_STREAM variable"
+
+[[ ${NGINX_UPDATE_STREAM} == live ]] && inherit mercurial
+
+# @ECLASS_VARIABLE: NGINX_TESTS_RV
+# @PRE_INHERIT
+# @REQUIRED
+# @DESCRIPTION:
+# This variable must contain a valid revision of nginx-tests[1] repository. The
+# tests for NGINX are unversioned, therefore their snapshot is obtained from the
+# specified revision.
+# Only in case the NGINX_UPDATE_STREAM variable is set to 'live', this variable
+# might alternatively be set exactly to 'live' in order to fetch the latest
+# revision of the nginx-tests[1] repository.
+# [1]: https://hg.nginx.org/nginx-tests/
+#
+# Example:
+# @CODE
+# NGINX_TESTS_REVISION=6e83940ac1df
+# @CODE
+[[ -z ${NGINX_TESTS_RV} ]] &&
+	die "The required NGINX_TESTS_RV variable is unset or empty"
+[[ ${NGINX_TESTS_RV} == live && ${NGINX_UPDATE_STREAM} != live ]] &&
+	die "Live tests can not be used with a non-live version of NGINX"
+
+# @ECLASS_VARIABLE: NGINX_HG_URI
+# @DESCRIPTION:
+# May be set to an alternative URI of NGINX Mercurial repository for the live
+# version to be fetched from. Defaults to "https://hg.nginx.org/nginx".
+: "${NGINX_HG_URI=https://hg.nginx.org/nginx}"
+
+# @ECLASS_VARIABLE: NGINX_HG_TESTS_URI
+# @DESCRIPTION:
+# May be set to an alternative URI of NGINX tests Mercurial repository for the
+# live version to be fetched from. Defaults to "https://hg.nginx.org/nginx-tests".
+: "${NGINX_HG_TESTS_URI=https://hg.nginx.org/nginx-tests}"
+
+# @ECLASS_VARIABLE: NGINX_MISC_FILES
+# @DEFAULT_UNSET
+# @DESCRIPTION:
+# This array holds the filenames of files in FILESDIR. The files that are
+# specified in this array are installed to various locations, based on
+# their file extension. The "file extension - path" mappings are as follows:
+#  '.conf'      -> '/etc/nginx'
+#  '.service'   ->  systemd unit directory
+#  '.initd'     -> '/etc/init.d'
+#  '.confd'     -> '/etc/conf.d'
+#  '.logrotate' -> '/etc/logrotate.d'
+# This variable exists to avoid (1) hardcoding specific versions of the files
+# that may change due to revisions (the revisions happen rather frequently in
+# case of NGINX), (2) repeating the code which installs the files in every
+# ebuild, and (3) requiring these miscellaneous files to exist at all.
+#
+# Example:
+# @CODE
+# NGINX_MISC_FILES=(
+#  nginx-r5.initd nginx-r4.conf nginx-r1.confd nginx-{r2.logrotate,r2.service}
+# )
+# @CODE
+
+# @ECLASS_VARIABLE: OVERRIDE_NGINX_MOD_REQUIRED_USE
+# @DEFAULT_UNSET
+# @PRE_INHERIT
+# @DESCRIPTION:
+# Set this to a non-empty value prior to inheriting the eclass to NOT
+# automatically fill the REQUIRED_USE variable with inter-module dependencies.
+# For details, see _ngx_set_mod_required_use() function description below.
+
+# @ECLASS_VARIABLE: OVERRIDE_NGINX_MOD_DEPEND
+# @DEFAULT_UNSET
+# @PRE_INHERIT
+# @DESCRIPTION:
+# Set this to a non-empty value prior to inheriting the eclass to NOT
+# automatically fill the BDEPEND, DEPEND, and RDEPEND variables with module
+# dependencies.
+# For details, see _ngx_set_mod_depend() function description below.
+
+# @ECLASS_VARIABLE: OVERRIDE_NGINX_MOD_TEST_DEPEND
+# @DEFAULT_UNSET
+# @PRE_INHERIT
+# @DESCRIPTION:
+# Set this to a non-empty value prior to inheriting the eclass to NOT
+# automatically fill the BDEPEND variable with module test dependencies.
+# For details, see _ngx_set_mod_test_depend() function description below.
+
+#----> ebuild setup <----
+
+# NGINX does not guarantee ABI stability (required by dynamic modules), SLOT is
+# set to reflect this.
+SLOT="${NGINX_UPDATE_STREAM}/${PV}"
+: "${DESCRIPTION=Robust, small and high performance HTTP and reverse proxy server}"
+: "${HOMEPAGE=https://nginx.org}"
+if [[ -z ${SRC_URI} ]]; then
+	if [[ ${NGINX_UPDATE_STREAM} != live ]]; then
+		SRC_URI="https://nginx.org/download/${P}.tar.gz"
+	fi
+	if [[ ${NGINX_TESTS_RV} != live ]]; then
+		SRC_URI+="
+			test? (
+				https://hg.nginx.org/nginx-tests/archive/${NGINX_TESTS_RV}.tar.gz ->
+					nginx-tests-${NGINX_TESTS_RV}.tar.gz
+			)
+		"
+	fi
+fi
+: "${LICENSE=BSD-2}"
+
+# @ECLASS_VARIABLE: NGX_TESTS_S
+# @OUTPUT_VARIABLE
+# @DESCRIPTION:
+# Variable set to the work directory of the NGINX tests.
+NGX_TESTS_S="${WORKDIR}/nginx-tests-${NGINX_TESTS_RV}"
+
+#----> Generic helper functions <-----
+
+# @FUNCTION: econf_ngx
+# @USAGE: [<args>...]
+# @DESCRIPTION:
+# Call ./configure, passing the supplied arguments.
+# The NGINX build system consists of many helper scripts, which are executed
+# relative to the working directory. Therefore, the function only supports
+# executing the ./configure script from the current working directory. This
+# function also checks whether the script is executable. If any of the above
+# conditions are not satisfied, the function aborts the build process with
+# 'die'. It also fails if the script itself exits with a non-zero exit code,
+# unless the function is called with 'nonfatal'.
+# If running ./configure is required, this is the way it should be done.
+econf_ngx() {
+	debug-print-function "${FUNCNAME[0]}" "$@"
+	[[ -x ./configure ]] ||
+		die "./configure is not present in the current working directory or is not executable"
+	echo "./configure ${*@Q}" >&2
+	./configure "$@"
+	# For some reason, NGINX ./configure returns 1 if it is used with the
+	# '--help' argument.
+	if [[ $? -ne 0 && $1 != --help ]]; then
+		die -n "./configure ${*@Q} failed"
+	fi
+}
+
+#----> USE logic <----
+
+# @FUNCTION: _ngx_populate_iuse
+# @INTERNAL
+# @DESCRIPTION:
+# Populates IUSE with parsed entries from NGINX_SUBSYSTEMS and NGINX_MODULES.
+_ngx_populate_iuse() {
+	local mod state
+	IUSE+=" ${_NGX_SUBSYSTEMS[*]}"
+	for mod in "${_NGX_MODULES[@]}"; do
+		if [[ "${mod:0:1}" == + || ${mod} == *_ssl ]]; then
+			state=+
+		else
+			state=''
+		fi
+		IUSE+=" ${state}nginx_modules_${mod#+}"
+	done
+}
+
+IUSE="aio debug libatomic +modules selinux test"
+REQUIRED_USE="|| ( ${_NGX_SUBSYSTEMS[*]#+} )"
+RESTRICT="!test? ( test )"
+
+_ngx_populate_iuse
+
+unset -f _ngx_populate_iuse
+
+#----> *DEPEND stuff <----
+
+BDEPEND="
+	test? (
+		dev-lang/perl
+		virtual/perl-IO-Compress
+		virtual/perl-Test-Simple
+		virtual/perl-Test-Harness
+	)
+"
+
+DEPEND="
+	acct-group/nginx
+	acct-user/nginx
+	virtual/libcrypt
+	libatomic? ( dev-libs/libatomic_ops )
+"
+
+RDEPEND="
+	${DEPEND}
+	app-misc/mime-types[nginx]
+	selinux? ( sec-policy/selinux-nginx )
+"
+
+
+# @FUNCTION: _ngx_set_blocks
+# @INTERNAL
+# @USAGE: <chosen_update_stream> <possible_upd_stream1> [<possible_upd_stream2>...]
+# @DESCRIPTION:
+# Set blocks on all the supplied update streams apart from the chosen one.
+_ngx_set_blocks() {
+	debug-print-function "${FUNCNAME[0]}" "$@"
+	[[ $# -ge 2 ]] || die "${FUNCNAME[0]} must receive at least two arguments"
+	local chosen candidate
+	chosen="$1"
+	shift
+	for candidate; do
+		[[ ${candidate} != "${chosen}" ]] &&
+			RDEPEND+=" !${CATEGORY}/${PN}:${candidate}"
+	done
+}
+
+# Null at the end makes the function also block the legacy unslotted NGINX versions.
+_ngx_set_blocks "${NGINX_UPDATE_STREAM}" "${NGX_UPDATE_STREAMS_LIST[@]}" 0
+
+
+# @FUNCTION: _ngx_set_mod_required_use
+# @INTERNAL
+# @DESCRIPTION:
+# Sets the REQUIRED_USE variable for inter-modules dependencies. The subscript
+# specifies the target module and the value is a comma separated list of the
+# modules the subscript depends on.
+# This function comes with a predefined associative array of dependencies (that
+# should be updated, in case they change, get added/removed), for each ebuild
+# to not redundantly specify these.
+# The function adds dependencies only if the corresponding module is specified
+# in the NGINX_MODULES variable, defined by the ebuild. Therefore, it is safe
+# to add new modules to the default list, since the respective dependencies
+# will not be set for the versions that do not have the modules in question.
+# This function is always executed, unless OVERRIDE_NGINX_MOD_REQUIRED_USE is
+# set to a non-empty value (see the variable description).
+_ngx_set_mod_required_use() {
+	local -A _NGX_DEP_TABLE=(
+		[http_v3]=http_ssl
+		[http_grpc]=http_v2
+	)
+
+	local mod dep_list dep result
+	# Iterate over all the indexes.
+	for mod in "${!_NGX_DEP_TABLE[@]}"; do
+		if has "${mod}" "${_NGX_MODULES[@]}"; then
+			result=''
+			# Feed the comma-delimited dependencies into the dep_list array.
+			IFS=, read -ra dep_list <<< "${_NGX_DEP_TABLE[${mod}]}"
+			for dep in "${dep_list[@]}"; do
+				has "${dep}" "${_NGX_MODULES[@]}" &&
+					result+=" nginx_modules_${dep}"
+			done
+			[[ -n ${result} ]] &&
+				REQUIRED_USE+="
+					nginx_modules_${mod}? ( ${result} )
+				"
+		fi
+	done
+}
+
+# @FUNCTION: _ngx_set_mod_depend
+# @INTERNAL
+# @DESCRIPTION:
+# Fills the {,B,R}DEPEND variables with external module dependencies.
+# This function comes with a predefined associative array of dependencies (that
+# should be updated, in case they change, get added/removed), for each ebuild to
+# not redundantly specify these.
+# The function adds dependencies only if the corresponding module is specified
+# in the NGINX_MODULES variable, defined by the ebuild. Therefore, it is safe to
+# add new modules to the default list, since they will not propagate to the
+# versions that do not have the modules in question.
+# This function is always executed, unless OVERRIDE_NGINX_MOD_DEPEND is set to a
+# non-empty value (see the variable description).
+_ngx_set_mod_depend() {
+	# The highest common denominator of module dependencies.
+	local -A CDEPEND=(
+		[http_image_filter]="media-libs/gd:="
+		[http_geoip]="dev-libs/geoip"
+		[http_gunzip]="sys-libs/zlib:="
+		[http_gzip]="sys-libs/zlib:="
+		[http_rewrite]="dev-libs/libpcre2:="
+		[http_ssl]="dev-libs/openssl:="
+		# http_v3 requires NGINX QUIC compatibility layer that uses
+		# SSL_CTX_add_custom_ext OpenSSL interface, which was introduced in
+		# OpenSSL 1.1.1.
+		[http_v3]=">=dev-libs/openssl-1.1.1:="
+		[http_xslt]="
+			dev-libs/libxml2:=
+			dev-libs/libxslt
+		"
+		[mail_ssl]="dev-libs/openssl:="
+		[stream_geoip]="dev-libs/geoip"
+		[stream_ssl]="dev-libs/openssl:="
+	)
+	local CDEPEND_DEF
+	# Bash does not have an easy way to copy an associative array, so its value
+	# is obtained using the 'declare' builtin.
+	CDEPEND_DEF="$(declare -p CDEPEND)"
+
+	local -A _NGX_MOD_BDEPEND=(
+		[http_perl]="dev-lang/perl"
+	)
+	local -A _NGX_MOD_DEPEND="${CDEPEND_DEF#*=}"
+	_NGX_MOD_DEPEND+=(
+		[http_perl]="dev-lang/perl"
+	)
+	local -A _NGX_MOD_RDEPEND="${CDEPEND_DEF#*=}"
+	_NGX_MOD_RDEPEND+=(
+		[http_perl]="dev-lang/perl:="
+	)
+
+	local mod dep_type dep_table
+	# Make dep_table a reference to one of the _NGX_MOD_* variables defined
+	# above, then make dep_type itself a reference to the dependency variable.
+	for dep_type in {,B,R}DEPEND; do
+		declare -n dep_table="_NGX_MOD_${dep_type}"
+		declare -n dep_type
+		# Iterate over all the indexes of the referenced variable.
+		for mod in "${!dep_table[@]}"; do
+			if has "${mod}" "${_NGX_MODULES[@]}"; then
+				dep_type+=" nginx_modules_${mod}? ( ${dep_table[${mod}]} )"
+			fi
+		done
+		# Reset the 'name reference' attribute.
+		declare +n dep_table dep_type
+	done
+}
+
+# @FUNCTION: _ngx_set_mod_test_depend
+# @INTERNAL
+# @DESCRIPTION:
+# Fills the BDEPEND variable with module test dependencies.
+# This function comes with a predefined associative array of dependencies (that
+# should be updated, in case they change, get added/removed), for each ebuild to
+# not redundantly specify these.
+# The function adds dependencies only if the corresponding module is specified
+# in the NGINX_MODULES variable, defined by the ebuild. Therefore, it is safe to
+# add new modules to the default list, since they will not propagate to the
+# versions that do not have the modules in question.
+# This function is always executed, unless OVERRIDE_NGINX_MOD_TEST_DEPEND is set
+# to a non-empty value (see the variable description).
+_ngx_set_mod_test_depend() {
+	# A few notes:
+	#  - http_scgi needs SCGI Perl module, which is not packaged by Gentoo,
+	#  - http_proxy needs Protocol::Websocket, not packaged by Gentoo.
+	local -A _NGX_MOD_TEST_DEP=(
+			[http_fastcgi]="dev-perl/FCGI"
+			[http_image_filter]="dev-perl/GD"
+			[http_memcached]="
+				dev-perl/Cache-Memcached
+				dev-perl/Cache-Memcached-Fast
+				net-misc/memcached
+			"
+			[http_ssl]="
+				dev-perl/IO-Socket-SSL
+				dev-perl/Net-SSLeay
+			"
+			[http_v3]="dev-perl/CryptX"
+			[mail_ssl]="dev-perl/IO-Socket-SSL"
+			[stream_ssl]="dev-perl/IO-Socket-SSL"
+	)
+	local mod result=
+	for mod in "${!_NGX_MOD_TEST_DEP[@]}"; do
+		if has "${mod}" "${_NGX_MODULES[@]}"; then
+			result+=" nginx_modules_${mod}? ( ${_NGX_MOD_TEST_DEP[${mod}]} )"
+		fi
+	done
+	[[ -n ${result} ]] &&
+		BDEPEND+=" test? ( ${result} )"
+}
+
+[[ -z ${OVERRIDE_NGINX_MOD_REQUIRED_USE} ]] &&
+	_ngx_set_mod_required_use
+
+[[ -z ${OVERRIDE_NGINX_MOD_DEPEND} ]] &&
+	_ngx_set_mod_depend
+
+[[ -z ${OVERRIDE_NGINX_MOD_TEST_DEPEND} ]] &&
+	_ngx_set_mod_test_depend
+
+unset -f _ngx_set_blocks _ngx_set_mod_required_use _ngx_set_mod_depend \
+	_ngx_set_mod_test_depend
+
+#----> Phase functions <----
+
+# @FUNCTION: nginx_src_unpack
+# @DESCRIPTION:
+# Unpacks the NGINX sources. For the live version of NGINX, fetches the tip
+# of the Mercurial repository.
+nginx_src_unpack() {
+	if [[ ${NGINX_UPDATE_STREAM} == live ]]; then
+		mercurial_fetch "${NGINX_HG_URI}"
+		# In Mercurial repo, ./configure script is located in auto/ folder.
+		mv "${S}/auto/configure" "${S}/configure" || die "mv failed"
+		# Non-live tests for any update stream are taken care of in SRC_URI.
+		if use test && [[ ${NGINX_TESTS_RV} == live ]]; then
+			local EHG_CHECKOUT_DIR="${NGX_TESTS_S}"
+			mercurial_fetch "${NGINX_HG_TESTS_URI}"
+		fi
+	fi
+	default
+}
+
+# @FUNCTION: nginx_src_configure
+# @DESCRIPTION:
+# Configures NGINX. It initialises the default set of configure flags, coupled
+# with the USE-conditional ones. The function also automatically disables and
+# enables NGINX modules and subsystems set in NGINX_MODULES and NGINX_SUBSYSTEMS
+# respectively.
+# Custom flags can be supplied via the 'myconf' array, taking precedence over
+# the eclass flags.
+nginx_src_configure() {
+	debug-print-function "${FUNCNAME[0]}" "$@"
+	local nginx_flags
+	nginx_flags=(
+		--with-cc="$(tc-getCC)"
+		--with-cpp="$(tc-getCPP)"
+		--with-ld-opt="${LDFLAGS}"
+		--builddir=build
+		# NGINX loads modules relative to the prefix, not modules-path
+		--prefix="${EPREFIX}/usr/$(get_libdir)/nginx"
+		--sbin-path="${EPREFIX}/usr/sbin/nginx"
+		--modules-path="${EPREFIX}/usr/$(get_libdir)/nginx/modules"
+		--conf-path="${EPREFIX}/etc/nginx/nginx.conf"
+		--error-log-path="${EPREFIX}/var/log/nginx/error.log"
+		--http-log-path="${EPREFIX}/var/log/nginx/access.log"
+		--pid-path="${EPREFIX}/run/nginx.pid"
+		--lock-path="${EPREFIX}/run/lock/nginx.lock"
+		--user=nginx
+		--group=nginx
+		--with-threads
+	)
+
+	use aio        && nginx_flags+=( --with-file-aio )
+	use debug      && nginx_flags+=( --with-debug )
+	use libatomic  && nginx_flags+=( --with-libatomic )
+	use modules    && nginx_flags+=( --with-compat )
+
+	# Fix paths for various temporary files.
+	local conf _txt
+	while read -r conf _txt; do
+		conf="${conf%%-temp-path*}"
+		conf="${conf#--http-}"
+		nginx_flags+=(
+			"--http-${conf}-temp-path=${EPREFIX}/var/tmp/nginx/${conf//-/_}_temp"
+		)
+	done < <(econf_ngx --help 2>/dev/null | grep -E -- '--http-([A-Za-z]+-?)+-temp-path')
+	unset conf _txt
+
+	# For each subsystem and module we check if they diverge from their default
+	# state and, if that is the case, we pass the corresponding flag to the
+	# ./configure script.
+	# This is done this way because NGINX build system does not understand
+	# arguments that set options to their default state, e.g. ./configure does
+	# not recognise arguments like '--with-http_rewrite_module', only
+	# '--without-http_rewrite_module', as http_rewrite module is enabled by
+	# default.
+	local subsys mod def_state cur_state
+	for subsys in "${_NGX_SUBSYSTEMS[@]}"; do
+		use "${subsys#+}"; cur_state=$?
+		[[ ${subsys:0:1} == + ]]; def_state=$?
+		if [[ cur_state -ne def_state ]]; then
+			nginx_flags+=( "$(use_with "${subsys#+}")" )
+		fi
+	done
+	for mod in "${_NGX_MODULES[@]}"; do
+		use "nginx_modules_${mod#+}"; cur_state=$?
+		[[ ${mod:0:1} == + ]]; def_state=$?
+		if [[ cur_state -ne def_state ]]; then
+			nginx_flags+=( "$(use_with "nginx_modules_${mod#+}" "${mod#+}_module")" )
+		fi
+	done
+	unset subsys mod def_state cur_state
+
+	# Handle arguments containing quoted whitespace.
+	eval "local -a EXTRA_ECONF=( ${EXTRA_ECONF} )"
+
+	# You never know when bug #286772 may get you.
+	LC_ALL=C LANG=C econf_ngx	\
+		"${nginx_flags[@]}"		\
+		"${myconf[@]}"			\
+		"${EXTRA_ECONF[@]}"
+
+	sed -E -i \
+		-e 's|\$\(LINK\)|$(LINK) $(CFLAGS)|' \
+		-e '/^\s*LIB= \\$/d' \
+		-e '/^\s*INSTALLSITEMAN3DIR= \\$/d' \
+			build/Makefile || die "sed failed"
+}
+
+# @FUNCTION: nginx_src_compile
+# @DESCRIPTION:
+# Compiles NGINX, setting the correct installation directories for the
+# Perl-related files.
+nginx_src_compile() {
+	PERL_MM_OPT='INSTALLDIRS=vendor' emake
+}
+
+# @FUNCTION: nginx_src_test
+# @DESCRIPTION:
+# Performs tests on the compiled NGINX binary, using Perl's prove.
+nginx_src_test() {
+	pushd "${NGX_TESTS_S}" >/dev/null || die "pushd failed"
+	echo "prove -j $(makeopts_jobs) ." >&2
+	TEST_NGINX_BINARY="${S}/build/nginx" prove -j "$(makeopts_jobs)" .
+	popd >/dev/null || die "popd failed"
+}
+
+# @FUNCTION: nginx_src_install
+# @DESCRIPTION:
+# Installs NGINX, including miscellaneous directories under '/var' and
+# documentation. Vimfiles from 'contrib/vim' are also installed by this
+# function. All the files specified in the NGINX_MISC_FILES array are installed
+# in their respective directories.
+# If 'modules' USE flag is enabled, the build system (the './configure' script
+# and the scripts in the 'auto/' directory) is installed into '/usr/src/nginx'
+# and NGINX headers into '/usr/include/nginx'.
+nginx_src_install() {
+	debug-print-function "${FUNCNAME[0]}" "$@"
+	emake DESTDIR="${ED}" install
+	keepdir "/usr/$(get_libdir)/nginx/modules"
+
+	keepdir /var/log/nginx
+	# Set the proper permissions on /var/log/nginx to mitigate CVE-2016-1247
+	# (bug #605008).
+	fperms 0750 /var/log/nginx
+	fowners root:nginx /var/log/nginx
+	# NGINX desperately wants to *install* its pidfile (and some web pages).
+	# Unfortunately, we can not let it do this...
+	rm -r "${ED}/run" "${ED}/usr/$(get_libdir)/nginx/html" || die "rm failed"
+	# The default directory for serving web content.
+	keepdir /var/www
+
+	# Clean /etc/nginx from unneeded files and move the directory to
+	# /usr/share/nginx.
+	pushd "${ED}/etc/nginx" >/dev/null || die "pushd failed"
+	# mime-types* are provided by app-misc/mime-types[nginx], .default config
+	# files are redundant due to CONFIG_PROTECT and fastcgi.conf is a copy of
+	# fastcgi_params. As for nginx.conf, we ship our own config file.
+	rm -- *.default mime.types fastcgi.conf nginx.conf || die "rm failed"
+	popd >/dev/null || die "Returning to the previous directory failed"
+
+	dodir /usr/share
+	mv "${ED}/etc/nginx" "${ED}/usr/share/nginx" || die "mv failed"
+
+	insinto /usr/share/nginx
+	if [[ ${NGINX_UPDATE_STREAM} != live ]]; then
+		dodoc CHANGES* LICENSE README
+		doins html/*.html
+	else
+		# The Mercurial version has a slightly different file structure.
+		dodoc docs/text/{LICENSE,README}
+		doins docs/html/*.html
+	fi
+	doman build/nginx.8
+
+	# Install miscellaneous files in the proper directories, based on their file
+	# extension (see the description of the NGINX_MISC_FILES variable).
+	local mfile
+	for mfile in "${NGINX_MISC_FILES[@]}"; do
+		case "${mfile}" in
+			*.conf) insinto /etc/nginx; newins "${FILESDIR}/${mfile}" nginx.conf ;;
+			*.service) systemd_newunit "${FILESDIR}/${mfile}" nginx.service ;;
+			*.initd) exeinto /etc/init.d; newexe "${FILESDIR}/${mfile}" nginx ;;
+			*.confd) insinto /etc/conf.d; newins "${FILESDIR}/${mfile}" nginx ;;
+			*.logrotate) insinto /etc/logrotate.d; newins "${FILESDIR}/${mfile}" nginx ;;
+			*) die "Unknown file in NGINX_MISC_FILES: ${mfile}. Please file a bug" ;;
+		esac
+	done
+
+	# Install vimfiles from 'contrib/vim'.
+	insinto /usr/share/vim/vimfiles
+	doins -r contrib/vim/*
+
+	if in_iuse nginx_modules_http_perl && use nginx_modules_http_perl; then
+		perl_delete_module_manpages
+		perl_delete_localpod
+		perl_fix_packlist
+	fi
+
+	# For the rationale of the following, see nginx-module.eclass.
+	if use modules; then
+		# Install the headers into /usr/include/nginx.
+		insinto /usr/include/nginx
+		doins -r src/*
+		find "${ED}/usr/include/nginx" -type f -not -name '*.h' -delete ||
+			die "find failed"
+		find "${ED}/usr/include/nginx" -type d -empty -delete ||
+			die "find failed"
+		# Install the auto-generated headers with #define's to not handle the
+		# saving and restoration of configuration flags. This is needed for the
+		# compilation of dynamic modules, since NGINX does not guarantee API
+		# stability.
+		insinto /usr/include/nginx
+		doins build/ngx_auto_{config,headers}.h
+		# The directory where third-party modules should save their own headers.
+		keepdir /usr/include/nginx/modules
+
+		# Copy the build system of NGINX to /usr/src/nginx.
+		insinto /usr/src/nginx
+		doins -r auto
+
+		# Disable several checks if the _NGINX_GENTOO_SKIP_PHASES variable is
+		# set to a non-empty value during the invocation of ./configure script.
+		# This is done since (1) these scripts do not have any effect on the
+		# build process of third-party modules and (2) they considerably
+		# increase configuration time.
+		sed -E -i \
+			's#^\s*\. auto/(unix|lib/conf|headers|summary)$# \
+			[ -z "${_NGINX_GENTOO_SKIP_PHASES}" ] \&\& &#' \
+			configure || die "sed failed"
+		# The last statement in ./configure is [ -z "${_NGINX_GENTOO... ]. If
+		# _NGINX_GENTOO_SKIP_PHASES is non-empty, it evaluates to false and the
+		# whole ./configure script exits with non-zero exit status. This is done
+		# to always return zero upon reaching the end of the script.
+		echo ':' >> configure
+		exeinto /usr/src/nginx
+		doexe configure
+
+		# Install the @nginx-module-rebuild set, which groups all the packages
+		# that have NGINX in BDEPEND, i.e. third-party modules.
+		dodir /usr/share/portage/config/sets
+		cat <<- EOF > "${ED}/usr/share/portage/config/sets/nginx-modules.conf" || die "cat failed"
+			[nginx-modules-rebuild]
+			class = portage.sets.dbapi.VariableSet
+			variable = BDEPEND
+			includes = ${CATEGORY}/${PN}
+		EOF
+	fi
+}
+
+# @FUNCTION: nginx_pkg_postinst
+# @DESCRIPTION:
+# Shows various warnings and informational messages to a user.
+nginx_pkg_postinst() {
+	if use modules && [[ ${NGINX_UPDATE_STREAM} == live ]]; then
+		ewarn "The live NGINX package is used with modules enabled."
+		elog "NGINX does not have a stable API or ABI, therefore it is"
+		elog "necessary for the exact version used to compile a module"
+		elog "to match the one used at runtime to load the module."
+		elog "To be able to use NGINX modules compiled against previous"
+		elog "version of NGINX, they must be rebuilt."
+		elog "Run 'emerge @nginx-module-rebuild' to rebuild all NGINX modules."
+	fi
+}
+
+fi
+
+EXPORT_FUNCTIONS src_unpack src_configure src_compile src_test src_install pkg_postinst
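Review bot: in nginx_src_test() the exit status of prove is never checked, so the function ends with the status of the following popd and a failing test run does not abort the phase; append `|| die "prove failed"` to the `TEST_NGINX_BINARY=... prove -j "$(makeopts_jobs)" .` line. Separately, nginx_src_install() writes the set section as `[nginx-modules-rebuild]` into nginx-modules.conf, while the comment above it and the nginx_pkg_postinst() message both say `@nginx-module-rebuild`. The command the user is told to run therefore names a set that does not match the installed section, and that command is the only documented way to rebuild modules against the new NGINX. Pick one spelling and use it in all three places.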
-- 
2.44.2




* [gentoo-dev] [RFC PATCH 02/19] nginx-module.eclass: Add new eclass for building NGINX external modules
  2024-07-17 12:05 [gentoo-dev] [RFC PATCH 00/19] Rework NGINX packaging in Gentoo by introducing nginx{,-module}.eclass Zurab Kvachadze
  2024-07-17 12:05 ` [gentoo-dev] [RFC PATCH 01/19] nginx.eclass: Add new eclass for building the NGINX server Zurab Kvachadze
@ 2024-07-17 12:05 ` Zurab Kvachadze
  2024-07-17 12:05 ` [gentoo-dev] [RFC PATCH 03/19] www-servers/nginx: add myself as a proxy maintainer; update metadata.xml Zurab Kvachadze
                   ` (16 subsequent siblings)
  18 siblings, 0 replies; 30+ messages in thread
From: Zurab Kvachadze @ 2024-07-17 12:05 UTC (permalink / raw
  To: gentoo-dev; +Cc: Zurab Kvachadze

Currently, it is impossible for NGINX external modules to be packaged
on their own, separately from the NGINX ebuild. The nginx-module.eclass
enables packaging third party NGINX modules as any other software in the
Gentoo tree.

The eclass builds on the foundation provided by nginx.eclass.

NGINX modules are somewhat special in the way they are built. In
addition to (obviously) requiring NGINX headers, their build system is
the one of NGINX. Actually, they are intended to be built and installed
alongside the NGINX server, but, luckily, it is possible to successfully
build a module, given (1) the headers, (2) the build system and the
exact same (3) ./configure flags that have been used to configure NGINX
itself are present. The points (1) and (2) are taken for granted here,
as nginx.eclass takes care of them:

    * headers are installed into /usr/include/nginx

    * build system is installed into /usr/src/nginx

As for the (3) point, the configuration flags are recorded into
ngx_auto_config.h file as preprocessor #define's. The file is also saved
into /usr/include/nginx.

The build process takes place in the ${WORKDIR}/nginx directory, which
has 3 symlinks:
    * src/        -> /usr/include/nginx
    * configure   -> /usr/src/nginx/configure
    * auto/       -> /usr/src/nginx/auto
The build is the exact same as building a module "in-tree": the
./configure script is called with the '--add-dynamic-module' flag. The
rest of the eclass is really simple; src_compile() executes 'make
modules' and src_install() installs the compiled shared objects into
/usr/$(get_libdir)/nginx/modules.

Closes: https://bugs.gentoo.org/573710
Signed-off-by: Zurab Kvachadze <zurabid2016@gmail.com>
---
 eclass/nginx-module.eclass | 180 +++++++++++++++++++++++++++++++++++++
 1 file changed, 180 insertions(+)
 create mode 100644 eclass/nginx-module.eclass

diff --git a/eclass/nginx-module.eclass b/eclass/nginx-module.eclass
new file mode 100644
index 000000000000..4f2a1e6c6ed6
--- /dev/null
+++ b/eclass/nginx-module.eclass
@@ -0,0 +1,180 @@
+# Copyright 1999-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+# @ECLASS: nginx-module.eclass
+# @MAINTAINER:
+# Zurab Kvachadze <zurabid2016@gmail.com>
+# @AUTHOR:
+# Zurab Kvachadze <zurabid2016@gmail.com>
+# @SUPPORTED_EAPIS: 8
+# @PROVIDES: toolchain-funcs flag-o-matic
+# @BLURB: Provides a common set of functions for building NGINX's dynamic modules
+# @DESCRIPTION:
+# The nginx-module.eclass automates configuring, building and installing NGINX's
+# dynamic modules. Using this eclass is as simple as calling 'inherit nginx-module'.
+#
+# This eclass automatically adds dependency on NGINX. If the part of the
+# module's functionality depends on the NGINX configuration (e.g.
+# HMAC generation support depending on http_ssl module being enabled), the
+# corresponding code should be rewritten so that the functionality in question
+# (1) is unconditionally enabled/disabled or (2) could be toggled by a USE flag.
+#
+# If the module makes use of the ngx_devel_kit (NDK), it must make sure to
+# add that to the relevant *DEPEND variables and to call "append-cflags -DNDK",
+# since (obviously) the NDK is not built alongside the module.
+
+case ${EAPI} in
+	8) ;;
+	*) die "${ECLASS}: EAPI ${EAPI:-0} not supported" ;;
+esac
+
+if [[ -z ${_NGINX_MODULE_ECLASS} ]]; then
+_NGINX_MODULE_ECLASS=1
+
+inherit toolchain-funcs flag-o-matic
+
+# @FUNCTION: econf_ngx
+# @USAGE: [<args>...]
+# @DESCRIPTION:
+# Call ./configure, passing the supplied arguments.
+# The NGINX's build system consists of many helper scripts, which are executed
+# relative to the working directory. Therefore, the function only supports
+# executing the configure script from the current working directory. This
+# function also checks whether the script is executable. If any of the above
+# conditions are not satisfied, the function aborts the build process with
+# 'die'. It also fails if the script itself exits with a non-zero exit code,
+# unless the function is called with 'nonfatal'.
+# If running ./configure is required, this is the way it should be done.
+econf_ngx() {
+	debug-print-function "${FUNCNAME[0]}" "$@"
+	[[ ! -x ./configure ]] &&
+		die "./configure is not present in the current working directory or is not executable"
+	echo "./configure ${*@Q}" >&2
+	./configure "$@"
+	# For some reason, NGINX's ./configure returns 1 if it is used with the
+	# '--help' argument.
+	if [[ $? -ne 0 && "$1" != --help ]]; then
+		die -n "./configure ${*@Q} failed"
+	fi
+}
+
+# As per upstream documentation, modules must be rebuilt with each NGINX
+# upgrade.
+DEPEND="
+	www-servers/nginx:=[modules(-)]
+"
+BDEPEND="${DEPEND}"
+RDEPEND="${DEPEND}"
+
+# @ECLASS_VARIABLE: NGINX_MOD_S
+# @DESCRIPTION:
+# Holds the path to the module's build directory, used in the
+# nginx-module_src_configure() phase function. Defaults to ${S}. Can be changed
+# by the ebuild.
+: "${NGINX_MOD_S=${S}}"
+
+# The ${S} variable is set to the path of the directory where the actual build
+# will be performed. In this directory, symbolic links to NGINX's build system
+# and NGINX's headers are created by the nginx-module_src_unpack() phase
+# function.
+S="${WORKDIR}/nginx"
+
+
+# @FUNCTION: nginx-module_src_unpack
+# @DESCRIPTION:
+# Unpacks the sources and sets up the build directory in S=${WORKDIR}/nginx.
+# Creates the following symbolic links (to not copy the files over):
+#  - '${S}/src' -> '/usr/include/nginx',
+#  - '${S}/auto' -> '/usr/src/nginx/auto',
+#  - '${S}/configure' -> '/usr/src/nginx/configure'.
+# For additional information, see nginx.eclass source, namely
+# nginx_src_install() function.
+nginx-module_src_unpack() {
+	default
+	mkdir nginx || die "mkdir failed"
+	ln -s "${BROOT}/usr/src/nginx/configure" nginx/configure || die "ln failed"
+	ln -s "${BROOT}/usr/src/nginx/auto" nginx/auto || die "ln failed"
+	ln -s "${ESYSROOT}/usr/include/nginx" nginx/src || die "ln failed"
+}
+
+# @FUNCTION: nginx-module_src_prepare
+# @DESCRIPTION:
+# Patches module's initialisation code so that any module's preprocessor
+# definitions appear in the separate '__ngx_gentoo_mod_config.h' file inside the
+# 'build' directory. This function also makes module's "config" script clear
+# whatever content build/ngx_auto_config.h may have at the time of invocation.
+# Then, default_src_prepare() is called.
+nginx-module_src_prepare() {
+	sed -i -e '1i\' -e ': > build/ngx_auto_config.h' "${NGINX_MOD_S}/config"
+	echo 'mv build/ngx_auto_config.h build/__ngx_gentoo_mod_config.h' \
+		>> "${NGINX_MOD_S}/config"
+	default_src_prepare
+}
+
+# @FUNCTION: nginx-module_src_configure
+# @DESCRIPTION:
+# Configures the dynamic module(s) by calling NGINX's ./configure script.
+# Custom flags can be supplied via the 'myconf' array, taking precedence over
+# eclass's flags.
+# This assembles ngx_auto_config.h from the system ngx_auto_config.h and
+# __ngx_gentoo_mod_config.h (see nginx-module_src_prepare()), and
+# ngx_auto_headers.h from the system ngx_auto_headers.h.
+nginx-module_src_configure() {
+	local ngx_mod_flags
+	ngx_mod_flags=(
+		--with-cc="$(tc-getCC)"
+		--with-cpp="$(tc-getCPP)"
+		# The '-isystem' flag is used instead of '-I', so as for the installed
+		# (system) modules' headers to be of lower priority than the headers of
+		# the currently built module. This only affects the modules that both
+		# come with and install their own headers, e.g. ngx_devel_kit.
+		--with-cc-opt="-isystem src/modules"
+		--with-ld-opt="${LDFLAGS}"
+		--builddir=build
+		--add-dynamic-module="${NGINX_MOD_S}"
+	)
+
+	# NGINX build system adds directories under src/ to the include path based
+	# on selected modules. Since nginx.eclass does not save/restore the
+	# configuration flags, we have to add the directories to the include path
+	# manually.
+	# The src/os is added automatically by the auto/unix script and the
+	# src/modules directory is included by the '--with-cc-opt' configuration
+	# flag.
+	append-cflags "$(find -H src -mindepth 1 -type d \! \( \( -path 'src/os' -o \
+						-path 'src/modules' \) -prune \) -printf '-I %p ')"
+
+	eval "local -a EXTRA_ECONF=( ${EXTRA_ECONF} )"
+
+	# Setting the required environmental variables to skip the unneeded
+	# execution of certain scripts (see nginx_src_install() in nginx.eclass).
+	_NGINX_GENTOO_SKIP_PHASES=1 econf_ngx \
+		"${ngx_mod_flags[@]}"	\
+		"${myconf[@]}"			\
+		"${EXTRA_ECONF[@]}"
+
+	cat "${ESYSROOT}/usr/include/nginx/ngx_auto_config.h" \
+		build/__ngx_gentoo_mod_config.h > build/ngx_auto_config.h ||
+		die "cat failed"
+	cp "${ESYSROOT}/usr/include/nginx/ngx_auto_headers.h" build ||
+		die "cp failed"
+}
+
+# @FUNCTION: nginx-module_src_compile
+# @DESCRIPTION:
+# Compiles the module(s) by calling "make modules".
+nginx-module_src_compile() {
+	emake modules
+}
+
+# @FUNCTION: nginx-module_src_install
+# @DESCRIPTION:
+# Installs the compiled module(s) into /usr/${libdir}/nginx/modules.
+nginx-module_src_install() {
+	insinto "/usr/$(get_libdir)/nginx/modules"
+	doins build/*.so
+}
+
+fi
+
+EXPORT_FUNCTIONS src_unpack src_prepare src_configure src_compile src_install
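Review bot: in nginx-module_src_prepare() neither the `sed -i` that prepends `: > build/ngx_auto_config.h` to `${NGINX_MOD_S}/config` nor the `echo ... >> "${NGINX_MOD_S}/config"` that appends the `mv` is followed by `|| die`, unlike the ln, cat and cp calls elsewhere in this file. These two edits are what produce build/__ngx_gentoo_mod_config.h, which nginx-module_src_configure() later concatenates with the system ngx_auto_config.h, so a failure here (for example a wrong NGINX_MOD_S) should stop the build at this point rather than surface in a later phase. Add `|| die "sed failed"` and `|| die "echo failed"` to the two commands.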
-- 
2.44.2




* [gentoo-dev] [RFC PATCH 03/19] www-servers/nginx: add myself as a proxy maintainer; update metadata.xml
  2024-07-17 12:05 [gentoo-dev] [RFC PATCH 00/19] Rework NGINX packaging in Gentoo by introducing nginx{,-module}.eclass Zurab Kvachadze
  2024-07-17 12:05 ` [gentoo-dev] [RFC PATCH 01/19] nginx.eclass: Add new eclass for building the NGINX server Zurab Kvachadze
  2024-07-17 12:05 ` [gentoo-dev] [RFC PATCH 02/19] nginx-module.eclass: Add new eclass for building NGINX external modules Zurab Kvachadze
@ 2024-07-17 12:05 ` Zurab Kvachadze
  2024-07-17 12:05 ` [gentoo-dev] [RFC PATCH 04/19] www-servers/nginx: add nginx-r5.initd Zurab Kvachadze
                   ` (15 subsequent siblings)
  18 siblings, 0 replies; 30+ messages in thread
From: Zurab Kvachadze @ 2024-07-17 12:05 UTC (permalink / raw
  To: gentoo-dev; +Cc: Zurab Kvachadze

With this commit I am stepping up to maintain the www-servers/nginx
package.

In addition to changing the maintainer tags, this commit also makes the
following modifications to the metadata.xml:
  1. Added longdescription from [1].
  2. Changed descriptions for "aio", "http", "libatomic" USE flags.
  3. Added descriptions for "debug", "mail" and "stream" USE flags.
     These USE flags were introduced by nginx.eclass.
  4. Add <doc>, <bugs-to> and <remote-id> elements under the <upstream>
     element; update vendor in NGINX's CPE.
  5. Remove all the <remote-id>'s, since they mention third party
     modules, not NGINX itself.

[1]: https://nginx.org/en/

Signed-off-by: Zurab Kvachadze <zurabid2016@gmail.com>
---
 www-servers/nginx/metadata.xml | 61 +++++++++++++++++++++++-----------
 1 file changed, 41 insertions(+), 20 deletions(-)

diff --git a/www-servers/nginx/metadata.xml b/www-servers/nginx/metadata.xml
index 820efd9d7322..bcde3a07f064 100644
--- a/www-servers/nginx/metadata.xml
+++ b/www-servers/nginx/metadata.xml
@@ -1,24 +1,45 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
 <pkgmetadata>
-  <!-- maintainer-needed -->
-  <use>
-    <flag name="aio">Enables file AIO support</flag>
-    <flag name="http">Enable HTTP core support</flag>
-    <flag name="http2">Enable HTTP2 module support</flag>
-    <flag name="http3">Enable HTTP3 module support</flag>
-    <flag name="http-cache">Enable HTTP cache support</flag>
-    <flag name="ktls">Enable Kernel TLS offload (kTLS)</flag>
-    <flag name="libatomic">Use libatomic instead of builtin atomic operations</flag>
-    <flag name="pcre-jit">Enable JIT for pcre</flag>
-    <flag name="pcre2">Enable support for pcre2</flag>
-    <flag name="ssl">Enable HTTPS module for http. Enable SSL/TLS support for POP3/IMAP/SMTP for mail.</flag>
-    <flag name="rtmp">NGINX-based Media Streaming Server</flag>
-  </use>
-  <upstream>
-    <changelog>https://nginx.org/en/CHANGES</changelog>
-    <remote-id type="github">openresty/memc-nginx-module</remote-id>
-    <remote-id type="bitbucket">nginx-goodies/nginx-sticky-module-ng</remote-id>
-    <remote-id type="cpe">cpe:/a:nginx:nginx</remote-id>
-  </upstream>
+	<maintainer type="person" proxied="yes">
+		<email>zurabid2016@gmail.com</email>
+		<name>Zurab Kvachadze</name>
+	</maintainer>
+	<maintainer type="project" proxied="proxy">
+		<email>proxy-maint@gentoo.org</email>
+		<name>Proxy Maintainers</name>
+	</maintainer>
+	<longdescription>
+		nginx [engine x] is an HTTP and reverse proxy server, a mail proxy server, and a generic
+		TCP/UDP proxy server, originally written by Igor Sysoev.
+	</longdescription>
+	<use>
+		<flag name="aio">Enable asynchronous I/O support</flag>
+		<flag name="debug">Enable support for debugging log</flag>
+		<flag name="http">Enable core HTTP support</flag>
+		<flag name="libatomic">
+			Use <pkg>dev-libs/libatomic_ops</pkg> instead of builtin atomic operations
+		</flag>
+		<flag name="mail">Enable POP3/IMAP4/SMTP mail proxy server</flag>
+		<flag name="stream">
+			Enable generic TCP/UDP proxying and load balancing
+		</flag>
+		<!-- NOTE: These are the USE flags for the legacy versions -->
+		<flag name="http2">Enable HTTP2 module support</flag>
+		<flag name="http3">Enable HTTP3 module support</flag>
+		<flag name="http-cache">Enable HTTP cache support</flag>
+		<flag name="ktls">Enable Kernel TLS offload (kTLS)</flag>
+		<flag name="pcre-jit">Enable JIT for pcre</flag>
+		<flag name="pcre2">Enable support for pcre2</flag>
+		<flag name="ssl">
+			Enable HTTPS module for http. Enable SSL/TLS support for POP3/IMAP/SMTP for mail.
+		</flag>
+		<flag name="rtmp">NGINX-based Media Streaming Server</flag>
+	</use>
+	<upstream>
+		<doc>https://nginx.org/en/docs/</doc>
+		<changelog>https://nginx.org/en/CHANGES</changelog>
+		<bugs-to>https://trac.nginx.org/nginx/report</bugs-to>
+		<remote-id type="cpe">cpe:/a:f5:nginx</remote-id>
+	</upstream>
 </pkgmetadata>
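Review bot: the cpe remote-id changes vendor from `cpe:/a:nginx:nginx` to `cpe:/a:f5:nginx` with no reference for the new value, and the CPE is the identifier that vulnerability tooling uses to match advisories to this package; the commit message should cite the CPE dictionary entry the new value follows and state whether advisories filed under the previous vendor are still expected to match. The commit message also says that all the <remote-id> elements are removed, but the cpe one is kept and edited, so item 5 should say that only the github and bitbucket ids, which point at third party modules, are dropped.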
-- 
2.44.2




* [gentoo-dev] [RFC PATCH 04/19] www-servers/nginx: add nginx-r5.initd
  2024-07-17 12:05 [gentoo-dev] [RFC PATCH 00/19] Rework NGINX packaging in Gentoo by introducing nginx{,-module}.eclass Zurab Kvachadze
                   ` (2 preceding siblings ...)
  2024-07-17 12:05 ` [gentoo-dev] [RFC PATCH 03/19] www-servers/nginx: add myself as a proxy maintainer; update metadata.xml Zurab Kvachadze
@ 2024-07-17 12:05 ` Zurab Kvachadze
  2024-07-17 12:41   ` Michael Orlitzky
  2024-07-17 12:05 ` [gentoo-dev] [RFC PATCH 05/19] www-servers/nginx: add nginx-r1.confd Zurab Kvachadze
                   ` (14 subsequent siblings)
  18 siblings, 1 reply; 30+ messages in thread
From: Zurab Kvachadze @ 2024-07-17 12:05 UTC (permalink / raw
  To: gentoo-dev; +Cc: Zurab Kvachadze

This is the fifth revision of the init.d script for NGINX.

Starting with this commit, NGINX does not check its configuration twice
upon start and configuration reload (bug 481456). In the former case, if
any errors occur, the error message will be printed. This is not the
case with the reload() function though, as it is impossible to
programmatically check if it has succeeded.

Previously, the stop_post() function would block the termination of the
NGINX service from finishing successfully by returning 1 after not being
able to remove the PID-file. This was caused due to the PID-file being
deleted before the code block in question got executed. This revision
removes this troublesome statement.

The start_pre() now utilises "checkpath" to create, if it is not
present, the /var/tmp/nginx directory, where NGINX stores its temporary
files.

Bug: https://bugs.gentoo.org/481456
Signed-off-by: Zurab Kvachadze <zurabid2016@gmail.com>
---
 www-servers/nginx/files/nginx-r5.initd | 117 +++++++++++++++++++++++++
 1 file changed, 117 insertions(+)
 create mode 100644 www-servers/nginx/files/nginx-r5.initd

diff --git a/www-servers/nginx/files/nginx-r5.initd b/www-servers/nginx/files/nginx-r5.initd
new file mode 100644
index 000000000000..1eafb75a9e37
--- /dev/null
+++ b/www-servers/nginx/files/nginx-r5.initd
@@ -0,0 +1,117 @@
+#!/sbin/openrc-run
+# Copyright 1999-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+name="NGINX"
+description="Robust, small and high performance HTTP and reverse proxy server"
+description_configtest="Run NGINX's internal config check."
+description_upgrade="Upgrade the NGINX binary without losing connections."
+description_reload="Reload the NGINX configuration without losing connections."
+
+NGINX_CONFIGFILE=${NGINX_CONFIGFILE:-/etc/nginx/nginx.conf}
+NGINX_MAXWAITTIME=${NGINX_MAXWAITTIME:-3}
+
+command="/usr/sbin/nginx"
+start_stop_daemon_args=${NGINX_SSDARGS:-"--wait 1000"}
+pidfile=${NGINX_PIDFILE:-/run/nginx.pid}
+user=${NGINX_USER:-nginx}
+group=${NGINX_GROUP:-nginx}
+retry=${NGINX_TERMTIMEOUT:-"TERM/60/KILL/5"}
+
+extra_commands="configtest"
+extra_started_commands="upgrade reload"
+
+depend() {
+	need net
+	use dns logger netmount
+}
+
+start_pre() {
+	checkpath -d -o root:root /var/tmp/nginx || return 1
+}
+
+stop_pre() {
+	if [ "${RC_CMD}" = "restart" ]; then
+		configtest || return 1
+	fi
+}
+
+start() {
+	ebegin "Starting NGINX"
+	set -f
+	local output
+	output="$(start-stop-daemon --start --exec "${command}" -p "${pidfile}" \
+		${start_stop_daemon_args} -- -c "${NGINX_CONFIGFILE}" 2>&1)"
+	if ! eend $? ; then
+		eerror "Failed to start NGINX, please have a look at its output below:"
+		# Delete the last line in a POSIX-compliant way because it contains
+		# "start-stop-daemon failed..."
+		printf '%s\n' "${output}" | sed '$d'
+		eerror "Starting NGINX failed, please correct the errors above"
+		return 1
+	else
+		if [ -n "${output}" ]; then
+			ewarn "NGINX has started successfuly, yet there are warnings:"
+			printf "%s\n" "${output}"
+			ewarn "Please take a notice of the warnings above"
+		fi
+		return 0
+	fi
+}
+
+
+reload() {
+	ebegin "Refreshing NGINX's configuration"
+	start-stop-daemon --signal SIGHUP --pidfile "${pidfile}"
+	eend $? "Failed to reload NGINX's configuration, please correct the errors above"
+}
+
+upgrade() {
+	einfo "Upgrading NGINX"
+	configtest || { eerror "Unable to upgrade NGINX: Configuration check failed";
+					return 1; }
+
+	einfo "Sending USR2 signal to the old binary"
+	start-stop-daemon --signal SIGUSR2 --pidfile "${pidfile}"
+
+	ebegin "Waiting up to ${NGINX_MAXWAITTIME} seconds for NGINX to upgrade"
+	local startdate pidfile_found
+	pidfile_found=0
+	startdate="$(date +%s)"
+	while [ $(("$(date +%s)" - startdate)) -le "${NGINX_MAXWAITTIME}" ]; do
+		if [ -f "${pidfile}" ] && [ -f "${pidfile}.oldbin" ]; then
+			pidfile_found=1
+			break
+		fi
+		sleep 1
+	done
+
+	[ "${pidfile_found}" = 1 ]
+	if ! eend $?; then
+		eerror "NGINX has failed to upgrade in time. This might have been caused either"
+		eerror "by a configuration error, uncaught by the configuration check, or, more"
+		eerror "likely, by NGINX taking more time to load the configuration than is"
+		eerror "allowed by the NGINX_MAXWAITTIME variable"
+		eerror "The maximum waiting time can be adjusted by setting the NGINX_MAXWAITTIME"
+		eerror "variable to a larger value in /etc/conf.d/nginx"
+		return 1
+	fi
+
+	einfo "Sending QUIT signal to the old binary"
+	start-stop-daemon --signal SIGQUIT --pidfile "${pidfile}.oldbin" ||
+		{ eerror "The old NGINX binary may not have been stopped properly: Sending QUIT signal failed";
+		return 1; }
+
+	einfo "The upgrade completed successfuly"
+}
+
+configtest() {
+	ebegin "Checking NGINX's configuration"
+	local output
+	output="$("${command}" -c "${NGINX_CONFIGFILE}" -t 2>&1)"
+	if ! eend $?; then
+		printf '%s\n' "${output}"
+		eerror "Configuration check failed, please correct the errors above"
+		return 1
+	fi
+}
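
Review bot: In upgrade(), the exit status of `start-stop-daemon --signal SIGUSR2 --pidfile "${pidfile}"` is not checked, so when the signal cannot be delivered (for example a missing or stale pidfile) the function still waits the full NGINX_MAXWAITTIME and then prints the "failed to upgrade in time" text, which points the admin at the wrong cause. Suggest failing early there, in the same way the SIGQUIT call further down does with `|| { eerror ...; return 1; }`. The timeout branch could also say that the new master may still come up later and leave `${pidfile}.oldbin` behind with both masters running, and how to finish the switch by hand. Minor: "successfuly" in the ewarn in start() and in the final einfo should be "successfully".
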
-- 
2.44.2




* [gentoo-dev] [RFC PATCH 05/19] www-servers/nginx: add nginx-r1.confd
  2024-07-17 12:05 [gentoo-dev] [RFC PATCH 00/19] Rework NGINX packaging in Gentoo by introducing nginx{,-module}.eclass Zurab Kvachadze
                   ` (3 preceding siblings ...)
  2024-07-17 12:05 ` [gentoo-dev] [RFC PATCH 04/19] www-servers/nginx: add nginx-r5.initd Zurab Kvachadze
@ 2024-07-17 12:05 ` Zurab Kvachadze
  2024-07-17 12:05 ` [gentoo-dev] [RFC PATCH 06/19] www-servers/nginx: add nginx-r2.service Zurab Kvachadze
                   ` (13 subsequent siblings)
  18 siblings, 0 replies; 30+ messages in thread
From: Zurab Kvachadze @ 2024-07-17 12:05 UTC (permalink / raw
  To: gentoo-dev; +Cc: Zurab Kvachadze

This is the first revision of the NGINX .confd file.

This adds the NGINX_MAXWAITTIME variable that configures the maximum
amount of time for the upgrade() function to wait for NGINX to start
before producing an error.

Signed-off-by: Zurab Kvachadze <zurabid2016@gmail.com>
---
 www-servers/nginx/files/{nginx.confd => nginx-r1.confd} | 5 +++++
 1 file changed, 5 insertions(+)
 copy www-servers/nginx/files/{nginx.confd => nginx-r1.confd} (85%)

diff --git a/www-servers/nginx/files/nginx.confd b/www-servers/nginx/files/nginx-r1.confd
similarity index 85%
copy from www-servers/nginx/files/nginx.confd
copy to www-servers/nginx/files/nginx-r1.confd
index f4b804375e92..374305c52ea2 100644
--- a/www-servers/nginx/files/nginx.confd
+++ b/www-servers/nginx/files/nginx-r1.confd
@@ -30,3 +30,8 @@
 # that the service will be terminated within a given time (60 + 5 seconds
 # per default) when you are stopping the service.
 #NGINX_TERMTIMEOUT="TERM/60/KILL/5"
+
+# For the 'upgrade' function, this defines the maximum amount of time (in
+# seconds) the script should wait for the new NGINX binary to start before
+# producing an error.
+#NGINX_MAXWAITTIME="3"
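
Review bot: The new comment does not say that the value has to be a whole number of seconds; upgrade() in nginx-r5.initd compares it with `[ ... -le "${NGINX_MAXWAITTIME}" ]` and polls once per second, so a value such as "2.5" makes the test fail with an error instead of waiting. Suggest writing "(integer, in seconds)" and adding a sentence that on timeout the old binary is left running and is not sent QUIT.
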
-- 
2.44.2




* [gentoo-dev] [RFC PATCH 06/19] www-servers/nginx: add nginx-r2.service
  2024-07-17 12:05 [gentoo-dev] [RFC PATCH 00/19] Rework NGINX packaging in Gentoo by introducing nginx{,-module}.eclass Zurab Kvachadze
                   ` (4 preceding siblings ...)
  2024-07-17 12:05 ` [gentoo-dev] [RFC PATCH 05/19] www-servers/nginx: add nginx-r1.confd Zurab Kvachadze
@ 2024-07-17 12:05 ` Zurab Kvachadze
  2024-07-20 16:58   ` Alexander Tsoy
  2024-07-17 12:05 ` [gentoo-dev] [RFC PATCH 07/19] www-servers/nginx: add nginx-r2.logrotate Zurab Kvachadze
                   ` (12 subsequent siblings)
  18 siblings, 1 reply; 30+ messages in thread
From: Zurab Kvachadze @ 2024-07-17 12:05 UTC (permalink / raw
  To: gentoo-dev; +Cc: Zurab Kvachadze

This is the second revision of the systemd service file for NGINX.

This commit removes redundant Exec{Stop,Reload} lines that restate the
systemd defaults and changes the ExecStartPre directive from "nginx -t"
(testing the NGINX configuration that is done anyway by the main
process, bug 481456) to "mkdir -p /var/tmp/nginx", making sure the
required directory for the NGINX temp files is present. ExecStopPost has
also been removed, since sleeping for 100 ms serves no purpose.

The second revision also changes the Exec* directives to use the plain
file names, instead of the absolute ones, per systemd.service(5)
guidelines:
> It is thus safe to use just the executable name in case of executables
> located in any of the "standard" directories, and an absolute path
> must be used in other cases.

Bug: https://bugs.gentoo.org/481456
Signed-off-by: Zurab Kvachadze <zurabid2016@gmail.com>
---
 www-servers/nginx/files/nginx-r2.service | 12 ++++++++++++
 1 file changed, 12 insertions(+)
 create mode 100644 www-servers/nginx/files/nginx-r2.service

diff --git a/www-servers/nginx/files/nginx-r2.service b/www-servers/nginx/files/nginx-r2.service
new file mode 100644
index 000000000000..2916aba391a2
--- /dev/null
+++ b/www-servers/nginx/files/nginx-r2.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=The NGINX HTTP and reverse proxy server
+After=network.target remote-fs.target nss-lookup.target
+
+[Service]
+Type=forking
+PIDFile=/run/nginx.pid
+ExecStartPre=mkdir -p /var/tmp/nginx
+ExecStart=nginx
+
+[Install]
+WantedBy=multi-user.target
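
Review bot: With no ExecReload= in [Service], `systemctl reload nginx` is rejected, because systemd has no built-in reload action for a service; only stopping (SIGTERM to the main process, then SIGKILL after the timeout) works without an explicit directive. The OpenRC script in this series keeps reload() via SIGHUP, so the two init systems diverge. Suggest keeping a reload line such as `ExecReload=kill -s HUP $MAINPID`. Second point, on `ExecStartPre=mkdir -p /var/tmp/nginx`: unlike the OpenRC start_pre(), which runs `checkpath -d -o root:root`, this neither sets nor verifies owner and mode, and `mkdir -p` succeeds silently when the path already exists under the world-writable /var/tmp. A tmpfiles.d entry or `install -d -o root -g root -m <mode>` would make the ownership explicit.
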
-- 
2.44.2




* [gentoo-dev] [RFC PATCH 07/19] www-servers/nginx: add nginx-r2.logrotate
  2024-07-17 12:05 [gentoo-dev] [RFC PATCH 00/19] Rework NGINX packaging in Gentoo by introducing nginx{,-module}.eclass Zurab Kvachadze
                   ` (5 preceding siblings ...)
  2024-07-17 12:05 ` [gentoo-dev] [RFC PATCH 06/19] www-servers/nginx: add nginx-r2.service Zurab Kvachadze
@ 2024-07-17 12:05 ` Zurab Kvachadze
  2024-07-17 12:05 ` [gentoo-dev] [RFC PATCH 08/19] www-servers/nginx: add nginx-r4.conf Zurab Kvachadze
                   ` (11 subsequent siblings)
  18 siblings, 0 replies; 30+ messages in thread
From: Zurab Kvachadze @ 2024-07-17 12:05 UTC (permalink / raw
  To: gentoo-dev; +Cc: Zurab Kvachadze

This is the second revision of the logrotate script for NGINX.

This changes the log files' names from /var/log/nginx/*_log to
/var/log/nginx/*.log, resembling the new nginx.eclass defaults (bug
700866).

The postrotate script was updated to use the "$()" construct for the
command substitution, instead of the legacy `backtick` one. The "kill"
utility now uses a more POSIX-complying argument "-s signal_name",
replacing the XSI's "-signal_name".

Bug: https://bugs.gentoo.org/700866
Signed-off-by: Zurab Kvachadze <zurabid2016@gmail.com>
---
 .../nginx/files/{nginx.logrotate-r1 => nginx-r2.logrotate}  | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
 copy www-servers/nginx/files/{nginx.logrotate-r1 => nginx-r2.logrotate} (51%)

diff --git a/www-servers/nginx/files/nginx.logrotate-r1 b/www-servers/nginx/files/nginx-r2.logrotate
similarity index 51%
copy from www-servers/nginx/files/nginx.logrotate-r1
copy to www-servers/nginx/files/nginx-r2.logrotate
index bc9d87a09a91..55a3b01e13a1 100644
--- a/www-servers/nginx/files/nginx.logrotate-r1
+++ b/www-servers/nginx/files/nginx-r2.logrotate
@@ -1,11 +1,11 @@
-# Copyright 1999-2014 Gentoo Foundation
+# Copyright 1999-2024 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
 
-/var/log/nginx/*_log {
+/var/log/nginx/*.log {
 	missingok
 	delaycompress
 	sharedscripts
 	postrotate
-		test -r /run/nginx.pid && kill -USR1 `cat /run/nginx.pid`
+		test -r /run/nginx.pid && kill -s USR1 "$(cat /run/nginx.pid)"
 	endscript
 }
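
Review bot: The glob change from `/var/log/nginx/*_log` to `/var/log/nginx/*.log` stops rotation, without any message, on systems whose nginx.conf still writes its logs under the old *_log names, and those files then grow unbounded. Suggest matching both patterns for a transition period, or announcing the rename where this file gets installed. Separately, the copyright line keeps "Gentoo Foundation" while the profiles/desc patches in this series switch to "Gentoo Authors".
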
-- 
2.44.2




* [gentoo-dev] [RFC PATCH 08/19] www-servers/nginx: add nginx-r4.conf
  2024-07-17 12:05 [gentoo-dev] [RFC PATCH 00/19] Rework NGINX packaging in Gentoo by introducing nginx{,-module}.eclass Zurab Kvachadze
                   ` (6 preceding siblings ...)
  2024-07-17 12:05 ` [gentoo-dev] [RFC PATCH 07/19] www-servers/nginx: add nginx-r2.logrotate Zurab Kvachadze
@ 2024-07-17 12:05 ` Zurab Kvachadze
  2024-07-17 12:05 ` [gentoo-dev] [RFC PATCH 09/19] profiles/desc: reword and update nginx_modules_http.desc Zurab Kvachadze
                   ` (10 subsequent siblings)
  18 siblings, 0 replies; 30+ messages in thread
From: Zurab Kvachadze @ 2024-07-17 12:05 UTC (permalink / raw
  To: gentoo-dev; +Cc: Zurab Kvachadze

This is the fourth revision of the main configuration file of NGINX.

Thank you Torbjörn Lönnemark for reporting this!

This revision brings a lot of changes, mainly in terms of removed
directives (and yes, I will quote Torbjörn Lönnemark on this):
    * worker_processes "1" -> "auto": it makes no sense to cap the
      number of worker processes at 1, this commit makes NGINX spawn
      as many worker processes as there are CPU cores.
    * remove "worker_connections 1024": 512 is the default value, no
      reason to increase.
    * remove "use epoll": NGINX already uses the most efficient polling
      method available by default, no need to specify it explicitly.
      Additionally, NGINX may even fail to start if epoll() is
      unavailable on the system.
    * remove "default_type application/octet-stream": arbitrary setting
      with no obvious purpose, in some circumstances may even be
      harmful, considering that the default value for this directive is
      "text/plain".
    * remove custom "log_format": needlessly diverges from the default
      format, quoting Torbjörn Lönnemark:
> The only difference between this and the builtin 'combined' format
> is that it includes gzip_ratio, and gzip is disabled by default
> anyway. Can be removed while additionally replacing 'main' in the
> access_log directives to 'combined'
    * remove "connection_pool_size 256", "client_header_buffer_size 1k"
      and "large_client_header_buffers 4 2k": the connection_pool_size
      directive sets the default value on 32-bit machines and overrides
      the default value on 64-bit machines, client_body_buffer_size is 8
      times less than the default value, the same applies to
      large_client_header_buffers.
    * remove "request_pool_size 4k", "gzip off", "tcp_nodelay on",
      "ignore_invalid_headers on", "index index.html": they restate the
      defaults.
    * remove "client_header_timeout 10m", "client_body_timeout 10m",
      "send_timeout 10m", "output_buffers 1 32k", "postpone_output
      1460", "tcp_nopush off", "keepalive_timeout 75 20": the directives
      override the defaults with no clear intent.

The "server" blocks have also been reworked. Due to www-servers/nginx
not installing anything into /var/www/localhost/htdocs, the root
directory for the default server will almost always be empty. Therefore,
the plaintext example server has had its "root" directive commented out.
For the SSL server, the removed-since-1.25.1 "ssl" directive has been
changed into an argument to the "listen" directive, as prescribed
upstream.

Bug: https://bugs.gentoo.org/928131
Bug: https://bugs.gentoo.org/576414
Reported-by: Torbjörn Lönnemark
Signed-off-by: Zurab Kvachadze <zurabid2016@gmail.com>
---
 www-servers/nginx/files/nginx-r4.conf | 39 +++++++++++++++++++++++++++
 1 file changed, 39 insertions(+)
 create mode 100644 www-servers/nginx/files/nginx-r4.conf

diff --git a/www-servers/nginx/files/nginx-r4.conf b/www-servers/nginx/files/nginx-r4.conf
new file mode 100644
index 000000000000..1144af3d7ceb
--- /dev/null
+++ b/www-servers/nginx/files/nginx-r4.conf
@@ -0,0 +1,39 @@
+user nginx nginx;
+worker_processes auto;
+
+events {
+	# NGINX refuses to start if the 'events' section is not present. Yet,
+	# NGINX does not seem to care whether this section is non-empty.
+}
+
+http {
+	# Maximum hash table size is increased to accommodate for a large
+	# mime.types file that is shipped on Gentoo.
+	types_hash_max_size 4096;
+	include /etc/nginx/mime.types.nginx;
+
+	sendfile on;
+
+	# Example server. Warning: by default, the /var/www/localhost directory is
+	# NOT created; for the following configuration block to work, the
+	# directory must be created manually.
+	server {
+		listen 127.0.0.1;
+		server_name localhost;
+
+		# Substitute the directory below for the one you use.
+		#root /var/www/localhost/htdocs;
+	}
+
+	# SSL server example.
+	#server {
+		#listen 127.0.0.1:443 ssl;
+		#server_name localhost;
+
+		#ssl_certificate /etc/ssl/nginx/nginx.pem;
+		#ssl_certificate_key /etc/ssl/nginx/nginx.key;
+
+		#root /var/www/localhost/htdocs;
+	#}
+
+}
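
Review bot: The new nginx.conf sets neither error_log nor access_log, so where the logs land is decided by build-time defaults that cannot be seen from this file, while nginx-r2.logrotate in this series only rotates /var/log/nginx/*.log. Suggest a short comment in the http block naming the default log paths (or explicit directives), so the configuration and the logrotate glob cannot drift apart unnoticed. Style: the empty line before the closing brace of the http block can go.
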
-- 
2.44.2




* [gentoo-dev] [RFC PATCH 09/19] profiles/desc: reword and update nginx_modules_http.desc
  2024-07-17 12:05 [gentoo-dev] [RFC PATCH 00/19] Rework NGINX packaging in Gentoo by introducing nginx{,-module}.eclass Zurab Kvachadze
                   ` (7 preceding siblings ...)
  2024-07-17 12:05 ` [gentoo-dev] [RFC PATCH 08/19] www-servers/nginx: add nginx-r4.conf Zurab Kvachadze
@ 2024-07-17 12:05 ` Zurab Kvachadze
  2024-07-17 12:05 ` [gentoo-dev] [RFC PATCH 10/19] profiles/desc: reword and update nginx_modules_mail.desc Zurab Kvachadze
                   ` (9 subsequent siblings)
  18 siblings, 0 replies; 30+ messages in thread
From: Zurab Kvachadze @ 2024-07-17 12:05 UTC (permalink / raw
  To: gentoo-dev; +Cc: Zurab Kvachadze

The wording used in nginx_modules_http.desc to describe the USE flags
was rather inconsistent with how USE flags are described in Gentoo.

This commit features the following changes:

    * The missing descriptions were added for the "ssl"[1],
      "upstream_random", "v2"[1] and "v3"[1] modules.

    * "This module does something" was changed to "Add support for
      something" en masse, as is done elsewhere in Gentoo.

    * The descriptions were brought in line with upstream[2] ones. For
      many of them, the wording was modified to better (sometimes more
      concisely) reflect their function.

    * Update copyright and actually sort the modules!

[1]: Previously, these modules were not USE_EXPAND flags but rather USE
flags on their own. With the introduction of nginx.eclass, they become
NGINX_MODULES_HTTP USE_EXPAND flags, as the rest of NGINX modules are.
[2]: See "Module reference" at the bottom of https://nginx.org/en/docs/

Signed-off-by: Zurab Kvachadze <zurabid2016@gmail.com>
---
 profiles/desc/nginx_modules_http.desc | 147 +++++++++++++-------------
 1 file changed, 75 insertions(+), 72 deletions(-)

diff --git a/profiles/desc/nginx_modules_http.desc b/profiles/desc/nginx_modules_http.desc
index dd1d7ea38a95..24f06804721c 100644
--- a/profiles/desc/nginx_modules_http.desc
+++ b/profiles/desc/nginx_modules_http.desc
@@ -1,77 +1,80 @@
-# Copyright 1999-2018 Gentoo Foundation.
+# Copyright 1999-2024 Gentoo Authors.
 # Distributed under the terms of the GNU General Public License v2
 
 # This file contains descriptions of NGINX_MODULES_HTTP USE_EXPAND flags.
 
 # Keep it sorted.
-access - This module provides a simple host-based access control.
-addition - This module adds contents of other locations before and after the current location's content.
-auth_basic - This module protects your site or parts of it with username and password based on HTTP Basic Authentication.
-auth_ldap - LDAP module for nginx which supports authentication against multiple LDAP servers.
-auth_pam - This module provides authentication via PAM.
-auth_request - Module implementing client authorization based on the result of a subrequest.
-autoindex - This module provides automatic directory listings.
-brotli - This module allows for on-the-fly Brotli compression.
-browser - This module creates variables, the values of which depend on the request header "User-agent".
-cache_purge - External module adding ability to purge content from nginx's FastCGI and proxy caches.
-charset - This module can reencode data of one encoding into another.
-dav - This module adds the HTTP and WebDAV methods PUT, DELETE, MKCOL, COPY and MOVE.
-dav_ext - Add missing WebDAV methods PROPFIND & OPTIONS to the existing WebDAV module.
-degradation - Allows to return 204 or 444 code for some locations on low memory condition (reliable on FreeBSD only)
-echo - Brings shell-style goodies to Nginx config file.
-empty_gif - This module keeps a 1x1 transparent GIF in memory that can be served very quickly.
-fancyindex - This module makes possible the generation of file listings, like the built-in autoindex module does, but adding a touch of style.
-fastcgi - This module allows Nginx to interact with FastCGI processes and control what parameters are passed to the process.
-flv - This module provides the ability to seek within FLV (Flash) files using time-based offsets.
-geo - This module creates variables, whose values depend on the IP-address of the client.
-geoip - This module creates variables based on the IP-address of the client matched against the MaxMind GeoIP binary files.
-geoip2 - This module creates variables based on the IP-address of the client matched against the MaxMind GeoIP2 binary files.
-grpc - This module provides gRPC support.
-gunzip - Permits to decompress gzip'ed files on-the-fly for clients not supporting the gzip encoding method.
-gzip - This module allows for on-the-fly gzip compression.
-gzip_static - Before serving a file from disk to a gzip-enabled client, this module will look for a precompressed file in the same location.
-headers_more - Set and clear input and output headers
-image_filter - This module is a filter for transforming JPEG, GIF and PNG images.
-javascript - This module implements location and variable handlers in nginScript.
-limit_conn - This module makes it possible to limit the number of simultaneous connections for the assigned session
-limit_req - This module allows you to limit the number of requests for a given session.
-limit_conn - This module makes it possible to limit the number of simultaneous connections for the assigned session
-lua - Embed the power of Lua into nginx
-map - This module allows you to classify, or map a set of values into a different set of values and store the result in a variable.
-memc - An extended version of the standard memcached module that supports set, add, delete, and many more memcached commands.
-memcached - You can use this module to perform simple caching.
-metrics - Module to export various metrics in easy-parseable JSON.
-mirror - This module implements mirroring of an original request by creating background mirror subrequests.
-mogilefs - Enable support for MogileFS.
-mp4 - This module adds pseudo-streaming
-naxsi - An open source, high performance, low rules maintenance, Web Application Firewall module for Nginx.
-perl - This module makes it possible to execute Perl directly within Nginx and call Perl via SSI.
-proxy - This module makes it possible to transfer requests to another server.
-push_stream - Push Stream module, supporting EventSource, WebSocket, Long Polling, and Forever Iframe.
-random_index - Pick a random directory index from a directory.
-realip - This module allows to change the client's IP address to value from request header (e. g. X-Real-IP or X-Forwarded-For).
-referer - This module makes it possible to block access to the site with the incorrect values of line "Referer" in the request header.
-rewrite - This module makes it possible to change URI using regular expressions (PCRE), and to redirect and select configuration depending on variables.
-scgi - An implementation of the Simple Common Gateway Interface.
-secure_link - This module computes and checks request URLs for a required security token.
-security - Web application firewall and Intrusion Detection System.
-slice - A filter that splits a request into subrequests, each returning a certain range of response
-slowfs_cache - This module adds the ability to cache static files
-split_clients - This module provides A/B testing support.
-ssi - This module provides a filter which processes Server-Side Includes (SSI) in the input.
-spdy - This module provides an SPDY implementation. (Deprecated, use IUSE="http2" instead)
-sticky - Module to always forward clients to the same upstream server (via sticky cookies)
-stub_status - This module provides the ability to get some status from nginx.
-sub - This module can search and replace text in the nginx response.
-upload_progress - This module adds the ability to track POST upload progress via JSON API
-upstream_check - Add health check support for upstream servers.
-upstream_hash - This module provides the ability to distribute upstream requests based on hashed key value.
-upstream_ip_hash - This module provides the ability to distribute upstream requests based on the IP-address of the client.
-upstream_keepalive - Thiis module provides the ability to cache connections to upstream servers.
-upstream_least_conn - This module provides the ability to distribute upstream requests using load balancing methods.
-upstream_zone - This module makes it possible to define a shared memory zone that keeps the group's configuration and run-time state that are shared between worker processes.
-userid - This module gives out cookies for identification of clients.
-uwsgi - External module for the uWSGI protocol for python web apps.
-vhost_traffic_status - This module provides access to virtual host status information.
-vod - Adds support for video streaming using DASH, HDS, HLS, MSS.
-xslt - This module is a filter which converts an XML response with the aid of one or more XSLT templates.
+access - Add support for a simple host-based access control
+addition - Add support for adding contents of other locations before and after the current location's content
+auth_basic - Add support for limiting access to a location by validating the username and password using the HTTP Basic Authentication
+auth_ldap - Add support for LDAP authentication module for NGINX
+auth_pam - Add support for authentication via PAM
+auth_request - Add support for client authorization based on the result of a subrequest
+autoindex - Add support for processing requests ending with the slash character ('/') and produciing a directory listing
+brotli - Add support for on-the-fly Brotli compression
+browser - Add support for creating variables whose values depend on the value of the "User-Agent" request header field
+cache_purge - Add support for purging content from NGINX's FastCGI and proxy caches
+charset - Add support for adding the specified charset to the "Content-Type" response header field and reencoding singe-byte charsets
+dav - Add support for the WebDAV functionality and methods: PUT, DELETE, MKCOL, COPY and MOVE
+dav_ext - Add support for the additional WebDAV methods into the existing WebDAV module: PROPFIND & OPTIONS
+degradation - Add support for returning 204 or 444 code for some locations on low memory condition (reliable on FreeBSD only)
+echo - Add support for shell-style goodies in the NGINX configuration file
+empty_gif - Add support for emiting a single-pixel transparent GIF
+fancyindex - Add support for the fancy generation of file listings
+fastcgi - Add support for passing requests to a FastCGI server
+flv - Add support for the server-side pseudo-streaming of Flash Video (FLV) files
+geo - Add support for creating variables whose values depend on the client IP-address
+geoip - Add support for creating variables whose values depend on the client IP-address, using the precompiled MaxMind databases
+geoip2 - Add support for creating variables whose values depend on the client IP-address, using the precompiled MaxMind GeoIP2 databases
+grpc - Add support for passing requests to a gRPC server
+gunzip - Add support for decompressing responses with "Content-Encoding: gzip" for clients that do not support "gzip" encoding method
+gzip - Add support for compressing responses using the "gzip" method
+gzip_static - Add support for sending precompressed files with the ".gz" filename extension instead of regular files
+headers_more - Add support for setting arbitrary input and output headers
+image_filter - Add support for transforming images in JPEG, GIF, PNG, and WebP formats
+javascript - Add support for implementing location and variable handlers in njs - a subset of the JavaScript language
+limit_conn - Add support for limiting the number of connections per a defined key, e.g. the number of connections from a single IP address
+limit_req - Add support for limiting the request processing rate per a defined key, e.g. the processing rate of requests coming from a single IP address
+lua - Add support for Lua scripting in NGINX
+map - Add support for creating variables whose values depend on values of other variables
+memc - Add support for an extended version of the standard memcached module that supports set, add, delete, and many more memcached commands
+memcached - Add support for obtaining responses from a memcached server
+metrics - Add support for exporting various metrics in an easy-parseable JSON format
+mirror - Add support for mirroring of the original request by creating background mirror subrequests
+mogilefs - Add support for MogileFS
+mp4 - Add support for server-side pseudo-streaming for MP4 files
+naxsi - Add support for NAXSI WAF (Web Application Firewall)
+perl - Add support for implementing location and variable handlers in Perl and inserting Perl calls into SSI
+proxy - Add support for passing subrequests to another server
+push_stream - Add support for the stream HTTP push module, which supports EventSource, WebSocket, Long Polling, and Forever Iframe
+random_index - Add support for processing requests ending with the slash character ('/') by picking a random file in a directory to serve as an index file
+realip - Add support for setting the client address and optional port to those sent in the specified header field (e.g. "X-Real-IP" or "X-Forwarded-For")
+referer - Add support for blocking access to a site for requests with invalid values in the "Referer" header field
+rewrite - Add support for changing the request URI using PCRE regular expressions, returning redirects, and conditionally selecting configurations
+scgi - Add support for passing requests to an SCGI server
+secure_link - Add support for checking authenticity of requested links, protecting resources from unauthorized access, and limiting link lifetime
+security - Add support for modsecurity: web application firewall and intrusion detection system
+slice - Add support for spliting a request into subrequests, each returning a certain range of response
+slowfs_cache - Add support for caching static files
+spdy - Add support for an SPDY implementation. (Deprecated, use USE="nginx_modules_http_v2" instead)
+split_clients - Add support for creating variables suitable for A/B testing, also known as split testing
+ssi - Add support for processing SSI (Server Side Includes) commands in responses passing through NGINX
+ssl - Add support for HTTPS - SSL/TLS-encrypted HTTP
+sticky - Add support for sending a sticky cookie in order to always forward client to the same upstream server
+stub_status - Add support for providing access to basic status information
+sub - Add support for modifying a response by replacing one specified string by another
+upload_progress - Add support for an upload progress system, that monitors RFC1867 POST uploads as they are transmitted to upstream servers
+upstream_check - Add support for performing health check of upstream servers
+upstream_hash - Add support for distributing upstream requests based on hashed key value
+upstream_ip_hash - Add support for distributing upstream requests based on the IP-address of the client
+upstream_keepalive - Add support for caching connections to upstream servers
+upstream_least_conn - Add support for passing upstream requests to the server with the least number of active connections
+upstream_random - Add support for passing upstream requests to a randomly selected server
+upstream_zone - Add support for defining a shared memory zone that keeps the group's configuration and run-time state that are shared between worker processes
+userid - Add support for setting cookies suitable for client identification
+uwsgi - Add support for passing requests to a uwsgi server
+vhost_traffic_status - Add support for providing access to virtual host status information
+v2 - Add support for HTTP/2
+v3 - Add experimental support for HTTP/3
+vod - Add support for streaming video using DASH, HDS, HLS, MSS
+xslt - Add support for transforming XML responses using one or more XSLT stylesheets
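
Review bot: The header says "Keep it sorted", but `v2` and `v3` are placed after `vhost_traffic_status`; in byte order they come before it (v2, v3, vhost_traffic_status, vod). Typos in the added descriptions: "produciing" (autoindex), "singe-byte" (charset), "emiting" (empty_gif), "spliting" (slice). The proxy entry says "passing subrequests to another server", where the other pass-through entries (fastcgi, grpc, scgi, uwsgi) say "requests".
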
-- 
2.44.2




* [gentoo-dev] [RFC PATCH 10/19] profiles/desc: reword and update nginx_modules_mail.desc
  2024-07-17 12:05 [gentoo-dev] [RFC PATCH 00/19] Rework NGINX packaging in Gentoo by introducing nginx{,-module}.eclass Zurab Kvachadze
                   ` (8 preceding siblings ...)
  2024-07-17 12:05 ` [gentoo-dev] [RFC PATCH 09/19] profiles/desc: reword and update nginx_modules_http.desc Zurab Kvachadze
@ 2024-07-17 12:05 ` Zurab Kvachadze
  2024-07-17 12:05 ` [gentoo-dev] [RFC PATCH 11/19] profiles/desc: reword and update nginx_modules_stream.desc Zurab Kvachadze
                   ` (8 subsequent siblings)
  18 siblings, 0 replies; 30+ messages in thread
From: Zurab Kvachadze @ 2024-07-17 12:05 UTC (permalink / raw
  To: gentoo-dev; +Cc: Zurab Kvachadze

This commit modifies nginx_modules_mail.desc in roughly the same way as
the preceding one modified nginx_modules_http.desc.

This commit adds description for the "ssl" module (see [1] in the
previous commit).

Signed-off-by: Zurab Kvachadze <zurabid2016@gmail.com>
---
 profiles/desc/nginx_modules_mail.desc | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/profiles/desc/nginx_modules_mail.desc b/profiles/desc/nginx_modules_mail.desc
index 930f57bc2480..7345af51ee28 100644
--- a/profiles/desc/nginx_modules_mail.desc
+++ b/profiles/desc/nginx_modules_mail.desc
@@ -1,9 +1,10 @@
-# Copyright 2010 Gentoo Foundation.
+# Copyright 2010-2024 Gentoo Authors.
 # Distributed under the terms of the GNU General Public License v2
 
 # This file contains descriptions of NGINX_MODULES_MAIL USE_EXPAND flags.
 
 # Keep it sorted.
-imap - This module provides IMAP proxy capability.
-pop3 - This module provides POP3 proxy capability.
-smtp - This module provides SMTP proxy capability.
+imap - Add support for proxying IMAP messages
+pop3 - Add support for proxying POP3 messages
+smtp - Add support for proxying SMTP messages
+ssl - Add SSL/TLS protocol support to a mail proxy server (implicit TLS, STARTTLS, etc.)
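
Review bot: The `ssl` line opens with "Add SSL/TLS protocol support to ..." while the other entries in this file use the "Add support for ..." form that the previous patch standardises on; suggest "Add support for SSL/TLS in the mail proxy (implicit TLS, STARTTLS, etc.)". Also, "proxying IMAP/POP3/SMTP messages" reads oddly, since what is proxied is the protocol session; "proxying IMAP connections" may be clearer.
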
-- 
2.44.2




* [gentoo-dev] [RFC PATCH 11/19] profiles/desc: reword and update nginx_modules_stream.desc
  2024-07-17 12:05 [gentoo-dev] [RFC PATCH 00/19] Rework NGINX packaging in Gentoo by introducing nginx{,-module}.eclass Zurab Kvachadze
                   ` (9 preceding siblings ...)
  2024-07-17 12:05 ` [gentoo-dev] [RFC PATCH 10/19] profiles/desc: reword and update nginx_modules_mail.desc Zurab Kvachadze
@ 2024-07-17 12:05 ` Zurab Kvachadze
  2024-07-17 12:05 ` [gentoo-dev] [RFC PATCH 12/19] profiles/categories: Add www-nginx category for external NGINX modules Zurab Kvachadze
                   ` (7 subsequent siblings)
  18 siblings, 0 replies; 30+ messages in thread
From: Zurab Kvachadze @ 2024-07-17 12:05 UTC (permalink / raw
  To: gentoo-dev; +Cc: Zurab Kvachadze

Does the same as two previous commits, this time with
nginx_modules_stream.desc.

Two new modules were added: "pass", "set", "upstream_random" and "ssl".
For the last module, see [1] in the first of two preceding commits.

Signed-off-by: Zurab Kvachadze <zurabid2016@gmail.com>
---
 profiles/desc/nginx_modules_stream.desc | 34 ++++++++++++++-----------
 1 file changed, 19 insertions(+), 15 deletions(-)

diff --git a/profiles/desc/nginx_modules_stream.desc b/profiles/desc/nginx_modules_stream.desc
index 8d8e9cb5a5f9..0fe435c2c734 100644
--- a/profiles/desc/nginx_modules_stream.desc
+++ b/profiles/desc/nginx_modules_stream.desc
@@ -1,20 +1,24 @@
-# Copyright 1999-2017 Gentoo Foundation.
+# Copyright 1999-2024 Gentoo Authors.
 # Distributed under the terms of the GNU General Public License v2
 
 # This file contains descriptions of NGINX_MODULES_STREAM USE_EXPAND flags.
 
 # Keep it sorted.
-access - This module allows limiting access to certain client addresses.
-geo - This module creates variables, whose values depend on the IP-address of the client.
-geoip - This module creates variables based on the IP-address of the client matched against the MaxMind GeoIP binary files.
-geoip2 - This module creates variables based on the IP-address of the client matched against the MaxMind GeoIP2 binary files.
-javascript - This module implements location and variable handlers in nginScript.
-limit_conn - This module is used to limit the number of connections per the defined key.
-map - This module allows you to classify, or map a set of values into a different set of values and store the result in a variable.
-realip - This module allows to change the client's IP address to value from request header (e. g. X-Real-IP or X-Forwarded-For).
-return - This module allows sending a specified value to the client and then closing the connection.
-split_clients - This module provides A/B testing support.
-ssl_preread - This module allows extracting information from the ClientHello message without terminating SSL/TLS.
-upstream_hash - This module provides the ability to distribute upstream requests based on hashed key value.
-upstream_least_conn - This module provides the ability to distribute upstream requests using load balancing methods.
-upstream_zone - This module makes it possible to define a shared memory zone that keeps the group's configuration and run-time state that are shared between worker processes.
+access - Add support for a simple host-based access control
+geo - Add support for creating variables whose values depend on the client IP-address
+geoip - Add support for creating variables whose values depend on the client IP-address, using the precompiled MaxMind databases
+geoip2 - Add support for creating variables whose values depend on the client IP-address, using the precompiled MaxMind GeoIP2 databases
+javascript - Add support for implementing location and variable handlers in njs - a subset of the JavaScript language
+limit_conn - Add support for limiting the number of connections per a defined key, e.g. the number of connections from a single IP address
+map - Add support for creating variables whose values depend on the values of other variables
+pass - Add support for passing the accepted connection directly to any configured listening socket in "http", "stream", "mail", and other similar modules
+realip - Add support for setting the client address and optional port to those sent in the specified header field (e.g. "X-Real-IP" or "X-Forwarded-For")
+return - Add support for sending a specified value to the client and then closing the connection
+set - Add support for setting a value for a variable
+split_clients - Add support for creating variables suitable for A/B testing, also known as split testing
+ssl - Add SSL/TLS protocol support to a stream proxy server
+ssl_preread - Add support for extracting information from the ClientHello message without terminating SSL/TLS connection
+upstream_hash - Add support for distributing upstream requests based on hashed key value
+upstream_least_conn - Add support for passing upstream requests to the server with the least number of active connections
+upstream_random - Add support for passing upstream requests to a randomly selected server
+upstream_zone - Add support for defining a shared memory zone that keeps the group's configuration and run-time state that are shared between worker processes
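
Review bot: The new realip line keeps HTTP wording ("the specified header field (e.g. "X-Real-IP" or "X-Forwarded-For")"), but this file describes stream modules, which handle TCP/UDP connections and have no request header fields; the stream realip module takes the client address and port from the PROXY protocol header. Because this value replaces the address that other modules then treat as the client, the description should name the real source. The javascript line has the same carry-over: "location" handlers are an HTTP concept.
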
-- 
2.44.2




* [gentoo-dev] [RFC PATCH 12/19] profiles/categories: Add www-nginx category for external NGINX modules
  2024-07-17 12:05 [gentoo-dev] [RFC PATCH 00/19] Rework NGINX packaging in Gentoo by introducing nginx{,-module}.eclass Zurab Kvachadze
                   ` (10 preceding siblings ...)
  2024-07-17 12:05 ` [gentoo-dev] [RFC PATCH 11/19] profiles/desc: reword and update nginx_modules_stream.desc Zurab Kvachadze
@ 2024-07-17 12:05 ` Zurab Kvachadze
  2024-07-17 12:05 ` [gentoo-dev] [RFC PATCH 13/19] www-servers/nginx: revbump 1.26.1-r1 to 1.26.1-r2, use nginx.eclass Zurab Kvachadze
                   ` (6 subsequent siblings)
  18 siblings, 0 replies; 30+ messages in thread
From: Zurab Kvachadze @ 2024-07-17 12:05 UTC (permalink / raw
  To: gentoo-dev; +Cc: Zurab Kvachadze

The www-nginx category is expected to contain third party modules for
the NGINX server, which was made possible with the introduction of
nginx-module.eclass.

Currently, NGINX bundles 25 modules that could all be separate packages.
A non-comprehensive list of these modules: ngx_devel_kit[1],
ngx-fancyindex[2], lua-nginx-module[3], nginx-push-stream-module[4] and
many more.
See the www-servers/nginx ebuild for the full list of bundled modules
that may be packaged in the www-nginx category.

[1]: https://github.com/vision5/ngx_devel_kit
[2]: https://github.com/aperezdc/ngx-fancyindex
[3]: https://github.com/openresty/lua-nginx-module
[4]: https://github.com/wandenberg/nginx-push-stream-module

Signed-off-by: Zurab Kvachadze <zurabid2016@gmail.com>
---
 profiles/categories                | 1 +
 {gui-wm => www-nginx}/metadata.xml | 5 +----
 2 files changed, 2 insertions(+), 4 deletions(-)
 copy {gui-wm => www-nginx}/metadata.xml (53%)

diff --git a/profiles/categories b/profiles/categories
index f7f5996e1810..e0f21f99e72a 100644
--- a/profiles/categories
+++ b/profiles/categories
@@ -155,6 +155,7 @@ www-apache
 www-apps
 www-client
 www-misc
+www-nginx
 www-plugins
 www-servers
 x11-apps
diff --git a/gui-wm/metadata.xml b/www-nginx/metadata.xml
similarity index 53%
copy from gui-wm/metadata.xml
copy to www-nginx/metadata.xml
index 448acadd7390..53d8713dfcd1 100644
--- a/gui-wm/metadata.xml
+++ b/www-nginx/metadata.xml
@@ -2,9 +2,6 @@
 <!DOCTYPE catmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
 <catmetadata>
 	<longdescription lang="en">
-		The gui-wm category contains various window managers.
-	</longdescription>
-	<longdescription lang="de">
-		Die Kategorie gui-wm enthält verschiedene Fenstermanager.
+		The www-nginx category contains external modules for the NGINX reverse proxy and web server
 	</longdescription>
 </catmetadata>
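
Review bot: The new longdescription sentence has no terminating period, while the line it replaces ("The gui-wm category contains various window managers.") had one; add it so the text matches the template it was copied from.
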
-- 
2.44.2




* [gentoo-dev] [RFC PATCH 13/19] www-servers/nginx: revbump 1.26.1-r1 to 1.26.1-r2, use nginx.eclass
  2024-07-17 12:05 [gentoo-dev] [RFC PATCH 00/19] Rework NGINX packaging in Gentoo by introducing nginx{,-module}.eclass Zurab Kvachadze
                   ` (11 preceding siblings ...)
  2024-07-17 12:05 ` [gentoo-dev] [RFC PATCH 12/19] profiles/categories: Add www-nginx category for external NGINX modules Zurab Kvachadze
@ 2024-07-17 12:05 ` Zurab Kvachadze
  2024-07-17 12:05 ` [gentoo-dev] [RFC PATCH 14/19] www-servers/nginx: revbump 1.27.0-r1 to 1.27.0-r2, " Zurab Kvachadze
                   ` (5 subsequent siblings)
  18 siblings, 0 replies; 30+ messages in thread
From: Zurab Kvachadze @ 2024-07-17 12:05 UTC (permalink / raw
  To: gentoo-dev; +Cc: Zurab Kvachadze

This commit makes NGINX employ new nginx.eclass. This bumps the stable
1.26.1 NGINX version to the second revision bringing a considerable
amount of changes:

    * NGINX is now fully slotted. Stable versions are in the 'stable'
      SLOT and mainline ones are in the 'mainline' SLOT.

    * All external modules have been unbundled from the main NGINX
      package. They will soon be available as separate packages in the
      www-nginx/ category. In addition, NGINX development kit
      (ngx_devel_kit) is no longer unconditionally built into NGINX
      binary.

    * LICENSE has been modified to reflect reality.

    * USE flag changes:

	1. "pcre", "pcre2" have been removed along with the dependency
	   on EOL libpcre1.

	2. "ktls" and "pcre-jit" have been removed completely since they
	   have no effect if system OpenSSL and libpcre are used (as is
	   always the case with NGINX in Gentoo).

	3. "threads" - removed, even though some really ancient
	   third-party modules break with this (e.g. mogilefs, last time
	   I checked it). nginx.eclass enables pthreads support
	   unconditionally, see https://bugs.gentoo.org/868336.

	4. "vim-syntax" has been removed, as vimfiles are bundled with
	   NGINX, are more updated there and, therefore, are now
	   installed from the NGINX tarball.

	5. "http2" and "http3" have been moved to their
	   nginx_modules_http_v{2,3} counterparts where they actually
	   belong as regular modules.

	6. "ssl" has been moved to nginx_modules_{http,mail,stream}_ssl.

	7. "http-cache" has been removed. It does not even qualify to be
	   a USE flag...

	8. "modules" USE flag has been added to control dynamic modules
	   support.

	9. A substantial amount of USE flags have been added for minor
	   HTTP, stream and mail modules.

    * All the miscellaneous files (configuration file, confd, init
      script) have been revbumped.

    * All the files that previously went into /etc/nginx are now stored
      in /usr/share/nginx, apart from nginx.conf.

    * NGINX's temporary files are now stored in /var/tmp/nginx, instead
      of /var/lib/nginx/tmp.

    * NGINX now uses the access.log and error.log as default log names,
      instead of access_log and error_log.

    * NGINX no longer does strange permission checks for 8-year-old
      CVEs.

Closes: https://bugs.gentoo.org/886537
Closes: https://bugs.gentoo.org/667102
Closes: https://bugs.gentoo.org/578658
Closes: https://bugs.gentoo.org/735020
Closes: https://bugs.gentoo.org/700866
Signed-off-by: Zurab Kvachadze <zurabid2016@gmail.com>
---
 www-servers/nginx/Manifest               |  1 +
 www-servers/nginx/nginx-1.26.1-r2.ebuild | 30 ++++++++++++++++++++++++
 2 files changed, 31 insertions(+)
 create mode 100644 www-servers/nginx/nginx-1.26.1-r2.ebuild

diff --git a/www-servers/nginx/Manifest b/www-servers/nginx/Manifest
index 46b2b1a44166..1c5c432afd04 100644
--- a/www-servers/nginx/Manifest
+++ b/www-servers/nginx/Manifest
@@ -3,6 +3,7 @@ DIST nginx-1.26.1.tar.gz 1244738 BLAKE2B 5df95f6771a93009f5bd1a4038857c29af580d1
 DIST nginx-1.27.0.tar.gz 1244887 BLAKE2B 035ec8d44f7f7df9b0c77e97e353a579642b75f905c1a6be5caf5ff952be9cae7ccc14c0bfce5ab148a11799d308225e9b7155458905b624c12acd09c03dfa44 SHA512 251bfe65c717a8027ef05caae2ab2ea73b9b544577f539a1d419fe6adf0bcc846b73b58f54ea3f102df79aaf340e4fa56793ddadea3cd61bcbbe2364ef94bacb
 DIST nginx-auth-ldap-42d195d7a7575ebab1c369ad3fc5d78dc2c2669c.tar.gz 18457 BLAKE2B 22225ca9e5299b20ab5a93a001cac48e446bd86b3a24ac49e716bc975b128890bdb4b0dbbf5730fbaaeadfd958160093c7a6af798dd0e6de27062f149a760333 SHA512 ec59637fda5acac053e815cb1d04b545fc6b765e5ec63d8c2c9c301abad87afaa2698145acac08e9e14c91e1423ebff7aff0cca2b940b19ccccbf4cf53973269
 DIST nginx-tests-0b5ec15c62ed.tar.gz 282652 BLAKE2B af41397f88f7aa969749c6dd9a77c58d1835bca24fe764dd0af328d621817f5fb89b3f5b5c0fbd1e7db53d51365e9098b020005e27a531649bd8a51a05b3cbb0 SHA512 c376d23c7001c5203428b664c388e97956cdda8365eb7df57db0da5146d0806f5c35cd1352260d6803d55542f46a90da4a604ebf971055caa77dd6106930558e
+DIST nginx-tests-0e9c1a8aa1d4.tar.gz 286643 BLAKE2B 0a768a8e1cc1a364ec36c67cca38882364aa076fbac582861724ad3086184ae76e41dac6698be58c93d4d589366d8e35521ae5e6c14cceff2c372ed731397c1c SHA512 1107a79cf1a6f152fe2e068d4447492c7d0a2fabc74ac1345b8784140a3653a0471ddb8bfbacd627bc148c7d05f3409299495122199ad95a242be9fc8a22aff5
 DIST nginx-vod-module-1.33.tar.gz 471858 BLAKE2B fa5cb9fd185b30c5c53b25a6f103213b3d04dac5d2d81db72f9749a51548e09e3e17dccc636d748aff8d21c6623484c77fdeb10d70854480759665d140d42e0e SHA512 29ef77f1bbdb2410ff317ebdd7434f31b8ec370ae6b617b92e745e87c11bc820b451181d1d2b57156b414348da14ac448b689b32b17ab418144292eda094512d
 DIST nginx_http_sticky_module_ng-1.2.6-10-g08a395c66e42.tar.bz2 124047 BLAKE2B d37ef9a15c91abe3c6258e420d1f99fa452f9d9966a0e13102174973314a3bac5413957a5fe632a9dcb1163b3be5df8116e05cc053ee061e19319ec25f341570 SHA512 6c1bfdcf89884b2855d51ae7da0f6e53a4ca3629e1aaf58433b70c07dcb2af797ba6e87d9b3eb4fe2fb6d4d697e862f2b4c2f8d8b3fdaea201740c97ec936529
 DIST ngx_brotli-1.0.0rc.tar.gz 16207 BLAKE2B 450d0ea693bd98d4a1b615f2cdcaad41ccd28266f6d80beec7fe77fe750ab8c5d1bb55aabe15161b9b6d819d2b4d99a7774f2706f2f6fd084b52a7c7dddbc00c SHA512 05a880d5e48ac83be84498ed41fb4750211b827a9d7541acfd6ef494e5205a6e853d5594bfec3ab4ae668ea3f803e4f4b0ba550c76811971c8e266e42663c56d
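
Review bot: Only the nginx-tests-0e9c1a8aa1d4 entry is added here, and the context lines still carry nginx-tests-0b5ec15c62ed plus the distfiles of the bundled third-party modules (nginx-auth-ldap, nginx-vod-module, ngx_brotli and others). That is correct while an ebuild referencing them stays in the tree, but the commit message says these modules are unbundled, so it should state when those entries are going to be pruned.
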
diff --git a/www-servers/nginx/nginx-1.26.1-r2.ebuild b/www-servers/nginx/nginx-1.26.1-r2.ebuild
new file mode 100644
index 000000000000..3a877df22b13
--- /dev/null
+++ b/www-servers/nginx/nginx-1.26.1-r2.ebuild
@@ -0,0 +1,30 @@
+# Copyright 1999-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+KEYWORDS="~amd64 ~arm ~arm64 ~loong ~ppc ~ppc64 ~riscv ~x86 ~amd64-linux ~x86-linux"
+
+NGINX_SUBSYSTEMS=(+http stream mail)
+NGINX_MODULES=(
+	+http_{charset,gzip,ssi,userid,access,auth_basic,mirror,autoindex,geo,map}
+	+http_{split_clients,referer,rewrite,proxy,fastcgi,uwsgi,scgi,grpc}
+	+http_{memcached,limit_conn,limit_req,empty_gif,browser,upstream_hash}
+	+http_{upstream_ip_hash,upstream_least_conn,upstream_random}
+	+http_{upstream_keepalive,upstream_zone}
+	http_{ssl,v2,v3,realip,addition,xslt,image_filter,geoip,sub,dav,flv,mp4}
+	http_{gunzip,gzip_static,auth_request,random_index,secure_link,degradation}
+	http_{slice,stub_status,perl}
+	+mail_{pop3,imap,smtp}
+	mail_ssl
+	+stream_{limit_conn,access,geo,map,split_clients,return,pass,set}
+	+stream_{upstream_hash,upstream_least_conn,upstream_random,upstream_zone}
+	stream_{ssl,realip,geoip,ssl_preread}
+)
+NGINX_UPDATE_STREAM=stable
+NGINX_TESTS_RV=0e9c1a8aa1d4
+NGINX_MISC_FILES=(
+	nginx-{r2.logrotate,r2.service,r4.conf,r5.initd,r1.confd}
+)
+
+inherit nginx
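
Review bot: In NGINX_MODULES, http_ssl, mail_ssl and stream_ssl carry no "+" prefix, so (assuming "+" marks default-enabled flags, as with "+http" in NGINX_SUBSYSTEMS) a default build of this revision has no TLS support in any subsystem. The commit message says the old "ssl" flag moved to these names; a user who had "ssl" set gets a rebuild without TLS unless they set the new flags. Consider "+http_ssl", or a news item or pkg_pretend check that points at the new flag names.
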
-- 
2.44.2




* [gentoo-dev] [RFC PATCH 14/19] www-servers/nginx: revbump 1.27.0-r1 to 1.27.0-r2, use nginx.eclass
  2024-07-17 12:05 [gentoo-dev] [RFC PATCH 00/19] Rework NGINX packaging in Gentoo by introducing nginx{,-module}.eclass Zurab Kvachadze
                   ` (12 preceding siblings ...)
  2024-07-17 12:05 ` [gentoo-dev] [RFC PATCH 13/19] www-servers/nginx: revbump 1.26.1-r1 to 1.26.1-r2, use nginx.eclass Zurab Kvachadze
@ 2024-07-17 12:05 ` Zurab Kvachadze
  2024-07-17 12:05 ` [gentoo-dev] [RFC PATCH 15/19] www-servers/nginx: add 9999 live version, " Zurab Kvachadze
                   ` (4 subsequent siblings)
  18 siblings, 0 replies; 30+ messages in thread
From: Zurab Kvachadze @ 2024-07-17 12:05 UTC (permalink / raw
  To: gentoo-dev; +Cc: Zurab Kvachadze

This commit is identical to the previous one, with the mainline
1.27.0 NGINX version being made to utilize nginx.eclass.

See the previous commit for the list of changes.

Signed-off-by: Zurab Kvachadze <zurabid2016@gmail.com>
---
 .../nginx/{nginx-1.26.1-r2.ebuild => nginx-1.27.0-r2.ebuild}    | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 copy www-servers/nginx/{nginx-1.26.1-r2.ebuild => nginx-1.27.0-r2.ebuild} (97%)

diff --git a/www-servers/nginx/nginx-1.26.1-r2.ebuild b/www-servers/nginx/nginx-1.27.0-r2.ebuild
similarity index 97%
copy from www-servers/nginx/nginx-1.26.1-r2.ebuild
copy to www-servers/nginx/nginx-1.27.0-r2.ebuild
index 3a877df22b13..aa0297e32488 100644
--- a/www-servers/nginx/nginx-1.26.1-r2.ebuild
+++ b/www-servers/nginx/nginx-1.27.0-r2.ebuild
@@ -21,7 +21,7 @@ NGINX_MODULES=(
 	+stream_{upstream_hash,upstream_least_conn,upstream_random,upstream_zone}
 	stream_{ssl,realip,geoip,ssl_preread}
 )
-NGINX_UPDATE_STREAM=stable
+NGINX_UPDATE_STREAM=mainline
 NGINX_TESTS_RV=0e9c1a8aa1d4
 NGINX_MISC_FILES=(
 	nginx-{r2.logrotate,r2.service,r4.conf,r5.initd,r1.confd}
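
Review bot: NGINX_TESTS_RV stays at 0e9c1a8aa1d4, the same nginx-tests revision the 1.26.1-r2 ebuild pins, while NGINX_UPDATE_STREAM changes to mainline. Please confirm that this test-suite snapshot is the intended one for 1.27.0 as well, or pin a revision that matches the 1.27.0 release.
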
-- 
2.44.2




* [gentoo-dev] [RFC PATCH 15/19] www-servers/nginx: add 9999 live version, use nginx.eclass
  2024-07-17 12:05 [gentoo-dev] [RFC PATCH 00/19] Rework NGINX packaging in Gentoo by introducing nginx{,-module}.eclass Zurab Kvachadze
                   ` (13 preceding siblings ...)
  2024-07-17 12:05 ` [gentoo-dev] [RFC PATCH 14/19] www-servers/nginx: revbump 1.27.0-r1 to 1.27.0-r2, " Zurab Kvachadze
@ 2024-07-17 12:05 ` Zurab Kvachadze
  2024-07-17 12:05 ` [gentoo-dev] [RFC PATCH 16/19] www-nginx/ngx_devel_kit: new package, add 0.3.3 Zurab Kvachadze
                   ` (3 subsequent siblings)
  18 siblings, 0 replies; 30+ messages in thread
From: Zurab Kvachadze @ 2024-07-17 12:05 UTC (permalink / raw
  To: gentoo-dev; +Cc: Zurab Kvachadze

This commit adds the live Mercurial version of NGINX to the Gentoo tree,
making use of nginx.eclass.

Signed-off-by: Zurab Kvachadze <zurabid2016@gmail.com>
---
 .../nginx/{nginx-1.26.1-r2.ebuild => nginx-9999.ebuild}     | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)
 copy www-servers/nginx/{nginx-1.26.1-r2.ebuild => nginx-9999.ebuild} (87%)

diff --git a/www-servers/nginx/nginx-1.26.1-r2.ebuild b/www-servers/nginx/nginx-9999.ebuild
similarity index 87%
copy from www-servers/nginx/nginx-1.26.1-r2.ebuild
copy to www-servers/nginx/nginx-9999.ebuild
index 3a877df22b13..f0ee3aa9ac2b 100644
--- a/www-servers/nginx/nginx-1.26.1-r2.ebuild
+++ b/www-servers/nginx/nginx-9999.ebuild
@@ -3,8 +3,6 @@
 
 EAPI=8
 
-KEYWORDS="~amd64 ~arm ~arm64 ~loong ~ppc ~ppc64 ~riscv ~x86 ~amd64-linux ~x86-linux"
-
 NGINX_SUBSYSTEMS=(+http stream mail)
 NGINX_MODULES=(
 	+http_{charset,gzip,ssi,userid,access,auth_basic,mirror,autoindex,geo,map}
@@ -21,8 +19,8 @@ NGINX_MODULES=(
 	+stream_{upstream_hash,upstream_least_conn,upstream_random,upstream_zone}
 	stream_{ssl,realip,geoip,ssl_preread}
 )
-NGINX_UPDATE_STREAM=stable
-NGINX_TESTS_RV=0e9c1a8aa1d4
+NGINX_UPDATE_STREAM=live
+NGINX_TESTS_RV=live
 NGINX_MISC_FILES=(
 	nginx-{r2.logrotate,r2.service,r4.conf,r5.initd,r1.confd}
 )
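
Review bot: With NGINX_TESTS_RV=live the test suite is no longer pinned to a revision, and the diffstat shows no Manifest change, so neither the server source nor the tests are checksum-verified for this ebuild. That is normal for a 9999 ebuild, but the accepted values of NGINX_TESTS_RV ("live" versus a revision hash) should be documented next to the variable in nginx.eclass, so the difference is visible to whoever copies this file for a release.
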
-- 
2.44.2




* [gentoo-dev] [RFC PATCH 16/19] www-nginx/ngx_devel_kit: new package, add 0.3.3
  2024-07-17 12:05 [gentoo-dev] [RFC PATCH 00/19] Rework NGINX packaging in Gentoo by introducing nginx{,-module}.eclass Zurab Kvachadze
                   ` (14 preceding siblings ...)
  2024-07-17 12:05 ` [gentoo-dev] [RFC PATCH 15/19] www-servers/nginx: add 9999 live version, " Zurab Kvachadze
@ 2024-07-17 12:05 ` Zurab Kvachadze
  2024-07-17 12:05 ` [gentoo-dev] [RFC PATCH 17/19] www-nginx/ngx-echo: new package, add 0.63 Zurab Kvachadze
                   ` (2 subsequent siblings)
  18 siblings, 0 replies; 30+ messages in thread
From: Zurab Kvachadze @ 2024-07-17 12:05 UTC (permalink / raw
  To: gentoo-dev; +Cc: Zurab Kvachadze

Signed-off-by: Zurab Kvachadze <zurabid2016@gmail.com>
---
 www-nginx/ngx_devel_kit/Manifest              |  1 +
 .../ngx_devel_kit}/metadata.xml               |  2 +-
 .../ngx_devel_kit/ngx_devel_kit-0.3.3.ebuild  | 28 +++++++++++++++++++
 3 files changed, 30 insertions(+), 1 deletion(-)
 create mode 100644 www-nginx/ngx_devel_kit/Manifest
 copy {app-admin/apachetop => www-nginx/ngx_devel_kit}/metadata.xml (75%)
 create mode 100644 www-nginx/ngx_devel_kit/ngx_devel_kit-0.3.3.ebuild

diff --git a/www-nginx/ngx_devel_kit/Manifest b/www-nginx/ngx_devel_kit/Manifest
new file mode 100644
index 000000000000..0b49273ba80a
--- /dev/null
+++ b/www-nginx/ngx_devel_kit/Manifest
@@ -0,0 +1 @@
+DIST ngx_devel_kit-0.3.3.tar.gz 66561 BLAKE2B c617a35fe2dc3dd3c6e3bd0d9bd664879c5e7162dfb54bf6f3177e59978ecc9a44e1776c5426257eb09bf56c20e0761d44784e0f19c5f973d27775d81ee96dc3 SHA512 a255e3a4a9b902b3e15140dc88bbbb152b0a9cdc64604152de41e1b254e81aa2a1e2c95c06cb4905c1520886acf9070031d63913b53fe98b034f8adad2bccf61
diff --git a/app-admin/apachetop/metadata.xml b/www-nginx/ngx_devel_kit/metadata.xml
similarity index 75%
copy from app-admin/apachetop/metadata.xml
copy to www-nginx/ngx_devel_kit/metadata.xml
index 3e1e79272826..6f012c474999 100644
--- a/app-admin/apachetop/metadata.xml
+++ b/www-nginx/ngx_devel_kit/metadata.xml
@@ -3,6 +3,6 @@
 <pkgmetadata>
 	<!-- maintainer-needed -->
 	<upstream>
-		<remote-id type="github">tessus/apachetop</remote-id>
+		<remote-id type="github">vision5/ngx_devel_kit</remote-id>
 	</upstream>
 </pkgmetadata>
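
Review bot: The "<!-- maintainer-needed -->" comment is carried over from the copied apachetop template, so this new package enters the tree with no maintainer. The ebuild below installs headers that other modules build against; add a <maintainer> element, or say in the commit message why the package is added unmaintained.
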
diff --git a/www-nginx/ngx_devel_kit/ngx_devel_kit-0.3.3.ebuild b/www-nginx/ngx_devel_kit/ngx_devel_kit-0.3.3.ebuild
new file mode 100644
index 000000000000..36aea5d644bc
--- /dev/null
+++ b/www-nginx/ngx_devel_kit/ngx_devel_kit-0.3.3.ebuild
@@ -0,0 +1,28 @@
+# Copyright 1999-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+DESCRIPTION="An NGINX module that adds generic tools for third-party modules"
+HOMEPAGE="https://github.com/vision5/ngx_devel_kit"
+
+SRC_URI="
+	https://github.com/vision5/ngx_devel_kit/archive/refs/tags/v${PV}.tar.gz -> ${P}.tar.gz
+"
+LICENSE="BSD"
+
+SLOT=0
+
+inherit nginx-module
+
+src_configure() {
+	append-cflags -DNDK_ALL
+	nginx-module_src_configure
+}
+
+src_install() {
+	nginx-module_src_install
+	cd "${NGINX_MOD_S}" || die "cd failed"
+	# Install ngx_devel_kit's headers for use by other modules.
+	insinto /usr/include/nginx/modules
+	find objs src -maxdepth 1 -type f -name '*.h' -print0 | xargs -0 doins || die "doins failed"
+}
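
Review bot: In src_install, "find ... -print0 | xargs -0 doins || die" has two problems. xargs can only run doins when the package manager provides it as an external command, which the ebuild should not rely on, and without pipefail the "|| die" tests only xargs, so a failing find goes unnoticed. Collect the file list into an array first and call doins on it directly. doins also flattens paths, so a header with the same name in objs and src would overwrite the other. Separately, append-cflags comes from flag-o-matic, which this ebuild does not inherit itself, and -DNDK_ALL is a preprocessor define that belongs in append-cppflags.
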
-- 
2.44.2




* [gentoo-dev] [RFC PATCH 17/19] www-nginx/ngx-echo: new package, add 0.63
  2024-07-17 12:05 [gentoo-dev] [RFC PATCH 00/19] Rework NGINX packaging in Gentoo by introducing nginx{,-module}.eclass Zurab Kvachadze
                   ` (15 preceding siblings ...)
  2024-07-17 12:05 ` [gentoo-dev] [RFC PATCH 16/19] www-nginx/ngx_devel_kit: new package, add 0.3.3 Zurab Kvachadze
@ 2024-07-17 12:05 ` Zurab Kvachadze
  2024-07-17 12:05 ` [gentoo-dev] [RFC PATCH 18/19] www-nginx/ngx-encrypted-session: new package, add 0.09 Zurab Kvachadze
  2024-07-17 12:05 ` [gentoo-dev] [RFC PATCH 19/19] www-nginx/ngx-set-misc: new package, add 0.33 Zurab Kvachadze
  18 siblings, 0 replies; 30+ messages in thread
From: Zurab Kvachadze @ 2024-07-17 12:05 UTC (permalink / raw
  To: gentoo-dev; +Cc: Zurab Kvachadze

Signed-off-by: Zurab Kvachadze <zurabid2016@gmail.com>
---
 www-nginx/ngx-echo/Manifest                    |  1 +
 .../evtest => www-nginx/ngx-echo}/metadata.xml |  2 +-
 www-nginx/ngx-echo/ngx-echo-0.63.ebuild        | 18 ++++++++++++++++++
 3 files changed, 20 insertions(+), 1 deletion(-)
 create mode 100644 www-nginx/ngx-echo/Manifest
 copy {app-misc/evtest => www-nginx/ngx-echo}/metadata.xml (75%)
 create mode 100644 www-nginx/ngx-echo/ngx-echo-0.63.ebuild

diff --git a/www-nginx/ngx-echo/Manifest b/www-nginx/ngx-echo/Manifest
new file mode 100644
index 000000000000..a6f587dfaa80
--- /dev/null
+++ b/www-nginx/ngx-echo/Manifest
@@ -0,0 +1 @@
+DIST ngx-echo-0.63.tar.gz 53421 BLAKE2B 613d4f265b9bcf9b4a44a18749314075e797dca4b350e6c4bc2e7ddd52edadc52660504ee57d0c859ec0a20f6b2e425727e5ec4b30282e67498010fc8d959baa SHA512 c325ac4e3f3f735739e156d8c7ada503b34475c62533b4830231ff1b42c25cb0c841aae06b3448b589c2ab35da8d211436ed194d6fd062cad925af8152c5e789
diff --git a/app-misc/evtest/metadata.xml b/www-nginx/ngx-echo/metadata.xml
similarity index 75%
copy from app-misc/evtest/metadata.xml
copy to www-nginx/ngx-echo/metadata.xml
index 9b4bef61e542..47ca4e8b3ba4 100644
--- a/app-misc/evtest/metadata.xml
+++ b/www-nginx/ngx-echo/metadata.xml
@@ -3,6 +3,6 @@
 <pkgmetadata>
 	<!-- maintainer-needed -->
 	<upstream>
-		<remote-id type="freedesktop-gitlab">libevdev/evtest</remote-id>
+		<remote-id type="github">openresty/echo-nginx-module</remote-id>
 	</upstream>
 </pkgmetadata>
diff --git a/www-nginx/ngx-echo/ngx-echo-0.63.ebuild b/www-nginx/ngx-echo/ngx-echo-0.63.ebuild
new file mode 100644
index 000000000000..5a2c31bc6f66
--- /dev/null
+++ b/www-nginx/ngx-echo/ngx-echo-0.63.ebuild
@@ -0,0 +1,18 @@
+# Copyright 1999-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+DESCRIPTION='An NGINX module bringing the power of "echo", "sleep", "time" and more to NGINX'
+HOMEPAGE="https://github.com/openresty/echo-nginx-module"
+
+SRC_URI="
+	https://github.com/openresty/echo-nginx-module/archive/refs/tags/v${PV}.tar.gz -> ${P}.tar.gz
+"
+LICENSE="BSD-2"
+
+SLOT=0
+
+MY_PN="echo-nginx-module"
+inherit nginx-module
+
+NGINX_MOD_S="${WORKDIR}/${MY_PN}-${PV}"
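
Review bot: The ebuild sets no KEYWORDS (the same holds for the other www-nginx ebuilds in this series), so unless nginx-module.eclass provides them the package is not installable on any architecture without the user accepting an empty keyword set; if that is intentional for the RFC, say so, otherwise add the testing keywords. NGINX_MOD_S is assigned after "inherit nginx-module" while MY_PN sits before it; please document in the eclass that NGINX_MOD_S may be overridden after inherit, since the ordering here depends on it.
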
-- 
2.44.2




* [gentoo-dev] [RFC PATCH 18/19] www-nginx/ngx-encrypted-session: new package, add 0.09
  2024-07-17 12:05 [gentoo-dev] [RFC PATCH 00/19] Rework NGINX packaging in Gentoo by introducing nginx{,-module}.eclass Zurab Kvachadze
                   ` (16 preceding siblings ...)
  2024-07-17 12:05 ` [gentoo-dev] [RFC PATCH 17/19] www-nginx/ngx-echo: new package, add 0.63 Zurab Kvachadze
@ 2024-07-17 12:05 ` Zurab Kvachadze
  2024-07-17 12:05 ` [gentoo-dev] [RFC PATCH 19/19] www-nginx/ngx-set-misc: new package, add 0.33 Zurab Kvachadze
  18 siblings, 0 replies; 30+ messages in thread
From: Zurab Kvachadze @ 2024-07-17 12:05 UTC (permalink / raw
  To: gentoo-dev; +Cc: Zurab Kvachadze

Signed-off-by: Zurab Kvachadze <zurabid2016@gmail.com>
---
 www-nginx/ngx-encrypted-session/Manifest      |  1 +
 .../ngx-encrypted-session}/metadata.xml       |  2 +-
 .../ngx-encrypted-session-0.09.ebuild         | 32 +++++++++++++++++++
 3 files changed, 34 insertions(+), 1 deletion(-)
 create mode 100644 www-nginx/ngx-encrypted-session/Manifest
 copy {app-admin/apachetop => www-nginx/ngx-encrypted-session}/metadata.xml (70%)
 create mode 100644 www-nginx/ngx-encrypted-session/ngx-encrypted-session-0.09.ebuild

diff --git a/www-nginx/ngx-encrypted-session/Manifest b/www-nginx/ngx-encrypted-session/Manifest
new file mode 100644
index 000000000000..bf079459db04
--- /dev/null
+++ b/www-nginx/ngx-encrypted-session/Manifest
@@ -0,0 +1 @@
+DIST ngx-encrypted-session-0.09.tar.gz 11847 BLAKE2B 2e923054c34c9b2d3c799280c331c8288444c7f59bc6ea4858e680c81e28f7d8595006474326739c804d6949e3b74b67ce643ed9e196695affb8c275065a4fee SHA512 399ce2690e85ee27802e8031954a1a3aa3fdc9246e17323a72a298d235931a8dbebdcb121ac8788e074872df0ef5b5a8a3d512b17fbe860b38f696ce42de3655
diff --git a/app-admin/apachetop/metadata.xml b/www-nginx/ngx-encrypted-session/metadata.xml
similarity index 70%
copy from app-admin/apachetop/metadata.xml
copy to www-nginx/ngx-encrypted-session/metadata.xml
index 3e1e79272826..b2aff3f9f809 100644
--- a/app-admin/apachetop/metadata.xml
+++ b/www-nginx/ngx-encrypted-session/metadata.xml
@@ -3,6 +3,6 @@
 <pkgmetadata>
 	<!-- maintainer-needed -->
 	<upstream>
-		<remote-id type="github">tessus/apachetop</remote-id>
+		<remote-id type="github">openresty/encrypted-session-nginx-module</remote-id>
 	</upstream>
 </pkgmetadata>
diff --git a/www-nginx/ngx-encrypted-session/ngx-encrypted-session-0.09.ebuild b/www-nginx/ngx-encrypted-session/ngx-encrypted-session-0.09.ebuild
new file mode 100644
index 000000000000..d74c968f7037
--- /dev/null
+++ b/www-nginx/ngx-encrypted-session/ngx-encrypted-session-0.09.ebuild
@@ -0,0 +1,32 @@
+# Copyright 1999-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+DESCRIPTION="An NGINX module that encrypts and decrypts NGINX variable values"
+HOMEPAGE="https://github.com/openresty/encrypted-session-nginx-module"
+
+SRC_URI="
+	https://github.com/openresty/encrypted-session-nginx-module/archive/refs/tags/v${PV}.tar.gz -> ${P}.tar.gz
+"
+LICENSE="BSD-2"
+
+SLOT=0
+
+MY_PN="encrypted-session-nginx-module"
+inherit nginx-module
+
+NGINX_MOD_S="${WORKDIR}/${MY_PN}-${PV}"
+
+DEPEND="
+	dev-libs/openssl
+	www-nginx/ngx_devel_kit
+"
+RDEPEND="${DEPEND}"
+
+src_configure() {
+	append-cflags -DNDK
+	sed -E -i 's/^(\s*ngx_module_libs)=$/\1=-lcrypto/' "${NGINX_MOD_S}/config" ||
+		die "sed failed"
+	export NDK_SRCS="ndk.c"
+	nginx-module_src_configure
+}
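
Review bot: The sed on "${NGINX_MOD_S}/config" runs in src_configure and exits 0 even when the pattern matches nothing, so "|| die" never fires if upstream changes the "ngx_module_libs=" line, and the module is then configured without -lcrypto. Move the edit to src_prepare (as the ngx-set-misc ebuild in this series does) and either ship it as a patch or grep for "-lcrypto" afterwards and die when it is missing. Since the module links libcrypto, the dependency should be "dev-libs/openssl:=" so the module is rebuilt on an OpenSSL ABI change, and -DNDK is a preprocessor define that belongs in append-cppflags.
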
-- 
2.44.2




* [gentoo-dev] [RFC PATCH 19/19] www-nginx/ngx-set-misc: new package, add 0.33
  2024-07-17 12:05 [gentoo-dev] [RFC PATCH 00/19] Rework NGINX packaging in Gentoo by introducing nginx{,-module}.eclass Zurab Kvachadze
                   ` (17 preceding siblings ...)
  2024-07-17 12:05 ` [gentoo-dev] [RFC PATCH 18/19] www-nginx/ngx-encrypted-session: new package, add 0.09 Zurab Kvachadze
@ 2024-07-17 12:05 ` Zurab Kvachadze
  18 siblings, 0 replies; 30+ messages in thread
From: Zurab Kvachadze @ 2024-07-17 12:05 UTC (permalink / raw
  To: gentoo-dev; +Cc: Zurab Kvachadze

The build system of this package automagically enables HMAC support
based on SSL functionality being enabled in the installed NGINX.

In order to enable this support independently, via a USE flag, a "hack"
is applied: only if GENTOO_USE_HMAC environmental variable and
preprocessor definition are defined, HMAC support is enabled.

Signed-off-by: Zurab Kvachadze <zurabid2016@gmail.com>
---
 www-nginx/ngx-set-misc/Manifest               |  1 +
 .../ngx-set-misc}/metadata.xml                |  9 ++--
 .../ngx-set-misc/ngx-set-misc-0.33.ebuild     | 50 +++++++++++++++++++
 3 files changed, 55 insertions(+), 5 deletions(-)
 create mode 100644 www-nginx/ngx-set-misc/Manifest
 copy {app-containers/apptainer => www-nginx/ngx-set-misc}/metadata.xml (54%)
 create mode 100644 www-nginx/ngx-set-misc/ngx-set-misc-0.33.ebuild

diff --git a/www-nginx/ngx-set-misc/Manifest b/www-nginx/ngx-set-misc/Manifest
new file mode 100644
index 000000000000..34be9e483747
--- /dev/null
+++ b/www-nginx/ngx-set-misc/Manifest
@@ -0,0 +1 @@
+DIST ngx-set-misc-0.33.tar.gz 30084 BLAKE2B 1aabf47e86946054d128a10290c36829152d427cf415378f5042e00e428baaf94a91e1d8ee1037b8a40197637c721492b01a82c800064decb9471149ad47bcff SHA512 1ff4c947538a5bd5f9d6adcd87b37f2702f5cc90e3342bc08359cbe8f290b705a3a2daa3dedfb1df3ce4bc19478c8fcac07081c4a53a804fc2862d50078278dc
diff --git a/app-containers/apptainer/metadata.xml b/www-nginx/ngx-set-misc/metadata.xml
similarity index 54%
copy from app-containers/apptainer/metadata.xml
copy to www-nginx/ngx-set-misc/metadata.xml
index c461d956342a..4a396a61a564 100644
--- a/app-containers/apptainer/metadata.xml
+++ b/www-nginx/ngx-set-misc/metadata.xml
@@ -2,11 +2,10 @@
 <!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
 <pkgmetadata>
 	<!-- maintainer-needed -->
-	<use>
-		<flag name="network">Install network plug-ins</flag>
-		<flag name="suid">Install SUID helper binary</flag>
-	</use>
 	<upstream>
-		<remote-id type="github">apptainer/apptainer</remote-id>
+		<remote-id type="github">openresty/set-misc-nginx-module</remote-id>
 	</upstream>
+	<use>
+		<flag name="hmac">Enable support for generating HMAC digests using <pkg>dev-libs/openssl</pkg></flag>
+	</use>
 </pkgmetadata>
diff --git a/www-nginx/ngx-set-misc/ngx-set-misc-0.33.ebuild b/www-nginx/ngx-set-misc/ngx-set-misc-0.33.ebuild
new file mode 100644
index 000000000000..9869cf207c11
--- /dev/null
+++ b/www-nginx/ngx-set-misc/ngx-set-misc-0.33.ebuild
@@ -0,0 +1,50 @@
+# Copyright 1999-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+DESCRIPTION="An NGINX module that adds various set_xxx directives to NGINX's rewrite module"
+HOMEPAGE="https://github.com/openresty/set-misc-nginx-module"
+
+SRC_URI="
+	https://github.com/openresty/set-misc-nginx-module/archive/refs/tags/v${PV}.tar.gz -> ${P}.tar.gz
+"
+LICENSE="BSD-2"
+
+SLOT=0
+
+MY_PN="set-misc-nginx-module"
+
+inherit nginx-module
+
+NGINX_MOD_S="${WORKDIR}/${MY_PN}-${PV}"
+
+IUSE="+hmac"
+
+DEPEND="
+	www-nginx/ngx_devel_kit
+	hmac? ( dev-libs/openssl )
+"
+RDEPEND="${DEPEND}"
+
+src_prepare() {
+	sed -E -i 's/USE_OPENSSL|MAIL_SSL/GENTOO_USE_HMAC/g' \
+		"${NGINX_MOD_S}/config" || die "sed failed"
+	sed -i 's/NGX_OPENSSL/GENTOO_USE_HMAC/g' \
+		"${NGINX_MOD_S}/src/ngx_http_set_misc_module.c" || die "sed failed"
+	if use hmac; then
+		sed -E -i 's/^(\s*ngx_module_libs)=$/\1=-lcrypto/' \
+			"${NGINX_MOD_S}/config" || die "sed failed"
+	fi
+	nginx-module_src_prepare
+}
+
+src_configure() {
+	append-cflags -DNDK
+	export NDK_SRCS="ndk.c"
+	export GENTOO_USE_HMAC=NO
+	if use hmac; then
+		export GENTOO_USE_HMAC=YES
+		append-cflags -DGENTOO_USE_HMAC=1
+	fi
+	nginx-module_src_configure
+}
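
Review bot: In src_prepare, every sed is followed by "|| die", but sed exits 0 when its pattern matches nothing, so if upstream's config no longer has a bare "ngx_module_libs=" line the USE=hmac build carries on without -lcrypto and nothing fails at this step. Consider checking that the expected pattern is present before editing (for example grep -q on the same expression, then die). Two smaller points: with hmac enabled the module links against libcrypto, so the dependency would normally carry a slot operator ("dev-libs/openssl:="), and src_configure calls append-cflags while the ebuild itself inherits only nginx-module, which relies on that eclass providing flag-o-matic.
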
-- 
2.44.2




* Re: [gentoo-dev] [RFC PATCH 04/19] www-servers/nginx: add nginx-r5.initd
  2024-07-17 12:05 ` [gentoo-dev] [RFC PATCH 04/19] www-servers/nginx: add nginx-r5.initd Zurab Kvachadze
@ 2024-07-17 12:41   ` Michael Orlitzky
  2024-07-19  9:20     ` Zurab Kvachadze
  0 siblings, 1 reply; 30+ messages in thread
From: Michael Orlitzky @ 2024-07-17 12:41 UTC (permalink / raw
  To: gentoo-dev

On Wed, 2024-07-17 at 15:05 +0300, Zurab Kvachadze wrote:
> 
> +NGINX_CONFIGFILE=${NGINX_CONFIGFILE:-/etc/nginx/nginx.conf}
> +pidfile=${NGINX_PIDFILE:-/run/nginx.pid}

OpenRC allows you to run multiple instances of the same service by
creating symlinks in /etc/init.d. For example, I might symlink
nginx-internal to nginx, and then run,

  # rc-service nginx-internal start

The two configurable variables above make this possible, but require
the user to create a new /etc/conf.d/nginx-internal file to override
them. It would be a small improvement to use $RC_SVCNAME instead of
"nginx" as the default. That way, for the new service, they would be
/run/nginx-internal.pid and /etc/nginx/nginx-internal.conf.

In fact, I would delete the NGINX_PIDFILE variable entirely, leaving it
at /run/${RC_SVCNAME}.pid. There's no reason for anyone to change it.
You can force the daemon to use that path with -g "pid ${pidfile}",
relieving you of the responsibility to coordinate with the config file.



> +depend() {
> +	need net
> +	use dns logger netmount
> +}

I don't think "need net" is right here because nginx starts fine on
localhost or 0.0.0.0 until you configure it to use a specific address.

There's a section called "Be wary of 'need net' dependencies" in,

  /usr/share/doc/openrc-*/service-script-guide.md.bz2

that talks about this.


> +start_pre() {
> +	checkpath -d -o root:root /var/tmp/nginx || return 1
> +}
> +

The old script had,

    if [ "${RC_CMD}" != "restart" ]; then
        configtest || return 1
    fi

here. If "nginx -t" produces better error messages than plain nginx,
that might be the reason. But otherwise it's redundant.




* Re: [gentoo-dev] [RFC PATCH 04/19] www-servers/nginx: add nginx-r5.initd
  2024-07-17 12:41   ` Michael Orlitzky
@ 2024-07-19  9:20     ` Zurab Kvachadze
  2024-07-19 10:31       ` Michael Orlitzky
  0 siblings, 1 reply; 30+ messages in thread
From: Zurab Kvachadze @ 2024-07-19  9:20 UTC (permalink / raw
  To: gentoo-dev

I apologise for such a delayed response. We're having major electricity
outages here and I couldn't find the possibility to address your review.
Nonetheless, here we are :)

On Wed, 2024-07-17 at 08:41 +0000, Michael Orlitzky wrote:
> On Wed, 2024-07-17 at 15:05 +0300, Zurab Kvachadze wrote:
> > 
> > +NGINX_CONFIGFILE=${NGINX_CONFIGFILE:-/etc/nginx/nginx.conf}
> > +pidfile=${NGINX_PIDFILE:-/run/nginx.pid}
>
> [...]
> 
> In fact, I would delete the NGINX_PIDFILE variable entirely, leaving it
> at /run/${RC_SVCNAME}.pid. There's no reason for anyone to change it.
> You can force the daemon to use that path with -g "pid ${pidfile}",
> relieving you of the responsibility to coordinate with the config file.

I didn't even know of this OpenRC feature! As you explained it, the
removal of NGINX_{CONFIG,PID}FILE totally makes sense. Should I also add
'-g "pid ${pidfile};"' to command_args for your example with
'nginx-internal' to work automatically without any conf.d tinkering?
Anyway, I will apply both changes (or only the first one) to v2 of the
patch series.


> > +depend() {
> > +	need net
> > +	use dns logger netmount
> > +}
> 
> I don't think "need net" is right here because nginx starts fine on
> localhost or 0.0.0.0 until you configure it to use a specific address.

Initially, I also wanted to remove the aforementioned line, but my
final decision was to leave it alone, because I wasn't really sure of its
uselessness. Now that you've explained it (and after reading the service
writing guide) I see that this directive is of no use and, thus, will be
removed in the second version of this MR.


> > +start_pre() {
> > +	checkpath -d -o root:root /var/tmp/nginx || return 1
> > +}
> > +
> 
> The old script had,
> 
>     if [ "${RC_CMD}" != "restart" ]; then
>         configtest || return 1
>     fi
> 
> here. If "nginx -t" produces better error messages than plain nginx,
> that might be the reason. But otherwise it's redundant.

With nginx.eclass, the build flags now configure NGINX to store its
temporary files in /var/tmp/nginx. Yet, NGINX doesn't create it by
itself, but rather aborts its execution if /var/tmp/nginx doesn't exist.
This is why I added the 'checkpath' line. As for the configtest, it's
redundant.

When NGINX is executed, it checks the configuration, making it
unnecessary to check the same thing beforehand (the error reporting is
identical anyway). configtest just duplicates NGINX's work and this may
lead to twice the time to bring NGINX up, which may matter if large "geo
module bases" are used[1].

[1]: https://bugs.gentoo.org/481456#c0



* Re: [gentoo-dev] [RFC PATCH 04/19] www-servers/nginx: add nginx-r5.initd
  2024-07-19  9:20     ` Zurab Kvachadze
@ 2024-07-19 10:31       ` Michael Orlitzky
  2024-07-19 16:33         ` Zurab Kvachadze
  0 siblings, 1 reply; 30+ messages in thread
From: Michael Orlitzky @ 2024-07-19 10:31 UTC (permalink / raw
  To: gentoo-dev

On Fri, 2024-07-19 at 09:20 +0000, Zurab Kvachadze wrote:
> 
> I didn't even know of this OpenRC feature! As you explained it, the
> removal of NGINX_{CONFIG,PID}FILE totally makes sense. Should I also add
> '-g "pid ${pidfile};"' to command_args for your example with
> 'nginx-internal' to work automatically without any conf.d tinkering?

Yes I think so. The ability to specify the PID path inside of a config
file is a misfeature IMO. The person starting the daemon (OpenRC, in
this case) is the only one who needs to care about the PID file, and
having it in a config file just means that you have to change it in two
places if you ever do decide to change it. It's much simpler to ignore
the conf file (with -g pid ...) and let the init script be the source
of truth.

Very rarely someone will complain that they tried to change the PID
location in their config file and it didn't work... but if you think
about it for a second, that wouldn't have worked anyway.



> With nginx.eclass, the build flags now configure NGINX to store its
> temporary files in /var/tmp/nginx. Yet, NGINX doesn't create it by
> itself, but rather aborts its execution if /var/tmp/nginx doesn't exist.
> This is why I added the 'checkpath' line. As for the configtest, it's
> redundant.
> 
> When NGINX is executed, it checks the configuration, making it
> unnecessary to check the same thing beforehand (the error reporting is
> identical anyway). configtest just duplicates NGINX's work and this may
> lead to twice the time to bring NGINX up, which may matter if large "geo
> module bases" are used[1].
> 

Ok, no problem. I understood the checkpath but was curious about the
quality of the error message with checkconfig() vs start(). Thanks for
working on this!





* Re: [gentoo-dev] [RFC PATCH 04/19] www-servers/nginx: add nginx-r5.initd
  2024-07-19 10:31       ` Michael Orlitzky
@ 2024-07-19 16:33         ` Zurab Kvachadze
  0 siblings, 0 replies; 30+ messages in thread
From: Zurab Kvachadze @ 2024-07-19 16:33 UTC (permalink / raw
  To: gentoo-dev

On Fri, 2024-07-19 at 06:31 +0000, Michael Orlitzky wrote:
> Ok, no problem. I understood the checkpath but was curious about the 
> quality of the error message with checkconfig() vs start(). Thanks for 
> working on this!

Applied all the changes you've suggested to the branch specified in the
cover letter. Thank you!



* Re: [gentoo-dev] [RFC PATCH 06/19] www-servers/nginx: add nginx-r2.service
  2024-07-17 12:05 ` [gentoo-dev] [RFC PATCH 06/19] www-servers/nginx: add nginx-r2.service Zurab Kvachadze
@ 2024-07-20 16:58   ` Alexander Tsoy
  2024-07-20 17:15     ` Michael Orlitzky
  0 siblings, 1 reply; 30+ messages in thread
From: Alexander Tsoy @ 2024-07-20 16:58 UTC (permalink / raw
  To: gentoo-dev

On Wed, 17/07/2024 at 15:05 +0300, Zurab Kvachadze wrote:
> This is the second revision of the systemd service file for NGINX.
> 
> This commit removes redundant Exec{Stop,Reload} lines that restate the
> systemd defaults and changes the ExecStartPre directive from "nginx -t"
> (testing the NGINX configuration that is done anyway by the main
> process, bug 481456) to "mkdir -p /var/tmp/nginx", making sure the
> required directory for the NGINX temp files is present. ExecStopPost has
> also been removed, since sleeping for 100 ms serves no purpose.
> 
> The second revision also changes the Exec* directives to use the plain
> file names, instead of the absolute ones, per systemd.service(5)
> guidelines:
> > It is thus safe to use just the executable name in case of executables
> > located in any of the "standard" directories, and an absolute path
> > must be used in other cases.
> 
> Bug: https://bugs.gentoo.org/481456
> Signed-off-by: Zurab Kvachadze <zurabid2016@gmail.com>
> ---
>  www-servers/nginx/files/nginx-r2.service | 12 ++++++++++++
>  1 file changed, 12 insertions(+)
>  create mode 100644 www-servers/nginx/files/nginx-r2.service
> 
> diff --git a/www-servers/nginx/files/nginx-r2.service b/www-
> servers/nginx/files/nginx-r2.service
> new file mode 100644
> index 000000000000..2916aba391a2
> --- /dev/null
> +++ b/www-servers/nginx/files/nginx-r2.service
> @@ -0,0 +1,12 @@
> +[Unit]
> +Description=The NGINX HTTP and reverse proxy server
> +After=network.target remote-fs.target nss-lookup.target
> +
> +[Service]
> +Type=forking
> +PIDFile=/run/nginx.pid
> +ExecStartPre=mkdir -p /var/tmp/nginx

Please note that systemd-tmpfiles can remove the whole /var/tmp/nginx
directory if it and its contents are not touched for a long time. And
then reload of nginx might fail. So it is better to create this
directory via tmpfiles.d.

> +ExecStart=nginx
> +
> +[Install]
> +WantedBy=multi-user.target
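
Review bot: PIDFile=/run/nginx.pid is hard-coded in the unit while ExecStart=nginx takes the pid path from nginx's own configuration or built-in default, so with Type=forking the two have to be kept in agreement by hand. Passing the path on the command line, as proposed for the OpenRC script in this thread (-g "pid ...;"), would make the unit the one place that defines it. Separately, ExecStartPre=mkdir -p /var/tmp/nginx succeeds when the directory already exists, whatever its owner and mode, so it does not establish that the path is safe to use.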




* Re: [gentoo-dev] [RFC PATCH 06/19] www-servers/nginx: add nginx-r2.service
  2024-07-20 16:58   ` Alexander Tsoy
@ 2024-07-20 17:15     ` Michael Orlitzky
  2024-07-20 17:25       ` Alexander Tsoy
  0 siblings, 1 reply; 30+ messages in thread
From: Michael Orlitzky @ 2024-07-20 17:15 UTC (permalink / raw
  To: gentoo-dev

On Sat, 2024-07-20 at 19:58 +0300, Alexander Tsoy wrote:
> 
> Please note that systemd-tmpfiles can remove the whole /var/tmp/nginx
> directory if it and its contents are not touched for a long time. And
> then reload of nginx might fail. So it is better to create this
> directory via tmpfiles.d.
> > 

Good catch. Using a fixed path under /tmp (or /var/tmp) is also a
security issue, because another user can "steal" the path before nginx
tries to create it. For example,

  $ mkdir /var/tmp/nginx
  $ ls -lh /var/tmp/
  total 4.0K
  drwxr-xr-x 2 mjo mjo 4.0K Jul 20 13:07 nginx

Since I own that directory, I will ultimately be able to write to
nginx's temporary files.

The OpenRC script is using "checkpath" which is a bit safer, so I
didn't say anything there, and systemd-tmpfiles is similarly safe. But
so long as we're talking about it: what do the file names under
/var/tmp/nginx look like? Hopefully they're random. Otherwise we have
to worry about the bad guy pre-creating not only the directory, but
also the files inside it.




* Re: [gentoo-dev] [RFC PATCH 06/19] www-servers/nginx: add nginx-r2.service
  2024-07-20 17:15     ` Michael Orlitzky
@ 2024-07-20 17:25       ` Alexander Tsoy
  2024-07-20 19:17         ` Alexander Tsoy
  2024-07-20 21:07         ` Michael Orlitzky
  0 siblings, 2 replies; 30+ messages in thread
From: Alexander Tsoy @ 2024-07-20 17:25 UTC (permalink / raw
  To: gentoo-dev

On Sat, 20/07/2024 at 13:15 -0400, Michael Orlitzky wrote:
> But so long as we're talking about it: what do the file names under
> /var/tmp/nginx look like? Hopefully they're random. Otherwise we have
> to worry about the bad guy pre-creating not only the directory, but
> also the files inside it.

No, their names are predefined. For example with the current in-tree
nginx:

$ sudo ls -1 /var/lib/nginx/tmp/
client
fastcgi
proxy
scgi
uwsgi




* Re: [gentoo-dev] [RFC PATCH 06/19] www-servers/nginx: add nginx-r2.service
  2024-07-20 17:25       ` Alexander Tsoy
@ 2024-07-20 19:17         ` Alexander Tsoy
  2024-07-20 21:07         ` Michael Orlitzky
  1 sibling, 0 replies; 30+ messages in thread
From: Alexander Tsoy @ 2024-07-20 19:17 UTC (permalink / raw
  To: gentoo-dev

On Sat, 20/07/2024 at 20:25 +0300, Alexander Tsoy wrote:
> On Sat, 20/07/2024 at 13:15 -0400, Michael Orlitzky wrote:
> > But so long as we're talking about it: what do the file names under
> > /var/tmp/nginx look like? Hopefully they're random. Otherwise we have
> > to worry about the bad guy pre-creating not only the directory, but
> > also the files inside it.
> 
> No, their names are predefined. For example with the current in-tree
> nginx:
> 
> $ sudo ls -1 /var/lib/nginx/tmp/
> client
> fastcgi
> proxy
> scgi
> uwsgi
> 
Sorry, these are directories. I cannot check file names right now.



* Re: [gentoo-dev] [RFC PATCH 06/19] www-servers/nginx: add nginx-r2.service
  2024-07-20 17:25       ` Alexander Tsoy
  2024-07-20 19:17         ` Alexander Tsoy
@ 2024-07-20 21:07         ` Michael Orlitzky
  2024-07-21 21:19           ` Zurab Kvachadze
  1 sibling, 1 reply; 30+ messages in thread
From: Michael Orlitzky @ 2024-07-20 21:07 UTC (permalink / raw
  To: gentoo-dev

On Sat, 2024-07-20 at 20:25 +0300, Alexander Tsoy wrote:
> 
> No, their names are predefined. For example with the current in-tree
> nginx:
> 
> $ sudo ls -1 /var/lib/nginx/tmp/
> client
> fastcgi
> proxy
> scgi
> uwsgi

Ok, thanks. I see them now in the eclass (for the list: they're being
grepped out of ./configure --help).

Those directories will have to be included in the tmpfiles entry to
ensure that they are owned by nginx. Otherwise I can run e.g.

  $ mkdir -p /var/tmp/nginx/client

and then systemd-tmpfiles will correct the ownership on /var/tmp/nginx,
but not on the subdirectory. With that out of the way, my comment now
applies recursively to the contents of client, fastcgi, proxy, scgi,
and uwsgi...

Rather than maintain the list twice (once for checkpath, and once for
tmpfiles), you can let OpenRC use the tmpfiles entry too. This should
happen by default once the tmpfiles entry is installed. It does tie the
OpenRC script to systemd-tmpfiles, but most of the reasons for
objecting to that are not very rational and I wouldn't worry about
portability of the init script to non-Linux systems for now.



^ permalink raw reply	[flat|nested] 30+ messages in thread
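
The ownership concern raised in the two messages above (a fixed directory under world-writable /var/tmp, plus the fixed subdirectory names client, fastcgi, proxy, scgi and uwsgi) can be checked mechanically before the daemon starts. The script below is an added example, not code from the patch series, nginx, OpenRC or systemd; the function names and the choice to compare numeric UIDs are assumptions made for the illustration.

```sh
#!/bin/sh
# Added example (not from the patch series): audit a fixed-name temp tree
# that lives under a world-writable parent such as /var/tmp.
# Assumes GNU coreutils stat, as shipped on Gentoo.

# Subdirectory names as listed in the thread.
NGINX_TMP_SUBDIRS="client fastcgi proxy scgi uwsgi"

# check_dir PATH UID
# Succeeds only if PATH is a real directory (not a symlink), owned by UID,
# and not writable by group or others. Prints the reason on failure.
check_dir() {
    cd_path=$1
    cd_uid=$2
    if [ -L "$cd_path" ]; then
        echo "UNSAFE $cd_path: is a symlink"
        return 1
    fi
    if [ ! -d "$cd_path" ]; then
        echo "UNSAFE $cd_path: missing or not a directory"
        return 1
    fi
    # %u = numeric owner, %a = permission bits in octal
    cd_meta=$(stat -c '%u %a' -- "$cd_path") || return 1
    cd_owner=${cd_meta% *}
    cd_mode=${cd_meta#* }
    if [ "$cd_owner" != "$cd_uid" ]; then
        echo "UNSAFE $cd_path: owned by uid $cd_owner, expected $cd_uid"
        return 1
    fi
    # The leading 0 makes the shell read the mode as octal; 022 = g+w, o+w.
    if [ $(( 0$cd_mode & 022 )) -ne 0 ]; then
        echo "UNSAFE $cd_path: mode $cd_mode is group- or world-writable"
        return 1
    fi
    return 0
}

# audit_tree BASE UID
# Checks BASE and every known subdirectory that already exists. A missing
# subdirectory is not a finding: once BASE is owned by UID and closed to
# other writers, no other unprivileged user can create entries inside it.
audit_tree() {
    at_rc=0
    check_dir "$1" "$2" || at_rc=1
    for at_name in $NGINX_TMP_SUBDIRS; do
        at_sub="$1/$at_name"
        # -L catches dangling symlinks, for which -e is false
        if [ -e "$at_sub" ] || [ -L "$at_sub" ]; then
            check_dir "$at_sub" "$2" || at_rc=1
        fi
    done
    return "$at_rc"
}

# Usage: sh audit-tmp-tree.sh /var/tmp/nginx nginx
if [ $# -eq 2 ]; then
    audit_tree "$1" "$(id -u "$2")"
fi
```

Unlike "mkdir -p", which accepts any directory that already exists, this check fails when the base path or one of the subdirectories was created by a different account or replaced with a symlink.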

* Re: [gentoo-dev] [RFC PATCH 06/19] www-servers/nginx: add nginx-r2.service
  2024-07-20 21:07         ` Michael Orlitzky
@ 2024-07-21 21:19           ` Zurab Kvachadze
  0 siblings, 0 replies; 30+ messages in thread
From: Zurab Kvachadze @ 2024-07-21 21:19 UTC (permalink / raw
  To: gentoo-dev

I apologise in advance for the formatting, I am writing this from my
phone.

On July 20, 2024 9:07:03 PM UTC, Michael Orlitzky <mjo@gentoo.org> wrote:
> [...]
> Rather than maintain the list twice (once for checkpath, and once for
> tmpfiles), you can let OpenRC use the tmpfiles entry too. This should
> happen by default once the tmpfiles entry is installed. It does tie the
> OpenRC script to systemd-tmpfiles, but most of the reasons for
> objecting to that are not very rational and I wouldn't worry about
> portability of the init script to non-Linux systems for now.
 
You are correct, I hadn't noticed that /var/tmp is world writable. With
that in mind, bundling a tmpfiles.d configuration file for both OpenRC
and systemd seems to be the best way to solve the issue. I will include
the file in v2 of the patch series.

