{ lib
, stdenv
, fetchFromGitHub
, cmake
, python3
, libboundscheck
}:
stdenv.mkDerivation rec {
  pname = "openhitls";
  version = "unstable-2024-12-31";
  src = fetchFromGitHub {
    owner = "openHiTLS";
    repo = "openHiTLS";
    rev = "main";
    sha256 = "sha256-sJJbKIJfJ0PDc7+ewF3OK/CogX4sfDpkx49ZK2VPTm4=";
  };
  nativeBuildInputs = [
    cmake
    python3
  ];
  buildInputs = [
    libboundscheck
  ];
  NIX_CFLAGS_COMPILE = [
    "-Wno-error=stringop-overflow"
  ];
  preConfigure = ''
    python3 configure.py --enable all --bits 64
  '';
  cmakeFlags = [
    "-DCMAKE_BUILD_TYPE=Release"
  ];
  postInstall = ''
    # Install config header files needed for compiling against openHiTLS
    mkdir -p $out/include/hitls/config
    # The config files are in the original source directory
    cd "$NIX_BUILD_TOP/$sourceRoot" || cd "$NIX_BUILD_TOP/source" || true
    if [ -d "config/macro_config" ] && [ -n "$(ls config/macro_config/*.h 2>/dev/null)" ]; then
      cp config/macro_config/*.h $out/include/hitls/config/
    fi
  '';
  meta = with lib; {
    description = "Highly efficient and agile open-source SDK for cryptography and transport layer security";
    longDescription = ''
      openHiTLS is an open-source SDK for cryptography and transport layer security.
      It provides a highly modular architecture with configurable components including:
      - Base Support Layer (BSL)
      - Cryptography (crypto)
      - TLS/DTLS protocols (supports TLS1.3, TLCP, DTLS)
      - PKI (Public Key Infrastructure)
      - Authentication (Auth)
      Supports post-quantum cryptography algorithms like ML-DSA and ML-KEM,
      as well as traditional algorithms like AES, SM4, RSA, and ECDSA.
      Performance optimized for ARM and x86 architectures.
    '';
    homepage = "https://github.com/openHiTLS/openHiTLS";
    license = licenses.mulan-psl2;
    platforms = platforms.linux;
    maintainers = [ ];
  };
}

{ lib
, stdenv
, fetchFromGitHub
, fetchgit
, cmake
, python3
, libxcrypt
, libboundscheck
, openhitls
, perl
, pcre2
, zlib
, modules ? []
, ...
}:
let
  # Build openHiTLS from source with specific configuration
  openhitlsSource = stdenv.mkDerivation {
    pname = "openhitls-source";
    version = "unstable-2024-12-31";
    src = fetchFromGitHub {
      owner = "openHiTLS";
      repo = "openHiTLS";
      rev = "c1536465be45d973bb93ae27470b219cf8a032e6";
      sha256 = "sha256-otIGrKHPtBJl3VWS012helKFCsUjxNg794agim3lcKA=";
      fetchSubmodules = true;
    };
    nativeBuildInputs = [ cmake python3 perl ];
    buildInputs = [ libboundscheck ];
    dontUseCmakeConfigure = true;
    configurePhase = ''
      python3 configure.py --enable hitls_bsl hitls_crypto hitls_tls hitls_pki hitls_auth --lib_type static --bits=64 --system=linux
    '';
    buildPhase = ''
      mkdir -p build
      cd build
      cmake ..
      make -j$NIX_BUILD_CORES
    '';
    installPhase = ''
      # Copy entire source tree for nginx build
      mkdir -p $out
      cp -r ../* $out/ || true
      # Ensure build directory exists with libraries
      mkdir -p $out/build
      cp *.a $out/build/ || true
    '';
    meta = {
      description = "OpenHiTLS source for nginx compilation";
      homepage = "https://github.com/openHiTLS/openHiTLS";
      license = lib.licenses.mulan-psl2;
    };
  };
in stdenv.mkDerivation rec {
  pname = "nginx-openhitls";
  version = "1.24.0";
  # Source from gitcode.com - use fetchgit with git protocol
  src = fetchgit {
    url = "https://gitcode.com/openHiTLS/nginx.git";
    rev = "5b8aceb6af138df09e2756d7ba383ca25673351f";
    sha256 = "sha256-ArTf0rMuNIldNtGGEGttPhY8qRtJkDM6XSSskq7yot0=";
  };
  buildInputs = [
    libxcrypt
    libboundscheck
    pcre2
    zlib
  ];
  nativeBuildInputs = [ perl ];
  prePatch = ''
    # Fix libboundscheck path in auto/lib/openhitls/conf
    sed -i 's|$OPENHITLS/platform/Secure_C/lib/libboundscheck.so|${libboundscheck}/lib/libboundscheck.so|' \
      auto/lib/openhitls/conf
    # Fix ngx_event_hitls.c bool type issue
    sed -i 's/unsigned char reused;/bool reused;/' \
      src/event/ngx_event_hitls.c
  '';
  configurePhase = ''
    cp auto/configure .
    ./configure \
      --prefix=$out \
      --with-cc-opt="-std=c99" \
      --with-ld-opt="-L${libxcrypt}/lib -lcrypt" \
      --with-http_ssl_module \
      --with-openhitls=${openhitlsSource} \
      --http-log-path=/var/log/nginx/access.log \
      --error-log-path=/var/log/nginx/error.log \
      --pid-path=/run/nginx/nginx.pid \
      --http-client-body-temp-path=/var/lib/nginx/client_body \
      --http-proxy-temp-path=/var/lib/nginx/proxy \
      --http-fastcgi-temp-path=/var/lib/nginx/fastcgi \
      --http-uwsgi-temp-path=/var/lib/nginx/uwsgi \
      --http-scgi-temp-path=/var/lib/nginx/scgi
  '';
  buildPhase = ''
    make -j$NIX_BUILD_CORES
  '';
  installPhase = ''
    # Patch Makefile to skip /run and /var creation
    sed -i '/test -d.*\/run\/nginx/d' objs/Makefile
    sed -i '/mkdir -p.*\/run\/nginx/d' objs/Makefile
    sed -i '/test -d.*\/var\/log\/nginx/d' objs/Makefile
    sed -i '/mkdir -p.*\/var\/log\/nginx/d' objs/Makefile
    make install
    # Create necessary directories
    mkdir -p $out/logs
    mkdir -p $out/html
    # Create a basic index.html
    echo "<h1>nginx with OpenHitls</h1>" > $out/html/index.html
    # Create a sample configuration
    cat > $out/conf/nginx-openhitls.conf <<EOF
worker_processes  1;
error_log  $out/logs/error.log;
pid        $out/logs/nginx.pid;
events {
    worker_connections  1024;
}
http {
    include       mime.types;
    default_type  application/octet-stream;
    access_log  $out/logs/access.log;
    client_body_temp_path $out/temp/client_body;
    proxy_temp_path $out/temp/proxy;
    fastcgi_temp_path $out/temp/fastcgi;
    uwsgi_temp_path $out/temp/uwsgi;
    scgi_temp_path $out/temp/scgi;
    sendfile        on;
    keepalive_timeout  65;
    server {
        listen       8080;
        server_name  localhost;
        location / {
            root   $out/html;
            index  index.html index.htm;
        }
    }
}
EOF
  '';
  passthru = {
    inherit modules;
  };
  meta = with lib; {
    description = "nginx with OpenHitls support for Chinese SM algorithms and TLCP protocol";
    longDescription = ''
      nginx compiled with OpenHitls library support, enabling:
      - Chinese SM2, SM3, SM4 cryptographic algorithms
      - TLCP (Transport Layer Cryptography Protocol) support
      - TLS 1.2 protocol
      - Client certificate verification
    '';
    homepage = "https://github.com/openHiTLS/nginx";
    license = licenses.bsd2;
    platforms = platforms.linux;
    maintainers = [ ];
  };
}

{ lib
, stdenv
, fetchgit
}:
stdenv.mkDerivation rec {
  pname = "libboundscheck";
  version = "1.1.16";
  src = fetchgit {
    url = "https://gitee.com/openeuler/libboundscheck.git";
    rev = "v${version}";
    sha256 = "sha256-cjztZQ1MbsMqWIi7Q2xAjzHX9/pIORy67ZX8dOUDa2g=";
  };
  makeFlags = [ "CC=${stdenv.cc.targetPrefix}cc" ];
  installPhase = ''
    runHook preInstall
    mkdir -p $out/lib
    mkdir -p $out/include
    cp lib/libboundscheck.so $out/lib/
    cp include/*.h $out/include/
    runHook postInstall
  '';
  meta = with lib; {
    description = "Bounds checking interfaces for C";
    longDescription = ''
      A C library that implements enhanced safety functions following the
      C11 Annex K (Bounds-checking interfaces) standard. Includes memory
      and string operation functions with enhanced safety checks.
    '';
    homepage = "https://gitee.com/openeuler/libboundscheck";
    license = licenses.mulan-psl2;
    platforms = platforms.linux;
    maintainers = [ ];
  };
}

callPackage的时候记得进行递归调用。
由于openHiTLS一直在更新，而这个包用的是main分支，使用时需要手动更新Hash值。