Containers did not have *systemd-journald-audit.socket* in *additionalUpstreamSystemUnits*, which meant that the unit was not provided.
However the *wantedBy* was added without any additional check, therefore creating an empty unit with just the *WantedBy* on *boot.isContainer* machines.
This caused `systemd-analyze verify` to fail:
```text
systemd-journald-audit.socket: Unit has no Listen setting (ListenStream=, ListenDatagram=, ListenFIFO=, ...). Refusing.
systemd-journald-audit.socket: Cannot add dependency job, ignoring: Unit systemd-journald-audit.socket has a bad unit file setting.
systemd-journald-audit.socket: Cannot add dependency job, ignoring: Unit systemd-journald-audit.socket has a bad unit file setting.
```
The upstream unit already contains the following, which should make it safe to include regardless:
```ini
[Unit]
ConditionSecurity=audit
ConditionCapability=CAP_AUDIT_READ
```
For reference, this popped up in the context of #[360426](https://redirect.github.com/NixOS/nixpkgs/issues/360426) as well as #[407696](https://redirect.github.com/NixOS/nixpkgs/pull/407696).
Co-authored-by: Bruce Toll <4109762+tollb@users.noreply.github.com>
Signed-off-by: benaryorg <binary@benary.org>
Fix regression from https://github.com/NixOS/nixpkgs/pull/379629.
The systemd-journal test has been failing on hydra since 2025-02-10.
See, for instance: https://hydra.nixos.org/build/290855155.
This commit enables auditing, as expected by the tests. It also
addresses an issue where audit messages were getting dropped due to
rate limits.
We use a NixOS VM test to execute the upstream tests of curl-impersonate
because they require networking which cannot be mocked easily in the
sandbox.
Of those upstream tests, test_http2_headers spawns nghttpd2, makes
request against it and then tries to parse the logs it emits.
The last step, the parsing of the logs, it extremely fragile and version
dependent. The version of nghttp2 that we carry in nixpkgs is newer than
the one curl-impersonate expects and happens to emit a different log
format.
So to fix the remaining test suite of curl-impersonate, we simply skip
test_http2_headers.
Nextcloud manages the CA bundle on its own by default, but we patch this
out and replace it with the system-wide bundle.
Since this was originally designed for the objectstore feature, this
test ensures that an S3 behind a reverse proxy with TLS and its own CA
works fine.
This patch resolves an issue where systemd-udevd outputs events like:
/nix/store/jm9paymkapbi6pzwbjgmi634vaf2y5va-udev-rules/49-brother-mfp-brscan5-1.0.2-2.rules:17 Invalid key 'SYSFS'.
Before this change, this NetBox test required NIXPKGS_ALLOW_INSECURE=1,
because of its use of the end-of-line NetBox version.
This meant that the GitHub CI failed to evaluate the tests,
and so didn't run them.
