network.target is reached earlier, but with much fewer services
available. DNS is likely to be not functional before
network-online.target, so waiting for that seems better for that reason
alone. the existing backends for network-online.target all seem to do
reasonable things (wait until all links are in *some* stable state), so
we shouldn't lose anything from waiting.
This removes `/run/nixos/activation-reload-list` (which we will need in
the future when reworking the reload logic) and makes
`/run/nixos/activation-restart-list` honor `restartIfChanged` and
`reloadIfChanged`. This way activation scripts don't have to bother with
choosing between reloading and restarting.
Instead of referencing all library functions through `lib.` and
builtins through `builtins.` at every invocation, inherit them into
the appropriate scope.
The module option type `nonEmptyStr` was introduced in commit
a3c5f0cba8
The tsm modules previously simply used
`strMatching ".+"` to prevent empty option strings,
but the new type is more thorough as
it also catches space-only strings.
This enables some systemd sandboxing
options for the `tsm-backup.service`.
Those settings have been determined by expermentation.
This commit tries hard to protect the filesystem from
write access, but not to hide anything from read access,
so users can backup all files they choose to backup.
An exception are API filesystems (`/dev`, `/proc`, `/sys`):
As their "files" are not stored on persistent storage,
they are sandboxed away as much as possible.
Note that the service still has to run with root
privileges to reach files with limited access permissions.
The obvious alternative to use a dedicated user account and
the `CAP_DAC_READ_SEARCH` capability to permit system-wide
read access while blocking write access does not work.
Experiments have shown that `dsmc` verifies access permissions
for each file before attempting to open it for reading.
Hence `dsmc` refuses to copy files where the file permission
mode blocks read access -- even if process capabilities
would allow it to proceed irrespective of permissions.
Use systemd's LoadCredential mechanism to make the secret files
available to the service.
This gets rid of the privileged part of the ExecPreStart script which
only served to copy these files and assign the correct
permissions. There's been issues with this approach when used in
combination with DynamicUser, where sometimes the user isn't created
before the ExecPreStart script runs, causing the error
install: invalid user ‘keycloak’
This should fix that issue.
Unfortunately, all of the ExecPreStart script had to be moved to
ExecStart, since credentials aren't provided to ExecPreStart. See
https://github.com/systemd/systemd/issues/19604.
Without this option `DefaultSearchProviderSearchURL` and
`DefaultSearchProviderSuggestURL` are really wastefull as it does not
set search engine, at least for me.
Co-authored-by: Sandro <sandro.jaeckel@gmail.com>
This together with extraConfig:
{
"subsystem=undertow"."server=default-server"."http-listener=default"."proxy-address-forwarding" = true;
"subsystem=undertow"."server=default-server"."https-listener=https"."proxy-address-forwarding" = true;
}
Allows to run Keycloak behind a reverse proxy that provides
X-Forwarded-* headers.
Allow update commands in the script to be ordered using `mkOrder`.
If we encounter ordered sub-objects we sort them by priority.
To implement this we now explicitly pass current node in `recurse`,
which also allows us to clean up edge case for top-level node.
Also refactor `recurse` to avoid passing result text argument; we
weren't tail recursive before anyway.
Still actively developed and yet stuck on python2. Also marked as
vulnerable and their issue tracker contains yet another security issue
reported in 2021/10 that the upstream hasn't acknowledged yet.
Mind blown.
Closes: #135543, #97274, #97275
