The priviledge separation mode has several downsides:
- it's incompatible with alternative memory allocators, including
graphene-hardened;
- it needs an unreleased patch to fix a crash;
- it results in none less than 6 subprocesses running at any time,
increasing the memory usage;
- the privileged process (albeit not doing any networking related
tasks) is still running as root, so it has complete access to the
system.
Let's disable this by default and instead run dhcpcd as an unpriviledge
user with only the necessary capabilities.
After discussing on Matrix in the [#staging](https://matrix.to/#/#staging:nixos.org) room, I'm merging this as-is without waiting for changes to the `enableParallelBuilding = false;` line.
There are several in-the-wings PRs (one from @emilazy) that attempt to bring load-limit, which is a more sensible accounting of the work that a derivation is doing, into Nix itself. If and when that lands, we'll be able to just set `enableParallelBuilding = true;` again, without any specific casing around the `NIX_BUILD_CORES` stdenv variable.
- add `services.quorum.genesis.config.homesteadBlock = 1`.
Without it test fails with error:
'quorum-pre-start[822]: Fatal: Failed to write genesis block:
unsupported fork ordering: homesteadBlock not enabled, but eip150Block
enabled at 1'
- remove extra 'CREATE EXTENSION' statements added with sed to test.sql,
current test.sql already has them.
- change 'nodes.master.config' to 'nodes.master' according to eval warn:
evaluation warning: Module argument `nodes.master.config` is deprecated.
Use `nodes.master` instead.
Since `connectionStringFile` reads the file and puts it into the
invocation of the exporter, it's part of the cmdline and thus
effectively world-readable.
Added a new `connectionEnvFile` which is supposed to be an environment
file of the form
PGBOUNCER_EXPORTER_CONNECTION_STRING=...
that will be added to the systemd service. The exporter will read the
connection string from that value.
