libbrotli wasn't listed as a dependency for the AppArmor profile of the transmission-daemon binary.
As a result, transmission wouldn't run and would fail, logging this audit message to dmesg:
audit[11595]: AVC apparmor=DENIED operation=open profile=/nix/store/08i1rmakmnpwyxpvp0sfc5hcm106am7w-transmission-3.00/bin/transmission-daemon name=/proc/11595/environ pid=11595 comm=transmission-da requested_mask=r denied_mask=r fsuid=70 ouid=70
This reverts commit d9e18f4e7f.
This change is broken, since it doesn't configure the proper database
username in keycloak when provisioning a local database with a custom
username. Its intended behavior is also potentially confusing and
dangerous, so rather than fixing it, let's revert to the old one.
This adds a basic test for Sway. Because Sway is an important part of
the Wayland ecosystem, is stable, and has few dependencies this test
should also be suitable for testing core packages it depends on (e.g.
wayland, wayland-protocols, wlroots, xwayland, mesa, libglvnd, libdrm,
and soon libseat).
The test is modeled after the suggested way of using Sway, i.e. logging
in via a virtual console (tty1) and copying the configuration from
/etc/sway/config (we replace Mod4 (the GNU/Tux key - you've replaced
that evil logo, right? :D) with Mod1 (Alt key) because QEMU monitor's
sendkey command doesn't support the former).
The shell aliases are used to make the sendkey log output shorter.
Co-authored-by: Patrick Hilhorst <git@hilhorst.be>
On my system I have XWayland disabled and therefore only WAYLAND_DISPLAY
is set. This ensures that the graphical output will still be enabled on
such setups (both Wayland and X11 are supported by the viewer).
Follow RFC 42 by having a settings option that is
then converted into an unbound configuration file
instead of having an extraConfig option.
Existing options have been renamed or kept if
possible.
An enableRemoteAccess has been added. It sets remote-control setting to
true in unbound.conf which in turn enables the new wrapping of
unbound-control to access the server locally. Also includes options
'remoteAccessInterfaces' and 'remoteAccessPort' for remote access.
Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
This is a patch I filed against upstream[1] a while ago. As it isn't
merged yet and fixes configurations with all stats enabled in knot
(otherwise it'd crash when sending a request to `localhost:9433`), I
decided that it makes sense to add it to the package directly.
I extended the test to make sure that it only passes with this patch.
[1] https://github.com/ghedo/knot_exporter/pull/6
The reap function culls expired pastes outside of the process serving
the pastes. Previously the database could accumulate a large number of
pastes and while they were expired they would not be deleted unless
accessed from the frontend.
Individual settings would previously overwrite the whole config, but
now individual values can be overwritten.
Fix missing slash to make the database path an absolute path per
https://docs.sqlalchemy.org/en/14/core/engines.html#sqlite.
Drop preferred_lexers, it's not set to anything meaningful anyway.
Currently, the installer tests just hang after the initial install phase
on i686 because qemu just quits because of the gic parameter.
Fix this by doing x86 things for both x86-64 and i686.
Home-assistant through its `--runner` commandline flag supports sending
exit code 100 when the `homeassistant.restart` service is called.
With `RestartForceExitStatus` we can listen for that specific exit code
and restart the whole systemd unit, providing an actual clean restart
with fresh processes. Additional treat exit code 100 as a successful
termination.
Configures the emulated_hue component and expects CAP_NET_BIND_SERVICE
to be passed in order to be able to bind to 80/tcp.
Also print the systemd security analysis, so we can spot changes more
quickly.
This is what is still exposed, and it should still allow things to work
as usual.
✗ PrivateNetwork= Service has access to the host's … 0.5
✗ RestrictAddressFamilies=~AF_(INET… Service may allocate Internet soc… 0.3
✗ DeviceAllow= Service has a device ACL with som… 0.1
✗ IPAddressDeny= Service does not define an IP add… 0.2
✗ PrivateDevices= Service potentially has access to… 0.2
✗ PrivateUsers= Service has access to other users 0.2
✗ SystemCallFilter=~@resources System call allow list defined fo… 0.2
✗ RootDirectory=/RootImage= Service runs within the host's ro… 0.1
✗ SupplementaryGroups= Service runs with supplementary g… 0.1
✗ RestrictAddressFamilies=~AF_UNIX Service may allocate local sockets 0.1
→ Overall exposure level for home-assistant.service: 1.6 OK :-)
This can grow to as much as ~1.9 if you use one of the bluetooth or nmap
trackers or the emulated_hue component, all of which required elevated
permisssions.
git-daemon won't start up if its project directory (here /git) doesn't
exist. If we try to create it using the test harness, then we're racing
whether we manage to connect to the backdoor vs. the startup speed of
git-daemon.
Instead, use systemd-tmpfiles, which is guaranteed(?) to run before
network.target and thus before git-daemon.service starts.
rspamd seems to be consuming more memory now sometimes, causing OOMs in
the test.
Increase the memory given to these VMs to make the tests pass more
reliably.
Postfix has started outputting an error on startup that it can't parse
the compatibility level 9999.
Instead, just set the compatibility level to be identical to the current
version, which seems to be the (new) intent for the compatibility level.
This test was failing because Firefox was displaying a download prompt
rather than the page content, presumably because mumble mumble
content-type sniffing.
By explicitly setting a content-type, the test now passes.
Looks like GRUB has issues loading EFI binaries from (cd0), which is
what would be used in e.g. qemu with OVMF with `-cdrom`. Apparently also
what is used with AArch64 + U-Boot USB.