nixos/qbittorrent: add default serverConfig & fix test
Migrate to runTest
Replace lib.optional with lib.optionals
nixos/qbittorrent: update release notes to 2511
(cherry picked from commit 84d174e312)
This will allow dropping the linuxPackages_ham variant. Fedora sets
these in their default kernel, so I don't anticipate any problem with
us doing the same.
Tested building linux_5_4, linux, and linux_latest on x86_64.
(cherry picked from commit d735743b39)
Same as with other services giving postfix access, this needs to happen
for the postfix user. Adding supplementary group permissions to the
systemd unit does not propagate to child processes that ultimately call
the unix domain socket.
(cherry picked from commit e48d12554c)
This fixes postfix' membership in the postfix-tlspol group, since
memberships in a dynamically allocated group don't seem to work out.
Additionally this fixes a typo in the systemd hardening and the test now
prints the results of systemd-analyze security.
(cherry picked from commit df0eb78b31)
Fixes the group membership for postfix processes in the postfix-tlspol
group.
Makes the postfix.service start up after postfix-tlspol.service, because
it depends on it for the TLS policy lookups.
(cherry picked from commit 64e7fad038)
The fetcher would then error out and not return the proper protocol
version to the reportd instance, causing an error message.
This is annoying, because I want to match success in the test.
(cherry picked from commit 35e471ad45)
instead of search/replace libvips-cpp.so which does not work anymore
for old CPUs since sharp 0.34.0 due to
3fd818c4b5
(cherry picked from commit ad0130f577)
Test already makes sure that the to-be-tested format is the only one that gets installed,
and OfBorg seems to get stuck on these sonmetimes. Just remove it.
(cherry picked from commit 23274a2a2a)
- Generate image & video data once, ahead of time
- Use wait_for_console_text to detect when we're close to displaying text
- Programmatically generate per-image-format tests
- Switch to fullscreen for better OCR success odds
(cherry picked from commit 8bf28aa1aa)
Previously, if you set group memberships in both locations, they will
get replaced by the ones in extraJsonFile, which is unexpected as it
kicks users from the group. Now the state files get merged recursively,
including the arrays.
(cherry picked from commit 3b6b50dfad)
make the client wait for its network to come up before starting test
without the wait, the client might try to access the network before its
own network stack is up, as evidenced in
https://hydra.nixos.org/build/299048133/nixlog/9/tail
(cherry picked from commit 962db80796)
Basic auth is deprecated, so exchange credentials must be set at runtime
because it requires a token from the bank.
(cherry picked from commit 21ad6f743c)
Stalwart 0.11.0 changed the `config.resource.spam-filter` and
`config.resource.webadmin` keys to be `spam-filter.resource` and
`webadmin.resource` respectively. The NixOS has been updated
accordingly, but unfortunately it has mistakenly used
`config.spam-filter.resource` and `config.webadmin.resource`, which are
incorrect and do not do anything.
This commit changes the default configuration to use the correct keys.
Note that due to infinite recursion, the `optionalAttrs` has been
replaced with `mkIf`.
Additionally, some tests were added to catch this regression in the
future.
Fixes#411351
(cherry picked from commit b7ab1fa981)
This fixes the test for pam file contents.
The pam file started using fully-qualified paths in the following
commit.
7306423158
(cherry picked from commit d04bf86381)
- Add long sleep before sending math question, to give math library time to load
Ideally, we would modify the app to emit a log message when it's actually ready to accept math questions?
(cherry picked from commit e8a1053857)
We immediately expected for the other peer to be available in the peer
list, right after startup, but that's racy.
Instead try the pinging multiple times until it succeeds (max 10 times),
then check the list of peers for completion.
(cherry picked from commit bb05bee4e5)
This patch resolves an issue where systemd-udevd outputs events like:
/nix/store/jm9paymkapbi6pzwbjgmi634vaf2y5va-udev-rules/49-brother-mfp-brscan5-1.0.2-2.rules:17 Invalid key 'SYSFS'.
(cherry picked from commit ff62fe4136)
Containers did not have *systemd-journald-audit.socket* in *additionalUpstreamSystemUnits*, which meant that the unit was not provided.
However the *wantedBy* was added without any additional check, therefore creating an empty unit with just the *WantedBy* on *boot.isContainer* machines.
This caused `systemd-analyze verify` to fail:
```text
systemd-journald-audit.socket: Unit has no Listen setting (ListenStream=, ListenDatagram=, ListenFIFO=, ...). Refusing.
systemd-journald-audit.socket: Cannot add dependency job, ignoring: Unit systemd-journald-audit.socket has a bad unit file setting.
systemd-journald-audit.socket: Cannot add dependency job, ignoring: Unit systemd-journald-audit.socket has a bad unit file setting.
```
The upstream unit already contains the following, which should make it safe to include regardless:
```ini
[Unit]
ConditionSecurity=audit
ConditionCapability=CAP_AUDIT_READ
```
For reference, this popped up in the context of #[360426](https://redirect.github.com/NixOS/nixpkgs/issues/360426) as well as #[407696](https://redirect.github.com/NixOS/nixpkgs/pull/407696).
Co-authored-by: Bruce Toll <4109762+tollb@users.noreply.github.com>
Signed-off-by: benaryorg <binary@benary.org>
(cherry picked from commit e434130d0b)
Fix regression from https://github.com/NixOS/nixpkgs/pull/379629.
The systemd-journal test has been failing on hydra since 2025-02-10.
See, for instance: https://hydra.nixos.org/build/290855155.
This commit enables auditing, as expected by the tests. It also
addresses an issue where audit messages were getting dropped due to
rate limits.
(cherry picked from commit 22d51e08cf)
