Follow RFC 42 by having a settings option that is
then converted into an unbound configuration file
instead of having an extraConfig option.
Existing options have been renamed or kept if
possible.
An enableRemoteAccess has been added. It sets remote-control setting to
true in unbound.conf which in turn enables the new wrapping of
unbound-control to access the server locally. Also includes options
'remoteAccessInterfaces' and 'remoteAccessPort' for remote access.
Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
Currently, the installer tests just hang after the initial install phase
on i686 because qemu just quits because of the gic parameter.
Fix this by doing x86 things for both x86-64 and i686.
Configures the emulated_hue component and expects CAP_NET_BIND_SERVICE
to be passed in order to be able to bind to 80/tcp.
Also print the systemd security analysis, so we can spot changes more
quickly.
git-daemon won't start up if its project directory (here /git) doesn't
exist. If we try to create it using the test harness, then we're racing
whether we manage to connect to the backdoor vs. the startup speed of
git-daemon.
Instead, use systemd-tmpfiles, which is guaranteed(?) to run before
network.target and thus before git-daemon.service starts.
rspamd seems to be consuming more memory now sometimes, causing OOMs in
the test.
Increase the memory given to these VMs to make the tests pass more
reliably.
This test was failing because Firefox was displaying a download prompt
rather than the page content, presumably because mumble mumble
content-type sniffing.
By explicitly setting a content-type, the test now passes.
See [0]: "QEMU_OPTS is something that should be set by people running VM
tests interactively, to do port forwardings etc.
We really should not poke with it from the test script - that's what
virtualisation.qemu.options is for."
[0]: https://github.com/NixOS/nixpkgs/pull/119615#discussion_r624145020
Co-authored-by: Florian Klink <flokli@flokli.de>
It can still network, it can only access the ssl related files if ssl is
enabled.
✗ PrivateNetwork= Service has access to the host's network 0.5
✗ RestrictAddressFamilies=~AF_(INET|INET6) Service may allocate Internet sockets 0.3
✗ DeviceAllow= Service has a device ACL with some special devices 0.1
✗ IPAddressDeny= Service does not define an IP address allow list 0.2
✗ RootDirectory=/RootImage= Service runs within the host's root directory 0.1
✗ RestrictAddressFamilies=~AF_UNIX Service may allocate local sockets 0.1
→ Overall exposure level for mosquitto.service: 1.1 OK 🙂
See #119615 for more details. The aarch64-linux test failed with
"qemu-system-aarch64: Virtio VGA not available" so I've restricted the
test to x86_64-linux (the virtio paravirtualized 3D graphics driver is
likely only available on very few platforms).
The result still looks far from ideal but at least it gets recognized
now. "-fa Monospace" is required to switch to a font from the FreeType
library so that "-fs 24" works.
Note: Using linuxPackages_latest is not required anymore.
This reverts commit d6e0d38b84.
We need shorter secrets to continue working, since the earlier
recommendation was too short and there's no way to rotate the them.
