This changes
* the plausible HTTP web server
to be listening on localhost only, explicitly.
This makes Plausible have an explicit safe default configuration,
like all other networked services in NixOS.
For background discussion, see: https://github.com/NixOS/nixpkgs/issues/130244
As per my upstream Plausible contribution
(https://github.com/plausible/analytics/pull/1190)
Plausible >= 1.5 also defaults to listening to localhost only;
nevertheless, this default should be stated explicitly in nixpkgs
for easier review and independence from upstream changes, and
a NixOS user must be able to configure the
`listenAddress`, as there are valid use cases for that.
Also, disable
* the Erlang Beam VM inter-node RPC port
* the Erlang EPMD port
because Plausible does not use them (see added comment).
This is done by setting `RELEASE_DISTRIBUTION=none`.
Thus, this commit also removes the NixOS setting `releaseCookiePath`,
because it now has no effect.
This fixes the case where users enable harmonia but also have allowed-users set.
Having extra-allowed-users is a no-op when nix.settings.allowed-users is set to "*" (the default)
Docker CE 20.10 seems to stop receiving security updates and bug fixes
after December 10, 2023[1].
1. https://github.com/moby/moby/discussions/45104
There is public commitment for longer maintenance and then it seems
risky to default to it during 23.11 life-cycle.
Signed-off-by: Otavio Salvador <otavio@ossystems.com.br>
In #256226, `backdoor.service` was changed to be part of
`sysinit.target` instead of having default dependencies. This broke
several tests that relied on `backdoor.service` starting after default
targets. For example, `systemd-boot.update` expects `/boot` to be
mounted as soon as the backdoor is running.
These tests really ought to be declaring their dependencies properly
with things like `machine.wait_for_unit("local-fs.target")`, because
it's useful for the backdoor to start as early as possible. But for
now, let's just order it the way it was before in stage 2, and use the
earlier ordering in the new stage 1 context.
This fixes the case where users enable nix-serve but also have allowed-users set.
Having extra-allowed-users is a no-op when nix.settings.allowed-users is set to "*" (the default)
In my earlier commit
manual: Don't suggest exposing VM port to local network.
I made a side change titled
Use `127.0.0.1` also on the VM side, otherwise connections to
services that, in the VM, bind to `127.0.0.1` only
(doing the safe approach) do not work.
Unfortunately, that was wrong:
QEMU inside the VM always communicates via the virtualised
Ethernet interface, not via the VM's loopback interface.
So trying to connect to `127.0.0.1` on the VM's side cannot work.
Newer version of the gitsrht-api service call setrlimit() on startup,
thus allow it in the `SystemCallFilter` definition for the service.
Signed-off-by: Christoph Heiss <christoph@c8h4.io>
