forgejo,forgejo-lts: remove PAM support

https://forgejo.org/docs/latest/user/authentication/#pam-pluggable-authentication-module

PAM support has to be enabled at compile time and upstream considers it
opt-in.

Official upstream binaries have it disabled.

We enabled it by default because we simply inherited most of it from
Gitea when the split in nixpkgs happened.

Reasons why it had been enabled in nixpkgs for Gitea are unknown.

See 9406f240a7.

There is reason to believe not a single Forgejo instance running on
NixOS uses this feature because it literally segfaults due to our
sandboxing.
emilylange 2024-08-17 21:07:23 +02:00
parent d8c8d5c847
commit 07641a91c9
No known key found for this signature in database
GPG Key ID: 0AD773CE46FD0F87
2 changed files with 3 additions and 7 deletions


@ -180,6 +180,8 @@
`services.forgejo.secrets` is a small wrapper over systemd's `LoadCredential=`. It has the same structure (sections/keys) as
`services.forgejo.settings` but takes file paths that will be read before service startup instead of some plaintext value.
- `forgejo` and `forgejo-lts` no longer support the opt-in feature [PAM (Pluggable Authentication Module)](https://forgejo.org/docs/latest/user/authentication/#pam-pluggable-authentication-module).
- `services.ddclient.use` has been deprecated: `ddclient` now supports separate IPv4 and IPv6 configuration. Use `services.ddclient.usev4` and `services.ddclient.usev6` instead.
- `teleport` has been upgraded from major version 15 to major version 16.
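Review bot: The new `forgejo`/`forgejo-lts` release-note entry states that PAM is no longer supported but not why, or what an operator who has a PAM authentication source configured should expect after upgrading. A short clause giving the reason from the commit message (upstream treats it as opt-in and its official binaries ship without it) would make the entry self-explanatory. The link also targets `docs/latest`, which will drift away from the Forgejo version these notes describe; a versioned docs URL would age better.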


@ -17,8 +17,6 @@
, nix-update-script
, nixosTests
, openssh
, pam
, pamSupport ? true
, sqliteSupport ? true
, xorg
, runCommand
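Review bot: Dropping the `pamSupport ? true` argument here is a breaking change for anyone who already calls `.override { pamSupport = false; }` on this package: unless the argument set ends in `...`, that override will now fail at evaluation with an unexpected-argument error. Since disabling PAM was the supported way to avoid the feature before, it is worth either mentioning the removed argument in the release-note entry or keeping a throwing alias for one release so the failure message tells users the flag is simply no longer needed.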
@ -68,8 +66,6 @@ buildGoModule rec {
makeWrapper
];
buildInputs = lib.optional pamSupport pam;
nativeCheckInputs = [
git
openssh
@ -83,8 +79,7 @@ buildGoModule rec {
substituteInPlace modules/setting/server.go --subst-var data
'';
tags = lib.optional pamSupport "pam"
++ lib.optionals sqliteSupport [ "sqlite" "sqlite_unlock_notify" ];
tags = lib.optionals sqliteSupport [ "sqlite" "sqlite_unlock_notify" ];
ldflags = [
"-s"
@ -115,7 +110,6 @@ buildGoModule rec {
skippedTests = [
"Test_SSHParsePublicKey/dsa-1024/SSHKeygen" # dsa-1024 is deprecated in openssh and requires opting-in at compile time
"Test_calcFingerprint/dsa-1024/SSHKeygen" # dsa-1024 is deprecated in openssh and requires opting-in at compile time
"TestPamAuth" # we don't have PAM set up in the build sandbox
"TestPassword" # requires network: api.pwnedpasswords.com
"TestCaptcha" # requires network: hcaptcha.com
"TestDNSUpdate" # requires network: release.forgejo.org