From 07641a91c96ddb9030ac13d62e3a3e0bb1495842 Mon Sep 17 00:00:00 2001
From: emilylange
Date: Sat, 17 Aug 2024 21:07:23 +0200
Subject: [PATCH] forgejo,forgejo-lts: remove PAM support

https://forgejo.org/docs/latest/user/authentication/#pam-pluggable-authentication-module PAM support has to be enabled at compile time and upstream considers it opt-in. Official upstream binaries have it disabled. We enabled it by default because we simply inherited most of it from Gitea when the split in nixpkgs happened. Reasons why it had been enabled in nixpkgs for Gitea are unknown. See 9406f240a7b5ed68e8e633b8c764cfd69c470696. There is reason to believe not a single Forgejo instance running on NixOS uses this feature because it literally segfaults due to our sandboxing.
---
 nixos/doc/manual/release-notes/rl-2411.section.md | 2 ++
 pkgs/by-name/fo/forgejo/generic.nix | 8 +-------
 2 files changed, 3 insertions(+), 7 deletions(-)

diff --git a/nixos/doc/manual/release-notes/rl-2411.section.md b/nixos/doc/manual/release-notes/rl-2411.section.md
index 972e13852eca..2792f3f2ad8b 100644
--- a/nixos/doc/manual/release-notes/rl-2411.section.md
+++ b/nixos/doc/manual/release-notes/rl-2411.section.md
@@ -180,6 +180,8 @@ `services.forgejo.secrets` is a small wrapper over systemd's `LoadCredential=`. It has the same structure (sections/keys) as `services.forgejo.settings` but takes file paths that will be read before service startup instead of some plaintext value.
+- `forgejo` and `forgejo-lts` no longer support the opt-in feature [PAM (Pluggable Authentication Module)](https://forgejo.org/docs/latest/user/authentication/#pam-pluggable-authentication-module).
+
 - `services.ddclient.use` has been deprecated: `ddclient` now supports separate IPv4 and IPv6 configuration. Use `services.ddclient.usev4` and `services.ddclient.usev6` instead.
 
 - `teleport` has been upgraded from major version 15 to major version 16.
diff --git a/pkgs/by-name/fo/forgejo/generic.nix b/pkgs/by-name/fo/forgejo/generic.nix
index 080789bec45e..a2a1e51850bc 100644
--- a/pkgs/by-name/fo/forgejo/generic.nix
+++ b/pkgs/by-name/fo/forgejo/generic.nix
@@ -17,8 +17,6 @@
 , nix-update-script
 , nixosTests
 , openssh
-, pam
-, pamSupport ? true
 , sqliteSupport ? true
 , xorg
 , runCommand
@@ -68,8 +66,6 @@ buildGoModule rec {
     makeWrapper
   ];
 
-  buildInputs = lib.optional pamSupport pam;
-
   nativeCheckInputs = [
     git
     openssh
@@ -83,8 +79,7 @@ buildGoModule rec {
     substituteInPlace modules/setting/server.go --subst-var data
   '';
 
-  tags = lib.optional pamSupport "pam"
-    ++ lib.optionals sqliteSupport [ "sqlite" "sqlite_unlock_notify" ];
+  tags = lib.optionals sqliteSupport [ "sqlite" "sqlite_unlock_notify" ];
 
   ldflags = [
     "-s"
@@ -115,7 +110,6 @@ buildGoModule rec {
   skippedTests = [
     "Test_SSHParsePublicKey/dsa-1024/SSHKeygen" # dsa-1024 is deprecated in openssh and requires opting-in at compile time
     "Test_calcFingerprint/dsa-1024/SSHKeygen" # dsa-1024 is deprecated in openssh and requires opting-in at compile time
-    "TestPamAuth" # we don't have PAM set up in the build sandbox
     "TestPassword" # requires network: api.pwnedpasswords.com
     "TestCaptcha" # requires network: hcaptcha.com
     "TestDNSUpdate" # requires network: release.forgejo.org
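Review bot: Removing `, pamSupport ? true` from the argument set in the first hunk makes any existing `forgejo.override { pamSupport = false; }` (or `= true`) an evaluation error, because the pattern no longer accepts that name, and neither the release note nor the commit message mentions it. Adding a sentence to the rl-2411 entry such as `The pamSupport override argument of the forgejo and forgejo-lts packages has been removed as well.` would let users find the breakage before a rebuild does; the same entry could also warn that instances which still have a PAM authentication source configured will, as far as I can tell, lose logins through that source after the upgrade, so admins should retire or migrate those sources first. If a softer landing is wanted, keeping `, pamSupport ? null` for one release with a `lib.warnIf (pamSupport != null) "forgejo: pamSupport has been removed"` guard would do, though nixpkgs usually removes such flags outright. The argument pattern's closing `}:` lies outside the hunk, so whether it ends in `...` (which would make the stale argument harmless) cannot be confirmed here.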
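Review bot: Dropping `"TestPamAuth"` from `skippedTests` in the last hunk relies on that test only being compiled under the `pam` build tag, which the third hunk no longer sets; that is fine if the upstream test file carries `//go:build pam`, but if the test is unconditional it will now run inside the sandbox and fail where it used to be skipped. Worth confirming against the upstream test file, and if it turns out to be unconditional, keeping the entry with a refreshed comment such as `"TestPamAuth" # PAM support is not built in`. The `skippedTests` list continues past the hunk's last line.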