zigbee2mqtt supports having non-device ports (e.g. `tcp://`); those
should not be set in DeviceAllow. No URI will start with `/`, so use
that as the filter that it is a “real” device that needs to be allowed.
(cherry picked from commit 577e162073)
PostgreSQL with JIT support enabled doesn't work with plv8. Hence, we'd
get an evaluation failure for each
`nixosTests.postgresql.postgresql.postgresql_jit_X`.
This should be restructured in the future (less VM tests for custom
extensions, but a single VM test for this case to cover). For now, we
should get this fix out and this is a good-enough approach.
(cherry picked from commit 68d9643388)
The plv8 plugin requires access to pkey syscalls. The execution will
crash hard when it is not allowed by the syscall filter.
Co-Authored-By: Jan Tojnar <jtojnar@gmail.com>
(cherry picked from commit e198536d26)
By matching on the package names of the plugins passed into the package
we can relax the systemd unit hardening as needed.
(cherry picked from commit d370af0785)
This will be EOL at the end of November, so there's little reason to
keep it in 24.11[1]. As discussed, we'd like to keep it for as long as
possible to make sure there's a state in nixpkgs that has the latest
minor of postgresql_12 available with the most recent CVEs fixed for
people who cannot upgrade[2].
This aspect has been made explicit in the manual now for the next .11
release.
During the discussions it has been brought up that if people just do
`services.postgresql.enable = true;` and let the code decide the
postgresql version based on `system.stateVersion`, there's a chance that
such EOL dates will be missed. To make this harder, a warning will now
be raised when using the stateVersion-condition and the oldest still
available major is selected.
Additionally regrouped the postgresql things in the release notes to
make sure these are all shown consecutively. Otherwise it's a little
hard to keep track of all the changes made to postgresql in 24.11.
[1] https://endoflife.date/postgresql
[2] https://github.com/NixOS/nixpkgs/pull/353158#issuecomment-2453056692
(cherry picked from commit 0b3eef7441)
This was intended for quite some time already, but ever since enableJIT
was changed to be the source of truth of JIT-iness for the PostgreSQL
module, this hasn't worked for the tests anymore.
