To reduce the danger of accidentally exposing sensitive files processed
by a restic backup to other services/users, enable the `PrivateTmp=`
feature of restic service units, which provides a per service isolation
of `/tmp` and `/var/tmp`.
Co-authored-by: Daniel Nagy <danielnagy@posteo.de>
The status page is inaccessible by default, unless a virtual host is
added with a `server_name` that's not `localhost`.
This commit moves the status page configuration, so that
it's matched before the main server blocks.
* cloud-init: 22.4 -> 23.1.1
* cloud-init: add udhcpc support
Cloud-init use as dhcp client, dhclient, which is coming from the unmaintained package, isc-dhcp-client (refer https://www.isc.org/dhcp/) which ended support in 2022. dhclient is deprecated in nixos
Add patch to use `udhcpc` dhcp client coming from busybox instead.
PR based on #226173
refs #215571
upstream PR: https://github.com/canonical/cloud-init/pull/2125
Prior to this change, arguments were not escaped nor was the possiblity
for arguments to be empty accounted for. This led to a kinda broken
startup script were arguments were "shifted", e.g. leaving allowedIPs
empty in order to use the default would cause `--bird` (the following
arguments key) to be used as the value. This was also observable when
e.g. the navbarBrand had a space in it where only everything until the
first space would show up.
With the new approach, all arguments are consistently escaped and empty
ones left out.
`extraConfig` now supports and prefers lists of strings instead of
lines (still supported but warned). This is due to the fragility with
respect to e.g. forgetting trailing backslashes after each line.
`frontend.{servers,domain}` are unset by default since the frontend
needs (the upstream project itself has no empty defaults here) needs
them to be set. If not set, an error is caused at build-time.
`proxy.birdSocket` has a new default: The projects README[^1] states
`/var/run/bird/bird.ctl` as the current default value. And bird2 on
NixOS does use this path too.
[^1]: https://github.com/xddxdd/bird-lg-go#proxy
When using Roundcube with a non local PostgreSQL database wait for
network start before running roundcube-setup.service
Otherwise the database is not reachable and the service fails.
Extract PostgreSQL database password for Roundcube from .pgpass file.
The password file is used in two locations:
1. in the Roundcube config.php
2. in the systemd setup service that initializes the roundcube
database
These two services need the password in different formats.
Keep the password file in PostgreSQL standard format and extract the
password for the Roundcube config (see #215986).
