forgejo,forgejo-lts: remove PAM support

emilylange · emilylange · commit 07641a91c96d · 2024-08-17T21:07:23.000+02:00
https://forgejo.org/docs/latest/user/authentication/#pam-pluggable-authentication-module PAM support has to be enabled at compile time and upstream considers it opt-in. Official upstream binaries have it disabled. We enabled it by default because we simply inherited most of it from Gitea when the split in nixpkgs happened. Reasons why it had been enabled in nixpkgs for Gitea are unknown. See 9406f24. There is reason to believe not a single Forgejo instance running on NixOS uses this feature because it literally segfaults due to our sandboxing.
diff --git a/nixos/doc/manual/release-notes/rl-2411.section.md b/nixos/doc/manual/release-notes/rl-2411.section.md
@@ -180,6 +180,8 @@
   `services.forgejo.secrets` is a small wrapper over systemd's `LoadCredential=`. It has the same structure (sections/keys) as
   `services.forgejo.settings` but takes file paths that will be read before service startup instead of some plaintext value.
 
+- `forgejo` and `forgejo-lts` no longer support the opt-in feature [PAM (Pluggable Authentication Module)](https://forgejo.org/docs/latest/user/authentication/#pam-pluggable-authentication-module).
+
 - `services.ddclient.use` has been deprecated: `ddclient` now supports separate IPv4 and IPv6 configuration. Use `services.ddclient.usev4` and `services.ddclient.usev6` instead.
 
 - `teleport` has been upgraded from major version 15 to major version 16.
diff --git a/pkgs/by-name/fo/forgejo/generic.nix b/pkgs/by-name/fo/forgejo/generic.nix
@@ -17,8 +17,6 @@
 , nix-update-script
 , nixosTests
 , openssh
-, pam
-, pamSupport ? true
 , sqliteSupport ? true
 , xorg
 , runCommand
@@ -68,8 +66,6 @@ buildGoModule rec {
     makeWrapper
   ];
 
-  buildInputs = lib.optional pamSupport pam;
-
   nativeCheckInputs = [
     git
     openssh
@@ -83,8 +79,7 @@ buildGoModule rec {
     substituteInPlace modules/setting/server.go --subst-var data
   '';
 
-  tags = lib.optional pamSupport "pam"
-    ++ lib.optionals sqliteSupport [ "sqlite" "sqlite_unlock_notify" ];
+  tags = lib.optionals sqliteSupport [ "sqlite" "sqlite_unlock_notify" ];
 
   ldflags = [
     "-s"
@@ -115,7 +110,6 @@ buildGoModule rec {
       skippedTests = [
         "Test_SSHParsePublicKey/dsa-1024/SSHKeygen" # dsa-1024 is deprecated in openssh and requires opting-in at compile time
         "Test_calcFingerprint/dsa-1024/SSHKeygen" # dsa-1024 is deprecated in openssh and requires opting-in at compile time
-        "TestPamAuth" # we don't have PAM set up in the build sandbox
         "TestPassword" # requires network: api.pwnedpasswords.com
         "TestCaptcha" # requires network: hcaptcha.com
         "TestDNSUpdate" # requires network: release.forgejo.org
