Flake -> 23.05. Patch/update sarek

hosts/sarek/configuration.nix

@@ -30,14 +30,24 @@
   };
 
   sops.defaultSopsFile = ../../secrets/sarek/sarek.yaml;
+  virtualisation.docker.enable = true;
+  virtualisation.oci-containers.backend = "docker";
 
-  virtualisation.podman = {
-    enable = true;
-    dockerCompat = true; # Make `docker` shell alias
-    defaultNetwork.settings.dns_enabled = true;
-  };
-
-  virtualisation.oci-containers.backend = "podman";
+  # Undo https://github.com/NixOS/nixpkgs/commit/59e37267556eb917146ca3110ab7c96905b9ffbd to work on unprivileged LXC containers
+  system.activationScripts.var = lib.mkForce ''
+    # Various log/runtime directories.
+    mkdir -p /var/tmp
+    chmod 1777 /var/tmp
+    # Empty, immutable home directory of many system accounts.
+    mkdir -p /var/empty
+    # Make sure it's really empty
+    ${pkgs.e2fsprogs}/bin/chattr -f -i /var/empty || true
+    find /var/empty -mindepth 1 -delete
+    chmod 0555 /var/empty
+    chown root:root /var/empty
+    ${pkgs.e2fsprogs}/bin/chattr -f +i /var/empty || true
+  '';
+  systemd.tmpfiles.rules = lib.mkForce [];
 
   system.stateVersion = "23.05";
 }

hosts/sarek/services/hedgedoc.nix

@@ -78,7 +78,7 @@ in {
         UMask = "0007";
         RestrictAddressFamilies = [ "AF_UNIX AF_INET AF_INET6" ];
         SystemCallArchitectures = "native";
-        SystemCallFilter = "~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @setuid @swap";
+        # SystemCallFilter = "~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @setuid @swap";
       };
     };
 
@@ -88,9 +88,7 @@ in {
       ensureDatabases = [ "hedgedoc" ];
       ensureUsers = [{
         name = "hedgedoc";
-        ensurePermissions = {
-          "DATABASE \"hedgedoc\"" = "ALL PRIVILEGES";
-        };
+        ensureDBOwnership = true;
       }];
     };
 }