nixos/acme: Relax syscall filter after go upgrade; add acme to tested set

[mweinelt]

nixos/acme: Relax syscall filter after go upgrade; add acme to tested set

With Go 1.19 calls to setrlimit are required for lego to run.

While we could allow setrlimit alone, I think it is not unreasonable to
allow @resources in general.

Closes: #197513

nixos/release: add acme to tested set

The ACME module has long been an important part of every nixos server
deployment and we should therefore make sure the tests are working as
expected before allowing a channel bump to happen.

Related: #197443

Description of changes

Things done

• Built on platform(s)
  • x86_64-linux
  • aarch64-linux
  • x86_64-darwin
  • aarch64-darwin
• For non-Linux: Is sandbox = true set in nix.conf? (See Nix manual)
• Tested, as applicable:
  • NixOS test(s) (look inside nixos/tests)
  • and/or package tests
  • or, for functions and "core" functionality, tests in lib/tests or pkgs/test
  • made sure NixOS tests are linked to the relevant packages
• Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
• Tested basic functionality of all binary files (usually in ./result/bin/)
• 22.11 Release Notes (or backporting 22.05 Release notes)
  • (Package updates) Added a release notes entry if the change is major or breaking
  • (Module updates) Added a release notes entry if the change is significant
  • (Module addition) Added a release notes entry if adding a new NixOS module
  • (Release notes changes) Ran nixos/doc/manual/md-to-db.sh to update generated release notes
• Fits CONTRIBUTING.md.

[mweinelt]

@ofborg test acme

[m1cr0man]

Ah thanks! I wasn't aware of the upstream go issue 🙂

[delroth]

Just hit into this issue as well, LGTM, this PR solves the lego/minica SIGSYS crash problem.

[SuperSandro2000]

tests.acme is failing on x86_64-linux

(finished: must succeed: /run/current-system/specialisation/http01lego/bin/switch-to-configuration test, in 1.92 seconds)
webserver: waiting for unit acme-finished-http.example.test.target
Test "Can request certificate with Lego's built in web server" failed with error: "unit "acme-finished-http.example.test.target" is inactive and there are no pending jobs"
cleanup
kill machine (pid 8)
acme # qemu-kvm: terminating on signal 15 from pid 6 (/nix/store/fkcl1wzq3106qqgl84bhgk1lp56q6bzg-python3-3.10.7/bin/python3.10)
kill machine (pid 19)
client # qemu-kvm: terminating on signal 15 from pid 6 (/nix/store/fkcl1wzq3106qqgl84bhgk1lp56q6bzg-python3-3.10.7/bin/python3.10)
kill machine (pid 30)
dnsserver # qemu-kvm: terminating on signal 15 from pid 6 (/nix/store/fkcl1wzq3106qqgl84bhgk1lp56q6bzg-python3-3.10.7/bin/python3.10)
kill machine (pid 41)
webserver # qemu-kvm: terminating on signal 15 from pid 6 (/nix/store/fkcl1wzq3106qqgl84bhgk1lp56q6bzg-python3-3.10.7/bin/python3.10)
(finished: cleanup, in 0.05 seconds)
kill vlan (pid 7)
error: builder for '/nix/store/pq767j6a5c9m72x7b93b9y496c4d3b1v-vm-test-run-acme.drv' failed with exit code 1;

[zowoq]

https://logs.nix.ci/?key=nixos/nixpkgs.197544&attempt_id=ceeb07bb-73d7-45c5-8bad-abec9975dda6

@ofborg test acme

[mweinelt]

tests.acme is failing on x86_64-linux

Only on ofborg. 🤷