From 1401b7e042f7523ac7ac583ae1d153e19bbdd108 Mon Sep 17 00:00:00 2001
From: magic_rb
Date: Sat, 2 Mar 2024 21:48:07 +0100
Subject: [PATCH] Update Nomads docker forcefully to avoid runc CVE

Signed-off-by: magic_rb
---
 nixos/systems/blowhole/nomad.nix | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/nixos/systems/blowhole/nomad.nix b/nixos/systems/blowhole/nomad.nix
index bedec98..abaa34d 100644
--- a/nixos/systems/blowhole/nomad.nix
+++ b/nixos/systems/blowhole/nomad.nix
@@ -159,6 +159,25 @@ in
 };
 virtualisation.docker.enable = true;
+ virtualisation.docker.package = pkgs.docker.override rec {
+ version = "24.0.5";
+ cliRev = "v${version}";
+ cliHash = "sha256-u1quVGTx/p8BDyRn33vYyyuE5BOhWMnGQ5uVX0PZ5mg=";
+ mobyRev = "v${version}";
+ mobyHash = "sha256-JQjRz1fHZlQRkNw/R8WWLV8caN3/U3mrKKQXbZt2crU=";
+ # version = "25.0.3";
+ # cliRev = "v${version}";
+ # cliHash = "sha256-Jvb0plV1O/UzrcpzN4zH5OulmTVF+p9UQQQ9xqkiObQ=";
+ # mobyRev = "v${version}";
+ # mobyHash = "sha256-cDlRVdQNzH/X2SJUYHK1QLUHlKQtSyRYCVbz3wPx1ZM=";
+ runcRev = "v1.1.12";
+ runcHash = "sha256-N77CU5XiGYIdwQNPFyluXjseTeaYuNJ//OsEUS0g/v0=";
+ containerdRev = "v1.7.13";
+ containerdHash = "sha256-y3CYDZbA2QjIn1vyq/p1F1pAVxQHi/0a6hGWZCRWzyk=";
+ tiniRev = "v0.19.0";
+ tiniHash = "sha256-ZDKu/8yE5G0RYFJdhgmCdN3obJNyRWv6K/Gd17zc1sI=";
+ };
+
 virtualisation.docker.daemon.settings.dns = [ (secret.network.ips.blowhole.ip or "") ];
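Review bot: The `pkgs.docker.override rec { ... }` block pins every bundled component (docker 24.0.5, runc v1.1.12, containerd v1.7.13, tini v0.19.0) by revision and hash, so once this is merged later nixpkgs security updates to Docker and its runtime will no longer reach this host unless someone remembers to drop the override; nothing in the hunk records that. Add a comment above `virtualisation.docker.package` naming the reason and the removal condition, e.g. `# Temporary pin: bundle runc >= v1.1.12 (runc CVE fix) ahead of nixpkgs; remove once pkgs.docker ships a fixed runc.` The commented-out `version = "25.0.3"` alternative with its hashes is left in as dead configuration — either delete it or note in one line why 24.0.5 was kept (presumably Nomad compatibility, but that is not visible here). Whether these override argument names still match the nixpkgs docker derivation the flake pins cannot be checked from this hunk; a mismatch would fail at evaluation rather than silently, which is at least loud.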