diff options
author | Antoine R. Dumont (@ardumont) <antoine.romain.dumont@gmail.com> | 2020-07-20 08:47:16 +0200 |
---|---|---|
committer | Antoine R. Dumont (@ardumont) <ardumont@softwareheritage.org> | 2020-10-08 08:59:49 +0200 |
commit | 3248506a002a668f8697d4752f1db211501c2823 (patch) | |
tree | 53843a3e3aa6d4e4737292015e4a12b75952f01a | |
parent | 9fdd11c6a82f1480bcd6285e55623a60ebd3e0e5 (diff) | |
download | nixpkgs-3248506a002a668f8697d4752f1db211501c2823.tar nixpkgs-3248506a002a668f8697d4752f1db211501c2823.tar.gz nixpkgs-3248506a002a668f8697d4752f1db211501c2823.tar.bz2 nixpkgs-3248506a002a668f8697d4752f1db211501c2823.tar.lz nixpkgs-3248506a002a668f8697d4752f1db211501c2823.tar.xz nixpkgs-3248506a002a668f8697d4752f1db211501c2823.tar.zst nixpkgs-3248506a002a668f8697d4752f1db211501c2823.zip |
mediatomb/gerbera: Improve firewall rules and open firewall option
This changes the default behavior which opened by default the firewall rules. The users now need to declare explicitely they want to open the firewall.
-rw-r--r-- | nixos/modules/services/misc/mediatomb.nix | 31 | ||||
-rw-r--r-- | nixos/tests/mediatomb.nix | 7 |
2 files changed, 29 insertions, 9 deletions
diff --git a/nixos/modules/services/misc/mediatomb.nix b/nixos/modules/services/misc/mediatomb.nix index 9e5a0463faa..ec6ef3d7b53 100644 --- a/nixos/modules/services/misc/mediatomb.nix +++ b/nixos/modules/services/misc/mediatomb.nix @@ -182,6 +182,13 @@ let ${transcodingConfig} </config> ''; + defaultFirewallRules = { + # udp 1900 port needs to be opened for SSDP (not configurable within + # mediatomb/gerbera) cf. + # http://docs.gerbera.io/en/latest/run.html?highlight=udp%20port#network-setup + allowedUDPPorts = [ 1900 cfg.port ]; + allowedTCPPorts = [ cfg.port ]; + }; in { @@ -294,6 +301,18 @@ in { ''; }; + openFirewall = mkOption { + type = types.bool; + default = false; + description = '' + If false (the default), this is up to the user to declare the firewall rules. + If true, this opens the 1900 (tcp and udp) and ${toString cfg.port} (tcp) ports. + If the option cfg.interface is set, the firewall rules opened are + dedicated to that interface. Otherwise, those rules are opened + globally. + ''; + }; + uuid = mkOption { type = types.str; default = "fdfc8a4e-a3ad-4c1d-b43d-a2eedb03a687"; @@ -324,6 +343,7 @@ in { ${cfg.dataDir}/config.xml. It's up to the user to make a correct configuration file. ''; }; + }; }; @@ -356,9 +376,12 @@ in { }; }; - networking.firewall.interfaces."${cfg.interface}" = { - allowedUDPPorts = [ 1900 cfg.port ]; - allowedTCPPorts = [ cfg.port ]; - }; + # Open firewall only if users enable it + networking.firewall = mkMerge [ + (mkIf (cfg.openFirewall && cfg.interface != "") { + interfaces."${cfg.interface}" = defaultFirewallRules; + }) + (mkIf (cfg.openFirewall && cfg.interface == "") defaultFirewallRules) + ]; }; } diff --git a/nixos/tests/mediatomb.nix b/nixos/tests/mediatomb.nix index f07e453aadc..b7a126a01ad 100644 --- a/nixos/tests/mediatomb.nix +++ b/nixos/tests/mediatomb.nix @@ -14,15 +14,12 @@ import ./make-test-python.nix ({ pkgs, ... }: serverName = "Gerbera"; package = pkgs.gerbera; interface = "eth1"; # accessible from test + openFirewall = true; mediaDirectories = [ { path = "/var/lib/gerbera/pictures"; recursive = false; hidden-files = false; } { path = "/var/lib/gerbera/audio"; recursive = true; hidden-files = false; } ]; }; - networking.firewall = { - allowedUDPPorts = [ 1900 port ]; - allowedTCPPorts = [ port ]; - }; }; serverMediatomb = @@ -41,7 +38,7 @@ import ./make-test-python.nix ({ pkgs, ... }: { path = "/var/lib/mediatomb/audio"; recursive = true; hidden-files = false; } ]; }; - networking.firewall = { + networking.firewall.interfaces.eth1 = { allowedUDPPorts = [ 1900 port ]; allowedTCPPorts = [ port ]; }; |