diff options
| author | Niklas Hambüchen <mail@nh2.me> | 2022-01-13 03:21:32 +0000 |
|---|---|---|
| committer | Niklas Hambüchen <mail@nh2.me> | 2023-11-14 10:51:16 +0100 |
| commit | 65a471717c53c5b8fa617680140a045da336dabc (patch) | |
| tree | 9b311ad27d08b578916aa55c8573f47ad6870b5a /nixos/tests | |
| parent | 85f1ba3e51676fa8cc604a3d863d729026a6b8eb (diff) | |
| download | nixpkgs-65a471717c53c5b8fa617680140a045da336dabc.tar nixpkgs-65a471717c53c5b8fa617680140a045da336dabc.tar.gz nixpkgs-65a471717c53c5b8fa617680140a045da336dabc.tar.bz2 nixpkgs-65a471717c53c5b8fa617680140a045da336dabc.tar.lz nixpkgs-65a471717c53c5b8fa617680140a045da336dabc.tar.xz nixpkgs-65a471717c53c5b8fa617680140a045da336dabc.tar.zst nixpkgs-65a471717c53c5b8fa617680140a045da336dabc.zip | |
plausible, nixos/plausible: Add `listenAddress` option.
This changes * the plausible HTTP web server to be listening on localhost only, explicitly. This makes Plausible have an explicit safe default configuration, like all other networked services in NixOS. For background discussion, see: https://github.com/NixOS/nixpkgs/issues/130244 As per my upstream Plausible contribution (https://github.com/plausible/analytics/pull/1190) Plausible >= 1.5 also defaults to listening to localhost only; nevertheless, this default should be stated explicitly in nixpkgs for easier review and independence from upstream changes, and a NixOS user must be able to configure the `listenAddress`, as there are valid use cases for that. Also, disable * the Erlang Beam VM inter-node RPC port * the Erlang EPMD port because Plausible does not use them (see added comment). This is done by setting `RELEASE_DISTRIBUTION=none`. Thus, this commit also removes the NixOS setting `releaseCookiePath`, because it now has no effect.
Diffstat (limited to 'nixos/tests')
| -rw-r--r-- | nixos/tests/plausible.nix | 7 |
1 files changed, 4 insertions, 3 deletions
diff --git a/nixos/tests/plausible.nix b/nixos/tests/plausible.nix index 9afd3db75de..9c26c509a5a 100644 --- a/nixos/tests/plausible.nix +++ b/nixos/tests/plausible.nix @@ -8,9 +8,6 @@ import ./make-test-python.nix ({ pkgs, lib, ... }: { virtualisation.memorySize = 4096; services.plausible = { enable = true; - releaseCookiePath = "${pkgs.runCommand "cookie" { } '' - ${pkgs.openssl}/bin/openssl rand -base64 64 >"$out" - ''}"; adminUser = { email = "admin@example.org"; passwordFile = "${pkgs.writeText "pwd" "foobar"}"; @@ -28,6 +25,10 @@ import ./make-test-python.nix ({ pkgs, lib, ... }: { machine.wait_for_unit("plausible.service") machine.wait_for_open_port(8000) + # Ensure that the software does not make not make the machine + # listen on any public interfaces by default. + machine.fail("ss -tlpn 'src = 0.0.0.0 or src = [::]' | grep LISTEN") + machine.succeed("curl -f localhost:8000 >&2") machine.succeed("curl -f localhost:8000/js/script.js >&2") |