author | pacien <pacien.trangirard@pacien.net> | 2022-02-11 02:30:44 +0100 |
---|---|---|
committer | pacien <pacien.trangirard@pacien.net> | 2022-03-05 15:15:50 +0100 |
commit | 0091e3198a81cfc5cd867f676f3711a63979b938 (patch) | |
tree | 2a26eddb99c41cea5a716dd0b65159169577d208 /nixos | |
parent | 9013352e3f1941f6ee4430baaa69b0b0927adb15 (diff) | |
nixos/taskserver: do not open firewall port implicitly
This adds an option `services.taskserver.openFirewall` to allow the user to choose whether or not the firewall port should be opened for the service. The port is no longer opened by default. See also https://github.com/NixOS/nixpkgs/issues/19504.
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/doc/manual/from_md/release-notes/rl-2205.section.xml | 8 | ||||
-rw-r--r-- | nixos/doc/manual/release-notes/rl-2205.section.md | 4 | ||||
-rw-r--r-- | nixos/modules/services/misc/taskserver/default.nix | 14 | ||||
-rw-r--r-- | nixos/tests/taskserver.nix | 1 |
4 files changed, 22 insertions, 5 deletions
diff --git a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml index 2bcfc86b432..d18606caa51 100644 --- a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml +++ b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml @@ -488,6 +488,14 @@ </listitem> <listitem> <para> + The <literal>taskserver</literal> module no longer implicitly + opens ports in the firewall configuration. This is now + controlled through the option + <literal>services.taskserver.openFirewall</literal>. + </para> + </listitem> + <listitem> + <para> The <literal>autorestic</literal> package has been upgraded from 1.3.0 to 1.5.0 which introduces breaking changes in config file, check diff --git a/nixos/doc/manual/release-notes/rl-2205.section.md b/nixos/doc/manual/release-notes/rl-2205.section.md index 650ace8d9d2..e0f87f98dec 100644 --- a/nixos/doc/manual/release-notes/rl-2205.section.md +++ b/nixos/doc/manual/release-notes/rl-2205.section.md @@ -157,6 +157,10 @@ In addition to numerous new and upgraded packages, this release has the followin - `services.miniflux.adminCredentialFiles` is now required, instead of defaulting to `admin` and `password`. +- The `taskserver` module no longer implicitly opens ports in the firewall + configuration. This is now controlled through the option + `services.taskserver.openFirewall`. + - The `autorestic` package has been upgraded from 1.3.0 to 1.5.0 which introduces breaking changes in config file, check [their migration guide](https://autorestic.vercel.app/migration/1.4_1.5) for more details. - For `pkgs.python3.pkgs.ipython`, its direct dependency `pkgs.python3.pkgs.matplotlib-inline` diff --git a/nixos/modules/services/misc/taskserver/default.nix b/nixos/modules/services/misc/taskserver/default.nix index 33f4d0c103a..e2080492998 100644 --- a/nixos/modules/services/misc/taskserver/default.nix +++ b/nixos/modules/services/misc/taskserver/default.nix 
@@ -277,10 +277,6 @@ in { example = "::"; description = '' The address (IPv4, IPv6 or DNS) to listen on. - - If the value is something else than <literal>localhost</literal> the - port defined by <option>listenPort</option> is automatically added to - <option>networking.firewall.allowedTCPPorts</option>. ''; }; @@ -292,6 +288,14 @@ in { ''; }; + openFirewall = mkOption { + type = types.bool; + default = false; + description = '' + Whether to open the firewall for the specified Taskserver port. + ''; + }; + fqdn = mkOption { type = types.str; default = "localhost"; @@ -560,7 +564,7 @@ in { ''; }; }) - (mkIf (cfg.enable && cfg.listenHost != "localhost") { + (mkIf (cfg.enable && cfg.openFirewall) { networking.firewall.allowedTCPPorts = [ cfg.listenPort ]; }) ]; diff --git a/nixos/tests/taskserver.nix b/nixos/tests/taskserver.nix index f34782c7059..b2bd421e231 100644 --- a/nixos/tests/taskserver.nix +++ b/nixos/tests/taskserver.nix @@ -63,6 +63,7 @@ in { server = { services.taskserver.enable = true; services.taskserver.listenHost = "::"; + services.taskserver.openFirewall = true; services.taskserver.fqdn = "server"; services.taskserver.organisations = { testOrganisation.users = [ "alice" "foo" ]; |
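Review bot: The description of the new `openFirewall` option (second default.nix hunk) does not say which port or which firewall option it drives, and this commit removes the only text that did, the paragraph under `listenHost`. I would word it as `Whether to add <option>listenPort</option> to <option>networking.firewall.allowedTCPPorts</option>.` and add a sentence that this list is not tied to `listenHost`, so the port is accepted on every interface the firewall covers even when the server listens on a single address. Readers who need a narrower opening can then leave the option off and write a per-interface rule themselves.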
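Review bot: The test only exercises the opened case, because the server node now sets `services.taskserver.openFirewall = true;`, and nothing visible here pins the new default of `false`. The rest of the test lies outside the hunk, so this may be covered elsewhere. If it is not, a second node with `listenHost = "::"` and the option left unset, plus a check from the client that a connection to `listenPort` fails, would catch a regression to implicit opening. A comment next to the added line, `# required since the module no longer opens listenPort by itself`, would also explain why the setting is there.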