Merge pull request #204618 from rapenne-s/openFirewall_off_2

make openFirewall options to false for NixOS services
Maximilian Bosch 2022-12-05 18:13:39 +01:00 committed by GitHub
commit 7f684f3160
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
6 changed files with 53 additions and 12 deletions

@ -70,6 +70,46 @@
deprecation</link>.
</para>
</listitem>
<listitem>
<para>
The
<link linkend="opt-services.snapserver.openFirewall">services.snapserver.openFirewall</link>
module option default value has been changed from
<literal>true</literal> to <literal>false</literal>. You will
need to explicitely set this option to
<literal>true</literal>, or configure your firewall.
</para>
</listitem>
<listitem>
<para>
The
<link linkend="opt-services.avahi.openFirewall">services.avahi.openFirewall</link>
module option default value has been changed from
<literal>true</literal> to <literal>false</literal>. You will
need to explicitely set this option to
<literal>true</literal>, or configure your firewall.
</para>
</listitem>
<listitem>
<para>
The
<link linkend="opt-services.tmate-ssh-server.openFirewall">services.tmate-ssh-server.openFirewall</link>
module option default value has been changed from
<literal>true</literal> to <literal>false</literal>. You will
need to explicitely set this option to
<literal>true</literal>, or configure your firewall.
</para>
</listitem>
<listitem>
<para>
The
<link linkend="opt-services.unifi-video.openFirewall">services.unifi-video.openFirewall</link>
module option default value has been changed from
<literal>true</literal> to <literal>false</literal>. You will
need to explicitely set this option to
<literal>true</literal>, or configure your firewall.
</para>
</listitem>
<listitem>
<para>
The EC2 image module previously detected and automatically
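Review bot: "explicitely" in each of the four new `<para>` blocks should be "explicitly", i.e. `need to explicitly set this option to <literal>true</literal>, or configure your firewall.` The identical sentences appear in the Markdown release-notes hunk of this same commit, so correct both so the two renderings stay in sync.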

@ -27,6 +27,14 @@ In addition to numerous new and upgraded packages, this release has the followin
- `services.sourcehut.dispatch` and the corresponding package (`sourcehut.dispatchsrht`) have been removed due to [upstream deprecation](https://sourcehut.org/blog/2022-08-01-dispatch-deprecation-plans/).
- The [services.snapserver.openFirewall](#opt-services.snapserver.openFirewall) module option default value has been changed from `true` to `false`. You will need to explicitely set this option to `true`, or configure your firewall.
- The [services.avahi.openFirewall](#opt-services.avahi.openFirewall) module option default value has been changed from `true` to `false`. You will need to explicitely set this option to `true`, or configure your firewall.
- The [services.tmate-ssh-server.openFirewall](#opt-services.tmate-ssh-server.openFirewall) module option default value has been changed from `true` to `false`. You will need to explicitely set this option to `true`, or configure your firewall.
- The [services.unifi-video.openFirewall](#opt-services.unifi-video.openFirewall) module option default value has been changed from `true` to `false`. You will need to explicitely set this option to `true`, or configure your firewall.
- The EC2 image module previously detected and automatically mounted ext3-formatted instance store devices and partitions in stage-1 (initramfs), storing `/tmp` on the first discovered device. This behaviour, which only catered to very specific use cases and could not be disabled, has been removed. Users relying on this should provide their own implementation, and probably use ext4 and perform the mount in stage-2.
- The EC2 image module previously detected and activated swap-formatted instance store devices and partitions in stage-1 (initramfs). This behaviour has been removed. Users relying on this should provide their own implementation.
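Review bot: the four new bullets repeat the spelling error "explicitely"; suggested wording for each: `You will need to explicitly set this option to \`true\`, or configure your firewall.` The matching DocBook paragraphs in the XML hunk above carry the same typo and need the same fix.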

@ -101,9 +101,7 @@ in {
openFirewall = mkOption {
type = types.bool;
# Make the behavior consistent with other services. Set the default to
# false and remove the accompanying warning after NixOS 22.05 is released.
default = true;
default = false;
description = lib.mdDoc ''
Whether to automatically open the specified ports in the firewall.
'';
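Review bot: with the default now `false`, users who leave it off have to punch the holes themselves, but the description ("open the specified ports") does not say which options define those ports; consider naming them in the description so an administrator knows what to add to `networking.firewall` when keeping `openFirewall = false`.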
@ -279,12 +277,7 @@ in {
# https://github.com/badaix/snapcast/blob/98ac8b2fb7305084376607b59173ce4097c620d8/server/streamreader/stream_manager.cpp#L85
filter (w: w != "") (mapAttrsToList (k: v: if v.type == "spotify" then ''
services.snapserver.streams.${k}.type = "spotify" is deprecated, use services.snapserver.streams.${k}.type = "librespot" instead.
'' else "") cfg.streams)
# Remove this warning after NixOS 22.05 is released.
++ optional (options.services.snapserver.openFirewall.highestPrio >= (mkOptionDefault null).priority) ''
services.snapserver.openFirewall will no longer default to true starting with NixOS 22.11.
Enable it explicitly if you need to control Snapserver remotely.
'';
'' else "") cfg.streams);
systemd.services.snapserver = {
after = [ "network.target" ];
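Review bot: the removed warning was the line referencing `options.services.snapserver.openFirewall.highestPrio`; check whether `options` is still used anywhere else in this module and, if this was its only use, drop it from the module's argument set so the function signature does not carry an unused binding.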

@ -103,7 +103,7 @@ in
openFirewall = mkOption {
type = types.bool;
default = true;
default = false;
description = lib.mdDoc ''
Whether to open the firewall for UDP port 5353.
'';

@ -44,7 +44,7 @@ in
openFirewall = mkOption {
type = types.bool;
default = true;
default = false;
description = mdDoc "Whether to automatically open the specified ports in the firewall.";
};

@ -148,7 +148,7 @@ in
openFirewall = mkOption {
type = types.bool;
default = true;
default = false;
description = lib.mdDoc ''
Whether or not to open the required ports on the firewall.
'';