nixos/taskserver: do not open firewall port implicitly

This adds an option `services.taskserver.openFirewall` to allow the user to choose whether or not the firewall port should be opened for the service. This is no longer the case by default. See also NixOS#19504.
pacien · Mar 5, 2022 · 0091e31 · 0091e31
1 parent 9013352
commit 0091e31
Show file tree

Hide file tree

Showing 4 changed files with 22 additions and 5 deletions.
diff --git a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml
@@ -486,6 +486,14 @@
           <literal>admin</literal> and <literal>password</literal>.
         </para>
       </listitem>
+      <listitem>
+        <para>
+          The <literal>taskserver</literal> module no longer implicitly
+          opens ports in the firewall configuration. This is now
+          controlled through the option
+          <literal>services.taskserver.openFirewall</literal>.
+        </para>
+      </listitem>
       <listitem>
         <para>
           The <literal>autorestic</literal> package has been upgraded

diff --git a/nixos/doc/manual/release-notes/rl-2205.section.md b/nixos/doc/manual/release-notes/rl-2205.section.md
@@ -157,6 +157,10 @@ In addition to numerous new and upgraded packages, this release has the followin
 
 - `services.miniflux.adminCredentialFiles` is now required, instead of defaulting to `admin` and `password`.
 
+- The `taskserver` module no longer implicitly opens ports in the firewall
+  configuration. This is now controlled through the option
+  `services.taskserver.openFirewall`.
+
 - The `autorestic` package has been upgraded from 1.3.0 to 1.5.0 which introduces breaking changes in config file, check [their migration guide](https://autorestic.vercel.app/migration/1.4_1.5) for more details.
 
 - For `pkgs.python3.pkgs.ipython`, its direct dependency `pkgs.python3.pkgs.matplotlib-inline`

diff --git a/nixos/modules/services/misc/taskserver/default.nix b/nixos/modules/services/misc/taskserver/default.nix
@@ -277,10 +277,6 @@ in {
         example = "::";
         description = ''
           The address (IPv4, IPv6 or DNS) to listen on.
-
-          If the value is something else than <literal>localhost</literal> the
-          port defined by <option>listenPort</option> is automatically added to
-          <option>networking.firewall.allowedTCPPorts</option>.
         '';
       };
 
@@ -292,6 +288,14 @@ in {
         '';
       };
 
+      openFirewall = mkOption {
+        type = types.bool;
+        default = false;
+        description = ''
+          Whether to open the firewall for the specified Taskserver port.
+        '';
+      };
+
       fqdn = mkOption {
         type = types.str;
         default = "localhost";
@@ -560,7 +564,7 @@ in {
         '';
       };
     })
-    (mkIf (cfg.enable && cfg.listenHost != "localhost") {
+    (mkIf (cfg.enable && cfg.openFirewall) {
       networking.firewall.allowedTCPPorts = [ cfg.listenPort ];
     })
   ];

diff --git a/nixos/tests/taskserver.nix b/nixos/tests/taskserver.nix
@@ -63,6 +63,7 @@ in {
     server = {
       services.taskserver.enable = true;
       services.taskserver.listenHost = "::";
+      services.taskserver.openFirewall = true;
       services.taskserver.fqdn = "server";
       services.taskserver.organisations = {
         testOrganisation.users = [ "alice" "foo" ];