Merge pull request #155424 from tobim/nixos/snapserver-firewall

nixos/snapserver: don't open ports by default
Pascal Bach 2022-04-21 19:40:20 +02:00 committed by GitHub
commit d9309f43b3
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
4 changed files with 29 additions and 7 deletions


@ -2347,6 +2347,15 @@
generating host-global NNCP configuration.
</para>
</listitem>
<listitem>
<para>
The option <literal>services.snapserver.openFirewall</literal>
will no longer default to <literal>true</literal> starting
with NixOS 22.11. Enable it explicitly if you need to control
Snapserver remotely or connect streamig clients from other
hosts.
</para>
</listitem>
</itemizedlist>
</section>
</section>


@ -830,4 +830,8 @@ In addition to numerous new and upgraded packages, this release has the followin
- The `programs.nncp` options were added for generating host-global NNCP configuration.
- The option `services.snapserver.openFirewall` will no longer default to
`true` starting with NixOS 22.11. Enable it explicitly if you need to control
Snapserver remotely or connect streamig clients from other hosts.
<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->


@ -1,4 +1,4 @@
{ config, lib, pkgs, ... }:
{ config, options, lib, pkgs, ... }:
with lib;
@ -101,6 +101,8 @@ in {
openFirewall = mkOption {
type = types.bool;
# Make the behavior consistent with other services. Set the default to
# false and remove the accompanying warning after NixOS 22.05 is released.
default = true;
description = ''
Whether to automatically open the specified ports in the firewall.
@ -273,10 +275,16 @@ in {
config = mkIf cfg.enable {
# https://github.com/badaix/snapcast/blob/98ac8b2fb7305084376607b59173ce4097c620d8/server/streamreader/stream_manager.cpp#L85
warnings = filter (w: w != "") (mapAttrsToList (k: v: if v.type == "spotify" then ''
services.snapserver.streams.${k}.type = "spotify" is deprecated, use services.snapserver.streams.${k}.type = "librespot" instead.
'' else "") cfg.streams);
warnings =
# https://github.com/badaix/snapcast/blob/98ac8b2fb7305084376607b59173ce4097c620d8/server/streamreader/stream_manager.cpp#L85
filter (w: w != "") (mapAttrsToList (k: v: if v.type == "spotify" then ''
services.snapserver.streams.${k}.type = "spotify" is deprecated, use services.snapserver.streams.${k}.type = "librespot" instead.
'' else "") cfg.streams)
# Remove this warning after NixOS 22.05 is released.
++ optional (options.services.snapserver.openFirewall.highestPrio >= (mkOptionDefault null).priority) ''
services.snapserver.openFirewall will no longer default to true starting with NixOS 22.11.
Enable it explicitly if you need to control Snapserver remotely.
'';
systemd.services.snapserver = {
after = [ "network.target" ];
@ -304,8 +312,8 @@ in {
networking.firewall.allowedTCPPorts =
optionals cfg.openFirewall [ cfg.port ]
++ optional cfg.tcp.enable cfg.tcp.port
++ optional cfg.http.enable cfg.http.port;
++ optional (cfg.openFirewall && cfg.tcp.enable) cfg.tcp.port
++ optional (cfg.openFirewall && cfg.http.enable) cfg.http.port;
};
meta = {
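Review bot: The new warning text in the `++ optional (options.services.snapserver.openFirewall.highestPrio >= …)` branch only announces the future default change; it does not tell the user that, because `default = true;` is kept for this release, the control port and every enabled TCP/HTTP stream port are open in the firewall right now, which is the fact someone running snapserver on a laptop or an untrusted network actually needs. I would reword the two message lines to `services.snapserver.openFirewall is unset and still defaults to true, so the Snapserver control port and any enabled TCP/HTTP stream ports are currently open in the firewall.` followed by `The default changes to false in NixOS 22.11; set services.snapserver.openFirewall explicitly.` The `networking.firewall.allowedTCPPorts` hunk now correctly gates the stream ports on `cfg.openFirewall` as well as the control port, which the old code did not; the `config = mkIf cfg.enable {` attribute set this sits in continues past the hunk, and the `openFirewall` option's description is cut off, so it is unclear whether that description lists which ports are meant by "the specified ports".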


@ -19,6 +19,7 @@ in {
port = port;
tcp.port = tcpPort;
http.port = httpPort;
openFirewall = true;
buffer = bufferSize;
streams = {
mpd = {