Merge pull request #155424 from tobim/nixos/snapserver-firewall
nixos/snapserver: don't open ports by default
commit
d9309f43b3
4 changed files with 29 additions and 7 deletions
|
@ -2347,6 +2347,15 @@
|
|||
generating host-global NNCP configuration.
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
The option <literal>services.snapserver.openFirewall</literal>
|
||||
will no longer default to <literal>true</literal> starting
|
||||
with NixOS 22.11. Enable it explicitly if you need to control
|
||||
Snapserver remotely or connect streamig clients from other
|
||||
hosts.
|
||||
</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
</section>
|
||||
</section>
|
||||
|
|
|
@ -830,4 +830,8 @@ In addition to numerous new and upgraded packages, this release has the followin
|
|||
|
||||
- The `programs.nncp` options were added for generating host-global NNCP configuration.
|
||||
|
||||
- The option `services.snapserver.openFirewall` will no longer default to
|
||||
`true` starting with NixOS 22.11. Enable it explicitly if you need to control
|
||||
Snapserver remotely or connect streamig clients from other hosts.
|
||||
|
||||
<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
{ config, options, lib, pkgs, ... }:
|
||||
|
||||
with lib;
|
||||
|
||||
|
@ -101,6 +101,8 @@ in {
|
|||
|
||||
openFirewall = mkOption {
|
||||
type = types.bool;
|
||||
# Make the behavior consistent with other services. Set the default to
|
||||
# false and remove the accompanying warning after NixOS 22.05 is released.
|
||||
default = true;
|
||||
description = ''
|
||||
Whether to automatically open the specified ports in the firewall.
|
||||
|
@ -273,10 +275,16 @@ in {
|
|||
|
||||
config = mkIf cfg.enable {
|
||||
|
||||
# https://github.com/badaix/snapcast/blob/98ac8b2fb7305084376607b59173ce4097c620d8/server/streamreader/stream_manager.cpp#L85
|
||||
warnings = filter (w: w != "") (mapAttrsToList (k: v: if v.type == "spotify" then ''
|
||||
services.snapserver.streams.${k}.type = "spotify" is deprecated, use services.snapserver.streams.${k}.type = "librespot" instead.
|
||||
'' else "") cfg.streams);
|
||||
warnings =
|
||||
# https://github.com/badaix/snapcast/blob/98ac8b2fb7305084376607b59173ce4097c620d8/server/streamreader/stream_manager.cpp#L85
|
||||
filter (w: w != "") (mapAttrsToList (k: v: if v.type == "spotify" then ''
|
||||
services.snapserver.streams.${k}.type = "spotify" is deprecated, use services.snapserver.streams.${k}.type = "librespot" instead.
|
||||
'' else "") cfg.streams)
|
||||
# Remove this warning after NixOS 22.05 is released.
|
||||
++ optional (options.services.snapserver.openFirewall.highestPrio >= (mkOptionDefault null).priority) ''
|
||||
services.snapserver.openFirewall will no longer default to true starting with NixOS 22.11.
|
||||
Enable it explicitly if you need to control Snapserver remotely.
|
||||
'';
|
||||
|
||||
systemd.services.snapserver = {
|
||||
after = [ "network.target" ];
|
||||
|
@ -304,8 +312,8 @@ in {
|
|||
|
||||
networking.firewall.allowedTCPPorts =
|
||||
optionals cfg.openFirewall [ cfg.port ]
|
||||
++ optional cfg.tcp.enable cfg.tcp.port
|
||||
++ optional cfg.http.enable cfg.http.port;
|
||||
++ optional (cfg.openFirewall && cfg.tcp.enable) cfg.tcp.port
|
||||
++ optional (cfg.openFirewall && cfg.http.enable) cfg.http.port;
|
||||
};
|
||||
|
||||
meta = {
|
||||
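Review bot: The `networking.firewall.allowedTCPPorts` hunk silently changes behaviour for hosts that already set `openFirewall = false`: the old lines opened `cfg.tcp.port` and `cfg.http.port` whenever `tcp.enable`/`http.enable` were set, the new ones close them, and neither the release-note entries nor the new warning mentions it. I would add a sentence to the release notes saying that the control ports are now gated by `openFirewall` as well, so those users know why remote control stops working after the upgrade. The warning text in the `warnings` hunk also undersells the effect, since the stream port `cfg.port` is behind the same option; it should match the release notes, e.g. `Enable it explicitly if you need to control Snapserver remotely or connect streaming clients from other hosts.` (the release notes spell it "streamig"). Note that `default = true` is unchanged in this commit, so a host that leaves the option unset keeps all three ports open and the evaluation warning is the only signal until the default is flipped. The `config = mkIf cfg.enable { … }` body and the `openFirewall` option description continue outside the visible hunks.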
|
|
|
@ -19,6 +19,7 @@ in {
|
|||
port = port;
|
||||
tcp.port = tcpPort;
|
||||
http.port = httpPort;
|
||||
openFirewall = true;
|
||||
buffer = bufferSize;
|
||||
streams = {
|
||||
mpd = {
|
||||
|
|