authorMaximilian Bosch <maximilian@mbosch.me>2022-12-05 18:13:39 +0100
committerGitHub <noreply@github.com>2022-12-05 18:13:39 +0100
commit7f684f316083500f8f97849058d0db6640e31f59 (patch)
tree9d4acb401c4235835c21ca76086e4c02c6e34bd6
parent98a5ae3e5ded52f2e4265fb614080b6e1fe41855 (diff)
parent0d805d3a0b4a6913ac65a0d1e981e529779a22b5 (diff)
Merge pull request #204618 from rapenne-s/openFirewall_off_2
 make openFirewall options default to false for NixOS services
-rw-r--r--nixos/doc/manual/from_md/release-notes/rl-2305.section.xml40
-rw-r--r--nixos/doc/manual/release-notes/rl-2305.section.md8
-rw-r--r--nixos/modules/services/audio/snapserver.nix11
-rw-r--r--nixos/modules/services/networking/avahi-daemon.nix2
-rw-r--r--nixos/modules/services/networking/tmate-ssh-server.nix2
-rw-r--r--nixos/modules/services/video/unifi-video.nix2
6 files changed, 53 insertions, 12 deletions
diff --git a/nixos/doc/manual/from_md/release-notes/rl-2305.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2305.section.xml
index 0fd0382998c20..914be23576e08 100644
--- a/nixos/doc/manual/from_md/release-notes/rl-2305.section.xml
+++ b/nixos/doc/manual/from_md/release-notes/rl-2305.section.xml
@@ -72,6 +72,46 @@
       </listitem>
       <listitem>
         <para>
+          The
+          <link linkend="opt-services.snapserver.openFirewall">services.snapserver.openFirewall</link>
+          module option default value has been changed from
+          <literal>true</literal> to <literal>false</literal>. You will
+          need to explicitely set this option to
+          <literal>true</literal>, or configure your firewall.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          The
+          <link linkend="opt-services.avahi.openFirewall">services.avahi.openFirewall</link>
+          module option default value has been changed from
+          <literal>true</literal> to <literal>false</literal>. You will
+          need to explicitely set this option to
+          <literal>true</literal>, or configure your firewall.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          The
+          <link linkend="opt-services.tmate-ssh-server.openFirewall">services.tmate-ssh-server.openFirewall</link>
+          module option default value has been changed from
+          <literal>true</literal> to <literal>false</literal>. You will
+          need to explicitely set this option to
+          <literal>true</literal>, or configure your firewall.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          The
+          <link linkend="opt-services.unifi-video.openFirewall">services.unifi-video.openFirewall</link>
+          module option default value has been changed from
+          <literal>true</literal> to <literal>false</literal>. You will
+          need to explicitely set this option to
+          <literal>true</literal>, or configure your firewall.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
           The EC2 image module previously detected and automatically
           mounted ext3-formatted instance store devices and partitions
           in stage-1 (initramfs), storing <literal>/tmp</literal> on the
diff --git a/nixos/doc/manual/release-notes/rl-2305.section.md b/nixos/doc/manual/release-notes/rl-2305.section.md
index 39550d44733ad..3640cf8e963ed 100644
--- a/nixos/doc/manual/release-notes/rl-2305.section.md
+++ b/nixos/doc/manual/release-notes/rl-2305.section.md
@@ -27,6 +27,14 @@ In addition to numerous new and upgraded packages, this release has the followin
 
 - `services.sourcehut.dispatch` and the corresponding package (`sourcehut.dispatchsrht`) have been removed due to [upstream deprecation](https://sourcehut.org/blog/2022-08-01-dispatch-deprecation-plans/).
 
+- The [services.snapserver.openFirewall](#opt-services.snapserver.openFirewall) module option default value has been changed from `true` to `false`. You will need to explicitely set this option to `true`, or configure your firewall.
+
+- The [services.avahi.openFirewall](#opt-services.avahi.openFirewall) module option default value has been changed from `true` to `false`. You will need to explicitely set this option to `true`, or configure your firewall.
+
+- The [services.tmate-ssh-server.openFirewall](#opt-services.tmate-ssh-server.openFirewall) module option default value has been changed from `true` to `false`. You will need to explicitely set this option to `true`, or configure your firewall.
+
+- The [services.unifi-video.openFirewall](#opt-services.unifi-video.openFirewall) module option default value has been changed from `true` to `false`. You will need to explicitely set this option to `true`, or configure your firewall.
+
 - The EC2 image module previously detected and automatically mounted ext3-formatted instance store devices and partitions in stage-1 (initramfs), storing `/tmp` on the first discovered device. This behaviour, which only catered to very specific use cases and could not be disabled, has been removed. Users relying on this should provide their own implementation, and probably use ext4 and perform the mount in stage-2.
 
 - The EC2 image module previously detected and activated swap-formatted instance store devices and partitions in stage-1 (initramfs). This behaviour has been removed. Users relying on this should provide their own implementation.
diff --git a/nixos/modules/services/audio/snapserver.nix b/nixos/modules/services/audio/snapserver.nix
index fdc1f605bb32a..2af42eeb3705b 100644
--- a/nixos/modules/services/audio/snapserver.nix
+++ b/nixos/modules/services/audio/snapserver.nix
@@ -101,9 +101,7 @@ in {
 
       openFirewall = mkOption {
         type = types.bool;
-        # Make the behavior consistent with other services. Set the default to
-        # false and remove the accompanying warning after NixOS 22.05 is released.
-        default = true;
+        default = false;
         description = lib.mdDoc ''
           Whether to automatically open the specified ports in the firewall.
         '';
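Review bot: The `openFirewall` description still says only "the specified ports", and with the default now `false` an operator who takes the release note's "or configure your firewall" route has to read the module source to find out which ports those are. I would have the description point at the options whose values get opened, for example `Whether to automatically open the ports configured through this module's port options in the firewall.`, ideally listing those options by name. The same gap is in the tmate-ssh-server hunk ("the specified ports") and the unifi-video hunk ("the required ports"); avahi already names UDP port 5353.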
@@ -279,12 +277,7 @@ in {
       # https://github.com/badaix/snapcast/blob/98ac8b2fb7305084376607b59173ce4097c620d8/server/streamreader/stream_manager.cpp#L85
       filter (w: w != "") (mapAttrsToList (k: v: if v.type == "spotify" then ''
         services.snapserver.streams.${k}.type = "spotify" is deprecated, use services.snapserver.streams.${k}.type = "librespot" instead.
-      '' else "") cfg.streams)
-      # Remove this warning after NixOS 22.05 is released.
-      ++ optional (options.services.snapserver.openFirewall.highestPrio >= (mkOptionDefault null).priority) ''
-        services.snapserver.openFirewall will no longer default to true starting with NixOS 22.11.
-        Enable it explicitly if you need to control Snapserver remotely.
-      '';
+      '' else "") cfg.streams);
 
     systemd.services.snapserver = {
       after = [ "network.target" ];
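Review bot: With the `openFirewall` warning gone, nothing visible in this hunk reads `options` any more; if the module's argument list took `options` only for the `highestPrio` check, that argument is now unused and can be dropped. The argument list and the start of the `warnings` expression are both outside the hunk, so this needs checking against the top of the file.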
diff --git a/nixos/modules/services/networking/avahi-daemon.nix b/nixos/modules/services/networking/avahi-daemon.nix
index 56113bd34594d..0875d8a85140a 100644
--- a/nixos/modules/services/networking/avahi-daemon.nix
+++ b/nixos/modules/services/networking/avahi-daemon.nix
@@ -103,7 +103,7 @@ in
 
     openFirewall = mkOption {
       type = types.bool;
-      default = true;
+      default = false;
       description = lib.mdDoc ''
         Whether to open the firewall for UDP port 5353.
       '';
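Review bot: This default flips with no evaluation-time warning, unlike snapserver, where the `warnings` entry removed in this commit had announced the change in advance. A host that enables avahi with the NixOS firewall on and never set `openFirewall` will presumably stop receiving mDNS traffic on UDP port 5353 after upgrading, with the release note as the only notice. Closed-by-default is the safer posture, but the description should say what depends on the port so the failure is diagnosable, e.g. `Whether to open the firewall for UDP port 5353. With the firewall enabled, mDNS traffic from other hosts does not reach the daemon unless this is set.` The tmate-ssh-server and unifi-video hunks change their defaults the same way, also without a prior warning cycle.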
diff --git a/nixos/modules/services/networking/tmate-ssh-server.nix b/nixos/modules/services/networking/tmate-ssh-server.nix
index 1b8f6662ef4ca..f7740b1ddfccb 100644
--- a/nixos/modules/services/networking/tmate-ssh-server.nix
+++ b/nixos/modules/services/networking/tmate-ssh-server.nix
@@ -44,7 +44,7 @@ in
 
     openFirewall = mkOption {
       type = types.bool;
-      default = true;
+      default = false;
       description = mdDoc "Whether to automatically open the specified ports in the firewall.";
     };
 
diff --git a/nixos/modules/services/video/unifi-video.nix b/nixos/modules/services/video/unifi-video.nix
index fcc3cb02a1b0e..450e92dd9a378 100644
--- a/nixos/modules/services/video/unifi-video.nix
+++ b/nixos/modules/services/video/unifi-video.nix
@@ -148,7 +148,7 @@ in
 
     openFirewall = mkOption {
       type = types.bool;
-      default = true;
+      default = false;
       description = lib.mdDoc ''
         Whether or not to open the required ports on the firewall.
       '';