authorTobias Mayer <tobim@fastmail.fm>2022-01-04 08:44:10 +0100
committerTobias Mayer <tobim@fastmail.fm>2022-04-20 23:25:28 +0200
commit0d49836dec33b6749c1775a48d019a4a52a41cc5 (patch)
treea73b10472d8a7e9bc863e5591175c075a2a43f52
parentc81321c7f90eef6bedf0685d402294497af3e187 (diff)
nixos/snapserver: don't open ports by default
-rw-r--r--nixos/doc/manual/from_md/release-notes/rl-2205.section.xml9
-rw-r--r--nixos/doc/manual/release-notes/rl-2205.section.md4
-rw-r--r--nixos/modules/services/audio/snapserver.nix22
-rw-r--r--nixos/tests/snapcast.nix1
4 files changed, 29 insertions, 7 deletions
diff --git a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml
index c8a942f2abb93..53cacda0d7710 100644
--- a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml
+++ b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml
@@ -2333,6 +2333,15 @@
           generating host-global NNCP configuration.
         </para>
       </listitem>
+      <listitem>
+        <para>
+          The option <literal>services.snapserver.openFirewall</literal>
+          will no longer default to <literal>true</literal> starting
+          with NixOS 22.11. Enable it explicitly if you need to control
+          Snapserver remotely or connect streamig clients from other
+          hosts.
+        </para>
+      </listitem>
     </itemizedlist>
   </section>
 </section>
diff --git a/nixos/doc/manual/release-notes/rl-2205.section.md b/nixos/doc/manual/release-notes/rl-2205.section.md
index 809f6f9068ebb..86383f85c45ea 100644
--- a/nixos/doc/manual/release-notes/rl-2205.section.md
+++ b/nixos/doc/manual/release-notes/rl-2205.section.md
@@ -824,4 +824,8 @@ In addition to numerous new and upgraded packages, this release has the followin
 
 - The `programs.nncp` options were added for generating host-global NNCP configuration.
 
+- The option `services.snapserver.openFirewall` will no longer default to
+  `true` starting with NixOS 22.11. Enable it explicitly if you need to control
+  Snapserver remotely or connect streamig clients from other hosts.
+
 <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
diff --git a/nixos/modules/services/audio/snapserver.nix b/nixos/modules/services/audio/snapserver.nix
index 6d5ce98df8956..91d97a0b551e2 100644
--- a/nixos/modules/services/audio/snapserver.nix
+++ b/nixos/modules/services/audio/snapserver.nix
@@ -1,4 +1,4 @@
-{ config, lib, pkgs, ... }:
+{ config, options, lib, pkgs, ... }:
 
 with lib;
 
@@ -101,6 +101,8 @@ in {
 
       openFirewall = mkOption {
         type = types.bool;
+        # Make the behavior consistent with other services. Set the default to
+        # false and remove the accompanying warning after NixOS 22.05 is released.
         default = true;
         description = ''
           Whether to automatically open the specified ports in the firewall.
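Review bot: The option description on the new side still says only `Whether to automatically open the specified ports in the firewall.`, so anyone reading the generated option docs instead of the release notes is not told that the default is currently `true` (exposing `port`, `tcp.port` and `http.port` to the network) or that it is scheduled to change. The comment added at the top of the option is for maintainers and is not rendered to users. I would extend the description with a sentence such as `Note: this currently defaults to true and will default to false starting with NixOS 22.11; set it explicitly if you rely on either behaviour.` The description literal and the option body continue past the end of this hunk.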
@@ -273,10 +275,16 @@ in {
 
   config = mkIf cfg.enable {
 
-    # https://github.com/badaix/snapcast/blob/98ac8b2fb7305084376607b59173ce4097c620d8/server/streamreader/stream_manager.cpp#L85
-    warnings = filter (w: w != "") (mapAttrsToList (k: v: if v.type == "spotify" then ''
-      services.snapserver.streams.${k}.type = "spotify" is deprecated, use services.snapserver.streams.${k}.type = "librespot" instead.
-    '' else "") cfg.streams);
+    warnings =
+      # https://github.com/badaix/snapcast/blob/98ac8b2fb7305084376607b59173ce4097c620d8/server/streamreader/stream_manager.cpp#L85
+      filter (w: w != "") (mapAttrsToList (k: v: if v.type == "spotify" then ''
+        services.snapserver.streams.${k}.type = "spotify" is deprecated, use services.snapserver.streams.${k}.type = "librespot" instead.
+      '' else "") cfg.streams)
+      # Remove this warning after NixOS 22.05 is released.
+      ++ optional (options.services.snapserver.openFirewall.highestPrio >= (mkOptionDefault null).priority) ''
+        services.snapserver.openFirewall will no longer default to true starting with NixOS 22.11.
+        Enable it explicitly if you need to control Snapserver remotely.
+      '';
 
     systemd.services.snapserver = {
       after = [ "network.target" ];
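Review bot: The new warning text only tells users who want remote access what to do, and says nothing to users who do not, so a host that never needed the ports keeps them open for the whole 22.05 cycle unless the admin guesses that setting the option to false is the way to silence the warning now. I would change the second line of the message to `Enable it explicitly if you need to control Snapserver remotely or connect streaming clients from other hosts; set it to false now to stop opening the ports.`, which also matches the wording in the release notes. As far as I can tell the `highestPrio >= (mkOptionDefault null).priority` test fires only when the value comes from the module default, which is the intended audience, but a one-line comment stating that intent next to the condition would help the maintainer who later has to remove it. The enclosing `config = mkIf cfg.enable { … }` attribute set continues beyond the hunk.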
@@ -304,8 +312,8 @@ in {
 
     networking.firewall.allowedTCPPorts =
       optionals cfg.openFirewall [ cfg.port ]
-      ++ optional cfg.tcp.enable cfg.tcp.port
-      ++ optional cfg.http.enable cfg.http.port;
+      ++ optional (cfg.openFirewall && cfg.tcp.enable) cfg.tcp.port
+      ++ optional (cfg.openFirewall && cfg.http.enable) cfg.http.port;
   };
 
   meta = {
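Review bot: The `cfg.openFirewall` gate is now repeated in all three branches of `allowedTCPPorts`, which is exactly how the tcp/http ports escaped the gate in the removed lines in the first place, and a future fourth port would be easy to add without it. Applying the gate once around the whole list reads more clearly and makes the invariant "nothing is opened unless openFirewall is set" structural: `networking.firewall.allowedTCPPorts = optionals cfg.openFirewall ([ cfg.port ] ++ optional cfg.tcp.enable cfg.tcp.port ++ optional cfg.http.enable cfg.http.port);`. Behaviour is the same as the new side for every combination of the three flags.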
diff --git a/nixos/tests/snapcast.nix b/nixos/tests/snapcast.nix
index 30b8343e2ffee..9b62e4724e757 100644
--- a/nixos/tests/snapcast.nix
+++ b/nixos/tests/snapcast.nix
@@ -19,6 +19,7 @@ in {
         port = port;
         tcp.port = tcpPort;
         http.port = httpPort;
+        openFirewall = true;
         buffer = bufferSize;
         streams = {
           mpd = {