
Merge pull request #159103 from pacien/nixos-taskserver-firewall-no-port-open

nixos/taskserver: do not open firewall port implicitly, port helper to Python 3

authored by

Sandro and committed by
GitHub
786f0c48 c085bfc9

+28 -11
+8
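--- a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml
+++ b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml
@@ -1045,6 +1045,14 @@
 </listitem>
 <listitem>
 <para>
+The <literal>taskserver</literal> module no longer implicitly
+opens ports in the firewall configuration. This is now
+controlled through the option
+<literal>services.taskserver.openFirewall</literal>.
+</para>
+</listitem>
+<listitem>
+<para>
 The <literal>autorestic</literal> package has been upgraded
 from 1.3.0 to 1.5.0 which introduces breaking changes in
 config file, check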
+4
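--- a/nixos/doc/manual/release-notes/rl-2205.section.md
+++ b/nixos/doc/manual/release-notes/rl-2205.section.md
@@ -443,6 +443,10 @@
 
 - `services.miniflux.adminCredentialFiles` is now required, instead of defaulting to `admin` and `password`.
 
+- The `taskserver` module no longer implicitly opens ports in the firewall
+configuration. This is now controlled through the option
+`services.taskserver.openFirewall`.
+
 - The `autorestic` package has been upgraded from 1.3.0 to 1.5.0 which introduces breaking changes in config file, check [their migration guide](https://autorestic.vercel.app/migration/1.4_1.5) for more details.
 
 - For `pkgs.python3.pkgs.ipython`, its direct dependency `pkgs.python3.pkgs.matplotlib-inline`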
+10 -6
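--- a/nixos/modules/services/misc/taskserver/default.nix
+++ b/nixos/modules/services/misc/taskserver/default.nix
@@ -106,7 +106,7 @@
 
 certtool = "${pkgs.gnutls.bin}/bin/certtool";
 
-nixos-taskserver = with pkgs.python2.pkgs; buildPythonApplication {
+nixos-taskserver = with pkgs.python3.pkgs; buildPythonApplication {
 name = "nixos-taskserver";
 
 src = pkgs.runCommand "nixos-taskserver-src" { preferLocalBuild = true; } ''
@@ -277,10 +277,6 @@
 example = "::";
 description = ''
 The address (IPv4, IPv6 or DNS) to listen on.
-
-If the value is something else than <literal>localhost</literal> the
-port defined by <option>listenPort</option> is automatically added to
-<option>networking.firewall.allowedTCPPorts</option>.
 '';
 };
 
@@ -289,6 +285,14 @@
 default = 53589;
 description = ''
 Port number of the Taskserver.
+'';
+};
+
+openFirewall = mkOption {
+type = types.bool;
+default = false;
+description = ''
+Whether to open the firewall for the specified Taskserver port.
 '';
 };
 
@@ -560,7 +564,7 @@
 '';
 };
 })
-(mkIf (cfg.enable && cfg.listenHost != "localhost") {
+(mkIf (cfg.enable && cfg.openFirewall) {
 networking.firewall.allowedTCPPorts = [ cfg.listenPort ];
 })
 ];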
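Review bot: The `openFirewall` description at new lines 294–296 does not say which port is opened or that the option now applies regardless of `listenHost`, which is exactly what changed for existing users; I would write `Whether to open <option>listenPort</option> in the firewall, independently of <option>listenHost</option>.` so the docs line up with the `mkIf (cfg.enable && cfg.openFirewall)` condition in the last hunk. Since the previous behaviour opened the port automatically for any non-localhost `listenHost`, a deployment that relied on that and upgrades without reading the release notes will silently stop accepting remote connections; a `warnings` entry when `cfg.listenHost != "localhost" && !cfg.openFirewall` would surface that at evaluation time, though whether to add it is a judgement call for the module maintainers. The config list that the last hunk's `mkIf` belongs to starts and ends outside the hunk.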
+5 -5
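--- a/nixos/modules/services/misc/taskserver/helper-tool.py
+++ b/nixos/modules/services/misc/taskserver/helper-tool.py
@@ -90,7 +90,7 @@
 """
 return subprocess.check_output(
 [CERTTOOL_COMMAND] + list(args),
-preexec_fn=lambda: os.umask(0077),
+preexec_fn=lambda: os.umask(0o077),
 stderr=subprocess.STDOUT,
 **kwargs
 )
@@ -164,7 +164,7 @@
 pubcert = os.path.join(basedir, "public.cert")
 
 try:
-os.makedirs(basedir, mode=0700)
+os.makedirs(basedir, mode=0o700)
 
 certtool_cmd("-p", "--bits", CERT_BITS, "--outfile", privkey)
 
@@ -301,7 +301,7 @@
 return None
 if name not in self.users.keys():
 output = taskd_cmd("add", "user", self.name, name,
-capture_stdout=True)
+capture_stdout=True, encoding='utf-8')
 key = RE_USERKEY.search(output)
 if key is None:
 msg = "Unable to find key while creating user {}."
@@ -412,9 +412,9 @@
 if org is not None:
 if self.ignore_imperative and is_imperative(name):
 return
-for user in org.users.keys():
+for user in list(org.users.keys()):
 org.del_user(user)
-for group in org.groups.keys():
+for group in list(org.groups.keys()):
 org.del_group(group)
 taskd_cmd("remove", "org", name)
 del self._lazy_orgs[name]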
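Review bot: `preexec_fn=lambda: os.umask(0o077)` at new line 93 carries the pre-exec hook over from the Python 2 version, which the subprocess documentation marks as unsafe when the parent has other threads running; on Python 3.9+ the child's umask can be set with the dedicated argument instead, `umask=0o077,` replacing the `preexec_fn` line, provided the python3 passed to buildPythonApplication is at least 3.9. The text/bytes boundary is also worth a second look: `check_output` here still returns bytes unless a caller passes `encoding` or `text` through `**kwargs`, which the third hunk does for `taskd_cmd` but nothing visible does for `certtool_cmd`, so any caller that string-matches its output would need the same treatment — I cannot see those callers from here. `certtool_cmd`'s signature and docstring lie above the first hunk.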
+1
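--- a/nixos/tests/taskserver.nix
+++ b/nixos/tests/taskserver.nix
@@ -63,6 +63,7 @@
 server = {
 services.taskserver.enable = true;
 services.taskserver.listenHost = "::";
+services.taskserver.openFirewall = true;
 services.taskserver.fqdn = "server";
 services.taskserver.organisations = {
 testOrganisation.users = [ "alice" "foo" ];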