pyrox.dev / nixpkgs
lol
fork atom

Merge pull request #159103 from pacien/nixos-taskserver-firewall-no-port-open

nixos/taskserver: do not open firewall port implicitly, port helper to Python 3

Sandro 786f0c48 c085bfc9

options
unified split
Changed files
+28 -11
nixos
doc
manual
from_md
release-notes
rl-2205.section.xml
release-notes
rl-2205.section.md
modules
services
misc
taskserver
default.nix
helper-tool.py
tests
taskserver.nix
+8
nixos/doc/manual/from_md/release-notes/rl-2205.section.xml 
···

       
1045

       
1045

       
 

       
      </listitem>


     

       
1046

       
1046

       
 

       
      <listitem>


     

       
1047

       
1047

       
 

       
        <para>


     

       

       
1048

       
+

       
          The <literal>taskserver</literal> module no longer implicitly


     

       

       
1049

       
+

       
          opens ports in the firewall configuration. This is now


     

       

       
1050

       
+

       
          controlled through the option


     

       

       
1051

       
+

       
          <literal>services.taskserver.openFirewall</literal>.


     

       

       
1052

       
+

       
        </para>


     

       

       
1053

       
+

       
      </listitem>


     

       

       
1054

       
+

       
      <listitem>


     

       

       
1055

       
+

       
        <para>


     

       
1048

       
1056

       
 

       
          The <literal>autorestic</literal> package has been upgraded


     

       
1049

       
1057

       
 

       
          from 1.3.0 to 1.5.0 which introduces breaking changes in


     

       
1050

       
1058

       
 

       
          config file, check
+4
nixos/doc/manual/release-notes/rl-2205.section.md 
···

       
443

       
443

       
 

       



     

       
444

       
444

       
 

       
- `services.miniflux.adminCredentialFiles` is now required, instead of defaulting to `admin` and `password`.


     

       
445

       
445

       
 

       



     

       

       
446

       
+

       
- The `taskserver` module no longer implicitly opens ports in the firewall


     

       

       
447

       
+

       
  configuration. This is now controlled through the option


     

       

       
448

       
+

       
  `services.taskserver.openFirewall`.


     

       

       
449

       
+

       



     

       
446

       
450

       
 

       
- The `autorestic` package has been upgraded from 1.3.0 to 1.5.0 which introduces breaking changes in config file, check [their migration guide](https://autorestic.vercel.app/migration/1.4_1.5) for more details.


     

       
447

       
451

       
 

       



     

       
448

       
452

       
 

       
- For `pkgs.python3.pkgs.ipython`, its direct dependency `pkgs.python3.pkgs.matplotlib-inline`
+10 -6
nixos/modules/services/misc/taskserver/default.nix 
···

       
106

       
106

       
 

       



     

       
107

       
107

       
 

       
  certtool = "${pkgs.gnutls.bin}/bin/certtool";


     

       
108

       
108

       
 

       



     

       
109

       

       
-

       
  nixos-taskserver = with pkgs.python2.pkgs; buildPythonApplication {


     

       

       
109

       
+

       
  nixos-taskserver = with pkgs.python3.pkgs; buildPythonApplication {


     

       
110

       
110

       
 

       
    name = "nixos-taskserver";


     

       
111

       
111

       
 

       



     

       
112

       
112

       
 

       
    src = pkgs.runCommand "nixos-taskserver-src" { preferLocalBuild = true; } ''


     
···

       
277

       
277

       
 

       
        example = "::";


     

       
278

       
278

       
 

       
        description = ''


     

       
279

       
279

       
 

       
          The address (IPv4, IPv6 or DNS) to listen on.


     

       
280

       

       
-

       



     

       
281

       

       
-

       
          If the value is something else than <literal>localhost</literal> the


     

       
282

       

       
-

       
          port defined by <option>listenPort</option> is automatically added to


     

       
283

       

       
-

       
          <option>networking.firewall.allowedTCPPorts</option>.


     

       
284

       
280

       
 

       
        '';


     

       
285

       
281

       
 

       
      };


     

       
286

       
282

       
 

       



     
···

       
289

       
285

       
 

       
        default = 53589;


     

       
290

       
286

       
 

       
        description = ''


     

       
291

       
287

       
 

       
          Port number of the Taskserver.


     

       

       
288

       
+

       
        '';


     

       

       
289

       
+

       
      };


     

       

       
290

       
+

       



     

       

       
291

       
+

       
      openFirewall = mkOption {


     

       

       
292

       
+

       
        type = types.bool;


     

       

       
293

       
+

       
        default = false;


     

       

       
294

       
+

       
        description = ''


     

       

       
295

       
+

       
          Whether to open the firewall for the specified Taskserver port.


     

       
292

       
296

       
 

       
        '';


     

       
293

       
297

       
 

       
      };


     

       
294

       
298

       
 

       



     
···

       
560

       
564

       
 

       
        '';


     

       
561

       
565

       
 

       
      };


     

       
562

       
566

       
 

       
    })


     

       
563

       

       
-

       
    (mkIf (cfg.enable && cfg.listenHost != "localhost") {


     

       

       
567

       
+

       
    (mkIf (cfg.enable && cfg.openFirewall) {


     

       
564

       
568

       
 

       
      networking.firewall.allowedTCPPorts = [ cfg.listenPort ];


     

       
565

       
569

       
 

       
    })


     

       
566

       
570

       
 

       
  ];
+5 -5
nixos/modules/services/misc/taskserver/helper-tool.py 
···

       
90

       
90

       
 

       
    """


     

       
91

       
91

       
 

       
    return subprocess.check_output(


     

       
92

       
92

       
 

       
        [CERTTOOL_COMMAND] + list(args),


     

       
93

       

       
-

       
        preexec_fn=lambda: os.umask(0077),


     

       

       
93

       
+

       
        preexec_fn=lambda: os.umask(0o077),


     

       
94

       
94

       
 

       
        stderr=subprocess.STDOUT,


     

       
95

       
95

       
 

       
        **kwargs


     

       
96

       
96

       
 

       
    )


     
···

       
164

       
164

       
 

       
    pubcert = os.path.join(basedir, "public.cert")


     

       
165

       
165

       
 

       



     

       
166

       
166

       
 

       
    try:


     

       
167

       

       
-

       
        os.makedirs(basedir, mode=0700)


     

       

       
167

       
+

       
        os.makedirs(basedir, mode=0o700)


     

       
168

       
168

       
 

       



     

       
169

       
169

       
 

       
        certtool_cmd("-p", "--bits", CERT_BITS, "--outfile", privkey)


     

       
170

       
170

       
 

       



     
···

       
301

       
301

       
 

       
            return None


     

       
302

       
302

       
 

       
        if name not in self.users.keys():


     

       
303

       
303

       
 

       
            output = taskd_cmd("add", "user", self.name, name,


     

       
304

       

       
-

       
                               capture_stdout=True)


     

       

       
304

       
+

       
                               capture_stdout=True, encoding='utf-8')


     

       
305

       
305

       
 

       
            key = RE_USERKEY.search(output)


     

       
306

       
306

       
 

       
            if key is None:


     

       
307

       
307

       
 

       
                msg = "Unable to find key while creating user {}."


     
···

       
412

       
412

       
 

       
        if org is not None:


     

       
413

       
413

       
 

       
            if self.ignore_imperative and is_imperative(name):


     

       
414

       
414

       
 

       
                return


     

       
415

       

       
-

       
            for user in org.users.keys():


     

       

       
415

       
+

       
            for user in list(org.users.keys()):


     

       
416

       
416

       
 

       
                org.del_user(user)


     

       
417

       

       
-

       
            for group in org.groups.keys():


     

       

       
417

       
+

       
            for group in list(org.groups.keys()):


     

       
418

       
418

       
 

       
                org.del_group(group)


     

       
419

       
419

       
 

       
            taskd_cmd("remove", "org", name)


     

       
420

       
420

       
 

       
            del self._lazy_orgs[name]
+1
nixos/tests/taskserver.nix 
···

       
63

       
63

       
 

       
    server = {


     

       
64

       
64

       
 

       
      services.taskserver.enable = true;


     

       
65

       
65

       
 

       
      services.taskserver.listenHost = "::";


     

       

       
66

       
+

       
      services.taskserver.openFirewall = true;


     

       
66

       
67

       
 

       
      services.taskserver.fqdn = "server";


     

       
67

       
68

       
 

       
      services.taskserver.organisations = {


     

       
68

       
69

       
 

       
        testOrganisation.users = [ "alice" "foo" ];