Merge pull request #159103 from pacien/nixos-taskserver-firewall-no-port-open

nixos/taskserver: do not open firewall port implicitly, port helper to Python 3
2022-04-21 01:56:36 +02:00 · 2022-04-21 01:56:36 +02:00 · 786f0c486b
commit 786f0c486b
parent c085bfc9af 0091e3198a
5 changed files with 28 additions and 11 deletions
--- a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml
+++ b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml
@ -1043,6 +1043,14 @@
          <literal>admin</literal> and <literal>password</literal>.
        </para>
      </listitem>
+      <listitem>
+        <para>
+          The <literal>taskserver</literal> module no longer implicitly
+          opens ports in the firewall configuration. This is now
+          controlled through the option
+          <literal>services.taskserver.openFirewall</literal>.
+        </para>
+      </listitem>
      <listitem>
        <para>
          The <literal>autorestic</literal> package has been upgraded
--- a/nixos/doc/manual/release-notes/rl-2205.section.md
+++ b/nixos/doc/manual/release-notes/rl-2205.section.md
@ -443,6 +443,10 @@ In addition to numerous new and upgraded packages, this release has the followin

 - `services.miniflux.adminCredentialFiles` is now required, instead of defaulting to `admin` and `password`.

+- The `taskserver` module no longer implicitly opens ports in the firewall
+  configuration. This is now controlled through the option
+  `services.taskserver.openFirewall`.
+
 - The `autorestic` package has been upgraded from 1.3.0 to 1.5.0 which introduces breaking changes in config file, check [their migration guide](https://autorestic.vercel.app/migration/1.4_1.5) for more details.

 - For `pkgs.python3.pkgs.ipython`, its direct dependency `pkgs.python3.pkgs.matplotlib-inline`
--- a/nixos/modules/services/misc/taskserver/default.nix
+++ b/nixos/modules/services/misc/taskserver/default.nix
@ -106,7 +106,7 @@ let

  certtool = "${pkgs.gnutls.bin}/bin/certtool";

-  nixos-taskserver = with pkgs.python2.pkgs; buildPythonApplication {
+  nixos-taskserver = with pkgs.python3.pkgs; buildPythonApplication {
    name = "nixos-taskserver";

    src = pkgs.runCommand "nixos-taskserver-src" { preferLocalBuild = true; } ''
@ -277,10 +277,6 @@ in {
        example = "::";
        description = ''
          The address (IPv4, IPv6 or DNS) to listen on.
-
-          If the value is something else than <literal>localhost</literal> the
-          port defined by <option>listenPort</option> is automatically added to
-          <option>networking.firewall.allowedTCPPorts</option>.
        '';
      };

@ -292,6 +288,14 @@ in {
        '';
      };

+      openFirewall = mkOption {
+        type = types.bool;
+        default = false;
+        description = ''
+          Whether to open the firewall for the specified Taskserver port.
+        '';
+      };
+
      fqdn = mkOption {
        type = types.str;
        default = "localhost";
@ -560,7 +564,7 @@ in {
        '';
      };
    })
-    (mkIf (cfg.enable && cfg.listenHost != "localhost") {
+    (mkIf (cfg.enable && cfg.openFirewall) {
      networking.firewall.allowedTCPPorts = [ cfg.listenPort ];
    })
  ];
--- a/nixos/modules/services/misc/taskserver/helper-tool.py
+++ b/nixos/modules/services/misc/taskserver/helper-tool.py
@ -90,7 +90,7 @@ def certtool_cmd(*args, **kwargs):
    """
    return subprocess.check_output(
        [CERTTOOL_COMMAND] + list(args),
-        preexec_fn=lambda: os.umask(0077),
+        preexec_fn=lambda: os.umask(0o077),
        stderr=subprocess.STDOUT,
        **kwargs
    )
@ -164,7 +164,7 @@ def generate_key(org, user):
    pubcert = os.path.join(basedir, "public.cert")

    try:
-        os.makedirs(basedir, mode=0700)
+        os.makedirs(basedir, mode=0o700)

        certtool_cmd("-p", "--bits", CERT_BITS, "--outfile", privkey)

@ -301,7 +301,7 @@ class Organisation(object):
            return None
        if name not in self.users.keys():
            output = taskd_cmd("add", "user", self.name, name,
-                               capture_stdout=True)
+                               capture_stdout=True, encoding='utf-8')
            key = RE_USERKEY.search(output)
            if key is None:
                msg = "Unable to find key while creating user {}."
@ -412,9 +412,9 @@ class Manager(object):
        if org is not None:
            if self.ignore_imperative and is_imperative(name):
                return
-            for user in org.users.keys():
+            for user in list(org.users.keys()):
                org.del_user(user)
-            for group in org.groups.keys():
+            for group in list(org.groups.keys()):
                org.del_group(group)
            taskd_cmd("remove", "org", name)
            del self._lazy_orgs[name]
--- a/nixos/tests/taskserver.nix
+++ b/nixos/tests/taskserver.nix
@ -63,6 +63,7 @@ in {
    server = {
      services.taskserver.enable = true;
      services.taskserver.listenHost = "::";
+      services.taskserver.openFirewall = true;
      services.taskserver.fqdn = "server";
      services.taskserver.organisations = {
        testOrganisation.users = [ "alice" "foo" ];