Merge pull request #164377 from rsynnest/master

nixos/unifi-video: add deprecation warning for openFirewall
pennae 2022-03-29 12:03:18 +00:00 committed by GitHub
commit e7da834115
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 97 additions and 81 deletions


@ -1411,6 +1411,15 @@
using this default will print a warning when rebuilt. using this default will print a warning when rebuilt.
</para> </para>
</listitem> </listitem>
<listitem>
<para>
The <literal>services.unifi-video.openPorts</literal> option
default value of <literal>true</literal> is now deprecated and
will be changed to <literal>false</literal> in 22.11.
Configurations using this default will print a warning when
rebuilt.
</para>
</listitem>
<listitem> <listitem>
<para> <para>
<literal>security.acme</literal> certificates will now <literal>security.acme</literal> certificates will now


@ -506,6 +506,9 @@ In addition to numerous new and upgraded packages, this release has the followin
- The `services.unifi.openPorts` option default value of `true` is now deprecated and will be changed to `false` in 22.11. - The `services.unifi.openPorts` option default value of `true` is now deprecated and will be changed to `false` in 22.11.
Configurations using this default will print a warning when rebuilt. Configurations using this default will print a warning when rebuilt.
- The `services.unifi-video.openPorts` option default value of `true` is now deprecated and will be changed to `false` in 22.11.
Configurations using this default will print a warning when rebuilt.
- `security.acme` certificates will now correctly check for CA - `security.acme` certificates will now correctly check for CA
revokation before reaching their minimum age. revokation before reaching their minimum age.


@ -16,7 +16,7 @@ let
-pidfile ${cfg.pidFile} \ -pidfile ${cfg.pidFile} \
-procname unifi-video \ -procname unifi-video \
-Djava.security.egd=file:/dev/./urandom \ -Djava.security.egd=file:/dev/./urandom \
-Xmx${cfg.maximumJavaHeapSize}M \ -Xmx${toString cfg.maximumJavaHeapSize}M \
-Xss512K \ -Xss512K \
-XX:+UseG1GC \ -XX:+UseG1GC \
-XX:+UseStringDeduplication \ -XX:+UseStringDeduplication \
@ -91,98 +91,102 @@ let
stateDir = "/var/lib/unifi-video"; stateDir = "/var/lib/unifi-video";
in in
{ {
options.services.unifi-video = { options.services.unifi-video = {
enable = mkOption {
type = types.bool;
default = false;
description = ''
Whether or not to enable the unifi-video service.
'';
};
jrePackage = mkOption { enable = mkOption {
type = types.package; type = types.bool;
default = pkgs.jre8; default = false;
defaultText = literalExpression "pkgs.jre8"; description = ''
description = '' Whether or not to enable the unifi-video service.
The JRE package to use. Check the release notes to ensure it is supported. '';
''; };
};
unifiVideoPackage = mkOption { jrePackage = mkOption {
type = types.package; type = types.package;
default = pkgs.unifi-video; default = pkgs.jre8;
defaultText = literalExpression "pkgs.unifi-video"; defaultText = literalExpression "pkgs.jre8";
description = '' description = ''
The unifi-video package to use. The JRE package to use. Check the release notes to ensure it is supported.
''; '';
}; };
mongodbPackage = mkOption { unifiVideoPackage = mkOption {
type = types.package; type = types.package;
default = pkgs.mongodb-4_0; default = pkgs.unifi-video;
defaultText = literalExpression "pkgs.mongodb"; defaultText = literalExpression "pkgs.unifi-video";
description = '' description = ''
The mongodb package to use. The unifi-video package to use.
''; '';
}; };
logDir = mkOption { mongodbPackage = mkOption {
type = types.str; type = types.package;
default = "${stateDir}/logs"; default = pkgs.mongodb-4_0;
description = '' defaultText = literalExpression "pkgs.mongodb";
Where to store the logs. description = ''
''; The mongodb package to use.
}; '';
};
dataDir = mkOption { logDir = mkOption {
type = types.str; type = types.str;
default = "${stateDir}/data"; default = "${stateDir}/logs";
description = '' description = ''
Where to store the database and other data. Where to store the logs.
''; '';
}; };
openPorts = mkOption { dataDir = mkOption {
type = types.bool; type = types.str;
default = true; default = "${stateDir}/data";
description = '' description = ''
Whether or not to open the required ports on the firewall. Where to store the database and other data.
''; '';
}; };
maximumJavaHeapSize = mkOption { openFirewall = mkOption {
type = types.nullOr types.int; type = types.bool;
default = 1024; default = true;
example = 4096; description = ''
description = '' Whether or not to open the required ports on the firewall.
Set the maximimum heap size for the JVM in MB. '';
''; };
};
pidFile = mkOption { maximumJavaHeapSize = mkOption {
type = types.path; type = types.nullOr types.int;
default = "${cfg.dataDir}/unifi-video.pid"; default = 1024;
defaultText = literalExpression ''"''${config.${opt.dataDir}}/unifi-video.pid"''; example = 4096;
description = "Location of unifi-video pid file."; description = ''
}; Set the maximimum heap size for the JVM in MB.
'';
};
}; pidFile = mkOption {
type = types.path;
default = "${cfg.dataDir}/unifi-video.pid";
defaultText = literalExpression ''"''${config.${opt.dataDir}}/unifi-video.pid"'';
description = "Location of unifi-video pid file.";
};
config = mkIf cfg.enable { };
users = {
users.unifi-video = { config = mkIf cfg.enable {
warnings = optional
(options.services.unifi-video.openFirewall.highestPrio >= (mkOptionDefault null).priority)
"The current services.unifi-video.openFirewall = true default is deprecated and will change to false in 22.11. Set it explicitly to silence this warning.";
users.users.unifi-video = {
description = "UniFi Video controller daemon user"; description = "UniFi Video controller daemon user";
home = stateDir; home = stateDir;
group = "unifi-video"; group = "unifi-video";
isSystemUser = true; isSystemUser = true;
}; };
groups.unifi-video = {}; users.groups.unifi-video = {};
};
networking.firewall = mkIf cfg.openPorts { networking.firewall = mkIf cfg.openFirewall {
# https://help.ui.com/hc/en-us/articles/217875218-UniFi-Video-Ports-Used # https://help.ui.com/hc/en-us/articles/217875218-UniFi-Video-Ports-Used
allowedTCPPorts = [ allowedTCPPorts = [
7080 # HTTP portal 7080 # HTTP portal
@ -237,7 +241,6 @@ config = mkIf cfg.enable {
"L+ '${stateDir}/conf/server.xml' 0700 unifi-video unifi-video - ${pkgs.unifi-video}/lib/unifi-video/conf/server.xml" "L+ '${stateDir}/conf/server.xml' 0700 unifi-video unifi-video - ${pkgs.unifi-video}/lib/unifi-video/conf/server.xml"
"L+ '${stateDir}/conf/tomcat-users.xml' 0700 unifi-video unifi-video - ${pkgs.unifi-video}/lib/unifi-video/conf/tomcat-users.xml" "L+ '${stateDir}/conf/tomcat-users.xml' 0700 unifi-video unifi-video - ${pkgs.unifi-video}/lib/unifi-video/conf/tomcat-users.xml"
"L+ '${stateDir}/conf/web.xml' 0700 unifi-video unifi-video - ${pkgs.unifi-video}/lib/unifi-video/conf/web.xml" "L+ '${stateDir}/conf/web.xml' 0700 unifi-video unifi-video - ${pkgs.unifi-video}/lib/unifi-video/conf/web.xml"
]; ];
systemd.services.unifi-video = { systemd.services.unifi-video = {
@ -258,10 +261,11 @@ config = mkIf cfg.enable {
WorkingDirectory = "${stateDir}"; WorkingDirectory = "${stateDir}";
}; };
}; };
}; };
meta = { imports = [
maintainers = with lib.maintainers; [ rsynnest ]; (mkRenamedOptionModule [ "services" "unifi-video" "openPorts" ] [ "services" "unifi-video" "openFirewall" ])
}; ];
meta.maintainers = with lib.maintainers; [ rsynnest ];
} }
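Review bot: `maximumJavaHeapSize` is still declared `types.nullOr types.int`, so with the new `-Xmx${toString cfg.maximumJavaHeapSize}M` a `null` value renders as `-XmxM` (`toString null` is the empty string), which the JVM will most likely reject at start-up. Either narrow the type to `types.int`, or emit the flag only when a value is set, e.g. `${optionalString (cfg.maximumJavaHeapSize != null) "-Xmx${toString cfg.maximumJavaHeapSize}M"} \`, assuming `lib` is in scope as the unqualified `optional` and `mkIf` suggest. The command string this line belongs to starts and ends outside the hunk. Separately, both release-note entries name `services.unifi-video.openPorts`, while the option and the warning text now use `openFirewall`; the notes should give the new name so operators who want to pin the firewall exposure explicitly set the current option.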