nixos/snapserver: don't open ports by default

2 years ago · 0d49836dec
parent c81321c7f9
commit 0d49836dec
4 changed files with 29 additions and 7 deletions
--- a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml
+++ b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml
@ -2333,6 +2333,15 @@
          generating host-global NNCP configuration.
        </para>
      </listitem>
+      <listitem>
+        <para>
+          The option <literal>services.snapserver.openFirewall</literal>
+          will no longer default to <literal>true</literal> starting
+          with NixOS 22.11. Enable it explicitly if you need to control
+          Snapserver remotely or connect streamig clients from other
+          hosts.
+        </para>
+      </listitem>
    </itemizedlist>
  </section>
 </section>
--- a/nixos/doc/manual/release-notes/rl-2205.section.md
+++ b/nixos/doc/manual/release-notes/rl-2205.section.md
@ -824,4 +824,8 @@ In addition to numerous new and upgraded packages, this release has the followin

 - The `programs.nncp` options were added for generating host-global NNCP configuration.

+- The option `services.snapserver.openFirewall` will no longer default to
+  `true` starting with NixOS 22.11. Enable it explicitly if you need to control
+  Snapserver remotely or connect streamig clients from other hosts.
+
 <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
--- a/nixos/modules/services/audio/snapserver.nix
+++ b/nixos/modules/services/audio/snapserver.nix
@ -1,4 +1,4 @@
-{ config, lib, pkgs, ... }:
+{ config, options, lib, pkgs, ... }:

 with lib;

@ -101,6 +101,8 @@ in {

      openFirewall = mkOption {
        type = types.bool;
+        # Make the behavior consistent with other services. Set the default to
+        # false and remove the accompanying warning after NixOS 22.05 is released.
        default = true;
        description = ''
          Whether to automatically open the specified ports in the firewall.
@ -273,10 +275,16 @@ in {

  config = mkIf cfg.enable {

-    # https://github.com/badaix/snapcast/blob/98ac8b2fb7305084376607b59173ce4097c620d8/server/streamreader/stream_manager.cpp#L85
-    warnings = filter (w: w != "") (mapAttrsToList (k: v: if v.type == "spotify" then ''
-      services.snapserver.streams.${k}.type = "spotify" is deprecated, use services.snapserver.streams.${k}.type = "librespot" instead.
-    '' else "") cfg.streams);
+    warnings =
+      # https://github.com/badaix/snapcast/blob/98ac8b2fb7305084376607b59173ce4097c620d8/server/streamreader/stream_manager.cpp#L85
+      filter (w: w != "") (mapAttrsToList (k: v: if v.type == "spotify" then ''
+        services.snapserver.streams.${k}.type = "spotify" is deprecated, use services.snapserver.streams.${k}.type = "librespot" instead.
+      '' else "") cfg.streams)
+      # Remove this warning after NixOS 22.05 is released.
+      ++ optional (options.services.snapserver.openFirewall.highestPrio >= (mkOptionDefault null).priority) ''
+        services.snapserver.openFirewall will no longer default to true starting with NixOS 22.11.
+        Enable it explicitly if you need to control Snapserver remotely.
+      '';

    systemd.services.snapserver = {
      after = [ "network.target" ];
@ -304,8 +312,8 @@ in {

    networking.firewall.allowedTCPPorts =
      optionals cfg.openFirewall [ cfg.port ]
-      ++ optional cfg.tcp.enable cfg.tcp.port
-      ++ optional cfg.http.enable cfg.http.port;
+      ++ optional (cfg.openFirewall && cfg.tcp.enable) cfg.tcp.port
+      ++ optional (cfg.openFirewall && cfg.http.enable) cfg.http.port;
  };

  meta = {
--- a/nixos/tests/snapcast.nix
+++ b/nixos/tests/snapcast.nix
@ -19,6 +19,7 @@ in {
        port = port;
        tcp.port = tcpPort;
        http.port = httpPort;
+        openFirewall = true;
        buffer = bufferSize;
        streams = {
          mpd = {