nixos/unifi: add deprecation warning for openPorts

modules are discouraged from opening ports in the firewall unless
explicitly told to do so. add a deprecation notice for this in unifi.

nixos/doc/manual/from_md/release-notes/rl-2205.section.xml

@@ -159,6 +159,14 @@
           compatibilty, but will be removed at a later date.
         </para>
       </listitem>
+      <listitem>
+        <para>
+          The <literal>services.unifi.openPorts</literal> option default
+          value of <literal>true</literal> is now deprecated and will be
+          changed to <literal>false</literal> in 22.11. Configurations
+          using this default will print a warning when rebuilt.
+        </para>
+      </listitem>
     </itemizedlist>
   </section>
 </section>

nixos/doc/manual/release-notes/rl-2205.section.md

@@ -65,3 +65,6 @@ In addition to numerous new and upgraded packages, this release has the followin
   `influxdb2-cli`, matching the split that took place upstream. A
   combined `influxdb2` package is still provided in this release for
   backwards compatibilty, but will be removed at a later date.
+
+- The `services.unifi.openPorts` option default value of `true` is now deprecated and will be changed to `false` in 22.11.
+  Configurations using this default will print a warning when rebuilt.

nixos/modules/services/networking/unifi.nix

@@ -1,4 +1,4 @@
-{ config, lib, pkgs, utils, ... }:
+{ config, options, lib, pkgs, utils, ... }:
 with lib;
 let
   cfg = config.services.unifi;
@@ -86,6 +86,10 @@ in
 
   config = mkIf cfg.enable {
 
+    warnings = optional
+      (options.services.unifi.openPorts.highestPrio >= (mkOptionDefault null).priority)
+      "The current services.unifi.openPorts = true default is deprecated and will change to false in 22.11. Set it explicitly to silence this warning.";
+
     users.users.unifi = {
       isSystemUser = true;
       group = "unifi";