mediatomb/gerbera: Improve firewall rules and open firewall option

This changes the default behavior which opened by default the firewall rules. The users now need to declare explicitely they want to open the firewall.
4 years ago · 3248506a00
parent 9fdd11c6a8
commit 3248506a00
2 changed files with 29 additions and 9 deletions
--- a/nixos/modules/services/misc/mediatomb.nix
+++ b/nixos/modules/services/misc/mediatomb.nix
@ -182,6 +182,13 @@ let
    ${transcodingConfig}
  </config>
 '';
+  defaultFirewallRules = {
+    # udp 1900 port needs to be opened for SSDP (not configurable within
+    # mediatomb/gerbera) cf.
+    # http://docs.gerbera.io/en/latest/run.html?highlight=udp%20port#network-setup
+    allowedUDPPorts = [ 1900 cfg.port ];
+    allowedTCPPorts = [ cfg.port ];
+  };

 in {

@ -294,6 +301,18 @@ in {
        '';
      };

+      openFirewall = mkOption {
+        type = types.bool;
+        default = false;
+        description = ''
+          If false (the default), this is up to the user to declare the firewall rules.
+          If true, this opens the 1900 (tcp and udp) and ${toString cfg.port} (tcp) ports.
+          If the option cfg.interface is set, the firewall rules opened are
+          dedicated to that interface. Otherwise, those rules are opened
+          globally.
+        '';
+      };
+
      uuid = mkOption {
        type = types.str;
        default = "fdfc8a4e-a3ad-4c1d-b43d-a2eedb03a687";
@ -324,6 +343,7 @@ in {
          ${cfg.dataDir}/config.xml. It's up to the user to make a correct configuration file.
        '';
      };
+
    };
  };

@ -356,9 +376,12 @@ in {
      };
    };

-    networking.firewall.interfaces."${cfg.interface}" = {
-      allowedUDPPorts = [ 1900 cfg.port ];
-      allowedTCPPorts = [ cfg.port ];
-    };
+    # Open firewall only if users enable it
+    networking.firewall = mkMerge [
+      (mkIf (cfg.openFirewall && cfg.interface != "") {
+        interfaces."${cfg.interface}" = defaultFirewallRules;
+      })
+      (mkIf (cfg.openFirewall && cfg.interface == "") defaultFirewallRules)
+    ];
  };
 }
--- a/nixos/tests/mediatomb.nix
+++ b/nixos/tests/mediatomb.nix
@ -14,15 +14,12 @@ import ./make-test-python.nix ({ pkgs, ... }:
          serverName = "Gerbera";
          package = pkgs.gerbera;
          interface = "eth1";  # accessible from test
+          openFirewall = true;
          mediaDirectories = [
            { path = "/var/lib/gerbera/pictures"; recursive = false; hidden-files = false; }
            { path = "/var/lib/gerbera/audio"; recursive = true; hidden-files = false; }
          ];
        };
-        networking.firewall = {
-          allowedUDPPorts = [ 1900 port ];
-          allowedTCPPorts = [ port ];
-        };
      };

    serverMediatomb =
@ -41,7 +38,7 @@ import ./make-test-python.nix ({ pkgs, ... }:
            { path = "/var/lib/mediatomb/audio"; recursive = true; hidden-files = false; }
          ];
        };
-        networking.firewall = {
+        networking.firewall.interfaces.eth1 = {
          allowedUDPPorts = [ 1900 port ];
          allowedTCPPorts = [ port ];
        };