Monorepo for Tangled tangled.org

nix/modules/knot: make ssh ports configurable #716

closed opened by boltless.me targeting master from push-qrzyzsxkvpwt
Participants 2
AT URI
at://did:plc:xasnlahkri4ewmbuzly2rlc5/sh.tangled.repo.pull/3m3uxsrdnqk22
+9 -2
Diff #0
nix/modules/knot.nix
··· 32 32 description = "User that hosts git repos and performs git operations"; 33 33 }; 34 34 35 + sshPorts = mkOption { 36 + type = types.listOf types.port; 37 + default = [22]; 38 + description = "Specifies ports used for ssh"; 39 + }; 40 + 35 41 openFirewall = mkOption { 36 42 type = types.bool; 37 43 default = true; 38 - description = "Open port 22 in the firewall for ssh"; 44 + description = "Open ssh port in the firewall"; 39 45 }; 40 46 41 47 stateDir = mkOption { ··· 138 144 139 145 services.openssh = { 140 146 enable = true; 147 + ports = cfg.sshPorts; 141 148 extraConfig = '' 142 149 Match User ${cfg.gitUser} 143 150 AuthorizedKeysCommand /etc/ssh/keyfetch_wrapper ··· 206 213 }; 207 214 }; 208 215 209 - networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [22]; 216 + networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall cfg.sshPorts; 210 217 }; 211 218 }
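Review bot: In the options hunk, the reworded `openFirewall` description ("Open ssh port in the firewall") no longer says which ports are opened, while `openFirewall` still defaults to `true`, so every entry in `sshPorts` is exposed without an explicit opt-in. Suggest naming the option in the text, for example "Open the ports listed in sshPorts in the firewall", and having the `sshPorts` description state that it sets the host's `services.openssh.ports`, which applies to the whole sshd and not only to the git user.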
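Review bot: In the `services.openssh` hunk, `ports = cfg.sshPorts;` is defined at normal priority, and NixOS list options merge by concatenation, so a host that already sets `services.openssh.ports` elsewhere ends up with sshd listening on the union of both lists, including the default 22, until `sshPorts` is changed as well. Consider `ports = mkDefault cfg.sshPorts;`, or document that `sshPorts` is the one place to set the ports when this module is enabled.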
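Review bot: In the firewall hunk, `allowedTCPPorts` follows `cfg.sshPorts` rather than the ports sshd actually listens on, so the firewall rule and the daemon can disagree whenever `services.openssh.ports` is also set outside this module. Reading `config.services.openssh.ports` here would keep the opened ports tied to the effective sshd configuration.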

History

3 rounds 4 comments
1 commit
nix/modules/knot: remove firewall settings
3/3 success

if openFirewall is not set to true, this is already configurable is it not?

Well.. it is, but as ssh ports are also configurable and the firewall should follow the correctly configured ssh ports, I think removing the firewall settings will make things simpler. Users can configure their networks on their own.

OK, I'm closing this. The description explicitly states it opens hard-coded port 22, so I think it's fine to leave it not following config.services.openssh.ports.

closed without merging
1 commit
nix/modules/knot: remove firewall settings
3/3 success
boltless.me submitted #0
1 commit
nix/modules/knot: make ssh ports configurable
2/2 success