Monorepo for Tangled tangled.org

nix/modules/knot: make ssh ports configurable #716

closed opened by boltless.me targeting master from push-qrzyzsxkvpwt

Participants 2
AT URI
at://did:plc:xasnlahkri4ewmbuzly2rlc5/sh.tangled.repo.pull/3m3uxsrdnqk22
-15
Interdiff #0 → #1
-15
nix/modules/knot.nix
··· 32 32 description = "User that hosts git repos and performs git operations"; 33 33 }; 34 34 35 - sshPorts = mkOption { 36 - type = types.listOf types.port; 37 - default = [22]; 38 - description = "Specifies ports used for ssh"; 39 - }; 40 - 41 - openFirewall = mkOption { 42 - type = types.bool; 43 - default = true; 44 - description = "Open ssh port in the firewall"; 45 - }; 46 - 47 35 stateDir = mkOption { 48 36 type = types.path; 49 37 default = "/home/${cfg.gitUser}"; ··· 144 132 145 133 services.openssh = { 146 134 enable = true; 147 - ports = cfg.sshPorts; 148 135 extraConfig = '' 149 136 Match User ${cfg.gitUser} 150 137 AuthorizedKeysCommand /etc/ssh/keyfetch_wrapper ··· 212 199 Restart = "always"; 213 200 }; 214 201 }; 215 - 216 - networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall cfg.sshPorts; 217 202 }; 218 203 }
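Review bot: The first hunk deletes the `sshPorts` and `openFirewall` option declarations outright, so any configuration that still sets either one will stop evaluating with a "does not exist" option error. If these options were ever available to users, leave a `mkRemovedOptionModule` entry for each (or at least a changelog line) that points operators to `services.openssh.ports` and `networking.firewall.allowedTCPPorts`.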
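Review bot: Missing documentation for the last hunk: once `networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall cfg.sshPorts;` is gone, nothing in the module says which setting controls exposure of the SSH port that the `Match User ${cfg.gitUser}` block depends on, while `services.openssh.enable = true` is still forced in the middle hunk. Add a sentence to the module description stating that the listening port and its firewall rule are now left entirely to the host's own `services.openssh` and `networking.firewall` configuration, so operators can audit what is reachable.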

History

3 rounds 4 comments
1 commit
nix/modules/knot: remove firewall settings
3/3 success

If openFirewall is not set to true, this is already configurable, is it not?

Well... it is, but as ssh ports are also configurable and the firewall should follow the correct configured ssh ports, I think removing the firewall settings will make things simpler. Users can configure their networks on their own.

OK, I'm closing this. The description explicitly states it opens hard-coded port 22, so I think it's fine to leave it not following config.services.openssh.ports.

closed without merging
1 commit
nix/modules/knot: remove firewall settings
3/3 success
1 commit
nix/modules/knot: make ssh ports configurable
2/2 success