Open lunik1 opened 2 years ago
I think the evaluation warning makes the most sense, but it should mention some kind of deprecation window, so it can be removed in a year or so. Would be happy to review such a PR for services/networking/unifi.nix, but I'm afraid I have no time currently to implement it myself.
I agree with a deprecation warning, but we should also put it into the release notes. I'll try to fix snapcast by the end of the year.
Pings for the remaining modules based off git blame, sorry if it should have been somebody else! @WilliButz (avahi) @illustris (hdfs).
Based on discussions here and on Matrix we are leaning towards warning in 22.05 if not explicitly set and changing the default to false in 22.11.
In the case of Hadoop, any deployment would need multiple nodes communicating with each other by default. Although I do agree with printing a warning at evaluation, as this behavior goes against the convention.
I'm working on adding more features to the hadoop module. I should be done with those in about a month. I'll add the firewall warning and a few other minor changes along with that PR.
Issue description
Certain NixOS modules open firewall ports by default. According to the Nixpkgs manual this is not desired behaviour, with an exception for sshd https://github.com/NixOS/nixpkgs/pull/75454#issuecomment-564573908.
This could break existing setups, so I would be interested to hear from maintainers what the best mitigations would be e.g.
open{Ports|Firewall} is not explicitly set for these services
stateVersion check
Known offending modules:
Notify Maintainers
@erictapen @pennae (unifi) @rsynnest (unifi-video) @tobim (snapserver)
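The approach the thread converges on (keep the old default for one release, warn at evaluation when the option was not set explicitly, then flip the default to false) can be sketched as a NixOS module. This is an added example, not code from nixpkgs or from any commenter; the module name `services.example` and its port are hypothetical, and the priority comparison is one way to detect that only the option's declared default is in effect.

```nix
# Hypothetical module "services.example"; only the openFirewall option name
# and the 22.05/22.11 timeline come from the discussion above.
{ config, lib, options, ... }:

let
  cfg = config.services.example;

  # A declared `default` has mkOptionDefault priority. If no definition has a
  # stronger (numerically lower) priority, the user never set the option.
  usesDefault =
    options.services.example.openFirewall.highestPrio
      >= (lib.mkOptionDefault null).priority;
in
{
  options.services.example = {
    enable = lib.mkEnableOption "the example service";

    port = lib.mkOption {
      type = lib.types.port;
      default = 8080; # constructed value
      description = "TCP port the service listens on.";
    };

    openFirewall = lib.mkOption {
      type = lib.types.bool;
      default = true; # legacy default, kept during the deprecation window
      description = "Whether to open the service port in the firewall.";
    };
  };

  config = lib.mkIf cfg.enable {
    # Evaluation warning shown only while the implicit default is in use.
    warnings = lib.optional usesDefault ''
      services.example.openFirewall currently defaults to true. The default
      will change to false in 22.11; set it explicitly to silence this warning.
    '';

    # The port is opened only when the (explicit or default) value is true.
    networking.firewall.allowedTCPPorts =
      lib.optional cfg.openFirewall cfg.port;
  };
}
```

Setting `services.example.openFirewall` to either value in a configuration silences the warning, so existing deployments keep working while operators make the exposure decision explicit before the default changes.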