nixos/sshd: disable openFirewall by default #75454
Previous discussions about this: #19504 (comment) #19504 (comment)
I'm concerned about this because some NixOS systems may be unknowingly relying on the default setting (true) to open the SSH port on the firewall. Personally, I didn't even know this option existed. What about removing the default setting altogether? Wouldn't that cause a build-time failure, forcing the system admin to explicitly set it to true or false? In addition, given the change is not backwards compatible, I think it should be documented in the release notes.
Consensus up to now was that sshd was the only exception allowed to open a firewall port automatically. If we were to disable that, I'm sure we would receive another PR to re-enable it pretty quickly. Instead, maybe there is some doc to enhance to emphasize that the first thing a concerned admin should do after a NixOS install is to look at and review the sshd config.
@@ -160,7 +160,7 @@ in | |||
|
|||
openFirewall = mkOption { | |||
type = types.bool; | |||
default = true; | |||
default = false; |
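Review bot: flipping `default = true;` to `default = false;` on `openFirewall` changes behaviour for every existing configuration that never set the option explicitly. Such a host drops its SSH firewall rule on the next rebuild, with no evaluation error or warning, which on a remote machine means losing access. Nothing in this hunk limits the new default to new installs or tells the admin about it. I'd suggest gating the new value on the system's stateVersion, or emitting a warning when the option is left at its default, and adding a release-notes entry for the incompatible change.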
In this particular case I don't believe the default should change but if it changes anyway then it should be for stateVersion ≥ 20.03 only.
I've made the change anyway.
👎 - As already stated we had these discussions in the past and we are (AFAIK) fine with having an open tcp/22 port for UX reasons.
Understandable. But I'd rather vote for adding either a warning (if only the default value is set) or to mention this in the manual at a more "prominent" position.
Full ack! I already found several corner cases that caused me to lock myself out of a remote NixOS. By disabling an open
In case there are more folks in favor of dropping that default, I'd be fine with this solution.
As discussed a number of times in the past this is on purpose. Some suggestions about throwing a warning seem like a good idea. Maybe forcing users to choose a value for What do you think @edolstra?
Motivation for this change
Please follow up to #81490