diff --git a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml
index c2cc42b708ff..5598709d59ae 100644
--- a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml
+++ b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml
@@ -1043,6 +1043,14 @@
admin and password.
+
+
+ The taskserver module no longer implicitly
+ opens ports in the firewall configuration. This is now
+ controlled through the option
+ services.taskserver.openFirewall.
+
+
The autorestic package has been upgraded
diff --git a/nixos/doc/manual/release-notes/rl-2205.section.md b/nixos/doc/manual/release-notes/rl-2205.section.md
index 530a73941391..7373a5f4875d 100644
--- a/nixos/doc/manual/release-notes/rl-2205.section.md
+++ b/nixos/doc/manual/release-notes/rl-2205.section.md
@@ -443,6 +443,10 @@ In addition to numerous new and upgraded packages, this release has the followin
- `services.miniflux.adminCredentialFiles` is now required, instead of defaulting to `admin` and `password`.
+- The `taskserver` module no longer implicitly opens ports in the firewall
+ configuration. This is now controlled through the option
+ `services.taskserver.openFirewall`.
+
- The `autorestic` package has been upgraded from 1.3.0 to 1.5.0 which introduces breaking changes in config file, check [their migration guide](https://autorestic.vercel.app/migration/1.4_1.5) for more details.
- For `pkgs.python3.pkgs.ipython`, its direct dependency `pkgs.python3.pkgs.matplotlib-inline`
diff --git a/nixos/modules/services/misc/taskserver/default.nix b/nixos/modules/services/misc/taskserver/default.nix
index ff63c41e193c..e20804929981 100644
--- a/nixos/modules/services/misc/taskserver/default.nix
+++ b/nixos/modules/services/misc/taskserver/default.nix
@@ -106,7 +106,7 @@ let
certtool = "${pkgs.gnutls.bin}/bin/certtool";
- nixos-taskserver = with pkgs.python2.pkgs; buildPythonApplication {
+ nixos-taskserver = with pkgs.python3.pkgs; buildPythonApplication {
name = "nixos-taskserver";
src = pkgs.runCommand "nixos-taskserver-src" { preferLocalBuild = true; } ''
@@ -277,10 +277,6 @@ in {
example = "::";
description = ''
The address (IPv4, IPv6 or DNS) to listen on.
-
- If the value is something else than localhost the
- port defined by is automatically added to
- .
'';
};
@@ -292,6 +288,14 @@ in {
'';
};
+ openFirewall = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ Whether to open the firewall for the specified Taskserver port.
+ '';
+ };
+
fqdn = mkOption {
type = types.str;
default = "localhost";
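Review bot: The new `openFirewall` description does not say which port or protocol is opened. The last hunk of this file shows the option adding `cfg.listenPort` to `networking.firewall.allowedTCPPorts`, which is not scoped to an interface. The description could therefore read `Whether to open the TCP port given by services.taskserver.listenPort in the firewall on all interfaces.` The option sits in an options block that starts and ends outside the hunk.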
@@ -560,7 +564,7 @@ in {
'';
};
})
- (mkIf (cfg.enable && cfg.listenHost != "localhost") {
+ (mkIf (cfg.enable && cfg.openFirewall) {
networking.firewall.allowedTCPPorts = [ cfg.listenPort ];
})
];
diff --git a/nixos/modules/services/misc/taskserver/helper-tool.py b/nixos/modules/services/misc/taskserver/helper-tool.py
index 22a3d8d5311b..fec05728b2b6 100644
--- a/nixos/modules/services/misc/taskserver/helper-tool.py
+++ b/nixos/modules/services/misc/taskserver/helper-tool.py
@@ -90,7 +90,7 @@ def certtool_cmd(*args, **kwargs):
"""
return subprocess.check_output(
[CERTTOOL_COMMAND] + list(args),
- preexec_fn=lambda: os.umask(0077),
+ preexec_fn=lambda: os.umask(0o077),
stderr=subprocess.STDOUT,
**kwargs
)
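Review bot: `preexec_fn` is used here only to set the umask for certtool, and the Python documentation warns that `preexec_fn` is not safe when the process has threads. Now that the tool is built with Python 3, the call could pass `umask=0o077` to `subprocess.check_output` instead of `preexec_fn=lambda: os.umask(0o077)`. That parameter needs Python 3.9 or newer, and the interpreter version is not visible in this diff. certtool_cmd starts outside the hunk.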
@@ -164,7 +164,7 @@ def generate_key(org, user):
pubcert = os.path.join(basedir, "public.cert")
try:
- os.makedirs(basedir, mode=0700)
+ os.makedirs(basedir, mode=0o700)
certtool_cmd("-p", "--bits", CERT_BITS, "--outfile", privkey)
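Review bot: `os.makedirs(basedir, mode=0o700)` behaves differently after the move to Python 3. Since 3.7 the mode applies only to the final directory, and any intermediate directories it creates get the default mode under the process umask. If basedir's parents may not exist yet (its construction is outside the hunk), the directories above the private key can end up group- or world-accessible where Python 2 created them 0700. Setting the umask around the call, `old = os.umask(0o077)` before and `os.umask(old)` in a `finally`, keeps the earlier permissions. The `try:` and the rest of generate_key continue outside the hunk.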
@@ -301,7 +301,7 @@ class Organisation(object):
return None
if name not in self.users.keys():
output = taskd_cmd("add", "user", self.name, name,
- capture_stdout=True)
+ capture_stdout=True, encoding='utf-8')
key = RE_USERKEY.search(output)
if key is None:
msg = "Unable to find key while creating user {}."
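Review bot: The decode to text is fixed at this one call site with `encoding='utf-8'` rather than in the helper, so other `taskd_cmd(..., capture_stdout=True)` callers may still receive bytes under Python 3. `certtool_cmd` in the first hunk of this file likewise calls `subprocess.check_output` without an encoding and returns bytes unless a caller supplies one through `**kwargs`. If taskd_cmd forwards its keyword arguments to subprocess (its body is not in this diff), setting the encoding inside the helper would keep all callers consistent. The method containing this hunk starts and ends outside it.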
@@ -412,9 +412,9 @@ class Manager(object):
if org is not None:
if self.ignore_imperative and is_imperative(name):
return
- for user in org.users.keys():
+ for user in list(org.users.keys()):
org.del_user(user)
- for group in org.groups.keys():
+ for group in list(org.groups.keys()):
org.del_group(group)
taskd_cmd("remove", "org", name)
del self._lazy_orgs[name]
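Review bot: The two `list(...)` copies carry no comment saying why they are needed, so a later cleanup could remove them as redundant. Presumably `del_user` and `del_group` delete from `org.users` and `org.groups` (their bodies are outside the hunk), which raises RuntimeError in Python 3 when done while iterating the live keys view. A comment such as `# copy the keys: del_user() removes entries while we iterate` above the first loop would record that. `list(org.users)` is the shorter equivalent of `list(org.users.keys())`. The enclosing method starts outside the hunk.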
diff --git a/nixos/tests/taskserver.nix b/nixos/tests/taskserver.nix
index f34782c7059a..b2bd421e231f 100644
--- a/nixos/tests/taskserver.nix
+++ b/nixos/tests/taskserver.nix
@@ -63,6 +63,7 @@ in {
server = {
services.taskserver.enable = true;
services.taskserver.listenHost = "::";
+ services.taskserver.openFirewall = true;
services.taskserver.fqdn = "server";
services.taskserver.organisations = {
testOrganisation.users = [ "alice" "foo" ];
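Review bot: The test now sets `services.taskserver.openFirewall = true` and so only exercises the opened case. Nothing visible here checks that the port stays closed with `listenHost = "::"` and the new default of `false`, which is the behaviour this change introduces. A second node or subtest that leaves the option unset and asserts that a client connection to the Taskserver port fails would cover it. The server definition and the test script continue outside the hunk.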