From 17a46028b978a68ed613716fbe0daaab71d311ac Mon Sep 17 00:00:00 2001 From: Vivek Date: Wed, 4 Sep 2024 20:02:22 -0700 Subject: [PATCH] nixos/endlessh-go: fix firewall bugs this change fixes 2 major bugs in the endlessh-go service's firewall options: 1. prometheus port unexpectedly allowed through firewall (services.endlessh-go.openFirewall) the description of the option is "Whether to open a firewall port for the SSH listener." however as we can see, both the ssh listener AND the prometheus listener have their ports opened. this is especially troublesome because endlessh-go (i guess as an artifact of being developed for docker) defaults the prometheus listener to 0.0.0.0. 2. the prometheus port unexpectedly allowed through firewall when prometheus is disabled (services.endlessh-go.prometheus.enable) even when prometheus is disabled, its port is allowed through the firewall --- nixos/modules/services/security/endlessh-go.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nixos/modules/services/security/endlessh-go.nix b/nixos/modules/services/security/endlessh-go.nix index 480bfc8cb9ef..20c3a3da4112 100644 --- a/nixos/modules/services/security/endlessh-go.nix +++ b/nixos/modules/services/security/endlessh-go.nix @@ -131,7 +131,7 @@ in }; networking.firewall.allowedTCPPorts = with cfg; - optionals openFirewall [ port prometheus.port ]; + optionals openFirewall [ port ]; }; meta.maintainers = with maintainers; [ azahi ];
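Review bot: the change in the `allowedTCPPorts` hunk is a behaviour break for anyone running with `prometheus.enable = true` and `openFirewall = true` who scrapes metrics from another host, since `prometheus.port` is dropped from the list unconditionally rather than only when Prometheus is disabled; the commit message frames bug 2 as "opened even when prometheus is disabled", so either the fix should be described as "never opens the Prometheus port" in a release-notes entry and in the `openFirewall` option description (e.g. "The Prometheus metrics port is not opened; add it to `networking.firewall.allowedTCPPorts` yourself if you scrape remotely"), or the hunk should keep `optional prometheus.enable prometheus.port` behind a dedicated option. Given that the message notes the Prometheus listener defaults to `0.0.0.0`, a follow-up that defaults the module's listen address to loopback would close the remaining exposure for users who do add the port back.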