From c5c92feff79f44c85b4ed00cbc6a3e1e84840d5e Mon Sep 17 00:00:00 2001
From: Jakob Klepp
Date: Thu, 18 Jul 2024 14:29:06 +0200
Subject: [PATCH] nixos/oci-containers: document firewall bypass

Add explanation about the security impact of the ports option. Provide a safer example.
The problem is discussed in greater depth here: https://github.com/NixOS/nixpkgs/issues/111852
---
 nixos/modules/virtualisation/oci-containers.nix | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/nixos/modules/virtualisation/oci-containers.nix b/nixos/modules/virtualisation/oci-containers.nix
index f4fa93423179..5494b9ecf0f6 100644
--- a/nixos/modules/virtualisation/oci-containers.nix
+++ b/nixos/modules/virtualisation/oci-containers.nix
@@ -148,12 +148,17 @@ let
 somewhere within the specified `hostPort` range.
 Example: `1234-1236:1234/tcp`
 
+ Publishing a port bypasses the NixOS firewall. If the port is not
+ supposed to be shared on the network, make sure to publish the
+ port to localhost.
+ Example: `127.0.0.1:1234:1234`
+
 Refer to the
 [Docker engine documentation](https://docs.docker.com/engine/reference/run/#expose-incoming-ports) for full details.
 '';
 example = literalExpression ''
 [
- "8080:9000"
+ "127.0.0.1:8080:9000"
 ]
 '';
 };
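Review bot: The added paragraph says the port "bypasses the NixOS firewall" but does not say why or what that means for the user's other settings, and the loopback advice only covers IPv4; a reader who has set `networking.firewall.allowedTCPPorts` and expects it to gate the container will be misled, and one whose daemon has IPv6 enabled may still publish on `::` unless an address is given. I would phrase it as: `Publishing a port makes it reachable from the network regardless of \`networking.firewall\` settings, because the container runtime installs its own NAT/forwarding rules that are evaluated before the NixOS firewall chains. If the port is not meant to be exposed, bind it to a loopback address, e.g. \`127.0.0.1:1234:1234\` (or \`[::1]:1234:1234\` for IPv6), and front it with a reverse proxy on the host if remote access is needed.` This wording is accurate for the Docker backend; if this module also drives podman, the mechanism may differ and the sentence should be hedged or checked against that backend. The enclosing `ports` option definition starts before the hunk, so I cannot see whether the surrounding text already covers the backend distinction.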