nixos/vaultwarden: Bind to localhost by default. See #100192
nh2 committed Jul 1, 2023
1 parent 01e209a commit 080757c
Showing 2 changed files with 8 additions and 1 deletion.
2 changes: 2 additions & 0 deletions nixos/doc/manual/release-notes/rl-2311.section.md
Expand Up @@ -54,6 +54,8 @@

- `fileSystems.<name>.autoResize` now uses `systemd-growfs` to resize the file system online in stage 2. This means that `f2fs` and `ext2` can no longer be auto resized, while `xfs` and `btrfs` now can be.

- The `services.vaultwarden.config` option default value was changed to make Vaultwarden only listen on localhost, following the [secure defaults for most NixOS services](https://github.com/NixOS/nixpkgs/issues/100192).

- `services.lemmy.settings.federation` was removed in 0.17.0 and no longer has any effect. To enable federation, the hostname must be set in the configuration file and then federation must be enabled in the admin web UI. See the [release notes](https://github.com/LemmyNet/lemmy/blob/c32585b03429f0f76d1e4ff738786321a0a9df98/RELEASES.md#upgrade-instructions) for more details.

- The following packages in `haskellPackages` have now a separate bin output: `cabal-fmt`, `calligraphy`, `eventlog2html`, `ghc-debug-brick`, `hindent`, `nixfmt`, `releaser`. This means you need to replace e.g. `"${pkgs.haskellPackages.nixfmt}/bin/nixfmt"` with `"${lib.getBin pkgs.haskellPackages.nixfmt}/bin/nixfmt"` or `"${lib.getExe pkgs.haskellPackages.nixfmt}"`. The binaries also won’t be in scope if you rely on them being installed e.g. via `ghcWithPackages`. `environment.packages` picks the `bin` output automatically, so for normal installation no intervention is required. Also, toplevel attributes like `pkgs.nixfmt` are not impacted negatively by this change.
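
Review bot: The new `services.vaultwarden.config` entry states that the default changed but not what it changed to or what an affected user has to do. Consider naming the new values (`ROCKET_ADDRESS = "::1"`, `ROCKET_PORT = 8222`) and saying that deployments which reached Vaultwarden directly on a non-loopback address, rather than through a local reverse proxy, now have to set `ROCKET_ADDRESS` themselves.
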
7 changes: 6 additions & 1 deletion nixos/modules/services/security/vaultwarden/default.nix
Expand Up @@ -59,7 +59,12 @@ in {

config = mkOption {
type = attrsOf (nullOr (oneOf [ bool int str ]));
default = {};
default = {
config = {
ROCKET_ADDRESS = "::1"; # default to localhost
ROCKET_PORT = 8222;
};
};
example = literalExpression ''
{
DOMAIN = "https://bitwarden.example.com";
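
Review bot: The added `default` wraps the two settings in an extra `config = { ... };` attribute, so the default for `services.vaultwarden.config` becomes an attribute set with a single key `config` whose value is itself an attribute set; that does not fit the declared type `attrsOf (nullOr (oneOf [ bool int str ]))`, which only admits null, bool, int or str values. Put `ROCKET_ADDRESS` and `ROCKET_PORT` directly inside `default = { ... };`. Separately, `"::1"` is the IPv6 loopback only while the inline comment says "localhost"; a reverse proxy pointed at `127.0.0.1` would not connect, so the comment and the release note should say IPv6 loopback explicitly.
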

2 comments on commit 080757c

@charmoniumQ
Contributor


I think this commit causes the following error:

       error: A definition for option `services.vaultwarden.config.config' is not of type `null or boolean or signed integer or string'. Definition values:
       - In `/nix/store/rh9r2vzd2v4q5fz7dqp8vyp44dan6r7n-source/nixos/modules/services/security/vaultwarden/default.nix':
           {
             ROCKET_ADDRESS = "::1";
             ROCKET_PORT = 8222;
           }

Perhaps we should change:

    config = mkOption {
      type = attrsOf (nullOr (oneOf [ bool int str ]));
      default = {
-        config = {
-          ROCKET_ADDRESS = "::1"; # default to localhost
-          ROCKET_PORT = 8222;
-        };
+        ROCKET_ADDRESS = "::1"; # default to localhost
+        ROCKET_PORT = 8222;
      };
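
Review bot: The flattened `default = { ROCKET_ADDRESS = ...; ROCKET_PORT = ...; }` still only takes effect when a configuration defines nothing under `services.vaultwarden.config`. An option's `default` is dropped as a whole once any definition exists, so a user who sets only `DOMAIN`, as in the option's own `example`, gets neither key and Vaultwarden falls back to its built-in listen address. If the localhost binding is meant to hold in that case too, define the two keys with `mkDefault` in the module's `config` section, or state the limitation in the option description.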

@nh2
Contributor Author

@nh2 nh2 commented on 080757c Sep 18, 2023


@charmoniumQ Thanks for noticing, I opened PR #255977 to fix it.
