Discussion from a NixOS issue thread on the firewall and on whether service modules should open their own ports:

W.r.t. implementing other suggestions from here, please open separate issues :-). SSH was an exception for historical reasons (we didn't want to risk locking people out of their machines by blocking port 22), IIRC.

To reproduce, add services.fail2ban.enable = true; to configuration.nix, do the nixos-rebuild dance, and check your firewall chains with iptables -L.

Technical details: system: "x86_64-linux"; experimental-features = nix-command flakes

On 6 May 2017 at 15:27, Roger Qiu wrote:

I believe adding an option to the firewall module that services could then respect would be an ideal solution, as it would allow more flexibility than we currently have.

This would require all services that listen on ports to support this, but I think it would be a phenomenal idea that would make it way easier for people to get started with NixOS.

The option already exists: adding the listen port to networking.firewall.allowed{UDP,TCP}Ports will do.

Right now there are no options specifying whether services should be allowed to configure the firewall.

I originally made this to prevent errors from services starting at the same port, but this could also be extended to support some nice firewall-opening mechanism.

... should enable this itself, so I don't really like this. IMO this would make it a lot more intuitive.

Or we should at least add an option like openInFirewall and probably change that default to false after printing a warning for a while (imho).

Adding an option to the NixOS firewall that would say "Yes, I want services to enable their ports" would allow services to conveniently enable their ports, while giving users the freedom to disable that option and manage all their ports manually.

And we can detect collisions between services.

Related issues and pull requests linked from the thread:
- Automatically open ports for matrix synapse server
- Finer-grained firewall: allow specific hosts, in particular to SSH
- [RFC] Modularize the firewall and nixify the rules
- nixos/firewall: Refactor rpfilter, allow DHCPv4
- Kdeconnect: add sshfs dependency and provide NixOS module
- sshd: provide option to disable firewall altering
- https://github.com/Infinisil/nixpkgs/blob/ports/nixos/modules/config/ports.nix
- Chromecast doesn't work with NixOS firewall enabled
- nixos/sshd: disable openFirewall by default
- add the default value for the firewall to ...

Wiki fragments on the same page (only partial sentences survive):

The following snippet shows how to mount a CIFS (Windows) share in NixOS.

... # to allow user 'guest account' to print.

... can check whether hydra is working in the container by visiting ...

If your firewall is enabled, or if you consider enabling it: ...

nixpkgs includes Samba 4.8-git, which adds support for using shares for Time Machine backups on macOS 10.12+.

Fragments of a post on NixOS flakes (the surrounding sentences are not on the page):

... which is a list of NixOS configuration modules.

... part motivated why we developed flakes: to ...

One big difference between "regular" NixOS systems and flake-based ...

... current host name.

configuration.nix: Let's create a flake that contains the configuration for a NixOS ...

... point to a Git repository), or if it ...

The ability to reproduce a configuration is not very useful if you ...

... running system, you should be able to get back to its ...

Here is a bit of NixOS configuration that pins nixpkgs in ... they were built.

... reproduce in a production environment the exact same configuration ...

It's often convenient to pin the nixpkgs flake to the exact ... a pre-flake NixOS configuration.

In this post, we show how flakes ... message that records the input change.

... updates the nixpkgs input to the latest revision on the ...

... the entire universe should be added to the nixpkgs repository, ...
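The pattern the thread argues about, as an added example that is not code from the issue or from nixpkgs: a hypothetical service module (the name example-daemon, its port, and the 10.0.0.0/24 admin subnet are assumptions) whose openFirewall option defaults to false, so the port is only added to networking.firewall.allowedTCPPorts when the administrator opts in, next to the SSH exception handled the other way round (services.openssh.openFirewall is a real option that defaults to true). The module also shows one form of the collision check mentioned at the end of the thread, as an assertion against the SSH port list.

```nix
# Added example, not from the thread. Hypothetical names: example-daemon,
# its port option, and the 10.0.0.0/24 admin subnet.
{ config, lib, ... }:

{
  imports = [
    # Inline module for the hypothetical service, following the
    # openFirewall convention the discussion proposes.
    ({ config, lib, ... }:
      let
        cfg = config.services.example-daemon;
      in {
        options.services.example-daemon = {
          enable = lib.mkEnableOption "the example daemon";

          port = lib.mkOption {
            type = lib.types.port;
            default = 8080;
            description = "TCP port the daemon listens on.";
          };

          openFirewall = lib.mkOption {
            type = lib.types.bool;
            default = false;   # closed unless the administrator opts in
            description = "Whether to open the daemon's port in the NixOS firewall.";
          };
        };

        config = lib.mkIf cfg.enable {
          # Only touch the firewall when asked to; otherwise the port stays
          # closed and the administrator opens it by hand.
          networking.firewall.allowedTCPPorts = lib.mkIf cfg.openFirewall [ cfg.port ];

          # Collision check: fail evaluation if the daemon would share a
          # port with sshd (services.openssh.ports is the real option).
          assertions = [{
            assertion = !(builtins.elem cfg.port config.services.openssh.ports);
            message = "services.example-daemon.port collides with services.openssh.ports";
          }];
        };
      })
  ];

  networking.firewall.enable = true;

  # SSH is the historical exception: its module opens port 22 by default.
  # Disable that and accept SSH only from an admin subnet instead.
  services.openssh.enable = true;
  services.openssh.openFirewall = false;
  networking.firewall.extraCommands = ''
    iptables -A nixos-fw -p tcp -s 10.0.0.0/24 --dport 22 -j nixos-fw-accept
  '';

  # Opt the hypothetical daemon into the firewall explicitly.
  services.example-daemon = {
    enable = true;
    port = 8080;
    openFirewall = true;
  };
}
```

After nixos-rebuild switch, iptables -L nixos-fw -n should list an ACCEPT rule for tcp dpt:8080 from anywhere and one for dpt:22 restricted to 10.0.0.0/24, and nothing else for port 22. Caveat: extraCommands is specific to the iptables backend; with networking.nftables.enable = true the firewall module rejects a non-empty extraCommands, and the subnet restriction has to be written as an nftables rule instead.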