From ce0954020c71007b7a9ec2822949d31f18aea170 Mon Sep 17 00:00:00 2001
From: aszlig
Date: Tue, 12 Apr 2016 05:13:04 +0200
Subject: [PATCH] nixos/taskserver: Set allowedTCPPorts accordingly
As suggested by @matthiasbeyer: "We might add a short note that this port has to be opened in the firewall, or is this done by the service automatically?" This commit now adds the listenPort to networking.firewall.allowedTCPPorts as soon as the listenHost is not "localhost". In addition to that, this is now also documented in the listenHost option declaration and I have removed disabling of the firewall from the VM test.
Signed-off-by: aszlig
---
 nixos/modules/services/misc/taskserver/default.nix | 8 ++++++++
 nixos/tests/taskserver.nix | 2 --
 2 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/nixos/modules/services/misc/taskserver/default.nix b/nixos/modules/services/misc/taskserver/default.nix
index 520a9c2ee1e..8054dbe9f66 100644
--- a/nixos/modules/services/misc/taskserver/default.nix
+++ b/nixos/modules/services/misc/taskserver/default.nix
@@ -324,8 +324,13 @@ in {
 listenHost = mkOption {
 type = types.str;
 default = "localhost";
+ example = "::";
 description = ''
 The address (IPv4, IPv6 or DNS) to listen on.
+
+ If the value is something else than localhost the
+ port defined by is automatically added to
+ .
 '';
 };
@@ -519,6 +524,9 @@ in {
 '';
 };
 })
+ (mkIf (cfg.listenHost != "localhost") {
+ networking.firewall.allowedTCPPorts = [ cfg.listenPort ];
+ })
 { meta.doc = ./taskserver.xml; }
 ];
 }
diff --git a/nixos/tests/taskserver.nix b/nixos/tests/taskserver.nix
index 79a7703f037..0521f97431b 100644
--- a/nixos/tests/taskserver.nix
+++ b/nixos/tests/taskserver.nix
@@ -3,7 +3,6 @@ import ./make-test.nix {
 nodes = rec {
 server = {
- networking.firewall.enable = false;
 services.taskserver.enable = true;
 services.taskserver.listenHost = "::";
 services.taskserver.fqdn = "server";
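Review bot: The new `mkIf` in the second default.nix hunk (`@@ -519,6 +524,9 @@`) tests only `cfg.listenHost != "localhost"`, so as far as the hunk shows the port is added to `networking.firewall.allowedTCPPorts` even when `services.taskserver.enable` is false; the guard should read `(mkIf (cfg.enable && cfg.listenHost != "localhost") {`. The comparison is also a literal string match, so loopback spellings such as `127.0.0.1` or `::1` open the port although the service would only be reachable locally, and the opened port applies to every interface rather than only the one `listenHost` binds to. The option description in the first hunk should state both points, or the firewall change should sit behind an explicit opt-in option. The enclosing list starts outside the hunk, so an outer `cfg.enable` guard cannot be ruled out from here.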
@@ -14,7 +13,6 @@ import ./make-test.nix {
 };
 client1 = { pkgs, ... }: {
- networking.firewall.enable = false;
 environment.systemPackages = [ pkgs.taskwarrior pkgs.gnutls ];
 users.users.alice.isNormalUser = true;
 users.users.bob.isNormalUser = true;