authorNiklas Hambüchen <mail@nh2.me>2017-05-07 00:32:41 +0200
committerNiklas Hambüchen <mail@nh2.me>2017-09-27 19:51:42 +0200
commitbd54b72676893d1519b217b23b3b868c8421d04a (patch)
tree3579f9524d4a9bd8804bca0f457db09202c77068 /nixos/modules/services/network-filesystems
parent5e2815dfb733ea042cd64188cd91158356ca1a11 (diff)
glusterfs service: Add settings to disable rpcbind and the events daemon.
See also https://github.com/NixOS/nixpkgs/pull/22225#pullrequestreview-26459886
Diffstat (limited to 'nixos/modules/services/network-filesystems')
-rw-r--r--nixos/modules/services/network-filesystems/glusterfs.nix27
1 files changed, 23 insertions, 4 deletions
diff --git a/nixos/modules/services/network-filesystems/glusterfs.nix b/nixos/modules/services/network-filesystems/glusterfs.nix
index 518ae74ee5ab..a697bb25da51 100644
--- a/nixos/modules/services/network-filesystems/glusterfs.nix
+++ b/nixos/modules/services/network-filesystems/glusterfs.nix
@@ -41,6 +41,25 @@ in
         default = "INFO";
       };
 
+      useRpcbind = mkOption {
+        type = types.bool;
+        description = ''
+          Enable use of rpcbind. This is required for Gluster's NFS functionality.
+
+          You may want to turn it off to reduce the attack surface for DDoS reflection attacks.
+
+          See https://davelozier.com/glusterfs-and-rpcbind-portmap-ddos-reflection-attacks/
+          and https://bugzilla.redhat.com/show_bug.cgi?id=1426842 for details.
+        '';
+        default = true;
+      };
+
+      enableGlustereventsd = mkOption {
+        type = types.bool;
+        description = "Whether to enable the GlusterFS Events Daemon";
+        default = true;
+      };
+
       extraFlags = mkOption {
         type = types.listOf types.str;
         description = "Extra flags passed to the GlusterFS daemon";
@@ -89,7 +108,7 @@ in
   config = mkIf cfg.enable {
     environment.systemPackages = [ pkgs.glusterfs ];
 
-    services.rpcbind.enable = true;
+    services.rpcbind.enable = cfg.useRpcbind;
 
     environment.etc = mkIf (cfg.tlsSettings != null) {
       "ssl/glusterfs.pem".source = cfg.tlsSettings.tlsPem;
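Review bot: `services.rpcbind.enable = cfg.useRpcbind;` still produces a definition of the option when `useRpcbind` is false, so the "turn rpcbind off" setting this commit introduces can collide with any other module that sets `services.rpcbind.enable = true` (an NFS server module, for instance); as far as I recall `types.bool` merges with an equality merge, so that combination would surface as conflicting definitions rather than as rpcbind simply staying on. The intent here is only to require rpcbind when the Gluster module needs it, which is expressed by defining the option conditionally instead of assigning the bool: `services.rpcbind.enable = mkIf cfg.useRpcbind true;`. That keeps the attack-surface reduction the option is meant to offer while leaving other modules free to enable rpcbind for their own reasons.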
@@ -104,8 +123,8 @@ in
 
       wantedBy = [ "multi-user.target" ];
 
-      requires = [ "rpcbind.service" ];
-      after = [ "rpcbind.service" "network.target" "local-fs.target" ];
+      requires = lib.optional cfg.useRpcbind "rpcbind.service";
+      after = [ "network.target" "local-fs.target" ] ++ lib.optional cfg.useRpcbind [ "rpcbind.service" ];
 
       preStart = ''
         install -m 0755 -d /var/log/glusterfs
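Review bot: The new `after` line wraps the unit name in a list but passes it to `lib.optional`, which already wraps its argument: `lib.optional cfg.useRpcbind [ "rpcbind.service" ]` evaluates to `[ [ "rpcbind.service" ] ]`, so `after` becomes a nested list whenever `useRpcbind` is true and the unit's list-of-strings type check should reject it. The `requires` line directly above uses `lib.optional` correctly with a bare string; the `after` line should match it: `after = [ "network.target" "local-fs.target" ] ++ lib.optional cfg.useRpcbind "rpcbind.service";` (or `lib.optionals ... [ "rpcbind.service" ]` if the list form is preferred). Since `useRpcbind` defaults to true, this affects the default configuration, not just the opt-out. The `preStart` script continues past the end of this hunk.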
@@ -133,7 +152,7 @@ in
       };
     };
 
-    systemd.services.glustereventsd = {
+    systemd.services.glustereventsd = mkIf cfg.enableGlustereventsd {
       inherit restartTriggers;
 
       description = "Gluster Events Notifier";