diff options
| -rw-r--r-- | nixos/modules/services/network-filesystems/glusterfs.nix | 27 |
1 files changed, 23 insertions, 4 deletions
diff --git a/nixos/modules/services/network-filesystems/glusterfs.nix b/nixos/modules/services/network-filesystems/glusterfs.nix index 518ae74ee5ab..a697bb25da51 100644 --- a/nixos/modules/services/network-filesystems/glusterfs.nix +++ b/nixos/modules/services/network-filesystems/glusterfs.nix @@ -41,6 +41,25 @@ in default = "INFO"; }; + useRpcbind = mkOption { + type = types.bool; + description = '' + Enable use of rpcbind. This is required for Gluster's NFS functionality. + + You may want to turn it off to reduce the attack surface for DDoS reflection attacks. + + See https://davelozier.com/glusterfs-and-rpcbind-portmap-ddos-reflection-attacks/ + and https://bugzilla.redhat.com/show_bug.cgi?id=1426842 for details. + ''; + default = true; + }; + + enableGlustereventsd = mkOption { + type = types.bool; + description = "Whether to enable the GlusterFS Events Daemon"; + default = true; + }; + extraFlags = mkOption { type = types.listOf types.str; description = "Extra flags passed to the GlusterFS daemon"; @@ -89,7 +108,7 @@ in config = mkIf cfg.enable { environment.systemPackages = [ pkgs.glusterfs ]; - services.rpcbind.enable = true; + services.rpcbind.enable = cfg.useRpcbind; environment.etc = mkIf (cfg.tlsSettings != null) { "ssl/glusterfs.pem".source = cfg.tlsSettings.tlsPem; @@ -104,8 +123,8 @@ in wantedBy = [ "multi-user.target" ]; - requires = [ "rpcbind.service" ]; - after = [ "rpcbind.service" "network.target" "local-fs.target" ]; + requires = lib.optional cfg.useRpcbind "rpcbind.service"; + after = [ "network.target" "local-fs.target" ] ++ lib.optional cfg.useRpcbind [ "rpcbind.service" ]; preStart = '' install -m 0755 -d /var/log/glusterfs @@ -133,7 +152,7 @@ in }; }; - systemd.services.glustereventsd = { + systemd.services.glustereventsd = mkIf cfg.enableGlustereventsd { inherit restartTriggers; description = "Gluster Events Notifier"; |