redis service: Listen on localhost by default. Fixes NixOS#100192.

All other database servers in NixOS also use this safe-by-default setting.
nh2 · Nov 8, 2020 · 169ab0b · 169ab0b
1 parent c0f4be6
commit 169ab0b
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 3 deletions.
diff --git a/nixos/doc/manual/release-notes/rl-2103.xml b/nixos/doc/manual/release-notes/rl-2103.xml
@@ -159,6 +159,11 @@
  to <package>nextcloud20</package>.
  </para>
  </listitem>
+ <listitem>
+ <para>
+ The setting <xref linkend="opt-services.redis.bind" /> defaults to <literal>127.0.0.1</literal> now, making Redis listen on the loopback interface only, and not all public network interfaces.
+ </para>
+ </listitem>
  <listitem>
  <para>
  NixOS now emits a deprecation warning if systemd's <literal>StartLimitInterval</literal> setting is used in a <literal>serviceConfig</literal> section instead of in a <literal>unitConfig</literal>; that setting is deprecated and now undocumented for the service section by systemd upstream, but still effective and somewhat buggy there, which can be confusing. See <link xlink:href="https://github.com/NixOS/nixpkgs/issues/45785">#45785</link> for details.

diff --git a/nixos/modules/services/databases/redis.nix b/nixos/modules/services/databases/redis.nix
@@ -87,9 +87,12 @@ in
 
  bind = mkOption {
  type = with types; nullOr str;
- default = null; # All interfaces
- description = "The IP interface to bind to.";
- example = "127.0.0.1";
+ default = "127.0.0.1";
+ description = ''
+ The IP interface to bind to.
+ <literal>null</literal> means "all interfaces".
+ '';
+ example = "192.0.2.1";
  };
 
  unixSocket = mkOption {