Default Firewall in Fedora Server 26

One thing that I thought of while writing up my overseer email was this: We decided a couple weeks ago that the plan for Fedora 26 was to deliver two slightly different versions of Fedora Server: one with a GUI (Cockpit) and one that only included the capability for another Cockpit instance to manage it. This implies that we need two different default firewall configurations; one for Server w/ GUI and one without.[1] I see two ways that we could accomplish this: * Create two variants for use with /etc/os-release such as `VARIANT_ID=server` and `VARIANT_ID=server-gui`. This would allow us to deliver a different default systemd presets and firewall configuration to the system. If the Cockpit GUI was installed later, the administrator would need to explicitly enable cockpit.socket and grant firewall permission to allow it as a separate action. * Create a helper systemd service that would run as a dependency of the cockpit.socket service and open the firewall while that service is running. (This helper could be installed as part of the fedora-release-server package, so it wouldn't take effect on systems that aren't Fedora Server). I'm leaning towards the second one (though I'll probably have to come up with new packaging guidelines for how it would work). My concern with this option is that it *is* a deviation from how Fedora generally handles the installation of services; normally installation and starting them are independent. That said, I think an argument can be made that if someone is installing `cockpit-ws` on a Fedora Server system, we can make an assumption that they intend to use it to manage that system. I don't really like the first option because I'm worried that it will set a precedent that will lead to a combinatorial explosion of variants we need to test. But it *does* give us the option to avoid auto-starting cockpit-ws if we install it later. Other ideas are of course most welcome. [1] This is because Cockpit operates on a non-privileged port (9090) and therefore if we leave this port available by default, there's an opportunity for a user process to claim it.