From d3c2b992d4350d5ed36139eab8ac4c5349de5a64 Mon Sep 17 00:00:00 2001
From: Ashish SHUKLA
Date: Sat, 27 Jul 2019 10:59:50 +0530
Subject: sshguard: do not create ipset in post-start

Upstream switched to a different type of ipset table, whereas we create ipset in post-start which overrides upstream, and renders sshguard ineffective. Remove ipset creation from post-start, and let it get automatically by upstream script (sshg-fw-ipset) as part of startup
---
 nixos/modules/services/security/sshguard.nix | 2 --
 1 file changed, 2 deletions(-)

diff --git a/nixos/modules/services/security/sshguard.nix b/nixos/modules/services/security/sshguard.nix
index 3892cd5c72b..25cec5b5b10 100644
--- a/nixos/modules/services/security/sshguard.nix
+++ b/nixos/modules/services/security/sshguard.nix
@@ -107,8 +107,6 @@ in {
 path = with pkgs; [ iptables ipset iproute systemd ];
 postStart = ''
- ${pkgs.ipset}/bin/ipset -quiet create -exist sshguard4 hash:ip family inet
- ${pkgs.ipset}/bin/ipset -quiet create -exist sshguard6 hash:ip family inet6
 ${pkgs.iptables}/bin/iptables -I INPUT -m set --match-set sshguard4 src -j DROP
 ${pkgs.iptables}/bin/ip6tables -I INPUT -m set --match-set sshguard6 src -j DROP
 '';
-- cgit 1.4.1