authorJoel Taylor <me@joelt.io>2014-08-01 18:11:09 -0700
committerRok Garbas <rok@garbas.si>2014-08-08 00:10:19 +0200
commitd8cca3d624399316f7abefc9e9d6747d2e32bed2 (patch)
tree0c92ed1932f4f9523a1541490c917e99e01943ca /nixos/modules/services/security/fail2ban.nix
parentb18d0eee051229a6d0c8ee37efc7dce3852cb7ed (diff)
fail2ban: systemd support
- upgrade fail2ban to 0.9
- override systemd to enable python support and include sqlite3 module
- make fail2ban enablable
Diffstat (limited to 'nixos/modules/services/security/fail2ban.nix')
-rw-r--r--nixos/modules/services/security/fail2ban.nix17
1 files changed, 11 insertions, 6 deletions
diff --git a/nixos/modules/services/security/fail2ban.nix b/nixos/modules/services/security/fail2ban.nix
index af545016637..3758652ebdd 100644
--- a/nixos/modules/services/security/fail2ban.nix
+++ b/nixos/modules/services/security/fail2ban.nix
@@ -25,12 +25,17 @@ in
   options = {
 
     services.fail2ban = {
+      enable = mkOption {
+        default = false;
+        type = types.bool;
+        description = "Whether to enable the fail2ban service.";
+      };
 
       daemonConfig = mkOption {
         default =
           ''
             [Definition]
-            loglevel  = 3
+            loglevel  = INFO
             logtarget = SYSLOG
             socket    = /run/fail2ban/fail2ban.sock
             pidfile   = /run/fail2ban/fail2ban.pid
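Review bot: The new `enable` option is spelled out by hand even though its description is exactly the text the library's enable-option helper produces; if the lib in use provides it, `enable = mkEnableOption "the fail2ban service";` would be the conventional form and keeps the module consistent with other services. The `loglevel = INFO` change on the daemonConfig default is a 0.9 format change rather than a behavioural one, so it is fine as is, but a short comment such as `# fail2ban 0.9 expects symbolic log levels (INFO, DEBUG, …)` next to it would save the next reader from checking why a number became a word. The options attribute set continues outside the hunk.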
@@ -80,7 +85,7 @@ in
 
   ###### implementation
 
-  config = {
+  config = mkIf cfg.enable {
 
     environment.systemPackages = [ pkgs.fail2ban ];
 
@@ -101,12 +106,13 @@ in
         preStart =
           ''
             mkdir -p /run/fail2ban -m 0755
+            mkdir -p /var/lib/fail2ban
           '';
 
         serviceConfig =
           { ExecStart = "${pkgs.fail2ban}/bin/fail2ban-server -f";
             ReadOnlyDirectories = "/";
-            ReadWriteDirectories = "/run /var/tmp";
+            ReadWriteDirectories = "/run /var/tmp /var/lib";
             CapabilityBoundingSet = "CAP_DAC_READ_SEARCH CAP_NET_ADMIN CAP_NET_RAW";
           };
 
@@ -131,15 +137,14 @@ in
         bantime  = 600
         findtime = 600
         maxretry = 3
-        backend  = auto
-      '';
+        backend  = systemd
+       '';
 
     # Block SSH if there are too many failing connection attempts.
     services.fail2ban.jails.ssh-iptables =
       ''
         filter   = sshd
         action   = iptables[name=SSH, port=ssh, protocol=tcp]
-        logpath  = /var/log/warn
         maxretry = 5
       '';