author | Peter Hoeg <peter@hoeg.com> | 2019-01-23 18:20:28 +0800 |
committer | Peter Hoeg <peter@hoeg.com> | 2019-01-28 11:36:29 +0800 |
commit | ee472e4521f828a484f4c349e7404a20d16ac0cc (patch) | |
tree | a537371cc4d4058b0b3fd61cb5adced6200951c3 /nixos/modules | |
parent | bc41317e24317b0f506287f2d5bab00140b9b50e (diff) | |
nixos/sshguard: fix syslog ids, no more pid file, cleanups
1. Allow syslog identifiers with special characters. 2. Do not write a PID file, as we are running in the foreground anyway. 3. Clean up the module for readability. Without this, when deploying using nixops, restarting sshguard would make nixops show an error about restarting the service, although the service is actually being restarted.
Diffstat (limited to 'nixos/modules')
-rw-r--r-- | nixos/modules/services/security/sshguard.nix | 99 |
1 files changed, 50 insertions, 49 deletions
diff --git a/nixos/modules/services/security/sshguard.nix b/nixos/modules/services/security/sshguard.nix
index 137c3d61018..3892cd5c72b 100644
--- a/nixos/modules/services/security/sshguard.nix
+++ b/nixos/modules/services/security/sshguard.nix
@@ -4,6 +4,7 @@ with lib; let cfg = config.services.sshguard; + in { ###### interface 
@@ -77,65 +78,65 @@ in { Systemd services sshguard should receive logs of. ''; }; - }; - }; - ###### implementation config = mkIf cfg.enable { - environment.systemPackages = [ pkgs.sshguard pkgs.iptables pkgs.ipset ]; - environment.etc."sshguard.conf".text = let - list_services = ( name: "-t ${name} "); - in '' - BACKEND="${pkgs.sshguard}/libexec/sshg-fw-ipset" - LOGREADER="LANG=C ${pkgs.systemd}/bin/journalctl -afb -p info -n1 ${toString (map list_services cfg.services)} -o cat" + args = lib.concatStringsSep " " ([ + "-afb" + "-p info" + "-o cat" + "-n1" + ] ++ (map (name: "-t ${escapeShellArg name}") cfg.services)); + in '' + BACKEND="${pkgs.sshguard}/libexec/sshg-fw-ipset" + LOGREADER="LANG=C ${pkgs.systemd}/bin/journalctl ${args}" + ''; + + systemd.services.sshguard = { + description = "SSHGuard brute-force attacks protection system"; + + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + partOf = optional config.networking.firewall.enable "firewall.service"; + + path = with pkgs; [ iptables ipset iproute systemd ]; + + postStart = '' + ${pkgs.ipset}/bin/ipset -quiet create -exist sshguard4 hash:ip family inet + ${pkgs.ipset}/bin/ipset -quiet create -exist sshguard6 hash:ip family inet6 + ${pkgs.iptables}/bin/iptables -I INPUT -m set --match-set sshguard4 src -j DROP + ${pkgs.iptables}/bin/ip6tables -I INPUT -m set --match-set sshguard6 src -j DROP + ''; + + preStop = '' + ${pkgs.iptables}/bin/iptables -D INPUT -m set --match-set sshguard4 src -j DROP + ${pkgs.iptables}/bin/ip6tables -D INPUT -m set --match-set sshguard6 src -j DROP ''; - systemd.services.sshguard = - { description = "SSHGuard brute-force attacks protection system"; - - wantedBy = [ "multi-user.target" ]; - after = [ "network.target" ]; - partOf = optional config.networking.firewall.enable "firewall.service"; - - path = [ pkgs.iptables pkgs.ipset pkgs.iproute pkgs.systemd ]; - - postStart = '' - mkdir -p /var/lib/sshguard - ${pkgs.ipset}/bin/ipset -quiet create -exist 
sshguard4 hash:ip family inet - ${pkgs.ipset}/bin/ipset -quiet create -exist sshguard6 hash:ip family inet6 - ${pkgs.iptables}/bin/iptables -I INPUT -m set --match-set sshguard4 src -j DROP - ${pkgs.iptables}/bin/ip6tables -I INPUT -m set --match-set sshguard6 src -j DROP - ''; - - preStop = '' - ${pkgs.iptables}/bin/iptables -D INPUT -m set --match-set sshguard4 src -j DROP - ${pkgs.iptables}/bin/ip6tables -D INPUT -m set --match-set sshguard6 src -j DROP - ''; - - unitConfig.Documentation = "man:sshguard(8)"; - - serviceConfig = { - Type = "simple"; - ExecStart = let - list_whitelist = ( name: "-w ${name} "); - in '' - ${pkgs.sshguard}/bin/sshguard -a ${toString cfg.attack_threshold} ${optionalString (cfg.blacklist_threshold != null) "-b ${toString cfg.blacklist_threshold}:${cfg.blacklist_file} "}-i /run/sshguard/sshguard.pid -p ${toString cfg.blocktime} -s ${toString cfg.detection_time} ${toString (map list_whitelist cfg.whitelist)} - ''; - PIDFile = "/run/sshguard/sshguard.pid"; - Restart = "always"; - - ReadOnlyDirectories = "/"; - ReadWriteDirectories = "/run/sshguard /var/lib/sshguard"; - RuntimeDirectory = "sshguard"; - StateDirectory = "sshguard"; - CapabilityBoundingSet = "CAP_NET_ADMIN CAP_NET_RAW"; - }; + unitConfig.Documentation = "man:sshguard(8)"; + + serviceConfig = { + Type = "simple"; + ExecStart = let + args = lib.concatStringsSep " " ([ + "-a ${toString cfg.attack_threshold}" + "-p ${toString cfg.blocktime}" + "-s ${toString cfg.detection_time}" + (optionalString (cfg.blacklist_threshold != null) "-b ${toString cfg.blacklist_threshold}:${cfg.blacklist_file}") + ] ++ (map (name: "-w ${escapeShellArg name}") cfg.whitelist)); + in "${pkgs.sshguard}/bin/sshguard ${args}"; + Restart = "always"; + ProtectSystem = "strict"; + ProtectHome = "tmpfs"; + RuntimeDirectory = "sshguard"; + StateDirectory = "sshguard"; + CapabilityBoundingSet = "CAP_NET_ADMIN CAP_NET_RAW"; }; + }; }; } |
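Review bot: `cfg.blacklist_file` is spliced into the new `-b` argument unquoted while the whitelist entries built right after it go through `escapeShellArg`, and with `ReadWriteDirectories` replaced by `ProtectSystem = "strict"` that file is now writable only if it lives under the `RuntimeDirectory`/`StateDirectory` (its default is declared in the interface section outside this hunk, so I cannot confirm where it points). For consistency and to keep the `threshold:file` token intact, `"-b ${toString cfg.blacklist_threshold}:${escapeShellArg cfg.blacklist_file}"`, and either `ReadWritePaths = optional (cfg.blacklist_threshold != null) (dirOf cfg.blacklist_file);` in `serviceConfig` or an assertion that the path stays under `/var/lib/sshguard` would close the gap. Keep in mind that `ExecStart` is word-split by systemd rather than a shell, so `escapeShellArg`'s single-quoted form works for plain values but its `'\''` encoding of an embedded quote is presumably not unquoted the same way; the `LOGREADER` line is a different case since that value is a shell-style config entry consumed by sshguard.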