diff options
Diffstat (limited to 'nixos/modules/services/security/sshguard.nix')
-rw-r--r-- | nixos/modules/services/security/sshguard.nix | 42 |
1 files changed, 24 insertions, 18 deletions
diff --git a/nixos/modules/services/security/sshguard.nix b/nixos/modules/services/security/sshguard.nix index e7a9cefdef3..53bd9efa5ac 100644 --- a/nixos/modules/services/security/sshguard.nix +++ b/nixos/modules/services/security/sshguard.nix @@ -5,6 +5,21 @@ with lib; let cfg = config.services.sshguard; + configFile = let + args = lib.concatStringsSep " " ([ + "-afb" + "-p info" + "-o cat" + "-n1" + ] ++ (map (name: "-t ${escapeShellArg name}") cfg.services)); + backend = if config.networking.nftables.enable + then "sshg-fw-nft-sets" + else "sshg-fw-ipset"; + in pkgs.writeText "sshguard.conf" '' + BACKEND="${pkgs.sshguard}/libexec/${backend}" + LOGREADER="LANG=C ${pkgs.systemd}/bin/journalctl ${args}" + ''; + in { ###### interface @@ -85,20 +100,7 @@ in { config = mkIf cfg.enable { - environment.etc."sshguard.conf".text = let - args = lib.concatStringsSep " " ([ - "-afb" - "-p info" - "-o cat" - "-n1" - ] ++ (map (name: "-t ${escapeShellArg name}") cfg.services)); - backend = if config.networking.nftables.enable - then "sshg-fw-nft-sets" - else "sshg-fw-ipset"; - in '' - BACKEND="${pkgs.sshguard}/libexec/${backend}" - LOGREADER="LANG=C ${pkgs.systemd}/bin/journalctl ${args}" - ''; + environment.etc."sshguard.conf".source = configFile; systemd.services.sshguard = { description = "SSHGuard brute-force attacks protection system"; @@ -107,9 +109,11 @@ in { after = [ "network.target" ]; partOf = optional config.networking.firewall.enable "firewall.service"; + restartTriggers = [ configFile ]; + path = with pkgs; if config.networking.nftables.enable - then [ nftables iproute systemd ] - else [ iptables ipset iproute systemd ]; + then [ nftables iproute2 systemd ] + else [ iptables ipset iproute2 systemd ]; # The sshguard ipsets must exist before we invoke # iptables. sshguard creates the ipsets after startup if @@ -119,15 +123,17 @@ in { # firewall rules before sshguard starts. preStart = optionalString config.networking.firewall.enable '' ${pkgs.ipset}/bin/ipset -quiet create -exist sshguard4 hash:net family inet - ${pkgs.ipset}/bin/ipset -quiet create -exist sshguard6 hash:net family inet6 ${pkgs.iptables}/bin/iptables -I INPUT -m set --match-set sshguard4 src -j DROP + '' + optionalString (config.networking.firewall.enable && config.networking.enableIPv6) '' + ${pkgs.ipset}/bin/ipset -quiet create -exist sshguard6 hash:net family inet6 ${pkgs.iptables}/bin/ip6tables -I INPUT -m set --match-set sshguard6 src -j DROP ''; postStop = optionalString config.networking.firewall.enable '' ${pkgs.iptables}/bin/iptables -D INPUT -m set --match-set sshguard4 src -j DROP - ${pkgs.iptables}/bin/ip6tables -D INPUT -m set --match-set sshguard6 src -j DROP ${pkgs.ipset}/bin/ipset -quiet destroy sshguard4 + '' + optionalString (config.networking.firewall.enable && config.networking.enableIPv6) '' + ${pkgs.iptables}/bin/ip6tables -D INPUT -m set --match-set sshguard6 src -j DROP ${pkgs.ipset}/bin/ipset -quiet destroy sshguard6 ''; |