fail2ban: move /var/run/fail2ban creation to activation script to be able to restrict the write locations for the service properly, add configuration files to the restartTriggers.
parent
3ca7d7b291
commit
9cf0a41925
|
@ -98,22 +98,20 @@ in
|
|||
}
|
||||
];
|
||||
|
||||
system.activationScripts.fail2ban =
|
||||
''
|
||||
mkdir -p /var/run/fail2ban -m 0755
|
||||
'';
|
||||
|
||||
systemd.services.fail2ban =
|
||||
{ description = "Fail2ban intrusion prevention system";
|
||||
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
after = [ "network.target" ];
|
||||
|
||||
restartTriggers = [ fail2banConf jailConf ];
|
||||
path = [ pkgs.fail2ban pkgs.iptables ];
|
||||
|
||||
preStart =
|
||||
''
|
||||
# FIXME: this won't detect changes to
|
||||
# /etc/fail2ban/{filter.d,action.d}.
|
||||
# ${fail2banConf} ${jailConf}
|
||||
mkdir -p /var/run/fail2ban -m 0755
|
||||
'';
|
||||
|
||||
serviceConfig =
|
||||
{ ExecStart = "${pkgs.fail2ban}/bin/fail2ban-server -f";
|
||||
ReadOnlyDirectories = "/";
|
||||
|
|
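Review bot: The `mkdir -p /var/run/fail2ban -m 0755` in `system.activationScripts.fail2ban` applies the mode only when it creates the directory; if the path already exists with a different mode or owner, `-p` succeeds silently and leaves it unchanged. This directory holds the fail2ban server's runtime files (presumably including its control socket), so the activation script should enforce the expected state, e.g. `install -d -m 0755 -o root -g root /var/run/fail2ban`, or add `chmod 0755 /var/run/fail2ban` after the mkdir. Separately, the page has lost its +/- markers, but if the `preStart` block is the removed side, its FIXME about `/etc/fail2ban/{filter.d,action.d}` disappears even though `restartTriggers = [ fail2banConf jailConf ];` still does not cover those directories. A one-line comment next to `restartTriggers` noting that filter and action changes do not trigger a restart would keep that gap visible. The `serviceConfig` attribute set continues outside the hunk, so the write locations allowed alongside `ReadOnlyDirectories = "/"` cannot be checked from here.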