From d8cca3d624399316f7abefc9e9d6747d2e32bed2 Mon Sep 17 00:00:00 2001
From: Joel Taylor
Date: Fri, 1 Aug 2014 18:11:09 -0700
Subject: [PATCH] fail2ban: systemd support

- upgrade fail2ban to 0.9
- override systemd to enable python support and include sqlite3 module
- make fail2ban enablable
---
 nixos/modules/services/security/fail2ban.nix | 17 +++++++++++------
 pkgs/tools/security/fail2ban/default.nix | 8 ++++----
 pkgs/top-level/all-packages.nix | 6 +++++-
 3 files changed, 20 insertions(+), 11 deletions(-)

diff --git a/nixos/modules/services/security/fail2ban.nix b/nixos/modules/services/security/fail2ban.nix
index af5450166379..3758652ebddf 100644
--- a/nixos/modules/services/security/fail2ban.nix
+++ b/nixos/modules/services/security/fail2ban.nix
@@ -25,12 +25,17 @@ in
 options = {
 
 services.fail2ban = {
 
+ enable = mkOption {
+ default = false;
+ type = types.bool;
+ description = "Whether to enable the fail2ban service.";
+ };
 
 daemonConfig = mkOption {
 default =
 ''
 [Definition]
- loglevel = 3
+ loglevel = INFO
 logtarget = SYSLOG
 socket = /run/fail2ban/fail2ban.sock
 pidfile = /run/fail2ban/fail2ban.pid
@@ -80,7 +85,7 @@ in
 
 ###### implementation
 
- config = {
+ config = mkIf cfg.enable {
 
 environment.systemPackages = [ pkgs.fail2ban ];
 
@@ -101,12 +106,13 @@ in
 preStart =
 ''
 mkdir -p /run/fail2ban -m 0755
+ mkdir -p /var/lib/fail2ban
 '';
 
 serviceConfig =
 { ExecStart = "${pkgs.fail2ban}/bin/fail2ban-server -f";
 ReadOnlyDirectories = "/";
- ReadWriteDirectories = "/run /var/tmp";
+ ReadWriteDirectories = "/run /var/tmp /var/lib";
 CapabilityBoundingSet = "CAP_DAC_READ_SEARCH CAP_NET_ADMIN CAP_NET_RAW";
 };
 
@@ -131,15 +137,14 @@ in
 bantime = 600
 findtime = 600
 maxretry = 3
- backend = auto
- '';
+ backend = systemd
+ '';
 
 # Block SSH if there are too many failing connection attempts.
 services.fail2ban.jails.ssh-iptables =
 ''
 filter = sshd
 action = iptables[name=SSH, port=ssh, protocol=tcp]
- logpath = /var/log/warn
 maxretry = 5
 '';
 
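Review bot: `ReadWriteDirectories = "/run /var/tmp /var/lib"` in the serviceConfig hunk makes the whole of /var/lib writable to the daemon, while the only new path the unit touches is the /var/lib/fail2ban that preStart creates; `ReadWriteDirectories = "/run /var/tmp /var/lib/fail2ban";` keeps the ReadOnlyDirectories = "/" sandbox as narrow as it was before. If the bind mount has to exist before the unit's namespace is set up, create the directory outside preStart rather than widening the grant. The new `mkdir -p /var/lib/fail2ban` also omits the `-m 0755` that the /run/fail2ban line uses, so its mode depends on the daemon's umask; presumably the 0.9 state database lands there, so an explicit mode would make the intent clear. The enclosing systemd.services.fail2ban definition starts and ends outside the hunk.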
diff --git a/pkgs/tools/security/fail2ban/default.nix b/pkgs/tools/security/fail2ban/default.nix
index 8d6a6241ad3f..6b5c69c3d2e2 100644
--- a/pkgs/tools/security/fail2ban/default.nix
+++ b/pkgs/tools/security/fail2ban/default.nix
@@ -1,6 +1,6 @@
-{ stdenv, fetchurl, pythonPackages, unzip, gamin }:
+{ stdenv, fetchurl, python, pythonPackages, unzip, systemd, gamin }:
 
-let version = "0.8.13"; in
+let version = "0.9"; in
 
 pythonPackages.buildPythonPackage {
 name = "fail2ban-${version}";
@@ -9,12 +9,12 @@ pythonPackages.buildPythonPackage {
 src = fetchurl {
 url = "https://github.com/fail2ban/fail2ban/zipball/${version}";
 name = "fail2ban-${version}.zip";
- sha256 = "0c63i5jsn2n6hv6fb6q922ksxfpppah9415vpydiv0vpf23pq0cb";
+ sha256 = "0dawl0vvdvpnkg1hc4l0c8sj8ikcr2l48d6khfx0174nq8yfcg93";
 };
 
 buildInputs = [ unzip ];
 
- pythonPath = [ gamin ];
+ pythonPath = [ systemd python.modules.sqlite3 gamin ];
 
 preConfigure = ''
 substituteInPlace setup.cfg \
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index 8590aa747421..30f7acb93605 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -1008,7 +1008,11 @@ let
 
 fabric = pythonPackages.fabric;
 
- fail2ban = callPackage ../tools/security/fail2ban { };
+ fail2ban = callPackage ../tools/security/fail2ban {
+ systemd = systemd.override {
+ pythonSupport = true;
+ };
+ };
 
 fakeroot = callPackage ../tools/system/fakeroot { };
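Review bot: `pythonPath = [ systemd python.modules.sqlite3 gamin ];` in the second default.nix hunk takes the sqlite3 module from a `python` argument that is passed independently of `pythonPackages`, so nothing ties that module to the interpreter buildPythonPackage actually runs; if the two ever resolve to different Pythons the module sits on the wrong interpreter's path and the 0.9 database support silently fails to import. Taking it from the package set's own interpreter, e.g. `pythonPath = [ systemd pythonPackages.python.modules.sqlite3 gamin ];`, and dropping the separate `python` input would remove that coupling, assuming pythonPackages exposes its interpreter as `python` here. The same question applies to the systemd bindings, since the `systemd.override { pythonSupport = true; }` passed in from all-packages.nix builds them against whatever Python that derivation chooses, which is not visibly the same one.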