author | Tuomas Tynkkynen <tuomas@tuxera.com> | 2016-05-03 23:12:48 +0300 |
committer | Tuomas Tynkkynen <tuomas@tuxera.com> | 2016-05-03 23:12:48 +0300 |
commit | aadaa913792b0fdeb68b02425e4f03d2f8286a1f (patch) | |
tree | ea582b078a00e6ba27e2c887a9df5a792c37fb0e /nixos/modules/services/security/fail2ban.nix | |
parent | 2362891dc815160e343e52458f25db22508ac487 (diff) | |
parent | e7d3166656af0d98da9f59c78e2213cec842d743 (diff) | |
Merge remote-tracking branch 'upstream/master' into staging
Conflicts: pkgs/applications/networking/browsers/vivaldi/default.nix pkgs/misc/emulators/wine/base.nix
Diffstat (limited to 'nixos/modules/services/security/fail2ban.nix')
-rw-r--r-- | nixos/modules/services/security/fail2ban.nix | 28 |
1 files changed, 13 insertions, 15 deletions
diff --git a/nixos/modules/services/security/fail2ban.nix b/nixos/modules/services/security/fail2ban.nix
index afbd81be91f2..33c4910fc0ce 100644
--- a/nixos/modules/services/security/fail2ban.nix
+++ b/nixos/modules/services/security/fail2ban.nix
@@ -99,34 +99,32 @@ in
 wantedBy = [ "multi-user.target" ];
 after = [ "network.target" ];
+ partOf = optional config.networking.firewall.enable "firewall.service";
 restartTriggers = [ fail2banConf jailConf ];
 path = [ pkgs.fail2ban pkgs.iptables ];
 preStart =
 ''
- mkdir -p /run/fail2ban -m 0755
 mkdir -p /var/lib/fail2ban
 '';
+ unitConfig.Documentation = "man:fail2ban(1)";
+
 serviceConfig =
- { ExecStart = "${pkgs.fail2ban}/bin/fail2ban-server -f";
+ { Type = "forking";
+ ExecStart = "${pkgs.fail2ban}/bin/fail2ban-client -x start";
+ ExecStop = "${pkgs.fail2ban}/bin/fail2ban-client stop";
+ ExecReload = "${pkgs.fail2ban}/bin/fail2ban-client reload";
+ PIDFile = "/run/fail2ban/fail2ban.pid";
+ Restart = "always";
+ ReadOnlyDirectories = "/";
- ReadWriteDirectories = "/run /var/tmp /var/lib";
+ ReadWriteDirectories = "/run/fail2ban /var/tmp /var/lib";
+ PrivateTmp = "true";
+ RuntimeDirectory = "fail2ban";
 CapabilityBoundingSet = "CAP_DAC_READ_SEARCH CAP_NET_ADMIN CAP_NET_RAW";
 };
-
- postStart =
- ''
- # Wait for the server to start listening.
- for ((n = 0; n < 20; n++)); do
- if fail2ban-client ping; then break; fi
- sleep 0.5
- done
-
- # Reload its configuration.
- fail2ban-client reload
- '';
 };
 # Add some reasonable default jails. The special "DEFAULT" jail |
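Review bot: The new `ReadWriteDirectories` line still grants write access to all of `/var/lib`, although the unit only touches `/var/lib/fail2ban` (the directory `preStart` creates), so the `ReadOnlyDirectories = "/"` sandbox is weaker than it needs to be; narrowing it to `ReadWriteDirectories = "/run/fail2ban /var/tmp /var/lib/fail2ban";` keeps the rest of the system state read-only for the daemon. The `/var/tmp` entry is largely moot once `PrivateTmp` is set, since the service then sees a private `/var/tmp` anyway. The `partOf` line would benefit from a comment stating its intent, presumably that a restart of `firewall.service` (which rebuilds the iptables rules) also restarts fail2ban so its own chains are recreated; confirm that is what is wanted. The enclosing `systemd.services.fail2ban` attribute set starts before this hunk, so whether `optional` is in scope unqualified cannot be checked here.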