authorFlakebi <flakebi@t-online.de>2023-02-15 10:11:38 +0100
committerFlakebi <flakebi@t-online.de>2023-02-15 10:11:38 +0100
commit12db8314d734f9fbb2dc58dfe73c1b3410599b29 (patch)
tree8dd93cb2b3558cd334948b548e35ea2f546ece97 /nixos
parentd917136f550a8c36efb1724390c7245105f79023 (diff)
fail2ban: 0.11.2 -> 1.0.2
Update to 1.0.2: https://github.com/fail2ban/fail2ban/blob/1.0.2/ChangeLog#ver-102-20221109---finally-war-game-test-tape-not-a-nuclear-alarm
1.0.1 contained a few breaking changes, but I think they have little
impact.

I changed the module to use the systemd service shipping with fail2ban
(now added to the package).
Diffstat (limited to 'nixos')
-rw-r--r--nixos/doc/manual/release-notes/rl-2305.section.md2
-rw-r--r--nixos/modules/services/security/fail2ban.nix12
2 files changed, 3 insertions, 11 deletions
diff --git a/nixos/doc/manual/release-notes/rl-2305.section.md b/nixos/doc/manual/release-notes/rl-2305.section.md
index c81cbc69f94e..bcd277ba6f89 100644
--- a/nixos/doc/manual/release-notes/rl-2305.section.md
+++ b/nixos/doc/manual/release-notes/rl-2305.section.md
@@ -95,6 +95,8 @@ In addition to numerous new and upgraded packages, this release has the followin
 
 - The EC2 image module previously detected and activated swap-formatted instance store devices and partitions in stage-1 (initramfs). This behaviour has been removed. Users relying on this should provide their own implementation.
 
+- `fail2ban` has been updated to 1.0.2, which has a few breaking changes compared to 0.11.2 ([changelog for 1.0.1](https://github.com/fail2ban/fail2ban/blob/1.0.1/ChangeLog), [changelog for 1.0.2](https://github.com/fail2ban/fail2ban/blob/1.0.2/ChangeLog))
+
 - Calling `makeSetupHook` without passing a `name` argument is deprecated.
 
 - Qt 5.12 and 5.14 have been removed, as the corresponding branches have been EOL upstream for a long time. This affected under 10 packages in nixpkgs, largely unmaintained upstream as well, however, out-of-tree package expressions may need to be updated manually.
diff --git a/nixos/modules/services/security/fail2ban.nix b/nixos/modules/services/security/fail2ban.nix
index 3c4bcd1ac265..ead24d147071 100644
--- a/nixos/modules/services/security/fail2ban.nix
+++ b/nixos/modules/services/security/fail2ban.nix
@@ -273,26 +273,16 @@ in
       "fail2ban/filter.d".source = "${cfg.package}/etc/fail2ban/filter.d/*.conf";
     };
 
+    systemd.packages = [ cfg.package ];
     systemd.services.fail2ban = {
-      description = "Fail2ban Intrusion Prevention System";
-
       wantedBy = [ "multi-user.target" ];
-      after = [ "network.target" ];
       partOf = optional config.networking.firewall.enable "firewall.service";
 
       restartTriggers = [ fail2banConf jailConf pathsConf ];
 
       path = [ cfg.package cfg.packageFirewall pkgs.iproute2 ] ++ cfg.extraPackages;
 
-      unitConfig.Documentation = "man:fail2ban(1)";
-
       serviceConfig = {
-        ExecStart = "${cfg.package}/bin/fail2ban-server -xf start";
-        ExecStop = "${cfg.package}/bin/fail2ban-server stop";
-        ExecReload = "${cfg.package}/bin/fail2ban-server reload";
-        Type = "simple";
-        Restart = "on-failure";
-        PIDFile = "/run/fail2ban/fail2ban.pid";
         # Capabilities
         CapabilityBoundingSet = [ "CAP_AUDIT_READ" "CAP_DAC_READ_SEARCH" "CAP_NET_ADMIN" "CAP_NET_RAW" ];
         # Security