diff options
Diffstat (limited to 'nixos/modules/services/security/fail2ban.nix')
| -rw-r--r-- | nixos/modules/services/security/fail2ban.nix | 28 |
1 files changed, 13 insertions, 15 deletions
diff --git a/nixos/modules/services/security/fail2ban.nix b/nixos/modules/services/security/fail2ban.nix index afbd81be91f2..33c4910fc0ce 100644 --- a/nixos/modules/services/security/fail2ban.nix +++ b/nixos/modules/services/security/fail2ban.nix @@ -99,34 +99,32 @@ in wantedBy = [ "multi-user.target" ]; after = [ "network.target" ]; + partOf = optional config.networking.firewall.enable "firewall.service"; restartTriggers = [ fail2banConf jailConf ]; path = [ pkgs.fail2ban pkgs.iptables ]; preStart = '' - mkdir -p /run/fail2ban -m 0755 mkdir -p /var/lib/fail2ban ''; + unitConfig.Documentation = "man:fail2ban(1)"; + serviceConfig = - { ExecStart = "${pkgs.fail2ban}/bin/fail2ban-server -f"; + { Type = "forking"; + ExecStart = "${pkgs.fail2ban}/bin/fail2ban-client -x start"; + ExecStop = "${pkgs.fail2ban}/bin/fail2ban-client stop"; + ExecReload = "${pkgs.fail2ban}/bin/fail2ban-client reload"; + PIDFile = "/run/fail2ban/fail2ban.pid"; + Restart = "always"; + ReadOnlyDirectories = "/"; - ReadWriteDirectories = "/run /var/tmp /var/lib"; + ReadWriteDirectories = "/run/fail2ban /var/tmp /var/lib"; + PrivateTmp = "true"; + RuntimeDirectory = "fail2ban"; CapabilityBoundingSet = "CAP_DAC_READ_SEARCH CAP_NET_ADMIN CAP_NET_RAW"; }; - - postStart = - '' - # Wait for the server to start listening. - for ((n = 0; n < 20; n++)); do - if fail2ban-client ping; then break; fi - sleep 0.5 - done - - # Reload its configuration. - fail2ban-client reload - ''; }; # Add some reasonable default jails. The special "DEFAULT" jail |