From fc941899a356efd76e2390c829c59459bfd0d8e9 Mon Sep 17 00:00:00 2001
From: Alexander Ried
Date: Mon, 25 Apr 2016 23:13:03 +0200
Subject: fail2ban: rework service
---
 nixos/modules/services/security/fail2ban.nix | 28 +++++++++++++---------------
 1 file changed, 13 insertions(+), 15 deletions(-)
(limited to 'nixos/modules')
diff --git a/nixos/modules/services/security/fail2ban.nix b/nixos/modules/services/security/fail2ban.nix
index afbd81be91f2..33c4910fc0ce 100644
--- a/nixos/modules/services/security/fail2ban.nix
+++ b/nixos/modules/services/security/fail2ban.nix
@@ -99,34 +99,32 @@ in
 wantedBy = [ "multi-user.target" ];
 after = [ "network.target" ];
+ partOf = optional config.networking.firewall.enable "firewall.service";
 restartTriggers = [ fail2banConf jailConf ];
 path = [ pkgs.fail2ban pkgs.iptables ];
 preStart =
 ''
- mkdir -p /run/fail2ban -m 0755
 mkdir -p /var/lib/fail2ban
 '';
+ unitConfig.Documentation = "man:fail2ban(1)";
+
 serviceConfig =
- { ExecStart = "${pkgs.fail2ban}/bin/fail2ban-server -f";
+ { Type = "forking";
+ ExecStart = "${pkgs.fail2ban}/bin/fail2ban-client -x start";
+ ExecStop = "${pkgs.fail2ban}/bin/fail2ban-client stop";
+ ExecReload = "${pkgs.fail2ban}/bin/fail2ban-client reload";
+ PIDFile = "/run/fail2ban/fail2ban.pid";
+ Restart = "always";
+
 ReadOnlyDirectories = "/";
- ReadWriteDirectories = "/run /var/tmp /var/lib";
+ ReadWriteDirectories = "/run/fail2ban /var/tmp /var/lib";
+ PrivateTmp = "true";
+ RuntimeDirectory = "fail2ban";
 CapabilityBoundingSet = "CAP_DAC_READ_SEARCH CAP_NET_ADMIN CAP_NET_RAW";
 };
-
- postStart =
- ''
- # Wait for the server to start listening.
- for ((n = 0; n < 20; n++)); do
- if fail2ban-client ping; then break; fi
- sleep 0.5
- done
-
- # Reload its configuration.
- fail2ban-client reload
- '';
 };
 # Add some reasonable default jails. The special "DEFAULT" jail
--
cgit 1.4.1
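Review bot: The new `ReadWriteDirectories` line still grants write access to all of `/var/lib`, although the unit only uses `/var/lib/fail2ban` (the surviving `preStart` line creates exactly that path), so the least-privilege narrowing this hunk applies to `/run` → `/run/fail2ban` stops short for the state directory. Tightening it to `ReadWriteDirectories = "/run/fail2ban /var/tmp /var/lib/fail2ban";` would be consistent, but since `preStart` runs inside the same read-only namespace the directory would then have to exist before the unit starts (for example via a `systemd.tmpfiles.rules` entry) instead of being created by the `mkdir -p` in `preStart`. `/var/tmp` also looks redundant once `PrivateTmp = "true"` is set, because that option gives the service its own private `/tmp` and `/var/tmp`; worth confirming against the systemd version in use before dropping it. The enclosing service definition begins before this hunk.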