fail2ban: systemd support

- upgrade fail2ban to 0.9 - override systemd to enable python support and include sqlite3 module - make fail2ban enablable
2024-11-16 06:45:16 +01:00 · 2014-08-01 18:11:09 -07:00 · 2014-08-01 18:11:09 -07:00 · d8cca3d624
commit d8cca3d624
parent b18d0eee05
3 changed files with 20 additions and 11 deletions
--- a/nixos/modules/services/security/fail2ban.nix
+++ b/nixos/modules/services/security/fail2ban.nix
@ -25,12 +25,17 @@ in
  options = {

    services.fail2ban = {
+      enable = mkOption {
+        default = false;
+        type = types.bool;
+        description = "Whether to enable the fail2ban service.";
+      };

      daemonConfig = mkOption {
        default =
          ''
            [Definition]
-            loglevel  = 3
+            loglevel  = INFO
            logtarget = SYSLOG
            socket    = /run/fail2ban/fail2ban.sock
            pidfile   = /run/fail2ban/fail2ban.pid
@ -80,7 +85,7 @@ in

  ###### implementation

-  config = {
+  config = mkIf cfg.enable {

    environment.systemPackages = [ pkgs.fail2ban ];

@ -101,12 +106,13 @@ in
        preStart =
          ''
            mkdir -p /run/fail2ban -m 0755
+            mkdir -p /var/lib/fail2ban
          '';

        serviceConfig =
          { ExecStart = "${pkgs.fail2ban}/bin/fail2ban-server -f";
            ReadOnlyDirectories = "/";
-            ReadWriteDirectories = "/run /var/tmp";
+            ReadWriteDirectories = "/run /var/tmp /var/lib";
            CapabilityBoundingSet = "CAP_DAC_READ_SEARCH CAP_NET_ADMIN CAP_NET_RAW";
          };

@ -131,15 +137,14 @@ in
        bantime  = 600
        findtime = 600
        maxretry = 3
-        backend  = auto
-      '';
+        backend  = systemd
+       '';

    # Block SSH if there are too many failing connection attempts.
    services.fail2ban.jails.ssh-iptables =
      ''
        filter   = sshd
        action   = iptables[name=SSH, port=ssh, protocol=tcp]
-        logpath  = /var/log/warn
        maxretry = 5
      '';

--- a/pkgs/tools/security/fail2ban/default.nix
+++ b/pkgs/tools/security/fail2ban/default.nix
@ -1,6 +1,6 @@
-{ stdenv, fetchurl, pythonPackages, unzip, gamin }:
+{ stdenv, fetchurl, python, pythonPackages, unzip, systemd, gamin }:

-let version = "0.8.13"; in
+let version = "0.9"; in

 pythonPackages.buildPythonPackage {
  name = "fail2ban-${version}";
@ -9,12 +9,12 @@ pythonPackages.buildPythonPackage {
  src = fetchurl {
    url    = "https://github.com/fail2ban/fail2ban/zipball/${version}";
    name   = "fail2ban-${version}.zip";
-    sha256 = "0c63i5jsn2n6hv6fb6q922ksxfpppah9415vpydiv0vpf23pq0cb";
+    sha256 = "0dawl0vvdvpnkg1hc4l0c8sj8ikcr2l48d6khfx0174nq8yfcg93";
  };

  buildInputs = [ unzip ];

-  pythonPath = [ gamin ];
+  pythonPath = [ systemd python.modules.sqlite3 gamin ];

  preConfigure = ''
    substituteInPlace setup.cfg \
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@ -1008,7 +1008,11 @@ let

  fabric = pythonPackages.fabric;

-  fail2ban = callPackage ../tools/security/fail2ban { };
+  fail2ban = callPackage ../tools/security/fail2ban {
+    systemd = systemd.override {
+      pythonSupport = true;
+    };
+  };

  fakeroot = callPackage ../tools/system/fakeroot { };