public/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

sshguard: make it run

Browse Source
This commit is contained in:
Peter Hoeg 2017-09-28 14:05:09 +08:00
parent 3571163858
commit 69d8b81b4b
1 changed files with 33 additions and 37 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
nixos/modules/services/security/sshguard.nix
View File

@ -87,23 +87,21 @@ in {
config = mkIf cfg.enable {
environment.systemPackages = [ pkgs.sshguard pkgs.iptables pkgs.ipset ];
environment.etc."sshguard.conf".text = let
list_services = ( name: "-t ${name} ");
in ''
BACKEND="${pkgs.sshguard}/libexec/sshg-fw-ipset"
LOGREADER="LANG=C ${pkgs.systemd}/bin/journalctl -afb -p info -n1 ${toString (map list_services cfg.services)} -o cat"
BACKEND="${lib.getBin pkgs.sshguard}/libexec/sshg-fw-ipset"
LOGREADER="LANG=C ${lib.getBin pkgs.systemd}/bin/journalctl -afb -p info -n1 ${toString (map list_services cfg.services)} -o cat"
'';
systemd.services.sshguard =
{ description = "SSHGuard brute-force attacks protection system";
systemd.services.sshguard = {
description = "SSHGuard brute-force attacks protection system";
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
partOf = optional config.networking.firewall.enable "firewall.service";
path = [ pkgs.iptables pkgs.ipset pkgs.iproute pkgs.systemd ];
path = with pkgs; [ iptables ipset iproute systemd ];
postStart = ''
mkdir -p /var/lib/sshguard
@ -127,13 +125,11 @@ in {
in ''
${pkgs.sshguard}/bin/sshguard -a ${toString cfg.attack_threshold} ${optionalString (cfg.blacklist_threshold != null) "-b ${toString cfg.blacklist_threshold}:${cfg.blacklist_file} "}-i /run/sshguard/sshguard.pid -p ${toString cfg.blocktime} -s ${toString cfg.detection_time} ${toString (map list_whitelist cfg.whitelist)}
'';
PIDFile = "/run/sshguard/sshguard.pid";
Restart = "always";
ReadOnlyDirectories = "/";
ReadWriteDirectories = "/run/sshguard /var/lib/sshguard";
ProtectSystem = true;
PrivateTmp = true;
RuntimeDirectory = "sshguard";
CapabilityBoundingSet = "CAP_NET_ADMIN CAP_NET_RAW";
# CapabilityBoundingSet = "CAP_NET_ADMIN CAP_NET_RAW";
};
};
};