From 6adfb647ff3cd3c7bb00b68dafe79eec8786df3e Mon Sep 17 00:00:00 2001
From: Rob Vermaas <rob.vermaas@gmail.com>
Date: Thu, 25 Jul 2013 20:03:29 +0200
Subject: [PATCH] Limit the capabilities of what fail2ban service can do. Taken
 from ArchLinux wiki.

---
 modules/services/security/fail2ban.nix | 1 +
 1 file changed, 1 insertion(+)

diff --git a/modules/services/security/fail2ban.nix b/modules/services/security/fail2ban.nix
index 258a2d79163..a232d18a572 100644
--- a/modules/services/security/fail2ban.nix
+++ b/modules/services/security/fail2ban.nix
@@ -118,6 +118,7 @@ in
           { ExecStart = "${pkgs.fail2ban}/bin/fail2ban-server -f";
             ReadOnlyDirectories = "/";
             ReadWriteDirectories = "/var/run/fail2ban";
+            CapabilityBoundingSet="CAP_DAC_READ_SEARCH CAP_NET_ADMIN CAP_NET_RAW";
           };
 
         postStart =