fail2ban: Update to 0.8.10

Also fix random start failures due to a race between the fail2ban
server and the postStart script.

nixos/modules/services/security/fail2ban.nix

@@ -32,7 +32,8 @@ in
             [Definition]
             loglevel  = 3
             logtarget = SYSLOG
-            socket    = /var/run/fail2ban/fail2ban.sock
+            socket    = /run/fail2ban/fail2ban.sock
+            pidfile   = /run/fail2ban/fail2ban.pid
           '';
         type = types.string;
         description =
@@ -83,25 +84,10 @@ in
 
     environment.systemPackages = [ pkgs.fail2ban ];
 
-    environment.etc =
+    environment.etc."fail2ban/fail2ban.conf".source = fail2banConf;
-      [ { source = fail2banConf;
+    environment.etc."fail2ban/jail.conf".source = jailConf;
-          target = "fail2ban/fail2ban.conf";
+    environment.etc."fail2ban/action.d".source = "${pkgs.fail2ban}/etc/fail2ban/action.d/*.conf";
-        }
+    environment.etc."fail2ban/filter.d".source = "${pkgs.fail2ban}/etc/fail2ban/filter.d/*.conf";
-        { source = jailConf;
-          target = "fail2ban/jail.conf";
-        }
-        { source = "${pkgs.fail2ban}/etc/fail2ban/action.d/*.conf";
-          target = "fail2ban/action.d";
-        }
-        { source = "${pkgs.fail2ban}/etc/fail2ban/filter.d/*.conf";
-          target = "fail2ban/filter.d";
-        }
-      ];
-
-    system.activationScripts.fail2ban =
-      ''
-        mkdir -p /var/run/fail2ban -m 0755
-      '';
 
     systemd.services.fail2ban =
       { description = "Fail2ban intrusion prevention system";
@@ -112,15 +98,27 @@ in
         restartTriggers = [ fail2banConf jailConf ];
         path = [ pkgs.fail2ban pkgs.iptables ];
 
+        preStart =
+          ''
+            mkdir -p /run/fail2ban -m 0755
+          '';
+
         serviceConfig =
           { ExecStart = "${pkgs.fail2ban}/bin/fail2ban-server -f";
             ReadOnlyDirectories = "/";
-            ReadWriteDirectories = "/var/run/fail2ban /var/tmp";
+            ReadWriteDirectories = "/run/fail2ban /var/tmp";
-            CapabilityBoundingSet="CAP_DAC_READ_SEARCH CAP_NET_ADMIN CAP_NET_RAW";
+            CapabilityBoundingSet = "CAP_DAC_READ_SEARCH CAP_NET_ADMIN CAP_NET_RAW";
           };
 
         postStart =
           ''
+            # Wait for the server to start listening.
+            for ((n = 0; n < 20; n++)); do
+              if fail2ban-client ping; then break; fi
+              sleep 0.5
+            done
+
+            # Reload its configuration.
             fail2ban-client reload
           '';
       };
@@ -137,7 +135,7 @@ in
       '';
 
     # Block SSH if there are too many failing connection attempts.
-    services.fail2ban.jails."ssh-iptables" =
+    services.fail2ban.jails.ssh-iptables =
       ''
         filter   = sshd
         action   = iptables[name=SSH, port=ssh, protocol=tcp]

pkgs/tools/security/fail2ban/default.nix

@@ -1,6 +1,6 @@
 { stdenv, fetchurl, pythonPackages, unzip, gamin }:
 
-let version = "0.8.6"; in
+let version = "0.8.10"; in
 
 pythonPackages.buildPythonPackage {
   name = "fail2ban-${version}";
@@ -9,7 +9,7 @@ pythonPackages.buildPythonPackage {
   src = fetchurl {
     url    = "https://github.com/fail2ban/fail2ban/zipball/${version}";
     name   = "fail2ban-${version}.zip";
-    sha256 = "0lbanfshr8kasa1bb7861w3mrm2d0c1bvv4s5703265s8zp5m284";
+    sha256 = "0zbjwnghpdnzan7hn40cjjh2r06p2ph5kblpm0w1r72djwsk67x9";
   };
 
   buildInputs = [ unzip ];
@@ -21,6 +21,7 @@ pythonPackages.buildPythonPackage {
       --replace /usr $out
 
     substituteInPlace setup.py \
+      --replace /usr $out \
       --replace /etc $out/etc \
       --replace /var $TMPDIR/var \