From 9cf0a419251e8dc2234fb940e5f36301eb1fcd09 Mon Sep 17 00:00:00 2001
From: Rob Vermaas <rob.vermaas@gmail.com>
Date: Wed, 31 Jul 2013 11:22:32 +0200
Subject: [PATCH] fail2ban: move /var/run/fail2ban creation to activation
 script to be able to restrict the write locations for the service properly,
 add configuration files to the restartTriggers.

---
 modules/services/security/fail2ban.nix | 14 ++++++--------
 1 file changed, 6 insertions(+), 8 deletions(-)

diff --git a/modules/services/security/fail2ban.nix b/modules/services/security/fail2ban.nix
index ee57a41888b..2b2a54ef409 100644
--- a/modules/services/security/fail2ban.nix
+++ b/modules/services/security/fail2ban.nix
@@ -98,22 +98,20 @@ in
         }
       ];
 
+    system.activationScripts.fail2ban =
+      ''
+        mkdir -p /var/run/fail2ban -m 0755
+      '';
+
     systemd.services.fail2ban =
       { description = "Fail2ban intrusion prevention system";
 
         wantedBy = [ "multi-user.target" ];
         after = [ "network.target" ];
       
+        restartTriggers = [ fail2banConf jailConf ];
         path = [ pkgs.fail2ban pkgs.iptables ];
         
-        preStart =
-          ''
-            # FIXME: this won't detect changes to
-            # /etc/fail2ban/{filter.d,action.d}.
-            # ${fail2banConf} ${jailConf}
-            mkdir -p /var/run/fail2ban -m 0755
-          '';
-          
         serviceConfig =
           { ExecStart = "${pkgs.fail2ban}/bin/fail2ban-server -f";
             ReadOnlyDirectories = "/";