From afb6fe2ffffbcb864ca4df92635fb9fd473cc2e1 Mon Sep 17 00:00:00 2001
From: pennae
Date: Sat, 24 Apr 2021 18:14:56 +0200
Subject: [PATCH] nixos/fail2ban: add extraPackages option

some ban actions need additional packages (eg ipset). since actions can be provided by the user we need something general that's easy to configure. we could also enable ipset regardless of the actual configuration of the system if the iptables firewall is in use (like sshguard does), but that seems very clumsy and wouldn't easily solve the binary-not-found problems other actions may also have.

---
 nixos/modules/services/security/fail2ban.nix | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/nixos/modules/services/security/fail2ban.nix b/nixos/modules/services/security/fail2ban.nix
index 22abbb518ff..0c24972823d 100644
--- a/nixos/modules/services/security/fail2ban.nix
+++ b/nixos/modules/services/security/fail2ban.nix
@@ -62,6 +62,16 @@ in
 description = "The firewall package used by fail2ban service.";
 };
 
+ extraPackages = mkOption {
+ default = [];
+ type = types.listOf types.package;
+ example = lib.literalExample "[ pkgs.ipset ]";
+ description = ''
+ Extra packages to be made available to the fail2ban service. The example contains
+ the packages needed by the `iptables-ipset-proto6` action.
+ '';
+ };
+
 maxretry = mkOption {
 default = 3;
 type = types.ints.unsigned;
@@ -249,7 +259,7 @@ in
 restartTriggers = [ fail2banConf jailConf pathsConf ];
 reloadIfChanged = true;
 
- path = [ cfg.package cfg.packageFirewall pkgs.iproute2 ];
+ path = [ cfg.package cfg.packageFirewall pkgs.iproute2 ] ++ cfg.extraPackages;
 
 unitConfig.Documentation = "man:fail2ban(1)";
 
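Review bot: The description of the new `extraPackages` option in the first hunk says the packages are "made available to the fail2ban service" without saying how, while the second hunk shows they are appended to the unit's `path`, i.e. put on the service's PATH after `cfg.package`, `cfg.packageFirewall` and `pkgs.iproute2`, so they cannot shadow those binaries. Stating that helps anyone debugging a binary-not-found action: `Extra packages to put on the PATH of the fail2ban service (appended after the fail2ban, firewall and iproute2 packages).` Unless this module opts into Markdown descriptions, option descriptions at this point are DocBook, so the backticks around `iptables-ipset-proto6` will render literally; `<literal>iptables-ipset-proto6</literal>` is the matching markup. The enclosing options set starts and ends outside the hunk.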
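Review bot: With `reloadIfChanged = true;` kept two lines above the changed `path`, adding a package to `cfg.extraPackages` later changes the unit's PATH but, if I read the NixOS switch semantics right, only reloads the running daemon, which keeps its old environment and still cannot find the new binaries until a restart. If that trade-off is intended it deserves a comment beside the assignment, e.g. `# changes to extraPackages only take effect after a restart (see reloadIfChanged)`; otherwise the packages could be added to `restartTriggers` as well, or the option description could say so. The enclosing service definition starts and ends outside the hunk.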