nixos/sshguard: fix syslog ids, no more pid file, cleanups

1. Allow syslog identifiers with special characters 2. Do not write a pid file as we are running in foreground anyway 3. Clean up the module for readability Without this, when deploying using nixops, restarting sshguard would make nixops show an error about restarting the service although the service is actually being restarted.
2019-01-23 18:20:28 +08:00 · 2019-01-23 18:20:28 +08:00 · ee472e4521
parent bc41317e24
commit ee472e4521
1 changed files with 48 additions and 47 deletions
--- a/nixos/modules/services/security/sshguard.nix
+++ b/nixos/modules/services/security/sshguard.nix
@ -4,6 +4,7 @@ with lib;

 let
  cfg = config.services.sshguard;
+
 in {

  ###### interface
@ -77,36 +78,35 @@ in {
            Systemd services sshguard should receive logs of.
          '';
      };
-
    };
-
  };

-
  ###### implementation

  config = mkIf cfg.enable {

-    environment.systemPackages = [ pkgs.sshguard pkgs.iptables pkgs.ipset ];
-
    environment.etc."sshguard.conf".text = let
-        list_services = ( name:  "-t ${name} ");
+      args = lib.concatStringsSep " " ([
+        "-afb"
+        "-p info"
+        "-o cat"
+        "-n1"
+      ] ++ (map (name: "-t ${escapeShellArg name}") cfg.services));
    in ''
      BACKEND="${pkgs.sshguard}/libexec/sshg-fw-ipset"
-        LOGREADER="LANG=C ${pkgs.systemd}/bin/journalctl -afb -p info -n1 ${toString (map list_services cfg.services)} -o cat"
+      LOGREADER="LANG=C ${pkgs.systemd}/bin/journalctl ${args}"
    '';

-    systemd.services.sshguard =
-      { description = "SSHGuard brute-force attacks protection system";
+    systemd.services.sshguard = {
+      description = "SSHGuard brute-force attacks protection system";

      wantedBy = [ "multi-user.target" ];
      after = [ "network.target" ];
      partOf = optional config.networking.firewall.enable "firewall.service";

-        path = [ pkgs.iptables pkgs.ipset pkgs.iproute pkgs.systemd ];
+      path = with pkgs; [ iptables ipset iproute systemd ];

      postStart = ''
-          mkdir -p /var/lib/sshguard
        ${pkgs.ipset}/bin/ipset -quiet create -exist sshguard4 hash:ip family inet
        ${pkgs.ipset}/bin/ipset -quiet create -exist sshguard6 hash:ip family inet6
        ${pkgs.iptables}/bin/iptables  -I INPUT -m set --match-set sshguard4 src -j DROP
@ -123,15 +123,16 @@ in {
      serviceConfig = {
        Type = "simple";
        ExecStart = let
-                list_whitelist = ( name:  "-w ${name} ");
-              in ''
-                 ${pkgs.sshguard}/bin/sshguard -a ${toString cfg.attack_threshold} ${optionalString (cfg.blacklist_threshold != null) "-b ${toString cfg.blacklist_threshold}:${cfg.blacklist_file} "}-i /run/sshguard/sshguard.pid -p ${toString cfg.blocktime} -s ${toString cfg.detection_time} ${toString (map list_whitelist cfg.whitelist)}
-              '';
-            PIDFile = "/run/sshguard/sshguard.pid";
+          args = lib.concatStringsSep " " ([
+            "-a ${toString cfg.attack_threshold}"
+            "-p ${toString cfg.blocktime}"
+            "-s ${toString cfg.detection_time}"
+            (optionalString (cfg.blacklist_threshold != null) "-b ${toString cfg.blacklist_threshold}:${cfg.blacklist_file}")
+          ] ++ (map (name: "-w ${escapeShellArg name}") cfg.whitelist));
+        in "${pkgs.sshguard}/bin/sshguard ${args}";
        Restart = "always";
-
-            ReadOnlyDirectories = "/";
-            ReadWriteDirectories = "/run/sshguard /var/lib/sshguard";
+        ProtectSystem = "strict";
+        ProtectHome = "tmpfs";
        RuntimeDirectory = "sshguard";
        StateDirectory = "sshguard";
        CapabilityBoundingSet = "CAP_NET_ADMIN CAP_NET_RAW";