The fix for #62874 introduced a race condition on startup: the postStart
commands that configure the firewall run concurrently with sshguard's
creation of the ipsets that the rules depend on. Unfortunately iptables
fails hard when referencing an ipset that doesn't exist, so this causes
non-deterministic crashlooping until sshguard wins the race.
This change fixes that race condition by always creating the ipset and
reconfiguring the firewall before starting sshguard, so that the order
of operations is always deterministic.
This change also cleans up the ipsets on sshguard shutdown, so that
removing sshguard from a running system doesn't leave state behind.
Fixes#65985.
For some reason it doesn't seem to load things in the cache directory
properly without this slash.
Looks like this regression may have been introduced in:
commit 19851ec1fce3fabec3c6f951c3fb7d5814d24691
nixos/zoneminder: Fix nginx config check
Cc: Daniel Schaefer <git@danielschaefer.me>
Cc: Peter Hoeg <peter@hoeg.com>
Signed-off-by: William Casarin <jb55@jb55.com>
This adds a simple configuration for sending snapshots to a remote
system using zfs-replicate that ties into the autoSnapshot settings
already present in services.zfs.autoSnapshot.
The following configuration generates a systemd unit that doesn't
start.
```nix
{
services.syncthing = {
enable = true;
user = "my-user";
};
}
```
It fails with
```
systemd[1]: Started Syncthing service.
systemd[6745]: syncthing.service: Failed to determine group credentials: No such process
systemd[6745]: syncthing.service: Failed at step GROUP spawning /nix/store/n1ydz3i08nqp1ajc50ycy1zribmphqc9-syncthing-1.1.4-bin/bin/syncthing: No such process
systemd[1]: syncthing.service: Main process exited, code=exited, status=216/GROUP
systemd[1]: syncthing.service: Failed with result 'exit-code'.
```
This is due to the fact that `syncthing` group (default) is not
created if the user is overridden.
Add a separate check for setting up the default group, so that
user/group are created independently.
Upstream switched to a different type of ipset table, whereas we
create ipset in post-start which overrides upstream, and renders
sshguard ineffective.
Remove ipset creation from post-start, and let it get automatically
by upstream script (sshg-fw-ipset) as part of startup
