fail2ban: move /var/run/fail2ban creation to activation script to be able to restrict the write locations for the service properly, add configuration files to the restartTriggers.

2024-11-01 15:11:25 +00:00 · 2013-07-31 11:22:32 +02:00 · 2013-07-31 11:22:32 +02:00 · 9cf0a41925
commit 9cf0a41925
parent 3ca7d7b291
1 changed files with 6 additions and 8 deletions
--- a/modules/services/security/fail2ban.nix
+++ b/modules/services/security/fail2ban.nix
@ -98,22 +98,20 @@ in
        }
      ];

+    system.activationScripts.fail2ban =
+      ''
+        mkdir -p /var/run/fail2ban -m 0755
+      '';
+
    systemd.services.fail2ban =
      { description = "Fail2ban intrusion prevention system";

        wantedBy = [ "multi-user.target" ];
        after = [ "network.target" ];
      
+        restartTriggers = [ fail2banConf jailConf ];
        path = [ pkgs.fail2ban pkgs.iptables ];
        
-        preStart =
-          ''
-            # FIXME: this won't detect changes to
-            # /etc/fail2ban/{filter.d,action.d}.
-            # ${fail2banConf} ${jailConf}
-            mkdir -p /var/run/fail2ban -m 0755
-          '';
-          
        serviceConfig =
          { ExecStart = "${pkgs.fail2ban}/bin/fail2ban-server -f";
            ReadOnlyDirectories = "/";