pyrox.dev / nixpkgs
lol
fork atom

nixos/services.sshguard: remove `with lib;`

Felix Buehler 5d738347 f956ab77

options
unified split
Changed files
+25 -28
nixos
modules
services
security
sshguard.nix
+25 -28
nixos/modules/services/security/sshguard.nix 
···

       
4

       
 

       
  pkgs,


     

       
5

       
 

       
  ...


     

       
6

       
 

       
}:


     

       
7

       
-

       



     

       
8

       
-

       
with lib;


     

       
9

       
-

       



     

       
10

       
 

       
let


     

       
11

       
 

       
  cfg = config.services.sshguard;


     

       
12

       
 

       



     
···

       
19

       
 

       
          "-o cat"


     

       
20

       
 

       
          "-n1"


     

       
21

       
 

       
        ]


     

       
22

       
-

       
        ++ (map (name: "-t ${escapeShellArg name}") cfg.services)


     

       
23

       
 

       
      );


     

       
24

       
 

       
      backend = if config.networking.nftables.enable then "sshg-fw-nft-sets" else "sshg-fw-ipset";


     

       
25

       
 

       
    in


     
···

       
36

       
 

       
  options = {


     

       
37

       
 

       



     

       
38

       
 

       
    services.sshguard = {


     

       
39

       
-

       
      enable = mkOption {


     

       
40

       
 

       
        default = false;


     

       
41

       
-

       
        type = types.bool;


     

       
42

       
 

       
        description = "Whether to enable the sshguard service.";


     

       
43

       
 

       
      };


     

       
44

       
 

       



     

       
45

       
-

       
      attack_threshold = mkOption {


     

       
46

       
 

       
        default = 30;


     

       
47

       
-

       
        type = types.int;


     

       
48

       
 

       
        description = ''


     

       
49

       
 

       
          Block attackers when their cumulative attack score exceeds threshold. Most attacks have a score of 10.


     

       
50

       
 

       
        '';


     

       
51

       
 

       
      };


     

       
52

       
 

       



     

       
53

       
-

       
      blacklist_threshold = mkOption {


     

       
54

       
 

       
        default = null;


     

       
55

       
 

       
        example = 120;


     

       
56

       
-

       
        type = types.nullOr types.int;


     

       
57

       
 

       
        description = ''


     

       
58

       
 

       
          Blacklist an attacker when its score exceeds threshold. Blacklisted addresses are loaded from and added to blacklist-file.


     

       
59

       
 

       
        '';


     

       
60

       
 

       
      };


     

       
61

       
 

       



     

       
62

       
-

       
      blacklist_file = mkOption {


     

       
63

       
 

       
        default = "/var/lib/sshguard/blacklist.db";


     

       
64

       
-

       
        type = types.path;


     

       
65

       
 

       
        description = ''


     

       
66

       
 

       
          Blacklist an attacker when its score exceeds threshold. Blacklisted addresses are loaded from and added to blacklist-file.


     

       
67

       
 

       
        '';


     

       
68

       
 

       
      };


     

       
69

       
 

       



     

       
70

       
-

       
      blocktime = mkOption {


     

       
71

       
 

       
        default = 120;


     

       
72

       
-

       
        type = types.int;


     

       
73

       
 

       
        description = ''


     

       
74

       
 

       
          Block attackers for initially blocktime seconds after exceeding threshold. Subsequent blocks increase by a factor of 1.5.


     

       
75

       
 

       



     
···

       
77

       
 

       
        '';


     

       
78

       
 

       
      };


     

       
79

       
 

       



     

       
80

       
-

       
      detection_time = mkOption {


     

       
81

       
 

       
        default = 1800;


     

       
82

       
-

       
        type = types.int;


     

       
83

       
 

       
        description = ''


     

       
84

       
 

       
          Remember potential attackers for up to detection_time seconds before resetting their score.


     

       
85

       
 

       
        '';


     

       
86

       
 

       
      };


     

       
87

       
 

       



     

       
88

       
-

       
      whitelist = mkOption {


     

       
89

       
 

       
        default = [ ];


     

       
90

       
 

       
        example = [


     

       
91

       
 

       
          "198.51.100.56"


     

       
92

       
 

       
          "198.51.100.2"


     

       
93

       
 

       
        ];


     

       
94

       
-

       
        type = types.listOf types.str;


     

       
95

       
 

       
        description = ''


     

       
96

       
 

       
          Whitelist a list of addresses, hostnames, or address blocks.


     

       
97

       
 

       
        '';


     

       
98

       
 

       
      };


     

       
99

       
 

       



     

       
100

       
-

       
      services = mkOption {


     

       
101

       
 

       
        default = [ "sshd" ];


     

       
102

       
 

       
        example = [


     

       
103

       
 

       
          "sshd"


     

       
104

       
 

       
          "exim"


     

       
105

       
 

       
        ];


     

       
106

       
-

       
        type = types.listOf types.str;


     

       
107

       
 

       
        description = ''


     

       
108

       
 

       
          Systemd services sshguard should receive logs of.


     

       
109

       
 

       
        '';


     
···

       
113

       
 

       



     

       
114

       
 

       
  ###### implementation


     

       
115

       
 

       



     

       
116

       
-

       
  config = mkIf cfg.enable {


     

       
117

       
 

       



     

       
118

       
 

       
    environment.etc."sshguard.conf".source = configFile;


     

       
119

       
 

       



     
···

       
122

       
 

       



     

       
123

       
 

       
      wantedBy = [ "multi-user.target" ];


     

       
124

       
 

       
      after = [ "network.target" ];


     

       
125

       
-

       
      partOf = optional config.networking.firewall.enable "firewall.service";


     

       
126

       
 

       



     

       
127

       
 

       
      restartTriggers = [ configFile ];


     

       
128

       
 

       



     
···

       
149

       
 

       
      # of the ipsets. So instead, we create both the ipsets and


     

       
150

       
 

       
      # firewall rules before sshguard starts.


     

       
151

       
 

       
      preStart =


     

       
152

       
-

       
        optionalString config.networking.firewall.enable ''


     

       
153

       
 

       
          ${pkgs.ipset}/bin/ipset -quiet create -exist sshguard4 hash:net family inet


     

       
154

       
 

       
          ${pkgs.iptables}/bin/iptables  -I INPUT -m set --match-set sshguard4 src -j DROP


     

       
155

       
 

       
        ''


     

       
156

       
-

       
        + optionalString (config.networking.firewall.enable && config.networking.enableIPv6) ''


     

       
157

       
 

       
          ${pkgs.ipset}/bin/ipset -quiet create -exist sshguard6 hash:net family inet6


     

       
158

       
 

       
          ${pkgs.iptables}/bin/ip6tables -I INPUT -m set --match-set sshguard6 src -j DROP


     

       
159

       
 

       
        '';


     

       
160

       
 

       



     

       
161

       
 

       
      postStop =


     

       
162

       
-

       
        optionalString config.networking.firewall.enable ''


     

       
163

       
 

       
          ${pkgs.iptables}/bin/iptables  -D INPUT -m set --match-set sshguard4 src -j DROP


     

       
164

       
 

       
          ${pkgs.ipset}/bin/ipset -quiet destroy sshguard4


     

       
165

       
 

       
        ''


     

       
166

       
-

       
        + optionalString (config.networking.firewall.enable && config.networking.enableIPv6) ''


     

       
167

       
 

       
          ${pkgs.iptables}/bin/ip6tables -D INPUT -m set --match-set sshguard6 src -j DROP


     

       
168

       
 

       
          ${pkgs.ipset}/bin/ipset -quiet destroy sshguard6


     

       
169

       
 

       
        '';


     
···

       
179

       
 

       
                "-a ${toString cfg.attack_threshold}"


     

       
180

       
 

       
                "-p ${toString cfg.blocktime}"


     

       
181

       
 

       
                "-s ${toString cfg.detection_time}"


     

       
182

       
-

       
                (optionalString (


     

       
183

       
 

       
                  cfg.blacklist_threshold != null


     

       
184

       
 

       
                ) "-b ${toString cfg.blacklist_threshold}:${cfg.blacklist_file}")


     

       
185

       
 

       
              ]


     

       
186

       
-

       
              ++ (map (name: "-w ${escapeShellArg name}") cfg.whitelist)


     

       
187

       
 

       
            );


     

       
188

       
 

       
          in


     

       
189

       
 

       
          "${pkgs.sshguard}/bin/sshguard ${args}";


     
···

       
4

       
 

       
  pkgs,


     

       
5

       
 

       
  ...


     

       
6

       
 

       
}:


     

       

       

       
     

       

       

       
     

       

       

       
     

       
7

       
 

       
let


     

       
8

       
 

       
  cfg = config.services.sshguard;


     

       
9

       
 

       



     
···

       
16

       
 

       
          "-o cat"


     

       
17

       
 

       
          "-n1"


     

       
18

       
 

       
        ]


     

       
19

       
+

       
        ++ (map (name: "-t ${lib.escapeShellArg name}") cfg.services)


     

       
20

       
 

       
      );


     

       
21

       
 

       
      backend = if config.networking.nftables.enable then "sshg-fw-nft-sets" else "sshg-fw-ipset";


     

       
22

       
 

       
    in


     
···

       
33

       
 

       
  options = {


     

       
34

       
 

       



     

       
35

       
 

       
    services.sshguard = {


     

       
36

       
+

       
      enable = lib.mkOption {


     

       
37

       
 

       
        default = false;


     

       
38

       
+

       
        type = lib.types.bool;


     

       
39

       
 

       
        description = "Whether to enable the sshguard service.";


     

       
40

       
 

       
      };


     

       
41

       
 

       



     

       
42

       
+

       
      attack_threshold = lib.mkOption {


     

       
43

       
 

       
        default = 30;


     

       
44

       
+

       
        type = lib.types.int;


     

       
45

       
 

       
        description = ''


     

       
46

       
 

       
          Block attackers when their cumulative attack score exceeds threshold. Most attacks have a score of 10.


     

       
47

       
 

       
        '';


     

       
48

       
 

       
      };


     

       
49

       
 

       



     

       
50

       
+

       
      blacklist_threshold = lib.mkOption {


     

       
51

       
 

       
        default = null;


     

       
52

       
 

       
        example = 120;


     

       
53

       
+

       
        type = lib.types.nullOr lib.types.int;


     

       
54

       
 

       
        description = ''


     

       
55

       
 

       
          Blacklist an attacker when its score exceeds threshold. Blacklisted addresses are loaded from and added to blacklist-file.


     

       
56

       
 

       
        '';


     

       
57

       
 

       
      };


     

       
58

       
 

       



     

       
59

       
+

       
      blacklist_file = lib.mkOption {


     

       
60

       
 

       
        default = "/var/lib/sshguard/blacklist.db";


     

       
61

       
+

       
        type = lib.types.path;


     

       
62

       
 

       
        description = ''


     

       
63

       
 

       
          Blacklist an attacker when its score exceeds threshold. Blacklisted addresses are loaded from and added to blacklist-file.


     

       
64

       
 

       
        '';


     

       
65

       
 

       
      };


     

       
66

       
 

       



     

       
67

       
+

       
      blocktime = lib.mkOption {


     

       
68

       
 

       
        default = 120;


     

       
69

       
+

       
        type = lib.types.int;


     

       
70

       
 

       
        description = ''


     

       
71

       
 

       
          Block attackers for initially blocktime seconds after exceeding threshold. Subsequent blocks increase by a factor of 1.5.


     

       
72

       
 

       



     
···

       
74

       
 

       
        '';


     

       
75

       
 

       
      };


     

       
76

       
 

       



     

       
77

       
+

       
      detection_time = lib.mkOption {


     

       
78

       
 

       
        default = 1800;


     

       
79

       
+

       
        type = lib.types.int;


     

       
80

       
 

       
        description = ''


     

       
81

       
 

       
          Remember potential attackers for up to detection_time seconds before resetting their score.


     

       
82

       
 

       
        '';


     

       
83

       
 

       
      };


     

       
84

       
 

       



     

       
85

       
+

       
      whitelist = lib.mkOption {


     

       
86

       
 

       
        default = [ ];


     

       
87

       
 

       
        example = [


     

       
88

       
 

       
          "198.51.100.56"


     

       
89

       
 

       
          "198.51.100.2"


     

       
90

       
 

       
        ];


     

       
91

       
+

       
        type = lib.types.listOf lib.types.str;


     

       
92

       
 

       
        description = ''


     

       
93

       
 

       
          Whitelist a list of addresses, hostnames, or address blocks.


     

       
94

       
 

       
        '';


     

       
95

       
 

       
      };


     

       
96

       
 

       



     

       
97

       
+

       
      services = lib.mkOption {


     

       
98

       
 

       
        default = [ "sshd" ];


     

       
99

       
 

       
        example = [


     

       
100

       
 

       
          "sshd"


     

       
101

       
 

       
          "exim"


     

       
102

       
 

       
        ];


     

       
103

       
+

       
        type = lib.types.listOf lib.types.str;


     

       
104

       
 

       
        description = ''


     

       
105

       
 

       
          Systemd services sshguard should receive logs of.


     

       
106

       
 

       
        '';


     
···

       
110

       
 

       



     

       
111

       
 

       
  ###### implementation


     

       
112

       
 

       



     

       
113

       
+

       
  config = lib.mkIf cfg.enable {


     

       
114

       
 

       



     

       
115

       
 

       
    environment.etc."sshguard.conf".source = configFile;


     

       
116

       
 

       



     
···

       
119

       
 

       



     

       
120

       
 

       
      wantedBy = [ "multi-user.target" ];


     

       
121

       
 

       
      after = [ "network.target" ];


     

       
122

       
+

       
      partOf = lib.optional config.networking.firewall.enable "firewall.service";


     

       
123

       
 

       



     

       
124

       
 

       
      restartTriggers = [ configFile ];


     

       
125

       
 

       



     
···

       
146

       
 

       
      # of the ipsets. So instead, we create both the ipsets and


     

       
147

       
 

       
      # firewall rules before sshguard starts.


     

       
148

       
 

       
      preStart =


     

       
149

       
+

       
        lib.optionalString config.networking.firewall.enable ''


     

       
150

       
 

       
          ${pkgs.ipset}/bin/ipset -quiet create -exist sshguard4 hash:net family inet


     

       
151

       
 

       
          ${pkgs.iptables}/bin/iptables  -I INPUT -m set --match-set sshguard4 src -j DROP


     

       
152

       
 

       
        ''


     

       
153

       
+

       
        + lib.optionalString (config.networking.firewall.enable && config.networking.enableIPv6) ''


     

       
154

       
 

       
          ${pkgs.ipset}/bin/ipset -quiet create -exist sshguard6 hash:net family inet6


     

       
155

       
 

       
          ${pkgs.iptables}/bin/ip6tables -I INPUT -m set --match-set sshguard6 src -j DROP


     

       
156

       
 

       
        '';


     

       
157

       
 

       



     

       
158

       
 

       
      postStop =


     

       
159

       
+

       
        lib.optionalString config.networking.firewall.enable ''


     

       
160

       
 

       
          ${pkgs.iptables}/bin/iptables  -D INPUT -m set --match-set sshguard4 src -j DROP


     

       
161

       
 

       
          ${pkgs.ipset}/bin/ipset -quiet destroy sshguard4


     

       
162

       
 

       
        ''


     

       
163

       
+

       
        + lib.optionalString (config.networking.firewall.enable && config.networking.enableIPv6) ''


     

       
164

       
 

       
          ${pkgs.iptables}/bin/ip6tables -D INPUT -m set --match-set sshguard6 src -j DROP


     

       
165

       
 

       
          ${pkgs.ipset}/bin/ipset -quiet destroy sshguard6


     

       
166

       
 

       
        '';


     
···

       
176

       
 

       
                "-a ${toString cfg.attack_threshold}"


     

       
177

       
 

       
                "-p ${toString cfg.blocktime}"


     

       
178

       
 

       
                "-s ${toString cfg.detection_time}"


     

       
179

       
+

       
                (lib.optionalString (


     

       
180

       
 

       
                  cfg.blacklist_threshold != null


     

       
181

       
 

       
                ) "-b ${toString cfg.blacklist_threshold}:${cfg.blacklist_file}")


     

       
182

       
 

       
              ]


     

       
183

       
+

       
              ++ (map (name: "-w ${lib.escapeShellArg name}") cfg.whitelist)


     

       
184

       
 

       
            );


     

       
185

       
 

       
          in


     

       
186

       
 

       
          "${pkgs.sshguard}/bin/sshguard ${args}";