···
cfg = config.services.sshguard;
···
22
-
++ (map (name: "-t ${escapeShellArg name}") cfg.services)
19
+
++ (map (name: "-t ${lib.escapeShellArg name}") cfg.services)
backend = if config.networking.nftables.enable then "sshg-fw-nft-sets" else "sshg-fw-ipset";
···
36
+
enable = lib.mkOption {
38
+
type = lib.types.bool;
description = "Whether to enable the sshguard service.";
45
-
attack_threshold = mkOption {
42
+
attack_threshold = lib.mkOption {
44
+
type = lib.types.int;
Block attackers when their cumulative attack score exceeds threshold. Most attacks have a score of 10.
53
-
blacklist_threshold = mkOption {
50
+
blacklist_threshold = lib.mkOption {
56
-
type = types.nullOr types.int;
53
+
type = lib.types.nullOr lib.types.int;
Blacklist an attacker when its score exceeds threshold. Blacklisted addresses are loaded from and added to blacklist-file.
62
-
blacklist_file = mkOption {
59
+
blacklist_file = lib.mkOption {
default = "/var/lib/sshguard/blacklist.db";
61
+
type = lib.types.path;
Blacklist an attacker when its score exceeds threshold. Blacklisted addresses are loaded from and added to blacklist-file.
70
-
blocktime = mkOption {
67
+
blocktime = lib.mkOption {
69
+
type = lib.types.int;
Block attackers for initially blocktime seconds after exceeding threshold. Subsequent blocks increase by a factor of 1.5.
···
80
-
detection_time = mkOption {
77
+
detection_time = lib.mkOption {
79
+
type = lib.types.int;
Remember potential attackers for up to detection_time seconds before resetting their score.
88
-
whitelist = mkOption {
85
+
whitelist = lib.mkOption {
94
-
type = types.listOf types.str;
91
+
type = lib.types.listOf lib.types.str;
Whitelist a list of addresses, hostnames, or address blocks.
100
-
services = mkOption {
97
+
services = lib.mkOption {
106
-
type = types.listOf types.str;
103
+
type = lib.types.listOf lib.types.str;
Systemd services sshguard should receive logs of.
···
116
-
config = mkIf cfg.enable {
113
+
config = lib.mkIf cfg.enable {
environment.etc."sshguard.conf".source = configFile;
···
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
125
-
partOf = optional config.networking.firewall.enable "firewall.service";
122
+
partOf = lib.optional config.networking.firewall.enable "firewall.service";
restartTriggers = [ configFile ];
···
# of the ipsets. So instead, we create both the ipsets and
# firewall rules before sshguard starts.
152
-
optionalString config.networking.firewall.enable ''
149
+
lib.optionalString config.networking.firewall.enable ''
${pkgs.ipset}/bin/ipset -quiet create -exist sshguard4 hash:net family inet
${pkgs.iptables}/bin/iptables -I INPUT -m set --match-set sshguard4 src -j DROP
156
-
+ optionalString (config.networking.firewall.enable && config.networking.enableIPv6) ''
153
+
+ lib.optionalString (config.networking.firewall.enable && config.networking.enableIPv6) ''
${pkgs.ipset}/bin/ipset -quiet create -exist sshguard6 hash:net family inet6
${pkgs.iptables}/bin/ip6tables -I INPUT -m set --match-set sshguard6 src -j DROP
162
-
optionalString config.networking.firewall.enable ''
159
+
lib.optionalString config.networking.firewall.enable ''
${pkgs.iptables}/bin/iptables -D INPUT -m set --match-set sshguard4 src -j DROP
${pkgs.ipset}/bin/ipset -quiet destroy sshguard4
166
-
+ optionalString (config.networking.firewall.enable && config.networking.enableIPv6) ''
163
+
+ lib.optionalString (config.networking.firewall.enable && config.networking.enableIPv6) ''
${pkgs.iptables}/bin/ip6tables -D INPUT -m set --match-set sshguard6 src -j DROP
${pkgs.ipset}/bin/ipset -quiet destroy sshguard6
···
"-a ${toString cfg.attack_threshold}"
"-p ${toString cfg.blocktime}"
"-s ${toString cfg.detection_time}"
179
+
(lib.optionalString (
cfg.blacklist_threshold != null
) "-b ${toString cfg.blacklist_threshold}:${cfg.blacklist_file}")
186
-
++ (map (name: "-w ${escapeShellArg name}") cfg.whitelist)
183
+
++ (map (name: "-w ${lib.escapeShellArg name}") cfg.whitelist)
"${pkgs.sshguard}/bin/sshguard ${args}";
pyrox.dev