commit 5f2a8deb170dc388ff28878ceee994fb58212339 · pyrox.dev/nixpkgs

+18 -14
nixos/modules/services/security/sshguard.nix
···

       5
       5
        
       let

     

       6
       6
        
         cfg = config.services.sshguard;

     

       7
       7
        
       

     

       8
       8
       +
         configFile = let

     

       9
       9
       +
           args = lib.concatStringsSep " " ([

     

       10
       10
       +
             "-afb"

     

       11
       11
       +
             "-p info"

     

       12
       12
       +
             "-o cat"

     

       13
       13
       +
             "-n1"

     

       14
       14
       +
           ] ++ (map (name: "-t ${escapeShellArg name}") cfg.services));

     

       15
       15
       +
           backend = if config.networking.nftables.enable

     

       16
       16
       +
             then "sshg-fw-nft-sets"

     

       17
       17
       +
             else "sshg-fw-ipset";

     

       18
       18
       +
         in pkgs.writeText "sshguard.conf" ''

     

       19
       19
       +
           BACKEND="${pkgs.sshguard}/libexec/${backend}"

     

       20
       20
       +
           LOGREADER="LANG=C ${pkgs.systemd}/bin/journalctl ${args}"

     

       21
       21
       +
         '';

     

       22
       22
       +
       

     

       8
       23
        
       in {

     

       9
       24
        
       

     

       10
       25
        
         ###### interface

     
···

       85
       100
        
       

     

       86
       101
        
         config = mkIf cfg.enable {

     

       87
       102
        
       

     

       88
       88
       -
           environment.etc."sshguard.conf".text = let

     

       89
       89
       -
             args = lib.concatStringsSep " " ([

     

       90
       90
       -
               "-afb"

     

       91
       91
       -
               "-p info"

     

       92
       92
       -
               "-o cat"

     

       93
       93
       -
               "-n1"

     

       94
       94
       -
             ] ++ (map (name: "-t ${escapeShellArg name}") cfg.services));

     

       95
       95
       -
             backend = if config.networking.nftables.enable

     

       96
       96
       -
               then "sshg-fw-nft-sets"

     

       97
       97
       -
               else "sshg-fw-ipset";

     

       98
       98
       -
           in ''

     

       99
       99
       -
             BACKEND="${pkgs.sshguard}/libexec/${backend}"

     

       100
       100
       -
             LOGREADER="LANG=C ${pkgs.systemd}/bin/journalctl ${args}"

     

       101
       101
       -
           '';

     

       103
       103
       +
           environment.etc."sshguard.conf".source = configFile;

     

       102
       104
        
       

     

       103
       105
        
           systemd.services.sshguard = {

     

       104
       106
        
             description = "SSHGuard brute-force attacks protection system";

     
···

       106
       108
        
             wantedBy = [ "multi-user.target" ];

     

       107
       109
        
             after = [ "network.target" ];

     

       108
       110
        
             partOf = optional config.networking.firewall.enable "firewall.service";

     

       111
       111
       +
       

     

       112
       112
       +
             restartTriggers = [ configFile ];

     

       109
       113
        
       

     

       110
       114
        
             path = with pkgs; if config.networking.nftables.enable

     

       111
       115
        
               then [ nftables iproute2 systemd ]