author | pennae <github@quasiparticle.net> | 2021-04-23 12:15:27 +0200 |
---|---|---|
committer | pennae <github@quasiparticle.net> | 2021-04-23 16:16:37 +0200 |
commit | 265d31bcbd6599c38499354bc5f111589814f101 (patch) | |
tree | 886239dd44085b1218c3de6527298ecfa634c01f /nixos | |
parent | 842f900e73c7ce985218cc4f455e34d1d56475c1 (diff) |
nixos/sshguard: restart sshguard when services/backend changes
backends changing shouldn't be very likely, but services may well change. we should restart sshguard from nixos-rebuild instead of merely plopping down a new config file and waiting for the user to restart sshguard.
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/modules/services/security/sshguard.nix | 32 |
1 files changed, 18 insertions, 14 deletions
diff --git a/nixos/modules/services/security/sshguard.nix b/nixos/modules/services/security/sshguard.nix index 033ff5ef4b5a2..53bd9efa5ac7b 100644 --- a/nixos/modules/services/security/sshguard.nix +++ b/nixos/modules/services/security/sshguard.nix @@ -5,6 +5,21 @@ with lib; let cfg = config.services.sshguard; + configFile = let + args = lib.concatStringsSep " " ([ + "-afb" + "-p info" + "-o cat" + "-n1" + ] ++ (map (name: "-t ${escapeShellArg name}") cfg.services)); + backend = if config.networking.nftables.enable + then "sshg-fw-nft-sets" + else "sshg-fw-ipset"; + in pkgs.writeText "sshguard.conf" '' + BACKEND="${pkgs.sshguard}/libexec/${backend}" + LOGREADER="LANG=C ${pkgs.systemd}/bin/journalctl ${args}" + ''; + in { ###### interface @@ -85,20 +100,7 @@ in { config = mkIf cfg.enable { - environment.etc."sshguard.conf".text = let - args = lib.concatStringsSep " " ([ - "-afb" - "-p info" - "-o cat" - "-n1" - ] ++ (map (name: "-t ${escapeShellArg name}") cfg.services)); - backend = if config.networking.nftables.enable - then "sshg-fw-nft-sets" - else "sshg-fw-ipset"; - in '' - BACKEND="${pkgs.sshguard}/libexec/${backend}" - LOGREADER="LANG=C ${pkgs.systemd}/bin/journalctl ${args}" - ''; + environment.etc."sshguard.conf".source = configFile; systemd.services.sshguard = { description = "SSHGuard brute-force attacks protection system"; @@ -107,6 +109,8 @@ in { after = [ "network.target" ]; partOf = optional config.networking.firewall.enable "firewall.service"; + restartTriggers = [ configFile ]; + path = with pkgs; if config.networking.nftables.enable then [ nftables iproute2 systemd ] else [ iptables ipset iproute2 systemd ]; |
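Review bot: `restartTriggers = [ configFile ]` fires on more than the services/backend change the title describes, because `configFile` also interpolates `${pkgs.sshguard}` and `${pkgs.systemd}`, so an upgrade of either package restarts the unit as well; that is reasonable but worth stating next to the line, e.g. `# configFile embeds the backend name and the sshguard/systemd store paths, so this also restarts on package upgrades`. If a restart flushes the backend's ipset/nft sets (the unit's stop hook is outside this hunk), every rebuild that changes the config also drops the currently blocked addresses until they re-trigger, which would be worth a sentence in the option documentation. Separately, the `-t` values go through `escapeShellArg` but are then embedded inside the double-quoted `LOGREADER="…"` assignment that sshguard's wrapper appears to read as shell, so a service name containing `"` or `$` would be interpreted at that outer layer before the single quotes take effect; `cfg.services` is administrator-set and the code is moved verbatim, so this is a pre-existing robustness point rather than an exposure. The enclosing `systemd.services.sshguard` attribute set continues past the hunk.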