talexander/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Releases Activity

nixos/services.sshguard: remove with lib;

Browse Source
This commit is contained in:
Felix Buehler 2024-12-29 21:50:38 +01:00
parent f956ab771b
commit 5d738347e5
1 changed files with 25 additions and 28 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

53
nixos/modules/services/security/sshguard.nix
View File

@ -4,9 +4,6 @@
pkgs, pkgs,
... ...
}: }:
with lib;
let let
cfg = config.services.sshguard; cfg = config.services.sshguard;
@ -19,7 +16,7 @@ let
"-o cat" "-o cat"
"-n1" "-n1"
] ]
++ (map (name: "-t ${escapeShellArg name}") cfg.services) ++ (map (name: "-t ${lib.escapeShellArg name}") cfg.services)
); );
backend = if config.networking.nftables.enable then "sshg-fw-nft-sets" else "sshg-fw-ipset"; backend = if config.networking.nftables.enable then "sshg-fw-nft-sets" else "sshg-fw-ipset";
in in
@ -36,40 +33,40 @@ in
options = { options = {
services.sshguard = { services.sshguard = {
enable = mkOption { enable = lib.mkOption {
default = false; default = false;
type = types.bool; type = lib.types.bool;
description = "Whether to enable the sshguard service."; description = "Whether to enable the sshguard service.";
}; };
attack_threshold = mkOption { attack_threshold = lib.mkOption {
default = 30; default = 30;
type = types.int; type = lib.types.int;
description = '' description = ''
Block attackers when their cumulative attack score exceeds threshold. Most attacks have a score of 10. Block attackers when their cumulative attack score exceeds threshold. Most attacks have a score of 10.
''; '';
}; };
blacklist_threshold = mkOption { blacklist_threshold = lib.mkOption {
default = null; default = null;
example = 120; example = 120;
type = types.nullOr types.int; type = lib.types.nullOr lib.types.int;
description = '' description = ''
Blacklist an attacker when its score exceeds threshold. Blacklisted addresses are loaded from and added to blacklist-file. Blacklist an attacker when its score exceeds threshold. Blacklisted addresses are loaded from and added to blacklist-file.
''; '';
}; };
blacklist_file = mkOption { blacklist_file = lib.mkOption {
default = "/var/lib/sshguard/blacklist.db"; default = "/var/lib/sshguard/blacklist.db";
type = types.path; type = lib.types.path;
description = '' description = ''
Blacklist an attacker when its score exceeds threshold. Blacklisted addresses are loaded from and added to blacklist-file. Blacklist an attacker when its score exceeds threshold. Blacklisted addresses are loaded from and added to blacklist-file.
''; '';
}; };
blocktime = mkOption { blocktime = lib.mkOption {
default = 120; default = 120;
type = types.int; type = lib.types.int;
description = '' description = ''
Block attackers for initially blocktime seconds after exceeding threshold. Subsequent blocks increase by a factor of 1.5. Block attackers for initially blocktime seconds after exceeding threshold. Subsequent blocks increase by a factor of 1.5.
@ -77,33 +74,33 @@ in
''; '';
}; };
detection_time = mkOption { detection_time = lib.mkOption {
default = 1800; default = 1800;
type = types.int; type = lib.types.int;
description = '' description = ''
Remember potential attackers for up to detection_time seconds before resetting their score. Remember potential attackers for up to detection_time seconds before resetting their score.
''; '';
}; };
whitelist = mkOption { whitelist = lib.mkOption {
default = [ ]; default = [ ];
example = [ example = [
"198.51.100.56" "198.51.100.56"
"198.51.100.2" "198.51.100.2"
]; ];
type = types.listOf types.str; type = lib.types.listOf lib.types.str;
description = '' description = ''
Whitelist a list of addresses, hostnames, or address blocks. Whitelist a list of addresses, hostnames, or address blocks.
''; '';
}; };
services = mkOption { services = lib.mkOption {
default = [ "sshd" ]; default = [ "sshd" ];
example = [ example = [
"sshd" "sshd"
"exim" "exim"
]; ];
type = types.listOf types.str; type = lib.types.listOf lib.types.str;
description = '' description = ''
Systemd services sshguard should receive logs of. Systemd services sshguard should receive logs of.
''; '';
@ -113,7 +110,7 @@ in
###### implementation ###### implementation
config = mkIf cfg.enable { config = lib.mkIf cfg.enable {
environment.etc."sshguard.conf".source = configFile; environment.etc."sshguard.conf".source = configFile;
@ -122,7 +119,7 @@ in
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
after = [ "network.target" ]; after = [ "network.target" ];
partOf = optional config.networking.firewall.enable "firewall.service"; partOf = lib.optional config.networking.firewall.enable "firewall.service";
restartTriggers = [ configFile ]; restartTriggers = [ configFile ];
@ -149,21 +146,21 @@ in
# of the ipsets. So instead, we create both the ipsets and # of the ipsets. So instead, we create both the ipsets and
# firewall rules before sshguard starts. # firewall rules before sshguard starts.
preStart = preStart =
optionalString config.networking.firewall.enable '' lib.optionalString config.networking.firewall.enable ''
${pkgs.ipset}/bin/ipset -quiet create -exist sshguard4 hash:net family inet ${pkgs.ipset}/bin/ipset -quiet create -exist sshguard4 hash:net family inet
${pkgs.iptables}/bin/iptables -I INPUT -m set --match-set sshguard4 src -j DROP ${pkgs.iptables}/bin/iptables -I INPUT -m set --match-set sshguard4 src -j DROP
'' ''
+ optionalString (config.networking.firewall.enable && config.networking.enableIPv6) '' + lib.optionalString (config.networking.firewall.enable && config.networking.enableIPv6) ''
${pkgs.ipset}/bin/ipset -quiet create -exist sshguard6 hash:net family inet6 ${pkgs.ipset}/bin/ipset -quiet create -exist sshguard6 hash:net family inet6
${pkgs.iptables}/bin/ip6tables -I INPUT -m set --match-set sshguard6 src -j DROP ${pkgs.iptables}/bin/ip6tables -I INPUT -m set --match-set sshguard6 src -j DROP
''; '';
postStop = postStop =
optionalString config.networking.firewall.enable '' lib.optionalString config.networking.firewall.enable ''
${pkgs.iptables}/bin/iptables -D INPUT -m set --match-set sshguard4 src -j DROP ${pkgs.iptables}/bin/iptables -D INPUT -m set --match-set sshguard4 src -j DROP
${pkgs.ipset}/bin/ipset -quiet destroy sshguard4 ${pkgs.ipset}/bin/ipset -quiet destroy sshguard4
'' ''
+ optionalString (config.networking.firewall.enable && config.networking.enableIPv6) '' + lib.optionalString (config.networking.firewall.enable && config.networking.enableIPv6) ''
${pkgs.iptables}/bin/ip6tables -D INPUT -m set --match-set sshguard6 src -j DROP ${pkgs.iptables}/bin/ip6tables -D INPUT -m set --match-set sshguard6 src -j DROP
${pkgs.ipset}/bin/ipset -quiet destroy sshguard6 ${pkgs.ipset}/bin/ipset -quiet destroy sshguard6
''; '';
@ -179,11 +176,11 @@ in
"-a ${toString cfg.attack_threshold}" "-a ${toString cfg.attack_threshold}"
"-p ${toString cfg.blocktime}" "-p ${toString cfg.blocktime}"
"-s ${toString cfg.detection_time}" "-s ${toString cfg.detection_time}"
(optionalString ( (lib.optionalString (
cfg.blacklist_threshold != null cfg.blacklist_threshold != null
) "-b ${toString cfg.blacklist_threshold}:${cfg.blacklist_file}") ) "-b ${toString cfg.blacklist_threshold}:${cfg.blacklist_file}")
] ]
++ (map (name: "-w ${escapeShellArg name}") cfg.whitelist) ++ (map (name: "-w ${lib.escapeShellArg name}") cfg.whitelist)
); );
in in
"${pkgs.sshguard}/bin/sshguard ${args}"; "${pkgs.sshguard}/bin/sshguard ${args}";