Merge pull request #120541 from pennae/fail2ban

nixos/fail2ban: add maxretry/extraPackages options

authored by

Luke Granger-Brown and committed by
GitHub
be598f39 20935f3e

+18 -2
+18 -2
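--- a/nixos/modules/services/security/fail2ban.nix
+++ b/nixos/modules/services/security/fail2ban.nix
@@ -62,6 +62,22 @@
 description = "The firewall package used by fail2ban service.";
 };
 
+extraPackages = mkOption {
+default = [];
+type = types.listOf types.package;
+example = lib.literalExample "[ pkgs.ipset ]";
+description = ''
+Extra packages to be made available to the fail2ban service. The example contains
+the packages needed by the `iptables-ipset-proto6` action.
+'';
+};
+
+maxretry = mkOption {
+default = 3;
+type = types.ints.unsigned;
+description = "Number of failures before a host gets banned.";
+};
+
 banaction = mkOption {
 default = "iptables-multiport";
 type = types.str;
@@ -243,7 +259,7 @@
 restartTriggers = [ fail2banConf jailConf pathsConf ];
 reloadIfChanged = true;
 
-path = [ cfg.package cfg.packageFirewall pkgs.iproute2 ];
+path = [ cfg.package cfg.packageFirewall pkgs.iproute2 ] ++ cfg.extraPackages;
 
 unitConfig.Documentation = "man:fail2ban(1)";
 
@@ -291,7 +307,7 @@
 ''}
 # Miscellaneous options
 ignoreip = 127.0.0.1/8 ${optionalString config.networking.enableIPv6 "::1"} ${concatStringsSep " " cfg.ignoreIP}
-maxretry = 3
+maxretry = ${toString cfg.maxretry}
 backend = systemd
 # Actions
 banaction = ${cfg.banaction}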
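Review bot: `type = types.ints.unsigned` on the new `maxretry` option admits 0, and neither the type nor the description says what a zero failure threshold means for banning; if fail2ban gives 0 no useful meaning here, `type = types.ints.positive;` would reject it at evaluation time, otherwise the description should spell out the semantics. The value is also written into the global part of the generated jail configuration (the third hunk emits `maxretry = ${toString cfg.maxretry}` next to `ignoreip` and `backend`), so the description should say it is a default that individual jails may still override — presumably through the module's existing jail settings, which should be confirmed against the rest of the file. The `extraPackages` description could state where the packages actually go, since the second hunk shows they are appended to the unit's `path`: `Extra packages appended to the fail2ban service's PATH, for tools invoked by ban actions; the example gives the package needed by the iptables-ipset-proto6 action.` The attribute sets these hunks modify begin and end outside the shown lines.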