From 12db8314d734f9fbb2dc58dfe73c1b3410599b29 Mon Sep 17 00:00:00 2001
From: Flakebi
Date: Wed, 15 Feb 2023 10:11:38 +0100
Subject: [PATCH] fail2ban: 0.11.2 -> 1.0.2
Update to 1.0.2: https://github.com/fail2ban/fail2ban/blob/1.0.2/ChangeLog#ver-102-20221109---finally-war-game-test-tape-not-a-nuclear-alarm
1.0.1 contained a few breaking changes, but I think they have little impact. I changed the module to use the systemd service shipping with fail2ban (now added to the package).
---
 .../manual/release-notes/rl-2305.section.md | 2 ++
 nixos/modules/services/security/fail2ban.nix | 12 +------
 pkgs/tools/security/fail2ban/default.nix | 36 +++++--------------
 3 files changed, 12 insertions(+), 38 deletions(-)
diff --git a/nixos/doc/manual/release-notes/rl-2305.section.md b/nixos/doc/manual/release-notes/rl-2305.section.md
index c81cbc69f94..bcd277ba6f8 100644
--- a/nixos/doc/manual/release-notes/rl-2305.section.md
+++ b/nixos/doc/manual/release-notes/rl-2305.section.md
@@ -95,6 +95,8 @@ In addition to numerous new and upgraded packages, this release has the followin
 - The EC2 image module previously detected and activated swap-formatted instance store devices and partitions in stage-1 (initramfs). This behaviour has been removed. Users relying on this should provide their own implementation.
+- `fail2ban` has been updated to 1.0.2, which has a few breaking changes compared to 0.11.2 ([changelog for 1.0.1](https://github.com/fail2ban/fail2ban/blob/1.0.1/ChangeLog), [changelog for 1.0.2](https://github.com/fail2ban/fail2ban/blob/1.0.2/ChangeLog))
+
 - Calling `makeSetupHook` without passing a `name` argument is deprecated.
 - Qt 5.12 and 5.14 have been removed, as the corresponding branches have been EOL upstream for a long time. This affected under 10 packages in nixpkgs, largely unmaintained upstream as well, however, out-of-tree package expressions may need to be updated manually.
diff --git a/nixos/modules/services/security/fail2ban.nix b/nixos/modules/services/security/fail2ban.nix
index 3c4bcd1ac26..ead24d14707 100644
--- a/nixos/modules/services/security/fail2ban.nix
+++ b/nixos/modules/services/security/fail2ban.nix
@@ -273,26 +273,16 @@ in
 "fail2ban/filter.d".source = "${cfg.package}/etc/fail2ban/filter.d/*.conf";
 };
+ systemd.packages = [ cfg.package ];
 systemd.services.fail2ban = {
- description = "Fail2ban Intrusion Prevention System";
- wantedBy = [ "multi-user.target" ];
- after = [ "network.target" ];
 partOf = optional config.networking.firewall.enable "firewall.service";
 restartTriggers = [ fail2banConf jailConf pathsConf ];
 path = [ cfg.package cfg.packageFirewall pkgs.iproute2 ] ++ cfg.extraPackages;
- unitConfig.Documentation = "man:fail2ban(1)";
-
 serviceConfig = {
- ExecStart = "${cfg.package}/bin/fail2ban-server -xf start";
- ExecStop = "${cfg.package}/bin/fail2ban-server stop";
- ExecReload = "${cfg.package}/bin/fail2ban-server reload";
- Type = "simple";
- Restart = "on-failure";
- PIDFile = "/run/fail2ban/fail2ban.pid";
 # Capabilities
 CapabilityBoundingSet = [ "CAP_AUDIT_READ" "CAP_DAC_READ_SEARCH" "CAP_NET_ADMIN" "CAP_NET_RAW" ];
 # Security
diff --git a/pkgs/tools/security/fail2ban/default.nix b/pkgs/tools/security/fail2ban/default.nix
index daa0e847115..780f1b4dfb0 100644
--- a/pkgs/tools/security/fail2ban/default.nix
+++ b/pkgs/tools/security/fail2ban/default.nix
@@ -1,18 +1,17 @@
 { lib, stdenv, fetchFromGitHub
 , python3
-, fetchpatch
 , installShellFiles
 }:
 python3.pkgs.buildPythonApplication rec {
 pname = "fail2ban";
- version = "0.11.2";
+ version = "1.0.2";
 src = fetchFromGitHub {
 owner = "fail2ban";
 repo = "fail2ban";
 rev = version;
- sha256 = "q4U9iWCa1zg8sA+6pPNejt6v/41WGIKN5wITJCrCqQE=";
+ hash = "sha256-Zd8zLkFlvXTbeInEkNFyHgcAiOsX4WwF6hf5juSQvbY=";
 };
 outputs = [ "out" "man" ];
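Review bot: With `systemd.packages = [ cfg.package ];` replacing the explicit `ExecStart`/`ExecStop`/`ExecReload`/`Type`/`Restart`/`PIDFile` lines, the unit's whole `[Service]` command section now exists only if the package set in `cfg.package` (presumably the `services.fail2ban.package` option) ships `lib/systemd/system/fail2ban.service`; an override to any 0.11.x derivation, or to a package built without the new postInstall step, produces a fail2ban.service with no ExecStart that fails at activation rather than at evaluation. The option's description should state this requirement, e.g. `The package must provide lib/systemd/system/fail2ban.service; it is installed via systemd.packages and supplies ExecStart and PIDFile.`, and the `systemd.packages` line deserves the same one-line comment. The hunk also drops `PIDFile = "/run/fail2ban/fail2ban.pid"` while the package side strips the shipped unit's `ExecStartPre` that created that directory, so the rest of `serviceConfig` (it continues past the hunk) has to provide `/run/fail2ban`, e.g. `RuntimeDirectory = "fail2ban";` — worth confirming it is there. Likewise `wantedBy`, `after` and `Documentation` now rely on the upstream `[Unit]`/`[Install]` sections, which this hunk does not show.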
@@ -25,31 +24,13 @@ python3.pkgs.buildPythonApplication rec {
 pyinotify
 ];
- patches = [
- # remove references to use_2to3, for setuptools>=58
- # has been merged into master, remove next release
- (fetchpatch {
- url = "https://github.com/fail2ban/fail2ban/commit/5ac303df8a171f748330d4c645ccbf1c2c7f3497.patch";
- sha256 = "sha256-aozQJHwPcJTe/D/PLQzBk1YH3OAP6Qm7wO7cai5CVYI=";
- })
- # fix use of MutableMapping with Python >= 3.10
- # https://github.com/fail2ban/fail2ban/issues/3142
- (fetchpatch {
- url = "https://github.com/fail2ban/fail2ban/commit/294ec73f629d0e29cece3a1eb5dd60b6fccea41f.patch";
- sha256 = "sha256-Eimm4xjBDYNn5QdTyMqGgT5EXsZdd/txxcWJojXlsFE=";
- })
- ];
-
 preConfigure = ''
- # workaround for setuptools 58+
- # https://github.com/fail2ban/fail2ban/issues/3098
 patchShebangs fail2ban-2to3
 ./fail2ban-2to3
 for i in config/action.d/sendmail*.conf; do
 substituteInPlace $i \
- --replace /usr/sbin/sendmail sendmail \
- --replace /usr/bin/whois whois
+ --replace /usr/sbin/sendmail sendmail
 done
 substituteInPlace config/filter.d/dovecot.conf \
@@ -65,15 +46,17 @@ python3.pkgs.buildPythonApplication rec {
 ${python3.interpreter} setup.py install_data --install-dir=$out --root=$out
 '';
- postPatch = ''
- ${stdenv.shell} ./fail2ban-2to3
- '';
-
 postInstall = let
 sitePackages = "$out/${python3.sitePackages}";
 in ''
+ install -m 644 -D -t "$out/lib/systemd/system" build/fail2ban.service
+ # Replace binary paths
+ sed -i "s#build/bdist.*/wheel/fail2ban.*/scripts/#$out/bin/#g" $out/lib/systemd/system/fail2ban.service
+ # Delete creating the runtime directory, systemd does that
+ sed -i "/ExecStartPre/d" $out/lib/systemd/system/fail2ban.service
+
 # see https://github.com/NixOS/nixpkgs/issues/4968
 rm -r "${sitePackages}/etc"
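Review bot: The `substituteInPlace` loop over `config/action.d/sendmail*.conf` now rewrites only `/usr/sbin/sendmail`; the `--replace /usr/bin/whois whois` line is dropped without the commit message saying that 1.0.2 no longer hardcodes that path. If any of the sendmail-whois actions still invoke `/usr/bin/whois`, the failure is silent and only shows up at runtime on NixOS, where that path does not exist. A build-time guard after the loop would catch a regression in either direction, e.g. `grep -n '/usr/bin/' config/action.d/sendmail*.conf && exit 1` (under the stdenv's `set -e` the non-matching case is exempt, the matching case aborts). The removal of the two `fetchpatch` entries and of the duplicate `postPatch` 2to3 run looks consistent with the version bump; `./fail2ban-2to3` is still executed once in `preConfigure`, which the stripped "workaround for setuptools 58+" comment used to explain, so a one-line comment giving the reason it is still needed on 1.0.2 would help the next updater decide when to drop it.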
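Review bot: The two `sed -i` rewrites of the installed `fail2ban.service` have no failure mode: if `build/bdist.*/wheel/fail2ban.*/scripts/` stops matching (a different wheel or build layout), the unit keeps its Exec lines pointing into the build tree, the derivation still succeeds, and the breakage surfaces only when the service starts. Add a check right after the first sed so the build fails instead, e.g. `grep -q "=$out/bin/" $out/lib/systemd/system/fail2ban.service` followed by `! grep -q "build/bdist" $out/lib/systemd/system/fail2ban.service` (note `!` suppresses `set -e`, so spell the second as `if grep -q build/bdist …; then exit 1; fi`). The `/ExecStartPre/d` deletion shifts creation of the runtime directory to whatever consumes the unit, which is outside this file; the comment should name that expectation explicitly, `# the consuming service definition must create /run/fail2ban (e.g. RuntimeDirectory)`, so the package and module stay in sync. Whether `setup.py install_data --root=$out` above also drops a raw copy of the unit elsewhere under `$out` is not visible in this hunk.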
@@ -88,6 +71,5 @@ python3.pkgs.buildPythonApplication rec {
 description = "A program that scans log files for repeated failing login attempts and bans IP addresses";
 license = licenses.gpl2Plus;
 maintainers = with maintainers; [ eelco lovek323 ];
- platforms = platforms.unix;
 };
 }