From 7c7bfa817a046e89e6cd73c0db7314fec4a8ff2b Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Tue, 15 Oct 2013 18:36:45 +0200 Subject: [PATCH] fail2ban: Update to 0.8.10 Also fix random start failures due to a race between the fail2ban server and the postStart script. --- nixos/modules/services/security/fail2ban.nix | 56 ++++++++++---------- pkgs/tools/security/fail2ban/default.nix | 9 ++-- 2 files changed, 32 insertions(+), 33 deletions(-) diff --git a/nixos/modules/services/security/fail2ban.nix b/nixos/modules/services/security/fail2ban.nix index 2b2a54ef409..395a5df8af0 100644 --- a/nixos/modules/services/security/fail2ban.nix +++ b/nixos/modules/services/security/fail2ban.nix @@ -10,7 +10,7 @@ let jailConf = pkgs.writeText "jail.conf" (concatStringsSep "\n" (attrValues (flip mapAttrs cfg.jails (name: def: - optionalString (def != "") + optionalString (def != "") '' [${name}] ${def} @@ -32,7 +32,8 @@ in [Definition] loglevel = 3 logtarget = SYSLOG - socket = /var/run/fail2ban/fail2ban.sock + socket = /run/fail2ban/fail2ban.sock + pidfile = /run/fail2ban/fail2ban.pid ''; type = types.string; description = 
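Review bot: The new default daemon configuration hard-codes `socket = /run/fail2ban/fail2ban.sock` and `pidfile = /run/fail2ban/fail2ban.pid`, while the same directory is separately hard-coded in the unit's `ReadWriteDirectories`; a user who overrides this option with another socket or pidfile location gets a server that cannot create them under `ReadOnlyDirectories = "/"` and a `fail2ban-client` in `postStart` that cannot reach the control socket. A comment above the default, e.g. `# Socket and pidfile must stay under /run/fail2ban, the only writable runtime directory the unit grants.`, or a single binding for the runtime directory shared with the unit, would keep the two in step. Since `fail2ban-client` drives the server through this socket, the socket's own file mode (set by the server, not visible here) decides who may alter the jails; the 0755 directory created for it does not restrict that by itself. The option's `description` string continues outside the hunk.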
@@ -71,56 +72,53 @@ in /etc/fail2ban/filter.d. ''; }; - + }; }; - + ###### implementation config = { environment.systemPackages = [ pkgs.fail2ban ]; - environment.etc = - [ { source = fail2banConf; - target = "fail2ban/fail2ban.conf"; - } - { source = jailConf; - target = "fail2ban/jail.conf"; - } - { source = "${pkgs.fail2ban}/etc/fail2ban/action.d/*.conf"; - target = "fail2ban/action.d"; - } - { source = "${pkgs.fail2ban}/etc/fail2ban/filter.d/*.conf"; - target = "fail2ban/filter.d"; - } - ]; - - system.activationScripts.fail2ban = - '' - mkdir -p /var/run/fail2ban -m 0755 - ''; + environment.etc."fail2ban/fail2ban.conf".source = fail2banConf; + environment.etc."fail2ban/jail.conf".source = jailConf; + environment.etc."fail2ban/action.d".source = "${pkgs.fail2ban}/etc/fail2ban/action.d/*.conf"; + environment.etc."fail2ban/filter.d".source = "${pkgs.fail2ban}/etc/fail2ban/filter.d/*.conf"; systemd.services.fail2ban = { description = "Fail2ban intrusion prevention system"; wantedBy = [ "multi-user.target" ]; after = [ "network.target" ]; - + restartTriggers = [ fail2banConf jailConf ]; path = [ pkgs.fail2ban pkgs.iptables ]; - + + preStart = + '' + mkdir -p /run/fail2ban -m 0755 + ''; + serviceConfig = { ExecStart = "${pkgs.fail2ban}/bin/fail2ban-server -f"; ReadOnlyDirectories = "/"; - ReadWriteDirectories = "/var/run/fail2ban /var/tmp"; - CapabilityBoundingSet="CAP_DAC_READ_SEARCH CAP_NET_ADMIN CAP_NET_RAW"; + ReadWriteDirectories = "/run/fail2ban /var/tmp"; + CapabilityBoundingSet = "CAP_DAC_READ_SEARCH CAP_NET_ADMIN CAP_NET_RAW"; }; postStart = '' + # Wait for the server to start listening. + for ((n = 0; n < 20; n++)); do + if fail2ban-client ping; then break; fi + sleep 0.5 + done + + # Reload its configuration. fail2ban-client reload ''; }; 
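Review bot: The readiness loop in `postStart` exhausts its 20 attempts silently and then runs `fail2ban-client reload` regardless, so a server that never came up surfaces as a failed reload rather than a start timeout, and every failed `ping` along the way prints to the journal; the wait should end in an explicit check after `done`, e.g. `fail2ban-client ping >/dev/null || { echo "fail2ban-server did not become ready" >&2; exit 1; }`. The reload itself carries no comment saying why it is needed once the server has already read `/etc/fail2ban` at startup, which a one-line `# …` above it should record. In `preStart`, `mkdir -p /run/fail2ban -m 0755` applies the mode only when the directory is newly created, so a pre-existing `/run/fail2ban` keeps whatever mode it had; a `chmod 0755 /run/fail2ban` after the `mkdir` makes the intended permissions hold on restarts as well.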
@@ -137,14 +135,14 @@ in ''; # Block SSH if there are too many failing connection attempts. - services.fail2ban.jails."ssh-iptables" = + services.fail2ban.jails.ssh-iptables = '' filter = sshd action = iptables[name=SSH, port=ssh, protocol=tcp] logpath = /var/log/warn maxretry = 5 ''; - + }; } diff --git a/pkgs/tools/security/fail2ban/default.nix b/pkgs/tools/security/fail2ban/default.nix index dd869714e05..1a443fc18b6 100644 --- a/pkgs/tools/security/fail2ban/default.nix +++ b/pkgs/tools/security/fail2ban/default.nix @@ -1,6 +1,6 @@ { stdenv, fetchurl, pythonPackages, unzip, gamin }: -let version = "0.8.6"; in +let version = "0.8.10"; in pythonPackages.buildPythonPackage { name = "fail2ban-${version}"; @@ -9,7 +9,7 @@ pythonPackages.buildPythonPackage { src = fetchurl { url = "https://github.com/fail2ban/fail2ban/zipball/${version}"; name = "fail2ban-${version}.zip"; - sha256 = "0lbanfshr8kasa1bb7861w3mrm2d0c1bvv4s5703265s8zp5m284"; + sha256 = "0zbjwnghpdnzan7hn40cjjh2r06p2ph5kblpm0w1r72djwsk67x9"; }; buildInputs = [ unzip ]; @@ -21,6 +21,7 @@ pythonPackages.buildPythonPackage { --replace /usr $out substituteInPlace setup.py \ + --replace /usr $out \ --replace /etc $out/etc \ --replace /var $TMPDIR/var \ @@ -28,7 +29,7 @@ pythonPackages.buildPythonPackage { substituteInPlace $i \ --replace /usr/share/fail2ban $out/share/fail2ban done - + for i in config/action.d/sendmail*.conf; do substituteInPlace $i \ --replace /usr/sbin/sendmail sendmail \ @@ -37,7 +38,7 @@ pythonPackages.buildPythonPackage { ''; doCheck = false; - + installCommand = '' python setup.py install --prefix=$out '';
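Review bot: The added `--replace /usr $out \` in the `setup.py` substitution is an unanchored substring rewrite that runs before the `/etc` and `/var` replacements, and `substituteInPlace` gives no indication when a pattern matches nothing, so a later `setup.py` that no longer contains `/usr` paths would be left untouched without any build-time signal; a short comment naming what it is meant to relocate, e.g. `# setup.py hard-codes /usr-prefixed install paths; move them under $out`, would record the intent and make a silent no-op easier to spot. The enclosing phase string starts and ends outside the hunk. Separately, the `src` in the preceding hunk fetches a GitHub `zipball` archive that is generated on request; the pinned `sha256` still protects integrity, but such archives are not guaranteed to be byte-stable, so this hash may need revisiting even without a version change.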