fail2ban: Update to 0.8.10

Also fix random start failures due to a race between the fail2ban
server and the postStart script.

nixos/modules/services/security/fail2ban.nix

@@ -10,7 +10,7 @@ let
 
   jailConf = pkgs.writeText "jail.conf"
     (concatStringsSep "\n" (attrValues (flip mapAttrs cfg.jails (name: def:
-      optionalString (def != "") 
+      optionalString (def != "")
         ''
           [${name}]
           ${def}
@@ -32,7 +32,8 @@ in
             [Definition]
             loglevel  = 3
             logtarget = SYSLOG
-            socket    = /var/run/fail2ban/fail2ban.sock
+            socket    = /run/fail2ban/fail2ban.sock
+            pidfile   = /run/fail2ban/fail2ban.pid
           '';
         type = types.string;
         description =
@@ -71,56 +72,53 @@ in
             <filename>/etc/fail2ban/filter.d</filename>.
           '';
       };
-      
+
     };
 
   };
 
-  
+
   ###### implementation
 
   config = {
 
     environment.systemPackages = [ pkgs.fail2ban ];
 
-    environment.etc =
+    environment.etc."fail2ban/fail2ban.conf".source = fail2banConf;
-      [ { source = fail2banConf;
+    environment.etc."fail2ban/jail.conf".source = jailConf;
-          target = "fail2ban/fail2ban.conf";
+    environment.etc."fail2ban/action.d".source = "${pkgs.fail2ban}/etc/fail2ban/action.d/*.conf";
-        }
+    environment.etc."fail2ban/filter.d".source = "${pkgs.fail2ban}/etc/fail2ban/filter.d/*.conf";
-        { source = jailConf;
-          target = "fail2ban/jail.conf";
-        }
-        { source = "${pkgs.fail2ban}/etc/fail2ban/action.d/*.conf";
-          target = "fail2ban/action.d";
-        }
-        { source = "${pkgs.fail2ban}/etc/fail2ban/filter.d/*.conf";
-          target = "fail2ban/filter.d";
-        }
-      ];
-
-    system.activationScripts.fail2ban =
-      ''
-        mkdir -p /var/run/fail2ban -m 0755
-      '';
 
     systemd.services.fail2ban =
       { description = "Fail2ban intrusion prevention system";
 
         wantedBy = [ "multi-user.target" ];
         after = [ "network.target" ];
-      
+
         restartTriggers = [ fail2banConf jailConf ];
         path = [ pkgs.fail2ban pkgs.iptables ];
-        
+
+        preStart =
+          ''
+            mkdir -p /run/fail2ban -m 0755
+          '';
+
         serviceConfig =
           { ExecStart = "${pkgs.fail2ban}/bin/fail2ban-server -f";
             ReadOnlyDirectories = "/";
-            ReadWriteDirectories = "/var/run/fail2ban /var/tmp";
+            ReadWriteDirectories = "/run/fail2ban /var/tmp";
-            CapabilityBoundingSet="CAP_DAC_READ_SEARCH CAP_NET_ADMIN CAP_NET_RAW";
+            CapabilityBoundingSet = "CAP_DAC_READ_SEARCH CAP_NET_ADMIN CAP_NET_RAW";
           };
 
         postStart =
           ''
+            # Wait for the server to start listening.
+            for ((n = 0; n < 20; n++)); do
+              if fail2ban-client ping; then break; fi
+              sleep 0.5
+            done
+
+            # Reload its configuration.
             fail2ban-client reload
           '';
       };
@@ -137,14 +135,14 @@ in
       '';
 
     # Block SSH if there are too many failing connection attempts.
-    services.fail2ban.jails."ssh-iptables" =
+    services.fail2ban.jails.ssh-iptables =
       ''
         filter   = sshd
         action   = iptables[name=SSH, port=ssh, protocol=tcp]
         logpath  = /var/log/warn
         maxretry = 5
       '';
-    
+
   };
 
 }

pkgs/tools/security/fail2ban/default.nix

@@ -1,6 +1,6 @@
 { stdenv, fetchurl, pythonPackages, unzip, gamin }:
 
-let version = "0.8.6"; in
+let version = "0.8.10"; in
 
 pythonPackages.buildPythonPackage {
   name = "fail2ban-${version}";
@@ -9,7 +9,7 @@ pythonPackages.buildPythonPackage {
   src = fetchurl {
     url    = "https://github.com/fail2ban/fail2ban/zipball/${version}";
     name   = "fail2ban-${version}.zip";
-    sha256 = "0lbanfshr8kasa1bb7861w3mrm2d0c1bvv4s5703265s8zp5m284";
+    sha256 = "0zbjwnghpdnzan7hn40cjjh2r06p2ph5kblpm0w1r72djwsk67x9";
   };
 
   buildInputs = [ unzip ];
@@ -21,6 +21,7 @@ pythonPackages.buildPythonPackage {
       --replace /usr $out
 
     substituteInPlace setup.py \
+      --replace /usr $out \
       --replace /etc $out/etc \
       --replace /var $TMPDIR/var \
 
@@ -28,7 +29,7 @@ pythonPackages.buildPythonPackage {
       substituteInPlace $i \
         --replace /usr/share/fail2ban $out/share/fail2ban
     done
-    
+
     for i in config/action.d/sendmail*.conf; do
       substituteInPlace $i \
         --replace /usr/sbin/sendmail sendmail \
@@ -37,7 +38,7 @@ pythonPackages.buildPythonPackage {
   '';
 
   doCheck = false;
-  
+
   installCommand = ''
     python setup.py install --prefix=$out
   '';