nixos/fail2ban: add extraPackages option

some ban actions need additional packages (eg ipset). since actions can be provided by the user we need something general that's easy to configure. we could also enable ipset regardless of the actual configuration of the system if the iptables firewall is in use (like sshguard does), but that seems very clumsy and wouldn't easily solve the binary-not-found problems other actions may also have.
3 years ago · afb6fe2fff
parent 25c827b3cc
commit afb6fe2fff
1 changed files with 11 additions and 1 deletions
--- a/nixos/modules/services/security/fail2ban.nix
+++ b/nixos/modules/services/security/fail2ban.nix
@ -62,6 +62,16 @@ in
        description = "The firewall package used by fail2ban service.";
      };

+      extraPackages = mkOption {
+        default = [];
+        type = types.listOf types.package;
+        example = lib.literalExample "[ pkgs.ipset ]";
+        description = ''
+          Extra packages to be made available to the fail2ban service. The example contains
+          the packages needed by the `iptables-ipset-proto6` action.
+        '';
+      };
+
      maxretry = mkOption {
        default = 3;
        type = types.ints.unsigned;
@ -249,7 +259,7 @@ in
      restartTriggers = [ fail2banConf jailConf pathsConf ];
      reloadIfChanged = true;

-      path = [ cfg.package cfg.packageFirewall pkgs.iproute2 ];
+      path = [ cfg.package cfg.packageFirewall pkgs.iproute2 ] ++ cfg.extraPackages;

      unitConfig.Documentation = "man:fail2ban(1)";