fail2ban: 0.11.2 -> 1.0.2

Update to 1.0.2: https://github.com/fail2ban/fail2ban/blob/1.0.2/ChangeLog#ver-102-20221109---finally-war-game-test-tape-not-a-nuclear-alarm 1.0.1 contained a few breaking changes, but I think they have little impact. I changed the module to use the systemd service shipping with fail2ban (now added to the package).
NixOS · Feb 15, 2023 · 12db831 · 12db831
1 parent d917136
commit 12db831
Show file tree

Hide file tree

Showing 3 changed files with 12 additions and 38 deletions.
diff --git a/nixos/doc/manual/release-notes/rl-2305.section.md b/nixos/doc/manual/release-notes/rl-2305.section.md
@@ -95,6 +95,8 @@ In addition to numerous new and upgraded packages, this release has the followin
 
 - The EC2 image module previously detected and activated swap-formatted instance store devices and partitions in stage-1 (initramfs). This behaviour has been removed. Users relying on this should provide their own implementation.
 
+- `fail2ban` has been updated to 1.0.2, which has a few breaking changes compared to 0.11.2 ([changelog for 1.0.1](https://github.com/fail2ban/fail2ban/blob/1.0.1/ChangeLog), [changelog for 1.0.2](https://github.com/fail2ban/fail2ban/blob/1.0.2/ChangeLog))
+
 - Calling `makeSetupHook` without passing a `name` argument is deprecated.
 
 - Qt 5.12 and 5.14 have been removed, as the corresponding branches have been EOL upstream for a long time. This affected under 10 packages in nixpkgs, largely unmaintained upstream as well, however, out-of-tree package expressions may need to be updated manually.

diff --git a/nixos/modules/services/security/fail2ban.nix b/nixos/modules/services/security/fail2ban.nix
@@ -273,26 +273,16 @@ in
       "fail2ban/filter.d".source = "${cfg.package}/etc/fail2ban/filter.d/*.conf";
     };
 
+    systemd.packages = [ cfg.package ];
     systemd.services.fail2ban = {
-      description = "Fail2ban Intrusion Prevention System";
-
       wantedBy = [ "multi-user.target" ];
-      after = [ "network.target" ];
       partOf = optional config.networking.firewall.enable "firewall.service";
 
       restartTriggers = [ fail2banConf jailConf pathsConf ];
 
       path = [ cfg.package cfg.packageFirewall pkgs.iproute2 ] ++ cfg.extraPackages;
 
-      unitConfig.Documentation = "man:fail2ban(1)";
-
       serviceConfig = {
-        ExecStart = "${cfg.package}/bin/fail2ban-server -xf start";
-        ExecStop = "${cfg.package}/bin/fail2ban-server stop";
-        ExecReload = "${cfg.package}/bin/fail2ban-server reload";
-        Type = "simple";
-        Restart = "on-failure";
-        PIDFile = "/run/fail2ban/fail2ban.pid";
         # Capabilities
         CapabilityBoundingSet = [ "CAP_AUDIT_READ" "CAP_DAC_READ_SEARCH" "CAP_NET_ADMIN" "CAP_NET_RAW" ];
         # Security

diff --git a/pkgs/tools/security/fail2ban/default.nix b/pkgs/tools/security/fail2ban/default.nix
@@ -1,18 +1,17 @@
 { lib, stdenv, fetchFromGitHub
 , python3
-, fetchpatch
 , installShellFiles
 }:
 
 python3.pkgs.buildPythonApplication rec {
   pname = "fail2ban";
-  version = "0.11.2";
+  version = "1.0.2";
 
   src = fetchFromGitHub {
     owner = "fail2ban";
     repo = "fail2ban";
     rev = version;
-    sha256 = "q4U9iWCa1zg8sA+6pPNejt6v/41WGIKN5wITJCrCqQE=";
+    hash = "sha256-Zd8zLkFlvXTbeInEkNFyHgcAiOsX4WwF6hf5juSQvbY=";
   };
 
   outputs = [ "out" "man" ];
@@ -25,31 +24,13 @@ python3.pkgs.buildPythonApplication rec {
       pyinotify
     ];
 
-  patches = [
-    # remove references to use_2to3, for setuptools>=58
-    # has been merged into master, remove next release
-    (fetchpatch {
-      url = "https://github.com/fail2ban/fail2ban/commit/5ac303df8a171f748330d4c645ccbf1c2c7f3497.patch";
-      sha256 = "sha256-aozQJHwPcJTe/D/PLQzBk1YH3OAP6Qm7wO7cai5CVYI=";
-    })
-    # fix use of MutableMapping with Python >= 3.10
-    # https://github.com/fail2ban/fail2ban/issues/3142
-    (fetchpatch {
-      url = "https://github.com/fail2ban/fail2ban/commit/294ec73f629d0e29cece3a1eb5dd60b6fccea41f.patch";
-      sha256 = "sha256-Eimm4xjBDYNn5QdTyMqGgT5EXsZdd/txxcWJojXlsFE=";
-    })
-  ];
-
   preConfigure = ''
-    # workaround for setuptools 58+
-    # https://github.com/fail2ban/fail2ban/issues/3098
     patchShebangs fail2ban-2to3
     ./fail2ban-2to3
 
     for i in config/action.d/sendmail*.conf; do
       substituteInPlace $i \
-        --replace /usr/sbin/sendmail sendmail \
-        --replace /usr/bin/whois whois
+        --replace /usr/sbin/sendmail sendmail
     done
 
     substituteInPlace config/filter.d/dovecot.conf \
@@ -65,15 +46,17 @@ python3.pkgs.buildPythonApplication rec {
     ${python3.interpreter} setup.py install_data --install-dir=$out --root=$out
   '';
 
-  postPatch = ''
-    ${stdenv.shell} ./fail2ban-2to3
-  '';
-
   postInstall =
     let
       sitePackages = "$out/${python3.sitePackages}";
     in
     ''
+      install -m 644 -D -t "$out/lib/systemd/system" build/fail2ban.service
+      # Replace binary paths
+      sed -i "s#build/bdist.*/wheel/fail2ban.*/scripts/#$out/bin/#g" $out/lib/systemd/system/fail2ban.service
+      # Delete creating the runtime directory, systemd does that
+      sed -i "/ExecStartPre/d" $out/lib/systemd/system/fail2ban.service
+
       # see https://github.com/NixOS/nixpkgs/issues/4968
       rm -r "${sitePackages}/etc"
 
@@ -88,6 +71,5 @@ python3.pkgs.buildPythonApplication rec {
     description = "A program that scans log files for repeated failing login attempts and bans IP addresses";
     license = licenses.gpl2Plus;
     maintainers = with maintainers; [ eelco lovek323 ];
-    platforms = platforms.unix;
   };
 }