New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
nixos/sshguard: fix syslog identifiers and pid file #54495
Conversation
Looks good to me. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The commits should also have the "nixos/sshguard:" prefix, instead of just "sshguard:"
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Since you're doing some cleanups (very nice!), I'm suggesting 2 more
Also, commit message needs to be changed (something like "nixos/sshguard: fix syslog ids, no more pid file, cleanups")
unitConfig.Documentation = "man:sshguard(8)"; | ||
|
||
serviceConfig = { | ||
Type = "simple"; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
"simple" is the default, so this can be removed
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I left this in on purpose, as systemd will be moving towards Type = "exec";
in one of the upcoming versions which will eventually become the default.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is there a reason "exec" wouldn't work though? I doubt they'll make a change that breaks every such service.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There probably is no reason that exec
shouldn't work so this is just to make things explicit. I'm fully with you - there is normally no point to specify what's already the default but in this case, I think it makes sense to be explicit.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't really agree, we shouldn't make changes already for a future version that only potentially (with a low chance) could break it.
But I don't want to hold this PR back just because of this
767a6f4
to
3281964
Compare
1. Allow syslog identifiers with special characters 2. Do not write a pid file as we are running in foreground anyway 3. Clean up the module for readability Without this, when deploying using nixops, restarting sshguard would make nixops show an error about restarting the service although the service is actually being restarted.
###### implementation | ||
|
||
config = mkIf cfg.enable { | ||
|
||
environment.systemPackages = [ pkgs.sshguard pkgs.iptables pkgs.ipset ]; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is sshguard
useless on the command line? Is that the reason for the removal of this?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Correct, you don't interact with sshguard. You could argue that ipset
should be there in case you want to manually inspect the ipset that sshguard manipulates but for all normal uses, neither of these are needed.
Motivation for this change
sshguard
runs in the foreground, so if we give thePIDFile
directive to systemd, it thinks the service should double-fork making service restarts when deploying with nixops fail.Things done
sandbox
innix.conf
on non-NixOS)nix-shell -p nox --run "nox-review wip"
./result/bin/
)nix path-info -S
before and after)Cc @sargon