Merge pull request #209031 from ncfavier/fail2ban-nftables

author: Naïm Favier <n@monade.li> 2023-01-09 11:54:03 +0100
committer: GitHub <noreply@github.com> 2023-01-09 11:54:03 +0100
commit: 8cd3fc50f9f13a1dc93f237c97789fac3675d524 (patch)
tree: 59d5e588ba1096feba7444617c23b6d7a871aca2 /nixos
parent: 9f47b3e88927a7dd70f09a3efd3447cbe33d50b7 (diff)
parent: 88a72182360af04c1473c144927d88b861f14747 (diff)
1 files changed, 9 insertions, 10 deletions
diff --git a/nixos/modules/services/security/fail2ban.nix b/nixos/modules/services/security/fail2ban.nix
index 3b124a4f0e08..8d923187941c 100644
--- a/nixos/modules/services/security/fail2ban.nix
+++ b/nixos/modules/services/security/fail2ban.nix
@@ -62,11 +62,10 @@ in
       };
 
       packageFirewall = mkOption {
-        default = pkgs.iptables;
-        defaultText = literalExpression "pkgs.iptables";
+        default = config.networking.firewall.package;
+        defaultText = literalExpression "config.networking.firewall.package";
         type = types.package;
-        example = literalExpression "pkgs.nftables";
-        description = lib.mdDoc "The firewall package used by fail2ban service.";
+        description = lib.mdDoc "The firewall package used by fail2ban service. Defaults to the package for your firewall (iptables or nftables).";
       };
 
       extraPackages = mkOption {
@@ -86,24 +85,24 @@ in
       };
 
       banaction = mkOption {
-        default = "iptables-multiport";
+        default = if config.networking.nftables.enable then "nftables-multiport" else "iptables-multiport";
+        defaultText = literalExpression '' if config.networking.nftables.enable then "nftables-multiport" else "iptables-multiport" '';
         type = types.str;
-        example = "nftables-multiport";
         description = lib.mdDoc ''
           Default banning action (e.g. iptables, iptables-new, iptables-multiport,
-          iptables-ipset-proto6-allports, shorewall, etc) It is used to
+          iptables-ipset-proto6-allports, shorewall, etc). It is used to
           define action_* variables. Can be overridden globally or per
           section within jail.local file
         '';
       };
 
       banaction-allports = mkOption {
-        default = "iptables-allport";
+        default = if config.networking.nftables.enable then "nftables-allport" else "iptables-allport";
+        defaultText = literalExpression '' if config.networking.nftables.enable then "nftables-allport" else "iptables-allport" '';
         type = types.str;
-        example = "nftables-allport";
         description = lib.mdDoc ''
           Default banning action (e.g. iptables, iptables-new, iptables-multiport,
-          shorewall, etc) It is used to define action_* variables. Can be overridden
+          shorewall, etc) for "allports" jails. It is used to define action_* variables. Can be overridden
           globally or per section within jail.local file
         '';
       };
author	Naïm Favier <n@monade.li>	2023-01-09 11:54:03 +0100
committer	GitHub <noreply@github.com>	2023-01-09 11:54:03 +0100
commit	8cd3fc50f9f13a1dc93f237c97789fac3675d524 (patch)
tree	59d5e588ba1096feba7444617c23b6d7a871aca2 /nixos
parent	9f47b3e88927a7dd70f09a3efd3447cbe33d50b7 (diff)
parent	88a72182360af04c1473c144927d88b861f14747 (diff)