nixos/sshguard: fix syslog ids, no more pid file, cleanups

1. Allow syslog identifiers with special characters
2. Do not write a pid file as we are running in foreground anyway
3. Clean up the module for readability

Without this, when deploying using nixops, restarting sshguard would make
nixops show an error about restarting the service although the service is
actually being restarted.

nixos/modules/services/security/sshguard.nix

@@ -4,6 +4,7 @@ with lib;
 
 let
   cfg = config.services.sshguard;
+
 in {
 
   ###### interface
@@ -77,65 +78,65 @@ in {
             Systemd services sshguard should receive logs of.
           '';
       };
-
     };
-
   };
 
-
   ###### implementation
 
   config = mkIf cfg.enable {
 
-    environment.systemPackages = [ pkgs.sshguard pkgs.iptables pkgs.ipset ];
-
     environment.etc."sshguard.conf".text = let
-        list_services = ( name:  "-t ${name} ");
+      args = lib.concatStringsSep " " ([
-      in ''
+        "-afb"
-        BACKEND="${pkgs.sshguard}/libexec/sshg-fw-ipset"
+        "-p info"
-        LOGREADER="LANG=C ${pkgs.systemd}/bin/journalctl -afb -p info -n1 ${toString (map list_services cfg.services)} -o cat"
+        "-o cat"
+        "-n1"
+      ] ++ (map (name: "-t ${escapeShellArg name}") cfg.services));
+    in ''
+      BACKEND="${pkgs.sshguard}/libexec/sshg-fw-ipset"
+      LOGREADER="LANG=C ${pkgs.systemd}/bin/journalctl ${args}"
+    '';
+
+    systemd.services.sshguard = {
+      description = "SSHGuard brute-force attacks protection system";
+
+      wantedBy = [ "multi-user.target" ];
+      after = [ "network.target" ];
+      partOf = optional config.networking.firewall.enable "firewall.service";
+
+      path = with pkgs; [ iptables ipset iproute systemd ];
+
+      postStart = ''
+        ${pkgs.ipset}/bin/ipset -quiet create -exist sshguard4 hash:ip family inet
+        ${pkgs.ipset}/bin/ipset -quiet create -exist sshguard6 hash:ip family inet6
+        ${pkgs.iptables}/bin/iptables  -I INPUT -m set --match-set sshguard4 src -j DROP
+        ${pkgs.iptables}/bin/ip6tables -I INPUT -m set --match-set sshguard6 src -j DROP
       '';
 
-    systemd.services.sshguard =
+      preStop = ''
-      { description = "SSHGuard brute-force attacks protection system";
+        ${pkgs.iptables}/bin/iptables  -D INPUT -m set --match-set sshguard4 src -j DROP
+        ${pkgs.iptables}/bin/ip6tables -D INPUT -m set --match-set sshguard6 src -j DROP
+      '';
 
-        wantedBy = [ "multi-user.target" ];
+      unitConfig.Documentation = "man:sshguard(8)";
-        after = [ "network.target" ];
-        partOf = optional config.networking.firewall.enable "firewall.service";
 
-        path = [ pkgs.iptables pkgs.ipset pkgs.iproute pkgs.systemd ];
+      serviceConfig = {
-
+        Type = "simple";
-        postStart = ''
+        ExecStart = let
-          mkdir -p /var/lib/sshguard
+          args = lib.concatStringsSep " " ([
-          ${pkgs.ipset}/bin/ipset -quiet create -exist sshguard4 hash:ip family inet
+            "-a ${toString cfg.attack_threshold}"
-          ${pkgs.ipset}/bin/ipset -quiet create -exist sshguard6 hash:ip family inet6
+            "-p ${toString cfg.blocktime}"
-          ${pkgs.iptables}/bin/iptables -I INPUT -m set --match-set sshguard4 src -j DROP
+            "-s ${toString cfg.detection_time}"
-          ${pkgs.iptables}/bin/ip6tables -I INPUT -m set --match-set sshguard6 src -j DROP
+            (optionalString (cfg.blacklist_threshold != null) "-b ${toString cfg.blacklist_threshold}:${cfg.blacklist_file}")
-        '';
+          ] ++ (map (name: "-w ${escapeShellArg name}") cfg.whitelist));
-
+        in "${pkgs.sshguard}/bin/sshguard ${args}";
-        preStop = ''
+        Restart = "always";
-          ${pkgs.iptables}/bin/iptables -D INPUT -m set --match-set sshguard4 src -j DROP
+        ProtectSystem = "strict";
-          ${pkgs.iptables}/bin/ip6tables -D INPUT -m set --match-set sshguard6 src -j DROP
+        ProtectHome = "tmpfs";
-        '';
+        RuntimeDirectory = "sshguard";
-
+        StateDirectory = "sshguard";
-        unitConfig.Documentation = "man:sshguard(8)";
+        CapabilityBoundingSet = "CAP_NET_ADMIN CAP_NET_RAW";
-
-        serviceConfig = {
-            Type = "simple";
-            ExecStart = let
-                list_whitelist = ( name:  "-w ${name} ");
-              in ''
-                 ${pkgs.sshguard}/bin/sshguard -a ${toString cfg.attack_threshold} ${optionalString (cfg.blacklist_threshold != null) "-b ${toString cfg.blacklist_threshold}:${cfg.blacklist_file} "}-i /run/sshguard/sshguard.pid -p ${toString cfg.blocktime} -s ${toString cfg.detection_time} ${toString (map list_whitelist cfg.whitelist)}
-              '';
-            PIDFile = "/run/sshguard/sshguard.pid";
-            Restart = "always";
-
-            ReadOnlyDirectories = "/";
-            ReadWriteDirectories = "/run/sshguard /var/lib/sshguard";
-            RuntimeDirectory = "sshguard";
-            StateDirectory = "sshguard";
-            CapabilityBoundingSet = "CAP_NET_ADMIN CAP_NET_RAW";
-         };
       };
+    };
   };
 }