Diffstat (limited to 'files')
-rwxr-xr-x | files/fail2ban-openrc.init | 22 |
1 files changed, 17 insertions, 5 deletions
diff --git a/files/fail2ban-openrc.init b/files/fail2ban-openrc.init
index 21e251db..8473da26 100755
--- a/files/fail2ban-openrc.init
+++ b/files/fail2ban-openrc.init
@@ -22,11 +22,23 @@ description="Ban hosts that cause multiple authentication errors"
 description_reload="reload configuration"
 extra_started_commands="reload"
 
+# Can't (and shouldn't) be changed by the end-user.
+FAIL2BAN_RUNDIR="/run/${RC_SVCNAME}"
+FAIL2BAN_SOCKET="${FAIL2BAN_RUNDIR}/${RC_SVCNAME}.sock"
+
+# This should be replaced by the build system, eventually.
+FAIL2BAN_BINDIR="/usr/bin"
+
 # The fail2ban-client program is also capable of starting and stopping
 # the server, but things are simpler if we let start-stop-daemon do it.
-command="/usr/bin/fail2ban-server"
-pidfile="/run/${RC_SVCNAME}/${RC_SVCNAME}.pid"
-command_args="${FAIL2BAN_OPTIONS} -p ${pidfile}"
+command="${FAIL2BAN_BINDIR}/fail2ban-server"
+pidfile="${FAIL2BAN_RUNDIR}/${RC_SVCNAME}.pid"
+
+# We force the pidfile/socket location in this service script because
+# we're taking responsibility for ensuring that their parent directory
+# exists and has the correct permissions (which we can't do if the
+# user is allowed to change them).
+command_args="${FAIL2BAN_OPTIONS} -p ${pidfile} -s ${FAIL2BAN_SOCKET}"
 retry="30"
 
 depend() {
@@ -35,7 +47,7 @@ depend() {
 }
 
 start_pre() {
- checkpath -d "${pidfile%/*}" || return 1
+ checkpath -d "${FAIL2BAN_RUNDIR}" || return 1
 }
 
 reload() {
@@ -43,6 +55,6 @@ reload() {
 # the server to reload(), so we have to use it here rather
 # than e.g. sending a signal to the server daemon.
 ebegin "Reloading ${RC_SVCNAME}"
- "${command%/*}/fail2ban-client" ${command_args} reload
+ "${FAIL2BAN_BINDIR}/fail2ban-client" ${command_args} reload
 eend $? "Failed to reload ${RC_SVCNAME}"
 }
|
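Review bot: The new comment above `command_args` says the pidfile and socket locations are forced, but the hunk only appends `-p ${pidfile} -s ${FAIL2BAN_SOCKET}` after `${FAIL2BAN_OPTIONS}`. That forces the location only if fail2ban-server lets the last occurrence of `-p`/`-s` win, which nothing visible here establishes. A user-supplied `-s` in `FAIL2BAN_OPTIONS` that took effect would put the control socket in a directory this script does not manage. Please confirm the option-parsing order and record it in the comment, for example `# -p/-s are placed after FAIL2BAN_OPTIONS so that they override any value given there.`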
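Review bot: In `start_pre()`, `checkpath -d "${FAIL2BAN_RUNDIR}"` passes no mode or owner, yet the comment added earlier in this commit says the script is responsible for the directory having the correct permissions. As far as I can tell, without `-m`/`-o` checkpath only creates the directory if it is missing and leaves the mode and owner of an existing one untouched; please confirm. Since the directory now holds the server's control socket as well as the pidfile, it is worth pinning both, e.g. `checkpath -d -m 0755 -o root:root "${FAIL2BAN_RUNDIR}" || return 1`, assuming the server runs as root and 0755 is the intended mode.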