Documentation
Overview ¶
=============================================================================
NFTBan v1.73 - Installer Stale File Cleanup
=============================================================================
SPDX-License-Identifier: MPL-2.0
meta:name="installer-services-cleanup"
meta:type="lib"
meta:owner="Antonios Voulvoulis <contact@nftban.com>"
meta:created_date="2026-04-04"
meta:description="Remove stale files, polkit rules, and legacy units from prior versions"
meta:inventory.files="internal/installer/services/cleanup.go"
meta:inventory.binaries=""
meta:inventory.env_vars=""
meta:inventory.config_files=""
meta:inventory.systemd_units=""
meta:inventory.network=""
meta:inventory.privileges="root"
=============================================================================

=============================================================================
NFTBan v1.73 - Installer Daemon Start
=============================================================================
SPDX-License-Identifier: MPL-2.0
meta:name="installer-services-daemon"
meta:type="lib"
meta:owner="Antonios Voulvoulis <contact@nftban.com>"
meta:created_date="2026-04-04"
meta:description="Enable and start nftband socket+service with retry"
meta:inventory.files="internal/installer/services/daemon.go"
meta:inventory.binaries=""
meta:inventory.env_vars=""
meta:inventory.config_files=""
meta:inventory.systemd_units="nftband.socket, nftband.service"
meta:inventory.network=""
meta:inventory.privileges="root"
=============================================================================

=============================================================================
NFTBan v1.73 - Installer Login Monitoring Enable
=============================================================================
SPDX-License-Identifier: MPL-2.0
meta:name="installer-services-login"
meta:type="lib"
meta:owner="Antonios Voulvoulis <contact@nftban.com>"
meta:created_date="2026-04-04"
meta:description="Enable login monitoring via nftban login enable"
meta:inventory.files="internal/installer/services/login.go"
meta:inventory.binaries=""
meta:inventory.env_vars=""
meta:inventory.config_files=""
meta:inventory.systemd_units=""
meta:inventory.network=""
meta:inventory.privileges="root"
=============================================================================

=============================================================================
NFTBan v1.75.1 - Installer Panel Enable
=============================================================================
SPDX-License-Identifier: MPL-2.0
meta:name="installer-services-panel"
meta:type="lib"
meta:owner="Antonios Voulvoulis <contact@nftban.com>"
meta:created_date="2026-04-04"
meta:description="Enable panel integration for detected hosting panels"
meta:inventory.files="internal/installer/services/panel.go"
meta:inventory.binaries=""
meta:inventory.env_vars=""
meta:inventory.config_files=""
meta:inventory.systemd_units=""
meta:inventory.network=""
meta:inventory.privileges="root"
=============================================================================

=============================================================================
NFTBan v1.76.0 - Installer systemd Helpers
=============================================================================
SPDX-License-Identifier: MPL-2.0
meta:name="installer-services-systemd"
meta:type="lib"
meta:owner="Antonios Voulvoulis <contact@nftban.com>"
meta:created_date="2026-04-05"
meta:description="systemd-tmpfiles --create and polkit restart for installer parity"
meta:inventory.files="internal/installer/services/systemd.go"
meta:inventory.binaries=""
meta:inventory.env_vars=""
meta:inventory.config_files=""
meta:inventory.systemd_units=""
meta:inventory.network=""
meta:inventory.privileges="root"
=============================================================================

=============================================================================
NFTBan v1.75.1 - Installer Timer Reconciliation
=============================================================================
SPDX-License-Identifier: MPL-2.0
meta:name="installer-services-timers"
meta:type="lib"
meta:owner="Antonios Voulvoulis <contact@nftban.com>"
meta:created_date="2026-04-04"
meta:description="Reconcile core systemd timers (enable+start)"
meta:inventory.files="internal/installer/services/timers.go"
meta:inventory.binaries=""
meta:inventory.env_vars=""
meta:inventory.config_files="/etc/nftban/nftban.conf"
meta:inventory.systemd_units="nftban-maintenance.timer, nftban-health.timer, nftban-unified-exporter.timer, nftban-core-geoip.timer, nftban-core-feeds.timer, nftban-watchdog.timer, nftban-queue.timer, nftban-update-check.timer"
meta:inventory.network=""
meta:inventory.privileges="root"
=============================================================================

=============================================================================
NFTBan v1.154.0 - Installer Post-Install Timer Wedge Recovery
=============================================================================
SPDX-License-Identifier: MPL-2.0
meta:name="installer-services-timers-post-install"
meta:type="lib"
meta:owner="Antonios Voulvoulis <contact@nftban.com>"
meta:created_date="2026-06-06"
meta:description="D-INSTALL-TIMER-RELOAD: conditional daemon-reload + restart of wedged nftban timers at end of phaseValidate"
meta:inventory.files="internal/installer/services/timers_post_install.go"
meta:inventory.binaries=""
meta:inventory.env_vars=""
meta:inventory.config_files=""
meta:inventory.systemd_units="nftban-*.timer"
meta:inventory.network=""
meta:inventory.privileges="root"
=============================================================================

=============================================================================
NFTBan v1.73 - Installer Whitelist Sync
=============================================================================
SPDX-License-Identifier: MPL-2.0
meta:name="installer-services-whitelist"
meta:type="lib"
meta:owner="Antonios Voulvoulis <contact@nftban.com>"
meta:created_date="2026-04-04"
meta:description="Run nftban sync to load whitelists and feeds after rebuild"
meta:inventory.files="internal/installer/services/whitelist.go"
meta:inventory.binaries=""
meta:inventory.env_vars=""
meta:inventory.config_files=""
meta:inventory.systemd_units=""
meta:inventory.network=""
meta:inventory.privileges="root"
=============================================================================
Index ¶
- func ApplyTmpfiles(exec executor.Executor, log *logging.Logger)
- func CleanStaleFiles(exec executor.Executor, log *logging.Logger)
- func CriticalCoreTimers() []string
- func EnableLogin(exec executor.Executor, log *logging.Logger)
- func EnablePanel(exec executor.Executor, panel detect.PanelType, log *logging.Logger)
- func KnownTimers() []string
- func ReconcileTimers(exec executor.Executor, log *logging.Logger)
- func RestartPolkit(exec executor.Executor, log *logging.Logger)
- func RestartWedgedTimers(ctx context.Context, exec executor.Executor, log *logging.Logger, ...)
- func ShouldReconcile(exec executor.Executor) bool
- func StartDaemon(exec executor.Executor, log *logging.Logger)
- func SyncWhitelist(exec executor.Executor, log *logging.Logger)
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func ApplyTmpfiles ¶ added in v1.76.0
ApplyTmpfiles runs systemd-tmpfiles --create to create runtime directories with correct ownership. The tmpfiles.d config is installed by the package manager to /usr/lib/tmpfiles.d/nftban.conf. This call ensures /run/nftban and other tmpfiles-managed paths exist with correct owner/mode immediately after install (not just on next boot).
func CleanStaleFiles ¶
CleanStaleFiles removes all known stale files from prior NFTBan versions. Errors are logged but never fatal.
func CriticalCoreTimers ¶ added in v1.135.0
func CriticalCoreTimers() []string
CriticalCoreTimers returns the critical core timer unit names, for the install_state critical-timer validator (which lives in another package).
func EnableLogin ¶
EnableLogin runs "nftban login enable" to activate login monitoring. Non-fatal — logs warnings.
func EnablePanel ¶
EnablePanel runs "nftban panel <name> enable" for the detected panel. Non-fatal — logs warnings.
func KnownTimers ¶ added in v1.154.0
func KnownTimers() []string
KnownTimers returns a copy of the canonical full list of nftban timer unit names (every install/systemd/*.timer). Callers that need to iterate all nftban timers — such as the post-install wedge-recovery hardening — use this rather than duplicating a const list. The returned slice is a copy; callers may sort/mutate it freely.
func ReconcileTimers ¶
ReconcileTimers enables and starts all core timers. Controlled by NFTBAN_RECONCILE_CORE_TIMERS in nftban.conf (default: true).
func RestartPolkit ¶ added in v1.76.0
RestartPolkit restarts the polkit service so that newly installed or removed polkit rules take effect. Non-fatal — polkit may not be installed.
func RestartWedgedTimers ¶ added in v1.154.0
func RestartWedgedTimers(ctx context.Context, exec executor.Executor, log *logging.Logger, installedTimers []string)
RestartWedgedTimers performs the D-INSTALL-TIMER-RELOAD post-install hardening pass: a defensive, CONDITIONAL daemon-reload + timer-restart for any nftban timer left in the "wedged" state after install.
Background (fleet finding, V1_142_0_FLEET_ROLLOUT_RECORD §3.3): on one of ten hosts (dns2), nftban-unified-exporter.timer ended up:
    Active: active (elapsed)   ← active but NOT "waiting"
    Trigger: n/a               ← never scheduled
    0 runs in 24h              ← never fired
The manual fix that resolved it was exactly:
systemctl daemon-reload && systemctl restart nftban-unified-exporter.timer
after which the timer returned to `active (waiting), Trigger in Xs`.
This function reproduces that fix defensively at the END of phaseValidate. It is CONDITIONAL (audit-bot 2026-06-01): only timers that are actually wedged are restarted — healthy and inactive timers are left untouched, so the blast radius is "restart only the wedged ones" rather than "restart all timers on every install".
Failure policy is WARN-ONLY / non-fatal (operator-locked), matching the existing installer daemon-reload at phases.go (phaseSwitch step 6). Any error from daemon-reload, the wedge probe, or a restart is logged at Warn and iteration continues; the install state machine is never affected.
installedTimers is the canonical full timer set to consider (pass services.KnownTimers()); timers whose unit file is not installed on this host are skipped.
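The conditional, warn-only pass described for RestartWedgedTimers, as an added example (not NFTBan's own code). The `Runner` type, the names `RecoverWedged` and `isWedged`, and the wedge rule (loaded, active, sub-state `elapsed`) are assumptions made for illustration; the host in `main` is constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// Runner is a hypothetical stand-in for the installer's executor, not the project's API.
type Runner func(args ...string) (string, error)

// isWedged is an assumed rule from the symptom on this page: loaded and active, but "elapsed".
func isWedged(show string) bool {
	has := func(kv string) bool { return strings.Contains("\n"+show+"\n", "\n"+kv+"\n") }
	return has("LoadState=loaded") && has("ActiveState=active") && has("SubState=elapsed")
}

// RecoverWedged restarts only wedged timers; every error is a warning and work continues.
func RecoverWedged(run Runner, timers []string) (restarted, warnings []string) {
	try := func(args ...string) (string, bool) {
		out, err := run(args...)
		if err != nil {
			warnings = append(warnings, strings.Join(args, " ")+": "+err.Error())
		}
		return out, err == nil
	}
	var wedged []string
	for _, t := range timers {
		// A unit that is not installed reports LoadState=not-found and is skipped.
		if out, ok := try("systemctl", "show", "--property=LoadState,ActiveState,SubState", t); ok && isWedged(out) {
			wedged = append(wedged, t)
		}
	}
	if len(wedged) > 0 { // reload only when at least one timer is wedged
		try("systemctl", "daemon-reload") // a failure is only a warning; restarts still run
	}
	for _, t := range wedged {
		if _, ok := try("systemctl", "restart", t); ok {
			restarted = append(restarted, t)
		}
	}
	return restarted, warnings
}

func main() { // constructed host: exporter timer wedged, health timer healthy
	sub := map[string]string{"nftban-unified-exporter.timer": "elapsed", "nftban-health.timer": "waiting"}
	run := func(a ...string) (string, error) { // the unit name is always the last argument
		return "LoadState=loaded\nActiveState=active\nSubState=" + sub[a[len(a)-1]] + "\n", nil
	}
	fmt.Println(RecoverWedged(run, []string{"nftban-unified-exporter.timer", "nftban-health.timer"}))
}
```

On a host where no timer is wedged, the runner sees only the `systemctl show` probes, so the install changes nothing in systemd's state.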
func ShouldReconcile ¶ added in v1.135.0
ShouldReconcile checks if NFTBAN_RECONCILE_CORE_TIMERS is set to true in nftban.conf or nftban.conf.local. Default: true (reconcile).
func StartDaemon ¶
StartDaemon enables nftband.socket and nftband.service. Retries up to 3 times with 1s delay. Non-fatal — logs warnings.
Types ¶
This section is empty.