refactor(ops): Break out prometheus-fail2ban-exporter module
Break out the configuration for the prometheus fail2ban exporter, which is a simple python script that exports stats from fail2ban as a prometheus-scrapable textfile, from Mugwump into a reusable nixos module in //ops/nixos/modules. Change-Id: I5451c9c5de6c7bc4431150ae596a9c758bf1b693 Reviewed-on: https://cl.tvl.fyi/c/depot/+/3136 Tested-by: BuildkiteCI Reviewed-by: tazjin <mail@tazj.in>
parent
8587bb5f67
commit
702594ca64
4 changed files with 72 additions and 35 deletions
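--- a/ops/modules/prometheus-fail2ban-exporter.nix
+++ b/ops/modules/prometheus-fail2ban-exporter.nix
@@ -0,0 +1,52 @@
+{ config, lib, pkgs, depot, ... }:
+
+let
+cfg = config.services.prometheus-fail2ban-exporter;
+in
+
+{
+options.services.prometheus-fail2ban-exporter = with lib; {
+enable = mkEnableOption "Prometheus Fail2ban Exporter";
+
+interval = mkOption {
+description = "Systemd calendar expression for how often to run the interval";
+type = types.string;
+default = "minutely";
+example = "hourly";
+};
+};
+
+config = lib.mkIf cfg.enable {
+systemd.services."prometheus-fail2ban-exporter" = {
+wantedBy = [ "multi-user.target" ];
+after = [ "network.target" "fail2ban.service" ];
+serviceConfig = {
+User = "root";
+Type = "oneshot";
+ExecStart = pkgs.writeShellScript "prometheus-fail2ban-exporter" ''
+set -eo pipefail
+mkdir -p /var/lib/prometheus/node-exporter
+exec prometheus-fail2ban-exporter
+'';
+};
+
+path = [
+pkgs.fail2ban
+depot.third_party.prometheus-fail2ban-exporter
+];
+};
+
+systemd.timers."prometheus-fail2ban-exporter" = {
+wantedBy = [ "multi-user.target" ];
+timerConfig.OnCalendar = cfg.interval;
+};
+
+services.prometheus.exporters.node = {
+enabledCollectors = [ "textfile" ];
+
+extraFlags = [
+"--collector.textfile.directory=/var/lib/prometheus/node-exporter"
+];
+};
+};
+}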
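Review bot: The unit's `serviceConfig` keeps `User = "root";` with no sandboxing, and now that this is a reusable module, every host that enables it runs a script fetched from a third-party repository as root on each timer tick. If root is only needed to query fail2ban (the reason is not visible in this file), state that in a comment above `User`, and add low-risk hardening such as `NoNewPrivileges = true;`, `ProtectHome = true;` and `PrivateTmp = true;`. `StateDirectory = "prometheus/node-exporter";` could also replace the `mkdir -p` in `ExecStart`, though that should be tested against the node exporter's read access. Separately, `types.string` on `interval` is deprecated in nixpkgs in favour of `types.str`, and the option description should say "how often to run the exporter" rather than "the interval".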
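--- a/third_party/prometheus-fail2ban-exporter/default.nix
+++ b/third_party/prometheus-fail2ban-exporter/default.nix
@@ -0,0 +1,17 @@
+{ pkgs, ... }:
+
+let
+script = pkgs.fetchurl {
+url = "https://raw.githubusercontent.com/jangrewe/prometheus-fail2ban-exporter/11066950b47bb2dbef96ea8544f76e46ed829e81/fail2ban-exporter.py";
+sha256 = "049lsvw1nj65bbvp8ygyz3743ayzdawrbjixaxmpm03qbrcfmwc4";
+};
+
+python = pkgs.python3.withPackages (p: [
+p.prometheus_client
+]);
+
+in pkgs.writeShellScriptBin "prometheus-fail2ban-exporter" ''
+set -eo pipefail
+
+exec "${python}/bin/python" "${script}"
+''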
|
@ -9,9 +9,7 @@ rec {
|
|||
|
||||
mugwump = import ./machines/mugwump.nix;
|
||||
|
||||
mugwumpSystem = (depot.third_party.nixos {
|
||||
configuration = mugwump;
|
||||
}).system;
|
||||
mugwumpSystem = (depot.ops.nixos.nixosFor mugwump).system;
|
||||
|
||||
roswell = import ./machines/roswell.nix;
|
||||
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
{ config, lib, pkgs, modulesPath, ... }:
|
||||
{ config, lib, pkgs, modulesPath, depot, ... }:
|
||||
|
||||
with lib;
|
||||
|
||||
|
@ -6,6 +6,7 @@ with lib;
|
|||
imports = [
|
||||
../modules/common.nix
|
||||
(modulesPath + "/installer/scan/not-detected.nix")
|
||||
"${depot.path}/ops/modules/prometheus-fail2ban-exporter.nix"
|
||||
];
|
||||
|
||||
networking.hostName = "mugwump";
|
||||
|
@ -158,11 +159,6 @@ with lib;
|
|||
"systemd"
|
||||
"tcpstat"
|
||||
"wifi"
|
||||
"textfile"
|
||||
];
|
||||
|
||||
extraFlags = [
|
||||
"--collector.textfile.directory=/var/lib/prometheus/node-exporter"
|
||||
];
|
||||
};
|
||||
|
||||
|
@ -230,32 +226,6 @@ with lib;
|
|||
}];
|
||||
};
|
||||
|
||||
systemd.services."prometheus-fail2ban-exporter" = {
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
after = [ "network.target" "fail2ban.service" ];
|
||||
serviceConfig = {
|
||||
User = "root";
|
||||
Type = "oneshot";
|
||||
ExecStart = pkgs.writeShellScript "prometheus-fail2ban-exporter" ''
|
||||
set -eo pipefail
|
||||
mkdir -p /var/lib/prometheus/node-exporter
|
||||
exec ${pkgs.python3.withPackages (p: [
|
||||
p.prometheus_client
|
||||
])}/bin/python ${pkgs.fetchurl {
|
||||
url = "https://raw.githubusercontent.com/jangrewe/prometheus-fail2ban-exporter/11066950b47bb2dbef96ea8544f76e46ed829e81/fail2ban-exporter.py";
|
||||
sha256 = "049lsvw1nj65bbvp8ygyz3743ayzdawrbjixaxmpm03qbrcfmwc4";
|
||||
}}
|
||||
'';
|
||||
};
|
||||
|
||||
path = with pkgs; [ fail2ban ];
|
||||
};
|
||||
|
||||
systemd.timers."prometheus-fail2ban-exporter" = {
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
timerConfig.OnCalendar = "minutely";
|
||||
};
|
||||
|
||||
virtualisation.docker.enable = true;
|
||||
|
||||
services.buildkite-agents = listToAttrs (map (n: rec {
|
||||
|
|
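Review bot: Nothing in this commit sets `services.prometheus-fail2ban-exporter.enable = true;` for mugwump, so the refactor appears to switch the exporter off rather than move it. The import hunk pulls in the module, but the module's `config` is wrapped in `lib.mkIf cfg.enable` and `mkEnableOption` defaults to false; the 72 additions in the diffstat are fully accounted for by the two new files plus three one-line changes. As written, the last two hunks remove the service, the timer and the textfile collector flags, and the host stops exporting fail2ban metrics, which silently drops ban activity from monitoring and from any alerting built on it. Add the enable line to this machine config in the same change.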