refactor(ops): Break out prometheus-fail2ban-exporter module

Break out the configuration for the prometheus fail2ban exporter, which
is a simple python script that exports stats from fail2ban as a
prometheus-scrapable textfile, from Mugwump into a reusable nixos module
in //ops/nixos/modules.

Change-Id: I5451c9c5de6c7bc4431150ae596a9c758bf1b693
Reviewed-on: https://cl.tvl.fyi/c/depot/+/3136
Tested-by: BuildkiteCI
Reviewed-by: tazjin <mail@tazj.in>
This commit is contained in:
Griffin Smith 2021-05-23 13:58:24 +02:00 committed by grfn
parent 8587bb5f67
commit 702594ca64
4 changed files with 72 additions and 35 deletions

View file

@ -0,0 +1,52 @@
{ config, lib, pkgs, depot, ... }:
let
cfg = config.services.prometheus-fail2ban-exporter;
in
{
options.services.prometheus-fail2ban-exporter = with lib; {
enable = mkEnableOption "Prometheus Fail2ban Exporter";
interval = mkOption {
description = "Systemd calendar expression for how often to run the interval";
type = types.string;
default = "minutely";
example = "hourly";
};
};
config = lib.mkIf cfg.enable {
systemd.services."prometheus-fail2ban-exporter" = {
wantedBy = [ "multi-user.target" ];
after = [ "network.target" "fail2ban.service" ];
serviceConfig = {
User = "root";
Type = "oneshot";
ExecStart = pkgs.writeShellScript "prometheus-fail2ban-exporter" ''
set -eo pipefail
mkdir -p /var/lib/prometheus/node-exporter
exec prometheus-fail2ban-exporter
'';
};
path = [
pkgs.fail2ban
depot.third_party.prometheus-fail2ban-exporter
];
};
systemd.timers."prometheus-fail2ban-exporter" = {
wantedBy = [ "multi-user.target" ];
timerConfig.OnCalendar = cfg.interval;
};
services.prometheus.exporters.node = {
enabledCollectors = [ "textfile" ];
extraFlags = [
"--collector.textfile.directory=/var/lib/prometheus/node-exporter"
];
};
};
}

View file

@ -0,0 +1,17 @@
{ pkgs, ... }:
let
script = pkgs.fetchurl {
url = "https://raw.githubusercontent.com/jangrewe/prometheus-fail2ban-exporter/11066950b47bb2dbef96ea8544f76e46ed829e81/fail2ban-exporter.py";
sha256 = "049lsvw1nj65bbvp8ygyz3743ayzdawrbjixaxmpm03qbrcfmwc4";
};
python = pkgs.python3.withPackages (p: [
p.prometheus_client
]);
in pkgs.writeShellScriptBin "prometheus-fail2ban-exporter" ''
set -eo pipefail
exec "${python}/bin/python" "${script}"
''

View file

@ -9,9 +9,7 @@ rec {
mugwump = import ./machines/mugwump.nix;
mugwumpSystem = (depot.third_party.nixos {
configuration = mugwump;
}).system;
mugwumpSystem = (depot.ops.nixos.nixosFor mugwump).system;
roswell = import ./machines/roswell.nix;

View file

@ -1,4 +1,4 @@
{ config, lib, pkgs, modulesPath, ... }:
{ config, lib, pkgs, modulesPath, depot, ... }:
with lib;
@ -6,6 +6,7 @@ with lib;
imports = [
../modules/common.nix
(modulesPath + "/installer/scan/not-detected.nix")
"${depot.path}/ops/modules/prometheus-fail2ban-exporter.nix"
];
networking.hostName = "mugwump";
@ -158,11 +159,6 @@ with lib;
"systemd"
"tcpstat"
"wifi"
"textfile"
];
extraFlags = [
"--collector.textfile.directory=/var/lib/prometheus/node-exporter"
];
};
@ -230,32 +226,6 @@ with lib;
}];
};
systemd.services."prometheus-fail2ban-exporter" = {
wantedBy = [ "multi-user.target" ];
after = [ "network.target" "fail2ban.service" ];
serviceConfig = {
User = "root";
Type = "oneshot";
ExecStart = pkgs.writeShellScript "prometheus-fail2ban-exporter" ''
set -eo pipefail
mkdir -p /var/lib/prometheus/node-exporter
exec ${pkgs.python3.withPackages (p: [
p.prometheus_client
])}/bin/python ${pkgs.fetchurl {
url = "https://raw.githubusercontent.com/jangrewe/prometheus-fail2ban-exporter/11066950b47bb2dbef96ea8544f76e46ed829e81/fail2ban-exporter.py";
sha256 = "049lsvw1nj65bbvp8ygyz3743ayzdawrbjixaxmpm03qbrcfmwc4";
}}
'';
};
path = with pkgs; [ fail2ban ];
};
systemd.timers."prometheus-fail2ban-exporter" = {
wantedBy = [ "multi-user.target" ];
timerConfig.OnCalendar = "minutely";
};
virtualisation.docker.enable = true;
services.buildkite-agents = listToAttrs (map (n: rec {