From 702594ca64c6d9d7c29ee581a3ba1e1458746033 Mon Sep 17 00:00:00 2001
From: Griffin Smith
Date: Sun, 23 May 2021 13:58:24 +0200
Subject: [PATCH] refactor(ops): Break out prometheus-fail2ban-exporter module
Break out the configuration for the prometheus fail2ban exporter, which is a simple python script that exports stats from fail2ban as a prometheus-scrapable textfile, from Mugwump into a reusable nixos module in //ops/nixos/modules.
Change-Id: I5451c9c5de6c7bc4431150ae596a9c758bf1b693
Reviewed-on: https://cl.tvl.fyi/c/depot/+/3136
Tested-by: BuildkiteCI
Reviewed-by: tazjin
---
ops/modules/prometheus-fail2ban-exporter.nix | 52 +++++++++++++++++++
.../prometheus-fail2ban-exporter/default.nix | 17 ++++++
users/grfn/system/system/default.nix | 4 +-
users/grfn/system/system/machines/mugwump.nix | 34 +-----------
4 files changed, 72 insertions(+), 35 deletions(-)
create mode 100644 ops/modules/prometheus-fail2ban-exporter.nix
create mode 100644 third_party/prometheus-fail2ban-exporter/default.nix
diff --git a/ops/modules/prometheus-fail2ban-exporter.nix b/ops/modules/prometheus-fail2ban-exporter.nix
new file mode 100644
index 000000000..349364f9b
--- /dev/null
+++ b/ops/modules/prometheus-fail2ban-exporter.nix
@@ -0,0 +1,52 @@
+{ config, lib, pkgs, depot, ... }:
+
+let
+ cfg = config.services.prometheus-fail2ban-exporter;
+in
+
+{
+ options.services.prometheus-fail2ban-exporter = with lib; {
+ enable = mkEnableOption "Prometheus Fail2ban Exporter";
+
+ interval = mkOption {
+ description = "Systemd calendar expression for how often to run the interval";
+ type = types.string;
+ default = "minutely";
+ example = "hourly";
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ systemd.services."prometheus-fail2ban-exporter" = {
+ wantedBy = [ "multi-user.target" ];
+ after = [ "network.target" "fail2ban.service" ];
+ serviceConfig = {
+ User = "root";
+ Type = "oneshot";
+ ExecStart = pkgs.writeShellScript "prometheus-fail2ban-exporter" ''
+ set -eo pipefail
+ mkdir -p /var/lib/prometheus/node-exporter
+ exec prometheus-fail2ban-exporter
+ '';
+ };
+
+ path = [
+ pkgs.fail2ban
+ depot.third_party.prometheus-fail2ban-exporter
+ ];
+ };
+
+ systemd.timers."prometheus-fail2ban-exporter" = {
+ wantedBy = [ "multi-user.target" ];
+ timerConfig.OnCalendar = cfg.interval;
+ };
+
+ services.prometheus.exporters.node = {
+ enabledCollectors = [ "textfile" ];
+
+ extraFlags = [
+ "--collector.textfile.directory=/var/lib/prometheus/node-exporter"
+ ];
+ };
+ };
+}
diff --git a/third_party/prometheus-fail2ban-exporter/default.nix b/third_party/prometheus-fail2ban-exporter/default.nix
new file mode 100644
index 000000000..bed5bd630
--- /dev/null
+++ b/third_party/prometheus-fail2ban-exporter/default.nix
@@ -0,0 +1,17 @@
+{ pkgs, ... }:
+
+let
+ script = pkgs.fetchurl {
+ url = "https://raw.githubusercontent.com/jangrewe/prometheus-fail2ban-exporter/11066950b47bb2dbef96ea8544f76e46ed829e81/fail2ban-exporter.py";
+ sha256 = "049lsvw1nj65bbvp8ygyz3743ayzdawrbjixaxmpm03qbrcfmwc4";
+ };
+
+ python = pkgs.python3.withPackages (p: [
+ p.prometheus_client
+ ]);
+
+in pkgs.writeShellScriptBin "prometheus-fail2ban-exporter" ''
+ set -eo pipefail
+
+ exec "${python}/bin/python" "${script}"
+''
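Review bot: `type = types.string;` on the new `interval` option is the deprecated string type (its merge function concatenates definitions, which is why nixpkgs warns on it); since the value goes straight into `timerConfig.OnCalendar`, use `type = types.str;` so two modules setting it conflict loudly instead of producing a glued-together calendar expression. The option's description also reads "how often to run the interval"; I'd make it `description = "Systemd calendar expression for how often to run the exporter";`. Separately, the oneshot runs as `User = "root"` every minute and executes a script fetched from GitHub; fail2ban's control socket presumably needs root, but I'd still add `ProtectSystem = "strict"; ReadWritePaths = [ "/var/lib/prometheus/node-exporter" ]; NoNewPrivileges = true;` to `serviceConfig` so a buggy or compromised exporter can only touch the textfile directory. The timer's `wantedBy` is conventionally `[ "timers.target" ]` rather than `multi-user.target`.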
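Review bot: The new third_party wrapper pins the upstream script by commit hash and sha256 (good supply-chain hygiene) but says nothing about where it comes from or how to bump it, so the next person is likely to repoint `url` at a branch and break reproducibility. I'd put a header above `script = pkgs.fetchurl {` such as `# Upstream: github.com/jangrewe/prometheus-fail2ban-exporter, pinned to a commit; bump url and sha256 together, never point at a branch.`. The wrapper also only puts python on the path and relies on the caller (the ops module's `path = [ pkgs.fail2ban ... ]`) to make `fail2ban-client` reachable; if the script does shell out to it, consider prepending `PATH="${pkgs.fail2ban}/bin:$PATH"` before the `exec` so the package works standalone. `set -eo pipefail` in front of a single `exec` is harmless but does nothing and could be dropped.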
diff --git a/users/grfn/system/system/default.nix b/users/grfn/system/system/default.nix
index 503b3a204..489be1369 100644
--- a/users/grfn/system/system/default.nix
+++ b/users/grfn/system/system/default.nix
@@ -9,9 +9,7 @@ rec {
 mugwump = import ./machines/mugwump.nix;
- mugwumpSystem = (depot.third_party.nixos {
- configuration = mugwump;
- }).system;
+ mugwumpSystem = (depot.ops.nixos.nixosFor mugwump).system;
 roswell = import ./machines/roswell.nix;
diff --git a/users/grfn/system/system/machines/mugwump.nix b/users/grfn/system/system/machines/mugwump.nix
index f9b6e0a1d..6a95635c9 100644
--- a/users/grfn/system/system/machines/mugwump.nix
+++ b/users/grfn/system/system/machines/mugwump.nix
@@ -1,4 +1,4 @@
-{ config, lib, pkgs, modulesPath, ... }:
+{ config, lib, pkgs, modulesPath, depot, ... }:
 with lib;
@@ -6,6 +6,7 @@ with lib;
 imports = [
 ../modules/common.nix
 (modulesPath + "/installer/scan/not-detected.nix")
+ "${depot.path}/ops/modules/prometheus-fail2ban-exporter.nix"
 ];
 networking.hostName = "mugwump";
@@ -158,11 +159,6 @@ with lib;
 "systemd"
 "tcpstat"
 "wifi"
- "textfile"
- ];
-
- extraFlags = [
- "--collector.textfile.directory=/var/lib/prometheus/node-exporter"
 ];
 };
@@ -230,32 +226,6 @@ with lib;
 }];
 };
- systemd.services."prometheus-fail2ban-exporter" = {
- wantedBy = [ "multi-user.target" ];
- after = [ "network.target" "fail2ban.service" ];
- serviceConfig = {
- User = "root";
- Type = "oneshot";
- ExecStart = pkgs.writeShellScript "prometheus-fail2ban-exporter" ''
- set -eo pipefail
- mkdir -p /var/lib/prometheus/node-exporter
- exec ${pkgs.python3.withPackages (p: [
- p.prometheus_client
- ])}/bin/python ${pkgs.fetchurl {
- url = "https://raw.githubusercontent.com/jangrewe/prometheus-fail2ban-exporter/11066950b47bb2dbef96ea8544f76e46ed829e81/fail2ban-exporter.py";
- sha256 = "049lsvw1nj65bbvp8ygyz3743ayzdawrbjixaxmpm03qbrcfmwc4";
- }}
- '';
- };
-
- path = with pkgs; [ fail2ban ];
- };
-
- systemd.timers."prometheus-fail2ban-exporter" = {
- wantedBy = [ "multi-user.target" ];
- timerConfig.OnCalendar = "minutely";
- };
-
 virtualisation.docker.enable = true;
 services.buildkite-agents = listToAttrs (map (n: rec {