feat(gs/mugwump): Enable prometheus-fail2ban-exporter

Change-Id: I200f206b609675632ad6103c84cc37b629ef9708
Reviewed-on: https://cl.tvl.fyi/c/depot/+/2025
Reviewed-by: glittershark <grfn@gws.fyi>
Tested-by: BuildkiteCI

users/glittershark/system/system/machines/mugwump.nix

@@ -123,6 +123,11 @@ with lib;
           "systemd"
           "tcpstat"
           "wifi"
+          "textfile"
+        ];
+
+        extraFlags = [
+          "--collector.textfile.directory=/var/lib/prometheus/node-exporter"
         ];
       };
 
@@ -141,6 +146,32 @@ with lib;
     }];
   };
 
+  systemd.services."prometheus-fail2ban-exporter" = {
+    wantedBy = [ "multi-user.target" ];
+    after = [ "network.target" "fail2ban.service" ];
+    serviceConfig = {
+      User = "root";
+      Type = "oneshot";
+      ExecStart = pkgs.writeShellScript "prometheus-fail2ban-exporter" ''
+        set -eo pipefail
+        mkdir -p /var/lib/prometheus/node-exporter
+        exec ${pkgs.python3.withPackages (p: [
+          p.prometheus_client
+        ])}/bin/python ${pkgs.fetchurl {
+          url = "https://raw.githubusercontent.com/jangrewe/prometheus-fail2ban-exporter/11066950b47bb2dbef96ea8544f76e46ed829e81/fail2ban-exporter.py";
+          sha256 = "049lsvw1nj65bbvp8ygyz3743ayzdawrbjixaxmpm03qbrcfmwc4";
+        }}
+      '';
+    };
+
+    path = with pkgs; [ fail2ban ];
+  };
+
+  systemd.timers."prometheus-fail2ban-exporter" = {
+    wantedBy = [ "multi-user.target" ];
+    timerConfig.OnCalendar = "minutely";
+  };
+
   security.acme.certs."metrics.gws.fyi" = {
     dnsProvider = "namecheap";
     credentialsFile = "/etc/secrets/namecheap.env";