Unverified Commit dd3c9801 authored by Sandro Jäckel's avatar Sandro Jäckel Committed by GitHub

prometheus-fail2ban-exporter: init at 0.10.3, nixos/prometheus-exporters/fail2ban: init (#494160)

parents cf146212 b6456d64
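--- a/<PATH-NOT-SHOWN:maintainer-list>
+++ b/<PATH-NOT-SHOWN:maintainer-list>
@@ -3023,6 +3023,14 @@
     githubId = 75235;
     name = "Michael Walker";
   };
+  bartoostveen = {
+    name = "Bart Oostveen";
+    github = "bartoostveen";
+    githubId = 50515369;
+    email = "bart@bartoostveen.nl";
+    matrix = "@bart:bartoostveen.nl";
+    keys = [ { fingerprint = "81FF AB19 BAA5 6FFD 6571  890B 992D 94B5 7AC4 3430"; } ];
+  };
   bartuka = {
     email = "wand@hey.com";
     github = "wandersoncferreira";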
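--- a/<PATH-NOT-SHOWN:exporters.nix>
+++ b/<PATH-NOT-SHOWN:exporters.nix>
@@ -62,6 +62,7 @@ let
         "domain"
         "dovecot"
         "ebpf"
+        "fail2ban"
         "fastly"
         "flow"
         "fritz"
@@ -337,6 +338,31 @@ let
       services.udev.extraRules = mkIf (name == "smartctl") ''
         ACTION=="add", SUBSYSTEM=="nvme", KERNEL=="nvme[0-9]*", RUN+="${pkgs.acl}/bin/setfacl -m g:smartctl-exporter-access:rw /dev/$kernel"
       '';
+      systemd.services.prometheus-fail2ban-exporter-setup =
+        mkIf (config.services.fail2ban.enable && name == "fail2ban")
+          {
+            description = "Set fail2ban socket ACLs";
+            after = [ "fail2ban.service" ];
+            requires = [ "fail2ban.service" ];
+            before = [ "prometheus-fail2ban-exporter.service" ];
+            wantedBy = [ "prometheus-fail2ban-exporter.service" ];
+            path = [
+              pkgs.acl
+              pkgs.coreutils
+            ];
+            script = ''
+              while [ ! -S ${conf.fail2banSocket} ]; do
+                sleep 0.1
+              done
+
+              setfacl -m u:${conf.user}:x $(dirname ${conf.fail2banSocket})
+              setfacl -m u:${conf.user}:rwx ${conf.fail2banSocket}
+            '';
+            serviceConfig = {
+              Type = "oneshot";
+              User = "root";
+            };
+          };
       networking.firewall.extraCommands = mkIf (conf.openFirewall && !nftables) (concatStrings [
         "ip46tables -A nixos-fw ${conf.firewallFilter} "
         "-m comment --comment ${name}-exporter -j nixos-fw-accept"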
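Review bot: `setfacl -m u:${conf.user}:rwx ${conf.fail2banSocket}` in the setup script grants more than the exporter needs, and what it does need is already full control: connecting to a Unix socket requires write permission, and fail2ban's command socket does not distinguish read-only clients, so the exporter user can issue any fail2ban command (unbanning addresses, for example). Since `x` has no meaning on a socket inode, `rw` is the minimum, and the trust being extended to the exporter user deserves a comment such as `# write access to the fail2ban socket is control access: the exporter user can run any fail2ban command`. The `while [ ! -S … ]` loop has no upper bound, so a wrong socket path makes this oneshot — and the exporter unit ordered after it — hang, and because `Type=oneshot` units have no start timeout by default nothing ever reports the failure; a bounded wait such as `for _ in $(seq 1 300); do [ -S "${conf.fail2banSocket}" ] && break; sleep 0.1; done` followed by `[ -S "${conf.fail2banSocket}" ] || exit 1` fails loudly instead (quoting the path also covers paths containing spaces). It also looks like the ACL is lost whenever fail2ban recreates its socket on restart, because nothing reruns this unit then; `partOf = [ "fail2ban.service" ]` might be worth checking.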
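--- /dev/null
+++ b/<PATH-NOT-SHOWN:exporters/fail2ban.nix>
@@ -0,0 +1,82 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+let
+  cfg = config.services.prometheus.exporters.fail2ban;
+
+  inherit (lib)
+    mkOption
+    types
+    getExe
+    optionalString
+    mkIf
+    ;
+in
+{
+  port = 9191;
+  extraOpts = {
+    host = mkOption {
+      description = "The host that the fail2ban exporter should listen on";
+      type = types.str;
+      default = "127.0.0.1";
+      example = "0.0.0.0";
+    };
+    fail2banSocket = mkOption {
+      description = "Path to the fail2ban server socket. Permissions will be set automatically if fail2ban runs on this system.";
+      type = types.str;
+      default = config.services.fail2ban.daemonSettings.Definition.socket;
+      defaultText = "config.services.fail2ban.daemonSettings.Definition.socket";
+    };
+    exitOnError = mkOption {
+      description = "When set to true the exporter will immediately exit on a fail2ban socket connection error";
+      type = types.bool;
+      default = true;
+      example = false;
+    };
+    username = mkOption {
+      description = "Username to protect endpoints with HTTP basic authentication";
+      type = types.nullOr types.str;
+      default = null;
+      example = "admin";
+    };
+    passwordFile = mkOption {
+      description = "File that contains the password to protect endpoints with HTTP basic authentication";
+      type = types.nullOr types.path;
+      default = null;
+      example = "/run/secrets/prometheus-fail2ban-exporter-password.txt";
+    };
+  };
+
+  assertions = [
+    {
+      assertion = (cfg.username != null) -> (cfg.passwordFile != null);
+      message = "Setting an http basic auth username requires the password to be non-null";
+    }
+  ];
+
+  serviceOpts = {
+    requires = mkIf config.services.fail2ban.enable [ "prometheus-fail2ban-exporter-setup.service" ];
+    serviceConfig = {
+      DynamicUser = false;
+      ExecStart = ''
+        ${getExe pkgs.prometheus-fail2ban-exporter} \
+          ${optionalString cfg.exitOnError ''--collector.f2b.exit-on-socket-connection-error \''}
+          ${optionalString (cfg.username != null) ''
+            --web.basic-auth.username="${cfg.username}" \
+            --web.basic-auth.password="$(cat ${cfg.passwordFile})" \
+          ''}
+          --web.listen-address="${cfg.host}:${toString cfg.port}" \
+          --collector.f2b.socket=${cfg.fail2banSocket}
+      '';
+      RestrictAddressFamilies = [
+        "AF_INET"
+        "AF_INET6"
+        "AF_UNIX"
+      ];
+    };
+  };
+}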
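Review bot: `--web.basic-auth.password="$(cat ${cfg.passwordFile})"` in `ExecStart` depends on shell command substitution, which systemd does not perform for `ExecStart=` itself; unless the exporter framework outside this file wraps the command in a shell, the exporter receives that literal string as its password and the secret in `passwordFile` never takes effect. Even where it is expanded, the password becomes an argv element readable by every local user through `/proc/<pid>/cmdline`, which defeats the purpose of keeping it in a file. If the exporter can take the password from a file or an environment variable, `serviceConfig.LoadCredential` together with `$CREDENTIALS_DIRECTORY` keeps it off the command line; otherwise the `passwordFile` description should at least say that its contents end up in the process command line. `DynamicUser = false` also deserves a why-comment, presumably because the setup unit must grant the socket ACL to a stable user — `# stable user so the fail2ban socket ACL set by the setup unit applies`.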
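--- a/<PATH-NOT-SHOWN:prometheus-exporters test>
+++ b/<PATH-NOT-SHOWN:prometheus-exporters test>
@@ -436,6 +436,24 @@ let
         '';
       };
 
+    fail2ban =
+      { ... }:
+      {
+        exporterConfig = {
+          enable = true;
+          exitOnError = true;
+        };
+        metricProvider = {
+          services.fail2ban.enable = true;
+        };
+        exporterTest = ''
+          wait_for_unit("fail2ban.service")
+          wait_for_unit("prometheus-fail2ban-exporter.service")
+          wait_for_open_port(9191)
+          succeed("curl -sSf http://localhost:9191/metrics | grep 'f2b_errors'")
+        '';
+      };
+
     fastly =
       { pkgs, ... }:
       {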
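Review bot: The new `exporterTest` only checks that `f2b_errors` appears in the scrape and never exercises the `username`/`passwordFile` path, which is the part of the module most likely to misbehave because the password is spliced into `ExecStart` via `$(cat …)` rather than read by the exporter. A second case that sets `username` and a `passwordFile`, then asserts that an unauthenticated `curl` of `/metrics` is rejected and one with `-u` succeeds, would cover both the credential handling and the assertion in the module. The `fastly` entry that follows begins inside the hunk but its body continues outside it.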
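--- /dev/null
+++ b/<PATH-NOT-SHOWN:prometheus-fail2ban-exporter/package.nix>
@@ -0,0 +1,31 @@
+{
+  lib,
+  buildGoModule,
+  fetchFromGitLab,
+}:
+
+buildGoModule (finalAttrs: {
+  pname = "prometheus-fail2ban-exporter";
+  version = "0.10.3";
+
+  src = fetchFromGitLab {
+    owner = "hctrdev";
+    repo = "fail2ban-prometheus-exporter";
+    tag = "v${finalAttrs.version}";
+    hash = "sha256-CyYGY6SovnvgExB22G+LEKRDRzbDZWhWUjctJMkprYs=";
+  };
+
+  vendorHash = "sha256-ogdRXbS1EG402qlnj5SfuI/1P/Pi0+xwJrJsc6vwdds=";
+
+  ldflags = [ "-s" ];
+
+  meta = {
+    description = "Collect and export metrics on Fail2Ban";
+    homepage = "https://gitlab.com/hctrdev/fail2ban-prometheus-exporter";
+    license = lib.licenses.mit;
+    mainProgram = "fail2ban-prometheus-exporter";
+    maintainers = with lib.maintainers; [
+      bartoostveen
+    ];
+  };
+})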