feat: Remove fail2ban

configuration/default.nix

@@ -18,7 +18,6 @@
     ./services/backups.nix
     ./services/battery-manager.nix
     ./services/conduit.nix
-    ./services/fail2ban.nix
     ./services/foundryvtt.nix
     ./services/gitea.nix
     ./services/metrics

configuration/services/fail2ban.nix

@@ -1,43 +0,0 @@
-{ pkgs, ... }:
-{
-  services.fail2ban = {
-    enable = true;
-    extraPackages = [ pkgs.ipset ];
-    banaction = "iptables-ipset-proto6-allports";
-    bantime-increment.enable = true;
-
-    jails = {
-      nginx-botsearch = ''
-        enabled = true
-        logpath = /var/log/nginx/access.log
-      '';
-    };
-
-    ignoreIP = [
-      "127.0.0.0/8"
-      "10.0.0.0/8"
-      "172.16.0.0/12"
-      "192.168.0.0/16"
-    ];
-  };
-
-  # Allow metrics services to connect to the socket as well
-  users.groups.fail2ban = { };
-  systemd.services.fail2ban.serviceConfig = {
-    ExecStartPost =
-      "+"
-      + (pkgs.writeShellScript "fail2ban-post-start" ''
-        while ! [ -S /var/run/fail2ban/fail2ban.sock ]; do
-            sleep 1
-        done
-
-        while ! ${pkgs.netcat}/bin/nc -zU /var/run/fail2ban/fail2ban.sock; do
-            sleep 1
-        done
-
-        ${pkgs.coreutils}/bin/chown root:fail2ban /var/run/fail2ban /var/run/fail2ban/fail2ban.sock
-        ${pkgs.coreutils}/bin/chmod 660 /var/run/fail2ban/fail2ban.sock
-        ${pkgs.coreutils}/bin/chmod 710 /var/run/fail2ban
-      '');
-  };
-}

configuration/services/gitea.nix

@@ -59,24 +59,6 @@ in
       };
     };
 
-  # Block repeated failed login attempts
-  #
-  # TODO(tlater): Update this - we switched to forgejo, who knows what
-  # the new matches are.
-  # environment.etc = {
-  #   "fail2ban/filter.d/gitea.conf".text = ''
-  #     [Definition]
-  #     failregex = .*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from <HOST>
-  #     journalmatch = _SYSTEMD_UNIT=forgejo.service + _COMM=forgejo + SYSLOG_IDENTIFIER=forgejo
-  #   '';
-  # };
-
-  # services.fail2ban.jails = {
-  #   gitea = ''
-  #     enabled = true
-  #   '';
-  # };
-
   services.backups.forgejo = {
     user = "forgejo";
     paths = [

configuration/services/metrics/exporters.nix

@@ -68,34 +68,6 @@ in
       };
     };
 
-    extraExporters = {
-      fail2ban =
-        let
-          cfg = config.services.prometheus.extraExporters.fail2ban;
-        in
-        {
-          port = 9191;
-          serviceOpts = {
-            after = [ "fail2ban.service" ];
-            requires = [ "fail2ban.service" ];
-            serviceConfig = {
-              Group = "fail2ban";
-              RestrictAddressFamilies = [
-                "AF_UNIX"
-                "AF_INET"
-                "AF_INET6"
-              ];
-              ExecStart = lib.concatStringsSep " " [
-                "${pkgs.local.prometheus-fail2ban-exporter}/bin/fail2ban-prometheus-exporter"
-                "--collector.f2b.socket=/var/run/fail2ban/fail2ban.sock"
-                "--web.listen-address='${cfg.listenAddress}:${toString cfg.port}'"
-                "--collector.f2b.exit-on-socket-connection-error=true"
-              ];
-            };
-          };
-        };
-    };
-
     # TODO(tlater):
     #   - wireguard (?)
     #   - postgres (?)

configuration/services/metrics/options.nix

@@ -12,6 +12,7 @@ in
   options = {
     services.prometheus = {
       extraExporters = mkOption {
+        default = { };
         type = types.attrsOf (
           types.submodule {
             options = {

configuration/services/nextcloud.nix

@@ -70,29 +70,6 @@ in
     # The upstream module already adds HSTS
   };
 
-  # Block repeated failed login attempts
-  environment.etc = {
-    "fail2ban/filter.d/nextcloud.conf".text = ''
-      [Definition]
-      _groupsre = (?:(?:,?\s*"\w+":(?:"[^"]+"|\w+))*)
-      failregex = \{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Login failed:
-                  \{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Trusted domain error.
-      datepattern = ,?\s*"time"\s*:\s*"%%Y-%%m-%%d[T ]%%H:%%M:%%S(%%z)?"
-      journalmatch = SYSLOG_IDENTIFIER=Nextcloud
-    '';
-  };
-
-  services.fail2ban.jails = {
-    nextcloud = ''
-      enabled = true
-
-      # Nextcloud does some throttling already, so we need to set
-      # these to something bigger.
-      findtime = 43200
-      bantime = 86400
-    '';
-  };
-
   services.backups.nextcloud = {
     user = "nextcloud";
     paths = [

flake.lock

@@ -114,44 +114,10 @@
         "type": "github"
       }
     },
-    "flake-compat_3": {
-      "flake": false,
-      "locked": {
-        "lastModified": 1696426674,
-        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
-        "owner": "edolstra",
-        "repo": "flake-compat",
-        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
-        "type": "github"
-      },
-      "original": {
-        "owner": "edolstra",
-        "repo": "flake-compat",
-        "type": "github"
-      }
-    },
     "flake-utils": {
       "inputs": {
         "systems": "systems_2"
       },
-      "locked": {
-        "lastModified": 1731533236,
-        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
-        "type": "github"
-      },
-      "original": {
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "type": "github"
-      }
-    },
-    "flake-utils_2": {
-      "inputs": {
-        "systems": "systems_3"
-      },
       "locked": {
         "lastModified": 1726560853,
         "narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=",
@@ -272,37 +238,15 @@
         "type": "github"
       }
     },
-    "nvfetcher": {
-      "inputs": {
-        "flake-compat": "flake-compat_2",
-        "flake-utils": "flake-utils",
-        "nixpkgs": [
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1732501185,
-        "narHash": "sha256-Z0BpHelaGQsE5VD9hBsBHsvMU9h+Xt0kfkDJyFivZOU=",
-        "owner": "berberman",
-        "repo": "nvfetcher",
-        "rev": "bdb14eab6fe9cefc29efe01e60c3a3f616d6b62a",
-        "type": "github"
-      },
-      "original": {
-        "owner": "berberman",
-        "repo": "nvfetcher",
-        "type": "github"
-      }
-    },
     "poetry2nixi": {
       "inputs": {
-        "flake-utils": "flake-utils_2",
+        "flake-utils": "flake-utils",
         "nix-github-actions": "nix-github-actions",
         "nixpkgs": [
           "sonnenshift",
           "nixpkgs"
         ],
-        "systems": "systems_4",
+        "systems": "systems_3",
         "treefmt-nix": "treefmt-nix"
       },
       "locked": {
@@ -321,7 +265,7 @@
     },
     "purescript-overlay": {
       "inputs": {
-        "flake-compat": "flake-compat_3",
+        "flake-compat": "flake-compat_2",
         "nixpkgs": [
           "tlaternet-webserver",
           "dream2nix",
@@ -367,7 +311,6 @@
         "foundryvtt": "foundryvtt",
         "nixpkgs": "nixpkgs_2",
         "nixpkgs-unstable": "nixpkgs-unstable",
-        "nvfetcher": "nvfetcher",
         "sonnenshift": "sonnenshift",
         "sops-nix": "sops-nix",
         "tlaternet-webserver": "tlaternet-webserver"
@@ -485,21 +428,6 @@
       }
     },
     "systems_3": {
-      "locked": {
-        "lastModified": 1681028828,
-        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
-        "owner": "nix-systems",
-        "repo": "default",
-        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-systems",
-        "repo": "default",
-        "type": "github"
-      }
-    },
-    "systems_4": {
       "locked": {
         "lastModified": 1681028828,
         "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",

flake.nix

@@ -13,10 +13,6 @@
       url = "github:Mic92/sops-nix";
       inputs.nixpkgs.follows = "nixpkgs";
     };
-    nvfetcher = {
-      url = "github:berberman/nvfetcher";
-      inputs.nixpkgs.follows = "nixpkgs";
-    };
     tlaternet-webserver = {
       url = "git+https://gitea.tlater.net/tlaternet/tlaternet.git";
       inputs.nixpkgs.follows = "nixpkgs";
@@ -37,7 +33,6 @@
       self,
       nixpkgs,
       sops-nix,
-      nvfetcher,
       deploy-rs,
       ...
     }@inputs:
@@ -120,18 +115,6 @@
               ${vm.config.system.build.vm.outPath}/bin/run-testvm-vm
             '').outPath;
         };
-
-        update-pkgs = {
-          type = "app";
-          program =
-            let
-              nvfetcher-bin = "${nvfetcher.packages.${system}.default}/bin/nvfetcher";
-            in
-            (pkgs.writeShellScript "update-pkgs" ''
-              cd "$(git rev-parse --show-toplevel)/pkgs"
-              ${nvfetcher-bin} -o _sources_pkgs -c nvfetcher.toml
-            '').outPath;
-        };
       };
 
       ###########################

pkgs/_sources_pkgs/generated.json

@@ -1,22 +0,0 @@
-{
-    "prometheus-fail2ban-exporter": {
-        "cargoLocks": null,
-        "date": null,
-        "extract": null,
-        "name": "prometheus-fail2ban-exporter",
-        "passthru": null,
-        "pinned": false,
-        "src": {
-            "deepClone": false,
-            "fetchSubmodules": false,
-            "leaveDotGit": false,
-            "name": null,
-            "rev": "v0.10.1",
-            "sha256": "sha256-zGEhDy3uXIbvx4agSA8Mx7bRtiZZtoDZGbNbHc9L+yI=",
-            "sparseCheckout": [],
-            "type": "git",
-            "url": "https://gitlab.com/hectorjsmith/fail2ban-prometheus-exporter"
-        },
-        "version": "v0.10.1"
-    }
-}

pkgs/_sources_pkgs/generated.nix

@@ -1,17 +0,0 @@
-# This file was generated by nvfetcher, please do not modify it manually.
-{ fetchgit, fetchurl, fetchFromGitHub, dockerTools }:
-{
-  prometheus-fail2ban-exporter = {
-    pname = "prometheus-fail2ban-exporter";
-    version = "v0.10.1";
-    src = fetchgit {
-      url = "https://gitlab.com/hectorjsmith/fail2ban-prometheus-exporter";
-      rev = "v0.10.1";
-      fetchSubmodules = false;
-      deepClone = false;
-      leaveDotGit = false;
-      sparseCheckout = [ ];
-      sha256 = "sha256-zGEhDy3uXIbvx4agSA8Mx7bRtiZZtoDZGbNbHc9L+yI=";
-    };
-  };
-}

pkgs/default.nix

@@ -4,7 +4,4 @@ let
 in
 {
   starbound = callPackage ./starbound { };
-  prometheus-fail2ban-exporter = callPackage ./prometheus/fail2ban-exporter.nix {
-    sources = pkgs.callPackage ./_sources_pkgs/generated.nix { };
-  };
 }

pkgs/nvfetcher.toml

@@ -1,3 +0,0 @@
-[prometheus-fail2ban-exporter]
-src.manual = "v0.10.1" # No gitlab support in nvfetcher
-fetch.git = "https://gitlab.com/hectorjsmith/fail2ban-prometheus-exporter"

pkgs/prometheus/fail2ban-exporter.nix

@@ -1,5 +0,0 @@
-{ buildGoModule, sources }:
-buildGoModule {
-  inherit (sources.prometheus-fail2ban-exporter) pname src version;
-  vendorHash = "sha256-5o8p5p0U/c0WAIV5dACnWA3ThzSh2tt5LIFMb59i9GY=";
-}