From 968a0cf58acb0971e40ed4473caa2c76fa3e1d23 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tristan=20Dani=C3=ABl=20Maat?= <tm@tlater.net>
Date: Fri, 24 Jan 2025 00:34:25 +0800
Subject: [PATCH] feat: Remove fail2ban

---
 configuration/default.nix                    |  1 -
 configuration/services/fail2ban.nix          | 43 -----------
 configuration/services/gitea.nix             | 18 -----
 configuration/services/metrics/exporters.nix | 28 -------
 configuration/services/metrics/options.nix   |  1 +
 configuration/services/nextcloud.nix         | 23 ------
 flake.lock                                   | 78 +-------------------
 flake.nix                                    | 17 -----
 pkgs/_sources_pkgs/generated.json            | 22 ------
 pkgs/_sources_pkgs/generated.nix             | 17 -----
 pkgs/default.nix                             |  3 -
 pkgs/nvfetcher.toml                          |  3 -
 pkgs/prometheus/fail2ban-exporter.nix        |  5 --
 13 files changed, 4 insertions(+), 255 deletions(-)
 delete mode 100644 configuration/services/fail2ban.nix
 delete mode 100644 pkgs/_sources_pkgs/generated.json
 delete mode 100644 pkgs/_sources_pkgs/generated.nix
 delete mode 100644 pkgs/nvfetcher.toml
 delete mode 100644 pkgs/prometheus/fail2ban-exporter.nix

diff --git a/configuration/default.nix b/configuration/default.nix
index 504bd0b..8dddf76 100644
--- a/configuration/default.nix
+++ b/configuration/default.nix
@@ -18,7 +18,6 @@
     ./services/backups.nix
     ./services/battery-manager.nix
     ./services/conduit.nix
-    ./services/fail2ban.nix
     ./services/foundryvtt.nix
     ./services/gitea.nix
     ./services/metrics
diff --git a/configuration/services/fail2ban.nix b/configuration/services/fail2ban.nix
deleted file mode 100644
index f09668c..0000000
--- a/configuration/services/fail2ban.nix
+++ /dev/null
@@ -1,43 +0,0 @@
-{ pkgs, ... }:
-{
-  services.fail2ban = {
-    enable = true;
-    extraPackages = [ pkgs.ipset ];
-    banaction = "iptables-ipset-proto6-allports";
-    bantime-increment.enable = true;
-
-    jails = {
-      nginx-botsearch = ''
-        enabled = true
-        logpath = /var/log/nginx/access.log
-      '';
-    };
-
-    ignoreIP = [
-      "127.0.0.0/8"
-      "10.0.0.0/8"
-      "172.16.0.0/12"
-      "192.168.0.0/16"
-    ];
-  };
-
-  # Allow metrics services to connect to the socket as well
-  users.groups.fail2ban = { };
-  systemd.services.fail2ban.serviceConfig = {
-    ExecStartPost =
-      "+"
-      + (pkgs.writeShellScript "fail2ban-post-start" ''
-        while ! [ -S /var/run/fail2ban/fail2ban.sock ]; do
-            sleep 1
-        done
-
-        while ! ${pkgs.netcat}/bin/nc -zU /var/run/fail2ban/fail2ban.sock; do
-            sleep 1
-        done
-
-        ${pkgs.coreutils}/bin/chown root:fail2ban /var/run/fail2ban /var/run/fail2ban/fail2ban.sock
-        ${pkgs.coreutils}/bin/chmod 660 /var/run/fail2ban/fail2ban.sock
-        ${pkgs.coreutils}/bin/chmod 710 /var/run/fail2ban
-      '');
-  };
-}
diff --git a/configuration/services/gitea.nix b/configuration/services/gitea.nix
index c88dd01..da01cde 100644
--- a/configuration/services/gitea.nix
+++ b/configuration/services/gitea.nix
@@ -59,24 +59,6 @@ in
       };
     };
 
-  # Block repeated failed login attempts
-  #
-  # TODO(tlater): Update this - we switched to forgejo, who knows what
-  # the new matches are.
-  # environment.etc = {
-  #   "fail2ban/filter.d/gitea.conf".text = ''
-  #     [Definition]
-  #     failregex = .*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from <HOST>
-  #     journalmatch = _SYSTEMD_UNIT=forgejo.service + _COMM=forgejo + SYSLOG_IDENTIFIER=forgejo
-  #   '';
-  # };
-
-  # services.fail2ban.jails = {
-  #   gitea = ''
-  #     enabled = true
-  #   '';
-  # };
-
   services.backups.forgejo = {
     user = "forgejo";
     paths = [
diff --git a/configuration/services/metrics/exporters.nix b/configuration/services/metrics/exporters.nix
index e16b945..ecd69bd 100644
--- a/configuration/services/metrics/exporters.nix
+++ b/configuration/services/metrics/exporters.nix
@@ -68,34 +68,6 @@ in
       };
     };
 
-    extraExporters = {
-      fail2ban =
-        let
-          cfg = config.services.prometheus.extraExporters.fail2ban;
-        in
-        {
-          port = 9191;
-          serviceOpts = {
-            after = [ "fail2ban.service" ];
-            requires = [ "fail2ban.service" ];
-            serviceConfig = {
-              Group = "fail2ban";
-              RestrictAddressFamilies = [
-                "AF_UNIX"
-                "AF_INET"
-                "AF_INET6"
-              ];
-              ExecStart = lib.concatStringsSep " " [
-                "${pkgs.local.prometheus-fail2ban-exporter}/bin/fail2ban-prometheus-exporter"
-                "--collector.f2b.socket=/var/run/fail2ban/fail2ban.sock"
-                "--web.listen-address='${cfg.listenAddress}:${toString cfg.port}'"
-                "--collector.f2b.exit-on-socket-connection-error=true"
-              ];
-            };
-          };
-        };
-    };
-
     # TODO(tlater):
     #   - wireguard (?)
     #   - postgres (?)
diff --git a/configuration/services/metrics/options.nix b/configuration/services/metrics/options.nix
index 69cbd6b..8868c6c 100644
--- a/configuration/services/metrics/options.nix
+++ b/configuration/services/metrics/options.nix
@@ -12,6 +12,7 @@ in
   options = {
     services.prometheus = {
       extraExporters = mkOption {
+        default = { };
         type = types.attrsOf (
           types.submodule {
             options = {
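Review bot: The new `default = { };` on `services.prometheus.extraExporters` has no comment explaining why it is now required, and it is load-bearing: this same commit removes the only definition of that option (the fail2ban entry in `configuration/services/metrics/exporters.nix`), so without a default any read of `config.services.prometheus.extraExporters` elsewhere would, as far as I can tell, fail at evaluation rather than yield an empty set. A later cleanup could easily drop the line as redundant, since nothing in the option block records this. Suggest adding `# Nothing defines this option since the fail2ban exporter was removed; the default keeps evaluation working.` directly above `default = { };`. The enclosing `mkOption`/submodule continues past the end of the hunk, so I cannot see whether a `description` is present.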
diff --git a/configuration/services/nextcloud.nix b/configuration/services/nextcloud.nix
index e54df14..b5cb691 100644
--- a/configuration/services/nextcloud.nix
+++ b/configuration/services/nextcloud.nix
@@ -70,29 +70,6 @@ in
     # The upstream module already adds HSTS
   };
 
-  # Block repeated failed login attempts
-  environment.etc = {
-    "fail2ban/filter.d/nextcloud.conf".text = ''
-      [Definition]
-      _groupsre = (?:(?:,?\s*"\w+":(?:"[^"]+"|\w+))*)
-      failregex = \{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Login failed:
-                  \{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Trusted domain error.
-      datepattern = ,?\s*"time"\s*:\s*"%%Y-%%m-%%d[T ]%%H:%%M:%%S(%%z)?"
-      journalmatch = SYSLOG_IDENTIFIER=Nextcloud
-    '';
-  };
-
-  services.fail2ban.jails = {
-    nextcloud = ''
-      enabled = true
-
-      # Nextcloud does some throttling already, so we need to set
-      # these to something bigger.
-      findtime = 43200
-      bantime = 86400
-    '';
-  };
-
   services.backups.nextcloud = {
     user = "nextcloud";
     paths = [
diff --git a/flake.lock b/flake.lock
index d349bea..d761f4f 100644
--- a/flake.lock
+++ b/flake.lock
@@ -114,44 +114,10 @@
         "type": "github"
       }
     },
-    "flake-compat_3": {
-      "flake": false,
-      "locked": {
-        "lastModified": 1696426674,
-        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
-        "owner": "edolstra",
-        "repo": "flake-compat",
-        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
-        "type": "github"
-      },
-      "original": {
-        "owner": "edolstra",
-        "repo": "flake-compat",
-        "type": "github"
-      }
-    },
     "flake-utils": {
       "inputs": {
         "systems": "systems_2"
       },
-      "locked": {
-        "lastModified": 1731533236,
-        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
-        "type": "github"
-      },
-      "original": {
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "type": "github"
-      }
-    },
-    "flake-utils_2": {
-      "inputs": {
-        "systems": "systems_3"
-      },
       "locked": {
         "lastModified": 1726560853,
         "narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=",
@@ -272,37 +238,15 @@
         "type": "github"
       }
     },
-    "nvfetcher": {
-      "inputs": {
-        "flake-compat": "flake-compat_2",
-        "flake-utils": "flake-utils",
-        "nixpkgs": [
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1732501185,
-        "narHash": "sha256-Z0BpHelaGQsE5VD9hBsBHsvMU9h+Xt0kfkDJyFivZOU=",
-        "owner": "berberman",
-        "repo": "nvfetcher",
-        "rev": "bdb14eab6fe9cefc29efe01e60c3a3f616d6b62a",
-        "type": "github"
-      },
-      "original": {
-        "owner": "berberman",
-        "repo": "nvfetcher",
-        "type": "github"
-      }
-    },
     "poetry2nixi": {
       "inputs": {
-        "flake-utils": "flake-utils_2",
+        "flake-utils": "flake-utils",
         "nix-github-actions": "nix-github-actions",
         "nixpkgs": [
           "sonnenshift",
           "nixpkgs"
         ],
-        "systems": "systems_4",
+        "systems": "systems_3",
         "treefmt-nix": "treefmt-nix"
       },
       "locked": {
@@ -321,7 +265,7 @@
     },
     "purescript-overlay": {
       "inputs": {
-        "flake-compat": "flake-compat_3",
+        "flake-compat": "flake-compat_2",
         "nixpkgs": [
           "tlaternet-webserver",
           "dream2nix",
@@ -367,7 +311,6 @@
         "foundryvtt": "foundryvtt",
         "nixpkgs": "nixpkgs_2",
         "nixpkgs-unstable": "nixpkgs-unstable",
-        "nvfetcher": "nvfetcher",
         "sonnenshift": "sonnenshift",
         "sops-nix": "sops-nix",
         "tlaternet-webserver": "tlaternet-webserver"
@@ -485,21 +428,6 @@
       }
     },
     "systems_3": {
-      "locked": {
-        "lastModified": 1681028828,
-        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
-        "owner": "nix-systems",
-        "repo": "default",
-        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-systems",
-        "repo": "default",
-        "type": "github"
-      }
-    },
-    "systems_4": {
       "locked": {
         "lastModified": 1681028828,
         "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
diff --git a/flake.nix b/flake.nix
index e6f1dcb..2253566 100644
--- a/flake.nix
+++ b/flake.nix
@@ -13,10 +13,6 @@
       url = "github:Mic92/sops-nix";
       inputs.nixpkgs.follows = "nixpkgs";
     };
-    nvfetcher = {
-      url = "github:berberman/nvfetcher";
-      inputs.nixpkgs.follows = "nixpkgs";
-    };
     tlaternet-webserver = {
       url = "git+https://gitea.tlater.net/tlaternet/tlaternet.git";
       inputs.nixpkgs.follows = "nixpkgs";
@@ -37,7 +33,6 @@
       self,
       nixpkgs,
       sops-nix,
-      nvfetcher,
       deploy-rs,
       ...
     }@inputs:
@@ -120,18 +115,6 @@
               ${vm.config.system.build.vm.outPath}/bin/run-testvm-vm
             '').outPath;
         };
-
-        update-pkgs = {
-          type = "app";
-          program =
-            let
-              nvfetcher-bin = "${nvfetcher.packages.${system}.default}/bin/nvfetcher";
-            in
-            (pkgs.writeShellScript "update-pkgs" ''
-              cd "$(git rev-parse --show-toplevel)/pkgs"
-              ${nvfetcher-bin} -o _sources_pkgs -c nvfetcher.toml
-            '').outPath;
-        };
       };
 
       ###########################
diff --git a/pkgs/_sources_pkgs/generated.json b/pkgs/_sources_pkgs/generated.json
deleted file mode 100644
index cec5a92..0000000
--- a/pkgs/_sources_pkgs/generated.json
+++ /dev/null
@@ -1,22 +0,0 @@
-{
-    "prometheus-fail2ban-exporter": {
-        "cargoLocks": null,
-        "date": null,
-        "extract": null,
-        "name": "prometheus-fail2ban-exporter",
-        "passthru": null,
-        "pinned": false,
-        "src": {
-            "deepClone": false,
-            "fetchSubmodules": false,
-            "leaveDotGit": false,
-            "name": null,
-            "rev": "v0.10.1",
-            "sha256": "sha256-zGEhDy3uXIbvx4agSA8Mx7bRtiZZtoDZGbNbHc9L+yI=",
-            "sparseCheckout": [],
-            "type": "git",
-            "url": "https://gitlab.com/hectorjsmith/fail2ban-prometheus-exporter"
-        },
-        "version": "v0.10.1"
-    }
-}
\ No newline at end of file
diff --git a/pkgs/_sources_pkgs/generated.nix b/pkgs/_sources_pkgs/generated.nix
deleted file mode 100644
index 95fd75e..0000000
--- a/pkgs/_sources_pkgs/generated.nix
+++ /dev/null
@@ -1,17 +0,0 @@
-# This file was generated by nvfetcher, please do not modify it manually.
-{ fetchgit, fetchurl, fetchFromGitHub, dockerTools }:
-{
-  prometheus-fail2ban-exporter = {
-    pname = "prometheus-fail2ban-exporter";
-    version = "v0.10.1";
-    src = fetchgit {
-      url = "https://gitlab.com/hectorjsmith/fail2ban-prometheus-exporter";
-      rev = "v0.10.1";
-      fetchSubmodules = false;
-      deepClone = false;
-      leaveDotGit = false;
-      sparseCheckout = [ ];
-      sha256 = "sha256-zGEhDy3uXIbvx4agSA8Mx7bRtiZZtoDZGbNbHc9L+yI=";
-    };
-  };
-}
diff --git a/pkgs/default.nix b/pkgs/default.nix
index 131282d..036afd4 100644
--- a/pkgs/default.nix
+++ b/pkgs/default.nix
@@ -4,7 +4,4 @@ let
 in
 {
   starbound = callPackage ./starbound { };
-  prometheus-fail2ban-exporter = callPackage ./prometheus/fail2ban-exporter.nix {
-    sources = pkgs.callPackage ./_sources_pkgs/generated.nix { };
-  };
 }
diff --git a/pkgs/nvfetcher.toml b/pkgs/nvfetcher.toml
deleted file mode 100644
index d0dfbe5..0000000
--- a/pkgs/nvfetcher.toml
+++ /dev/null
@@ -1,3 +0,0 @@
-[prometheus-fail2ban-exporter]
-src.manual = "v0.10.1" # No gitlab support in nvfetcher
-fetch.git = "https://gitlab.com/hectorjsmith/fail2ban-prometheus-exporter"
diff --git a/pkgs/prometheus/fail2ban-exporter.nix b/pkgs/prometheus/fail2ban-exporter.nix
deleted file mode 100644
index dc22b6c..0000000
--- a/pkgs/prometheus/fail2ban-exporter.nix
+++ /dev/null
@@ -1,5 +0,0 @@
-{ buildGoModule, sources }:
-buildGoModule {
-  inherit (sources.prometheus-fail2ban-exporter) pname src version;
-  vendorHash = "sha256-5o8p5p0U/c0WAIV5dACnWA3ThzSh2tt5LIFMb59i9GY=";
-}