Compare commits

...

2 commits

Author SHA1 Message Date
Tristan Daniël Maat ec0afc6085
fail2ban: Add metrics 2023-10-03 02:26:57 +02:00
Tristan Daniël Maat c7d46f1c2b
WIP: nginx: Add metrics 2023-10-03 02:26:54 +02:00
15 changed files with 229 additions and 24 deletions

View file

@ -16,9 +16,10 @@
./services/backups.nix
./services/conduit.nix
./services/fail2ban.nix
./services/foundryvtt.nix
./services/gitea.nix
./services/metrics.nix
./services/metrics
./services/nextcloud.nix
./services/webserver.nix
./services/wireguard.nix
@ -137,34 +138,27 @@
recommendedProxySettings = true;
clientMaxBodySize = "10G";
domain = "tlater.net";
statusPage = true; # For metrics, should be accessible only from localhost
commonHttpConfig = ''
log_format upstream_time '$remote_addr - $remote_user [$time_local] '
'"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent" '
'rt=$request_time uct="$upstream_connect_time" '
'uht="$upstream_header_time" urt="$upstream_response_time"';
'';
};
systemd.tmpfiles.rules =
lib.mapAttrsToList (virtualHost: config: "d /var/log/nginx/${virtualHost} 0750 nginx nginx")
config.services.nginx.virtualHosts;
security.acme = {
defaults.email = "tm@tlater.net";
acceptTerms = true;
};
services.fail2ban = {
enable = true;
extraPackages = [pkgs.ipset];
banaction = "iptables-ipset-proto6-allports";
bantime-increment.enable = true;
jails = {
nginx-botsearch = ''
enabled = true
logpath = /var/log/nginx/access.log
'';
};
ignoreIP = [
"127.0.0.0/8"
"10.0.0.0/8"
"172.16.0.0/12"
"192.168.0.0/16"
];
};
# Remove some unneeded packages
environment.defaultPackages = [];

View file

@ -205,6 +205,7 @@ in {
addSSL = true;
extraConfig = ''
merge_slashes off;
access_log /var/log/nginx/${domain}/access.log upstream_time;
'';
locations = {

View file

@ -0,0 +1,42 @@
{pkgs, ...}: {
services.fail2ban = {
enable = true;
extraPackages = [pkgs.ipset];
banaction = "iptables-ipset-proto6-allports";
bantime-increment.enable = true;
jails = {
nginx-botsearch = ''
enabled = true
logpath = /var/log/nginx/access.log
'';
};
ignoreIP = [
"127.0.0.0/8"
"10.0.0.0/8"
"172.16.0.0/12"
"192.168.0.0/16"
];
};
# Allow metrics services to connect to the socket as well
users.groups.fail2ban = {};
systemd.services.fail2ban.serviceConfig = {
ExecStartPost =
"+"
+ (pkgs.writeShellScript "fail2ban-post-start" ''
while ! [ -S /var/run/fail2ban/fail2ban.sock ]; do
sleep 1
done
while ! ${pkgs.netcat}/bin/nc -zU /var/run/fail2ban/fail2ban.sock; do
sleep 1
done
${pkgs.coreutils}/bin/chown root:fail2ban /var/run/fail2ban /var/run/fail2ban/fail2ban.sock
${pkgs.coreutils}/bin/chmod 660 /var/run/fail2ban/fail2ban.sock
${pkgs.coreutils}/bin/chmod 710 /var/run/fail2ban
'');
};
}

View file

@ -25,6 +25,7 @@ in {
enableACME = true;
extraConfig = ''
add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
access_log /var/log/nginx/${domain}/access.log upstream_time;
'';
locations."/" = {

View file

@ -33,6 +33,7 @@ in {
enableACME = true;
extraConfig = ''
add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
access_log /var/log/nginx/${domain}/access.log upstream_time;
'';
locations."/".proxyPass = "http://${httpAddress}:${toString httpPort}";

View file

@ -7,6 +7,10 @@
domain = "metrics.${config.services.nginx.domain}";
yaml = pkgs.formats.yaml {};
in {
imports = [
./exporters.nix
];
services.victoriametrics.enable = true;
services.grafana = {
@ -50,6 +54,59 @@ in {
enabledCollectors = ["systemd"];
listenAddress = "127.0.0.1";
};
nginx = {
enable = true;
listenAddress = "127.0.0.1";
};
nginxlog = {
enable = true;
listenAddress = "127.0.0.1";
group = "nginx";
settings.namespaces =
lib.mapAttrsToList (name: virtualHost: {
inherit name;
metrics_override.prefix = "nginxlog";
namespace_label = "vhost";
format = lib.concatStringsSep " " [
"$remote_addr - $remote_user [$time_local]"
''"$request" $status $body_bytes_sent''
''"$http_referer" "$http_user_agent"''
''rt=$request_time uct="$upstream_connect_time"''
''uht="$upstream_header_time" urt="$upstream_response_time"''
];
source.files = [
"/var/log/nginx/${name}/access.log"
];
})
config.services.nginx.virtualHosts;
};
};
services.prometheus.local-exporters = {
prometheus-fail2ban-exporter = rec {
enable = true;
after = ["fail2ban.service"];
port = 9191;
listenAddress = "127.0.0.1";
serviceConfig = {
Group = "fail2ban";
RestrictAddressFamilies = ["AF_UNIX" "AF_INET" "AF_INET6"];
ExecStart = lib.concatStringsSep " " [
"${pkgs.local.prometheus-fail2ban-exporter}/bin/fail2ban-prometheus-exporter"
"--collector.f2b.socket=/var/run/fail2ban/fail2ban.sock"
"--web.listen-address='${listenAddress}:${toString port}'"
];
};
};
};
systemd.services.export-to-victoriametrics = let
@ -62,7 +119,7 @@ in {
targets =
lib.mapAttrsToList (name: exporter: "${exporter.listenAddress}:${toString exporter.port}")
(lib.filterAttrs (name: exporter: (builtins.isAttrs exporter) && exporter.enable)
config.services.prometheus.exporters);
(config.services.prometheus.exporters // config.services.prometheus.local-exporters));
}
];
}
@ -80,6 +137,7 @@ in {
enableACME = true;
extraConfig = ''
add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
access_log /var/log/nginx/${domain}/access.log upstream_time;
'';
locations."/".proxyPass = "http://localhost:3001";
};

View file

@ -0,0 +1,45 @@
{
config,
lib,
...
}: {
options.services.prometheus.local-exporters = lib.mkOption {
type = lib.types.anything;
};
config.systemd.services = lib.mapAttrs (_: exporter:
lib.mkMerge [
{
wantedBy = ["multi-user.target"];
after = ["network.target"];
serviceConfig = {
Restart = "always";
PrivateTmp = true;
WorkingDirectory = "/tmp";
DynamicUser = true;
LockPersonality = true;
MemoryDenyWriteExecute = true;
NonNewPrivileges = true;
PrivateDevices = true;
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectSystem = "strict";
RemoveIPC = true;
RestrictAddressFamilies = lib.mkDefault ["AF_INET" "AF_INET6"];
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
UMask = "0077";
};
}
(removeAttrs exporter ["port" "listenAddress"])
])
config.services.prometheus.local-exporters;
}

View file

@ -50,6 +50,9 @@ in {
services.nginx.virtualHosts."${hostName}" = {
forceSSL = true;
enableACME = true;
extraConfig = ''
access_log /var/log/nginx/${hostName}/access.log upstream_time;
'';
};
# Block repeated failed login attempts

View file

@ -19,6 +19,7 @@ in {
enableACME = true;
extraConfig = ''
add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
access_log /var/log/nginx/${domain}/access.log upstream_time;
'';
locations."/".proxyPass = "http://${addr}:${toString port}";

View file

@ -78,7 +78,7 @@
# Utility scripts #
###################
packages.${system} = let
inherit (nixpkgs.legacyPackages.${system}) writeShellScript;
inherit (nixpkgs.legacyPackages.${system}) writeShellScript writeShellScriptBin;
vm = nixpkgs.lib.nixosSystem {
inherit system;
specialArgs.flake-inputs = inputs;
@ -106,6 +106,14 @@
"${vm.config.system.build.vm}/bin/run-tlaternet-vm"
'';
update-pkgs = let
nvfetcher-bin = "${nvfetcher.packages.${system}.default}/bin/nvfetcher";
in
writeShellScriptBin "update-pkgs" ''
cd "$(git rev-parse --show-toplevel)/pkgs"
${nvfetcher-bin} -o _sources_pkgs -c nvfetcher.toml
'';
update-nextcloud-apps = let
nvfetcher-bin = "${nvfetcher.packages.${system}.default}/bin/nvfetcher";
in

View file

@ -0,0 +1,21 @@
{
"prometheus-fail2ban-exporter": {
"cargoLocks": null,
"date": null,
"extract": null,
"name": "prometheus-fail2ban-exporter",
"passthru": null,
"pinned": false,
"src": {
"deepClone": false,
"fetchSubmodules": false,
"leaveDotGit": false,
"name": null,
"rev": "v0.10.0",
"sha256": "sha256-8nIW1XaHCBqQCoLkV1ZYE3NTbVZ6c+UOqYD08XQiv+4=",
"type": "git",
"url": "https://gitlab.com/hectorjsmith/fail2ban-prometheus-exporter"
},
"version": "v0.10.0"
}
}

View file

@ -0,0 +1,16 @@
# This file was generated by nvfetcher, please do not modify it manually.
{ fetchgit, fetchurl, fetchFromGitHub, dockerTools }:
{
prometheus-fail2ban-exporter = {
pname = "prometheus-fail2ban-exporter";
version = "v0.10.0";
src = fetchgit {
url = "https://gitlab.com/hectorjsmith/fail2ban-prometheus-exporter";
rev = "v0.10.0";
fetchSubmodules = false;
deepClone = false;
leaveDotGit = false;
sha256 = "sha256-8nIW1XaHCBqQCoLkV1ZYE3NTbVZ6c+UOqYD08XQiv+4=";
};
};
}

View file

@ -7,6 +7,9 @@
in
{
starbound = callPackage ./starbound {};
prometheus-fail2ban-exporter = callPackage ./prometheus/fail2ban-exporter.nix {
sources = pkgs.callPackage ./_sources_pkgs/generated.nix {};
};
}
// (
# Add nextcloud apps

3
pkgs/nvfetcher.toml Normal file
View file

@ -0,0 +1,3 @@
[prometheus-fail2ban-exporter]
src.manual = "v0.10.0" # No gitlab support in nvfetcher
fetch.git = "https://gitlab.com/hectorjsmith/fail2ban-prometheus-exporter"

View file

@ -0,0 +1,8 @@
{
buildGoModule,
sources,
}:
buildGoModule {
inherit (sources.prometheus-fail2ban-exporter) pname src version;
vendorHash = "sha256-qU6opwhhvzbQOhfGVyiVgKhfCSB0Z4eSRAJnv6ht2I0=";
}