Merge branch 'fail2ban_exporter' into 'master'

Add fail2ban exporter

See merge request archlinux/infrastructure!457

roles/prometheus_exporters/files/fail2ban-textcollector.sh

+#!/bin/bash
+
+set -o errexit
+set -o nounset
+
+if (( $# != 1 )); then
+  echo "Missing textcollector directory argument"
+  exit 1
+fi
+
+TEXTFILE_COLLECTOR_DIR=${1}
+PROM_FILE=$TEXTFILE_COLLECTOR_DIR/fail2ban.prom
+
+TMP_FILE=$PROM_FILE.$$
+[ -e $TMP_FILE ] && rm -f $TMP_FILE
+
+trap "rm -f $TMP_FILE" EXIT
+
+json=$(fail2ban-client banned | tr \' \")
+len=$(echo $json | jq '. | length')
+
+echo "# HELP fail2ban_bans" >> $TMP_FILE
+echo "# TYPE fail2ban_bans gauge" >> $TMP_FILE
+
+for ((i = 0; i < $len; i++ ));
+do
+  jail=$(echo $json | jq -r ".[${i}] | keys | .[0]")
+  bans=$(echo $json | jq -r ".[${i}] | to_entries | .[0].value | length")
+
+  echo "fail2ban_bans{jail=\"${jail}\"} $bans" >> $TMP_FILE
+done
+
+mv -f $TMP_FILE $PROM_FILE

roles/prometheus_exporters/tasks/main.yml

@@ -58,6 +58,7 @@
     - repository-textcollector.sh
     - btrfs-textcollector.sh
     - aur-textcollector.sh
+    - fail2ban-textcollector.sh
 
 - name: install arch textcollector service
   template: src=prometheus-arch-textcollector.service.j2 dest=/etc/systemd/system/prometheus-arch-textcollector.service owner=root group=root mode=644
@@ -80,6 +81,15 @@
   systemd: name=prometheus-borg-textcollector.timer enabled=yes daemon_reload=yes state=started
   when: "'borg_clients' in group_names"
 
+- name: install fail2ban textcollector service
+  template: src=prometheus-fail2ban-textcollector.service.j2 dest=/etc/systemd/system/prometheus-fail2ban-textcollector.service owner=root group=root mode=644
+
+- name: install fail2ban textcollector timer
+  template: src=prometheus-fail2ban-textcollector.timer.j2 dest=/etc/systemd/system/prometheus-fail2ban-textcollector.timer owner=root group=root mode=644
+
+- name: enable and start prometheus fail2ban textcollector timer
+  systemd: name=prometheus-fail2ban-textcollector.timer enabled=yes daemon_reload=yes state=started
+
 - name: install blackbox exporter configuration
   copy: src=blackbox.yml dest=/etc/prometheus/blackbox.yml owner=root group=root mode=0644
   when: "'prometheus' in group_names"

roles/prometheus_exporters/templates/prometheus-fail2ban-textcollector.service.j2

+[Unit]
+Description=Prometheus Fail2ban Exporter
+
+[Service]
+Type=oneshot
+ExecStart=/usr/local/bin/fail2ban-textcollector.sh {{ prometheus_textfile_dir }}
+
+NoNewPrivileges=true
+LockPersonality=true
+
+PrivateDevices=true
+PrivateTmp=true
+PrivateNetwork=true
+ProtectSystem=strict
+ProtectHome=read-only
+ReadWritePaths={{ prometheus_textfile_dir }}
+
+MemoryDenyWriteExecute=true
+RemoveIPC=true
+RestrictRealtime=true
+RestrictNamespaces=true
+RestrictSUIDSGID=true
+
+RestrictAddressFamilies=~AF_PACKET
+RestrictAddressFamilies=~AF_NETLINK
+
+ProtectHostname=true
+ProtectControlGroups=true
+ProtectKernelLogs=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectClock=true
+
+SystemCallArchitectures=native

roles/prometheus_exporters/templates/prometheus-fail2ban-textcollector.timer.j2

+[Unit]
+Description=Prometheus Fail2ban Exporter TextCollector Timer
+
+[Timer]
+OnUnitActiveSec=10min
+OnBootSec=15min
+RandomizedDelaySec=1min
+
+[Install]
+WantedBy=timers.target