Merge branch 'fail2ban_exporter' into 'master'

Add fail2ban exporter See merge request !457

Merge branch 'fail2ban_exporter' into 'master'
82b91b4d · Jelle van der Waa · cbe8eab0 · 7b648d6b · 82b91b4d · 82b91b4d
Commit 82b91b4d authored 3 years ago by Jelle van der Waa
--- a/roles/prometheus_exporters/files/fail2ban-textcollector.sh
+++ b/roles/prometheus_exporters/files/fail2ban-textcollector.sh
+#!/bin/bash
+
+set -o errexit
+set -o nounset
+
+if (( $# != 1 )); then
+  echo "Missing textcollector directory argument"
+  exit 1
+fi
+
+TEXTFILE_COLLECTOR_DIR=${1}
+PROM_FILE=$TEXTFILE_COLLECTOR_DIR/fail2ban.prom
+
+TMP_FILE=$PROM_FILE.$$
+[ -e $TMP_FILE ] && rm -f $TMP_FILE
+
+trap "rm -f $TMP_FILE" EXIT
+
+json=$(fail2ban-client banned | tr \' \")
+len=$(echo $json | jq '. | length')
+
+echo "# HELP fail2ban_bans" >> $TMP_FILE
+echo "# TYPE fail2ban_bans gauge" >> $TMP_FILE
+
+for ((i = 0; i < $len; i++ ));
+do
+  jail=$(echo $json | jq -r ".[${i}] | keys | .[0]")
+  bans=$(echo $json | jq -r ".[${i}] | to_entries | .[0].value | length")
+
+  echo "fail2ban_bans{jail=\"${jail}\"} $bans" >> $TMP_FILE
+done
+
+mv -f $TMP_FILE $PROM_FILE
--- a/roles/prometheus_exporters/tasks/main.yml
+++ b/roles/prometheus_exporters/tasks/main.yml
@@ -58,6 +58,7 @@
    - repository-textcollector.sh
    - btrfs-textcollector.sh
    - aur-textcollector.sh
+    - fail2ban-textcollector.sh

 - name: install arch textcollector service
  template: src=prometheus-arch-textcollector.service.j2 dest=/etc/systemd/system/prometheus-arch-textcollector.service owner=root group=root mode=644
@@ -80,6 +81,15 @@
  systemd: name=prometheus-borg-textcollector.timer enabled=yes daemon_reload=yes state=started
  when: "'borg_clients' in group_names"

+- name: install fail2ban textcollector service
+  template: src=prometheus-fail2ban-textcollector.service.j2 dest=/etc/systemd/system/prometheus-fail2ban-textcollector.service owner=root group=root mode=644
+
+- name: install fail2ban textcollector timer
+  template: src=prometheus-fail2ban-textcollector.timer.j2 dest=/etc/systemd/system/prometheus-fail2ban-textcollector.timer owner=root group=root mode=644
+
+- name: enable and start prometheus fail2ban textcollector timer
+  systemd: name=prometheus-fail2ban-textcollector.timer enabled=yes daemon_reload=yes state=started
+
 - name: install blackbox exporter configuration
  copy: src=blackbox.yml dest=/etc/prometheus/blackbox.yml owner=root group=root mode=0644
  when: "'prometheus' in group_names"

--- a/roles/prometheus_exporters/templates/prometheus-fail2ban-textcollector.service.j2
+++ b/roles/prometheus_exporters/templates/prometheus-fail2ban-textcollector.service.j2
+[Unit]
+Description=Prometheus Fail2ban Exporter
+
+[Service]
+Type=oneshot
+ExecStart=/usr/local/bin/fail2ban-textcollector.sh {{ prometheus_textfile_dir }}
+
+NoNewPrivileges=true
+LockPersonality=true
+
+PrivateDevices=true
+PrivateTmp=true
+PrivateNetwork=true
+ProtectSystem=strict
+ProtectHome=read-only
+ReadWritePaths={{ prometheus_textfile_dir }}
+
+MemoryDenyWriteExecute=true
+RemoveIPC=true
+RestrictRealtime=true
+RestrictNamespaces=true
+RestrictSUIDSGID=true
+
+RestrictAddressFamilies=~AF_PACKET
+RestrictAddressFamilies=~AF_NETLINK
+
+ProtectHostname=true
+ProtectControlGroups=true
+ProtectKernelLogs=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectClock=true
+
+SystemCallArchitectures=native
--- a/roles/prometheus_exporters/templates/prometheus-fail2ban-textcollector.timer.j2
+++ b/roles/prometheus_exporters/templates/prometheus-fail2ban-textcollector.timer.j2
+[Unit]
+Description=Prometheus Fail2ban Exporter TextCollector Timer
+
+[Timer]
+OnUnitActiveSec=10min
+OnBootSec=15min
+RandomizedDelaySec=1min
+
+[Install]
+WantedBy=timers.target