Add grafana

Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-04-07 21:51:34 +01:00
parent b3dd72de22
commit dc5a91ebf7
14 changed files with 533 additions and 9 deletions
--- a/hosts/common/configs/system/sshd/default.nix
+++ b/hosts/common/configs/system/sshd/default.nix
@@ -1,5 +1,13 @@
 { ... }:
 {
+  nixpkgs.overlays = [
+    (final: prev: {
+      fail2ban = prev.fail2ban.overrideAttrs (oldAttrs: {
+        patches = oldAttrs.patches or [ ] ++ [ ./remove-umask.patch ];
+      });
+    })
+  ];
+
  environment = {
    enableAllTerminfo = true;
    persistence."/persist/state"."/var/lib/fail2ban" = { };
@@ -24,4 +32,12 @@
      };
    };
  };
+
+  systemd.services.fail2ban.serviceConfig = {
+    User = "root";
+    Group = "fail2ban";
+    UMask = "0117";
+  };
+
+  users.groups.fail2ban = { };
 }
--- a/hosts/common/configs/system/sshd/remove-umask.patch
+++ b/hosts/common/configs/system/sshd/remove-umask.patch
@@ -0,0 +1,15 @@
+diff --git a/fail2ban/server/server.py b/fail2ban/server/server.py
+index e438c4ca..aeee4075 100644
+--- a/fail2ban/server/server.py
+++ b/fail2ban/server/server.py
+@@ -108,9 +108,7 @@ class Server:
+ 		signal.signal(s, new)
+ 
+ 	def start(self, sock, pidfile, force=False, observer=True, conf={}):
+-		# First set the mask to only allow access to owner
+-		os.umask(0o077)
+-		# Second daemonize before logging etc, because it will close all handles:
+		# Daemonize before logging etc, because it will close all handles:
+ 		if self.__daemon: # pragma: no cover
+ 			logSys.info("Starting in daemon mode")
+ 			ret = self.__createDaemon()