feat: add fail2ban and scrutiny

modules/homelab/default.nix

@@ -17,6 +17,8 @@
     ./prometheus.nix
     ./qbittorrent.nix
     ./restic.nix
+    ./scrutiny.nix
+    ./security.nix
     ./sso.nix
     ./vaultwarden.nix
   ];

modules/homelab/glance.nix

@@ -251,6 +251,18 @@ in {
                       icon = "sh:zitadel";
                       same-tab = true;
                     }
+                    {
+                      title = "Scrutiny";
+                      url = "https://scrutiny.nickolaj.com";
+                      icon = "sh:scrutiny";
+                      same-tab = true;
+                    }
+                    {
+                      title = "Grafana";
+                      url = "https://fireproof.grafana.net/a/grafana-setupguide-app/home";
+                      icon = "si:grafana";
+                      same-tab = true;
+                    }
                   ];
                 }
                 {

modules/homelab/nginx.nix

@@ -13,6 +13,19 @@ lib.mkIf config.fireproof.homelab.enable {
     recommendedProxySettings = true;
     recommendedGzipSettings = true;
     recommendedBrotliSettings = true;
+
+    virtualHosts."status.localhost" = {
+      listen = [{ addr = "127.0.0.1"; port = 8070; }];
+      locations."/metrics" = {
+        extraConfig = ''
+          stub_status;
+          access_log off;
+          allow 127.0.0.1;
+          allow ::1;
+          deny all;
+        '';
+      };
+    };
   };
   security.acme = {
     acceptTerms = true;

modules/homelab/prometheus.nix

@@ -14,7 +14,7 @@ lib.mkIf config.fireproof.homelab.enable (let
         };
 
         targets = [
-          "${toString config.services.prometheus.exporters.${name}.listenAddress}:${toString config.services.prometheus.exporters.${name}.port}"
+          "127.0.0.1:${toString config.services.prometheus.exporters.${name}.port}"
         ];
       }
     ];
@@ -42,13 +42,25 @@ in {
 
     scrapeConfigs = [
       (mkScrapeConfig "node")
+      (mkScrapeConfig "nginx")
+      (mkScrapeConfig "postgres")
     ];
 
-    exporters.node = {
-      enable = true;
-      extraFlags = [
-        "--web.disable-exporter-metrics"
-      ];
+    exporters = {
+      node = {
+        enable = true;
+        extraFlags = [
+          "--web.disable-exporter-metrics"
+        ];
+      };
+      nginx = {
+        enable = true;
+        scrapeUri = "http://127.0.0.1:8070/metrics";
+      };
+      postgres = {
+        enable = true;
+        runAsLocalSuperUser = true;
+      };
     };
   };
 })

modules/homelab/scrutiny.nix

@@ -0,0 +1,26 @@
+{
+  config,
+  lib,
+  ...
+}:
+lib.mkIf config.fireproof.homelab.enable {
+  services.restic.backups.homelab.paths = ["/var/lib/scrutiny"];
+
+  services.scrutiny = {
+    enable = true;
+    collector.enable = true;
+    settings = {
+      web.listen.port = 8089;
+    };
+  };
+
+  services.oauth2-proxy.nginx.virtualHosts."scrutiny.nickolaj.com".allowed_groups = ["admin"];
+
+  services.nginx.virtualHosts."scrutiny.nickolaj.com" = {
+    enableACME = true;
+    forceSSL = true;
+    locations."/" = {
+      proxyPass = "http://localhost:8089";
+    };
+  };
+}

modules/homelab/security.nix

@@ -0,0 +1,36 @@
+{
+  config,
+  lib,
+  ...
+}:
+lib.mkIf config.fireproof.homelab.enable {
+  services.fail2ban = {
+    enable = true;
+    maxretry = 5;
+    ignoreIP = [
+      "127.0.0.1/8"
+      "10.0.0.0/8"
+      "172.16.0.0/12"
+      "192.168.0.0/16"
+    ];
+    jails = {
+      nginx-http-auth.settings = {
+        enabled = true;
+        filter = "nginx-http-auth";
+        port = "http,https";
+        logpath = "/var/log/nginx/error.log";
+      };
+      nginx-botsearch.settings = {
+        enabled = true;
+        filter = "nginx-botsearch";
+        port = "http,https";
+        logpath = "/var/log/nginx/error.log";
+      };
+      nginx-bad-request.settings = {
+        enabled = true;
+        port = "http,https";
+        logpath = "/var/log/nginx/error.log";
+      };
+    };
+  };
+}