Try and install crwodsec on nginx
This commit is contained in:
parent
6ec54454a2
commit
126dd2cf53
5 changed files with 93 additions and 104 deletions
56
flake.lock
generated
|
@ -61,6 +61,27 @@
|
|||
"type": "github"
|
||||
}
|
||||
},
|
||||
"crowdsec": {
|
||||
"inputs": {
|
||||
"flake-utils": "flake-utils_2",
|
||||
"nixpkgs": [
|
||||
"nixpkgs"
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1742920128,
|
||||
"narHash": "sha256-VPjnjtAksihLezhc+ZmnqGu18mHr4QVKa1kSZQ8rJL4=",
|
||||
"ref": "refs/heads/main",
|
||||
"rev": "40e937689d318ee85b1d9763189a65e6f0b4028d",
|
||||
"revCount": 40,
|
||||
"type": "git",
|
||||
"url": "https://codeberg.org/kampka/nix-flake-crowdsec.git"
|
||||
},
|
||||
"original": {
|
||||
"type": "git",
|
||||
"url": "https://codeberg.org/kampka/nix-flake-crowdsec.git"
|
||||
}
|
||||
},
|
||||
"darwin": {
|
||||
"inputs": {
|
||||
"nixpkgs": [
|
||||
|
@ -106,6 +127,23 @@
|
|||
"inputs": {
|
||||
"systems": "systems_3"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1694529238,
|
||||
"narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=",
|
||||
"owner": "numtide",
|
||||
"repo": "flake-utils",
|
||||
"rev": "ff7b65b44d01cf9ba6a71320833626af21126384",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"id": "flake-utils",
|
||||
"type": "indirect"
|
||||
}
|
||||
},
|
||||
"flake-utils_3": {
|
||||
"inputs": {
|
||||
"systems": "systems_4"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1731533236,
|
||||
"narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
|
||||
|
@ -165,7 +203,7 @@
|
|||
},
|
||||
"microvm": {
|
||||
"inputs": {
|
||||
"flake-utils": "flake-utils_2",
|
||||
"flake-utils": "flake-utils_3",
|
||||
"nixpkgs": [
|
||||
"nixpkgs"
|
||||
],
|
||||
|
@ -220,6 +258,7 @@
|
|||
"root": {
|
||||
"inputs": {
|
||||
"agenix": "agenix",
|
||||
"crowdsec": "crowdsec",
|
||||
"home-manager": "home-manager_2",
|
||||
"microvm": "microvm",
|
||||
"nixpkgs": "nixpkgs_2"
|
||||
|
@ -306,6 +345,21 @@
|
|||
"repo": "default",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"systems_4": {
|
||||
"locked": {
|
||||
"lastModified": 1681028828,
|
||||
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
|
||||
"owner": "nix-systems",
|
||||
"repo": "default",
|
||||
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "nix-systems",
|
||||
"repo": "default",
|
||||
"type": "github"
|
||||
}
|
||||
}
|
||||
},
|
||||
"root": "root",
|
||||
|
|
30
flake.nix
|
@ -11,6 +11,10 @@
|
|||
url = "github:astro/microvm.nix";
|
||||
inputs.nixpkgs.follows = "nixpkgs";
|
||||
};
|
||||
crowdsec = {
|
||||
url = "git+https://codeberg.org/kampka/nix-flake-crowdsec.git";
|
||||
inputs.nixpkgs.follows = "nixpkgs";
|
||||
};
|
||||
agenix.url = "github:yaxitech/ragenix";
|
||||
};
|
||||
|
||||
|
@ -20,12 +24,14 @@
|
|||
home-manager,
|
||||
microvm,
|
||||
agenix,
|
||||
crowdsec,
|
||||
...
|
||||
}: let
|
||||
system = "x86_64-linux";
|
||||
username = "tbarnouin";
|
||||
proxy_host = "192.168.1.40";
|
||||
pgsql_host = "192.168.1.13";
|
||||
pkgs = import nixpkgs {inherit system;};
|
||||
in {
|
||||
nixosConfigurations = {
|
||||
nixmox-curiosity = nixpkgs.lib.nixosSystem {
|
||||
|
@ -63,6 +69,17 @@
|
|||
inherit system;
|
||||
modules = [
|
||||
agenix.nixosModules.default
|
||||
crowdsec.nixosModules.crowdsec-firewall-bouncer
|
||||
({ pkgs, lib, ... }: {
|
||||
nixpkgs.overlays = [crowdsec.overlays.default];
|
||||
services.crowdsec-firewall-bouncer = {
|
||||
enable = true;
|
||||
settings = {
|
||||
api_key = "secret_api_key";
|
||||
api_url = "http://localhost:8080";
|
||||
};
|
||||
};
|
||||
})
|
||||
"${inputs.nixpkgs}/nixos/modules/virtualisation/proxmox-lxc.nix"
|
||||
"${inputs.self}/systems/minimalLXCConfig.nix"
|
||||
"${inputs.self}/services"
|
||||
|
@ -120,6 +137,19 @@
|
|||
};
|
||||
};
|
||||
};
|
||||
systemd.services.crowdsec.serviceConfig = {
|
||||
ExecStartPre = let
|
||||
script = pkgs.writeScriptBin "register-bouncer" ''
|
||||
#!${pkgs.runtimeShell}
|
||||
set -eu
|
||||
set -o pipefail
|
||||
|
||||
if ! cscli bouncers list | grep -q "my-bouncer"; then
|
||||
cscli bouncers add "my-bouncer" --key "secret_api_key"
|
||||
fi
|
||||
'';
|
||||
in ["${script}/bin/register-bouncer"];
|
||||
};
|
||||
}
|
||||
];
|
||||
};
|
||||
|
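Review bot: The bouncer API key is a literal in two places (`api_key = "secret_api_key";` in the bouncer `settings` and `cscli bouncers add "my-bouncer" --key "secret_api_key"` in the `register-bouncer` script), so it is committed to git and, through `settings` and `pkgs.writeScriptBin`, ends up in the world-readable /nix/store of every host that evaluates this flake. Since the configuration already loads ragenix (`agenix.nixosModules.default`), keep the key in an agenix secret, have the script read it at runtime (for example `--key "$(cat "$CREDENTIALS_DIRECTORY/bouncer-key")"` with a `LoadCredential=` on the unit), and hand it to the bouncer through whatever file- or environment-based option the upstream `crowdsec-firewall-bouncer` module provides instead of `settings.api_key`; the deleted in-tree module rendered `settings` straight into the store with `format.generate`, so verify the upstream module does not do the same. A smaller point: the registration hook is attached to `crowdsec.service`, but nothing in this hunk orders `crowdsec-firewall-bouncer.service` after it, so the bouncer may first come up before its key exists and depend on restarts — if the upstream module does not add it, set `systemd.services.crowdsec-firewall-bouncer.after = ["crowdsec.service"];`. The enclosing `nixosSystem` definition begins before this hunk.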
|
|
@ -1,102 +0,0 @@
|
|||
{
|
||||
config,
|
||||
pkgs,
|
||||
lib,
|
||||
...
|
||||
}: let
|
||||
cfg = config.services.crowdsec-firewall-bouncer;
|
||||
format = pkgs.formats.yaml {};
|
||||
configFile = format.generate "crowdsec.yaml" cfg.settings;
|
||||
|
||||
pkg = cfg.package;
|
||||
|
||||
backend =
|
||||
if config.networking.nftables.enable
|
||||
then "nftables"
|
||||
else "iptables";
|
||||
|
||||
defaultSettings = with lib; {
|
||||
log_mode = "stdout";
|
||||
|
||||
mode = mkDefault backend;
|
||||
ipset_type = mkDefault "nethash";
|
||||
update_frequency = mkDefault "10s";
|
||||
deny_action = mkDefault "DROP";
|
||||
blacklists_ipv4 = mkDefault "crowdsec-blacklists";
|
||||
blacklists_ipv6 = mkDefault "crowdsec6-blacklists";
|
||||
iptables_chains = mkDefault ["INPUT"];
|
||||
};
|
||||
in {
|
||||
options.services.crowdsec-firewall-bouncer = with lib; {
|
||||
enable = mkEnableOption "CrowSec Firewall Bouncer";
|
||||
package = mkPackageOption pkgs "crowdsec-firewall-bouncer" {};
|
||||
settings = mkOption {
|
||||
description = ''
|
||||
Settings for CrowdSec Firewall Bouncer. Refer to <https://docs.crowdsec.net/u/bouncers/firewall/#configuration-directives> for details.
|
||||
'';
|
||||
type = format.type;
|
||||
default = {};
|
||||
};
|
||||
};
|
||||
config = lib.mkIf (cfg.enable) {
|
||||
services.crowdsec-firewall-bouncer.settings = defaultSettings;
|
||||
|
||||
systemd.packages = [pkg];
|
||||
systemd.services = {
|
||||
crowdsec-firewall-bouncer = {
|
||||
description = "Crowdsec Firewall Bouncer";
|
||||
|
||||
path = [pkg pkgs.ipset pkgs.iptables pkgs.nftables];
|
||||
|
||||
wantedBy = ["multi-user.target"];
|
||||
partOf = ["firewall.service"];
|
||||
|
||||
serviceConfig = with lib; {
|
||||
Type = "notify";
|
||||
Restart = "on-failure";
|
||||
RestartSec = 10;
|
||||
|
||||
LimitNOFILE = mkDefault 65536;
|
||||
|
||||
MemoryDenyWriteExecute = mkDefault true;
|
||||
|
||||
CapabilityBoundingSet = mkDefault ["CAP_NET_ADMIN" "CAP_NET_RAW"];
|
||||
|
||||
NoNewPrivileges = mkDefault true;
|
||||
LockPersonality = mkDefault true;
|
||||
RemoveIPC = mkDefault true;
|
||||
|
||||
ProtectSystem = mkDefault "strict";
|
||||
ProtectHome = mkDefault true;
|
||||
|
||||
PrivateTmp = mkDefault true;
|
||||
PrivateDevices = mkDefault true;
|
||||
ProtectHostname = mkDefault true;
|
||||
ProtectKernelTunables = mkDefault true;
|
||||
ProtectKernelModules = mkDefault true;
|
||||
ProtectControlGroups = mkDefault true;
|
||||
|
||||
ProtectProc = mkDefault "invisible";
|
||||
ProcSubset = mkDefault "pid";
|
||||
|
||||
RestrictNamespaces = mkDefault true;
|
||||
RestrictRealtime = mkDefault true;
|
||||
RestrictSUIDSGID = mkDefault true;
|
||||
|
||||
SystemCallFilter = mkDefault ["@system-service" "@network-io"];
|
||||
SystemCallArchitectures = ["native"];
|
||||
SystemCallErrorNumber = mkDefault "EPERM";
|
||||
|
||||
ExecPaths = ["/nix/store"];
|
||||
NoExecPaths = ["/"];
|
||||
|
||||
ExecStartPost = "${pkgs.coreutils}/bin/sleep 0.2";
|
||||
|
||||
ExecStart = "${pkg}/bin/cs-firewall-bouncer -c ${configFile}";
|
||||
ExecStartPre = ["${pkg}/bin/cs-firewall-bouncer -t -c ${configFile}"];
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
@ -1,6 +1,5 @@
|
|||
{inputs, ...}: {
|
||||
imports = [
|
||||
./crowdsec.nix
|
||||
./cs-firewall-bouncer.nix
|
||||
];
|
||||
}
|
||||
|
|
|
@ -123,6 +123,14 @@ in {
|
|||
}
|
||||
];
|
||||
}
|
||||
{
|
||||
job_name = "nginx";
|
||||
static_configs = [
|
||||
{
|
||||
targets = ["${cfg.proxy_ip}:6060"];
|
||||
}
|
||||
];
|
||||
}
|
||||
{
|
||||
job_name = "redis";
|
||||
static_configs = [
|
||||
|
|
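Review bot: The new scrape job is labelled `nginx` but its only target is `${cfg.proxy_ip}:6060`, which matches crowdsec's default `prometheus.listen_port` rather than any nginx exporter port, so the job name will mislead anyone reading dashboards or alert rules; if this is crowdsec's metrics endpoint, rename it `job_name = "crowdsec";` or at least add `# crowdsec metrics on the proxy host (port 6060)` above the entry. Scraping that endpoint from another host also presumes crowdsec's `prometheus.listen_addr` was changed from the loopback default and that the port is reachable through the proxy's firewall, neither of which is visible here — worth confirming before relying on the job. The enclosing scrape-config list starts and ends outside this hunk.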