diff --git a/flake.lock b/flake.lock index 9de8365..a1819e7 100644 --- a/flake.lock +++ b/flake.lock @@ -61,6 +61,27 @@ "type": "github" } }, + "crowdsec": { + "inputs": { + "flake-utils": "flake-utils_2", + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1742920128, + "narHash": "sha256-VPjnjtAksihLezhc+ZmnqGu18mHr4QVKa1kSZQ8rJL4=", + "ref": "refs/heads/main", + "rev": "40e937689d318ee85b1d9763189a65e6f0b4028d", + "revCount": 40, + "type": "git", + "url": "https://codeberg.org/kampka/nix-flake-crowdsec.git" + }, + "original": { + "type": "git", + "url": "https://codeberg.org/kampka/nix-flake-crowdsec.git" + } + }, "darwin": { "inputs": { "nixpkgs": [ @@ -106,6 +127,23 @@ "inputs": { "systems": "systems_3" }, + "locked": { + "lastModified": 1694529238, + "narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "ff7b65b44d01cf9ba6a71320833626af21126384", + "type": "github" + }, + "original": { + "id": "flake-utils", + "type": "indirect" + } + }, + "flake-utils_3": { + "inputs": { + "systems": "systems_4" + }, "locked": { "lastModified": 1731533236, "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", @@ -165,7 +203,7 @@ }, "microvm": { "inputs": { - "flake-utils": "flake-utils_2", + "flake-utils": "flake-utils_3", "nixpkgs": [ "nixpkgs" ], @@ -220,6 +258,7 @@ "root": { "inputs": { "agenix": "agenix", + "crowdsec": "crowdsec", "home-manager": "home-manager_2", "microvm": "microvm", "nixpkgs": "nixpkgs_2" @@ -306,6 +345,21 @@ "repo": "default", "type": "github" } + }, + "systems_4": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } } }, "root": "root", 
diff --git a/flake.nix b/flake.nix index 279be37..7daaf1f 100644 --- a/flake.nix +++ b/flake.nix @@ -11,6 +11,10 @@ url = "github:astro/microvm.nix"; inputs.nixpkgs.follows = "nixpkgs"; }; + crowdsec = { + url = "git+https://codeberg.org/kampka/nix-flake-crowdsec.git"; + inputs.nixpkgs.follows = "nixpkgs"; + }; agenix.url = "github:yaxitech/ragenix"; }; @@ -20,12 +24,14 @@ home-manager, microvm, agenix, + crowdsec, ... }: let system = "x86_64-linux"; username = "tbarnouin"; proxy_host = "192.168.1.40"; pgsql_host = "192.168.1.13"; + pkgs = import nixpkgs {inherit system;}; in { nixosConfigurations = { nixmox-curiosity = nixpkgs.lib.nixosSystem { @@ -63,6 +69,17 @@ inherit system; modules = [ agenix.nixosModules.default + crowdsec.nixosModules.crowdsec-firewall-bouncer + ({ pkgs, lib, ... }: { + nixpkgs.overlays = [crowdsec.overlays.default]; + services.crowdsec-firewall-bouncer = { + enable = true; + settings = { + api_key = "secret_api_key"; + api_url = "http://localhost:8080"; + }; + }; + }) "${inputs.nixpkgs}/nixos/modules/virtualisation/proxmox-lxc.nix" "${inputs.self}/systems/minimalLXCConfig.nix" "${inputs.self}/services" @@ -120,6 +137,19 @@ }; }; }; + systemd.services.crowdsec.serviceConfig = { + ExecStartPre = let + script = pkgs.writeScriptBin "register-bouncer" '' + #!${pkgs.runtimeShell} + set -eu + set -o pipefail + + if ! cscli bouncers list | grep -q "my-bouncer"; then + cscli bouncers add "my-bouncer" --key "secret_api_key" + fi + ''; + in ["${script}/bin/register-bouncer"]; + }; } ]; }; diff --git a/modules/cs-firewall-bouncer.nix b/modules/cs-firewall-bouncer.nix deleted file mode 100644 index ea3896e..0000000 --- a/modules/cs-firewall-bouncer.nix +++ /dev/null 
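Review bot: `pkgs = import nixpkgs {inherit system;};` in the top-level `let` instantiates a second nixpkgs that carries none of the overlays or config the NixOS modules apply, so the `pkgs.writeScriptBin` and `pkgs.runtimeShell` used for `register-bouncer` in the later hunk (`@@ -120,6 +137,19`) come from a different package set than the one `crowdsec.overlays.default` is added to. Unless the inline module there is deliberately kept as a plain attribute set, the usual approach is to make it a function, `({ pkgs, ... }: { systemd.services.crowdsec.serviceConfig = …; })`, and drop the extra import; whether that module already takes arguments is not visible in the hunk. The enclosing `nixosSystem` call starts and ends outside this hunk.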
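Review bot: `api_key = "secret_api_key";` places the bouncer's LAPI key as a literal in flake.nix, so it is committed to the repository and, if the upstream module renders `settings` into a YAML file the way the deleted `modules/cs-firewall-bouncer.nix` did (`format.generate "crowdsec.yaml" cfg.settings`), it also lands world-readable in `/nix/store`; the same literal is repeated in the `register-bouncer` script of the hunk at `@@ -120,6 +137,19`, where `pkgs.writeScriptBin` guarantees it is in the store. The flake already pulls in `agenix` (ragenix), so the key belongs in an agenix-managed secret: have the registration script read it at runtime, e.g. `cscli bouncers add "my-bouncer" --key "$(cat <agenix secret path>)"`, and hand it to the bouncer through whatever file- or environment-based mechanism the upstream module offers rather than the `settings` literal. Keeping a single source of truth for the key also removes the silent drift that occurs when only one of the two copies is rotated. Both modules sit inside the `modules = [ … ]` list of a `nixosSystem` call whose start and end lie outside these hunks.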
@@ -1,102 +0,0 @@ -{ - config, - pkgs, - lib, - ... -}: let - cfg = config.services.crowdsec-firewall-bouncer; - format = pkgs.formats.yaml {}; - configFile = format.generate "crowdsec.yaml" cfg.settings; - - pkg = cfg.package; - - backend = - if config.networking.nftables.enable - then "nftables" - else "iptables"; - - defaultSettings = with lib; { - log_mode = "stdout"; - - mode = mkDefault backend; - ipset_type = mkDefault "nethash"; - update_frequency = mkDefault "10s"; - deny_action = mkDefault "DROP"; - blacklists_ipv4 = mkDefault "crowdsec-blacklists"; - blacklists_ipv6 = mkDefault "crowdsec6-blacklists"; - iptables_chains = mkDefault ["INPUT"]; - }; -in { - options.services.crowdsec-firewall-bouncer = with lib; { - enable = mkEnableOption "CrowSec Firewall Bouncer"; - package = mkPackageOption pkgs "crowdsec-firewall-bouncer" {}; - settings = mkOption { - description = '' - Settings for CrowdSec Firewall Bouncer. Refer to for details. - ''; - type = format.type; - default = {}; - }; - }; - config = lib.mkIf (cfg.enable) { - services.crowdsec-firewall-bouncer.settings = defaultSettings; - - systemd.packages = [pkg]; - systemd.services = { - crowdsec-firewall-bouncer = { - description = "Crowdsec Firewall Bouncer"; - - path = [pkg pkgs.ipset pkgs.iptables pkgs.nftables]; - - wantedBy = ["multi-user.target"]; - partOf = ["firewall.service"]; - - serviceConfig = with lib; { - Type = "notify"; - Restart = "on-failure"; - RestartSec = 10; - - LimitNOFILE = mkDefault 65536; - - MemoryDenyWriteExecute = mkDefault true; - - CapabilityBoundingSet = mkDefault ["CAP_NET_ADMIN" "CAP_NET_RAW"]; - - NoNewPrivileges = mkDefault true; - LockPersonality = mkDefault true; - RemoveIPC = mkDefault true; - - ProtectSystem = mkDefault "strict"; - ProtectHome = mkDefault true; - - PrivateTmp = mkDefault true; - PrivateDevices = mkDefault true; - ProtectHostname = mkDefault true; - ProtectKernelTunables = mkDefault true; - ProtectKernelModules = mkDefault true; - 
ProtectControlGroups = mkDefault true; - - ProtectProc = mkDefault "invisible"; - ProcSubset = mkDefault "pid"; - - RestrictNamespaces = mkDefault true; - RestrictRealtime = mkDefault true; - RestrictSUIDSGID = mkDefault true; - - SystemCallFilter = mkDefault ["@system-service" "@network-io"]; - SystemCallArchitectures = ["native"]; - SystemCallErrorNumber = mkDefault "EPERM"; - - ExecPaths = ["/nix/store"]; - NoExecPaths = ["/"]; - - ExecStartPost = "${pkgs.coreutils}/bin/sleep 0.2"; - - ExecStart = "${pkg}/bin/cs-firewall-bouncer -c ${configFile}"; - ExecStartPre = ["${pkg}/bin/cs-firewall-bouncer -t -c ${configFile}"]; - }; - }; - }; - }; -} - diff --git a/modules/default.nix b/modules/default.nix index cde80b7..935f8a1 100644 --- a/modules/default.nix +++ b/modules/default.nix @@ -1,6 +1,5 @@ {inputs, ...}: { imports = [ ./crowdsec.nix - ./cs-firewall-bouncer.nix ]; } diff --git a/services/grafana/default.nix b/services/grafana/default.nix index 785c19c..68b9526 100644 --- a/services/grafana/default.nix +++ b/services/grafana/default.nix @@ -123,6 +123,14 @@ in { } ]; } + { + job_name = "nginx"; + static_configs = [ + { + targets = ["${cfg.proxy_ip}:6060"]; + } + ]; + } { job_name = "redis"; static_configs = [