Try and install crwodsec on nginx

2025-04-04 11:10:06 +02:00 · 2025-04-04 11:10:06 +02:00 · 126dd2cf53
commit 126dd2cf53
parent 6ec54454a2
5 changed files with 93 additions and 104 deletions
--- a/flake.lock
+++ b/flake.lock
@ -61,6 +61,27 @@
        "type": "github"
      }
    },
    "crowdsec": {
      "inputs": {
        "flake-utils": "flake-utils_2",
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1742920128,
        "narHash": "sha256-VPjnjtAksihLezhc+ZmnqGu18mHr4QVKa1kSZQ8rJL4=",
        "ref": "refs/heads/main",
        "rev": "40e937689d318ee85b1d9763189a65e6f0b4028d",
        "revCount": 40,
        "type": "git",
        "url": "https://codeberg.org/kampka/nix-flake-crowdsec.git"
      },
      "original": {
        "type": "git",
        "url": "https://codeberg.org/kampka/nix-flake-crowdsec.git"
      }
    },
    "darwin": {
      "inputs": {
        "nixpkgs": [
@ -106,6 +127,23 @@
      "inputs": {
        "systems": "systems_3"
      },
      "locked": {
        "lastModified": 1694529238,
        "narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=",
        "owner": "numtide",
        "repo": "flake-utils",
        "rev": "ff7b65b44d01cf9ba6a71320833626af21126384",
        "type": "github"
      },
      "original": {
        "id": "flake-utils",
        "type": "indirect"
      }
    },
    "flake-utils_3": {
      "inputs": {
        "systems": "systems_4"
      },
      "locked": {
        "lastModified": 1731533236,
        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
@ -165,7 +203,7 @@
    },
    "microvm": {
      "inputs": {
-        "flake-utils": "flake-utils_2",
+        "flake-utils": "flake-utils_3",
        "nixpkgs": [
          "nixpkgs"
        ],
@ -220,6 +258,7 @@
    "root": {
      "inputs": {
        "agenix": "agenix",
        "crowdsec": "crowdsec",
        "home-manager": "home-manager_2",
        "microvm": "microvm",
        "nixpkgs": "nixpkgs_2"
@ -306,6 +345,21 @@
        "repo": "default",
        "type": "github"
      }
    },
    "systems_4": {
      "locked": {
        "lastModified": 1681028828,
        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
        "owner": "nix-systems",
        "repo": "default",
        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
        "type": "github"
      },
      "original": {
        "owner": "nix-systems",
        "repo": "default",
        "type": "github"
      }
    }
  },
  "root": "root",
--- a/flake.nix
+++ b/flake.nix
@ -11,6 +11,10 @@
      url = "github:astro/microvm.nix";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    crowdsec = {
      url = "git+https://codeberg.org/kampka/nix-flake-crowdsec.git";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    agenix.url = "github:yaxitech/ragenix";
  };
@ -20,12 +24,14 @@
    home-manager,
    microvm,
    agenix,
    crowdsec,
    ...
  }: let
    system = "x86_64-linux";
    username = "tbarnouin";
    proxy_host = "192.168.1.40";
    pgsql_host = "192.168.1.13";
    pkgs = import nixpkgs {inherit system;};
  in {
    nixosConfigurations = {
      nixmox-curiosity = nixpkgs.lib.nixosSystem {
@ -63,6 +69,17 @@
        inherit system;
        modules = [
          agenix.nixosModules.default
          crowdsec.nixosModules.crowdsec-firewall-bouncer
          ({ pkgs, lib, ... }: {
            nixpkgs.overlays = [crowdsec.overlays.default];
            services.crowdsec-firewall-bouncer = {
              enable = true;
              settings = {
                api_key = "secret_api_key";
                api_url = "http://localhost:8080";
              };
            };
          })
          "${inputs.nixpkgs}/nixos/modules/virtualisation/proxmox-lxc.nix"
          "${inputs.self}/systems/minimalLXCConfig.nix"
          "${inputs.self}/services"
@ -120,6 +137,19 @@
                };
              };
            };
            systemd.services.crowdsec.serviceConfig = {
              ExecStartPre = let
                script = pkgs.writeScriptBin "register-bouncer" ''
                  #!${pkgs.runtimeShell}
                  set -eu
                  set -o pipefail
                  if ! cscli bouncers list | grep -q "my-bouncer"; then
                    cscli bouncers add "my-bouncer" --key "secret_api_key"
                  fi
                '';
              in ["${script}/bin/register-bouncer"];
            };
          }
        ];
      };
--- a/modules/cs-firewall-bouncer.nix
+++ b/modules/cs-firewall-bouncer.nix
@ -1,102 +0,0 @@
 {
  config,
  pkgs,
  lib,
  ...
 }: let
  cfg = config.services.crowdsec-firewall-bouncer;
  format = pkgs.formats.yaml {};
  configFile = format.generate "crowdsec.yaml" cfg.settings;
  pkg = cfg.package;
  backend =
    if config.networking.nftables.enable
    then "nftables"
    else "iptables";
  defaultSettings = with lib; {
    log_mode = "stdout";
    mode = mkDefault backend;
    ipset_type = mkDefault "nethash";
    update_frequency = mkDefault "10s";
    deny_action = mkDefault "DROP";
    blacklists_ipv4 = mkDefault "crowdsec-blacklists";
    blacklists_ipv6 = mkDefault "crowdsec6-blacklists";
    iptables_chains = mkDefault ["INPUT"];
  };
 in {
  options.services.crowdsec-firewall-bouncer = with lib; {
    enable = mkEnableOption "CrowSec Firewall Bouncer";
    package = mkPackageOption pkgs "crowdsec-firewall-bouncer" {};
    settings = mkOption {
      description = ''
        Settings for CrowdSec Firewall Bouncer. Refer to <https://docs.crowdsec.net/u/bouncers/firewall/#configuration-directives> for details.
      '';
      type = format.type;
      default = {};
    };
  };
  config = lib.mkIf (cfg.enable) {
    services.crowdsec-firewall-bouncer.settings = defaultSettings;
    systemd.packages = [pkg];
    systemd.services = {
      crowdsec-firewall-bouncer = {
        description = "Crowdsec Firewall Bouncer";
        path = [pkg pkgs.ipset pkgs.iptables pkgs.nftables];
        wantedBy = ["multi-user.target"];
        partOf = ["firewall.service"];
        serviceConfig = with lib; {
          Type = "notify";
          Restart = "on-failure";
          RestartSec = 10;
          LimitNOFILE = mkDefault 65536;
          MemoryDenyWriteExecute = mkDefault true;
          CapabilityBoundingSet = mkDefault ["CAP_NET_ADMIN" "CAP_NET_RAW"];
          NoNewPrivileges = mkDefault true;
          LockPersonality = mkDefault true;
          RemoveIPC = mkDefault true;
          ProtectSystem = mkDefault "strict";
          ProtectHome = mkDefault true;
          PrivateTmp = mkDefault true;
          PrivateDevices = mkDefault true;
          ProtectHostname = mkDefault true;
          ProtectKernelTunables = mkDefault true;
          ProtectKernelModules = mkDefault true;
          ProtectControlGroups = mkDefault true;
          ProtectProc = mkDefault "invisible";
          ProcSubset = mkDefault "pid";
          RestrictNamespaces = mkDefault true;
          RestrictRealtime = mkDefault true;
          RestrictSUIDSGID = mkDefault true;
          SystemCallFilter = mkDefault ["@system-service" "@network-io"];
          SystemCallArchitectures = ["native"];
          SystemCallErrorNumber = mkDefault "EPERM";
          ExecPaths = ["/nix/store"];
          NoExecPaths = ["/"];
          ExecStartPost = "${pkgs.coreutils}/bin/sleep 0.2";
          ExecStart = "${pkg}/bin/cs-firewall-bouncer -c ${configFile}";
          ExecStartPre = ["${pkg}/bin/cs-firewall-bouncer -t -c ${configFile}"];
        };
      };
    };
  };
 }
--- a/modules/default.nix
+++ b/modules/default.nix
@ -1,6 +1,5 @@
 {inputs, ...}: {
  imports = [
    ./crowdsec.nix
    ./cs-firewall-bouncer.nix
  ];
 }
--- a/services/grafana/default.nix
+++ b/services/grafana/default.nix
@ -123,6 +123,14 @@ in {
            }
          ];
        }
        {
          job_name = "nginx";
          static_configs = [
            {
              targets = ["${cfg.proxy_ip}:6060"];
            }
          ];
        }
        {
          job_name = "redis";
          static_configs = [