diff --git a/flake.lock b/flake.lock index 4f176ab..aef7b94 100644 --- a/flake.lock +++ b/flake.lock @@ -105,6 +105,22 @@ "type": "github" } }, + "flake-compat": { + "flake": false, + "locked": { + "lastModified": 1696426674, + "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, "flake-utils": { "inputs": { "systems": "systems_2" @@ -140,6 +156,27 @@ "type": "indirect" } }, + "gitignore": { + "inputs": { + "nixpkgs": [ + "pre-commit-hooks", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1709087332, + "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=", + "owner": "hercules-ci", + "repo": "gitignore.nix", + "rev": "637db329424fd7e46cf4185293b9cc8c88c95394", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "gitignore.nix", + "type": "github" + } + }, "home-manager": { "inputs": { "nixpkgs": [ 
@@ -215,12 +252,49 @@ "type": "github" } }, + "nixpkgs_3": { + "locked": { + "lastModified": 1730768919, + "narHash": "sha256-8AKquNnnSaJRXZxc5YmF/WfmxiHX6MMZZasRP6RRQkE=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "a04d33c0c3f1a59a2c1cb0c6e34cd24500e5a1dc", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "pre-commit-hooks": { + "inputs": { + "flake-compat": "flake-compat", + "gitignore": "gitignore", + "nixpkgs": "nixpkgs_3" + }, + "locked": { + "lastModified": 1747372754, + "narHash": "sha256-2Y53NGIX2vxfie1rOW0Qb86vjRZ7ngizoo+bnXU9D9k=", + "owner": "cachix", + "repo": "git-hooks.nix", + "rev": "80479b6ec16fefd9c1db3ea13aeb038c60530f46", + "type": "github" + }, + "original": { + "owner": "cachix", + "repo": "git-hooks.nix", + "type": "github" + } + }, "root": { "inputs": { "agenix": "agenix", "crowdsec": "crowdsec", "home-manager": "home-manager_2", - "nixpkgs": "nixpkgs_2" + "nixpkgs": "nixpkgs_2", + "pre-commit-hooks": "pre-commit-hooks" } }, "rust-overlay": { diff --git a/flake.nix b/flake.nix index d93fae9..4d0b785 100644 --- a/flake.nix +++ b/flake.nix @@ -3,6 +3,7 @@ inputs = { nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.05"; + pre-commit-hooks.url = "github:cachix/git-hooks.nix"; home-manager = { url = "github:nix-community/home-manager/release-25.05"; inputs.nixpkgs.follows = "nixpkgs"; 
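Review bot: The new `pre-commit-hooks.url` input in the flake.nix hunk is added without a `follows`, so the lock in the same commit pulls a second nixpkgs (`nixpkgs_3`, tracking `nixpkgs-unstable`) next to the `nixos-25.05` one the rest of the flake uses. That doubles the pinned nixpkgs surface to track and audit, and the unstable tree is only there to build the check's hook packages. The `home-manager` entry two lines below already shows the convention; mirroring it with `pre-commit-hooks.inputs.nixpkgs.follows = "nixpkgs";` and re-locking would drop `nixpkgs_3` from flake.lock. The `inputs` attrset continues outside the hunk.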
@@ -27,11 +28,21 @@ proxy_host = "192.168.1.40"; pgsql_host = "192.168.1.13"; pkgs = import nixpkgs {inherit system;}; + supportedSystems = ["x86_64-linux"]; + forAllSystems = nixpkgs.lib.genAttrs supportedSystems; in { + checks = forAllSystems (system: { + pre-commit-check = inputs.pre-commit-hooks.lib.${system}.run { + src = ./.; + hooks = { + alejandra.enable = true; + }; + }; + }); nixosConfigurations = { nginx = nixpkgs.lib.nixosSystem { inherit system; - specialArgs = { inherit inputs; }; + specialArgs = {inherit inputs;}; modules = [ agenix.nixosModules.default crowdsec.nixosModules.crowdsec-firewall-bouncer @@ -52,7 +63,7 @@ }; pgsql = nixpkgs.lib.nixosSystem { inherit system; - specialArgs = { inherit inputs; }; + specialArgs = {inherit inputs;}; modules = [ agenix.nixosModules.default crowdsec.nixosModules.crowdsec-firewall-bouncer @@ -70,7 +81,7 @@ }; forgejo = nixpkgs.lib.nixosSystem { inherit system; - specialArgs = { inherit inputs; }; + specialArgs = {inherit inputs;}; modules = [ agenix.nixosModules.default crowdsec.nixosModules.crowdsec-firewall-bouncer @@ -89,7 +100,7 @@ }; onlyoffice = nixpkgs.lib.nixosSystem { inherit system; - specialArgs = { inherit inputs; }; + specialArgs = {inherit inputs;}; modules = [ agenix.nixosModules.default crowdsec.nixosModules.crowdsec-firewall-bouncer @@ -108,7 +119,7 @@ }; template = nixpkgs.lib.nixosSystem { inherit system; - specialArgs = { inherit inputs; }; + specialArgs = {inherit inputs;}; modules = [ agenix.nixosModules.default crowdsec.nixosModules.crowdsec-firewall-bouncer @@ -123,7 +134,7 @@ }; jellyfin = nixpkgs.lib.nixosSystem { inherit system; - specialArgs = { inherit inputs; }; + specialArgs = {inherit inputs;}; modules = [ agenix.nixosModules.default crowdsec.nixosModules.crowdsec-firewall-bouncer 
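Review bot: The `checks.<system>.pre-commit-check` output added in the second flake.nix hunk only runs under `nix flake check`; nothing in this commit installs the hook into the working tree, so `alejandra` will not actually run on commit unless a devShell elsewhere in flake.nix (not visible here) consumes the check's `shellHook`. If the intent is a real pre-commit gate, a devShell that wires the hook in is the missing piece, sketched below (assumes `inputs.self` is available from the outputs signature, which is outside the hunk). The `outputs` attrset continues past the hunk, so the block would sit beside `checks`.
```nix
checks = forAllSystems (system: {
  # … unchanged: pre-commit-check definition …
});
devShells = forAllSystems (system: {
  default = nixpkgs.legacyPackages.${system}.mkShell {
    inherit (inputs.self.checks.${system}.pre-commit-check) shellHook;
    buildInputs = inputs.self.checks.${system}.pre-commit-check.enabledPackages;
  };
});
```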
@@ -140,7 +151,7 @@ }; qbittorrent-vpn = nixpkgs.lib.nixosSystem { inherit system; - specialArgs = { inherit inputs; }; + specialArgs = {inherit inputs;}; modules = [ agenix.nixosModules.default crowdsec.nixosModules.crowdsec-firewall-bouncer @@ -157,7 +168,7 @@ }; nixarr = nixpkgs.lib.nixosSystem { inherit system; - specialArgs = { inherit inputs; }; + specialArgs = {inherit inputs;}; modules = [ agenix.nixosModules.default crowdsec.nixosModules.crowdsec-firewall-bouncer @@ -174,7 +185,7 @@ }; arr-box = nixpkgs.lib.nixosSystem { inherit system; - specialArgs = { inherit inputs; }; + specialArgs = {inherit inputs;}; modules = [ agenix.nixosModules.default crowdsec.nixosModules.crowdsec-firewall-bouncer @@ -191,7 +202,7 @@ }; redis = nixpkgs.lib.nixosSystem { inherit system; - specialArgs = { inherit inputs; }; + specialArgs = {inherit inputs;}; modules = [ agenix.nixosModules.default crowdsec.nixosModules.crowdsec-firewall-bouncer @@ -209,7 +220,7 @@ }; grafana-lxc = nixpkgs.lib.nixosSystem { inherit system; - specialArgs = { inherit inputs; }; + specialArgs = {inherit inputs;}; modules = [ agenix.nixosModules.default crowdsec.nixosModules.crowdsec-firewall-bouncer diff --git a/modules/crowdsec.nix b/modules/crowdsec.nix index fce55f0..962a6de 100644 --- a/modules/crowdsec.nix +++ b/modules/crowdsec.nix @@ -3,10 +3,8 @@ pkgs, lib, ... -}: -let - - format = pkgs.formats.yaml { }; +}: let + format = pkgs.formats.yaml {}; rootDir = "/var/lib/crowdsec"; stateDir = "${rootDir}/state"; @@ -22,14 +20,11 @@ let localParsersS01ParseDir = "${parsersDir}/s01-parse/"; localParsersS02EnrichDir = "${parsersDir}/s02-enrich/"; localContextsDir = "${confDir}/contexts/"; - -in -{ - +in { options.services.crowdsec = with lib; { enable = mkEnableOption "CrowdSec Security Engine"; - package = mkPackageOption pkgs "crowdsec" { }; + package = mkPackageOption pkgs "crowdsec" {}; autoUpdateService = mkEnableOption "Auto Hub Update"; 
@@ -61,7 +56,7 @@ in options = { acquisitions = mkOption { type = types.listOf format.type; - default = [ ]; + default = []; description = '' A list of acquisition specifications, which define the data sources you want to be parsed. See for details. @@ -69,7 +64,7 @@ in example = [ { source = "journalctl"; - journalctl_filter = [ "_SYSTEMD_UNIT=sshd.service" ]; + journalctl_filter = ["_SYSTEMD_UNIT=sshd.service"]; labels = { type = "syslog"; }; @@ -78,7 +73,7 @@ in }; scenarios = mkOption { type = types.listOf format.type; - default = [ ]; + default = []; description = '' A list of scenarios specifications. See for details. @@ -100,7 +95,7 @@ in options = { s00Raw = mkOption { type = types.listOf format.type; - default = [ ]; + default = []; description = '' A list of stage s00-raw specifications. Most of the time, those are already included in the hub, but are presented here anyway. See for details. @@ -108,7 +103,7 @@ in }; s01Parse = mkOption { type = types.listOf format.type; - default = [ ]; + default = []; description = '' A list of stage s01-parse specifications. See for details. @@ -135,7 +130,7 @@ in }; s02Enrich = mkOption { type = types.listOf format.type; - default = [ ]; + default = []; description = '' A list of stage s02-enrich specifications. Inside this list, you can specify Parser Whitelists. See for details. @@ -158,14 +153,14 @@ in }; }; }; - default = { }; + default = {}; }; postOverflows = mkOption { type = types.submodule { options = { s01Whitelist = mkOption { type = types.listOf format.type; - default = [ ]; + default = []; description = '' A list of stage s01-whitelist specifications. Inside this list, you can specify Postoverflows Whitelists. See for details. @@ -185,7 +180,7 @@ in }; }; }; - default = { }; + default = {}; }; contexts = mkOption { type = types.listOf format.type; 
@@ -196,14 +191,14 @@ in example = [ { context = { - target_uri = [ "evt.Meta.http_path" ]; - user_agent = [ "evt.Meta.http_user_agent" ]; - method = [ "evt.Meta.http_verb" ]; - status = [ "evt.Meta.http_status" ]; + target_uri = ["evt.Meta.http_path"]; + user_agent = ["evt.Meta.http_user_agent"]; + method = ["evt.Meta.http_verb"]; + status = ["evt.Meta.http_status"]; }; } ]; - default = [ ]; + default = []; }; notifications = mkOption { type = types.listOf format.type; @@ -223,7 +218,7 @@ in method = "POST"; } ]; - default = [ ]; + default = []; }; profiles = mkOption { type = types.listOf format.type; @@ -290,14 +285,14 @@ in }; patterns = mkOption { type = types.listOf types.package; - default = [ ]; + default = []; example = lib.literalExpression '' [ (pkgs.writeTextDir "custom_service_logs" (builtins.readFile ./custom_service_logs)) ] ''; }; }; }; - default = { }; + default = {}; }; hub = mkOption { 
@@ -305,48 +300,48 @@ in options = { collections = mkOption { type = types.listOf types.str; - default = [ ]; + default = []; description = "List of hub collections to install"; - example = [ "crowdsecurity/linux" ]; + example = ["crowdsecurity/linux"]; }; scenarios = mkOption { type = types.listOf types.str; - default = [ ]; + default = []; description = "List of hub scenarios to install"; - example = [ "crowdsecurity/ssh-bf" ]; + example = ["crowdsecurity/ssh-bf"]; }; parsers = mkOption { type = types.listOf types.str; - default = [ ]; + default = []; description = "List of hub parsers to install"; - example = [ "crowdsecurity/sshd-logs" ]; + example = ["crowdsecurity/sshd-logs"]; }; postOverflows = mkOption { type = types.listOf types.str; - default = [ ]; + default = []; description = "List of hub postoverflows to install"; - example = [ "crowdsecurity/auditd-nix-wrappers-whitelist-process" ]; + example = ["crowdsecurity/auditd-nix-wrappers-whitelist-process"]; }; appSecConfigs = mkOption { type = types.listOf types.str; - default = [ ]; + default = []; description = "List of hub appsec configurations to install"; - example = [ "crowdsecurity/appsec-default" ]; + example = ["crowdsecurity/appsec-default"]; }; appSecRules = mkOption { type = types.listOf types.str; - default = [ ]; + default = []; description = "List of hub appsec rules to install"; - example = [ "crowdsecurity/base-config" ]; + example = ["crowdsecurity/base-config"]; }; }; }; - default = { }; + default = {}; description = '' Hub collections, parsers, AppSec rules, etc. ''; @@ -361,7 +356,7 @@ in Refer to the defaults at . ''; type = format.type; - default = { }; + default = {}; }; simulation = mkOption { type = format.type; @@ -389,7 +384,7 @@ in description = '' LAPI Configuration attributes ''; - default = { }; + default = {}; }; capi = mkOption { type = types.submodule { 
@@ -407,7 +402,7 @@ in description = '' CAPI Configuration attributes ''; - default = { }; + default = {}; }; console = mkOption { type = types.submodule { 
@@ -437,133 +432,130 @@ in description = '' Console Configuration attributes ''; - default = { }; + default = {}; }; }; }; }; }; - config = - let - cfg = config.services.crowdsec; - configFile = format.generate "crowdsec.yaml" cfg.settings.general; - simulationFile = format.generate "simulation.yaml" cfg.settings.simulation; - consoleFile = format.generate "console.yaml" cfg.settings.console.configuration; - patternsDir = pkgs.buildPackages.symlinkJoin { - name = "crowdsec-patterns"; - paths = [ - cfg.localConfig.patterns - "${lib.attrsets.getOutput "out" cfg.package}/share/crowdsec/config/patterns/" - ]; - }; + config = let + cfg = config.services.crowdsec; + configFile = format.generate "crowdsec.yaml" cfg.settings.general; + simulationFile = format.generate "simulation.yaml" cfg.settings.simulation; + consoleFile = format.generate "console.yaml" cfg.settings.console.configuration; + patternsDir = pkgs.buildPackages.symlinkJoin { + name = "crowdsec-patterns"; + paths = [ + cfg.localConfig.patterns + "${lib.attrsets.getOutput "out" cfg.package}/share/crowdsec/config/patterns/" + ]; + }; - cscli = pkgs.writeShellScriptBin "cscli" '' - set -euo pipefail - # cscli needs crowdsec on it's path in order to be able to run `cscli explain` - export PATH="$PATH:${lib.makeBinPath [ cfg.package ]}" - sudo=exec - if [ "$USER" != "${cfg.user}" ]; then - sudo='exec /run/wrappers/bin/sudo -u ${cfg.user}' - fi - $sudo ${lib.getExe' cfg.package "cscli"} -c=${configFile} "$@" - ''; + cscli = pkgs.writeShellScriptBin "cscli" '' + set -euo pipefail + # cscli needs crowdsec on it's path in order to be able to run `cscli explain` + export PATH="$PATH:${lib.makeBinPath [cfg.package]}" + sudo=exec + if [ "$USER" != "${cfg.user}" ]; then + sudo='exec /run/wrappers/bin/sudo -u ${cfg.user}' + fi + $sudo ${lib.getExe' cfg.package "cscli"} -c=${configFile} "$@" + ''; - localScenariosMap = (map (format.generate "scenario.yaml") cfg.localConfig.scenarios); - localParsersS00RawMap = ( - map 
(format.generate "parsers-s00-raw.yaml") cfg.localConfig.parsers.s00Raw - ); - localParsersS01ParseMap = ( - map (format.generate "parsers-s01-parse.yaml") cfg.localConfig.parsers.s01Parse - ); - localParsersS02EnrichMap = ( - map (format.generate "parsers-s02-enrich.yaml") cfg.localConfig.parsers.s02Enrich - ); - localPostOverflowsS01WhitelistMap = ( - map (format.generate "postoverflows-s01-whitelist.yaml") cfg.localConfig.postOverflows.s01Whitelist - ); - localContextsMap = (map (format.generate "context.yaml") cfg.localConfig.contexts); - localNotificationsMap = (map (format.generate "notification.yaml") cfg.localConfig.notifications); - localProfilesFile = pkgs.writeText "local_profiles.yaml" '' - --- - ${lib.strings.concatMapStringsSep "\n---\n" builtins.toJSON cfg.localConfig.profiles} - --- - ''; - localAcquisisionFile = pkgs.writeText "local_acquisisions.yaml" '' - --- - ${lib.strings.concatMapStringsSep "\n---\n" builtins.toJSON cfg.localConfig.acquisitions} - --- - ''; + localScenariosMap = map (format.generate "scenario.yaml") cfg.localConfig.scenarios; + localParsersS00RawMap = ( + map (format.generate "parsers-s00-raw.yaml") cfg.localConfig.parsers.s00Raw + ); + localParsersS01ParseMap = ( + map (format.generate "parsers-s01-parse.yaml") cfg.localConfig.parsers.s01Parse + ); + localParsersS02EnrichMap = ( + map (format.generate "parsers-s02-enrich.yaml") cfg.localConfig.parsers.s02Enrich + ); + localPostOverflowsS01WhitelistMap = ( + map (format.generate "postoverflows-s01-whitelist.yaml") cfg.localConfig.postOverflows.s01Whitelist + ); + localContextsMap = map (format.generate "context.yaml") cfg.localConfig.contexts; + localNotificationsMap = map (format.generate "notification.yaml") cfg.localConfig.notifications; + localProfilesFile = pkgs.writeText "local_profiles.yaml" '' + --- + ${lib.strings.concatMapStringsSep "\n---\n" builtins.toJSON cfg.localConfig.profiles} + --- + ''; + localAcquisisionFile = pkgs.writeText "local_acquisisions.yaml" '' + 
--- + ${lib.strings.concatMapStringsSep "\n---\n" builtins.toJSON cfg.localConfig.acquisitions} + --- + ''; - scriptArray = - [ - "set -euo pipefail" - "${lib.getExe cscli} hub update" - ] - ++ lib.optionals (cfg.hub.collections != [ ]) [ - "${lib.getExe cscli} collections install ${ - lib.strings.concatMapStringsSep " " (x: lib.escapeShellArg x) cfg.hub.collections - }" - ] - ++ lib.optionals (cfg.hub.scenarios != [ ]) [ - "${lib.getExe cscli} scenarios install ${ - lib.strings.concatMapStringsSep " " (x: lib.escapeShellArg x) cfg.hub.scenarios - }" - ] - ++ lib.optionals (cfg.hub.parsers != [ ]) [ - "${lib.getExe cscli} parsers install ${ - lib.strings.concatMapStringsSep " " (x: lib.escapeShellArg x) cfg.hub.parsers - }" - ] - ++ lib.optionals (cfg.hub.postOverflows != [ ]) [ - "${lib.getExe cscli} postoverflows install ${ - lib.strings.concatMapStringsSep " " (x: lib.escapeShellArg x) cfg.hub.postOverflows - }" - ] - ++ lib.optionals (cfg.hub.appSecConfigs != [ ]) [ - "${lib.getExe cscli} appsec-configs install ${ - lib.strings.concatMapStringsSep " " (x: lib.escapeShellArg x) cfg.hub.appSecConfigs - }" - ] - ++ lib.optionals (cfg.hub.appSecRules != [ ]) [ - "${lib.getExe cscli} appsec-rules install ${ - lib.strings.concatMapStringsSep " " (x: lib.escapeShellArg x) cfg.hub.appSecRules - }" - ] - ++ lib.optionals (cfg.settings.general.api.server.enable) [ - '' - if [ ! -s "${cfg.settings.general.api.client.credentials_path}" ]; then - ${lib.getExe cscli} machine add "${cfg.name}" --auto - fi - '' - ] - ++ lib.optionals (cfg.settings.capi.credentialsFile != null) [ - '' - if ! grep -q password "${cfg.settings.capi.credentialsFile}" ]; then - ${lib.getExe cscli} capi register - fi - '' - ] - ++ lib.optionals (cfg.settings.console.tokenFile != null) [ - '' - if [ ! 
-e "${cfg.settings.console.tokenFile}" ]; then - ${lib.getExe cscli} console enroll "$(cat ${cfg.settings.console.tokenFile})" --name ${cfg.name} - fi - '' - ]; + scriptArray = + [ + "set -euo pipefail" + "${lib.getExe cscli} hub update" + ] + ++ lib.optionals (cfg.hub.collections != []) [ + "${lib.getExe cscli} collections install ${ + lib.strings.concatMapStringsSep " " (x: lib.escapeShellArg x) cfg.hub.collections + }" + ] + ++ lib.optionals (cfg.hub.scenarios != []) [ + "${lib.getExe cscli} scenarios install ${ + lib.strings.concatMapStringsSep " " (x: lib.escapeShellArg x) cfg.hub.scenarios + }" + ] + ++ lib.optionals (cfg.hub.parsers != []) [ + "${lib.getExe cscli} parsers install ${ + lib.strings.concatMapStringsSep " " (x: lib.escapeShellArg x) cfg.hub.parsers + }" + ] + ++ lib.optionals (cfg.hub.postOverflows != []) [ + "${lib.getExe cscli} postoverflows install ${ + lib.strings.concatMapStringsSep " " (x: lib.escapeShellArg x) cfg.hub.postOverflows + }" + ] + ++ lib.optionals (cfg.hub.appSecConfigs != []) [ + "${lib.getExe cscli} appsec-configs install ${ + lib.strings.concatMapStringsSep " " (x: lib.escapeShellArg x) cfg.hub.appSecConfigs + }" + ] + ++ lib.optionals (cfg.hub.appSecRules != []) [ + "${lib.getExe cscli} appsec-rules install ${ + lib.strings.concatMapStringsSep " " (x: lib.escapeShellArg x) cfg.hub.appSecRules + }" + ] + ++ lib.optionals (cfg.settings.general.api.server.enable) [ + '' + if [ ! -s "${cfg.settings.general.api.client.credentials_path}" ]; then + ${lib.getExe cscli} machine add "${cfg.name}" --auto + fi + '' + ] + ++ lib.optionals (cfg.settings.capi.credentialsFile != null) [ + '' + if ! grep -q password "${cfg.settings.capi.credentialsFile}" ]; then + ${lib.getExe cscli} capi register + fi + '' + ] + ++ lib.optionals (cfg.settings.console.tokenFile != null) [ + '' + if [ ! 
-e "${cfg.settings.console.tokenFile}" ]; then + ${lib.getExe cscli} console enroll "$(cat ${cfg.settings.console.tokenFile})" --name ${cfg.name} + fi + '' + ]; - setupScript = pkgs.writeShellScriptBin "crowdsec-setup" ( - lib.strings.concatStringsSep "\n" scriptArray - ); - - in + setupScript = pkgs.writeShellScriptBin "crowdsec-setup" ( + lib.strings.concatStringsSep "\n" scriptArray + ); + in lib.mkIf (cfg.enable) { - warnings = - [ ] - ++ lib.optionals (cfg.localConfig.profiles == [ ]) [ + [] + ++ lib.optionals (cfg.localConfig.profiles == []) [ "By not specifying profiles in services.crowdsec.localConfig.profiles, CrowdSec will not react to any alert by default." ] - ++ lib.optionals (cfg.localConfig.acquisitions == [ ]) [ + ++ lib.optionals (cfg.localConfig.acquisitions == []) [ "By not specifying acquisitions in services.crowdsec.localConfig.acquisitions, CrowdSec will not look for any data source." ]; @@ -624,14 +616,14 @@ in }; environment = { - systemPackages = [ cscli ]; + systemPackages = [cscli]; }; - systemd.packages = [ cfg.package ]; + systemd.packages = [cfg.package]; systemd.timers.crowdsec-update-hub = lib.mkIf (cfg.autoUpdateService) { description = "Update the crowdsec hub index"; - wantedBy = [ "timers.target" ]; + wantedBy = ["timers.target"]; timerConfig = { OnCalendar = "daily"; Persistent = "yes"; 
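Review bot: The reformatted `scriptArray` keeps a stray `]` in the CAPI branch: `if ! grep -q password "${cfg.settings.capi.credentialsFile}" ]; then` passes `]` to grep as a second file operand, so every run of `crowdsec-setup` logs a "No such file or directory" error, and on a miss grep exits 2 rather than 1 — the negation still takes the `capi register` branch, which is why the defect has gone unnoticed. The line should read `if ! grep -q password "${cfg.settings.capi.credentialsFile}"; then`. Separately, the `warnings` block at the end of the hunk shows `- warnings =` with no matching added line; if that is not an artefact of the collapsed rendering, the new side leaves a bare list inside the `lib.mkIf` attrset and will not evaluate — worth confirming against the actual file. The `config = let … in lib.mkIf (cfg.enable) { … }` expression continues well past the hunk.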
@@ -696,16 +688,16 @@ in RestrictSUIDSGID = true; ExecStart = "${lib.getExe cscli} --error hub update"; ExecStartPost = "systemctl reload crowdsec.service"; - LogLevelMax=5; + LogLevelMax = 5; }; }; crowdsec = { description = "CrowdSec is a free, modern & collaborative behavior detection engine, coupled with a global IP reputation network."; - wantedBy = [ "multi-user.target" ]; - after = [ "network-online.target" ]; - wants = [ "network-online.target" ]; - path = lib.mkForce [ ]; + wantedBy = ["multi-user.target"]; + after = ["network-online.target"]; + wants = ["network-online.target"]; + path = lib.mkForce []; environment = { LC_ALL = "C"; LANG = "C"; @@ -778,7 +770,7 @@ in "${lib.getExe setupScript}" "${lib.getExe' cfg.package "crowdsec"} -c ${configFile} -t -error" ]; - LogLevelMax=5; + LogLevelMax = 5; }; }; }; @@ -787,32 +779,32 @@ in "10-crowdsec" = builtins.listToAttrs ( map - (dirName: { - inherit cfg; - name = lib.strings.normalizePath dirName; - value = { - d = { - user = cfg.user; - group = cfg.group; - mode = "0750"; - }; + (dirName: { + inherit cfg; + name = lib.strings.normalizePath dirName; + value = { + d = { + user = cfg.user; + group = cfg.group; + mode = "0750"; }; - }) - [ - stateDir - hubDir - confDir - localScenariosDir - localPostOverflowsDir - localPostOverflowsS01WhitelistDir - parsersDir - localParsersS00RawDir - localParsersS01ParseDir - localParsersS02EnrichDir - localContextsDir - notificationsDir - pluginDir - ] + }; + }) + [ + stateDir + hubDir + confDir + localScenariosDir + localPostOverflowsDir + localPostOverflowsS01WhitelistDir + parsersDir + localParsersS00RawDir + localParsersS01ParseDir + localParsersS02EnrichDir + localContextsDir + notificationsDir + pluginDir + ] ) // builtins.listToAttrs ( map (scenarioFile: { @@ -824,7 +816,8 @@ in argument = "${scenarioFile}"; }; }; - }) localScenariosMap + }) + localScenariosMap ) // builtins.listToAttrs ( map (parser: { 
@@ -836,7 +829,8 @@ in argument = "${parser}"; }; }; - }) localParsersS00RawMap + }) + localParsersS00RawMap ) // builtins.listToAttrs ( map (parser: { @@ -848,7 +842,8 @@ in argument = "${parser}"; }; }; - }) localParsersS01ParseMap + }) + localParsersS01ParseMap ) // builtins.listToAttrs ( map (parser: { @@ -860,7 +855,8 @@ in argument = "${parser}"; }; }; - }) localParsersS02EnrichMap + }) + localParsersS02EnrichMap ) // builtins.listToAttrs ( map (postoverflow: { @@ -872,7 +868,8 @@ in argument = "${postoverflow}"; }; }; - }) localPostOverflowsS01WhitelistMap + }) + localPostOverflowsS01WhitelistMap ) // builtins.listToAttrs ( map (context: { @@ -884,7 +881,8 @@ in argument = "${context}"; }; }; - }) localContextsMap + }) + localContextsMap ) // builtins.listToAttrs ( map (notification: { @@ -896,7 +894,8 @@ in argument = "${notification}"; }; }; - }) localNotificationsMap + }) + localNotificationsMap ); }; @@ -905,10 +904,10 @@ in description = lib.mkDefault "CrowdSec service user"; isSystemUser = true; group = cfg.group; - extraGroups = [ "systemd-journal" ]; + extraGroups = ["systemd-journal"]; }; - users.groups.${cfg.group} = lib.mapAttrs (name: lib.mkDefault) { }; + users.groups.${cfg.group} = lib.mapAttrs (name: lib.mkDefault) {}; networking.firewall.allowedTCPPorts = lib.mkIf cfg.openFirewall [ 6060 diff --git a/secrets.nix b/secrets.nix index ecf641f..73b43a0 100644 --- a/secrets.nix +++ b/secrets.nix @@ -41,7 +41,7 @@ in { "secrets/cs-lapi-key.age".publicKeys = users ++ systems; "secrets/jellyfin-lapi-key.age".publicKeys = [tbarnouin jellyfin]; - + "secrets/redis-lapi-key.age".publicKeys = [tbarnouin redis]; "services/qbittorrent-vpn/secrets/docker-gluetun-env.age".publicKeys = [tbarnouin qbittorrent-vpn]; diff --git a/services/collabora/default.nix b/services/collabora/default.nix index ee1bf74..8d15c2a 100644 --- a/services/collabora/default.nix +++ b/services/collabora/default.nix 
@@ -17,14 +17,14 @@ in { ssl.enable = false; ssl.termination = true; net = { - proto= "IPv4"; + proto = "IPv4"; listen = "0.0.0.0"; - post_allow.host = [ ''192\.168\.1\.[0-9]{1,3}'' ]; - lok_allow.host = [ ''192\.168\.1\.[0-9]{1,3}'' ]; + post_allow.host = [''192\.168\.1\.[0-9]{1,3}'']; + lok_allow.host = [''192\.168\.1\.[0-9]{1,3}'']; }; storage.wopi = { "@allow" = true; - host = [ "cloud.le43.eu" ]; + host = ["cloud.le43.eu"]; }; remote_font_config.url = "https://cloud.le43.eu/apps/richdocuments/settings/fonts.json"; server_name = "collabora.le43.eu"; diff --git a/services/forgejo/default.nix b/services/forgejo/default.nix index dc4187c..c49675f 100644 --- a/services/forgejo/default.nix +++ b/services/forgejo/default.nix @@ -31,7 +31,7 @@ in { acquisitions = [ { source = "journalctl"; - journalctl_filter = [ "_SYSTEMD_UNIT=forgejo.service" ]; + journalctl_filter = ["_SYSTEMD_UNIT=forgejo.service"]; labels = { type = "syslog"; }; diff --git a/services/grafana/default.nix b/services/grafana/default.nix index 01386de..82e72f2 100644 --- a/services/grafana/default.nix +++ b/services/grafana/default.nix @@ -47,7 +47,7 @@ in { acquisitions = [ { source = "journalctl"; - journalctl_filter = [ "_SYSTEMD_UNIT=grafana.service" ]; + journalctl_filter = ["_SYSTEMD_UNIT=grafana.service"]; labels = { type = "journald"; }; diff --git a/services/jellyfin-nvidia/default.nix b/services/jellyfin-nvidia/default.nix index 9acce30..6375d4e 100644 --- a/services/jellyfin-nvidia/default.nix +++ b/services/jellyfin-nvidia/default.nix @@ -16,11 +16,11 @@ in { ]; }; # Nvidia Hardware Acceleration config - services.xserver.videoDrivers = [ "nvidia" ]; + services.xserver.videoDrivers = ["nvidia"]; hardware = { graphics = { enable = true; - extraPackages = with pkgs; [ cudaPackages.cudatoolkit ]; + extraPackages = with pkgs; [cudaPackages.cudatoolkit]; }; nvidia = { package = config.boot.kernelPackages.nvidiaPackages.latest; 
@@ -32,7 +32,7 @@ in { # of just the bare essentials. powerManagement.enable = false; powerManagement.finegrained = false; - + # Use the NVidia open source kernel module # Recommended by Nvidia for 20+ series GPU open = true; diff --git a/services/jellyfin/default.nix b/services/jellyfin/default.nix index 8af5929..4c62cf5 100644 --- a/services/jellyfin/default.nix +++ b/services/jellyfin/default.nix @@ -21,7 +21,7 @@ in { }; systemd.services.jellyfin.environment.LIBVA_DRIVER_NAME = "iHD"; environment = { - sessionVariables = { LIBVA_DRIVER_NAME = "iHD"; }; + sessionVariables = {LIBVA_DRIVER_NAME = "iHD";}; systemPackages = with pkgs; [ cifs-utils s-tui @@ -56,7 +56,7 @@ in { acquisitions = [ { source = "journalctl"; - journalctl_filter = [ "_SYSTEMD_UNIT=jellyfin.service" ]; + journalctl_filter = ["_SYSTEMD_UNIT=jellyfin.service"]; labels = { type = "syslog"; }; @@ -64,7 +64,7 @@ in { ]; }; }; - jellyfin= { + jellyfin = { enable = true; user = "tbarnouin"; openFirewall = true; diff --git a/services/netbox/default.nix b/services/netbox/default.nix index 7e634e9..d2257b5 100644 --- a/services/netbox/default.nix +++ b/services/netbox/default.nix @@ -15,9 +15,8 @@ in { }; config = lib.mkIf cfg.enable { age.secrets.netbox-lapi-key = { - file = ../../secrets/netbox-lapi-key.age; - owner = "crowdsec"; - }; + file = ../../secrets/netbox-lapi-key.age; + owner = "crowdsec"; }; services = { crowdsec = { @@ -26,7 +25,7 @@ in { acquisitions = [ { source = "journalctl"; - journalctl_filter = [ "_SYSTEMD_UNIT=netbox.service" ]; + journalctl_filter = ["_SYSTEMD_UNIT=netbox.service"]; labels = { type = "syslog"; }; diff --git a/services/nginx/default.nix b/services/nginx/default.nix index 401d4a6..b18158d 100644 --- a/services/nginx/default.nix +++ b/services/nginx/default.nix 
@@ -59,7 +59,7 @@ in { localConfig.acquisitions = [ { source = "journalctl"; - journalctl_filter = [ "_SYSTEMD_UNIT=nginx.service" ]; + journalctl_filter = ["_SYSTEMD_UNIT=nginx.service"]; labels = { type = "syslog"; }; diff --git a/services/nixarr/default.nix b/services/nixarr/default.nix index 8ef1d24..daccd54 100644 --- a/services/nixarr/default.nix +++ b/services/nixarr/default.nix @@ -33,35 +33,35 @@ in { acquisitions = [ { source = "journalctl"; - journalctl_filter = [ "_SYSTEMD_UNIT=radarr.service" ]; + journalctl_filter = ["_SYSTEMD_UNIT=radarr.service"]; labels = { type = "syslog"; }; } { source = "journalctl"; - journalctl_filter = [ "_SYSTEMD_UNIT=sonarr.service" ]; + journalctl_filter = ["_SYSTEMD_UNIT=sonarr.service"]; labels = { type = "syslog"; }; } { source = "journalctl"; - journalctl_filter = [ "_SYSTEMD_UNIT=bazarr.service" ]; + journalctl_filter = ["_SYSTEMD_UNIT=bazarr.service"]; labels = { type = "syslog"; }; } { source = "journalctl"; - journalctl_filter = [ "_SYSTEMD_UNIT=prowlarr.service" ]; + journalctl_filter = ["_SYSTEMD_UNIT=prowlarr.service"]; labels = { type = "syslog"; }; } { source = "journalctl"; - journalctl_filter = [ "_SYSTEMD_UNIT=jellyseerr.service" ]; + journalctl_filter = ["_SYSTEMD_UNIT=jellyseerr.service"]; labels = { type = "syslog"; }; diff --git a/services/postgresql/default.nix b/services/postgresql/default.nix index f26c865..c97a620 100644 --- a/services/postgresql/default.nix +++ b/services/postgresql/default.nix @@ -50,7 +50,7 @@ in { acquisitions = [ { source = "journalctl"; - journalctl_filter = [ "_SYSTEMD_UNIT=postgresql.service" ]; + journalctl_filter = ["_SYSTEMD_UNIT=postgresql.service"]; labels = { type = "syslog"; }; diff --git a/services/redis/default.nix b/services/redis/default.nix index aa3e705..3492285 100644 --- a/services/redis/default.nix +++ b/services/redis/default.nix 
@@ -21,7 +21,7 @@ in { acquisitions = [ { source = "journalctl"; - journalctl_filter = [ "_SYSTEMD_UNIT=redis.service" ]; + journalctl_filter = ["_SYSTEMD_UNIT=redis.service"]; labels = { type = "syslog"; }; diff --git a/systems/minimalLXCConfig.nix b/systems/minimalLXCConfig.nix index e88dd7d..8ab6b08 100644 --- a/systems/minimalLXCConfig.nix +++ b/systems/minimalLXCConfig.nix @@ -1,7 +1,4 @@ -{ - pkgs, - ... -}: { +{pkgs, ...}: { nix = { settings.experimental-features = ["nix-command" "flakes"]; settings.trusted-users = ["root" "@wheel"]; @@ -9,10 +6,10 @@ nixpkgs.overlays = [ (final: prev: { - crowdsec = prev.crowdsec.overrideAttrs ( prev: rec { + crowdsec = prev.crowdsec.overrideAttrs (prev: rec { pname = "crowdsec"; version = "1.6.4"; - src = pkgs.fetchFromGitHub { + src = pkgs.fetchFromGitHub { owner = "crowdsecurity"; repo = "${pname}"; tag = "v${version}"; diff --git a/systems/minimalVMConfig.nix b/systems/minimalVMConfig.nix index 96c12e2..fecf2c1 100644 --- a/systems/minimalVMConfig.nix +++ b/systems/minimalVMConfig.nix @@ -1,7 +1,4 @@ -{ - pkgs, - ... -}: { +{pkgs, ...}: { nix = { settings.experimental-features = ["nix-command" "flakes"]; settings.trusted-users = ["root" "@wheel"]; @@ -9,10 +6,10 @@ nixpkgs.overlays = [ (final: prev: { - crowdsec = prev.crowdsec.overrideAttrs ( prev: rec { + crowdsec = prev.crowdsec.overrideAttrs (prev: rec { pname = "crowdsec"; version = "1.6.4"; - src = pkgs.fetchFromGitHub { + src = pkgs.fetchFromGitHub { owner = "crowdsecurity"; repo = "${pname}"; tag = "v${version}";