Try pre-commit and formatting with alejandra

Théo Barnouin 2025-06-05 10:41:53 +02:00
parent 0eb6154c32
commit 32b60f1ff9
16 changed files with 325 additions and 248 deletions

flake.lock generated

@ -105,6 +105,22 @@
"type": "github" "type": "github"
} }
}, },
"flake-compat": {
"flake": false,
"locked": {
"lastModified": 1696426674,
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-utils": { "flake-utils": {
"inputs": { "inputs": {
"systems": "systems_2" "systems": "systems_2"
@ -140,6 +156,27 @@
"type": "indirect" "type": "indirect"
} }
}, },
"gitignore": {
"inputs": {
"nixpkgs": [
"pre-commit-hooks",
"nixpkgs"
]
},
"locked": {
"lastModified": 1709087332,
"narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
"owner": "hercules-ci",
"repo": "gitignore.nix",
"rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "gitignore.nix",
"type": "github"
}
},
"home-manager": { "home-manager": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
@ -215,12 +252,49 @@
"type": "github" "type": "github"
} }
}, },
"nixpkgs_3": {
"locked": {
"lastModified": 1730768919,
"narHash": "sha256-8AKquNnnSaJRXZxc5YmF/WfmxiHX6MMZZasRP6RRQkE=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "a04d33c0c3f1a59a2c1cb0c6e34cd24500e5a1dc",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixpkgs-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"pre-commit-hooks": {
"inputs": {
"flake-compat": "flake-compat",
"gitignore": "gitignore",
"nixpkgs": "nixpkgs_3"
},
"locked": {
"lastModified": 1747372754,
"narHash": "sha256-2Y53NGIX2vxfie1rOW0Qb86vjRZ7ngizoo+bnXU9D9k=",
"owner": "cachix",
"repo": "git-hooks.nix",
"rev": "80479b6ec16fefd9c1db3ea13aeb038c60530f46",
"type": "github"
},
"original": {
"owner": "cachix",
"repo": "git-hooks.nix",
"type": "github"
}
},
"root": { "root": {
"inputs": { "inputs": {
"agenix": "agenix", "agenix": "agenix",
"crowdsec": "crowdsec", "crowdsec": "crowdsec",
"home-manager": "home-manager_2", "home-manager": "home-manager_2",
"nixpkgs": "nixpkgs_2" "nixpkgs": "nixpkgs_2",
"pre-commit-hooks": "pre-commit-hooks"
} }
}, },
"rust-overlay": { "rust-overlay": {


@ -3,6 +3,7 @@
inputs = { inputs = {
nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.05"; nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.05";
pre-commit-hooks.url = "github:cachix/git-hooks.nix";
home-manager = { home-manager = {
url = "github:nix-community/home-manager/release-25.05"; url = "github:nix-community/home-manager/release-25.05";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
@ -27,11 +28,21 @@
proxy_host = "192.168.1.40"; proxy_host = "192.168.1.40";
pgsql_host = "192.168.1.13"; pgsql_host = "192.168.1.13";
pkgs = import nixpkgs {inherit system;}; pkgs = import nixpkgs {inherit system;};
supportedSystems = ["x86_64-linux"];
forAllSystems = nixpkgs.lib.genAttrs supportedSystems;
in { in {
checks = forAllSystems (system: {
pre-commit-check = inputs.pre-commit-hooks.lib.${system}.run {
src = ./.;
hooks = {
alejandra.enable = true;
};
};
});
nixosConfigurations = { nixosConfigurations = {
nginx = nixpkgs.lib.nixosSystem { nginx = nixpkgs.lib.nixosSystem {
inherit system; inherit system;
specialArgs = { inherit inputs; }; specialArgs = {inherit inputs;};
modules = [ modules = [
agenix.nixosModules.default agenix.nixosModules.default
crowdsec.nixosModules.crowdsec-firewall-bouncer crowdsec.nixosModules.crowdsec-firewall-bouncer
@ -52,7 +63,7 @@
}; };
pgsql = nixpkgs.lib.nixosSystem { pgsql = nixpkgs.lib.nixosSystem {
inherit system; inherit system;
specialArgs = { inherit inputs; }; specialArgs = {inherit inputs;};
modules = [ modules = [
agenix.nixosModules.default agenix.nixosModules.default
crowdsec.nixosModules.crowdsec-firewall-bouncer crowdsec.nixosModules.crowdsec-firewall-bouncer
@ -70,7 +81,7 @@
}; };
forgejo = nixpkgs.lib.nixosSystem { forgejo = nixpkgs.lib.nixosSystem {
inherit system; inherit system;
specialArgs = { inherit inputs; }; specialArgs = {inherit inputs;};
modules = [ modules = [
agenix.nixosModules.default agenix.nixosModules.default
crowdsec.nixosModules.crowdsec-firewall-bouncer crowdsec.nixosModules.crowdsec-firewall-bouncer
@ -89,7 +100,7 @@
}; };
onlyoffice = nixpkgs.lib.nixosSystem { onlyoffice = nixpkgs.lib.nixosSystem {
inherit system; inherit system;
specialArgs = { inherit inputs; }; specialArgs = {inherit inputs;};
modules = [ modules = [
agenix.nixosModules.default agenix.nixosModules.default
crowdsec.nixosModules.crowdsec-firewall-bouncer crowdsec.nixosModules.crowdsec-firewall-bouncer
@ -108,7 +119,7 @@
}; };
template = nixpkgs.lib.nixosSystem { template = nixpkgs.lib.nixosSystem {
inherit system; inherit system;
specialArgs = { inherit inputs; }; specialArgs = {inherit inputs;};
modules = [ modules = [
agenix.nixosModules.default agenix.nixosModules.default
crowdsec.nixosModules.crowdsec-firewall-bouncer crowdsec.nixosModules.crowdsec-firewall-bouncer
@ -123,7 +134,7 @@
}; };
jellyfin = nixpkgs.lib.nixosSystem { jellyfin = nixpkgs.lib.nixosSystem {
inherit system; inherit system;
specialArgs = { inherit inputs; }; specialArgs = {inherit inputs;};
modules = [ modules = [
agenix.nixosModules.default agenix.nixosModules.default
crowdsec.nixosModules.crowdsec-firewall-bouncer crowdsec.nixosModules.crowdsec-firewall-bouncer
@ -140,7 +151,7 @@
}; };
qbittorrent-vpn = nixpkgs.lib.nixosSystem { qbittorrent-vpn = nixpkgs.lib.nixosSystem {
inherit system; inherit system;
specialArgs = { inherit inputs; }; specialArgs = {inherit inputs;};
modules = [ modules = [
agenix.nixosModules.default agenix.nixosModules.default
crowdsec.nixosModules.crowdsec-firewall-bouncer crowdsec.nixosModules.crowdsec-firewall-bouncer
@ -157,7 +168,7 @@
}; };
nixarr = nixpkgs.lib.nixosSystem { nixarr = nixpkgs.lib.nixosSystem {
inherit system; inherit system;
specialArgs = { inherit inputs; }; specialArgs = {inherit inputs;};
modules = [ modules = [
agenix.nixosModules.default agenix.nixosModules.default
crowdsec.nixosModules.crowdsec-firewall-bouncer crowdsec.nixosModules.crowdsec-firewall-bouncer
@ -174,7 +185,7 @@
}; };
arr-box = nixpkgs.lib.nixosSystem { arr-box = nixpkgs.lib.nixosSystem {
inherit system; inherit system;
specialArgs = { inherit inputs; }; specialArgs = {inherit inputs;};
modules = [ modules = [
agenix.nixosModules.default agenix.nixosModules.default
crowdsec.nixosModules.crowdsec-firewall-bouncer crowdsec.nixosModules.crowdsec-firewall-bouncer
@ -191,7 +202,7 @@
}; };
redis = nixpkgs.lib.nixosSystem { redis = nixpkgs.lib.nixosSystem {
inherit system; inherit system;
specialArgs = { inherit inputs; }; specialArgs = {inherit inputs;};
modules = [ modules = [
agenix.nixosModules.default agenix.nixosModules.default
crowdsec.nixosModules.crowdsec-firewall-bouncer crowdsec.nixosModules.crowdsec-firewall-bouncer
@ -209,7 +220,7 @@
}; };
grafana-lxc = nixpkgs.lib.nixosSystem { grafana-lxc = nixpkgs.lib.nixosSystem {
inherit system; inherit system;
specialArgs = { inherit inputs; }; specialArgs = {inherit inputs;};
modules = [ modules = [
agenix.nixosModules.default agenix.nixosModules.default
crowdsec.nixosModules.crowdsec-firewall-bouncer crowdsec.nixosModules.crowdsec-firewall-bouncer
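Review bot: The new `pre-commit-hooks` input at the top of the hunk is declared without `inputs.nixpkgs.follows = "nixpkgs"`, unlike `home-manager` directly below it, so flake.lock now carries a second nixpkgs (`nixpkgs_3`, pinned to `nixpkgs-unstable`) used only by this input — one more tree to track for updates, and the formatter check evaluates against a different package set from the hosts. Use the same attrset form as the other inputs: `pre-commit-hooks = { url = "github:cachix/git-hooks.nix"; inputs.nixpkgs.follows = "nixpkgs"; };`. Separately, `checks = forAllSystems (system: …)` shadows the `system` bound in the enclosing `let` (the one `pkgs` and every `inherit system` below rely on); renaming the lambda parameter, or dropping `forAllSystems` since `supportedSystems` holds the single existing value, would avoid the confusion. Defining the check alone also does not install the git hook — unless a devShell elsewhere consumes `self.checks.${system}.pre-commit-check.shellHook`, alejandra only runs under `nix flake check`. The `outputs` body this sits in starts and ends outside the hunk.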


@ -3,10 +3,8 @@
pkgs, pkgs,
lib, lib,
... ...
}: }: let
let format = pkgs.formats.yaml {};
format = pkgs.formats.yaml { };
rootDir = "/var/lib/crowdsec"; rootDir = "/var/lib/crowdsec";
stateDir = "${rootDir}/state"; stateDir = "${rootDir}/state";
@ -22,14 +20,11 @@ let
localParsersS01ParseDir = "${parsersDir}/s01-parse/"; localParsersS01ParseDir = "${parsersDir}/s01-parse/";
localParsersS02EnrichDir = "${parsersDir}/s02-enrich/"; localParsersS02EnrichDir = "${parsersDir}/s02-enrich/";
localContextsDir = "${confDir}/contexts/"; localContextsDir = "${confDir}/contexts/";
in {
in
{
options.services.crowdsec = with lib; { options.services.crowdsec = with lib; {
enable = mkEnableOption "CrowdSec Security Engine"; enable = mkEnableOption "CrowdSec Security Engine";
package = mkPackageOption pkgs "crowdsec" { }; package = mkPackageOption pkgs "crowdsec" {};
autoUpdateService = mkEnableOption "Auto Hub Update"; autoUpdateService = mkEnableOption "Auto Hub Update";
@ -61,7 +56,7 @@ in
options = { options = {
acquisitions = mkOption { acquisitions = mkOption {
type = types.listOf format.type; type = types.listOf format.type;
default = [ ]; default = [];
description = '' description = ''
A list of acquisition specifications, which define the data sources you want to be parsed. A list of acquisition specifications, which define the data sources you want to be parsed.
See <https://docs.crowdsec.net/docs/data_sources/intro> for details. See <https://docs.crowdsec.net/docs/data_sources/intro> for details.
@ -69,7 +64,7 @@ in
example = [ example = [
{ {
source = "journalctl"; source = "journalctl";
journalctl_filter = [ "_SYSTEMD_UNIT=sshd.service" ]; journalctl_filter = ["_SYSTEMD_UNIT=sshd.service"];
labels = { labels = {
type = "syslog"; type = "syslog";
}; };
@ -78,7 +73,7 @@ in
}; };
scenarios = mkOption { scenarios = mkOption {
type = types.listOf format.type; type = types.listOf format.type;
default = [ ]; default = [];
description = '' description = ''
A list of scenarios specifications. A list of scenarios specifications.
See <https://docs.crowdsec.net/docs/scenarios/intro> for details. See <https://docs.crowdsec.net/docs/scenarios/intro> for details.
@ -100,7 +95,7 @@ in
options = { options = {
s00Raw = mkOption { s00Raw = mkOption {
type = types.listOf format.type; type = types.listOf format.type;
default = [ ]; default = [];
description = '' description = ''
A list of stage s00-raw specifications. Most of the time, those are already included in the hub, but are presented here anyway. A list of stage s00-raw specifications. Most of the time, those are already included in the hub, but are presented here anyway.
See <https://docs.crowdsec.net/docs/parsers/intro> for details. See <https://docs.crowdsec.net/docs/parsers/intro> for details.
@ -108,7 +103,7 @@ in
}; };
s01Parse = mkOption { s01Parse = mkOption {
type = types.listOf format.type; type = types.listOf format.type;
default = [ ]; default = [];
description = '' description = ''
A list of stage s01-parse specifications. A list of stage s01-parse specifications.
See <https://docs.crowdsec.net/docs/parsers/intro> for details. See <https://docs.crowdsec.net/docs/parsers/intro> for details.
@ -135,7 +130,7 @@ in
}; };
s02Enrich = mkOption { s02Enrich = mkOption {
type = types.listOf format.type; type = types.listOf format.type;
default = [ ]; default = [];
description = '' description = ''
A list of stage s02-enrich specifications. Inside this list, you can specify Parser Whitelists. A list of stage s02-enrich specifications. Inside this list, you can specify Parser Whitelists.
See <https://docs.crowdsec.net/docs/whitelist/intro> for details. See <https://docs.crowdsec.net/docs/whitelist/intro> for details.
@ -158,14 +153,14 @@ in
}; };
}; };
}; };
default = { }; default = {};
}; };
postOverflows = mkOption { postOverflows = mkOption {
type = types.submodule { type = types.submodule {
options = { options = {
s01Whitelist = mkOption { s01Whitelist = mkOption {
type = types.listOf format.type; type = types.listOf format.type;
default = [ ]; default = [];
description = '' description = ''
A list of stage s01-whitelist specifications. Inside this list, you can specify Postoverflows Whitelists. A list of stage s01-whitelist specifications. Inside this list, you can specify Postoverflows Whitelists.
See <https://docs.crowdsec.net/docs/whitelist/intro> for details. See <https://docs.crowdsec.net/docs/whitelist/intro> for details.
@ -185,7 +180,7 @@ in
}; };
}; };
}; };
default = { }; default = {};
}; };
contexts = mkOption { contexts = mkOption {
type = types.listOf format.type; type = types.listOf format.type;
@ -196,14 +191,14 @@ in
example = [ example = [
{ {
context = { context = {
target_uri = [ "evt.Meta.http_path" ]; target_uri = ["evt.Meta.http_path"];
user_agent = [ "evt.Meta.http_user_agent" ]; user_agent = ["evt.Meta.http_user_agent"];
method = [ "evt.Meta.http_verb" ]; method = ["evt.Meta.http_verb"];
status = [ "evt.Meta.http_status" ]; status = ["evt.Meta.http_status"];
}; };
} }
]; ];
default = [ ]; default = [];
}; };
notifications = mkOption { notifications = mkOption {
type = types.listOf format.type; type = types.listOf format.type;
@ -223,7 +218,7 @@ in
method = "POST"; method = "POST";
} }
]; ];
default = [ ]; default = [];
}; };
profiles = mkOption { profiles = mkOption {
type = types.listOf format.type; type = types.listOf format.type;
@ -290,14 +285,14 @@ in
}; };
patterns = mkOption { patterns = mkOption {
type = types.listOf types.package; type = types.listOf types.package;
default = [ ]; default = [];
example = lib.literalExpression '' example = lib.literalExpression ''
[ (pkgs.writeTextDir "custom_service_logs" (builtins.readFile ./custom_service_logs)) ] [ (pkgs.writeTextDir "custom_service_logs" (builtins.readFile ./custom_service_logs)) ]
''; '';
}; };
}; };
}; };
default = { }; default = {};
}; };
hub = mkOption { hub = mkOption {
@ -305,48 +300,48 @@ in
options = { options = {
collections = mkOption { collections = mkOption {
type = types.listOf types.str; type = types.listOf types.str;
default = [ ]; default = [];
description = "List of hub collections to install"; description = "List of hub collections to install";
example = [ "crowdsecurity/linux" ]; example = ["crowdsecurity/linux"];
}; };
scenarios = mkOption { scenarios = mkOption {
type = types.listOf types.str; type = types.listOf types.str;
default = [ ]; default = [];
description = "List of hub scenarios to install"; description = "List of hub scenarios to install";
example = [ "crowdsecurity/ssh-bf" ]; example = ["crowdsecurity/ssh-bf"];
}; };
parsers = mkOption { parsers = mkOption {
type = types.listOf types.str; type = types.listOf types.str;
default = [ ]; default = [];
description = "List of hub parsers to install"; description = "List of hub parsers to install";
example = [ "crowdsecurity/sshd-logs" ]; example = ["crowdsecurity/sshd-logs"];
}; };
postOverflows = mkOption { postOverflows = mkOption {
type = types.listOf types.str; type = types.listOf types.str;
default = [ ]; default = [];
description = "List of hub postoverflows to install"; description = "List of hub postoverflows to install";
example = [ "crowdsecurity/auditd-nix-wrappers-whitelist-process" ]; example = ["crowdsecurity/auditd-nix-wrappers-whitelist-process"];
}; };
appSecConfigs = mkOption { appSecConfigs = mkOption {
type = types.listOf types.str; type = types.listOf types.str;
default = [ ]; default = [];
description = "List of hub appsec configurations to install"; description = "List of hub appsec configurations to install";
example = [ "crowdsecurity/appsec-default" ]; example = ["crowdsecurity/appsec-default"];
}; };
appSecRules = mkOption { appSecRules = mkOption {
type = types.listOf types.str; type = types.listOf types.str;
default = [ ]; default = [];
description = "List of hub appsec rules to install"; description = "List of hub appsec rules to install";
example = [ "crowdsecurity/base-config" ]; example = ["crowdsecurity/base-config"];
}; };
}; };
}; };
default = { }; default = {};
description = '' description = ''
Hub collections, parsers, AppSec rules, etc. Hub collections, parsers, AppSec rules, etc.
''; '';
@ -361,7 +356,7 @@ in
Refer to the defaults at <https://github.com/crowdsecurity/crowdsec/blob/master/config/config.yaml>. Refer to the defaults at <https://github.com/crowdsecurity/crowdsec/blob/master/config/config.yaml>.
''; '';
type = format.type; type = format.type;
default = { }; default = {};
}; };
simulation = mkOption { simulation = mkOption {
type = format.type; type = format.type;
@ -389,7 +384,7 @@ in
description = '' description = ''
LAPI Configuration attributes LAPI Configuration attributes
''; '';
default = { }; default = {};
}; };
capi = mkOption { capi = mkOption {
type = types.submodule { type = types.submodule {
@ -407,7 +402,7 @@ in
description = '' description = ''
CAPI Configuration attributes CAPI Configuration attributes
''; '';
default = { }; default = {};
}; };
console = mkOption { console = mkOption {
type = types.submodule { type = types.submodule {
@ -437,14 +432,13 @@ in
description = '' description = ''
Console Configuration attributes Console Configuration attributes
''; '';
default = { }; default = {};
}; };
}; };
}; };
}; };
}; };
config = config = let
let
cfg = config.services.crowdsec; cfg = config.services.crowdsec;
configFile = format.generate "crowdsec.yaml" cfg.settings.general; configFile = format.generate "crowdsec.yaml" cfg.settings.general;
simulationFile = format.generate "simulation.yaml" cfg.settings.simulation; simulationFile = format.generate "simulation.yaml" cfg.settings.simulation;
@ -460,7 +454,7 @@ in
cscli = pkgs.writeShellScriptBin "cscli" '' cscli = pkgs.writeShellScriptBin "cscli" ''
set -euo pipefail set -euo pipefail
# cscli needs crowdsec on it's path in order to be able to run `cscli explain` # cscli needs crowdsec on it's path in order to be able to run `cscli explain`
export PATH="$PATH:${lib.makeBinPath [ cfg.package ]}" export PATH="$PATH:${lib.makeBinPath [cfg.package]}"
sudo=exec sudo=exec
if [ "$USER" != "${cfg.user}" ]; then if [ "$USER" != "${cfg.user}" ]; then
sudo='exec /run/wrappers/bin/sudo -u ${cfg.user}' sudo='exec /run/wrappers/bin/sudo -u ${cfg.user}'
@ -468,7 +462,7 @@ in
$sudo ${lib.getExe' cfg.package "cscli"} -c=${configFile} "$@" $sudo ${lib.getExe' cfg.package "cscli"} -c=${configFile} "$@"
''; '';
localScenariosMap = (map (format.generate "scenario.yaml") cfg.localConfig.scenarios); localScenariosMap = map (format.generate "scenario.yaml") cfg.localConfig.scenarios;
localParsersS00RawMap = ( localParsersS00RawMap = (
map (format.generate "parsers-s00-raw.yaml") cfg.localConfig.parsers.s00Raw map (format.generate "parsers-s00-raw.yaml") cfg.localConfig.parsers.s00Raw
); );
@ -481,8 +475,8 @@ in
localPostOverflowsS01WhitelistMap = ( localPostOverflowsS01WhitelistMap = (
map (format.generate "postoverflows-s01-whitelist.yaml") cfg.localConfig.postOverflows.s01Whitelist map (format.generate "postoverflows-s01-whitelist.yaml") cfg.localConfig.postOverflows.s01Whitelist
); );
localContextsMap = (map (format.generate "context.yaml") cfg.localConfig.contexts); localContextsMap = map (format.generate "context.yaml") cfg.localConfig.contexts;
localNotificationsMap = (map (format.generate "notification.yaml") cfg.localConfig.notifications); localNotificationsMap = map (format.generate "notification.yaml") cfg.localConfig.notifications;
localProfilesFile = pkgs.writeText "local_profiles.yaml" '' localProfilesFile = pkgs.writeText "local_profiles.yaml" ''
--- ---
${lib.strings.concatMapStringsSep "\n---\n" builtins.toJSON cfg.localConfig.profiles} ${lib.strings.concatMapStringsSep "\n---\n" builtins.toJSON cfg.localConfig.profiles}
@ -499,32 +493,32 @@ in
"set -euo pipefail" "set -euo pipefail"
"${lib.getExe cscli} hub update" "${lib.getExe cscli} hub update"
] ]
++ lib.optionals (cfg.hub.collections != [ ]) [ ++ lib.optionals (cfg.hub.collections != []) [
"${lib.getExe cscli} collections install ${ "${lib.getExe cscli} collections install ${
lib.strings.concatMapStringsSep " " (x: lib.escapeShellArg x) cfg.hub.collections lib.strings.concatMapStringsSep " " (x: lib.escapeShellArg x) cfg.hub.collections
}" }"
] ]
++ lib.optionals (cfg.hub.scenarios != [ ]) [ ++ lib.optionals (cfg.hub.scenarios != []) [
"${lib.getExe cscli} scenarios install ${ "${lib.getExe cscli} scenarios install ${
lib.strings.concatMapStringsSep " " (x: lib.escapeShellArg x) cfg.hub.scenarios lib.strings.concatMapStringsSep " " (x: lib.escapeShellArg x) cfg.hub.scenarios
}" }"
] ]
++ lib.optionals (cfg.hub.parsers != [ ]) [ ++ lib.optionals (cfg.hub.parsers != []) [
"${lib.getExe cscli} parsers install ${ "${lib.getExe cscli} parsers install ${
lib.strings.concatMapStringsSep " " (x: lib.escapeShellArg x) cfg.hub.parsers lib.strings.concatMapStringsSep " " (x: lib.escapeShellArg x) cfg.hub.parsers
}" }"
] ]
++ lib.optionals (cfg.hub.postOverflows != [ ]) [ ++ lib.optionals (cfg.hub.postOverflows != []) [
"${lib.getExe cscli} postoverflows install ${ "${lib.getExe cscli} postoverflows install ${
lib.strings.concatMapStringsSep " " (x: lib.escapeShellArg x) cfg.hub.postOverflows lib.strings.concatMapStringsSep " " (x: lib.escapeShellArg x) cfg.hub.postOverflows
}" }"
] ]
++ lib.optionals (cfg.hub.appSecConfigs != [ ]) [ ++ lib.optionals (cfg.hub.appSecConfigs != []) [
"${lib.getExe cscli} appsec-configs install ${ "${lib.getExe cscli} appsec-configs install ${
lib.strings.concatMapStringsSep " " (x: lib.escapeShellArg x) cfg.hub.appSecConfigs lib.strings.concatMapStringsSep " " (x: lib.escapeShellArg x) cfg.hub.appSecConfigs
}" }"
] ]
++ lib.optionals (cfg.hub.appSecRules != [ ]) [ ++ lib.optionals (cfg.hub.appSecRules != []) [
"${lib.getExe cscli} appsec-rules install ${ "${lib.getExe cscli} appsec-rules install ${
lib.strings.concatMapStringsSep " " (x: lib.escapeShellArg x) cfg.hub.appSecRules lib.strings.concatMapStringsSep " " (x: lib.escapeShellArg x) cfg.hub.appSecRules
}" }"
@ -554,16 +548,14 @@ in
setupScript = pkgs.writeShellScriptBin "crowdsec-setup" ( setupScript = pkgs.writeShellScriptBin "crowdsec-setup" (
lib.strings.concatStringsSep "\n" scriptArray lib.strings.concatStringsSep "\n" scriptArray
); );
in in
lib.mkIf (cfg.enable) { lib.mkIf (cfg.enable) {
warnings = warnings =
[ ] []
++ lib.optionals (cfg.localConfig.profiles == [ ]) [ ++ lib.optionals (cfg.localConfig.profiles == []) [
"By not specifying profiles in services.crowdsec.localConfig.profiles, CrowdSec will not react to any alert by default." "By not specifying profiles in services.crowdsec.localConfig.profiles, CrowdSec will not react to any alert by default."
] ]
++ lib.optionals (cfg.localConfig.acquisitions == [ ]) [ ++ lib.optionals (cfg.localConfig.acquisitions == []) [
"By not specifying acquisitions in services.crowdsec.localConfig.acquisitions, CrowdSec will not look for any data source." "By not specifying acquisitions in services.crowdsec.localConfig.acquisitions, CrowdSec will not look for any data source."
]; ];
@ -624,14 +616,14 @@ in
}; };
environment = { environment = {
systemPackages = [ cscli ]; systemPackages = [cscli];
}; };
systemd.packages = [ cfg.package ]; systemd.packages = [cfg.package];
systemd.timers.crowdsec-update-hub = lib.mkIf (cfg.autoUpdateService) { systemd.timers.crowdsec-update-hub = lib.mkIf (cfg.autoUpdateService) {
description = "Update the crowdsec hub index"; description = "Update the crowdsec hub index";
wantedBy = [ "timers.target" ]; wantedBy = ["timers.target"];
timerConfig = { timerConfig = {
OnCalendar = "daily"; OnCalendar = "daily";
Persistent = "yes"; Persistent = "yes";
@ -696,16 +688,16 @@ in
RestrictSUIDSGID = true; RestrictSUIDSGID = true;
ExecStart = "${lib.getExe cscli} --error hub update"; ExecStart = "${lib.getExe cscli} --error hub update";
ExecStartPost = "systemctl reload crowdsec.service"; ExecStartPost = "systemctl reload crowdsec.service";
LogLevelMax=5; LogLevelMax = 5;
}; };
}; };
crowdsec = { crowdsec = {
description = "CrowdSec is a free, modern & collaborative behavior detection engine, coupled with a global IP reputation network."; description = "CrowdSec is a free, modern & collaborative behavior detection engine, coupled with a global IP reputation network.";
wantedBy = [ "multi-user.target" ]; wantedBy = ["multi-user.target"];
after = [ "network-online.target" ]; after = ["network-online.target"];
wants = [ "network-online.target" ]; wants = ["network-online.target"];
path = lib.mkForce [ ]; path = lib.mkForce [];
environment = { environment = {
LC_ALL = "C"; LC_ALL = "C";
LANG = "C"; LANG = "C";
@ -778,7 +770,7 @@ in
"${lib.getExe setupScript}" "${lib.getExe setupScript}"
"${lib.getExe' cfg.package "crowdsec"} -c ${configFile} -t -error" "${lib.getExe' cfg.package "crowdsec"} -c ${configFile} -t -error"
]; ];
LogLevelMax=5; LogLevelMax = 5;
}; };
}; };
}; };
@ -824,7 +816,8 @@ in
argument = "${scenarioFile}"; argument = "${scenarioFile}";
}; };
}; };
}) localScenariosMap })
localScenariosMap
) )
// builtins.listToAttrs ( // builtins.listToAttrs (
map (parser: { map (parser: {
@ -836,7 +829,8 @@ in
argument = "${parser}"; argument = "${parser}";
}; };
}; };
}) localParsersS00RawMap })
localParsersS00RawMap
) )
// builtins.listToAttrs ( // builtins.listToAttrs (
map (parser: { map (parser: {
@ -848,7 +842,8 @@ in
argument = "${parser}"; argument = "${parser}";
}; };
}; };
}) localParsersS01ParseMap })
localParsersS01ParseMap
) )
// builtins.listToAttrs ( // builtins.listToAttrs (
map (parser: { map (parser: {
@ -860,7 +855,8 @@ in
argument = "${parser}"; argument = "${parser}";
}; };
}; };
}) localParsersS02EnrichMap })
localParsersS02EnrichMap
) )
// builtins.listToAttrs ( // builtins.listToAttrs (
map (postoverflow: { map (postoverflow: {
@ -872,7 +868,8 @@ in
argument = "${postoverflow}"; argument = "${postoverflow}";
}; };
}; };
}) localPostOverflowsS01WhitelistMap })
localPostOverflowsS01WhitelistMap
) )
// builtins.listToAttrs ( // builtins.listToAttrs (
map (context: { map (context: {
@ -884,7 +881,8 @@ in
argument = "${context}"; argument = "${context}";
}; };
}; };
}) localContextsMap })
localContextsMap
) )
// builtins.listToAttrs ( // builtins.listToAttrs (
map (notification: { map (notification: {
@ -896,7 +894,8 @@ in
argument = "${notification}"; argument = "${notification}";
}; };
}; };
}) localNotificationsMap })
localNotificationsMap
); );
}; };
@ -905,10 +904,10 @@ in
description = lib.mkDefault "CrowdSec service user"; description = lib.mkDefault "CrowdSec service user";
isSystemUser = true; isSystemUser = true;
group = cfg.group; group = cfg.group;
extraGroups = [ "systemd-journal" ]; extraGroups = ["systemd-journal"];
}; };
users.groups.${cfg.group} = lib.mapAttrs (name: lib.mkDefault) { }; users.groups.${cfg.group} = lib.mapAttrs (name: lib.mkDefault) {};
networking.firewall.allowedTCPPorts = lib.mkIf cfg.openFirewall [ networking.firewall.allowedTCPPorts = lib.mkIf cfg.openFirewall [
6060 6060


@ -17,14 +17,14 @@ in {
ssl.enable = false; ssl.enable = false;
ssl.termination = true; ssl.termination = true;
net = { net = {
proto= "IPv4"; proto = "IPv4";
listen = "0.0.0.0"; listen = "0.0.0.0";
post_allow.host = [ ''192\.168\.1\.[0-9]{1,3}'' ]; post_allow.host = [''192\.168\.1\.[0-9]{1,3}''];
lok_allow.host = [ ''192\.168\.1\.[0-9]{1,3}'' ]; lok_allow.host = [''192\.168\.1\.[0-9]{1,3}''];
}; };
storage.wopi = { storage.wopi = {
"@allow" = true; "@allow" = true;
host = [ "cloud.le43.eu" ]; host = ["cloud.le43.eu"];
}; };
remote_font_config.url = "https://cloud.le43.eu/apps/richdocuments/settings/fonts.json"; remote_font_config.url = "https://cloud.le43.eu/apps/richdocuments/settings/fonts.json";
server_name = "collabora.le43.eu"; server_name = "collabora.le43.eu";


@ -31,7 +31,7 @@ in {
acquisitions = [ acquisitions = [
{ {
source = "journalctl"; source = "journalctl";
journalctl_filter = [ "_SYSTEMD_UNIT=forgejo.service" ]; journalctl_filter = ["_SYSTEMD_UNIT=forgejo.service"];
labels = { labels = {
type = "syslog"; type = "syslog";
}; };


@ -47,7 +47,7 @@ in {
acquisitions = [ acquisitions = [
{ {
source = "journalctl"; source = "journalctl";
journalctl_filter = [ "_SYSTEMD_UNIT=grafana.service" ]; journalctl_filter = ["_SYSTEMD_UNIT=grafana.service"];
labels = { labels = {
type = "journald"; type = "journald";
}; };


@ -16,11 +16,11 @@ in {
]; ];
}; };
# Nvidia Hardware Acceleration config # Nvidia Hardware Acceleration config
services.xserver.videoDrivers = [ "nvidia" ]; services.xserver.videoDrivers = ["nvidia"];
hardware = { hardware = {
graphics = { graphics = {
enable = true; enable = true;
extraPackages = with pkgs; [ cudaPackages.cudatoolkit ]; extraPackages = with pkgs; [cudaPackages.cudatoolkit];
}; };
nvidia = { nvidia = {
package = config.boot.kernelPackages.nvidiaPackages.latest; package = config.boot.kernelPackages.nvidiaPackages.latest;


@ -21,7 +21,7 @@ in {
}; };
systemd.services.jellyfin.environment.LIBVA_DRIVER_NAME = "iHD"; systemd.services.jellyfin.environment.LIBVA_DRIVER_NAME = "iHD";
environment = { environment = {
sessionVariables = { LIBVA_DRIVER_NAME = "iHD"; }; sessionVariables = {LIBVA_DRIVER_NAME = "iHD";};
systemPackages = with pkgs; [ systemPackages = with pkgs; [
cifs-utils cifs-utils
s-tui s-tui
@ -56,7 +56,7 @@ in {
acquisitions = [ acquisitions = [
{ {
source = "journalctl"; source = "journalctl";
journalctl_filter = [ "_SYSTEMD_UNIT=jellyfin.service" ]; journalctl_filter = ["_SYSTEMD_UNIT=jellyfin.service"];
labels = { labels = {
type = "syslog"; type = "syslog";
}; };
@ -64,7 +64,7 @@ in {
]; ];
}; };
}; };
jellyfin= { jellyfin = {
enable = true; enable = true;
user = "tbarnouin"; user = "tbarnouin";
openFirewall = true; openFirewall = true;


@ -18,7 +18,6 @@ in {
file = ../../secrets/netbox-lapi-key.age; file = ../../secrets/netbox-lapi-key.age;
owner = "crowdsec"; owner = "crowdsec";
}; };
};
services = { services = {
crowdsec = { crowdsec = {
settings.lapi.credentialsFile = "${config.age.secrets.netbox-lapi-key.path}"; settings.lapi.credentialsFile = "${config.age.secrets.netbox-lapi-key.path}";
@ -26,7 +25,7 @@ in {
acquisitions = [ acquisitions = [
{ {
source = "journalctl"; source = "journalctl";
journalctl_filter = [ "_SYSTEMD_UNIT=netbox.service" ]; journalctl_filter = ["_SYSTEMD_UNIT=netbox.service"];
labels = { labels = {
type = "syslog"; type = "syslog";
}; };
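Review bot: The removed closing `};` in this hunk is a structural edit, not a formatter change like the rest of the commit, and the hunk does not show the opening of the attribute set it closed, so whether the file still parses depends on a line outside the hunk (the `-18,7 +18,6` header confirms a line was dropped rather than moved). None of the `nixosConfigurations` hunks in flake.nix in this commit names a netbox host, so `nix flake check` and the pending "Build Nix targets" job may never evaluate this module; `nix-instantiate --parse` on the file would confirm it is well-formed. The alejandra hook added in this commit will not catch this either, since it formats rather than evaluates. The enclosing module attrset starts and ends outside the hunk.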


@ -59,7 +59,7 @@ in {
localConfig.acquisitions = [ localConfig.acquisitions = [
{ {
source = "journalctl"; source = "journalctl";
journalctl_filter = [ "_SYSTEMD_UNIT=nginx.service" ]; journalctl_filter = ["_SYSTEMD_UNIT=nginx.service"];
labels = { labels = {
type = "syslog"; type = "syslog";
}; };


@ -33,35 +33,35 @@ in {
acquisitions = [ acquisitions = [
{ {
source = "journalctl"; source = "journalctl";
journalctl_filter = [ "_SYSTEMD_UNIT=radarr.service" ]; journalctl_filter = ["_SYSTEMD_UNIT=radarr.service"];
labels = { labels = {
type = "syslog"; type = "syslog";
}; };
} }
{ {
source = "journalctl"; source = "journalctl";
journalctl_filter = [ "_SYSTEMD_UNIT=sonarr.service" ]; journalctl_filter = ["_SYSTEMD_UNIT=sonarr.service"];
labels = { labels = {
type = "syslog"; type = "syslog";
}; };
} }
{ {
source = "journalctl"; source = "journalctl";
journalctl_filter = [ "_SYSTEMD_UNIT=bazarr.service" ]; journalctl_filter = ["_SYSTEMD_UNIT=bazarr.service"];
labels = { labels = {
type = "syslog"; type = "syslog";
}; };
} }
{ {
source = "journalctl"; source = "journalctl";
journalctl_filter = [ "_SYSTEMD_UNIT=prowlarr.service" ]; journalctl_filter = ["_SYSTEMD_UNIT=prowlarr.service"];
labels = { labels = {
type = "syslog"; type = "syslog";
}; };
} }
{ {
source = "journalctl"; source = "journalctl";
journalctl_filter = [ "_SYSTEMD_UNIT=jellyseerr.service" ]; journalctl_filter = ["_SYSTEMD_UNIT=jellyseerr.service"];
labels = { labels = {
type = "syslog"; type = "syslog";
}; };


@ -50,7 +50,7 @@ in {
acquisitions = [ acquisitions = [
{ {
source = "journalctl"; source = "journalctl";
journalctl_filter = [ "_SYSTEMD_UNIT=postgresql.service" ]; journalctl_filter = ["_SYSTEMD_UNIT=postgresql.service"];
labels = { labels = {
type = "syslog"; type = "syslog";
}; };


@ -21,7 +21,7 @@ in {
acquisitions = [ acquisitions = [
{ {
source = "journalctl"; source = "journalctl";
journalctl_filter = [ "_SYSTEMD_UNIT=redis.service" ]; journalctl_filter = ["_SYSTEMD_UNIT=redis.service"];
labels = { labels = {
type = "syslog"; type = "syslog";
}; };


@ -1,7 +1,4 @@
{ {pkgs, ...}: {
pkgs,
...
}: {
nix = { nix = {
settings.experimental-features = ["nix-command" "flakes"]; settings.experimental-features = ["nix-command" "flakes"];
settings.trusted-users = ["root" "@wheel"]; settings.trusted-users = ["root" "@wheel"];
@ -9,7 +6,7 @@
nixpkgs.overlays = [ nixpkgs.overlays = [
(final: prev: { (final: prev: {
crowdsec = prev.crowdsec.overrideAttrs ( prev: rec { crowdsec = prev.crowdsec.overrideAttrs (prev: rec {
pname = "crowdsec"; pname = "crowdsec";
version = "1.6.4"; version = "1.6.4";
src = pkgs.fetchFromGitHub { src = pkgs.fetchFromGitHub {


@ -1,7 +1,4 @@
{ {pkgs, ...}: {
pkgs,
...
}: {
nix = { nix = {
settings.experimental-features = ["nix-command" "flakes"]; settings.experimental-features = ["nix-command" "flakes"];
settings.trusted-users = ["root" "@wheel"]; settings.trusted-users = ["root" "@wheel"];
@ -9,7 +6,7 @@
nixpkgs.overlays = [ nixpkgs.overlays = [
(final: prev: { (final: prev: {
crowdsec = prev.crowdsec.overrideAttrs ( prev: rec { crowdsec = prev.crowdsec.overrideAttrs (prev: rec {
pname = "crowdsec"; pname = "crowdsec";
version = "1.6.4"; version = "1.6.4";
src = pkgs.fetchFromGitHub { src = pkgs.fetchFromGitHub {