Try pre-commit and formatting with alejandra

This commit is contained in:
Théo Barnouin 2025-06-05 10:41:53 +02:00
parent 0eb6154c32
commit 32b60f1ff9
16 changed files with 325 additions and 248 deletions

flake.lock generated

@ -105,6 +105,22 @@
"type": "github"
}
},
"flake-compat": {
"flake": false,
"locked": {
"lastModified": 1696426674,
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-utils": {
"inputs": {
"systems": "systems_2"
@ -140,6 +156,27 @@
"type": "indirect"
}
},
"gitignore": {
"inputs": {
"nixpkgs": [
"pre-commit-hooks",
"nixpkgs"
]
},
"locked": {
"lastModified": 1709087332,
"narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
"owner": "hercules-ci",
"repo": "gitignore.nix",
"rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "gitignore.nix",
"type": "github"
}
},
"home-manager": {
"inputs": {
"nixpkgs": [
@ -215,12 +252,49 @@
"type": "github"
}
},
"nixpkgs_3": {
"locked": {
"lastModified": 1730768919,
"narHash": "sha256-8AKquNnnSaJRXZxc5YmF/WfmxiHX6MMZZasRP6RRQkE=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "a04d33c0c3f1a59a2c1cb0c6e34cd24500e5a1dc",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixpkgs-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"pre-commit-hooks": {
"inputs": {
"flake-compat": "flake-compat",
"gitignore": "gitignore",
"nixpkgs": "nixpkgs_3"
},
"locked": {
"lastModified": 1747372754,
"narHash": "sha256-2Y53NGIX2vxfie1rOW0Qb86vjRZ7ngizoo+bnXU9D9k=",
"owner": "cachix",
"repo": "git-hooks.nix",
"rev": "80479b6ec16fefd9c1db3ea13aeb038c60530f46",
"type": "github"
},
"original": {
"owner": "cachix",
"repo": "git-hooks.nix",
"type": "github"
}
},
"root": {
"inputs": {
"agenix": "agenix",
"crowdsec": "crowdsec",
"home-manager": "home-manager_2",
"nixpkgs": "nixpkgs_2"
"nixpkgs": "nixpkgs_2",
"pre-commit-hooks": "pre-commit-hooks"
}
},
"rust-overlay": {


@ -3,6 +3,7 @@
inputs = {
nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.05";
pre-commit-hooks.url = "github:cachix/git-hooks.nix";
home-manager = {
url = "github:nix-community/home-manager/release-25.05";
inputs.nixpkgs.follows = "nixpkgs";
@ -27,11 +28,21 @@
proxy_host = "192.168.1.40";
pgsql_host = "192.168.1.13";
pkgs = import nixpkgs {inherit system;};
supportedSystems = ["x86_64-linux"];
forAllSystems = nixpkgs.lib.genAttrs supportedSystems;
in {
checks = forAllSystems (system: {
pre-commit-check = inputs.pre-commit-hooks.lib.${system}.run {
src = ./.;
hooks = {
alejandra.enable = true;
};
};
});
nixosConfigurations = {
nginx = nixpkgs.lib.nixosSystem {
inherit system;
specialArgs = { inherit inputs; };
specialArgs = {inherit inputs;};
modules = [
agenix.nixosModules.default
crowdsec.nixosModules.crowdsec-firewall-bouncer
@ -52,7 +63,7 @@
};
pgsql = nixpkgs.lib.nixosSystem {
inherit system;
specialArgs = { inherit inputs; };
specialArgs = {inherit inputs;};
modules = [
agenix.nixosModules.default
crowdsec.nixosModules.crowdsec-firewall-bouncer
@ -70,7 +81,7 @@
};
forgejo = nixpkgs.lib.nixosSystem {
inherit system;
specialArgs = { inherit inputs; };
specialArgs = {inherit inputs;};
modules = [
agenix.nixosModules.default
crowdsec.nixosModules.crowdsec-firewall-bouncer
@ -89,7 +100,7 @@
};
onlyoffice = nixpkgs.lib.nixosSystem {
inherit system;
specialArgs = { inherit inputs; };
specialArgs = {inherit inputs;};
modules = [
agenix.nixosModules.default
crowdsec.nixosModules.crowdsec-firewall-bouncer
@ -108,7 +119,7 @@
};
template = nixpkgs.lib.nixosSystem {
inherit system;
specialArgs = { inherit inputs; };
specialArgs = {inherit inputs;};
modules = [
agenix.nixosModules.default
crowdsec.nixosModules.crowdsec-firewall-bouncer
@ -123,7 +134,7 @@
};
jellyfin = nixpkgs.lib.nixosSystem {
inherit system;
specialArgs = { inherit inputs; };
specialArgs = {inherit inputs;};
modules = [
agenix.nixosModules.default
crowdsec.nixosModules.crowdsec-firewall-bouncer
@ -140,7 +151,7 @@
};
qbittorrent-vpn = nixpkgs.lib.nixosSystem {
inherit system;
specialArgs = { inherit inputs; };
specialArgs = {inherit inputs;};
modules = [
agenix.nixosModules.default
crowdsec.nixosModules.crowdsec-firewall-bouncer
@ -157,7 +168,7 @@
};
nixarr = nixpkgs.lib.nixosSystem {
inherit system;
specialArgs = { inherit inputs; };
specialArgs = {inherit inputs;};
modules = [
agenix.nixosModules.default
crowdsec.nixosModules.crowdsec-firewall-bouncer
@ -174,7 +185,7 @@
};
arr-box = nixpkgs.lib.nixosSystem {
inherit system;
specialArgs = { inherit inputs; };
specialArgs = {inherit inputs;};
modules = [
agenix.nixosModules.default
crowdsec.nixosModules.crowdsec-firewall-bouncer
@ -191,7 +202,7 @@
};
redis = nixpkgs.lib.nixosSystem {
inherit system;
specialArgs = { inherit inputs; };
specialArgs = {inherit inputs;};
modules = [
agenix.nixosModules.default
crowdsec.nixosModules.crowdsec-firewall-bouncer
@ -209,7 +220,7 @@
};
grafana-lxc = nixpkgs.lib.nixosSystem {
inherit system;
specialArgs = { inherit inputs; };
specialArgs = {inherit inputs;};
modules = [
agenix.nixosModules.default
crowdsec.nixosModules.crowdsec-firewall-bouncer
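Review bot: The new `pre-commit-hooks.url = "github:cachix/git-hooks.nix";` input (hunk @ -3,6 +3,7 @@) does not pin its nixpkgs to the flake's own, unlike the neighbouring `home-manager` input; the flake.lock hunk shows the consequence, a separate `nixpkgs_3` locked to `nixpkgs-unstable` that the checks now evaluate against and that must be tracked and updated independently. I would write it as `pre-commit-hooks = { url = "github:cachix/git-hooks.nix"; inputs.nixpkgs.follows = "nixpkgs"; };` so that a single nixpkgs revision covers both the hosts and the formatter check. In the second hunk, `forAllSystems (system: …)` shadows the outer `system` that `pkgs = import nixpkgs {inherit system;}` and every `nixosConfigurations` entry still use, so the `checks` attribute is per-system while the rest of the flake is not; a short comment on `supportedSystems` stating that it only drives `checks` would make that split deliberate rather than accidental. The enclosing `let … in {` expression starts before this hunk and its attribute set continues past the last one.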


@ -3,10 +3,8 @@
pkgs,
lib,
...
}:
let
format = pkgs.formats.yaml { };
}: let
format = pkgs.formats.yaml {};
rootDir = "/var/lib/crowdsec";
stateDir = "${rootDir}/state";
@ -22,14 +20,11 @@ let
localParsersS01ParseDir = "${parsersDir}/s01-parse/";
localParsersS02EnrichDir = "${parsersDir}/s02-enrich/";
localContextsDir = "${confDir}/contexts/";
in
{
in {
options.services.crowdsec = with lib; {
enable = mkEnableOption "CrowdSec Security Engine";
package = mkPackageOption pkgs "crowdsec" { };
package = mkPackageOption pkgs "crowdsec" {};
autoUpdateService = mkEnableOption "Auto Hub Update";
@ -61,7 +56,7 @@ in
options = {
acquisitions = mkOption {
type = types.listOf format.type;
default = [ ];
default = [];
description = ''
A list of acquisition specifications, which define the data sources you want to be parsed.
See <https://docs.crowdsec.net/docs/data_sources/intro> for details.
@ -69,7 +64,7 @@ in
example = [
{
source = "journalctl";
journalctl_filter = [ "_SYSTEMD_UNIT=sshd.service" ];
journalctl_filter = ["_SYSTEMD_UNIT=sshd.service"];
labels = {
type = "syslog";
};
@ -78,7 +73,7 @@ in
};
scenarios = mkOption {
type = types.listOf format.type;
default = [ ];
default = [];
description = ''
A list of scenarios specifications.
See <https://docs.crowdsec.net/docs/scenarios/intro> for details.
@ -100,7 +95,7 @@ in
options = {
s00Raw = mkOption {
type = types.listOf format.type;
default = [ ];
default = [];
description = ''
A list of stage s00-raw specifications. Most of the time, those are already included in the hub, but are presented here anyway.
See <https://docs.crowdsec.net/docs/parsers/intro> for details.
@ -108,7 +103,7 @@ in
};
s01Parse = mkOption {
type = types.listOf format.type;
default = [ ];
default = [];
description = ''
A list of stage s01-parse specifications.
See <https://docs.crowdsec.net/docs/parsers/intro> for details.
@ -135,7 +130,7 @@ in
};
s02Enrich = mkOption {
type = types.listOf format.type;
default = [ ];
default = [];
description = ''
A list of stage s02-enrich specifications. Inside this list, you can specify Parser Whitelists.
See <https://docs.crowdsec.net/docs/whitelist/intro> for details.
@ -158,14 +153,14 @@ in
};
};
};
default = { };
default = {};
};
postOverflows = mkOption {
type = types.submodule {
options = {
s01Whitelist = mkOption {
type = types.listOf format.type;
default = [ ];
default = [];
description = ''
A list of stage s01-whitelist specifications. Inside this list, you can specify Postoverflows Whitelists.
See <https://docs.crowdsec.net/docs/whitelist/intro> for details.
@ -185,7 +180,7 @@ in
};
};
};
default = { };
default = {};
};
contexts = mkOption {
type = types.listOf format.type;
@ -196,14 +191,14 @@ in
example = [
{
context = {
target_uri = [ "evt.Meta.http_path" ];
user_agent = [ "evt.Meta.http_user_agent" ];
method = [ "evt.Meta.http_verb" ];
status = [ "evt.Meta.http_status" ];
target_uri = ["evt.Meta.http_path"];
user_agent = ["evt.Meta.http_user_agent"];
method = ["evt.Meta.http_verb"];
status = ["evt.Meta.http_status"];
};
}
];
default = [ ];
default = [];
};
notifications = mkOption {
type = types.listOf format.type;
@ -223,7 +218,7 @@ in
method = "POST";
}
];
default = [ ];
default = [];
};
profiles = mkOption {
type = types.listOf format.type;
@ -290,14 +285,14 @@ in
};
patterns = mkOption {
type = types.listOf types.package;
default = [ ];
default = [];
example = lib.literalExpression ''
[ (pkgs.writeTextDir "custom_service_logs" (builtins.readFile ./custom_service_logs)) ]
'';
};
};
};
default = { };
default = {};
};
hub = mkOption {
@ -305,48 +300,48 @@ in
options = {
collections = mkOption {
type = types.listOf types.str;
default = [ ];
default = [];
description = "List of hub collections to install";
example = [ "crowdsecurity/linux" ];
example = ["crowdsecurity/linux"];
};
scenarios = mkOption {
type = types.listOf types.str;
default = [ ];
default = [];
description = "List of hub scenarios to install";
example = [ "crowdsecurity/ssh-bf" ];
example = ["crowdsecurity/ssh-bf"];
};
parsers = mkOption {
type = types.listOf types.str;
default = [ ];
default = [];
description = "List of hub parsers to install";
example = [ "crowdsecurity/sshd-logs" ];
example = ["crowdsecurity/sshd-logs"];
};
postOverflows = mkOption {
type = types.listOf types.str;
default = [ ];
default = [];
description = "List of hub postoverflows to install";
example = [ "crowdsecurity/auditd-nix-wrappers-whitelist-process" ];
example = ["crowdsecurity/auditd-nix-wrappers-whitelist-process"];
};
appSecConfigs = mkOption {
type = types.listOf types.str;
default = [ ];
default = [];
description = "List of hub appsec configurations to install";
example = [ "crowdsecurity/appsec-default" ];
example = ["crowdsecurity/appsec-default"];
};
appSecRules = mkOption {
type = types.listOf types.str;
default = [ ];
default = [];
description = "List of hub appsec rules to install";
example = [ "crowdsecurity/base-config" ];
example = ["crowdsecurity/base-config"];
};
};
};
default = { };
default = {};
description = ''
Hub collections, parsers, AppSec rules, etc.
'';
@ -361,7 +356,7 @@ in
Refer to the defaults at <https://github.com/crowdsecurity/crowdsec/blob/master/config/config.yaml>.
'';
type = format.type;
default = { };
default = {};
};
simulation = mkOption {
type = format.type;
@ -389,7 +384,7 @@ in
description = ''
LAPI Configuration attributes
'';
default = { };
default = {};
};
capi = mkOption {
type = types.submodule {
@ -407,7 +402,7 @@ in
description = ''
CAPI Configuration attributes
'';
default = { };
default = {};
};
console = mkOption {
type = types.submodule {
@ -437,133 +432,130 @@ in
description = ''
Console Configuration attributes
'';
default = { };
default = {};
};
};
};
};
};
config =
let
cfg = config.services.crowdsec;
configFile = format.generate "crowdsec.yaml" cfg.settings.general;
simulationFile = format.generate "simulation.yaml" cfg.settings.simulation;
consoleFile = format.generate "console.yaml" cfg.settings.console.configuration;
patternsDir = pkgs.buildPackages.symlinkJoin {
name = "crowdsec-patterns";
paths = [
cfg.localConfig.patterns
"${lib.attrsets.getOutput "out" cfg.package}/share/crowdsec/config/patterns/"
];
};
config = let
cfg = config.services.crowdsec;
configFile = format.generate "crowdsec.yaml" cfg.settings.general;
simulationFile = format.generate "simulation.yaml" cfg.settings.simulation;
consoleFile = format.generate "console.yaml" cfg.settings.console.configuration;
patternsDir = pkgs.buildPackages.symlinkJoin {
name = "crowdsec-patterns";
paths = [
cfg.localConfig.patterns
"${lib.attrsets.getOutput "out" cfg.package}/share/crowdsec/config/patterns/"
];
};
cscli = pkgs.writeShellScriptBin "cscli" ''
set -euo pipefail
# cscli needs crowdsec on it's path in order to be able to run `cscli explain`
export PATH="$PATH:${lib.makeBinPath [ cfg.package ]}"
sudo=exec
if [ "$USER" != "${cfg.user}" ]; then
sudo='exec /run/wrappers/bin/sudo -u ${cfg.user}'
fi
$sudo ${lib.getExe' cfg.package "cscli"} -c=${configFile} "$@"
'';
cscli = pkgs.writeShellScriptBin "cscli" ''
set -euo pipefail
# cscli needs crowdsec on it's path in order to be able to run `cscli explain`
export PATH="$PATH:${lib.makeBinPath [cfg.package]}"
sudo=exec
if [ "$USER" != "${cfg.user}" ]; then
sudo='exec /run/wrappers/bin/sudo -u ${cfg.user}'
fi
$sudo ${lib.getExe' cfg.package "cscli"} -c=${configFile} "$@"
'';
localScenariosMap = (map (format.generate "scenario.yaml") cfg.localConfig.scenarios);
localParsersS00RawMap = (
map (format.generate "parsers-s00-raw.yaml") cfg.localConfig.parsers.s00Raw
);
localParsersS01ParseMap = (
map (format.generate "parsers-s01-parse.yaml") cfg.localConfig.parsers.s01Parse
);
localParsersS02EnrichMap = (
map (format.generate "parsers-s02-enrich.yaml") cfg.localConfig.parsers.s02Enrich
);
localPostOverflowsS01WhitelistMap = (
map (format.generate "postoverflows-s01-whitelist.yaml") cfg.localConfig.postOverflows.s01Whitelist
);
localContextsMap = (map (format.generate "context.yaml") cfg.localConfig.contexts);
localNotificationsMap = (map (format.generate "notification.yaml") cfg.localConfig.notifications);
localProfilesFile = pkgs.writeText "local_profiles.yaml" ''
---
${lib.strings.concatMapStringsSep "\n---\n" builtins.toJSON cfg.localConfig.profiles}
---
'';
localAcquisisionFile = pkgs.writeText "local_acquisisions.yaml" ''
---
${lib.strings.concatMapStringsSep "\n---\n" builtins.toJSON cfg.localConfig.acquisitions}
---
'';
localScenariosMap = map (format.generate "scenario.yaml") cfg.localConfig.scenarios;
localParsersS00RawMap = (
map (format.generate "parsers-s00-raw.yaml") cfg.localConfig.parsers.s00Raw
);
localParsersS01ParseMap = (
map (format.generate "parsers-s01-parse.yaml") cfg.localConfig.parsers.s01Parse
);
localParsersS02EnrichMap = (
map (format.generate "parsers-s02-enrich.yaml") cfg.localConfig.parsers.s02Enrich
);
localPostOverflowsS01WhitelistMap = (
map (format.generate "postoverflows-s01-whitelist.yaml") cfg.localConfig.postOverflows.s01Whitelist
);
localContextsMap = map (format.generate "context.yaml") cfg.localConfig.contexts;
localNotificationsMap = map (format.generate "notification.yaml") cfg.localConfig.notifications;
localProfilesFile = pkgs.writeText "local_profiles.yaml" ''
---
${lib.strings.concatMapStringsSep "\n---\n" builtins.toJSON cfg.localConfig.profiles}
---
'';
localAcquisisionFile = pkgs.writeText "local_acquisisions.yaml" ''
---
${lib.strings.concatMapStringsSep "\n---\n" builtins.toJSON cfg.localConfig.acquisitions}
---
'';
scriptArray =
[
"set -euo pipefail"
"${lib.getExe cscli} hub update"
]
++ lib.optionals (cfg.hub.collections != [ ]) [
"${lib.getExe cscli} collections install ${
lib.strings.concatMapStringsSep " " (x: lib.escapeShellArg x) cfg.hub.collections
}"
]
++ lib.optionals (cfg.hub.scenarios != [ ]) [
"${lib.getExe cscli} scenarios install ${
lib.strings.concatMapStringsSep " " (x: lib.escapeShellArg x) cfg.hub.scenarios
}"
]
++ lib.optionals (cfg.hub.parsers != [ ]) [
"${lib.getExe cscli} parsers install ${
lib.strings.concatMapStringsSep " " (x: lib.escapeShellArg x) cfg.hub.parsers
}"
]
++ lib.optionals (cfg.hub.postOverflows != [ ]) [
"${lib.getExe cscli} postoverflows install ${
lib.strings.concatMapStringsSep " " (x: lib.escapeShellArg x) cfg.hub.postOverflows
}"
]
++ lib.optionals (cfg.hub.appSecConfigs != [ ]) [
"${lib.getExe cscli} appsec-configs install ${
lib.strings.concatMapStringsSep " " (x: lib.escapeShellArg x) cfg.hub.appSecConfigs
}"
]
++ lib.optionals (cfg.hub.appSecRules != [ ]) [
"${lib.getExe cscli} appsec-rules install ${
lib.strings.concatMapStringsSep " " (x: lib.escapeShellArg x) cfg.hub.appSecRules
}"
]
++ lib.optionals (cfg.settings.general.api.server.enable) [
''
if [ ! -s "${cfg.settings.general.api.client.credentials_path}" ]; then
${lib.getExe cscli} machine add "${cfg.name}" --auto
fi
''
]
++ lib.optionals (cfg.settings.capi.credentialsFile != null) [
''
if ! grep -q password "${cfg.settings.capi.credentialsFile}" ]; then
${lib.getExe cscli} capi register
fi
''
]
++ lib.optionals (cfg.settings.console.tokenFile != null) [
''
if [ ! -e "${cfg.settings.console.tokenFile}" ]; then
${lib.getExe cscli} console enroll "$(cat ${cfg.settings.console.tokenFile})" --name ${cfg.name}
fi
''
];
scriptArray =
[
"set -euo pipefail"
"${lib.getExe cscli} hub update"
]
++ lib.optionals (cfg.hub.collections != []) [
"${lib.getExe cscli} collections install ${
lib.strings.concatMapStringsSep " " (x: lib.escapeShellArg x) cfg.hub.collections
}"
]
++ lib.optionals (cfg.hub.scenarios != []) [
"${lib.getExe cscli} scenarios install ${
lib.strings.concatMapStringsSep " " (x: lib.escapeShellArg x) cfg.hub.scenarios
}"
]
++ lib.optionals (cfg.hub.parsers != []) [
"${lib.getExe cscli} parsers install ${
lib.strings.concatMapStringsSep " " (x: lib.escapeShellArg x) cfg.hub.parsers
}"
]
++ lib.optionals (cfg.hub.postOverflows != []) [
"${lib.getExe cscli} postoverflows install ${
lib.strings.concatMapStringsSep " " (x: lib.escapeShellArg x) cfg.hub.postOverflows
}"
]
++ lib.optionals (cfg.hub.appSecConfigs != []) [
"${lib.getExe cscli} appsec-configs install ${
lib.strings.concatMapStringsSep " " (x: lib.escapeShellArg x) cfg.hub.appSecConfigs
}"
]
++ lib.optionals (cfg.hub.appSecRules != []) [
"${lib.getExe cscli} appsec-rules install ${
lib.strings.concatMapStringsSep " " (x: lib.escapeShellArg x) cfg.hub.appSecRules
}"
]
++ lib.optionals (cfg.settings.general.api.server.enable) [
''
if [ ! -s "${cfg.settings.general.api.client.credentials_path}" ]; then
${lib.getExe cscli} machine add "${cfg.name}" --auto
fi
''
]
++ lib.optionals (cfg.settings.capi.credentialsFile != null) [
''
if ! grep -q password "${cfg.settings.capi.credentialsFile}" ]; then
${lib.getExe cscli} capi register
fi
''
]
++ lib.optionals (cfg.settings.console.tokenFile != null) [
''
if [ ! -e "${cfg.settings.console.tokenFile}" ]; then
${lib.getExe cscli} console enroll "$(cat ${cfg.settings.console.tokenFile})" --name ${cfg.name}
fi
''
];
setupScript = pkgs.writeShellScriptBin "crowdsec-setup" (
lib.strings.concatStringsSep "\n" scriptArray
);
in
setupScript = pkgs.writeShellScriptBin "crowdsec-setup" (
lib.strings.concatStringsSep "\n" scriptArray
);
in
lib.mkIf (cfg.enable) {
warnings =
[ ]
++ lib.optionals (cfg.localConfig.profiles == [ ]) [
[]
++ lib.optionals (cfg.localConfig.profiles == []) [
"By not specifying profiles in services.crowdsec.localConfig.profiles, CrowdSec will not react to any alert by default."
]
++ lib.optionals (cfg.localConfig.acquisitions == [ ]) [
++ lib.optionals (cfg.localConfig.acquisitions == []) [
"By not specifying acquisitions in services.crowdsec.localConfig.acquisitions, CrowdSec will not look for any data source."
];
@ -624,14 +616,14 @@ in
};
environment = {
systemPackages = [ cscli ];
systemPackages = [cscli];
};
systemd.packages = [ cfg.package ];
systemd.packages = [cfg.package];
systemd.timers.crowdsec-update-hub = lib.mkIf (cfg.autoUpdateService) {
description = "Update the crowdsec hub index";
wantedBy = [ "timers.target" ];
wantedBy = ["timers.target"];
timerConfig = {
OnCalendar = "daily";
Persistent = "yes";
@ -696,16 +688,16 @@ in
RestrictSUIDSGID = true;
ExecStart = "${lib.getExe cscli} --error hub update";
ExecStartPost = "systemctl reload crowdsec.service";
LogLevelMax=5;
LogLevelMax = 5;
};
};
crowdsec = {
description = "CrowdSec is a free, modern & collaborative behavior detection engine, coupled with a global IP reputation network.";
wantedBy = [ "multi-user.target" ];
after = [ "network-online.target" ];
wants = [ "network-online.target" ];
path = lib.mkForce [ ];
wantedBy = ["multi-user.target"];
after = ["network-online.target"];
wants = ["network-online.target"];
path = lib.mkForce [];
environment = {
LC_ALL = "C";
LANG = "C";
@ -778,7 +770,7 @@ in
"${lib.getExe setupScript}"
"${lib.getExe' cfg.package "crowdsec"} -c ${configFile} -t -error"
];
LogLevelMax=5;
LogLevelMax = 5;
};
};
};
@ -787,32 +779,32 @@ in
"10-crowdsec" =
builtins.listToAttrs (
map
(dirName: {
inherit cfg;
name = lib.strings.normalizePath dirName;
value = {
d = {
user = cfg.user;
group = cfg.group;
mode = "0750";
};
(dirName: {
inherit cfg;
name = lib.strings.normalizePath dirName;
value = {
d = {
user = cfg.user;
group = cfg.group;
mode = "0750";
};
})
[
stateDir
hubDir
confDir
localScenariosDir
localPostOverflowsDir
localPostOverflowsS01WhitelistDir
parsersDir
localParsersS00RawDir
localParsersS01ParseDir
localParsersS02EnrichDir
localContextsDir
notificationsDir
pluginDir
]
};
})
[
stateDir
hubDir
confDir
localScenariosDir
localPostOverflowsDir
localPostOverflowsS01WhitelistDir
parsersDir
localParsersS00RawDir
localParsersS01ParseDir
localParsersS02EnrichDir
localContextsDir
notificationsDir
pluginDir
]
)
// builtins.listToAttrs (
map (scenarioFile: {
@ -824,7 +816,8 @@ in
argument = "${scenarioFile}";
};
};
}) localScenariosMap
})
localScenariosMap
)
// builtins.listToAttrs (
map (parser: {
@ -836,7 +829,8 @@ in
argument = "${parser}";
};
};
}) localParsersS00RawMap
})
localParsersS00RawMap
)
// builtins.listToAttrs (
map (parser: {
@ -848,7 +842,8 @@ in
argument = "${parser}";
};
};
}) localParsersS01ParseMap
})
localParsersS01ParseMap
)
// builtins.listToAttrs (
map (parser: {
@ -860,7 +855,8 @@ in
argument = "${parser}";
};
};
}) localParsersS02EnrichMap
})
localParsersS02EnrichMap
)
// builtins.listToAttrs (
map (postoverflow: {
@ -872,7 +868,8 @@ in
argument = "${postoverflow}";
};
};
}) localPostOverflowsS01WhitelistMap
})
localPostOverflowsS01WhitelistMap
)
// builtins.listToAttrs (
map (context: {
@ -884,7 +881,8 @@ in
argument = "${context}";
};
};
}) localContextsMap
})
localContextsMap
)
// builtins.listToAttrs (
map (notification: {
@ -896,7 +894,8 @@ in
argument = "${notification}";
};
};
}) localNotificationsMap
})
localNotificationsMap
);
};
@ -905,10 +904,10 @@ in
description = lib.mkDefault "CrowdSec service user";
isSystemUser = true;
group = cfg.group;
extraGroups = [ "systemd-journal" ];
extraGroups = ["systemd-journal"];
};
users.groups.${cfg.group} = lib.mapAttrs (name: lib.mkDefault) { };
users.groups.${cfg.group} = lib.mapAttrs (name: lib.mkDefault) {};
networking.firewall.allowedTCPPorts = lib.mkIf cfg.openFirewall [
6060
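Review bot: The CAPI registration guard `if ! grep -q password "${cfg.settings.capi.credentialsFile}" ]; then` (hunk @ -437,133 +432,130 @@, re-emitted unchanged inside the reindented `let` block) carries a stray `]`: there is no opening `[`, so grep receives `]` as a second file name, writes a missing-file error to stderr on every run of `crowdsec-setup`, and appears to reach the `capi register` branch only because that error's non-zero exit status also satisfies the `!`. It should read `if ! grep -q password "${cfg.settings.capi.credentialsFile}"; then`. Separately, `console enroll "$(cat ${cfg.settings.console.tokenFile})"` expands the enrollment token onto the command line, where it is visible in the process list for the duration of the call; a comment noting that, and a check whether cscli can read the token from the file path instead, would be worthwhile. The enclosing `config = let … in lib.mkIf (cfg.enable) {` expression starts in this hunk but its attribute set continues past it.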


@ -41,7 +41,7 @@ in {
"secrets/cs-lapi-key.age".publicKeys = users ++ systems;
"secrets/jellyfin-lapi-key.age".publicKeys = [tbarnouin jellyfin];
"secrets/redis-lapi-key.age".publicKeys = [tbarnouin redis];
"services/qbittorrent-vpn/secrets/docker-gluetun-env.age".publicKeys = [tbarnouin qbittorrent-vpn];


@ -17,14 +17,14 @@ in {
ssl.enable = false;
ssl.termination = true;
net = {
proto= "IPv4";
proto = "IPv4";
listen = "0.0.0.0";
post_allow.host = [ ''192\.168\.1\.[0-9]{1,3}'' ];
lok_allow.host = [ ''192\.168\.1\.[0-9]{1,3}'' ];
post_allow.host = [''192\.168\.1\.[0-9]{1,3}''];
lok_allow.host = [''192\.168\.1\.[0-9]{1,3}''];
};
storage.wopi = {
"@allow" = true;
host = [ "cloud.le43.eu" ];
host = ["cloud.le43.eu"];
};
remote_font_config.url = "https://cloud.le43.eu/apps/richdocuments/settings/fonts.json";
server_name = "collabora.le43.eu";


@ -31,7 +31,7 @@ in {
acquisitions = [
{
source = "journalctl";
journalctl_filter = [ "_SYSTEMD_UNIT=forgejo.service" ];
journalctl_filter = ["_SYSTEMD_UNIT=forgejo.service"];
labels = {
type = "syslog";
};


@ -47,7 +47,7 @@ in {
acquisitions = [
{
source = "journalctl";
journalctl_filter = [ "_SYSTEMD_UNIT=grafana.service" ];
journalctl_filter = ["_SYSTEMD_UNIT=grafana.service"];
labels = {
type = "journald";
};


@ -16,11 +16,11 @@ in {
];
};
# Nvidia Hardware Acceleration config
services.xserver.videoDrivers = [ "nvidia" ];
services.xserver.videoDrivers = ["nvidia"];
hardware = {
graphics = {
enable = true;
extraPackages = with pkgs; [ cudaPackages.cudatoolkit ];
extraPackages = with pkgs; [cudaPackages.cudatoolkit];
};
nvidia = {
package = config.boot.kernelPackages.nvidiaPackages.latest;
@ -32,7 +32,7 @@ in {
# of just the bare essentials.
powerManagement.enable = false;
powerManagement.finegrained = false;
# Use the NVidia open source kernel module
# Recommended by Nvidia for 20+ series GPU
open = true;


@ -21,7 +21,7 @@ in {
};
systemd.services.jellyfin.environment.LIBVA_DRIVER_NAME = "iHD";
environment = {
sessionVariables = { LIBVA_DRIVER_NAME = "iHD"; };
sessionVariables = {LIBVA_DRIVER_NAME = "iHD";};
systemPackages = with pkgs; [
cifs-utils
s-tui
@ -56,7 +56,7 @@ in {
acquisitions = [
{
source = "journalctl";
journalctl_filter = [ "_SYSTEMD_UNIT=jellyfin.service" ];
journalctl_filter = ["_SYSTEMD_UNIT=jellyfin.service"];
labels = {
type = "syslog";
};
@ -64,7 +64,7 @@ in {
];
};
};
jellyfin= {
jellyfin = {
enable = true;
user = "tbarnouin";
openFirewall = true;


@ -15,9 +15,8 @@ in {
};
config = lib.mkIf cfg.enable {
age.secrets.netbox-lapi-key = {
file = ../../secrets/netbox-lapi-key.age;
owner = "crowdsec";
};
file = ../../secrets/netbox-lapi-key.age;
owner = "crowdsec";
};
services = {
crowdsec = {
@ -26,7 +25,7 @@ in {
acquisitions = [
{
source = "journalctl";
journalctl_filter = [ "_SYSTEMD_UNIT=netbox.service" ];
journalctl_filter = ["_SYSTEMD_UNIT=netbox.service"];
labels = {
type = "syslog";
};


@ -59,7 +59,7 @@ in {
localConfig.acquisitions = [
{
source = "journalctl";
journalctl_filter = [ "_SYSTEMD_UNIT=nginx.service" ];
journalctl_filter = ["_SYSTEMD_UNIT=nginx.service"];
labels = {
type = "syslog";
};


@ -33,35 +33,35 @@ in {
acquisitions = [
{
source = "journalctl";
journalctl_filter = [ "_SYSTEMD_UNIT=radarr.service" ];
journalctl_filter = ["_SYSTEMD_UNIT=radarr.service"];
labels = {
type = "syslog";
};
}
{
source = "journalctl";
journalctl_filter = [ "_SYSTEMD_UNIT=sonarr.service" ];
journalctl_filter = ["_SYSTEMD_UNIT=sonarr.service"];
labels = {
type = "syslog";
};
}
{
source = "journalctl";
journalctl_filter = [ "_SYSTEMD_UNIT=bazarr.service" ];
journalctl_filter = ["_SYSTEMD_UNIT=bazarr.service"];
labels = {
type = "syslog";
};
}
{
source = "journalctl";
journalctl_filter = [ "_SYSTEMD_UNIT=prowlarr.service" ];
journalctl_filter = ["_SYSTEMD_UNIT=prowlarr.service"];
labels = {
type = "syslog";
};
}
{
source = "journalctl";
journalctl_filter = [ "_SYSTEMD_UNIT=jellyseerr.service" ];
journalctl_filter = ["_SYSTEMD_UNIT=jellyseerr.service"];
labels = {
type = "syslog";
};


@ -50,7 +50,7 @@ in {
acquisitions = [
{
source = "journalctl";
journalctl_filter = [ "_SYSTEMD_UNIT=postgresql.service" ];
journalctl_filter = ["_SYSTEMD_UNIT=postgresql.service"];
labels = {
type = "syslog";
};


@ -21,7 +21,7 @@ in {
acquisitions = [
{
source = "journalctl";
journalctl_filter = [ "_SYSTEMD_UNIT=redis.service" ];
journalctl_filter = ["_SYSTEMD_UNIT=redis.service"];
labels = {
type = "syslog";
};


@ -1,7 +1,4 @@
{
pkgs,
...
}: {
{pkgs, ...}: {
nix = {
settings.experimental-features = ["nix-command" "flakes"];
settings.trusted-users = ["root" "@wheel"];
@ -9,10 +6,10 @@
nixpkgs.overlays = [
(final: prev: {
crowdsec = prev.crowdsec.overrideAttrs ( prev: rec {
crowdsec = prev.crowdsec.overrideAttrs (prev: rec {
pname = "crowdsec";
version = "1.6.4";
src = pkgs.fetchFromGitHub {
src = pkgs.fetchFromGitHub {
owner = "crowdsecurity";
repo = "${pname}";
tag = "v${version}";


@ -1,7 +1,4 @@
{
pkgs,
...
}: {
{pkgs, ...}: {
nix = {
settings.experimental-features = ["nix-command" "flakes"];
settings.trusted-users = ["root" "@wheel"];
@ -9,10 +6,10 @@
nixpkgs.overlays = [
(final: prev: {
crowdsec = prev.crowdsec.overrideAttrs ( prev: rec {
crowdsec = prev.crowdsec.overrideAttrs (prev: rec {
pname = "crowdsec";
version = "1.6.4";
src = pkgs.fetchFromGitHub {
src = pkgs.fetchFromGitHub {
owner = "crowdsecurity";
repo = "${pname}";
tag = "v${version}";