From 42792ec4d8f2fae9ed344d93c1eebbed87c361af Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Th=C3=A9o=20Barnouin?=
Date: Fri, 4 Apr 2025 15:30:24 +0200
Subject: [PATCH] Try to use age for crowdsec lapi config
---
 flake.nix | 95 ++++++++----------------------------
 modules/crowdsec.nix | 16 +++---
 secrets/secrets.nix | 2 +
 services/grafana/default.nix | 2 +-
 services/nginx/default.nix | 55 +++++++++++++++++++++
 5 files changed, 85 insertions(+), 85 deletions(-)
diff --git a/flake.nix b/flake.nix
index cb6059f..06ec83a 100644
--- a/flake.nix
+++ b/flake.nix
@@ -31,74 +31,34 @@ nixosConfigurations = { nginx = nixpkgs.lib.nixosSystem { inherit system; + specialArgs = { inherit inputs; }; modules = [ agenix.nixosModules.default crowdsec.nixosModules.crowdsec-firewall-bouncer - { - services.crowdsec-firewall-bouncer = { - enable = true; - package = inputs.crowdsec.packages."x86_64-linux".crowdsec-firewall-bouncer; - }; - } "${inputs.nixpkgs}/nixos/modules/virtualisation/proxmox-lxc.nix" "${inputs.self}/systems/minimalLXCConfig.nix" "${inputs.self}/services" "${inputs.self}/modules" { + networking.hostName = "nginx"; services = { vm_nginx = { enable = true; }; - crowdsec = { - enable = true; - package = pkgs.crowdsec; - autoUpdateService = false; - settings = { - general = { - api = { - server = { - enable = false; - #listen_uri = "127.0.0.1:8080"; - }; - }; - prometheus.listen_addr = "0.0.0.0"; - }; - }; - hub.collections = [ - "firix/authentik" - "crowdsecurity/sshd" - "crowdsecurity/linux" - "crowdsecurity/nginx" - "LePresidente/grafana" - "LePresidente/jellyfin" - "crowdsecurity/http-cve" - "crowdsecurity/nextcloud" - "crowdsecurity/base-http-scenarios" - ]; - localConfig = { - acquisitions = [ - { - source = "journalctl"; - journalctl_filter = [ "_SYSTEMD_UNIT=sshd.service" ]; - labels = { - type = "syslog"; - }; - } - ]; - }; - }; }; - networking.hostName = "nginx"; } ]; }; pgsql = nixpkgs.lib.nixosSystem { inherit system; + specialArgs = { inherit inputs; }; modules = [ agenix.nixosModules.default + crowdsec.nixosModules.crowdsec-firewall-bouncer "${inputs.nixpkgs}/nixos/modules/virtualisation/proxmox-lxc.nix" "${inputs.self}/systems/minimalLXCConfig.nix" "${inputs.self}/services" + "${inputs.self}/modules" { networking.hostName = "pgsql"; services.vm_postgresql = { 
@@ -107,44 +67,16 @@ } ]; }; - onlyoffice = nixpkgs.lib.nixosSystem { - inherit system; - modules = [ - agenix.nixosModules.default - "${inputs.nixpkgs}/nixos/modules/virtualisation/proxmox-lxc.nix" - "${inputs.self}/systems/minimalLXCConfig.nix" - "${inputs.self}/services" - { - networking.hostName = "onlyoffice"; - services.vm_onlyoffice = { - enable = true; - pgsql_ip = pgsql_host; - }; - } - ]; - }; - collabora = nixpkgs.lib.nixosSystem { - inherit system; - modules = [ - agenix.nixosModules.default - "${inputs.nixpkgs}/nixos/modules/virtualisation/proxmox-lxc.nix" - "${inputs.self}/systems/minimalLXCConfig.nix" - "${inputs.self}/services" - { - networking.hostName = "collabora"; - services.vm_collabora = { - enable = true; - }; - } - ]; - }; forgejo = nixpkgs.lib.nixosSystem { inherit system; + specialArgs = { inherit inputs; }; modules = [ agenix.nixosModules.default + crowdsec.nixosModules.crowdsec-firewall-bouncer "${inputs.nixpkgs}/nixos/modules/virtualisation/proxmox-lxc.nix" "${inputs.self}/systems/minimalLXCConfig.nix" "${inputs.self}/services" + "${inputs.self}/modules" { networking.hostName = "forgejo"; services.vm_forgejo = { @@ -156,8 +88,10 @@ }; template = nixpkgs.lib.nixosSystem { inherit system; + specialArgs = { inherit inputs; }; modules = [ agenix.nixosModules.default + crowdsec.nixosModules.crowdsec-firewall-bouncer "${inputs.nixpkgs}/nixos/modules/virtualisation/proxmox-image.nix" "${inputs.self}/systems/minimalVMConfig.nix" { @@ -167,11 +101,14 @@ }; jellyfin = nixpkgs.lib.nixosSystem { inherit system; + specialArgs = { inherit inputs; }; modules = [ agenix.nixosModules.default + crowdsec.nixosModules.crowdsec-firewall-bouncer "${inputs.nixpkgs}/nixos/modules/virtualisation/proxmox-image.nix" "${inputs.self}/systems/minimalVMConfig.nix" "${inputs.self}/services" + "${inputs.self}/modules" { services.vm_jellyfin = { enable = true; 
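Review bot: The `@@ -107,44 +67,16 @@` hunk deletes the `onlyoffice` and `collabora` systems, which has nothing to do with the commit subject and is easy to miss among the crowdsec wiring; it belongs in its own commit. secrets/secrets.nix still grants `services/postgresql/secrets/onlyofficeDBPass.age` to the postgresql host (visible as context in that file's hunk), so if the host is really gone that entry, and `pgsql_host` if nothing else references it, should be cleaned up together with it, or the removal reverted. The other two hunks on this line only add `specialArgs` and the bouncer module import and raise nothing on their own.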
@@ -181,11 +118,14 @@ }; redis = nixpkgs.lib.nixosSystem { inherit system; + specialArgs = { inherit inputs; }; modules = [ agenix.nixosModules.default + crowdsec.nixosModules.crowdsec-firewall-bouncer "${inputs.nixpkgs}/nixos/modules/virtualisation/proxmox-lxc.nix" "${inputs.self}/systems/minimalLXCConfig.nix" "${inputs.self}/services" + "${inputs.self}/modules" { networking.hostName = "redis"; services.vm_redis = { @@ -196,11 +136,14 @@ }; grafana-lxc = nixpkgs.lib.nixosSystem { inherit system; + specialArgs = { inherit inputs; }; modules = [ agenix.nixosModules.default + crowdsec.nixosModules.crowdsec-firewall-bouncer "${inputs.nixpkgs}/nixos/modules/virtualisation/proxmox-lxc.nix" "${inputs.self}/systems/minimalLXCConfig.nix" "${inputs.self}/services" + "${inputs.self}/modules" { services.vm_grafana = { enable = true; diff --git a/modules/crowdsec.nix b/modules/crowdsec.nix index fd9f702..76d9999 100644 --- a/modules/crowdsec.nix +++ b/modules/crowdsec.nix @@ -602,14 +602,14 @@ in console_path = mkDefault consoleFile; profiles_path = mkDefault localProfilesFile; - online_client = mkDefault { - sharing = mkDefault true; - pull = mkDefault { - community = mkDefault true; - blocklists = mkDefault true; - }; - credentials_path = cfg.settings.capi.credentialsFile; - }; + #online_client = mkDefault { + # sharing = mkDefault true; + # pull = mkDefault { + # community = mkDefault true; + # blocklists = mkDefault true; + # }; + # credentials_path = cfg.settings.capi.credentialsFile; + #}; }; }; prometheus = { diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 759f84b..4f7e172 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix 
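Review bot: In the modules/crowdsec.nix hunk, `online_client` is commented out rather than removed or made conditional, which leaves dead code in the module and silently drops the `sharing`, `pull.community` and `pull.blocklists` defaults for every host that imports it. If CAPI is intentionally disabled until enrolment is provisioned, gate the block on the existing `cfg.settings.capi` configuration with `mkIf` instead, and record the reason in a comment such as `# online_client omitted: CAPI credentials not provisioned yet; see cfg.settings.capi.credentialsFile`. The surrounding attrset starts and ends outside the hunk.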
@@ -26,4 +26,6 @@ in { "services/postgresql/secrets/authentikDBPass.age".publicKeys = [tbarnouin postgresql]; "services/postgresql/secrets/grafanaDBPass.age".publicKeys = [tbarnouin postgresql]; "services/postgresql/secrets/onlyofficeDBPass.age".publicKeys = [tbarnouin postgresql]; + + "services/nginx/secrets/cs-lapi-key.age".publicKeys = [tbarnouin nginx]; } diff --git a/services/grafana/default.nix b/services/grafana/default.nix index 68b9526..e3f9f2d 100644 --- a/services/grafana/default.nix +++ b/services/grafana/default.nix @@ -124,7 +124,7 @@ in { ]; } { - job_name = "nginx"; + job_name = "crowdsec_nginx"; static_configs = [ { targets = ["${cfg.proxy_ip}:6060"]; diff --git a/services/nginx/default.nix b/services/nginx/default.nix index 293d062..f64308c 100644 --- a/services/nginx/default.nix +++ b/services/nginx/default.nix @@ -2,6 +2,7 @@ config, pkgs, lib, + inputs, ... }: let cfg = config.services.vm_nginx; @@ -10,6 +11,12 @@ in { enable = lib.mkEnableOption "Enable minimal config"; }; config = lib.mkIf cfg.enable { + age.secrets = { + cs-lapi-key = { + file = ./secrets/cs-lapi-key.age; + owner = "crowdsec"; + }; + }; security.acme = { acceptTerms = true; defaults.email = "theo.barnouin@le43.eu"; 
@@ -18,6 +25,54 @@ in { ]; }; services = { + crowdsec-firewall-bouncer = { + enable = true; + package = inputs.crowdsec.packages."x86_64-linux".crowdsec-firewall-bouncer; + settings = { + api_key = "XIgNVuxdP74m+UPbd3WJnHHJdLhRiTbhuH6z2mPRIFg"; + api_url = "http://localhost:8080"; + }; + }; + crowdsec = { + enable = true; + package = pkgs.crowdsec; + autoUpdateService = false; + openFirewall = true; + settings = { + general = { + api = { + server = { + enable = true; + listen_uri = "127.0.0.1:8080"; + }; + }; + prometheus.listen_addr = "0.0.0.0"; + }; + lapi.credentialsFile = "${config.age.secrets.cs-api-key.path}"; + }; + hub.collections = [ + "firix/authentik" + "crowdsecurity/sshd" + "crowdsecurity/linux" + "crowdsecurity/nginx" + "LePresidente/grafana" + "LePresidente/jellyfin" + "crowdsecurity/http-cve" + "crowdsecurity/nextcloud" + "crowdsecurity/base-http-scenarios" + ]; + localConfig = { + acquisitions = [ + { + source = "journalctl"; + journalctl_filter = [ "_SYSTEMD_UNIT=sshd.service" ]; + labels = { + type = "syslog"; + }; + } + ]; + }; + }; fail2ban = { jails = { nginx-http-auth = ''
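Review bot: `lapi.credentialsFile` references `config.age.secrets.cs-api-key.path`, but the secret this commit declares in the earlier hunk of this file (and in secrets/secrets.nix) is `cs-lapi-key`, so evaluation should fail on the missing attribute; it should read `lapi.credentialsFile = config.age.secrets.cs-lapi-key.path;` (the string interpolation around the path is also redundant). The bouncer's `api_key` is committed as a literal, which puts it in git history and, since `settings` is presumably rendered to a config file, in the world-readable Nix store; it should be supplied at runtime from an age secret the same way the LAPI credentials are, and the value now in history should be rotated on the LAPI. Whether `settings.lapi.credentialsFile` is an option modules/crowdsec.nix actually exposes cannot be confirmed from this diff, only its `capi.credentialsFile` counterpart is visible in that module's hunk. The enclosing `services = {` attrset closes outside the hunk.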