tbarnouin/nixos-hypervisor
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Try to use age for crowdsec lapi config

Browse source
This commit is contained in:
Théo Barnouin 2025-04-04 15:30:24 +02:00
parent 64986d2883
commit 42792ec4d8
5 changed files with 85 additions and 85 deletions
Download patch file Download diff file Expand all files Collapse all files

55
services/nginx/default.nix
View file

@ -2,6 +2,7 @@
config,
pkgs,
lib,
inputs,
...
}: let
cfg = config.services.vm_nginx;
@ -10,6 +11,12 @@ in {
enable = lib.mkEnableOption "Enable minimal config";
};
config = lib.mkIf cfg.enable {
age.secrets = {
cs-lapi-key = {
file = ./secrets/cs-lapi-key.age;
owner = "crowdsec";
};
};
security.acme = {
acceptTerms = true;
defaults.email = "theo.barnouin@le43.eu";
@ -18,6 +25,54 @@ in {
];
};
services = {
crowdsec-firewall-bouncer = {
enable = true;
package = inputs.crowdsec.packages."x86_64-linux".crowdsec-firewall-bouncer;
settings = {
api_key = "XIgNVuxdP74m+UPbd3WJnHHJdLhRiTbhuH6z2mPRIFg";
api_url = "http://localhost:8080";
};
};
crowdsec = {
enable = true;
package = pkgs.crowdsec;
autoUpdateService = false;
openFirewall = true;
settings = {
general = {
api = {
server = {
enable = true;
listen_uri = "127.0.0.1:8080";
};
};
prometheus.listen_addr = "0.0.0.0";
};
lapi.credentialsFile = "${config.age.secrets.cs-api-key.path}";
};
hub.collections = [
"firix/authentik"
"crowdsecurity/sshd"
"crowdsecurity/linux"
"crowdsecurity/nginx"
"LePresidente/grafana"
"LePresidente/jellyfin"
"crowdsecurity/http-cve"
"crowdsecurity/nextcloud"
"crowdsecurity/base-http-scenarios"
];
localConfig = {
acquisitions = [
{
source = "journalctl";
journalctl_filter = [ "_SYSTEMD_UNIT=sshd.service" ];
labels = {
type = "syslog";
};
}
];
};
};
fail2ban = {
jails = {
nginx-http-auth = ''