Working crowdsec config

Théo Barnouin 2025-04-04 16:48:14 +02:00
parent 88c4095a29
commit 4d337df460
3 changed files with 13 additions and 33 deletions


@ -44,6 +44,7 @@
services = { services = {
vm_nginx = { vm_nginx = {
enable = true; enable = true;
proxy_ip = proxy_host;
}; };
}; };
} }


@ -151,7 +151,7 @@ in {
job_name = "gitea"; job_name = "gitea";
static_configs = [ static_configs = [
{ {
targets = ["192.168.1.14:9100"]; targets = ["192.168.1.14:9002"];
} }
]; ];
} }
@ -159,7 +159,7 @@ in {
job_name = "postgresql"; job_name = "postgresql";
static_configs = [ static_configs = [
{ {
targets = ["192.168.1.13:9100"]; targets = ["192.168.1.13:9002"];
} }
]; ];
} }
@ -171,14 +171,6 @@ in {
} }
]; ];
} }
{
job_name = "deluge";
static_configs = [
{
targets = ["192.168.1.18:9100"];
}
];
}
{ {
job_name = "jellyfin"; job_name = "jellyfin";
static_configs = [ static_configs = [
@ -197,7 +189,7 @@ in {
auth_enabled = false; auth_enabled = false;
ingester = { ingester = {
lifecycler = { lifecycler = {
address = "127.0.0.1"; address = "192.168.1.27";
ring = { ring = {
kvstore = { kvstore = {
store = "inmemory"; store = "inmemory";
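Review bot: In the last hunk the new `address = "192.168.1.27"` sits under `auth_enabled = false`, so if Loki's HTTP and gRPC listeners are reachable on that LAN address, any host on the network can push or query logs without credentials. The listener and firewall settings lie outside the hunk, so the exposure is inferred rather than shown. I would record the intent next to the setting, for example `# auth is off: Loki ports must be firewalled to the log shippers and Grafana only`, and confirm that the firewall rules match it.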


@ -9,6 +9,10 @@
in { in {
options.services.vm_nginx = { options.services.vm_nginx = {
enable = lib.mkEnableOption "Enable minimal config"; enable = lib.mkEnableOption "Enable minimal config";
proxy_ip = lib.mkOption {
type = lib.types.str;
description = "The Nginx proxy IP address";
};
}; };
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
age.secrets = { age.secrets = {
@ -30,7 +34,7 @@ in {
package = inputs.crowdsec.packages."x86_64-linux".crowdsec-firewall-bouncer; package = inputs.crowdsec.packages."x86_64-linux".crowdsec-firewall-bouncer;
settings = { settings = {
api_key = "XIgNVuxdP74m+UPbd3WJnHHJdLhRiTbhuH6z2mPRIFg"; api_key = "XIgNVuxdP74m+UPbd3WJnHHJdLhRiTbhuH6z2mPRIFg";
api_url = "http://localhost:8080"; api_url = "http://127.0.0.1:8080";
}; };
}; };
crowdsec = { crowdsec = {
@ -43,12 +47,12 @@ in {
api = { api = {
server = { server = {
enable = true; enable = true;
listen_uri = "127.0.0.1:8080"; listen_uri = "${cfg.proxy_ip}:8080";
}; };
}; };
prometheus.listen_addr = "0.0.0.0"; prometheus.listen_addr = "0.0.0.0";
}; };
lapi.credentialsFile = "${config.age.secrets.cs-api-key.path}"; lapi.credentialsFile = "${config.age.secrets.cs-lapi-key.path}";
}; };
hub.collections = [ hub.collections = [
"firix/authentik" "firix/authentik"
@ -65,7 +69,7 @@ in {
acquisitions = [ acquisitions = [
{ {
source = "journalctl"; source = "journalctl";
journalctl_filter = [ "_SYSTEMD_UNIT=sshd.service" ]; journalctl_filter = [ "_SYSTEMD_UNIT=nginx.service" ];
labels = { labels = {
type = "syslog"; type = "syslog";
}; };
@ -74,6 +78,7 @@ in {
}; };
}; };
fail2ban = { fail2ban = {
enable = lib.mkForce false;
jails = { jails = {
nginx-http-auth = '' nginx-http-auth = ''
enabled = true enabled = true
@ -185,24 +190,6 @@ in {
recommendedProxySettings = true; recommendedProxySettings = true;
}; };
}; };
"office.le43.eu" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://192.168.1.125:8000";
proxyWebsockets = true;
recommendedProxySettings = true;
};
};
"collabora.le43.eu" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://192.168.1.19:9980";
proxyWebsockets = true;
recommendedProxySettings = true;
};
};
"git.le43.eu" = { "git.le43.eu" = {
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
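Review bot: In the `@ -43,12 +47,12 @` hunk the LAPI `listen_uri` moves from loopback to `${cfg.proxy_ip}:8080`, while the firewall bouncer's `api_url` in the earlier hunk now points at `http://127.0.0.1:8080`; unless `proxy_ip` is itself a loopback address, the bouncer would be dialling an address LAPI no longer binds, and its decisions would stop being enforced. If remote agents need to reach LAPI, `api_url = "http://${cfg.proxy_ip}:8080";` keeps the two in step; otherwise keep `listen_uri` on `127.0.0.1`. Binding to a LAN address also puts LAPI on the network over plain HTTP, so the firewall should limit the port to the hosts that register with it. The literal `api_key` on the context line is stored in the repository and in the Nix store; with LAPI exposed it is worth rotating it and supplying it through the age secrets this module already uses, if the bouncer module supports that.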