Working crowdsec config

2025-04-04 16:48:14 +02:00 · 2025-04-04 16:48:14 +02:00 · 4d337df460
commit 4d337df460
parent 88c4095a29
3 changed files with 13 additions and 33 deletions
--- a/flake.nix
+++ b/flake.nix
@ -44,6 +44,7 @@
            services = {
              vm_nginx = {
                enable = true;
+                proxy_ip = proxy_host;
              };
            };
          }
--- a/services/grafana/default.nix
+++ b/services/grafana/default.nix
@ -151,7 +151,7 @@ in {
          job_name = "gitea";
          static_configs = [
            {
-              targets = ["192.168.1.14:9100"];
+              targets = ["192.168.1.14:9002"];
            }
          ];
        }
@ -159,7 +159,7 @@ in {
          job_name = "postgresql";
          static_configs = [
            {
-              targets = ["192.168.1.13:9100"];
+              targets = ["192.168.1.13:9002"];
            }
          ];
        }
@ -171,14 +171,6 @@ in {
            }
          ];
        }
-        {
-          job_name = "deluge";
-          static_configs = [
-            {
-              targets = ["192.168.1.18:9100"];
-            }
-          ];
-        }
        {
          job_name = "jellyfin";
          static_configs = [
@ -197,7 +189,7 @@ in {
        auth_enabled = false;
        ingester = {
          lifecycler = {
-            address = "127.0.0.1";
+            address = "192.168.1.27";
            ring = {
              kvstore = {
                store = "inmemory";
--- a/services/nginx/default.nix
+++ b/services/nginx/default.nix
@ -9,6 +9,10 @@
 in {
  options.services.vm_nginx = {
    enable = lib.mkEnableOption "Enable minimal config";
+    proxy_ip = lib.mkOption {
+      type = lib.types.str;
+      description = "The Nginx proxy IP address";
+    };
  };
  config = lib.mkIf cfg.enable {
    age.secrets = {
@ -30,7 +34,7 @@ in {
        package = inputs.crowdsec.packages."x86_64-linux".crowdsec-firewall-bouncer;
        settings = {
          api_key = "XIgNVuxdP74m+UPbd3WJnHHJdLhRiTbhuH6z2mPRIFg";
-          api_url = "http://localhost:8080";
+          api_url = "http://127.0.0.1:8080";
        };
      };
      crowdsec = {
@ -43,12 +47,12 @@ in {
            api = {
              server = {
                enable = true;
-                listen_uri = "127.0.0.1:8080";
+                listen_uri = "${cfg.proxy_ip}:8080";
              };
            };
            prometheus.listen_addr = "0.0.0.0";
          };
-          lapi.credentialsFile = "${config.age.secrets.cs-api-key.path}";
+          lapi.credentialsFile = "${config.age.secrets.cs-lapi-key.path}";
        };
        hub.collections = [
          "firix/authentik"
@ -65,7 +69,7 @@ in {
          acquisitions = [
            {
              source = "journalctl";
-              journalctl_filter = [ "_SYSTEMD_UNIT=sshd.service" ];
+              journalctl_filter = [ "_SYSTEMD_UNIT=nginx.service" ];
              labels = {
                type = "syslog";
              };
@ -74,6 +78,7 @@ in {
        };
      };
      fail2ban = {
+        enable = lib.mkForce false;
        jails = {
          nginx-http-auth = ''
            enabled  = true
@ -185,24 +190,6 @@ in {
              recommendedProxySettings = true;
            };
          };
-          "office.le43.eu" = {
-            forceSSL = true;
-            enableACME = true;
-            locations."/" = {
-              proxyPass = "http://192.168.1.125:8000";
-              proxyWebsockets = true;
-              recommendedProxySettings = true;
-            };
-          };
-          "collabora.le43.eu" = {
-            forceSSL = true;
-            enableACME = true;
-            locations."/" = {
-              proxyPass = "http://192.168.1.19:9980";
-              proxyWebsockets = true;
-              recommendedProxySettings = true;
-            };
-          };
          "git.le43.eu" = {
            forceSSL = true;
            enableACME = true;