diff --git a/services/grafana/default.nix b/services/grafana/default.nix
index 0bfa2ba..05bdb2f 100644
--- a/services/grafana/default.nix
+++ b/services/grafana/default.nix
@@ -23,6 +23,10 @@ in {
 };
 config = lib.mkIf cfg.enable {
 age.secrets = {
+ grafana-lapi-key = {
+ file = ../../secrets/grafana-lapi-key.age;
+ owner = "crowdsec";
+ };
 grafana-db = {
 file = ./secrets/grafana-db.age;
 owner = "grafana";
@@ -35,6 +39,7 @@ in {
 };
 services = {
 crowdsec = {
+ settings.lapi.credentialsFile = "${config.age.secrets.grafana-lapi-key.path}";
 hub.collections = [
 "LePresidente/grafana"
 ];
@@ -44,7 +49,7 @@ in {
 source = "journalctl";
 journalctl_filter = [ "_SYSTEMD_UNIT=grafana.service" ];
 labels = {
- type = "syslog";
+ type = "journald";
 };
 }
 ];
diff --git a/services/jellyfin/default.nix b/services/jellyfin/default.nix
index 0b44380..e135fbe 100644
--- a/services/jellyfin/default.nix
+++ b/services/jellyfin/default.nix
@@ -10,11 +10,9 @@ in {
 enable = lib.mkEnableOption "Enable minimal config";
 };
 config = lib.mkIf cfg.enable {
- age.secrets = {
- cs-lapi-key = {
- file = ../../secrets/jellyfin-lapi-key.age;
- owner = "crowdsec";
- };
+ age.secrets.jellyfin-lapi-key = {
+ file = ../../secrets/jellyfin-lapi-key.age;
+ owner = "crowdsec";
 };
 systemd.services.jellyfin.environment.LIBVA_DRIVER_NAME = "iHD";
 environment = {
diff --git a/services/minimalConfig/default.nix b/services/minimalConfig/default.nix
deleted file mode 100644
index d90a32e..0000000
--- a/services/minimalConfig/default.nix
+++ /dev/null
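Review bot: The new `grafana-lapi-key` entry reads its file from the repo-level `../../secrets/` while its sibling `grafana-db`, three lines below in the same `age.secrets` attrset, reads from the module-local `./secrets/`; two locations for one module's secrets is how a key gets rotated in one place and missed in the other. The jellyfin module in this same diff also uses `../../secrets/`, so that looks like the intended convention; either move `grafana-db` there in a follow-up or add a one-line comment on the new entry such as `# LAPI keys for every host live in the repo-level secrets/ dir`. The `age.secrets` attrset continues past the end of the hunk.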
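Review bot: `settings.lapi.credentialsFile` is now owned by the grafana service module, while the last hunk of this diff removes it from `systems/minimalLXCConfig.nix`; a host that imports that base config and enables crowdsec without a service module that sets it evaluates fine but runs the agent with whatever the crowdsec module's default credentials path is, and a host that enables two such service modules gets the option defined twice, which is an evaluation error for a string option (I can only infer that jellyfin sets it too from its secret rename). Since a host has exactly one crowdsec agent, this is a per-host setting; keeping one `settings.lapi.credentialsFile` in the host config, pointed at a per-host secret, avoids both failure modes. Minor: the `"${…}"` wrapper is redundant, `settings.lapi.credentialsFile = config.age.secrets.grafana-lapi-key.path;` is enough. The `crowdsec` attrset continues past the end of the hunk.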
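Review bot: Changing the acquisition label from `syslog` to `journald` only has an effect if a parser in the `LePresidente/grafana` collection selects on `journald`; crowdsec parsers typically filter on the acquisition's `type` label, and a mismatch drops every grafana line silently rather than failing. Nothing in this diff touches the collection, so please confirm the parser's filter and check with `cscli metrics` after deployment that this source shows non-zero parsed lines. A short comment above the label would save the next reader the same lookup, e.g. `# must match the type filter of the grafana parser in LePresidente/grafana`. The enclosing acquisition entry starts outside the hunk.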
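Review bot: Renaming the secret attribute from `cs-lapi-key` to `jellyfin-lapi-key` also changes the path `config.age.secrets.cs-lapi-key.path`, yet this is the only hunk in the jellyfin file and, unlike the grafana hunk above, it adds no `settings.lapi.credentialsFile` line. If a reference to `cs-lapi-key` exists further down (the `config` block continues past the hunk) it now fails to evaluate, since `systems/minimalLXCConfig.nix` no longer defines that secret either; if no reference exists, the jellyfin host's crowdsec agent has no LAPI credentials file at all. Either way the module should carry `services.crowdsec.settings.lapi.credentialsFile = config.age.secrets.jellyfin-lapi-key.path;` alongside the secret it declares.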
@@ -1,151 +0,0 @@
-{
- config,
- pkgs,
- lib,
- inputs,
- modulesPath,
- ...
-}: {
- imports = [
- ./lxc.nix
- ./vm.nix
- ];
-
- nix = {
- settings.experimental-features = ["nix-command" "flakes"];
- settings.trusted-users = ["root" "@wheel"];
- };
-
- networking = {
- firewall = {
- enable = true;
- allowedTCPPorts = [22 9002];
- };
- };
-
- time.timeZone = "Europe/Paris";
- console.keyMap = "fr";
- i18n.defaultLocale = "fr_FR.UTF-8";
- environment.sessionVariables = rec {
- TERM = "xterm-256color";
- };
-
- nix.gc = {
- automatic = true;
- dates = "daily";
- options = "--delete-old";
- };
-
- security.sudo.wheelNeedsPassword = false;
- users = {
- users.tbarnouin = {
- isNormalUser = true;
- extraGroups = ["wheel" "video" "render"];
- shell = pkgs.zsh;
- openssh.authorizedKeys.keys = [
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAxccGxdfOFXeEClqz3ULl94ubzaJnk4pUus+ek18G0B tbarnouin@nixos"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICf1B0nxNMvPWSR9pStdtx2x6Iw+JUeCCt1CKWoD8dsr"
- ];
- };
- users.root = {
- openssh.authorizedKeys.keys = [
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAxccGxdfOFXeEClqz3ULl94ubzaJnk4pUus+ek18G0B tbarnouin@nixos"
- ];
- };
- };
-
- programs = {
- zsh = {
- enable = true;
- shellAliases = {
- ll = "ls -l";
- lla = "ls -lah";
- };
- ohMyZsh = {
- enable = true;
- plugins = ["git"];
- theme = "bira";
- };
- };
- tmux = {
- enable = true;
- };
- };
-
- nixpkgs.config.allowUnfree = true;
- environment = {
- localBinInPath = true;
- systemPackages = with pkgs; [
- vim
- bash
- wget
- curl
- git
- htop
- tree
- dig
- ncdu
- nmap
- iperf3
- netcat-openbsd
- ];
- };
-
- age.secrets = {
- cs-lapi-key = {
- file = ./secrets/cs-lapi-key.age;
- owner = "crowdsec";
- };
- };
-
- services = {
- openssh = {
- enable = true;
- settings.PasswordAuthentication = false;
- settings.KbdInteractiveAuthentication = false;
- settings.PermitRootLogin = "prohibit-password";
- hostKeys = [
- {
- path = "/etc/ssh/ssh_host_ed25519_key";
- type = "ed25519";
- }
- ];
- };
- fail2ban = {
- enable = true;
- };
- crowdsec = {
- enable = true;
- package = pkgs.crowdsec;
- autoUpdateService = false;
- openFirewall = true;
- settings = {
- general = {
- prometheus.listen_addr = "0.0.0.0";
- };
- lapi.credentialsFile = "${config.age.secrets.cs-lapi-key.path}";
- };
- hub.collections = [
- "crowdsecurity/linux"
- ];
- };
- rsyslogd = {
- enable = true;
- extraConfig = "*.*@192.168.1.27:514;RSYSLOG_SyslogProtocol23Format";
- };
- prometheus = {
- exporters = {
- node = {
- enable = true;
- enabledCollectors = ["systemd"];
- port = 9002;
- };
- };
- };
- };
-
- system = {
- stateVersion = "24.11";
- activationScripts.ensure-ssh-key-dir.text = "mkdir -p /etc/ssh";
- };
-}
diff --git a/services/minimalConfig/lxc.nix b/services/minimalConfig/lxc.nix
deleted file mode 100644
index fe92334..0000000
--- a/services/minimalConfig/lxc.nix
+++ /dev/null
@@ -1,26 +0,0 @@
-{
- lib,
- config,
- modulesPath,
- ...
-}: let
- cfg = config.services.lxc;
-in {
- options.services.lxc = {
- enable = lib.mkEnableOption "Enable LXC container config";
- };
- config = lib.mkIf cfg.enable {
- boot.isContainer = true;
- proxmoxLXC = {
- enable = true;
- privileged = false;
- manageNetwork = false;
- manageHostName = false;
- };
- systemd.suppressedSystemUnits = [
- "dev-mqueue.mount"
- "sys-kernel-debug.mount"
- "sys-fs-fuse-connections.mount"
- ];
- };
-}
diff --git a/services/minimalConfig/secrets/cs-lapi-key.age b/services/minimalConfig/secrets/cs-lapi-key.age
deleted file mode 100644
index d1ef0c7..0000000
--- a/services/minimalConfig/secrets/cs-lapi-key.age
+++ /dev/null
@@ -1,24 +0,0 @@ ------BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyBxYmNh -UXErOHVUTG5OSjFZU1I0NlpuQWlWTkhQeWx0dmRqQ3IxRjhNY0hNCngySy8xZjR6 -ZVRRRzJVb1lXYjErOVM1RE9rQk56ZzlaTE1IcnZiVUtRWGMKLT4gc3NoLWVkMjU1 -MTkgd25FVXB3IGhOYnVTdHB4ZmR1MHZ0YWNhOW8zcE5FR01mYlArZnhMalpreFdW -R3VvZ2MKeFdkdEZUa1BMZ3pyRlNEa2FKbmtLUTcxeUJzOGR5c25EWXRMU01ybWJr -RQotPiBzc2gtZWQyNTUxOSBubUtTK0EgT01yM1NQSUxqS1h3ZDhINERER01JQkxU -ZnNNSGhSYStRQXoyS1NnUVltOApRY09ueTVkSTRjTFdXZXBQd1RPcnBXRkN4TmI3 -Z2ZkbmF3WE1yait1R0Q4Ci0+IHNzaC1lZDI1NTE5IHNpbmd2USBzK1JGVHk2c0py -aVNSWWNLRTlqUkYwdHkrcjVQZm9BRThIN0szTjd3aWhjClpYQVBqMStGMzUyY0lI -aFRQZXFCUEw1OEhtRjZiUTJ0OGo4bkZBN3VMRjgKLT4gc3NoLWVkMjU1MTkgeHFt -eWpBIHJJSzZORklZMWo0ZmRCTTN2TFY4R3hqc3QxdzNmU2ZOalA4S2JBMlFyblkK -SlhMU3JQdThodWNzSTRmN2F0UEsyNStDREVBZ2o4ZnhSSi91Z0E3anFYQQotPiBz -c2gtZWQyNTUxOSBtdTBmbkEgb1VOR3FIVzdleERSOUdCSUpCMTQ4eXdmSmpaS3Ri -cEtSV05iNHdVOUJqSQpwZ081SVNQV2ozVkZYMTNUNlFtWm1Ybk9vMVNqU0pZVHk3 -YnJaRGRWMk04Ci0+IHNzaC1lZDI1NTE5IHVmRGxIQSBrWmh2ZlpDdTJvcHJWTkYx -enNqUDlHblA1WXRLSSs1cUZLdldMeUhmWUZjCmh5Zmc1U1JOOHphbDBiZ25NY2RU -WmdUWFFremtPOU8vS3ljemtyUkd6ajgKLT4gPy1ncmVhc2UgLGJlICF3UDMKSUlw -RzRxT2hSbFhqZDVrdDBQZmVpQ1VFMk9vL3VyOEFkajUrb3g5ZjNRY0dMKzBVR2pW -KwotLS0gMHJxTlhML0RQZnlTaUQ2b2NrT1FEbktmSXpUa0t0clpvSHM5M1F1Qkdw -TQpoSJHQulHF3CW1yg4XaWpnu6d6MxwKouIA48nlXSBWvTQEgzs4uskXWFaxRqGP -I/wXpZuekwtjIc8odvlRUw2rWZuJwJbBNBJVcUTERcvUJS+GDWidgM2R4lI1W20A -eQ9CxofpGd0Gwj+ra11ub9G/pPdLI8S2ZkgNVT39pYiSUPT2IG1qP67U8g== ------END AGE ENCRYPTED FILE----- diff --git a/services/minimalConfig/vm.nix b/services/minimalConfig/vm.nix deleted file mode 100644 index cfe1faa..0000000 --- a/services/minimalConfig/vm.nix +++ /dev/null 
@@ -1,53 +0,0 @@
-{
- lib,
- config,
- modulesPath,
- ...
-}: let
- cfg = config.services.vm;
-in {
- options.services.vm = {
- enable = lib.mkEnableOption "Enable LXC container config";
- };
- config = lib.mkIf cfg.enable {
- security.sudo.wheelNeedsPassword = false;
-
- networking = {
- dhcpcd.enable = false;
- };
-
- systemd.network.enable = true;
-
- services = {
- qemuGuest.enable = true;
- cloud-init = {
- enable = true;
- network.enable = true;
- config = ''
- system_info:
- distro: nixos
- network:
- renderers: [ 'networkd' ]
- default_user:
- name: ops
- users:
- - default
- ssh_pwauth: false
- chpasswd:
- expire: false
- cloud_init_modules:
- - migrator
- - seed_random
- - growpart
- - resizefs
- cloud_config_modules:
- - disk_setup
- - mounts
- - set-passwords
- - ssh
- cloud_final_modules: []
- '';
- };
- };
- };
-}
diff --git a/systems/minimalLXCConfig.nix b/systems/minimalLXCConfig.nix
index 13bb00b..cf89677 100644
--- a/systems/minimalLXCConfig.nix
+++ b/systems/minimalLXCConfig.nix
@@ -99,13 +99,6 @@
 ];
 };
- age.secrets = {
- cs-lapi-key = {
- file = ../secrets/cs-lapi-key.age;
- owner = "crowdsec";
- };
- };
-
 services = {
 openssh = {
 enable = true;
@@ -131,7 +124,6 @@
 general = {
 prometheus.listen_addr = "0.0.0.0";
 };
- lapi.credentialsFile = "${config.age.secrets.cs-lapi-key.path}";
 };
 hub.collections = [
 "crowdsecurity/linux"