Delete unused minimalConfig services (migrated to systems/) and working crowdsec config

This commit is contained in:
Théo Barnouin 2025-04-14 14:33:41 +02:00
parent 50f70d01aa
commit 8b007885cd
7 changed files with 9 additions and 268 deletions


@ -23,6 +23,10 @@ in {
};
config = lib.mkIf cfg.enable {
age.secrets = {
grafana-lapi-key = {
file = ../../secrets/grafana-lapi-key.age;
owner = "crowdsec";
};
grafana-db = {
file = ./secrets/grafana-db.age;
owner = "grafana";
@ -35,6 +39,7 @@ in {
};
services = {
crowdsec = {
settings.lapi.credentialsFile = "${config.age.secrets.grafana-lapi-key.path}";
hub.collections = [
"LePresidente/grafana"
];
@ -44,7 +49,7 @@ in {
source = "journalctl";
journalctl_filter = [ "_SYSTEMD_UNIT=grafana.service" ];
labels = {
type = "syslog";
type = "journald";
};
}
];
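Review bot: The acquisition label switched to `type = "journald"` on the new side, but nothing in this hunk shows that the `LePresidente/grafana` collection ships a parser filtering on that label; as far as I recall the hub's stock syslog parser keys on `type == 'syslog'`, so if the grafana parser expects the syslog-parsed `program` field these journal lines would be left unparsed without any error. I would check the acquisition parsed/unparsed counters in `cscli metrics` after deploy and either keep `syslog` or confirm the collection has a journald-aware parser. Separately, the new secret points at `../../secrets/grafana-lapi-key.age` while `grafana-db` two lines below uses `./secrets/grafana-db.age`; one of the two relative paths is probably wrong unless the secrets really live in two directories. The enclosing `config = lib.mkIf cfg.enable { … }` attrset continues outside the hunk.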


@ -10,11 +10,9 @@ in {
enable = lib.mkEnableOption "Enable minimal config";
};
config = lib.mkIf cfg.enable {
age.secrets = {
cs-lapi-key = {
file = ../../secrets/jellyfin-lapi-key.age;
owner = "crowdsec";
};
age.secrets.jellyfin-lapi-key = {
file = ../../secrets/jellyfin-lapi-key.age;
owner = "crowdsec";
};
systemd.services.jellyfin.environment.LIBVA_DRIVER_NAME = "iHD";
environment = {
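Review bot: The secret attribute is renamed from `cs-lapi-key` to `jellyfin-lapi-key`, but its consumer — presumably a `services.crowdsec.settings.lapi.credentialsFile = "${config.age.secrets.cs-lapi-key.path}";` further down this module — is not in the hunk, and with the minimalConfig definition of `cs-lapi-key` deleted in the same commit, an un-updated reference fails evaluation on a missing attribute rather than silently reusing the old secret. I would grep this module for `cs-lapi-key` before merging; the pending "Build Nix targets" check should catch it too, but only if this module is enabled on a built target. The `config = lib.mkIf cfg.enable {` attrset continues past the end of the hunk.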


@ -1,151 +0,0 @@
{
config,
pkgs,
lib,
inputs,
modulesPath,
...
}: {
imports = [
./lxc.nix
./vm.nix
];
nix = {
settings.experimental-features = ["nix-command" "flakes"];
settings.trusted-users = ["root" "@wheel"];
};
networking = {
firewall = {
enable = true;
allowedTCPPorts = [22 9002];
};
};
time.timeZone = "Europe/Paris";
console.keyMap = "fr";
i18n.defaultLocale = "fr_FR.UTF-8";
environment.sessionVariables = rec {
TERM = "xterm-256color";
};
nix.gc = {
automatic = true;
dates = "daily";
options = "--delete-old";
};
security.sudo.wheelNeedsPassword = false;
users = {
users.tbarnouin = {
isNormalUser = true;
extraGroups = ["wheel" "video" "render"];
shell = pkgs.zsh;
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAxccGxdfOFXeEClqz3ULl94ubzaJnk4pUus+ek18G0B tbarnouin@nixos"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICf1B0nxNMvPWSR9pStdtx2x6Iw+JUeCCt1CKWoD8dsr"
];
};
users.root = {
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAxccGxdfOFXeEClqz3ULl94ubzaJnk4pUus+ek18G0B tbarnouin@nixos"
];
};
};
programs = {
zsh = {
enable = true;
shellAliases = {
ll = "ls -l";
lla = "ls -lah";
};
ohMyZsh = {
enable = true;
plugins = ["git"];
theme = "bira";
};
};
tmux = {
enable = true;
};
};
nixpkgs.config.allowUnfree = true;
environment = {
localBinInPath = true;
systemPackages = with pkgs; [
vim
bash
wget
curl
git
htop
tree
dig
ncdu
nmap
iperf3
netcat-openbsd
];
};
age.secrets = {
cs-lapi-key = {
file = ./secrets/cs-lapi-key.age;
owner = "crowdsec";
};
};
services = {
openssh = {
enable = true;
settings.PasswordAuthentication = false;
settings.KbdInteractiveAuthentication = false;
settings.PermitRootLogin = "prohibit-password";
hostKeys = [
{
path = "/etc/ssh/ssh_host_ed25519_key";
type = "ed25519";
}
];
};
fail2ban = {
enable = true;
};
crowdsec = {
enable = true;
package = pkgs.crowdsec;
autoUpdateService = false;
openFirewall = true;
settings = {
general = {
prometheus.listen_addr = "0.0.0.0";
};
lapi.credentialsFile = "${config.age.secrets.cs-lapi-key.path}";
};
hub.collections = [
"crowdsecurity/linux"
];
};
rsyslogd = {
enable = true;
extraConfig = "*.*@192.168.1.27:514;RSYSLOG_SyslogProtocol23Format";
};
prometheus = {
exporters = {
node = {
enable = true;
enabledCollectors = ["systemd"];
port = 9002;
};
};
};
};
system = {
stateVersion = "24.11";
activationScripts.ensure-ssh-key-dir.text = "mkdir -p /etc/ssh";
};
}


@ -1,26 +0,0 @@
{
lib,
config,
modulesPath,
...
}: let
cfg = config.services.lxc;
in {
options.services.lxc = {
enable = lib.mkEnableOption "Enable LXC container config";
};
config = lib.mkIf cfg.enable {
boot.isContainer = true;
proxmoxLXC = {
enable = true;
privileged = false;
manageNetwork = false;
manageHostName = false;
};
systemd.suppressedSystemUnits = [
"dev-mqueue.mount"
"sys-kernel-debug.mount"
"sys-fs-fuse-connections.mount"
];
};
}


@ -1,24 +0,0 @@
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyBxYmNh
UXErOHVUTG5OSjFZU1I0NlpuQWlWTkhQeWx0dmRqQ3IxRjhNY0hNCngySy8xZjR6
ZVRRRzJVb1lXYjErOVM1RE9rQk56ZzlaTE1IcnZiVUtRWGMKLT4gc3NoLWVkMjU1
MTkgd25FVXB3IGhOYnVTdHB4ZmR1MHZ0YWNhOW8zcE5FR01mYlArZnhMalpreFdW
R3VvZ2MKeFdkdEZUa1BMZ3pyRlNEa2FKbmtLUTcxeUJzOGR5c25EWXRMU01ybWJr
RQotPiBzc2gtZWQyNTUxOSBubUtTK0EgT01yM1NQSUxqS1h3ZDhINERER01JQkxU
ZnNNSGhSYStRQXoyS1NnUVltOApRY09ueTVkSTRjTFdXZXBQd1RPcnBXRkN4TmI3
Z2ZkbmF3WE1yait1R0Q4Ci0+IHNzaC1lZDI1NTE5IHNpbmd2USBzK1JGVHk2c0py
aVNSWWNLRTlqUkYwdHkrcjVQZm9BRThIN0szTjd3aWhjClpYQVBqMStGMzUyY0lI
aFRQZXFCUEw1OEhtRjZiUTJ0OGo4bkZBN3VMRjgKLT4gc3NoLWVkMjU1MTkgeHFt
eWpBIHJJSzZORklZMWo0ZmRCTTN2TFY4R3hqc3QxdzNmU2ZOalA4S2JBMlFyblkK
SlhMU3JQdThodWNzSTRmN2F0UEsyNStDREVBZ2o4ZnhSSi91Z0E3anFYQQotPiBz
c2gtZWQyNTUxOSBtdTBmbkEgb1VOR3FIVzdleERSOUdCSUpCMTQ4eXdmSmpaS3Ri
cEtSV05iNHdVOUJqSQpwZ081SVNQV2ozVkZYMTNUNlFtWm1Ybk9vMVNqU0pZVHk3
YnJaRGRWMk04Ci0+IHNzaC1lZDI1NTE5IHVmRGxIQSBrWmh2ZlpDdTJvcHJWTkYx
enNqUDlHblA1WXRLSSs1cUZLdldMeUhmWUZjCmh5Zmc1U1JOOHphbDBiZ25NY2RU
WmdUWFFremtPOU8vS3ljemtyUkd6ajgKLT4gPy1ncmVhc2UgLGJlICF3UDMKSUlw
RzRxT2hSbFhqZDVrdDBQZmVpQ1VFMk9vL3VyOEFkajUrb3g5ZjNRY0dMKzBVR2pW
KwotLS0gMHJxTlhML0RQZnlTaUQ2b2NrT1FEbktmSXpUa0t0clpvSHM5M1F1Qkdw
TQpoSJHQulHF3CW1yg4XaWpnu6d6MxwKouIA48nlXSBWvTQEgzs4uskXWFaxRqGP
I/wXpZuekwtjIc8odvlRUw2rWZuJwJbBNBJVcUTERcvUJS+GDWidgM2R4lI1W20A
eQ9CxofpGd0Gwj+ra11ub9G/pPdLI8S2ZkgNVT39pYiSUPT2IG1qP67U8g==
-----END AGE ENCRYPTED FILE-----


@ -1,53 +0,0 @@
{
lib,
config,
modulesPath,
...
}: let
cfg = config.services.vm;
in {
options.services.vm = {
enable = lib.mkEnableOption "Enable LXC container config";
};
config = lib.mkIf cfg.enable {
security.sudo.wheelNeedsPassword = false;
networking = {
dhcpcd.enable = false;
};
systemd.network.enable = true;
services = {
qemuGuest.enable = true;
cloud-init = {
enable = true;
network.enable = true;
config = ''
system_info:
distro: nixos
network:
renderers: [ 'networkd' ]
default_user:
name: ops
users:
- default
ssh_pwauth: false
chpasswd:
expire: false
cloud_init_modules:
- migrator
- seed_random
- growpart
- resizefs
cloud_config_modules:
- disk_setup
- mounts
- set-passwords
- ssh
cloud_final_modules: []
'';
};
};
};
}


@ -99,13 +99,6 @@
];
};
age.secrets = {
cs-lapi-key = {
file = ../secrets/cs-lapi-key.age;
owner = "crowdsec";
};
};
services = {
openssh = {
enable = true;
@ -131,7 +124,6 @@
general = {
prometheus.listen_addr = "0.0.0.0";
};
lapi.credentialsFile = "${config.age.secrets.cs-lapi-key.path}";
};
hub.collections = [
"crowdsecurity/linux"
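Review bot: With `lapi.credentialsFile` dropped, the crowdsec block that remains on the new side configures no LAPI credentials at all, so unless this host runs its own local LAPI and the module registers the agent against it automatically, the agent has nothing to authenticate with and decisions will stop reaching bouncers — worth confirming with `cscli lapi status` after deploy. While here, `prometheus.listen_addr = "0.0.0.0"` binds the metrics endpoint, which as far as I know carries no authentication, on every interface; I would pin it to the scrape interface or `127.0.0.1` and open only that port toward the Prometheus host, e.g. `prometheus.listen_addr = "127.0.0.1";`. The `services.crowdsec` attrset and its surrounding `services = {` block start before this hunk and continue after it.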