diff --git a/services/grafana/default.nix b/services/grafana/default.nix
index 670d17e..8450b40 100644
--- a/services/grafana/default.nix
+++ b/services/grafana/default.nix
@@ -33,276 +33,310 @@ in { }; kuma-token.file = ./secrets/kuma-token.age; }; - services.rsyslogd = { - enable = true; - extraConfig = '' - ruleset(name="remote"){ - action(type="omfwd" Target="localhost" Port="1514" Protocol="tcp" Template="RSYSLOG_SyslogProtocol23Format" TCP_Framing="octet-counted") - } - - module(load="imudp") - input(type="imudp" port="514" ruleset="remote") - - module(load="imtcp") - input(type="imtcp" port="514" ruleset="remote") - ''; - }; - services.influxdb2 = { - enable = true; - }; - services.grafana = { - enable = true; - settings = { - server = { - protocol = "http"; - http_addr = "${cfg.vm_ip}"; - http_port = 3000; - domain = "logs.le43.eu"; - root_url = "https://logs.le43.eu"; - serve_from_sub_path = false; - }; - database = { - type = "postgres"; - host = "${cfg.pgsql_ip}:5432"; - name = "grafana"; - user = "grafana"; - password = "\$__file{${config.age.secrets.grafana-db.path}}"; - }; - "auth.generic_oauth" = { - enabled = "true"; - name = "authentik"; - allow_sign_up = "true"; - client_id = "9HV82G8F92Jcbw4nP8eppMcPpLcAw5uYpejfReLy"; - client_secret = "\$__file{${config.age.secrets.grafana-oauth_secret.path}}"; - scopes = "openid email profile"; - auth_url = "https://authentik.le43.eu/application/o/authorize/"; - token_url = "https://authentik.le43.eu/application/o/token/"; - api_url = "https://authentik.le43.eu/application/o/userinfo/"; - role_attribute_path = "contains(groups, 'admin') && 'Admin' || contains(groups, 'admin') && 'Editor' || 'Viewer';role_attribute_strict = false"; - allow_assign_grafana_admin = "true"; - }; - }; - }; - services.prometheus = { - enable = true; - port = 9001; - scrapeConfigs = [ - { - job_name = "kuma"; - scrape_interval = "30s"; - scheme = "http"; - static_configs = [ - { - targets = ["192.168.1.90:3001"]; - } - ]; - basic_auth.username = "tbarnouin"; - basic_auth.password_file = config.age.secrets.kuma-token.path; - } - { - job_name = "grafana"; - static_configs = [ - { - targets = 
["127.0.0.1:9002"]; - } - ]; - } - { - job_name = "opportunity"; - static_configs = [ - { - targets = ["192.168.1.125:9100"]; - } - ]; - } - { - job_name = "nginx"; - static_configs = [ - { - targets = ["${cfg.proxy_ip}:9002"]; - } - ]; - } - { - job_name = "crowdsec_nginx"; - static_configs = [ - { - targets = ["${cfg.proxy_ip}:6060"]; - } - ]; - } - { - job_name = "redis"; - static_configs = [ - { - targets = ["192.168.1.16:9002"]; - } - ]; - } - { - job_name = "ingenuity"; - static_configs = [ - { - targets = ["192.168.1.90:9100"]; - } - ]; - } - { - job_name = "gitea"; - static_configs = [ - { - targets = ["192.168.1.14:9002"]; - } - ]; - } - { - job_name = "postgresql"; - static_configs = [ - { - targets = ["192.168.1.13:9002"]; - } - ]; - } - { - job_name = "nextcloud"; - static_configs = [ - { - targets = ["192.168.1.45:9100"]; - } - ]; - } - { - job_name = "jellyfin"; - static_configs = [ - { - targets = ["192.168.1.42:9100"]; - } - ]; - } - ]; - }; - services.loki = { - enable = true; - configuration = { - server.http_listen_port = 3100; - server.grpc_listen_port = 9096; - auth_enabled = false; - ingester = { - lifecycler = { - address = "192.168.1.27"; - ring = { - kvstore = { - store = "inmemory"; - }; - replication_factor = 1; - }; - }; - chunk_idle_period = "1h"; - max_chunk_age = "1h"; - chunk_target_size = 999999; - chunk_retain_period = "30s"; - }; - schema_config = { - configs = [ - { - from = "2022-06-06"; - store = "boltdb-shipper"; - object_store = "filesystem"; - schema = "v13"; - index = { - prefix = "index_"; - period = "24h"; - }; - } - ]; - }; - storage_config = { - boltdb_shipper = { - active_index_directory = "/var/lib/loki/boltdb-shipper-active"; - cache_location = "/var/lib/loki/boltdb-shipper-cache"; - cache_ttl = "24h"; - }; - - filesystem = { - directory = "/var/lib/loki/chunks"; - }; - }; - - limits_config = { - reject_old_samples = true; - reject_old_samples_max_age = "168h"; - allow_structured_metadata = false; - }; - - 
table_manager = { - retention_deletes_enabled = false; - retention_period = "0s"; - }; - compactor = { - working_directory = "/var/lib/loki"; - compactor_ring = { - kvstore = { - store = "inmemory"; - }; - }; - }; - }; - }; - services.promtail = { - enable = true; - configuration = { - server = { - http_listen_port = 3101; - grpc_listen_port = 9095; - }; - positions = { - filename = "/tmp/positions.yaml"; - }; - clients = [ - { - url = "http://127.0.0.1:3100/loki/api/v1/push"; - } + services = { + crowdsec = { + hub.collections = [ + "LePresidente/grafana" ]; - scrape_configs = [ - { - job_name = "syslog"; - syslog = { - listen_address = "0.0.0.0:1514"; - listen_protocol = "tcp"; - idle_timeout = "60s"; + localConfig = { + acquisitions = [ + { + source = "journalctl"; + journalctl_filter = [ "_SYSTEMD_UNIT=grafana.service" ]; labels = { - job = "syslog"; + type = "syslog"; }; - }; - relabel_configs = [ + } + ]; + }; + }; + rsyslogd = { + enable = true; + extraConfig = '' + ruleset(name="remote"){ + action(type="omfwd" Target="localhost" Port="1514" Protocol="tcp" Template="RSYSLOG_SyslogProtocol23Format" TCP_Framing="octet-counted") + } + + module(load="imudp") + input(type="imudp" port="514" ruleset="remote") + + module(load="imtcp") + input(type="imtcp" port="514" ruleset="remote") + ''; + }; + influxdb2 = { + enable = true; + }; + grafana = { + enable = true; + settings = { + server = { + protocol = "http"; + http_addr = "${cfg.vm_ip}"; + http_port = 3000; + domain = "logs.le43.eu"; + root_url = "https://logs.le43.eu"; + serve_from_sub_path = false; + }; + database = { + type = "postgres"; + host = "${cfg.pgsql_ip}:5432"; + name = "grafana"; + user = "grafana"; + password = "\$__file{${config.age.secrets.grafana-db.path}}"; + }; + "auth.generic_oauth" = { + enabled = "true"; + name = "authentik"; + allow_sign_up = "true"; + client_id = "9HV82G8F92Jcbw4nP8eppMcPpLcAw5uYpejfReLy"; + client_secret = "\$__file{${config.age.secrets.grafana-oauth_secret.path}}"; + 
scopes = "openid email profile"; + auth_url = "https://authentik.le43.eu/application/o/authorize/"; + token_url = "https://authentik.le43.eu/application/o/token/"; + api_url = "https://authentik.le43.eu/application/o/userinfo/"; + role_attribute_path = "contains(groups, 'admin') && 'Admin' || contains(groups, 'admin') && 'Editor' || 'Viewer';role_attribute_strict = false"; + allow_assign_grafana_admin = "true"; + }; + }; + }; + prometheus = { + enable = true; + port = 9001; + scrapeConfigs = [ + { + job_name = "kuma"; + scrape_interval = "30s"; + scheme = "http"; + static_configs = [ { - source_labels = ["__syslog_message_hostname"]; - target_label = "host"; + targets = ["192.168.1.90:3001"]; } + ]; + basic_auth.username = "tbarnouin"; + basic_auth.password_file = config.age.secrets.kuma-token.path; + } + { + job_name = "grafana"; + static_configs = [ { - source_labels = ["__syslog_message_hostname"]; - target_label = "hostname"; + targets = ["127.0.0.1:9002"]; } + ]; + } + { + job_name = "opportunity"; + static_configs = [ { - source_labels = ["__syslog_message_severity"]; - target_label = "level"; + targets = ["192.168.1.125:9100"]; } + ]; + } + { + job_name = "nginx"; + static_configs = [ { - source_labels = ["__syslog_message_app_name"]; - target_label = "application"; + targets = ["${cfg.proxy_ip}:9002"]; } + ]; + } + { + job_name = "crowdsec_nginx"; + static_configs = [ { - source_labels = ["__syslog_message_facility"]; - target_label = "facility"; + targets = ["${cfg.proxy_ip}:6060"]; } + ]; + } + { + job_name = "redis"; + static_configs = [ { - source_labels = ["__syslog_connection_hostname"]; - target_label = "connection_hostname"; + targets = ["192.168.1.16:9002"]; + } + ]; + } + { + job_name = "ingenuity"; + static_configs = [ + { + targets = ["192.168.1.90:9100"]; + } + ]; + } + { + job_name = "gitea"; + static_configs = [ + { + targets = ["192.168.1.14:9002"]; + } + ]; + } + { + job_name = "postgresql"; + static_configs = [ + { + targets = 
["192.168.1.13:9002"]; + } + ]; + } + { + job_name = "nextcloud"; + static_configs = [ + { + targets = ["192.168.1.45:9100"]; + } + ]; + } + { + job_name = "crowdsec_nextcloud"; + static_configs = [ + { + targets = ["192.168.1.45:6060"]; + } + ]; + } + { + job_name = "jellyfin"; + static_configs = [ + { + targets = ["192.168.1.42:9100"]; + } + ]; + } + { + job_name = "crowdsec_jellyfin"; + static_configs = [ + { + targets = ["192.168.1.42:6060"]; } ]; } ]; }; + loki = { + enable = true; + configuration = { + server.http_listen_port = 3100; + server.grpc_listen_port = 9096; + auth_enabled = false; + ingester = { + lifecycler = { + address = "192.168.1.27"; + ring = { + kvstore = { + store = "inmemory"; + }; + replication_factor = 1; + }; + }; + chunk_idle_period = "1h"; + max_chunk_age = "1h"; + chunk_target_size = 999999; + chunk_retain_period = "30s"; + }; + schema_config = { + configs = [ + { + from = "2022-06-06"; + store = "boltdb-shipper"; + object_store = "filesystem"; + schema = "v13"; + index = { + prefix = "index_"; + period = "24h"; + }; + } + ]; + }; + storage_config = { + boltdb_shipper = { + active_index_directory = "/var/lib/loki/boltdb-shipper-active"; + cache_location = "/var/lib/loki/boltdb-shipper-cache"; + cache_ttl = "24h"; + }; + + filesystem = { + directory = "/var/lib/loki/chunks"; + }; + }; + + limits_config = { + reject_old_samples = true; + reject_old_samples_max_age = "168h"; + allow_structured_metadata = false; + }; + + table_manager = { + retention_deletes_enabled = false; + retention_period = "0s"; + }; + compactor = { + working_directory = "/var/lib/loki"; + compactor_ring = { + kvstore = { + store = "inmemory"; + }; + }; + }; + }; + }; + promtail = { + enable = true; + configuration = { + server = { + http_listen_port = 3101; + grpc_listen_port = 9095; + }; + positions = { + filename = "/tmp/positions.yaml"; + }; + clients = [ + { + url = "http://127.0.0.1:3100/loki/api/v1/push"; + } + ]; + scrape_configs = [ + { + job_name = 
"syslog"; + syslog = { + listen_address = "0.0.0.0:1514"; + listen_protocol = "tcp"; + idle_timeout = "60s"; + labels = { + job = "syslog"; + }; + }; + relabel_configs = [ + { + source_labels = ["__syslog_message_hostname"]; + target_label = "host"; + } + { + source_labels = ["__syslog_message_hostname"]; + target_label = "hostname"; + } + { + source_labels = ["__syslog_message_severity"]; + target_label = "level"; + } + { + source_labels = ["__syslog_message_app_name"]; + target_label = "application"; + } + { + source_labels = ["__syslog_message_facility"]; + target_label = "facility"; + } + { + source_labels = ["__syslog_connection_hostname"]; + target_label = "connection_hostname"; + } + ]; + } + ]; + }; + }; }; # Open ports in the firewall. diff --git a/services/minimalConfig/default.nix b/services/minimalConfig/default.nix index 3993631..d46bc57 100644 --- a/services/minimalConfig/default.nix +++ b/services/minimalConfig/default.nix @@ -91,6 +91,13 @@ ]; }; + age.secrets = { + cs-lapi-key = { + file = ./secrets/cs-lapi-key.age; + owner = "crowdsec"; + }; + }; + services = { openssh = { enable = true; @@ -107,6 +114,21 @@ fail2ban = { enable = true; }; + crowdsec = { + enable = true; + package = pkgs.crowdsec; + autoUpdateService = false; + openFirewall = true; + settings = { + general = { + prometheus.listen_addr = "0.0.0.0"; + }; + lapi.credentialsFile = "${config.age.secrets.cs-lapi-key.path}"; + }; + hub.collections = [ + "crowdsecurity/linux" + ]; + }; rsyslogd = { enable = true; extraConfig = "*.*@192.168.1.27:514;RSYSLOG_SyslogProtocol23Format"; diff --git a/services/nginx/default.nix b/services/nginx/default.nix index 6c3ef29..3ffdaaf 100644 --- a/services/nginx/default.nix +++ b/services/nginx/default.nix @@ -15,12 +15,6 @@ in { }; }; config = lib.mkIf cfg.enable { - age.secrets = { - cs-lapi-key = { - file = ./secrets/cs-lapi-key.age; - owner = "crowdsec"; - }; - }; security.acme = { acceptTerms = true; defaults.email = "theo.barnouin@le43.eu"; 
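Review bot: The `role_attribute_path` under `"auth.generic_oauth"` still carries the next setting inside its quoted string — `;role_attribute_strict = false` is part of the JMESPath expression, which is not valid JMESPath, so Grafana cannot evaluate the mapping and `role_attribute_strict` is never actually configured; the second clause `contains(groups, 'admin') && 'Editor'` also repeats the Admin test and can never match. Split it into two keys and use the group that was presumably intended for editors: `role_attribute_path = "contains(groups, 'admin') && 'Admin' || contains(groups, 'editor') && 'Editor' || 'Viewer'";` followed by `role_attribute_strict = false;`. Because `allow_assign_grafana_admin = "true"` makes this expression the gate to server-admin rights, verify the resulting role with a test login per group after the change. The new crowdsec acquisition labels the grafana journal as `type = "syslog"`; check that the `LePresidente/grafana` parsers match that type, otherwise the lines are collected but never parsed. The enclosing `config` attrset starts before this hunk and continues after it.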
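Review bot: The new `cs-lapi-key` secret references `./secrets/cs-lapi-key.age` relative to `services/minimalConfig/`, but the only such file this diff touches is `services/nginx/secrets/cs-lapi-key.age`; unless `services/minimalConfig/secrets/cs-lapi-key.age` already exists in the tree, the build fails on every host that imports this module. Note also that one encrypted credential file is now shared by every minimal host, so all agents present the same machine identity to the LAPI and a single leak means re-keying the whole fleet; one `.age` file per host (or registering each agent with its own machine credentials) keeps revocation scoped to the affected machine. The enclosing attrset begins before the hunk.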
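Review bot: `prometheus.listen_addr = "0.0.0.0"` together with `openFirewall = true` exposes each agent's metrics endpoint to every host on the network, while the `crowdsec_*` scrape jobs added in `services/grafana/default.nix` show that only the Prometheus host needs to reach port 6060; depending on what `openFirewall` opens in this module, the LAPI port may be opened on every agent as well, although only the nginx host runs a LAPI. Prefer `openFirewall = false;` plus a source-restricted rule for the scraper, e.g. `networking.firewall.extraCommands = "iptables -A nixos-fw -p tcp -s <PROMETHEUS_HOST_IP> --dport 6060 -j nixos-fw-accept";` (placeholder address). The enclosing `services` attrset continues outside the hunk.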
@@ -34,14 +28,10 @@ in { package = inputs.crowdsec.packages."x86_64-linux".crowdsec-firewall-bouncer; settings = { api_key = "XIgNVuxdP74m+UPbd3WJnHHJdLhRiTbhuH6z2mPRIFg"; - api_url = "http://127.0.0.1:8080"; + api_url = "http://${cfg.proxy_ip}:8080"; }; }; crowdsec = { - enable = true; - package = pkgs.crowdsec; - autoUpdateService = false; - openFirewall = true; settings = { general = { api = { @@ -50,19 +40,14 @@ in { listen_uri = "${cfg.proxy_ip}:8080"; }; }; - prometheus.listen_addr = "0.0.0.0"; }; - lapi.credentialsFile = "${config.age.secrets.cs-lapi-key.path}"; }; hub.collections = [ "firix/authentik" "crowdsecurity/sshd" "crowdsecurity/linux" "crowdsecurity/nginx" - "LePresidente/grafana" - "LePresidente/jellyfin" "crowdsecurity/http-cve" - "crowdsecurity/nextcloud" "crowdsecurity/base-http-scenarios" ]; localConfig = { diff --git a/services/nginx/secrets/cs-lapi-key.age b/services/nginx/secrets/cs-lapi-key.age index 1894af4..76ce123 100644 --- a/services/nginx/secrets/cs-lapi-key.age +++ b/services/nginx/secrets/cs-lapi-key.age 
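Review bot: With `api_url` moved from loopback to `http://${cfg.proxy_ip}:8080`, the bouncer now authenticates over plain HTTP on the LAN using the `api_key` literal kept directly above it, so that key both lives in cleartext in the repository and crosses the network unencrypted on every decision poll; the machine credentials from `cs-lapi-key` that every agent now sends to this LAPI travel the same way. Move `api_key` into an age secret like the LAPI key and rotate the committed value, and consider serving the LAPI over TLS (crowdsec's `api.server.tls` settings) so that `api_url` can become `https://`. The enclosing `crowdsec` attrset continues past the hunk.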
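Review bot: `LePresidente/jellyfin` and `crowdsecurity/nextcloud` are dropped from this host's `hub.collections` while nothing in this diff adds them elsewhere, even though the new `crowdsec_nextcloud` and `crowdsec_jellyfin` scrape jobs suggest those hosts now run agents with only the generic `crowdsecurity/linux` collection from `minimalConfig`; unless their own modules (outside this diff) load those collections, their application logs are no longer matched by any scenario. If this host also imports `minimalConfig`, `crowdsecurity/linux` now appears twice in the merged list — harmless if the module deduplicates, otherwise worth removing here. `localConfig` continues past the end of the hunk.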
@@ -1,13 +1,13 @@ -----BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyBPc0Q4 -UU1TbDBWL3RKQ2VQRDZncE9sZC8vVVdESzYxNkQ0amoySFdNZFRJClVpS3ZaeFhP -WVNpQXJQbWp2aDMyMldkdVczdkZCTU5McFpRMTN6NXBtQkkKLT4gc3NoLWVkMjU1 -MTkgbXUwZm5BIFlxK0RKY0plTmtGV2FYZHBUMjlVa1FwYkRkalVyUEsvREJ3VmFz -SXVUVWMKZGF1eW9MbkhuajU5aFhHcml4TDVHQVZtZ1ZDbXIzdXRXNERmOGtkYm50 -NAotPiBGLWdyZWFzZSBaUnNXYQo0U0ovMWZTaXhZdy96dWRpY1lud3V3cFNoSnFS -WExsWEs5VVI2NG5XcHI4eVlJWFZoQVpCVEs2QnkxT3p6b01RCmIrbjZVTWU5U2VV -VHpTcVIxM01ECi0tLSBqV0ZTbndQU2xQMjcwQUxRR1dCQ2JsSnlpUzlrMmRVUXRH -aytLOStjYmJnCg2ocDo5O53RoiV3p9kGD+NulQKb1+01Ay1R2W0Upcgpu132Rexy -nwUvMrRbPgWUdgeUjkhKJ/ZR1gCVEav38aUsZugs39ndLYOwpluw5lUs+i2piB7k -rOC+NhPXSXJLMb4vKdkkioJehv+VbSZ9M4PW2vbsziQAhfWErm7RAi/FvtoUdypT +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyByTU5i +RzF4ZE4zQk8zeTNqN2hYVGU1cmZwYkR6bTAwZUlZUWNaNGdmc0RVClRwN1YyVnZj +a0pjRERBY0tPbjdyMVNpVHZONW9uKzA3aHNGbjUzeVNmbFEKLT4gc3NoLWVkMjU1 +MTkgbXUwZm5BIHBxYWhuVDNyZVNFbjF1aTVVQjNERS9FalNSMGZKa2FSV2ZqaGFk +Z2ZxeTQKcFFYNm5aTHRzWHJqb1pBdHAyd3c4OUZFSXdhZVp5T1BvcS9oQllENmlD +YwotPiBrfmFlTnUtZ3JlYXNlICM8IH5iekBhWGo+CmsrNFE2eTkzamlLeGVSRUFP +M3JRTEVaaEpQVDhuOVhWQ3hPdjc5T21GU2xJKzhBaFprUXVWY3FmUm1NCi0tLSAr +QVY3S2kyOU1SL0NEaEJNMm9xR0lmUHVFU0VVYkhJcTBkdEl3Skp0N3F3Ck+9Y6el +QMrUREWKK7hxuZRE2gVoSQj/ia8xNWRALMOgY+FgskwRwFLaJhI+hwfAexUHuDbn +I80dUbUsM/ccELMs3nx6DWbchUWh9KMHYejyBMRX6NpHy1UDq+q80zile9WPygtk +fmVPd6OOd/84e3pFmIcgTteDVnadLiZNvDVapVVbJqm8B72h -----END AGE ENCRYPTED FILE-----