tbarnouin/nixos-hypervisor
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Try to implement crowdsec everywhere, connected to central lapi

Browse source
This commit is contained in:
Théo Barnouin 2025-04-04 17:30:31 +02:00
parent 4d337df460
commit d90a031c68
4 changed files with 319 additions and 278 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

46
services/grafana/default.nix
View file

@ -33,7 +33,24 @@ in {
}; };
kuma-token.file = ./secrets/kuma-token.age; kuma-token.file = ./secrets/kuma-token.age;
}; };
services.rsyslogd = { services = {
crowdsec = {
hub.collections = [
"LePresidente/grafana"
];
localConfig = {
acquisitions = [
{
source = "journalctl";
journalctl_filter = [ "_SYSTEMD_UNIT=grafana.service" ];
labels = {
type = "syslog";
};
}
];
};
};
rsyslogd = {
enable = true; enable = true;
extraConfig = '' extraConfig = ''
ruleset(name="remote"){ ruleset(name="remote"){
@ -47,10 +64,10 @@ in {
input(type="imtcp" port="514" ruleset="remote") input(type="imtcp" port="514" ruleset="remote")
''; '';
}; };
services.influxdb2 = { influxdb2 = {
enable = true; enable = true;
}; };
services.grafana = { grafana = {
enable = true; enable = true;
settings = { settings = {
server = { server = {
@ -83,7 +100,7 @@ in {
}; };
}; };
}; };
services.prometheus = { prometheus = {
enable = true; enable = true;
port = 9001; port = 9001;
scrapeConfigs = [ scrapeConfigs = [
@ -171,6 +188,14 @@ in {
} }
]; ];
} }
{
job_name = "crowdsec_nextcloud";
static_configs = [
{
targets = ["192.168.1.45:6060"];
}
];
}
{ {
job_name = "jellyfin"; job_name = "jellyfin";
static_configs = [ static_configs = [
@ -179,9 +204,17 @@ in {
} }
]; ];
} }
{
job_name = "crowdsec_jellyfin";
static_configs = [
{
targets = ["192.168.1.42:6060"];
}
];
}
]; ];
}; };
services.loki = { loki = {
enable = true; enable = true;
configuration = { configuration = {
server.http_listen_port = 3100; server.http_listen_port = 3100;
@ -248,7 +281,7 @@ in {
}; };
}; };
}; };
services.promtail = { promtail = {
enable = true; enable = true;
configuration = { configuration = {
server = { server = {
@ -304,6 +337,7 @@ in {
]; ];
}; };
}; };
};
# Open ports in the firewall. # Open ports in the firewall.
networking.firewall.allowedTCPPorts = [3000 3100 3101 8086 9001 1514 514]; networking.firewall.allowedTCPPorts = [3000 3100 3101 8086 9001 1514 514];

22
services/minimalConfig/default.nix
View file

@ -91,6 +91,13 @@
]; ];
}; };
age.secrets = {
cs-lapi-key = {
file = ./secrets/cs-lapi-key.age;
owner = "crowdsec";
};
};
services = { services = {
openssh = { openssh = {
enable = true; enable = true;
@ -107,6 +114,21 @@
fail2ban = { fail2ban = {
enable = true; enable = true;
}; };
crowdsec = {
enable = true;
package = pkgs.crowdsec;
autoUpdateService = false;
openFirewall = true;
settings = {
general = {
prometheus.listen_addr = "0.0.0.0";
};
lapi.credentialsFile = "${config.age.secrets.cs-lapi-key.path}";
};
hub.collections = [
"crowdsecurity/linux"
];
};
rsyslogd = { rsyslogd = {
enable = true; enable = true;
extraConfig = "*.*@192.168.1.27:514;RSYSLOG_SyslogProtocol23Format"; extraConfig = "*.*@192.168.1.27:514;RSYSLOG_SyslogProtocol23Format";

17
services/nginx/default.nix
View file

@ -15,12 +15,6 @@ in {
}; };
}; };
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
age.secrets = {
cs-lapi-key = {
file = ./secrets/cs-lapi-key.age;
owner = "crowdsec";
};
};
security.acme = { security.acme = {
acceptTerms = true; acceptTerms = true;
defaults.email = "theo.barnouin@le43.eu"; defaults.email = "theo.barnouin@le43.eu";
@ -34,14 +28,10 @@ in {
package = inputs.crowdsec.packages."x86_64-linux".crowdsec-firewall-bouncer; package = inputs.crowdsec.packages."x86_64-linux".crowdsec-firewall-bouncer;
settings = { settings = {
api_key = "XIgNVuxdP74m+UPbd3WJnHHJdLhRiTbhuH6z2mPRIFg"; api_key = "XIgNVuxdP74m+UPbd3WJnHHJdLhRiTbhuH6z2mPRIFg";
api_url = "http://127.0.0.1:8080"; api_url = "http://${cfg.proxy_ip}:8080";
}; };
}; };
crowdsec = { crowdsec = {
enable = true;
package = pkgs.crowdsec;
autoUpdateService = false;
openFirewall = true;
settings = { settings = {
general = { general = {
api = { api = {
@ -50,19 +40,14 @@ in {
listen_uri = "${cfg.proxy_ip}:8080"; listen_uri = "${cfg.proxy_ip}:8080";
}; };
}; };
prometheus.listen_addr = "0.0.0.0";
}; };
lapi.credentialsFile = "${config.age.secrets.cs-lapi-key.path}";
}; };
hub.collections = [ hub.collections = [
"firix/authentik" "firix/authentik"
"crowdsecurity/sshd" "crowdsecurity/sshd"
"crowdsecurity/linux" "crowdsecurity/linux"
"crowdsecurity/nginx" "crowdsecurity/nginx"
"LePresidente/grafana"
"LePresidente/jellyfin"
"crowdsecurity/http-cve" "crowdsecurity/http-cve"
"crowdsecurity/nextcloud"
"crowdsecurity/base-http-scenarios" "crowdsecurity/base-http-scenarios"
]; ];
localConfig = { localConfig = {

22
services/nginx/secrets/cs-lapi-key.age
View file

@ -1,13 +1,13 @@
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyBPc0Q4 YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyByTU5i
UU1TbDBWL3RKQ2VQRDZncE9sZC8vVVdESzYxNkQ0amoySFdNZFRJClVpS3ZaeFhP RzF4ZE4zQk8zeTNqN2hYVGU1cmZwYkR6bTAwZUlZUWNaNGdmc0RVClRwN1YyVnZj
WVNpQXJQbWp2aDMyMldkdVczdkZCTU5McFpRMTN6NXBtQkkKLT4gc3NoLWVkMjU1 a0pjRERBY0tPbjdyMVNpVHZONW9uKzA3aHNGbjUzeVNmbFEKLT4gc3NoLWVkMjU1
MTkgbXUwZm5BIFlxK0RKY0plTmtGV2FYZHBUMjlVa1FwYkRkalVyUEsvREJ3VmFz MTkgbXUwZm5BIHBxYWhuVDNyZVNFbjF1aTVVQjNERS9FalNSMGZKa2FSV2ZqaGFk
SXVUVWMKZGF1eW9MbkhuajU5aFhHcml4TDVHQVZtZ1ZDbXIzdXRXNERmOGtkYm50 Z2ZxeTQKcFFYNm5aTHRzWHJqb1pBdHAyd3c4OUZFSXdhZVp5T1BvcS9oQllENmlD
NAotPiBGLWdyZWFzZSBaUnNXYQo0U0ovMWZTaXhZdy96dWRpY1lud3V3cFNoSnFS YwotPiBrfmFlTnUtZ3JlYXNlICM8IH5iekBhWGo+CmsrNFE2eTkzamlLeGVSRUFP
WExsWEs5VVI2NG5XcHI4eVlJWFZoQVpCVEs2QnkxT3p6b01RCmIrbjZVTWU5U2VV M3JRTEVaaEpQVDhuOVhWQ3hPdjc5T21GU2xJKzhBaFprUXVWY3FmUm1NCi0tLSAr
VHpTcVIxM01ECi0tLSBqV0ZTbndQU2xQMjcwQUxRR1dCQ2JsSnlpUzlrMmRVUXRH QVY3S2kyOU1SL0NEaEJNMm9xR0lmUHVFU0VVYkhJcTBkdEl3Skp0N3F3Ck+9Y6el
aytLOStjYmJnCg2ocDo5O53RoiV3p9kGD+NulQKb1+01Ay1R2W0Upcgpu132Rexy QMrUREWKK7hxuZRE2gVoSQj/ia8xNWRALMOgY+FgskwRwFLaJhI+hwfAexUHuDbn
nwUvMrRbPgWUdgeUjkhKJ/ZR1gCVEav38aUsZugs39ndLYOwpluw5lUs+i2piB7k I80dUbUsM/ccELMs3nx6DWbchUWh9KMHYejyBMRX6NpHy1UDq+q80zile9WPygtk
rOC+NhPXSXJLMb4vKdkkioJehv+VbSZ9M4PW2vbsziQAhfWErm7RAi/FvtoUdypT fmVPd6OOd/84e3pFmIcgTteDVnadLiZNvDVapVVbJqm8B72h
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----