tbarnouin/nixos-hypervisor
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Try to implement crowdsec everywhere, connected to central lapi

Browse source
This commit is contained in:
Théo Barnouin 2025-04-04 17:30:31 +02:00
parent 4d337df460
commit d90a031c68
4 changed files with 319 additions and 278 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

536
services/grafana/default.nix
View file

@ -33,276 +33,310 @@ in {
}; };
kuma-token.file = ./secrets/kuma-token.age; kuma-token.file = ./secrets/kuma-token.age;
}; };
services.rsyslogd = { services = {
enable = true; crowdsec = {
extraConfig = '' hub.collections = [
ruleset(name="remote"){ "LePresidente/grafana"
action(type="omfwd" Target="localhost" Port="1514" Protocol="tcp" Template="RSYSLOG_SyslogProtocol23Format" TCP_Framing="octet-counted")
}
module(load="imudp")
input(type="imudp" port="514" ruleset="remote")
module(load="imtcp")
input(type="imtcp" port="514" ruleset="remote")
'';
};
services.influxdb2 = {
enable = true;
};
services.grafana = {
enable = true;
settings = {
server = {
protocol = "http";
http_addr = "${cfg.vm_ip}";
http_port = 3000;
domain = "logs.le43.eu";
root_url = "https://logs.le43.eu";
serve_from_sub_path = false;
};
database = {
type = "postgres";
host = "${cfg.pgsql_ip}:5432";
name = "grafana";
user = "grafana";
password = "\$__file{${config.age.secrets.grafana-db.path}}";
};
"auth.generic_oauth" = {
enabled = "true";
name = "authentik";
allow_sign_up = "true";
client_id = "9HV82G8F92Jcbw4nP8eppMcPpLcAw5uYpejfReLy";
client_secret = "\$__file{${config.age.secrets.grafana-oauth_secret.path}}";
scopes = "openid email profile";
auth_url = "https://authentik.le43.eu/application/o/authorize/";
token_url = "https://authentik.le43.eu/application/o/token/";
api_url = "https://authentik.le43.eu/application/o/userinfo/";
role_attribute_path = "contains(groups, 'admin') && 'Admin' || contains(groups, 'admin') && 'Editor' || 'Viewer';role_attribute_strict = false";
allow_assign_grafana_admin = "true";
};
};
};
services.prometheus = {
enable = true;
port = 9001;
scrapeConfigs = [
{
job_name = "kuma";
scrape_interval = "30s";
scheme = "http";
static_configs = [
{
targets = ["192.168.1.90:3001"];
}
];
basic_auth.username = "tbarnouin";
basic_auth.password_file = config.age.secrets.kuma-token.path;
}
{
job_name = "grafana";
static_configs = [
{
targets = ["127.0.0.1:9002"];
}
];
}
{
job_name = "opportunity";
static_configs = [
{
targets = ["192.168.1.125:9100"];
}
];
}
{
job_name = "nginx";
static_configs = [
{
targets = ["${cfg.proxy_ip}:9002"];
}
];
}
{
job_name = "crowdsec_nginx";
static_configs = [
{
targets = ["${cfg.proxy_ip}:6060"];
}
];
}
{
job_name = "redis";
static_configs = [
{
targets = ["192.168.1.16:9002"];
}
];
}
{
job_name = "ingenuity";
static_configs = [
{
targets = ["192.168.1.90:9100"];
}
];
}
{
job_name = "gitea";
static_configs = [
{
targets = ["192.168.1.14:9002"];
}
];
}
{
job_name = "postgresql";
static_configs = [
{
targets = ["192.168.1.13:9002"];
}
];
}
{
job_name = "nextcloud";
static_configs = [
{
targets = ["192.168.1.45:9100"];
}
];
}
{
job_name = "jellyfin";
static_configs = [
{
targets = ["192.168.1.42:9100"];
}
];
}
];
};
services.loki = {
enable = true;
configuration = {
server.http_listen_port = 3100;
server.grpc_listen_port = 9096;
auth_enabled = false;
ingester = {
lifecycler = {
address = "192.168.1.27";
ring = {
kvstore = {
store = "inmemory";
};
replication_factor = 1;
};
};
chunk_idle_period = "1h";
max_chunk_age = "1h";
chunk_target_size = 999999;
chunk_retain_period = "30s";
};
schema_config = {
configs = [
{
from = "2022-06-06";
store = "boltdb-shipper";
object_store = "filesystem";
schema = "v13";
index = {
prefix = "index_";
period = "24h";
};
}
];
};
storage_config = {
boltdb_shipper = {
active_index_directory = "/var/lib/loki/boltdb-shipper-active";
cache_location = "/var/lib/loki/boltdb-shipper-cache";
cache_ttl = "24h";
};
filesystem = {
directory = "/var/lib/loki/chunks";
};
};
limits_config = {
reject_old_samples = true;
reject_old_samples_max_age = "168h";
allow_structured_metadata = false;
};
table_manager = {
retention_deletes_enabled = false;
retention_period = "0s";
};
compactor = {
working_directory = "/var/lib/loki";
compactor_ring = {
kvstore = {
store = "inmemory";
};
};
};
};
};
services.promtail = {
enable = true;
configuration = {
server = {
http_listen_port = 3101;
grpc_listen_port = 9095;
};
positions = {
filename = "/tmp/positions.yaml";
};
clients = [
{
url = "http://127.0.0.1:3100/loki/api/v1/push";
}
]; ];
scrape_configs = [ localConfig = {
{ acquisitions = [
job_name = "syslog"; {
syslog = { source = "journalctl";
listen_address = "0.0.0.0:1514"; journalctl_filter = [ "_SYSTEMD_UNIT=grafana.service" ];
listen_protocol = "tcp";
idle_timeout = "60s";
labels = { labels = {
job = "syslog"; type = "syslog";
}; };
}; }
relabel_configs = [ ];
};
};
rsyslogd = {
enable = true;
extraConfig = ''
ruleset(name="remote"){
action(type="omfwd" Target="localhost" Port="1514" Protocol="tcp" Template="RSYSLOG_SyslogProtocol23Format" TCP_Framing="octet-counted")
}
module(load="imudp")
input(type="imudp" port="514" ruleset="remote")
module(load="imtcp")
input(type="imtcp" port="514" ruleset="remote")
'';
};
influxdb2 = {
enable = true;
};
grafana = {
enable = true;
settings = {
server = {
protocol = "http";
http_addr = "${cfg.vm_ip}";
http_port = 3000;
domain = "logs.le43.eu";
root_url = "https://logs.le43.eu";
serve_from_sub_path = false;
};
database = {
type = "postgres";
host = "${cfg.pgsql_ip}:5432";
name = "grafana";
user = "grafana";
password = "\$__file{${config.age.secrets.grafana-db.path}}";
};
"auth.generic_oauth" = {
enabled = "true";
name = "authentik";
allow_sign_up = "true";
client_id = "9HV82G8F92Jcbw4nP8eppMcPpLcAw5uYpejfReLy";
client_secret = "\$__file{${config.age.secrets.grafana-oauth_secret.path}}";
scopes = "openid email profile";
auth_url = "https://authentik.le43.eu/application/o/authorize/";
token_url = "https://authentik.le43.eu/application/o/token/";
api_url = "https://authentik.le43.eu/application/o/userinfo/";
role_attribute_path = "contains(groups, 'admin') && 'Admin' || contains(groups, 'admin') && 'Editor' || 'Viewer';role_attribute_strict = false";
allow_assign_grafana_admin = "true";
};
};
};
prometheus = {
enable = true;
port = 9001;
scrapeConfigs = [
{
job_name = "kuma";
scrape_interval = "30s";
scheme = "http";
static_configs = [
{ {
source_labels = ["__syslog_message_hostname"]; targets = ["192.168.1.90:3001"];
target_label = "host";
} }
];
basic_auth.username = "tbarnouin";
basic_auth.password_file = config.age.secrets.kuma-token.path;
}
{
job_name = "grafana";
static_configs = [
{ {
source_labels = ["__syslog_message_hostname"]; targets = ["127.0.0.1:9002"];
target_label = "hostname";
} }
];
}
{
job_name = "opportunity";
static_configs = [
{ {
source_labels = ["__syslog_message_severity"]; targets = ["192.168.1.125:9100"];
target_label = "level";
} }
];
}
{
job_name = "nginx";
static_configs = [
{ {
source_labels = ["__syslog_message_app_name"]; targets = ["${cfg.proxy_ip}:9002"];
target_label = "application";
} }
];
}
{
job_name = "crowdsec_nginx";
static_configs = [
{ {
source_labels = ["__syslog_message_facility"]; targets = ["${cfg.proxy_ip}:6060"];
target_label = "facility";
} }
];
}
{
job_name = "redis";
static_configs = [
{ {
source_labels = ["__syslog_connection_hostname"]; targets = ["192.168.1.16:9002"];
target_label = "connection_hostname"; }
];
}
{
job_name = "ingenuity";
static_configs = [
{
targets = ["192.168.1.90:9100"];
}
];
}
{
job_name = "gitea";
static_configs = [
{
targets = ["192.168.1.14:9002"];
}
];
}
{
job_name = "postgresql";
static_configs = [
{
targets = ["192.168.1.13:9002"];
}
];
}
{
job_name = "nextcloud";
static_configs = [
{
targets = ["192.168.1.45:9100"];
}
];
}
{
job_name = "crowdsec_nextcloud";
static_configs = [
{
targets = ["192.168.1.45:6060"];
}
];
}
{
job_name = "jellyfin";
static_configs = [
{
targets = ["192.168.1.42:9100"];
}
];
}
{
job_name = "crowdsec_jellyfin";
static_configs = [
{
targets = ["192.168.1.42:6060"];
} }
]; ];
} }
]; ];
}; };
loki = {
enable = true;
configuration = {
server.http_listen_port = 3100;
server.grpc_listen_port = 9096;
auth_enabled = false;
ingester = {
lifecycler = {
address = "192.168.1.27";
ring = {
kvstore = {
store = "inmemory";
};
replication_factor = 1;
};
};
chunk_idle_period = "1h";
max_chunk_age = "1h";
chunk_target_size = 999999;
chunk_retain_period = "30s";
};
schema_config = {
configs = [
{
from = "2022-06-06";
store = "boltdb-shipper";
object_store = "filesystem";
schema = "v13";
index = {
prefix = "index_";
period = "24h";
};
}
];
};
storage_config = {
boltdb_shipper = {
active_index_directory = "/var/lib/loki/boltdb-shipper-active";
cache_location = "/var/lib/loki/boltdb-shipper-cache";
cache_ttl = "24h";
};
filesystem = {
directory = "/var/lib/loki/chunks";
};
};
limits_config = {
reject_old_samples = true;
reject_old_samples_max_age = "168h";
allow_structured_metadata = false;
};
table_manager = {
retention_deletes_enabled = false;
retention_period = "0s";
};
compactor = {
working_directory = "/var/lib/loki";
compactor_ring = {
kvstore = {
store = "inmemory";
};
};
};
};
};
promtail = {
enable = true;
configuration = {
server = {
http_listen_port = 3101;
grpc_listen_port = 9095;
};
positions = {
filename = "/tmp/positions.yaml";
};
clients = [
{
url = "http://127.0.0.1:3100/loki/api/v1/push";
}
];
scrape_configs = [
{
job_name = "syslog";
syslog = {
listen_address = "0.0.0.0:1514";
listen_protocol = "tcp";
idle_timeout = "60s";
labels = {
job = "syslog";
};
};
relabel_configs = [
{
source_labels = ["__syslog_message_hostname"];
target_label = "host";
}
{
source_labels = ["__syslog_message_hostname"];
target_label = "hostname";
}
{
source_labels = ["__syslog_message_severity"];
target_label = "level";
}
{
source_labels = ["__syslog_message_app_name"];
target_label = "application";
}
{
source_labels = ["__syslog_message_facility"];
target_label = "facility";
}
{
source_labels = ["__syslog_connection_hostname"];
target_label = "connection_hostname";
}
];
}
];
};
};
}; };
# Open ports in the firewall. # Open ports in the firewall.

22
services/minimalConfig/default.nix
View file

@ -91,6 +91,13 @@
]; ];
}; };
age.secrets = {
cs-lapi-key = {
file = ./secrets/cs-lapi-key.age;
owner = "crowdsec";
};
};
services = { services = {
openssh = { openssh = {
enable = true; enable = true;
@ -107,6 +114,21 @@
fail2ban = { fail2ban = {
enable = true; enable = true;
}; };
crowdsec = {
enable = true;
package = pkgs.crowdsec;
autoUpdateService = false;
openFirewall = true;
settings = {
general = {
prometheus.listen_addr = "0.0.0.0";
};
lapi.credentialsFile = "${config.age.secrets.cs-lapi-key.path}";
};
hub.collections = [
"crowdsecurity/linux"
];
};
rsyslogd = { rsyslogd = {
enable = true; enable = true;
extraConfig = "*.*@192.168.1.27:514;RSYSLOG_SyslogProtocol23Format"; extraConfig = "*.*@192.168.1.27:514;RSYSLOG_SyslogProtocol23Format";

17
services/nginx/default.nix
View file

@ -15,12 +15,6 @@ in {
}; };
}; };
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
age.secrets = {
cs-lapi-key = {
file = ./secrets/cs-lapi-key.age;
owner = "crowdsec";
};
};
security.acme = { security.acme = {
acceptTerms = true; acceptTerms = true;
defaults.email = "theo.barnouin@le43.eu"; defaults.email = "theo.barnouin@le43.eu";
@ -34,14 +28,10 @@ in {
package = inputs.crowdsec.packages."x86_64-linux".crowdsec-firewall-bouncer; package = inputs.crowdsec.packages."x86_64-linux".crowdsec-firewall-bouncer;
settings = { settings = {
api_key = "XIgNVuxdP74m+UPbd3WJnHHJdLhRiTbhuH6z2mPRIFg"; api_key = "XIgNVuxdP74m+UPbd3WJnHHJdLhRiTbhuH6z2mPRIFg";
api_url = "http://127.0.0.1:8080"; api_url = "http://${cfg.proxy_ip}:8080";
}; };
}; };
crowdsec = { crowdsec = {
enable = true;
package = pkgs.crowdsec;
autoUpdateService = false;
openFirewall = true;
settings = { settings = {
general = { general = {
api = { api = {
@ -50,19 +40,14 @@ in {
listen_uri = "${cfg.proxy_ip}:8080"; listen_uri = "${cfg.proxy_ip}:8080";
}; };
}; };
prometheus.listen_addr = "0.0.0.0";
}; };
lapi.credentialsFile = "${config.age.secrets.cs-lapi-key.path}";
}; };
hub.collections = [ hub.collections = [
"firix/authentik" "firix/authentik"
"crowdsecurity/sshd" "crowdsecurity/sshd"
"crowdsecurity/linux" "crowdsecurity/linux"
"crowdsecurity/nginx" "crowdsecurity/nginx"
"LePresidente/grafana"
"LePresidente/jellyfin"
"crowdsecurity/http-cve" "crowdsecurity/http-cve"
"crowdsecurity/nextcloud"
"crowdsecurity/base-http-scenarios" "crowdsecurity/base-http-scenarios"
]; ];
localConfig = { localConfig = {

22
services/nginx/secrets/cs-lapi-key.age
View file

@ -1,13 +1,13 @@
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyBPc0Q4 YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyByTU5i
UU1TbDBWL3RKQ2VQRDZncE9sZC8vVVdESzYxNkQ0amoySFdNZFRJClVpS3ZaeFhP RzF4ZE4zQk8zeTNqN2hYVGU1cmZwYkR6bTAwZUlZUWNaNGdmc0RVClRwN1YyVnZj
WVNpQXJQbWp2aDMyMldkdVczdkZCTU5McFpRMTN6NXBtQkkKLT4gc3NoLWVkMjU1 a0pjRERBY0tPbjdyMVNpVHZONW9uKzA3aHNGbjUzeVNmbFEKLT4gc3NoLWVkMjU1
MTkgbXUwZm5BIFlxK0RKY0plTmtGV2FYZHBUMjlVa1FwYkRkalVyUEsvREJ3VmFz MTkgbXUwZm5BIHBxYWhuVDNyZVNFbjF1aTVVQjNERS9FalNSMGZKa2FSV2ZqaGFk
SXVUVWMKZGF1eW9MbkhuajU5aFhHcml4TDVHQVZtZ1ZDbXIzdXRXNERmOGtkYm50 Z2ZxeTQKcFFYNm5aTHRzWHJqb1pBdHAyd3c4OUZFSXdhZVp5T1BvcS9oQllENmlD
NAotPiBGLWdyZWFzZSBaUnNXYQo0U0ovMWZTaXhZdy96dWRpY1lud3V3cFNoSnFS YwotPiBrfmFlTnUtZ3JlYXNlICM8IH5iekBhWGo+CmsrNFE2eTkzamlLeGVSRUFP
WExsWEs5VVI2NG5XcHI4eVlJWFZoQVpCVEs2QnkxT3p6b01RCmIrbjZVTWU5U2VV M3JRTEVaaEpQVDhuOVhWQ3hPdjc5T21GU2xJKzhBaFprUXVWY3FmUm1NCi0tLSAr
VHpTcVIxM01ECi0tLSBqV0ZTbndQU2xQMjcwQUxRR1dCQ2JsSnlpUzlrMmRVUXRH QVY3S2kyOU1SL0NEaEJNMm9xR0lmUHVFU0VVYkhJcTBkdEl3Skp0N3F3Ck+9Y6el
aytLOStjYmJnCg2ocDo5O53RoiV3p9kGD+NulQKb1+01Ay1R2W0Upcgpu132Rexy QMrUREWKK7hxuZRE2gVoSQj/ia8xNWRALMOgY+FgskwRwFLaJhI+hwfAexUHuDbn
nwUvMrRbPgWUdgeUjkhKJ/ZR1gCVEav38aUsZugs39ndLYOwpluw5lUs+i2piB7k I80dUbUsM/ccELMs3nx6DWbchUWh9KMHYejyBMRX6NpHy1UDq+q80zile9WPygtk
rOC+NhPXSXJLMb4vKdkkioJehv+VbSZ9M4PW2vbsziQAhfWErm7RAi/FvtoUdypT fmVPd6OOd/84e3pFmIcgTteDVnadLiZNvDVapVVbJqm8B72h
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----