From da4ee48f724c2a41073117707913b7e17fc0e554 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Th=C3=A9o=20Barnouin?=
Date: Fri, 4 Apr 2025 17:44:19 +0200
Subject: [PATCH] Try to implement crowdsec everywhere, connected to central lapi
---
 secrets.nix | 6 ++++--
 secrets/cs-lapi-key.age | 21 +++++++++++++++++++
 .../minimalConfig/secrets/cs-lapi-key.age | 20 ++++++++++++++++++
 systems/minimalLXCConfig.nix | 21 +++++++++++++++++++
 4 files changed, 66 insertions(+), 2 deletions(-)
 create mode 100644 secrets/cs-lapi-key.age
 create mode 100644 services/minimalConfig/secrets/cs-lapi-key.age
diff --git a/secrets.nix b/secrets.nix
index 4f7e172..593a27e 100644
--- a/secrets.nix
+++ b/secrets.nix
@@ -8,9 +8,9 @@ let
 forgejo = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILMf3Cc/S0p/LFcW+RLMEqpxOOv8q/HrKO4I9joHmRxl root@forgejo";
 nginx = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKX2wkS9bpMy1+ITPtQclRkthOwksWBZOLa3bT9oLAe1 root@nixos-nginx";
- systems = [grafana onlyoffice postgresql forgejo];
+ systems = [grafana onlyoffice postgresql forgejo nginx];
 in {
- "initialPassword.age".publicKeys = users ++ systems;
+ "secrets/initialPassword.age".publicKeys = users ++ systems;
 "services/grafana/secrets/grafana-db.age".publicKeys = [tbarnouin grafana];
 "services/grafana/secrets/grafana-oauth_secret.age".publicKeys = [tbarnouin grafana];
@@ -28,4 +28,6 @@ in {
 "services/postgresql/secrets/onlyofficeDBPass.age".publicKeys = [tbarnouin postgresql];
 "services/nginx/secrets/cs-lapi-key.age".publicKeys = [tbarnouin nginx];
+ "services/minimalConfig/secrets/cs-lapi-key.age".publicKeys = users ++ systems;
+ "secrets/cs-lapi-key.age".publicKeys = users ++ systems;
 }
diff --git a/secrets/cs-lapi-key.age b/secrets/cs-lapi-key.age
new file mode 100644
index 0000000..3a7dfb6
--- /dev/null
+++ b/secrets/cs-lapi-key.age
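Review bot: The rename of `"initialPassword.age"` to `"secrets/initialPassword.age"` is not matched by a move of the encrypted file in this patch (the diffstat lists only the four files above), so unless the file was relocated in an earlier commit, agenix rekeying will look for a ciphertext that does not exist at the new key. Adding `nginx` to `systems` also re-scopes every secret keyed on `users ++ systems` — including the shared initial password — to the nginx host, which the commit message does not mention; run `agenix -r` after this change so the existing ciphertexts actually pick up the new recipient, and consider whether the initial password needs to be decryptable on nginx at all. The `let` block this hunk edits starts outside the hunk.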
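Review bot: Both new `cs-lapi-key.age` entries are encrypted to `users ++ systems`, so one LAPI credential is decryptable on every host in the fleet, whereas the existing nginx entry is scoped to `[tbarnouin nginx]`. CrowdSec registers each agent as a separate machine, and a per-host credential lets a single compromised LXC be revoked with `cscli machines delete` without rotating the others; a per-host entry such as `"systems/<host>/secrets/cs-lapi-key.age".publicKeys = [tbarnouin <host>];` keeps the blast radius to one machine. Also, nothing in this patch references `services/minimalConfig/secrets/cs-lapi-key.age` (systems/minimalLXCConfig.nix reads `../secrets/cs-lapi-key.age`), so that second ciphertext looks unused unless a file outside the diff consumes it.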
@@ -0,0 +1,21 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyBtSzM1
+UEtIRlNNOVFqb2Z1bC9IVVBDcDlQV0xKN01VZjV5WHU5VEUrWmwwCnFiaDRDcWxV
+WFBsbjNhaXpmTkdsaWR1WmdtLzZKbHp0TEdDODJseGI3R1kKLT4gc3NoLWVkMjU1
+MTkgd25FVXB3IEhETUdtYnhJeXVBYzJSYUZXTjBVK2tvZnJKOWxOcDh6Q0lpeGNV
+VkZSRlEKZWplWThuZVo4aFlndkxYa2R4cXhCOXFYZC9YWGdIUktrSWh5YUYyYTc4
+WQotPiBzc2gtZWQyNTUxOSBubUtTK0EgbVRrc05IT0ZFK3owbUlmS2h4cVZCYjdy
+UGIrdmlvTEdOVEs2Ulg5MlBTbwpDYWhtYStNYjVBaS9IT3ZVMnY1YTA0RkRyYzd6
+dEppeFNOZHRxUUE5QitZCi0+IHNzaC1lZDI1NTE5IHNpbmd2USB1eXE3SzZ4aHJU
+T1BXVUUzL1QydmdiLytQcUQyejg3dDlQWlZyVDBJb3l3CnZRNE5kbDFwakx6WEVX
+N1E4T2FnWUlreXZHRk5PWTJzUkFwbERxMDN4V2MKLT4gc3NoLWVkMjU1MTkgeHFt
+eWpBIFZxL1R1Q2pHTDBSaWt2RVM1aFlNOHBmeFRobGpaTGR2dFR4aThoYlRieGcK
+VzJQZDNOTFA4dllFb2J4YWkwSlJYSEgyYkFBZHZsTFBBVGRwdzRHOE40MAotPiBG
+MXFyXC1ncmVhc2UgNm0mTzgyKwpGVmRvbmhzSzRLemM1V0RPd2puV1puU1duL1BQ
+Y0EvODZWSkdEWWQ3UzNVRTRQRHcrb29VN3RjQ1F5QVd3UkU2CnltQ0VLQUZRVlhO
+K1cvTUhFTm56Ci0tLSAyYml0dXU5L01Lc3ZZblgrRklxUUFRQUhRL0c0MjVydVhp
+VHkrMXVRVFRBClanb1k/SsDaLPXwFGBVjixWNP/Vn5WvHzem3k1ySCLLasBcEnab
+Qg4jwrEAhETRp/o+xmY9UX/k6jD+4jTymjJrt2NfZuz0NYfLT8v3HHLTLPfSX1nH
+gL1x1KdWNB6MFO8K4x7Hzsi6GU3MJfkDb4SL+NPUWQTP2zko9zPpYCilBtccCW11
+gUhq
+-----END AGE ENCRYPTED FILE-----
diff --git a/services/minimalConfig/secrets/cs-lapi-key.age b/services/minimalConfig/secrets/cs-lapi-key.age
new file mode 100644
index 0000000..ffe9fc8
--- /dev/null
+++ b/services/minimalConfig/secrets/cs-lapi-key.age
@@ -0,0 +1,20 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyBtZWll
+YTJ0MkNaT3BMSGpYSVdvNUlDUlpYT2NtVVZMWG0zcFo0RFdHZUh3Cm1pU096ME1W
+OElITmVzZkQ0VFVTcVBMaU5XL2I5Rkp0QTkwUzYxQVFOalEKLT4gc3NoLWVkMjU1
+MTkgd25FVXB3IHRCZktlYjVqTEVhU0paRS9TQTlhU2VhaElacnk1MkJvVkFvTE05
+NmN4VmsKenNLaUordTdkc1hiU0VIQ0x6eHh6ei9WZ2dVN1Y1WUZIU0NHNHlHNGFx
+dwotPiBzc2gtZWQyNTUxOSBubUtTK0EgdW9ENDkrYkdrZXlTbHNPTkRBbWtaZEUy
+L3czL2g3T1RCSTJuNFJtdGhCTQp3amhCUGIxVlRPQ0JISnJ6WkhQT2ozRktFWHFN
+b21TR2QzNnBNUlVTWXdRCi0+IHNzaC1lZDI1NTE5IHNpbmd2USB0ZWhuSUhzQndM
+WmpVa1NUN2hnUDBiSmlzWithelg4ZnZ4RFNyUVAvRUVvCmNiOUtLTFYvVU9QUXhH
+Z0pZK0QwamI1N2FCaWE1alVKYzlwVVN1SnBnOHMKLT4gc3NoLWVkMjU1MTkgeHFt
+eWpBIEJTa0kxemlBdG1wVXl5S0Y2d216VTNJYUhDMThPOEJmWjRTNGhRZHZaeGsK
+S3FuNG0xaE4xQUorbkhNU3hJY2tvR2lYL1ZlbFI3Z2lJS1grVTQramNPNAotPiAm
+JnwtZ3JlYXNlCmcyQUxzeHNlNlZtcSs3TjZCKzhmMEVOSHJob3lmYXBLbm9wNU1u
+eDNaWWoyT1hwT2RNdHJSbTU5MXhZTkx3Ci0tLSBBYW9MUE1yL09lMVVqUXpSeHMx
+OGpIdE14djRGbGFEN2U4SUtRQm9CZmlBCnPlYADB+W2yzvad9xUJSpdNoL0241Kv
+u0AXJa6yoIk94tBiWlSyee8slru8229VT9Yqd3AkGsbvaUQV+FPTay/VvZKp7CAV
+MhzeGdjjqssSIKWBzdMsHgrQzVvr9/nfiacCiMCMnv0dJ8KC2fgCDzR724Ta9Noh
+AAoiBphunk91WQzfzeiQ+RXi
+-----END AGE ENCRYPTED FILE-----
diff --git a/systems/minimalLXCConfig.nix b/systems/minimalLXCConfig.nix
index a2e426c..ef84f83 100644
--- a/systems/minimalLXCConfig.nix
+++ b/systems/minimalLXCConfig.nix
@@ -98,6 +98,12 @@
 netcat-openbsd
 ];
 };
+ age.secrets = {
+ cs-lapi-key = {
+ file = ../secrets/cs-lapi-key.age;
+ owner = "crowdsec";
+ };
+ };
 services = {
 openssh = {
@@ -115,6 +121,21 @@
 fail2ban = {
 enable = true;
 };
+ crowdsec = {
+ enable = true;
+ package = pkgs.crowdsec;
+ autoUpdateService = false;
+ openFirewall = true;
+ settings = {
+ general = {
+ prometheus.listen_addr = "0.0.0.0";
+ };
+ lapi.credentialsFile = "${config.age.secrets.cs-lapi-key.path}";
+ };
+ hub.collections = [
+ "crowdsecurity/linux"
+ ];
+ };
 rsyslogd = {
 enable = true;
 extraConfig = "*.*@192.168.1.27:514;RSYSLOG_SyslogProtocol23Format";
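Review bot: `prometheus.listen_addr = "0.0.0.0"` binds the agent's metrics endpoint on every interface, and together with `openFirewall = true` that endpoint (and whatever other ports the module opens) may become reachable from the LAN; since this node only talks to a remote LAPI through `lapi.credentialsFile`, it is not obvious it needs any inbound port at all. Restrict the bind address to the interface the scraper uses, or keep it on loopback, and confirm which ports the NixOS module's `openFirewall` actually opens before enabling it — `prometheus.listen_addr = "127.0.0.1";` and `openFirewall = false;` would be the conservative default. The interpolation in `lapi.credentialsFile = "${config.age.secrets.cs-lapi-key.path}";` is redundant; `lapi.credentialsFile = config.age.secrets.cs-lapi-key.path;` reads the same value. No acquisition source is visible in the hunk for the `crowdsecurity/linux` collection to parse, so unless the module supplies a default (e.g. the journal), the agent will have nothing to analyse.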