diff --git a/flake.lock b/flake.lock index edab3b2..9de8365 100644 --- a/flake.lock +++ b/flake.lock @@ -61,27 +61,6 @@ "type": "github" } }, - "crowdsec": { - "inputs": { - "flake-utils": "flake-utils_2", - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1742920128, - "narHash": "sha256-VPjnjtAksihLezhc+ZmnqGu18mHr4QVKa1kSZQ8rJL4=", - "ref": "refs/heads/main", - "rev": "40e937689d318ee85b1d9763189a65e6f0b4028d", - "revCount": 40, - "type": "git", - "url": "https://codeberg.org/kampka/nix-flake-crowdsec.git" - }, - "original": { - "type": "git", - "url": "https://codeberg.org/kampka/nix-flake-crowdsec.git" - } - }, "darwin": { "inputs": { "nixpkgs": [ @@ -136,8 +115,9 @@ "type": "github" }, "original": { - "id": "flake-utils", - "type": "indirect" + "owner": "numtide", + "repo": "flake-utils", + "type": "github" } }, "home-manager": { @@ -169,11 +149,11 @@ ] }, "locked": { - "lastModified": 1743387206, - "narHash": "sha256-24N3NAuZZbYqZ39NgToZgHUw6M7xHrtrAm18kv0+2Wo=", + "lastModified": 1739757849, + "narHash": "sha256-Gs076ot1YuAAsYVcyidLKUMIc4ooOaRGO0PqTY7sBzA=", "owner": "nix-community", "repo": "home-manager", - "rev": "15c5f9d04fabd176f30286c8f52bbdb2c853a146", + "rev": "9d3d080aec2a35e05a15cedd281c2384767c2cfe", "type": "github" }, "original": { @@ -183,6 +163,28 @@ "type": "github" } }, + "microvm": { + "inputs": { + "flake-utils": "flake-utils_2", + "nixpkgs": [ + "nixpkgs" + ], + "spectrum": "spectrum" + }, + "locked": { + "lastModified": 1741275356, + "narHash": "sha256-VMeqnLv2O6Lg3/pka1tUzzbOjSmEb6RQOp9OuJRcx0A=", + "owner": "astro", + "repo": "microvm.nix", + "rev": "5e1b3dba5b52405dab79412392b9c799d49bd8c0", + "type": "github" + }, + "original": { + "owner": "astro", + "repo": "microvm.nix", + "type": "github" + } + }, "nixpkgs": { "locked": { "lastModified": 1741379970, 
@@ -201,11 +203,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1743576891, - "narHash": "sha256-vXiKURtntURybE6FMNFAVpRPr8+e8KoLPrYs9TGuAKc=", + "lastModified": 1741600792, + "narHash": "sha256-yfDy6chHcM7pXpMF4wycuuV+ILSTG486Z/vLx/Bdi6Y=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "44a69ed688786e98a101f02b712c313f1ade37ab", + "rev": "ebe2788eafd539477f83775ef93c3c7e244421d3", "type": "github" }, "original": { @@ -218,8 +220,8 @@ "root": { "inputs": { "agenix": "agenix", - "crowdsec": "crowdsec", "home-manager": "home-manager_2", + "microvm": "microvm", "nixpkgs": "nixpkgs_2" } }, @@ -244,6 +246,22 @@ "type": "github" } }, + "spectrum": { + "flake": false, + "locked": { + "lastModified": 1733308308, + "narHash": "sha256-+RcbMAjSxV1wW5UpS9abIG1lFZC8bITPiFIKNnE7RLs=", + "ref": "refs/heads/main", + "rev": "80c9e9830d460c944c8f730065f18bb733bc7ee2", + "revCount": 792, + "type": "git", + "url": "https://spectrum-os.org/git/spectrum" + }, + "original": { + "type": "git", + "url": "https://spectrum-os.org/git/spectrum" + } + }, "systems": { "locked": { "lastModified": 1681028828, diff --git a/flake.nix b/flake.nix index f0e8afe..63a471c 100644 --- a/flake.nix +++ b/flake.nix @@ -7,8 +7,8 @@ url = "github:nix-community/home-manager/release-24.11"; inputs.nixpkgs.follows = "nixpkgs"; }; - crowdsec = { - url = "git+https://codeberg.org/kampka/nix-flake-crowdsec.git"; + microvm = { + url = "github:astro/microvm.nix"; inputs.nixpkgs.follows = "nixpkgs"; }; agenix.url = "github:yaxitech/ragenix"; 
@@ -18,48 +18,69 @@
 self,
 nixpkgs,
 home-manager,
+ microvm,
 agenix,
- crowdsec,
 ...
 }: let
 system = "x86_64-linux";
 username = "tbarnouin";
 proxy_host = "192.168.1.40";
 pgsql_host = "192.168.1.13";
- pkgs = import nixpkgs {inherit system;};
 in {
 nixosConfigurations = {
- nginx = nixpkgs.lib.nixosSystem {
+ nixmox-curiosity = nixpkgs.lib.nixosSystem {
+ inherit system;
+ modules = [
+ agenix.nixosModules.default
+ ./hosts/nixmox-curiosity/configuration.nix
+ {
+ networking.hostName = "nixmox-curiosity";
+ }
+ home-manager.nixosModules.home-manager
+ {
+ home-manager.useGlobalPkgs = true;
+ home-manager.useUserPackages = true;
+ home-manager.users.${username} = import ./hosts/nixmox-curiosity/home.nix;
+ }
+ microvm.nixosModules.host
+ {
+ microvm = {
+ autostart = [];
+ vms = {};
+ };
+ }
+ ];
+
+ specialArgs = {
+ inherit inputs;
+ inherit username;
+ inherit proxy_host;
+ inherit pgsql_host;
+ inherit system;
+ };
+ };
+ nginx = nixpkgs.lib.nixosSystem {
 inherit system;
- specialArgs = { inherit inputs; };
 modules = [
 agenix.nixosModules.default
- crowdsec.nixosModules.crowdsec-firewall-bouncer
 "${inputs.nixpkgs}/nixos/modules/virtualisation/proxmox-lxc.nix"
 "${inputs.self}/systems/minimalLXCConfig.nix"
 "${inputs.self}/services"
- "${inputs.self}/modules"
 {
 networking.hostName = "nginx";
- services = {
- vm_nginx = {
- enable = true;
- proxy_ip = proxy_host;
- };
+ services.vm_nginx = {
+ enable = true;
 };
 }
 ];
 };
 pgsql = nixpkgs.lib.nixosSystem {
 inherit system;
- specialArgs = { inherit inputs; };
 modules = [
 agenix.nixosModules.default
- crowdsec.nixosModules.crowdsec-firewall-bouncer
 "${inputs.nixpkgs}/nixos/modules/virtualisation/proxmox-lxc.nix"
 "${inputs.self}/systems/minimalLXCConfig.nix"
 "${inputs.self}/services"
- "${inputs.self}/modules"
 {
 networking.hostName = "pgsql";
 services.vm_postgresql = {
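Review bot: The nginx host's `services.vm_nginx` block drops `proxy_ip = proxy_host;` while `proxy_host` stays defined in the `let` and is still handed to the new grafana microVM; if the vm_nginx option declares `proxy_ip` without a default the nginx configuration no longer evaluates, and if it has a default the proxy silently stops using the configured address, so this looks like an accidental loss during the `services = { vm_nginx = …` to `services.vm_nginx = …` rewrite. The same hunk removes `specialArgs = { inherit inputs; };` from nginx and pgsql (the forgejo, jellyfin, redis and grafana-lxc hunks below do the same) while `"${inputs.self}/services"` remains imported; any module under services/ written as `{inputs, ...}:` — the pattern the deleted modules/default.nix used — will now fail with an undefined-argument error. Only nixmox-curiosity keeps a `specialArgs` block; either every host needs the same set, or a comment on nixmox-curiosity should say why the hypervisor alone is special.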
@@ -68,16 +89,44 @@
 }
 ];
 };
- forgejo = nixpkgs.lib.nixosSystem {
+ onlyoffice = nixpkgs.lib.nixosSystem {
+ inherit system;
+ modules = [
+ agenix.nixosModules.default
+ "${inputs.nixpkgs}/nixos/modules/virtualisation/proxmox-lxc.nix"
+ "${inputs.self}/systems/minimalLXCConfig.nix"
+ "${inputs.self}/services"
+ {
+ networking.hostName = "onlyoffice";
+ services.vm_onlyoffice = {
+ enable = true;
+ pgsql_ip = pgsql_host;
+ };
+ }
+ ];
+ };
+ collabora = nixpkgs.lib.nixosSystem {
+ inherit system;
+ modules = [
+ agenix.nixosModules.default
+ "${inputs.nixpkgs}/nixos/modules/virtualisation/proxmox-lxc.nix"
+ "${inputs.self}/systems/minimalLXCConfig.nix"
+ "${inputs.self}/services"
+ {
+ networking.hostName = "collabora";
+ services.vm_collabora = {
+ enable = true;
+ };
+ }
+ ];
+ };
+ forgejo = nixpkgs.lib.nixosSystem {
 inherit system;
- specialArgs = { inherit inputs; };
 modules = [
 agenix.nixosModules.default
- crowdsec.nixosModules.crowdsec-firewall-bouncer
 "${inputs.nixpkgs}/nixos/modules/virtualisation/proxmox-lxc.nix"
 "${inputs.self}/systems/minimalLXCConfig.nix"
 "${inputs.self}/services"
- "${inputs.self}/modules"
 {
 networking.hostName = "forgejo";
 services.vm_forgejo = {
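Review bot: The new onlyoffice and collabora entries repeat the same proxmox-lxc / minimalLXCConfig / services module list that nginx, pgsql, forgejo, redis and grafana-lxc already carry, and the only per-host differences are the hostname and one `services.vm_*` attribute; a small `mkLxcHost` helper in the `let` block (which lies outside this hunk) would shrink each entry to a few lines and keep the shared baseline in one place, so a future module addition is not forgotten on one host. Note also that collabora's host key is not in the `systems` list of secrets/secrets.nix as changed in this same commit, so if minimalLXCConfig.nix reads `initialPassword.age` that host will be unable to decrypt it — presumably to be added once the host exists, but worth a `# TODO: add collabora host key to secrets/secrets.nix` next to it. Sketch of the helper and the two new hosts:
```nix
# in the `let` block (outside this hunk): one Proxmox LXC guest built from the
# shared module list plus a hostname and the per-host service attributes
mkLxcHost = hostName: serviceConfig:
  nixpkgs.lib.nixosSystem {
    inherit system;
    modules = [
      agenix.nixosModules.default
      "${inputs.nixpkgs}/nixos/modules/virtualisation/proxmox-lxc.nix"
      "${inputs.self}/systems/minimalLXCConfig.nix"
      "${inputs.self}/services"
      { networking.hostName = hostName; }
      serviceConfig
    ];
  };

# … unchanged: nixmox-curiosity, nginx, pgsql …
onlyoffice = mkLxcHost "onlyoffice" {
  services.vm_onlyoffice = {
    enable = true;
    pgsql_ip = pgsql_host;
  };
};
collabora = mkLxcHost "collabora" {
  services.vm_collabora.enable = true;
};
# … unchanged: forgejo and the remaining hosts …
```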
@@ -87,29 +136,23 @@
 }
 ];
 };
- template = nixpkgs.lib.nixosSystem {
- inherit system;
- specialArgs = { inherit inputs; };
- modules = [
- agenix.nixosModules.default
- crowdsec.nixosModules.crowdsec-firewall-bouncer
- "${inputs.nixpkgs}/nixos/modules/virtualisation/proxmox-image.nix"
- "${inputs.self}/systems/minimalVMConfig.nix"
- {
- networking.hostName = "nixos";
- }
- ];
- };
+# template = nixpkgs.lib.nixosSystem {
+# inherit system;
+# modules = [
+# agenix.nixosModules.default
+# "${inputs.self}/systems/minimalVMConfig.nix"
+# {
+# networking.hostName = "nixos";
+# }
+# ];
+# };
 jellyfin = nixpkgs.lib.nixosSystem {
 inherit system;
- specialArgs = { inherit inputs; };
 modules = [
 agenix.nixosModules.default
- crowdsec.nixosModules.crowdsec-firewall-bouncer
- "${inputs.nixpkgs}/nixos/modules/virtualisation/proxmox-image.nix"
+ microvm.nixosModules.microvm
 "${inputs.self}/systems/minimalVMConfig.nix"
 "${inputs.self}/services"
- "${inputs.self}/modules"
 {
 services.vm_jellyfin = {
 enable = true;
@@ -119,14 +162,11 @@
 };
 redis = nixpkgs.lib.nixosSystem {
 inherit system;
- specialArgs = { inherit inputs; };
 modules = [
 agenix.nixosModules.default
- crowdsec.nixosModules.crowdsec-firewall-bouncer
 "${inputs.nixpkgs}/nixos/modules/virtualisation/proxmox-lxc.nix"
 "${inputs.self}/systems/minimalLXCConfig.nix"
 "${inputs.self}/services"
- "${inputs.self}/modules"
 {
 networking.hostName = "redis";
 services.vm_redis = {
@@ -137,14 +177,11 @@
 };
 grafana-lxc = nixpkgs.lib.nixosSystem {
 inherit system;
- specialArgs = { inherit inputs; };
 modules = [
 agenix.nixosModules.default
- crowdsec.nixosModules.crowdsec-firewall-bouncer
 "${inputs.nixpkgs}/nixos/modules/virtualisation/proxmox-lxc.nix"
 "${inputs.self}/systems/minimalLXCConfig.nix"
 "${inputs.self}/services"
- "${inputs.self}/modules"
 {
 services.vm_grafana = {
 enable = true;
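Review bot: The `template` configuration is carried forward as ten `#`-prefixed lines instead of being deleted; git history already holds the old definition, and commented-out code inside the attribute set drifts from the live module list (this copy already differs from the removed version by dropping the proxmox-image and crowdsec modules), so either delete it or keep it as a buildable configuration. jellyfin is switched to `microvm.nixosModules.microvm` but still imports `minimalVMConfig.nix`, whereas the grafana microVM added in the next hunk imports `minimalMicrovmConfig.nix` and sets `services.micro_vm`; if the microvm-specific baseline is what gives the guest its network interface and address, jellyfin presumably needs the same two pieces, and if the difference is intentional a one-line comment on the jellyfin entry should say why the two microVMs are built from different base configs. The jellyfin block continues past the end of this hunk, so whether it sets a hostname or IP elsewhere cannot be seen here.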
@@ -155,6 +192,31 @@
 }
 ];
 };
+ grafana = nixpkgs.lib.nixosSystem {
+ inherit system;
+ modules = [
+ agenix.nixosModules.default
+ microvm.nixosModules.microvm
+ "${inputs.self}/systems/minimalMicrovmConfig.nix"
+ "${inputs.self}/services"
+ {
+ services.vm_grafana = {
+ enable = true;
+ vm_ip = "192.168.1.27";
+ proxy_ip = proxy_host;
+ pgsql_ip = pgsql_host;
+ };
+ services.micro_vm = {
+ enable = true;
+ hostname = "grafana";
+ vm_ip = "192.168.1.20";
+ vm_cpu = 1;
+ vm_mem = 512;
+ macAddr = "02:00:00:00:00:20";
+ };
+ }
+ ];
+ };
 };
 };
 }
diff --git a/modules/crowdsec.nix b/modules/crowdsec.nix
index 76d9999..fd9f702 100644
--- a/modules/crowdsec.nix
+++ b/modules/crowdsec.nix
@@ -602,14 +602,14 @@
 in
 console_path = mkDefault consoleFile;
 profiles_path = mkDefault localProfilesFile;
- #online_client = mkDefault {
- # sharing = mkDefault true;
- # pull = mkDefault {
- # community = mkDefault true;
- # blocklists = mkDefault true;
- # };
- # credentials_path = cfg.settings.capi.credentialsFile;
- #};
+ online_client = mkDefault {
+ sharing = mkDefault true;
+ pull = mkDefault {
+ community = mkDefault true;
+ blocklists = mkDefault true;
+ };
+ credentials_path = cfg.settings.capi.credentialsFile;
+ };
 };
 };
 prometheus = {
diff --git a/modules/default.nix b/modules/default.nix
deleted file mode 100644
index 935f8a1..0000000
--- a/modules/default.nix
+++ /dev/null
@@ -1,5 +0,0 @@
-{inputs, ...}: {
- imports = [
- ./crowdsec.nix
- ];
-}
diff --git a/packages/cs-firewall-bouncer/default.nix b/packages/cs-firewall-bouncer/default.nix
deleted file mode 100644
index d894b8a..0000000
--- a/packages/cs-firewall-bouncer/default.nix
+++ /dev/null
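Review bot: The new `grafana` microVM sets `services.vm_grafana.vm_ip = "192.168.1.27"` but `services.micro_vm.vm_ip = "192.168.1.20"`; services/grafana/default.nix binds Grafana's `http_addr` to `cfg.vm_ip`, so if the micro_vm module gives the guest interface the .20 address, Grafana will try to bind an address the guest does not own and fail to start. The `grafana-lxc` configuration in the preceding hunk still enables `services.vm_grafana` too, and services/minimalConfig/default.nix still forwards every host's syslog to `192.168.1.27:514`, so as committed there are two Grafana stacks and the log shippers only ever reach the old one; if .27 is the LXC and .20 the microVM, `vm_ip` under `services.vm_grafana` should presumably carry the same value as `services.micro_vm.vm_ip` (or be derived from it) and the rsyslog forward target updated in the same change. If the two addresses are intentional, a `# NOTE: vm_grafana.vm_ip differs from micro_vm.vm_ip because …` comment is the minimum a later reader needs.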
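Review bot: Enabling `online_client` here (`sharing = mkDefault true`, `credentials_path = cfg.settings.capi.credentialsFile`) lands in a module that this same commit stops importing: modules/default.nix, the only visible importer of `./crowdsec.nix`, is deleted in the next hunk and `"${inputs.self}/modules"` is removed from every host in flake.nix. The newly uncommented attribute set is therefore never evaluated, so a missing or misnamed `settings.capi.credentialsFile` option would not be caught by `nix flake check`, and the behavioural change — presumably opting each local API into sharing signals with the central CrowdSec API — ships without any consumer exercising it. Either leave the block commented until the module is imported again, or add a `# Shares local alerts with CAPI; requires settings.capi.credentialsFile to be set` comment and re-add an importer in the same change.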
@@ -1,28 +0,0 @@
-{
- lib,
- buildGoModule,
- fetchFromGitHub,
-}:
-buildGoModule rec {
- pname = "cs-firewall-bouncer";
- version = "0.0.31";
-
- src = fetchFromGitHub {
- owner = "crowdsecurity";
- repo = pname;
- rev = "v${version}";
- hash = "sha256-59MWll8v00CF4WA53gjHZSTFc8hpYaHENg9O7LgTCrA=";
- };
-
- vendorHash = "sha256-7Jxvg8UEjUxnIz1llvXyI2AefJ31OVdNzhWD/C8wU/Y=";
-
- meta = with lib; {
- homepage = "https://crowdsec.net/";
- changelog = "https://github.com/crowdsecurity/${pname}/releases/tag/v${version}";
- description = "Crowdsec bouncer for firewalls.";
- longDescription = ''
- crowdsec-firewall-bouncer will fetch new and old decisions from a CrowdSec API to add them in a blocklist used by supported firewalls.
- '';
- license = licenses.mit;
- };
-}
diff --git a/secrets/cs-lapi-key.age b/secrets/cs-lapi-key.age
deleted file mode 100644
index 167fee1..0000000
--- a/secrets/cs-lapi-key.age
+++ /dev/null
@@ -1,23 +0,0 @@ ------BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyBLZUNM -VWJ2TVRoSVp0amJaQmhpZGdKRXpHc0ErM1BoRlhNODJGa3VDWG1ZCnVycGRWQnhP -SU14VUpRanNUc1lzT3dXak5tMGVROVJOVXFaNjh1MUZjcFUKLT4gc3NoLWVkMjU1 -MTkgd25FVXB3IE16anVFaFFGRmlZVkY5SDlyWW1nckxoZUd3Z1YvdStEOGNXdS9O -WkNlUVkKZHYrZ05QeGc5bS9UWFRLellPQnptem5TQ21NY0NXUFVJSkY0RHdsdHNy -UQotPiBzc2gtZWQyNTUxOSBubUtTK0EgRkk2MWU5b0lPMEFlTXNRWWNWaTFaS0NL -RkN4eitLbnp2OTRlOHFvVVRDdwozR2p4SEJoNndobTBQeWRLYy9ONGxXcEZTZU5L -bW1remcyUDRqRDBGdDhjCi0+IHNzaC1lZDI1NTE5IHNpbmd2USBBQXk0b1BCTkgz -VG1CbDB6QVBreXFIQS9wRG9nYUUxWnF4YzhGM1NFTTFJCk55UkF6NWdPeVUvL3ZC -anFSdTFFaGJQQjJtQ0l1ZEpUQmZkS3BVc1c5aUkKLT4gc3NoLWVkMjU1MTkgeHFt -eWpBIDMvOGJZV1o1aE5jYWdVUDhRR3BZd2pxY1FvQVJUS1JTZktrbThjS3BRMkEK -R2dXcHN6MVk0UGlNZERRbHpiWFBuVkw2KzJwejJCV1FSbG5JTVg4WnVRNAotPiBz -c2gtZWQyNTUxOSBtdTBmbkEgaU8zcGVhK1BrUWplcVJIRGh1R0N5U1VGZTA5Tlpj -R2g4RWhBYnBNQVltNAp1Lzc1WlpSWjc1RGdCenVEQ2x2cTZtY3ZwTnFuVkR2RjRI -d0xYM25MSGFnCi0+IDdYSyV+QT5OLWdyZWFzZSBDJCdsIGxaZnsKMXZFY0x4Q0hT -QVNXd1RHWFpJZml0ZzBsbHhNWmNORVZjUWxmQ2ltZGxFUm1WdmVsMENSMDFmRGJ5 -dVpsUDlGSwprSTA1Q0JSczloNjFuT3B2Ci0tLSBEWGFMYTU1aTJvdE53dk1qRlpu -Y2tOVDVUcDRIaG52bmhMa2N5Z0xNWUI0Cjy/5eYpl5iwNd2YwC0o1lO2eTr2ggPs -Xq2JxNg5IbFYkBqMiw68yEtMmQf243rvGn8h9jQxL1VnSi+wpueZqxgczICzcqGn -OPOa08liEIvA+UtU4+z11c2fIiZ/BdfzF/s0wzB9uEChpOHSOf0SX8hrwlkq6fIr -w4z9OXceDiUQ5ITlBCl+Kaeb ------END AGE ENCRYPTED FILE----- diff --git a/secrets/initialPassword.age b/secrets/initialPassword.age index bea0f06..bedb9bb 100644 --- a/secrets/initialPassword.age +++ b/secrets/initialPassword.age 
@@ -1,21 +1,18 @@ -----BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyA1QzZE -cHhwUnk5dm8xU29CNlhlU1JsV0tYaDVHV3g2MzI1dnZsVUxVODNNCjFwanh0aUhT -c016dUpONndPL0pRVUtBY2dNZCtYMk1Va2hoaUpsL3I4cjAKLT4gc3NoLWVkMjU1 -MTkgd25FVXB3IFhIVExqYlhTTWt1Q2l5T0RFRWdPN3dRdXVrbjNZTFFXV3pVZ0p5 -TldNU0kKZXdpZ3I1MEk1VzVsNXBuMmlZZjl6YmVKTmNwMDU2VFVSYUhMeURJSjh1 -NAotPiBzc2gtZWQyNTUxOSBubUtTK0EgSVpFeUpySkdsTldpamFqdGJaV3d3ZmU3 -S1VvU3JkTzAyZk5vRXMranIxSQpQYTFRcmlYWFFldFJKelNEVU0rQU5zNDN6bjVq -ZkxBL0E1UTNVVC9DK1hrCi0+IHNzaC1lZDI1NTE5IHNpbmd2USBsVWhhdUVxUnBB -Nzk0OEJrY1V4UkpMNlVvWG95Z0hlSDNIaWQzNjNReXl3Cm1RdlJxRzBNaTQvUmlP -V0hhZXNhVUJrRklNc3U4dURsYkpjdHErNUljTUkKLT4gc3NoLWVkMjU1MTkgeHFt -eWpBIDVKdjA5S0Z5cU5OeTMzL2crN2c4bW9VQm12SUJiMGZ2ZUI0bFB6emNyM2sK -T2o4UUJBYTNzNlp2L0IwSE9yZVJQWnJJdVh4Q0c0ZlcvMSswOHJJM1VzZwotPiBz -c2gtZWQyNTUxOSBtdTBmbkEgellndXoxbmRyV2YrLzZNTnBTeHF6Q2RhQnE4R0NB -L0VSOGVLaDRzYlcyNAplbnNtb1JzN2hUOThQT1ZFcHNvNUlJeVZnT1dudjI1RDdC -T0hSakZ5Qk1nCi0+ID40MHUtZ3JlYXNlIHcjSCwgQApBWERhZXJKbEFsN0NUdjRp -M3RJbWtUV1dSZVBNQWtTbFIrZEhHZmRpVW9TckR5U0RVeDZvSWZDN0o4VTY5T3Ew -CjlORWpkOUhVdkFYTWpSNUdoVHA5VVAyK1dSYlc3RnhKSmcKLS0tIGlqcnAxK1da -QkFqdG0zOVgvWmhmUVNacVZnaUliSUpEeEN2U3Q1cXZHV3cK/UjHuI4IFTOckk9c -KvePereu3ontxUGl393gcI9x1Eacg0b9HZEfwnDKT4dIX2vGXx2aMLo= +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyBkcDhX +WHFGRlJFUll0TFlEVzBiUmkxd3duVHFEdFU0K3hta2JGZzdENzJrCnNBcVRtUkkz +NFFoamExVjNhOXh0UjBJS3p0WmtBOWFGZTNkTTdlMm9aMWsKLT4gc3NoLWVkMjU1 +MTkgd25FVXB3IGpKemJpTGJlMU0zU0hPaFpVd2pZcGFlNUhYTHdxS1NlemlwaWY0 +UFRBMDAKbm9CSlpxZE1JNnNsZHdtL0R6U2Q3STVLbGQxd1F1ZzY1VkNXeWlSQk55 +TQotPiBzc2gtZWQyNTUxOSBubUtTK0EgUzMyMGJXczlic2NUOUl1d1N6MGhxZlZ6 +UXlPNEVMYk1zR3UxZkozcXVTbwpyd1UyK0dGSWhIcXpPTk5TU2ZRTjFadGRXRVlY +OG9tbVhvZzNLcjlQL3FZCi0+IHNzaC1lZDI1NTE5IHNpbmd2USA4a0JFRmlBQjV4 +VTNhbCtMVUE2YzFwTTFwT09HT240RHRGUFdsUFNsN25nCi9zdllEcHRudmFRTC84 +c2QrbjR6eThUdW0zclBFdzVXRTRPU0R1YzlTb2cKLT4gc3NoLWVkMjU1MTkgeHFt 
+eWpBIGR5ZlljUVZSZHFFZThIcHJJc1J1R2o3eGpyQ3A5T1Q2ODRyTFFqN0JyU0EK +TFBpdTVjdTQzUmdRUUVkZDVOSlh4KzM1T1FDUXhaMVAwM2t1ZHFhdmhHVQotPiA9 +LWdyZWFzZSBlc2h8UitCIHsyIC41KS4gX1JBdnwKdUpQSm1tdXQwUFZPb0FMNENj +TFZRM3o0Wk1lN3RobHpxZUVnZHFiT2hWcmoKLS0tIDV0d3NTWUZFNHFpQTJqNGh4 +UFdtVGJ2ZFFBMkVpaDdKN0hFcC9tSGwrWTAKSJMImvBdD1SGCFOYFpEqj0xcohO4 +9Eb1cfj6OeUsC5GMsXXJ78/XSjYtCu1wtWBml3HeQzg= -----END AGE ENCRYPTED FILE----- diff --git a/secrets.nix b/secrets/secrets.nix similarity index 80% rename from secrets.nix rename to secrets/secrets.nix index 593a27e..305f201 100644 --- a/secrets.nix +++ b/secrets/secrets.nix @@ -6,9 +6,8 @@ let onlyoffice = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAEHTFFQoi8PtzkdTEeA5lGELFS01J51GLLjrnySJM7R root@onlyoffice"; postgresql = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJW7qA7j1sICuu1RAfs9ifR9dmOlHq45tKu1ga7CKaob root@pgsql"; forgejo = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILMf3Cc/S0p/LFcW+RLMEqpxOOv8q/HrKO4I9joHmRxl root@forgejo"; - nginx = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKX2wkS9bpMy1+ITPtQclRkthOwksWBZOLa3bT9oLAe1 root@nixos-nginx"; - systems = [grafana onlyoffice postgresql forgejo nginx]; + systems = [grafana onlyoffice postgresql forgejo]; in { "secrets/initialPassword.age".publicKeys = users ++ systems; @@ -26,8 +25,4 @@ in { "services/postgresql/secrets/authentikDBPass.age".publicKeys = [tbarnouin postgresql]; "services/postgresql/secrets/grafanaDBPass.age".publicKeys = [tbarnouin postgresql]; "services/postgresql/secrets/onlyofficeDBPass.age".publicKeys = [tbarnouin postgresql]; - - "services/nginx/secrets/cs-lapi-key.age".publicKeys = [tbarnouin nginx]; - "services/minimalConfig/secrets/cs-lapi-key.age".publicKeys = users ++ systems; - "secrets/cs-lapi-key.age".publicKeys = users ++ systems; } diff --git a/services/forgejo/secrets/forgejoDBPass.age b/services/forgejo/secrets/forgejoDBPass.age index b7e6965..dbefd2a 100644 --- a/services/forgejo/secrets/forgejoDBPass.age +++ b/services/forgejo/secrets/forgejoDBPass.age 
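Review bot: Dropping `nginx` from `systems` re-keys `secrets/initialPassword.age` without the nginx host key, yet the `nginx` nixosConfiguration still exists in flake.nix and still imports minimalLXCConfig.nix; if that module reads initialPassword.age, the nginx host will fail to decrypt it at activation. Removing a recipient also does not take back what the old key could already read — the previous ciphertext stays in git history — so if the nginx host key is being retired rather than merely moved, the password value itself should be rotated along with the recipient list. Separately, the rules file moves to `secrets/secrets.nix` while its entries keep repo-root-relative paths such as `"secrets/initialPassword.age"` and `"services/postgresql/secrets/..."`; confirm how ragenix resolves paths relative to the rules file before relying on this layout, and record the intended invocation directory in a comment at the top of the file.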
@@ -1,12 +1,12 @@ -----BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyB2R1B1 -TXQzcHZLOVpqeXU4dE4rdks5S0tRVjlpVGF0K0w4U2hsRlBJU1VrCnNmSGdNNmxt -TlRhbzdWSzlnbDk4dTZPSitpT1NoU2cwWWlmd3FSSGdmek0KLT4gc3NoLWVkMjU1 -MTkgeHFteWpBIDZjZU5uWWlHME1OVFAzV1QvVjdaS1I2UjNyaTFYS090TUJUaWQx -TGJZUm8KdlVNM1dKQzdKcTEwZHRvWWQvVTVXT1huYkZqalF5cWZ5dkNCU2Q2YUp4 -SQotPiB7VD9eMCwiXC1ncmVhc2UgIkhYIENabi1iYTogOUoKaEo2N0QvZUVzTGY0 -eEhyTFp6QWNCQ3YxcmtacXJqZnpRYnhjRmdZdGl1ckNNSGxxU01HcDdWZ255QXFX -M3YrZgpDVVVWbjlmQmY1Zk9mTXZIZ3ZTTG9aaUExZwotLS0gb3A5RUpiYkVxVzRW -Tm1NMkJjMW5yQ2x3MzhvQWNGbXhyVEFEN1BJUS94OAqqLC4vCYHEG5CWZjtEdAu8 -ekrBlJWaVOdA1nV2rCOciHc+p0/QI74zmzQ1eA== +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyBibzZy +TVF2MnoyblpvVmJtNEsvQnR1Y1YxMkNPakpUWmNUdzcyY283MFM0CnpkaDkxcFp5 +VGc1aWZFUkF0bTZMU2tHV05ZYk1JSnpPWmpzbXhHNFlQNUEKLT4gc3NoLWVkMjU1 +MTkgeHFteWpBIG82LzhFd2JsaVpHZVA5cFE2ekwwTU9JZ3hoc3ZoWDliUHdmK3R1 +V293VUEKSWpUYk9iQkpXSXNKcnhQSVJJbkR6RXdnK0lIWUdJbHZWUm9Fc1ZpZ1hq +RQotPiBiQnZNWy4tZ3JlYXNlIDMmID00QyMuV2ggQQpGRk1TT3FhVFBldWpvRXpr +Sk81d0RIYi9obUQ0cUxraXBDYmJaSWlKVDFPVWVHSVQ0dlNySjZLNG1HRktaNGVN +CndEaHNNdVdqVFEKLS0tIG8rdEJ1VXpxRnJLUGkxblRwaXBJUVBLaGNrWXM0TkJH +REYveDhLTmFyZUEK4ptpcutNLxsjRtwUIq95en3faY2H6GuLjtmDKP3Cp+gdOL31 +D0wzCw14zDU= -----END AGE ENCRYPTED FILE----- diff --git a/services/grafana/default.nix b/services/grafana/default.nix index 537a0de..0bf3000 100644 --- a/services/grafana/default.nix +++ b/services/grafana/default.nix 
@@ -33,317 +33,291 @@ in { }; kuma-token.file = ./secrets/kuma-token.age; }; - services = { - crowdsec = { - hub.collections = [ - "LePresidente/grafana" - ]; - localConfig = { - acquisitions = [ + services.rsyslogd = { + enable = true; + extraConfig = '' + ruleset(name="remote"){ + action(type="omfwd" Target="localhost" Port="1514" Protocol="tcp" Template="RSYSLOG_SyslogProtocol23Format" TCP_Framing="octet-counted") + } + + module(load="imudp") + input(type="imudp" port="514" ruleset="remote") + + module(load="imtcp") + input(type="imtcp" port="514" ruleset="remote") + ''; + }; + services.influxdb2 = { + enable = true; + }; + services.grafana = { + enable = true; + settings = { + server = { + protocol = "http"; + http_addr = "${cfg.vm_ip}"; + http_port = 3000; + domain = "logs.le43.eu"; + root_url = "https://logs.le43.eu"; + serve_from_sub_path = false; + }; + database = { + type = "postgres"; + host = "${cfg.pgsql_ip}:5432"; + name = "grafana"; + user = "grafana"; + password = "\$__file{${config.age.secrets.grafana-db.path}}"; + }; + "auth.generic_oauth" = { + enabled = "true"; + name = "authentik"; + allow_sign_up = "true"; + client_id = "9HV82G8F92Jcbw4nP8eppMcPpLcAw5uYpejfReLy"; + client_secret = "\$__file{${config.age.secrets.grafana-oauth_secret.path}}"; + scopes = "openid email profile"; + auth_url = "https://authentik.le43.eu/application/o/authorize/"; + token_url = "https://authentik.le43.eu/application/o/token/"; + api_url = "https://authentik.le43.eu/application/o/userinfo/"; + role_attribute_path = "contains(groups, 'admin') && 'Admin' || contains(groups, 'admin') && 'Editor' || 'Viewer';role_attribute_strict = false"; + allow_assign_grafana_admin = "true"; + }; + }; + }; + services.prometheus = { + enable = true; + port = 9001; + scrapeConfigs = [ + { + job_name = "kuma"; + scrape_interval = "30s"; + scheme = "http"; + static_configs = [ { - source = "journalctl"; - journalctl_filter = [ "_SYSTEMD_UNIT=grafana.service" ]; - labels = { - type = 
"syslog"; - }; + targets = ["192.168.1.90:3001"]; } ]; - }; - }; - rsyslogd = { - enable = true; - extraConfig = '' - ruleset(name="remote"){ - action(type="omfwd" Target="localhost" Port="1514" Protocol="tcp" Template="RSYSLOG_SyslogProtocol23Format" TCP_Framing="octet-counted") - } - - module(load="imudp") - input(type="imudp" port="514" ruleset="remote") - - module(load="imtcp") - input(type="imtcp" port="514" ruleset="remote") - ''; - }; - influxdb2 = { - enable = true; - }; - grafana = { - enable = true; - settings = { - server = { - protocol = "http"; - http_addr = "${cfg.vm_ip}"; - http_port = 3000; - domain = "logs.le43.eu"; - root_url = "https://logs.le43.eu"; - serve_from_sub_path = false; - }; - database = { - type = "postgres"; - host = "${cfg.pgsql_ip}:5432"; - name = "grafana"; - user = "grafana"; - password = "\$__file{${config.age.secrets.grafana-db.path}}"; - }; - "auth.generic_oauth" = { - enabled = "true"; - name = "authentik"; - allow_sign_up = "true"; - client_id = "9HV82G8F92Jcbw4nP8eppMcPpLcAw5uYpejfReLy"; - client_secret = "\$__file{${config.age.secrets.grafana-oauth_secret.path}}"; - scopes = "openid email profile"; - auth_url = "https://authentik.le43.eu/application/o/authorize/"; - token_url = "https://authentik.le43.eu/application/o/token/"; - api_url = "https://authentik.le43.eu/application/o/userinfo/"; - role_attribute_path = "contains(groups, 'admin') && 'Admin' || contains(groups, 'admin') && 'Editor' || 'Viewer';role_attribute_strict = false"; - allow_assign_grafana_admin = "true"; - }; - }; - }; - prometheus = { - enable = true; - port = 9001; - scrapeConfigs = [ - { - job_name = "kuma"; - scrape_interval = "30s"; - scheme = "http"; - static_configs = [ - { - targets = ["192.168.1.90:3001"]; - } - ]; - basic_auth.username = "tbarnouin"; - basic_auth.password_file = config.age.secrets.kuma-token.path; - } - { - job_name = "grafana"; - static_configs = [ - { - targets = ["127.0.0.1:9002"]; - } - ]; - } - { - job_name = 
"opportunity"; - static_configs = [ - { - targets = ["192.168.1.125:9100"]; - } - ]; - } - { - job_name = "crowdsec_authentik"; - static_configs = [ - { - targets = ["192.168.1.125:6060"]; - } - ]; - } - { - job_name = "nginx"; - static_configs = [ - { - targets = ["${cfg.proxy_ip}:9002"]; - } - ]; - } - { - job_name = "crowdsec_nginx"; - static_configs = [ - { - targets = ["${cfg.proxy_ip}:6060"]; - } - ]; - } - { - job_name = "redis"; - static_configs = [ - { - targets = ["192.168.1.16:9002"]; - } - ]; - } - { - job_name = "ingenuity"; - static_configs = [ - { - targets = ["192.168.1.90:9100"]; - } - ]; - } - { - job_name = "gitea"; - static_configs = [ - { - targets = ["192.168.1.14:9002"]; - } - ]; - } - { - job_name = "postgresql"; - static_configs = [ - { - targets = ["192.168.1.13:9002"]; - } - ]; - } - { - job_name = "nextcloud"; - static_configs = [ - { - targets = ["192.168.1.45:9100"]; - } - ]; - } - { - job_name = "crowdsec_nextcloud"; - static_configs = [ - { - targets = ["192.168.1.45:6060"]; - } - ]; - } - { - job_name = "jellyfin"; - static_configs = [ - { - targets = ["192.168.1.42:9100"]; - } - ]; - } - { - job_name = "crowdsec_jellyfin"; - static_configs = [ - { - targets = ["192.168.1.42:6060"]; - } - ]; - } - ]; - }; - loki = { - enable = true; - configuration = { - server.http_listen_port = 3100; - server.grpc_listen_port = 9096; - auth_enabled = false; - ingester = { - lifecycler = { - address = "192.168.1.27"; - ring = { - kvstore = { - store = "inmemory"; - }; - replication_factor = 1; - }; - }; - chunk_idle_period = "1h"; - max_chunk_age = "1h"; - chunk_target_size = 999999; - chunk_retain_period = "30s"; - }; - schema_config = { - configs = [ - { - from = "2022-06-06"; - store = "boltdb-shipper"; - object_store = "filesystem"; - schema = "v13"; - index = { - prefix = "index_"; - period = "24h"; - }; - } - ]; - }; - storage_config = { - boltdb_shipper = { - active_index_directory = "/var/lib/loki/boltdb-shipper-active"; - cache_location = 
"/var/lib/loki/boltdb-shipper-cache"; - cache_ttl = "24h"; - }; - - filesystem = { - directory = "/var/lib/loki/chunks"; - }; - }; - - limits_config = { - reject_old_samples = true; - reject_old_samples_max_age = "168h"; - allow_structured_metadata = false; - }; - - table_manager = { - retention_deletes_enabled = false; - retention_period = "0s"; - }; - compactor = { - working_directory = "/var/lib/loki"; - compactor_ring = { + basic_auth.username = "tbarnouin"; + basic_auth.password_file = config.age.secrets.kuma-token.path; + } + { + job_name = "grafana"; + static_configs = [ + { + targets = ["127.0.0.1:9002"]; + } + ]; + } + { + job_name = "opportunity"; + static_configs = [ + { + targets = ["192.168.1.125:9100"]; + } + ]; + } + { + job_name = "nginx"; + static_configs = [ + { + targets = ["${cfg.proxy_ip}:9002"]; + } + ]; + } + { + job_name = "redis"; + static_configs = [ + { + targets = ["192.168.1.16:9002"]; + } + ]; + } + { + job_name = "ingenuity"; + static_configs = [ + { + targets = ["192.168.1.90:9100"]; + } + ]; + } + { + job_name = "gitea"; + static_configs = [ + { + targets = ["192.168.1.14:9100"]; + } + ]; + } + { + job_name = "postgresql"; + static_configs = [ + { + targets = ["192.168.1.13:9100"]; + } + ]; + } + { + job_name = "nextcloud"; + static_configs = [ + { + targets = ["192.168.1.45:9100"]; + } + ]; + } + { + job_name = "crowdsec_nextcloud"; + static_configs = [ + { + targets = ["192.168.1.45:6060"]; + } + ]; + } + { + job_name = "deluge"; + static_configs = [ + { + targets = ["192.168.1.18:9100"]; + } + ]; + } + { + job_name = "jellyfin"; + static_configs = [ + { + targets = ["192.168.1.42:9100"]; + } + ]; + } + { + job_name = "crowdsec_jellyfin"; + static_configs = [ + { + targets = ["192.168.1.42:6060"]; + } + ]; + } + ]; + }; + services.loki = { + enable = true; + configuration = { + server.http_listen_port = 3100; + server.grpc_listen_port = 9096; + auth_enabled = false; + ingester = { + lifecycler = { + address = "127.0.0.1"; + ring = 
{ kvstore = { store = "inmemory"; }; + replication_factor = 1; + }; + }; + chunk_idle_period = "1h"; + max_chunk_age = "1h"; + chunk_target_size = 999999; + chunk_retain_period = "30s"; + }; + schema_config = { + configs = [ + { + from = "2022-06-06"; + store = "boltdb-shipper"; + object_store = "filesystem"; + schema = "v13"; + index = { + prefix = "index_"; + period = "24h"; + }; + } + ]; + }; + storage_config = { + boltdb_shipper = { + active_index_directory = "/var/lib/loki/boltdb-shipper-active"; + cache_location = "/var/lib/loki/boltdb-shipper-cache"; + cache_ttl = "24h"; + }; + + filesystem = { + directory = "/var/lib/loki/chunks"; + }; + }; + + limits_config = { + reject_old_samples = true; + reject_old_samples_max_age = "168h"; + allow_structured_metadata = false; + }; + + table_manager = { + retention_deletes_enabled = false; + retention_period = "0s"; + }; + compactor = { + working_directory = "/var/lib/loki"; + compactor_ring = { + kvstore = { + store = "inmemory"; }; }; }; }; - promtail = { - enable = true; - configuration = { - server = { - http_listen_port = 3101; - grpc_listen_port = 9095; - }; - positions = { - filename = "/tmp/positions.yaml"; - }; - clients = [ - { - url = "http://127.0.0.1:3100/loki/api/v1/push"; - } - ]; - scrape_configs = [ - { - job_name = "syslog"; - syslog = { - listen_address = "0.0.0.0:1514"; - listen_protocol = "tcp"; - idle_timeout = "60s"; - labels = { - job = "syslog"; - }; - }; - relabel_configs = [ - { - source_labels = ["__syslog_message_hostname"]; - target_label = "host"; - } - { - source_labels = ["__syslog_message_hostname"]; - target_label = "hostname"; - } - { - source_labels = ["__syslog_message_severity"]; - target_label = "level"; - } - { - source_labels = ["__syslog_message_app_name"]; - target_label = "application"; - } - { - source_labels = ["__syslog_message_facility"]; - target_label = "facility"; - } - { - source_labels = ["__syslog_connection_hostname"]; - target_label = "connection_hostname"; - } - 
]; - } - ]; + }; + services.promtail = { + enable = true; + configuration = { + server = { + http_listen_port = 3101; + grpc_listen_port = 9095; }; + positions = { + filename = "/tmp/positions.yaml"; + }; + clients = [ + { + url = "http://127.0.0.1:3100/loki/api/v1/push"; + } + ]; + scrape_configs = [ + { + job_name = "syslog"; + syslog = { + listen_address = "0.0.0.0:1514"; + listen_protocol = "tcp"; + idle_timeout = "60s"; + labels = { + job = "syslog"; + }; + }; + relabel_configs = [ + { + source_labels = ["__syslog_message_hostname"]; + target_label = "host"; + } + { + source_labels = ["__syslog_message_hostname"]; + target_label = "hostname"; + } + { + source_labels = ["__syslog_message_severity"]; + target_label = "level"; + } + { + source_labels = ["__syslog_message_app_name"]; + target_label = "application"; + } + { + source_labels = ["__syslog_message_facility"]; + target_label = "facility"; + } + { + source_labels = ["__syslog_connection_hostname"]; + target_label = "connection_hostname"; + } + ]; + } + ]; }; }; diff --git a/services/grafana/secrets/grafana-db.age b/services/grafana/secrets/grafana-db.age index 7beaeb4..8e877c3 100644 --- a/services/grafana/secrets/grafana-db.age +++ b/services/grafana/secrets/grafana-db.age 
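Review bot: The `crowdsec_nextcloud` and `crowdsec_jellyfin` scrape jobs (targets `192.168.1.45:6060` and `192.168.1.42:6060`) are kept while `crowdsec_authentik` and `crowdsec_nginx` are dropped, yet this same commit removes `services.crowdsec` from services/minimalConfig/default.nix and the bouncer module from the jellyfin host in flake.nix; if 192.168.1.42 is that jellyfin host, its `:6060` exporter disappears with it and the job becomes a permanently down target, so it presumably belongs with the jobs being removed. Most of this 300-line hunk is the `services = { … }` block being flattened into `services.*` attributes, which buries the behavioural edits — gitea and postgresql targets moving from `:9002` to `:9100`, the new `deluge` job, the loki lifecycler address moving to `127.0.0.1` — and makes them hard to review; a separate reflow-only commit would help. On the new side the OAuth mapping `role_attribute_path = "contains(groups, 'admin') && 'Admin' || contains(groups, 'admin') && 'Editor' || 'Viewer';role_attribute_strict = false"` tests the `admin` group twice, so the `Editor` branch can never match, and the trailing `;role_attribute_strict = false` is part of the JMESPath string rather than a Grafana setting — split it into `role_attribute_path = "contains(groups, 'admin') && 'Admin' || contains(groups, '<editor-group>') && 'Editor' || 'Viewer'";` and `role_attribute_strict = "false";` (or `"true"` if users without a mapped role should be rejected rather than given the default role).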
@@ -1,11 +1,10 @@ -----BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyBTTDNK -K3Z0alIwY0FzQlBCeTQwTS9oQ3U4dThSUUZMSXBIcU55em1KSmdnCnBWN2FaZnhs -N1NLdk0xQ09PMTFwb1FEMjJDNzg4bzBEL0p5aGh1MEs4b0UKLT4gc3NoLWVkMjU1 -MTkgd25FVXB3IEIyL2VrYlVrazJTdktJbUVOUzZySlhZbnNvNlIrY0dlckZrdlE4 -Q2E1RFkKZFFlUUZoRmUxck5OZjZwVmZQbklzdDZ5Q0xpd3dyTTVEdjFOQ3pGMGxN -ZwotPiBVLWdyZWFzZSBHbiA7OApIeEE5RWx1ZjFkZ3Z6TDMwcnRJSGNFVXo2UUdT -VVdNaTJQUmllSnVWeng0SmVmaCtiUXMKLS0tIC9GVjdhQWFyK09xcmQ3OFZWUUdT -cG5OTWs5QU9JOHorMFhuYUkraWFVc2sKXuXtNqrwCgD4SmTo9caBnH5Ieaotok43 -rzPGYHVRNma0rlEZpXh4K1RiC4GPDw== +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyB2Mmts +SGNkcnhPak5uei90a3ZoTlZyakxTUUZUV0xaQnBZKy82YStDbHhzCmw0Rk5MN2E3 +WFdsQ3NOSXJXY1RqQTJvMFh4Y29NblhPOUxGZWFwRFl5ZzgKLT4gc3NoLWVkMjU1 +MTkgd25FVXB3IFNMaC91cFZaNk53anZ6cWFSRmVYYm1DVFFEanJXejQreE5yKzFV +bU13VmsKclpQQ2tvZGtERmRBam9DUXVrRkd3amt4V2psUkhaY0ZNUXBLeHFhSExj +MAotPiBoLWdyZWFzZSBQbGUnfHhDXQpzcXdteFZrKzFEQWFmVmcKLS0tIHRYOXMy +cXNnaUk0c3QrUHRaUXVNNWN1dTJVcWM4UWIyWEtuYWxRdk4rUTQKyaaS0dtamqzZ +dPOcuIxUDx/G/lzes6ABI1gB2i+vr20/DvtTaNklcXHQY2BO4Q== -----END AGE ENCRYPTED FILE----- diff --git a/services/grafana/secrets/grafana-oauth_secret.age b/services/grafana/secrets/grafana-oauth_secret.age index 43e229a..ca36679 100644 --- a/services/grafana/secrets/grafana-oauth_secret.age +++ b/services/grafana/secrets/grafana-oauth_secret.age 
@@ -1,14 +1,14 @@ -----BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyA5K1k4 -eTYzME9YYkVKc09uL0IwSkVoL2tXODdJSWt4MEdSR29QOXZMWkdrCnJqS1pYa3d4 -TUJUN3d1N0tPNTN0eDd6Z1B5RXlVWFkxMk10STF1Zi9jY1kKLT4gc3NoLWVkMjU1 -MTkgd25FVXB3IDZqVDh0YS9iWDFMbmtDamZQYjc3MGk0QXZJVnlKRmR3MmI5bGNH -bEkzUWcKTkZpejZkRTcxbEw2dk8xaEFQempHekRtcnROR0FHTi9BMjhhZnZBWnlY -cwotPiA5OHYtZ3JlYXNlIEQ/IDcmIE1WICIKWEF1VC8zOXdkdlpZMEV3SlF6RDg5 -Z3k1V3lzclVVbkplYkdoTlhOL3VSUFk2a0g5TlpyTzB2WGE2QQotLS0gb1ByMTZT -V2NyRnJ5ZVpqc3NGbTNhTFhZK0gvTUN5YStzVXUyMmlwMDlBWQoCsJBEa8QT1b3E -8uCGIuxq1OvWfq3CHSnIHtVPPPz9Dwdp2XZ9XGN1mwGOcDWvnn6xVedeHXk95vNw -79Dx6bMfB9O3TmS4CyQ4UdFKt7ysjuDXw5LIe3FvpjmbRRJGKw+t8pDNFUi7MGif -/y00Ss8yI9xEatUXBUCfO8pMqoBqbzA2xfsAZ+FTYOELZppZhlp6c1+b30gyzNEx -+QdkVxVX9g== +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyBtM3Fu +K0RUSmtPd0sxd2Z0dEZkN1FpVTBjTkJhYWI3V2dJR3FnZk1vaXo4CkgrRUNRc0ZO +TXdhTGhkWVpobUY2eENGT0h3aDVpNGt1dVJJM2JrQ3pERkkKLT4gc3NoLWVkMjU1 +MTkgd25FVXB3IGhNYmZwdWp0YXB4VWdmbHh1TjlSNEljNFFSajRNbkpkaElwS0dj +VTZTVGMKYkU3ZC9KZW54ZVFqTFk0S1dTL2JnVEFPNVBCR3JscjBLUWVWb2ZYNXJO +QQotPiBEVVpNLWdyZWFzZSBKN24yXCBcVnYrXkcKcmptQ09wRlRLWEI2WlA3bnBo +NExuM1YwTWZsd1JmN05mMG1wMjVmbW5RTWpncVZ0YUpwVjA4b3Urajk5TjJnCi0t +LSB0Q1NRYjJBb0ZpNVQ3Q2dSZVFwYXN5ZG93N0JMWENjQU11QWxQWC8zZEI0Cpi4 +5dU4RfIEAsKkX79fe3Vjt7EAO5Qmszzy0N0Jlkagn/ZxAsn8Y4NVH/WmD4l3xyTO +pzq5Cc6zL/TU9LMjcq1hXzwbQuueWkQTrVop+pfa5KRH1PCh4ntVVMIXBmlHpjoL +pfx7k1PzTMwO0ACw2sClHM40kafeGG0Rb0SgmyyfcQtO/JpdgC1rLFAO+4lM+UlC +4CR3D2IfaeL1ojFGKHgU -----END AGE ENCRYPTED FILE----- diff --git a/services/grafana/secrets/kuma-token.age b/services/grafana/secrets/kuma-token.age index 6130f1b..6099526 100644 --- a/services/grafana/secrets/kuma-token.age +++ b/services/grafana/secrets/kuma-token.age 
@@ -1,11 +1,12 @@ -----BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyBPbktx -UWlmTXJOYnFDSjBMUUZJZzN1R09ldWpHdlVONzJOR0NwODdsRzFJCkdPT1R6b1lx -dThHczN0WWJaOENiTW0wRnI0OG5PeTllVXBUWkhVVVlkeFEKLT4gc3NoLWVkMjU1 -MTkgd25FVXB3IFJrV0FkUERiZkVJNmZWUUZWRytHTTM0RHN4MzczalM4VDVsMmtt -S2dVVkkKdXZFRitOYSt1M1IwbXlZNDNCOEpkbDA5MzVrV3NPWHA1a3NXSXhVM0Vw -UQotPiBgby1ncmVhc2UgRiw3Cktud3Izd21LNGJiMXVrQi9sWVB5T1VoMVhEZ1JX -bVh6eWZMWHN3Ci0tLSBId2M0T1d1ZkxQK0ZMcHJBRHRwQ2drT1RHSWhJbnd6YTR0 -T0tGNmtCTE44CiymjrDgkjwfLRhDCKZin3sV5je3Ho3fUyMu6vHp1ybmlYZxPXa9 -996BaKlD5RQWjAXyWRFVFQzVwnP8iNULxA0Uo3a5SUxQ5YlQPf+V +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyBMY0Z6 +STRvMWVUVDRMM2I3bkFsUEo3OFJyNDVPQzlWcHRFSVplUXEyaW13CnJoclhhL2Vo +d1M1cVhLcXVpNEZzdmtsZUlTZjVMamJHdC8xekNzM01oWE0KLT4gc3NoLWVkMjU1 +MTkgd25FVXB3IGYyeTlEeEpTWkZsMFdvVzhlU2p0Yk0zMmtRL1ZRTHp5YzEwNk5q +ZGNHMEkKaFNMQW1RTXJkLzlYR0Zjd09YNlhVVlhPV0tpWkJOLzIva0NsWGtGbHk5 +dwotPiBmeyVXdS1ncmVhc2UgPF9kIyNNNm4geidlbUMgL1R6Xz5YCk1rMnZPYnI2 +Q1Q4RGlDRDIxRmFaMStqakxud244d2YrMWttUUxGWVBuZVBrTHZMbVdHN3p6ZnYr +eUEKLS0tIGVOUlJaZU01UGpTVXBxSjZjL3RuL3JlQWlDVkIreHZJdEZRTVExeGRi +OHMKBgnrlp1sTW9RJkzeHCgKExVm909fmlzm4J0OkaJDTNBeehEZsRLg72J7G8Em +u4FvLjakI+VMbsOJ5HmDsCXTGDLSJevK9e45o3Ik3sw= -----END AGE ENCRYPTED FILE----- diff --git a/services/minimalConfig/default.nix b/services/minimalConfig/default.nix index d46bc57..3993631 100644 --- a/services/minimalConfig/default.nix +++ b/services/minimalConfig/default.nix @@ -91,13 +91,6 @@ ]; }; - age.secrets = { - cs-lapi-key = { - file = ./secrets/cs-lapi-key.age; - owner = "crowdsec"; - }; - }; - services = { openssh = { enable = true; 
@@ -114,21 +107,6 @@ fail2ban = { enable = true; }; - crowdsec = { - enable = true; - package = pkgs.crowdsec; - autoUpdateService = false; - openFirewall = true; - settings = { - general = { - prometheus.listen_addr = "0.0.0.0"; - }; - lapi.credentialsFile = "${config.age.secrets.cs-lapi-key.path}"; - }; - hub.collections = [ - "crowdsecurity/linux" - ]; - }; rsyslogd = { enable = true; extraConfig = "*.*@192.168.1.27:514;RSYSLOG_SyslogProtocol23Format"; diff --git a/services/minimalConfig/secrets/cs-lapi-key.age b/services/minimalConfig/secrets/cs-lapi-key.age deleted file mode 100644 index a1f7f2a..0000000 --- a/services/minimalConfig/secrets/cs-lapi-key.age +++ /dev/null 
@@ -1,22 +0,0 @@ ------BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyB3eCs0 -Nk9UMzBuKzh0MHdNQW9sM2JRZUFjS3lXRm13U2F0SmxwM0szcG04CmkrMm1BRlls -bXZacTIyR3RWMWlGSUMxcytYRGUzSExYd055emNEQTVuc00KLT4gc3NoLWVkMjU1 -MTkgd25FVXB3IGNuRmFFa1lYd0xsV0d2WkRhYmFEVjlkc1g4NWJURitnNzBhMHBj -WWhnWFEKSkw1K0V2WXdpT2krQ3ZtbHJZT0hGczJ3ck00SC92TFZVdWIwYmoxRDlP -NAotPiBzc2gtZWQyNTUxOSBubUtTK0EgcGJyTXpoTkF1Z212ZHUrVDFoVXFualNM -MkNyQXpNWmJReGoxWGF6N2dHMAppY0ZiVWVMNkp4eVB0VGsxUmRmaDN1RG0wRXM0 -QkhyYUF1OGdPdHN4dUpJCi0+IHNzaC1lZDI1NTE5IHNpbmd2USBuSHpPaG91UXZG -YmdvQUNVQTlEeG5DTWtiSDJCQ3dzeWM3RXlCQW9kMXpFCkw0bUxuVzZlMThXUytT -Znd1MlE1WnpOQlg2bCtnT21pVGwyYTdjb2xGNlkKLT4gc3NoLWVkMjU1MTkgeHFt -eWpBIHNqUUxQM2QvSkV6Y0FucU5kSWd5SURObXN4czJiN29ISW11UTJjOTB4azQK -ekN0RUkwVWsxSHhqelNueGNGOTNoMWExNkxRd3RaVkluNmpIYnk1WXY3awotPiBz -c2gtZWQyNTUxOSBtdTBmbkEgSm50VlB2NEh5ZzBmNVpaTE5sbHZEcnE2ek43T2RH -M1hwOFRIN3ZXcmx4YwoyK3QzeU1ZT2F5MUM3blg3aytLTGsxSmtxZ3VDUkNFVjZs -eFdjMTBSeHVFCi0+IDk4cFViLWdyZWFzZSBYekczVnVnbCBpfXpGIC5HClRvVDlB -R09XcDYxQzNWOVBhU256a2MwRHlxK3VJd25teDJZMDBRCi0tLSBBZXdLcy9sVTFn -TEpESU1IWE1aOGowcjlGQW5wZEhwZjFMaWxMZmN2MC93Cic+Mcw6l7P3Pog/UL3J -M2HIcSjqjtLKtk52uNIb8b7A/fOdrUhogyYVfAt7nWhQ0CCE+cE/Z+JnI3g8skG5 -4ZGF/r9Y+9orKLdskFdrkWBYX1jx3Xcwme+Kg86AO9P3Os3thXo8iDctAFFiAWvo -AgOOjmobsPfXKQfRZw84nDB1CXzFZkDngYrB ------END AGE ENCRYPTED FILE----- diff --git a/services/nginx/default.nix b/services/nginx/default.nix index 4ed3d52..293d062 100644 --- a/services/nginx/default.nix +++ b/services/nginx/default.nix @@ -2,17 +2,12 @@ config, pkgs, lib, - inputs, ... }: let cfg = config.services.vm_nginx; in { options.services.vm_nginx = { enable = lib.mkEnableOption "Enable minimal config"; - proxy_ip = lib.mkOption { - type = lib.types.str; - description = "The Nginx proxy IP address"; - }; }; config = lib.mkIf cfg.enable { security.acme = { 
@@ -23,59 +18,7 @@ in { ]; }; services = { - crowdsec-firewall-bouncer = { - enable = true; - package = inputs.crowdsec.packages."x86_64-linux".crowdsec-firewall-bouncer; - settings = { - api_key = "XIgNVuxdP74m+UPbd3WJnHHJdLhRiTbhuH6z2mPRIFg"; - api_url = "http://${cfg.proxy_ip}:8080"; - }; - }; - crowdsec = { - settings = { - general = { - api = { - server = { - enable = true; - listen_uri = "${cfg.proxy_ip}:8080"; - }; - }; - }; - }; - hub.collections = [ - "firix/authentik" - "crowdsecurity/sshd" - "crowdsecurity/linux" - "crowdsecurity/nginx" - "crowdsecurity/http-cve" - "crowdsecurity/base-http-scenarios" - ]; - localConfig = { - acquisitions = [ - { - source = "journalctl"; - journalctl_filter = [ "_SYSTEMD_UNIT=nginx.service" ]; - labels = { - type = "syslog"; - }; - } - ]; - parsers.s02Enrich = [ - { - name = "gateway"; - description = "Whitelist Gateway IP for VPN access"; - whitelist = { - reason = "Gateway IP"; - ip = [ - "192.168.1.1" - ]; - }; - } - ]; - }; - }; fail2ban = { - enable = lib.mkForce false; jails = { nginx-http-auth = '' enabled = true @@ -187,6 +130,24 @@ in { recommendedProxySettings = true; }; }; + "office.le43.eu" = { + forceSSL = true; + enableACME = true; + locations."/" = { + proxyPass = "http://192.168.1.125:8000"; + proxyWebsockets = true; + recommendedProxySettings = true; + }; + }; + "collabora.le43.eu" = { + forceSSL = true; + enableACME = true; + locations."/" = { + proxyPass = "http://192.168.1.19:9980"; + proxyWebsockets = true; + recommendedProxySettings = true; + }; + }; "git.le43.eu" = { forceSSL = true; enableACME = true; diff --git a/services/nginx/secrets/cs-lapi-key.age b/services/nginx/secrets/cs-lapi-key.age deleted file mode 100644 index 46606e3..0000000 --- a/services/nginx/secrets/cs-lapi-key.age +++ /dev/null 
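Review bot: The two new vhosts (`office.le43.eu`, `collabora.le43.eu`) proxy `/` wholesale to plain-HTTP upstreams with `proxyWebsockets = true` but no read timeout; if `192.168.1.19:9980` is a Collabora server, its document websockets are idle-closed at nginx's 60s default, so add something like `extraConfig = "proxy_read_timeout 36000s;";` on the `/` location, and consider whether the upstream's admin/info endpoints should be reachable through the public hostname at all rather than proxying every path. Dropping `enable = lib.mkForce false;` means fail2ban now runs on this host (the minimal config enables it), but the HTTP-scanning coverage the removed `crowdsecurity/nginx` and `http-cve` collections provided is not replaced by the `nginx-http-auth` jail alone; the other jails are outside the hunk, so verify they cover the new vhosts. Separately, the `api_key` literal removed in the first hunk of this file was committed in plaintext and remains in git history; with the LAPI gone it is inert, but it must not be reused.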
@@ -1,14 +0,0 @@ ------BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyBCRlBx -TDRERktFbE1xSXNpUXd4UE5vdHJpWmRNQUdjZ3hLejlmaWVjd2lRCm10aStweldV -aE5lWnJ4T3l3dTFlYWR2eUtjZHYrdTJ1VmFQMFc2UlIxUWcKLT4gc3NoLWVkMjU1 -MTkgbXUwZm5BIFh5dDY0c1hMTDE5aTFsRU5JbERvTXlWSDZwZGgzaExraitLSmQr -Ukp5VkEKT0ZQS1AzQTFWRGJneWVjaU5sbHVaME83RnZuQzBPNCtzb20yNWtNR0Rk -ZwotPiBwdygwZ11ZLWdyZWFzZSBEXGFWV2JvCjZPenNoMVhjbHZycjhqZURQWExi -NmZkZDdJaTQ5NkFCZmtmWU1zZEdrQndnSnBkNmZhY1dOeENqeTNpL3BlcXMKN0VQ -VmgvaWdONzF2TWFuS0tTQ2Y5M0NUMGJkOFVaMi85K01vdHNRRUJ3d1VLbmxUN0cv -SVIvcwotLS0gOW9sZjBuUmxRK1JMZ1NYWlRiL1BMZGd1SmJML0I5SlpLMWlOakhR -L01DdwpzAKzZ6lqTmdlFPWlj3ElxZJhWKZI9iPpP9QW/TzrAAAmHivSmSfLrAKwE -uBgXo+unc+c9KUCypY8z1nMzbmijDKhMrryBsj7++IyfG5cqhX4J+Y73mdutKtfY -JzsfH7ku3cvSxl1MypQdj7+F//7hkcn5IoSKLT/AcTqqFEcoUorf5QYaD5Rnrg== ------END AGE ENCRYPTED FILE----- diff --git a/services/onlyoffice/secrets/office-dbpass.age b/services/onlyoffice/secrets/office-dbpass.age index c54ba53..d173e0c 100644 --- a/services/onlyoffice/secrets/office-dbpass.age +++ b/services/onlyoffice/secrets/office-dbpass.age 
@@ -1,11 +1,11 @@ -----BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyBlRXJL -U09lMEFhTm14UDBvK0RneU1rUEExOW1XLzBYaFVIUE11WnhXT2pnCkVSYTlxT0pC -dEdhTlp6MnhVVGdjaU5sNkw4UEJqRDh0S2VjMXFpbVdDaE0KLT4gc3NoLWVkMjU1 -MTkgbm1LUytBIFEzTldxVFNPQ0k4anI3eGtROHh5K2NDNE9vbGRKdGpZdmZONFJF -Z3E4aE0KeFlSTkliYldSeGkvOWJtVGNJaDIrbnFWT3kzUVh3T3pRMEFQVUptSDhs -YwotPiBrd3ZcWDBdeC1ncmVhc2UgfApURFdhNmlIOVR0T1c5ZFhHbURNbkx3YnhS -L1ZMWjg5dGlZM0FCZUJ3WVpYTU5HRjV6cTllYkxmcVNXWFJQeUlOCnlKcwotLS0g -RUIxbW1BVW05WGlRZlVJcDNINGRQTU8zSytqZGU3aVNldkNGakdFYllRVQpyT8qx -VmPmwWiaRIx1JjhOPLnLnK3x2h2FepWW37HPANVrD51o8x9PPzbzpe/j+DI= +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyA0YWdJ +cnphWUxTeldXM25FZGg3NC9sVlppbHE4N2szS00vK2VQL1VPendJCmhTME1MUzhI +MTZRSG0rcVFvdjllZ05Ockkwam1kYVpObnJSdEYydGgyN3cKLT4gc3NoLWVkMjU1 +MTkgbm1LUytBIGM5NCtPVGZJWVhNR1ZvTGVGODF0M2N3aXdzeVVDYU10aGc5bkVO +ZmNPd2MKa2xiZy94cjEyOFRBU1NvSHpvckQweWh3OGRQejhQQVpqMnJLQjI1RVQx +QQotPiBcJC1ncmVhc2UgXDFcUyAqfV53PyArZSFFc0sgenxXek0KdTh0UFU2V25T +bWNoSWsrUmpkbzNabmdJZ2t5OHh1RTgzY0ExaGNLS09hZHl0eXM3MXB4RwotLS0g +UkxxWURhVzg5Q09EUGtObEhOeWN3MXk4U1ZxeXZWLzFXVURpQWNrYzBmWQqn7LYQ +6fgnb/DRZjA8yhMgTSIcIJSm4t/+y6fGTOMmWK9Sjsjx+bK1kazPnPZgp6A= -----END AGE ENCRYPTED FILE----- diff --git a/services/onlyoffice/secrets/office-jwtpass.age b/services/onlyoffice/secrets/office-jwtpass.age index 429ab29..12ebce5 100644 --- a/services/onlyoffice/secrets/office-jwtpass.age +++ b/services/onlyoffice/secrets/office-jwtpass.age 
@@ -1,12 +1,12 @@ -----BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyB6YTZF -SSt4bEFvY0xCT1ZTUldNSkdveG44cWZYei9DdDhRQnlId2xnM1M0Cnp1T0dlWFZz -b2FBOUMwT2dKaEpxU0c4aWQvRTBaVFV5L2ZWdDYzUjQvaTQKLT4gc3NoLWVkMjU1 -MTkgbm1LUytBIGl1VHJLN0JOZUhuUmtQbnF5b3Q5QVF6eEFvREFSaG5VTS9yWDJP -TXdDSFUKS1k1M211ZWNLeXVHYWlzeDJwQWJBLzlZUWI3TkNzVTVyTHNWdkxlWkRN -TQotPiBaP2E+MlctZ3JlYXNlIFNzYiBjKnI1fkEgO1pgIDw+CkN2aktUQ1FoMDlv -VHpHSEVuaW1ORE14dWRyS0U1amY5Ny9HV3hpODVnNUY5T3lXdGdMMS8zNy9xUXVV -QUhXNEsKekR2SytYcWlHY0VScXZhWUw0Ty9Qd2t6VWcKLS0tIFRCWW9KTWUxNXJv -NC9rTWpnNTdPbitqL1RtQWRxTFYyaXVzcmptdWpVaVUKHjTjNodh7Gq5bTJ0WXAo -DbfiQMUsv90ipf+og4AkLfVzSkcNrpNeREzCj7wZvPE6LA== +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyA1QnNv +L1U2eUljam4wM01lOURXQ2luRkVGbk96OVFuVm9kS1NxaFJ0N0QwCmZxak82eW1w +SVBMeEZWUDh3a3lmRkJhSkcxcW5kSUg3R1RiVUxpMTlPZE0KLT4gc3NoLWVkMjU1 +MTkgbm1LUytBIENxbWI5ZG4rbVFEb3lvQVZLMW1tUFo5N2hzYzQyN1hSZnZUdHlv +Q2hDUlUKdDdmd2JyREdPYWdLSFBUN3orOUJkSk9WK1JYTElhV2JyaWR1cUJLM3BI +QQotPiBWYSo7KlItZ3JlYXNlIHBJXCYgNWZjb1RjIGVPOT87JF0yCkFkbVFkTWlN +bXk5b0VZdmNza09JanVXbFlCUkNVdkNZZ243TzRLMTB1bkkzTGJzS1pIdkdmQnNt +T2liSWdjdjQKbnBITzM5L0JlS283MndTenE1UTMveHRXL0UwCi0tLSA0eHZFQnhQ +ajd1SkNvanNuQTQ2VWpKYU0vbGRmVkZJWUZURG5xbnh0UDhJCtVjowaW++5XN5JY +pZSLB0peh5Zu7P/yeAmDvnjO2BhfgQ+9sZzNzAcVwM8We03Tr8M= -----END AGE ENCRYPTED FILE----- diff --git a/services/postgresql/secrets/authentikDBPass.age b/services/postgresql/secrets/authentikDBPass.age index f92c43f..77169bc 100644 --- a/services/postgresql/secrets/authentikDBPass.age +++ b/services/postgresql/secrets/authentikDBPass.age 
@@ -1,11 +1,10 @@ -----BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyBnSGtm -R1dGQlBySDlVTy9Mb1QraTZLRFFPSmRqYUF3cTNRbmNnV2VUQlVzCkxKcjRHN0p3 -SUlnSUpXVXc5VURRSEVMWEF0bHZkRGQ0VHZLcnJPV3pkMVEKLT4gc3NoLWVkMjU1 -MTkgc2luZ3ZRIEJGUlB4N3l1Zlc4bkNQRVBxK0QyNU1GZUQrQmw4d3NHYkNDelR3 -QmVGUWcKSGJ3MUZLNjZqbWUrc0l5aEpHYWNyY0p5SWpGcGxqMG4rd1BaaG8vQUlD -OAotPiAsOTV1LWdyZWFzZSAoU3tAUUIgIjx1IEpeIHkmXU8KNlpiUC9ZNVR0a2Uw -NHp5dC9oRUZQMWRPT2lMRHZXWUFMZjhVQW04NUlsNWd3YjRzc1h2bGQ1QmdEaDgK -LS0tIGk5dXBuV3hsOEUxUWtmbjFsTVNqUXdlaSthd0VBMFh1NkFYQ0hGZXhaOEEK -xLmozB0O+dnzu9y/M0BNrl+FrZlxFfZUTaGRpD4VhQF+xmA5JhRFDre0fflnBkZF +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyAxVEMw +KzViTWJzNEtlb3NiZ1F3Rk1ud2V5dU05VzZLWjVCcnpCNnI1eENZCmQvWE9OUU1M +c0xFVjMwUHZCMzJHMjZXYy8vR3g4VXNQUjd0SExGVzFTSm8KLT4gc3NoLWVkMjU1 +MTkgc2luZ3ZRIEk1YWFub1VHVkE0cWpVNG9mL0g4bk82cnFPM2NQaDI0cnAwdTZE +eUxiQzgKS3g3S2JOWnE3eVpweGEzczlHaFlSdG1jbTczOU51TjRoTG5KMExBMXdY +SQotPiAhLWdyZWFzZSBJfShjciQxIDpxayBiYyAiXk5FSzYKMlA5MEQ0VUo1UncK +LS0tIEMzaFpMRGo5cTBMczBOeUMrSlhMWS85WVQ3UDRSeXM5RlJWS1dWR2VhTXcK +a3qm9ASifZqqohCsRoGnW9ijFoy2bb1Myg/jaZBD1P9/2KQ4yHV92nap271Sq86R -----END AGE ENCRYPTED FILE----- diff --git a/services/postgresql/secrets/giteaDBPass.age b/services/postgresql/secrets/giteaDBPass.age index d11fcdc..b81b5ba 100644 --- a/services/postgresql/secrets/giteaDBPass.age +++ b/services/postgresql/secrets/giteaDBPass.age 
@@ -1,13 +1,13 @@ -----BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyB6K3RY -Qy9yU0ZkVG9mSGRvOFQ5aUozNHNGVUpMTGUvOGU4US9yeWExaWtnCnkyTDlXQUE4 -K01scktWMTJkWldUOTQzUUZNWHQrcHlNeElwVG1vL0hDQlUKLT4gc3NoLWVkMjU1 -MTkgc2luZ3ZRIE1qclVJYlQ3UHhXaE5ub3JWNDVUVTB4c0Y1c2NSSno2aDNkVCts -S054RzAKclljZkJoSUhtUXp2dng2eDJlUkphMXRFbXJQdUxPYm1OTUtMQkxZaWcz -OAotPiAmbi1ncmVhc2UgU2NUIHluCnp4TjhnVk01OWRVZUJVMnlPNmlzNWNJZk5J -OHpsTnpGLzA4eE0zNitKSWF5d05BcEhjU0xCd2lRMXpLVXB1TlgKLzB2VFMzcmJo -aThSMDQrU0JaSWNUMVZnOXRUNlhDVVoyVkRRTndUS1pnMUhhSTQwKzdXVFIwTFFi -NkdTYkZScQpaRHp6Ci0tLSBRVFlXSGpLYzd1QXNkRlJjdDFkejdyM1ZzelRIN05o -UkR4a3JTSWhIQlN3CtTJA3S9lKiHg1j+GiDIZtbLjWlnCQG6R8XbApPIWPPNm+wt -mtCq8RC9uHH+ +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyBhSllo +UjhSeHFNangxcWVlQVR4NGJxRXU0cDB2NjdyU1FTUmZZcmg4ZUZZCjNJVjB3UnB2 +dmhoRncrTTR1dURtbHVHeTByaWZwYTRha3dTWnZMRWdCVjAKLT4gc3NoLWVkMjU1 +MTkgc2luZ3ZRIERLL1l5R0VVWTRlMDNCYXpTb09zWWdhTmlLQTdIMVhPZXM0ZFdX +N3VpeE0KUE9rWFNJL2dpK2VGMkNucTZWZDVqcGt5NlVkOXJ3amhybmFQR3ZVVjNP +VQotPiAubyNQcXtpfC1ncmVhc2UgKyRRTFl8VkkgZEgKRWFjTDdzL1ordGg0czFQ +Q3NtWjdLK2tNVUhsaCtXZGxCRysxYjU1YTNDNDJnZHc2a0kyQVNGVjZOYndGYjBS +ZApNM1JJQmE2WXpXaEJGcnNCbVk5WnQrMHdrMEgzMGRqL21WSGUzWFM0WlREVVdO +T0Z4MUEKLS0tIGcxcVZWQWMzS0FlclNJYW9jSldoc3huUXl2eXVoQ1dzdVc5YVBa +aGRvcmsK9L6wCJ22CZeAuJQWW8t/i7M5ysRJJUjvzOAKvI+gO5G9hagP2t+qEK9e +hvE= -----END AGE ENCRYPTED FILE----- diff --git a/services/postgresql/secrets/grafanaDBPass.age b/services/postgresql/secrets/grafanaDBPass.age index 273e1b6..e6fc19a 100644 --- a/services/postgresql/secrets/grafanaDBPass.age +++ b/services/postgresql/secrets/grafanaDBPass.age 
@@ -1,11 +1,11 @@ -----BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyBneXc1 -enhZNFEwV0xNbWhqVTl0VlUvZ1E4V3RlZElDNEFTeUh5alFqdkg0CmxjV0d6QXJm -cXovM25wM1VHdG5wbVJhZytMUEpSU3VvYXUvaGpJTC9ocDgKLT4gc3NoLWVkMjU1 -MTkgc2luZ3ZRIDY2OGJGUENPckxrcnNKMFlWNC8yOGgwUDJUcDMyS1VnSC93dXpw -UWo0U1kKbnQ1TUlZc2RrbTRuRmVhVlNwUVpBMkc3Ukl1dXR1RzNKK3ovUnR6UWln -cwotPiBwSlU2ci1ncmVhc2UgPFRSdjkgKlAzUyBQYXhVN3MgQGwKMWdWOWYyRUFK -MC9ETEg0QgotLS0gZGtTdHVBbm9KeUxDYVUvQjlTb3Q5UllFb2F5YU5wUXhEc1Bs -RTJXaUI2RQoYkHT7kLqp50j9knk/D14UTvt0FJQO7NpmhISbCoeXQ+X9Y7td4P4J -s8VDQLEe +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyBPTW1I +Skp5c0oxTmk1VWRPM3ZuelNBblF2UkZOYWUvOGNXTGJPRGlISGxzCmhCVWlCSUZZ +UkR5RW5SWjN3SzlneXA5ZDJUL21LS2lXcndidmxnWUtpMlkKLT4gc3NoLWVkMjU1 +MTkgc2luZ3ZRIFN4MHplVDJZbEozMEtYZ3N2amZDdHpLTmpOUlhMNXUzMHZFSFRT +amhCMDgKMDUzc042UklCSUs4YUVTY2xjZUFaRlRBM09TTEhwQmNKQVA3YkgxZVly +OAotPiAraXswWVwlaS1ncmVhc2UgNGdhM30gZ0xHRE11KEYgM2pMPy8uTQptMWYy +T2JMVTB0b29lNHpqN0dPdXNMZEtwTWtOb1dxQ2Q0S1c4WFpLVExaczQrNjhVTEJH +Ci0tLSA2MjUwM1pqWTZWd3RndHd6N3krenYyUkM4aDd2WFVsQVllZEg3S09ZSFlF +CiDdh9xPzRx0vUkFn+5DHSXNOd3aF4DJHS2+Rc5bBvJsik+E9gBcBHN5eawHmJg= -----END AGE ENCRYPTED FILE----- diff --git a/services/postgresql/secrets/nextcloudDBPass.age b/services/postgresql/secrets/nextcloudDBPass.age index aab9aa5..e673de8 100644 --- a/services/postgresql/secrets/nextcloudDBPass.age +++ b/services/postgresql/secrets/nextcloudDBPass.age 
@@ -1,11 +1,12 @@ -----BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyA4Wm9k -YlJJbUswNjcrQkVHdk0wc0g0ampYb1Mvbzd4Rk5IVW9ZS0RSTlZrCjdjK3BhYjdV -cWQ1NUh3bi9ZakxOajIxbDRST0FwQ0R0c3BHY1BGNXY5UHcKLT4gc3NoLWVkMjU1 -MTkgc2luZ3ZRIGtDSlZkUm5DTEpPdXJsTCtQSHA2ejdtRU9WU3ZJdGtaRVdScUNj -TFg1VDAKcWs0S0s5REgreG5PZDZkM0lGQ0RBdDR3R2kwY2tmK1RmaWE0R2pJb05j -UQotPiA5OVMxUkVhXy1ncmVhc2UgK0xfdnUoOgpnbVFETkc1ZS81Kyt4U1NoOWJv -L1NVM1BzeGdQRDg0Ci0tLSA3VnpKZTRBbWN6NGMxWnNobHVEdDUyRTJORTlabXRH -UllITmVGVHlrSGlNCoMnkbrU86Cjj6jnsZjSPwKIzLpdyzxYBQDxoj9mv139Rdae -bFLdtG8sIabo6hNIxg== +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyBicitL +VnR4WFh6TGZkZnhpZEZ1MFZjditqeXFzSXFOUW9ienhjdHFsam1JCnkvY254cmZN +cTNYRDdtWUNHQkNmMzFCU1N1dllqQTdvTm4xamhvS2F6RjAKLT4gc3NoLWVkMjU1 +MTkgc2luZ3ZRIHhDcERwWkl5QXgzamdlNlgrOXlMWkpSb0JWSUtSTmwraHFTdEwy +U0Ixa2cKMS9zUVR1WDdDYlBic3RIbXd3d3JGVHlNVmVsRHY0elNWZ0o5aWVUazgw +ZwotPiAsSjwtZ3JlYXNlIF8xcCBKU3oKb1RoZnFyOENMWHQxSUlUS2xmN0RWQWxV +UXFlTFhmdVZRVXY0ekJYQmRBWWxJYWovcW1EQjRHSHloWnRqaTEwTQpnZDNmMktm +b2xWUFRFamtvTVRoYjJRYwotLS0gMlNvRC9nY1pTWWx1ZHlJMmE3ZkpQUGgrclAw +bERjMVhMa1RpVzZwUHA3TQrcYKrxC2Ij+0RmtDozhBTBh3Th8NehZ+FUSl3Okyol +XX4KB2lT5urYECGsan+HOKo= -----END AGE ENCRYPTED FILE----- diff --git a/services/postgresql/secrets/onlyofficeDBPass.age b/services/postgresql/secrets/onlyofficeDBPass.age index 7c6628d..7ea56d2 100644 --- a/services/postgresql/secrets/onlyofficeDBPass.age +++ b/services/postgresql/secrets/onlyofficeDBPass.age 
@@ -1,12 +1,11 @@ -----BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyBvWEZM -MTJGUzQ2a3Q2SE9QeE1hWUxDRmMvODhxRVFOQlcxaVYvZEFaNFRnCnZWME02QVlH -TU1lUUt4TnhabzBkNGJVS2pxaytPY0tic1NRR29Ka0k5em8KLT4gc3NoLWVkMjU1 -MTkgc2luZ3ZRIDAvTVFwR3VOWUVpZk5xUkJsZW9CMVhzYkd1ejhwUHhGejNQc1hG -eXVqbXcKM282Z3JlUS9yMURSa3lnaitpZ3NhMTVvamR4MGV2USttcmp1bDNEYXVP -bwotPiB7MHlWLWdyZWFzZSBqW2hxWm0/SSA2Klh8OyBOOiBtbFlTJjAKVkhZcFla -VVdsbnRlRUI1bzdNWEJUNjNEdWpZY3JBWlduQUxrRU4xdG1kWU8zSjExbUd6UlNG -clZYQTVMVkNFNAp5dlcwZmhxQTNKN1h0dUhUM1prCi0tLSB1UXlaQUd3b1JkM29K -bjFJTVpzUTk1MjZIbEhmTkVXYlNtN3k0OW50TTJBCoB7YGQ+R1yzNbS9ZiTcgoZk -LGeyAB/x+izkhu54XzrxpjQKeXAQftnHks6lzzqZ5w== +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyBuS0xp +Znc2ajhKemNNSFJpUDdvdFBVbW93SDFmaEpaRXBIck9PcXJxang4CnlzZzJ0MXdT +V2U4Ykl4aTlydGRaeHIxRmZkVHg0dWpnV1dtOS9WdXkxZXcKLT4gc3NoLWVkMjU1 +MTkgc2luZ3ZRIDJnS0xoWFAvTVJXdnJBSDc2dis4bWcrTEhmdmE0aEJJZzFZSm1z +akU0Z3cKMGZNcG5ZNWVrdWVWQjhWQXVIL1RtcExBcFhJUU9pa2ZaOGdqaFdWc1pL +YwotPiA3LWA2RXs7LWdyZWFzZSBESUoKd25SMDg0czBNcmRIb0JGVDRLdEZ5OGph +eDJRZjJodXgKLS0tIExLTDlPSE1Kd0lXMlo5YzhpeEI4K3BDUGtrem41cFdsYTVz +QjQ3OWdJVjQKEnu24xPsxg8m+TYOsFp02Rv1lm61lwFsPgVEvfq+siEm2bvJiCut +LQBgsEpiyzvv -----END AGE ENCRYPTED FILE----- diff --git a/systems/minimalLXCConfig.nix b/systems/minimalLXCConfig.nix index ef84f83..a2e426c 100644 --- a/systems/minimalLXCConfig.nix +++ b/systems/minimalLXCConfig.nix @@ -98,12 +98,6 @@ netcat-openbsd ]; }; - age.secrets = { - cs-lapi-key = { - file = ../secrets/cs-lapi-key.age; - owner = "crowdsec"; - }; - }; services = { openssh = { 
@@ -121,21 +115,6 @@ fail2ban = { enable = true; }; - crowdsec = { - enable = true; - package = pkgs.crowdsec; - autoUpdateService = false; - openFirewall = true; - settings = { - general = { - prometheus.listen_addr = "0.0.0.0"; - }; - lapi.credentialsFile = "${config.age.secrets.cs-lapi-key.path}"; - }; - hub.collections = [ - "crowdsecurity/linux" - ]; - }; rsyslogd = { enable = true; extraConfig = "*.*@192.168.1.27:514;RSYSLOG_SyslogProtocol23Format";