tbarnouin/nixos-hypervisor
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Compare commits

base: tbarnouin:e96f16f2fabc675059a65a9c1900e738532599ca
Branches Tags
tbarnouin:main
..
compare: tbarnouin:7e84f9861de803343d591be9a9138fb4854f48ce
Branches Tags
tbarnouin:main

No commits in common. "e96f16f2fabc675059a65a9c1900e738532599ca" and "7e84f9861de803343d591be9a9138fb4854f48ce" have entirely different histories.
e96f16f2fa ... 7e84f9861d

25 changed files with 576 additions and 705 deletions
Show stats Expand all files Collapse all files

78
flake.lock generated
View file

@ -61,27 +61,6 @@
"type": "github"
}
},
"crowdsec": {
"inputs": {
"flake-utils": "flake-utils_2",
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1742920128,
"narHash": "sha256-VPjnjtAksihLezhc+ZmnqGu18mHr4QVKa1kSZQ8rJL4=",
"ref": "refs/heads/main",
"rev": "40e937689d318ee85b1d9763189a65e6f0b4028d",
"revCount": 40,
"type": "git",
"url": "https://codeberg.org/kampka/nix-flake-crowdsec.git"
},
"original": {
"type": "git",
"url": "https://codeberg.org/kampka/nix-flake-crowdsec.git"
}
},
"darwin": {
"inputs": {
"nixpkgs": [
@ -136,8 +115,9 @@
"type": "github"
},
"original": {
"id": "flake-utils",
"type": "indirect"
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"home-manager": {
@ -169,11 +149,11 @@
]
},
"locked": {
"lastModified": 1743387206,
"narHash": "sha256-24N3NAuZZbYqZ39NgToZgHUw6M7xHrtrAm18kv0+2Wo=",
"lastModified": 1739757849,
"narHash": "sha256-Gs076ot1YuAAsYVcyidLKUMIc4ooOaRGO0PqTY7sBzA=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "15c5f9d04fabd176f30286c8f52bbdb2c853a146",
"rev": "9d3d080aec2a35e05a15cedd281c2384767c2cfe",
"type": "github"
},
"original": {
@ -183,6 +163,28 @@
"type": "github"
}
},
"microvm": {
"inputs": {
"flake-utils": "flake-utils_2",
"nixpkgs": [
"nixpkgs"
],
"spectrum": "spectrum"
},
"locked": {
"lastModified": 1741275356,
"narHash": "sha256-VMeqnLv2O6Lg3/pka1tUzzbOjSmEb6RQOp9OuJRcx0A=",
"owner": "astro",
"repo": "microvm.nix",
"rev": "5e1b3dba5b52405dab79412392b9c799d49bd8c0",
"type": "github"
},
"original": {
"owner": "astro",
"repo": "microvm.nix",
"type": "github"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1741379970,
@ -201,11 +203,11 @@
},
"nixpkgs_2": {
"locked": {
"lastModified": 1743576891,
"narHash": "sha256-vXiKURtntURybE6FMNFAVpRPr8+e8KoLPrYs9TGuAKc=",
"lastModified": 1741600792,
"narHash": "sha256-yfDy6chHcM7pXpMF4wycuuV+ILSTG486Z/vLx/Bdi6Y=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "44a69ed688786e98a101f02b712c313f1ade37ab",
"rev": "ebe2788eafd539477f83775ef93c3c7e244421d3",
"type": "github"
},
"original": {
@ -218,8 +220,8 @@
"root": {
"inputs": {
"agenix": "agenix",
"crowdsec": "crowdsec",
"home-manager": "home-manager_2",
"microvm": "microvm",
"nixpkgs": "nixpkgs_2"
}
},
@ -244,6 +246,22 @@
"type": "github"
}
},
"spectrum": {
"flake": false,
"locked": {
"lastModified": 1733308308,
"narHash": "sha256-+RcbMAjSxV1wW5UpS9abIG1lFZC8bITPiFIKNnE7RLs=",
"ref": "refs/heads/main",
"rev": "80c9e9830d460c944c8f730065f18bb733bc7ee2",
"revCount": 792,
"type": "git",
"url": "https://spectrum-os.org/git/spectrum"
},
"original": {
"type": "git",
"url": "https://spectrum-os.org/git/spectrum"
}
},
"systems": {
"locked": {
"lastModified": 1681028828,

148
flake.nix
View file

@ -7,8 +7,8 @@
url = "github:nix-community/home-manager/release-24.11";
inputs.nixpkgs.follows = "nixpkgs";
};
crowdsec = {
url = "git+https://codeberg.org/kampka/nix-flake-crowdsec.git";
microvm = {
url = "github:astro/microvm.nix";
inputs.nixpkgs.follows = "nixpkgs";
};
agenix.url = "github:yaxitech/ragenix";
@ -18,48 +18,69 @@
self,
nixpkgs,
home-manager,
microvm,
agenix,
crowdsec,
...
}: let
system = "x86_64-linux";
username = "tbarnouin";
proxy_host = "192.168.1.40";
pgsql_host = "192.168.1.13";
pkgs = import nixpkgs {inherit system;};
in {
nixosConfigurations = {
nginx = nixpkgs.lib.nixosSystem {
nixmox-curiosity = nixpkgs.lib.nixosSystem {
inherit system;
modules = [
agenix.nixosModules.default
./hosts/nixmox-curiosity/configuration.nix
{
networking.hostName = "nixmox-curiosity";
}
home-manager.nixosModules.home-manager
{
home-manager.useGlobalPkgs = true;
home-manager.useUserPackages = true;
home-manager.users.${username} = import ./hosts/nixmox-curiosity/home.nix;
}
microvm.nixosModules.host
{
microvm = {
autostart = [];
vms = {};
};
}
];
specialArgs = {
inherit inputs;
inherit username;
inherit proxy_host;
inherit pgsql_host;
inherit system;
};
};
nginx = nixpkgs.lib.nixosSystem {
inherit system;
specialArgs = { inherit inputs; };
modules = [
agenix.nixosModules.default
crowdsec.nixosModules.crowdsec-firewall-bouncer
"${inputs.nixpkgs}/nixos/modules/virtualisation/proxmox-lxc.nix"
"${inputs.self}/systems/minimalLXCConfig.nix"
"${inputs.self}/services"
"${inputs.self}/modules"
{
networking.hostName = "nginx";
services = {
vm_nginx = {
enable = true;
proxy_ip = proxy_host;
};
services.vm_nginx = {
enable = true;
};
}
];
};
pgsql = nixpkgs.lib.nixosSystem {
inherit system;
specialArgs = { inherit inputs; };
modules = [
agenix.nixosModules.default
crowdsec.nixosModules.crowdsec-firewall-bouncer
"${inputs.nixpkgs}/nixos/modules/virtualisation/proxmox-lxc.nix"
"${inputs.self}/systems/minimalLXCConfig.nix"
"${inputs.self}/services"
"${inputs.self}/modules"
{
networking.hostName = "pgsql";
services.vm_postgresql = {
@ -68,16 +89,44 @@
}
];
};
forgejo = nixpkgs.lib.nixosSystem {
onlyoffice = nixpkgs.lib.nixosSystem {
inherit system;
modules = [
agenix.nixosModules.default
"${inputs.nixpkgs}/nixos/modules/virtualisation/proxmox-lxc.nix"
"${inputs.self}/systems/minimalLXCConfig.nix"
"${inputs.self}/services"
{
networking.hostName = "onlyoffice";
services.vm_onlyoffice = {
enable = true;
pgsql_ip = pgsql_host;
};
}
];
};
collabora = nixpkgs.lib.nixosSystem {
inherit system;
modules = [
agenix.nixosModules.default
"${inputs.nixpkgs}/nixos/modules/virtualisation/proxmox-lxc.nix"
"${inputs.self}/systems/minimalLXCConfig.nix"
"${inputs.self}/services"
{
networking.hostName = "collabora";
services.vm_collabora = {
enable = true;
};
}
];
};
forgejo = nixpkgs.lib.nixosSystem {
inherit system;
specialArgs = { inherit inputs; };
modules = [
agenix.nixosModules.default
crowdsec.nixosModules.crowdsec-firewall-bouncer
"${inputs.nixpkgs}/nixos/modules/virtualisation/proxmox-lxc.nix"
"${inputs.self}/systems/minimalLXCConfig.nix"
"${inputs.self}/services"
"${inputs.self}/modules"
{
networking.hostName = "forgejo";
services.vm_forgejo = {
@ -87,29 +136,23 @@
}
];
};
template = nixpkgs.lib.nixosSystem {
inherit system;
specialArgs = { inherit inputs; };
modules = [
agenix.nixosModules.default
crowdsec.nixosModules.crowdsec-firewall-bouncer
"${inputs.nixpkgs}/nixos/modules/virtualisation/proxmox-image.nix"
"${inputs.self}/systems/minimalVMConfig.nix"
{
networking.hostName = "nixos";
}
];
};
# template = nixpkgs.lib.nixosSystem {
# inherit system;
# modules = [
# agenix.nixosModules.default
# "${inputs.self}/systems/minimalVMConfig.nix"
# {
# networking.hostName = "nixos";
# }
# ];
# };
jellyfin = nixpkgs.lib.nixosSystem {
inherit system;
specialArgs = { inherit inputs; };
modules = [
agenix.nixosModules.default
crowdsec.nixosModules.crowdsec-firewall-bouncer
"${inputs.nixpkgs}/nixos/modules/virtualisation/proxmox-image.nix"
microvm.nixosModules.microvm
"${inputs.self}/systems/minimalVMConfig.nix"
"${inputs.self}/services"
"${inputs.self}/modules"
{
services.vm_jellyfin = {
enable = true;
@ -119,14 +162,11 @@
};
redis = nixpkgs.lib.nixosSystem {
inherit system;
specialArgs = { inherit inputs; };
modules = [
agenix.nixosModules.default
crowdsec.nixosModules.crowdsec-firewall-bouncer
"${inputs.nixpkgs}/nixos/modules/virtualisation/proxmox-lxc.nix"
"${inputs.self}/systems/minimalLXCConfig.nix"
"${inputs.self}/services"
"${inputs.self}/modules"
{
networking.hostName = "redis";
services.vm_redis = {
@ -137,14 +177,11 @@
};
grafana-lxc = nixpkgs.lib.nixosSystem {
inherit system;
specialArgs = { inherit inputs; };
modules = [
agenix.nixosModules.default
crowdsec.nixosModules.crowdsec-firewall-bouncer
"${inputs.nixpkgs}/nixos/modules/virtualisation/proxmox-lxc.nix"
"${inputs.self}/systems/minimalLXCConfig.nix"
"${inputs.self}/services"
"${inputs.self}/modules"
{
services.vm_grafana = {
enable = true;
@ -155,6 +192,31 @@
}
];
};
grafana = nixpkgs.lib.nixosSystem {
inherit system;
modules = [
agenix.nixosModules.default
microvm.nixosModules.microvm
"${inputs.self}/systems/minimalMicrovmConfig.nix"
"${inputs.self}/services"
{
services.vm_grafana = {
enable = true;
vm_ip = "192.168.1.27";
proxy_ip = proxy_host;
pgsql_ip = pgsql_host;
};
services.micro_vm = {
enable = true;
hostname = "grafana";
vm_ip = "192.168.1.20";
vm_cpu = 1;
vm_mem = 512;
macAddr = "02:00:00:00:00:20";
};
}
];
};
};
};
}

16
modules/crowdsec.nix
View file

@ -602,14 +602,14 @@ in
console_path = mkDefault consoleFile;
profiles_path = mkDefault localProfilesFile;
#online_client = mkDefault {
# sharing = mkDefault true;
# pull = mkDefault {
# community = mkDefault true;
# blocklists = mkDefault true;
# };
# credentials_path = cfg.settings.capi.credentialsFile;
#};
online_client = mkDefault {
sharing = mkDefault true;
pull = mkDefault {
community = mkDefault true;
blocklists = mkDefault true;
};
credentials_path = cfg.settings.capi.credentialsFile;
};
};
};
prometheus = {

5
modules/default.nix
View file

@ -1,5 +0,0 @@
{inputs, ...}: {
imports = [
./crowdsec.nix
];
}

28
packages/cs-firewall-bouncer/default.nix
View file

@ -1,28 +0,0 @@
{
lib,
buildGoModule,
fetchFromGitHub,
}:
buildGoModule rec {
pname = "cs-firewall-bouncer";
version = "0.0.31";
src = fetchFromGitHub {
owner = "crowdsecurity";
repo = pname;
rev = "v${version}";
hash = "sha256-59MWll8v00CF4WA53gjHZSTFc8hpYaHENg9O7LgTCrA=";
};
vendorHash = "sha256-7Jxvg8UEjUxnIz1llvXyI2AefJ31OVdNzhWD/C8wU/Y=";
meta = with lib; {
homepage = "https://crowdsec.net/";
changelog = "https://github.com/crowdsecurity/${pname}/releases/tag/v${version}";
description = "Crowdsec bouncer for firewalls.";
longDescription = ''
crowdsec-firewall-bouncer will fetch new and old decisions from a CrowdSec API to add them in a blocklist used by supported firewalls.
'';
license = licenses.mit;
};
}

23
secrets/cs-lapi-key.age
View file

@ -1,23 +0,0 @@
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyBLZUNM
VWJ2TVRoSVp0amJaQmhpZGdKRXpHc0ErM1BoRlhNODJGa3VDWG1ZCnVycGRWQnhP
SU14VUpRanNUc1lzT3dXak5tMGVROVJOVXFaNjh1MUZjcFUKLT4gc3NoLWVkMjU1
MTkgd25FVXB3IE16anVFaFFGRmlZVkY5SDlyWW1nckxoZUd3Z1YvdStEOGNXdS9O
WkNlUVkKZHYrZ05QeGc5bS9UWFRLellPQnptem5TQ21NY0NXUFVJSkY0RHdsdHNy
UQotPiBzc2gtZWQyNTUxOSBubUtTK0EgRkk2MWU5b0lPMEFlTXNRWWNWaTFaS0NL
RkN4eitLbnp2OTRlOHFvVVRDdwozR2p4SEJoNndobTBQeWRLYy9ONGxXcEZTZU5L
bW1remcyUDRqRDBGdDhjCi0+IHNzaC1lZDI1NTE5IHNpbmd2USBBQXk0b1BCTkgz
VG1CbDB6QVBreXFIQS9wRG9nYUUxWnF4YzhGM1NFTTFJCk55UkF6NWdPeVUvL3ZC
anFSdTFFaGJQQjJtQ0l1ZEpUQmZkS3BVc1c5aUkKLT4gc3NoLWVkMjU1MTkgeHFt
eWpBIDMvOGJZV1o1aE5jYWdVUDhRR3BZd2pxY1FvQVJUS1JTZktrbThjS3BRMkEK
R2dXcHN6MVk0UGlNZERRbHpiWFBuVkw2KzJwejJCV1FSbG5JTVg4WnVRNAotPiBz
c2gtZWQyNTUxOSBtdTBmbkEgaU8zcGVhK1BrUWplcVJIRGh1R0N5U1VGZTA5Tlpj
R2g4RWhBYnBNQVltNAp1Lzc1WlpSWjc1RGdCenVEQ2x2cTZtY3ZwTnFuVkR2RjRI
d0xYM25MSGFnCi0+IDdYSyV+QT5OLWdyZWFzZSBDJCdsIGxaZnsKMXZFY0x4Q0hT
QVNXd1RHWFpJZml0ZzBsbHhNWmNORVZjUWxmQ2ltZGxFUm1WdmVsMENSMDFmRGJ5
dVpsUDlGSwprSTA1Q0JSczloNjFuT3B2Ci0tLSBEWGFMYTU1aTJvdE53dk1qRlpu
Y2tOVDVUcDRIaG52bmhMa2N5Z0xNWUI0Cjy/5eYpl5iwNd2YwC0o1lO2eTr2ggPs
Xq2JxNg5IbFYkBqMiw68yEtMmQf243rvGn8h9jQxL1VnSi+wpueZqxgczICzcqGn
OPOa08liEIvA+UtU4+z11c2fIiZ/BdfzF/s0wzB9uEChpOHSOf0SX8hrwlkq6fIr
w4z9OXceDiUQ5ITlBCl+Kaeb
-----END AGE ENCRYPTED FILE-----

35
secrets/initialPassword.age
View file

@ -1,21 +1,18 @@
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyA1QzZE
cHhwUnk5dm8xU29CNlhlU1JsV0tYaDVHV3g2MzI1dnZsVUxVODNNCjFwanh0aUhT
c016dUpONndPL0pRVUtBY2dNZCtYMk1Va2hoaUpsL3I4cjAKLT4gc3NoLWVkMjU1
MTkgd25FVXB3IFhIVExqYlhTTWt1Q2l5T0RFRWdPN3dRdXVrbjNZTFFXV3pVZ0p5
TldNU0kKZXdpZ3I1MEk1VzVsNXBuMmlZZjl6YmVKTmNwMDU2VFVSYUhMeURJSjh1
NAotPiBzc2gtZWQyNTUxOSBubUtTK0EgSVpFeUpySkdsTldpamFqdGJaV3d3ZmU3
S1VvU3JkTzAyZk5vRXMranIxSQpQYTFRcmlYWFFldFJKelNEVU0rQU5zNDN6bjVq
ZkxBL0E1UTNVVC9DK1hrCi0+IHNzaC1lZDI1NTE5IHNpbmd2USBsVWhhdUVxUnBB
Nzk0OEJrY1V4UkpMNlVvWG95Z0hlSDNIaWQzNjNReXl3Cm1RdlJxRzBNaTQvUmlP
V0hhZXNhVUJrRklNc3U4dURsYkpjdHErNUljTUkKLT4gc3NoLWVkMjU1MTkgeHFt
eWpBIDVKdjA5S0Z5cU5OeTMzL2crN2c4bW9VQm12SUJiMGZ2ZUI0bFB6emNyM2sK
T2o4UUJBYTNzNlp2L0IwSE9yZVJQWnJJdVh4Q0c0ZlcvMSswOHJJM1VzZwotPiBz
c2gtZWQyNTUxOSBtdTBmbkEgellndXoxbmRyV2YrLzZNTnBTeHF6Q2RhQnE4R0NB
L0VSOGVLaDRzYlcyNAplbnNtb1JzN2hUOThQT1ZFcHNvNUlJeVZnT1dudjI1RDdC
T0hSakZ5Qk1nCi0+ID40MHUtZ3JlYXNlIHcjSCwgQApBWERhZXJKbEFsN0NUdjRp
M3RJbWtUV1dSZVBNQWtTbFIrZEhHZmRpVW9TckR5U0RVeDZvSWZDN0o4VTY5T3Ew
CjlORWpkOUhVdkFYTWpSNUdoVHA5VVAyK1dSYlc3RnhKSmcKLS0tIGlqcnAxK1da
QkFqdG0zOVgvWmhmUVNacVZnaUliSUpEeEN2U3Q1cXZHV3cK/UjHuI4IFTOckk9c
KvePereu3ontxUGl393gcI9x1Eacg0b9HZEfwnDKT4dIX2vGXx2aMLo=
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyBkcDhX
WHFGRlJFUll0TFlEVzBiUmkxd3duVHFEdFU0K3hta2JGZzdENzJrCnNBcVRtUkkz
NFFoamExVjNhOXh0UjBJS3p0WmtBOWFGZTNkTTdlMm9aMWsKLT4gc3NoLWVkMjU1
MTkgd25FVXB3IGpKemJpTGJlMU0zU0hPaFpVd2pZcGFlNUhYTHdxS1NlemlwaWY0
UFRBMDAKbm9CSlpxZE1JNnNsZHdtL0R6U2Q3STVLbGQxd1F1ZzY1VkNXeWlSQk55
TQotPiBzc2gtZWQyNTUxOSBubUtTK0EgUzMyMGJXczlic2NUOUl1d1N6MGhxZlZ6
UXlPNEVMYk1zR3UxZkozcXVTbwpyd1UyK0dGSWhIcXpPTk5TU2ZRTjFadGRXRVlY
OG9tbVhvZzNLcjlQL3FZCi0+IHNzaC1lZDI1NTE5IHNpbmd2USA4a0JFRmlBQjV4
VTNhbCtMVUE2YzFwTTFwT09HT240RHRGUFdsUFNsN25nCi9zdllEcHRudmFRTC84
c2QrbjR6eThUdW0zclBFdzVXRTRPU0R1YzlTb2cKLT4gc3NoLWVkMjU1MTkgeHFt
eWpBIGR5ZlljUVZSZHFFZThIcHJJc1J1R2o3eGpyQ3A5T1Q2ODRyTFFqN0JyU0EK
TFBpdTVjdTQzUmdRUUVkZDVOSlh4KzM1T1FDUXhaMVAwM2t1ZHFhdmhHVQotPiA9
LWdyZWFzZSBlc2h8UitCIHsyIC41KS4gX1JBdnwKdUpQSm1tdXQwUFZPb0FMNENj
TFZRM3o0Wk1lN3RobHpxZUVnZHFiT2hWcmoKLS0tIDV0d3NTWUZFNHFpQTJqNGh4
UFdtVGJ2ZFFBMkVpaDdKN0hFcC9tSGwrWTAKSJMImvBdD1SGCFOYFpEqj0xcohO4
9Eb1cfj6OeUsC5GMsXXJ78/XSjYtCu1wtWBml3HeQzg=
-----END AGE ENCRYPTED FILE-----

7
secrets.nix → secrets/secrets.nix
View file

@ -6,9 +6,8 @@ let
onlyoffice = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAEHTFFQoi8PtzkdTEeA5lGELFS01J51GLLjrnySJM7R root@onlyoffice";
postgresql = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJW7qA7j1sICuu1RAfs9ifR9dmOlHq45tKu1ga7CKaob root@pgsql";
forgejo = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILMf3Cc/S0p/LFcW+RLMEqpxOOv8q/HrKO4I9joHmRxl root@forgejo";
nginx = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKX2wkS9bpMy1+ITPtQclRkthOwksWBZOLa3bT9oLAe1 root@nixos-nginx";
systems = [grafana onlyoffice postgresql forgejo nginx];
systems = [grafana onlyoffice postgresql forgejo];
in {
"secrets/initialPassword.age".publicKeys = users ++ systems;
@ -26,8 +25,4 @@ in {
"services/postgresql/secrets/authentikDBPass.age".publicKeys = [tbarnouin postgresql];
"services/postgresql/secrets/grafanaDBPass.age".publicKeys = [tbarnouin postgresql];
"services/postgresql/secrets/onlyofficeDBPass.age".publicKeys = [tbarnouin postgresql];
"services/nginx/secrets/cs-lapi-key.age".publicKeys = [tbarnouin nginx];
"services/minimalConfig/secrets/cs-lapi-key.age".publicKeys = users ++ systems;
"secrets/cs-lapi-key.age".publicKeys = users ++ systems;
}

20
services/forgejo/secrets/forgejoDBPass.age
View file

@ -1,12 +1,12 @@
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyB2R1B1
TXQzcHZLOVpqeXU4dE4rdks5S0tRVjlpVGF0K0w4U2hsRlBJU1VrCnNmSGdNNmxt
TlRhbzdWSzlnbDk4dTZPSitpT1NoU2cwWWlmd3FSSGdmek0KLT4gc3NoLWVkMjU1
MTkgeHFteWpBIDZjZU5uWWlHME1OVFAzV1QvVjdaS1I2UjNyaTFYS090TUJUaWQx
TGJZUm8KdlVNM1dKQzdKcTEwZHRvWWQvVTVXT1huYkZqalF5cWZ5dkNCU2Q2YUp4
SQotPiB7VD9eMCwiXC1ncmVhc2UgIkhYIENabi1iYTogOUoKaEo2N0QvZUVzTGY0
eEhyTFp6QWNCQ3YxcmtacXJqZnpRYnhjRmdZdGl1ckNNSGxxU01HcDdWZ255QXFX
M3YrZgpDVVVWbjlmQmY1Zk9mTXZIZ3ZTTG9aaUExZwotLS0gb3A5RUpiYkVxVzRW
Tm1NMkJjMW5yQ2x3MzhvQWNGbXhyVEFEN1BJUS94OAqqLC4vCYHEG5CWZjtEdAu8
ekrBlJWaVOdA1nV2rCOciHc+p0/QI74zmzQ1eA==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyBibzZy
TVF2MnoyblpvVmJtNEsvQnR1Y1YxMkNPakpUWmNUdzcyY283MFM0CnpkaDkxcFp5
VGc1aWZFUkF0bTZMU2tHV05ZYk1JSnpPWmpzbXhHNFlQNUEKLT4gc3NoLWVkMjU1
MTkgeHFteWpBIG82LzhFd2JsaVpHZVA5cFE2ekwwTU9JZ3hoc3ZoWDliUHdmK3R1
V293VUEKSWpUYk9iQkpXSXNKcnhQSVJJbkR6RXdnK0lIWUdJbHZWUm9Fc1ZpZ1hq
RQotPiBiQnZNWy4tZ3JlYXNlIDMmID00QyMuV2ggQQpGRk1TT3FhVFBldWpvRXpr
Sk81d0RIYi9obUQ0cUxraXBDYmJaSWlKVDFPVWVHSVQ0dlNySjZLNG1HRktaNGVN
CndEaHNNdVdqVFEKLS0tIG8rdEJ1VXpxRnJLUGkxblRwaXBJUVBLaGNrWXM0TkJH
REYveDhLTmFyZUEK4ptpcutNLxsjRtwUIq95en3faY2H6GuLjtmDKP3Cp+gdOL31
D0wzCw14zDU=
-----END AGE ENCRYPTED FILE-----

574
services/grafana/default.nix
View file

@ -33,317 +33,291 @@ in {
};
kuma-token.file = ./secrets/kuma-token.age;
};
services = {
crowdsec = {
hub.collections = [
"LePresidente/grafana"
];
localConfig = {
acquisitions = [
services.rsyslogd = {
enable = true;
extraConfig = ''
ruleset(name="remote"){
action(type="omfwd" Target="localhost" Port="1514" Protocol="tcp" Template="RSYSLOG_SyslogProtocol23Format" TCP_Framing="octet-counted")
}
module(load="imudp")
input(type="imudp" port="514" ruleset="remote")
module(load="imtcp")
input(type="imtcp" port="514" ruleset="remote")
'';
};
services.influxdb2 = {
enable = true;
};
services.grafana = {
enable = true;
settings = {
server = {
protocol = "http";
http_addr = "${cfg.vm_ip}";
http_port = 3000;
domain = "logs.le43.eu";
root_url = "https://logs.le43.eu";
serve_from_sub_path = false;
};
database = {
type = "postgres";
host = "${cfg.pgsql_ip}:5432";
name = "grafana";
user = "grafana";
password = "\$__file{${config.age.secrets.grafana-db.path}}";
};
"auth.generic_oauth" = {
enabled = "true";
name = "authentik";
allow_sign_up = "true";
client_id = "9HV82G8F92Jcbw4nP8eppMcPpLcAw5uYpejfReLy";
client_secret = "\$__file{${config.age.secrets.grafana-oauth_secret.path}}";
scopes = "openid email profile";
auth_url = "https://authentik.le43.eu/application/o/authorize/";
token_url = "https://authentik.le43.eu/application/o/token/";
api_url = "https://authentik.le43.eu/application/o/userinfo/";
role_attribute_path = "contains(groups, 'admin') && 'Admin' || contains(groups, 'admin') && 'Editor' || 'Viewer';role_attribute_strict = false";
allow_assign_grafana_admin = "true";
};
};
};
services.prometheus = {
enable = true;
port = 9001;
scrapeConfigs = [
{
job_name = "kuma";
scrape_interval = "30s";
scheme = "http";
static_configs = [
{
source = "journalctl";
journalctl_filter = [ "_SYSTEMD_UNIT=grafana.service" ];
labels = {
type = "syslog";
};
targets = ["192.168.1.90:3001"];
}
];
};
};
rsyslogd = {
enable = true;
extraConfig = ''
ruleset(name="remote"){
action(type="omfwd" Target="localhost" Port="1514" Protocol="tcp" Template="RSYSLOG_SyslogProtocol23Format" TCP_Framing="octet-counted")
}
module(load="imudp")
input(type="imudp" port="514" ruleset="remote")
module(load="imtcp")
input(type="imtcp" port="514" ruleset="remote")
'';
};
influxdb2 = {
enable = true;
};
grafana = {
enable = true;
settings = {
server = {
protocol = "http";
http_addr = "${cfg.vm_ip}";
http_port = 3000;
domain = "logs.le43.eu";
root_url = "https://logs.le43.eu";
serve_from_sub_path = false;
};
database = {
type = "postgres";
host = "${cfg.pgsql_ip}:5432";
name = "grafana";
user = "grafana";
password = "\$__file{${config.age.secrets.grafana-db.path}}";
};
"auth.generic_oauth" = {
enabled = "true";
name = "authentik";
allow_sign_up = "true";
client_id = "9HV82G8F92Jcbw4nP8eppMcPpLcAw5uYpejfReLy";
client_secret = "\$__file{${config.age.secrets.grafana-oauth_secret.path}}";
scopes = "openid email profile";
auth_url = "https://authentik.le43.eu/application/o/authorize/";
token_url = "https://authentik.le43.eu/application/o/token/";
api_url = "https://authentik.le43.eu/application/o/userinfo/";
role_attribute_path = "contains(groups, 'admin') && 'Admin' || contains(groups, 'admin') && 'Editor' || 'Viewer';role_attribute_strict = false";
allow_assign_grafana_admin = "true";
};
};
};
prometheus = {
enable = true;
port = 9001;
scrapeConfigs = [
{
job_name = "kuma";
scrape_interval = "30s";
scheme = "http";
static_configs = [
{
targets = ["192.168.1.90:3001"];
}
];
basic_auth.username = "tbarnouin";
basic_auth.password_file = config.age.secrets.kuma-token.path;
}
{
job_name = "grafana";
static_configs = [
{
targets = ["127.0.0.1:9002"];
}
];
}
{
job_name = "opportunity";
static_configs = [
{
targets = ["192.168.1.125:9100"];
}
];
}
{
job_name = "crowdsec_authentik";
static_configs = [
{
targets = ["192.168.1.125:6060"];
}
];
}
{
job_name = "nginx";
static_configs = [
{
targets = ["${cfg.proxy_ip}:9002"];
}
];
}
{
job_name = "crowdsec_nginx";
static_configs = [
{
targets = ["${cfg.proxy_ip}:6060"];
}
];
}
{
job_name = "redis";
static_configs = [
{
targets = ["192.168.1.16:9002"];
}
];
}
{
job_name = "ingenuity";
static_configs = [
{
targets = ["192.168.1.90:9100"];
}
];
}
{
job_name = "gitea";
static_configs = [
{
targets = ["192.168.1.14:9002"];
}
];
}
{
job_name = "postgresql";
static_configs = [
{
targets = ["192.168.1.13:9002"];
}
];
}
{
job_name = "nextcloud";
static_configs = [
{
targets = ["192.168.1.45:9100"];
}
];
}
{
job_name = "crowdsec_nextcloud";
static_configs = [
{
targets = ["192.168.1.45:6060"];
}
];
}
{
job_name = "jellyfin";
static_configs = [
{
targets = ["192.168.1.42:9100"];
}
];
}
{
job_name = "crowdsec_jellyfin";
static_configs = [
{
targets = ["192.168.1.42:6060"];
}
];
}
];
};
loki = {
enable = true;
configuration = {
server.http_listen_port = 3100;
server.grpc_listen_port = 9096;
auth_enabled = false;
ingester = {
lifecycler = {
address = "192.168.1.27";
ring = {
kvstore = {
store = "inmemory";
};
replication_factor = 1;
};
};
chunk_idle_period = "1h";
max_chunk_age = "1h";
chunk_target_size = 999999;
chunk_retain_period = "30s";
};
schema_config = {
configs = [
{
from = "2022-06-06";
store = "boltdb-shipper";
object_store = "filesystem";
schema = "v13";
index = {
prefix = "index_";
period = "24h";
};
}
];
};
storage_config = {
boltdb_shipper = {
active_index_directory = "/var/lib/loki/boltdb-shipper-active";
cache_location = "/var/lib/loki/boltdb-shipper-cache";
cache_ttl = "24h";
};
filesystem = {
directory = "/var/lib/loki/chunks";
};
};
limits_config = {
reject_old_samples = true;
reject_old_samples_max_age = "168h";
allow_structured_metadata = false;
};
table_manager = {
retention_deletes_enabled = false;
retention_period = "0s";
};
compactor = {
working_directory = "/var/lib/loki";
compactor_ring = {
basic_auth.username = "tbarnouin";
basic_auth.password_file = config.age.secrets.kuma-token.path;
}
{
job_name = "grafana";
static_configs = [
{
targets = ["127.0.0.1:9002"];
}
];
}
{
job_name = "opportunity";
static_configs = [
{
targets = ["192.168.1.125:9100"];
}
];
}
{
job_name = "nginx";
static_configs = [
{
targets = ["${cfg.proxy_ip}:9002"];
}
];
}
{
job_name = "redis";
static_configs = [
{
targets = ["192.168.1.16:9002"];
}
];
}
{
job_name = "ingenuity";
static_configs = [
{
targets = ["192.168.1.90:9100"];
}
];
}
{
job_name = "gitea";
static_configs = [
{
targets = ["192.168.1.14:9100"];
}
];
}
{
job_name = "postgresql";
static_configs = [
{
targets = ["192.168.1.13:9100"];
}
];
}
{
job_name = "nextcloud";
static_configs = [
{
targets = ["192.168.1.45:9100"];
}
];
}
{
job_name = "crowdsec_nextcloud";
static_configs = [
{
targets = ["192.168.1.45:6060"];
}
];
}
{
job_name = "deluge";
static_configs = [
{
targets = ["192.168.1.18:9100"];
}
];
}
{
job_name = "jellyfin";
static_configs = [
{
targets = ["192.168.1.42:9100"];
}
];
}
{
job_name = "crowdsec_jellyfin";
static_configs = [
{
targets = ["192.168.1.42:6060"];
}
];
}
];
};
services.loki = {
enable = true;
configuration = {
server.http_listen_port = 3100;
server.grpc_listen_port = 9096;
auth_enabled = false;
ingester = {
lifecycler = {
address = "127.0.0.1";
ring = {
kvstore = {
store = "inmemory";
};
replication_factor = 1;
};
};
chunk_idle_period = "1h";
max_chunk_age = "1h";
chunk_target_size = 999999;
chunk_retain_period = "30s";
};
schema_config = {
configs = [
{
from = "2022-06-06";
store = "boltdb-shipper";
object_store = "filesystem";
schema = "v13";
index = {
prefix = "index_";
period = "24h";
};
}
];
};
storage_config = {
boltdb_shipper = {
active_index_directory = "/var/lib/loki/boltdb-shipper-active";
cache_location = "/var/lib/loki/boltdb-shipper-cache";
cache_ttl = "24h";
};
filesystem = {
directory = "/var/lib/loki/chunks";
};
};
limits_config = {
reject_old_samples = true;
reject_old_samples_max_age = "168h";
allow_structured_metadata = false;
};
table_manager = {
retention_deletes_enabled = false;
retention_period = "0s";
};
compactor = {
working_directory = "/var/lib/loki";
compactor_ring = {
kvstore = {
store = "inmemory";
};
};
};
};
promtail = {
enable = true;
configuration = {
server = {
http_listen_port = 3101;
grpc_listen_port = 9095;
};
positions = {
filename = "/tmp/positions.yaml";
};
clients = [
{
url = "http://127.0.0.1:3100/loki/api/v1/push";
}
];
scrape_configs = [
{
job_name = "syslog";
syslog = {
listen_address = "0.0.0.0:1514";
listen_protocol = "tcp";
idle_timeout = "60s";
labels = {
job = "syslog";
};
};
relabel_configs = [
{
source_labels = ["__syslog_message_hostname"];
target_label = "host";
}
{
source_labels = ["__syslog_message_hostname"];
target_label = "hostname";
}
{
source_labels = ["__syslog_message_severity"];
target_label = "level";
}
{
source_labels = ["__syslog_message_app_name"];
target_label = "application";
}
{
source_labels = ["__syslog_message_facility"];
target_label = "facility";
}
{
source_labels = ["__syslog_connection_hostname"];
target_label = "connection_hostname";
}
];
}
];
};
services.promtail = {
enable = true;
configuration = {
server = {
http_listen_port = 3101;
grpc_listen_port = 9095;
};
positions = {
filename = "/tmp/positions.yaml";
};
clients = [
{
url = "http://127.0.0.1:3100/loki/api/v1/push";
}
];
scrape_configs = [
{
job_name = "syslog";
syslog = {
listen_address = "0.0.0.0:1514";
listen_protocol = "tcp";
idle_timeout = "60s";
labels = {
job = "syslog";
};
};
relabel_configs = [
{
source_labels = ["__syslog_message_hostname"];
target_label = "host";
}
{
source_labels = ["__syslog_message_hostname"];
target_label = "hostname";
}
{
source_labels = ["__syslog_message_severity"];
target_label = "level";
}
{
source_labels = ["__syslog_message_app_name"];
target_label = "application";
}
{
source_labels = ["__syslog_message_facility"];
target_label = "facility";
}
{
source_labels = ["__syslog_connection_hostname"];
target_label = "connection_hostname";
}
];
}
];
};
};

17
services/grafana/secrets/grafana-db.age
View file

@ -1,11 +1,10 @@
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyBTTDNK
K3Z0alIwY0FzQlBCeTQwTS9oQ3U4dThSUUZMSXBIcU55em1KSmdnCnBWN2FaZnhs
N1NLdk0xQ09PMTFwb1FEMjJDNzg4bzBEL0p5aGh1MEs4b0UKLT4gc3NoLWVkMjU1
MTkgd25FVXB3IEIyL2VrYlVrazJTdktJbUVOUzZySlhZbnNvNlIrY0dlckZrdlE4
Q2E1RFkKZFFlUUZoRmUxck5OZjZwVmZQbklzdDZ5Q0xpd3dyTTVEdjFOQ3pGMGxN
ZwotPiBVLWdyZWFzZSBHbiA7OApIeEE5RWx1ZjFkZ3Z6TDMwcnRJSGNFVXo2UUdT
VVdNaTJQUmllSnVWeng0SmVmaCtiUXMKLS0tIC9GVjdhQWFyK09xcmQ3OFZWUUdT
cG5OTWs5QU9JOHorMFhuYUkraWFVc2sKXuXtNqrwCgD4SmTo9caBnH5Ieaotok43
rzPGYHVRNma0rlEZpXh4K1RiC4GPDw==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyB2Mmts
SGNkcnhPak5uei90a3ZoTlZyakxTUUZUV0xaQnBZKy82YStDbHhzCmw0Rk5MN2E3
WFdsQ3NOSXJXY1RqQTJvMFh4Y29NblhPOUxGZWFwRFl5ZzgKLT4gc3NoLWVkMjU1
MTkgd25FVXB3IFNMaC91cFZaNk53anZ6cWFSRmVYYm1DVFFEanJXejQreE5yKzFV
bU13VmsKclpQQ2tvZGtERmRBam9DUXVrRkd3amt4V2psUkhaY0ZNUXBLeHFhSExj
MAotPiBoLWdyZWFzZSBQbGUnfHhDXQpzcXdteFZrKzFEQWFmVmcKLS0tIHRYOXMy
cXNnaUk0c3QrUHRaUXVNNWN1dTJVcWM4UWIyWEtuYWxRdk4rUTQKyaaS0dtamqzZ
dPOcuIxUDx/G/lzes6ABI1gB2i+vr20/DvtTaNklcXHQY2BO4Q==
-----END AGE ENCRYPTED FILE-----

24
services/grafana/secrets/grafana-oauth_secret.age
View file

@ -1,14 +1,14 @@
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyA5K1k4
eTYzME9YYkVKc09uL0IwSkVoL2tXODdJSWt4MEdSR29QOXZMWkdrCnJqS1pYa3d4
TUJUN3d1N0tPNTN0eDd6Z1B5RXlVWFkxMk10STF1Zi9jY1kKLT4gc3NoLWVkMjU1
MTkgd25FVXB3IDZqVDh0YS9iWDFMbmtDamZQYjc3MGk0QXZJVnlKRmR3MmI5bGNH
bEkzUWcKTkZpejZkRTcxbEw2dk8xaEFQempHekRtcnROR0FHTi9BMjhhZnZBWnlY
cwotPiA5OHYtZ3JlYXNlIEQ/IDcmIE1WICIKWEF1VC8zOXdkdlpZMEV3SlF6RDg5
Z3k1V3lzclVVbkplYkdoTlhOL3VSUFk2a0g5TlpyTzB2WGE2QQotLS0gb1ByMTZT
V2NyRnJ5ZVpqc3NGbTNhTFhZK0gvTUN5YStzVXUyMmlwMDlBWQoCsJBEa8QT1b3E
8uCGIuxq1OvWfq3CHSnIHtVPPPz9Dwdp2XZ9XGN1mwGOcDWvnn6xVedeHXk95vNw
79Dx6bMfB9O3TmS4CyQ4UdFKt7ysjuDXw5LIe3FvpjmbRRJGKw+t8pDNFUi7MGif
/y00Ss8yI9xEatUXBUCfO8pMqoBqbzA2xfsAZ+FTYOELZppZhlp6c1+b30gyzNEx
+QdkVxVX9g==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyBtM3Fu
K0RUSmtPd0sxd2Z0dEZkN1FpVTBjTkJhYWI3V2dJR3FnZk1vaXo4CkgrRUNRc0ZO
TXdhTGhkWVpobUY2eENGT0h3aDVpNGt1dVJJM2JrQ3pERkkKLT4gc3NoLWVkMjU1
MTkgd25FVXB3IGhNYmZwdWp0YXB4VWdmbHh1TjlSNEljNFFSajRNbkpkaElwS0dj
VTZTVGMKYkU3ZC9KZW54ZVFqTFk0S1dTL2JnVEFPNVBCR3JscjBLUWVWb2ZYNXJO
QQotPiBEVVpNLWdyZWFzZSBKN24yXCBcVnYrXkcKcmptQ09wRlRLWEI2WlA3bnBo
NExuM1YwTWZsd1JmN05mMG1wMjVmbW5RTWpncVZ0YUpwVjA4b3Urajk5TjJnCi0t
LSB0Q1NRYjJBb0ZpNVQ3Q2dSZVFwYXN5ZG93N0JMWENjQU11QWxQWC8zZEI0Cpi4
5dU4RfIEAsKkX79fe3Vjt7EAO5Qmszzy0N0Jlkagn/ZxAsn8Y4NVH/WmD4l3xyTO
pzq5Cc6zL/TU9LMjcq1hXzwbQuueWkQTrVop+pfa5KRH1PCh4ntVVMIXBmlHpjoL
pfx7k1PzTMwO0ACw2sClHM40kafeGG0Rb0SgmyyfcQtO/JpdgC1rLFAO+4lM+UlC
4CR3D2IfaeL1ojFGKHgU
-----END AGE ENCRYPTED FILE-----

19
services/grafana/secrets/kuma-token.age
View file

@ -1,11 +1,12 @@
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyBPbktx
UWlmTXJOYnFDSjBMUUZJZzN1R09ldWpHdlVONzJOR0NwODdsRzFJCkdPT1R6b1lx
dThHczN0WWJaOENiTW0wRnI0OG5PeTllVXBUWkhVVVlkeFEKLT4gc3NoLWVkMjU1
MTkgd25FVXB3IFJrV0FkUERiZkVJNmZWUUZWRytHTTM0RHN4MzczalM4VDVsMmtt
S2dVVkkKdXZFRitOYSt1M1IwbXlZNDNCOEpkbDA5MzVrV3NPWHA1a3NXSXhVM0Vw
UQotPiBgby1ncmVhc2UgRiw3Cktud3Izd21LNGJiMXVrQi9sWVB5T1VoMVhEZ1JX
bVh6eWZMWHN3Ci0tLSBId2M0T1d1ZkxQK0ZMcHJBRHRwQ2drT1RHSWhJbnd6YTR0
T0tGNmtCTE44CiymjrDgkjwfLRhDCKZin3sV5je3Ho3fUyMu6vHp1ybmlYZxPXa9
996BaKlD5RQWjAXyWRFVFQzVwnP8iNULxA0Uo3a5SUxQ5YlQPf+V
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyBMY0Z6
STRvMWVUVDRMM2I3bkFsUEo3OFJyNDVPQzlWcHRFSVplUXEyaW13CnJoclhhL2Vo
d1M1cVhLcXVpNEZzdmtsZUlTZjVMamJHdC8xekNzM01oWE0KLT4gc3NoLWVkMjU1
MTkgd25FVXB3IGYyeTlEeEpTWkZsMFdvVzhlU2p0Yk0zMmtRL1ZRTHp5YzEwNk5q
ZGNHMEkKaFNMQW1RTXJkLzlYR0Zjd09YNlhVVlhPV0tpWkJOLzIva0NsWGtGbHk5
dwotPiBmeyVXdS1ncmVhc2UgPF9kIyNNNm4geidlbUMgL1R6Xz5YCk1rMnZPYnI2
Q1Q4RGlDRDIxRmFaMStqakxud244d2YrMWttUUxGWVBuZVBrTHZMbVdHN3p6ZnYr
eUEKLS0tIGVOUlJaZU01UGpTVXBxSjZjL3RuL3JlQWlDVkIreHZJdEZRTVExeGRi
OHMKBgnrlp1sTW9RJkzeHCgKExVm909fmlzm4J0OkaJDTNBeehEZsRLg72J7G8Em
u4FvLjakI+VMbsOJ5HmDsCXTGDLSJevK9e45o3Ik3sw=
-----END AGE ENCRYPTED FILE-----

22
services/minimalConfig/default.nix
View file

@ -91,13 +91,6 @@
];
};
age.secrets = {
cs-lapi-key = {
file = ./secrets/cs-lapi-key.age;
owner = "crowdsec";
};
};
services = {
openssh = {
enable = true;
@ -114,21 +107,6 @@
fail2ban = {
enable = true;
};
crowdsec = {
enable = true;
package = pkgs.crowdsec;
autoUpdateService = false;
openFirewall = true;
settings = {
general = {
prometheus.listen_addr = "0.0.0.0";
};
lapi.credentialsFile = "${config.age.secrets.cs-lapi-key.path}";
};
hub.collections = [
"crowdsecurity/linux"
];
};
rsyslogd = {
enable = true;
extraConfig = "*.*@192.168.1.27:514;RSYSLOG_SyslogProtocol23Format";

22
services/minimalConfig/secrets/cs-lapi-key.age
View file

@ -1,22 +0,0 @@
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyB3eCs0
Nk9UMzBuKzh0MHdNQW9sM2JRZUFjS3lXRm13U2F0SmxwM0szcG04CmkrMm1BRlls
bXZacTIyR3RWMWlGSUMxcytYRGUzSExYd055emNEQTVuc00KLT4gc3NoLWVkMjU1
MTkgd25FVXB3IGNuRmFFa1lYd0xsV0d2WkRhYmFEVjlkc1g4NWJURitnNzBhMHBj
WWhnWFEKSkw1K0V2WXdpT2krQ3ZtbHJZT0hGczJ3ck00SC92TFZVdWIwYmoxRDlP
NAotPiBzc2gtZWQyNTUxOSBubUtTK0EgcGJyTXpoTkF1Z212ZHUrVDFoVXFualNM
MkNyQXpNWmJReGoxWGF6N2dHMAppY0ZiVWVMNkp4eVB0VGsxUmRmaDN1RG0wRXM0
QkhyYUF1OGdPdHN4dUpJCi0+IHNzaC1lZDI1NTE5IHNpbmd2USBuSHpPaG91UXZG
YmdvQUNVQTlEeG5DTWtiSDJCQ3dzeWM3RXlCQW9kMXpFCkw0bUxuVzZlMThXUytT
Znd1MlE1WnpOQlg2bCtnT21pVGwyYTdjb2xGNlkKLT4gc3NoLWVkMjU1MTkgeHFt
eWpBIHNqUUxQM2QvSkV6Y0FucU5kSWd5SURObXN4czJiN29ISW11UTJjOTB4azQK
ekN0RUkwVWsxSHhqelNueGNGOTNoMWExNkxRd3RaVkluNmpIYnk1WXY3awotPiBz
c2gtZWQyNTUxOSBtdTBmbkEgSm50VlB2NEh5ZzBmNVpaTE5sbHZEcnE2ek43T2RH
M1hwOFRIN3ZXcmx4YwoyK3QzeU1ZT2F5MUM3blg3aytLTGsxSmtxZ3VDUkNFVjZs
eFdjMTBSeHVFCi0+IDk4cFViLWdyZWFzZSBYekczVnVnbCBpfXpGIC5HClRvVDlB
R09XcDYxQzNWOVBhU256a2MwRHlxK3VJd25teDJZMDBRCi0tLSBBZXdLcy9sVTFn
TEpESU1IWE1aOGowcjlGQW5wZEhwZjFMaWxMZmN2MC93Cic+Mcw6l7P3Pog/UL3J
M2HIcSjqjtLKtk52uNIb8b7A/fOdrUhogyYVfAt7nWhQ0CCE+cE/Z+JnI3g8skG5
4ZGF/r9Y+9orKLdskFdrkWBYX1jx3Xcwme+Kg86AO9P3Os3thXo8iDctAFFiAWvo
AgOOjmobsPfXKQfRZw84nDB1CXzFZkDngYrB
-----END AGE ENCRYPTED FILE-----

75
services/nginx/default.nix
View file

@ -2,17 +2,12 @@
config,
pkgs,
lib,
inputs,
...
}: let
cfg = config.services.vm_nginx;
in {
options.services.vm_nginx = {
enable = lib.mkEnableOption "Enable minimal config";
proxy_ip = lib.mkOption {
type = lib.types.str;
description = "The Nginx proxy IP address";
};
};
config = lib.mkIf cfg.enable {
security.acme = {
@ -23,59 +18,7 @@ in {
];
};
services = {
crowdsec-firewall-bouncer = {
enable = true;
package = inputs.crowdsec.packages."x86_64-linux".crowdsec-firewall-bouncer;
settings = {
api_key = "XIgNVuxdP74m+UPbd3WJnHHJdLhRiTbhuH6z2mPRIFg";
api_url = "http://${cfg.proxy_ip}:8080";
};
};
crowdsec = {
settings = {
general = {
api = {
server = {
enable = true;
listen_uri = "${cfg.proxy_ip}:8080";
};
};
};
};
hub.collections = [
"firix/authentik"
"crowdsecurity/sshd"
"crowdsecurity/linux"
"crowdsecurity/nginx"
"crowdsecurity/http-cve"
"crowdsecurity/base-http-scenarios"
];
localConfig = {
acquisitions = [
{
source = "journalctl";
journalctl_filter = [ "_SYSTEMD_UNIT=nginx.service" ];
labels = {
type = "syslog";
};
}
];
parsers.s02Enrich = [
{
name = "gateway";
description = "Whitelist Gateway IP for VPN access";
whitelist = {
reason = "Gateway IP";
ip = [
"192.168.1.1"
];
};
}
];
};
};
fail2ban = {
enable = lib.mkForce false;
jails = {
nginx-http-auth = ''
enabled = true
@ -187,6 +130,24 @@ in {
recommendedProxySettings = true;
};
};
"office.le43.eu" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://192.168.1.125:8000";
proxyWebsockets = true;
recommendedProxySettings = true;
};
};
"collabora.le43.eu" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://192.168.1.19:9980";
proxyWebsockets = true;
recommendedProxySettings = true;
};
};
"git.le43.eu" = {
forceSSL = true;
enableACME = true;

14
services/nginx/secrets/cs-lapi-key.age
View file

@ -1,14 +0,0 @@
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyBCRlBx
TDRERktFbE1xSXNpUXd4UE5vdHJpWmRNQUdjZ3hLejlmaWVjd2lRCm10aStweldV
aE5lWnJ4T3l3dTFlYWR2eUtjZHYrdTJ1VmFQMFc2UlIxUWcKLT4gc3NoLWVkMjU1
MTkgbXUwZm5BIFh5dDY0c1hMTDE5aTFsRU5JbERvTXlWSDZwZGgzaExraitLSmQr
Ukp5VkEKT0ZQS1AzQTFWRGJneWVjaU5sbHVaME83RnZuQzBPNCtzb20yNWtNR0Rk
ZwotPiBwdygwZ11ZLWdyZWFzZSBEXGFWV2JvCjZPenNoMVhjbHZycjhqZURQWExi
NmZkZDdJaTQ5NkFCZmtmWU1zZEdrQndnSnBkNmZhY1dOeENqeTNpL3BlcXMKN0VQ
VmgvaWdONzF2TWFuS0tTQ2Y5M0NUMGJkOFVaMi85K01vdHNRRUJ3d1VLbmxUN0cv
SVIvcwotLS0gOW9sZjBuUmxRK1JMZ1NYWlRiL1BMZGd1SmJML0I5SlpLMWlOakhR
L01DdwpzAKzZ6lqTmdlFPWlj3ElxZJhWKZI9iPpP9QW/TzrAAAmHivSmSfLrAKwE
uBgXo+unc+c9KUCypY8z1nMzbmijDKhMrryBsj7++IyfG5cqhX4J+Y73mdutKtfY
JzsfH7ku3cvSxl1MypQdj7+F//7hkcn5IoSKLT/AcTqqFEcoUorf5QYaD5Rnrg==
-----END AGE ENCRYPTED FILE-----

18
services/onlyoffice/secrets/office-dbpass.age
View file

@ -1,11 +1,11 @@
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyBlRXJL
U09lMEFhTm14UDBvK0RneU1rUEExOW1XLzBYaFVIUE11WnhXT2pnCkVSYTlxT0pC
dEdhTlp6MnhVVGdjaU5sNkw4UEJqRDh0S2VjMXFpbVdDaE0KLT4gc3NoLWVkMjU1
MTkgbm1LUytBIFEzTldxVFNPQ0k4anI3eGtROHh5K2NDNE9vbGRKdGpZdmZONFJF
Z3E4aE0KeFlSTkliYldSeGkvOWJtVGNJaDIrbnFWT3kzUVh3T3pRMEFQVUptSDhs
YwotPiBrd3ZcWDBdeC1ncmVhc2UgfApURFdhNmlIOVR0T1c5ZFhHbURNbkx3YnhS
L1ZMWjg5dGlZM0FCZUJ3WVpYTU5HRjV6cTllYkxmcVNXWFJQeUlOCnlKcwotLS0g
RUIxbW1BVW05WGlRZlVJcDNINGRQTU8zSytqZGU3aVNldkNGakdFYllRVQpyT8qx
VmPmwWiaRIx1JjhOPLnLnK3x2h2FepWW37HPANVrD51o8x9PPzbzpe/j+DI=
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyA0YWdJ
cnphWUxTeldXM25FZGg3NC9sVlppbHE4N2szS00vK2VQL1VPendJCmhTME1MUzhI
MTZRSG0rcVFvdjllZ05Ockkwam1kYVpObnJSdEYydGgyN3cKLT4gc3NoLWVkMjU1
MTkgbm1LUytBIGM5NCtPVGZJWVhNR1ZvTGVGODF0M2N3aXdzeVVDYU10aGc5bkVO
ZmNPd2MKa2xiZy94cjEyOFRBU1NvSHpvckQweWh3OGRQejhQQVpqMnJLQjI1RVQx
QQotPiBcJC1ncmVhc2UgXDFcUyAqfV53PyArZSFFc0sgenxXek0KdTh0UFU2V25T
bWNoSWsrUmpkbzNabmdJZ2t5OHh1RTgzY0ExaGNLS09hZHl0eXM3MXB4RwotLS0g
UkxxWURhVzg5Q09EUGtObEhOeWN3MXk4U1ZxeXZWLzFXVURpQWNrYzBmWQqn7LYQ
6fgnb/DRZjA8yhMgTSIcIJSm4t/+y6fGTOMmWK9Sjsjx+bK1kazPnPZgp6A=
-----END AGE ENCRYPTED FILE-----

20
services/onlyoffice/secrets/office-jwtpass.age
View file

@ -1,12 +1,12 @@
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyB6YTZF
SSt4bEFvY0xCT1ZTUldNSkdveG44cWZYei9DdDhRQnlId2xnM1M0Cnp1T0dlWFZz
b2FBOUMwT2dKaEpxU0c4aWQvRTBaVFV5L2ZWdDYzUjQvaTQKLT4gc3NoLWVkMjU1
MTkgbm1LUytBIGl1VHJLN0JOZUhuUmtQbnF5b3Q5QVF6eEFvREFSaG5VTS9yWDJP
TXdDSFUKS1k1M211ZWNLeXVHYWlzeDJwQWJBLzlZUWI3TkNzVTVyTHNWdkxlWkRN
TQotPiBaP2E+MlctZ3JlYXNlIFNzYiBjKnI1fkEgO1pgIDw+CkN2aktUQ1FoMDlv
VHpHSEVuaW1ORE14dWRyS0U1amY5Ny9HV3hpODVnNUY5T3lXdGdMMS8zNy9xUXVV
QUhXNEsKekR2SytYcWlHY0VScXZhWUw0Ty9Qd2t6VWcKLS0tIFRCWW9KTWUxNXJv
NC9rTWpnNTdPbitqL1RtQWRxTFYyaXVzcmptdWpVaVUKHjTjNodh7Gq5bTJ0WXAo
DbfiQMUsv90ipf+og4AkLfVzSkcNrpNeREzCj7wZvPE6LA==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyA1QnNv
L1U2eUljam4wM01lOURXQ2luRkVGbk96OVFuVm9kS1NxaFJ0N0QwCmZxak82eW1w
SVBMeEZWUDh3a3lmRkJhSkcxcW5kSUg3R1RiVUxpMTlPZE0KLT4gc3NoLWVkMjU1
MTkgbm1LUytBIENxbWI5ZG4rbVFEb3lvQVZLMW1tUFo5N2hzYzQyN1hSZnZUdHlv
Q2hDUlUKdDdmd2JyREdPYWdLSFBUN3orOUJkSk9WK1JYTElhV2JyaWR1cUJLM3BI
QQotPiBWYSo7KlItZ3JlYXNlIHBJXCYgNWZjb1RjIGVPOT87JF0yCkFkbVFkTWlN
bXk5b0VZdmNza09JanVXbFlCUkNVdkNZZ243TzRLMTB1bkkzTGJzS1pIdkdmQnNt
T2liSWdjdjQKbnBITzM5L0JlS283MndTenE1UTMveHRXL0UwCi0tLSA0eHZFQnhQ
ajd1SkNvanNuQTQ2VWpKYU0vbGRmVkZJWUZURG5xbnh0UDhJCtVjowaW++5XN5JY
pZSLB0peh5Zu7P/yeAmDvnjO2BhfgQ+9sZzNzAcVwM8We03Tr8M=
-----END AGE ENCRYPTED FILE-----

17
services/postgresql/secrets/authentikDBPass.age
View file

@ -1,11 +1,10 @@
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyBnSGtm
R1dGQlBySDlVTy9Mb1QraTZLRFFPSmRqYUF3cTNRbmNnV2VUQlVzCkxKcjRHN0p3
SUlnSUpXVXc5VURRSEVMWEF0bHZkRGQ0VHZLcnJPV3pkMVEKLT4gc3NoLWVkMjU1
MTkgc2luZ3ZRIEJGUlB4N3l1Zlc4bkNQRVBxK0QyNU1GZUQrQmw4d3NHYkNDelR3
QmVGUWcKSGJ3MUZLNjZqbWUrc0l5aEpHYWNyY0p5SWpGcGxqMG4rd1BaaG8vQUlD
OAotPiAsOTV1LWdyZWFzZSAoU3tAUUIgIjx1IEpeIHkmXU8KNlpiUC9ZNVR0a2Uw
NHp5dC9oRUZQMWRPT2lMRHZXWUFMZjhVQW04NUlsNWd3YjRzc1h2bGQ1QmdEaDgK
LS0tIGk5dXBuV3hsOEUxUWtmbjFsTVNqUXdlaSthd0VBMFh1NkFYQ0hGZXhaOEEK
xLmozB0O+dnzu9y/M0BNrl+FrZlxFfZUTaGRpD4VhQF+xmA5JhRFDre0fflnBkZF
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyAxVEMw
KzViTWJzNEtlb3NiZ1F3Rk1ud2V5dU05VzZLWjVCcnpCNnI1eENZCmQvWE9OUU1M
c0xFVjMwUHZCMzJHMjZXYy8vR3g4VXNQUjd0SExGVzFTSm8KLT4gc3NoLWVkMjU1
MTkgc2luZ3ZRIEk1YWFub1VHVkE0cWpVNG9mL0g4bk82cnFPM2NQaDI0cnAwdTZE
eUxiQzgKS3g3S2JOWnE3eVpweGEzczlHaFlSdG1jbTczOU51TjRoTG5KMExBMXdY
SQotPiAhLWdyZWFzZSBJfShjciQxIDpxayBiYyAiXk5FSzYKMlA5MEQ0VUo1UncK
LS0tIEMzaFpMRGo5cTBMczBOeUMrSlhMWS85WVQ3UDRSeXM5RlJWS1dWR2VhTXcK
a3qm9ASifZqqohCsRoGnW9ijFoy2bb1Myg/jaZBD1P9/2KQ4yHV92nap271Sq86R
-----END AGE ENCRYPTED FILE-----

22
services/postgresql/secrets/giteaDBPass.age
View file

@ -1,13 +1,13 @@
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyB6K3RY
Qy9yU0ZkVG9mSGRvOFQ5aUozNHNGVUpMTGUvOGU4US9yeWExaWtnCnkyTDlXQUE4
K01scktWMTJkWldUOTQzUUZNWHQrcHlNeElwVG1vL0hDQlUKLT4gc3NoLWVkMjU1
MTkgc2luZ3ZRIE1qclVJYlQ3UHhXaE5ub3JWNDVUVTB4c0Y1c2NSSno2aDNkVCts
S054RzAKclljZkJoSUhtUXp2dng2eDJlUkphMXRFbXJQdUxPYm1OTUtMQkxZaWcz
OAotPiAmbi1ncmVhc2UgU2NUIHluCnp4TjhnVk01OWRVZUJVMnlPNmlzNWNJZk5J
OHpsTnpGLzA4eE0zNitKSWF5d05BcEhjU0xCd2lRMXpLVXB1TlgKLzB2VFMzcmJo
aThSMDQrU0JaSWNUMVZnOXRUNlhDVVoyVkRRTndUS1pnMUhhSTQwKzdXVFIwTFFi
NkdTYkZScQpaRHp6Ci0tLSBRVFlXSGpLYzd1QXNkRlJjdDFkejdyM1ZzelRIN05o
UkR4a3JTSWhIQlN3CtTJA3S9lKiHg1j+GiDIZtbLjWlnCQG6R8XbApPIWPPNm+wt
mtCq8RC9uHH+
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyBhSllo
UjhSeHFNangxcWVlQVR4NGJxRXU0cDB2NjdyU1FTUmZZcmg4ZUZZCjNJVjB3UnB2
dmhoRncrTTR1dURtbHVHeTByaWZwYTRha3dTWnZMRWdCVjAKLT4gc3NoLWVkMjU1
MTkgc2luZ3ZRIERLL1l5R0VVWTRlMDNCYXpTb09zWWdhTmlLQTdIMVhPZXM0ZFdX
N3VpeE0KUE9rWFNJL2dpK2VGMkNucTZWZDVqcGt5NlVkOXJ3amhybmFQR3ZVVjNP
VQotPiAubyNQcXtpfC1ncmVhc2UgKyRRTFl8VkkgZEgKRWFjTDdzL1ordGg0czFQ
Q3NtWjdLK2tNVUhsaCtXZGxCRysxYjU1YTNDNDJnZHc2a0kyQVNGVjZOYndGYjBS
ZApNM1JJQmE2WXpXaEJGcnNCbVk5WnQrMHdrMEgzMGRqL21WSGUzWFM0WlREVVdO
T0Z4MUEKLS0tIGcxcVZWQWMzS0FlclNJYW9jSldoc3huUXl2eXVoQ1dzdVc5YVBa
aGRvcmsK9L6wCJ22CZeAuJQWW8t/i7M5ysRJJUjvzOAKvI+gO5G9hagP2t+qEK9e
hvE=
-----END AGE ENCRYPTED FILE-----

18
services/postgresql/secrets/grafanaDBPass.age
View file

@ -1,11 +1,11 @@
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyBneXc1
enhZNFEwV0xNbWhqVTl0VlUvZ1E4V3RlZElDNEFTeUh5alFqdkg0CmxjV0d6QXJm
cXovM25wM1VHdG5wbVJhZytMUEpSU3VvYXUvaGpJTC9ocDgKLT4gc3NoLWVkMjU1
MTkgc2luZ3ZRIDY2OGJGUENPckxrcnNKMFlWNC8yOGgwUDJUcDMyS1VnSC93dXpw
UWo0U1kKbnQ1TUlZc2RrbTRuRmVhVlNwUVpBMkc3Ukl1dXR1RzNKK3ovUnR6UWln
cwotPiBwSlU2ci1ncmVhc2UgPFRSdjkgKlAzUyBQYXhVN3MgQGwKMWdWOWYyRUFK
MC9ETEg0QgotLS0gZGtTdHVBbm9KeUxDYVUvQjlTb3Q5UllFb2F5YU5wUXhEc1Bs
RTJXaUI2RQoYkHT7kLqp50j9knk/D14UTvt0FJQO7NpmhISbCoeXQ+X9Y7td4P4J
s8VDQLEe
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyBPTW1I
Skp5c0oxTmk1VWRPM3ZuelNBblF2UkZOYWUvOGNXTGJPRGlISGxzCmhCVWlCSUZZ
UkR5RW5SWjN3SzlneXA5ZDJUL21LS2lXcndidmxnWUtpMlkKLT4gc3NoLWVkMjU1
MTkgc2luZ3ZRIFN4MHplVDJZbEozMEtYZ3N2amZDdHpLTmpOUlhMNXUzMHZFSFRT
amhCMDgKMDUzc042UklCSUs4YUVTY2xjZUFaRlRBM09TTEhwQmNKQVA3YkgxZVly
OAotPiAraXswWVwlaS1ncmVhc2UgNGdhM30gZ0xHRE11KEYgM2pMPy8uTQptMWYy
T2JMVTB0b29lNHpqN0dPdXNMZEtwTWtOb1dxQ2Q0S1c4WFpLVExaczQrNjhVTEJH
Ci0tLSA2MjUwM1pqWTZWd3RndHd6N3krenYyUkM4aDd2WFVsQVllZEg3S09ZSFlF
CiDdh9xPzRx0vUkFn+5DHSXNOd3aF4DJHS2+Rc5bBvJsik+E9gBcBHN5eawHmJg=
-----END AGE ENCRYPTED FILE-----

19
services/postgresql/secrets/nextcloudDBPass.age
View file

@ -1,11 +1,12 @@
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyA4Wm9k
YlJJbUswNjcrQkVHdk0wc0g0ampYb1Mvbzd4Rk5IVW9ZS0RSTlZrCjdjK3BhYjdV
cWQ1NUh3bi9ZakxOajIxbDRST0FwQ0R0c3BHY1BGNXY5UHcKLT4gc3NoLWVkMjU1
MTkgc2luZ3ZRIGtDSlZkUm5DTEpPdXJsTCtQSHA2ejdtRU9WU3ZJdGtaRVdScUNj
TFg1VDAKcWs0S0s5REgreG5PZDZkM0lGQ0RBdDR3R2kwY2tmK1RmaWE0R2pJb05j
UQotPiA5OVMxUkVhXy1ncmVhc2UgK0xfdnUoOgpnbVFETkc1ZS81Kyt4U1NoOWJv
L1NVM1BzeGdQRDg0Ci0tLSA3VnpKZTRBbWN6NGMxWnNobHVEdDUyRTJORTlabXRH
UllITmVGVHlrSGlNCoMnkbrU86Cjj6jnsZjSPwKIzLpdyzxYBQDxoj9mv139Rdae
bFLdtG8sIabo6hNIxg==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyBicitL
VnR4WFh6TGZkZnhpZEZ1MFZjditqeXFzSXFOUW9ienhjdHFsam1JCnkvY254cmZN
cTNYRDdtWUNHQkNmMzFCU1N1dllqQTdvTm4xamhvS2F6RjAKLT4gc3NoLWVkMjU1
MTkgc2luZ3ZRIHhDcERwWkl5QXgzamdlNlgrOXlMWkpSb0JWSUtSTmwraHFTdEwy
U0Ixa2cKMS9zUVR1WDdDYlBic3RIbXd3d3JGVHlNVmVsRHY0elNWZ0o5aWVUazgw
ZwotPiAsSjwtZ3JlYXNlIF8xcCBKU3oKb1RoZnFyOENMWHQxSUlUS2xmN0RWQWxV
UXFlTFhmdVZRVXY0ekJYQmRBWWxJYWovcW1EQjRHSHloWnRqaTEwTQpnZDNmMktm
b2xWUFRFamtvTVRoYjJRYwotLS0gMlNvRC9nY1pTWWx1ZHlJMmE3ZkpQUGgrclAw
bERjMVhMa1RpVzZwUHA3TQrcYKrxC2Ij+0RmtDozhBTBh3Th8NehZ+FUSl3Okyol
XX4KB2lT5urYECGsan+HOKo=
-----END AGE ENCRYPTED FILE-----

19
services/postgresql/secrets/onlyofficeDBPass.age
View file

@ -1,12 +1,11 @@
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyBvWEZM
MTJGUzQ2a3Q2SE9QeE1hWUxDRmMvODhxRVFOQlcxaVYvZEFaNFRnCnZWME02QVlH
TU1lUUt4TnhabzBkNGJVS2pxaytPY0tic1NRR29Ka0k5em8KLT4gc3NoLWVkMjU1
MTkgc2luZ3ZRIDAvTVFwR3VOWUVpZk5xUkJsZW9CMVhzYkd1ejhwUHhGejNQc1hG
eXVqbXcKM282Z3JlUS9yMURSa3lnaitpZ3NhMTVvamR4MGV2USttcmp1bDNEYXVP
bwotPiB7MHlWLWdyZWFzZSBqW2hxWm0/SSA2Klh8OyBOOiBtbFlTJjAKVkhZcFla
VVdsbnRlRUI1bzdNWEJUNjNEdWpZY3JBWlduQUxrRU4xdG1kWU8zSjExbUd6UlNG
clZYQTVMVkNFNAp5dlcwZmhxQTNKN1h0dUhUM1prCi0tLSB1UXlaQUd3b1JkM29K
bjFJTVpzUTk1MjZIbEhmTkVXYlNtN3k0OW50TTJBCoB7YGQ+R1yzNbS9ZiTcgoZk
LGeyAB/x+izkhu54XzrxpjQKeXAQftnHks6lzzqZ5w==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyBuS0xp
Znc2ajhKemNNSFJpUDdvdFBVbW93SDFmaEpaRXBIck9PcXJxang4CnlzZzJ0MXdT
V2U4Ykl4aTlydGRaeHIxRmZkVHg0dWpnV1dtOS9WdXkxZXcKLT4gc3NoLWVkMjU1
MTkgc2luZ3ZRIDJnS0xoWFAvTVJXdnJBSDc2dis4bWcrTEhmdmE0aEJJZzFZSm1z
akU0Z3cKMGZNcG5ZNWVrdWVWQjhWQXVIL1RtcExBcFhJUU9pa2ZaOGdqaFdWc1pL
YwotPiA3LWA2RXs7LWdyZWFzZSBESUoKd25SMDg0czBNcmRIb0JGVDRLdEZ5OGph
eDJRZjJodXgKLS0tIExLTDlPSE1Kd0lXMlo5YzhpeEI4K3BDUGtrem41cFdsYTVz
QjQ3OWdJVjQKEnu24xPsxg8m+TYOsFp02Rv1lm61lwFsPgVEvfq+siEm2bvJiCut
LQBgsEpiyzvv
-----END AGE ENCRYPTED FILE-----

21
systems/minimalLXCConfig.nix
View file

@ -98,12 +98,6 @@
netcat-openbsd
];
};
age.secrets = {
cs-lapi-key = {
file = ../secrets/cs-lapi-key.age;
owner = "crowdsec";
};
};
services = {
openssh = {
@ -121,21 +115,6 @@
fail2ban = {
enable = true;
};
crowdsec = {
enable = true;
package = pkgs.crowdsec;
autoUpdateService = false;
openFirewall = true;
settings = {
general = {
prometheus.listen_addr = "0.0.0.0";
};
lapi.credentialsFile = "${config.age.secrets.cs-lapi-key.path}";
};
hub.collections = [
"crowdsecurity/linux"
];
};
rsyslogd = {
enable = true;
extraConfig = "*.*@192.168.1.27:514;RSYSLOG_SyslogProtocol23Format";