diff --git a/hosts/nas/apps.nix b/hosts/nas/apps.nix
index f3bb997..e6dc2a0 100755
--- a/hosts/nas/apps.nix
+++ b/hosts/nas/apps.nix
@@ -3,7 +3,7 @@
 imports = [
 ./apps/actual
 ./apps/arrs
-# ./apps/crowdsec
+ ./apps/crowdsec
 ./apps/gitea
 ./apps/jellyfin
 ./apps/jellyseerr
diff --git a/hosts/nas/apps/traefik/default.nix b/hosts/nas/apps/traefik/default.nix
index 1cb77f0..296937e 100755
--- a/hosts/nas/apps/traefik/default.nix
+++ b/hosts/nas/apps/traefik/default.nix
@@ -85,6 +85,15 @@ in
 api.dashboard = true; # Access the Traefik dashboard on :8080 of your server api.insecure = true; + + experimental = { + plugins = { + bouncer = { + moduleName = "github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin"; + version = "v1.4.2"; + }; + }; + }; }; dynamicConfigOptions = {
@@ -115,6 +124,17 @@ in
 X-Forwarded-Proto = "https";
 };
 };
+ crowdsec = {
+ plugin = {
+ bouncer = {
+ crowdsecAppsecEnabled = true;
+ crowdsecAppsecHost = "10.0.1.18:7422";
+ crowdsecAppsecFailureBlock = true;
+ crowdsecAppsecUnreachableBlock = true;
+ crowdsecLapiKey = "1daH89qmJ41r2Lpd9hvDw4sxtOAtBzaj3aKFOFqE";
+ };
+ };
+ };
 # test-errors = {
 # errors = {
 # status = [
@@ -196,6 +216,7 @@ in
 entryPoints = [ "websecure" ];
 rule = "HostRegexp(`{subdomain:[a-z]+}.mjallen.dev`) && PathPrefix(`/outpost.goauthentik.io/`)";
 service = "auth";
+ middlewares = [ "crowdsec" ];
 priority = 15;
 tls.certResolver = "letsencrypt";
 };
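Review bot: The bouncer added under `experimental.plugins.bouncer` is pinned only by `version = "v1.4.2"`; Traefik fetches plugin source from its catalog at startup and interprets it in-process, so there is no content hash on the code that will see every request, and a retagged release or a compromised catalog would run different code unnoticed. That trust boundary deserves a comment next to the pin, e.g. `# downloaded from the Traefik plugin catalog at startup, no hash pin — review the upstream diff before bumping`. It also makes proxy startup depend on outbound access to the catalog, which is worth knowing for a NAS that may be firewalled; the enclosing `staticConfigOptions` block starts outside the hunk.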
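Review bot: `crowdsecLapiKey` in the new `crowdsec` middleware is a literal bouncer API key inside a Nix expression, so it is copied into the world-readable Nix store of every machine that evaluates this config and is now permanently in git history; the value shown here should be treated as compromised, deleted on the CrowdSec side and reissued. The replacement should reach Traefik at runtime rather than through the store — the plugin's `crowdsecLapiKeyFile` option pointing at a file provisioned by your secrets tooling with `user = "traefik"` permissions, with `# key supplied out-of-band, never in the store` recorded on the option. Separately, only `crowdsecAppsecHost` is set; unless `crowdsecLapiHost` is configured outside this hunk the plugin will fall back to its built-in LAPI default, which is unlikely to resolve outside a container network, so confirm where the decision stream is actually fetched from.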
@@ -203,50 +224,56 @@ in
 entryPoints = [ "websecure" ];
 rule = "Host(`authentik.${domain}`)";
 service = "authentik";
+ middlewares = [ "crowdsec" ];
 tls.certResolver = "letsencrypt";
 };
 onlyoffice = {
 entryPoints = [ "websecure" ];
 rule = "Host(`office.${domain}`)";
 service = "onlyoffice";
- middlewares = "onlyoffice-websocket";
+ middlewares = [ "crowdsec" "onlyoffice-websocket" ];
 tls.certResolver = "letsencrypt";
 };
 cloud = {
 entryPoints = [ "websecure" ];
 rule = "Host(`cloud.${domain}`)";
 service = "cloud";
+ middlewares = [ "crowdsec" ];
 tls.certResolver = "letsencrypt";
 };
 jellyfin = {
 entryPoints = [ "websecure" ];
 rule = "Host(`jellyfin.${domain}`)";
 service = "jellyfin";
+ middlewares = [ "crowdsec" ];
 tls.certResolver = "letsencrypt";
 };
 jellyseerr = {
 entryPoints = [ "websecure" ];
 rule = "Host(`jellyseerr.${domain}`)";
 service = "jellyseerr";
+ middlewares = [ "crowdsec" ];
 tls.certResolver = "letsencrypt";
 };
 gitea = {
 entryPoints = [ "websecure" ];
 rule = "Host(`gitea.${domain}`)";
 service = "gitea";
+ middlewares = [ "crowdsec" ];
 tls.certResolver = "letsencrypt";
 };
 actual = {
 entryPoints = [ "websecure" ];
 rule = "Host(`actual.${domain}`)";
 service = "actual";
+ middlewares = [ "crowdsec" ];
 tls.certResolver = "letsencrypt";
 };
 hass = {
 entryPoints = [ "websecure" ];
 rule = "Host(`hass.${domain}`)";
 service = "hass";
- middlewares = "authentik";
+ middlewares = [ "crowdsec" "authentik" ];
 priority = 10;
 tls.certResolver = "letsencrypt";
 };
@@ -262,7 +289,7 @@ in
 entryPoints = [ "websecure" ];
 rule = "Host(`cache.${domain}`)";
 service = "cache";
- middlewares = "authentik";
+ middlewares = [ "crowdsec" "authentik" ];
 priority = 10;
 tls.certResolver = "letsencrypt";
 };
diff --git a/hosts/nas/impermanence.nix b/hosts/nas/impermanence.nix
index 385c99a..ae7a323 100755
--- a/hosts/nas/impermanence.nix
+++ b/hosts/nas/impermanence.nix
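Review bot: The bouncer is attached router by router here and in the `@@ -196` and `@@ -262` hunks — ten `middlewares = [ "crowdsec" ... ]` lines — so any router added later without that line silently bypasses the protection, and the `-`/`+` pairs show the string form had to become a list just to stack it. Traefik can apply a middleware to every router on an entrypoint from the static config, `entryPoints.websecure.http.middlewares = [ "crowdsec@file" ];` (the `@file` suffix assumes the dynamic config is loaded through the file provider, as the NixOS module's `dynamicConfigOptions` does), which makes the bouncer default-on and lets these routers keep their single-purpose middleware. The order `[ "crowdsec" "authentik" ]` on `hass` and `cache` is the right one, since a banned client is rejected before the forward-auth round trip is made; the routers at the top of this hunk start outside it.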
@@ -46,6 +46,12 @@
 group = "crowdsec";
 mode = "u=rwx,g=rwx,o=rx";
 }
+ {
+ directory = "/plugins-storage";
+ user = "traefik";
+ group = "traefik";
+ mode = "u=rwx,g=rwx,o=rx";
+ }
 ];
 files = [
 "/var/cache-priv-key.pem"
diff --git a/hosts/nas/networking.nix b/hosts/nas/networking.nix
index b3c5efa..548017b 100755
--- a/hosts/nas/networking.nix
+++ b/hosts/nas/networking.nix
@@ -17,6 +17,7 @@ let
 4080 # netbootxyz 3000 # gitea 3300 + 9898 ]; in {
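Review bot: The new `/plugins-storage` entry persists a directory that holds downloaded plugin source Traefik executes in-process, so unlike the Nix store it is mutable code: anything able to write there as `traefik` (or the root-owned persist volume) can plant code that runs inside the proxy on the next restart. A comment stating that is worth adding, e.g. `# traefik plugin cache: executable code, must stay writable only by traefik`, and `mode = "u=rwx,g=rwx,o=rx"` can drop the group and world bits since nothing else needs to read it. It is also worth confirming that the traefik unit really writes to `/plugins-storage` at the filesystem root — Traefik's default is a `plugins-storage` directory relative to its working directory — otherwise this entry persists an empty directory and the plugin is re-fetched on every boot.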
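Review bot: `9898` is added to the allowed-ports list without a comment while the neighbouring entries name their service (`# netbootxyz`, `# gitea`), and nothing else in this commit references that port, so its purpose cannot be checked against the crowdsec change it ships with. Annotate it, e.g. `9898 # <service name> — TODO: record what listens here`, and if the listener is LAN-only consider opening it per interface rather than in the global list. The `let` binding that owns this list starts outside the hunk.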