From 43ecae9920d6851f22287349f050f82e26a85a58 Mon Sep 17 00:00:00 2001 From: mjallen18 Date: Thu, 20 Feb 2025 09:25:23 -0600 Subject: [PATCH] initial crowdsec --- flake.lock | 128 ++++++++++++++++++++-------- flake.nix | 14 +++ hosts/nas/apps.nix | 1 + hosts/nas/apps/crowdsec/default.nix | 44 ++++++++++ hosts/nas/configuration.nix | 1 + hosts/nas/impermanence.nix | 6 ++ 6 files changed, 157 insertions(+), 37 deletions(-) create mode 100644 hosts/nas/apps/crowdsec/default.nix diff --git a/flake.lock b/flake.lock index a196916..f571f3a 100644 --- a/flake.lock +++ b/flake.lock @@ -53,11 +53,11 @@ "nixpkgs": "nixpkgs" }, "locked": { - "lastModified": 1739212779, - "narHash": "sha256-7U7fOAOVy/AaOtw3HflnwEeXZJ9+ldxVU/Mx5tGN9A4=", + "lastModified": 1740016447, + "narHash": "sha256-96hBRGwuG+CFI5+inRIDCh0Za4LOt1dlbO3pFOokw6Y=", "owner": "chaotic-cx", "repo": "nyx", - "rev": "175a7f545d07bd08c14709f0d0849a8cddaaf460", + "rev": "ed7900391a1969bb0bde432fd3952a6dda37114c", "type": "github" }, "original": { @@ -82,6 +82,27 @@ "type": "github" } }, + "crowdsec": { + "inputs": { + "flake-utils": "flake-utils_2", + "nixpkgs": [ + "nixpkgs-stable" + ] + }, + "locked": { + "lastModified": 1735050278, + "narHash": "sha256-vOVVbmuS83mjd5aWfU4uLdbig/r/OBA4v/NyQW8RD7w=", + "ref": "refs/heads/main", + "rev": "c6aa259c883e3810167b754fed72fc06119734a0", + "revCount": 35, + "type": "git", + "url": "https://codeberg.org/kampka/nix-flake-crowdsec.git" + }, + "original": { + "type": "git", + "url": "https://codeberg.org/kampka/nix-flake-crowdsec.git" + } + }, "fenix": { "inputs": { "nixpkgs": [ 
@@ -91,11 +112,11 @@ "rust-analyzer-src": "rust-analyzer-src" }, "locked": { - "lastModified": 1739082714, - "narHash": "sha256-cylMa750pId3Hqvzyurd86qJIYyyMWB0M7Gbh7ZB2tY=", + "lastModified": 1739946876, + "narHash": "sha256-ek0u5FT5yjqYKjF/0HQKwDH2ISZzyvYwu+My5hmSwbU=", "owner": "nix-community", "repo": "fenix", - "rev": "e84058a7fe56aa01f2db19373cce190098494698", + "rev": "95c1eab59767a3dbb11d6616d4ff736813ce41d2", "type": "github" }, "original": { @@ -237,6 +258,23 @@ "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", "type": "github" }, + "original": { + "id": "flake-utils", + "type": "indirect" + } + }, + "flake-utils_3": { + "inputs": { + "systems": "systems_3" + }, + "locked": { + "lastModified": 1731533236, + "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", + "type": "github" + }, "original": { "owner": "numtide", "repo": "flake-utils", @@ -273,11 +311,11 @@ ] }, "locked": { - "lastModified": 1739802995, - "narHash": "sha256-kZv0upOigS/4sUEgZuZd6/uO6s8X8oYOLk9/sGMsl+c=", + "lastModified": 1739913864, + "narHash": "sha256-WhzgQjadrwnwPJQLLxZUUEIxojxa7UWDkf7raAkB1Lw=", "owner": "nix-community", "repo": "home-manager", - "rev": "9d0d48f4c3d2fb1a8c8607da143bb567a741d914", + "rev": "97ac0801d187b2911e8caa45316399de12f6f199", "type": "github" }, "original": { @@ -314,11 +352,11 @@ ] }, "locked": { - "lastModified": 1738610386, - "narHash": "sha256-yb6a5efA1e8xze1vcdN2HBxqYr340EsxFMrDUHL3WZM=", + "lastModified": 1740060750, + "narHash": "sha256-FOC9OzJ5Ckh6VjzGSRh4F3UCUOdM8NrzQT19PQcQJ44=", "owner": "nix-community", "repo": "home-manager", - "rev": "066ba0c5cfddbc9e0dddaec73b1561ad38aa8abe", + "rev": "0c0b0ac8af6ca76b1fcb514483a9bd73c18f1e8c", "type": "github" }, "original": { 
@@ -351,11 +389,11 @@ ] }, "locked": { - "lastModified": 1738875499, - "narHash": "sha256-P3VbO2IkEW+0d0pJU7CuX8e+obSoiDw/YCVL1mnA26w=", + "lastModified": 1739952453, + "narHash": "sha256-+tyFW6nNj1fJ1VTtLeqe1PMp5F7Fb9zIkT6mUvdQHrM=", "owner": "Jovian-Experiments", "repo": "Jovian-NixOS", - "rev": "4642ec1073a7417e6303484d8f2e7d29dc24a50f", + "rev": "b2ed82d3ff837960df4518308dfe409dda3ae406", "type": "github" }, "original": { @@ -370,11 +408,11 @@ "nixpkgs": "nixpkgs_2" }, "locked": { - "lastModified": 1739640234, - "narHash": "sha256-+o3AWAC0GICcvdn+vXGmQ5hXJSALdD3rgnt+SZLRQKU=", + "lastModified": 1739983147, + "narHash": "sha256-bl1k7pI/YFS7gfI8d0OkKarGwOTroxadY57ketJzAug=", "owner": "Jovian-Experiments", "repo": "Jovian-NixOS", - "rev": "dc10b4ba56665c66562a5e993c9734fe89c29c65", + "rev": "27089501f8cd53f8ef8ced7cec2e4ad114e9ffea", "type": "github" }, "original": { @@ -411,7 +449,7 @@ }, "manyfold": { "inputs": { - "flake-utils": "flake-utils_2", + "flake-utils": "flake-utils_3", "nixpkgs": "nixpkgs_3" }, "locked": { @@ -459,11 +497,11 @@ "nixpkgs": "nixpkgs_4" }, "locked": { - "lastModified": 1739548217, - "narHash": "sha256-rlv64erpr36xdmMDPgf9rhRXBYZ0BZb5nrw2ZPSk1sQ=", + "lastModified": 1739933872, + "narHash": "sha256-UhuvTR4OrWR+WBaRCZm4YMkvjJhZ1KZo/jRjE41m+Ek=", "owner": "LnL7", "repo": "nix-darwin", - "rev": "678b22642abde2ee77ae2218ab41d802f010e5b0", + "rev": "6ab392f626a19f1122d1955c401286e1b7cf6b53", "type": "github" }, "original": { @@ -577,11 +615,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1739214665, - "narHash": "sha256-26L8VAu3/1YRxS8MHgBOyOM8xALdo6N0I04PgorE7UM=", + "lastModified": 1739866667, + "narHash": "sha256-EO1ygNKZlsAC9avfcwHkKGMsmipUk1Uc0TbrEZpkn64=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "64e75cd44acf21c7933d61d7721e812eac1b5a0a", + "rev": "73cf49b8ad837ade2de76f87eb53fc85ed5d4680", "type": "github" }, "original": { 
@@ -621,11 +659,11 @@ }, "nixpkgs-stable_2": { "locked": { - "lastModified": 1739624908, - "narHash": "sha256-f84lBmLl4tkDp1ZU5LBTSFzlxXP4926DVW3KnXrke10=", + "lastModified": 1739923778, + "narHash": "sha256-BqUY8tz0AQ4to2Z4+uaKczh81zsGZSYxjgvtw+fvIfM=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "a60651b217d2e529729cbc7d989c19f3941b9250", + "rev": "36864ed72f234b9540da4cf7a0c49e351d30d3f1", "type": "github" }, "original": { @@ -637,11 +675,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1739736696, - "narHash": "sha256-zON2GNBkzsIyALlOCFiEBcIjI4w38GYOb+P+R4S8Jsw=", + "lastModified": 1739866667, + "narHash": "sha256-EO1ygNKZlsAC9avfcwHkKGMsmipUk1Uc0TbrEZpkn64=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "d74a2335ac9c133d6bbec9fc98d91a77f1604c1f", + "rev": "73cf49b8ad837ade2de76f87eb53fc85ed5d4680", "type": "github" }, "original": { @@ -653,11 +691,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1738546358, - "narHash": "sha256-nLivjIygCiqLp5QcL7l56Tca/elVqM9FG1hGd9ZSsrg=", + "lastModified": 1739214665, + "narHash": "sha256-26L8VAu3/1YRxS8MHgBOyOM8xALdo6N0I04PgorE7UM=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "c6e957d81b96751a3d5967a0fd73694f303cc914", + "rev": "64e75cd44acf21c7933d61d7721e812eac1b5a0a", "type": "github" }, "original": { @@ -777,6 +815,7 @@ "inputs": { "authentik-nix": "authentik-nix", "chaotic": "chaotic", + "crowdsec": "crowdsec", "home-manager": "home-manager_2", "home-manager-stable": "home-manager-stable", "impermanence": "impermanence", @@ -794,11 +833,11 @@ "rust-analyzer-src": { "flake": false, "locked": { - "lastModified": 1738997488, - "narHash": "sha256-jeNdFVtEDLypGIbNqBjURovfw9hMkVtlLR7j/5fRh54=", + "lastModified": 1739913186, + "narHash": "sha256-7MSzs64dLDgq1wFw2eujZ01qdj9K+TwIlQMyWebotE8=", "owner": "rust-lang", "repo": "rust-analyzer", - "rev": "208bc52b5dc177badc081c64eb0584a313c73242", + "rev": "3028f844c5898dcf115f6bc67a5ce793989b04a1", "type": "github" }, "original": { 
@@ -895,6 +934,21 @@ "type": "github" } }, + "systems_3": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, "treefmt-nix": { "inputs": { "nixpkgs": [ diff --git a/flake.nix b/flake.nix index 53604be..17f7e29 100644 --- a/flake.nix +++ b/flake.nix @@ -50,6 +50,11 @@ inputs.nixpkgs.follows = "nixpkgs-stable"; }; + crowdsec = { + url = "git+https://codeberg.org/kampka/nix-flake-crowdsec.git"; + inputs.nixpkgs.follows = "nixpkgs-stable"; + }; + #Apple nixos-apple-silicon.url = "github:tpwrules/nixos-apple-silicon"; # nixos-apple-silicon.url = "github:mjallen18/nixos-apple-silicon"; @@ -83,6 +88,7 @@ # cosmic, authentik-nix, sops-nix, + crowdsec, manyfold, jovian, }@inputs: @@ -146,6 +152,14 @@ sops-nix.nixosModules.sops + crowdsec.nixosModules.crowdsec + crowdsec.nixosModules.crowdsec-firewall-bouncer + + ({ ... }: + { + nixpkgs.overlays = [ crowdsec.overlays.default ]; + }) + nixos-hardware.nixosModules.common-pc nixos-hardware.nixosModules.common-cpu-amd nixos-hardware.nixosModules.common-hidpi diff --git a/hosts/nas/apps.nix b/hosts/nas/apps.nix index a7e8a1d..54ba60e 100644 --- a/hosts/nas/apps.nix +++ b/hosts/nas/apps.nix @@ -2,6 +2,7 @@ { imports = [ ./apps/arrs + ./apps/crowdsec ./apps/jellyfin ./apps/jellyseerr ./apps/nextcloud diff --git a/hosts/nas/apps/crowdsec/default.nix b/hosts/nas/apps/crowdsec/default.nix new file mode 100644 index 0000000..7640d0e --- /dev/null +++ b/hosts/nas/apps/crowdsec/default.nix 
@@ -0,0 +1,44 @@
+{ outputs, pkgs, ... }:
+{
+ services = {
+ crowdsec = let
+ yaml = (pkgs.formats.yaml {}).generate;
+ acquisitions_file = yaml "acquisitions.yaml" {
+ source = "journalctl";
+ journalctl_filter = ["_SYSTEMD_UNIT=sshd.service"];
+ labels.type = "syslog";
+ };
+ in {
+ enable = true;
+ enrollKeyFile = "/media/nas/ssd/nix-app-data/crowdsec/enroll.key";
+ settings = {
+ crowdsec_service.acquisition_path = acquisitions_file;
+ api.server = {
+ listen_uri = "0.0.0.0:9898";
+ };
+ };
+ };
+
+ crowdsec-firewall-bouncer = {
+ enable = true;
+ settings = {
+ api_key = "1daH89qmJ41r2Lpd9hvDw4sxtOAtBzaj3aKFOFqE";
+ api_url = "http://10.0.1.18:9898";
+ };
+ };
+ };
+
+ systemd.services.crowdsec.serviceConfig = {
+ ExecStartPre = let
+ script = pkgs.writeScriptBin "register-bouncer" ''
+ #!${pkgs.runtimeShell}
+ set -eu
+ set -o pipefail
+
+ if ! cscli bouncers list | grep -q "nas-bouncer"; then
+ cscli bouncers add "nas-bouncer" --key "1daH89qmJ41r2Lpd9hvDw4sxtOAtBzaj3aKFOFqE"
+ fi
+ '';
+ in ["${script}/bin/register-bouncer"];
+ };
+}
\ No newline at end of file
diff --git a/hosts/nas/configuration.nix b/hosts/nas/configuration.nix
index 012a160..58f7bd2 100755
--- a/hosts/nas/configuration.nix
+++ b/hosts/nas/configuration.nix
@@ -96,6 +96,7 @@ in
 glances
 gparted
 htop
+ ipset
 jq
 lm_sensors
 nano
diff --git a/hosts/nas/impermanence.nix b/hosts/nas/impermanence.nix
index c4b21eb..385c99a 100644
--- a/hosts/nas/impermanence.nix
+++ b/hosts/nas/impermanence.nix
@@ -40,6 +40,12 @@
 group = "jallen-nas";
 mode = "u=rwx,g=rx,o=rx";
 }
+ {
+ directory = "/var/lib/crowdsec";
+ user = "crowdsec";
+ group = "crowdsec";
+ mode = "u=rwx,g=rwx,o=rx";
+ }
 ];
 files = [
 "/var/cache-priv-key.pem"
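Review bot: The bouncer API key is committed as a plaintext literal twice in the new default.nix (`api_key = "..."` under `crowdsec-firewall-bouncer.settings` and again as the `--key` argument in the register-bouncer script), so it lives in git history and, via `pkgs.writeScriptBin`, in the world-readable Nix store (the rendered bouncer settings presumably land in a store path as well). The same commit already loads `sops-nix.nixosModules.sops`, and the crowdsec service takes its enrolment key by path (`enrollKeyFile`), so the bouncer key should follow that pattern: have the script read it at runtime, `cscli bouncers add "nas-bouncer" --key "$(cat /run/secrets/<bouncer-api-key>)"` with a secret path of your choosing, and feed the bouncer side from a secret file if the module offers a file-based option rather than from a store-resident literal. Separately, `listen_uri = "0.0.0.0:9898"` exposes the local API on every interface while the only consumer visible here is the bouncer on this same host (`api_url = "http://10.0.1.18:9898"`); if no remote agent needs it, `127.0.0.1:9898` or a matching firewall rule narrows that. One hedged note on the script: under `set -o pipefail`, `cscli bouncers list | grep -q "nas-bouncer"` can be reported as failed if cscli is still writing when grep exits on its first match, which would trigger a second `cscli bouncers add` and fail the unit's ExecStartPre; capturing the listing into a variable before grepping it avoids that.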
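Review bot: The persisted `/var/lib/crowdsec` entry in impermanence.nix sets `mode = "u=rwx,g=rwx,o=rx"`, which is looser than the neighbouring entry (`u=rwx,g=rx,o=rx`) and leaves the crowdsec state directory (presumably holding the local API database and credentials) group-writable and listable by every local user. Nothing in the hunk needs either, so `mode = "u=rwx,g=rx,o=";` is the tighter choice if the module accepts an empty `o=` class, and at minimum `g=rx` to match the sibling entry. The enclosing directories list starts before the hunk.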