initial crowdsec

2025-02-20 09:25:23 -06:00
parent debc590187
commit 43ecae9920
6 changed files with 157 additions and 37 deletions
--- a/flake.lock
+++ b/flake.lock
@@ -53,11 +53,11 @@
        "nixpkgs": "nixpkgs"
      },
      "locked": {
-        "lastModified": 1739212779,
+        "lastModified": 1740016447,
-        "narHash": "sha256-7U7fOAOVy/AaOtw3HflnwEeXZJ9+ldxVU/Mx5tGN9A4=",
+        "narHash": "sha256-96hBRGwuG+CFI5+inRIDCh0Za4LOt1dlbO3pFOokw6Y=",
        "owner": "chaotic-cx",
        "repo": "nyx",
-        "rev": "175a7f545d07bd08c14709f0d0849a8cddaaf460",
+        "rev": "ed7900391a1969bb0bde432fd3952a6dda37114c",
        "type": "github"
      },
      "original": {
@@ -82,6 +82,27 @@
        "type": "github"
      }
    },
    "crowdsec": {
      "inputs": {
        "flake-utils": "flake-utils_2",
        "nixpkgs": [
          "nixpkgs-stable"
        ]
      },
      "locked": {
        "lastModified": 1735050278,
        "narHash": "sha256-vOVVbmuS83mjd5aWfU4uLdbig/r/OBA4v/NyQW8RD7w=",
        "ref": "refs/heads/main",
        "rev": "c6aa259c883e3810167b754fed72fc06119734a0",
        "revCount": 35,
        "type": "git",
        "url": "https://codeberg.org/kampka/nix-flake-crowdsec.git"
      },
      "original": {
        "type": "git",
        "url": "https://codeberg.org/kampka/nix-flake-crowdsec.git"
      }
    },
    "fenix": {
      "inputs": {
        "nixpkgs": [
@@ -91,11 +112,11 @@
        "rust-analyzer-src": "rust-analyzer-src"
      },
      "locked": {
-        "lastModified": 1739082714,
+        "lastModified": 1739946876,
-        "narHash": "sha256-cylMa750pId3Hqvzyurd86qJIYyyMWB0M7Gbh7ZB2tY=",
+        "narHash": "sha256-ek0u5FT5yjqYKjF/0HQKwDH2ISZzyvYwu+My5hmSwbU=",
        "owner": "nix-community",
        "repo": "fenix",
-        "rev": "e84058a7fe56aa01f2db19373cce190098494698",
+        "rev": "95c1eab59767a3dbb11d6616d4ff736813ce41d2",
        "type": "github"
      },
      "original": {
@@ -237,6 +258,23 @@
        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
        "type": "github"
      },
      "original": {
        "id": "flake-utils",
        "type": "indirect"
      }
    },
    "flake-utils_3": {
      "inputs": {
        "systems": "systems_3"
      },
      "locked": {
        "lastModified": 1731533236,
        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
        "owner": "numtide",
        "repo": "flake-utils",
        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
        "type": "github"
      },
      "original": {
        "owner": "numtide",
        "repo": "flake-utils",
@@ -273,11 +311,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1739802995,
+        "lastModified": 1739913864,
-        "narHash": "sha256-kZv0upOigS/4sUEgZuZd6/uO6s8X8oYOLk9/sGMsl+c=",
+        "narHash": "sha256-WhzgQjadrwnwPJQLLxZUUEIxojxa7UWDkf7raAkB1Lw=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "9d0d48f4c3d2fb1a8c8607da143bb567a741d914",
+        "rev": "97ac0801d187b2911e8caa45316399de12f6f199",
        "type": "github"
      },
      "original": {
@@ -314,11 +352,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1738610386,
+        "lastModified": 1740060750,
-        "narHash": "sha256-yb6a5efA1e8xze1vcdN2HBxqYr340EsxFMrDUHL3WZM=",
+        "narHash": "sha256-FOC9OzJ5Ckh6VjzGSRh4F3UCUOdM8NrzQT19PQcQJ44=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "066ba0c5cfddbc9e0dddaec73b1561ad38aa8abe",
+        "rev": "0c0b0ac8af6ca76b1fcb514483a9bd73c18f1e8c",
        "type": "github"
      },
      "original": {
@@ -351,11 +389,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1738875499,
+        "lastModified": 1739952453,
-        "narHash": "sha256-P3VbO2IkEW+0d0pJU7CuX8e+obSoiDw/YCVL1mnA26w=",
+        "narHash": "sha256-+tyFW6nNj1fJ1VTtLeqe1PMp5F7Fb9zIkT6mUvdQHrM=",
        "owner": "Jovian-Experiments",
        "repo": "Jovian-NixOS",
-        "rev": "4642ec1073a7417e6303484d8f2e7d29dc24a50f",
+        "rev": "b2ed82d3ff837960df4518308dfe409dda3ae406",
        "type": "github"
      },
      "original": {
@@ -370,11 +408,11 @@
        "nixpkgs": "nixpkgs_2"
      },
      "locked": {
-        "lastModified": 1739640234,
+        "lastModified": 1739983147,
-        "narHash": "sha256-+o3AWAC0GICcvdn+vXGmQ5hXJSALdD3rgnt+SZLRQKU=",
+        "narHash": "sha256-bl1k7pI/YFS7gfI8d0OkKarGwOTroxadY57ketJzAug=",
        "owner": "Jovian-Experiments",
        "repo": "Jovian-NixOS",
-        "rev": "dc10b4ba56665c66562a5e993c9734fe89c29c65",
+        "rev": "27089501f8cd53f8ef8ced7cec2e4ad114e9ffea",
        "type": "github"
      },
      "original": {
@@ -411,7 +449,7 @@
    },
    "manyfold": {
      "inputs": {
-        "flake-utils": "flake-utils_2",
+        "flake-utils": "flake-utils_3",
        "nixpkgs": "nixpkgs_3"
      },
      "locked": {
@@ -459,11 +497,11 @@
        "nixpkgs": "nixpkgs_4"
      },
      "locked": {
-        "lastModified": 1739548217,
+        "lastModified": 1739933872,
-        "narHash": "sha256-rlv64erpr36xdmMDPgf9rhRXBYZ0BZb5nrw2ZPSk1sQ=",
+        "narHash": "sha256-UhuvTR4OrWR+WBaRCZm4YMkvjJhZ1KZo/jRjE41m+Ek=",
        "owner": "LnL7",
        "repo": "nix-darwin",
-        "rev": "678b22642abde2ee77ae2218ab41d802f010e5b0",
+        "rev": "6ab392f626a19f1122d1955c401286e1b7cf6b53",
        "type": "github"
      },
      "original": {
@@ -577,11 +615,11 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1739214665,
+        "lastModified": 1739866667,
-        "narHash": "sha256-26L8VAu3/1YRxS8MHgBOyOM8xALdo6N0I04PgorE7UM=",
+        "narHash": "sha256-EO1ygNKZlsAC9avfcwHkKGMsmipUk1Uc0TbrEZpkn64=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "64e75cd44acf21c7933d61d7721e812eac1b5a0a",
+        "rev": "73cf49b8ad837ade2de76f87eb53fc85ed5d4680",
        "type": "github"
      },
      "original": {
@@ -621,11 +659,11 @@
    },
    "nixpkgs-stable_2": {
      "locked": {
-        "lastModified": 1739624908,
+        "lastModified": 1739923778,
-        "narHash": "sha256-f84lBmLl4tkDp1ZU5LBTSFzlxXP4926DVW3KnXrke10=",
+        "narHash": "sha256-BqUY8tz0AQ4to2Z4+uaKczh81zsGZSYxjgvtw+fvIfM=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "a60651b217d2e529729cbc7d989c19f3941b9250",
+        "rev": "36864ed72f234b9540da4cf7a0c49e351d30d3f1",
        "type": "github"
      },
      "original": {
@@ -637,11 +675,11 @@
    },
    "nixpkgs-unstable": {
      "locked": {
-        "lastModified": 1739736696,
+        "lastModified": 1739866667,
-        "narHash": "sha256-zON2GNBkzsIyALlOCFiEBcIjI4w38GYOb+P+R4S8Jsw=",
+        "narHash": "sha256-EO1ygNKZlsAC9avfcwHkKGMsmipUk1Uc0TbrEZpkn64=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "d74a2335ac9c133d6bbec9fc98d91a77f1604c1f",
+        "rev": "73cf49b8ad837ade2de76f87eb53fc85ed5d4680",
        "type": "github"
      },
      "original": {
@@ -653,11 +691,11 @@
    },
    "nixpkgs_2": {
      "locked": {
-        "lastModified": 1738546358,
+        "lastModified": 1739214665,
-        "narHash": "sha256-nLivjIygCiqLp5QcL7l56Tca/elVqM9FG1hGd9ZSsrg=",
+        "narHash": "sha256-26L8VAu3/1YRxS8MHgBOyOM8xALdo6N0I04PgorE7UM=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "c6e957d81b96751a3d5967a0fd73694f303cc914",
+        "rev": "64e75cd44acf21c7933d61d7721e812eac1b5a0a",
        "type": "github"
      },
      "original": {
@@ -777,6 +815,7 @@
      "inputs": {
        "authentik-nix": "authentik-nix",
        "chaotic": "chaotic",
        "crowdsec": "crowdsec",
        "home-manager": "home-manager_2",
        "home-manager-stable": "home-manager-stable",
        "impermanence": "impermanence",
@@ -794,11 +833,11 @@
    "rust-analyzer-src": {
      "flake": false,
      "locked": {
-        "lastModified": 1738997488,
+        "lastModified": 1739913186,
-        "narHash": "sha256-jeNdFVtEDLypGIbNqBjURovfw9hMkVtlLR7j/5fRh54=",
+        "narHash": "sha256-7MSzs64dLDgq1wFw2eujZ01qdj9K+TwIlQMyWebotE8=",
        "owner": "rust-lang",
        "repo": "rust-analyzer",
-        "rev": "208bc52b5dc177badc081c64eb0584a313c73242",
+        "rev": "3028f844c5898dcf115f6bc67a5ce793989b04a1",
        "type": "github"
      },
      "original": {
@@ -895,6 +934,21 @@
        "type": "github"
      }
    },
    "systems_3": {
      "locked": {
        "lastModified": 1681028828,
        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
        "owner": "nix-systems",
        "repo": "default",
        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
        "type": "github"
      },
      "original": {
        "owner": "nix-systems",
        "repo": "default",
        "type": "github"
      }
    },
    "treefmt-nix": {
      "inputs": {
        "nixpkgs": [
--- a/flake.nix
+++ b/flake.nix
@@ -50,6 +50,11 @@
      inputs.nixpkgs.follows = "nixpkgs-stable";
    };
    crowdsec = {
      url = "git+https://codeberg.org/kampka/nix-flake-crowdsec.git";
      inputs.nixpkgs.follows = "nixpkgs-stable";
    };
    #Apple
    nixos-apple-silicon.url = "github:tpwrules/nixos-apple-silicon";
    # nixos-apple-silicon.url = "github:mjallen18/nixos-apple-silicon";
@@ -83,6 +88,7 @@
      # cosmic,
      authentik-nix,
      sops-nix,
      crowdsec,
      manyfold,
      jovian,
    }@inputs:
@@ -146,6 +152,14 @@
            sops-nix.nixosModules.sops
            crowdsec.nixosModules.crowdsec
            crowdsec.nixosModules.crowdsec-firewall-bouncer
            ({ ... }:
            {
              nixpkgs.overlays = [ crowdsec.overlays.default ];
            })
            nixos-hardware.nixosModules.common-pc
            nixos-hardware.nixosModules.common-cpu-amd
            nixos-hardware.nixosModules.common-hidpi
--- a/hosts/nas/apps.nix
+++ b/hosts/nas/apps.nix
@@ -2,6 +2,7 @@
 {
  imports = [
    ./apps/arrs
    ./apps/crowdsec
    ./apps/jellyfin
    ./apps/jellyseerr
    ./apps/nextcloud
--- a/hosts/nas/apps/crowdsec/default.nix
+++ b/hosts/nas/apps/crowdsec/default.nix
@@ -0,0 +1,44 @@
 { outputs, pkgs, ... }:
 {
  services = {
    crowdsec = let
      yaml = (pkgs.formats.yaml {}).generate;
      acquisitions_file = yaml "acquisitions.yaml" {
        source = "journalctl";
        journalctl_filter = ["_SYSTEMD_UNIT=sshd.service"];
        labels.type = "syslog";
      };
    in  {
      enable = true;
      enrollKeyFile = "/media/nas/ssd/nix-app-data/crowdsec/enroll.key";
      settings = {
        crowdsec_service.acquisition_path = acquisitions_file;
        api.server = {
          listen_uri = "0.0.0.0:9898";
        };
      };
    };
    crowdsec-firewall-bouncer = {
      enable = true;
      settings = {
        api_key = "1daH89qmJ41r2Lpd9hvDw4sxtOAtBzaj3aKFOFqE";
        api_url = "http://10.0.1.18:9898";
      };
    };
  };
  systemd.services.crowdsec.serviceConfig = {
    ExecStartPre = let
      script = pkgs.writeScriptBin "register-bouncer" ''
        #!${pkgs.runtimeShell}
        set -eu
        set -o pipefail
        if ! cscli bouncers list | grep -q "nas-bouncer"; then
          cscli bouncers add "nas-bouncer" --key "1daH89qmJ41r2Lpd9hvDw4sxtOAtBzaj3aKFOFqE"
        fi
      '';
    in ["${script}/bin/register-bouncer"];
  };
 }
--- a/hosts/nas/configuration.nix
+++ b/hosts/nas/configuration.nix
@@ -96,6 +96,7 @@ in
      glances
      gparted
      htop
      ipset
      jq
      lm_sensors
      nano
--- a/hosts/nas/impermanence.nix
+++ b/hosts/nas/impermanence.nix
@@ -40,6 +40,12 @@
        group = "jallen-nas";
        mode = "u=rwx,g=rx,o=rx";
      }
      {
        directory = "/var/lib/crowdsec";
        user = "crowdsec";
        group = "crowdsec";
        mode = "u=rwx,g=rwx,o=rx";
      }
    ];
    files = [
      "/var/cache-priv-key.pem"