This commit is contained in:
mjallen18
2025-09-22 07:48:44 -05:00
parent 0a40f7712a
commit aa0d09d3c9
12 changed files with 469 additions and 366 deletions


@@ -12,55 +12,68 @@ in
{
imports = [ ./options.nix ];
config = lib.mkIf cfg.enable {
services = {
crowdsec =
let
yaml = (pkgs.formats.yaml { }).generate;
acquisitions_file = yaml "acquisitions.yaml" {
source = "journalctl";
journalctl_filter = [ "_SYSTEMD_UNIT=sshd.service" ];
labels.type = "syslog";
};
in
{
enable = true;
enrollKeyFile = "${cfg.dataDir}/enroll.key";
settings = {
crowdsec_service.acquisition_path = acquisitions_file;
api.server = {
listen_uri = "0.0.0.0:${toString cfg.port}";
};
};
};
crowdsec-firewall-bouncer = {
services = {
crowdsec = {
enable = true;
openFirewall = true;
hub = {
appSecConfigs = [
"crowdsecurity/appsec-default"
];
appSecRules = [
"crowdsecurity/base-config"
];
collections = [
"crowdsecurity/linux"
"crowdsecurity/traefik"
"firix/authentik"
];
parsers = [
"crowdsecurity/sshd-logs"
];
postOverflows = [
"crowdsecurity/auditd-nix-wrappers-whitelist-process"
];
scenarios = [
"crowdsecurity/ssh-bf"
];
};
localConfig = {
acquisitions = [
{
journalctl_filter = [
"_SYSTEMD_UNIT=sshd.service"
];
labels = {
type = "syslog";
};
source = "journalctl";
}
{
journalctl_filter = [
"_SYSTEMD_UNIT=traefik.service"
];
labels = {
type = "syslog";
};
source = "journalctl";
}
{
journalctl_filter = [
"_SYSTEMD_UNIT=authentik.service"
];
labels = {
type = "syslog";
};
source = "journalctl";
}
];
};
settings = {
api_key = cfg.apiKey;
api_url = "http://${cfg.apiAddress}:${toString cfg.port}";
capi.credentialsFile = cfg.apiKey;
};
};
};
systemd.services.crowdsec.serviceConfig = {
ExecStartPre =
let
script = pkgs.writeScriptBin "register-bouncer" ''
#!${pkgs.runtimeShell}
set -eu
set -o pipefail
if ! cscli bouncers list | grep -q "nas-bouncer"; then
cscli bouncers add "nas-bouncer" --key "${cfg.apiKey}"
fi
'';
in
[ "${script}/bin/register-bouncer" ];
};
networking.firewall = mkIf cfg.openFirewall {
allowedTCPPorts = [ cfg.port ];
allowedUDPPorts = [ cfg.port ];
};
};
}
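Review bot: The three journalctl acquisitions under `localConfig.acquisitions` all carry `labels.type = "syslog"`, yet the `crowdsecurity/traefik` and `firix/authentik` collections added under `hub.collections` are normally fed with `labels.type = "traefik"` and `"authentik"`; with the syslog label their parsers are likely never to match, so the new units get ingested but yield no detections. Verify with `cscli explain --file <sample-line> --type syslog` (or `cscli metrics` after a few requests) and set each acquisition's type to what its parser filters on. `openFirewall = true;` on the crowdsec service (which, if this is the nixpkgs module, opens the LAPI port) is only needed when a bouncer on another host must reach the LAPI; a bouncer on the same box should use the loopback address, so drop it or bind the LAPI to `cfg.apiAddress`. If the `register-bouncer` ExecStartPre script is still present on the new side, `--key "${cfg.apiKey}"` bakes the bouncer key into a world-readable store path; read it from a root-only file at runtime instead, e.g. `--key "$(cat ${cfg.dataDir}/bouncer.key)"`. This is a rendered page with old and new sides interleaved, so which of the trailing `settings`/`ExecStartPre`/firewall lines survive is not certain from here.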

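--- /dev/null
+++ b/glance.nix
@@ -0,0 +1,226 @@
+{ config, lib, namespace, ... }:
+let
+inherit (lib.${namespace}) mkOpt mkReverseProxyOpt;
+cfg = config.${namespace}.services.glance;
+in
+with lib;
+{
+options.${namespace}.services.glance = {
+enable = mkEnableOption "glance service";
+port = mkOpt types.int 80 "Port for glance to be hosted on";
+localAddress = mkOpt types.str "127.0.0.1" "local address of the service";
+dataDir = mkOpt types.str "" "Path to the data dir";
+reverseProxy = mkReverseProxyOpt;
+};
+config = lib.mkIf cfg.enable {
+services.glance = {
+enable = true;
+openFirewall = true;
+settings = {
+server = {
+host = "0.0.0.0";
+port = cfg.port;
+};
+pages = [
+{
+name = "Startpage";
+width = "default";
+hide-desktop-navigation = true;
+center-vertically = true;
+columns = [
+{
+size = "small";
+widgets = [
+{
+type = "calendar";
+first-day-of-week = "sunday";
+}
+{
+type = "weather";
+units = "metric";
+hour-format = "12h";
+location = "Saint Paul, Minnesota, United States";
+}
+{
+type = "server-stats";
+servers = [
+{
+type = "local";
+name = "Jallen-NAS";
+cpu-temp-sensor = "/sys/class/hwmon/hwmon2/temp2_input";
+mountpoints = {
+"/home" = {
+name = "Home";
+};
+"/media/nas/main" = {
+name = "nas_pool";
+};
+};
+}
+];
+}
+];
+}
+{
+size = "full";
+widgets = [
+{
+type = "search";
+autofocus = true;
+search-engine = "duckduckgo";
+bangs = [
+{
+title = "YouTube";
+shortcut = "!yt";
+url = "https://www.youtube.com/results?search_query={QUERY}";
+}
+];
+}
+{
+type = "monitor";
+cache = "1m";
+title = "Services";
+sites = [
+{
+title = "Actual";
+url = "https://actual.mjallen.dev/";
+icon = "si:actualbudget";
+}
+{
+title = "Jellyfin";
+url = "https://jellyfin.mjallen.dev/";
+icon = "si:jellyfin";
+}
+{
+title = "Gitea";
+url = "https://gitea.mjallen.dev/";
+icon = "si:gitea";
+}
+{
+title = "Nextcloud";
+url = "https://cloud.mjallen.dev/";
+icon = "si:nextcloud";
+}
+{
+title = "Immich";
+url = "https://immich.mjallen.dev/";
+icon = "si:immich";
+}
+{
+title = "AdGuard Home";
+url = "http://10.0.1.2:3000/";
+icon = "si:adguard";
+allow-insecure = true;
+}
+{
+title = "Home Assistant";
+url = "https://hass.mjallen.dev/";
+icon = "si:homeassistant";
+}
+{
+title = "Manyfold";
+url = "http://10.0.1.3:3214/collections";
+icon = "sh:Manyfold";
+allow-insecure = true;
+}
+{
+title = "Sonarr";
+url = "http://10.0.1.3:8989/";
+icon = "si:sonarr";
+allow-insecure = true;
+basic-auth = {
+username = "mjallen";
+password = "BogieDudie1";
+};
+}
+{
+title = "Radarr";
+url = "http://10.0.1.3:7878/";
+icon = "si:radarr";
+allow-insecure = true;
+basic-auth = {
+username = "mjallen";
+password = "BogieDudie1";
+};
+}
+# {
+# title = "";
+# url = "";
+# icon = "si:";
+# }
+];
+}
+{
+type = "bookmarks";
+groups = [
+{
+title = "General";
+links = [
+{
+title = "Gmail";
+url = "https://mail.google.com/mail/u/0/";
+}
+{
+title = "Proton Mail";
+url = "https://mail.proton.me/u/0/inbox";
+}
+{
+title = "MyNixOS";
+url = "https://www.mynixos.com/";
+}
+{
+title = "Github";
+url = "https://github.com/";
+}
+];
+}
+{
+title = "Entertainment";
+links = [
+{
+title = "YouTube";
+url = "https://www.youtube.com/";
+}
+{
+title = "Prime Video";
+url = "https://www.primevideo.com/";
+}
+{
+title = "Disney+";
+url = "https://www.disneyplus.com/";
+}
+];
+}
+{
+title = "Social";
+links = [
+{
+title = "Reddit";
+url = "https://www.reddit.com/";
+}
+{
+title = "Twitter";
+url = "https://twitter.com/";
+}
+{
+title = "Instagram";
+url = "https://www.instagram.com/";
+}
+];
+}
+];
+}
+];
+}
+];
+}
+];
+};
+};
+};
+}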
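Review bot: The `basic-auth` blocks for the Sonarr and Radarr monitors carry a plaintext password (`password = "BogieDudie1"`, the same value for both); as module source it ends up in the world-readable Nix store and in git history, so that credential should be treated as exposed and rotated now. Keep secrets out of the module: if the NixOS glance module offers an `environmentFile` option and the config accepts `${VAR}` substitution, write `password = "\${SONARR_PASSWORD}";` and load the value from a root-only file, otherwise point at a file managed by your secrets tooling. The `localAddress` option declared in this file (default `127.0.0.1`) is never used: `server.host = "0.0.0.0"` together with `openFirewall = true` and the default port 80 publishes the dashboard — internal addresses and the credentialed monitors included — on every interface, so bind with `host = cfg.localAddress;` and leave `openFirewall` off when the declared `reverseProxy` is what fronts it. `dataDir` and `reverseProxy` are declared but not consumed anywhere in this file, which suggests the module is unfinished compared with the matrix module below that calls `mkReverseProxy`.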


@@ -129,7 +129,7 @@ let
# Create reverse proxy configuration using mkReverseProxy
reverseProxyConfig = lib.${namespace}.mkReverseProxy {
name = "actual";
name = "matrix";
subdomain = cfg.reverseProxy.subdomain;
url = "http://${cfg.localAddress}:${toString cfg.port}";
middlewares = cfg.reverseProxy.middlewares;
@@ -154,7 +154,7 @@ with lib;
options.${namespace}.services.matrix = {
enable = mkEnableOption "matrix service";
port = mkOpt types.int 8008 "Port for Actual to be hosted on";
port = mkOpt types.int 8008 "Port for matrix to be hosted on";
localAddress = mkOpt types.str "127.0.0.1" "local address of the service";


@@ -69,7 +69,7 @@ with lib;
options.${namespace}.services.matrix = {
enable = mkEnableOption "matrix service";
port = mkOpt types.int 8008 "Port for Actual to be hosted on";
port = mkOpt types.int 8008 "Port for matrix to be hosted on";
localAddress = mkOpt types.str "127.0.0.1" "local address of the service";