fix nix flake check
This commit is contained in:
mjallen18
@@ -10,9 +10,6 @@ let
|
||||
name = "crowdsec";
|
||||
cfg = config.${namespace}.services.${name};
|
||||
|
||||
ntfyServer = "https://ntfy.mjallen.dev";
|
||||
ntfyTopic = "crowdsec";
|
||||
|
||||
# Build the notification-http plugin binary from the crowdsec source.
|
||||
# The nixpkgs crowdsec package omits all notification plugin binaries;
|
||||
# we build just the http one we need.
|
||||
@@ -223,30 +220,61 @@ let
|
||||
# a nix store path via -c and never creates that file. Expose the full
|
||||
# NixOS-generated config (which includes plugin_config via
|
||||
# settings.general.plugin_config) at the well-known path.
|
||||
environment.etc."crowdsec/config.yaml" =
|
||||
let
|
||||
execStart = builtins.elemAt config.systemd.services.crowdsec.serviceConfig.ExecStart 1;
|
||||
configPath = builtins.head (builtins.match ".* -c ([^ ]+) .*" execStart);
|
||||
in
|
||||
{
|
||||
source = configPath;
|
||||
mode = "0440";
|
||||
environment.etc = {
|
||||
"crowdsec/config.yaml" =
|
||||
let
|
||||
execStart = builtins.elemAt config.systemd.services.crowdsec.serviceConfig.ExecStart 1;
|
||||
configPath = builtins.head (builtins.match ".* -c ([^ ]+) .*" execStart);
|
||||
in
|
||||
{
|
||||
source = configPath;
|
||||
mode = "0440";
|
||||
user = "crowdsec";
|
||||
group = "crowdsec";
|
||||
};
|
||||
|
||||
# ---------------------------------------------------------------------------
|
||||
# ntfy notifications via the CrowdSec HTTP notification plugin
|
||||
# ---------------------------------------------------------------------------
|
||||
|
||||
# Place the notification-http binary at the path the NixOS crowdsec module
|
||||
# hardcodes for plugin_dir (/etc/crowdsec/plugins/). CrowdSec matches
|
||||
# plugins by their filename — it expects "notification-http" for type=http.
|
||||
"crowdsec/plugins/notification-http" = lib.mkIf cfg.ntfy.enable {
|
||||
source = "${crowdsecHttpPlugin}/bin/notification-http";
|
||||
mode = "0550";
|
||||
user = "crowdsec";
|
||||
group = "crowdsec";
|
||||
};
|
||||
|
||||
# ---------------------------------------------------------------------------
|
||||
# ntfy notifications via the CrowdSec HTTP notification plugin
|
||||
# ---------------------------------------------------------------------------
|
||||
|
||||
# Place the notification-http binary at the path the NixOS crowdsec module
|
||||
# hardcodes for plugin_dir (/etc/crowdsec/plugins/). CrowdSec matches
|
||||
# plugins by their filename — it expects "notification-http" for type=http.
|
||||
environment.etc."crowdsec/plugins/notification-http" = lib.mkIf cfg.ntfy.enable {
|
||||
source = "${crowdsecHttpPlugin}/bin/notification-http";
|
||||
mode = "0550";
|
||||
user = "crowdsec";
|
||||
group = "crowdsec";
|
||||
# CrowdSec profiles.yaml: route every alert to the ntfy plugin.
|
||||
# This replaces the default "do nothing" profile.
|
||||
"crowdsec/profiles.yaml" = lib.mkIf cfg.ntfy.enable {
|
||||
text = ''
|
||||
name: default_ip_remediation
|
||||
filters:
|
||||
- Alert.Remediation == true && Alert.GetScope() == "Ip"
|
||||
decisions:
|
||||
- type: ban
|
||||
duration: 4h
|
||||
notifications:
|
||||
- ntfy_plugin
|
||||
on_success: break
|
||||
---
|
||||
name: default_range_remediation
|
||||
filters:
|
||||
- Alert.Remediation == true && Alert.GetScope() == "Range"
|
||||
decisions:
|
||||
- type: ban
|
||||
duration: 4h
|
||||
notifications:
|
||||
- ntfy_plugin
|
||||
on_success: break
|
||||
'';
|
||||
mode = "0440";
|
||||
user = "crowdsec";
|
||||
group = "crowdsec";
|
||||
};
|
||||
};
|
||||
|
||||
# The ntfy plugin config YAML (with credentials baked in) is managed as a
|
||||
@@ -260,35 +288,6 @@ let
|
||||
}"
|
||||
];
|
||||
|
||||
# CrowdSec profiles.yaml: route every alert to the ntfy plugin.
|
||||
# This replaces the default "do nothing" profile.
|
||||
environment.etc."crowdsec/profiles.yaml" = lib.mkIf cfg.ntfy.enable {
|
||||
text = ''
|
||||
name: default_ip_remediation
|
||||
filters:
|
||||
- Alert.Remediation == true && Alert.GetScope() == "Ip"
|
||||
decisions:
|
||||
- type: ban
|
||||
duration: 4h
|
||||
notifications:
|
||||
- ntfy_plugin
|
||||
on_success: break
|
||||
---
|
||||
name: default_range_remediation
|
||||
filters:
|
||||
- Alert.Remediation == true && Alert.GetScope() == "Range"
|
||||
decisions:
|
||||
- type: ban
|
||||
duration: 4h
|
||||
notifications:
|
||||
- ntfy_plugin
|
||||
on_success: break
|
||||
'';
|
||||
mode = "0440";
|
||||
user = "crowdsec";
|
||||
group = "crowdsec";
|
||||
};
|
||||
|
||||
};
|
||||
};
|
||||
in
|
||||
|
||||
@@ -17,12 +17,12 @@ let
|
||||
sops = {
|
||||
secrets = {
|
||||
"jallen-nas/matrix/client-id" = {
|
||||
sopsFile = (lib.snowfall.fs.get-file "secrets/nas-secrets.yaml");
|
||||
sopsFile = lib.snowfall.fs.get-file "secrets/nas-secrets.yaml";
|
||||
owner = "matrix-synapse";
|
||||
group = "matrix-synapse";
|
||||
};
|
||||
"jallen-nas/matrix/client-secret" = {
|
||||
sopsFile = (lib.snowfall.fs.get-file "secrets/nas-secrets.yaml");
|
||||
sopsFile = lib.snowfall.fs.get-file "secrets/nas-secrets.yaml";
|
||||
owner = "matrix-synapse";
|
||||
group = "matrix-synapse";
|
||||
};
|
||||
@@ -72,7 +72,7 @@ let
|
||||
|
||||
listeners = [
|
||||
{
|
||||
port = cfg.port;
|
||||
inherit (cfg) port;
|
||||
tls = false;
|
||||
x_forwarded = true;
|
||||
bind_addresses = [
|
||||
|
||||
@@ -9,7 +9,6 @@ let
|
||||
|
||||
serverName = "sparky-fitness-server";
|
||||
frontendName = "sparky-fitness";
|
||||
dbName = "sparky-fitness-db";
|
||||
|
||||
serverCfg = config.${namespace}.services.${serverName};
|
||||
frontendCfg = config.${namespace}.services.${frontendName};
|
||||
|
||||
Reference in New Issue
Block a user