diff --git a/modules/nixos/services/collabora/default.nix b/modules/nixos/services/collabora/default.nix index 90e7c2e..1c66536 100644 --- a/modules/nixos/services/collabora/default.nix +++ b/modules/nixos/services/collabora/default.nix 
@@ -5,58 +5,50 @@ ... }: let - inherit (lib.${namespace}) mkOpt mkReverseProxyOpt; - cfg = config.${namespace}.services.collabora; - + name = "collabora"; + cfg = config.${namespace}.services.${name}; jwtSecretFile = config.sops.secrets."jallen-nas/onlyoffice-key".path; -in -{ - options.${namespace}.services.collabora = with lib; { - enable = lib.mkEnableOption ""; - port = mkOpt types.int 9980 "Port for opencloud to be hosted on"; + collaboraConfig = lib.${namespace}.mkModule { + inherit config name; + description = "collabora code server"; + options = { }; + moduleConfig = { + services.collabora-online = { + enable = true; + port = cfg.port; + settings = { + # Rely on reverse proxy for SSL + ssl = { + enable = false; + termination = true; + }; - configPath = mkOpt types.str "/media/nas/main/nix-app-data/collabora" "Path to the data dir"; + # Listen on loopback interface only, and accept requests from ::1 + net = { + listen = cfg.listenAddress; + post_allow.host = [ + "cloud.mjallen.dev" + "office.mjallen.dev" + "10.0.1.3" + "10.0.1.0/24" + ]; + frame_ancestors = "cloud.mjallen.dev"; + }; - puid = mkOpt types.str "911" "puid"; + # Restrict loading documents from WOPI Host + storage.wopi = { + "@allow" = true; + host = ["cloud.mjallen.dev"]; + }; - pgid = mkOpt types.str "1000" "pgid"; - - timeZone = mkOpt types.str "America/Chicago" "container tz"; - }; - - config = lib.mkIf cfg.enable { - services.collabora-online = { - enable = true; - port = cfg.port; - settings = { - # Rely on reverse proxy for SSL - ssl = { - enable = false; - termination = true; + # Set FQDN of server + server_name = "office.mjallen.dev"; }; - - # Listen on loopback interface only, and accept requests from ::1 - net = { - listen = "0.0.0.0"; - post_allow.host = [ - "cloud.mjallen.dev" - "office.mjallen.dev" - "10.0.1.3" - "10.0.1.0/24" - ]; - frame_ancestors = "cloud.mjallen.dev"; - }; - - # Restrict loading documents from WOPI Host - storage.wopi = { - "@allow" = true; - host = 
["cloud.mjallen.dev"]; - }; - - # Set FQDN of server - server_name = "office.mjallen.dev"; }; }; }; +in +{ + imports = [ collaboraConfig ]; } diff --git a/modules/nixos/services/crowdsec/default.nix b/modules/nixos/services/crowdsec/default.nix index 0cef85d..676eb1b 100755 --- a/modules/nixos/services/crowdsec/default.nix +++ b/modules/nixos/services/crowdsec/default.nix 
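Review bot: The comment `# Listen on loopback interface only, and accept requests from ::1` kept above `listen = cfg.listenAddress;` no longer describes the code: the bind address is now whatever the shared `listenAddress` option resolves to (its default is set by `mkModule`, outside this hunk), and the value it replaces was `0.0.0.0`, so nothing here shows a loopback-only bind. With `ssl.enable = false` the service depends entirely on the reverse proxy and the `post_allow.host` list for exposure control, so the comment should state that intent instead, e.g. `# Bind address comes from the shared listenAddress option; TLS is terminated by the reverse proxy, so keep this off any public interface`. `jwtSecretFile` is still bound in the `let` but is not referenced anywhere in the new module body; if it is unused it should go, and if it was meant to be wired into `settings` that wiring is missing. Since `options = { };` is empty, `cfg.port` and `cfg.listenAddress` must be supplied by `mkModule`, which deserves a one-line comment because a reader of this file cannot see where they come from. The module function header and the start of the `let` lie before this hunk's first line.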
@@ -5,115 +5,124 @@ ... }: let - cfg = config.${namespace}.services.crowdsec; -in -{ - imports = [ ./options.nix ]; - config = lib.mkIf cfg.enable { + inherit (lib.${namespace}) mkOpt; + name = "crowdsec"; + cfg = config.${namespace}.services.${name}; - services = { - crowdsec = { - enable = true; - openFirewall = true; - hub = { - appSecConfigs = [ - "crowdsecurity/appsec-default" - ]; - appSecRules = [ - "crowdsecurity/base-config" - ]; - collections = [ - "crowdsecurity/http-cve" - "crowdsecurity/http-dos" - "crowdsecurity/linux" - "crowdsecurity/nextcloud" - "crowdsecurity/pgsql" - "crowdsecurity/smb" - "crowdsecurity/sshd" - "crowdsecurity/traefik" - "firix/authentik" - ]; - parsers = [ - "crowdsecurity/actual-budget-whitelist" - "crowdsecurity/jellyfin-whitelist" - "crowdsecurity/jellyseerr-whitelist" - "crowdsecurity/nextcloud-logs" - "crowdsecurity/nextcloud-whitelist" - "crowdsecurity/pgsql-logs" - "crowdsecurity/smb-logs" - "crowdsecurity/sshd-logs" - "crowdsecurity/sshd-success-logs" - "crowdsecurity/syslog-logs" - ]; - postOverflows = [ - "crowdsecurity/auditd-nix-wrappers-whitelist-process" - ]; - scenarios = [ - "crowdsecurity/ssh-bf" - ]; - }; - localConfig = { - acquisitions = [ - { - journalctl_filter = [ - "_SYSTEMD_UNIT=authentik.service" - ]; - labels = { - type = "syslog"; - }; - source = "journalctl"; - } - { - journalctl_filter = [ - "_SYSTEMD_UNIT=postgresql.service" - ]; - labels = { - type = "syslog"; - }; - source = "journalctl"; - } - { - journalctl_filter = [ - "_SYSTEMD_UNIT=smbd.service" - ]; - labels = { - type = "syslog"; - }; - source = "journalctl"; - } - { - journalctl_filter = [ - "_SYSTEMD_UNIT=sshd.service" - ]; - labels = { - type = "syslog"; - }; - source = "journalctl"; - } - { - journalctl_filter = [ - "_SYSTEMD_UNIT=traefik.service" - ]; - labels = { - type = "syslog"; - }; - source = "journalctl"; - } - ]; - }; - settings = { - general.api = { - server = { - enable = true; - listen_uri = "${cfg.apiAddress}:${toString 
cfg.port}"; - }; - client = { - credentials_path = lib.mkForce "/media/nas/main/nix-app-data/crowdsec/client.yaml"; - }; + crowdsecConfig = lib.${namespace}.mkModule { + inherit config name; + description = "crowdsec"; + options = with lib; { + apiKey = mkOpt types.str "" "API key for crowdsec bouncer"; + }; + moduleConfig = { + services = { + crowdsec = { + enable = true; + openFirewall = cfg.openFirewall; + hub = { + appSecConfigs = [ + "crowdsecurity/appsec-default" + ]; + appSecRules = [ + "crowdsecurity/base-config" + ]; + collections = [ + "crowdsecurity/http-cve" + "crowdsecurity/http-dos" + "crowdsecurity/linux" + "crowdsecurity/nextcloud" + "crowdsecurity/pgsql" + "crowdsecurity/smb" + "crowdsecurity/sshd" + "crowdsecurity/traefik" + "firix/authentik" + ]; + parsers = [ + "crowdsecurity/actual-budget-whitelist" + "crowdsecurity/jellyfin-whitelist" + "crowdsecurity/jellyseerr-whitelist" + "crowdsecurity/nextcloud-logs" + "crowdsecurity/nextcloud-whitelist" + "crowdsecurity/pgsql-logs" + "crowdsecurity/smb-logs" + "crowdsecurity/sshd-logs" + "crowdsecurity/sshd-success-logs" + "crowdsecurity/syslog-logs" + ]; + postOverflows = [ + "crowdsecurity/auditd-nix-wrappers-whitelist-process" + ]; + scenarios = [ + "crowdsecurity/ssh-bf" + ]; + }; + localConfig = { + acquisitions = [ + { + journalctl_filter = [ + "_SYSTEMD_UNIT=authentik.service" + ]; + labels = { + type = "syslog"; + }; + source = "journalctl"; + } + { + journalctl_filter = [ + "_SYSTEMD_UNIT=postgresql.service" + ]; + labels = { + type = "syslog"; + }; + source = "journalctl"; + } + { + journalctl_filter = [ + "_SYSTEMD_UNIT=smbd.service" + ]; + labels = { + type = "syslog"; + }; + source = "journalctl"; + } + { + journalctl_filter = [ + "_SYSTEMD_UNIT=sshd.service" + ]; + labels = { + type = "syslog"; + }; + source = "journalctl"; + } + { + journalctl_filter = [ + "_SYSTEMD_UNIT=traefik.service" + ]; + labels = { + type = "syslog"; + }; + source = "journalctl"; + } + ]; + }; + settings = { + 
general.api = { + server = { + enable = true; + listen_uri = "${cfg.listenAddress}:${toString cfg.port}"; + }; + client = { + credentials_path = lib.mkForce "/media/nas/main/nix-app-data/crowdsec/client.yaml"; + }; + }; + capi.credentialsFile = lib.mkDefault "/media/nas/main/nix-app-data/crowdsec/capi.yaml"; }; - capi.credentialsFile = lib.mkDefault "/media/nas/main/nix-app-data/crowdsec/capi.yaml"; }; }; }; }; +in +{ + imports = [ crowdsecConfig ]; } diff --git a/overlays/redis/default.nix b/overlays/redis/default.nix index e824642..981d3ba 100644 --- a/overlays/redis/default.nix +++ b/overlays/redis/default.nix @@ -3,4 +3,10 @@ final: _prev: { redis = final.valkey; uv = final.stable.uv; onnxruntime = final.stable.onnxruntime; + firefox = final.stable.firefox; + orca-slicer = final.stable.orca-slicer; + kde-connect = final.stable.kde-connect; + kdeconnect-kde = final.stable.kdeconnect-kde; + webkit-gtk = final.stable.webkit-gtk; + qtwebengine = final.stable.qtwebengine; }
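Review bot: The new option `apiKey = mkOpt types.str "" "API key for crowdsec bouncer";` declares a secret as a plain string, and nothing in `moduleConfig` reads `cfg.apiKey`, so it is either dead or will later be interpolated into a generated config file in the world-readable Nix store. The collabora module in this same diff already sources its key via `config.sops.secrets.*.path`, so the consistent form is a path option read at runtime, e.g. `apiKeyFile = mkOpt types.str "" "Path to a file holding the API key for the crowdsec bouncer";`. `openFirewall = cfg.openFirewall;` replaces the previous hard-coded `true`, so the effective exposure of the LAPI port now depends on a default assigned by `mkModule` outside this hunk; a comment stating the intended default here would keep that visible in the file. The `mkModule` call and the module function header begin before this hunk's first line.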
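Review bot: The six new `final.stable.*` pins carry no comment explaining why these packages are taken from the stable input, and the existing `uv`/`onnxruntime` pins have the same gap. For `firefox`, `qtwebengine` and `webkit-gtk` in particular, pinning to a slower channel is a deliberate trade-off against the patch cadence of browser engines, so a one-line comment for the group such as `# pinned to stable: unstable build broken as of <DATE-PLACEHOLDER>; drop once fixed` would tell a future reader when the pin can be removed. The file is named `overlays/redis/default.nix` but now holds unrelated overrides, which is a naming point worth a follow-up.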