teml

2025-12-15 19:51:42 -06:00
parent 367c3a16c5
commit e74ea5f13b
3 changed files with 157 additions and 150 deletions
--- a/modules/nixos/services/collabora/default.nix
+++ b/modules/nixos/services/collabora/default.nix
@@ -5,58 +5,50 @@
  ...
 }:
 let
-  inherit (lib.${namespace}) mkOpt mkReverseProxyOpt;
-  cfg = config.${namespace}.services.collabora;
-
+  name = "collabora";
+  cfg = config.${namespace}.services.${name};
  jwtSecretFile = config.sops.secrets."jallen-nas/onlyoffice-key".path;
-in
-{
-  options.${namespace}.services.collabora = with lib; {
-    enable = lib.mkEnableOption "";

-    port = mkOpt types.int 9980 "Port for opencloud to be hosted on";
+  collaboraConfig = lib.${namespace}.mkModule {
+    inherit config name;
+    description = "collabora code server";
+    options = { };
+    moduleConfig = {
+      services.collabora-online = {
+        enable = true;
+        port = cfg.port;
+        settings = {
+          # Rely on reverse proxy for SSL
+          ssl = {
+            enable = false;
+            termination = true;
+          };

-    configPath = mkOpt types.str "/media/nas/main/nix-app-data/collabora" "Path to the data dir";
+          # Listen on loopback interface only, and accept requests from ::1
+          net = {
+            listen = cfg.listenAddress;
+            post_allow.host = [
+              "cloud.mjallen.dev"
+              "office.mjallen.dev"
+              "10.0.1.3"
+              "10.0.1.0/24"
+            ];
+            frame_ancestors = "cloud.mjallen.dev";
+          };

-    puid = mkOpt types.str "911" "puid";
+          # Restrict loading documents from WOPI Host
+          storage.wopi = {
+            "@allow" = true;
+            host = ["cloud.mjallen.dev"];
+          };

-    pgid = mkOpt types.str "1000" "pgid";
-
-    timeZone = mkOpt types.str "America/Chicago" "container tz";
-  };
-
-  config = lib.mkIf cfg.enable {
-    services.collabora-online = {
-      enable = true;
-      port = cfg.port;
-      settings = {
-        # Rely on reverse proxy for SSL
-        ssl = {
-          enable = false;
-          termination = true;
+          # Set FQDN of server
+          server_name = "office.mjallen.dev";
        };
-
-        # Listen on loopback interface only, and accept requests from ::1
-        net = {
-          listen = "0.0.0.0";
-          post_allow.host = [
-            "cloud.mjallen.dev"
-            "office.mjallen.dev"
-            "10.0.1.3"
-            "10.0.1.0/24"
-          ];
-          frame_ancestors = "cloud.mjallen.dev";
-        };
-
-        # Restrict loading documents from WOPI Host
-        storage.wopi = {
-          "@allow" = true;
-          host = ["cloud.mjallen.dev"];
-        };
-
-        # Set FQDN of server
-        server_name = "office.mjallen.dev";
      };
    };
  };
+in
+{
+  imports = [ collaboraConfig ];
 }
--- a/modules/nixos/services/crowdsec/default.nix
+++ b/modules/nixos/services/crowdsec/default.nix
@@ -5,115 +5,124 @@
  ...
 }:
 let
-  cfg = config.${namespace}.services.crowdsec;
-in
-{
-  imports = [ ./options.nix ];
-  config = lib.mkIf cfg.enable {
+  inherit (lib.${namespace}) mkOpt;
+  name = "crowdsec";
+  cfg = config.${namespace}.services.${name};

-    services = {
-      crowdsec = {
-        enable = true;
-        openFirewall = true;
-        hub = {
-          appSecConfigs = [
-            "crowdsecurity/appsec-default"
-          ];
-          appSecRules = [
-            "crowdsecurity/base-config"
-          ];
-          collections = [
-            "crowdsecurity/http-cve"
-            "crowdsecurity/http-dos"
-            "crowdsecurity/linux"
-            "crowdsecurity/nextcloud"
-            "crowdsecurity/pgsql"
-            "crowdsecurity/smb"
-            "crowdsecurity/sshd"
-            "crowdsecurity/traefik"
-            "firix/authentik"
-          ];
-          parsers = [
-            "crowdsecurity/actual-budget-whitelist"
-            "crowdsecurity/jellyfin-whitelist"
-            "crowdsecurity/jellyseerr-whitelist"
-            "crowdsecurity/nextcloud-logs"
-            "crowdsecurity/nextcloud-whitelist"
-            "crowdsecurity/pgsql-logs"
-            "crowdsecurity/smb-logs"
-            "crowdsecurity/sshd-logs"
-            "crowdsecurity/sshd-success-logs"
-            "crowdsecurity/syslog-logs"
-          ];
-          postOverflows = [
-            "crowdsecurity/auditd-nix-wrappers-whitelist-process"
-          ];
-          scenarios = [
-            "crowdsecurity/ssh-bf"
-          ];
-        };
-        localConfig = {
-          acquisitions = [
-            {
-              journalctl_filter = [
-                "_SYSTEMD_UNIT=authentik.service"
-              ];
-              labels = {
-                type = "syslog";
-              };
-              source = "journalctl";
-            }
-            {
-              journalctl_filter = [
-                "_SYSTEMD_UNIT=postgresql.service"
-              ];
-              labels = {
-                type = "syslog";
-              };
-              source = "journalctl";
-            }
-            {
-              journalctl_filter = [
-                "_SYSTEMD_UNIT=smbd.service"
-              ];
-              labels = {
-                type = "syslog";
-              };
-              source = "journalctl";
-            }
-            {
-              journalctl_filter = [
-                "_SYSTEMD_UNIT=sshd.service"
-              ];
-              labels = {
-                type = "syslog";
-              };
-              source = "journalctl";
-            }
-            {
-              journalctl_filter = [
-                "_SYSTEMD_UNIT=traefik.service"
-              ];
-              labels = {
-                type = "syslog";
-              };
-              source = "journalctl";
-            }
-          ];
-        };
-        settings = {
-          general.api = {
-            server = {
-              enable = true;
-              listen_uri = "${cfg.apiAddress}:${toString cfg.port}";
-            };
-            client = {
-              credentials_path = lib.mkForce "/media/nas/main/nix-app-data/crowdsec/client.yaml";
-            };
+  crowdsecConfig = lib.${namespace}.mkModule {
+    inherit config name;
+    description = "crowdsec";
+    options = with lib; {
+      apiKey = mkOpt types.str "" "API key for crowdsec bouncer";
+    };
+    moduleConfig = {
+      services = {
+        crowdsec = {
+          enable = true;
+          openFirewall = cfg.openFirewall;
+          hub = {
+            appSecConfigs = [
+              "crowdsecurity/appsec-default"
+            ];
+            appSecRules = [
+              "crowdsecurity/base-config"
+            ];
+            collections = [
+              "crowdsecurity/http-cve"
+              "crowdsecurity/http-dos"
+              "crowdsecurity/linux"
+              "crowdsecurity/nextcloud"
+              "crowdsecurity/pgsql"
+              "crowdsecurity/smb"
+              "crowdsecurity/sshd"
+              "crowdsecurity/traefik"
+              "firix/authentik"
+            ];
+            parsers = [
+              "crowdsecurity/actual-budget-whitelist"
+              "crowdsecurity/jellyfin-whitelist"
+              "crowdsecurity/jellyseerr-whitelist"
+              "crowdsecurity/nextcloud-logs"
+              "crowdsecurity/nextcloud-whitelist"
+              "crowdsecurity/pgsql-logs"
+              "crowdsecurity/smb-logs"
+              "crowdsecurity/sshd-logs"
+              "crowdsecurity/sshd-success-logs"
+              "crowdsecurity/syslog-logs"
+            ];
+            postOverflows = [
+              "crowdsecurity/auditd-nix-wrappers-whitelist-process"
+            ];
+            scenarios = [
+              "crowdsecurity/ssh-bf"
+            ];
+          };
+          localConfig = {
+            acquisitions = [
+              {
+                journalctl_filter = [
+                  "_SYSTEMD_UNIT=authentik.service"
+                ];
+                labels = {
+                  type = "syslog";
+                };
+                source = "journalctl";
+              }
+              {
+                journalctl_filter = [
+                  "_SYSTEMD_UNIT=postgresql.service"
+                ];
+                labels = {
+                  type = "syslog";
+                };
+                source = "journalctl";
+              }
+              {
+                journalctl_filter = [
+                  "_SYSTEMD_UNIT=smbd.service"
+                ];
+                labels = {
+                  type = "syslog";
+                };
+                source = "journalctl";
+              }
+              {
+                journalctl_filter = [
+                  "_SYSTEMD_UNIT=sshd.service"
+                ];
+                labels = {
+                  type = "syslog";
+                };
+                source = "journalctl";
+              }
+              {
+                journalctl_filter = [
+                  "_SYSTEMD_UNIT=traefik.service"
+                ];
+                labels = {
+                  type = "syslog";
+                };
+                source = "journalctl";
+              }
+            ];
+          };
+          settings = {
+            general.api = {
+              server = {
+                enable = true;
+                listen_uri = "${cfg.listenAddress}:${toString cfg.port}";
+              };
+              client = {
+                credentials_path = lib.mkForce "/media/nas/main/nix-app-data/crowdsec/client.yaml";
+              };
+            };
+            capi.credentialsFile = lib.mkDefault "/media/nas/main/nix-app-data/crowdsec/capi.yaml";
          };
-          capi.credentialsFile = lib.mkDefault "/media/nas/main/nix-app-data/crowdsec/capi.yaml";
        };
      };
    };
  };
+in
+{
+  imports = [ crowdsecConfig ];
 }