This commit is contained in:
mjallen18
2025-12-15 19:51:42 -06:00
parent 367c3a16c5
commit e74ea5f13b
3 changed files with 157 additions and 150 deletions


@@ -5,58 +5,50 @@
}: }:
let let
inherit (lib.${namespace}) mkOpt mkReverseProxyOpt; name = "collabora";
cfg = config.${namespace}.services.collabora; cfg = config.${namespace}.services.${name};
jwtSecretFile = config.sops.secrets."jallen-nas/onlyoffice-key".path; jwtSecretFile = config.sops.secrets."jallen-nas/onlyoffice-key".path;
in
{
options.${namespace}.services.collabora = with lib; {
enable = lib.mkEnableOption "";
port = mkOpt types.int 9980 "Port for opencloud to be hosted on"; collaboraConfig = lib.${namespace}.mkModule {
inherit config name;
description = "collabora code server";
options = { };
moduleConfig = {
services.collabora-online = {
enable = true;
port = cfg.port;
settings = {
# Rely on reverse proxy for SSL
ssl = {
enable = false;
termination = true;
};
configPath = mkOpt types.str "/media/nas/main/nix-app-data/collabora" "Path to the data dir"; # Listen on loopback interface only, and accept requests from ::1
net = {
listen = cfg.listenAddress;
post_allow.host = [
"cloud.mjallen.dev"
"office.mjallen.dev"
"10.0.1.3"
"10.0.1.0/24"
];
frame_ancestors = "cloud.mjallen.dev";
};
puid = mkOpt types.str "911" "puid"; # Restrict loading documents from WOPI Host
storage.wopi = {
"@allow" = true;
host = ["cloud.mjallen.dev"];
};
pgid = mkOpt types.str "1000" "pgid"; # Set FQDN of server
server_name = "office.mjallen.dev";
timeZone = mkOpt types.str "America/Chicago" "container tz";
};
config = lib.mkIf cfg.enable {
services.collabora-online = {
enable = true;
port = cfg.port;
settings = {
# Rely on reverse proxy for SSL
ssl = {
enable = false;
termination = true;
}; };
# Listen on loopback interface only, and accept requests from ::1
net = {
listen = "0.0.0.0";
post_allow.host = [
"cloud.mjallen.dev"
"office.mjallen.dev"
"10.0.1.3"
"10.0.1.0/24"
];
frame_ancestors = "cloud.mjallen.dev";
};
# Restrict loading documents from WOPI Host
storage.wopi = {
"@allow" = true;
host = ["cloud.mjallen.dev"];
};
# Set FQDN of server
server_name = "office.mjallen.dev";
}; };
}; };
}; };
in
{
imports = [ collaboraConfig ];
} }
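Review bot: The comment `# Listen on loopback interface only, and accept requests from ::1` above `net.listen` no longer describes the new code, which binds to `cfg.listenAddress` (the removed side bound `"0.0.0.0"`), so a reader would assume a loopback-only bind that this module does not enforce. Because `ssl.enable = false` with `termination = true` leaves TLS to the reverse proxy, the bind address decides whether plaintext WOPI/Collabora traffic is reachable from beyond the proxy, and `post_allow.host` alone does not restrict that; replace the comment with `# Bind address comes from cfg.listenAddress; TLS is terminated by the reverse proxy, so keep this on loopback or the proxy-facing interface only`. `options = { };` declares neither `port` nor `listenAddress`, so both presumably come from `lib.${namespace}.mkModule`, and a short note on their defaults in `description` would spare the next reader a lookup. `jwtSecretFile` in the `let` block also appears unused anywhere in the new module. The module's argument header sits above the hunk.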


@@ -5,115 +5,124 @@
}: }:
let let
cfg = config.${namespace}.services.crowdsec; inherit (lib.${namespace}) mkOpt;
in name = "crowdsec";
{ cfg = config.${namespace}.services.${name};
imports = [ ./options.nix ];
config = lib.mkIf cfg.enable {
services = { crowdsecConfig = lib.${namespace}.mkModule {
crowdsec = { inherit config name;
enable = true; description = "crowdsec";
openFirewall = true; options = with lib; {
hub = { apiKey = mkOpt types.str "" "API key for crowdsec bouncer";
appSecConfigs = [ };
"crowdsecurity/appsec-default" moduleConfig = {
]; services = {
appSecRules = [ crowdsec = {
"crowdsecurity/base-config" enable = true;
]; openFirewall = cfg.openFirewall;
collections = [ hub = {
"crowdsecurity/http-cve" appSecConfigs = [
"crowdsecurity/http-dos" "crowdsecurity/appsec-default"
"crowdsecurity/linux" ];
"crowdsecurity/nextcloud" appSecRules = [
"crowdsecurity/pgsql" "crowdsecurity/base-config"
"crowdsecurity/smb" ];
"crowdsecurity/sshd" collections = [
"crowdsecurity/traefik" "crowdsecurity/http-cve"
"firix/authentik" "crowdsecurity/http-dos"
]; "crowdsecurity/linux"
parsers = [ "crowdsecurity/nextcloud"
"crowdsecurity/actual-budget-whitelist" "crowdsecurity/pgsql"
"crowdsecurity/jellyfin-whitelist" "crowdsecurity/smb"
"crowdsecurity/jellyseerr-whitelist" "crowdsecurity/sshd"
"crowdsecurity/nextcloud-logs" "crowdsecurity/traefik"
"crowdsecurity/nextcloud-whitelist" "firix/authentik"
"crowdsecurity/pgsql-logs" ];
"crowdsecurity/smb-logs" parsers = [
"crowdsecurity/sshd-logs" "crowdsecurity/actual-budget-whitelist"
"crowdsecurity/sshd-success-logs" "crowdsecurity/jellyfin-whitelist"
"crowdsecurity/syslog-logs" "crowdsecurity/jellyseerr-whitelist"
]; "crowdsecurity/nextcloud-logs"
postOverflows = [ "crowdsecurity/nextcloud-whitelist"
"crowdsecurity/auditd-nix-wrappers-whitelist-process" "crowdsecurity/pgsql-logs"
]; "crowdsecurity/smb-logs"
scenarios = [ "crowdsecurity/sshd-logs"
"crowdsecurity/ssh-bf" "crowdsecurity/sshd-success-logs"
]; "crowdsecurity/syslog-logs"
}; ];
localConfig = { postOverflows = [
acquisitions = [ "crowdsecurity/auditd-nix-wrappers-whitelist-process"
{ ];
journalctl_filter = [ scenarios = [
"_SYSTEMD_UNIT=authentik.service" "crowdsecurity/ssh-bf"
]; ];
labels = { };
type = "syslog"; localConfig = {
}; acquisitions = [
source = "journalctl"; {
} journalctl_filter = [
{ "_SYSTEMD_UNIT=authentik.service"
journalctl_filter = [ ];
"_SYSTEMD_UNIT=postgresql.service" labels = {
]; type = "syslog";
labels = { };
type = "syslog"; source = "journalctl";
}; }
source = "journalctl"; {
} journalctl_filter = [
{ "_SYSTEMD_UNIT=postgresql.service"
journalctl_filter = [ ];
"_SYSTEMD_UNIT=smbd.service" labels = {
]; type = "syslog";
labels = { };
type = "syslog"; source = "journalctl";
}; }
source = "journalctl"; {
} journalctl_filter = [
{ "_SYSTEMD_UNIT=smbd.service"
journalctl_filter = [ ];
"_SYSTEMD_UNIT=sshd.service" labels = {
]; type = "syslog";
labels = { };
type = "syslog"; source = "journalctl";
}; }
source = "journalctl"; {
} journalctl_filter = [
{ "_SYSTEMD_UNIT=sshd.service"
journalctl_filter = [ ];
"_SYSTEMD_UNIT=traefik.service" labels = {
]; type = "syslog";
labels = { };
type = "syslog"; source = "journalctl";
}; }
source = "journalctl"; {
} journalctl_filter = [
]; "_SYSTEMD_UNIT=traefik.service"
}; ];
settings = { labels = {
general.api = { type = "syslog";
server = { };
enable = true; source = "journalctl";
listen_uri = "${cfg.apiAddress}:${toString cfg.port}"; }
}; ];
client = { };
credentials_path = lib.mkForce "/media/nas/main/nix-app-data/crowdsec/client.yaml"; settings = {
}; general.api = {
server = {
enable = true;
listen_uri = "${cfg.listenAddress}:${toString cfg.port}";
};
client = {
credentials_path = lib.mkForce "/media/nas/main/nix-app-data/crowdsec/client.yaml";
};
};
capi.credentialsFile = lib.mkDefault "/media/nas/main/nix-app-data/crowdsec/capi.yaml";
}; };
capi.credentialsFile = lib.mkDefault "/media/nas/main/nix-app-data/crowdsec/capi.yaml";
}; };
}; };
}; };
}; };
in
{
imports = [ crowdsecConfig ];
} }
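Review bot: `apiKey = mkOpt types.str "" "API key for crowdsec bouncer";` declares a bouncer secret as a plain string option, so any value a host assigns to it is evaluated into the world-readable Nix store, unlike the rest of this module, which already points at files (`credentials_path`, `capi.credentialsFile`). Consider making it a path option instead, e.g. `apiKeyFile = mkOpt types.str "" "Path to a file holding the crowdsec bouncer API key";`, following the `config.sops.secrets.<name>.path` pattern the collabora module in this commit uses. The option is also not referenced anywhere in the new `moduleConfig`; if a bouncer module elsewhere reads `cfg.apiKey`, a one-line comment naming that consumer would make the empty default easier to judge. `openFirewall = cfg.openFirewall;` and `cfg.listenAddress` are likewise used while `options` declares only `apiKey`, so these presumably come from `mkModule` and are worth stating in `description`.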


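--- a/[overlay path not shown on page]
+++ b/[overlay path not shown on page]
@@ -3,4 +3,10 @@ final: _prev: {
 redis = final.valkey;
 uv = final.stable.uv;
 onnxruntime = final.stable.onnxruntime;
+firefox = final.stable.firefox;
+orca-slicer = final.stable.orca-slicer;
+kde-connect = final.stable.kde-connect;
+kdeconnect-kde = final.stable.kdeconnect-kde;
+webkit-gtk = final.stable.webkit-gtk;
+qtwebengine = final.stable.qtwebengine;
 }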
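Review bot: The six new `final.stable.*` overrides carry no comment saying why these packages are held back, so the next reader cannot tell a temporary build-breakage workaround from a deliberate pin, and `firefox`, `webkit-gtk` and `qtwebengine` are browser and web-engine packages where a forgotten pin means running behind whichever channel is currently receiving fixes. Add a one-line reason and a revisit trigger above the group, e.g. `# Held on stable because [reason placeholder]; drop once [issue placeholder] is resolved`. The overlay's `final: _prev: {` header is visible in the hunk context, so the block is otherwise complete.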