crowdsec
@@ -62,7 +62,7 @@
|
|||||||
libgbm
|
libgbm
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
seahorse.enable = lib.mkDefault false;
|
seahorse.enable = lib.mkDefault true;
|
||||||
};
|
};
|
||||||
environment = {
|
environment = {
|
||||||
systemPackages = with pkgs; [
|
systemPackages = with pkgs; [
|
||||||
|
|||||||
@@ -25,7 +25,6 @@ let
|
|||||||
userFiles = "${dataDir}/user-files";
|
userFiles = "${dataDir}/user-files";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
|
||||||
|
|
||||||
users.users.actual = {
|
users.users.actual = {
|
||||||
isSystemUser = true;
|
isSystemUser = true;
|
||||||
|
|||||||
@@ -1,6 +1,5 @@
|
|||||||
{
|
{
|
||||||
config,
|
config,
|
||||||
pkgs,
|
|
||||||
lib,
|
lib,
|
||||||
namespace,
|
namespace,
|
||||||
...
|
...
|
||||||
|
|||||||
@@ -1,6 +1,5 @@
|
|||||||
{
|
{
|
||||||
config,
|
config,
|
||||||
pkgs,
|
|
||||||
lib,
|
lib,
|
||||||
namespace,
|
namespace,
|
||||||
...
|
...
|
||||||
|
|||||||
@@ -69,8 +69,16 @@ in
|
|||||||
];
|
];
|
||||||
};
|
};
|
||||||
settings = {
|
settings = {
|
||||||
# general.api.server.enable = true;
|
general.api = {
|
||||||
capi.credentialsFile = cfg.apiKey;
|
server = {
|
||||||
|
enable = true;
|
||||||
|
listen_uri = "${cfg.apiAddress}:${toString cfg.port}";
|
||||||
|
};
|
||||||
|
client = {
|
||||||
|
credentials_path = lib.mkForce "/media/nas/main/nix-app-data/crowdsec/client.yaml";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
capi.credentialsFile = lib.mkDefault "/media/nas/main/nix-app-data/crowdsec/capi.yaml";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
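Review bot: Both new file paths in this hunk (`credentials_path` and `capi.credentialsFile`) hard-code `/media/nas/main/nix-app-data/crowdsec`, which is exactly the value the host passes as `dataDir` in this same commit, so the module should derive them from the option: `credentials_path = lib.mkForce "${cfg.dataDir}/client.yaml";` and `capi.credentialsFile = lib.mkDefault "${cfg.dataDir}/capi.yaml";`. The hunk also drops `capi.credentialsFile = cfg.apiKey;`, and the host config elsewhere in this commit still sets `apiKey` to a sops path, so that option appears to be no longer consumed by the module; either route `cfg.apiKey` back in or remove/document the option. The `listen_uri` line binds the LAPI to `cfg.apiAddress`, which the host now sets to `0.0.0.0`; a comment here stating that the address is expected to stay loopback unless remote bouncers exist would make the exposure decision explicit.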
|
|||||||
@@ -6,7 +6,7 @@ with lib;
|
|||||||
|
|
||||||
port = mkOption {
|
port = mkOption {
|
||||||
type = types.port;
|
type = types.port;
|
||||||
default = 9898;
|
default = 8080;
|
||||||
description = "Port for crowdsec API";
|
description = "Port for crowdsec API";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|||||||
@@ -27,7 +27,8 @@ let
|
|||||||
in
|
in
|
||||||
{
|
{
|
||||||
imports = [ ./options.nix ];
|
imports = [ ./options.nix ];
|
||||||
config = mkIf cfg.enable {
|
config =
|
||||||
|
mkIf cfg.enable {
|
||||||
services.gitea = {
|
services.gitea = {
|
||||||
enable = true;
|
enable = true;
|
||||||
stateDir = cfg.dataDir;
|
stateDir = cfg.dataDir;
|
||||||
@@ -57,5 +58,6 @@ in
|
|||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
} // traefik;
|
}
|
||||||
|
// traefik;
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -76,7 +76,7 @@ let
|
|||||||
traefikPlugins = {
|
traefikPlugins = {
|
||||||
bouncer = {
|
bouncer = {
|
||||||
moduleName = "github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin";
|
moduleName = "github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin";
|
||||||
version = "v1.4.2";
|
version = "v1.4.5";
|
||||||
};
|
};
|
||||||
geoblock = {
|
geoblock = {
|
||||||
moduleName = "github.com/PascalMinder/geoblock";
|
moduleName = "github.com/PascalMinder/geoblock";
|
||||||
@@ -84,9 +84,6 @@ let
|
|||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
crowdsecAppsecHost = "${serverIp}:7422";
|
|
||||||
crowdsecLapiKeyFile = config.sops.secrets."jallen-nas/traefik/crowdsec-lapi-key".path;
|
|
||||||
|
|
||||||
# Ports
|
# Ports
|
||||||
httpPort = 80;
|
httpPort = 80;
|
||||||
httpsPort = 443;
|
httpsPort = 443;
|
||||||
@@ -111,7 +108,21 @@ in
|
|||||||
config = mkIf cfg.enable {
|
config = mkIf cfg.enable {
|
||||||
sops = {
|
sops = {
|
||||||
secrets = {
|
secrets = {
|
||||||
"jallen-nas/traefik/crowdsec-lapi-key" = {
|
"jallen-nas/traefik/crowdsec/lapi-key" = {
|
||||||
|
sopsFile = (lib.snowfall.fs.get-file "secrets/nas-secrets.yaml");
|
||||||
|
owner = config.users.users.traefik.name;
|
||||||
|
group = config.users.users.traefik.group;
|
||||||
|
restartUnits = [ "traefik.service" ];
|
||||||
|
};
|
||||||
|
|
||||||
|
"jallen-nas/traefik/crowdsec/capi-machine-id" = {
|
||||||
|
sopsFile = (lib.snowfall.fs.get-file "secrets/nas-secrets.yaml");
|
||||||
|
owner = config.users.users.traefik.name;
|
||||||
|
group = config.users.users.traefik.group;
|
||||||
|
restartUnits = [ "traefik.service" ];
|
||||||
|
};
|
||||||
|
|
||||||
|
"jallen-nas/traefik/crowdsec/capi-password" = {
|
||||||
sopsFile = (lib.snowfall.fs.get-file "secrets/nas-secrets.yaml");
|
sopsFile = (lib.snowfall.fs.get-file "secrets/nas-secrets.yaml");
|
||||||
owner = config.users.users.traefik.name;
|
owner = config.users.users.traefik.name;
|
||||||
group = config.users.users.traefik.group;
|
group = config.users.users.traefik.group;
|
||||||
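Review bot: The three new secret entries in this hunk repeat the same four attributes (`sopsFile`, `owner`, `group`, `restartUnits`), and the hunk at `@@ -119,15 +130,27 @@` adds the identical four lines to four more entries; a single let-binding would keep the owner, sops file and restart trigger in step when any of them changes. Each entry would then collapse to `"jallen-nas/traefik/crowdsec/lapi-key" = traefikSecret;`. The enclosing `secrets` attrset continues outside the hunk, and the `let` block that would hold the binding is also outside it.
```nix
# in the enclosing let, alongside traefikPlugins:
traefikSecret = {
  sopsFile = (lib.snowfall.fs.get-file "secrets/nas-secrets.yaml");
  owner = config.users.users.traefik.name;
  group = config.users.users.traefik.group;
  restartUnits = [ "traefik.service" ];
};
# … unchanged: rest of let bindings …
"jallen-nas/traefik/crowdsec/lapi-key" = traefikSecret;
"jallen-nas/traefik/crowdsec/capi-machine-id" = traefikSecret;
"jallen-nas/traefik/crowdsec/capi-password" = traefikSecret;
```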
@@ -119,15 +130,27 @@ in
|
|||||||
};
|
};
|
||||||
"jallen-nas/traefik/cloudflare-dns-api-token" = {
|
"jallen-nas/traefik/cloudflare-dns-api-token" = {
|
||||||
sopsFile = (lib.snowfall.fs.get-file "secrets/nas-secrets.yaml");
|
sopsFile = (lib.snowfall.fs.get-file "secrets/nas-secrets.yaml");
|
||||||
|
owner = config.users.users.traefik.name;
|
||||||
|
group = config.users.users.traefik.group;
|
||||||
|
restartUnits = [ "traefik.service" ];
|
||||||
};
|
};
|
||||||
"jallen-nas/traefik/cloudflare-zone-api-token" = {
|
"jallen-nas/traefik/cloudflare-zone-api-token" = {
|
||||||
sopsFile = (lib.snowfall.fs.get-file "secrets/nas-secrets.yaml");
|
sopsFile = (lib.snowfall.fs.get-file "secrets/nas-secrets.yaml");
|
||||||
|
owner = config.users.users.traefik.name;
|
||||||
|
group = config.users.users.traefik.group;
|
||||||
|
restartUnits = [ "traefik.service" ];
|
||||||
};
|
};
|
||||||
"jallen-nas/traefik/cloudflare-api-key" = {
|
"jallen-nas/traefik/cloudflare-api-key" = {
|
||||||
sopsFile = (lib.snowfall.fs.get-file "secrets/nas-secrets.yaml");
|
sopsFile = (lib.snowfall.fs.get-file "secrets/nas-secrets.yaml");
|
||||||
|
owner = config.users.users.traefik.name;
|
||||||
|
group = config.users.users.traefik.group;
|
||||||
|
restartUnits = [ "traefik.service" ];
|
||||||
};
|
};
|
||||||
"jallen-nas/traefik/cloudflare-email" = {
|
"jallen-nas/traefik/cloudflare-email" = {
|
||||||
sopsFile = (lib.snowfall.fs.get-file "secrets/nas-secrets.yaml");
|
sopsFile = (lib.snowfall.fs.get-file "secrets/nas-secrets.yaml");
|
||||||
|
owner = config.users.users.traefik.name;
|
||||||
|
group = config.users.users.traefik.group;
|
||||||
|
restartUnits = [ "traefik.service" ];
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
templates = {
|
templates = {
|
||||||
@@ -250,11 +273,15 @@ in
|
|||||||
crowdsec = {
|
crowdsec = {
|
||||||
plugin = {
|
plugin = {
|
||||||
bouncer = {
|
bouncer = {
|
||||||
crowdsecAppsecEnabled = true;
|
enabled = true;
|
||||||
crowdsecAppsecHost = crowdsecAppsecHost;
|
crowdsecLapiKeyFile = config.sops.secrets."jallen-nas/traefik/crowdsec/lapi-key".path;
|
||||||
crowdsecAppsecFailureBlock = true;
|
crowdsecLapiScheme = "http";
|
||||||
crowdsecAppsecUnreachableBlock = true;
|
crowdsecLapiHost = "localhost:8181";
|
||||||
crowdsecLapiKeyFile = crowdsecLapiKeyFile;
|
crowdsecLapiPath = "/";
|
||||||
|
crowdsecLapiTLSInsecureVerify = false;
|
||||||
|
crowdsecCapiMachineIdFile = config.sops.secrets."jallen-nas/traefik/crowdsec/capi-machine-id".path;
|
||||||
|
crowdsecCapiPasswordFile = config.sops.secrets."jallen-nas/traefik/crowdsec/capi-password".path;
|
||||||
|
crowdsecCapiScenarios = [ ];
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
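Review bot: `crowdsecLapiHost = "localhost:8181"` hard-codes the LAPI port that this commit sets to 8181 in the host's crowdsec block and to 8080 as the option default, so the two can drift silently; prefer building it from the crowdsec option, e.g. `crowdsecLapiHost = "localhost:${toString <crowdsec cfg>.port}";` using whatever attribute path the crowdsec module's `port` option lives at. The hunk also removes the four `crowdsecAppsec*` settings, which turns off inline request inspection and the fail-closed `crowdsecAppsecFailureBlock`/`crowdsecAppsecUnreachableBlock` behaviour, and the commit title `crowdsec` does not say whether that is intentional; a one-line comment such as `# AppSec disabled: <reason>` above `enabled = true;` would record the decision. With `crowdsecLapiScheme = "http"` the LAPI key travels in clear, which is acceptable on loopback but not if `crowdsecLapiHost` is later pointed at a remote LAPI; a comment next to the scheme line stating that constraint is worth adding.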
|
|||||||
@@ -1,5 +1,5 @@
|
|||||||
{ inputs, ... }:
|
{ ... }:
|
||||||
final: _prev: {
|
_final: _prev: {
|
||||||
# rcon = inputs.nixpkgs-stable.legacyPackages."x86_64-linux".rcon;
|
# rcon = inputs.nixpkgs-stable.legacyPackages."x86_64-linux".rcon;
|
||||||
# llama-cpp = inputs.nixpkgs-stable.legacyPackages."x86_64-linux".llama-cpp;
|
# llama-cpp = inputs.nixpkgs-stable.legacyPackages."x86_64-linux".llama-cpp;
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -4,7 +4,10 @@ jallen-nas:
|
|||||||
ups_password: ENC[AES256_GCM,data:tYuJ9nU3E2/Ko6Y=,iv:lQq+g68lKCp1rmPvS/84xGIXHxD9zY5zZrrjEJlY8Hs=,tag:p6McEr+sXGAQyMAz1Kaxfw==,type:str]
|
ups_password: ENC[AES256_GCM,data:tYuJ9nU3E2/Ko6Y=,iv:lQq+g68lKCp1rmPvS/84xGIXHxD9zY5zZrrjEJlY8Hs=,tag:p6McEr+sXGAQyMAz1Kaxfw==,type:str]
|
||||||
authentik-env: ENC[AES256_GCM,data:AzHHGyhoyMp/ebnK6LQ5apBUhQT04SPJrtA6XcdaQ38C+fYuG2ph2iWFb+giafxCe8IXWAYT8CWoeqcspM7CPSAAKgqfVaPhMvjXqLxCY/rpegb5jBD1U6tURhPsH3ADrERk+kCmTV2eUpuV+nluiGM+fRdwhB0zu378HKwhXCpSO4L24aXhe9pxxxaTQzncWH6zW5iaRdouDVr1bAUzLi9BpnmS0ZK/rfLq2whErCeN++Srx6aCgwJ7jaqetBglQkIl3YG6flS8u3vsKtI+RVaNJ5tzrWR/qv0vBy8y1PZEuuXZdiHjn1hjiPE1T31j2+aQdbX70RaJfIt6E4lVtArQHv8PTUDxUoxcnUv52xLTStT5/UdIlNoZjPMwvaknpK7Z0uw9w4j76gmgk06xsxoCpnXIGTm1QpGqviBhgfNs5Va/qi4MBfByaym3UAz9LPHs4keuvJNN8dS0q5OMnRswl14PjIb1MIKB/QCVHvb4hO7eIRiWOkA7nb9LP/y1mjAYslr+I+GNpU8oIYTAvKoMS7ZgC49RoLWytAXUru2I7CqDR9zgPzlDQ9gLPoFKw2uKulpAy0ayQWPcgPA2CFmF+5zdINNSNKn0gRZ/2RTc3DiWmzo4P13EmrOwvkWCkiswFu1d6ctKZFhQnfPuj9LRGp/Os55JpLrreSyRJug6lgR4bPdC3x8sbxNmb5S2Y+4aFfgPXfdCdXs5b+8j28d1d4EoOO/arUzNADz9ODD5esb2g8UC2QtQd0RRYX/qmiM=,iv:YKvFxz3M8HKlg56JfN6uv8hvCFlEbhBkaSQz1v9l3zk=,tag:rz7UixSDqOXH7Ga6mkVYAw==,type:str]
|
authentik-env: ENC[AES256_GCM,data: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,iv:YKvFxz3M8HKlg56JfN6uv8hvCFlEbhBkaSQz1v9l3zk=,tag:rz7UixSDqOXH7Ga6mkVYAw==,type:str]
|
||||||
traefik:
|
traefik:
|
||||||
crowdsec-lapi-key: ENC[AES256_GCM,data:r+0zzklrT+Ot9WVuyb0nhvzTfaN+1CGP0aAdWARiB9AvEnFz0KAM9Q==,iv:wLxubJJBVAP5XwgI3yd3+ynKdtntth0VShWm2umvthk=,tag:SkqRofFOB7c/U/IISmaB8w==,type:str]
|
crowdsec:
|
||||||
|
lapi-key: ENC[AES256_GCM,data:tEEr+KtGPseweqWn7eyrZwZBl+pPqzQqr5cmlYZF2ugm9pF4sUwBdEy21A==,iv:x1h0Op29Ta15dPe1Tfm4c1Mlo85aqvyOgZ5bELRNTGE=,tag:y0R8DHc0ya96n6hLLhteYA==,type:str]
|
||||||
|
capi-machine-id: ENC[AES256_GCM,data:W6G/jr1qr3KQQmVtAApEZkaAfEmGbqapmcv93ENuprAVrSWAkndyKbtpqg3iYwZK,iv:PAhZq0GkdOEIlU/50hl7ewNHhC/a9S6Sb4vreRBo/ZU=,tag:6ELW9NKIzE4sRH4vR9G3JQ==,type:str]
|
||||||
|
capi-password: ENC[AES256_GCM,data:iH3rG5Y8vg4TbM8yPzqe0i2vrH73Md8Yj/vGfFp9IdqTmZqCruFS/s/7PpWOUQ9OnTnmLqA4LXOMr8eDA8hjFw==,iv:jlsajO+xKOAP8hlFmT+t0nYXBq/td7uath/u4gEb8+I=,tag:SysRfxuWKA3b493JOGYiRg==,type:str]
|
||||||
cloudflare-dns-api-token: ENC[AES256_GCM,data:ZHAP3KuCIh5LAH3FqCaUEoKNRkoRqrbY/NySsubzGCbZtO4aXYI2GA==,iv:IdGRIpfxxDhHQKaU4PeQI8ESIvzcNNgsqEFsyZ1ar6k=,tag:1u/bhR0CuI9rsn8gycYHzg==,type:str]
|
cloudflare-dns-api-token: ENC[AES256_GCM,data:ZHAP3KuCIh5LAH3FqCaUEoKNRkoRqrbY/NySsubzGCbZtO4aXYI2GA==,iv:IdGRIpfxxDhHQKaU4PeQI8ESIvzcNNgsqEFsyZ1ar6k=,tag:1u/bhR0CuI9rsn8gycYHzg==,type:str]
|
||||||
cloudflare-zone-api-token: ENC[AES256_GCM,data:N02jcaPLYVzOmo5omGvOKUw2MZg8/cVolRcw/pu+sFnV8IsrUFOjmA==,iv:NZ+OaNR5lmsXicYQ7QL9CBMhlm397VbqmIcmr6GGBWw=,tag:FOT0EzDDuJ/kKOArn8e/rA==,type:str]
|
cloudflare-zone-api-token: ENC[AES256_GCM,data:N02jcaPLYVzOmo5omGvOKUw2MZg8/cVolRcw/pu+sFnV8IsrUFOjmA==,iv:NZ+OaNR5lmsXicYQ7QL9CBMhlm397VbqmIcmr6GGBWw=,tag:FOT0EzDDuJ/kKOArn8e/rA==,type:str]
|
||||||
cloudflare-api-key: ENC[AES256_GCM,data:SWCsa1YzUpl5aQmeVBzKjfkZdAfduX8pl5RKd+EP6pgyMCCc6Q==,iv:ccIzA1OzGyRnq8gxXAg4B3HHtKcvXhXKMWVuTs/PHLI=,tag:R9KrYDrAluTAyuv7DfYVWQ==,type:str]
|
cloudflare-api-key: ENC[AES256_GCM,data:SWCsa1YzUpl5aQmeVBzKjfkZdAfduX8pl5RKd+EP6pgyMCCc6Q==,iv:ccIzA1OzGyRnq8gxXAg4B3HHtKcvXhXKMWVuTs/PHLI=,tag:R9KrYDrAluTAyuv7DfYVWQ==,type:str]
|
||||||
@@ -174,8 +177,8 @@ sops:
|
|||||||
NXZkbVZyV0VtTzArOE1uU1JwMXZZN0EKLDU1x+rIWecDD9x//huoM2BM9NRSa4g1
|
NXZkbVZyV0VtTzArOE1uU1JwMXZZN0EKLDU1x+rIWecDD9x//huoM2BM9NRSa4g1
|
||||||
L5nodU/J0XsfB9z3kr7eY5LYSwsqGkAxI1cXJYZGHF+bozJjweyXTQ==
|
L5nodU/J0XsfB9z3kr7eY5LYSwsqGkAxI1cXJYZGHF+bozJjweyXTQ==
|
||||||
-----END AGE ENCRYPTED FILE-----
|
-----END AGE ENCRYPTED FILE-----
|
||||||
lastmodified: "2025-10-07T16:00:55Z"
|
lastmodified: "2025-10-09T19:42:48Z"
|
||||||
mac: ENC[AES256_GCM,data:Z8H09wF7kYYZs7FU4qAvpJmo3wEsSKg5qML+Q57UGNzjoaBJFor60B0yW/vaLcALt4clcJHhsU2phoCqCh7SdlP/AlgE5u8pn6G8n3zXiWxXK1dqiJLqE8iIgye+BA0EMdV9zATwTAQJwK/BtIBitXP1nboWi73W0tj+RdMIkjg=,iv:31IqJSL+kZAGqeKnOnZr5A2A0GOR/njrQ6tZqpjSTVo=,tag:1u24sjA06D8RnW4T3S1QjA==,type:str]
|
mac: ENC[AES256_GCM,data:12mGNMyFnw1SME5XgYRPwADnwurMEY2GkJBwKu6qgniv4LdbKIRg6dTgAQf2LwJEmhS8RAyVhbz4MFS8/Sw17OM7wbId3OFP7LeW32xktHVP1JdC538Z3ZxwDWv47age1vC3s9NrJonq46cUQzmL3UsODWWlSs3f/EJLq+TAbLg=,iv:3scf4+lXtKeS9VM2Opk3iJ/VWwuZyUe9AGCWK/OIrts=,tag:xS31oLt3+xpz7lod6F6DMw==,type:str]
|
||||||
pgp:
|
pgp:
|
||||||
- created_at: "2025-08-24T02:21:34Z"
|
- created_at: "2025-08-24T02:21:34Z"
|
||||||
enc: |-
|
enc: |-
|
||||||
|
|||||||
@@ -74,8 +74,8 @@
|
|||||||
|
|
||||||
crowdsec = {
|
crowdsec = {
|
||||||
enable = true;
|
enable = true;
|
||||||
port = 9898;
|
port = 8181;
|
||||||
apiAddress = "10.0.1.3";
|
apiAddress = "0.0.0.0";
|
||||||
apiKey = config.sops.secrets."jallen-nas/crowdsec-capi".path;
|
apiKey = config.sops.secrets."jallen-nas/crowdsec-capi".path;
|
||||||
dataDir = "/media/nas/main/nix-app-data/crowdsec";
|
dataDir = "/media/nas/main/nix-app-data/crowdsec";
|
||||||
};
|
};
|
||||||
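Review bot: `apiAddress = "0.0.0.0"` exposes the crowdsec LAPI on every interface (previously the single address `10.0.1.3`), and the firewall hunk at `@@ -150,6 +150,7 @@` opens 8181 as well, while the only LAPI consumer in this commit (the traefik bouncer) connects to `localhost:8181` over plain http. Unless remote bouncers or agents are expected, `apiAddress = "127.0.0.1";` keeps the key-authenticated, unencrypted API off the network; if remote access is required, bind to the specific interface address as before rather than the wildcard. `apiKey` is still set here, but the module hunk at `@@ -69,8 +69,16 @@` replaces `capi.credentialsFile = cfg.apiKey;` with a hard-coded `capi.yaml` path, so this line looks dead unless the option is read elsewhere — confirm and either drop it or route it back into the module.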
|
|||||||
@@ -10,7 +10,7 @@
|
|||||||
...
|
...
|
||||||
}:
|
}:
|
||||||
let
|
let
|
||||||
inherit (lib.${namespace}) enabled disabled;
|
inherit (lib.${namespace}) enabled;
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
imports = [
|
imports = [
|
||||||
@@ -150,6 +150,7 @@ in
|
|||||||
8192
|
8192
|
||||||
3000
|
3000
|
||||||
2222
|
2222
|
||||||
|
8181
|
||||||
];
|
];
|
||||||
allowedUDPPorts = config.${namespace}.network.firewall.allowedTCPPorts;
|
allowedUDPPorts = config.${namespace}.network.firewall.allowedTCPPorts;
|
||||||
};
|
};
|
||||||
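Review bot: Adding `8181` to `allowedTCPPorts` also opens it for UDP, because the context line `allowedUDPPorts = config.${namespace}.network.firewall.allowedTCPPorts;` mirrors the whole TCP list; the LAPI is an HTTP service, so the UDP hole is unnecessary exposure (the same aliasing affects every port in this list). If the LAPI is only reached from traefik on the same host (it connects to `localhost:8181` in this commit), the port need not be opened at all; otherwise annotate the entry with the remote clients that need it, e.g. `8181 # crowdsec LAPI, reached by <remote bouncer>`. The list and its enclosing attrset start outside the hunk.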
|
|||||||
@@ -100,6 +100,8 @@ in
|
|||||||
|
|
||||||
"jallen-nas/crowdsec-capi" = {
|
"jallen-nas/crowdsec-capi" = {
|
||||||
sopsFile = defaultSops;
|
sopsFile = defaultSops;
|
||||||
|
owner = "crowdsec";
|
||||||
|
group = "crowdsec";
|
||||||
restartUnits = [ "crowdsec.service" ];
|
restartUnits = [ "crowdsec.service" ];
|
||||||
};
|
};
|
||||||
|
|
||||||
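Review bot: `owner = "crowdsec"` and `group = "crowdsec"` are bare strings, whereas the traefik secrets in this commit reference `config.users.users.traefik.name`/`.group`; if the crowdsec user is declared in `users.users`, `owner = config.users.users.crowdsec.name;` and `group = config.users.users.crowdsec.group;` make the dependency explicit and fail evaluation if the user ever disappears instead of silently leaving the secret unreadable. Note also that the module hunk at `@@ -69,8 +69,16 @@` no longer points `capi.credentialsFile` at `cfg.apiKey`, so this secret (exposed through `apiKey`) may no longer be read by crowdsec at all — verify it is still consumed before keeping the `crowdsec.service` restart trigger. The `secrets` attrset continues outside the hunk.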
|
|||||||