crowdsec

modules/nixos/programs/default.nix

@@ -62,7 +62,7 @@
         libgbm
       ];
     };
-    seahorse.enable = lib.mkDefault false;
+    seahorse.enable = lib.mkDefault true;
   };
   environment = {
     systemPackages = with pkgs; [

modules/nixos/services/actual/default.nix

@@ -25,7 +25,6 @@ let
         userFiles = "${dataDir}/user-files";
       };
     };
-  };
 
     users.users.actual = {
       isSystemUser = true;

modules/nixos/services/arrs/default.nix

@@ -1,6 +1,5 @@
 {
   config,
-  pkgs,
   lib,
   namespace,
   ...

modules/nixos/services/calibre/default.nix

@@ -1,6 +1,5 @@
 {
   config,
-  pkgs,
   lib,
   namespace,
   ...
@@ -39,31 +38,31 @@ let
   #       };
   #     };
 
-      # users.users.calibre = {
+  # users.users.calibre = {
-      #   isSystemUser = true;
+  #   isSystemUser = true;
-      #   uid = lib.mkForce calibreUserId;
+  #   uid = lib.mkForce calibreUserId;
-      #   group = "calibre";
+  #   group = "calibre";
-      # };
+  # };
 
-      # users.groups = {
+  # users.groups = {
-      #   calibre-web = {
+  #   calibre-web = {
-      #     gid = lib.mkForce calibreGroupId;
+  #     gid = lib.mkForce calibreGroupId;
-      #   };
+  #   };
-      # };
+  # };
 
-      # networking = {
+  # networking = {
-      #   firewall = {
+  #   firewall = {
-      #     enable = true;
+  #     enable = true;
-      #     allowedTCPPorts = [ cfg.port ];
+  #     allowedTCPPorts = [ cfg.port ];
-      #   };
+  #   };
-      #   # Use systemd-resolved inside the container
+  #   # Use systemd-resolved inside the container
-      #   # Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686
+  #   # Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686
-      #   useHostResolvConf = lib.mkForce false;
+  #   useHostResolvConf = lib.mkForce false;
-      # };
+  # };
 
-      # services.resolved.enable = true;
+  # services.resolved.enable = true;
-      # system.stateVersion = "23.11";
+  # system.stateVersion = "23.11";
-    # };
+  # };
 
   # bindMounts = {
   #   ${dataDir} = {

modules/nixos/services/crowdsec/default.nix

@@ -69,8 +69,16 @@ in
           ];
         };
         settings = {
-          # general.api.server.enable = true;
+          general.api = {
-          capi.credentialsFile = cfg.apiKey;
+            server = {
+              enable = true;
+              listen_uri = "${cfg.apiAddress}:${toString cfg.port}";
+            };
+            client = {
+              credentials_path = lib.mkForce "/media/nas/main/nix-app-data/crowdsec/client.yaml";
+            };
+          };
+          capi.credentialsFile = lib.mkDefault "/media/nas/main/nix-app-data/crowdsec/capi.yaml";
         };
       };
     };

modules/nixos/services/crowdsec/options.nix

@@ -6,7 +6,7 @@ with lib;
 
     port = mkOption {
       type = types.port;
-      default = 9898;
+      default = 8080;
       description = "Port for crowdsec API";
     };
 

modules/nixos/services/gitea/default.nix

@@ -27,35 +27,37 @@ let
 in
 {
   imports = [ ./options.nix ];
-  config = mkIf cfg.enable {
+  config =
-    services.gitea = {
+    mkIf cfg.enable {
-      enable = true;
+      services.gitea = {
-      stateDir = cfg.dataDir;
+        enable = true;
-      user = "nix-apps";
+        stateDir = cfg.dataDir;
-      group = "jallen-nas";
+        user = "nix-apps";
-      mailerPasswordFile = mailerPasswordFile;
+        group = "jallen-nas";
-      metricsTokenFile = metricsTokenFile;
+        mailerPasswordFile = mailerPasswordFile;
-      settings = {
+        metricsTokenFile = metricsTokenFile;
-        server = {
+        settings = {
-          DOMAIN = "jallen-nas";
+          server = {
-          HTTP_ADDR = "0.0.0.0";
+            DOMAIN = "jallen-nas";
-          HTTP_PORT = cfg.httpPort;
+            HTTP_ADDR = "0.0.0.0";
-          PROTOCOL = "http";
+            HTTP_PORT = cfg.httpPort;
-          ROOT_URL = rootUrl;
+            PROTOCOL = "http";
-          START_SSH_SERVER = true;
+            ROOT_URL = rootUrl;
-          SSH_PORT = cfg.sshPort;
+            START_SSH_SERVER = true;
-        };
+            SSH_PORT = cfg.sshPort;
-        service = {
+          };
-          REGISTER_EMAIL_CONFIRM = false;
+          service = {
-          ENABLE_CAPTCHA = false;
+            REGISTER_EMAIL_CONFIRM = false;
-          DISABLE_REGISTRATION = true;
+            ENABLE_CAPTCHA = false;
-          ENABLE_OPENID_SIGNIN = false;
+            DISABLE_REGISTRATION = true;
-          ENABLE_LDAP_SIGNIN = false;
+            ENABLE_OPENID_SIGNIN = false;
-          ENABLE_SSH_SIGNIN = true;
+            ENABLE_LDAP_SIGNIN = false;
-          ENABLE_BUILTIN_SSH_SERVER = true;
+            ENABLE_SSH_SIGNIN = true;
-          ENABLE_REVERSE_PROXY_AUTHENTICATION = true;
+            ENABLE_BUILTIN_SSH_SERVER = true;
+            ENABLE_REVERSE_PROXY_AUTHENTICATION = true;
+          };
         };
       };
-    };
+    }
-  } // traefik;
+    // traefik;
 }

modules/nixos/services/traefik/default.nix

@@ -76,7 +76,7 @@ let
   traefikPlugins = {
     bouncer = {
       moduleName = "github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin";
-      version = "v1.4.2";
+      version = "v1.4.5";
     };
     geoblock = {
       moduleName = "github.com/PascalMinder/geoblock";
@@ -84,9 +84,6 @@ let
     };
   };
 
-  crowdsecAppsecHost = "${serverIp}:7422";
-  crowdsecLapiKeyFile = config.sops.secrets."jallen-nas/traefik/crowdsec-lapi-key".path;
-
   # Ports
   httpPort = 80;
   httpsPort = 443;
@@ -111,7 +108,21 @@ in
   config = mkIf cfg.enable {
     sops = {
       secrets = {
-        "jallen-nas/traefik/crowdsec-lapi-key" = {
+        "jallen-nas/traefik/crowdsec/lapi-key" = {
+          sopsFile = (lib.snowfall.fs.get-file "secrets/nas-secrets.yaml");
+          owner = config.users.users.traefik.name;
+          group = config.users.users.traefik.group;
+          restartUnits = [ "traefik.service" ];
+        };
+
+        "jallen-nas/traefik/crowdsec/capi-machine-id" = {
+          sopsFile = (lib.snowfall.fs.get-file "secrets/nas-secrets.yaml");
+          owner = config.users.users.traefik.name;
+          group = config.users.users.traefik.group;
+          restartUnits = [ "traefik.service" ];
+        };
+
+        "jallen-nas/traefik/crowdsec/capi-password" = {
           sopsFile = (lib.snowfall.fs.get-file "secrets/nas-secrets.yaml");
           owner = config.users.users.traefik.name;
           group = config.users.users.traefik.group;
@@ -119,15 +130,27 @@ in
         };
         "jallen-nas/traefik/cloudflare-dns-api-token" = {
           sopsFile = (lib.snowfall.fs.get-file "secrets/nas-secrets.yaml");
+          owner = config.users.users.traefik.name;
+          group = config.users.users.traefik.group;
+          restartUnits = [ "traefik.service" ];
         };
         "jallen-nas/traefik/cloudflare-zone-api-token" = {
           sopsFile = (lib.snowfall.fs.get-file "secrets/nas-secrets.yaml");
+          owner = config.users.users.traefik.name;
+          group = config.users.users.traefik.group;
+          restartUnits = [ "traefik.service" ];
         };
         "jallen-nas/traefik/cloudflare-api-key" = {
           sopsFile = (lib.snowfall.fs.get-file "secrets/nas-secrets.yaml");
+          owner = config.users.users.traefik.name;
+          group = config.users.users.traefik.group;
+          restartUnits = [ "traefik.service" ];
         };
         "jallen-nas/traefik/cloudflare-email" = {
           sopsFile = (lib.snowfall.fs.get-file "secrets/nas-secrets.yaml");
+          owner = config.users.users.traefik.name;
+          group = config.users.users.traefik.group;
+          restartUnits = [ "traefik.service" ];
         };
       };
       templates = {
@@ -250,11 +273,15 @@ in
             crowdsec = {
               plugin = {
                 bouncer = {
-                  crowdsecAppsecEnabled = true;
+                  enabled = true;
-                  crowdsecAppsecHost = crowdsecAppsecHost;
+                  crowdsecLapiKeyFile = config.sops.secrets."jallen-nas/traefik/crowdsec/lapi-key".path;
-                  crowdsecAppsecFailureBlock = true;
+                  crowdsecLapiScheme = "http";
-                  crowdsecAppsecUnreachableBlock = true;
+                  crowdsecLapiHost = "localhost:8181";
-                  crowdsecLapiKeyFile = crowdsecLapiKeyFile;
+                  crowdsecLapiPath = "/";
+                  crowdsecLapiTLSInsecureVerify = false;
+                  crowdsecCapiMachineIdFile = config.sops.secrets."jallen-nas/traefik/crowdsec/capi-machine-id".path;
+                  crowdsecCapiPasswordFile = config.sops.secrets."jallen-nas/traefik/crowdsec/capi-password".path;
+                  crowdsecCapiScenarios = [ ];
                 };
               };
             };

overlays/rcon/default.nix

@@ -1,5 +1,5 @@
-{ inputs, ... }:
+{ ... }:
-final: _prev: {
+_final: _prev: {
   # rcon = inputs.nixpkgs-stable.legacyPackages."x86_64-linux".rcon;
   # llama-cpp = inputs.nixpkgs-stable.legacyPackages."x86_64-linux".llama-cpp;
 }

systems/x86_64-linux/jallen-nas/apps.nix

@@ -74,8 +74,8 @@
 
       crowdsec = {
         enable = true;
-        port = 9898;
+        port = 8181;
-        apiAddress = "10.0.1.3";
+        apiAddress = "0.0.0.0";
         apiKey = config.sops.secrets."jallen-nas/crowdsec-capi".path;
         dataDir = "/media/nas/main/nix-app-data/crowdsec";
       };

systems/x86_64-linux/jallen-nas/default.nix

@@ -10,7 +10,7 @@
   ...
 }:
 let
-  inherit (lib.${namespace}) enabled disabled;
+  inherit (lib.${namespace}) enabled;
 in
 {
   imports = [
@@ -150,6 +150,7 @@ in
           8192
           3000
           2222
+          8181
         ];
         allowedUDPPorts = config.${namespace}.network.firewall.allowedTCPPorts;
       };

systems/x86_64-linux/jallen-nas/sops.nix

@@ -100,6 +100,8 @@ in
 
       "jallen-nas/crowdsec-capi" = {
         sopsFile = defaultSops;
+        owner = "crowdsec";
+        group = "crowdsec";
         restartUnits = [ "crowdsec.service" ];
       };