death916 2026-01-16 06:44:50 -08:00
commit e0ad392fde
5 changed files with 135 additions and 6 deletions


@ -0,0 +1,83 @@
{ config, pkgs, ... }:
let
configDir = "/var/lib/crowdsec/config";
dataDir = "/var/lib/crowdsec/data";
bouncerEnvFile = "/var/lib/crowdsec/bouncer.env";
acquisYaml = pkgs.writeText "acquis.yaml" ''
---
source: docker
container_name:
- traefik
labels:
type: traefik
---
source: journalctl
journalctl_filter:
- "_SYSTEMD_UNIT=sshd.service"
labels:
type: syslog
---
source: journalctl
journalctl_filter:
- "_SYSTEMD_UNIT=vaultwarden.service"
labels:
type: vaultwarden
---
source: journalctl
journalctl_filter:
- "SYSLOG_IDENTIFIER=sudo"
- "SYSLOG_IDENTIFIER=auth"
labels:
type: syslog
'';
in
{
virtualisation.docker.enable = true;
virtualisation.oci-containers.backend = "docker";
systemd.tmpfiles.rules = [
"d ${configDir} 0755 root root -"
"d ${dataDir} 0755 root root -"
"f ${bouncerEnvFile} 0600 root root -"
];
virtualisation.oci-containers.containers.crowdsec = {
image = "crowdsecurity/crowdsec:latest-debian";
autoStart = true;
ports = [ "127.0.0.1:8080:8080" "127.0.0.1:6060:6060" ];
environment = {
COLLECTIONS = "crowdsecurity/linux crowdsecurity/sshd crowdsecurity/traefik crowdsecurity/http-cve Dominic-Wagner/vaultwarden";
GID = "0";
};
volumes = [
"${configDir}:/etc/crowdsec"
"${dataDir}:/var/lib/crowdsec/data"
"/var/run/docker.sock:/var/run/docker.sock"
"/var/log/journal:/var/log/journal:ro"
"/run/log/journal:/run/log/journal:ro"
"/etc/machine-id:/etc/machine-id:ro"
"${acquisYaml}:/etc/crowdsec/acquis.yaml"
];
};
services.crowdsec-firewall-bouncer = {
enable = true;
settings = {
mode = "iptables";
log_level = "info";
update_frequency = "10s";
api_url = "http://127.0.0.1:8080/";
api_key = "\${BOUNCER_API_KEY}";
iptables_chains = [ "INPUT" "DOCKER-USER" ];
};
};
systemd.services.crowdsec-firewall-bouncer.serviceConfig = {
EnvironmentFile = bouncerEnvFile;
Environment = [ "CREDENTIALS_DIRECTORY=/var/lib/crowdsec" ];
};
}
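Review bot: The `volumes` list bind-mounts the host Docker socket read-write into a container pulled from the floating `latest-debian` tag, so whatever that tag resolves to on the next pull effectively gets root on the host; pin `image` to an explicit version tag plus `@sha256:` digest and treat image bumps as deliberate changes. The socket is only needed so the `source: docker` entry in acquis.yaml can read traefik's logs, so if you want to shrink the blast radius put a read-only socket proxy in front of it that exposes only the container/log endpoints (a `:ro` bind of the socket file does not stop API calls). `api_key = "\${BOUNCER_API_KEY}"` depends on the bouncer expanding environment variables from `bouncerEnvFile`, which the tmpfiles rule only creates as an empty 0600 file, so add a comment such as `# BOUNCER_API_KEY is written to bouncer.env out-of-band (cscli bouncers add); this module only creates the empty file` so the next reader knows it is not provisioned here. `Environment = [ "CREDENTIALS_DIRECTORY=/var/lib/crowdsec" ]` overrides a variable systemd normally sets only when `LoadCredential=` is in use; if nothing in the bouncer reads it, drop it, and if the intent is systemd credentials then `LoadCredential=` is the mechanism that populates it.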


@ -116,6 +116,9 @@
];
};
systemd.services."docker-karakeep-web" = {
unitConfig = {
RequiresMountsFor = "/mnt/myjfs";
};
serviceConfig = {
Restart = lib.mkOverride 90 "always";
RestartMaxDelaySec = lib.mkOverride 90 "1m";
@ -124,9 +127,11 @@
};
after = [
"docker-network-karakeep_default.service"
"docker-myjfs-mount-service.service"
];
requires = [
"docker-network-karakeep_default.service"
"docker-myjfs-mount-service.service"
];
partOf = [
"docker-compose-karakeep-root.target"
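Review bot: The new `after`/`requires` entries only order `docker-karakeep-web` behind the start of `docker-myjfs-mount-service.service`, not behind the filesystem actually being mounted, and `RequiresMountsFor = "/mnt/myjfs"` only pulls in a dependency when a systemd `mnt-myjfs.mount` unit exists; if the JuiceFS mount happens inside that Docker-managed service, the web container may still come up before `/mnt/myjfs` is populated and see an empty directory. If that race is real here, an `ExecStartPre` that waits for the mountpoint (e.g. `mountpoint -q /mnt/myjfs`) or a `bindsTo` on the mount service would close it; if the mount service only becomes active once mounted, say so in a comment like `# docker-myjfs-mount-service reaches active only after /mnt/myjfs is mounted` so the dependency is understood. The enclosing `systemd.services."docker-karakeep-web"` attribute set begins above the first hunk and continues past the second.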


@ -33,8 +33,46 @@
}
];
}
{
job_name = "crowdsec";
static_configs = [
{
targets = [ "127.0.0.1:6060" ];
}
];
}
{
job_name = "smartctl";
static_configs = [
{
targets = [ "127.0.0.1:9633" ];
}
];
}
{
job_name = "process";
static_configs = [
{
targets = [ "127.0.0.1:9256" ];
}
];
}
];
exporters = {
process = {
enable = true;
port = 9256;
settings.process_names = [
{
name = "{{.Comm}}";
cmdline = [ ".+" ];
}
];
};
smartctl = {
enable = true;
port = 9633;
};
node = {
enable = true;
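Review bot: The new `process` and `smartctl` exporters are enabled without a `listenAddress`, and the nixpkgs prometheus exporter modules default that to `0.0.0.0`, so they bind on every interface while Prometheus only ever scrapes them at `127.0.0.1`; add `listenAddress = "127.0.0.1";` to both so the host firewall is not the only thing keeping them off the network (a trusted Tailscale interface, if one is configured, would otherwise expose them to the whole tailnet). The `process_names` entry with `cmdline = [ ".+" ]` groups every process on the box by `{{.Comm}}`, which looks like the intended catch-all but deserves a one-line comment, e.g. `# one metric group per command name for every process; tighten if label cardinality grows`. The `scrapeConfigs` list this hunk extends begins before the hunk, and `exporters` continues past it.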
@ -50,6 +88,8 @@
"wifi"
"sysctl"
"processes"
"cgroups"
"btrfs"
];
# You can pass extra options to the exporter using `extraFlags`, e.g.
# to configure collectors or disable those enabled by default.


@ -35,7 +35,7 @@
ROCKET_ADDRESS = "100.72.187.12";
ROCKET_PORT = 8222;
ROCKET_LOG = "critical";
ROCKET_LOG = "warn";
environmentFile = "/var/lib/vaultwarden/vault.env";
# This example assumes a mailserver running on localhost,
# thus without transport encryption.
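Review bot: Raising `ROCKET_LOG` from `critical` to `warn` looks intended to feed the vaultwarden journald acquisition and `Dominic-Wagner/vaultwarden` collection added elsewhere in this commit, but as far as I can tell `ROCKET_LOG` governs the Rocket framework's own logging, while the failed-login messages the crowdsec parser keys on come from vaultwarden's logger, whose verbosity is set by `LOG_LEVEL`; confirm with a deliberate failed login that the line actually reaches the journal before relying on the bouncer for vaultwarden. Whichever variable turns out to matter, record the reason next to it, e.g. `# warn so failed-login lines reach journald for crowdsec`, or the next cleanup will put it back to critical. The enclosing attribute set begins before the hunk.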


@ -4,11 +4,12 @@
../modules/nixos/common/tailscale.nix
../modules/soju.nix
../modules/containers/docker/pangolin.nix
../modules/adguard.nix
# ../modules/adguard.nix
../modules/containers/docker/juicefs.nix
../modules/nixos/orac/restic.nix
../modules/containers/docker/karakeep/docker-compose.nix
../modules/nixos/orac/monitoring.nix
../modules/containers/docker/crowdsec/crowdsec.nix
];
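Review bot: `# ../modules/adguard.nix` leaves that module disabled by a bare commented-out import with no reason, so the next reader cannot tell whether this is a temporary toggle or a decommission; either delete the line or annotate it, e.g. `# adguard.nix disabled: <reason, date>; re-enable or remove`. Since the same hunk brings in `crowdsec.nix`, which needs outbound name resolution for hub updates, it is worth stating what resolves DNS on this host now if AdGuard was doing it. The `imports` list begins before the hunk.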
networking.firewall = {
@ -56,12 +57,12 @@
networking.domain = "";
users.users.death916.openssh.authorizedKeys.keys = [
''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA02MxjL3+2gY3TenuezzmqObP7/AZ3rh/0PH7lqfxQY death916@nixos''
''ssh-rsa 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 death916@nixos''
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA02MxjL3+2gY3TenuezzmqObP7/AZ3rh/0PH7lqfxQY death916@nixos"
"ssh-rsa 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 death916@nixos"
];
users.users.root.openssh.authorizedKeys.keys = [
''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA02MxjL3+2gY3TenuezzmqObP7/AZ3rh/0PH7lqfxQY death916@nixos''
''ssh-rsa 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 death916@nixos''
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA02MxjL3+2gY3TenuezzmqObP7/AZ3rh/0PH7lqfxQY death916@nixos"
"ssh-rsa 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 death916@nixos"
];
nix.gc = {