diff --git a/configuration/default.nix b/configuration/default.nix
index d4c422f..18d124e 100644
--- a/configuration/default.nix
+++ b/configuration/default.nix
@@ -18,11 +18,10 @@
./services/backups.nix
./services/battery-manager.nix
./services/conduit.nix
- ./services/crowdsec.nix
+ ./services/fail2ban.nix
./services/foundryvtt.nix
./services/gitea.nix
./services/metrics
- ./services/minecraft.nix
./services/nextcloud.nix
./services/webserver.nix
./services/wireguard.nix
@@ -71,6 +70,8 @@
8448
# starbound
21025
+ # Minecraft
+ 25565
config.services.coturn.listening-port
config.services.coturn.tls-listening-port
@@ -79,6 +80,9 @@
];
allowedUDPPorts = [
+ # More minecraft
+ 25565
+
config.services.coturn.listening-port
config.services.coturn.tls-listening-port
config.services.coturn.alt-listening-port
diff --git a/configuration/services/crowdsec.nix b/configuration/services/crowdsec.nix
deleted file mode 100644
index 98dbeb3..0000000
--- a/configuration/services/crowdsec.nix
+++ /dev/null
@@ -1,26 +0,0 @@
-{ pkgs, config, ... }:
-{
- services.crowdsec = {
- enable = true;
- # clientCredentials = config.sops.secrets."crowdsec/credentials".path;
-
- settings.crowdsec_service.acquisition_path =
- (pkgs.formats.yaml { }).generate "crowdsec-acquisitions.yaml"
- {
- source = "journalctl";
- journalctl_filter = [ "_SYSTEMD_UNIT=sshd.service" ];
- labels.type = "syslog";
- };
- };
-}
-
-# db_config = {
-# type = "postgresql";
-# db_path = "/run/postgresql";
-# user = "crowdsec";
-# db_name = "crowdsec";
-# flush = {
-# max_items = 10000;
-# max_age = "14d";
-# };
-# };
diff --git a/configuration/services/fail2ban.nix b/configuration/services/fail2ban.nix
new file mode 100644
index 0000000..f09668c
--- /dev/null
+++ b/configuration/services/fail2ban.nix
@@ -0,0 +1,43 @@
+{ pkgs, ... }:
+{
+ services.fail2ban = {
+ enable = true;
+ extraPackages = [ pkgs.ipset ];
+ banaction = "iptables-ipset-proto6-allports";
+ bantime-increment.enable = true;
+
+ jails = {
+ nginx-botsearch = ''
+ enabled = true
+ logpath = /var/log/nginx/access.log
+ '';
+ };
+
+ ignoreIP = [
+ "127.0.0.0/8"
+ "10.0.0.0/8"
+ "172.16.0.0/12"
+ "192.168.0.0/16"
+ ];
+ };
+
+ # Allow metrics services to connect to the socket as well
+ users.groups.fail2ban = { };
+ systemd.services.fail2ban.serviceConfig = {
+ ExecStartPost =
+ "+"
+ + (pkgs.writeShellScript "fail2ban-post-start" ''
+ while ! [ -S /var/run/fail2ban/fail2ban.sock ]; do
+ sleep 1
+ done
+
+ while ! ${pkgs.netcat}/bin/nc -zU /var/run/fail2ban/fail2ban.sock; do
+ sleep 1
+ done
+
+ ${pkgs.coreutils}/bin/chown root:fail2ban /var/run/fail2ban /var/run/fail2ban/fail2ban.sock
+ ${pkgs.coreutils}/bin/chmod 660 /var/run/fail2ban/fail2ban.sock
+ ${pkgs.coreutils}/bin/chmod 710 /var/run/fail2ban
+ '');
+ };
+}
diff --git a/configuration/services/gitea.nix b/configuration/services/gitea.nix
index da01cde..c88dd01 100644
--- a/configuration/services/gitea.nix
+++ b/configuration/services/gitea.nix
@@ -59,6 +59,24 @@ in
};
};
+ # Block repeated failed login attempts
+ #
+ # TODO(tlater): Update this - we switched to forgejo, who knows what
+ # the new matches are.
+ # environment.etc = {
+ # "fail2ban/filter.d/gitea.conf".text = ''
+ # [Definition]
+ # failregex = .*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from <HOST>
+ # journalmatch = _SYSTEMD_UNIT=forgejo.service + _COMM=forgejo + SYSLOG_IDENTIFIER=forgejo
+ # '';
+ # };
+
+ # services.fail2ban.jails = {
+ # gitea = ''
+ # enabled = true
+ # '';
+ # };
+
services.backups.forgejo = {
user = "forgejo";
paths = [
diff --git a/configuration/services/metrics/exporters.nix b/configuration/services/metrics/exporters.nix
index ecd69bd..e16b945 100644
--- a/configuration/services/metrics/exporters.nix
+++ b/configuration/services/metrics/exporters.nix
@@ -68,6 +68,34 @@ in
};
};
+ extraExporters = {
+ fail2ban =
+ let
+ cfg = config.services.prometheus.extraExporters.fail2ban;
+ in
+ {
+ port = 9191;
+ serviceOpts = {
+ after = [ "fail2ban.service" ];
+ requires = [ "fail2ban.service" ];
+ serviceConfig = {
+ Group = "fail2ban";
+ RestrictAddressFamilies = [
+ "AF_UNIX"
+ "AF_INET"
+ "AF_INET6"
+ ];
+ ExecStart = lib.concatStringsSep " " [
+ "${pkgs.local.prometheus-fail2ban-exporter}/bin/fail2ban-prometheus-exporter"
+ "--collector.f2b.socket=/var/run/fail2ban/fail2ban.sock"
+ "--web.listen-address='${cfg.listenAddress}:${toString cfg.port}'"
+ "--collector.f2b.exit-on-socket-connection-error=true"
+ ];
+ };
+ };
+ };
+ };
+
# TODO(tlater):
# - wireguard (?)
# - postgres (?)
diff --git a/configuration/services/metrics/options.nix b/configuration/services/metrics/options.nix
index 8868c6c..69cbd6b 100644
--- a/configuration/services/metrics/options.nix
+++ b/configuration/services/metrics/options.nix
@@ -12,7 +12,6 @@ in
options = {
services.prometheus = {
extraExporters = mkOption {
- default = { };
type = types.attrsOf (
types.submodule {
options = {
diff --git a/configuration/services/metrics/victoriametrics.nix b/configuration/services/metrics/victoriametrics.nix
index 4ed2773..710cf70 100644
--- a/configuration/services/metrics/victoriametrics.nix
+++ b/configuration/services/metrics/victoriametrics.nix
@@ -10,7 +10,6 @@
extraSettings.authorization.credentials_file = config.sops.secrets."forgejo/metrics-token".path;
};
coturn.targets = [ "127.0.0.1:9641" ];
- crowdsec.targets = [ "127.0.0.1:6060" ];
};
};
}
diff --git a/configuration/services/minecraft.nix b/configuration/services/minecraft.nix
deleted file mode 100644
index 0477f44..0000000
--- a/configuration/services/minecraft.nix
+++ /dev/null
@@ -1,83 +0,0 @@
-{
- pkgs,
- lib,
- config,
- ...
-}:
-{
- services.minecraft-server = {
- enable = true;
- eula = true;
- # jvmOpts are set using a file for forge
- # jvmOpts = "-Xmx8G -Xms8G";
- openFirewall = true;
-
- declarative = true;
-
- whitelist = {
- tlater = "140d177a-966f-41b8-a4c0-e305babd291b";
- romino25 = "59cd1648-14a4-4bcf-8f5a-2e1bde678f2c";
- lasi25 = "0ab6e3d1-544a-47e7-8538-2e6c248e49a4";
- };
-
- serverProperties = {
- allow-flight = true;
- difficulty = "hard";
- motd = "tlater.net";
- spawn-protection = 1;
- white-list = true;
- enable-query = true;
- enable-status = true;
-
- # Allows the server to write chunks without hogging the main
- # thread...
- sync-chunk-writes = false;
- # Disables chat reporting, because we don't need any of that
- # drama on a lil' friends-only server.
- enforce-secure-profile = false;
- };
-
- package = pkgs.writeShellApplication {
- name = "minecraft-server";
- runtimeInputs = with pkgs; [ jdk17_headless ];
-
- text = ''
- exec /var/lib/minecraft/run.sh $@
- '';
- };
- };
-
- systemd.services.minecraft-server = {
- path = with pkgs; [ jdk17_headless ];
-
- # Since we read from our own HTTP server, we need to wait for it
- # to be up
- after = [ "nginx.service" ];
-
- serviceConfig = {
- # Use packwiz to install mods
- ExecStartPre = [
- "${pkgs.jdk17_headless}/bin/java -jar ${config.services.minecraft-server.dataDir}/packwiz-installer-bootstrap.jar -g -s server 'https://minecraft.${config.services.nginx.domain}/cobblemon-pack/pack.toml'"
- ];
- # Forge requires some bonus JVM options, which they include in a
- # little `run.sh` script
- ExecStart = lib.mkForce "${config.services.minecraft-server.dataDir}/run.sh --nogui";
- };
- };
-
- systemd.tmpfiles.settings."10-minecraft" = {
- "/srv/minecraft".d = {
- user = "nginx";
- group = "minecraft";
- mode = "0775";
- };
- };
-
- services.nginx.virtualHosts."minecraft.${config.services.nginx.domain}" = {
- forceSSL = true;
- useACMEHost = "tlater.net";
- enableHSTS = true;
-
- root = "/srv/minecraft";
- };
-}
diff --git a/configuration/services/nextcloud.nix b/configuration/services/nextcloud.nix
index b5cb691..e54df14 100644
--- a/configuration/services/nextcloud.nix
+++ b/configuration/services/nextcloud.nix
@@ -70,6 +70,29 @@ in
# The upstream module already adds HSTS
};
+ # Block repeated failed login attempts
+ environment.etc = {
+ "fail2ban/filter.d/nextcloud.conf".text = ''
+ [Definition]
+ _groupsre = (?:(?:,?\s*"\w+":(?:"[^"]+"|\w+))*)
+ failregex = \{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Login failed:
+ \{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Trusted domain error.
+ datepattern = ,?\s*"time"\s*:\s*"%%Y-%%m-%%d[T ]%%H:%%M:%%S(%%z)?"
+ journalmatch = SYSLOG_IDENTIFIER=Nextcloud
+ '';
+ };
+
+ services.fail2ban.jails = {
+ nextcloud = ''
+ enabled = true
+
+ # Nextcloud does some throttling already, so we need to set
+ # these to something bigger.
+ findtime = 43200
+ bantime = 86400
+ '';
+ };
+
services.backups.nextcloud = {
user = "nextcloud";
paths = [
diff --git a/configuration/sops.nix b/configuration/sops.nix
index 1c09c7e..bc21834 100644
--- a/configuration/sops.nix
+++ b/configuration/sops.nix
@@ -13,11 +13,6 @@
group = "battery-manager";
};
- "crowdsec/credentials" = {
- owner = "crowdsec";
- group = "crowdsec";
- };
-
# Gitea
"forgejo/metrics-token" = {
owner = "forgejo";
diff --git a/flake.lock b/flake.lock
index d761f4f..d349bea 100644
--- a/flake.lock
+++ b/flake.lock
@@ -114,10 +114,44 @@
"type": "github"
}
},
+ "flake-compat_3": {
+ "flake": false,
+ "locked": {
+ "lastModified": 1696426674,
+ "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
+ "owner": "edolstra",
+ "repo": "flake-compat",
+ "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
+ "type": "github"
+ },
+ "original": {
+ "owner": "edolstra",
+ "repo": "flake-compat",
+ "type": "github"
+ }
+ },
"flake-utils": {
"inputs": {
"systems": "systems_2"
},
+ "locked": {
+ "lastModified": 1731533236,
+ "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
+ "owner": "numtide",
+ "repo": "flake-utils",
+ "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
+ "type": "github"
+ },
+ "original": {
+ "owner": "numtide",
+ "repo": "flake-utils",
+ "type": "github"
+ }
+ },
+ "flake-utils_2": {
+ "inputs": {
+ "systems": "systems_3"
+ },
"locked": {
"lastModified": 1726560853,
"narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=",
@@ -238,15 +272,37 @@
"type": "github"
}
},
+ "nvfetcher": {
+ "inputs": {
+ "flake-compat": "flake-compat_2",
+ "flake-utils": "flake-utils",
+ "nixpkgs": [
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1732501185,
+ "narHash": "sha256-Z0BpHelaGQsE5VD9hBsBHsvMU9h+Xt0kfkDJyFivZOU=",
+ "owner": "berberman",
+ "repo": "nvfetcher",
+ "rev": "bdb14eab6fe9cefc29efe01e60c3a3f616d6b62a",
+ "type": "github"
+ },
+ "original": {
+ "owner": "berberman",
+ "repo": "nvfetcher",
+ "type": "github"
+ }
+ },
"poetry2nixi": {
"inputs": {
- "flake-utils": "flake-utils",
+ "flake-utils": "flake-utils_2",
"nix-github-actions": "nix-github-actions",
"nixpkgs": [
"sonnenshift",
"nixpkgs"
],
- "systems": "systems_3",
+ "systems": "systems_4",
"treefmt-nix": "treefmt-nix"
},
"locked": {
@@ -265,7 +321,7 @@
},
"purescript-overlay": {
"inputs": {
- "flake-compat": "flake-compat_2",
+ "flake-compat": "flake-compat_3",
"nixpkgs": [
"tlaternet-webserver",
"dream2nix",
@@ -311,6 +367,7 @@
"foundryvtt": "foundryvtt",
"nixpkgs": "nixpkgs_2",
"nixpkgs-unstable": "nixpkgs-unstable",
+ "nvfetcher": "nvfetcher",
"sonnenshift": "sonnenshift",
"sops-nix": "sops-nix",
"tlaternet-webserver": "tlaternet-webserver"
@@ -428,6 +485,21 @@
}
},
"systems_3": {
+ "locked": {
+ "lastModified": 1681028828,
+ "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+ "owner": "nix-systems",
+ "repo": "default",
+ "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-systems",
+ "repo": "default",
+ "type": "github"
+ }
+ },
+ "systems_4": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
diff --git a/flake.nix b/flake.nix
index 2253566..e6f1dcb 100644
--- a/flake.nix
+++ b/flake.nix
@@ -13,6 +13,10 @@
url = "github:Mic92/sops-nix";
inputs.nixpkgs.follows = "nixpkgs";
};
+ nvfetcher = {
+ url = "github:berberman/nvfetcher";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
tlaternet-webserver = {
url = "git+https://gitea.tlater.net/tlaternet/tlaternet.git";
inputs.nixpkgs.follows = "nixpkgs";
@@ -33,6 +37,7 @@
self,
nixpkgs,
sops-nix,
+ nvfetcher,
deploy-rs,
...
}@inputs:
@@ -115,6 +120,18 @@
${vm.config.system.build.vm.outPath}/bin/run-testvm-vm
'').outPath;
};
+
+ update-pkgs = {
+ type = "app";
+ program =
+ let
+ nvfetcher-bin = "${nvfetcher.packages.${system}.default}/bin/nvfetcher";
+ in
+ (pkgs.writeShellScript "update-pkgs" ''
+ cd "$(git rev-parse --show-toplevel)/pkgs"
+ ${nvfetcher-bin} -o _sources_pkgs -c nvfetcher.toml
+ '').outPath;
+ };
};
###########################
diff --git a/keys/staging.yaml b/keys/staging.yaml
index 36212cd..091424d 100644
--- a/keys/staging.yaml
+++ b/keys/staging.yaml
@@ -2,8 +2,6 @@ hetzner-api: ENC[AES256_GCM,data:1Zjp003j60g=,iv:+vDcyiqYm4A9CMIrW4oGZKdZiczatBc
battery-manager:
email: ENC[AES256_GCM,data:LM/EGzWHfVQ=,iv:jFaoUQuUfuGoOyj/GFpdI8TerH/c8D9fjvio+IEt2Tc=,tag:IWLiN011JEnHRLIXWQgfmA==,type:str]
password: ENC[AES256_GCM,data:SUxjqS7SJHM=,iv:LvdKk88S+nSImh6/ZezbFGLCUBu1Lpdu+neF2xyHdBg=,tag:rcMyZuW4FVNbcbz00wQKBg==,type:str]
-crowdsec:
- credentials: ENC[AES256_GCM,data:jJ+tRa3696odtbI=,iv:M3bhbrqa2XxNkt97Vih/zUaX3J2F71tbSXm/ARo5wQ8=,tag:DlFJJ4qZq4tc80ArUmcCOA==,type:str]
forgejo:
metrics-token: ENC[AES256_GCM,data:HEDV/GK/WtI=,iv:ihPEusEGVUNZjjjxz2ys6Nfag/og4n7Cqmd4rroT6Ww=,tag:Brcv7XW6HfzzgF3emtuT2A==,type:str]
grafana:
@@ -34,8 +32,8 @@ sops:
azure_kv: []
hc_vault: []
age: []
- lastmodified: "2025-01-23T17:19:30Z"
- mac: ENC[AES256_GCM,data:eWItAwXJ3JTf3RgzFo8oh0REeCeeZvLWZn8jsIpdRMsA+pRXTu8d+Eh5YCkUA13P/rNbn28EP7hEwEIU7RQSoTuyO2gNytoROkOttO/m0ehwSX6b5Kvwjw81KpQ6GBXst5BEaCkPznv5iBLuYLnngM3QE3GauTdUI63yVWSomUI=,iv:/0SuOpE01hr8CXbRvcRrClLzfid1WJoIyZ/qilV6UrM=,tag:/HDq+n8ahiMCUIwpTHT/kA==,type:str]
+ lastmodified: "2024-04-15T23:13:27Z"
+ mac: ENC[AES256_GCM,data:JhEVrKF2Jsqpdztcr3g5lMrgEFeLXfBRQTwQJ6PmLSNyDORcTU09TJPNWTPDnR5okDrvIU/wlzi5DZ8A0ebNhrKf6l0tNFBT9LSvQFHU5SBxqY/m8uEJKSrEC4IL5lugOOISDka2KSvYXVCXrumMHE5FnmOS/CgOZaZk6LUjPYA=,iv:ygygnSedcTo2Vsc56s2qrz1qkWchvSgvoiMTebRxQQ8=,tag:vf6z8rxsXmqzwpDy9Avifw==,type:str]
pgp:
- created_at: "2025-01-21T17:55:30Z"
enc: |-
@@ -73,4 +71,4 @@ sops:
-----END PGP MESSAGE-----
fp: 2f5caa73e7ceea4fcc8d2881fde587e6737d2dbc
unencrypted_suffix: _unencrypted
- version: 3.9.2
+ version: 3.8.1
diff --git a/modules/crowdsec.nix b/modules/crowdsec.nix
deleted file mode 100644
index c53f301..0000000
--- a/modules/crowdsec.nix
+++ /dev/null
@@ -1,237 +0,0 @@
-{
- pkgs,
- lib,
- config,
- ...
-}:
-let
- cfg = config.services.crowdsec;
- settingsFormat = pkgs.formats.yaml { };
-
- # TODO(tlater): Upstream properly installing the service file
- crowdsec = pkgs.symlinkJoin {
- name = "crowdsec-with-unit";
- paths = [
- pkgs.crowdsec
- (pkgs.runCommandLocal "crowdsec.service" { } ''
- mkdir -p $out/lib/systemd/system/
-
- substitute ${pkgs.crowdsec}/share/crowdsec/config/crowdsec.service $out/lib/systemd/system/crowdsec.service \
- --replace-fail /usr/local ${pkgs.crowdsec}
- '')
- ];
- };
-in
-{
- options.services.crowdsec =
- let
- inherit (lib.types) nullOr package path;
- in
- {
- enable = lib.mkEnableOption "crowdsec";
-
- package = lib.mkOption {
- type = package;
- default = crowdsec;
- };
-
- stateDirectory = lib.mkOption {
- type = path;
- readOnly = true;
-
- description = ''
- The state directory of the crowdsec instance. Cannot be
- changed, but is exposed for downstream use.
- '';
- };
-
- settings = lib.mkOption {
- inherit (settingsFormat) type;
- default = { };
-
- description = ''
- The crowdsec configuration. Refer to
- <https://docs.crowdsec.net/docs/next/configuration/crowdsec_configuration/>
- for details on supported values.
- '';
- };
-
- # clientCredentials = lib.mkOption {
- # type = path;
-
- # description = ''
- # The API client credentials to configure; Required to access
- # the service at all.
- # '';
- # };
-
- centralApiCredentials = lib.mkOption {
- type = nullOr path;
- default = null;
-
- description = ''
- The API key to access crowdsec's central API - this is
- required to access any of the shared blocklists.
-
- Use of this feature is optional, entering no API key (the
- default) turns all sharing or receiving of blocked IPs off.
-
- Note that adding the API key by itself does not enable
- sharing of blocked IPs with the central API. This limits the
- types of blocklists this instance can access.
-
- To also turn sharing blocked IPs on, set
- `api.server.online_client.sharing = true;`.
- '';
- };
-
- ctiApiKey = lib.mkOption {
- type = nullOr path;
- default = null;
-
- description = ''
- The API key for crowdsec's CTI offering.
- '';
- };
- };
-
- config = lib.mkIf cfg.enable {
- # Set up default settings; anything that *shouldn't* be changed is
- # set to the default priority so that users need to use
- # `lib.mkForce`.
- services.crowdsec = {
- stateDirectory = "/var/lib/crowdsec";
-
- settings = {
- common = {
- # Default config daemonizes, but the service is set to
- # `notify`; presumably the daemonization isn't really intended
- daemonize = false;
- # The default logs to files, which isn't the preferred way
- # on NixOS
- log_media = "stdout";
- };
-
- config_paths = {
- config_dir = "/etc/crowdsec/";
- data_dir = "${cfg.stateDirectory}/data/";
- # This "config" file is intended to be written to using the
- # cscli tool, so you can temporarily make it so rules don't
- # do anything but log what they *would* do for
- # experimentation.
- simulation_path = "${cfg.stateDirectory}/config/simulation.yaml";
-
- pattern_dir = "${cfg.package}/share/crowdsec/config/patterns";
-
- # We don't want to actually download anything; Any rules
- # will be properly packaged.
- hub_dir = lib.mkDefault "/var/empty/";
- index_path = lib.mkDefault "/var/empty/.index.json";
-
- # Integrations aren't supported for now
- notification_dir = lib.mkDefault "/var/empty/";
- plugin_dir = lib.mkDefault "/var/empty/";
- };
-
- crowdsec_service.acquisition_path = lib.mkDefault "${cfg.package}/share/crowdsec/config/acquis.yaml";
-
- cscli = {
- prometheus_uri = lib.mkDefault "127.0.0.1:6060";
- };
-
- api = {
- cti = {
- enabled = cfg.ctiApiKey != null;
- key = cfg.ctiApiKey;
- };
- # client.credentials_path = cfg.clientCredentials;
- client.credentials_path = "${cfg.stateDirectory}/local_credentials.yaml";
- server = {
- listen_uri = lib.mkDefault "127.0.0.1:8080";
- profiles_path = lib.mkDefault "${cfg.package}/share/crowdsec/config/profiles.yaml";
- console_path = lib.mkDefault "${cfg.package}/share/crowdsec/config/console.yaml";
-
- online_client = {
- # By default, we don't let crowdsec phone home, since
- # this is usually within NixOS users' concerns.
- #
- # TODO: Enable when this option becomes available
- # (1.6.4, current nixpkgs-unstable)
- # sharing = lib.mkDefault false;
- credentials_path = cfg.centralApiCredentials;
- };
- };
- };
-
- # We enable prometheus by default, since cscli relies on it
- # for metrics
- prometheus = {
- enabled = lib.mkDefault true;
- level = lib.mkDefault "full";
- listen_addr = lib.mkDefault "127.0.0.1";
- listen_port = lib.mkDefault 6060;
- };
- };
- };
-
- systemd.packages = [
- cfg.package
- ];
-
- environment.etc."crowdsec/config.yaml".source =
- settingsFormat.generate "crowdsec-settings.yaml" cfg.settings;
-
- # Note that the service basics are already defined upstream
- systemd.services.crowdsec.serviceConfig = {
-
- # TODO: ExecStartPre to make `/var/lib/crowdsec/config`
-
- User = "crowdsec";
- Group = "crowdsec";
- SupplementaryGroups = [ "systemd-journal" ];
-
- StateDirectory = "crowdsec";
-
- PrivateTmp = true;
- PrivateUsers = true;
- ProtectHome = true;
- CapabilityBoundingSet = [ ];
- LockPersonality = true;
- PrivateDevices = true;
- ProtectHostname = true;
- ProtectKernelTunables = true;
- ProtectKernelModules = true;
- ProtectControlGroups = true;
-
- NoNewPrivileges = true;
- RestrictSUIDSGID = true;
-
- ProtectProc = "invisible";
- ProcSubset = "pid"; # Needed for journal access
-
- RestrictNamespaces = true;
- RestrictRealtime = true;
-
- SystemCallFilter = [
- "@system-service"
- "@network-io"
- ];
- SystemCallArchitectures = [ "native" ];
- SystemCallErrorNumber = "EPERM";
-
- ExecPaths = [ "/nix/store" ];
- NoExecPaths = [ "/" ];
- };
-
- users = {
- users.crowdsec = {
- isSystemUser = true;
- home = cfg.stateDirectory;
- group = "crowdsec";
- };
- groups = {
- crowdsec = { };
- };
- };
- };
-}
diff --git a/modules/default.nix b/modules/default.nix
index 977539a..e1db4cc 100644
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -1,6 +1 @@
-{
- imports = [
- ./crowdsec.nix
- ./nginxExtensions.nix
- ];
-}
+{ imports = [ ./nginxExtensions.nix ]; }
diff --git a/pkgs/_sources_pkgs/generated.json b/pkgs/_sources_pkgs/generated.json
new file mode 100644
index 0000000..cec5a92
--- /dev/null
+++ b/pkgs/_sources_pkgs/generated.json
@@ -0,0 +1,22 @@
+{
+ "prometheus-fail2ban-exporter": {
+ "cargoLocks": null,
+ "date": null,
+ "extract": null,
+ "name": "prometheus-fail2ban-exporter",
+ "passthru": null,
+ "pinned": false,
+ "src": {
+ "deepClone": false,
+ "fetchSubmodules": false,
+ "leaveDotGit": false,
+ "name": null,
+ "rev": "v0.10.1",
+ "sha256": "sha256-zGEhDy3uXIbvx4agSA8Mx7bRtiZZtoDZGbNbHc9L+yI=",
+ "sparseCheckout": [],
+ "type": "git",
+ "url": "https://gitlab.com/hectorjsmith/fail2ban-prometheus-exporter"
+ },
+ "version": "v0.10.1"
+ }
+}
\ No newline at end of file
diff --git a/pkgs/_sources_pkgs/generated.nix b/pkgs/_sources_pkgs/generated.nix
new file mode 100644
index 0000000..95fd75e
--- /dev/null
+++ b/pkgs/_sources_pkgs/generated.nix
@@ -0,0 +1,17 @@
+# This file was generated by nvfetcher, please do not modify it manually.
+{ fetchgit, fetchurl, fetchFromGitHub, dockerTools }:
+{
+ prometheus-fail2ban-exporter = {
+ pname = "prometheus-fail2ban-exporter";
+ version = "v0.10.1";
+ src = fetchgit {
+ url = "https://gitlab.com/hectorjsmith/fail2ban-prometheus-exporter";
+ rev = "v0.10.1";
+ fetchSubmodules = false;
+ deepClone = false;
+ leaveDotGit = false;
+ sparseCheckout = [ ];
+ sha256 = "sha256-zGEhDy3uXIbvx4agSA8Mx7bRtiZZtoDZGbNbHc9L+yI=";
+ };
+ };
+}
diff --git a/pkgs/default.nix b/pkgs/default.nix
index 036afd4..131282d 100644
--- a/pkgs/default.nix
+++ b/pkgs/default.nix
@@ -4,4 +4,7 @@ let
in
{
starbound = callPackage ./starbound { };
+ prometheus-fail2ban-exporter = callPackage ./prometheus/fail2ban-exporter.nix {
+ sources = pkgs.callPackage ./_sources_pkgs/generated.nix { };
+ };
}
diff --git a/pkgs/nvfetcher.toml b/pkgs/nvfetcher.toml
new file mode 100644
index 0000000..d0dfbe5
--- /dev/null
+++ b/pkgs/nvfetcher.toml
@@ -0,0 +1,3 @@
+[prometheus-fail2ban-exporter]
+src.manual = "v0.10.1" # No gitlab support in nvfetcher
+fetch.git = "https://gitlab.com/hectorjsmith/fail2ban-prometheus-exporter"
diff --git a/pkgs/prometheus/fail2ban-exporter.nix b/pkgs/prometheus/fail2ban-exporter.nix
new file mode 100644
index 0000000..dc22b6c
--- /dev/null
+++ b/pkgs/prometheus/fail2ban-exporter.nix
@@ -0,0 +1,5 @@
+{ buildGoModule, sources }:
+buildGoModule {
+ inherit (sources.prometheus-fail2ban-exporter) pname src version;
+ vendorHash = "sha256-5o8p5p0U/c0WAIV5dACnWA3ThzSh2tt5LIFMb59i9GY=";
+}