From 2f108e708ffa99e1e210cc7ac2566554a144465a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tristan=20Dani=C3=ABl=20Maat?= <tm@tlater.net>
Date: Sun, 16 Feb 2025 18:46:25 +0800
Subject: [PATCH 1/4] WIP: chore(coturn): Switch to letsencrypt certificate
Fixes #107
---
configuration/nginx.nix | 8 ++++++-
configuration/services/conduit/default.nix | 11 +++++----
configuration/services/metrics/exporters.nix | 10 ++++++++
.../services/metrics/victoriametrics.nix | 24 +++++++++++++++++++
4 files changed, 47 insertions(+), 6 deletions(-)
diff --git a/configuration/nginx.nix b/configuration/nginx.nix
index 0b72cc1..3ec3bd9 100644
--- a/configuration/nginx.nix
+++ b/configuration/nginx.nix
@@ -53,7 +53,7 @@
"*.tlater.com"
];
dnsProvider = "porkbun";
- group = "nginx";
+ group = "ssl-cert";
credentialFiles = {
PORKBUN_API_KEY_FILE = config.sops.secrets."porkbun/api-key".path;
PORKBUN_SECRET_API_KEY_FILE = config.sops.secrets."porkbun/secret-api-key".path;
@@ -61,6 +61,12 @@
};
};
+ users.groups.ssl-cert = { };
+
+ systemd.services.nginx.serviceConfig.SupplementaryGroups = [
+ config.security.acme.certs."tlater.net".group
+ ];
+
services.backups.acme = {
user = "acme";
paths = lib.mapAttrsToList (
diff --git a/configuration/services/conduit/default.nix b/configuration/services/conduit/default.nix
index c3803f4..c7e4ab4 100644
--- a/configuration/services/conduit/default.nix
+++ b/configuration/services/conduit/default.nix
@@ -50,6 +50,10 @@ in
# See also https://gitlab.com/famedly/conduit/-/issues/314
systemd.services.conduit.serviceConfig.EnvironmentFile = config.sops.secrets."turn/env".path;
+ systemd.services.coturn.serviceConfig.SupplementaryGroups = [
+ config.security.acme.certs."tlater.net".group
+ ];
+
services.coturn = {
enable = true;
no-cli = true;
@@ -59,11 +63,8 @@ in
relay-ips = [ "116.202.158.55" ];
# SSL config
- #
- # TODO(tlater): Switch to letsencrypt once google fix:
- # https://github.com/vector-im/element-android/issues/1533
- pkey = config.sops.secrets."turn/ssl-key".path;
- cert = config.sops.secrets."turn/ssl-cert".path;
+ pkey = "${config.security.acme.certs."tlater.net".directory}/key.pem";
+ cert = "${config.security.acme.certs."tlater.net".directory}/fullchain.pem";
# Based on suggestions from
# https://github.com/matrix-org/synapse/blob/develop/docs/turn-howto.md
diff --git a/configuration/services/metrics/exporters.nix b/configuration/services/metrics/exporters.nix
index a47a701..78ba684 100644
--- a/configuration/services/metrics/exporters.nix
+++ b/configuration/services/metrics/exporters.nix
@@ -20,6 +20,16 @@ in
timeout = "5s";
http.preferred_ip_protocol = "ip4";
};
+
+ turn_server = {
+ prober = "tcp";
+ timeout = "5s";
+ tcp = {
+ preferred_ip_protocol = "ip4";
+ source_ip_address = "116.202.158.55";
+ tls = true;
+ };
+ };
};
};
};
diff --git a/configuration/services/metrics/victoriametrics.nix b/configuration/services/metrics/victoriametrics.nix
index eca65d0..4a78d46 100644
--- a/configuration/services/metrics/victoriametrics.nix
+++ b/configuration/services/metrics/victoriametrics.nix
@@ -40,6 +40,30 @@ in
};
};
+ blackbox_turn = {
+ targets = [ "turn.tlater.net:${toString config.services.coturn.tls-listening-port}" ];
+
+ extraSettings = {
+ metrics_path = "/probe";
+ params.module = [ "turn_server" ];
+
+ relabel_configs = [
+ {
+ source_labels = [ "__address__" ];
+ target_label = "__param_target";
+ }
+ {
+ source_labels = [ "__param_target" ];
+ target_label = "instance";
+ }
+ {
+ target_label = "__address__";
+ replacement = "${blackbox_host}:${toString blackbox_port}";
+ }
+ ];
+ };
+ };
+
blackbox_exporter.targets = [ "${blackbox_host}:${toString blackbox_port}" ];
coturn.targets = [ "127.0.0.1:9641" ];
From 778818a359237dbaa0e5270167e0b64dd3fc93f1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tristan=20Dani=C3=ABl=20Maat?= <tm@tlater.net>
Date: Sun, 23 Feb 2025 00:42:13 +0800
Subject: [PATCH 2/4] WIP: fix(crowdsec): Make the whitelists actually work
---
configuration/services/crowdsec.nix | 44 +++++++----------------
modules/crowdsec/default.nix | 56 +++++++++++++++--------------
2 files changed, 41 insertions(+), 59 deletions(-)
diff --git a/configuration/services/crowdsec.nix b/configuration/services/crowdsec.nix
index 6e0f367..6860354 100644
--- a/configuration/services/crowdsec.nix
+++ b/configuration/services/crowdsec.nix
@@ -12,6 +12,18 @@
"10.45.249.2"
];
+ extraConfig."postoverflows/s01-whitelist/matrix-whitelist.yaml" = {
+ name = "tetsumaki/matrix";
+ description = "custom matrix whitelist";
+ whitelist = {
+ reason = "whitelist false positive for matrix";
+ expression = [
+ "evt.Overflow.Alert.Events[0].GetMeta('target_fqdn') == '${config.services.matrix-conduit.settings.global.server_name}'"
+ "evt.Overflow.Alert.GetScenario() in ['crowdsecurity/http-probing', 'crowdsecurity/http-crawl-non_statics']"
+ ];
+ };
+ };
+
extraGroups = [
"systemd-journal"
"nginx"
@@ -55,36 +67,4 @@
};
};
};
-
- # Add whitelists for matrix
- systemd.tmpfiles.settings."10-matrix" =
- let
- stateDir = config.security.crowdsec.stateDirectory;
- in
- {
- "${stateDir}/config/postoverflows".d = {
- user = "crowdsec";
- group = "crowdsec";
- mode = "0700";
- };
-
- "${stateDir}/config/postoverflows/s01-whitelist".d = {
- user = "crowdsec";
- group = "crowdsec";
- mode = "0700";
- };
-
- "${stateDir}/config/postoverflows/s01-whitelist/matrix-whitelist.yaml"."L+".argument =
- ((pkgs.formats.yaml { }).generate "crowdsec-matrix-whitelist.yaml" {
- name = "tetsumaki/matrix";
- description = "custom matrix whitelist";
- whitelist = {
- reason = "whitelist false positive for matrix";
- expression = [
- "evt.Overflow.Alert.Events[0].GetMeta('target_fqdn') == '${config.services.matrix-conduit.settings.global.server_name}'"
- "evt.Overflow.Alert.GetScenario() in ['crowdsecurity/http-probing', 'crowdsecurity/http-crawl-non_statics']"
- ];
- };
- }).outPath;
- };
}
diff --git a/modules/crowdsec/default.nix b/modules/crowdsec/default.nix
index c0003a5..cc14939 100644
--- a/modules/crowdsec/default.nix
+++ b/modules/crowdsec/default.nix
@@ -31,6 +31,22 @@ let
${lib.concatMapStringsSep "\n---\n" builtins.toJSON cfg.acquisitions}
---
'';
+
+ extraConfigs = pkgs.symlinkJoin {
+ name = "crowdsec-extra-configs";
+ paths = lib.mapAttrsToList (
+ path: settings:
+ (settingsFormat.generate path settings).overrideAttrs (old: {
+ patchPhase = ''
+ mkdir -p "$out/${dirOf path}/"
+ out="$out/${dirOf path}/"
+
+ echo $out
+ exit 1
+ '';
+ })
+ ) cfg.extraConfig;
+ };
in
{
imports = [ ./remediations ];
@@ -38,6 +54,7 @@ in
options.security.crowdsec =
let
inherit (lib.types)
+ attrsOf
nullOr
listOf
package
@@ -85,6 +102,16 @@ in
'';
};
+ extraConfig = lib.mkOption {
+ type = attrsOf (settingsFormat.type);
+ default = {
+ "parsers/s02-enrich/nixos-whitelist.yaml" = cfg.parserWhitelist;
+ };
+ description = ''
+ Set of additional configurations to install.
+ '';
+ };
+
acquisitions = lib.mkOption {
type = listOf settingsFormat.type;
default = [ ];
@@ -300,33 +327,6 @@ in
group = "crowdsec";
mode = "0700";
};
-
- "${cfg.stateDirectory}/config/parsers".d = lib.mkIf (cfg.parserWhitelist != [ ]) {
- user = "crowdsec";
- group = "crowdsec";
- mode = "0700";
- };
-
- "${cfg.stateDirectory}/config/parsers/s02-enrich".d = lib.mkIf (cfg.parserWhitelist != [ ]) {
- user = "crowdsec";
- group = "crowdsec";
- mode = "0700";
- };
-
- "${cfg.stateDirectory}/config/parsers/s02-enrich/nixos-whitelist.yaml" =
- lib.mkIf (cfg.parserWhitelist != [ ])
- {
- "L+".argument =
- (settingsFormat.generate "crowdsec-nixos-whitelist.yaml" {
- name = "nixos/parser-whitelist";
- description = "Parser whitelist generated by the crowdsec NixOS module";
- whitelist = {
- reason = "Filtered by NixOS whitelist";
- ip = lib.lists.filter (ip: !(lib.hasInfix "/" ip)) cfg.parserWhitelist;
- cidr = lib.lists.filter (ip: lib.hasInfix "/" ip) cfg.parserWhitelist;
- };
- }).outPath;
- };
};
services = {
@@ -336,6 +336,8 @@ in
description = "Crowdsec database and config preparation";
script = ''
+ cp --copy-contents --recursive ${extraConfigs}/. ${cfg.stateDirectory}/config
+
if [ ! -e '${cfg.settings.config_paths.simulation_path}' ]; then
cp '${cfg.package}/share/crowdsec/config/simulation.yaml' '${cfg.settings.config_paths.simulation_path}'
fi
From a60cb7f60cc58e2696f171884f9130d451b3d2c1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tristan=20Dani=C3=ABl=20Maat?= <tm@tlater.net>
Date: Sun, 16 Feb 2025 18:46:25 +0800
Subject: [PATCH 3/4] chore(coturn): Switch to letsencrypt certificate
Fixes #107
---
configuration/nginx.nix | 8 ++++++-
configuration/services/conduit/default.nix | 11 +++++----
configuration/services/metrics/exporters.nix | 10 ++++++++
.../services/metrics/victoriametrics.nix | 24 +++++++++++++++++++
4 files changed, 47 insertions(+), 6 deletions(-)
diff --git a/configuration/nginx.nix b/configuration/nginx.nix
index 0b72cc1..3ec3bd9 100644
--- a/configuration/nginx.nix
+++ b/configuration/nginx.nix
@@ -53,7 +53,7 @@
"*.tlater.com"
];
dnsProvider = "porkbun";
- group = "nginx";
+ group = "ssl-cert";
credentialFiles = {
PORKBUN_API_KEY_FILE = config.sops.secrets."porkbun/api-key".path;
PORKBUN_SECRET_API_KEY_FILE = config.sops.secrets."porkbun/secret-api-key".path;
@@ -61,6 +61,12 @@
};
};
+ users.groups.ssl-cert = { };
+
+ systemd.services.nginx.serviceConfig.SupplementaryGroups = [
+ config.security.acme.certs."tlater.net".group
+ ];
+
services.backups.acme = {
user = "acme";
paths = lib.mapAttrsToList (
diff --git a/configuration/services/conduit/default.nix b/configuration/services/conduit/default.nix
index c3803f4..c7e4ab4 100644
--- a/configuration/services/conduit/default.nix
+++ b/configuration/services/conduit/default.nix
@@ -50,6 +50,10 @@ in
# See also https://gitlab.com/famedly/conduit/-/issues/314
systemd.services.conduit.serviceConfig.EnvironmentFile = config.sops.secrets."turn/env".path;
+ systemd.services.coturn.serviceConfig.SupplementaryGroups = [
+ config.security.acme.certs."tlater.net".group
+ ];
+
services.coturn = {
enable = true;
no-cli = true;
@@ -59,11 +63,8 @@ in
relay-ips = [ "116.202.158.55" ];
# SSL config
- #
- # TODO(tlater): Switch to letsencrypt once google fix:
- # https://github.com/vector-im/element-android/issues/1533
- pkey = config.sops.secrets."turn/ssl-key".path;
- cert = config.sops.secrets."turn/ssl-cert".path;
+ pkey = "${config.security.acme.certs."tlater.net".directory}/key.pem";
+ cert = "${config.security.acme.certs."tlater.net".directory}/fullchain.pem";
# Based on suggestions from
# https://github.com/matrix-org/synapse/blob/develop/docs/turn-howto.md
diff --git a/configuration/services/metrics/exporters.nix b/configuration/services/metrics/exporters.nix
index a47a701..78ba684 100644
--- a/configuration/services/metrics/exporters.nix
+++ b/configuration/services/metrics/exporters.nix
@@ -20,6 +20,16 @@ in
timeout = "5s";
http.preferred_ip_protocol = "ip4";
};
+
+ turn_server = {
+ prober = "tcp";
+ timeout = "5s";
+ tcp = {
+ preferred_ip_protocol = "ip4";
+ source_ip_address = "116.202.158.55";
+ tls = true;
+ };
+ };
};
};
};
diff --git a/configuration/services/metrics/victoriametrics.nix b/configuration/services/metrics/victoriametrics.nix
index eca65d0..4a78d46 100644
--- a/configuration/services/metrics/victoriametrics.nix
+++ b/configuration/services/metrics/victoriametrics.nix
@@ -40,6 +40,30 @@ in
};
};
+ blackbox_turn = {
+ targets = [ "turn.tlater.net:${toString config.services.coturn.tls-listening-port}" ];
+
+ extraSettings = {
+ metrics_path = "/probe";
+ params.module = [ "turn_server" ];
+
+ relabel_configs = [
+ {
+ source_labels = [ "__address__" ];
+ target_label = "__param_target";
+ }
+ {
+ source_labels = [ "__param_target" ];
+ target_label = "instance";
+ }
+ {
+ target_label = "__address__";
+ replacement = "${blackbox_host}:${toString blackbox_port}";
+ }
+ ];
+ };
+ };
+
blackbox_exporter.targets = [ "${blackbox_host}:${toString blackbox_port}" ];
coturn.targets = [ "127.0.0.1:9641" ];
From f959c6c671ca6a3f5b838f56afd06795a8744e24 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tristan=20Dani=C3=ABl=20Maat?= <tm@tlater.net>
Date: Sun, 23 Feb 2025 00:42:13 +0800
Subject: [PATCH 4/4] WIP: fix(crowdsec): Make the whitelists actually work
---
configuration/services/crowdsec.nix | 44 +++++++----------------
modules/crowdsec/default.nix | 56 +++++++++++++++--------------
2 files changed, 41 insertions(+), 59 deletions(-)
diff --git a/configuration/services/crowdsec.nix b/configuration/services/crowdsec.nix
index 6e0f367..6860354 100644
--- a/configuration/services/crowdsec.nix
+++ b/configuration/services/crowdsec.nix
@@ -12,6 +12,18 @@
"10.45.249.2"
];
+ extraConfig."postoverflows/s01-whitelist/matrix-whitelist.yaml" = {
+ name = "tetsumaki/matrix";
+ description = "custom matrix whitelist";
+ whitelist = {
+ reason = "whitelist false positive for matrix";
+ expression = [
+ "evt.Overflow.Alert.Events[0].GetMeta('target_fqdn') == '${config.services.matrix-conduit.settings.global.server_name}'"
+ "evt.Overflow.Alert.GetScenario() in ['crowdsecurity/http-probing', 'crowdsecurity/http-crawl-non_statics']"
+ ];
+ };
+ };
+
extraGroups = [
"systemd-journal"
"nginx"
@@ -55,36 +67,4 @@
};
};
};
-
- # Add whitelists for matrix
- systemd.tmpfiles.settings."10-matrix" =
- let
- stateDir = config.security.crowdsec.stateDirectory;
- in
- {
- "${stateDir}/config/postoverflows".d = {
- user = "crowdsec";
- group = "crowdsec";
- mode = "0700";
- };
-
- "${stateDir}/config/postoverflows/s01-whitelist".d = {
- user = "crowdsec";
- group = "crowdsec";
- mode = "0700";
- };
-
- "${stateDir}/config/postoverflows/s01-whitelist/matrix-whitelist.yaml"."L+".argument =
- ((pkgs.formats.yaml { }).generate "crowdsec-matrix-whitelist.yaml" {
- name = "tetsumaki/matrix";
- description = "custom matrix whitelist";
- whitelist = {
- reason = "whitelist false positive for matrix";
- expression = [
- "evt.Overflow.Alert.Events[0].GetMeta('target_fqdn') == '${config.services.matrix-conduit.settings.global.server_name}'"
- "evt.Overflow.Alert.GetScenario() in ['crowdsecurity/http-probing', 'crowdsecurity/http-crawl-non_statics']"
- ];
- };
- }).outPath;
- };
}
diff --git a/modules/crowdsec/default.nix b/modules/crowdsec/default.nix
index c0003a5..cc14939 100644
--- a/modules/crowdsec/default.nix
+++ b/modules/crowdsec/default.nix
@@ -31,6 +31,22 @@ let
${lib.concatMapStringsSep "\n---\n" builtins.toJSON cfg.acquisitions}
---
'';
+
+ extraConfigs = pkgs.symlinkJoin {
+ name = "crowdsec-extra-configs";
+ paths = lib.mapAttrsToList (
+ path: settings:
+ (settingsFormat.generate path settings).overrideAttrs (old: {
+ patchPhase = ''
+ mkdir -p "$out/${dirOf path}/"
+ out="$out/${dirOf path}/"
+
+ echo $out
+ exit 1
+ '';
+ })
+ ) cfg.extraConfig;
+ };
in
{
imports = [ ./remediations ];
@@ -38,6 +54,7 @@ in
options.security.crowdsec =
let
inherit (lib.types)
+ attrsOf
nullOr
listOf
package
@@ -85,6 +102,16 @@ in
'';
};
+ extraConfig = lib.mkOption {
+ type = attrsOf (settingsFormat.type);
+ default = {
+ "parsers/s02-enrich/nixos-whitelist.yaml" = cfg.parserWhitelist;
+ };
+ description = ''
+ Set of additional configurations to install.
+ '';
+ };
+
acquisitions = lib.mkOption {
type = listOf settingsFormat.type;
default = [ ];
@@ -300,33 +327,6 @@ in
group = "crowdsec";
mode = "0700";
};
-
- "${cfg.stateDirectory}/config/parsers".d = lib.mkIf (cfg.parserWhitelist != [ ]) {
- user = "crowdsec";
- group = "crowdsec";
- mode = "0700";
- };
-
- "${cfg.stateDirectory}/config/parsers/s02-enrich".d = lib.mkIf (cfg.parserWhitelist != [ ]) {
- user = "crowdsec";
- group = "crowdsec";
- mode = "0700";
- };
-
- "${cfg.stateDirectory}/config/parsers/s02-enrich/nixos-whitelist.yaml" =
- lib.mkIf (cfg.parserWhitelist != [ ])
- {
- "L+".argument =
- (settingsFormat.generate "crowdsec-nixos-whitelist.yaml" {
- name = "nixos/parser-whitelist";
- description = "Parser whitelist generated by the crowdsec NixOS module";
- whitelist = {
- reason = "Filtered by NixOS whitelist";
- ip = lib.lists.filter (ip: !(lib.hasInfix "/" ip)) cfg.parserWhitelist;
- cidr = lib.lists.filter (ip: lib.hasInfix "/" ip) cfg.parserWhitelist;
- };
- }).outPath;
- };
};
services = {
@@ -336,6 +336,8 @@ in
description = "Crowdsec database and config preparation";
script = ''
+ cp --copy-contents --recursive ${extraConfigs}/. ${cfg.stateDirectory}/config
+
if [ ! -e '${cfg.settings.config_paths.simulation_path}' ]; then
cp '${cfg.package}/share/crowdsec/config/simulation.yaml' '${cfg.settings.config_paths.simulation_path}'
fi