Compare commits
2 commits
778818a359
...
f959c6c671
| Author | SHA1 | Date | |
|---|---|---|---|
 Tristan Daniël Maat
|
f959c6c671
|
||
|
Tristan Daniël Maat
|
a60cb7f60c
|
configuration
modules/crowdsec
|
|
@ -53,7 +53,7 @@
|
|||
"*.tlater.com"
|
||||
];
|
||||
dnsProvider = "porkbun";
|
||||
group = "nginx";
|
||||
group = "ssl-cert";
|
||||
credentialFiles = {
|
||||
PORKBUN_API_KEY_FILE = config.sops.secrets."porkbun/api-key".path;
|
||||
PORKBUN_SECRET_API_KEY_FILE = config.sops.secrets."porkbun/secret-api-key".path;
|
||||
|
|
@ -61,6 +61,12 @@
|
|||
};
|
||||
};
|
||||
|
||||
users.groups.ssl-cert = { };
|
||||
|
||||
systemd.services.nginx.serviceConfig.SupplementaryGroups = [
|
||||
config.security.acme.certs."tlater.net".group
|
||||
];
|
||||
|
||||
services.backups.acme = {
|
||||
user = "acme";
|
||||
paths = lib.mapAttrsToList (
|
||||
|
|
|
|||
|
|
@ -50,6 +50,10 @@ in
|
|||
# See also https://gitlab.com/famedly/conduit/-/issues/314
|
||||
systemd.services.conduit.serviceConfig.EnvironmentFile = config.sops.secrets."turn/env".path;
|
||||
|
||||
systemd.services.coturn.serviceConfig.SupplementaryGroups = [
|
||||
config.security.acme.certs."tlater.net".group
|
||||
];
|
||||
|
||||
services.coturn = {
|
||||
enable = true;
|
||||
no-cli = true;
|
||||
|
|
@ -59,11 +63,8 @@ in
|
|||
relay-ips = [ "116.202.158.55" ];
|
||||
|
||||
# SSL config
|
||||
#
|
||||
# TODO(tlater): Switch to letsencrypt once google fix:
|
||||
# https://github.com/vector-im/element-android/issues/1533
|
||||
pkey = config.sops.secrets."turn/ssl-key".path;
|
||||
cert = config.sops.secrets."turn/ssl-cert".path;
|
||||
pkey = "${config.security.acme.certs."tlater.net".directory}/key.pem";
|
||||
cert = "${config.security.acme.certs."tlater.net".directory}/fullchain.pem";
|
||||
|
||||
# Based on suggestions from
|
||||
# https://github.com/matrix-org/synapse/blob/develop/docs/turn-howto.md
|
||||
|
|
|
|||
|
|
@ -12,6 +12,18 @@
|
|||
"10.45.249.2"
|
||||
];
|
||||
|
||||
extraConfig."postoverflows/s01-whitelist/matrix-whitelist.yaml" = {
|
||||
name = "tetsumaki/matrix";
|
||||
description = "custom matrix whitelist";
|
||||
whitelist = {
|
||||
reason = "whitelist false positive for matrix";
|
||||
expression = [
|
||||
"evt.Overflow.Alert.Events[0].GetMeta('target_fqdn') == '${config.services.matrix-conduit.settings.global.server_name}'"
|
||||
"evt.Overflow.Alert.GetScenario() in ['crowdsecurity/http-probing', 'crowdsecurity/http-crawl-non_statics']"
|
||||
];
|
||||
};
|
||||
};
|
||||
|
||||
extraGroups = [
|
||||
"systemd-journal"
|
||||
"nginx"
|
||||
|
|
@ -55,36 +67,4 @@
|
|||
};
|
||||
};
|
||||
};
|
||||
|
||||
# Add whitelists for matrix
|
||||
systemd.tmpfiles.settings."10-matrix" =
|
||||
let
|
||||
stateDir = config.security.crowdsec.stateDirectory;
|
||||
in
|
||||
{
|
||||
"${stateDir}/config/postoverflows".d = {
|
||||
user = "crowdsec";
|
||||
group = "crowdsec";
|
||||
mode = "0700";
|
||||
};
|
||||
|
||||
"${stateDir}/config/postoverflows/s01-whitelist".d = {
|
||||
user = "crowdsec";
|
||||
group = "crowdsec";
|
||||
mode = "0700";
|
||||
};
|
||||
|
||||
"${stateDir}/config/postoverflows/s01-whitelist/matrix-whitelist.yaml"."L+".argument =
|
||||
((pkgs.formats.yaml { }).generate "crowdsec-matrix-whitelist.yaml" {
|
||||
name = "tetsumaki/matrix";
|
||||
description = "custom matrix whitelist";
|
||||
whitelist = {
|
||||
reason = "whitelist false positive for matrix";
|
||||
expression = [
|
||||
"evt.Overflow.Alert.Events[0].GetMeta('target_fqdn') == '${config.services.matrix-conduit.settings.global.server_name}'"
|
||||
"evt.Overflow.Alert.GetScenario() in ['crowdsecurity/http-probing', 'crowdsecurity/http-crawl-non_statics']"
|
||||
];
|
||||
};
|
||||
}).outPath;
|
||||
};
|
||||
}
|
||||
|
|
|
|||
|
|
@ -20,6 +20,16 @@ in
|
|||
timeout = "5s";
|
||||
http.preferred_ip_protocol = "ip4";
|
||||
};
|
||||
|
||||
turn_server = {
|
||||
prober = "tcp";
|
||||
timeout = "5s";
|
||||
tcp = {
|
||||
preferred_ip_protocol = "ip4";
|
||||
source_ip_address = "116.202.158.55";
|
||||
tls = true;
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
|
|
|
|||
|
|
@ -40,6 +40,30 @@ in
|
|||
};
|
||||
};
|
||||
|
||||
blackbox_turn = {
|
||||
targets = [ "turn.tlater.net:${toString config.services.coturn.tls-listening-port}" ];
|
||||
|
||||
extraSettings = {
|
||||
metrics_path = "/probe";
|
||||
params.module = [ "turn_server" ];
|
||||
|
||||
relabel_configs = [
|
||||
{
|
||||
source_labels = [ "__address__" ];
|
||||
target_label = "__param_target";
|
||||
}
|
||||
{
|
||||
source_labels = [ "__param_target" ];
|
||||
target_label = "instance";
|
||||
}
|
||||
{
|
||||
target_label = "__address__";
|
||||
replacement = "${blackbox_host}:${toString blackbox_port}";
|
||||
}
|
||||
];
|
||||
};
|
||||
};
|
||||
|
||||
blackbox_exporter.targets = [ "${blackbox_host}:${toString blackbox_port}" ];
|
||||
|
||||
coturn.targets = [ "127.0.0.1:9641" ];
|
||||
|
|
|
|||
|
|
@ -31,6 +31,22 @@ let
|
|||
${lib.concatMapStringsSep "\n---\n" builtins.toJSON cfg.acquisitions}
|
||||
---
|
||||
'';
|
||||
|
||||
extraConfigs = pkgs.symlinkJoin {
|
||||
name = "crowdsec-extra-configs";
|
||||
paths = lib.mapAttrsToList (
|
||||
path: settings:
|
||||
(settingsFormat.generate path settings).overrideAttrs (old: {
|
||||
patchPhase = ''
|
||||
mkdir -p "$out/${dirOf path}/"
|
||||
out="$out/${dirOf path}/"
|
||||
|
||||
echo $out
|
||||
exit 1
|
||||
'';
|
||||
})
|
||||
) cfg.extraConfig;
|
||||
};
|
||||
in
|
||||
{
|
||||
imports = [ ./remediations ];
|
||||
|
|
@ -38,6 +54,7 @@ in
|
|||
options.security.crowdsec =
|
||||
let
|
||||
inherit (lib.types)
|
||||
attrsOf
|
||||
nullOr
|
||||
listOf
|
||||
package
|
||||
|
|
@ -85,6 +102,16 @@ in
|
|||
'';
|
||||
};
|
||||
|
||||
extraConfig = lib.mkOption {
|
||||
type = attrsOf (settingsFormat.type);
|
||||
default = {
|
||||
"parsers/s02-enrich/nixos-whitelist.yaml" = cfg.parserWhitelist;
|
||||
};
|
||||
description = ''
|
||||
Set of additional configurations to install.
|
||||
'';
|
||||
};
|
||||
|
||||
acquisitions = lib.mkOption {
|
||||
type = listOf settingsFormat.type;
|
||||
default = [ ];
|
||||
|
|
@ -300,33 +327,6 @@ in
|
|||
group = "crowdsec";
|
||||
mode = "0700";
|
||||
};
|
||||
|
||||
"${cfg.stateDirectory}/config/parsers".d = lib.mkIf (cfg.parserWhitelist != [ ]) {
|
||||
user = "crowdsec";
|
||||
group = "crowdsec";
|
||||
mode = "0700";
|
||||
};
|
||||
|
||||
"${cfg.stateDirectory}/config/parsers/s02-enrich".d = lib.mkIf (cfg.parserWhitelist != [ ]) {
|
||||
user = "crowdsec";
|
||||
group = "crowdsec";
|
||||
mode = "0700";
|
||||
};
|
||||
|
||||
"${cfg.stateDirectory}/config/parsers/s02-enrich/nixos-whitelist.yaml" =
|
||||
lib.mkIf (cfg.parserWhitelist != [ ])
|
||||
{
|
||||
"L+".argument =
|
||||
(settingsFormat.generate "crowdsec-nixos-whitelist.yaml" {
|
||||
name = "nixos/parser-whitelist";
|
||||
description = "Parser whitelist generated by the crowdsec NixOS module";
|
||||
whitelist = {
|
||||
reason = "Filtered by NixOS whitelist";
|
||||
ip = lib.lists.filter (ip: !(lib.hasInfix "/" ip)) cfg.parserWhitelist;
|
||||
cidr = lib.lists.filter (ip: lib.hasInfix "/" ip) cfg.parserWhitelist;
|
||||
};
|
||||
}).outPath;
|
||||
};
|
||||
};
|
||||
|
||||
services = {
|
||||
|
|
@ -336,6 +336,8 @@ in
|
|||
description = "Crowdsec database and config preparation";
|
||||
|
||||
script = ''
|
||||
cp --copy-contents --recursive ${extraConfigs}/. ${cfg.stateDirectory}/config
|
||||
|
||||
if [ ! -e '${cfg.settings.config_paths.simulation_path}' ]; then
|
||||
cp '${cfg.package}/share/crowdsec/config/simulation.yaml' '${cfg.settings.config_paths.simulation_path}'
|
||||
fi
|
||||
|
|
|
|||
Loading…
Reference in a new issue