From be1d739b400a5c16c7b51c82916960b30692995c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tristan=20Dani=C3=ABl=20Maat?= <tm@tlater.net>
Date: Sun, 23 Feb 2025 01:43:13 +0800
Subject: [PATCH 1/3] bump: Update inputs
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Flake lock file updates:
• Updated input 'disko':
'github:nix-community/disko/fa5746ecea1772cf59b3f34c5816ab3531478142?narHash=sha256-xFnU%2BuUl48Icas2wPQ%2BZzlL2O3n8f6J2LrzNK9f2nng%3D' (2025-02-15)
→ 'github:nix-community/disko/15dbf8cebd8e2655a883b74547108e089f051bf0?narHash=sha256-lSOXdgW/1zi/SSu7xp71v%2B55D5Egz8ACv0STkj7fhbs%3D' (2025-02-18)
• Updated input 'foundryvtt':
'github:reckenrode/nix-foundryvtt/0a72a4bf64224c6584fd1b9e9f0012dd09af979a?narHash=sha256-vM9C1gFiQGa3nTYqmTBI8MoiUfprkQdepUBbxV7ECMQ%3D' (2025-01-17)
→ 'github:reckenrode/nix-foundryvtt/a7fa493ba2c623cf90e83756b62285b3b58f18d2?narHash=sha256-u3m%2BawbdL%2B0BKk8IWidsWMr%2BR0ian3GZMUlH7623kd8%3D' (2025-02-16)
• Updated input 'nixpkgs':
'github:nixos/nixpkgs/30d4471a8a2a13b716530d3aad60b9846ea5ff83?narHash=sha256-jGiez5BtGGJUB/LXzRa%2B4AQurMO9acc1B69kBfgQhJc%3D' (2025-02-15)
→ 'github:nixos/nixpkgs/11415c7ae8539d6292f2928317ee7a8410b28bb9?narHash=sha256-SSYxFhqCOb3aiPb6MmN68yEzBIltfom8IgRz7phHscM%3D' (2025-02-21)
• Updated input 'nixpkgs-unstable':
'github:nixos/nixpkgs/31ff66eb77d02e9ac34b7256a02edb1c43fb9998?narHash=sha256-3bnOIZz8KXtzcaXGuH9Eriv0HiQyr1EIfcye%2BVHLQZE%3D' (2025-02-15)
→ 'github:nixos/nixpkgs/8465e233b0668cf162c608a92e62e8d78c1ba7e4?narHash=sha256-wzBbGGZ6i1VVBA/cDJaLfuuGYCUriD7fwsLgJJHRVRk%3D' (2025-02-22)
---
flake.lock | 27 +++++++++++++--------------
flake.nix | 2 +-
pkgs/crowdsec/_sources/generated.json | 8 ++++----
pkgs/crowdsec/_sources/generated.nix | 8 ++++----
4 files changed, 22 insertions(+), 23 deletions(-)
diff --git a/flake.lock b/flake.lock
index 276b8b2..37c3d5f 100644
--- a/flake.lock
+++ b/flake.lock
@@ -300,11 +300,11 @@
]
},
"locked": {
- "lastModified": 1739634831,
- "narHash": "sha256-xFnU+uUl48Icas2wPQ+ZzlL2O3n8f6J2LrzNK9f2nng=",
+ "lastModified": 1739841949,
+ "narHash": "sha256-lSOXdgW/1zi/SSu7xp71v+55D5Egz8ACv0STkj7fhbs=",
"owner": "nix-community",
"repo": "disko",
- "rev": "fa5746ecea1772cf59b3f34c5816ab3531478142",
+ "rev": "15dbf8cebd8e2655a883b74547108e089f051bf0",
"type": "github"
},
"original": {
@@ -595,11 +595,11 @@
]
},
"locked": {
- "lastModified": 1737076827,
- "narHash": "sha256-vM9C1gFiQGa3nTYqmTBI8MoiUfprkQdepUBbxV7ECMQ=",
+ "lastModified": 1739712626,
+ "narHash": "sha256-u3m+awbdL+0BKk8IWidsWMr+R0ian3GZMUlH7623kd8=",
"owner": "reckenrode",
"repo": "nix-foundryvtt",
- "rev": "0a72a4bf64224c6584fd1b9e9f0012dd09af979a",
+ "rev": "a7fa493ba2c623cf90e83756b62285b3b58f18d2",
"type": "github"
},
"original": {
@@ -746,11 +746,11 @@
},
"nixpkgs-unstable": {
"locked": {
- "lastModified": 1739611738,
- "narHash": "sha256-3bnOIZz8KXtzcaXGuH9Eriv0HiQyr1EIfcye+VHLQZE=",
+ "lastModified": 1740215764,
+ "narHash": "sha256-wzBbGGZ6i1VVBA/cDJaLfuuGYCUriD7fwsLgJJHRVRk=",
"owner": "nixos",
"repo": "nixpkgs",
- "rev": "31ff66eb77d02e9ac34b7256a02edb1c43fb9998",
+ "rev": "8465e233b0668cf162c608a92e62e8d78c1ba7e4",
"type": "github"
},
"original": {
@@ -762,11 +762,11 @@
},
"nixpkgs_2": {
"locked": {
- "lastModified": 1739578539,
- "narHash": "sha256-jGiez5BtGGJUB/LXzRa+4AQurMO9acc1B69kBfgQhJc=",
+ "lastModified": 1740162160,
+ "narHash": "sha256-SSYxFhqCOb3aiPb6MmN68yEzBIltfom8IgRz7phHscM=",
"owner": "nixos",
"repo": "nixpkgs",
- "rev": "30d4471a8a2a13b716530d3aad60b9846ea5ff83",
+ "rev": "11415c7ae8539d6292f2928317ee7a8410b28bb9",
"type": "github"
},
"original": {
@@ -1078,14 +1078,13 @@
"locked": {
"lastModified": 1740082109,
"narHash": "sha256-WdRNkwsIotFOSymee/yQyH46RmYtuxd1FENhvGL4KRc=",
- "ref": "tlater/rust-rewrite",
+ "ref": "refs/heads/main",
"rev": "a1b48cf2ba194054e2d8816c94a84cebc4fb5de0",
"revCount": 23,
"type": "git",
"url": "ssh://git@github.com/sonnenshift/battery-manager"
},
"original": {
- "ref": "tlater/rust-rewrite",
"type": "git",
"url": "ssh://git@github.com/sonnenshift/battery-manager"
}
diff --git a/flake.nix b/flake.nix
index 737a17f..b31d108 100644
--- a/flake.nix
+++ b/flake.nix
@@ -23,7 +23,7 @@
};
sonnenshift = {
- url = "git+ssh://git@github.com/sonnenshift/battery-manager?ref=tlater/rust-rewrite";
+ url = "git+ssh://git@github.com/sonnenshift/battery-manager";
inputs.nixpkgs.follows = "nixpkgs";
};
};
diff --git a/pkgs/crowdsec/_sources/generated.json b/pkgs/crowdsec/_sources/generated.json
index 634bc18..ac251aa 100644
--- a/pkgs/crowdsec/_sources/generated.json
+++ b/pkgs/crowdsec/_sources/generated.json
@@ -21,7 +21,7 @@
},
"crowdsec-hub": {
"cargoLocks": null,
- "date": "2025-02-16",
+ "date": "2025-02-22",
"extract": null,
"name": "crowdsec-hub",
"passthru": null,
@@ -33,10 +33,10 @@
"name": null,
"owner": "crowdsecurity",
"repo": "hub",
- "rev": "f7d7f476f88a4af05e1cfb3994536990adecfb57",
- "sha256": "sha256-m78uipryHDKixJzrF4K59ioAJ3WJN1JlXEC0DNVMCJ8=",
+ "rev": "f9883cd6c7d1913c13e4a3a69d9a0b887a7d57df",
+ "sha256": "sha256-45pUln7Qj5luY9I9BE2qhzjH7kv4IbYvNoEX3/4AVVg=",
"type": "github"
},
- "version": "f7d7f476f88a4af05e1cfb3994536990adecfb57"
+ "version": "f9883cd6c7d1913c13e4a3a69d9a0b887a7d57df"
}
}
\ No newline at end of file
diff --git a/pkgs/crowdsec/_sources/generated.nix b/pkgs/crowdsec/_sources/generated.nix
index 7ef44e6..9c63cc5 100644
--- a/pkgs/crowdsec/_sources/generated.nix
+++ b/pkgs/crowdsec/_sources/generated.nix
@@ -14,14 +14,14 @@
};
crowdsec-hub = {
pname = "crowdsec-hub";
- version = "f7d7f476f88a4af05e1cfb3994536990adecfb57";
+ version = "f9883cd6c7d1913c13e4a3a69d9a0b887a7d57df";
src = fetchFromGitHub {
owner = "crowdsecurity";
repo = "hub";
- rev = "f7d7f476f88a4af05e1cfb3994536990adecfb57";
+ rev = "f9883cd6c7d1913c13e4a3a69d9a0b887a7d57df";
fetchSubmodules = false;
- sha256 = "sha256-m78uipryHDKixJzrF4K59ioAJ3WJN1JlXEC0DNVMCJ8=";
+ sha256 = "sha256-45pUln7Qj5luY9I9BE2qhzjH7kv4IbYvNoEX3/4AVVg=";
};
- date = "2025-02-16";
+ date = "2025-02-22";
};
}
From e079ecbe72d1175a42fa401139948eb7b08fb54d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tristan=20Dani=C3=ABl=20Maat?= <tm@tlater.net>
Date: Thu, 7 Nov 2024 20:26:43 +0100
Subject: [PATCH 2/3] WIP: feat: Add minecraft server
---
configuration/default.nix | 6 +-
configuration/services/minecraft.nix | 83 ++++++++++++++++++++++++++++
2 files changed, 84 insertions(+), 5 deletions(-)
create mode 100644 configuration/services/minecraft.nix
diff --git a/configuration/default.nix b/configuration/default.nix
index 239f9f6..f874733 100644
--- a/configuration/default.nix
+++ b/configuration/default.nix
@@ -22,6 +22,7 @@
./services/foundryvtt.nix
./services/gitea.nix
./services/metrics
+ ./services/minecraft.nix
./services/nextcloud.nix
./services/webserver.nix
./services/wireguard.nix
@@ -70,8 +71,6 @@
8448
# starbound
21025
- # Minecraft
- 25565
config.services.coturn.listening-port
config.services.coturn.tls-listening-port
@@ -80,9 +79,6 @@
];
allowedUDPPorts = [
- # More minecraft
- 25565
-
config.services.coturn.listening-port
config.services.coturn.tls-listening-port
config.services.coturn.alt-listening-port
diff --git a/configuration/services/minecraft.nix b/configuration/services/minecraft.nix
new file mode 100644
index 0000000..0477f44
--- /dev/null
+++ b/configuration/services/minecraft.nix
@@ -0,0 +1,83 @@
+{
+ pkgs,
+ lib,
+ config,
+ ...
+}:
+{
+ services.minecraft-server = {
+ enable = true;
+ eula = true;
+ # jvmOpts are set using a file for forge
+ # jvmOpts = "-Xmx8G -Xms8G";
+ openFirewall = true;
+
+ declarative = true;
+
+ whitelist = {
+ tlater = "140d177a-966f-41b8-a4c0-e305babd291b";
+ romino25 = "59cd1648-14a4-4bcf-8f5a-2e1bde678f2c";
+ lasi25 = "0ab6e3d1-544a-47e7-8538-2e6c248e49a4";
+ };
+
+ serverProperties = {
+ allow-flight = true;
+ difficulty = "hard";
+ motd = "tlater.net";
+ spawn-protection = 1;
+ white-list = true;
+ enable-query = true;
+ enable-status = true;
+
+ # Allows the server to write chunks without hogging the main
+ # thread...
+ sync-chunk-writes = false;
+ # Disables chat reporting, because we don't need any of that
+ # drama on a lil' friends-only server.
+ enforce-secure-profile = false;
+ };
+
+ package = pkgs.writeShellApplication {
+ name = "minecraft-server";
+ runtimeInputs = with pkgs; [ jdk17_headless ];
+
+ text = ''
+ exec /var/lib/minecraft/run.sh $@
+ '';
+ };
+ };
+
+ systemd.services.minecraft-server = {
+ path = with pkgs; [ jdk17_headless ];
+
+ # Since we read from our own HTTP server, we need to wait for it
+ # to be up
+ after = [ "nginx.service" ];
+
+ serviceConfig = {
+ # Use packwiz to install mods
+ ExecStartPre = [
+ "${pkgs.jdk17_headless}/bin/java -jar ${config.services.minecraft-server.dataDir}/packwiz-installer-bootstrap.jar -g -s server 'https://minecraft.${config.services.nginx.domain}/cobblemon-pack/pack.toml'"
+ ];
+ # Forge requires some bonus JVM options, which they include in a
+ # little `run.sh` script
+ ExecStart = lib.mkForce "${config.services.minecraft-server.dataDir}/run.sh --nogui";
+ };
+ };
+
+ systemd.tmpfiles.settings."10-minecraft" = {
+ "/srv/minecraft".d = {
+ user = "nginx";
+ group = "minecraft";
+ mode = "0775";
+ };
+ };
+
+ services.nginx.virtualHosts."minecraft.${config.services.nginx.domain}" = {
+ forceSSL = true;
+ useACMEHost = "tlater.net";
+ enableHSTS = true;
+
+ root = "/srv/minecraft";
+ };
+}
From d6217e6101ad8708cad77df513791407a546e208 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tristan=20Dani=C3=ABl=20Maat?= <tm@tlater.net>
Date: Sun, 23 Feb 2025 00:42:13 +0800
Subject: [PATCH 3/3] WIP: fix(crowdsec): Make the whitelists actually work
---
configuration/services/crowdsec.nix | 44 +++++++----------------
modules/crowdsec/default.nix | 56 +++++++++++++++--------------
2 files changed, 41 insertions(+), 59 deletions(-)
diff --git a/configuration/services/crowdsec.nix b/configuration/services/crowdsec.nix
index 6e0f367..6860354 100644
--- a/configuration/services/crowdsec.nix
+++ b/configuration/services/crowdsec.nix
@@ -12,6 +12,18 @@
"10.45.249.2"
];
+ extraConfig."postoverflows/s01-whitelist/matrix-whitelist.yaml" = {
+ name = "tetsumaki/matrix";
+ description = "custom matrix whitelist";
+ whitelist = {
+ reason = "whitelist false positive for matrix";
+ expression = [
+ "evt.Overflow.Alert.Events[0].GetMeta('target_fqdn') == '${config.services.matrix-conduit.settings.global.server_name}'"
+ "evt.Overflow.Alert.GetScenario() in ['crowdsecurity/http-probing', 'crowdsecurity/http-crawl-non_statics']"
+ ];
+ };
+ };
+
extraGroups = [
"systemd-journal"
"nginx"
@@ -55,36 +67,4 @@
};
};
};
-
- # Add whitelists for matrix
- systemd.tmpfiles.settings."10-matrix" =
- let
- stateDir = config.security.crowdsec.stateDirectory;
- in
- {
- "${stateDir}/config/postoverflows".d = {
- user = "crowdsec";
- group = "crowdsec";
- mode = "0700";
- };
-
- "${stateDir}/config/postoverflows/s01-whitelist".d = {
- user = "crowdsec";
- group = "crowdsec";
- mode = "0700";
- };
-
- "${stateDir}/config/postoverflows/s01-whitelist/matrix-whitelist.yaml"."L+".argument =
- ((pkgs.formats.yaml { }).generate "crowdsec-matrix-whitelist.yaml" {
- name = "tetsumaki/matrix";
- description = "custom matrix whitelist";
- whitelist = {
- reason = "whitelist false positive for matrix";
- expression = [
- "evt.Overflow.Alert.Events[0].GetMeta('target_fqdn') == '${config.services.matrix-conduit.settings.global.server_name}'"
- "evt.Overflow.Alert.GetScenario() in ['crowdsecurity/http-probing', 'crowdsecurity/http-crawl-non_statics']"
- ];
- };
- }).outPath;
- };
}
diff --git a/modules/crowdsec/default.nix b/modules/crowdsec/default.nix
index c0003a5..cc14939 100644
--- a/modules/crowdsec/default.nix
+++ b/modules/crowdsec/default.nix
@@ -31,6 +31,22 @@ let
${lib.concatMapStringsSep "\n---\n" builtins.toJSON cfg.acquisitions}
---
'';
+
+ extraConfigs = pkgs.symlinkJoin {
+ name = "crowdsec-extra-configs";
+ paths = lib.mapAttrsToList (
+ path: settings:
+ (settingsFormat.generate path settings).overrideAttrs (old: {
+ patchPhase = ''
+ mkdir -p "$out/${dirOf path}/"
+ out="$out/${dirOf path}/"
+
+ echo $out
+ exit 1
+ '';
+ })
+ ) cfg.extraConfig;
+ };
in
{
imports = [ ./remediations ];
@@ -38,6 +54,7 @@ in
options.security.crowdsec =
let
inherit (lib.types)
+ attrsOf
nullOr
listOf
package
@@ -85,6 +102,16 @@ in
'';
};
+ extraConfig = lib.mkOption {
+ type = attrsOf (settingsFormat.type);
+ default = {
+ "parsers/s02-enrich/nixos-whitelist.yaml" = cfg.parserWhitelist;
+ };
+ description = ''
+ Set of additional configurations to install.
+ '';
+ };
+
acquisitions = lib.mkOption {
type = listOf settingsFormat.type;
default = [ ];
@@ -300,33 +327,6 @@ in
group = "crowdsec";
mode = "0700";
};
-
- "${cfg.stateDirectory}/config/parsers".d = lib.mkIf (cfg.parserWhitelist != [ ]) {
- user = "crowdsec";
- group = "crowdsec";
- mode = "0700";
- };
-
- "${cfg.stateDirectory}/config/parsers/s02-enrich".d = lib.mkIf (cfg.parserWhitelist != [ ]) {
- user = "crowdsec";
- group = "crowdsec";
- mode = "0700";
- };
-
- "${cfg.stateDirectory}/config/parsers/s02-enrich/nixos-whitelist.yaml" =
- lib.mkIf (cfg.parserWhitelist != [ ])
- {
- "L+".argument =
- (settingsFormat.generate "crowdsec-nixos-whitelist.yaml" {
- name = "nixos/parser-whitelist";
- description = "Parser whitelist generated by the crowdsec NixOS module";
- whitelist = {
- reason = "Filtered by NixOS whitelist";
- ip = lib.lists.filter (ip: !(lib.hasInfix "/" ip)) cfg.parserWhitelist;
- cidr = lib.lists.filter (ip: lib.hasInfix "/" ip) cfg.parserWhitelist;
- };
- }).outPath;
- };
};
services = {
@@ -336,6 +336,8 @@ in
description = "Crowdsec database and config preparation";
script = ''
+ cp --copy-contents --recursive ${extraConfigs}/. ${cfg.stateDirectory}/config
+
if [ ! -e '${cfg.settings.config_paths.simulation_path}' ]; then
cp '${cfg.package}/share/crowdsec/config/simulation.yaml' '${cfg.settings.config_paths.simulation_path}'
fi