From e4a7fa8764f2c283e0d1d989e53d61e078ed48d1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tristan=20Dani=C3=ABl=20Maat?= <tm@tlater.net>
Date: Fri, 28 Feb 2025 01:47:58 +0800
Subject: [PATCH 1/4] feat(grafana): Use the victoriametrics metrics plugin
---
configuration/services/metrics/grafana.nix | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/configuration/services/metrics/grafana.nix b/configuration/services/metrics/grafana.nix
index e597cff..d14b908 100644
--- a/configuration/services/metrics/grafana.nix
+++ b/configuration/services/metrics/grafana.nix
@@ -1,4 +1,4 @@
-{ config, ... }:
+{ pkgs, config, ... }:
let
domain = "metrics.${config.services.nginx.domain}";
in
@@ -28,6 +28,10 @@ in
};
};
+ declarativePlugins = [
+ pkgs.grafanaPlugins.victoriametrics-metrics-datasource
+ ];
+
provision = {
enable = true;
@@ -35,7 +39,9 @@ in
{
name = "Victoriametrics - tlater.net";
url = "http://localhost:8428";
- type = "prometheus";
+ type = "victoriametrics-metrics-datasource";
+ access = "proxy";
+ isDefault = true;
}
];
};
From a398790ef496f6cac8a485b2a3ef1d065e48d639 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tristan=20Dani=C3=ABl=20Maat?= <tm@tlater.net>
Date: Fri, 28 Feb 2025 01:43:10 +0800
Subject: [PATCH 2/4] feat(metrics): Add victorialogs
---
configuration/services/metrics/default.nix | 1 +
configuration/services/metrics/grafana.nix | 15 ++-
.../services/metrics/victorialogs.nix | 110 ++++++++++++++++++
3 files changed, 125 insertions(+), 1 deletion(-)
create mode 100644 configuration/services/metrics/victorialogs.nix
diff --git a/configuration/services/metrics/default.nix b/configuration/services/metrics/default.nix
index 84e126a..fe250fe 100644
--- a/configuration/services/metrics/default.nix
+++ b/configuration/services/metrics/default.nix
@@ -5,5 +5,6 @@
./exporters.nix
./grafana.nix
./victoriametrics.nix
+ ./victorialogs.nix
];
}
diff --git a/configuration/services/metrics/grafana.nix b/configuration/services/metrics/grafana.nix
index d14b908..b872833 100644
--- a/configuration/services/metrics/grafana.nix
+++ b/configuration/services/metrics/grafana.nix
@@ -1,4 +1,9 @@
-{ pkgs, config, ... }:
+{
+ pkgs,
+ config,
+ flake-inputs,
+ ...
+}:
let
domain = "metrics.${config.services.nginx.domain}";
in
@@ -30,6 +35,7 @@ in
declarativePlugins = [
pkgs.grafanaPlugins.victoriametrics-metrics-datasource
+ flake-inputs.nixpkgs-unstable.legacyPackages.${pkgs.system}.grafanaPlugins.victoriametrics-logs-datasource
];
provision = {
@@ -43,6 +49,13 @@ in
access = "proxy";
isDefault = true;
}
+
+ {
+ name = "Victorialogs - tlater.net";
+ url = "http://${config.services.victorialogs.bindAddress}";
+ type = "victoriametrics-logs-datasource";
+ access = "proxy";
+ }
];
};
};
diff --git a/configuration/services/metrics/victorialogs.nix b/configuration/services/metrics/victorialogs.nix
new file mode 100644
index 0000000..ed74c59
--- /dev/null
+++ b/configuration/services/metrics/victorialogs.nix
@@ -0,0 +1,110 @@
+{
+ config,
+ pkgs,
+ lib,
+ ...
+}:
+let
+ cfg = config.services.victorialogs;
+ pkg = pkgs.victoriametrics;
+ dirname = "victorialogs";
+in
+{
+ options.services.victorialogs =
+ let
+ inherit (lib.types) str;
+ in
+ {
+ listenAddress = lib.mkOption {
+ default = ":9428";
+ type = str;
+ };
+
+ bindAddress = lib.mkOption {
+ readOnly = true;
+ type = str;
+ description = ''
+ Final address on which victorialogs listens.
+ '';
+ };
+ };
+
+ config = {
+ services.victorialogs.bindAddress =
+ (lib.optionalString (lib.hasPrefix ":" cfg.listenAddress) "127.0.0.1") + cfg.listenAddress;
+
+ services.journald.upload = {
+ enable = true;
+ settings.Upload = {
+ URL = "http://${cfg.bindAddress}/insert/journald";
+ NetworkTimeoutSec = "20s";
+ };
+ };
+
+ systemd.services."systemd-journal-upload".after = [ "victorialogs.service" ];
+
+ systemd.services.victorialogs = {
+ description = "VictoriaLogs log database";
+ wantedBy = [ "multi-user.target" ];
+ after = [ "network.target" ];
+ startLimitBurst = 5;
+
+ serviceConfig = {
+ ExecStart = lib.escapeShellArgs [
+ "${pkg}/bin/victoria-logs"
+ "-storageDataPath=/var/lib/${dirname}"
+ "-httpListenAddr=${cfg.listenAddress}"
+ ];
+
+ DynamicUser = true;
+ RestartSec = 1;
+ Restart = "on-failure";
+ RuntimeDirectory = dirname;
+ RuntimeDirectoryMode = "0700";
+ StateDirectory = dirname;
+ StateDirectoryMode = "0700";
+
+ LimitNOFILE = 1048576;
+
+ # Hardening
+ DeviceAllow = [ "/dev/null rw" ];
+ DevicePolicy = "strict";
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ NoNewPrivileges = true;
+ PrivateDevices = true;
+ PrivateTmp = true;
+ PrivateUsers = true;
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ ProtectHome = true;
+ ProtectHostname = true;
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ ProtectProc = "invisible";
+ ProtectSystem = "full";
+ RemoveIPC = true;
+ RestrictAddressFamilies = [
+ "AF_INET"
+ "AF_INET6"
+ "AF_UNIX"
+ ];
+ RestrictNamespaces = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ SystemCallArchitectures = "native";
+ SystemCallFilter = [
+ "@system-service"
+ "~@privileged"
+ ];
+ };
+
+ postStart = lib.mkBefore ''
+ until ${lib.getBin pkgs.curl}/bin/curl -s -o /dev/null http://${cfg.bindAddress}/ping; do
+ sleep 1;
+ done
+ '';
+ };
+ };
+}
From e1eb85d00fcf3fb109847fbb3bfe59a3e29a4b6a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tristan=20Dani=C3=ABl=20Maat?= <tm@tlater.net>
Date: Thu, 7 Nov 2024 20:26:43 +0100
Subject: [PATCH 3/4] WIP: feat: Add minecraft server
---
configuration/default.nix | 6 +-
configuration/services/minecraft.nix | 83 ++++++++++++++++++++++++++++
2 files changed, 84 insertions(+), 5 deletions(-)
create mode 100644 configuration/services/minecraft.nix
diff --git a/configuration/default.nix b/configuration/default.nix
index 239f9f6..f874733 100644
--- a/configuration/default.nix
+++ b/configuration/default.nix
@@ -22,6 +22,7 @@
./services/foundryvtt.nix
./services/gitea.nix
./services/metrics
+ ./services/minecraft.nix
./services/nextcloud.nix
./services/webserver.nix
./services/wireguard.nix
@@ -70,8 +71,6 @@
8448
# starbound
21025
- # Minecraft
- 25565
config.services.coturn.listening-port
config.services.coturn.tls-listening-port
@@ -80,9 +79,6 @@
];
allowedUDPPorts = [
- # More minecraft
- 25565
-
config.services.coturn.listening-port
config.services.coturn.tls-listening-port
config.services.coturn.alt-listening-port
diff --git a/configuration/services/minecraft.nix b/configuration/services/minecraft.nix
new file mode 100644
index 0000000..0477f44
--- /dev/null
+++ b/configuration/services/minecraft.nix
@@ -0,0 +1,83 @@
+{
+ pkgs,
+ lib,
+ config,
+ ...
+}:
+{
+ services.minecraft-server = {
+ enable = true;
+ eula = true;
+ # jvmOpts are set using a file for forge
+ # jvmOpts = "-Xmx8G -Xms8G";
+ openFirewall = true;
+
+ declarative = true;
+
+ whitelist = {
+ tlater = "140d177a-966f-41b8-a4c0-e305babd291b";
+ romino25 = "59cd1648-14a4-4bcf-8f5a-2e1bde678f2c";
+ lasi25 = "0ab6e3d1-544a-47e7-8538-2e6c248e49a4";
+ };
+
+ serverProperties = {
+ allow-flight = true;
+ difficulty = "hard";
+ motd = "tlater.net";
+ spawn-protection = 1;
+ white-list = true;
+ enable-query = true;
+ enable-status = true;
+
+ # Allows the server to write chunks without hogging the main
+ # thread...
+ sync-chunk-writes = false;
+ # Disables chat reporting, because we don't need any of that
+ # drama on a lil' friends-only server.
+ enforce-secure-profile = false;
+ };
+
+ package = pkgs.writeShellApplication {
+ name = "minecraft-server";
+ runtimeInputs = with pkgs; [ jdk17_headless ];
+
+ text = ''
+ exec /var/lib/minecraft/run.sh $@
+ '';
+ };
+ };
+
+ systemd.services.minecraft-server = {
+ path = with pkgs; [ jdk17_headless ];
+
+ # Since we read from our own HTTP server, we need to wait for it
+ # to be up
+ after = [ "nginx.service" ];
+
+ serviceConfig = {
+ # Use packwiz to install mods
+ ExecStartPre = [
+ "${pkgs.jdk17_headless}/bin/java -jar ${config.services.minecraft-server.dataDir}/packwiz-installer-bootstrap.jar -g -s server 'https://minecraft.${config.services.nginx.domain}/cobblemon-pack/pack.toml'"
+ ];
+ # Forge requires some bonus JVM options, which they include in a
+ # little `run.sh` script
+ ExecStart = lib.mkForce "${config.services.minecraft-server.dataDir}/run.sh --nogui";
+ };
+ };
+
+ systemd.tmpfiles.settings."10-minecraft" = {
+ "/srv/minecraft".d = {
+ user = "nginx";
+ group = "minecraft";
+ mode = "0775";
+ };
+ };
+
+ services.nginx.virtualHosts."minecraft.${config.services.nginx.domain}" = {
+ forceSSL = true;
+ useACMEHost = "tlater.net";
+ enableHSTS = true;
+
+ root = "/srv/minecraft";
+ };
+}
From 5e4a945981baa511f920cc29e90a535b5539932a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tristan=20Dani=C3=ABl=20Maat?= <tm@tlater.net>
Date: Sun, 23 Feb 2025 00:42:13 +0800
Subject: [PATCH 4/4] WIP: fix(crowdsec): Make the whitelists actually work
---
configuration/services/crowdsec.nix | 44 +++++++----------------
modules/crowdsec/default.nix | 56 +++++++++++++++--------------
2 files changed, 41 insertions(+), 59 deletions(-)
diff --git a/configuration/services/crowdsec.nix b/configuration/services/crowdsec.nix
index 6e0f367..6860354 100644
--- a/configuration/services/crowdsec.nix
+++ b/configuration/services/crowdsec.nix
@@ -12,6 +12,18 @@
"10.45.249.2"
];
+ extraConfig."postoverflows/s01-whitelist/matrix-whitelist.yaml" = {
+ name = "tetsumaki/matrix";
+ description = "custom matrix whitelist";
+ whitelist = {
+ reason = "whitelist false positive for matrix";
+ expression = [
+ "evt.Overflow.Alert.Events[0].GetMeta('target_fqdn') == '${config.services.matrix-conduit.settings.global.server_name}'"
+ "evt.Overflow.Alert.GetScenario() in ['crowdsecurity/http-probing', 'crowdsecurity/http-crawl-non_statics']"
+ ];
+ };
+ };
+
extraGroups = [
"systemd-journal"
"nginx"
@@ -55,36 +67,4 @@
};
};
};
-
- # Add whitelists for matrix
- systemd.tmpfiles.settings."10-matrix" =
- let
- stateDir = config.security.crowdsec.stateDirectory;
- in
- {
- "${stateDir}/config/postoverflows".d = {
- user = "crowdsec";
- group = "crowdsec";
- mode = "0700";
- };
-
- "${stateDir}/config/postoverflows/s01-whitelist".d = {
- user = "crowdsec";
- group = "crowdsec";
- mode = "0700";
- };
-
- "${stateDir}/config/postoverflows/s01-whitelist/matrix-whitelist.yaml"."L+".argument =
- ((pkgs.formats.yaml { }).generate "crowdsec-matrix-whitelist.yaml" {
- name = "tetsumaki/matrix";
- description = "custom matrix whitelist";
- whitelist = {
- reason = "whitelist false positive for matrix";
- expression = [
- "evt.Overflow.Alert.Events[0].GetMeta('target_fqdn') == '${config.services.matrix-conduit.settings.global.server_name}'"
- "evt.Overflow.Alert.GetScenario() in ['crowdsecurity/http-probing', 'crowdsecurity/http-crawl-non_statics']"
- ];
- };
- }).outPath;
- };
}
diff --git a/modules/crowdsec/default.nix b/modules/crowdsec/default.nix
index c0003a5..cc14939 100644
--- a/modules/crowdsec/default.nix
+++ b/modules/crowdsec/default.nix
@@ -31,6 +31,22 @@ let
${lib.concatMapStringsSep "\n---\n" builtins.toJSON cfg.acquisitions}
---
'';
+
+ extraConfigs = pkgs.symlinkJoin {
+ name = "crowdsec-extra-configs";
+ paths = lib.mapAttrsToList (
+ path: settings:
+ (settingsFormat.generate path settings).overrideAttrs (old: {
+ patchPhase = ''
+ mkdir -p "$out/${dirOf path}/"
+ out="$out/${dirOf path}/"
+
+ echo $out
+ exit 1
+ '';
+ })
+ ) cfg.extraConfig;
+ };
in
{
imports = [ ./remediations ];
@@ -38,6 +54,7 @@ in
options.security.crowdsec =
let
inherit (lib.types)
+ attrsOf
nullOr
listOf
package
@@ -85,6 +102,16 @@ in
'';
};
+ extraConfig = lib.mkOption {
+ type = attrsOf (settingsFormat.type);
+ default = {
+ "parsers/s02-enrich/nixos-whitelist.yaml" = cfg.parserWhitelist;
+ };
+ description = ''
+ Set of additional configurations to install.
+ '';
+ };
+
acquisitions = lib.mkOption {
type = listOf settingsFormat.type;
default = [ ];
@@ -300,33 +327,6 @@ in
group = "crowdsec";
mode = "0700";
};
-
- "${cfg.stateDirectory}/config/parsers".d = lib.mkIf (cfg.parserWhitelist != [ ]) {
- user = "crowdsec";
- group = "crowdsec";
- mode = "0700";
- };
-
- "${cfg.stateDirectory}/config/parsers/s02-enrich".d = lib.mkIf (cfg.parserWhitelist != [ ]) {
- user = "crowdsec";
- group = "crowdsec";
- mode = "0700";
- };
-
- "${cfg.stateDirectory}/config/parsers/s02-enrich/nixos-whitelist.yaml" =
- lib.mkIf (cfg.parserWhitelist != [ ])
- {
- "L+".argument =
- (settingsFormat.generate "crowdsec-nixos-whitelist.yaml" {
- name = "nixos/parser-whitelist";
- description = "Parser whitelist generated by the crowdsec NixOS module";
- whitelist = {
- reason = "Filtered by NixOS whitelist";
- ip = lib.lists.filter (ip: !(lib.hasInfix "/" ip)) cfg.parserWhitelist;
- cidr = lib.lists.filter (ip: lib.hasInfix "/" ip) cfg.parserWhitelist;
- };
- }).outPath;
- };
};
services = {
@@ -336,6 +336,8 @@ in
description = "Crowdsec database and config preparation";
script = ''
+ cp --copy-contents --recursive ${extraConfigs}/. ${cfg.stateDirectory}/config
+
if [ ! -e '${cfg.settings.config_paths.simulation_path}' ]; then
cp '${cfg.package}/share/crowdsec/config/simulation.yaml' '${cfg.settings.config_paths.simulation_path}'
fi