diff --git a/configuration/nginx.nix b/configuration/nginx.nix
index 0b72cc1..b38118b 100644
--- a/configuration/nginx.nix
+++ b/configuration/nginx.nix
@@ -47,17 +47,10 @@
acceptTerms = true;
certs."tlater.net" = {
- extraDomainNames = [
- "*.tlater.net"
- "tlater.com"
- "*.tlater.com"
- ];
- dnsProvider = "porkbun";
+ extraDomainNames = [ "*.tlater.net" ];
+ dnsProvider = "hetzner";
group = "nginx";
- credentialFiles = {
- PORKBUN_API_KEY_FILE = config.sops.secrets."porkbun/api-key".path;
- PORKBUN_SECRET_API_KEY_FILE = config.sops.secrets."porkbun/secret-api-key".path;
- };
+ credentialFiles."HETZNER_API_KEY_FILE" = config.sops.secrets."hetzner-api".path;
};
};
diff --git a/configuration/services/crowdsec.nix b/configuration/services/crowdsec.nix
index 4891cad..110602c 100644
--- a/configuration/services/crowdsec.nix
+++ b/configuration/services/crowdsec.nix
@@ -1,4 +1,4 @@
-{ config, lib, ... }:
+{ pkgs, ... }:
{
security.crowdsec = {
enable = true;
@@ -7,39 +7,21 @@
"1.64.239.213"
];
- extraGroups = [
- "systemd-journal"
- "nginx"
- ];
-
- acquisitions = [
- {
- source = "journalctl";
- labels.type = "syslog";
- journalctl_filter = [
- "SYSLOG_IDENTIFIER=Nextcloud"
- ];
- }
-
- {
- source = "journalctl";
- labels.type = "syslog";
- journalctl_filter = [
- "SYSLOG_IDENTIFIER=sshd-session"
- ];
- }
-
- {
- labels.type = "nginx";
- filenames =
- [
- "/var/log/nginx/*.log"
- ]
- ++ lib.mapAttrsToList (
- vHost: _: "/var/log/nginx/${vHost}/access.log"
- ) config.services.nginx.virtualHosts;
- }
- ];
+ settings.crowdsec_service.acquisition_path = pkgs.writeText "crowdsec-acquisitions.yaml" ''
+ ---
+ source: journalctl
+ journalctl_filter:
+ - "SYSLOG_IDENTIFIER=Nextcloud"
+ labels:
+ type: syslog
+ ---
+ source: journalctl
+ journalctl_filter:
+ - "SYSLOG_IDENTIFIER=sshd-session"
+ labels:
+ type: syslog
+ ---
+ '';
remediationComponents.firewallBouncer = {
enable = true;
diff --git a/configuration/sops.nix b/configuration/sops.nix
index bbfb888..bc21834 100644
--- a/configuration/sops.nix
+++ b/configuration/sops.nix
@@ -34,20 +34,16 @@
"heisenbridge/as-token" = { };
"heisenbridge/hs-token" = { };
+ "hetzner-api" = {
+ owner = "acme";
+ };
+
# Nextcloud
"nextcloud/tlater" = {
owner = "nextcloud";
group = "nextcloud";
};
- # Porkbub/ACME
- "porkbun/api-key" = {
- owner = "acme";
- };
- "porkbun/secret-api-key" = {
- owner = "acme";
- };
-
# Restic
"restic/local-backups" = {
owner = "root";
diff --git a/keys/production.yaml b/keys/production.yaml
index 19df9bd..6dd4c21 100644
--- a/keys/production.yaml
+++ b/keys/production.yaml
@@ -1,6 +1,4 @@
-porkbun:
- api-key: ENC[AES256_GCM,data:p3lqvGc8m2U/12rBPjoNR7hxQyD52CyEen/V8q59k5CSJZSqzZS8M5vEXFBsUMjz2lrmKM4pgtz4wa2fWK6Ty4LJCaI=,iv:OQC3FpwTtPmqHvDbA41mWF7LGYwC/jD2ZMBsE8ktNOg=,tag:kq5hUR7TBgczuGcXpsdu2A==,type:str]
- secret-api-key: ENC[AES256_GCM,data:zV5PTKf45Zab8uW8mbuXmPNzciq6tV9OF0wUND7YnRk/DjZneYWItAsNBVoM+iHA+XsUPDoeKo6hoJiGkH/cCQ8WvuM=,iv:yr1M5DlgI8k6BgzNz3HRnqspHOrQuf2PmoZS1HGp0v8=,tag:JkNNziMMfKFZV2hnx5lXRg==,type:str]
+hetzner-api: ENC[AES256_GCM,data:OsUfo86AzcBe/OELkfB5brEfsZ4gkbeehxwIVUBwQgE=,iv:Bt/cjlZ6oZEVUOQjWMDL7/mfL3HWLFAw1tEGeLMgeKg=,tag:TMU2XiHlMgP4aes10mIQYQ==,type:str]
battery-manager:
email: ENC[AES256_GCM,data:rYLUACXR/n+bLBmZ,iv:sUBEkh2+7qGjHZ5R23e/hoCiyTA7GTL4bJvXmxjZ5Sw=,tag:fdPMllaQQfRgX0WZKIre4g==,type:str]
password: ENC[AES256_GCM,data:7cokZa6Q6ahSeiFPz+cV,iv:vz405P0IcG9FsAQXlY7mi78GuushQUKJm2irG6buGzc=,tag:JLHG2jTkJDGbinAq9dXRsQ==,type:str]
@@ -34,8 +32,8 @@ sops:
azure_kv: []
hc_vault: []
age: []
- lastmodified: "2025-02-01T10:16:20Z"
- mac: ENC[AES256_GCM,data:oFJNljU0RJdgsdK7qRXKCqRs7kPXgHqSyYcexEs8kXFnn68mKHNKKfl7skepCPKk0U7h6JqJQ+EOnAA0eo6mraBAMKLSXUcucTzqsfcI+V04rYcP2nGPMUiNDGdKHCcb6OmBhfvKw7+elnonPxKsBlyK31AqB9RFDKaTKXpcNMw=,iv:Q9t7ZkUrevHm5I4JBW95TfvZ88dl2Fq3Yq/E642dV6s=,tag:p2XWfii168qq29wX/RCJuQ==,type:str]
+ lastmodified: "2024-04-15T23:13:18Z"
+ mac: ENC[AES256_GCM,data:3/v+WgSWJ+VcBSBe1Wkis3z+tMmSjbKzLFqBB8xugc6DvgQG8J+1HRrPucLnpNNtEdmpyoTa72U6fPm6JnyUsuj5pLEghLprOJkqQNdRI06fllhw+9d3e3twx6D4oIIsVH6/io4ElXrGsGQTsfNbYhgn+987wa3WP5N25fBac3U=,iv:FL3tzPutOMN6IPkQfXIu/JOZT+OzUSqpMSQrUeXZQHE=,tag:jL1BTsYTA9XjrsjFszxZhA==,type:str]
pgp:
- created_at: "2025-01-21T17:55:44Z"
enc: |-
@@ -93,4 +91,4 @@ sops:
-----END PGP MESSAGE-----
fp: 0af7641adb8aa843136cf6d047f71da3e5ad79f9
unencrypted_suffix: _unencrypted
- version: 3.9.2
+ version: 3.8.1
diff --git a/keys/staging.yaml b/keys/staging.yaml
index 67e47ad..091424d 100644
--- a/keys/staging.yaml
+++ b/keys/staging.yaml
@@ -1,6 +1,4 @@
-porkbun:
- api-key: ENC[AES256_GCM,data:A5J1sqwq6hs=,iv:77Mar3IX7mq7z7x6s9sSeGNVYc1Wv78HptJElEC7z3Q=,tag:eM/EF9TxKu+zcbJ1SYXiuA==,type:str]
- secret-api-key: ENC[AES256_GCM,data:8Xv+jWYaWMI=,iv:li4tdY0pch5lksftMmfMVS729caAwfaacoztaQ49az0=,tag:KhfElBGzVH4ByFPfuQsdhw==,type:str]
+hetzner-api: ENC[AES256_GCM,data:1Zjp003j60g=,iv:+vDcyiqYm4A9CMIrW4oGZKdZiczatBcvfL4qYYhKwCg=,tag:Xeu8JuRm+b+5RO+wFR2M8w==,type:str]
battery-manager:
email: ENC[AES256_GCM,data:LM/EGzWHfVQ=,iv:jFaoUQuUfuGoOyj/GFpdI8TerH/c8D9fjvio+IEt2Tc=,tag:IWLiN011JEnHRLIXWQgfmA==,type:str]
password: ENC[AES256_GCM,data:SUxjqS7SJHM=,iv:LvdKk88S+nSImh6/ZezbFGLCUBu1Lpdu+neF2xyHdBg=,tag:rcMyZuW4FVNbcbz00wQKBg==,type:str]
@@ -34,8 +32,8 @@ sops:
azure_kv: []
hc_vault: []
age: []
- lastmodified: "2025-02-01T10:16:31Z"
- mac: ENC[AES256_GCM,data:N4RQHOyWvSXW16fepQvRznNbmGerct03kptyiY3IoTpYaJ+43cyFjW15ZqfpaRFyV66QIeqmceqV8c4eP8YSndj6e55e04w0RCyqREXQlFPR6Eh5elaBenokoJhjF6BCsq+xX1C+LUEcxiR/dgy5cwA3mAD/dLCm+G11a06EG6k=,iv:wt5fEOVP6CXHCzmMH9hNCQDDgPa66bLMOa39Eipux9Y=,tag:kWZPnWD1stANVAmWmvOjCg==,type:str]
+ lastmodified: "2024-04-15T23:13:27Z"
+ mac: ENC[AES256_GCM,data:JhEVrKF2Jsqpdztcr3g5lMrgEFeLXfBRQTwQJ6PmLSNyDORcTU09TJPNWTPDnR5okDrvIU/wlzi5DZ8A0ebNhrKf6l0tNFBT9LSvQFHU5SBxqY/m8uEJKSrEC4IL5lugOOISDka2KSvYXVCXrumMHE5FnmOS/CgOZaZk6LUjPYA=,iv:ygygnSedcTo2Vsc56s2qrz1qkWchvSgvoiMTebRxQQ8=,tag:vf6z8rxsXmqzwpDy9Avifw==,type:str]
pgp:
- created_at: "2025-01-21T17:55:30Z"
enc: |-
@@ -73,4 +71,4 @@ sops:
-----END PGP MESSAGE-----
fp: 2f5caa73e7ceea4fcc8d2881fde587e6737d2dbc
unencrypted_suffix: _unencrypted
- version: 3.9.2
+ version: 3.8.1
diff --git a/modules/crowdsec/default.nix b/modules/crowdsec/default.nix
index 0d0ff1c..915ca0b 100644
--- a/modules/crowdsec/default.nix
+++ b/modules/crowdsec/default.nix
@@ -28,12 +28,6 @@ let
$sudo ${crowdsec}/bin/cscli "$@"
'';
-
- acquisitions = ''
- ---
- ${lib.concatMapStringsSep "\n---\n" builtins.toJSON cfg.acquisitions}
- ---
- '';
in
{
imports = [ ./remediations ];
@@ -88,24 +82,6 @@ in
'';
};
- acquisitions = lib.mkOption {
- type = listOf settingsFormat.type;
- default = [ ];
- description = ''
- Log acquisitions.
- '';
- };
-
- extraGroups = lib.mkOption {
- type = listOf str;
- default = [ ];
- description = ''
- Additional groups to make the service part of.
-
- Required to permit reading from various log sources.
- '';
- };
-
hubConfigurations = {
collections = lib.mkOption {
type = listOf str;
@@ -214,13 +190,7 @@ in
plugin_dir = lib.mkDefault "/var/empty/";
};
- crowdsec_service.acquisition_path =
- # Using an if/else here because `mkMerge` does not work in
- # YAML-type options
- if cfg.acquisitions == [ ] then
- "${cfg.package}/share/crowdsec/config/acquis.yaml"
- else
- pkgs.writeText "acquis.yaml" acquisitions;
+ crowdsec_service.acquisition_path = lib.mkDefault "${cfg.package}/share/crowdsec/config/acquis.yaml";
cscli = {
prometheus_uri = lib.mkDefault "127.0.0.1:6060";
@@ -369,7 +339,7 @@ in
serviceConfig = {
User = "crowdsec";
Group = "crowdsec";
- SupplementaryGroups = cfg.extraGroups;
+ SupplementaryGroups = [ "systemd-journal" ];
StateDirectory = "crowdsec";
};