tlaternet/tlaternet-server
1
0
Fork 0
Code Issues11 Pull requests Releases Activity

Compare commits

...

4 commits
d6217e6101 ... 5e4a945981

Author SHA1 Message Date
Tristan Daniël Maat 5e4a945981
WIP: fix(crowdsec): Make the whitelists actually work 2025-02-28 02:20:59 +08:00
Tristan Daniël Maat e1eb85d00f
WIP: feat: Add minecraft server 2025-02-28 02:20:58 +08:00
Tristan Daniël Maat a398790ef4
feat(metrics): Add victorialogs 2025-02-28 02:11:39 +08:00
Tristan Daniël Maat e4a7fa8764
feat(grafana): Use the victoriametrics metrics plugin 2025-02-28 02:01:54 +08:00
7 changed files with 257 additions and 66 deletions

6
configuration/default.nix
View file

@ -22,6 +22,7 @@
./services/foundryvtt.nix
./services/gitea.nix
./services/metrics
./services/minecraft.nix
./services/nextcloud.nix
./services/webserver.nix
./services/wireguard.nix
@ -70,8 +71,6 @@
8448
# starbound
21025
# Minecraft
25565
config.services.coturn.listening-port
config.services.coturn.tls-listening-port
@ -80,9 +79,6 @@
];
allowedUDPPorts = [
# More minecraft
25565
config.services.coturn.listening-port
config.services.coturn.tls-listening-port
config.services.coturn.alt-listening-port

44
configuration/services/crowdsec.nix
View file

@ -12,6 +12,18 @@
"10.45.249.2"
];
extraConfig."postoverflows/s01-whitelist/matrix-whitelist.yaml" = {
name = "tetsumaki/matrix";
description = "custom matrix whitelist";
whitelist = {
reason = "whitelist false positive for matrix";
expression = [
"evt.Overflow.Alert.Events[0].GetMeta('target_fqdn') == '${config.services.matrix-conduit.settings.global.server_name}'"
"evt.Overflow.Alert.GetScenario() in ['crowdsecurity/http-probing', 'crowdsecurity/http-crawl-non_statics']"
];
};
};
extraGroups = [
"systemd-journal"
"nginx"
@ -55,36 +67,4 @@
};
};
};
# Add whitelists for matrix
systemd.tmpfiles.settings."10-matrix" =
let
stateDir = config.security.crowdsec.stateDirectory;
in
{
"${stateDir}/config/postoverflows".d = {
user = "crowdsec";
group = "crowdsec";
mode = "0700";
};
"${stateDir}/config/postoverflows/s01-whitelist".d = {
user = "crowdsec";
group = "crowdsec";
mode = "0700";
};
"${stateDir}/config/postoverflows/s01-whitelist/matrix-whitelist.yaml"."L+".argument =
((pkgs.formats.yaml { }).generate "crowdsec-matrix-whitelist.yaml" {
name = "tetsumaki/matrix";
description = "custom matrix whitelist";
whitelist = {
reason = "whitelist false positive for matrix";
expression = [
"evt.Overflow.Alert.Events[0].GetMeta('target_fqdn') == '${config.services.matrix-conduit.settings.global.server_name}'"
"evt.Overflow.Alert.GetScenario() in ['crowdsecurity/http-probing', 'crowdsecurity/http-crawl-non_statics']"
];
};
}).outPath;
};
}

1
configuration/services/metrics/default.nix
View file

@ -5,5 +5,6 @@
./exporters.nix
./grafana.nix
./victoriametrics.nix
./victorialogs.nix
];
}

23
configuration/services/metrics/grafana.nix
View file

@ -1,4 +1,9 @@
{ config, ... }:
{
pkgs,
config,
flake-inputs,
...
}:
let
domain = "metrics.${config.services.nginx.domain}";
in
@ -28,6 +33,11 @@ in
};
};
declarativePlugins = [
pkgs.grafanaPlugins.victoriametrics-metrics-datasource
flake-inputs.nixpkgs-unstable.legacyPackages.${pkgs.system}.grafanaPlugins.victoriametrics-logs-datasource
];
provision = {
enable = true;
@ -35,7 +45,16 @@ in
{
name = "Victoriametrics - tlater.net";
url = "http://localhost:8428";
type = "prometheus";
type = "victoriametrics-metrics-datasource";
access = "proxy";
isDefault = true;
}
{
name = "Victorialogs - tlater.net";
url = "http://${config.services.victorialogs.bindAddress}";
type = "victoriametrics-logs-datasource";
access = "proxy";
}
];
};

110
configuration/services/metrics/victorialogs.nix Normal file
View file

@ -0,0 +1,110 @@
{
config,
pkgs,
lib,
...
}:
let
cfg = config.services.victorialogs;
pkg = pkgs.victoriametrics;
dirname = "victorialogs";
in
{
options.services.victorialogs =
let
inherit (lib.types) str;
in
{
listenAddress = lib.mkOption {
default = ":9428";
type = str;
};
bindAddress = lib.mkOption {
readOnly = true;
type = str;
description = ''
Final address on which victorialogs listens.
'';
};
};
config = {
services.victorialogs.bindAddress =
(lib.optionalString (lib.hasPrefix ":" cfg.listenAddress) "127.0.0.1") + cfg.listenAddress;
services.journald.upload = {
enable = true;
settings.Upload = {
URL = "http://${cfg.bindAddress}/insert/journald";
NetworkTimeoutSec = "20s";
};
};
systemd.services."systemd-journal-upload".after = [ "victorialogs.service" ];
systemd.services.victorialogs = {
description = "VictoriaLogs log database";
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
startLimitBurst = 5;
serviceConfig = {
ExecStart = lib.escapeShellArgs [
"${pkg}/bin/victoria-logs"
"-storageDataPath=/var/lib/${dirname}"
"-httpListenAddr=${cfg.listenAddress}"
];
DynamicUser = true;
RestartSec = 1;
Restart = "on-failure";
RuntimeDirectory = dirname;
RuntimeDirectoryMode = "0700";
StateDirectory = dirname;
StateDirectoryMode = "0700";
LimitNOFILE = 1048576;
# Hardening
DeviceAllow = [ "/dev/null rw" ];
DevicePolicy = "strict";
LockPersonality = true;
MemoryDenyWriteExecute = true;
NoNewPrivileges = true;
PrivateDevices = true;
PrivateTmp = true;
PrivateUsers = true;
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
ProtectSystem = "full";
RemoveIPC = true;
RestrictAddressFamilies = [
"AF_INET"
"AF_INET6"
"AF_UNIX"
];
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
SystemCallFilter = [
"@system-service"
"~@privileged"
];
};
postStart = lib.mkBefore ''
until ${lib.getBin pkgs.curl}/bin/curl -s -o /dev/null http://${cfg.bindAddress}/ping; do
sleep 1;
done
'';
};
};
}

83
configuration/services/minecraft.nix Normal file
View file

@ -0,0 +1,83 @@
{
pkgs,
lib,
config,
...
}:
{
services.minecraft-server = {
enable = true;
eula = true;
# jvmOpts are set using a file for forge
# jvmOpts = "-Xmx8G -Xms8G";
openFirewall = true;
declarative = true;
whitelist = {
tlater = "140d177a-966f-41b8-a4c0-e305babd291b";
romino25 = "59cd1648-14a4-4bcf-8f5a-2e1bde678f2c";
lasi25 = "0ab6e3d1-544a-47e7-8538-2e6c248e49a4";
};
serverProperties = {
allow-flight = true;
difficulty = "hard";
motd = "tlater.net";
spawn-protection = 1;
white-list = true;
enable-query = true;
enable-status = true;
# Allows the server to write chunks without hogging the main
# thread...
sync-chunk-writes = false;
# Disables chat reporting, because we don't need any of that
# drama on a lil' friends-only server.
enforce-secure-profile = false;
};
package = pkgs.writeShellApplication {
name = "minecraft-server";
runtimeInputs = with pkgs; [ jdk17_headless ];
text = ''
exec /var/lib/minecraft/run.sh $@
'';
};
};
systemd.services.minecraft-server = {
path = with pkgs; [ jdk17_headless ];
# Since we read from our own HTTP server, we need to wait for it
# to be up
after = [ "nginx.service" ];
serviceConfig = {
# Use packwiz to install mods
ExecStartPre = [
"${pkgs.jdk17_headless}/bin/java -jar ${config.services.minecraft-server.dataDir}/packwiz-installer-bootstrap.jar -g -s server 'https://minecraft.${config.services.nginx.domain}/cobblemon-pack/pack.toml'"
];
# Forge requires some bonus JVM options, which they include in a
# little `run.sh` script
ExecStart = lib.mkForce "${config.services.minecraft-server.dataDir}/run.sh --nogui";
};
};
systemd.tmpfiles.settings."10-minecraft" = {
"/srv/minecraft".d = {
user = "nginx";
group = "minecraft";
mode = "0775";
};
};
services.nginx.virtualHosts."minecraft.${config.services.nginx.domain}" = {
forceSSL = true;
useACMEHost = "tlater.net";
enableHSTS = true;
root = "/srv/minecraft";
};
}

56
modules/crowdsec/default.nix
View file

@ -31,6 +31,22 @@ let
${lib.concatMapStringsSep "\n---\n" builtins.toJSON cfg.acquisitions}
---
'';
extraConfigs = pkgs.symlinkJoin {
name = "crowdsec-extra-configs";
paths = lib.mapAttrsToList (
path: settings:
(settingsFormat.generate path settings).overrideAttrs (old: {
patchPhase = ''
mkdir -p "$out/${dirOf path}/"
out="$out/${dirOf path}/"
echo $out
exit 1
'';
})
) cfg.extraConfig;
};
in
{
imports = [ ./remediations ];
@ -38,6 +54,7 @@ in
options.security.crowdsec =
let
inherit (lib.types)
attrsOf
nullOr
listOf
package
@ -85,6 +102,16 @@ in
'';
};
extraConfig = lib.mkOption {
type = attrsOf (settingsFormat.type);
default = {
"parsers/s02-enrich/nixos-whitelist.yaml" = cfg.parserWhitelist;
};
description = ''
Set of additional configurations to install.
'';
};
acquisitions = lib.mkOption {
type = listOf settingsFormat.type;
default = [ ];
@ -300,33 +327,6 @@ in
group = "crowdsec";
mode = "0700";
};
"${cfg.stateDirectory}/config/parsers".d = lib.mkIf (cfg.parserWhitelist != [ ]) {
user = "crowdsec";
group = "crowdsec";
mode = "0700";
};
"${cfg.stateDirectory}/config/parsers/s02-enrich".d = lib.mkIf (cfg.parserWhitelist != [ ]) {
user = "crowdsec";
group = "crowdsec";
mode = "0700";
};
"${cfg.stateDirectory}/config/parsers/s02-enrich/nixos-whitelist.yaml" =
lib.mkIf (cfg.parserWhitelist != [ ])
{
"L+".argument =
(settingsFormat.generate "crowdsec-nixos-whitelist.yaml" {
name = "nixos/parser-whitelist";
description = "Parser whitelist generated by the crowdsec NixOS module";
whitelist = {
reason = "Filtered by NixOS whitelist";
ip = lib.lists.filter (ip: !(lib.hasInfix "/" ip)) cfg.parserWhitelist;
cidr = lib.lists.filter (ip: lib.hasInfix "/" ip) cfg.parserWhitelist;
};
}).outPath;
};
};
services = {
@ -336,6 +336,8 @@ in
description = "Crowdsec database and config preparation";
script = ''
cp --copy-contents --recursive ${extraConfigs}/. ${cfg.stateDirectory}/config
if [ ! -e '${cfg.settings.config_paths.simulation_path}' ]; then
cp '${cfg.package}/share/crowdsec/config/simulation.yaml' '${cfg.settings.config_paths.simulation_path}'
fi