tlaternet/tlaternet-server
1
0
Fork 0
Code Issues11 Pull requests Releases Activity

Compare commits

...

3 commits
f959c6c671 ... d6217e6101

Author SHA1 Message Date
Tristan Daniël Maat d6217e6101
WIP: fix(crowdsec): Make the whitelists actually work 2025-02-23 01:45:12 +08:00
Tristan Daniël Maat e079ecbe72
WIP: feat: Add minecraft server 2025-02-23 01:45:11 +08:00
Tristan Daniël Maat be1d739b40
bump: Update inputs 
Flake lock file updates:

• Updated input 'disko':
    'github:nix-community/disko/fa5746ecea1772cf59b3f34c5816ab3531478142?narHash=sha256-xFnU%2BuUl48Icas2wPQ%2BZzlL2O3n8f6J2LrzNK9f2nng%3D' (2025-02-15)
  → 'github:nix-community/disko/15dbf8cebd8e2655a883b74547108e089f051bf0?narHash=sha256-lSOXdgW/1zi/SSu7xp71v%2B55D5Egz8ACv0STkj7fhbs%3D' (2025-02-18)
• Updated input 'foundryvtt':
    'github:reckenrode/nix-foundryvtt/0a72a4bf64224c6584fd1b9e9f0012dd09af979a?narHash=sha256-vM9C1gFiQGa3nTYqmTBI8MoiUfprkQdepUBbxV7ECMQ%3D' (2025-01-17)
  → 'github:reckenrode/nix-foundryvtt/a7fa493ba2c623cf90e83756b62285b3b58f18d2?narHash=sha256-u3m%2BawbdL%2B0BKk8IWidsWMr%2BR0ian3GZMUlH7623kd8%3D' (2025-02-16)
• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/30d4471a8a2a13b716530d3aad60b9846ea5ff83?narHash=sha256-jGiez5BtGGJUB/LXzRa%2B4AQurMO9acc1B69kBfgQhJc%3D' (2025-02-15)
  → 'github:nixos/nixpkgs/11415c7ae8539d6292f2928317ee7a8410b28bb9?narHash=sha256-SSYxFhqCOb3aiPb6MmN68yEzBIltfom8IgRz7phHscM%3D' (2025-02-21)
• Updated input 'nixpkgs-unstable':
    'github:nixos/nixpkgs/31ff66eb77d02e9ac34b7256a02edb1c43fb9998?narHash=sha256-3bnOIZz8KXtzcaXGuH9Eriv0HiQyr1EIfcye%2BVHLQZE%3D' (2025-02-15)
  → 'github:nixos/nixpkgs/8465e233b0668cf162c608a92e62e8d78c1ba7e4?narHash=sha256-wzBbGGZ6i1VVBA/cDJaLfuuGYCUriD7fwsLgJJHRVRk%3D' (2025-02-22)
 2025-02-23 01:45:11 +08:00
8 changed files with 147 additions and 87 deletions

6
configuration/default.nix
View file

@ -22,6 +22,7 @@
./services/foundryvtt.nix
./services/gitea.nix
./services/metrics
./services/minecraft.nix
./services/nextcloud.nix
./services/webserver.nix
./services/wireguard.nix
@ -70,8 +71,6 @@
8448
# starbound
21025
# Minecraft
25565
config.services.coturn.listening-port
config.services.coturn.tls-listening-port
@ -80,9 +79,6 @@
];
allowedUDPPorts = [
# More minecraft
25565
config.services.coturn.listening-port
config.services.coturn.tls-listening-port
config.services.coturn.alt-listening-port

44
configuration/services/crowdsec.nix
View file

@ -12,6 +12,18 @@
"10.45.249.2"
];
extraConfig."postoverflows/s01-whitelist/matrix-whitelist.yaml" = {
name = "tetsumaki/matrix";
description = "custom matrix whitelist";
whitelist = {
reason = "whitelist false positive for matrix";
expression = [
"evt.Overflow.Alert.Events[0].GetMeta('target_fqdn') == '${config.services.matrix-conduit.settings.global.server_name}'"
"evt.Overflow.Alert.GetScenario() in ['crowdsecurity/http-probing', 'crowdsecurity/http-crawl-non_statics']"
];
};
};
extraGroups = [
"systemd-journal"
"nginx"
@ -55,36 +67,4 @@
};
};
};
# Add whitelists for matrix
systemd.tmpfiles.settings."10-matrix" =
let
stateDir = config.security.crowdsec.stateDirectory;
in
{
"${stateDir}/config/postoverflows".d = {
user = "crowdsec";
group = "crowdsec";
mode = "0700";
};
"${stateDir}/config/postoverflows/s01-whitelist".d = {
user = "crowdsec";
group = "crowdsec";
mode = "0700";
};
"${stateDir}/config/postoverflows/s01-whitelist/matrix-whitelist.yaml"."L+".argument =
((pkgs.formats.yaml { }).generate "crowdsec-matrix-whitelist.yaml" {
name = "tetsumaki/matrix";
description = "custom matrix whitelist";
whitelist = {
reason = "whitelist false positive for matrix";
expression = [
"evt.Overflow.Alert.Events[0].GetMeta('target_fqdn') == '${config.services.matrix-conduit.settings.global.server_name}'"
"evt.Overflow.Alert.GetScenario() in ['crowdsecurity/http-probing', 'crowdsecurity/http-crawl-non_statics']"
];
};
}).outPath;
};
}

83
configuration/services/minecraft.nix Normal file
View file

@ -0,0 +1,83 @@
{
pkgs,
lib,
config,
...
}:
{
services.minecraft-server = {
enable = true;
eula = true;
# jvmOpts are set using a file for forge
# jvmOpts = "-Xmx8G -Xms8G";
openFirewall = true;
declarative = true;
whitelist = {
tlater = "140d177a-966f-41b8-a4c0-e305babd291b";
romino25 = "59cd1648-14a4-4bcf-8f5a-2e1bde678f2c";
lasi25 = "0ab6e3d1-544a-47e7-8538-2e6c248e49a4";
};
serverProperties = {
allow-flight = true;
difficulty = "hard";
motd = "tlater.net";
spawn-protection = 1;
white-list = true;
enable-query = true;
enable-status = true;
# Allows the server to write chunks without hogging the main
# thread...
sync-chunk-writes = false;
# Disables chat reporting, because we don't need any of that
# drama on a lil' friends-only server.
enforce-secure-profile = false;
};
package = pkgs.writeShellApplication {
name = "minecraft-server";
runtimeInputs = with pkgs; [ jdk17_headless ];
text = ''
exec /var/lib/minecraft/run.sh $@
'';
};
};
systemd.services.minecraft-server = {
path = with pkgs; [ jdk17_headless ];
# Since we read from our own HTTP server, we need to wait for it
# to be up
after = [ "nginx.service" ];
serviceConfig = {
# Use packwiz to install mods
ExecStartPre = [
"${pkgs.jdk17_headless}/bin/java -jar ${config.services.minecraft-server.dataDir}/packwiz-installer-bootstrap.jar -g -s server 'https://minecraft.${config.services.nginx.domain}/cobblemon-pack/pack.toml'"
];
# Forge requires some bonus JVM options, which they include in a
# little `run.sh` script
ExecStart = lib.mkForce "${config.services.minecraft-server.dataDir}/run.sh --nogui";
};
};
systemd.tmpfiles.settings."10-minecraft" = {
"/srv/minecraft".d = {
user = "nginx";
group = "minecraft";
mode = "0775";
};
};
services.nginx.virtualHosts."minecraft.${config.services.nginx.domain}" = {
forceSSL = true;
useACMEHost = "tlater.net";
enableHSTS = true;
root = "/srv/minecraft";
};
}

27
flake.lock
View file

@ -300,11 +300,11 @@
]
},
"locked": {
"lastModified": 1739634831,
"narHash": "sha256-xFnU+uUl48Icas2wPQ+ZzlL2O3n8f6J2LrzNK9f2nng=",
"lastModified": 1739841949,
"narHash": "sha256-lSOXdgW/1zi/SSu7xp71v+55D5Egz8ACv0STkj7fhbs=",
"owner": "nix-community",
"repo": "disko",
"rev": "fa5746ecea1772cf59b3f34c5816ab3531478142",
"rev": "15dbf8cebd8e2655a883b74547108e089f051bf0",
"type": "github"
},
"original": {
@ -595,11 +595,11 @@
]
},
"locked": {
"lastModified": 1737076827,
"narHash": "sha256-vM9C1gFiQGa3nTYqmTBI8MoiUfprkQdepUBbxV7ECMQ=",
"lastModified": 1739712626,
"narHash": "sha256-u3m+awbdL+0BKk8IWidsWMr+R0ian3GZMUlH7623kd8=",
"owner": "reckenrode",
"repo": "nix-foundryvtt",
"rev": "0a72a4bf64224c6584fd1b9e9f0012dd09af979a",
"rev": "a7fa493ba2c623cf90e83756b62285b3b58f18d2",
"type": "github"
},
"original": {
@ -746,11 +746,11 @@
},
"nixpkgs-unstable": {
"locked": {
"lastModified": 1739611738,
"narHash": "sha256-3bnOIZz8KXtzcaXGuH9Eriv0HiQyr1EIfcye+VHLQZE=",
"lastModified": 1740215764,
"narHash": "sha256-wzBbGGZ6i1VVBA/cDJaLfuuGYCUriD7fwsLgJJHRVRk=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "31ff66eb77d02e9ac34b7256a02edb1c43fb9998",
"rev": "8465e233b0668cf162c608a92e62e8d78c1ba7e4",
"type": "github"
},
"original": {
@ -762,11 +762,11 @@
},
"nixpkgs_2": {
"locked": {
"lastModified": 1739578539,
"narHash": "sha256-jGiez5BtGGJUB/LXzRa+4AQurMO9acc1B69kBfgQhJc=",
"lastModified": 1740162160,
"narHash": "sha256-SSYxFhqCOb3aiPb6MmN68yEzBIltfom8IgRz7phHscM=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "30d4471a8a2a13b716530d3aad60b9846ea5ff83",
"rev": "11415c7ae8539d6292f2928317ee7a8410b28bb9",
"type": "github"
},
"original": {
@ -1078,14 +1078,13 @@
"locked": {
"lastModified": 1740082109,
"narHash": "sha256-WdRNkwsIotFOSymee/yQyH46RmYtuxd1FENhvGL4KRc=",
"ref": "tlater/rust-rewrite",
"ref": "refs/heads/main",
"rev": "a1b48cf2ba194054e2d8816c94a84cebc4fb5de0",
"revCount": 23,
"type": "git",
"url": "ssh://git@github.com/sonnenshift/battery-manager"
},
"original": {
"ref": "tlater/rust-rewrite",
"type": "git",
"url": "ssh://git@github.com/sonnenshift/battery-manager"
}

2
flake.nix
View file

@ -23,7 +23,7 @@
};
sonnenshift = {
url = "git+ssh://git@github.com/sonnenshift/battery-manager?ref=tlater/rust-rewrite";
url = "git+ssh://git@github.com/sonnenshift/battery-manager";
inputs.nixpkgs.follows = "nixpkgs";
};
};

56
modules/crowdsec/default.nix
View file

@ -31,6 +31,22 @@ let
${lib.concatMapStringsSep "\n---\n" builtins.toJSON cfg.acquisitions}
---
'';
extraConfigs = pkgs.symlinkJoin {
name = "crowdsec-extra-configs";
paths = lib.mapAttrsToList (
path: settings:
(settingsFormat.generate path settings).overrideAttrs (old: {
patchPhase = ''
mkdir -p "$out/${dirOf path}/"
out="$out/${dirOf path}/"
echo $out
exit 1
'';
})
) cfg.extraConfig;
};
in
{
imports = [ ./remediations ];
@ -38,6 +54,7 @@ in
options.security.crowdsec =
let
inherit (lib.types)
attrsOf
nullOr
listOf
package
@ -85,6 +102,16 @@ in
'';
};
extraConfig = lib.mkOption {
type = attrsOf (settingsFormat.type);
default = {
"parsers/s02-enrich/nixos-whitelist.yaml" = cfg.parserWhitelist;
};
description = ''
Set of additional configurations to install.
'';
};
acquisitions = lib.mkOption {
type = listOf settingsFormat.type;
default = [ ];
@ -300,33 +327,6 @@ in
group = "crowdsec";
mode = "0700";
};
"${cfg.stateDirectory}/config/parsers".d = lib.mkIf (cfg.parserWhitelist != [ ]) {
user = "crowdsec";
group = "crowdsec";
mode = "0700";
};
"${cfg.stateDirectory}/config/parsers/s02-enrich".d = lib.mkIf (cfg.parserWhitelist != [ ]) {
user = "crowdsec";
group = "crowdsec";
mode = "0700";
};
"${cfg.stateDirectory}/config/parsers/s02-enrich/nixos-whitelist.yaml" =
lib.mkIf (cfg.parserWhitelist != [ ])
{
"L+".argument =
(settingsFormat.generate "crowdsec-nixos-whitelist.yaml" {
name = "nixos/parser-whitelist";
description = "Parser whitelist generated by the crowdsec NixOS module";
whitelist = {
reason = "Filtered by NixOS whitelist";
ip = lib.lists.filter (ip: !(lib.hasInfix "/" ip)) cfg.parserWhitelist;
cidr = lib.lists.filter (ip: lib.hasInfix "/" ip) cfg.parserWhitelist;
};
}).outPath;
};
};
services = {
@ -336,6 +336,8 @@ in
description = "Crowdsec database and config preparation";
script = ''
cp --copy-contents --recursive ${extraConfigs}/. ${cfg.stateDirectory}/config
if [ ! -e '${cfg.settings.config_paths.simulation_path}' ]; then
cp '${cfg.package}/share/crowdsec/config/simulation.yaml' '${cfg.settings.config_paths.simulation_path}'
fi

8
pkgs/crowdsec/_sources/generated.json
View file

@ -21,7 +21,7 @@
},
"crowdsec-hub": {
"cargoLocks": null,
"date": "2025-02-16",
"date": "2025-02-22",
"extract": null,
"name": "crowdsec-hub",
"passthru": null,
@ -33,10 +33,10 @@
"name": null,
"owner": "crowdsecurity",
"repo": "hub",
"rev": "f7d7f476f88a4af05e1cfb3994536990adecfb57",
"sha256": "sha256-m78uipryHDKixJzrF4K59ioAJ3WJN1JlXEC0DNVMCJ8=",
"rev": "f9883cd6c7d1913c13e4a3a69d9a0b887a7d57df",
"sha256": "sha256-45pUln7Qj5luY9I9BE2qhzjH7kv4IbYvNoEX3/4AVVg=",
"type": "github"
},
"version": "f7d7f476f88a4af05e1cfb3994536990adecfb57"
"version": "f9883cd6c7d1913c13e4a3a69d9a0b887a7d57df"
}
}

8
pkgs/crowdsec/_sources/generated.nix
View file

@ -14,14 +14,14 @@
};
crowdsec-hub = {
pname = "crowdsec-hub";
version = "f7d7f476f88a4af05e1cfb3994536990adecfb57";
version = "f9883cd6c7d1913c13e4a3a69d9a0b887a7d57df";
src = fetchFromGitHub {
owner = "crowdsecurity";
repo = "hub";
rev = "f7d7f476f88a4af05e1cfb3994536990adecfb57";
rev = "f9883cd6c7d1913c13e4a3a69d9a0b887a7d57df";
fetchSubmodules = false;
sha256 = "sha256-m78uipryHDKixJzrF4K59ioAJ3WJN1JlXEC0DNVMCJ8=";
sha256 = "sha256-45pUln7Qj5luY9I9BE2qhzjH7kv4IbYvNoEX3/4AVVg=";
};
date = "2025-02-16";
date = "2025-02-22";
};
}