From 60e1f3c3d09c4a7a12bfa34f0aae7e548f4aa805 Mon Sep 17 00:00:00 2001
From: Rouven Seifert
Date: Thu, 27 Jul 2023 23:25:08 +0200
Subject: [PATCH] configured crowdsec
---
 flake.lock | 24 +++----
 flake.nix | 1 +
 hosts/falkenstein-1/default.nix | 5 +-
 .../modules/crowdsec/default.nix | 52 ++++++++++++++++
 hosts/thinkpad/default.nix | 2 +-
 overlays/default.nix | 17 +++++
 pkgs/crowdsec-firewall-bouncer/default.nix | 1 +
 .../0001-remove-install-script.patch | 49 +++++++++++++++
 pkgs/gnome-break-timer/default.nix | 62 +++++++++++++++++++
 9 files changed, 196 insertions(+), 17 deletions(-)
 create mode 100644 hosts/falkenstein-1/modules/crowdsec/default.nix
 create mode 100644 pkgs/gnome-break-timer/0001-remove-install-script.patch
 create mode 100644 pkgs/gnome-break-timer/default.nix
diff --git a/flake.lock b/flake.lock
index 5325c66..62bf4fb 100644
--- a/flake.lock
+++ b/flake.lock
@@ -171,11 +171,11 @@
 ]
 },
 "locked": {
- "lastModified": 1690195124,
- "narHash": "sha256-RdAMFEnhoOZSjrFd/zULzDJ59obHTYXOv4d5ie76tXw=",
+ "lastModified": 1690476848,
+ "narHash": "sha256-PSmzyuEbMxEn2uwwLYUN2l1psoJXb7jm/kfHD12Sq0k=",
 "owner": "nix-community",
 "repo": "home-manager",
- "rev": "a30f5b5b35e2d974fb5e1a3721eaec723ef48c89",
+ "rev": "8d243f7da13d6ee32f722a3f1afeced150b6d4da",
 "type": "github"
 },
 "original": {
@@ -287,11 +287,11 @@
 },
 "nixos-hardware": {
 "locked": {
- "lastModified": 1689320556,
- "narHash": "sha256-vODUkZLWFVCvo1KPK3dC2CbXjxa9antEn5ozwlcTr48=",
+ "lastModified": 1690200740,
+ "narHash": "sha256-aRkEXGmCbAGcvDcdh/HB3YN+EvoPoxmJMOaqRZmf6vM=",
 "owner": "NixOS",
 "repo": "nixos-hardware",
- "rev": "d4ea64f2063820120c05f6ba93ee02e6d4671d6b",
+ "rev": "ba9650b14e83b365fb9e731f7d7c803f22d2aecf",
 "type": "github"
 },
 "original": {
@@ -301,11 +301,11 @@
 },
 "nixpkgs": {
 "locked": {
- "lastModified": 1690031011,
- "narHash": "sha256-kzK0P4Smt7CL53YCdZCBbt9uBFFhE0iNvCki20etAf4=",
+ "lastModified": 1690272529,
+ "narHash": "sha256-MakzcKXEdv/I4qJUtq/k/eG+rVmyOZLnYNC2w1mB59Y=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "12303c652b881435065a98729eb7278313041e49",
+ "rev": "ef99fa5c5ed624460217c31ac4271cfb5cb2502c",
 "type": "github"
 },
 "original": {
@@ -399,11 +399,11 @@
 ]
 },
 "locked": {
- "lastModified": 1689880943,
- "narHash": "sha256-qFUNtcCGfZldDgvuPLk4J2ww+CNwDmTUWLnn/jgxHJM=",
+ "lastModified": 1690202968,
+ "narHash": "sha256-ppvmKtkU0tlE3ZbZw+Low9jU3hngzAEt3kx9ddNmN+o=",
 "owner": "therealr5",
 "repo": "purge",
- "rev": "869b5723dfb5d7e7650d631215771dfa4f48bf11",
+ "rev": "ffed44b198379ae77b1c101b5d6020a4a5926bbb",
 "type": "github"
 },
 "original": {
diff --git a/flake.nix b/flake.nix
index ba20d7f..df382c0 100644
--- a/flake.nix
+++ b/flake.nix
@@ -65,6 +65,7 @@
 jmri = nixpkgs.legacyPackages.x86_64-linux.callPackage ./pkgs/jmri { };
 adguardian-term = nixpkgs.legacyPackages.x86_64-linux.callPackage ./pkgs/adguardian-term { };
 pww = nixpkgs.legacyPackages.x86_64-linux.callPackage ./pkgs/pww { };
+ gnome-break-timer = nixpkgs.legacyPackages.x86_64-linux.callPackage ./pkgs/gnome-break-timer { };
 crowdsec-firewall-bouncer = nixpkgs.legacyPackages.x86_64-linux.callPackage ./pkgs/crowdsec-firewall-bouncer { };
 };
 hydraJobs = self.packages;
diff --git a/hosts/falkenstein-1/default.nix b/hosts/falkenstein-1/default.nix
index e72818f..a5fe3b1 100644
--- a/hosts/falkenstein-1/default.nix
+++ b/hosts/falkenstein-1/default.nix
@@ -5,6 +5,7 @@
 [
 # Include the results of the hardware scan.
 ./hardware-configuration.nix
+ ./modules/crowdsec
 ./modules/mail
 ./modules/networks
 ./modules/nginx
@@ -39,8 +40,6 @@
 helix
 lsof
 python3
- crowdsec
- crowdsec-firewall-bouncer
 ];
 programs.git = {
 enable = true;
@@ -70,6 +69,4 @@
 ];
 system.stateVersion = "22.11";
 
-
 }
-
diff --git a/hosts/falkenstein-1/modules/crowdsec/default.nix b/hosts/falkenstein-1/modules/crowdsec/default.nix
new file mode 100644
index 0000000..e19846f
--- /dev/null
+++ b/hosts/falkenstein-1/modules/crowdsec/default.nix
@@ -0,0 +1,52 @@
+{ pkgs, lib, ... }:
+{
+ environment.systemPackages = with pkgs; [
+ crowdsec
+ crowdsec-firewall-bouncer
+ ipset
+ ];
+ services.postgresql = {
+ enable = true;
+ ensureUsers = [
+ {
+ name = "crowdsec";
+ ensurePermissions = {
+ "DATABASE crowdsec" = "ALL PRIVILEGES";
+ };
+ }
+ ];
+ ensureDatabases = [ "crowdsec" ];
+
+ };
+ systemd.services.crowdsec = {
+ after = [ "syslog.target" "network.target" "remote-fs.target" "nss-lookup.target" ];
+ description = "Crowdsec agent";
+ serviceConfig = {
+ Type = "notify";
+ ExecStartPre = "${lib.getExe pkgs.crowdsec} -t -error";
+ ExecStart = "${lib.getExe pkgs.crowdsec}";
+ ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
+ Restart = "always";
+ RestartSec = 60;
+ };
+ wantedBy = [ "multi-user.target" ];
+ };
+ systemd.services.crowdsec-firewall-bouncer = {
+ path = [ pkgs.ipset pkgs.iptables ];
+ after = [ "syslog.target" "network.target" "remote-fs.target" "nss-lookup.target" ];
+ before = [ "netfilter-persistent.service" ];
+ description = "Crowdsec firewall bouncer";
+ serviceConfig = {
+ # Type = "notify";
+ ExecStartPre = "${lib.getExe pkgs.crowdsec-firewall-bouncer} -c /etc/crowdsec/crowdsec-firewall-bouncer.yaml -t";
+ ExecStart = "${lib.getExe pkgs.crowdsec-firewall-bouncer} -c /etc/crowdsec/crowdsec-firewall-bouncer.yaml";
+ ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
+ Restart = "always";
+ RestartSec = 10;
+ LimitNOFILE = 65536;
+ };
+ wantedBy = [ "multi-user.target" ];
+ };
+
+
+}
diff --git a/hosts/thinkpad/default.nix b/hosts/thinkpad/default.nix
index cd39525..5070705 100755
--- a/hosts/thinkpad/default.nix
+++ b/hosts/thinkpad/default.nix
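Review bot: Both `systemd.services.crowdsec` and `systemd.services.crowdsec-firewall-bouncer` in hosts/falkenstein-1/modules/crowdsec/default.nix run as root with no confinement — neither `serviceConfig` sets `User`, `ProtectSystem`, `ProtectHome`, `PrivateTmp` or a capability set — so a bug in either daemon (the agent's job is parsing log lines produced by remote, untrusted clients) becomes an unconfined root process. The bouncer only needs `CAP_NET_ADMIN`/`CAP_NET_RAW` for the iptables/ipset calls, so a dedicated user with `AmbientCapabilities = [ "CAP_NET_ADMIN" "CAP_NET_RAW" ]; ProtectSystem = "strict"; PrivateTmp = true;` plus a `ReadWritePaths` for whatever state it writes (not visible in this hunk) is the minimal start, with the config made readable by that user. The agent should likewise get `User = "crowdsec"`, which also matches the `crowdsec` role created by `ensureUsers` — if its config reaches PostgreSQL over the unix socket, peer authentication would otherwise see a root process rather than that role. Separately, `/etc/crowdsec/crowdsec-firewall-bouncer.yaml` (and the agent's own config) are referenced but not managed by this module, presumably because they carry the LAPI key; a comment such as `# /etc/crowdsec/*.yaml hold API keys and are provisioned out of band — keep them out of the world-readable Nix store` would make that contract explicit for the next maintainer.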
@@ -103,7 +103,7 @@ ]; }; - fonts.fonts = with pkgs; [ + fonts.packages = with pkgs; [ nerdfonts noto-fonts noto-fonts-cjk diff --git a/overlays/default.nix b/overlays/default.nix index 0597aaa..12312a1 100644 --- a/overlays/default.nix +++ b/overlays/default.nix @@ -1,6 +1,7 @@ _final: prev: let inherit (prev) callPackage; + inherit (prev) fetchFromGitHub; in { wpa_supplicant_gui = prev.wpa_supplicant_gui.overrideAttrs @@ -28,7 +29,23 @@ in }); pww = callPackage ../pkgs/pww { }; + crowdsec = prev.crowdsec.overrideAttrs (old: rec { + version = "1.5.2"; + src = fetchFromGitHub { + owner = "crowdsecurity"; + repo = old.pname; + rev = "v${version}"; + hash = "sha256-260+XsRn3Mm/zCSvfEcBQ6j715KV4t1Z0CvXdriDzCs="; + }; + # subPackages = [ + # "cmd/crowdsec" + # "cmd/crowdsec-cli" + # "plugins/notifications/email/main.go" + # ]; + + }); crowdsec-firewall-bouncer = callPackage ../pkgs/crowdsec-firewall-bouncer { }; + gnome-break-timer = callPackage ../pkgs/gnome-break-timer { }; jmri = callPackage ../pkgs/jmri { }; adguardian-term = callPackage ../pkgs/adguardian-term { }; } diff --git a/pkgs/crowdsec-firewall-bouncer/default.nix b/pkgs/crowdsec-firewall-bouncer/default.nix index 050590c..036a1c5 100644 --- a/pkgs/crowdsec-firewall-bouncer/default.nix +++ b/pkgs/crowdsec-firewall-bouncer/default.nix @@ -19,6 +19,7 @@ buildGoModule rec { homepage = "https://github.com/crowdsecurity/cs-firewall-bouncer"; license = licenses.mit; maintainers = with maintainers; [ therealr5 ]; + mainProgram = "cs-firewall-bouncer"; platforms = platforms.all; }; } diff --git a/pkgs/gnome-break-timer/0001-remove-install-script.patch b/pkgs/gnome-break-timer/0001-remove-install-script.patch new file mode 100644 index 0000000..0ef4c2b --- /dev/null +++ b/pkgs/gnome-break-timer/0001-remove-install-script.patch 
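Review bot: The `crowdsec` override in overlays/default.nix replaces `src` with the v1.5.2 tarball via `overrideAttrs` but leaves the package's `vendorHash` untouched; for a `buildGoModule` package the vendored-modules fixed-output derivation is tied to the original `src` and is not necessarily rebuilt by an `overrideAttrs` of the outer derivation, so if the Go dependency set changed between releases the build may fail on a hash mismatch or compile against the previous release's vendored modules — verify the override actually builds and bump `vendorHash` together with `version`/`src`. The commented-out `subPackages` block inside the override is dead code; either delete it or replace it with a one-line comment stating why the default package set is kept, e.g. `# all cmd/ and plugin binaries are wanted; do not restrict subPackages`.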
@@ -0,0 +1,49 @@
+From 07c3436bf3803a9b939df7fe9c0f4ab70c21e5ad Mon Sep 17 00:00:00 2001
+From: Rouven Seifert
+Date: Mon, 24 Jul 2023 20:59:57 +0200
+Subject: [PATCH] remove install script
+
+---
+ build-aux/meson/postinstall.py | 19 -------------------
+ meson.build | 2 --
+ 2 files changed, 21 deletions(-)
+ delete mode 100755 build-aux/meson/postinstall.py
+
+diff --git a/build-aux/meson/postinstall.py b/build-aux/meson/postinstall.py
+deleted file mode 100755
+index 7fb0345..0000000
+--- a/build-aux/meson/postinstall.py
++++ /dev/null
+@@ -1,19 +0,0 @@
+-#!/usr/bin/env python3
+-
+-from os import environ, path
+-from subprocess import call
+-
+-prefix = environ.get('MESON_INSTALL_PREFIX', '/usr/local')
+-datadir = path.join(prefix, 'share')
+-destdir = environ.get('DESTDIR', '')
+-
+-if not destdir:
+- print('Updating icon cache...')
+- call(['gtk-update-icon-cache', '-qtf', path.join(datadir, 'icons', 'hicolor')])
+-
+- print('Updating desktop database...')
+- call(['update-desktop-database', '-q', path.join(datadir, 'applications')])
+-
+- print('Compiling GSettings schemas...')
+- call(['glib-compile-schemas', path.join(datadir, 'glib-2.0', 'schemas')])
+-
+diff --git a/meson.build b/meson.build
+index 0a07ef3..edd6a67 100644
+--- a/meson.build
++++ b/meson.build
+@@ -95,5 +95,3 @@ subdir('po')
+ subdir('data')
+ subdir('src')
+ subdir('tests')
+-
+-meson.add_install_script('build-aux/meson/postinstall.py')
+--
+2.41.0
+
diff --git a/pkgs/gnome-break-timer/default.nix b/pkgs/gnome-break-timer/default.nix
new file mode 100644
index 0000000..04e5a11
--- /dev/null
+++ b/pkgs/gnome-break-timer/default.nix
@@ -0,0 +1,62 @@
+{ lib
+, stdenv
+, fetchurl
+, meson
+, vala
+, pkgconfig
+, cairo
+, gsound
+, gtk3
+, json-glib
+, libcanberra
+, libnotify
+, ninja
+, gtk4
+, glib
+, gsettings-desktop-schemas
+, wrapGAppsHook
+}:
+stdenv.mkDerivation rec {
+ pname = "gnome-break-timer";
+ version = "2.1.0";
+ src = fetchurl {
+ url = "https://gitlab.gnome.org/GNOME/${pname}/-/archive/${version}/${pname}-${version}.tar.gz";
+ sha256 = "sha256-B13vZbYwniB9+ZF/XduJHvOd6FwZUpMIdbB8EPUbuS8=";
+ };
+
+ MESON_INSTALL_PREFIX = "$out";
+ nativeBuildInputs = [
+ meson
+ ninja
+ vala
+ pkgconfig
+ cairo
+ gsound
+ gtk3
+ json-glib
+ libcanberra
+ libnotify
+ wrapGAppsHook
+ glib.dev
+ ];
+ buildInputs = [
+ gtk4
+ glib
+ gsettings-desktop-schemas
+ ];
+
+ patches = [ ./0001-remove-install-script.patch ];
+
+ postInstall = ''
+ glib-compile-schemas $out/share/glib-2.0/schemas
+ '';
+
+ meta = with lib; {
+ homepage = "https://wiki.gnome.org/Apps/BreakTimer";
+ description = "Clock application designed for GNOME 3";
+ maintainers = [ maintainers.therealr5 ];
+ license = licenses.gpl2Plus;
+ platforms = platforms.unix;
+ };
+}
+
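Review bot: In pkgs/gnome-break-timer/default.nix, `cairo`, `gsound`, `gtk3`, `json-glib`, `libcanberra` and `libnotify` are listed under `nativeBuildInputs` although they are libraries the program links against; they belong in `buildInputs`, otherwise a cross build resolves them for the build platform and the host-side pkg-config lookups fail (and `pkgconfig` is the deprecated alias of `pkg-config`, which should be used in both the argument list and the inputs). `meta.description = "Clock application designed for GNOME 3"` does not match the package — `pname` and `homepage` both point at Break Timer — and looks copied from another expression. `MESON_INSTALL_PREFIX = "$out"` is a literal string in the build environment and, with the post-install script removed by the bundled patch, appears to be unused; drop it or add a comment saying which consumer still reads it. Lastly, `fetchurl` of a GitLab-generated archive tarball is hash-pinned here but such archives are not guaranteed to be byte-stable across forge upgrades, so `fetchFromGitLab` with the release tag is the more reproducible fetcher.
```nix
  # … unchanged: pname, version, src …
  nativeBuildInputs = [
    meson
    ninja
    vala
    pkg-config
    wrapGAppsHook
    glib.dev
  ];
  buildInputs = [
    cairo
    gsound
    gtk3
    gtk4
    glib
    gsettings-desktop-schemas
    json-glib
    libcanberra
    libnotify
  ];
  # … unchanged: patches, postInstall, meta (with the corrected description) …
```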