configured crowdsec

flake.lock

@@ -171,11 +171,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1690195124,
+        "lastModified": 1690476848,
-        "narHash": "sha256-RdAMFEnhoOZSjrFd/zULzDJ59obHTYXOv4d5ie76tXw=",
+        "narHash": "sha256-PSmzyuEbMxEn2uwwLYUN2l1psoJXb7jm/kfHD12Sq0k=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "a30f5b5b35e2d974fb5e1a3721eaec723ef48c89",
+        "rev": "8d243f7da13d6ee32f722a3f1afeced150b6d4da",
         "type": "github"
       },
       "original": {
@@ -287,11 +287,11 @@
     },
     "nixos-hardware": {
       "locked": {
-        "lastModified": 1689320556,
+        "lastModified": 1690200740,
-        "narHash": "sha256-vODUkZLWFVCvo1KPK3dC2CbXjxa9antEn5ozwlcTr48=",
+        "narHash": "sha256-aRkEXGmCbAGcvDcdh/HB3YN+EvoPoxmJMOaqRZmf6vM=",
         "owner": "NixOS",
         "repo": "nixos-hardware",
-        "rev": "d4ea64f2063820120c05f6ba93ee02e6d4671d6b",
+        "rev": "ba9650b14e83b365fb9e731f7d7c803f22d2aecf",
         "type": "github"
       },
       "original": {
@@ -301,11 +301,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1690031011,
+        "lastModified": 1690272529,
-        "narHash": "sha256-kzK0P4Smt7CL53YCdZCBbt9uBFFhE0iNvCki20etAf4=",
+        "narHash": "sha256-MakzcKXEdv/I4qJUtq/k/eG+rVmyOZLnYNC2w1mB59Y=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "12303c652b881435065a98729eb7278313041e49",
+        "rev": "ef99fa5c5ed624460217c31ac4271cfb5cb2502c",
         "type": "github"
       },
       "original": {
@@ -399,11 +399,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1689880943,
+        "lastModified": 1690202968,
-        "narHash": "sha256-qFUNtcCGfZldDgvuPLk4J2ww+CNwDmTUWLnn/jgxHJM=",
+        "narHash": "sha256-ppvmKtkU0tlE3ZbZw+Low9jU3hngzAEt3kx9ddNmN+o=",
         "owner": "therealr5",
         "repo": "purge",
-        "rev": "869b5723dfb5d7e7650d631215771dfa4f48bf11",
+        "rev": "ffed44b198379ae77b1c101b5d6020a4a5926bbb",
         "type": "github"
       },
       "original": {

flake.nix

@@ -65,6 +65,7 @@
         jmri = nixpkgs.legacyPackages.x86_64-linux.callPackage ./pkgs/jmri { };
         adguardian-term = nixpkgs.legacyPackages.x86_64-linux.callPackage ./pkgs/adguardian-term { };
         pww = nixpkgs.legacyPackages.x86_64-linux.callPackage ./pkgs/pww { };
+        gnome-break-timer = nixpkgs.legacyPackages.x86_64-linux.callPackage ./pkgs/gnome-break-timer { };
         crowdsec-firewall-bouncer = nixpkgs.legacyPackages.x86_64-linux.callPackage ./pkgs/crowdsec-firewall-bouncer { };
       };
       hydraJobs = self.packages;

hosts/falkenstein-1/default.nix

@@ -5,6 +5,7 @@
     [
       # Include the results of the hardware scan.
       ./hardware-configuration.nix
+      ./modules/crowdsec
       ./modules/mail
       ./modules/networks
       ./modules/nginx
@@ -39,8 +40,6 @@
     helix
     lsof
     python3
-    crowdsec
-    crowdsec-firewall-bouncer
   ];
   programs.git = {
     enable = true;
@@ -70,6 +69,4 @@
   ];
 
   system.stateVersion = "22.11";
-
 }
-

hosts/falkenstein-1/modules/crowdsec/default.nix

@@ -0,0 +1,52 @@
+{ pkgs, lib, ... }:
+{
+  environment.systemPackages = with pkgs; [
+    crowdsec
+    crowdsec-firewall-bouncer
+    ipset
+  ];
+  services.postgresql = {
+    enable = true;
+    ensureUsers = [
+      {
+        name = "crowdsec";
+        ensurePermissions = {
+          "DATABASE crowdsec" = "ALL PRIVILEGES";
+        };
+      }
+    ];
+    ensureDatabases = [ "crowdsec" ];
+
+  };
+  systemd.services.crowdsec = {
+    after = [ "syslog.target" "network.target" "remote-fs.target" "nss-lookup.target" ];
+    description = "Crowdsec agent";
+    serviceConfig = {
+      Type = "notify";
+      ExecStartPre = "${lib.getExe pkgs.crowdsec} -t -error";
+      ExecStart = "${lib.getExe pkgs.crowdsec}";
+      ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
+      Restart = "always";
+      RestartSec = 60;
+    };
+    wantedBy = [ "multi-user.target" ];
+  };
+  systemd.services.crowdsec-firewall-bouncer = {
+    path = [ pkgs.ipset pkgs.iptables ];
+    after = [ "syslog.target" "network.target" "remote-fs.target" "nss-lookup.target" ];
+    before = [ "netfilter-persistent.service" ];
+    description = "Crowdsec firewall bouncer";
+    serviceConfig = {
+      # Type = "notify";
+      ExecStartPre = "${lib.getExe pkgs.crowdsec-firewall-bouncer} -c /etc/crowdsec/crowdsec-firewall-bouncer.yaml -t";
+      ExecStart = "${lib.getExe pkgs.crowdsec-firewall-bouncer} -c /etc/crowdsec/crowdsec-firewall-bouncer.yaml";
+      ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
+      Restart = "always";
+      RestartSec = 10;
+      LimitNOFILE = 65536;
+    };
+    wantedBy = [ "multi-user.target" ];
+  };
+
+
+}

hosts/thinkpad/default.nix

@@ -103,7 +103,7 @@
       ];
   };
 
-  fonts.fonts = with pkgs; [
+  fonts.packages = with pkgs; [
     nerdfonts
     noto-fonts
     noto-fonts-cjk

overlays/default.nix

@@ -1,6 +1,7 @@
 _final: prev:
 let
   inherit (prev) callPackage;
+  inherit (prev) fetchFromGitHub;
 in
 {
   wpa_supplicant_gui = prev.wpa_supplicant_gui.overrideAttrs
@@ -28,7 +29,23 @@ in
   });
 
   pww = callPackage ../pkgs/pww { };
+  crowdsec = prev.crowdsec.overrideAttrs (old: rec {
+    version = "1.5.2";
+    src = fetchFromGitHub {
+      owner = "crowdsecurity";
+      repo = old.pname;
+      rev = "v${version}";
+      hash = "sha256-260+XsRn3Mm/zCSvfEcBQ6j715KV4t1Z0CvXdriDzCs=";
+    };
+    # subPackages = [
+    #   "cmd/crowdsec"
+    #   "cmd/crowdsec-cli"
+    #   "plugins/notifications/email/main.go"
+    # ];
+
+  });
   crowdsec-firewall-bouncer = callPackage ../pkgs/crowdsec-firewall-bouncer { };
+  gnome-break-timer = callPackage ../pkgs/gnome-break-timer { };
   jmri = callPackage ../pkgs/jmri { };
   adguardian-term = callPackage ../pkgs/adguardian-term { };
 }

pkgs/crowdsec-firewall-bouncer/default.nix

@@ -19,6 +19,7 @@ buildGoModule rec {
     homepage = "https://github.com/crowdsecurity/cs-firewall-bouncer";
     license = licenses.mit;
     maintainers = with maintainers; [ therealr5 ];
+    mainProgram = "cs-firewall-bouncer";
     platforms = platforms.all;
   };
 }

pkgs/gnome-break-timer/0001-remove-install-script.patch

@@ -0,0 +1,49 @@
+From 07c3436bf3803a9b939df7fe9c0f4ab70c21e5ad Mon Sep 17 00:00:00 2001
+From: Rouven Seifert <rouven@rfive.de>
+Date: Mon, 24 Jul 2023 20:59:57 +0200
+Subject: [PATCH] remove install script
+
+---
+ build-aux/meson/postinstall.py | 19 -------------------
+ meson.build                    |  2 --
+ 2 files changed, 21 deletions(-)
+ delete mode 100755 build-aux/meson/postinstall.py
+
+diff --git a/build-aux/meson/postinstall.py b/build-aux/meson/postinstall.py
+deleted file mode 100755
+index 7fb0345..0000000
+--- a/build-aux/meson/postinstall.py
++++ /dev/null
+@@ -1,19 +0,0 @@
+-#!/usr/bin/env python3
+-
+-from os import environ, path
+-from subprocess import call
+-
+-prefix = environ.get('MESON_INSTALL_PREFIX', '/usr/local')
+-datadir = path.join(prefix, 'share')
+-destdir = environ.get('DESTDIR', '')
+-
+-if not destdir:
+-    print('Updating icon cache...')
+-    call(['gtk-update-icon-cache', '-qtf', path.join(datadir, 'icons', 'hicolor')])
+-
+-    print('Updating desktop database...')
+-    call(['update-desktop-database', '-q', path.join(datadir, 'applications')])
+-
+-    print('Compiling GSettings schemas...')
+-    call(['glib-compile-schemas', path.join(datadir, 'glib-2.0', 'schemas')])
+-
+diff --git a/meson.build b/meson.build
+index 0a07ef3..edd6a67 100644
+--- a/meson.build
++++ b/meson.build
+@@ -95,5 +95,3 @@ subdir('po')
+ subdir('data')
+ subdir('src')
+ subdir('tests')
+-
+-meson.add_install_script('build-aux/meson/postinstall.py')
+-- 
+2.41.0
+

pkgs/gnome-break-timer/default.nix

@@ -0,0 +1,62 @@
+{ lib
+, stdenv
+, fetchurl
+, meson
+, vala
+, pkgconfig
+, cairo
+, gsound
+, gtk3
+, json-glib
+, libcanberra
+, libnotify
+, ninja
+, gtk4
+, glib
+, gsettings-desktop-schemas
+, wrapGAppsHook
+}:
+stdenv.mkDerivation rec {
+  pname = "gnome-break-timer";
+  version = "2.1.0";
+  src = fetchurl {
+    url = "https://gitlab.gnome.org/GNOME/${pname}/-/archive/${version}/${pname}-${version}.tar.gz";
+    sha256 = "sha256-B13vZbYwniB9+ZF/XduJHvOd6FwZUpMIdbB8EPUbuS8=";
+  };
+
+  MESON_INSTALL_PREFIX = "$out";
+  nativeBuildInputs = [
+    meson
+    ninja
+    vala
+    pkgconfig
+    cairo
+    gsound
+    gtk3
+    json-glib
+    libcanberra
+    libnotify
+    wrapGAppsHook
+    glib.dev
+  ];
+  buildInputs = [
+    gtk4
+    glib
+    gsettings-desktop-schemas
+  ];
+
+  patches = [ ./0001-remove-install-script.patch ];
+
+  postInstall = ''
+    glib-compile-schemas $out/share/glib-2.0/schemas
+  '';
+
+  meta = with lib; {
+    homepage = "https://wiki.gnome.org/Apps/BreakTimer";
+    description = "Clock application designed for GNOME 3";
+    maintainers = [ maintainers.therealr5 ];
+    license = licenses.gpl2Plus;
+    platforms = platforms.unix;
+  };
+}
+