remove crowdsec and add tpm key
This commit is contained in:
parent
74a4348d1d
commit
970ddcdacb
24
flake.lock
24
flake.lock
|
@ -236,11 +236,11 @@
|
|||
"rust-overlay": "rust-overlay"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1693527216,
|
||||
"narHash": "sha256-SxmuXa1bCN+4SGkNdJ/mQA4BM/7CJQS/qdDieCKRlSA=",
|
||||
"lastModified": 1693915360,
|
||||
"narHash": "sha256-jYvS4GTZ2xLvC5VOWshjMHEaK17qZhlIpV+291GPjdM=",
|
||||
"owner": "helix-editor",
|
||||
"repo": "helix",
|
||||
"rev": "a38ec6d6ca9e5dbbd2e313f3173f2e967ed71fc1",
|
||||
"rev": "65c3cca3cc0d0956f4ce8d40ce9e72ba5c9c8e87",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -255,11 +255,11 @@
|
|||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1693713564,
|
||||
"narHash": "sha256-00w2uwb4O6Y1e2W5LG5UFyl1ZN3KFG7aoRdYEvT/BqA=",
|
||||
"lastModified": 1693895999,
|
||||
"narHash": "sha256-yN1XVFltQxiwle833KCqWkZNfBuRLWkXyEnOD+ljoYY=",
|
||||
"owner": "nix-community",
|
||||
"repo": "home-manager",
|
||||
"rev": "8e49b883890ccb52c059abb152b00a416342ec1c",
|
||||
"rev": "3c0e381fef63e4fbc6c3292c9e9cbcf479c01794",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -432,11 +432,11 @@
|
|||
},
|
||||
"nixpkgs-stable_2": {
|
||||
"locked": {
|
||||
"lastModified": 1693097136,
|
||||
"narHash": "sha256-fBZSMdBaoZ0INFbyZ5s0DOF7zDNcLsLxgkwdDh3l9Pc=",
|
||||
"lastModified": 1693675694,
|
||||
"narHash": "sha256-2pIOyQwGyy2FtFAUIb8YeKVmOCcPOTVphbAvmshudLE=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "9117c4e9dc117a6cd0319cca40f2349ed333669d",
|
||||
"rev": "5601118d39ca9105f8e7b39d4c221d3388c0419d",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -586,11 +586,11 @@
|
|||
"nixpkgs-stable": "nixpkgs-stable_2"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1693404499,
|
||||
"narHash": "sha256-cx/7yvM/AP+o/3wPJmA9W9F+WHemJk5t+Xcr+Qwkqhg=",
|
||||
"lastModified": 1693898833,
|
||||
"narHash": "sha256-OIrMAGNYNeLs6IvBynxcXub7aSW3GEUvWNsb7zx6zuU=",
|
||||
"owner": "Mic92",
|
||||
"repo": "sops-nix",
|
||||
"rev": "d9c5dc41c4b1f74c77f0dbffd0f3a4ebde447b7a",
|
||||
"rev": "faf21ac162173c2deb54e5fdeed002a9bd6e8623",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
|
|
@ -67,7 +67,6 @@
|
|||
adguardian-term = nixpkgs.legacyPackages.x86_64-linux.callPackage ./pkgs/adguardian-term { };
|
||||
pww = nixpkgs.legacyPackages.x86_64-linux.callPackage ./pkgs/pww { };
|
||||
gnome-break-timer = nixpkgs.legacyPackages.x86_64-linux.callPackage ./pkgs/gnome-break-timer { };
|
||||
crowdsec-firewall-bouncer = nixpkgs.legacyPackages.x86_64-linux.callPackage ./pkgs/crowdsec-firewall-bouncer { };
|
||||
};
|
||||
hydraJobs = self.packages;
|
||||
formatter.x86_64-linux = nixpkgs.legacyPackages.x86_64-linux.nixpkgs-fmt;
|
||||
|
|
|
@ -6,7 +6,6 @@
|
|||
# Include the results of the hardware scan.
|
||||
./hardware-configuration.nix
|
||||
./modules/backup
|
||||
./modules/crowdsec
|
||||
./modules/mail
|
||||
./modules/networks
|
||||
./modules/nginx
|
||||
|
|
|
@ -9,7 +9,6 @@
|
|||
source_directories = [
|
||||
"/var/lib"
|
||||
"/var/log"
|
||||
"/etc/crowdsec"
|
||||
"/root"
|
||||
];
|
||||
|
||||
|
|
|
@ -1,52 +0,0 @@
|
|||
{ pkgs, lib, ... }:
|
||||
{
|
||||
environment.systemPackages = with pkgs; [
|
||||
crowdsec
|
||||
crowdsec-firewall-bouncer
|
||||
ipset
|
||||
];
|
||||
services.postgresql = {
|
||||
enable = true;
|
||||
ensureUsers = [
|
||||
{
|
||||
name = "crowdsec";
|
||||
ensurePermissions = {
|
||||
"DATABASE crowdsec" = "ALL PRIVILEGES";
|
||||
};
|
||||
}
|
||||
];
|
||||
ensureDatabases = [ "crowdsec" ];
|
||||
|
||||
};
|
||||
systemd.services.crowdsec = {
|
||||
after = [ "syslog.target" "network.target" "remote-fs.target" "nss-lookup.target" ];
|
||||
description = "Crowdsec agent";
|
||||
serviceConfig = {
|
||||
Type = "notify";
|
||||
ExecStartPre = "${pkgs.crowdsec}/bin/crowdsec -t -error";
|
||||
ExecStart = "${pkgs.crowdsec}/bin/crowdsec";
|
||||
ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
|
||||
Restart = "always";
|
||||
RestartSec = 60;
|
||||
};
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
};
|
||||
systemd.services.crowdsec-firewall-bouncer = {
|
||||
path = [ pkgs.ipset pkgs.iptables ];
|
||||
after = [ "syslog.target" "network.target" "remote-fs.target" "nss-lookup.target" ];
|
||||
before = [ "netfilter-persistent.service" ];
|
||||
description = "Crowdsec firewall bouncer";
|
||||
serviceConfig = {
|
||||
# Type = "notify";
|
||||
ExecStartPre = "${lib.getExe pkgs.crowdsec-firewall-bouncer} -c /etc/crowdsec/crowdsec-firewall-bouncer.yaml -t";
|
||||
ExecStart = "${lib.getExe pkgs.crowdsec-firewall-bouncer} -c /etc/crowdsec/crowdsec-firewall-bouncer.yaml";
|
||||
ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
|
||||
Restart = "always";
|
||||
RestartSec = 10;
|
||||
LimitNOFILE = 65536;
|
||||
};
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
};
|
||||
|
||||
|
||||
}
|
|
@ -185,12 +185,12 @@
|
|||
};
|
||||
};
|
||||
|
||||
# security.tpm2 = {
|
||||
# enable = true;
|
||||
# pkcs11.enable = true;
|
||||
# abrmd.enable = true;
|
||||
# tctiEnvironment.enable = true;
|
||||
# };
|
||||
security.tpm2 = {
|
||||
enable = true;
|
||||
pkcs11.enable = true;
|
||||
abrmd.enable = true;
|
||||
tctiEnvironment.enable = true;
|
||||
};
|
||||
|
||||
hardware.opengl.extraPackages = with pkgs; [
|
||||
intel-compute-runtime
|
||||
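Review bot: `abrmd.enable = true` is switched on together with `tctiEnvironment.enable = true` but the TCTI interface is left at the NixOS module's default, which as far as I can tell is the `device` TCTI (the kernel resource manager on `/dev/tpmrm0`), so the broker daemon is started while the tpm2 tools and the PKCS#11 module talk to the kernel directly and never use it. Either set `security.tpm2.tctiEnvironment.interface = "tabrmd";` so abrmd actually mediates access, or drop `abrmd.enable` and rely on the in-kernel resource manager alone. Whichever is chosen, a comment on the block such as `# TPM2 PKCS#11 token backing the rouven-tpm SSH key; user gets device access via the tss group` would record why this stack exists and why the user is added to `tss` in the users hunk. The enclosing attribute set starts and ends outside the hunk.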
|
|
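--- a/keys/ssh/rouven-tpm
+++ b/keys/ssh/rouven-tpm
@@ -0,0 +1 @@
+ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLlITzcTVnSi8EpEW3leSuqYCDhbnJyoGCjFOtIJ0Dl5uRNm0UNXS7AbQtLLylEeI1+/qinQDEWAJ6cBDAaPfNw= rouven@thinkpad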
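Review bot: The new public key carries the comment `rouven@thinkpad`, which does not distinguish it from the software `id_ed25519` key the ssh config in this same commit still lists, so whoever later audits an authorized_keys file cannot tell which entry is the TPM-resident one. The comment field is not part of the key material, so it can be changed freely; something like `rouven@thinkpad-tpm2-pkcs11` would make the origin self-describing. This commit only adds the file; where it is consumed (an `openssh.authorizedKeys` option, a sops secret or similar) is not visible on this page, so that wiring is presumably elsewhere or still to come.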
|
@ -44,7 +44,6 @@ in
|
|||
# ];
|
||||
|
||||
});
|
||||
crowdsec-firewall-bouncer = callPackage ../pkgs/crowdsec-firewall-bouncer { };
|
||||
gnome-break-timer = callPackage ../pkgs/gnome-break-timer { };
|
||||
jmri = callPackage ../pkgs/jmri { };
|
||||
adguardian-term = callPackage ../pkgs/adguardian-term { };
|
||||
|
|
|
@ -1,22 +0,0 @@
|
|||
From be0cc576bedade783a26b58b6577ce9903784251 Mon Sep 17 00:00:00 2001
|
||||
From: Rouven Seifert <rouven@rfive.de>
|
||||
Date: Thu, 20 Jul 2023 17:15:58 +0200
|
||||
Subject: [PATCH] remove natend go.mod for nix builds
|
||||
|
||||
---
|
||||
koneu/natend/go.mod | 3 ---
|
||||
1 file changed, 3 deletions(-)
|
||||
delete mode 100644 koneu/natend/go.mod
|
||||
|
||||
diff --git a/koneu/natend/go.mod b/koneu/natend/go.mod
|
||||
deleted file mode 100644
|
||||
index 92b93b4..0000000
|
||||
--- a/koneu/natend/go.mod
|
||||
+++ /dev/null
|
||||
@@ -1,3 +0,0 @@
|
||||
-module natend
|
||||
-
|
||||
-go 1.17
|
||||
--
|
||||
2.41.0
|
||||
|
|
@ -1,25 +0,0 @@
|
|||
{ lib, buildGoModule, fetchFromGitHub, playerctl }:
|
||||
buildGoModule rec {
|
||||
pname = "crowdsec-firewall-bouncer";
|
||||
version = "0.0.27";
|
||||
|
||||
src = fetchFromGitHub {
|
||||
owner = "crowdsecurity";
|
||||
repo = "cs-firewall-bouncer";
|
||||
rev = "v${version}";
|
||||
hash = "sha256-zrYs/9hH+sGG1RMFWMeTm1yIDPElGBr7rVGeWR3ff34=";
|
||||
};
|
||||
|
||||
patches = [ ./0001-remove-natend-go-mod-for-nix-builds.patch ];
|
||||
|
||||
vendorSha256 = "sha256-7wIdwTv4jMpFQkl3tKeH3MWxJ/EbiFg5FtGSAvNNpos=";
|
||||
|
||||
meta = with lib; {
|
||||
description = "Crowdsec bouncer written in golang for firewalls";
|
||||
homepage = "https://github.com/crowdsecurity/cs-firewall-bouncer";
|
||||
license = licenses.mit;
|
||||
maintainers = with maintainers; [ therealr5 ];
|
||||
mainProgram = "cs-firewall-bouncer";
|
||||
platforms = platforms.all;
|
||||
};
|
||||
}
|
|
@ -5,7 +5,7 @@
|
|||
users.users.rouven = {
|
||||
description = "Rouven Seifert";
|
||||
isNormalUser = true;
|
||||
extraGroups = [ "wheel" "video" "libvirtd" ];
|
||||
extraGroups = [ "wheel" "video" "libvirtd" "tss" ];
|
||||
initialHashedPassword = "$6$X3XERQv28Nt1UUT5$MjdMBDuXyEwexkuKqmNFweez69q4enY5cjMXSbBxOc6Bq7Fhhp7OqmCm02k3OGjoZFXzPV9ZHuMSGKZOtwYIk1";
|
||||
};
|
||||
home-manager.useUserPackages = true;
|
||||
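Review bot: Adding `tss` to `extraGroups` is what gives the interactive user access to the TPM resource-manager device node (presumably via the udev rule the NixOS tpm2 module installs), and the bare group name tells the next reader nothing about that; a comment such as `# tss: access to /dev/tpmrm0 for the TPM2 PKCS#11 SSH key` above the line would tie it to the `security.tpm2` block enabled in the same commit. It is also worth stating in that comment that group membership means any process running as this user, not only ssh, can open the TPM directly, which is an acceptable trade-off on a single-user machine but is a deliberate widening of trust. The `users.users.rouven` set continues outside the hunk.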
|
|
|
@ -58,6 +58,7 @@
|
|||
rustfmt
|
||||
clippy
|
||||
gcc
|
||||
nodejs_20
|
||||
|
||||
# libs
|
||||
libyubikey
|
||||
|
@ -78,7 +79,7 @@
|
|||
defaultApplications =
|
||||
let
|
||||
image-viewers = [ "imv.desktop" "gimp.desktop" "swappy.desktop" "org.qutebrowser.qutebrowser.desktop" "google-chrome.desktop" ];
|
||||
browsers = [ "google-chrome.desktop" "org.qutebrowser.qutebrowser.desktop" ];
|
||||
browsers = [ "firefox.desktop" "google-chrome.desktop" "org.qutebrowser.qutebrowser.desktop" ];
|
||||
in
|
||||
{
|
||||
"application/pdf" = [ "org.gnome.Evince.desktop" ];
|
||||
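Review bot: Both hunks in this file, `nodejs_20` added to the package list and `firefox.desktop` promoted to the first (and therefore default) entry in `browsers`, are unrelated to the commit's stated scope of removing crowdsec and adding the TPM key, and splitting them into their own commit would keep the history reviewable. The browsers hunk also makes Firefox the default handler without Firefox being installed anywhere in this diff, so if it is not already in the package set the desktop entry will not resolve at runtime. The `defaultApplications` let-block starts and ends outside the hunk.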
|
|
|
@ -64,6 +64,7 @@ in
|
|||
};
|
||||
};
|
||||
extraConfig = ''
|
||||
PKCS11Provider /run/current-system/sw/lib/libtpm2_pkcs11.so
|
||||
IdentityFile ~/.ssh/id_ed25519
|
||||
'';
|
||||
};
|
||||
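Review bot: `PKCS11Provider /run/current-system/sw/lib/libtpm2_pkcs11.so` is placed in `extraConfig`, which in this module lands in the global part of ssh_config and so applies to every host: each connection will load the TPM provider and may prompt for the token PIN even for hosts that only accept the `id_ed25519` key listed on the next line. Scoping it with a `Host`/`Match` block, or a home-manager `matchBlocks` entry, for the hosts that actually accept the TPM key avoids that. The library path also depends on `security.tpm2.pkcs11.enable` being set in the system configuration; a comment such as `# provided by security.tpm2.pkcs11.enable in the NixOS config` would make the cross-file coupling explicit. The enclosing `programs.ssh` block starts outside the hunk.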
|
|