remove crowdsec and add tpm key

This commit is contained in:
Rouven Seifert 2023-09-06 13:35:16 +02:00
parent 74a4348d1d
commit 970ddcdacb
Signed by: rouven.seifert
GPG key ID: B95E8FE6B11C4D09
13 changed files with 23 additions and 123 deletions


@ -236,11 +236,11 @@
"rust-overlay": "rust-overlay"
},
"locked": {
"lastModified": 1693527216,
"narHash": "sha256-SxmuXa1bCN+4SGkNdJ/mQA4BM/7CJQS/qdDieCKRlSA=",
"lastModified": 1693915360,
"narHash": "sha256-jYvS4GTZ2xLvC5VOWshjMHEaK17qZhlIpV+291GPjdM=",
"owner": "helix-editor",
"repo": "helix",
"rev": "a38ec6d6ca9e5dbbd2e313f3173f2e967ed71fc1",
"rev": "65c3cca3cc0d0956f4ce8d40ce9e72ba5c9c8e87",
"type": "github"
},
"original": {
@ -255,11 +255,11 @@
]
},
"locked": {
"lastModified": 1693713564,
"narHash": "sha256-00w2uwb4O6Y1e2W5LG5UFyl1ZN3KFG7aoRdYEvT/BqA=",
"lastModified": 1693895999,
"narHash": "sha256-yN1XVFltQxiwle833KCqWkZNfBuRLWkXyEnOD+ljoYY=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "8e49b883890ccb52c059abb152b00a416342ec1c",
"rev": "3c0e381fef63e4fbc6c3292c9e9cbcf479c01794",
"type": "github"
},
"original": {
@ -432,11 +432,11 @@
},
"nixpkgs-stable_2": {
"locked": {
"lastModified": 1693097136,
"narHash": "sha256-fBZSMdBaoZ0INFbyZ5s0DOF7zDNcLsLxgkwdDh3l9Pc=",
"lastModified": 1693675694,
"narHash": "sha256-2pIOyQwGyy2FtFAUIb8YeKVmOCcPOTVphbAvmshudLE=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "9117c4e9dc117a6cd0319cca40f2349ed333669d",
"rev": "5601118d39ca9105f8e7b39d4c221d3388c0419d",
"type": "github"
},
"original": {
@ -586,11 +586,11 @@
"nixpkgs-stable": "nixpkgs-stable_2"
},
"locked": {
"lastModified": 1693404499,
"narHash": "sha256-cx/7yvM/AP+o/3wPJmA9W9F+WHemJk5t+Xcr+Qwkqhg=",
"lastModified": 1693898833,
"narHash": "sha256-OIrMAGNYNeLs6IvBynxcXub7aSW3GEUvWNsb7zx6zuU=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "d9c5dc41c4b1f74c77f0dbffd0f3a4ebde447b7a",
"rev": "faf21ac162173c2deb54e5fdeed002a9bd6e8623",
"type": "github"
},
"original": {


@ -67,7 +67,6 @@
adguardian-term = nixpkgs.legacyPackages.x86_64-linux.callPackage ./pkgs/adguardian-term { };
pww = nixpkgs.legacyPackages.x86_64-linux.callPackage ./pkgs/pww { };
gnome-break-timer = nixpkgs.legacyPackages.x86_64-linux.callPackage ./pkgs/gnome-break-timer { };
crowdsec-firewall-bouncer = nixpkgs.legacyPackages.x86_64-linux.callPackage ./pkgs/crowdsec-firewall-bouncer { };
};
hydraJobs = self.packages;
formatter.x86_64-linux = nixpkgs.legacyPackages.x86_64-linux.nixpkgs-fmt;


@ -6,7 +6,6 @@
# Include the results of the hardware scan.
./hardware-configuration.nix
./modules/backup
./modules/crowdsec
./modules/mail
./modules/networks
./modules/nginx


@ -9,7 +9,6 @@
source_directories = [
"/var/lib"
"/var/log"
"/etc/crowdsec"
"/root"
];


@ -1,52 +0,0 @@
{ pkgs, lib, ... }:
{
environment.systemPackages = with pkgs; [
crowdsec
crowdsec-firewall-bouncer
ipset
];
services.postgresql = {
enable = true;
ensureUsers = [
{
name = "crowdsec";
ensurePermissions = {
"DATABASE crowdsec" = "ALL PRIVILEGES";
};
}
];
ensureDatabases = [ "crowdsec" ];
};
systemd.services.crowdsec = {
after = [ "syslog.target" "network.target" "remote-fs.target" "nss-lookup.target" ];
description = "Crowdsec agent";
serviceConfig = {
Type = "notify";
ExecStartPre = "${pkgs.crowdsec}/bin/crowdsec -t -error";
ExecStart = "${pkgs.crowdsec}/bin/crowdsec";
ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
Restart = "always";
RestartSec = 60;
};
wantedBy = [ "multi-user.target" ];
};
systemd.services.crowdsec-firewall-bouncer = {
path = [ pkgs.ipset pkgs.iptables ];
after = [ "syslog.target" "network.target" "remote-fs.target" "nss-lookup.target" ];
before = [ "netfilter-persistent.service" ];
description = "Crowdsec firewall bouncer";
serviceConfig = {
# Type = "notify";
ExecStartPre = "${lib.getExe pkgs.crowdsec-firewall-bouncer} -c /etc/crowdsec/crowdsec-firewall-bouncer.yaml -t";
ExecStart = "${lib.getExe pkgs.crowdsec-firewall-bouncer} -c /etc/crowdsec/crowdsec-firewall-bouncer.yaml";
ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
Restart = "always";
RestartSec = 10;
LimitNOFILE = 65536;
};
wantedBy = [ "multi-user.target" ];
};
}


@ -185,12 +185,12 @@
};
};
# security.tpm2 = {
# enable = true;
# pkcs11.enable = true;
# abrmd.enable = true;
# tctiEnvironment.enable = true;
# };
security.tpm2 = {
enable = true;
pkcs11.enable = true;
abrmd.enable = true;
tctiEnvironment.enable = true;
};
hardware.opengl.extraPackages = with pkgs; [
intel-compute-runtime
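Review bot: The newly enabled `security.tpm2` block carries no comment tying it to the TPM-backed SSH key this commit adds, so a later reader cannot tell why `pkcs11`, `abrmd` and `tctiEnvironment` are switched on together. I would put `# TPM2 PKCS#11 token backing the SSH key in keys/ssh/rouven-tpm; the user must be in the "tss" group` above `security.tpm2 = {`. If I recall the NixOS module correctly, `tctiEnvironment` points at the raw device interface by default, so with `abrmd.enable = true` you probably also want `tctiEnvironment.interface = "tabrmd";` — confirm against the option docs, otherwise the broker runs but the exported TCTI bypasses it. The enclosing attribute set starts and ends outside the hunk.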

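--- /dev/null
+++ b/keys/ssh/rouven-tpm
@@ -0,0 +1 @@
+ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLlITzcTVnSi8EpEW3leSuqYCDhbnJyoGCjFOtIJ0Dl5uRNm0UNXS7AbQtLLylEeI1+/qinQDEWAJ6cBDAaPfNw= rouven@thinkpad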
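Review bot: The key's comment field is `rouven@thinkpad`, which does not distinguish this TPM-resident key from the existing software key (`~/.ssh/id_ed25519`, per the ssh config change in this commit) once both end up in the same authorized_keys; a comment like `rouven-tpm@thinkpad` makes a later targeted revocation unambiguous. Nothing else in the diff references this file, so whether it is wired into an `authorizedKeys.keyFiles` list is not visible here — if it is meant to authorize logins, that wiring appears to be missing from the commit.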


@ -44,7 +44,6 @@ in
# ];
});
crowdsec-firewall-bouncer = callPackage ../pkgs/crowdsec-firewall-bouncer { };
gnome-break-timer = callPackage ../pkgs/gnome-break-timer { };
jmri = callPackage ../pkgs/jmri { };
adguardian-term = callPackage ../pkgs/adguardian-term { };


@ -1,22 +0,0 @@
From be0cc576bedade783a26b58b6577ce9903784251 Mon Sep 17 00:00:00 2001
From: Rouven Seifert <rouven@rfive.de>
Date: Thu, 20 Jul 2023 17:15:58 +0200
Subject: [PATCH] remove natend go.mod for nix builds
---
koneu/natend/go.mod | 3 ---
1 file changed, 3 deletions(-)
delete mode 100644 koneu/natend/go.mod
diff --git a/koneu/natend/go.mod b/koneu/natend/go.mod
deleted file mode 100644
index 92b93b4..0000000
--- a/koneu/natend/go.mod
+++ /dev/null
@@ -1,3 +0,0 @@
-module natend
-
-go 1.17
--
2.41.0


@ -1,25 +0,0 @@
{ lib, buildGoModule, fetchFromGitHub, playerctl }:
buildGoModule rec {
pname = "crowdsec-firewall-bouncer";
version = "0.0.27";
src = fetchFromGitHub {
owner = "crowdsecurity";
repo = "cs-firewall-bouncer";
rev = "v${version}";
hash = "sha256-zrYs/9hH+sGG1RMFWMeTm1yIDPElGBr7rVGeWR3ff34=";
};
patches = [ ./0001-remove-natend-go-mod-for-nix-builds.patch ];
vendorSha256 = "sha256-7wIdwTv4jMpFQkl3tKeH3MWxJ/EbiFg5FtGSAvNNpos=";
meta = with lib; {
description = "Crowdsec bouncer written in golang for firewalls";
homepage = "https://github.com/crowdsecurity/cs-firewall-bouncer";
license = licenses.mit;
maintainers = with maintainers; [ therealr5 ];
mainProgram = "cs-firewall-bouncer";
platforms = platforms.all;
};
}


@ -5,7 +5,7 @@
users.users.rouven = {
description = "Rouven Seifert";
isNormalUser = true;
extraGroups = [ "wheel" "video" "libvirtd" ];
extraGroups = [ "wheel" "video" "libvirtd" "tss" ];
initialHashedPassword = "$6$X3XERQv28Nt1UUT5$MjdMBDuXyEwexkuKqmNFweez69q4enY5cjMXSbBxOc6Bq7Fhhp7OqmCm02k3OGjoZFXzPV9ZHuMSGKZOtwYIk1";
};
home-manager.useUserPackages = true;
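Review bot: The `"tss"` group added to `extraGroups` has no comment saying what it grants; with `security.tpm2.enable` on NixOS the TPM device nodes are, as far as I recall, owned by that group, so this is what lets the user's session open the TPM for the PKCS#11 token. Suggest `extraGroups = [ "wheel" "video" "libvirtd" "tss" ]; # tss: TPM access for the tpm2-pkcs11 SSH key`. Membership makes the TPM reachable by every process running as this user, not only ssh, which is the trade-off worth recording next to the line. The `users.users.rouven` set continues outside the hunk.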


@ -58,6 +58,7 @@
rustfmt
clippy
gcc
nodejs_20
# libs
libyubikey
@ -78,7 +79,7 @@
defaultApplications =
let
image-viewers = [ "imv.desktop" "gimp.desktop" "swappy.desktop" "org.qutebrowser.qutebrowser.desktop" "google-chrome.desktop" ];
browsers = [ "google-chrome.desktop" "org.qutebrowser.qutebrowser.desktop" ];
browsers = [ "firefox.desktop" "google-chrome.desktop" "org.qutebrowser.qutebrowser.desktop" ];
in
{
"application/pdf" = [ "org.gnome.Evince.desktop" ];


@ -64,6 +64,7 @@ in
};
};
extraConfig = ''
PKCS11Provider /run/current-system/sw/lib/libtpm2_pkcs11.so
IdentityFile ~/.ssh/id_ed25519
'';
};
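Review bot: `PKCS11Provider` sits in the global `extraConfig`, so every ssh invocation will try to load `libtpm2_pkcs11.so` and enumerate the token — on a host without `security.tpm2.pkcs11` that warns on each connection, and on this host it loads the token (and may prompt for its PIN) even for destinations that never use the TPM key; scoping the line to a `Host`/`Match` block for the destinations where `keys/ssh/rouven-tpm` is authorized avoids both. The absolute `/run/current-system/sw/lib/...` path also couples this user-level config to the host's system packages; a comment such as `# TPM-resident key via tpm2-pkcs11 — needs security.tpm2.pkcs11.enable and the "tss" group on the host` would record that dependency. The enclosing attribute set starts outside the hunk.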