From 970ddcdacb5ab49a59d5d89cb47f62c65c826013 Mon Sep 17 00:00:00 2001
From: Rouven Seifert
Date: Wed, 6 Sep 2023 13:35:16 +0200
Subject: [PATCH] remove crowdsec and add tpm key
---
 flake.lock | 24 ++++-----
 flake.nix | 1 -
 hosts/falkenstein-1/default.nix | 1 -
 .../falkenstein-1/modules/backup/default.nix | 1 -
 .../modules/crowdsec/default.nix | 52 -------------------
 hosts/thinkpad/default.nix | 12 ++---
 keys/ssh/rouven-tpm | 1 +
 overlays/default.nix | 1 -
 ...-remove-natend-go-mod-for-nix-builds.patch | 22 --------
 pkgs/crowdsec-firewall-bouncer/default.nix | 25 ---------
 users/rouven/default.nix | 2 +-
 users/rouven/modules/packages.nix | 3 +-
 users/rouven/modules/ssh/default.nix | 1 +
 13 files changed, 23 insertions(+), 123 deletions(-)
 delete mode 100644 hosts/falkenstein-1/modules/crowdsec/default.nix
 create mode 100644 keys/ssh/rouven-tpm
 delete mode 100644 pkgs/crowdsec-firewall-bouncer/0001-remove-natend-go-mod-for-nix-builds.patch
 delete mode 100644 pkgs/crowdsec-firewall-bouncer/default.nix
diff --git a/flake.lock b/flake.lock
index da5d6fb..1f79272 100644
--- a/flake.lock
+++ b/flake.lock
@@ -236,11 +236,11 @@
 "rust-overlay": "rust-overlay"
 },
 "locked": {
- "lastModified": 1693527216,
- "narHash": "sha256-SxmuXa1bCN+4SGkNdJ/mQA4BM/7CJQS/qdDieCKRlSA=",
+ "lastModified": 1693915360,
+ "narHash": "sha256-jYvS4GTZ2xLvC5VOWshjMHEaK17qZhlIpV+291GPjdM=",
 "owner": "helix-editor",
 "repo": "helix",
- "rev": "a38ec6d6ca9e5dbbd2e313f3173f2e967ed71fc1",
+ "rev": "65c3cca3cc0d0956f4ce8d40ce9e72ba5c9c8e87",
 "type": "github"
 },
 "original": {
@@ -255,11 +255,11 @@
 ]
 },
 "locked": {
- "lastModified": 1693713564,
- "narHash": "sha256-00w2uwb4O6Y1e2W5LG5UFyl1ZN3KFG7aoRdYEvT/BqA=",
+ "lastModified": 1693895999,
+ "narHash": "sha256-yN1XVFltQxiwle833KCqWkZNfBuRLWkXyEnOD+ljoYY=",
 "owner": "nix-community",
 "repo": "home-manager",
- "rev": "8e49b883890ccb52c059abb152b00a416342ec1c",
+ "rev": "3c0e381fef63e4fbc6c3292c9e9cbcf479c01794",
 "type": "github"
 },
 "original": {
@@ -432,11 +432,11 @@
 },
 "nixpkgs-stable_2": {
 "locked": {
- "lastModified": 1693097136,
- "narHash": "sha256-fBZSMdBaoZ0INFbyZ5s0DOF7zDNcLsLxgkwdDh3l9Pc=",
+ "lastModified": 1693675694,
+ "narHash": "sha256-2pIOyQwGyy2FtFAUIb8YeKVmOCcPOTVphbAvmshudLE=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "9117c4e9dc117a6cd0319cca40f2349ed333669d",
+ "rev": "5601118d39ca9105f8e7b39d4c221d3388c0419d",
 "type": "github"
 },
 "original": {
@@ -586,11 +586,11 @@
 "nixpkgs-stable": "nixpkgs-stable_2"
 },
 "locked": {
- "lastModified": 1693404499,
- "narHash": "sha256-cx/7yvM/AP+o/3wPJmA9W9F+WHemJk5t+Xcr+Qwkqhg=",
+ "lastModified": 1693898833,
+ "narHash": "sha256-OIrMAGNYNeLs6IvBynxcXub7aSW3GEUvWNsb7zx6zuU=",
 "owner": "Mic92",
 "repo": "sops-nix",
- "rev": "d9c5dc41c4b1f74c77f0dbffd0f3a4ebde447b7a",
+ "rev": "faf21ac162173c2deb54e5fdeed002a9bd6e8623",
 "type": "github"
 },
 "original": {
diff --git a/flake.nix b/flake.nix
index ffa93f9..ad5f9fd 100644
--- a/flake.nix
+++ b/flake.nix
@@ -67,7 +67,6 @@
 adguardian-term = nixpkgs.legacyPackages.x86_64-linux.callPackage ./pkgs/adguardian-term { };
 pww = nixpkgs.legacyPackages.x86_64-linux.callPackage ./pkgs/pww { };
 gnome-break-timer = nixpkgs.legacyPackages.x86_64-linux.callPackage ./pkgs/gnome-break-timer { };
- crowdsec-firewall-bouncer = nixpkgs.legacyPackages.x86_64-linux.callPackage ./pkgs/crowdsec-firewall-bouncer { };
 };
 hydraJobs = self.packages;
 formatter.x86_64-linux = nixpkgs.legacyPackages.x86_64-linux.nixpkgs-fmt;
diff --git a/hosts/falkenstein-1/default.nix b/hosts/falkenstein-1/default.nix
index 213749c..cbc1f0d 100644
--- a/hosts/falkenstein-1/default.nix
+++ b/hosts/falkenstein-1/default.nix
@@ -6,7 +6,6 @@
 # Include the results of the hardware scan.
 ./hardware-configuration.nix
 ./modules/backup
- ./modules/crowdsec
 ./modules/mail
 ./modules/networks
 ./modules/nginx
diff --git a/hosts/falkenstein-1/modules/backup/default.nix b/hosts/falkenstein-1/modules/backup/default.nix
index 8767ad9..d7af02d 100644
--- a/hosts/falkenstein-1/modules/backup/default.nix
+++ b/hosts/falkenstein-1/modules/backup/default.nix
@@ -9,7 +9,6 @@
 source_directories = [
 "/var/lib"
 "/var/log"
- "/etc/crowdsec"
 "/root"
 ];
diff --git a/hosts/falkenstein-1/modules/crowdsec/default.nix b/hosts/falkenstein-1/modules/crowdsec/default.nix
deleted file mode 100644
index 3b1ca76..0000000
--- a/hosts/falkenstein-1/modules/crowdsec/default.nix
+++ /dev/null
@@ -1,52 +0,0 @@
-{ pkgs, lib, ... }:
-{
- environment.systemPackages = with pkgs; [
- crowdsec
- crowdsec-firewall-bouncer
- ipset
- ];
- services.postgresql = {
- enable = true;
- ensureUsers = [
- {
- name = "crowdsec";
- ensurePermissions = {
- "DATABASE crowdsec" = "ALL PRIVILEGES";
- };
- }
- ];
- ensureDatabases = [ "crowdsec" ];
-
- };
- systemd.services.crowdsec = {
- after = [ "syslog.target" "network.target" "remote-fs.target" "nss-lookup.target" ];
- description = "Crowdsec agent";
- serviceConfig = {
- Type = "notify";
- ExecStartPre = "${pkgs.crowdsec}/bin/crowdsec -t -error";
- ExecStart = "${pkgs.crowdsec}/bin/crowdsec";
- ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
- Restart = "always";
- RestartSec = 60;
- };
- wantedBy = [ "multi-user.target" ];
- };
- systemd.services.crowdsec-firewall-bouncer = {
- path = [ pkgs.ipset pkgs.iptables ];
- after = [ "syslog.target" "network.target" "remote-fs.target" "nss-lookup.target" ];
- before = [ "netfilter-persistent.service" ];
- description = "Crowdsec firewall bouncer";
- serviceConfig = {
- # Type = "notify";
- ExecStartPre = "${lib.getExe pkgs.crowdsec-firewall-bouncer} -c /etc/crowdsec/crowdsec-firewall-bouncer.yaml -t";
- ExecStart = "${lib.getExe pkgs.crowdsec-firewall-bouncer} -c /etc/crowdsec/crowdsec-firewall-bouncer.yaml";
- ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
- Restart = "always";
- RestartSec = 10;
- LimitNOFILE = 65536;
- };
- wantedBy = [ "multi-user.target" ];
- };
-
-
-}
diff --git a/hosts/thinkpad/default.nix b/hosts/thinkpad/default.nix
index 9d7fd40..a8b3c45 100755
--- a/hosts/thinkpad/default.nix
+++ b/hosts/thinkpad/default.nix
@@ -185,12 +185,12 @@
 };
 };
- # security.tpm2 = {
- # enable = true;
- # pkcs11.enable = true;
- # abrmd.enable = true;
- # tctiEnvironment.enable = true;
- # };
+ security.tpm2 = {
+ enable = true;
+ pkcs11.enable = true;
+ abrmd.enable = true;
+ tctiEnvironment.enable = true;
+ };
 hardware.opengl.extraPackages = with pkgs; [
 intel-compute-runtime
diff --git a/keys/ssh/rouven-tpm b/keys/ssh/rouven-tpm
new file mode 100644
index 0000000..93c6545
--- /dev/null
+++ b/keys/ssh/rouven-tpm
@@ -0,0 +1 @@
+ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLlITzcTVnSi8EpEW3leSuqYCDhbnJyoGCjFOtIJ0Dl5uRNm0UNXS7AbQtLLylEeI1+/qinQDEWAJ6cBDAaPfNw= rouven@thinkpad
diff --git a/overlays/default.nix b/overlays/default.nix
index 09fc50e..3073169 100644
--- a/overlays/default.nix
+++ b/overlays/default.nix
@@ -44,7 +44,6 @@ in
 # ];
 });
- crowdsec-firewall-bouncer = callPackage ../pkgs/crowdsec-firewall-bouncer { };
 gnome-break-timer = callPackage ../pkgs/gnome-break-timer { };
 jmri = callPackage ../pkgs/jmri { };
 adguardian-term = callPackage ../pkgs/adguardian-term { };
diff --git a/pkgs/crowdsec-firewall-bouncer/0001-remove-natend-go-mod-for-nix-builds.patch b/pkgs/crowdsec-firewall-bouncer/0001-remove-natend-go-mod-for-nix-builds.patch
deleted file mode 100644
index de39298..0000000
--- a/pkgs/crowdsec-firewall-bouncer/0001-remove-natend-go-mod-for-nix-builds.patch
+++ /dev/null
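Review bot: The newly live `security.tpm2` block carries no comment saying what it is for, and its two cross-file prerequisites — the `"tss"` membership added in `users/rouven/default.nix` and the `PKCS11Provider` line added in `users/rouven/modules/ssh/default.nix` — are only discoverable from the commit title. A one-line comment above `security.tpm2 = {` would tie them together: `# TPM-backed SSH key (keys/ssh/rouven-tpm) via tpm2-pkcs11; rouven must be in the "tss" group`. `tctiEnvironment.enable` exports the TCTI environment variables system-wide; I believe the tpm2-pkcs11 module honours them as well, but if it is only here for the CLI tools, say so next to it. The enclosing attribute set starts and ends outside the hunk.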
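Review bot: Nothing in this patch references `keys/ssh/rouven-tpm`, so where the key is consumed is not visible here; if an authorized-keys directory is read with something like `builtins.readDir`, confirm new files are picked up, otherwise the key is unused until a later commit wires it in. Because the private half is TPM-resident it cannot be backed up or moved, and it is lost if the TPM is cleared (owner clear, some firmware updates), so keep at least one non-TPM key authorized on every host that will trust this one and treat deleting this file as the revocation step. A more specific key comment than `rouven@thinkpad`, e.g. `rouven@thinkpad-tpm`, would make it distinguishable from a software key with the same host comment when it shows up in an authorized_keys or an auth log.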
@@ -1,22 +0,0 @@
-From be0cc576bedade783a26b58b6577ce9903784251 Mon Sep 17 00:00:00 2001
-From: Rouven Seifert
-Date: Thu, 20 Jul 2023 17:15:58 +0200
-Subject: [PATCH] remove natend go.mod for nix builds
-
----
- koneu/natend/go.mod | 3 ---
- 1 file changed, 3 deletions(-)
- delete mode 100644 koneu/natend/go.mod
-
-diff --git a/koneu/natend/go.mod b/koneu/natend/go.mod
-deleted file mode 100644
-index 92b93b4..0000000
---- a/koneu/natend/go.mod
-+++ /dev/null
-@@ -1,3 +0,0 @@
--module natend
--
--go 1.17
---
-2.41.0
-
diff --git a/pkgs/crowdsec-firewall-bouncer/default.nix b/pkgs/crowdsec-firewall-bouncer/default.nix
deleted file mode 100644
index db676e9..0000000
--- a/pkgs/crowdsec-firewall-bouncer/default.nix
+++ /dev/null
@@ -1,25 +0,0 @@
-{ lib, buildGoModule, fetchFromGitHub, playerctl }:
-buildGoModule rec {
- pname = "crowdsec-firewall-bouncer";
- version = "0.0.27";
-
- src = fetchFromGitHub {
- owner = "crowdsecurity";
- repo = "cs-firewall-bouncer";
- rev = "v${version}";
- hash = "sha256-zrYs/9hH+sGG1RMFWMeTm1yIDPElGBr7rVGeWR3ff34=";
- };
-
- patches = [ ./0001-remove-natend-go-mod-for-nix-builds.patch ];
-
- vendorSha256 = "sha256-7wIdwTv4jMpFQkl3tKeH3MWxJ/EbiFg5FtGSAvNNpos=";
-
- meta = with lib; {
- description = "Crowdsec bouncer written in golang for firewalls";
- homepage = "https://github.com/crowdsecurity/cs-firewall-bouncer";
- license = licenses.mit;
- maintainers = with maintainers; [ therealr5 ];
- mainProgram = "cs-firewall-bouncer";
- platforms = platforms.all;
- };
-}
diff --git a/users/rouven/default.nix b/users/rouven/default.nix
index 7588002..0c6bd52 100644
--- a/users/rouven/default.nix
+++ b/users/rouven/default.nix
@@ -5,7 +5,7 @@
 users.users.rouven = {
 description = "Rouven Seifert";
 isNormalUser = true;
- extraGroups = [ "wheel" "video" "libvirtd" ];
+ extraGroups = [ "wheel" "video" "libvirtd" "tss" ];
 initialHashedPassword = "$6$X3XERQv28Nt1UUT5$MjdMBDuXyEwexkuKqmNFweez69q4enY5cjMXSbBxOc6Bq7Fhhp7OqmCm02k3OGjoZFXzPV9ZHuMSGKZOtwYIk1";
 };
 home-manager.useUserPackages = true;
diff --git a/users/rouven/modules/packages.nix b/users/rouven/modules/packages.nix
index cabe51e..88792dc 100644
--- a/users/rouven/modules/packages.nix
+++ b/users/rouven/modules/packages.nix
@@ -58,6 +58,7 @@
 rustfmt
 clippy
 gcc
+ nodejs_20
 # libs
 libyubikey
@@ -78,7 +79,7 @@
 defaultApplications =
 let
 image-viewers = [ "imv.desktop" "gimp.desktop" "swappy.desktop" "org.qutebrowser.qutebrowser.desktop" "google-chrome.desktop" ];
- browsers = [ "google-chrome.desktop" "org.qutebrowser.qutebrowser.desktop" ];
+ browsers = [ "firefox.desktop" "google-chrome.desktop" "org.qutebrowser.qutebrowser.desktop" ];
 in
 {
 "application/pdf" = [ "org.gnome.Evince.desktop" ];
diff --git a/users/rouven/modules/ssh/default.nix b/users/rouven/modules/ssh/default.nix
index 18d7245..00bb292 100644
--- a/users/rouven/modules/ssh/default.nix
+++ b/users/rouven/modules/ssh/default.nix
@@ -64,6 +64,7 @@ in
 };
 };
 extraConfig = ''
+ PKCS11Provider /run/current-system/sw/lib/libtpm2_pkcs11.so
 IdentityFile ~/.ssh/id_ed25519
 '';
 };
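Review bot: `"tss"` is appended to `extraGroups` with nothing saying why, and it is the group that `security.tpm2` hands the TPM device and resource manager to, i.e. it is a broader capability than "can use my SSH key". Record the reason on the line: `extraGroups = [ "wheel" "video" "libvirtd" "tss" ]; # tss: TPM access for the tpm2-pkcs11 SSH key (security.tpm2 on thinkpad)`. This user module looks host-agnostic, so on hosts without `security.tpm2` the group will not exist; as far as I know NixOS then just drops the membership, but it is worth confirming no host evaluation warns or fails on it. Not introduced here, but the `initialHashedPassword` on the context line is a crackable hash committed in the clear; since the flake already pulls in sops-nix, moving it to a sops-managed secret would be a cheap follow-up.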
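Review bot: `nodejs_20` here and the `firefox.desktop` default in the second hunk of this file are unrelated to the commit subject (`remove crowdsec and add tpm key`) and would be easier to review and revert as a separate commit. In the second hunk `firefox.desktop` becomes the first, i.e. preferred, browser handler, yet nothing in this patch installs Firefox; if it is enabled elsewhere (e.g. `programs.firefox`) that is fine, otherwise the entry is dead and the previous default silently stays in effect. If the major-version pin `nodejs_20` rather than the unversioned `nodejs` attribute is deliberate, a trailing comment such as `nodejs_20 # pinned to 20.x: <reason>` records it; the unversioned attribute follows nixpkgs' current default and keeps receiving updates after 20 reaches end of life.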
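Review bot: `PKCS11Provider` is added to the global `extraConfig`, so every `ssh` run on every host this user module is deployed to will try to load `/run/current-system/sw/lib/libtpm2_pkcs11.so`, a path that only exists where `security.tpm2.pkcs11.enable` is set (the thinkpad in this commit); on other hosts OpenSSH should log a provider-load error on each connection and fall back to `IdentityFile`, but I have not verified that no version aborts instead. Guard the line on the host that has the TPM (e.g. `lib.optionalString` on a host flag the module can see) or move it under a `Match host` block for the hosts that should present the key. Loading the module from the root-owned system profile rather than a user-writable path is the right choice, since the provider is a shared object dlopen'ed into ssh, and a comment saying so plus the PIN behaviour helps the next reader: `# TPM-backed key via tpm2-pkcs11 (security.tpm2 on thinkpad); ssh prompts for the token PIN`. The attribute set this `extraConfig` belongs to starts outside the hunk.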