remove crowdsec and add tpm key

This commit is contained in:
Rouven Seifert 2023-09-06 13:35:16 +02:00
parent 74a4348d1d
commit 970ddcdacb
Signed by: rouven.seifert
GPG key ID: B95E8FE6B11C4D09
13 changed files with 23 additions and 123 deletions


@ -236,11 +236,11 @@
"rust-overlay": "rust-overlay" "rust-overlay": "rust-overlay"
}, },
"locked": { "locked": {
"lastModified": 1693527216, "lastModified": 1693915360,
"narHash": "sha256-SxmuXa1bCN+4SGkNdJ/mQA4BM/7CJQS/qdDieCKRlSA=", "narHash": "sha256-jYvS4GTZ2xLvC5VOWshjMHEaK17qZhlIpV+291GPjdM=",
"owner": "helix-editor", "owner": "helix-editor",
"repo": "helix", "repo": "helix",
"rev": "a38ec6d6ca9e5dbbd2e313f3173f2e967ed71fc1", "rev": "65c3cca3cc0d0956f4ce8d40ce9e72ba5c9c8e87",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -255,11 +255,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1693713564, "lastModified": 1693895999,
"narHash": "sha256-00w2uwb4O6Y1e2W5LG5UFyl1ZN3KFG7aoRdYEvT/BqA=", "narHash": "sha256-yN1XVFltQxiwle833KCqWkZNfBuRLWkXyEnOD+ljoYY=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "8e49b883890ccb52c059abb152b00a416342ec1c", "rev": "3c0e381fef63e4fbc6c3292c9e9cbcf479c01794",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -432,11 +432,11 @@
}, },
"nixpkgs-stable_2": { "nixpkgs-stable_2": {
"locked": { "locked": {
"lastModified": 1693097136, "lastModified": 1693675694,
"narHash": "sha256-fBZSMdBaoZ0INFbyZ5s0DOF7zDNcLsLxgkwdDh3l9Pc=", "narHash": "sha256-2pIOyQwGyy2FtFAUIb8YeKVmOCcPOTVphbAvmshudLE=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "9117c4e9dc117a6cd0319cca40f2349ed333669d", "rev": "5601118d39ca9105f8e7b39d4c221d3388c0419d",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -586,11 +586,11 @@
"nixpkgs-stable": "nixpkgs-stable_2" "nixpkgs-stable": "nixpkgs-stable_2"
}, },
"locked": { "locked": {
"lastModified": 1693404499, "lastModified": 1693898833,
"narHash": "sha256-cx/7yvM/AP+o/3wPJmA9W9F+WHemJk5t+Xcr+Qwkqhg=", "narHash": "sha256-OIrMAGNYNeLs6IvBynxcXub7aSW3GEUvWNsb7zx6zuU=",
"owner": "Mic92", "owner": "Mic92",
"repo": "sops-nix", "repo": "sops-nix",
"rev": "d9c5dc41c4b1f74c77f0dbffd0f3a4ebde447b7a", "rev": "faf21ac162173c2deb54e5fdeed002a9bd6e8623",
"type": "github" "type": "github"
}, },
"original": { "original": {


@ -67,7 +67,6 @@
adguardian-term = nixpkgs.legacyPackages.x86_64-linux.callPackage ./pkgs/adguardian-term { }; adguardian-term = nixpkgs.legacyPackages.x86_64-linux.callPackage ./pkgs/adguardian-term { };
pww = nixpkgs.legacyPackages.x86_64-linux.callPackage ./pkgs/pww { }; pww = nixpkgs.legacyPackages.x86_64-linux.callPackage ./pkgs/pww { };
gnome-break-timer = nixpkgs.legacyPackages.x86_64-linux.callPackage ./pkgs/gnome-break-timer { }; gnome-break-timer = nixpkgs.legacyPackages.x86_64-linux.callPackage ./pkgs/gnome-break-timer { };
crowdsec-firewall-bouncer = nixpkgs.legacyPackages.x86_64-linux.callPackage ./pkgs/crowdsec-firewall-bouncer { };
}; };
hydraJobs = self.packages; hydraJobs = self.packages;
formatter.x86_64-linux = nixpkgs.legacyPackages.x86_64-linux.nixpkgs-fmt; formatter.x86_64-linux = nixpkgs.legacyPackages.x86_64-linux.nixpkgs-fmt;


@ -6,7 +6,6 @@
# Include the results of the hardware scan. # Include the results of the hardware scan.
./hardware-configuration.nix ./hardware-configuration.nix
./modules/backup ./modules/backup
./modules/crowdsec
./modules/mail ./modules/mail
./modules/networks ./modules/networks
./modules/nginx ./modules/nginx


@ -9,7 +9,6 @@
source_directories = [ source_directories = [
"/var/lib" "/var/lib"
"/var/log" "/var/log"
"/etc/crowdsec"
"/root" "/root"
]; ];


@ -1,52 +0,0 @@
{ pkgs, lib, ... }:
{
environment.systemPackages = with pkgs; [
crowdsec
crowdsec-firewall-bouncer
ipset
];
services.postgresql = {
enable = true;
ensureUsers = [
{
name = "crowdsec";
ensurePermissions = {
"DATABASE crowdsec" = "ALL PRIVILEGES";
};
}
];
ensureDatabases = [ "crowdsec" ];
};
systemd.services.crowdsec = {
after = [ "syslog.target" "network.target" "remote-fs.target" "nss-lookup.target" ];
description = "Crowdsec agent";
serviceConfig = {
Type = "notify";
ExecStartPre = "${pkgs.crowdsec}/bin/crowdsec -t -error";
ExecStart = "${pkgs.crowdsec}/bin/crowdsec";
ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
Restart = "always";
RestartSec = 60;
};
wantedBy = [ "multi-user.target" ];
};
systemd.services.crowdsec-firewall-bouncer = {
path = [ pkgs.ipset pkgs.iptables ];
after = [ "syslog.target" "network.target" "remote-fs.target" "nss-lookup.target" ];
before = [ "netfilter-persistent.service" ];
description = "Crowdsec firewall bouncer";
serviceConfig = {
# Type = "notify";
ExecStartPre = "${lib.getExe pkgs.crowdsec-firewall-bouncer} -c /etc/crowdsec/crowdsec-firewall-bouncer.yaml -t";
ExecStart = "${lib.getExe pkgs.crowdsec-firewall-bouncer} -c /etc/crowdsec/crowdsec-firewall-bouncer.yaml";
ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
Restart = "always";
RestartSec = 10;
LimitNOFILE = 65536;
};
wantedBy = [ "multi-user.target" ];
};
}


@ -185,12 +185,12 @@
}; };
}; };
# security.tpm2 = { security.tpm2 = {
# enable = true; enable = true;
# pkcs11.enable = true; pkcs11.enable = true;
# abrmd.enable = true; abrmd.enable = true;
# tctiEnvironment.enable = true; tctiEnvironment.enable = true;
# }; };
hardware.opengl.extraPackages = with pkgs; [ hardware.opengl.extraPackages = with pkgs; [
intel-compute-runtime intel-compute-runtime
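Review bot: `security.tpm2.abrmd.enable = true` starts the resource-manager daemon, but nothing in the hunk sets `security.tpm2.tctiEnvironment.interface`, which as far as I recall defaults to `device` in the NixOS module, so the exported TPM2TOOLS_TCTI/TPM2_PKCS11_TCTI variables would point clients straight at /dev/tpmrm0 and abrmd would sit idle. If the broker is wanted (it is what lets unprivileged sessions share the TPM without device-node group access), add `tctiEnvironment.interface = "tabrmd";` next to `abrmd.enable`; otherwise drop `abrmd.enable` rather than run a daemon nothing talks to. A one-line comment such as `# TPM-resident SSH key via tpm2-pkcs11 (see home-manager ssh config)` above the block would also tell the next reader why PKCS#11 support is enabled here.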

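--- a/keys/ssh/rouven-tpm
+++ b/keys/ssh/rouven-tpm
@@ -0,0 +1 @@
+ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLlITzcTVnSi8EpEW3leSuqYCDhbnJyoGCjFOtIJ0Dl5uRNm0UNXS7AbQtLLylEeI1+/qinQDEWAJ6cBDAaPfNw= rouven@thinkpad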
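Review bot: The new public key is not consumed by any other hunk in this commit — no `authorizedKeys`/`authorized_keys` entry references `keys/ssh/rouven-tpm` — so unless a later or out-of-tree change wires it in, the "add tpm key" half of the title only stages the file. Committing the public half is fine since the private key presumably never leaves the TPM, but it is a P-256 ECDSA key rather than the Ed25519 identity used in the ssh config, which is a TPM limitation worth recording in the key's trailing comment, e.g. `rouven@thinkpad (tpm2-pkcs11, P-256)`, so nobody later "upgrades" it to ed25519 and breaks the provider.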


@ -44,7 +44,6 @@ in
# ]; # ];
}); });
crowdsec-firewall-bouncer = callPackage ../pkgs/crowdsec-firewall-bouncer { };
gnome-break-timer = callPackage ../pkgs/gnome-break-timer { }; gnome-break-timer = callPackage ../pkgs/gnome-break-timer { };
jmri = callPackage ../pkgs/jmri { }; jmri = callPackage ../pkgs/jmri { };
adguardian-term = callPackage ../pkgs/adguardian-term { }; adguardian-term = callPackage ../pkgs/adguardian-term { };


@ -1,22 +0,0 @@
From be0cc576bedade783a26b58b6577ce9903784251 Mon Sep 17 00:00:00 2001
From: Rouven Seifert <rouven@rfive.de>
Date: Thu, 20 Jul 2023 17:15:58 +0200
Subject: [PATCH] remove natend go.mod for nix builds
---
koneu/natend/go.mod | 3 ---
1 file changed, 3 deletions(-)
delete mode 100644 koneu/natend/go.mod
diff --git a/koneu/natend/go.mod b/koneu/natend/go.mod
deleted file mode 100644
index 92b93b4..0000000
--- a/koneu/natend/go.mod
+++ /dev/null
@@ -1,3 +0,0 @@
-module natend
-
-go 1.17
--
2.41.0


@ -1,25 +0,0 @@
{ lib, buildGoModule, fetchFromGitHub, playerctl }:
buildGoModule rec {
pname = "crowdsec-firewall-bouncer";
version = "0.0.27";
src = fetchFromGitHub {
owner = "crowdsecurity";
repo = "cs-firewall-bouncer";
rev = "v${version}";
hash = "sha256-zrYs/9hH+sGG1RMFWMeTm1yIDPElGBr7rVGeWR3ff34=";
};
patches = [ ./0001-remove-natend-go-mod-for-nix-builds.patch ];
vendorSha256 = "sha256-7wIdwTv4jMpFQkl3tKeH3MWxJ/EbiFg5FtGSAvNNpos=";
meta = with lib; {
description = "Crowdsec bouncer written in golang for firewalls";
homepage = "https://github.com/crowdsecurity/cs-firewall-bouncer";
license = licenses.mit;
maintainers = with maintainers; [ therealr5 ];
mainProgram = "cs-firewall-bouncer";
platforms = platforms.all;
};
}


@ -5,7 +5,7 @@
users.users.rouven = { users.users.rouven = {
description = "Rouven Seifert"; description = "Rouven Seifert";
isNormalUser = true; isNormalUser = true;
extraGroups = [ "wheel" "video" "libvirtd" ]; extraGroups = [ "wheel" "video" "libvirtd" "tss" ];
initialHashedPassword = "$6$X3XERQv28Nt1UUT5$MjdMBDuXyEwexkuKqmNFweez69q4enY5cjMXSbBxOc6Bq7Fhhp7OqmCm02k3OGjoZFXzPV9ZHuMSGKZOtwYIk1"; initialHashedPassword = "$6$X3XERQv28Nt1UUT5$MjdMBDuXyEwexkuKqmNFweez69q4enY5cjMXSbBxOc6Bq7Fhhp7OqmCm02k3OGjoZFXzPV9ZHuMSGKZOtwYIk1";
}; };
home-manager.useUserPackages = true; home-manager.useUserPackages = true;
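Review bot: Adding `rouven` to `tss` grants direct access to the TPM device nodes the NixOS tpm2 module assigns to that group (/dev/tpm0 and /dev/tpmrm0 via its udev rule, as far as I recall), which bypasses the resource manager enabled in the same commit; if clients go through abrmd over D-Bus this membership is unnecessary, and if they use the device TCTI it is required, so the two choices belong together and the intent should be written down, e.g. `"tss" # direct /dev/tpmrm0 access for tpm2-pkcs11`. Separately, and visible only in the context lines, `initialHashedPassword` publishes a sha512-crypt hash in the repository, which allows offline guessing if the underlying password is weak; it only seeds the account on first creation, so it is worth confirming the password has since been rotated on the live system.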


@ -58,6 +58,7 @@
rustfmt rustfmt
clippy clippy
gcc gcc
nodejs_20
# libs # libs
libyubikey libyubikey
@ -78,7 +79,7 @@
defaultApplications = defaultApplications =
let let
image-viewers = [ "imv.desktop" "gimp.desktop" "swappy.desktop" "org.qutebrowser.qutebrowser.desktop" "google-chrome.desktop" ]; image-viewers = [ "imv.desktop" "gimp.desktop" "swappy.desktop" "org.qutebrowser.qutebrowser.desktop" "google-chrome.desktop" ];
browsers = [ "google-chrome.desktop" "org.qutebrowser.qutebrowser.desktop" ]; browsers = [ "firefox.desktop" "google-chrome.desktop" "org.qutebrowser.qutebrowser.desktop" ];
in in
{ {
"application/pdf" = [ "org.gnome.Evince.desktop" ]; "application/pdf" = [ "org.gnome.Evince.desktop" ];
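Review bot: `firefox.desktop` is now the first entry of `browsers`, but no firefox package is added in any visible hunk of this commit; if it is not installed by another module, openers will presumably skip the missing desktop file and fall through to `google-chrome.desktop` silently, so either add `firefox` to the package list here or confirm where it comes from. `nodejs_20` is also inserted under the Rust toolchain group (rustfmt/clippy/gcc) rather than after the `# libs` heading or under its own `# js` comment, which makes the grouping comments in this list misleading.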


@ -64,6 +64,7 @@ in
}; };
}; };
extraConfig = '' extraConfig = ''
PKCS11Provider /run/current-system/sw/lib/libtpm2_pkcs11.so
IdentityFile ~/.ssh/id_ed25519 IdentityFile ~/.ssh/id_ed25519
''; '';
}; };