From f1f11eee2ac6be742472c1f68d1f01ccb9734e6a Mon Sep 17 00:00:00 2001 From: Rouven Seifert Date: Thu, 20 Jul 2023 21:35:12 +0200 Subject: [PATCH] better up purge and mail secrets --- flake.lock | 30 +++++++++---------- flake.nix | 4 +++ hosts/falkenstein-1/default.nix | 2 ++ hosts/falkenstein-1/modules/mail/default.nix | 7 ++--- hosts/falkenstein-1/modules/purge/default.nix | 4 +-- hosts/thinkpad/default.nix | 30 +++++++++---------- overlays/default.nix | 1 + ...-remove-natend-go-mod-for-nix-builds.patch | 22 ++++++++++++++ pkgs/crowdsec-firewall-bouncer/default.nix | 24 +++++++++++++++ secrets/falkenstein-1.yaml | 9 ++---- shared/gpg.nix | 11 ++++--- users/rouven/modules/accounts/default.nix | 3 ++ 12 files changed, 101 insertions(+), 46 deletions(-) create mode 100644 pkgs/crowdsec-firewall-bouncer/0001-remove-natend-go-mod-for-nix-builds.patch create mode 100644 pkgs/crowdsec-firewall-bouncer/default.nix diff --git a/flake.lock b/flake.lock index 046bff1..6df2a9b 100644 --- a/flake.lock +++ b/flake.lock @@ -171,11 +171,11 @@ ] }, "locked": { - "lastModified": 1689495092, - "narHash": "sha256-yZu2j5FpLZEPhJQQutMCPTxa1VMigLPabLYvLTq6ASM=", + "lastModified": 1689875525, + "narHash": "sha256-fgUrFH3bMZ6R7qgBTfuTRGlkZXIkdyjndl6ZbExbjE8=", "owner": "nix-community", "repo": "home-manager", - "rev": "2f84579a70b8c74e5ebb37299a0c3ba279f09382", + "rev": "1443abd2696ec6bd6fb9701e6c26b277a27b4a3e", "type": "github" }, "original": { @@ -301,11 +301,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1689444953, - "narHash": "sha256-0o56bfb2LC38wrinPdCGLDScd77LVcr7CrH1zK7qvDg=", + "lastModified": 1689679375, + "narHash": "sha256-LHUC52WvyVDi9PwyL1QCpaxYWBqp4ir4iL6zgOkmcb8=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "8acef304efe70152463a6399f73e636bcc363813", + "rev": "684c17c429c42515bafb3ad775d2a710947f3d67", "type": "github" }, "original": { 
@@ -347,11 +347,11 @@ }, "nixpkgs-stable_2": { "locked": { - "lastModified": 1689398528, - "narHash": "sha256-qVn/doWn20axR+KvmAAGexv0A5RVzcBbd5HfNMAMeVI=", + "lastModified": 1689473667, + "narHash": "sha256-41ePf1ylHMTogSPAiufqvBbBos+gtB6zjQlYFSEKFMM=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "3dc2bc15956db2ff2316af45eefd45803fc1372b", + "rev": "13231eccfa1da771afa5c0807fdd73e05a1ec4e6", "type": "github" }, "original": { @@ -399,11 +399,11 @@ ] }, "locked": { - "lastModified": 1689427636, - "narHash": "sha256-COACHJYnu/ngg/1R40s3zkeMwrBV1cVU6xUfZKAON0g=", + "lastModified": 1689880943, + "narHash": "sha256-qFUNtcCGfZldDgvuPLk4J2ww+CNwDmTUWLnn/jgxHJM=", "owner": "therealr5", "repo": "purge", - "rev": "3674000c8b6993c132aea92456394b49ca62e896", + "rev": "869b5723dfb5d7e7650d631215771dfa4f48bf11", "type": "github" }, "original": { @@ -460,11 +460,11 @@ "nixpkgs-stable": "nixpkgs-stable_2" }, "locked": { - "lastModified": 1689405598, - "narHash": "sha256-80fuO3FiXgJmUDQgB7sc2lq8Qe/oSkqDNwx9N/fCtBs=", + "lastModified": 1689534977, + "narHash": "sha256-EB4hasmjKgetTR0My2bS5AwELZFIQ4zANLqHKi7aVXg=", "owner": "Mic92", "repo": "sops-nix", - "rev": "cfe47aff8660fd760b1db89613a3205c2c4ba7b6", + "rev": "bd695cc4d0a5e1bead703cc1bec5fa3094820a81", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index 150b685..ba20d7f 100644 --- a/flake.nix +++ b/flake.nix @@ -65,6 +65,7 @@ jmri = nixpkgs.legacyPackages.x86_64-linux.callPackage ./pkgs/jmri { }; adguardian-term = nixpkgs.legacyPackages.x86_64-linux.callPackage ./pkgs/adguardian-term { }; pww = nixpkgs.legacyPackages.x86_64-linux.callPackage ./pkgs/pww { }; + crowdsec-firewall-bouncer = nixpkgs.legacyPackages.x86_64-linux.callPackage ./pkgs/crowdsec-firewall-bouncer { }; }; hydraJobs = self.packages; formatter.x86_64-linux = nixpkgs.legacyPackages.x86_64-linux.nixpkgs-fmt; 
@@ -114,6 +115,9 @@ modules = [ ./hosts/falkenstein-1 ./shared + { + nixpkgs.overlays = [ self.overlays.default ]; + } nix-index-database.nixosModules.nix-index sops-nix.nixosModules.sops purge.nixosModules.default diff --git a/hosts/falkenstein-1/default.nix b/hosts/falkenstein-1/default.nix index e4fabc8..e72818f 100644 --- a/hosts/falkenstein-1/default.nix +++ b/hosts/falkenstein-1/default.nix @@ -39,6 +39,8 @@ helix lsof python3 + crowdsec + crowdsec-firewall-bouncer ]; programs.git = { enable = true; diff --git a/hosts/falkenstein-1/modules/mail/default.nix b/hosts/falkenstein-1/modules/mail/default.nix index d1bc016..d08f0ba 100644 --- a/hosts/falkenstein-1/modules/mail/default.nix +++ b/hosts/falkenstein-1/modules/mail/default.nix @@ -6,9 +6,6 @@ let rspamd-domain = "rspamd.${domain}"; in { - sops.secrets."mail/rouven".owner = config.users.users.postfix.name; - sops.secrets."rspamd".owner = config.users.users.rspamd.name; - networking.firewall.allowedTCPPorts = [ 25 # insecure SMTP 465 @@ -160,7 +157,9 @@ in enable = true; postfix.enable = true; locals = { - "worker-controller.inc".source = config.sops.secrets."rspamd".path; + "worker-controller.inc".text = '' + password = "$2$g1jh7t5cxschj11set5wksd656ixd5ie$cgwrj53hfb87xndqbh5r3ow9qfi1ejii8dxok1ihbnhamccn1rxy"; + ''; "redis.conf".text = '' read_servers = "127.0.0.1"; write_servers = "127.0.0.1"; diff --git a/hosts/falkenstein-1/modules/purge/default.nix b/hosts/falkenstein-1/modules/purge/default.nix index 3b57572..822d232 100644 --- a/hosts/falkenstein-1/modules/purge/default.nix +++ b/hosts/falkenstein-1/modules/purge/default.nix 
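Review bot: Adding `crowdsec` and `crowdsec-firewall-bouncer` to `environment.systemPackages` installs the binaries but starts nothing — this commit carries no crowdsec or bouncer service unit, no bouncer configuration and no LAPI key, so the host gets no new protection from this hunk. Unless that wiring lives in a module outside this diff, each still needs a systemd service, with the bouncer's API key (the one `cscli bouncers add` produces) supplied through a sops secret rather than a file in the store, since the bouncer typically runs as root to program nftables/iptables. At minimum a comment such as `# TODO: binaries only — no crowdsec/bouncer service defined yet` next to the two entries would keep the gap visible. The enclosing `systemPackages` list starts outside the hunk.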
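Review bot: The `worker-controller.inc` change moves the rspamd controller password out of sops and into Nix source as a literal `password = "$2$…"` hash, which ends up in the world-readable Nix store (`/nix/store/…-worker-controller.inc`) on the host and permanently in this repo's git history. It appears to be rspamd's own hashed format rather than the plaintext, but the hash is now available to every local user and to anyone with the repo for offline guessing, and it protects the controller worker (web UI and API). I would keep the previous sops path — restore `sops.secrets."rspamd".owner = config.users.users.rspamd.name;` and `"worker-controller.inc".source = config.sops.secrets."rspamd".path;` — and rotate the controller password, because the committed hash stays recoverable from history even after a revert. The first hunk also drops `sops.secrets."mail/rouven"`; if anything else in this module (its body continues outside both hunks) still references `config.sops.secrets."mail/rouven".path`, evaluation will fail, so check that the postfix side was really migrated rather than just the declaration removed.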
@@ -3,14 +3,14 @@ let domain = "purge.rfive.de"; in { - sops.secrets."purge/environment".owner = "purge"; + sops.secrets."purge/token".owner = "purge"; services.purge = { enable = true; discord = { clientId = "941041925216157746"; publicKey = "d2945f6130d9b4a8dda8c8bf52db5dee127a82f89c6b8782e84aa8f45f61d402"; + tokenFile = config.sops.secrets."purge/token".path; }; - environmentFile = config.sops.secrets."purge/environment".path; }; services.nginx.virtualHosts."${domain}" = { enableACME = true; diff --git a/hosts/thinkpad/default.nix b/hosts/thinkpad/default.nix index 4a288a5..cd39525 100755 --- a/hosts/thinkpad/default.nix +++ b/hosts/thinkpad/default.nix @@ -44,21 +44,21 @@ "nuc.lan:a9UkVw3AizAKCER1CfNGhx8UOMF4t4UGE3GJ9dmHwJc=" ]; }; - distributedBuilds = true; - extraOptions = '' - builders-use-substitutes = true - ''; - buildMachines = [ - { - hostName = "nuc.lan"; - system = "x86_64-linux"; - protocol = "ssh-ng"; - maxJobs = 4; - speedFactor = 1; - supportedFeatures = [ "nixos-test" "benchmark" "big-parallel" "kvm" ]; - mandatoryFeatures = [ ]; - } - ]; + # distributedBuilds = true; + # extraOptions = '' + # builders-use-substitutes = true + # ''; + # buildMachines = [ + # { + # hostName = "nuc.lan"; + # system = "x86_64-linux"; + # protocol = "ssh-ng"; + # maxJobs = 4; + # speedFactor = 1; + # supportedFeatures = [ "nixos-test" "benchmark" "big-parallel" "kvm" ]; + # mandatoryFeatures = [ ]; + # } + # ]; }; environment.persistence."/nix/persist/system" = { diff --git a/overlays/default.nix b/overlays/default.nix index f0a0d6c..0597aaa 100644 --- a/overlays/default.nix +++ b/overlays/default.nix @@ -28,6 +28,7 @@ in }); pww = callPackage ../pkgs/pww { }; + crowdsec-firewall-bouncer = callPackage ../pkgs/crowdsec-firewall-bouncer { }; jmri = callPackage ../pkgs/jmri { }; adguardian-term = callPackage ../pkgs/adguardian-term { }; } 
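Review bot: The thinkpad hunk disables the remote builder by commenting out the entire `distributedBuilds`/`extraOptions`/`buildMachines` block, leaving sixteen lines of dead configuration behind. Git already keeps the old version, so deleting the block (or setting `distributedBuilds = false;` if the intent is to toggle it back later) reads cleaner and avoids the commented settings drifting from whatever `nuc.lan` actually needs when it is re-enabled. If the `nuc.lan:…` public key in the list just above this hunk (its option name is outside the hunk) was trusted only for this builder, it is worth dropping alongside, so the host does not keep trusting a key for content it no longer receives from that machine.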
diff --git a/pkgs/crowdsec-firewall-bouncer/0001-remove-natend-go-mod-for-nix-builds.patch b/pkgs/crowdsec-firewall-bouncer/0001-remove-natend-go-mod-for-nix-builds.patch new file mode 100644 index 0000000..de39298 --- /dev/null +++ b/pkgs/crowdsec-firewall-bouncer/0001-remove-natend-go-mod-for-nix-builds.patch @@ -0,0 +1,22 @@ +From be0cc576bedade783a26b58b6577ce9903784251 Mon Sep 17 00:00:00 2001 +From: Rouven Seifert +Date: Thu, 20 Jul 2023 17:15:58 +0200 +Subject: [PATCH] remove natend go.mod for nix builds + +--- + koneu/natend/go.mod | 3 --- + 1 file changed, 3 deletions(-) + delete mode 100644 koneu/natend/go.mod + +diff --git a/koneu/natend/go.mod b/koneu/natend/go.mod +deleted file mode 100644 +index 92b93b4..0000000 +--- a/koneu/natend/go.mod ++++ /dev/null +@@ -1,3 +0,0 @@ +-module natend +- +-go 1.17 +-- +2.41.0 + diff --git a/pkgs/crowdsec-firewall-bouncer/default.nix b/pkgs/crowdsec-firewall-bouncer/default.nix new file mode 100644 index 0000000..050590c --- /dev/null +++ b/pkgs/crowdsec-firewall-bouncer/default.nix @@ -0,0 +1,24 @@ +{ lib, buildGoModule, makeWrapper, fetchFromGitHub, playerctl }: +buildGoModule rec { + pname = "crowdsec-firewall-bouncer"; + version = "0.0.27"; + + src = fetchFromGitHub { + owner = "crowdsecurity"; + repo = "cs-firewall-bouncer"; + rev = "v${version}"; + hash = "sha256-zrYs/9hH+sGG1RMFWMeTm1yIDPElGBr7rVGeWR3ff34="; + }; + + patches = [ ./0001-remove-natend-go-mod-for-nix-builds.patch ]; + + vendorSha256 = "sha256-7wIdwTv4jMpFQkl3tKeH3MWxJ/EbiFg5FtGSAvNNpos="; + + meta = with lib; { + description = "Crowdsec bouncer written in golang for firewalls"; + homepage = "https://github.com/crowdsecurity/cs-firewall-bouncer"; + license = licenses.mit; + maintainers = with maintainers; [ therealr5 ]; + platforms = platforms.all; + }; +} diff --git a/secrets/falkenstein-1.yaml b/secrets/falkenstein-1.yaml index e0a4f20..e0210a6 100644 --- a/secrets/falkenstein-1.yaml +++ b/secrets/falkenstein-1.yaml 
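Review bot: The new `crowdsec-firewall-bouncer` derivation declares `makeWrapper` and `playerctl` in its argument set but never uses either, so they look like leftovers from another package (`playerctl` is an MPRIS desktop tool) and needlessly widen the function's inputs; the header should be `{ lib, buildGoModule, fetchFromGitHub }:`. `platforms = platforms.all` is also broad for a tool that drives iptables/nftables (or pf); unless the non-Linux build is actually wanted and tested, `platforms = platforms.linux;` is the more honest claim and keeps hydra from attempting it elsewhere. The source pin — `rev = "v${version}"` plus a fixed `hash`, and a fixed `vendorSha256` — is the right shape for reproducible supply-chain pinning; `vendorHash` is the current spelling of that attribute if the pinned nixpkgs accepts it. The accompanying `0001-remove-natend-go-mod-for-nix-builds.patch` presumably deletes the nested `go.mod` so the module tree vendors as one unit; a one-line comment above `patches` saying so would spare the next reader a trip into the patch.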
@@ -1,8 +1,5 @@ purge: - environment: ENC[AES256_GCM,data:4qxa4Jod8vFdd5NzHugeRlo5MtEMoUQfbCYhualyfF7RZMms7G/R4OB2RSfv5BekJechU8t8i0+2rHt/c9sVd+JU7Za20bzVqVz7wvMAiZKV,iv:1QesCJz2+tmvrNLIkAhvzMLKQy7IEP7muA7J1ijINI4=,tag:Bn3tIhMm+qOJ764XlAIm/A==,type:str] -mail: - rouven: ENC[AES256_GCM,data:aUUH36pDczOufIgDKWz3obcQOloKBpydZfXMUDHGrsJ3h8O0kZYFmq389L86PJ2YISTd7Jv8PfUYPdLi3e80UggKh7SdtP/bBw==,iv:XgZNmCR+XZhjMxV6H2mtepqt4YUADG+45m9P8jdLVNY=,tag:p2RNQ7uBNctJqm69kXxTug==,type:str] -rspamd: ENC[AES256_GCM,data:Q4V/0aPl9K+ba3aKAZH5Q0lnixIAQBMgPTmMfDP1ZnYAObVc,iv:NBlFpAVBw8az1qEQd+vDmzUHGPMQYuok9MXydHgx8IY=,tag:QptoxnuA+1XB4/0Zd9Yr3Q==,type:str] + token: ENC[AES256_GCM,data:mCK0xAgF4Q8DOTPVRg/O5L8kpDItNj8U0ikoKOOZC3Dv50Yt/nqvq4j4fM0CQ836pxCutir6FkTKbS5xS5XqKoSzu8E/0Q==,iv:JDqyeG+g3RAHmMD4uxS6eyQYYI50X6Bwutp+/v2ngq8=,tag:JkqLWoSwwghNUCD2+I6Njg==,type:str] sops: kms: [] gcp_kms: [] @@ -18,8 +15,8 @@ sops: NGlZbU8rcWJRbGE5OEFHdUNqZ2xUS2sK/r7qJHfTP0REcM2PYM95XT0onnCYXzam 20BgfynX3PJE2QVcgl8rr7ssuKxESi+tY/1VB0l8Tryxe6hr/p5IVg== -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-05-28T20:06:48Z" - mac: ENC[AES256_GCM,data:hZk9ltfNRKuTm+ePBpU5wKRexlmRd9oEuHRAjZ4kHRbJBEBTeALOcYXgNXu9ws70hZR7do869tdjY+k1Li+cquqgBFTMIs0R+hBmD9q1Tpv0bMEuQ1t3dHEiMvkm/oi19QKpZLDw9SWlwD1mw3J/4a+w/t1dR5PSrt9SWGkV6mU=,iv:DKjVYYyF5to9Bd84fT1Wl58dLs7Il160o210k/tEQaM=,tag:SgGkU0cDr61kYnmgGGkxGw==,type:str] + lastmodified: "2023-07-20T19:34:57Z" + mac: ENC[AES256_GCM,data:0/r6bPhpdjO/gmQik5NUKA028z0RGmJ7jzum5ZLr/H/540c5nHgPc7URyGcmp2xH5KkmxtcXPloUvZTDep3XsitJtWSmRhME31CrUNan0iWShj4ERbw8/hlLEy5ILc2ko79ofKjjmF6pPxoyeqqQQnSrJBF9qJfQDbQ2jY1GRmY=,iv:0LPC2g6eStt0+tTYBxN3d4sxr6fthCHsudiOhQJTj1A=,tag:nLPVgixzs1+3LroVyvgbFw==,type:str] pgp: - created_at: "2023-04-12T15:47:07Z" enc: |- diff --git a/shared/gpg.nix b/shared/gpg.nix index 339b674..53a5a4a 100644 --- a/shared/gpg.nix +++ b/shared/gpg.nix 
@@ -1,9 +1,12 @@ { ... }: { - programs.gnupg.agent = { - enable = true; - enableSSHSupport = true; - pinentryFlavor = "gnome3"; + programs.gnupg = { + dirmngr.enable = true; + agent = { + enable = true; + enableSSHSupport = true; + pinentryFlavor = "gnome3"; + }; }; services.pcscd.enable = true; } diff --git a/users/rouven/modules/accounts/default.nix b/users/rouven/modules/accounts/default.nix index 8ae0ef9..98f4630 100644 --- a/users/rouven/modules/accounts/default.nix +++ b/users/rouven/modules/accounts/default.nix @@ -310,4 +310,7 @@ in home.file.".urlview".text = '' COMMAND ${pkgs.xdg-utils}/bin/xdg-open %s &> /dev/null ''; + home.file.".gnupg/dirmngr_ldapservers.conf".text = '' + ldap.pca.dfn.de::::o=DFN-Verein,c=DE + ''; }
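Review bot: The new `~/.gnupg/dirmngr_ldapservers.conf` entry `ldap.pca.dfn.de::::o=DFN-Verein,c=DE` leaves the port and the trailing flags field (available on GnuPG 2.3+) empty, so dirmngr will most likely query the DFN directory over plain LDAP on 389 unless that server forces TLS itself. Certificates and CRLs are signed, so integrity is not the concern, but every lookup exposes which certificates and issuers you query; if the DFN directory supports it, `ldap.pca.dfn.de::::o=DFN-Verein,c=DE:ldaptls` (or `:ldaps` with the matching port) closes that. A comment in the module stating why this server is configured, e.g. `# DFN-PKI directory for S/MIME certificate/CRL lookups via dirmngr`, would help, since the purpose is not obvious from the hostname. Also, when home-manager creates `~/.gnupg` only to place this file, the directory may not end up with mode 700 and gpg will then warn about unsafe homedir permissions — worth verifying on a fresh deployment.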