From 23ce55d8806a08330802a64c5e18f70e432e6bb7 Mon Sep 17 00:00:00 2001
From: "Thomas A. Christensen II" <25492070+MillironX@users.noreply.github.com>
Date: Thu, 19 Mar 2026 15:25:12 -0500
Subject: [PATCH 1/4] feat (crowdsec): Enable Crowdsec to read all journalctl logs
---
 services/crowdsec.nix | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/services/crowdsec.nix b/services/crowdsec.nix
index 5c3e279..9f3f6d8 100644
--- a/services/crowdsec.nix
+++ b/services/crowdsec.nix
@@ -44,6 +44,8 @@
 };
 };
+ users.users."${config.services.crowdsec.user}".extraGroups = [ "adm" ];
+ systemd.tmpfiles.rules = let cfg = config.services.crowdsec; in [ "d /var/lib/crowdsec 0755 ${cfg.user} ${cfg.group}" ];
 }
From 3b079d142f937b56cac158d397f596716b5b0846 Mon Sep 17 00:00:00 2001
From: "Thomas A. Christensen II" <25492070+MillironX@users.noreply.github.com>
Date: Thu, 19 Mar 2026 15:26:02 -0500
Subject: [PATCH 2/4] fix (fireflyiii, vaultwarden): container dependency order
---
 services/fireflyiii.nix | 4 ++--
 services/vaultwarden.nix | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/services/fireflyiii.nix b/services/fireflyiii.nix
index 5174cc2..c029444 100644
--- a/services/fireflyiii.nix
+++ b/services/fireflyiii.nix
@@ -155,8 +155,8 @@ in {
 networks = [ networks."${user}".ref ];
 publishPorts = [ "127.0.0.1:${port}:${containerPort}" ];
 };
- unitConfig.Requires = [ secrets.ref containers."${user}".ref ];
- unitConfig.After = [ secrets.ref containers."${user}".ref ];
+ unitConfig.Requires = [ secrets.ref containers."${user}-db".ref ];
+ unitConfig.After = [ secrets.ref containers."${user}-db".ref ];
 };
 };
 };
diff --git a/services/vaultwarden.nix b/services/vaultwarden.nix
index 0156254..3b0ed47 100644
--- a/services/vaultwarden.nix
+++ b/services/vaultwarden.nix
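Review bot: `extraGroups = [ "adm" ]` hands the crowdsec user more than journal reading requires: `systemd-journal` is the group that exists specifically to read every journal file, while `adm` is conventionally a general log-reading group that also reaches other files under /var/log. Unless a later acquisition needs something outside the journal, `users.users."${config.services.crowdsec.user}".extraGroups = [ "systemd-journal" ];` is the tighter grant for the same effect. A why-comment above the line would also help the next reader, e.g. `# journalctl acquisitions run as this user and must read other units' journal entries`. The tmpfiles rule that follows is presumably pre-existing context rather than part of this addition; the collapsed hunk does not make that certain.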
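Review bot: `Requires=`/`After=` on the `${user}-db` container order only unit start, not database readiness, so unless the `-db` container signals readiness (a health check or notify) the application container can still come up before the database accepts connections and has to retry on its own; worth confirming rather than assuming. The same two lines are changed identically in services/vaultwarden.nix in this commit, and a short why-comment above them in both files would spare the next reader the same investigation: `# start after the database container and stop when it is stopped`. The enclosing attribute set begins and ends outside the hunk.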
@@ -146,8 +146,8 @@ in {
 networks = [ networks."${user}".ref ];
 publishPorts = [ "127.0.0.1:${port}:${containerPort}" ];
 };
- unitConfig.Requires = [ secrets.ref containers."${user}".ref ];
- unitConfig.After = [ secrets.ref containers."${user}".ref ];
+ unitConfig.Requires = [ secrets.ref containers."${user}-db".ref ];
+ unitConfig.After = [ secrets.ref containers."${user}-db".ref ];
 };
 };
 };
From 67ca6433ccf3b8cf53ca439aabfdf258526dbf48 Mon Sep 17 00:00:00 2001
From: "Thomas A. Christensen II" <25492070+MillironX@users.noreply.github.com>
Date: Thu, 19 Mar 2026 15:26:39 -0500
Subject: [PATCH 3/4] security (vaultwarden): Add vaultwarden logs to Crowdsec
---
 services/vaultwarden.nix | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/services/vaultwarden.nix b/services/vaultwarden.nix
index 3b0ed47..54ea31e 100644
--- a/services/vaultwarden.nix
+++ b/services/vaultwarden.nix
@@ -60,6 +60,15 @@ in {
 } '';
+ services.crowdsec = {
+ localConfig.acquisitions = [{
+ source = "journalctl";
+ journalctl_filter = [ "_SYSTEMD_USER_UNIT=${user}.service" ];
+ labels.type = "bitwarden";
+ }];
+ hub.collections = [ "MariuszKociubinski/bitwarden" ];
+ };
+
 users.users."${user}" = {
 group = user;
 isNormalUser = true;
From 98715d12e34471f68595e5300cd41eac8f2d2af4 Mon Sep 17 00:00:00 2001
From: "Thomas A. Christensen II" <25492070+MillironX@users.noreply.github.com>
Date: Thu, 19 Mar 2026 18:51:28 -0500
Subject: [PATCH 4/4] security (mcentire): Prevent ssh root and password login
---
 services/openssh.nix | 9 +++++++++
 systems/linux/mcentire.nix | 1 +
 2 files changed, 10 insertions(+)
 create mode 100644 services/openssh.nix
diff --git a/services/openssh.nix b/services/openssh.nix
new file mode 100644
index 0000000..a315eac
--- /dev/null
+++ b/services/openssh.nix
@@ -0,0 +1,9 @@
+{ ... }: {
+ services.openssh = {
+ enable = true;
+ settings = {
+ PermitRootLogin = "no";
+ PasswordAuthentication = false;
+ };
+ };
+}
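Review bot: The filter `_SYSTEMD_USER_UNIT=${user}.service` only matches entries written under a user-level systemd manager; if the container unit is run by the system manager the journal field is `_SYSTEMD_UNIT=` and this acquisition silently reads nothing, which nothing at build time will flag. Worth checking `cscli metrics` after deploy for non-zero lines read on this source, and pinning the intent in a comment, e.g. `# the container runs as a user unit, hence _SYSTEMD_USER_UNIT rather than _SYSTEMD_UNIT`. Since the container only publishes on 127.0.0.1 it is presumably behind a reverse proxy, and the client address vaultwarden logs is then whatever the proxy forwards; the bitwarden parser can only produce decisions against the real source if vaultwarden is told which header carries it (its `IP_HEADER` setting) and the proxy sets that header, otherwise every decision targets the proxy address. Reading other users' journal entries as the crowdsec user also depends on the group grant from the first commit in this series.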
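Review bot: `PasswordAuthentication = false` does not by itself rule out password login, because keyboard-interactive authentication (enabled by default and backed by PAM on NixOS) still prompts for the account password; the goal in the commit title needs `KbdInteractiveAuthentication = false;` alongside it in `settings`. With both off, logins depend entirely on authorized keys, so the host should carry a key for at least one non-root account (`users.users.<name>.openssh.authorizedKeys.keys`) before this module is imported, or the next rebuild locks out remote access. A one-line header comment naming the intent would also help a later reader: `# SSH hardening: key-only login, no root`.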
diff --git a/systems/linux/mcentire.nix b/systems/linux/mcentire.nix
index 95cb563..bf03719 100644
--- a/systems/linux/mcentire.nix
+++ b/systems/linux/mcentire.nix
@@ -12,6 +12,7 @@
 ./../../services/fireflyiii.nix
 ./../../services/freshrss.nix
 ./../../services/navidrome.nix
+ ./../../services/openssh.nix
 ./../../services/vaultwarden.nix
 ];