Compare commits


4 commits

5 changed files with 25 additions and 4 deletions


@ -44,6 +44,8 @@
}; };
}; };
users.users."${config.services.crowdsec.user}".extraGroups = [ "adm" ];
systemd.tmpfiles.rules = let cfg = config.services.crowdsec; systemd.tmpfiles.rules = let cfg = config.services.crowdsec;
in [ "d /var/lib/crowdsec 0755 ${cfg.user} ${cfg.group}" ]; in [ "d /var/lib/crowdsec 0755 ${cfg.user} ${cfg.group}" ];
} }
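Review bot: The added `users.users."${config.services.crowdsec.user}".extraGroups = [ "adm" ];` line has no comment saying what the crowdsec user needs from that group, and `adm` is a fairly broad grant for a network-facing daemon. If the only requirement is reading the journal for `journalctl` acquisitions, `systemd-journal` is the group meant for journal read access and would keep the privilege narrower; this is an inference, since the acquisitions are configured outside this hunk. Either way, a one-line comment above it such as `# crowdsec needs journal read access for its journalctl acquisitions` would record the reason. The enclosing attribute set starts outside the hunk.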


@ -155,8 +155,8 @@ in {
networks = [ networks."${user}".ref ]; networks = [ networks."${user}".ref ];
publishPorts = [ "127.0.0.1:${port}:${containerPort}" ]; publishPorts = [ "127.0.0.1:${port}:${containerPort}" ];
}; };
unitConfig.Requires = [ secrets.ref containers."${user}".ref ]; unitConfig.Requires = [ secrets.ref containers."${user}-db".ref ];
unitConfig.After = [ secrets.ref containers."${user}".ref ]; unitConfig.After = [ secrets.ref containers."${user}-db".ref ];
}; };
}; };
}; };
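Review bot: The dependency list `[ secrets.ref containers."${user}-db".ref ]` is written out twice, once for `unitConfig.Requires` and once for `unitConfig.After`, and this change had to edit both copies in step. Binding it once would keep the two from drifting apart, for example `unitConfig = let deps = [ secrets.ref containers."${user}-db".ref ]; in { Requires = deps; After = deps; };`, provided no other `unitConfig` attributes are set outside the hunk. The same pair appears in the `@ -146,8 +155,8 @` hunk of the later file section. It is also worth a comment that `After=` only orders unit start-up and does not by itself wait for the database inside the container to accept connections.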

9
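--- a/services/openssh.nix
+++ b/services/openssh.nix
@@ -0,0 +1,9 @@
+{ ... }: {
+services.openssh = {
+enable = true;
+settings = {
+PermitRootLogin = "no";
+PasswordAuthentication = false;
+};
+};
+}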
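Review bot: The `settings` block turns off `PasswordAuthentication` but leaves `KbdInteractiveAuthentication` at the module default. Keyboard-interactive authentication through PAM can then still prompt for a password, so the key-only intent is not fully enforced. Adding `KbdInteractiveAuthentication = false;` next to the two existing settings closes that path. No SSH log acquisition for crowdsec appears in this change set; if the daemon is reachable from outside, confirm that sshd's journal entries are covered elsewhere so failed logins are actually observed.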


@ -60,6 +60,15 @@ in {
} }
''; '';
services.crowdsec = {
localConfig.acquisitions = [{
source = "journalctl";
journalctl_filter = [ "_SYSTEMD_USER_UNIT=${user}.service" ];
labels.type = "bitwarden";
}];
hub.collections = [ "MariuszKociubinski/bitwarden" ];
};
users.users."${user}" = { users.users."${user}" = {
group = user; group = user;
isNormalUser = true; isNormalUser = true;
@ -146,8 +155,8 @@ in {
networks = [ networks."${user}".ref ]; networks = [ networks."${user}".ref ];
publishPorts = [ "127.0.0.1:${port}:${containerPort}" ]; publishPorts = [ "127.0.0.1:${port}:${containerPort}" ];
}; };
unitConfig.Requires = [ secrets.ref containers."${user}".ref ]; unitConfig.Requires = [ secrets.ref containers."${user}-db".ref ];
unitConfig.After = [ secrets.ref containers."${user}".ref ]; unitConfig.After = [ secrets.ref containers."${user}-db".ref ];
}; };
}; };
}; };
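Review bot: Nothing in the first hunk's `services.crowdsec` block shows that the acquisition actually feeds the parser it is paired with. If `_SYSTEMD_USER_UNIT=${user}.service` is not the unit name the container logs under, or the parser in `MariuszKociubinski/bitwarden` keys on a different `type` or log format than this service emits, crowdsec starts cleanly and never raises an alert. A comment recording how this was verified would help the next reader, for example `# verified with cscli metrics: lines from this source are parsed, not just read`. The collection is community-authored and pulled by name, so its parser and scenarios deserve a review before they are trusted to drive bans. The enclosing attribute set continues outside the hunk.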


@ -12,6 +12,7 @@
./../../services/fireflyiii.nix ./../../services/fireflyiii.nix
./../../services/freshrss.nix ./../../services/freshrss.nix
./../../services/navidrome.nix ./../../services/navidrome.nix
./../../services/openssh.nix
./../../services/vaultwarden.nix ./../../services/vaultwarden.nix
]; ];