diff --git a/flake.nix b/flake.nix index 735b5b9..a5b90d9 100644 --- a/flake.nix +++ b/flake.nix @@ -148,6 +148,7 @@ quadlet-nix.nixosModules.quadlet crowdsec.nixosModules.crowdsec crowdsec.nixosModules.crowdsec-firewall-bouncer + { nixpkgs.overlays = [ crowdsec.overlays.default ]; } ]; }; }; diff --git a/secrets.nix b/secrets.nix index cb1d980..3b3ede4 100644 --- a/secrets.nix +++ b/secrets.nix @@ -4,8 +4,6 @@ let "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM8G6okW/vpl3DTBwL64aPb+oxJsr2Wl6KzHYsLPecBc millironx@millironx.com"; bosephus-host = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIxTfeg+GZsfmG8TuEV1xW1gXknAIKzZ3UjZ3guRY+EW root@nixos"; - bosephus-root = - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFFl4zOdlKkpoccPZTX8195068gJVhylvV9pUYxy2kM+ root@bosephus"; bosephus-millironx = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKaDPqRJHoqgY2pseh/mnhjaGWXprHk2s5I52LhHpHcF millironx@bosephus"; odyssey-millironx = @@ -17,7 +15,6 @@ let system-administrators = [ anderson-millironx - bosephus-root bosephus-millironx odyssey-millironx corianne-millironx diff --git a/secrets/ansible-vault-password.age b/secrets/ansible-vault-password.age index d0be48c..99a96bc 100644 --- a/secrets/ansible-vault-password.age +++ b/secrets/ansible-vault-password.age 
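Review bot: Dropping `bosephus-root` from `system-administrators` and rekeying the `.age` files (the ansible-vault-password hunk goes from six recipients to five) only prevents future decryption with that key; every earlier ciphertext is still in git history and remains decryptable by whoever holds the old `root@bosephus` private key. If that key is being retired because it was lost or the host was rebuilt, rather than merely consolidated onto `bosephus-millironx`, the plaintexts themselves (Ansible vault password, pihole, network-information, darwin-policies) should be rotated, not just re-encrypted. Whether a rotation happened is not visible from the diff, so a short line in the commit message stating the reason for the key removal would let a later reader judge the exposure.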
@@ -1,15 +1,13 @@ age-encryption.org/v1 --> ssh-ed25519 il3lzQ oDA/rl4XZJY+vIIdnMBaAuSMD+DnMX2n6+B3geHw/1Q -Jpv2pN6KwJAHgwWBbAAgmGVrZeO+wLmuwFRpJLsUDcU --> ssh-ed25519 bN6E9A jKvJPR87Eojde1aq2FFxRj+cxy+0S7Eix5JwRPRpX34 -48eC+KdOBcIGU0y2ui4iq+g8K9SG7qc3U60ApLU+w+Q --> ssh-ed25519 1g/xww UiK5nDMJg+tTc7zdE5zlEXmoBPE5dV2EpHxvhWBENmU -ljQEJ+tiZPdFrpiZER5EOIsdnhpj05EKryhzm0vM3LU --> ssh-ed25519 +kBihw ZIcwOBbRMJ8jiu9Vcq8BvGyOT1xuqG+Mf/DXUHMeCAA -wlXcO4kQpHmka49CARH0xvm/Lh0AcQ1j/bPx12wZVBY --> ssh-ed25519 dbKeHw +G44jyudYu9opDuMcTs05j5Ha91m9lm5g551uIAACEk -9DXJxDc2L3PDCAi3cLfVajqPseaxmBpb+Uo3AW2R05I --> ssh-ed25519 Svnssw PZN+FpZsFnCqerEgW7B4RFHo7iumlUXL4pYt54/XxjM -bKrgyqBpIMnntB0CHA560TvraQE9bPF06oOXR+wocIA ---- RW8fUuT62TXXKS8k8MgKISzwORr/3hEl0XK2XSZFzpA -W: iZSth ՞0JEgPT#8-'ȰL8kp \ No newline at end of file +-> ssh-ed25519 il3lzQ Ni2CHjeijXHfF62cUqVTm8MAOn6rRg8UrhqN6xvdkyk +DsT0Ysx88FlCLeRzoOGctX7KqatX9/UCr5WdtdLJAf4 +-> ssh-ed25519 1g/xww jRn91F29sISMyi41anAlzVCzt1t1DnUqxtryqkTQPlM +cysgZLQR0YhiJYXBl59DjKbm+N8FnjA46wkQtnAzBFA +-> ssh-ed25519 +kBihw t6wlSnDKGgSzGhNJnryXVbDR40DATaV3fHovtI/u7zo +zOyCZtzfLKeer9K6SMpfTxn6El4HB7gQFQqLOxIYB5U +-> ssh-ed25519 dbKeHw cn+8WTwis58bYm2pfEra6LeLvzEZ8GhZrOEeN+kkhCM +fnlUAj8JtG8+r7Cj8xYUgF+JM6Pwqawn4sGI1LOeN78 +-> ssh-ed25519 Svnssw zmDBR8TdRZ9NzNhwPYRN6c8naTxAkULyUZpKgk7Gshk +0XCwpegEIlGXhnzLLUtmciKQiYiZRgnSOSvCcYeXXk8 +--- D/lZ36n5sVste2NWfdOx8/klPh0CTmMjVQN74KIqDRY +]%C}NO"v#˱t_Q;^*!+<+dB/K` \ No newline at end of file diff --git a/secrets/darwin-policies-json.age b/secrets/darwin-policies-json.age index e1a202f..9fa2d2b 100644 Binary files a/secrets/darwin-policies-json.age and b/secrets/darwin-policies-json.age differ diff --git a/secrets/network-information.age b/secrets/network-information.age index 66c199c..0de69b7 100644 Binary files a/secrets/network-information.age and b/secrets/network-information.age differ 
diff --git a/secrets/pihole.age b/secrets/pihole.age index e7f0c78..babead9 100644 Binary files a/secrets/pihole.age and b/secrets/pihole.age differ diff --git a/services/crowdsec.nix b/services/crowdsec.nix new file mode 100644 index 0000000..f7e2e5a --- /dev/null +++ b/services/crowdsec.nix 
@@ -0,0 +1,90 @@ +{ pkgs, config, ... }: +let + crowdsec-url = "127.0.0.1:2763"; + firewall-bouncer-name = "fw-bouncer"; + # Although this key can be reproduced by anyone who actually cares to, the + # Crowdsec API will not be exposed to the outside world, so keeping this key + # super secret really isn't that important to me. Still make it look random + # so that hungry botnets can't just slurp up the password in plaintext. + firewall-bouncer-key = builtins.hashString "sha256" + "${config.networking.hostName}-crowdsec-bouncer-salt"; + toMultiYAML = items: + pkgs.lib.concatMapStrings (item: + '' + + --- + '' + (pkgs.lib.generators.toYAML { } item) + "\n") items; +in { + services = { + crowdsec = { + enable = true; + settings = { + api.server = { listen_uri = crowdsec-url; }; + allowLocalJournalAccess = true; + crowdsec_service.acquisition_path = pkgs.writeText "acquisitions.yaml" + (toMultiYAML [ + { + source = "journalctl"; + journalctl_filter = [ "_SYSTEMD_UNIT=sshd.service" ]; + labels.type = "syslog"; + } + { + filenames = [ "/var/log/auth.log" ]; + labels.type = "syslog"; + } + { + filenames = [ "/var/log/syslog" "/var/log/kern.log" ]; + labels.type = "syslog"; + } + ]); + }; + }; + crowdsec-firewall-bouncer = { + enable = true; + settings = { + api_url = firewall-bouncer-name; + api_key = firewall-bouncer-key; + }; + }; + }; + + systemd.services.crowdsec.serviceConfig = { + ExecStartPre = let + bouncer-script = pkgs.writeScriptBin "register-bouncer" '' + #!${pkgs.runtimeShell} + set -eu + set -o pipefail + + if ! cscli bouncers list | grep -q "${firewall-bouncer-name}"; then + cscli bouncers add "${firewall-bouncer-name}" --key "${firewall-bouncer-key}" + fi + ''; + collection-check = collection: '' + + if ! 
cscli collections list | grep -q "${collection}"; then + cscli collections install "${collection}" + fi + + ''; + collections = [ + "crowdsecurity/base-http-scenarios" + "crowdsecurity/http-cve" + "crowdsecurity/http-dos" + "crowdsecurity/iptables" + "crowdsecurity/linux" + "crowdsecurity/sshd" + "crowdsecurity/whitelist-good-actors" + ]; + collection-script = pkgs.writeScriptBin "install-collections" '' + #!${pkgs.runtimeShell} + set -eu + set -o pipefail + + ${pkgs.lib.concatMapStrings collection-check collections} + ''; + in [ + "${bouncer-script}/bin/register-bouncer" + "${collection-script}/bin/install-collections" + ]; + }; +} diff --git a/systems/linux/mcentire.nix b/systems/linux/mcentire.nix index 6ee0ae4..07135d1 100644 --- a/systems/linux/mcentire.nix +++ b/systems/linux/mcentire.nix @@ -4,6 +4,7 @@ imports = [ # Include the results of the hardware scan. ./hardware-configuration/mcentire.nix ./../../services/nixos-update.nix + ./../../services/crowdsec.nix ]; # Use the GRUB 2 boot loader.
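Review bot: `api_url = firewall-bouncer-name;` in the `crowdsec-firewall-bouncer.settings` block hands the bouncer the literal string `fw-bouncer` as its LAPI address, while the LAPI is configured to listen on `crowdsec-url`; the bouncer should target that listener, e.g. `api_url = "http://${crowdsec-url}";`. The bouncer key is a deterministic sha256 of the hostname plus a fixed salt and is interpolated into both the bouncer settings and the `register-bouncer` script, so it lands in the world-readable Nix store, which defeats the "make it look random" intent for any local user; since this repo already manages secrets with age, consider sourcing the key from a secret file if the module exposes such an option (not visible here). The `if ! cscli ... | grep -q` checks let `grep -q` exit on first match and close the pipe under `set -o pipefail`, which may surface as a pipeline failure and re-run `cscli bouncers add` / `collections install` on every start; `grep -c ... >/dev/null` or inspecting `cscli ... -o json` avoids that. `cscli collections install` also needs the hub index (and network) at service start, so an `ExecStartPre` without a preceding `cscli hub update` may fail on a fresh machine — worth confirming on first deploy.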