diff --git a/flake.nix b/flake.nix
index a5b90d9..735b5b9 100644
--- a/flake.nix
+++ b/flake.nix
@@ -148,7 +148,6 @@
 quadlet-nix.nixosModules.quadlet
 crowdsec.nixosModules.crowdsec
 crowdsec.nixosModules.crowdsec-firewall-bouncer
- { nixpkgs.overlays = [ crowdsec.overlays.default ]; }
 ];
 };
 };
diff --git a/secrets.nix b/secrets.nix
index 3b3ede4..cb1d980 100644
--- a/secrets.nix
+++ b/secrets.nix
@@ -4,6 +4,8 @@ let
 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM8G6okW/vpl3DTBwL64aPb+oxJsr2Wl6KzHYsLPecBc millironx@millironx.com";
 bosephus-host =
 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIxTfeg+GZsfmG8TuEV1xW1gXknAIKzZ3UjZ3guRY+EW root@nixos";
+ bosephus-root =
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFFl4zOdlKkpoccPZTX8195068gJVhylvV9pUYxy2kM+ root@bosephus";
 bosephus-millironx =
 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKaDPqRJHoqgY2pseh/mnhjaGWXprHk2s5I52LhHpHcF millironx@bosephus";
 odyssey-millironx =
@@ -15,6 +17,7 @@ let
 system-administrators = [
 anderson-millironx
+ bosephus-root
 bosephus-millironx
 odyssey-millironx
 corianne-millironx
diff --git a/secrets/ansible-vault-password.age b/secrets/ansible-vault-password.age
index 99a96bc..d0be48c 100644
--- a/secrets/ansible-vault-password.age
+++ b/secrets/ansible-vault-password.age
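Review bot: The overlay line is removed while `crowdsec.nixosModules.crowdsec` and `crowdsec.nixosModules.crowdsec-firewall-bouncer` remain in the module list on the context lines just above it, so those modules are still evaluated for every host even though `services/crowdsec.nix` is deleted in the same commit. If the modules default their package to something the overlay supplied, evaluation may now fail or quietly fall back to a different crowdsec build; removing the two module lines alongside the overlay keeps the flake consistent, and the `crowdsec` input can go with them if nothing else references it. The enclosing attribute set begins and ends outside the hunk.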
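Review bot: `bosephus-root` (comment `root@bosephus`) is added to `system-administrators` while `bosephus-host` (comment `root@nixos`) stays in the list directly above it; if both belong to the same machine, one from before and one from after a hostname change, the older key remains a valid recipient for everything encrypted to that list. The re-encrypted `secrets/ansible-vault-password.age` in this commit goes from five to six recipients, so nothing is revoked here — worth confirming the old key is still wanted and, if not, dropping `bosephus-host` from the recipient lists and re-keying. A one-line comment above each key would make the distinction clear to the next reader, e.g. `# root key on bosephus; distinct from the bosephus-host key above`.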
@@ -1,13 +1,15 @@ age-encryption.org/v1 --> ssh-ed25519 il3lzQ Ni2CHjeijXHfF62cUqVTm8MAOn6rRg8UrhqN6xvdkyk -DsT0Ysx88FlCLeRzoOGctX7KqatX9/UCr5WdtdLJAf4 --> ssh-ed25519 1g/xww jRn91F29sISMyi41anAlzVCzt1t1DnUqxtryqkTQPlM -cysgZLQR0YhiJYXBl59DjKbm+N8FnjA46wkQtnAzBFA --> ssh-ed25519 +kBihw t6wlSnDKGgSzGhNJnryXVbDR40DATaV3fHovtI/u7zo -zOyCZtzfLKeer9K6SMpfTxn6El4HB7gQFQqLOxIYB5U --> ssh-ed25519 dbKeHw cn+8WTwis58bYm2pfEra6LeLvzEZ8GhZrOEeN+kkhCM -fnlUAj8JtG8+r7Cj8xYUgF+JM6Pwqawn4sGI1LOeN78 --> ssh-ed25519 Svnssw zmDBR8TdRZ9NzNhwPYRN6c8naTxAkULyUZpKgk7Gshk -0XCwpegEIlGXhnzLLUtmciKQiYiZRgnSOSvCcYeXXk8 ---- D/lZ36n5sVste2NWfdOx8/klPh0CTmMjVQN74KIqDRY -]%C}NO"v#˱t_Q;^*!+<+dB/K` \ No newline at end of file +-> ssh-ed25519 il3lzQ oDA/rl4XZJY+vIIdnMBaAuSMD+DnMX2n6+B3geHw/1Q +Jpv2pN6KwJAHgwWBbAAgmGVrZeO+wLmuwFRpJLsUDcU +-> ssh-ed25519 bN6E9A jKvJPR87Eojde1aq2FFxRj+cxy+0S7Eix5JwRPRpX34 +48eC+KdOBcIGU0y2ui4iq+g8K9SG7qc3U60ApLU+w+Q +-> ssh-ed25519 1g/xww UiK5nDMJg+tTc7zdE5zlEXmoBPE5dV2EpHxvhWBENmU +ljQEJ+tiZPdFrpiZER5EOIsdnhpj05EKryhzm0vM3LU +-> ssh-ed25519 +kBihw ZIcwOBbRMJ8jiu9Vcq8BvGyOT1xuqG+Mf/DXUHMeCAA +wlXcO4kQpHmka49CARH0xvm/Lh0AcQ1j/bPx12wZVBY +-> ssh-ed25519 dbKeHw +G44jyudYu9opDuMcTs05j5Ha91m9lm5g551uIAACEk +9DXJxDc2L3PDCAi3cLfVajqPseaxmBpb+Uo3AW2R05I +-> ssh-ed25519 Svnssw PZN+FpZsFnCqerEgW7B4RFHo7iumlUXL4pYt54/XxjM +bKrgyqBpIMnntB0CHA560TvraQE9bPF06oOXR+wocIA +--- RW8fUuT62TXXKS8k8MgKISzwORr/3hEl0XK2XSZFzpA +W: iZSth ՞0JEgPT#8-'ȰL8kp \ No newline at end of file diff --git a/secrets/darwin-policies-json.age b/secrets/darwin-policies-json.age index 9fa2d2b..e1a202f 100644 Binary files a/secrets/darwin-policies-json.age and b/secrets/darwin-policies-json.age differ diff --git a/secrets/network-information.age b/secrets/network-information.age index 0de69b7..66c199c 100644 Binary files a/secrets/network-information.age and b/secrets/network-information.age differ 
diff --git a/secrets/pihole.age b/secrets/pihole.age
index babead9..e7f0c78 100644
Binary files a/secrets/pihole.age and b/secrets/pihole.age differ
diff --git a/services/crowdsec.nix b/services/crowdsec.nix
deleted file mode 100644
index f7e2e5a..0000000
--- a/services/crowdsec.nix
+++ /dev/null
@@ -1,90 +0,0 @@
-{ pkgs, config, ... }:
-let
- crowdsec-url = "127.0.0.1:2763";
- firewall-bouncer-name = "fw-bouncer";
- # Although this key can be reproduced by anyone who actually cares to, the
- # Crowdsec API will not be exposed to the outside world, so keeping this key
- # super secret really isn't that important to me. Still make it look random
- # so that hungry botnets can't just slurp up the password in plaintext.
- firewall-bouncer-key = builtins.hashString "sha256"
- "${config.networking.hostName}-crowdsec-bouncer-salt";
- toMultiYAML = items:
- pkgs.lib.concatMapStrings (item:
- ''
-
- ---
- '' + (pkgs.lib.generators.toYAML { } item) + "\n") items;
-in {
- services = {
- crowdsec = {
- enable = true;
- settings = {
- api.server = { listen_uri = crowdsec-url; };
- allowLocalJournalAccess = true;
- crowdsec_service.acquisition_path = pkgs.writeText "acquisitions.yaml"
- (toMultiYAML [
- {
- source = "journalctl";
- journalctl_filter = [ "_SYSTEMD_UNIT=sshd.service" ];
- labels.type = "syslog";
- }
- {
- filenames = [ "/var/log/auth.log" ];
- labels.type = "syslog";
- }
- {
- filenames = [ "/var/log/syslog" "/var/log/kern.log" ];
- labels.type = "syslog";
- }
- ]);
- };
- };
- crowdsec-firewall-bouncer = {
- enable = true;
- settings = {
- api_url = firewall-bouncer-name;
- api_key = firewall-bouncer-key;
- };
- };
- };
-
- systemd.services.crowdsec.serviceConfig = {
- ExecStartPre = let
- bouncer-script = pkgs.writeScriptBin "register-bouncer" ''
- #!${pkgs.runtimeShell}
- set -eu
- set -o pipefail
-
- if ! cscli bouncers list | grep -q "${firewall-bouncer-name}"; then
- cscli bouncers add "${firewall-bouncer-name}" --key "${firewall-bouncer-key}"
- fi
- '';
- collection-check = collection: ''
-
- if ! cscli collections list | grep -q "${collection}"; then
- cscli collections install "${collection}"
- fi
-
- '';
- collections = [
- "crowdsecurity/base-http-scenarios"
- "crowdsecurity/http-cve"
- "crowdsecurity/http-dos"
- "crowdsecurity/iptables"
- "crowdsecurity/linux"
- "crowdsecurity/sshd"
- "crowdsecurity/whitelist-good-actors"
- ];
- collection-script = pkgs.writeScriptBin "install-collections" ''
- #!${pkgs.runtimeShell}
- set -eu
- set -o pipefail
-
- ${pkgs.lib.concatMapStrings collection-check collections}
- '';
- in [
- "${bouncer-script}/bin/register-bouncer"
- "${collection-script}/bin/install-collections"
- ];
- };
-}
diff --git a/systems/linux/mcentire.nix b/systems/linux/mcentire.nix
index 07135d1..6ee0ae4 100644
--- a/systems/linux/mcentire.nix
+++ b/systems/linux/mcentire.nix
@@ -4,7 +4,6 @@
 imports = [
 # Include the results of the hardware scan.
 ./hardware-configuration/mcentire.nix
 ./../../services/nixos-update.nix
- ./../../services/crowdsec.nix
 ];
 # Use the GRUB 2 boot loader.