8 changed files with 17 additions and 104 deletions
--- a/flake.nix
+++ b/flake.nix
@ -148,7 +148,6 @@
            quadlet-nix.nixosModules.quadlet
            crowdsec.nixosModules.crowdsec
            crowdsec.nixosModules.crowdsec-firewall-bouncer
-            { nixpkgs.overlays = [ crowdsec.overlays.default ]; }
          ];
        };
      };
--- a/secrets.nix
+++ b/secrets.nix
@ -4,6 +4,8 @@ let
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM8G6okW/vpl3DTBwL64aPb+oxJsr2Wl6KzHYsLPecBc millironx@millironx.com";
  bosephus-host =
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIxTfeg+GZsfmG8TuEV1xW1gXknAIKzZ3UjZ3guRY+EW root@nixos";
+  bosephus-root =
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFFl4zOdlKkpoccPZTX8195068gJVhylvV9pUYxy2kM+ root@bosephus";
  bosephus-millironx =
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKaDPqRJHoqgY2pseh/mnhjaGWXprHk2s5I52LhHpHcF millironx@bosephus";
  odyssey-millironx =
@ -15,6 +17,7 @@ let

  system-administrators = [
    anderson-millironx
+    bosephus-root
    bosephus-millironx
    odyssey-millironx
    corianne-millironx
--- a/secrets/ansible-vault-password.age
+++ b/secrets/ansible-vault-password.age
@ -1,13 +1,15 @@
 age-encryption.org/v1
-> ssh-ed25519 il3lzQ Ni2CHjeijXHfF62cUqVTm8MAOn6rRg8UrhqN6xvdkyk
-DsT0Ysx88FlCLeRzoOGctX7KqatX9/UCr5WdtdLJAf4
-> ssh-ed25519 1g/xww jRn91F29sISMyi41anAlzVCzt1t1DnUqxtryqkTQPlM
-cysgZLQR0YhiJYXBl59DjKbm+N8FnjA46wkQtnAzBFA
-> ssh-ed25519 +kBihw t6wlSnDKGgSzGhNJnryXVbDR40DATaV3fHovtI/u7zo
-zOyCZtzfLKeer9K6SMpfTxn6El4HB7gQFQqLOxIYB5U
-> ssh-ed25519 dbKeHw cn+8WTwis58bYm2pfEra6LeLvzEZ8GhZrOEeN+kkhCM
-fnlUAj8JtG8+r7Cj8xYUgF+JM6Pwqawn4sGI1LOeN78
-> ssh-ed25519 Svnssw zmDBR8TdRZ9NzNhwPYRN6c8naTxAkULyUZpKgk7Gshk
-0XCwpegEIlGXhnzLLUtmciKQiYiZRgnSOSvCcYeXXk8
--- D/lZ36n5sVste2NWfdOx8/klPh0CTmMjVQN74KIqDRY
-]%得ﾇC}<7D>弡鶲ﾈﾓ"vﾎﾈ#<23>ｱｪ釋｢tｭ､ﾜ_Q;^*!ｻ+<+ｱ瑁詞ﾈdBﾗ/Kﾒ<4B>ﾉ`
+-> ssh-ed25519 il3lzQ oDA/rl4XZJY+vIIdnMBaAuSMD+DnMX2n6+B3geHw/1Q
+Jpv2pN6KwJAHgwWBbAAgmGVrZeO+wLmuwFRpJLsUDcU
+-> ssh-ed25519 bN6E9A jKvJPR87Eojde1aq2FFxRj+cxy+0S7Eix5JwRPRpX34
+48eC+KdOBcIGU0y2ui4iq+g8K9SG7qc3U60ApLU+w+Q
+-> ssh-ed25519 1g/xww UiK5nDMJg+tTc7zdE5zlEXmoBPE5dV2EpHxvhWBENmU
+ljQEJ+tiZPdFrpiZER5EOIsdnhpj05EKryhzm0vM3LU
+-> ssh-ed25519 +kBihw ZIcwOBbRMJ8jiu9Vcq8BvGyOT1xuqG+Mf/DXUHMeCAA
+wlXcO4kQpHmka49CARH0xvm/Lh0AcQ1j/bPx12wZVBY
+-> ssh-ed25519 dbKeHw +G44jyudYu9opDuMcTs05j5Ha91m9lm5g551uIAACEk
+9DXJxDc2L3PDCAi3cLfVajqPseaxmBpb+Uo3AW2R05I
+-> ssh-ed25519 Svnssw PZN+FpZsFnCqerEgW7B4RFHo7iumlUXL4pYt54/XxjM
+bKrgyqBpIMnntB0CHA560TvraQE9bPF06oOXR+wocIA
+--- RW8fUuT62TXXKS8k8MgKISzwORr/3hEl0XK2XSZFzpA
+W:ÙÍðiZS¶Öì‡ÓÞtó±ƒhÍðÕž0JßEg¾õÚPTá#8™²‡ì¹Žõ‘-‡“<E280A1>'€È°L8kpØ
--- a/secrets/darwin-policies-json.age
+++ b/secrets/darwin-policies-json.age
--- a/secrets/network-information.age
+++ b/secrets/network-information.age
--- a/secrets/pihole.age
+++ b/secrets/pihole.age
--- a/services/crowdsec.nix
+++ b/services/crowdsec.nix
@ -1,90 +0,0 @@
-{ pkgs, config, ... }:
-let
-  crowdsec-url = "127.0.0.1:2763";
-  firewall-bouncer-name = "fw-bouncer";
-  # Although this key can be reproduced by anyone who actually cares to, the
-  # Crowdsec API will not be exposed to the outside world, so keeping this key
-  # super secret really isn't that important to me. Still make it look random
-  # so that hungry botnets can't just slurp up the password in plaintext.
-  firewall-bouncer-key = builtins.hashString "sha256"
-    "${config.networking.hostName}-crowdsec-bouncer-salt";
-  toMultiYAML = items:
-    pkgs.lib.concatMapStrings (item:
-      ''
-
-        ---
-      '' + (pkgs.lib.generators.toYAML { } item) + "\n") items;
-in {
-  services = {
-    crowdsec = {
-      enable = true;
-      settings = {
-        api.server = { listen_uri = crowdsec-url; };
-        allowLocalJournalAccess = true;
-        crowdsec_service.acquisition_path = pkgs.writeText "acquisitions.yaml"
-          (toMultiYAML [
-            {
-              source = "journalctl";
-              journalctl_filter = [ "_SYSTEMD_UNIT=sshd.service" ];
-              labels.type = "syslog";
-            }
-            {
-              filenames = [ "/var/log/auth.log" ];
-              labels.type = "syslog";
-            }
-            {
-              filenames = [ "/var/log/syslog" "/var/log/kern.log" ];
-              labels.type = "syslog";
-            }
-          ]);
-      };
-    };
-    crowdsec-firewall-bouncer = {
-      enable = true;
-      settings = {
-        api_url = firewall-bouncer-name;
-        api_key = firewall-bouncer-key;
-      };
-    };
-  };
-
-  systemd.services.crowdsec.serviceConfig = {
-    ExecStartPre = let
-      bouncer-script = pkgs.writeScriptBin "register-bouncer" ''
-        #!${pkgs.runtimeShell}
-        set -eu
-        set -o pipefail
-
-        if ! cscli bouncers list | grep -q "${firewall-bouncer-name}"; then
-          cscli bouncers add "${firewall-bouncer-name}" --key "${firewall-bouncer-key}"
-        fi
-      '';
-      collection-check = collection: ''
-
-        if ! cscli collections list | grep -q "${collection}"; then
-          cscli collections install "${collection}"
-        fi
-
-      '';
-      collections = [
-        "crowdsecurity/base-http-scenarios"
-        "crowdsecurity/http-cve"
-        "crowdsecurity/http-dos"
-        "crowdsecurity/iptables"
-        "crowdsecurity/linux"
-        "crowdsecurity/sshd"
-        "crowdsecurity/whitelist-good-actors"
-      ];
-      collection-script = pkgs.writeScriptBin "install-collections" ''
-        #!${pkgs.runtimeShell}
-        set -eu
-        set -o pipefail
-
-        ${pkgs.lib.concatMapStrings collection-check collections}
-      '';
-    in [
-      "${bouncer-script}/bin/register-bouncer"
-      "${collection-script}/bin/install-collections"
-    ];
-  };
-}
--- a/systems/linux/mcentire.nix
+++ b/systems/linux/mcentire.nix
@ -4,7 +4,6 @@
  imports = [ # Include the results of the hardware scan.
    ./hardware-configuration/mcentire.nix
    ./../../services/nixos-update.nix
-    ./../../services/crowdsec.nix
  ];

  # Use the GRUB 2 boot loader.