8 changed files with 17 additions and 104 deletions
--- a/flake.nix
+++ b/flake.nix
@ -148,7 +148,6 @@
            quadlet-nix.nixosModules.quadlet
            crowdsec.nixosModules.crowdsec
            crowdsec.nixosModules.crowdsec-firewall-bouncer
            { nixpkgs.overlays = [ crowdsec.overlays.default ]; }
          ];
        };
      };
--- a/secrets.nix
+++ b/secrets.nix
@ -4,6 +4,8 @@ let
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM8G6okW/vpl3DTBwL64aPb+oxJsr2Wl6KzHYsLPecBc millironx@millironx.com";
  bosephus-host =
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIxTfeg+GZsfmG8TuEV1xW1gXknAIKzZ3UjZ3guRY+EW root@nixos";
  bosephus-root =
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFFl4zOdlKkpoccPZTX8195068gJVhylvV9pUYxy2kM+ root@bosephus";
  bosephus-millironx =
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKaDPqRJHoqgY2pseh/mnhjaGWXprHk2s5I52LhHpHcF millironx@bosephus";
  odyssey-millironx =
@ -15,6 +17,7 @@ let
  system-administrators = [
    anderson-millironx
    bosephus-root
    bosephus-millironx
    odyssey-millironx
    corianne-millironx
--- a/secrets/ansible-vault-password.age
+++ b/secrets/ansible-vault-password.age
@ -1,13 +1,15 @@
 age-encryption.org/v1
-> ssh-ed25519 il3lzQ Ni2CHjeijXHfF62cUqVTm8MAOn6rRg8UrhqN6xvdkyk
+-> ssh-ed25519 il3lzQ oDA/rl4XZJY+vIIdnMBaAuSMD+DnMX2n6+B3geHw/1Q
-DsT0Ysx88FlCLeRzoOGctX7KqatX9/UCr5WdtdLJAf4
+Jpv2pN6KwJAHgwWBbAAgmGVrZeO+wLmuwFRpJLsUDcU
-> ssh-ed25519 1g/xww jRn91F29sISMyi41anAlzVCzt1t1DnUqxtryqkTQPlM
+-> ssh-ed25519 bN6E9A jKvJPR87Eojde1aq2FFxRj+cxy+0S7Eix5JwRPRpX34
-cysgZLQR0YhiJYXBl59DjKbm+N8FnjA46wkQtnAzBFA
+48eC+KdOBcIGU0y2ui4iq+g8K9SG7qc3U60ApLU+w+Q
-> ssh-ed25519 +kBihw t6wlSnDKGgSzGhNJnryXVbDR40DATaV3fHovtI/u7zo
+-> ssh-ed25519 1g/xww UiK5nDMJg+tTc7zdE5zlEXmoBPE5dV2EpHxvhWBENmU
-zOyCZtzfLKeer9K6SMpfTxn6El4HB7gQFQqLOxIYB5U
+ljQEJ+tiZPdFrpiZER5EOIsdnhpj05EKryhzm0vM3LU
-> ssh-ed25519 dbKeHw cn+8WTwis58bYm2pfEra6LeLvzEZ8GhZrOEeN+kkhCM
+-> ssh-ed25519 +kBihw ZIcwOBbRMJ8jiu9Vcq8BvGyOT1xuqG+Mf/DXUHMeCAA
-fnlUAj8JtG8+r7Cj8xYUgF+JM6Pwqawn4sGI1LOeN78
+wlXcO4kQpHmka49CARH0xvm/Lh0AcQ1j/bPx12wZVBY
-> ssh-ed25519 Svnssw zmDBR8TdRZ9NzNhwPYRN6c8naTxAkULyUZpKgk7Gshk
+-> ssh-ed25519 dbKeHw +G44jyudYu9opDuMcTs05j5Ha91m9lm5g551uIAACEk
-0XCwpegEIlGXhnzLLUtmciKQiYiZRgnSOSvCcYeXXk8
+9DXJxDc2L3PDCAi3cLfVajqPseaxmBpb+Uo3AW2R05I
--- D/lZ36n5sVste2NWfdOx8/klPh0CTmMjVQN74KIqDRY
+-> ssh-ed25519 Svnssw PZN+FpZsFnCqerEgW7B4RFHo7iumlUXL4pYt54/XxjM
-]%得ﾇC}<7D>弡鶲ﾈﾓ"vﾎﾈ#<23>ｱｪ釋｢tｭ､ﾜ_Q;^*!ｻ+<+ｱ瑁詞ﾈdBﾗ/Kﾒ<4B>ﾉ`
+bKrgyqBpIMnntB0CHA560TvraQE9bPF06oOXR+wocIA
 --- RW8fUuT62TXXKS8k8MgKISzwORr/3hEl0XK2XSZFzpA
 W:ÙÍðiZS¶Öì‡ÓÞtó±ƒhÍðÕž0JßEg¾õÚPTá#8™²‡ì¹Žõ‘-‡“<E280A1>'€È°L8kpØ
--- a/secrets/darwin-policies-json.age
+++ b/secrets/darwin-policies-json.age
--- a/secrets/network-information.age
+++ b/secrets/network-information.age
--- a/secrets/pihole.age
+++ b/secrets/pihole.age
--- a/services/crowdsec.nix
+++ b/services/crowdsec.nix
@ -1,90 +0,0 @@
 { pkgs, config, ... }:
 let
  crowdsec-url = "127.0.0.1:2763";
  firewall-bouncer-name = "fw-bouncer";
  # Although this key can be reproduced by anyone who actually cares to, the
  # Crowdsec API will not be exposed to the outside world, so keeping this key
  # super secret really isn't that important to me. Still make it look random
  # so that hungry botnets can't just slurp up the password in plaintext.
  firewall-bouncer-key = builtins.hashString "sha256"
    "${config.networking.hostName}-crowdsec-bouncer-salt";
  toMultiYAML = items:
    pkgs.lib.concatMapStrings (item:
      ''
        ---
      '' + (pkgs.lib.generators.toYAML { } item) + "\n") items;
 in {
  services = {
    crowdsec = {
      enable = true;
      settings = {
        api.server = { listen_uri = crowdsec-url; };
        allowLocalJournalAccess = true;
        crowdsec_service.acquisition_path = pkgs.writeText "acquisitions.yaml"
          (toMultiYAML [
            {
              source = "journalctl";
              journalctl_filter = [ "_SYSTEMD_UNIT=sshd.service" ];
              labels.type = "syslog";
            }
            {
              filenames = [ "/var/log/auth.log" ];
              labels.type = "syslog";
            }
            {
              filenames = [ "/var/log/syslog" "/var/log/kern.log" ];
              labels.type = "syslog";
            }
          ]);
      };
    };
    crowdsec-firewall-bouncer = {
      enable = true;
      settings = {
        api_url = firewall-bouncer-name;
        api_key = firewall-bouncer-key;
      };
    };
  };
  systemd.services.crowdsec.serviceConfig = {
    ExecStartPre = let
      bouncer-script = pkgs.writeScriptBin "register-bouncer" ''
        #!${pkgs.runtimeShell}
        set -eu
        set -o pipefail
        if ! cscli bouncers list | grep -q "${firewall-bouncer-name}"; then
          cscli bouncers add "${firewall-bouncer-name}" --key "${firewall-bouncer-key}"
        fi
      '';
      collection-check = collection: ''
        if ! cscli collections list | grep -q "${collection}"; then
          cscli collections install "${collection}"
        fi
      '';
      collections = [
        "crowdsecurity/base-http-scenarios"
        "crowdsecurity/http-cve"
        "crowdsecurity/http-dos"
        "crowdsecurity/iptables"
        "crowdsecurity/linux"
        "crowdsecurity/sshd"
        "crowdsecurity/whitelist-good-actors"
      ];
      collection-script = pkgs.writeScriptBin "install-collections" ''
        #!${pkgs.runtimeShell}
        set -eu
        set -o pipefail
        ${pkgs.lib.concatMapStrings collection-check collections}
      '';
    in [
      "${bouncer-script}/bin/register-bouncer"
      "${collection-script}/bin/install-collections"
    ];
  };
 }
--- a/systems/linux/mcentire.nix
+++ b/systems/linux/mcentire.nix
@ -4,7 +4,6 @@
  imports = [ # Include the results of the hardware scan.
    ./hardware-configuration/mcentire.nix
    ./../../services/nixos-update.nix
    ./../../services/crowdsec.nix
  ];
  # Use the GRUB 2 boot loader.