jasmine/dotfiles.nix
1
0
Fork 0
Code Issues Pull requests Packages Projects Releases Wiki Activity

fix crowdsec/traefik

Browse source
This commit is contained in:
♥ Minnie ♥ 2024-11-23 20:18:08 +08:00
parent d496f1259d
commit 3df22f9eb0
Signed by: jasmine
GPG key ID: 8563E358D4E8040E
9 changed files with 77 additions and 72 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
nixos/common/global/ssh.nix
View file

@ -9,11 +9,4 @@
ports = [22]; ports = [22];
openFirewall = true; openFirewall = true;
}; };
services.rsyslogd = {
enable = true;
extraConfig = ''
if $programname == 'sshd' then /var/log/sshd.log
'';
};
} }

5
nixos/viridian/services/crowdsec/acquis.d/appsec.yaml
View file

@ -1,6 +1,5 @@
listen_addr: 127.0.0.1:7422
appsec_config: crowdsecurity/appsec-default appsec_config: crowdsecurity/appsec-default
name: traefik
source: appsec
labels: labels:
type: appsec type: appsec
listen_addr: 127.0.0.1:7422
source: appsec

5
nixos/viridian/services/crowdsec/acquis.d/syslog.yaml Normal file
View file

@ -0,0 +1,5 @@
source: journalctl
journalctl_filter:
- "_SYSTEMD_UNIT=ssh.service"
labels:
type: syslog

5
nixos/viridian/services/crowdsec/acquis.d/traefik.yaml Normal file
View file

@ -0,0 +1,5 @@
poll_without_inotify: false
filenames:
- /var/log/traefik/access.log
labels:
type: traefik

26
nixos/viridian/services/crowdsec/default.nix
View file

@ -21,14 +21,7 @@ in {
group = "crowdsec"; group = "crowdsec";
}; };
services.crowdsec = let services.crowdsec = {
yaml = (pkgs.formats.yaml {}).generate;
acquisitions_file = yaml "acquisitions.yaml" {
source = "journalctl";
journalctl_filter = ["_SYSTEMD_UNIT=sshd.service"];
labels.type = "syslog";
};
in {
enable = true; enable = true;
allowLocalJournalAccess = true; allowLocalJournalAccess = true;
enrollKeyFile = config.age.secrets.enrollment-key.path; enrollKeyFile = config.age.secrets.enrollment-key.path;
@ -36,7 +29,6 @@ in {
api.server = { api.server = {
listen_uri = "127.0.0.1:${port}"; listen_uri = "127.0.0.1:${port}";
}; };
crowdsec_service.acquisition_path = acquisitions_file;
crowdsec_service.acquisition_dir = ./acquis.d; crowdsec_service.acquisition_dir = ./acquis.d;
}; };
}; };
@ -80,6 +72,22 @@ in {
if ! cscli collections list | grep -q "crowdsecurity/appsec-generic-rules"; then if ! cscli collections list | grep -q "crowdsecurity/appsec-generic-rules"; then
cscli collections install "crowdsecurity/appsec-generic-rules" cscli collections install "crowdsecurity/appsec-generic-rules"
fi fi
if ! cscli collections list | grep -q "crowdsecurity/traefik"; then
cscli collections install "crowdsecurity/traefik"
fi
if ! cscli collections list | grep -q "crowdsecurity/http-cve"; then
cscli collections install "crowdsecurity/http-cve"
fi
if ! cscli collections list | grep -q "crowdsecurity/sshd"; then
cscli collections install "crowdsecurity/sshd"
fi
if ! cscli collections list | grep -q "crowdsecurity/base-http-scenarios"; then
cscli collections install "crowdsecurity/base-http-scenarios"
fi
''; '';
in [ in [
"${bouncer}/bin/register-bouncer" "${bouncer}/bin/register-bouncer"

BIN
nixos/viridian/services/crowdsec/firewall-bouncer-key.age
View file

Binary file not shown.

9
nixos/viridian/services/crowdsec/traefik-bouncer-key.age
View file

@ -1,9 +0,0 @@
age-encryption.org/v1
-> piv-p256 hdSnGw A6O6zvEq05hpB3GxDsrj2rUxr0P031TKreOe3ZAfUpJs
Ww8Qg1MV5dJoCYQEGSNLUnZdX7dO1cGu3XaQTyn97PA
-> 0(D-grease b? xbW Qg ~cDE0j!
s5z0LGzRiWS6lMMphO19nB7qmvXkto4RJrcTSrOtPHbY9Iam2aeYA0qN4faK40Zs
XPc
--- q1PoY78SatX6wOKNW549+ndCCrNhveA8dHcHQpF+slk
l <0A>¾ß`òŠæ¨=(¡¾è;>Y[)Pfwú.§…óQ²¹¸W5áòØØL©Ã—K£DˆTœY$’µŸ
ý’Ù¿zñ¨Ã]

54
nixos/viridian/services/traefik/default.nix
View file

@ -22,7 +22,7 @@
User = "traefik"; User = "traefik";
Group = "traefik"; Group = "traefik";
LogsDirectory = "traefik"; LogsDirectory = "traefik";
LogsDirectoryMode = "0750"; LogsDirectoryMode = "0755";
}; };
# Reverse proxy and load balancer for HTTP and TCP-based applications # Reverse proxy and load balancer for HTTP and TCP-based applications
@ -50,6 +50,16 @@
accessLog = { accessLog = {
filePath = "/var/log/traefik/access.log"; filePath = "/var/log/traefik/access.log";
format = "json"; format = "json";
filters.statusCodes = [
"200-299" # log successful http requests
"400-599" # log failed http requests
];
# collect logs in-memory buffer before writing into log file
bufferingSize = "0";
fields.headers = {
defaultMode = "drop"; # drop all headers per default
names.User-Agent = "keep"; # log user agent strings
};
}; };
# Install plugins # Install plugins
@ -63,7 +73,7 @@
# Authorize or block requests from IPs based on there reputation and behaviour. # Authorize or block requests from IPs based on there reputation and behaviour.
bouncer = { bouncer = {
moduleName = "github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin"; moduleName = "github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin";
version = "v1.3.2"; version = "v1.3.5";
}; };
}; };
@ -99,21 +109,6 @@
]; ];
}; };
}; };
# Used to expose metrics
metrics = {
address = ":8082";
};
};
# Provide metrics for the prometheus backend
metrics = {
prometheus = {
entryPoint = "metrics";
buckets = ["0.1" "0.3" "1.2" "5.0"];
addEntryPointsLabels = true;
addRoutersLabels = true;
addServicesLabels = true;
};
}; };
# Retrieve certificates from an ACME server # Retrieve certificates from an ACME server
@ -141,19 +136,20 @@
insecureSkipVerify = true; insecureSkipVerify = true;
}; };
}; };
};
# Scrape our traefik metrics dynamicConfigOptions.http.routers = {
services.prometheus.scrapeConfigs = [ traefik-dashboard = {
{ rule = "Host(`traefik.home.arpa`)";
job_name = "traefik"; entryPoints = [
static_configs = [ "websecure"
{ ];
targets = ["127.0.0.1:8082"]; middlewares = [
} "internal"
]; ];
} service = "api@internal";
]; };
};
};
# Persist our traefik data & logs # Persist our traefik data & logs
environment.persistence."/persist" = { environment.persistence."/persist" = {

38
nixos/viridian/services/traefik/middlewares.nix
View file

@ -1,11 +1,4 @@
{config, ...}: { {...}: {
# Crowdsec Local API key for the bouncer.
age.secrets.traefik-bouncer-key = {
rekeyFile = ../crowdsec/traefik-bouncer-key.age;
owner = "traefik";
group = "traefik";
};
# Attached to the routers, pieces of middleware are a means of tweaking the requests before they are sent to your service # Attached to the routers, pieces of middleware are a means of tweaking the requests before they are sent to your service
services.traefik.dynamicConfigOptions.http.middlewares = { services.traefik.dynamicConfigOptions.http.middlewares = {
# Restrict access to internal networks # Restrict access to internal networks
@ -42,16 +35,31 @@
forceMonthlyUpdate = "true"; forceMonthlyUpdate = "true";
}; };
# Disable Crowdsec IP checking but apply Crowdsec Appsec checking. # Intrusion Prevention System
# This mode is intended to be used when Crowdsec IP checking is applied at the Firewall Level.
crowdsec.plugin.bouncer = { crowdsec.plugin.bouncer = {
enabled = "true"; enabled = "true";
crowdsecMode = "appsec"; defaultDecisionSeconds = "60";
crowdsecLapiKeyFile = config.age.secrets.traefik-bouncer-key.path; crowdsecMode = "live";
crowdsecLapiScheme = "http";
crowdsecLapiHost = "127.0.0.1:8080";
crowdsecAppsecEnabled = "true"; crowdsecAppsecEnabled = "true";
crowdsecAppsecHost = "127.0.0.1:7422"; crowdsecAppsecHost = "localhost:7422";
crowdsecAppsecFailureBlock = "true";
crowdsecAppsecUnreachableBlock = "true";
crowdsecLapiKey = "18c725d5-3a22-4331-a8e8-abfd3018a7c0";
crowdsecLapiHost = "localhost:8080";
crowdsecLapiScheme = "http";
crowdsecLapiTLSInsecureVerify = "false";
forwardedHeadersTrustedIPs = [
# private class ranges
"10.0.0.0/8"
"172.16.0.0/12"
"192.168.0.0/16"
];
clientTrustedIPs = [
# private class ranges
"10.0.0.0/8"
"172.16.0.0/12"
"192.168.0.0/16"
];
}; };
}; };
} }