11 changed files with 3 additions and 145 deletions
--- a/nixos/viridian/containers/mealie.nix
+++ b/nixos/viridian/containers/mealie.nix
@ -6,7 +6,7 @@ in
  virtualisation.oci-containers.containers = {
    mealie = {
      autoStart = true;
-      image = "ghcr.io/mealie-recipes/mealie:v1.9.0";
+      image = "ghcr.io/mealie-recipes/mealie:v1.8.0";
      ports = [
        "${port}:9000"
      ];
@ -21,8 +21,6 @@ in
        MAX_WORKERS = "1";
        WEB_CONCURRENCY = "1";
        BASE_URL = "https://mealie.kanto.dev";
-        SECURITY_MAX_LOGIN_ATTEMPTS = "3";
-        SECRURITY_USER_LOCKOUT_TIME = "72";
      };
    };
  };
@ -34,8 +32,7 @@ in
        "websecure"
      ];
      middlewares = [
-        "crowdsec"
-        "geoblock"
+        "internal"
      ];
      service = "mealie";
    };
--- a/nixos/viridian/services/crowdsec/acquis.d/appsec.yaml
+++ b/nixos/viridian/services/crowdsec/acquis.d/appsec.yaml
@ -1,6 +0,0 @@
-listen_addr: 127.0.0.1:7422
-appsec_config: crowdsecurity/appsec-default
-name: traefik
-source: appsec
-labels:
-  type: appsec
--- a/nixos/viridian/services/crowdsec/default.nix
+++ b/nixos/viridian/services/crowdsec/default.nix
@ -1,94 +0,0 @@
-{ config, inputs, pkgs, ... }:
-let
-  port = "8080";
-in
-{
-  imports = [
-    inputs.crowdsec.nixosModules.crowdsec
-    inputs.crowdsec.nixosModules.crowdsec-firewall-bouncer
-  ];
-
-  nixpkgs.overlays = [
-    inputs.crowdsec.overlays.default
-  ];
-
-  age.secrets.enrollment-key = {
-    rekeyFile = ./enrollment_key.age;
-    owner = "crowdsec";
-    group = "crowdsec";
-  };
-
-  services.crowdsec = let
-    yaml = (pkgs.formats.yaml {}).generate;
-    acquisitions_file = yaml "acquisitions.yaml" {
-      source = "journalctl";
-      journalctl_filter = ["_SYSTEMD_UNIT=sshd.service"];
-      labels.type = "syslog";
-    };
-  in {
-    enable = true;
-    allowLocalJournalAccess = true;
-    enrollKeyFile = config.age.secrets.enrollment-key.path;
-    settings = {
-      api.server = {
-        listen_uri = "127.0.0.1:${port}";
-      };
-      crowdsec_service.acquisition_path = acquisitions_file;
-      crowdsec_service.acquisition_dir = ./acquis.d;
-    };
-  };
-
-  services.crowdsec-firewall-bouncer = {
-    enable = true;
-    settings = {
-      api_key = "2025f0be-35ca-406c-8737-810321c918c2";
-      api_url = "http://localhost:${port}";
-    };
-  };
-
-  systemd.services.crowdsec.serviceConfig = {
-    ExecStartPre = let
-      bouncer = pkgs.writeScriptBin "register-bouncer" ''
-        #!${pkgs.runtimeShell}
-        set -eu
-        set -o pipefail
-
-        if ! cscli bouncers list | grep -q "firewall-bouncer"; then
-          cscli bouncers add "firewall-bouncer" --key "2025f0be-35ca-406c-8737-810321c918c2"
-        fi
-
-        if ! cscli bouncers list | grep -q "traefik-bouncer"; then
-          cscli bouncers add "traefik-bouncer" --key "18c725d5-3a22-4331-a8e8-abfd3018a7c0"
-        fi
-      '';
-      scenario = pkgs.writeScriptBin "install-scenario" ''
-        #!${pkgs.runtimeShell}
-        set -eu
-        set -o pipefail
-
-        if ! cscli collections list | grep -q "crowdsecurity/linux"; then
-          cscli collections install "crowdsecurity/linux"
-        fi
-
-        if ! cscli collections list | grep -q "crowdsecurity/appsec-virtual-patching"; then
-          cscli collections install "crowdsecurity/appsec-virtual-patching"
-        fi
-
-        if ! cscli collections list | grep -q "crowdsecurity/appsec-generic-rules"; then
-          cscli collections install "crowdsecurity/appsec-generic-rules"
-        fi
-      '';
-    in [
-      "${bouncer}/bin/register-bouncer"
-      "${scenario}/bin/install-scenario"
-    ];
-  };
-
-  environment.persistence."/persist" = {
-    directories = [
-      { directory = "/var/lib/crowdsec"; user = "crowdsec"; group = "crowdsec"; }
-    ];
-    hideMounts = true;
-  };
-}
-
--- a/nixos/viridian/services/crowdsec/enrollment_key.age
+++ b/nixos/viridian/services/crowdsec/enrollment_key.age
--- a/nixos/viridian/services/crowdsec/firewall-bouncer-key.age
+++ b/nixos/viridian/services/crowdsec/firewall-bouncer-key.age
--- a/nixos/viridian/services/crowdsec/traefik-bouncer-key.age
+++ b/nixos/viridian/services/crowdsec/traefik-bouncer-key.age
@ -1,9 +0,0 @@
-age-encryption.org/v1
-> piv-p256 hdSnGw A6O6zvEq05hpB3GxDsrj2rUxr0P031TKreOe3ZAfUpJs
-Ww8Qg1MV5dJoCYQEGSNLUnZdX7dO1cGu3XaQTyn97PA
-> 0(D-grease b? xbW Qg ~cDE0j!
-s5z0LGzRiWS6lMMphO19nB7qmvXkto4RJrcTSrOtPHbY9Iam2aeYA0qN4faK40Zs
-XPc
--- q1PoY78SatX6wOKNW549+ndCCrNhveA8dHcHQpF+slk
-l
<0A>¾ß`òŠæ¨=(¡¾è;>Y[)Pfwú.§…óQ²¹¸W5áòØØL©Ã—K£DˆTœY$’µŸ
-ý’Ù¿zñ¨Ã]
--- a/nixos/viridian/services/default.nix
+++ b/nixos/viridian/services/default.nix
@ -3,7 +3,6 @@
 {
  imports = [
    ./traefik
-    ./crowdsec
    ./minecraft
    ./borgbackup.nix
    ./forgejo.nix
--- a/nixos/viridian/services/forgejo.nix
+++ b/nixos/viridian/services/forgejo.nix
@ -25,7 +25,6 @@
        "websecure"
      ];
      middlewares = [
-        "crowdsec"
        "geoblock"
      ];
      service = "forgejo";
--- a/nixos/viridian/services/lighttpd.nix
+++ b/nixos/viridian/services/lighttpd.nix
@ -14,7 +14,6 @@
        "websecure"
      ];
      middlewares = [
-        "crowdsec"
        "geoblock"
      ];
      service = "lighttpd";
--- a/nixos/viridian/services/traefik/default.nix
+++ b/nixos/viridian/services/traefik/default.nix
@ -53,17 +53,10 @@

      # Install plugins
      experimental.plugins = {
-        # Block or allow requests based on their country of origin.
        geoblock = {
          moduleName = "github.com/PascalMinder/geoblock";
          version = "v0.2.7";
        };
-
-        # Authorize or block requests from IPs based on there reputation and behaviour.
-        bouncer = {
-          moduleName = "github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin";
-          version = "v1.3.2";
-        };
      };

      # Network entry points into Traefik
--- a/nixos/viridian/services/traefik/middlewares.nix
+++ b/nixos/viridian/services/traefik/middlewares.nix
@ -1,13 +1,6 @@
-{ config, ... }:
+{ ... }:

 {
-  # Crowdsec Local API key for the bouncer.
-  age.secrets.traefik-bouncer-key = {
-    rekeyFile = ../crowdsec/traefik-bouncer-key.age;
-    owner = "traefik";
-    group = "traefik";
-  };
-
  # Attached to the routers, pieces of middleware are a means of tweaking the requests before they are sent to your service
  services.traefik.dynamicConfigOptions.http.middlewares = {
    # Restrict access to admin devices only
@ -16,14 +9,12 @@
      "192.168.1.101"   # fuchsia
      "10.100.0.2"      # Pixel 6 Pro
    ];
-
    # Restrict access to internal networks
    internal.ipwhitelist.sourcerange = [
      "127.0.0.1/32"    # localhost
      "192.168.1.1/24"  # lan
      "10.100.0.0/24"   # wireguard clients
    ];
-
    # Restrict access based on geo-location
    geoblock.plugin.geoblock = {
      silentStartUp = "false";
@ -51,17 +42,6 @@
      # Even if an IP stays in the cache for a period of a month, it must be fetch again after a month.
      forceMonthlyUpdate = "true";
    };
-
-    # Disable Crowdsec IP checking but apply Crowdsec Appsec checking. This mode is intended to be used when Crowdsec IP checking is applied at the Firewall Level.
-    crowdsec.plugin.bouncer = {
-      enabled = "true";
-      crowdsecMode = "appsec";
-      crowdsecLapiKeyFile = config.age.secrets.traefik-bouncer-key.path; 
-      crowdsecLapiScheme = "http";
-      crowdsecLapiHost = "127.0.0.1:8080";
-      crowdsecAppsecEnabled = "true";
-      crowdsecAppsecHost = "127.0.0.1:7422";
-    };
  };
 }