From d496f1259d7fb143b51e4b1a397aefd80037c3be Mon Sep 17 00:00:00 2001
From: jasmine
Date: Sat, 23 Nov 2024 12:06:14 +0800
Subject: [PATCH 1/2] fix mpd
---
 home-manager/sajenim/features/desktop/mpd/default.nix | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/home-manager/sajenim/features/desktop/mpd/default.nix b/home-manager/sajenim/features/desktop/mpd/default.nix
index 77956cd..89ea00c 100644
--- a/home-manager/sajenim/features/desktop/mpd/default.nix
+++ b/home-manager/sajenim/features/desktop/mpd/default.nix
@@ -1,18 +1,18 @@
 {pkgs, ...}: {
 services.mpd = {
 enable = true;
- musicDirectory = "nfs://viridian.kanto.dev/srv/multimedia/library/music";
+ musicDirectory = "nfs://viridian.home.arpa/srv/multimedia/library/music";
 dbFile = null;
 extraConfig = ''
 database {
 plugin "proxy"
- host "viridian.kanto.dev"
+ host "viridian.home.arpa"
 port "6600"
 }
 audio_output {
- type "pulse"
- name "PulseAudio"
+ type "pipewire"
+ name "pipewire server"
 server "127.0.0.1" # MPD must connect to the local sound server
 }
 '';
From 180656160c41d58d738973e7d5684e23b6c65519 Mon Sep 17 00:00:00 2001
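Review bot: The context line `server "127.0.0.1" # MPD must connect to the local sound server` is left under the output that is now `type "pipewire"`, but `server` is a setting of the PulseAudio output plugin; as far as I know the pipewire plugin takes `target`/`remote` instead, so this line is at best ignored and may be rejected as an unknown option when MPD parses the block. Confirm against MPD's startup log for this output and either drop the line or replace it with the pipewire plugin's own option. The trailing comment also still describes the PulseAudio setup and should go with it.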
From: jasmine
Date: Sat, 23 Nov 2024 20:18:08 +0800
Subject: [PATCH 2/2] fix crowdsec/traefik
---
 nixos/common/global/ssh.nix | 7 ---
 .../services/crowdsec/acquis.d/appsec.yaml | 5 +--
 .../services/crowdsec/acquis.d/syslog.yaml | 5 +++
 .../services/crowdsec/acquis.d/traefik.yaml | 5 +++
 nixos/viridian/services/crowdsec/default.nix | 28 +++++++-----
 .../crowdsec/firewall-bouncer-key.age | Bin 345 -> 0 bytes
 .../services/crowdsec/traefik-bouncer-key.age | 9 ----
 nixos/viridian/services/traefik/default.nix | 41 +++++-------------
 .../viridian/services/traefik/middlewares.nix | 36 +++++++++------
 9 files changed, 64 insertions(+), 72 deletions(-)
 create mode 100644 nixos/viridian/services/crowdsec/acquis.d/syslog.yaml
 create mode 100644 nixos/viridian/services/crowdsec/acquis.d/traefik.yaml
 delete mode 100644 nixos/viridian/services/crowdsec/firewall-bouncer-key.age
 delete mode 100644 nixos/viridian/services/crowdsec/traefik-bouncer-key.age
diff --git a/nixos/common/global/ssh.nix b/nixos/common/global/ssh.nix
index 40a41e5..243ff12 100644
--- a/nixos/common/global/ssh.nix
+++ b/nixos/common/global/ssh.nix
@@ -9,11 +9,4 @@
 ports = [22];
 openFirewall = true;
 };
-
- services.rsyslogd = {
- enable = true;
- extraConfig = ''
- if $programname == 'sshd' then /var/log/sshd.log
- '';
- };
 }
diff --git a/nixos/viridian/services/crowdsec/acquis.d/appsec.yaml b/nixos/viridian/services/crowdsec/acquis.d/appsec.yaml
index f5cb42f..2494989 100644
--- a/nixos/viridian/services/crowdsec/acquis.d/appsec.yaml
+++ b/nixos/viridian/services/crowdsec/acquis.d/appsec.yaml
@@ -1,6 +1,5 @@
-listen_addr: 127.0.0.1:7422
 appsec_config: crowdsecurity/appsec-default
-name: traefik
-source: appsec
 labels:
 type: appsec
+listen_addr: 127.0.0.1:7422
+source: appsec
diff --git a/nixos/viridian/services/crowdsec/acquis.d/syslog.yaml b/nixos/viridian/services/crowdsec/acquis.d/syslog.yaml
new file mode 100644
index 0000000..811c059
--- /dev/null
+++ b/nixos/viridian/services/crowdsec/acquis.d/syslog.yaml
@@ -0,0 +1,5 @@
+source: journalctl
+journalctl_filter:
+ - "_SYSTEMD_UNIT=ssh.service"
+labels:
+ type: syslog
diff --git a/nixos/viridian/services/crowdsec/acquis.d/traefik.yaml b/nixos/viridian/services/crowdsec/acquis.d/traefik.yaml
new file mode 100644
index 0000000..e6a5972
--- /dev/null
+++ b/nixos/viridian/services/crowdsec/acquis.d/traefik.yaml
@@ -0,0 +1,5 @@
+poll_without_inotify: false
+filenames:
+ - /var/log/traefik/access.log
+labels:
+ type: traefik
diff --git a/nixos/viridian/services/crowdsec/default.nix b/nixos/viridian/services/crowdsec/default.nix
index b8471d3..954bd36 100644
--- a/nixos/viridian/services/crowdsec/default.nix
+++ b/nixos/viridian/services/crowdsec/default.nix
@@ -21,14 +21,7 @@ in {
 group = "crowdsec";
 };
- services.crowdsec = let
- yaml = (pkgs.formats.yaml {}).generate;
- acquisitions_file = yaml "acquisitions.yaml" {
- source = "journalctl";
- journalctl_filter = ["_SYSTEMD_UNIT=sshd.service"];
- labels.type = "syslog";
- };
- in {
+ services.crowdsec = {
 enable = true;
 allowLocalJournalAccess = true;
 enrollKeyFile = config.age.secrets.enrollment-key.path;
@@ -36,7 +29,6 @@ in {
 api.server = {
 listen_uri = "127.0.0.1:${port}";
 };
- crowdsec_service.acquisition_path = acquisitions_file;
 crowdsec_service.acquisition_dir = ./acquis.d;
 };
 };
@@ -45,7 +37,7 @@ in {
 enable = true;
 settings = {
 api_key = "2025f0be-35ca-406c-8737-810321c918c2";
- api_url = "http://localhost:${port}";
+ api_url = "http://127.0.0.1:${port}";
 };
 };
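Review bot: `- "_SYSTEMD_UNIT=ssh.service"` in the new syslog.yaml probably matches no journal entries on this host: the acquisition it replaces (the `acquisitions_file` removed from crowdsec/default.nix in this same patch) filtered on `sshd.service`, which is the unit name NixOS's openssh module creates, so the `crowdsecurity/sshd` collection installed later in the patch would never see a log line and brute-force detection for port 22 would stop silently. Unless the unit was deliberately renamed, change the filter back to `- "_SYSTEMD_UNIT=sshd.service"`. After deploying, `cscli metrics` should show lines read for the journalctl source once a login attempt has been made.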
@@ -80,6 +72,22 @@ in { if ! cscli collections list | grep -q "crowdsecurity/appsec-generic-rules"; then cscli collections install "crowdsecurity/appsec-generic-rules" fi + + if ! cscli collections list | grep -q "crowdsecurity/traefik"; then + cscli collections install "crowdsecurity/traefik" + fi + + if ! cscli collections list | grep -q "crowdsecurity/http-cve"; then + cscli collections install "crowdsecurity/http-cve" + fi + + if ! cscli collections list | grep -q "crowdsecurity/sshd"; then + cscli collections install "crowdsecurity/sshd" + fi + + if ! cscli collections list | grep -q "crowdsecurity/base-http-scenarios"; then + cscli collections install "crowdsecurity/base-http-scenarios" + fi ''; in [ "${bouncer}/bin/register-bouncer" diff --git a/nixos/viridian/services/crowdsec/firewall-bouncer-key.age b/nixos/viridian/services/crowdsec/firewall-bouncer-key.age deleted file mode 100644 index e57adc923888c23967b3889a50e4d296ec2e0d7d..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 345 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14$Sl(>Ffuh$$Vds!b1zqLGzf{x3e`?a z@+tNSa!s$QNb?Re&B^rC4>R#BjPNsvtTZWc^$&4MN=fwK%F1yyG0n=XbPcEoEpyB; z_4U_JNeeCsEUzf8h>R$;$WPaHNhO8)>E3d`TM?;^2||-LpQa2pJ}=9{%ru_9euh0 diff --git a/nixos/viridian/services/crowdsec/traefik-bouncer-key.age b/nixos/viridian/services/crowdsec/traefik-bouncer-key.age deleted file mode 100644 index 2ba698b..0000000 --- a/nixos/viridian/services/crowdsec/traefik-bouncer-key.age +++ /dev/null @@ -1,9 +0,0 @@ -age-encryption.org/v1 --> piv-p256 hdSnGw A6O6zvEq05hpB3GxDsrj2rUxr0P031TKreOe3ZAfUpJs -Ww8Qg1MV5dJoCYQEGSNLUnZdX7dO1cGu3XaQTyn97PA --> 0(D-grease b? xbW Qg ~cDE0j! -s5z0LGzRiWS6lMMphO19nB7qmvXkto4RJrcTSrOtPHbY9Iam2aeYA0qN4faK40Zs -XPc ---- q1PoY78SatX6wOKNW549+ndCCrNhveA8dHcHQpF+slk -l `=(;>Y[)Pfw.QW5L×KDTY$ -ٿz] \ No newline at end of file diff --git a/nixos/viridian/services/traefik/default.nix b/nixos/viridian/services/traefik/default.nix index 8e7f782..bc3c3cc 100644 
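Review bot: The four added `if ! cscli collections list | grep -q "…"; then cscli collections install "…"; fi` blocks are copies of the existing appsec-generic-rules block with only the collection name changed; a single loop over the names keeps the list of installed collections in one place and makes the next addition a one-line change. Note that inside the Nix `''` string the shell variable must be written as `$collection`, since a `${...}` form would be parsed as Nix interpolation. The `''` string and the `let` binding it belongs to start before this hunk.
```nix
      # … unchanged: earlier hub setup in this script …
      for collection in \
        crowdsecurity/appsec-generic-rules \
        crowdsecurity/traefik \
        crowdsecurity/http-cve \
        crowdsecurity/sshd \
        crowdsecurity/base-http-scenarios; do
        # $collection without braces: "${...}" would be Nix interpolation here
        if ! cscli collections list | grep -q "$collection"; then
          cscli collections install "$collection"
        fi
      done
    '';
```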
--- a/nixos/viridian/services/traefik/default.nix
+++ b/nixos/viridian/services/traefik/default.nix
@@ -22,7 +22,7 @@
 User = "traefik";
 Group = "traefik";
 LogsDirectory = "traefik";
- LogsDirectoryMode = "0750";
+ LogsDirectoryMode = "0755";
 };
 # Reverse proxy and load balancer for HTTP and TCP-based applications
@@ -50,6 +50,16 @@
 accessLog = {
 filePath = "/var/log/traefik/access.log";
 format = "json";
+ filters.statusCodes = [
+ "200-299" # log successful http requests
+ "400-599" # log failed http requests
+ ];
+ # collect logs in-memory buffer before writing into log file
+ bufferingSize = "0";
+ fields.headers = {
+ defaultMode = "drop"; # drop all headers per default
+ names.User-Agent = "keep"; # log user agent strings
+ };
 };
 # Install plugins
@@ -63,7 +73,7 @@
 # Authorize or block requests from IPs based on there reputation and behaviour.
 bouncer = {
 moduleName = "github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin";
- version = "v1.3.2";
+ version = "v1.3.5";
 };
 };
@@ -99,21 +109,6 @@
 ];
 };
 };
- # Used to expose metrics
- metrics = {
- address = ":8082";
- };
- };
-
- # Provide metrics for the prometheus backend
- metrics = {
- prometheus = {
- entryPoint = "metrics";
- buckets = ["0.1" "0.3" "1.2" "5.0"];
- addEntryPointsLabels = true;
- addRoutersLabels = true;
- addServicesLabels = true;
- };
 };
 # Retrieve certificates from an ACME server
@@ -143,18 +138,6 @@
 };
 };
- # Scrape our traefik metrics
- services.prometheus.scrapeConfigs = [
- {
- job_name = "traefik";
- static_configs = [
- {
- targets = ["127.0.0.1:8082"];
- }
- ];
- }
- ];
-
 # Persist our traefik data & logs
 environment.persistence."/persist" = {
 directories = [
diff --git a/nixos/viridian/services/traefik/middlewares.nix b/nixos/viridian/services/traefik/middlewares.nix
index 28f84f7..4e0e50b 100644
--- a/nixos/viridian/services/traefik/middlewares.nix
+++ b/nixos/viridian/services/traefik/middlewares.nix
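Review bot: `LogsDirectoryMode = "0755";` opens /var/log/traefik to every local account, presumably so the crowdsec agent can read access.log (the new acquis.d/traefik.yaml points at it); that log carries client IPs, request paths and, after this patch, User-Agent strings, so the narrower fix is to keep `0750` and give the agent group access, e.g. `users.users.crowdsec.extraGroups = ["traefik"];`, assuming the agent runs as `crowdsec` as the `group = "crowdsec"` on its secret in crowdsec/default.nix suggests. Whether access.log itself is group-readable depends on the mode Traefik creates it with, which is not visible here; check `ls -l /var/log/traefik` after deploy.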
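Review bot: `filters.statusCodes = [ "200-299" "400-599" ]` drops every 1xx and 3xx entry from the access log that crowdsec now parses; if the plain-HTTP entrypoint redirects to HTTPS (not visible in this hunk), each probe against it is answered with a 30x and never reaches the HTTP scenarios installed in crowdsec/default.nix. Either add `"300-399"` to the list or drop the filter and let the collection's parsers discard what is irrelevant. The comment above `bufferingSize = "0";` says the opposite of what the value does; `# 0 = write each line immediately (no in-memory buffering)` would match the setting.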
@@ -1,11 +1,4 @@
-{config, ...}: {
- # Crowdsec Local API key for the bouncer.
- age.secrets.traefik-bouncer-key = {
- rekeyFile = ../crowdsec/traefik-bouncer-key.age;
- owner = "traefik";
- group = "traefik";
- };
-
+{...}: {
 # Attached to the routers, pieces of middleware are a means of tweaking the requests before they are sent to your service
 services.traefik.dynamicConfigOptions.http.middlewares = {
 # Restrict access to internal networks
@@ -42,16 +35,31 @@
 forceMonthlyUpdate = "true";
 };
- # Disable Crowdsec IP checking but apply Crowdsec Appsec checking.
- # This mode is intended to be used when Crowdsec IP checking is applied at the Firewall Level.
+ # Intrusion Prevention System
 crowdsec.plugin.bouncer = {
 enabled = "true";
- crowdsecMode = "appsec";
- crowdsecLapiKeyFile = config.age.secrets.traefik-bouncer-key.path;
- crowdsecLapiScheme = "http";
- crowdsecLapiHost = "127.0.0.1:8080";
+ defaultDecisionSeconds = "60";
+ crowdsecMode = "live";
 crowdsecAppsecEnabled = "true";
 crowdsecAppsecHost = "127.0.0.1:7422";
+ crowdsecAppsecFailureBlock = "true";
+ crowdsecAppsecUnreachableBlock = "true";
+ crowdsecLapiKey = "18c725d5-3a22-4331-a8e8-abfd3018a7c0";
+ crowdsecLapiHost = "127.0.0.1:8080";
+ crowdsecLapiScheme = "http";
+ crowdsecLapiTLSInsecureVerify = "false";
+ forwardedHeadersTrustedIPs = [
+ # private class ranges
+ "10.0.0.0/8"
+ "172.16.0.0/12"
+ "192.168.0.0/16"
+ ];
+ clientTrustedIPs = [
+ # private class ranges
+ "10.0.0.0/8"
+ "172.16.0.0/12"
+ "192.168.0.0/16"
+ ];
 };
 };
 }
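Review bot: `crowdsecLapiKey = "18c725d5-3a22-4331-a8e8-abfd3018a7c0";` replaces the removed `crowdsecLapiKeyFile = config.age.secrets.traefik-bouncer-key.path;`, so the LAPI bouncer key now lives in clear text in the repository and is rendered into the world-readable Nix store with Traefik's dynamic configuration instead of staying in an age-encrypted file. The first hunk of this file deletes the `age.secrets.traefik-bouncer-key` definition that could have been kept; restore it together with the `{config, ...}:` argument and go back to `crowdsecLapiKeyFile`. The key committed here should be treated as exposed and rotated (`cscli bouncers delete` and re-add) regardless of which option ends up in the config. The firewall bouncer's `api_key` literal in crowdsec/default.nix, whose `firewall-bouncer-key.age` this patch also deletes, has the same exposure.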