Arion: Install crowdsec

This commit is contained in:
GHOSCHT 2024-08-09 16:00:58 +02:00
parent 925a7948a5
commit bfd1b01d65
Signed by: ghoscht
GPG key ID: 2C2C1C62A5388E82
7 changed files with 75 additions and 151 deletions


@ -7,9 +7,7 @@
};
docker-compose.volumes = {
traefik_letsencrypt = null;
scrutiny_data = null;
scrutiny_db = null;
traefik-logs = null;
};
services = {
@ -40,8 +38,10 @@
};
volumes = [
"/home/ghoscht/.docker/infrastructure/traefik_config/traefik.yml:/traefik.yml:ro"
"/home/ghoscht/.docker/infrastructure/traefik_data/config.yml:/config.yml:ro"
"/storage/dataset/docker/infrastructure/traefik_data/acme.json:/acme.json"
"/var/run/docker.sock:/var/run/docker.sock:ro"
"traefik-logs:/var/log/traefik"
];
env_file = [
"/home/ghoscht/.docker/infrastructure/traefik.env"
@ -51,6 +51,46 @@
"dmz"
];
};
crowdsec.service = {
image = "crowdsecurity/crowdsec:v1.6.2";
container_name = "crowdsec";
environment = {
GID = "1000";
COLLECTIONS = "crowdsecurity/linux crowdsecurity/traefik firix/authentik LePresidente/gitea Dominic-Wagner/vaultwarden";
};
volumes = [
"/storage/dataset/docker/infrastructure/crowdsec_config/acquis.yaml:/etc/crowdsec/acquis.yaml"
"/storage/dataset/docker/infrastructure/crowdsec_config/profiles.yaml:/etc/crowdsec/profiles.yaml"
"/storage/dataset/docker/infrastructure/crowdsec_config/ntfy.yaml:/etc/crowdsec/notifications/ntfy.yaml"
"/storage/dataset/docker/infrastructure/crowdsec_db:/var/lib/crowdsec/data/"
"/storage/dataset/docker/infrastructure/crowdsec_data:/etc/crowdsec/"
"traefik-logs:/var/log/traefik/:ro"
"/var/run/docker.sock:/var/run/docker.sock:ro"
];
depends_on = [
"traefik"
];
networks = [
"dmz"
];
restart = "always";
};
bouncer-traefik.service = {
image = "fbonalair/traefik-crowdsec-bouncer:0.5.0";
environment = {
CROWDSEC_AGENT_HOST = "crowdsec:8080";
};
env_file = [
"/home/ghoscht/.docker/infrastructure/traefik-bouncer.env"
];
depends_on = [
"crowdsec"
];
networks = [
"dmz"
];
restart = "always";
};
scrutiny.service = {
image = "ghcr.io/analogj/scrutiny:v0.8.0-omnibus";
container_name = "scrutiny";
@ -85,18 +125,6 @@
"dmz"
];
};
dyndns.service = {
image = "ghcr.io/cromefire/fritzbox-cloudflare-dyndns:1.2.1";
container_name = "dyndns";
restart = "always";
ports = ["8888:8080"];
environment = {
CLOUDFLARE_ZONES_IPV4 = "ghoscht.com";
};
env_file = [
"/home/ghoscht/.docker/infrastructure/dyndns.env"
];
};
diun.service = {
image = "crazymax/diun:4.28";
container_name = "diun";
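Review bot: The new crowdsec service binds `/var/run/docker.sock:/var/run/docker.sock:ro`; a read-only bind of the socket still grants the full Docker API, so a compromise of the agent container is effectively a host compromise. If the socket is only needed for docker-log acquisition, fronting it with a socket proxy that exposes just the container and log endpoints, or dropping the mount and reading solely from the `traefik-logs` volume, keeps the blast radius to the log data. The equivalent mount on traefik is pre-existing context and not introduced here. Separately, `crowdsec_data:/etc/crowdsec/` is bound together with three file binds beneath that same directory (`acquis.yaml`, `profiles.yaml`, `notifications/ntfy.yaml`); whether those files shadow the volume's copies depends on mount ordering, so placing them inside `crowdsec_data` or documenting the intended precedence would make the layout reliable. The enclosing `services` attribute set starts and ends outside this hunk.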


@ -21,7 +21,7 @@ in {
owner = vars.user;
};
sops.secrets."dyndns/cloudflare_api_key" = {
sops.secrets."crowdsec/traefik_bouncer_api_key" = {
owner = vars.user;
};
@ -48,12 +48,12 @@ in {
'';
};
sops.templates."dyndns.env" = {
path = "/home/${vars.user}/.docker/infrastructure/dyndns.env";
sops.templates."traefik-bouncer.env" = {
path = "/home/${vars.user}/.docker/infrastructure/traefik-bouncer.env";
owner = vars.user;
mode = "0775";
content = ''
CLOUDFLARE_API_TOKEN="${config.sops.placeholder."dyndns/cloudflare_api_key"}"
CROWDSEC_BOUNCER_API_KEY="${config.sops.placeholder."crowdsec/traefik_bouncer_api_key"}"
'';
};
@ -74,6 +74,8 @@ in {
entrypoint:
to: websecure
scheme: https
websecure:
address: ":443"
web-external:
address: ":81"
http:
@ -81,16 +83,20 @@ in {
entrypoint:
to: websecure-external
scheme: https
websecure:
address: ":443"
middlewares:
- crowdsec-bouncer@file
websecure-external:
address: ":444"
providers:
http:
middlewares:
- crowdsec-bouncer@file
providers:
docker:
watch: true
exposedByDefault: false
network: dmz
file:
filename: /config.yml
certificatesResolvers:
letsencrypt:
acme:
@ -101,6 +107,11 @@ in {
resolvers:
- "1.1.1.1:53"
- "1.0.0.1:53"
log:
level: "INFO"
filePath: "/var/log/traefik/traefik.log"
accessLog:
filePath: "/var/log/traefik/access.log"
'';
};
sops.templates."diun.env" = {
@ -111,4 +122,10 @@ in {
DIUN_NOTIF_NTFY_TOKEN="${config.sops.placeholder."diun/ntfy_access_token"}"
'';
};
services.cron = {
enable = true;
systemCronJobs = [
"0 * * * * root . /etc/profile; docker exec crowdsec cscli hub update && docker exec crowdsec cscli hub upgrade >> /var/log/crowdsec-update.log"
];
};
}
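Review bot: The `traefik-bouncer.env` template that carries `CROWDSEC_BOUNCER_API_KEY` is written with `mode = "0775"`, which leaves the bouncer key readable by every local user, while the file is only ever bind-mounted into the bouncer container; `mode = "0600";` is sufficient. Nothing in the commit shows the matching key being registered on the crowdsec side, so presumably that was done by hand with cscli — a short comment on the secret saying where the value came from would save the next reader a search. In the cron entry, `>> /var/log/crowdsec-update.log` applies only to the final `hub upgrade` command and captures no stderr, so a failing `hub update` surfaces only through cron mail, and upgraded hub items are not active until the agent reloads, which the job never triggers. Something like `"0 * * * * root . /etc/profile; (docker exec crowdsec cscli hub update && docker exec crowdsec cscli hub upgrade && docker restart crowdsec) >> /var/log/crowdsec-update.log 2>&1"` covers both.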


@ -1,114 +0,0 @@
version: '3'
services:
traefik:
image: traefik
container_name: traefik
restart: always
ports:
- "80:80"
- "443:443"
- "6666:8080"
volumes:
- ./traefik_data:/etc/traefik
- /var/run/docker.sock:/var/run/docker.sock:ro
networks:
traefik_net:
labels:
- traefik.enable=true
- traefik.http.routers.dashboard.rule=Host(`traefik.ghoscht.com`)
- traefik.http.routers.dashboard.entrypoints=websecure
- traefik.http.services.dashboard.loadbalancer.server.port=8080
- traefik.http.routers.dashboard.tls=true
- traefik.http.routers.dashboard.tls.certresolver=lencrypt
env_file:
- traefik.env
dns:
- 1.1.1.1
homarr:
container_name: homarr
image: ghcr.io/ajnart/homarr:latest
restart: always
volumes:
- ./homarr_data:/app/data/configs
- ./homarr_icons:/app/public/imgs
networks:
traefik_net:
labels:
- traefik.enable=true
- traefik.http.routers.homarr.entrypoints=websecure
- traefik.http.routers.homarr.rule=Host(`dashboard.ghoscht.com`)
- traefik.http.routers.homarr.tls=true
- traefik.http.routers.homarr.tls.certresolver=lencrypt
dns:
- 1.1.1.1
scrutiny:
container_name: scrutiny
image: ghcr.io/analogj/scrutiny:master-omnibus
restart: always
cap_add:
- SYS_RAWIO
volumes:
- /run/udev:/run/udev:ro
- ./scrutiny_data:/opt/scrutiny/config
- ./scrutiny_db:/opt/scrutiny/influxdb
labels:
- traefik.enable=true
- traefik.http.routers.scrutiny.entrypoints=websecure
- traefik.http.routers.scrutiny.rule=Host(`scrutiny.ghoscht.com`)
- traefik.http.services.scrutiny.loadbalancer.server.port=8080
- traefik.http.routers.scrutiny.tls=true
- traefik.http.routers.scrutiny.tls.certresolver=lencrypt
networks:
traefik_net:
devices:
- "/dev/sda"
- "/dev/sdb"
ntfy:
image: binwiederhier/ntfy
container_name: ntfy
command:
- serve
environment:
- TZ=UTC # optional: set desired timezone
user: 1000:1000 # optional: replace with your own user/group or uid/gid
volumes:
- ./ntfy_data/server.yml:/etc/ntfy/server.yml
labels:
- traefik.enable=true
- traefik.http.routers.ntfy.entrypoints=websecure
- traefik.http.routers.ntfy.rule=Host(`ntfy.ghoscht.com`,`ntfy.local.ghoscht.com`)
- traefik.http.routers.ntfy.tls=true
- traefik.http.routers.ntfy.tls.certresolver=lencrypt
networks:
traefik_net:
homeassistant:
container_name: homeassistant
image: "ghcr.io/home-assistant/home-assistant:stable"
volumes:
- /mnt/hdd/docker/home-assistant_data:/config
- /etc/localtime:/etc/localtime:ro
- /run/dbus:/run/dbus:ro
restart: unless-stopped
privileged: true
labels:
- traefik.enable=true
- traefik.http.routers.homeassistant.entrypoints=websecure
- traefik.http.routers.homeassistant.rule=Host(`home.ghoscht.com`,`home.local.ghoscht.com`)
- traefik.http.routers.homeassistant.tls=true
- traefik.http.routers.homeassistant.tls.certresolver=lencrypt
- traefik.http.services.homeassistant.loadbalancer.server.port=8123
networks:
traefik_net:
cloudflared:
container_name: cloudflared
image: cloudflare/cloudflared:latest
restart: always
command: tunnel --no-autoupdate --protocol http2 run
env_file:
- cloudflared.env
networks:
traefik_net:
networks:
traefik_net:
name: traefik-net
external: true


@ -0,0 +1,6 @@
http:
middlewares:
crowdsec-bouncer:
forwardauth:
address: http://bouncer-traefik:8080/api/v1/forwardAuth
trustForwardHeader: true
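Review bot: `trustForwardHeader: true` makes Traefik hand the incoming `X-Forwarded-*` headers to the bouncer, and the bouncer's allow/deny decision is based on the client address it finds there, so the middleware is only as sound as the entrypoint's own `forwardedHeaders` policy, which this commit does not touch. If websecure sits behind another proxy or tunnel (the removed compose file had a cloudflared service, so this may still be the case), every request will carry that hop's address and a decision would land on the hop rather than the offending client; if Traefik is exposed directly, its default of overwriting untrusted forwarded headers is what makes this safe. Either way the dependency deserves a comment above `trustForwardHeader`, e.g. `# bouncer judges X-Forwarded-For; entrypoints must only accept X-Forwarded-* from known upstreams (forwardedHeaders.trustedIPs)`. The `http://bouncer-traefik:8080` address is plaintext inside the `dmz` network, which is acceptable only while that network is confined to these containers.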


@ -1,6 +0,0 @@
http:
middlewares:
httpsredirect:
redirectScheme:
scheme: https
permanent: true


@ -1,9 +0,0 @@
http:
routers:
redirecttohttps:
entryPoints:
- "web"
middlewares:
- "httpsredirect"
rule: "HostRegexp(`{host:.+}`)"
service: "noop@internal"


@ -51,6 +51,8 @@ minio:
root_password: ENC[AES256_GCM,data:0//dfGYkV80=,iv:h1b0R2QRpN/RI9kUBU0fiKLOI3PUYmisa7RH1ibSF4c=,tag:ln1cv5LQpb76vK5+eTvSuA==,type:str]
diun:
ntfy_access_token: ENC[AES256_GCM,data:37UYgaMlmpoMW74LqtxkuMqGQmCvLpVdJAgEmVxSULY=,iv:tZPlfIgo1vWvMPlQzCBPXj5xYDiTWJOsVwkxBjGNMDk=,tag:882g2UxFfg5VSKqAtEMk2Q==,type:str]
crowdsec:
traefik_bouncer_api_key: ENC[AES256_GCM,data:qNY3cWNxG2pyrTN1UnYCGWCmx1Yue1WAJZ8DEsLqnZ+RDoaJfvqqJazJUg==,iv:x0K9Vq+ZuojmeHSbS/0PoOQdLIRDMtGdmU+msv4PWzI=,tag:qgxQIBHtARTNv17x7N6zyw==,type:str]
wiki:
aws_access_key_id: ENC[AES256_GCM,data:Fqfa6XcDDpQ0l+/entQh6sxobBM=,iv:gbfHxTy0Oj9xYlucpN98CjNIURDrx9BuFF4Pfo90V0M=,tag:df8Z3J2ovO1MHPnzOsCtpg==,type:str]
aws_secret_access_key: ENC[AES256_GCM,data:sbgzvlN5dP4jZIGKtDsMn5o2RqWTl+XNi80ydnOgrQkgnQ/HxluWWA==,iv:xyCKfbf/UF9cFunCYHwVBw4eVvOeZQtfPtrz2s6zIII=,tag:S0wzL8d5iEn20VbOVfrZBw==,type:str]