changes

2025-04-25 20:35:33 +02:00
parent 9cfc423a38
commit 9a5a28098c
36 changed files with 453 additions and 51 deletions
--- a/hosts/fw/configuration.nix
+++ b/hosts/fw/configuration.nix
@@ -26,12 +26,14 @@
    ./modules/ddclient.nix
    # ./modules/wol.nix

+
    # microvm
    ./modules/microvm.nix
    ./modules/gitea-vm.nix
    # ./modules/vscode-server.nix  # Add VS Code Server microvm

    ./modules/ai-mailer.nix
+    ./modules/wazuh.nix

    # web
    ./modules/web
--- a/hosts/fw/modules/ai-mailer.nix
+++ b/hosts/fw/modules/ai-mailer.nix
@@ -49,7 +49,7 @@

      logging:
        level: "info"
-        file_path: "/var/log/ai-mailer.log"
+        file_path: "/var/log/ai-mailer/ai-mailer.log"
    '';
  };

@@ -72,7 +72,7 @@
      User = "ai-mailer";
      Group = "ai-mailer";
      WorkingDirectory = "/var/lib/ai-mailer";
-      ExecStart = "${pkgs.ai-mailer}/bin/paraclub-ai-mailer -config /etc/ai-mailer/config.yaml";
+      ExecStart = "${pkgs.ai-mailer}/bin/ai-mailer -config /etc/ai-mailer/config.yaml";
      Restart = "always";
      RestartSec = "10s";
      StateDirectory = "ai-mailer";
--- a/hosts/fw/modules/ddclient.nix
+++ b/hosts/fw/modules/ddclient.nix
@@ -15,6 +15,7 @@
      "palworld.cloonar.com"
      "matrix.cloonar.com"
      "element.cloonar.com"
+      "tinder.cloonar.com"
    ];
  };

--- a/hosts/fw/modules/home-assistant/default.nix
+++ b/hosts/fw/modules/home-assistant/default.nix
@@ -4,7 +4,7 @@ let
  pkgs-with-home-assistant = import (builtins.fetchGit {
    name = "new-home-assistant";
    url = "https://github.com/nixos/nixpkgs/";
-    rev = "41dea55321e5a999b17033296ac05fe8a8b5a257";
+    rev = "18dd725c29603f582cf1900e0d25f9f1063dbf11";
  }) {};
  networkPrefix = config.networkPrefix;
 in
@@ -161,7 +161,7 @@ in
        };
        script = ''
          set -e
-          HACS_VERSION="2.0.1"  # Replace with the latest version
+          HACS_VERSION="2.0.5"  # Replace with the latest version
          HACS_DIR="/var/lib/hass/custom_components/hacs"
          
          mkdir -p "$HACS_DIR"
--- a/hosts/fw/modules/home-assistant/multimedia.nix
+++ b/hosts/fw/modules/home-assistant/multimedia.nix
@@ -76,7 +76,7 @@
                  {
                    service = "automation.turn_off";
                    target = {
-                      entity_id = "automation.all_multimedia_off";  # Replace with your target automation ID
+                      entity_id = "automation.all_multimedia_off";
                    };
                  }
                  {
@@ -115,7 +115,7 @@
                  {
                    service = "automation.turn_on";
                    target = {
-                      entity_id = "automation.all_multimedia_off";  # Replace with your target automation ID
+                      entity_id = "automation.all_multimedia_off";
                    };
                  }
                ];
@@ -289,6 +289,9 @@
            command = "b64:JgDaAAABKZMUERMSExITEhMSExETEhMSExITEhMSExETNxQ2ExITEhMSEzcTNxM3ExITEhM3ExITNxMSEhITEhM3EzcTEhM3EwAFyAABKJQUERMSEhITEhMSExITEhMSEhITEhMSExITNxM3ExITEhMREzcTNxQ3EhITEhM3ExITNxMSExITEhM3EzcTEhM3EwAFyAABKJQUERMSExETEhMSExITEhMSExETEhMSExITNxM3ExITEhMREzcTOBI4ExETEhM3ExITNxMSExITEhM3EzcTEhM3E5IGAA0FAAAAAAAAAAAAAAAAAAA=";
          };
        }
+        {
+          delay = 20;
+        }
        # turn off tv switch
        {
          service = "switch.turn_off";
--- a/hosts/fw/modules/setupnetwork.nix
+++ b/hosts/fw/modules/setupnetwork.nix
@@ -26,6 +26,7 @@
      };
      subnet4 = [
        {
+          id = 110;
          pools = [
            {
              pool = "${config.networkPrefix}.110.100 - ${config.networkPrefix}.110.240";
--- a/hosts/fw/modules/tinder-api.nix
+++ b/hosts/fw/modules/tinder-api.nix
@@ -0,0 +1,84 @@
+{ config, lib, pkgs, ... }:
+
+let
+  cfg = config.services.tinder-api-wrapper;
+in {
+  options.services.tinder-api-wrapper = with lib; {
+    enable = mkEnableOption "Tinder API wrapper service";
+    
+    port = mkOption {
+      type = types.port;
+      default = 8080;
+      description = "Port to listen on";
+    };
+
+    apiEndpoint = mkOption {
+      type = types.str;
+      default = "https://api.gotinder.com";
+      description = "Target Tinder API endpoint URL";
+    };
+
+    user = mkOption {
+      type = types.str;
+      default = "tinder-api";
+      description = "User account to run service.";
+    };
+
+    group = mkOption {
+      type = types.str;
+      default = "tinder-api";
+      description = "Group account to run service.";
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    nixpkgs.overlays = [
+      (self: super: {
+        tinder-api-wrapper = self.callPackage ../pkgs/tinder-api.nix {};
+      })
+    ];
+
+    users.users.${cfg.user} = {
+      isSystemUser = true;
+      group = cfg.group;
+      description = "Tinder API wrapper service user";
+    };
+
+    users.groups.${cfg.group} = {};
+
+    systemd.services.tinder-api-wrapper = {
+      description = "Tinder API Wrapper Service";
+      wantedBy = [ "multi-user.target" ];
+      after = [ "network.target" ];
+
+      serviceConfig = {
+        Type = "simple";
+        User = cfg.user;
+        Group = cfg.group;
+        ExecStart = "${pkgs.tinder-api-wrapper}/bin/server -listen :${toString cfg.port} -target ${cfg.apiEndpoint}";
+        Restart = "always";
+        RestartSec = "10";
+        
+        # Hardening
+        NoNewPrivileges = true;
+        ProtectSystem = "strict";
+        ProtectHome = true;
+        PrivateTmp = true;
+        PrivateDevices = true;
+        ProtectHostname = true;
+        ProtectClock = true;
+        ProtectKernelTunables = true;
+        ProtectKernelModules = true;
+        ProtectKernelLogs = true;
+        ProtectControlGroups = true;
+        RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
+        RestrictNamespaces = true;
+        LockPersonality = true;
+        MemoryDenyWriteExecute = true;
+        RestrictRealtime = true;
+        RestrictSUIDSGID = true;
+        RemoveIPC = true;
+      };
+    };
+  };
+}
--- a/hosts/fw/modules/unbound.nix
+++ b/hosts/fw/modules/unbound.nix
@@ -54,6 +54,9 @@ let
        "\"switch.cloonar.com IN A ${config.networkPrefix}.97.10\""
        "\"mopidy.cloonar.com IN A ${config.networkPrefix}.97.21\""
        "\"deconz.cloonar.com IN A ${config.networkPrefix}.97.22\""
+        "\"wazuh-manager.cloonar.com IN A ${config.networkPrefix}.97.31\""
+        "\"wazuh-indexer.cloonar.com IN A ${config.networkPrefix}.97.32\""
+        "\"wazuh.cloonar.com IN A ${config.networkPrefix}.97.33\""
        "\"brn30055c566237.cloonar.com IN A ${config.networkPrefix}.96.100\""
        "\"snapcast.cloonar.com IN A ${config.networkPrefix}.97.21\""
        "\"home-assistant.cloonar.com IN A ${config.networkPrefix}.97.20\""
@@ -61,6 +64,7 @@ let
        "\"matrix.cloonar.com IN A ${config.networkPrefix}.97.5\""
        "\"element.cloonar.com IN A ${config.networkPrefix}.97.5\""
        "\"support.cloonar.com IN A ${config.networkPrefix}.97.5\""
+        "\"tinder.cloonar.com IN A ${config.networkPrefix}.97.5\""
        "\"git.cloonar.com IN A ${config.networkPrefix}.97.50\""
        "\"sync.cloonar.com IN A ${config.networkPrefix}.97.51\""

--- a/hosts/fw/modules/wazuh.nix
+++ b/hosts/fw/modules/wazuh.nix
@@ -0,0 +1,58 @@
+{ config, pkgs, ... }:
+
+{
+  virtualisation.oci-containers.containers = {
+    # Wazuh Manager Container
+    wazuh-manager = {
+      autoStart = false;
+      image = "docker://wazuh/wazuh-manager:latest";
+      volumes = [
+        "/var/lib/wazuh:/var/ossec"
+      ];
+      extraOptions = [
+        "--network=server"
+        "--mac-address=10:10:00:00:00:01"
+        "--ip=${config.networkPrefix}.97.31"
+      ];
+    };
+
+    # Wazuh Indexer Container (Elasticsearch)
+    wazuh-indexer = {
+      autoStart = false;
+      image = "docker://wazuh/wazuh-indexer:latest";
+      volumes = [
+        "/var/lib/wazuh-indexer:/usr/share/elasticsearch/data"
+      ];
+      environment = {
+        "discovery.type" = "single-node";
+      };
+      extraOptions = [
+        "--network=server"
+        "--mac-address=10:10:00:00:00:02"
+        "--ip=${config.networkPrefix}.97.32"
+      ];
+    };
+
+    # Wazuh Dashboard Container (Kibana)
+    wazuh-dashboard = {
+      autoStart = false;
+      image = "docker://wazuh/wazuh-dashboard:latest";
+      volumes = [
+        "/var/lib/wazuh-indexer:/usr/share/elasticsearch/data"
+      ];
+      environment = {
+        "discovery.type" = "single-node";
+      };
+      environment = {
+        # Optionally, configure to connect to the indexer/manager:
+        WAZUH_INDEXER_URL = "http://wazuh-indexer.cloonar.com:9200";
+        WAZUH_MANAGER_URL = "http://wazuh-manager.cloonar.com:55000";
+      };
+      extraOptions = [
+        "--network=server"
+        "--mac-address=10:10:00:00:00:03"
+        "--ip=${config.networkPrefix}.97.33"
+      ];
+    };
+  };
+}
--- a/hosts/fw/modules/web/default.nix
+++ b/hosts/fw/modules/web/default.nix
@@ -52,11 +52,13 @@ in {
          ../network-prefix.nix
          ../../utils/modules/sops.nix
          ../../utils/modules/lego/lego.nix
+          ../../modules/tinder-api.nix
          # ../../utils/modules/borgbackup.nix

          ./zammad.nix
          ./proxies.nix
          ./matrix.nix
+          ./tinder-api.nix
        ];

        networkPrefix = config.networkPrefix;
--- a/hosts/fw/modules/web/tinder-api.nix
+++ b/hosts/fw/modules/web/tinder-api.nix
@@ -0,0 +1,28 @@
+{ config, pkgs, ... }:
+
+{
+  services.tinder-api-wrapper = {
+    enable = true;
+    port = 8080;  # default port
+    apiEndpoint = "https://api.gotinder.com";
+  };
+  
+  services.nginx.virtualHosts."tinder.cloonar.com" = {
+    forceSSL = true;
+    enableACME = true;
+    acmeRoot = null;
+
+    locations."/" = {
+      proxyPass = "http://127.0.0.1:8080";
+      proxyWebsockets = true;
+      extraConfig =
+        "proxy_set_header X-Forwarded-Proto 'https';" +
+        "proxy_set_header X-Forwarded-Ssl on;" +
+        "proxy_connect_timeout  300;" +
+        "proxy_send_timeout     300;" +
+        "proxy_read_timeout     300;" +
+        "send_timeout           300;"
+      ;
+    };
+  };
+}
--- a/hosts/fw/pkgs/tinder-api.nix
+++ b/hosts/fw/pkgs/tinder-api.nix
@@ -0,0 +1,21 @@
+{ lib, buildGoModule, fetchgit }:
+
+buildGoModule rec {
+  pname = "tinder-api-wrapper";
+  version = "0.1.0";
+
+  src = fetchgit {
+    url = "https://git.cloonar.com/dominik.polakovics/tinder-api-wrapper.git";
+    rev = "e99b56e4346ac4ae5c1e0747e51ff3a0259440d3";
+    sha256 = "sha256-ZGuoFVaTBJcnGiToNvk+MRD+zW9IUQldbbqFVLEfkeU=";
+  };
+
+  vendorHash = null;
+
+  meta = with lib; {
+    description = "Tinder API Wrapper Service";
+    homepage = "https://git.cloonar.com/dominik.polakovics/tinder-api-wrapper";
+    license = licenses.mit;
+    maintainers = with maintainers; [ /* add maintainers */ ];
+  };
+}