mjallen/nix-config
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

move nas apps sorta

Browse Source
This commit is contained in:
mjallen18
2025-07-22 16:23:58 -05:00
parent c8ed7d74f8
commit 1d1f145b37
42 changed files with 1097 additions and 1940 deletions
Download Patch File Download Diff File Expand all files Collapse all files

58
modules/nixos/crowdsec/default.nix Executable file
View File

@@ -0,0 +1,58 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.nas-apps.crowdsec;
in
{
imports = [ ./options.nix ];
config = lib.mkIf cfg.enable {
services = {
crowdsec = let
yaml = (pkgs.formats.yaml {}).generate;
acquisitions_file = yaml "acquisitions.yaml" {
source = "journalctl";
journalctl_filter = ["_SYSTEMD_UNIT=sshd.service"];
labels.type = "syslog";
};
in {
enable = true;
enrollKeyFile = "${cfg.dataDir}/enroll.key";
settings = {
crowdsec_service.acquisition_path = acquisitions_file;
api.server = {
listen_uri = "0.0.0.0:${toString cfg.port}";
};
};
};
crowdsec-firewall-bouncer = {
enable = true;
settings = {
api_key = cfg.apiKey;
api_url = "http://${cfg.apiAddress}:${toString cfg.port}";
};
};
};
systemd.services.crowdsec.serviceConfig = {
ExecStartPre = let
script = pkgs.writeScriptBin "register-bouncer" ''
#!${pkgs.runtimeShell}
set -eu
set -o pipefail
if ! cscli bouncers list | grep -q "nas-bouncer"; then
cscli bouncers add "nas-bouncer" --key "${cfg.apiKey}"
fi
'';
in ["${script}/bin/register-bouncer"];
};
networking = {
firewall = {
allowedTCPPorts = [ cfg.port ];
allowedUDPPorts = [ cfg.port ];
};
};
};
}

27
modules/nixos/crowdsec/options.nix Normal file
View File

@@ -0,0 +1,27 @@
{ lib, ... }:
with lib;
{
options.nas-apps.crowdsec = {
enable = mkEnableOption "crowdsec service";
port = mkOption {
type = types.int;
default = 9898;
};
apiAddress = mkOption {
type = types.str;
default = "127.0.0.1";
};
apiKey = mkOption {
type = types.str;
default = "";
};
dataDir = mkOption {
type = types.str;
default = "";
};
};
}