initial crowdsec

hosts/nas/apps.nix

@@ -2,6 +2,7 @@
 {
   imports = [
     ./apps/arrs
+    ./apps/crowdsec
     ./apps/jellyfin
     ./apps/jellyseerr
     ./apps/nextcloud

hosts/nas/apps/crowdsec/default.nix

@@ -0,0 +1,44 @@
+{ outputs, pkgs, ... }:
+{
+  services = {
+    crowdsec = let
+      yaml = (pkgs.formats.yaml {}).generate;
+      acquisitions_file = yaml "acquisitions.yaml" {
+        source = "journalctl";
+        journalctl_filter = ["_SYSTEMD_UNIT=sshd.service"];
+        labels.type = "syslog";
+      };
+    in  {
+      enable = true;
+      enrollKeyFile = "/media/nas/ssd/nix-app-data/crowdsec/enroll.key";
+      settings = {
+        crowdsec_service.acquisition_path = acquisitions_file;
+        api.server = {
+          listen_uri = "0.0.0.0:9898";
+        };
+      };
+    };
+
+    crowdsec-firewall-bouncer = {
+      enable = true;
+      settings = {
+        api_key = "1daH89qmJ41r2Lpd9hvDw4sxtOAtBzaj3aKFOFqE";
+        api_url = "http://10.0.1.18:9898";
+      };
+    };
+  };
+
+  systemd.services.crowdsec.serviceConfig = {
+    ExecStartPre = let
+      script = pkgs.writeScriptBin "register-bouncer" ''
+        #!${pkgs.runtimeShell}
+        set -eu
+        set -o pipefail
+
+        if ! cscli bouncers list | grep -q "nas-bouncer"; then
+          cscli bouncers add "nas-bouncer" --key "1daH89qmJ41r2Lpd9hvDw4sxtOAtBzaj3aKFOFqE"
+        fi
+      '';
+    in ["${script}/bin/register-bouncer"];
+  };
+}

hosts/nas/configuration.nix

@@ -96,6 +96,7 @@ in
       glances
       gparted
       htop
+      ipset
       jq
       lm_sensors
       nano

hosts/nas/impermanence.nix

@@ -40,6 +40,12 @@
         group = "jallen-nas";
         mode = "u=rwx,g=rx,o=rx";
       }
+      {
+        directory = "/var/lib/crowdsec";
+        user = "crowdsec";
+        group = "crowdsec";
+        mode = "u=rwx,g=rwx,o=rx";
+      }
     ];
     files = [
       "/var/cache-priv-key.pem"