initial crowdsec

hosts/nas/apps/crowdsec/default.nix

@@ -0,0 +1,44 @@
+{ outputs, pkgs, ... }:
+{
+  services = {
+    crowdsec = let
+      yaml = (pkgs.formats.yaml {}).generate;
+      acquisitions_file = yaml "acquisitions.yaml" {
+        source = "journalctl";
+        journalctl_filter = ["_SYSTEMD_UNIT=sshd.service"];
+        labels.type = "syslog";
+      };
+    in  {
+      enable = true;
+      enrollKeyFile = "/media/nas/ssd/nix-app-data/crowdsec/enroll.key";
+      settings = {
+        crowdsec_service.acquisition_path = acquisitions_file;
+        api.server = {
+          listen_uri = "0.0.0.0:9898";
+        };
+      };
+    };
+
+    crowdsec-firewall-bouncer = {
+      enable = true;
+      settings = {
+        api_key = "1daH89qmJ41r2Lpd9hvDw4sxtOAtBzaj3aKFOFqE";
+        api_url = "http://10.0.1.18:9898";
+      };
+    };
+  };
+
+  systemd.services.crowdsec.serviceConfig = {
+    ExecStartPre = let
+      script = pkgs.writeScriptBin "register-bouncer" ''
+        #!${pkgs.runtimeShell}
+        set -eu
+        set -o pipefail
+
+        if ! cscli bouncers list | grep -q "nas-bouncer"; then
+          cscli bouncers add "nas-bouncer" --key "1daH89qmJ41r2Lpd9hvDw4sxtOAtBzaj3aKFOFqE"
+        fi
+      '';
+    in ["${script}/bin/register-bouncer"];
+  };
+}