ntfy crowdsec

2026-03-24 16:11:07 -05:00
parent f8a86f9b29
commit a4c2cbdf7b
3 changed files with 93 additions and 55 deletions
--- a/systems/x86_64-linux/jallen-nas/sops.nix
+++ b/systems/x86_64-linux/jallen-nas/sops.nix
@@ -259,10 +259,10 @@ in
      "jallen-nas/ntfy/auth-users" = {
        sopsFile = defaultSops;
      };
+
      "jallen-nas/ntfy/user" = {
        sopsFile = defaultSops;
        mode = "0440";
-        owner = "grafana";
        group = "keys";
        restartUnits = [
          "grafana.service"
@@ -273,7 +273,6 @@ in
      "jallen-nas/ntfy/password" = {
        sopsFile = defaultSops;
        mode = "0440";
-        owner = "grafana";
        group = "keys";
        restartUnits = [
          "grafana.service"
@@ -357,7 +356,8 @@ in
          NTFY_USER=${config.sops.placeholder."jallen-nas/ntfy/user"}
          NTFY_PASSWORD=${config.sops.placeholder."jallen-nas/ntfy/password"}
        '';
-        mode = "0600";
+        mode = "0640";
+        group = "keys";
        restartUnits = [
          "crowdsec.service"
          "upsmon.service"
@@ -366,6 +366,33 @@ in
        ];
      };

+      # CrowdSec HTTP notification plugin config with credentials baked in.
+      # The plugin process spawned by crowdsec/cscli reads this file directly.
+      # Credentials are embedded in the URL using HTTP basic auth so no
+      # base64 encoding or env var injection is needed.
+      "crowdsec/notifications/ntfy.yaml" = {
+        content = ''
+          type: http
+          name: ntfy_plugin
+          log_level: info
+          format: "{{range . -}}CrowdSec blocked: {{.Scenario}}\nSource IP: {{.Source.Value}}\nCountry: {{.Source.Cn}}\nDecisions: {{.Decisions | len}}{{range .Decisions}}\nAction: {{.Type}} for {{.Duration}}{{end}}\n{{end}}"
+          url: https://${config.sops.placeholder."jallen-nas/ntfy/user"}:${
+            config.sops.placeholder."jallen-nas/ntfy/password"
+          }@ntfy.mjallen.dev/crowdsec
+          method: POST
+          headers:
+            Title: "CrowdSec: {{(index . 0).Scenario}}"
+            Priority: "high"
+            Tags: "rotating_light,shield"
+          skip_tls_verify: false
+          timeout: 10s
+        '';
+        mode = "0440";
+        owner = "crowdsec";
+        group = "crowdsec";
+        restartUnits = [ "crowdsec.service" ];
+      };
+
      "paperless.env" = {
        content = ''
          PAPERLESS_ADMIN_USER = "mjallen"
--- a/systems/x86_64-linux/jallen-nas/users.nix
+++ b/systems/x86_64-linux/jallen-nas/users.nix
@@ -57,8 +57,16 @@ in
      prometheus = {
        extraGroups = [ "keys" ];
      };
+
+      # crowdsec needs to read the ntfy.env SOPS template for notifications.
+      crowdsec = {
+        isSystemUser = true;
+        group = "crowdsec";
+        extraGroups = [ "keys" ];
+      };
    };

    groups.nextcloud-exporter = { };
+    groups.crowdsec = { };
  };
 }