couple fixes

modules/nixos/services/crowdsec/default.nix

@@ -129,6 +129,36 @@ let
           # secrets.apiKeyPath = config.sops.secrets."jallen-nas/crowdsec-firewall-bouncer-api-key".path;
         };
       };
+
+      # The upstream crowdsec module uses ReadWritePaths (not StateDirectory) on
+      # crowdsec.service, meaning it expects /var/lib/crowdsec to exist as a real
+      # directory (created by tmpfiles). However, crowdsec-firewall-bouncer-register
+      # declares StateDirectory=crowdsec with DynamicUser=true, which conflicts: it
+      # tries to create /var/lib/private/crowdsec and symlink /var/lib/crowdsec → it,
+      # but /var/lib/crowdsec already exists as a real dir. Disabling DynamicUser on
+      # those two services lets them use the real crowdsec user/group instead, which is
+      # consistent with how crowdsec.service itself runs.
+      systemd.services.crowdsec.serviceConfig.DynamicUser = lib.mkForce false;
+      systemd.services.crowdsec-firewall-bouncer.serviceConfig.DynamicUser = lib.mkForce false;
+      systemd.services.crowdsec-firewall-bouncer-register.serviceConfig.DynamicUser = lib.mkForce false;
+
+      # crowdsec-firewall-bouncer-register calls cscli without -c, so cscli
+      # looks for /etc/crowdsec/config.yaml. The upstream crowdsec.service uses
+      # a nix store path via -c and never creates that file. Expose the config
+      # at /etc/crowdsec/config.yaml by extracting the store path from the
+      # crowdsec service's ExecStart list at NixOS eval time.
+      environment.etc."crowdsec/config.yaml" =
+        let
+          # ExecStart is [ " " "<store>/crowdsec -c <config-file> -info" ]
+          execStart = builtins.elemAt config.systemd.services.crowdsec.serviceConfig.ExecStart 1;
+          configPath = builtins.head (builtins.match ".* -c ([^ ]+) .*" execStart);
+        in
+        {
+          source = configPath;
+          mode = "0440";
+          user = "crowdsec";
+          group = "crowdsec";
+        };
     };
   };
 in