temp

2025-09-22 07:48:44 -05:00
parent 0a40f7712a
commit aa0d09d3c9
12 changed files with 469 additions and 366 deletions
--- a/modules/nixos/services/crowdsec/default.nix
+++ b/modules/nixos/services/crowdsec/default.nix
@@ -12,55 +12,68 @@ in
 {
  imports = [ ./options.nix ];
  config = lib.mkIf cfg.enable {
-    services = {
-      crowdsec =
-        let
-          yaml = (pkgs.formats.yaml { }).generate;
-          acquisitions_file = yaml "acquisitions.yaml" {
-            source = "journalctl";
-            journalctl_filter = [ "_SYSTEMD_UNIT=sshd.service" ];
-            labels.type = "syslog";
-          };
-        in
-        {
-          enable = true;
-          enrollKeyFile = "${cfg.dataDir}/enroll.key";
-          settings = {
-            crowdsec_service.acquisition_path = acquisitions_file;
-            api.server = {
-              listen_uri = "0.0.0.0:${toString cfg.port}";
-            };
-          };
-        };

-      crowdsec-firewall-bouncer = {
+    services = {
+      crowdsec = {
        enable = true;
+        openFirewall = true;
+        hub = {
+          appSecConfigs = [
+            "crowdsecurity/appsec-default"
+          ];
+          appSecRules = [
+            "crowdsecurity/base-config"
+          ];
+          collections = [
+            "crowdsecurity/linux"
+            "crowdsecurity/traefik"
+            "firix/authentik"
+          ];
+          parsers = [
+            "crowdsecurity/sshd-logs"
+          ];
+          postOverflows = [
+            "crowdsecurity/auditd-nix-wrappers-whitelist-process"
+          ];
+          scenarios = [
+            "crowdsecurity/ssh-bf"
+          ];
+        };
+        localConfig = {
+          acquisitions = [
+            {
+              journalctl_filter = [
+                "_SYSTEMD_UNIT=sshd.service"
+              ];
+              labels = {
+                type = "syslog";
+              };
+              source = "journalctl";
+            }
+            {
+              journalctl_filter = [
+                "_SYSTEMD_UNIT=traefik.service"
+              ];
+              labels = {
+                type = "syslog";
+              };
+              source = "journalctl";
+            }
+            {
+              journalctl_filter = [
+                "_SYSTEMD_UNIT=authentik.service"
+              ];
+              labels = {
+                type = "syslog";
+              };
+              source = "journalctl";
+            }
+          ];
+        };
        settings = {
-          api_key = cfg.apiKey;
-          api_url = "http://${cfg.apiAddress}:${toString cfg.port}";
+          capi.credentialsFile = cfg.apiKey;
        };
      };
    };
-
-    systemd.services.crowdsec.serviceConfig = {
-      ExecStartPre =
-        let
-          script = pkgs.writeScriptBin "register-bouncer" ''
-            #!${pkgs.runtimeShell}
-            set -eu
-            set -o pipefail
-
-            if ! cscli bouncers list | grep -q "nas-bouncer"; then
-              cscli bouncers add "nas-bouncer" --key "${cfg.apiKey}"
-            fi
-          '';
-        in
-        [ "${script}/bin/register-bouncer" ];
-    };
-
-    networking.firewall = mkIf cfg.openFirewall {
-      allowedTCPPorts = [ cfg.port ];
-      allowedUDPPorts = [ cfg.port ];
-    };
  };
 }