fix nix flake check

mjallen18
2026-03-25 16:42:34 -05:00
parent 642cee5dc5
commit ccd413d273
28 changed files with 228 additions and 224 deletions


@@ -10,9 +10,6 @@ let
name = "crowdsec";
cfg = config.${namespace}.services.${name};
ntfyServer = "https://ntfy.mjallen.dev";
ntfyTopic = "crowdsec";
# Build the notification-http plugin binary from the crowdsec source.
# The nixpkgs crowdsec package omits all notification plugin binaries;
# we build just the http one we need.
@@ -223,30 +220,61 @@ let
# a nix store path via -c and never creates that file. Expose the full
# NixOS-generated config (which includes plugin_config via
# settings.general.plugin_config) at the well-known path.
environment.etc."crowdsec/config.yaml" =
let
execStart = builtins.elemAt config.systemd.services.crowdsec.serviceConfig.ExecStart 1;
configPath = builtins.head (builtins.match ".* -c ([^ ]+) .*" execStart);
in
{
source = configPath;
mode = "0440";
environment.etc = {
"crowdsec/config.yaml" =
let
execStart = builtins.elemAt config.systemd.services.crowdsec.serviceConfig.ExecStart 1;
configPath = builtins.head (builtins.match ".* -c ([^ ]+) .*" execStart);
in
{
source = configPath;
mode = "0440";
user = "crowdsec";
group = "crowdsec";
};
# ---------------------------------------------------------------------------
# ntfy notifications via the CrowdSec HTTP notification plugin
# ---------------------------------------------------------------------------
# Place the notification-http binary at the path the NixOS crowdsec module
# hardcodes for plugin_dir (/etc/crowdsec/plugins/). CrowdSec matches
# plugins by their filename — it expects "notification-http" for type=http.
"crowdsec/plugins/notification-http" = lib.mkIf cfg.ntfy.enable {
source = "${crowdsecHttpPlugin}/bin/notification-http";
mode = "0550";
user = "crowdsec";
group = "crowdsec";
};
# ---------------------------------------------------------------------------
# ntfy notifications via the CrowdSec HTTP notification plugin
# ---------------------------------------------------------------------------
# Place the notification-http binary at the path the NixOS crowdsec module
# hardcodes for plugin_dir (/etc/crowdsec/plugins/). CrowdSec matches
# plugins by their filename — it expects "notification-http" for type=http.
environment.etc."crowdsec/plugins/notification-http" = lib.mkIf cfg.ntfy.enable {
source = "${crowdsecHttpPlugin}/bin/notification-http";
mode = "0550";
user = "crowdsec";
group = "crowdsec";
# CrowdSec profiles.yaml: route every alert to the ntfy plugin.
# This replaces the default "do nothing" profile.
"crowdsec/profiles.yaml" = lib.mkIf cfg.ntfy.enable {
text = ''
name: default_ip_remediation
filters:
- Alert.Remediation == true && Alert.GetScope() == "Ip"
decisions:
- type: ban
duration: 4h
notifications:
- ntfy_plugin
on_success: break
---
name: default_range_remediation
filters:
- Alert.Remediation == true && Alert.GetScope() == "Range"
decisions:
- type: ban
duration: 4h
notifications:
- ntfy_plugin
on_success: break
'';
mode = "0440";
user = "crowdsec";
group = "crowdsec";
};
};
# The ntfy plugin config YAML (with credentials baked in) is managed as a
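Review bot: The header comment `# CrowdSec profiles.yaml: route every alert to the ntfy plugin.` on the new `"crowdsec/profiles.yaml"` entry overstates what the profiles do: both filters require `Alert.Remediation == true` and a scope of `Ip` or `Range`, so alerts without a remediation decision are never handed to `ntfy_plugin`, and `on_success: break` stops any later profile from seeing them. Suggest `# CrowdSec profiles.yaml: ban Ip/Range alerts that carry a remediation and notify ntfy_plugin for each; alerts without a remediation are not forwarded.` The same hunk keeps `user = "crowdsec"` on the 0550 `notification-http` plugin copy; since a file's owner can change its mode, if this entry is materialised as a real file owned by the service account, that account could alter its own plugin binary, and leaving the copy root-owned (drop `user = "crowdsec";`, keep `group = "crowdsec"; mode = "0550";`) avoids that. The `builtins.head (builtins.match ".* -c ([^ ]+) .*" execStart)` in the `config.yaml` entry is moved rather than new, but it still fails with an unhelpful `head` error if the ExecStart shape changes and `match` returns null; an explicit null check with `throw` would name the real problem.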
@@ -260,35 +288,6 @@ let
}"
];
# CrowdSec profiles.yaml: route every alert to the ntfy plugin.
# This replaces the default "do nothing" profile.
environment.etc."crowdsec/profiles.yaml" = lib.mkIf cfg.ntfy.enable {
text = ''
name: default_ip_remediation
filters:
- Alert.Remediation == true && Alert.GetScope() == "Ip"
decisions:
- type: ban
duration: 4h
notifications:
- ntfy_plugin
on_success: break
---
name: default_range_remediation
filters:
- Alert.Remediation == true && Alert.GetScope() == "Range"
decisions:
- type: ban
duration: 4h
notifications:
- ntfy_plugin
on_success: break
'';
mode = "0440";
user = "crowdsec";
group = "crowdsec";
};
};
};
in