move stuff

2025-08-26 17:20:27 -05:00
parent f66c0726b0
commit d15762b199
68 changed files with 24 additions and 25 deletions
--- a/modules/nixos/services/crowdsec/default.nix
+++ b/modules/nixos/services/crowdsec/default.nix
@@ -0,0 +1,66 @@
+{
+  config,
+  lib,
+  pkgs,
+  namespace,
+  ...
+}:
+with lib;
+let
+  cfg = config.${namespace}.services.crowdsec;
+in
+{
+  imports = [ ./options.nix ];
+  config = lib.mkIf cfg.enable {
+    services = {
+      crowdsec =
+        let
+          yaml = (pkgs.formats.yaml { }).generate;
+          acquisitions_file = yaml "acquisitions.yaml" {
+            source = "journalctl";
+            journalctl_filter = [ "_SYSTEMD_UNIT=sshd.service" ];
+            labels.type = "syslog";
+          };
+        in
+        {
+          enable = true;
+          enrollKeyFile = "${cfg.dataDir}/enroll.key";
+          settings = {
+            crowdsec_service.acquisition_path = acquisitions_file;
+            api.server = {
+              listen_uri = "0.0.0.0:${toString cfg.port}";
+            };
+          };
+        };
+
+      crowdsec-firewall-bouncer = {
+        enable = true;
+        settings = {
+          api_key = cfg.apiKey;
+          api_url = "http://${cfg.apiAddress}:${toString cfg.port}";
+        };
+      };
+    };
+
+    systemd.services.crowdsec.serviceConfig = {
+      ExecStartPre =
+        let
+          script = pkgs.writeScriptBin "register-bouncer" ''
+            #!${pkgs.runtimeShell}
+            set -eu
+            set -o pipefail
+
+            if ! cscli bouncers list | grep -q "nas-bouncer"; then
+              cscli bouncers add "nas-bouncer" --key "${cfg.apiKey}"
+            fi
+          '';
+        in
+        [ "${script}/bin/register-bouncer" ];
+    };
+
+    networking.firewall = mkIf cfg.openFirewall {
+      allowedTCPPorts = [ cfg.port ];
+      allowedUDPPorts = [ cfg.port ];
+    };
+  };
+}
--- a/modules/nixos/services/crowdsec/options.nix
+++ b/modules/nixos/services/crowdsec/options.nix
@@ -0,0 +1,37 @@
+{ lib, namespace, ... }:
+with lib;
+{
+  options.${namespace}.services.crowdsec = {
+    enable = mkEnableOption "crowdsec service";
+
+    port = mkOption {
+      type = types.port;
+      default = 9898;
+      description = "Port for crowdsec API";
+    };
+
+    openFirewall = mkOption {
+      type = types.bool;
+      default = true;
+      description = "Whether to open firewall for crowdsec";
+    };
+
+    apiAddress = mkOption {
+      type = types.str;
+      default = "127.0.0.1";
+      description = "API address for crowdsec";
+    };
+
+    apiKey = mkOption {
+      type = types.str;
+      default = "";
+      description = "API key for crowdsec bouncer";
+    };
+
+    dataDir = mkOption {
+      type = types.str;
+      default = "";
+      description = "Data directory for crowdsec";
+    };
+  };
+}