{
  config,
  lib,
  namespace,
  ...
}:
let
  cfg = config.${namespace}.services.crowdsec;

  # Builds one journald acquisition for a single systemd unit. Every log
  # source in this module is read through journalctl and carries the label
  # `type = "syslog"`.
  journalUnit = unit: {
    journalctl_filter = [ "_SYSTEMD_UNIT=${unit}" ];
    labels.type = "syslog";
    source = "journalctl";
  };

  # Directory holding the LAPI client and CAPI credential files.
  # NOTE(review): this path is on a NAS mount, so the mount's ownership and
  # mode decide who can read these secrets — confirm it is not world-readable
  # and that the service behaves acceptably when the mount is not present at
  # boot.
  credDir = "/media/nas/main/nix-app-data/crowdsec";
in
{
  imports = [ ./options.nix ];

  config = lib.mkIf cfg.enable {
    services.crowdsec = {
      enable = true;
      # Opens the host firewall for the service (presumably the LAPI port).
      # Whether the API is reachable from other hosts then depends on
      # `cfg.apiAddress` used in `listen_uri` below; a wildcard bind would
      # expose the LAPI on every interface — verify the value set in
      # ./options.nix.
      openFirewall = true;

      hub = {
        appSecConfigs = [ "crowdsecurity/appsec-default" ];
        appSecRules = [ "crowdsecurity/base-config" ];
        collections = [
          "crowdsecurity/linux"
          "crowdsecurity/traefik"
          "firix/authentik"
        ];
        parsers = [ "crowdsecurity/sshd-logs" ];
        # Presumably whitelists processes spawned through Nix wrappers so they
        # do not trigger auditd-based scenarios; verify against the hub item.
        postOverflows = [ "crowdsecurity/auditd-nix-wrappers-whitelist-process" ];
        scenarios = [ "crowdsecurity/ssh-bf" ];
      };

      # NOTE(review): only journald sources are acquired here. The AppSec
      # config and rules installed above have no matching `source = "appsec"`
      # acquisition in this file, so the AppSec component is not fed unless
      # it is configured elsewhere — confirm.
      localConfig.acquisitions = map journalUnit [
        "sshd.service"
        "traefik.service"
        "authentik.service"
      ];

      settings = {
        general.api = {
          server = {
            enable = true;
            listen_uri = "${cfg.apiAddress}:${toString cfg.port}";
          };
          # mkForce wins over every other definition of this path, whereas the
          # CAPI file below uses mkDefault and can be overridden by any other
          # module. Keep that asymmetry in mind when relocating the secrets.
          client.credentials_path = lib.mkForce "${credDir}/client.yaml";
        };
        capi.credentialsFile = lib.mkDefault "${credDir}/capi.yaml";
      };
    };
  };
}