jasmine/dotfiles.nix
1
0
Fork 0
Code Issues Pull requests Packages Projects Releases Wiki Activity
dotfiles.nix/nixos/viridian/services/crowdsec/default.nix

127 lines
3.3 KiB
Nix
Raw Blame History

{
config,
inputs,
pkgs,
...
}: let
port = "8080";
in {
imports = [
inputs.crowdsec.nixosModules.crowdsec
inputs.crowdsec.nixosModules.crowdsec-firewall-bouncer
];
nixpkgs.overlays = [
inputs.crowdsec.overlays.default
];
age.secrets.enrollment-key = {
rekeyFile = ./enrollment_key.age;
owner = "crowdsec";
group = "crowdsec";
};
services.crowdsec = {
enable = true;
allowLocalJournalAccess = true;
enrollKeyFile = config.age.secrets.enrollment-key.path;
settings = {
api.server = {
listen_uri = "127.0.0.1:${port}";
};
crowdsec_service.acquisition_dir = ./acquis.d;
};
};
services.crowdsec-firewall-bouncer = {
enable = true;
settings = {
api_key = "2025f0be-35ca-406c-8737-810321c918c2";
api_url = "http://localhost:${port}";
};
};
systemd.services.crowdsec.serviceConfig = {
ExecStartPre = let
bouncer = pkgs.writeScriptBin "register-bouncer" ''
#!${pkgs.runtimeShell}
set -eu
set -o pipefail
if ! cscli bouncers list | grep -q "firewall-bouncer"; then
cscli bouncers add "firewall-bouncer" --key "2025f0be-35ca-406c-8737-810321c918c2"
fi
if ! cscli bouncers list | grep -q "traefik-bouncer"; then
cscli bouncers add "traefik-bouncer" --key "18c725d5-3a22-4331-a8e8-abfd3018a7c0"
fi
'';
scenario = pkgs.writeScriptBin "install-scenario" ''
#!${pkgs.runtimeShell}
set -eu
set -o pipefail
if ! cscli collections list | grep -q "crowdsecurity/linux"; then
cscli collections install "crowdsecurity/linux"
fi
if ! cscli collections list | grep -q "crowdsecurity/appsec-virtual-patching"; then
cscli collections install "crowdsecurity/appsec-virtual-patching"
fi
if ! cscli collections list | grep -q "crowdsecurity/appsec-generic-rules"; then
cscli collections install "crowdsecurity/appsec-generic-rules"
fi
if ! cscli collections list | grep -q "crowdsecurity/traefik"; then
cscli collections install "crowdsecurity/traefik"
fi
if ! cscli collections list | grep -q "crowdsecurity/http-cve"; then
cscli collections install "crowdsecurity/http-cve"
fi
if ! cscli collections list | grep -q "crowdsecurity/sshd"; then
cscli collections install "crowdsecurity/sshd"
fi
if ! cscli collections list | grep -q "crowdsecurity/base-http-scenarios"; then
cscli collections install "crowdsecurity/base-http-scenarios"
fi
'';
in [
"${bouncer}/bin/register-bouncer"
"${scenario}/bin/install-scenario"
];
};
environment.etc = {
"/crowdsec/parsers/s02-enrich/whitelist.yaml" = {
text = ''
name: "sajenim/whitelist"
description: "Whitelist events from my ipv4 addresses"
whitelist:
reason: "my ipv4 ranges"
ip:
- "127.0.0.1"
cidr:
- "192.168.0.0/16"
- "10.0.0.0/8"
- "172.16.0.0/12"
'';
mode = "0755";
};
};
environment.persistence."/persist" = {
directories = [
{
directory = "/var/lib/crowdsec";
user = "crowdsec";
group = "crowdsec";
}
];
hideMounts = true;
};
}
Reference in a new issue View git blame Copy permalink