Setup crowdsec with ssh/firewall/traefik

2024-06-20 22:16:50 +08:00 · 2024-06-20 22:16:50 +08:00 · dc03244a3c
commit dc03244a3c
parent 2adadb30e8
10 changed files with 140 additions and 1 deletions
--- a/nixos/viridian/services/crowdsec/default.nix
+++ b/nixos/viridian/services/crowdsec/default.nix
@ -0,0 +1,94 @@
+{ config, inputs, pkgs, ... }:
+let
+  port = "8080";
+in
+{
+  imports = [
+    inputs.crowdsec.nixosModules.crowdsec
+    inputs.crowdsec.nixosModules.crowdsec-firewall-bouncer
+  ];
+
+  nixpkgs.overlays = [
+    inputs.crowdsec.overlays.default
+  ];
+
+  age.secrets.enrollment-key = {
+    rekeyFile = ./enrollment_key.age;
+    owner = "crowdsec";
+    group = "crowdsec";
+  };
+
+  services.crowdsec = let
+    yaml = (pkgs.formats.yaml {}).generate;
+    acquisitions_file = yaml "acquisitions.yaml" {
+      source = "journalctl";
+      journalctl_filter = ["_SYSTEMD_UNIT=sshd.service"];
+      labels.type = "syslog";
+    };
+  in {
+    enable = true;
+    allowLocalJournalAccess = true;
+    enrollKeyFile = config.age.secrets.enrollment-key.path;
+    settings = {
+      api.server = {
+        listen_uri = "127.0.0.1:${port}";
+      };
+      crowdsec_service.acquisition_path = acquisitions_file;
+      crowdsec_service.acquisition_dir = ./acquis.d;
+    };
+  };
+
+  services.crowdsec-firewall-bouncer = {
+    enable = true;
+    settings = {
+      api_key = "2025f0be-35ca-406c-8737-810321c918c2";
+      api_url = "http://localhost:${port}";
+    };
+  };
+
+  systemd.services.crowdsec.serviceConfig = {
+    ExecStartPre = let
+      bouncer = pkgs.writeScriptBin "register-bouncer" ''
+        #!${pkgs.runtimeShell}
+        set -eu
+        set -o pipefail
+
+        if ! cscli bouncers list | grep -q "firewall-bouncer"; then
+          cscli bouncers add "firewall-bouncer" --key "2025f0be-35ca-406c-8737-810321c918c2"
+        fi
+
+        if ! cscli bouncers list | grep -q "traefik-bouncer"; then
+          cscli bouncers add "traefik-bouncer" --key "18c725d5-3a22-4331-a8e8-abfd3018a7c0"
+        fi
+      '';
+      scenario = pkgs.writeScriptBin "install-scenario" ''
+        #!${pkgs.runtimeShell}
+        set -eu
+        set -o pipefail
+
+        if ! cscli collections list | grep -q "crowdsecurity/linux"; then
+          cscli collections install "crowdsecurity/linux"
+        fi
+
+        if ! cscli collections list | grep -q "crowdsecurity/appsec-virtual-patching"; then
+          cscli collections install "crowdsecurity/appsec-virtual-patching"
+        fi
+
+        if ! cscli collections list | grep -q "crowdsecurity/appsec-generic-rules"; then
+          cscli collections install "crowdsecurity/appsec-generic-rules"
+        fi
+      '';
+    in [
+      "${bouncer}/bin/register-bouncer"
+      "${scenario}/bin/install-scenario"
+    ];
+  };
+
+  environment.persistence."/persist" = {
+    directories = [
+      { directory = "/var/lib/crowdsec"; user = "crowdsec"; group = "crowdsec"; }
+    ];
+    hideMounts = true;
+  };
+}
+