feat: Add crowdsec to replace fail2ban

configuration/default.nix

@@ -18,6 +18,7 @@
     ./services/backups.nix
     ./services/battery-manager.nix
     ./services/conduit.nix
+    ./services/crowdsec.nix
     ./services/foundryvtt.nix
     ./services/gitea.nix
     ./services/metrics

configuration/services/crowdsec.nix

@@ -0,0 +1,35 @@
+{ pkgs, ... }:
+{
+  security.crowdsec = {
+    enable = true;
+
+    parserWhitelist = [
+      "1.64.239.213"
+    ];
+
+    settings.crowdsec_service.acquisition_path = pkgs.writeText "crowdsec-acquisitions.yaml" ''
+      ---
+      source: journalctl
+      journalctl_filter:
+        - "SYSLOG_IDENTIFIER=Nextcloud"
+      labels:
+        type: syslog
+      ---
+      source: journalctl
+      journalctl_filter:
+        - "SYSLOG_IDENTIFIER=sshd-session"
+      labels:
+        type: syslog
+      ---
+    '';
+
+    remediationComponents.firewallBouncer = {
+      enable = true;
+      settings.prometheus = {
+        enabled = true;
+        listen_addr = "127.0.0.1";
+        listen_port = "60601";
+      };
+    };
+  };
+}

configuration/services/metrics/victoriametrics.nix

@@ -10,6 +10,22 @@
         extraSettings.authorization.credentials_file = config.sops.secrets."forgejo/metrics-token".path;
       };
       coturn.targets = [ "127.0.0.1:9641" ];
+
+      crowdsec.targets =
+        let
+          address = config.security.crowdsec.settings.prometheus.listen_addr;
+          port = config.security.crowdsec.settings.prometheus.listen_port;
+        in
+        [ "${address}:${toString port}" ];
+
+      csFirewallBouncer.targets =
+        let
+          address =
+            config.security.crowdsec.remediationComponents.firewallBouncer.settings.prometheus.listen_addr;
+          port =
+            config.security.crowdsec.remediationComponents.firewallBouncer.settings.prometheus.listen_port;
+        in
+        [ "${address}:${toString port}" ];
     };
   };
 }