chore(crowdsec): Switch to upstream module

2026-02-25 00:07:34 +08:00 · 2026-02-25 00:07:34 +08:00 · 4667044ea5
commit 4667044ea5
parent 2a9b08f1e6
8 changed files with 87 additions and 647 deletions
--- a/configuration/services/crowdsec.nix
+++ b/configuration/services/crowdsec.nix
@ -1,45 +1,80 @@
+{ config, lib, ... }:
 {
-  pkgs,
-  config,
-  lib,
-  ...
-}:
-{
-  security.crowdsec = {
-    enable = true;
+  services = {
+    crowdsec = {
+      enable = true;
+      autoUpdateService = true;

-    parserWhitelist = [ "10.45.249.2" ];
+      settings = {
+        general.api.server = {
+          enable = true;
+          online_client.sharing = false;
+        };

-    extraGroups = [
-      "systemd-journal"
-      "nginx"
-    ];
+        lapi.credentialsFile = "/var/lib/crowdsec/state/local_credentials.yaml";
+      };

-    acquisitions = [
-      {
-        source = "journalctl";
-        labels.type = "syslog";
-        journalctl_filter = [ "SYSLOG_IDENTIFIER=Nextcloud" ];
-      }
+      hub = {
+        collections = [
+          "crowdsecurity/base-http-scenarios"
+          "crowdsecurity/http-cve"
+          "crowdsecurity/linux"
+          "crowdsecurity/nextcloud"
+          "crowdsecurity/nginx"
+          "crowdsecurity/sshd"
+        ];
+      };

-      {
-        source = "journalctl";
-        labels.type = "syslog";
-        journalctl_filter = [ "SYSLOG_IDENTIFIER=sshd-session" ];
-      }
+      localConfig = {
+        acquisitions = [
+          {
+            labels.type = "syslog";
+            journalctl_filter = [
+              "SYSLOG_IDENTIFIER=Nextcloud"
+              "SYSLOG_IDENTIFIER=sshd-session"
+            ];
+            source = "journalctl";
+          }

-      {
-        labels.type = "nginx";
-        filenames = [
-          "/var/log/nginx/*.log"
-        ]
-        ++ lib.mapAttrsToList (
-          vHost: _: "/var/log/nginx/${vHost}/access.log"
-        ) config.services.nginx.virtualHosts;
-      }
-    ];
+          {
+            labels.type = "nginx";
+            filenames = [
+              "/var/log/nginx/*.log"
+            ]
+            ++ lib.mapAttrsToList (
+              vHost: _: "/var/log/nginx/${vHost}/access.log"
+            ) config.services.nginx.virtualHosts;
+          }
+        ];

-    remediationComponents.firewallBouncer = {
+        parsers.s02Enrich = [
+          {
+            name = "nixos/parser-whitelist";
+            description = "Parser whitelist generated by the crowdsec NixOS module";
+            whitelist = {
+              reason = "Filtered by NixOS whitelist";
+              ip = [ "10.45.249.2" ];
+            };
+          }
+        ];
+
+        postOverflows.s01Whitelist = [
+          {
+            description = "custom matrix whitelist";
+            name = "tetsumaki/matrix";
+            whitelist = {
+              reason = "whitelist false positive for matrix";
+              expression = [
+                "evt.Overflow.Alert.Events[0].GetMeta('target_fqdn') == '${config.services.matrix-conduit.settings.global.server_name}'"
+                "evt.Overflow.Alert.GetScenario() in ['crowdsecurity/http-probing', 'crowdsecurity/http-crawl-non_statics']"
+              ];
+            };
+          }
+        ];
+      };
+    };
+
+    crowdsec-firewall-bouncer = {
      enable = true;
      settings.prometheus = {
        enabled = true;
@ -47,37 +82,23 @@
        listen_port = "60601";
      };
    };
-  };

-  # Add whitelists for matrix
-  systemd.tmpfiles.settings."10-matrix" =
-    let
-      stateDir = config.security.crowdsec.stateDirectory;
-    in
-    {
-      "${stateDir}/config/postoverflows".d = {
-        user = "crowdsec";
-        group = "crowdsec";
-        mode = "0700";
-      };
+    victoriametrics.scrapeConfigs = {
+      crowdsec.targets =
+        let
+          cfg = config.services.crowdsec.settings.general;
+          address = cfg.prometheus.listen_addr;
+          port = cfg.prometheus.listen_port;
+        in
+        [ "${address}:${toString port}" ];

-      "${stateDir}/config/postoverflows/s01-whitelist".d = {
-        user = "crowdsec";
-        group = "crowdsec";
-        mode = "0700";
-      };
-
-      "${stateDir}/config/postoverflows/s01-whitelist/matrix-whitelist.yaml"."L+".argument =
-        ((pkgs.formats.yaml { }).generate "crowdsec-matrix-whitelist.yaml" {
-          name = "tetsumaki/matrix";
-          description = "custom matrix whitelist";
-          whitelist = {
-            reason = "whitelist false positive for matrix";
-            expression = [
-              "evt.Overflow.Alert.Events[0].GetMeta('target_fqdn') == '${config.services.matrix-conduit.settings.global.server_name}'"
-              "evt.Overflow.Alert.GetScenario() in ['crowdsecurity/http-probing', 'crowdsecurity/http-crawl-non_statics']"
-            ];
-          };
-        }).outPath;
+      csFirewallBouncer.targets =
+        let
+          cfg = config.services.crowdsec-firewall-bouncer.settings;
+          address = cfg.prometheus.listen_addr;
+          port = cfg.prometheus.listen_port;
+        in
+        [ "${address}:${toString port}" ];
    };
+  };
 }