WIP: fix(crowdsec): Make the whitelists actually work

2025-02-23 00:42:13 +08:00 · 2025-02-23 00:42:13 +08:00 · 5e4a945981
parent e1eb85d00f
commit 5e4a945981
2 changed files with 41 additions and 59 deletions
--- a/configuration/services/crowdsec.nix
+++ b/configuration/services/crowdsec.nix
@ -12,6 +12,18 @@
      "10.45.249.2"
    ];

+    extraConfig."postoverflows/s01-whitelist/matrix-whitelist.yaml" = {
+      name = "tetsumaki/matrix";
+      description = "custom matrix whitelist";
+      whitelist = {
+        reason = "whitelist false positive for matrix";
+        expression = [
+          "evt.Overflow.Alert.Events[0].GetMeta('target_fqdn') == '${config.services.matrix-conduit.settings.global.server_name}'"
+          "evt.Overflow.Alert.GetScenario() in ['crowdsecurity/http-probing', 'crowdsecurity/http-crawl-non_statics']"
+        ];
+      };
+    };
+
    extraGroups = [
      "systemd-journal"
      "nginx"
@ -55,36 +67,4 @@
      };
    };
  };
-
-  # Add whitelists for matrix
-  systemd.tmpfiles.settings."10-matrix" =
-    let
-      stateDir = config.security.crowdsec.stateDirectory;
-    in
-    {
-      "${stateDir}/config/postoverflows".d = {
-        user = "crowdsec";
-        group = "crowdsec";
-        mode = "0700";
-      };
-
-      "${stateDir}/config/postoverflows/s01-whitelist".d = {
-        user = "crowdsec";
-        group = "crowdsec";
-        mode = "0700";
-      };
-
-      "${stateDir}/config/postoverflows/s01-whitelist/matrix-whitelist.yaml"."L+".argument =
-        ((pkgs.formats.yaml { }).generate "crowdsec-matrix-whitelist.yaml" {
-          name = "tetsumaki/matrix";
-          description = "custom matrix whitelist";
-          whitelist = {
-            reason = "whitelist false positive for matrix";
-            expression = [
-              "evt.Overflow.Alert.Events[0].GetMeta('target_fqdn') == '${config.services.matrix-conduit.settings.global.server_name}'"
-              "evt.Overflow.Alert.GetScenario() in ['crowdsecurity/http-probing', 'crowdsecurity/http-crawl-non_statics']"
-            ];
-          };
-        }).outPath;
-    };
 }
--- a/modules/crowdsec/default.nix
+++ b/modules/crowdsec/default.nix
@ -31,6 +31,22 @@ let
    ${lib.concatMapStringsSep "\n---\n" builtins.toJSON cfg.acquisitions}
    ---
  '';
+
+  extraConfigs = pkgs.symlinkJoin {
+    name = "crowdsec-extra-configs";
+    paths = lib.mapAttrsToList (
+      path: settings:
+      (settingsFormat.generate path settings).overrideAttrs (old: {
+        patchPhase = ''
+          mkdir -p "$out/${dirOf path}/"
+          out="$out/${dirOf path}/"
+
+          echo $out
+          exit 1
+        '';
+      })
+    ) cfg.extraConfig;
+  };
 in
 {
  imports = [ ./remediations ];
@ -38,6 +54,7 @@ in
  options.security.crowdsec =
    let
      inherit (lib.types)
+        attrsOf
        nullOr
        listOf
        package
@ -85,6 +102,16 @@ in
        '';
      };

+      extraConfig = lib.mkOption {
+        type = attrsOf (settingsFormat.type);
+        default = {
+          "parsers/s02-enrich/nixos-whitelist.yaml" = cfg.parserWhitelist;
+        };
+        description = ''
+          Set of additional configurations to install.
+        '';
+      };
+
      acquisitions = lib.mkOption {
        type = listOf settingsFormat.type;
        default = [ ];
@ -300,33 +327,6 @@ in
          group = "crowdsec";
          mode = "0700";
        };
-
-        "${cfg.stateDirectory}/config/parsers".d = lib.mkIf (cfg.parserWhitelist != [ ]) {
-          user = "crowdsec";
-          group = "crowdsec";
-          mode = "0700";
-        };
-
-        "${cfg.stateDirectory}/config/parsers/s02-enrich".d = lib.mkIf (cfg.parserWhitelist != [ ]) {
-          user = "crowdsec";
-          group = "crowdsec";
-          mode = "0700";
-        };
-
-        "${cfg.stateDirectory}/config/parsers/s02-enrich/nixos-whitelist.yaml" =
-          lib.mkIf (cfg.parserWhitelist != [ ])
-            {
-              "L+".argument =
-                (settingsFormat.generate "crowdsec-nixos-whitelist.yaml" {
-                  name = "nixos/parser-whitelist";
-                  description = "Parser whitelist generated by the crowdsec NixOS module";
-                  whitelist = {
-                    reason = "Filtered by NixOS whitelist";
-                    ip = lib.lists.filter (ip: !(lib.hasInfix "/" ip)) cfg.parserWhitelist;
-                    cidr = lib.lists.filter (ip: lib.hasInfix "/" ip) cfg.parserWhitelist;
-                  };
-                }).outPath;
-            };
      };

      services = {
@ -336,6 +336,8 @@ in
          description = "Crowdsec database and config preparation";

          script = ''
+            cp --copy-contents --recursive ${extraConfigs}/. ${cfg.stateDirectory}/config
+
            if [ ! -e '${cfg.settings.config_paths.simulation_path}' ]; then
                cp '${cfg.package}/share/crowdsec/config/simulation.yaml' '${cfg.settings.config_paths.simulation_path}'
            fi