feat: Replace the now missing fail2ban with crowdsec

2025-01-24 02:14:46 +08:00 · 2025-01-24 02:14:46 +08:00 · 6e2b796c0d
parent b90af26085
commit 6e2b796c0d
5 changed files with 38 additions and 3 deletions
--- a/configuration/default.nix
+++ b/configuration/default.nix
@ -18,6 +18,7 @@
    ./services/backups.nix
    ./services/battery-manager.nix
    ./services/conduit.nix
+    ./services/crowdsec.nix
    ./services/foundryvtt.nix
    ./services/gitea.nix
    ./services/metrics
--- a/configuration/services/crowdsec.nix
+++ b/configuration/services/crowdsec.nix
@ -0,0 +1,26 @@
+{ pkgs, config, ... }:
+{
+  services.crowdsec = {
+    enable = true;
+    # clientCredentials = config.sops.secrets."crowdsec/credentials".path;
+
+    settings.crowdsec_service.acquisition_path =
+      (pkgs.formats.yaml { }).generate "crowdsec-acquisitions.yaml"
+        {
+          source = "journalctl";
+          journalctl_filter = [ "_SYSTEMD_UNIT=sshd.service" ];
+          labels.type = "syslog";
+        };
+  };
+}
+
+#       db_config = {
+#         type = "postgresql";
+#         db_path = "/run/postgresql";
+#         user = "crowdsec";
+#         db_name = "crowdsec";
+#         flush = {
+#           max_items = 10000;
+#           max_age = "14d";
+#         };
+#       };
--- a/configuration/services/metrics/victoriametrics.nix
+++ b/configuration/services/metrics/victoriametrics.nix
@ -10,6 +10,7 @@
        extraSettings.authorization.credentials_file = config.sops.secrets."forgejo/metrics-token".path;
      };
      coturn.targets = [ "127.0.0.1:9641" ];
+      crowdsec.targets = [ "127.0.0.1:6060" ];
    };
  };
 }
--- a/configuration/sops.nix
+++ b/configuration/sops.nix
@ -13,6 +13,11 @@
        group = "battery-manager";
      };

+      "crowdsec/credentials" = {
+        owner = "crowdsec";
+        group = "crowdsec";
+      };
+
      # Gitea
      "forgejo/metrics-token" = {
        owner = "forgejo";
--- a/keys/staging.yaml
+++ b/keys/staging.yaml
@ -2,6 +2,8 @@ hetzner-api: ENC[AES256_GCM,data:1Zjp003j60g=,iv:+vDcyiqYm4A9CMIrW4oGZKdZiczatBc
 battery-manager:
    email: ENC[AES256_GCM,data:LM/EGzWHfVQ=,iv:jFaoUQuUfuGoOyj/GFpdI8TerH/c8D9fjvio+IEt2Tc=,tag:IWLiN011JEnHRLIXWQgfmA==,type:str]
    password: ENC[AES256_GCM,data:SUxjqS7SJHM=,iv:LvdKk88S+nSImh6/ZezbFGLCUBu1Lpdu+neF2xyHdBg=,tag:rcMyZuW4FVNbcbz00wQKBg==,type:str]
+crowdsec:
+    credentials: ENC[AES256_GCM,data:jJ+tRa3696odtbI=,iv:M3bhbrqa2XxNkt97Vih/zUaX3J2F71tbSXm/ARo5wQ8=,tag:DlFJJ4qZq4tc80ArUmcCOA==,type:str]
 forgejo:
    metrics-token: ENC[AES256_GCM,data:HEDV/GK/WtI=,iv:ihPEusEGVUNZjjjxz2ys6Nfag/og4n7Cqmd4rroT6Ww=,tag:Brcv7XW6HfzzgF3emtuT2A==,type:str]
 grafana:
@ -32,8 +34,8 @@ sops:
    azure_kv: []
    hc_vault: []
    age: []
-    lastmodified: "2024-04-15T23:13:27Z"
-    mac: ENC[AES256_GCM,data:JhEVrKF2Jsqpdztcr3g5lMrgEFeLXfBRQTwQJ6PmLSNyDORcTU09TJPNWTPDnR5okDrvIU/wlzi5DZ8A0ebNhrKf6l0tNFBT9LSvQFHU5SBxqY/m8uEJKSrEC4IL5lugOOISDka2KSvYXVCXrumMHE5FnmOS/CgOZaZk6LUjPYA=,iv:ygygnSedcTo2Vsc56s2qrz1qkWchvSgvoiMTebRxQQ8=,tag:vf6z8rxsXmqzwpDy9Avifw==,type:str]
+    lastmodified: "2025-01-23T17:19:30Z"
+    mac: ENC[AES256_GCM,data:eWItAwXJ3JTf3RgzFo8oh0REeCeeZvLWZn8jsIpdRMsA+pRXTu8d+Eh5YCkUA13P/rNbn28EP7hEwEIU7RQSoTuyO2gNytoROkOttO/m0ehwSX6b5Kvwjw81KpQ6GBXst5BEaCkPznv5iBLuYLnngM3QE3GauTdUI63yVWSomUI=,iv:/0SuOpE01hr8CXbRvcRrClLzfid1WJoIyZ/qilV6UrM=,tag:/HDq+n8ahiMCUIwpTHT/kA==,type:str]
    pgp:
        - created_at: "2025-01-21T17:55:30Z"
          enc: |-
@ -71,4 +73,4 @@ sops:
            -----END PGP MESSAGE-----
          fp: 2f5caa73e7ceea4fcc8d2881fde587e6737d2dbc
    unencrypted_suffix: _unencrypted
-    version: 3.8.1
+    version: 3.9.2