diff --git a/configuration/default.nix b/configuration/default.nix
index 8dddf76..d4c422f 100644
--- a/configuration/default.nix
+++ b/configuration/default.nix
@@ -18,6 +18,7 @@
 ./services/backups.nix
 ./services/battery-manager.nix
 ./services/conduit.nix
+ ./services/crowdsec.nix
 ./services/foundryvtt.nix
 ./services/gitea.nix
 ./services/metrics
diff --git a/configuration/services/crowdsec.nix b/configuration/services/crowdsec.nix
new file mode 100644
index 0000000..98dbeb3
--- /dev/null
+++ b/configuration/services/crowdsec.nix
@@ -0,0 +1,26 @@
+{ pkgs, config, ... }:
+{
+ services.crowdsec = {
+ enable = true;
+ # clientCredentials = config.sops.secrets."crowdsec/credentials".path;
+
+ settings.crowdsec_service.acquisition_path =
+ (pkgs.formats.yaml { }).generate "crowdsec-acquisitions.yaml"
+ {
+ source = "journalctl";
+ journalctl_filter = [ "_SYSTEMD_UNIT=sshd.service" ];
+ labels.type = "syslog";
+ };
+ };
+}
+
+# db_config = {
+# type = "postgresql";
+# db_path = "/run/postgresql";
+# user = "crowdsec";
+# db_name = "crowdsec";
+# flush = {
+# max_items = 10000;
+# max_age = "14d";
+# };
+# };
diff --git a/configuration/services/metrics/victoriametrics.nix b/configuration/services/metrics/victoriametrics.nix
index 710cf70..4ed2773 100644
--- a/configuration/services/metrics/victoriametrics.nix
+++ b/configuration/services/metrics/victoriametrics.nix
@@ -10,6 +10,7 @@
 extraSettings.authorization.credentials_file = config.sops.secrets."forgejo/metrics-token".path;
 };
 coturn.targets = [ "127.0.0.1:9641" ];
+ crowdsec.targets = [ "127.0.0.1:6060" ];
 };
 };
 }
diff --git a/configuration/sops.nix b/configuration/sops.nix
index bc21834..1c09c7e 100644
--- a/configuration/sops.nix
+++ b/configuration/sops.nix
@@ -13,6 +13,11 @@
 group = "battery-manager";
 };
 
+ "crowdsec/credentials" = {
+ owner = "crowdsec";
+ group = "crowdsec";
+ };
+
 # Gitea
 "forgejo/metrics-token" = {
 owner = "forgejo";
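Review bot: In the new `configuration/services/crowdsec.nix` the `clientCredentials` line is commented out, so the `crowdsec/credentials` secret that this same commit declares in `configuration/sops.nix` (owner and group `crowdsec`) and encrypts in `keys/staging.yaml` is provisioned but never consumed by the service, and the `config` argument taken by the file is then unused. If wiring the credentials is deliberately deferred, say so on that line rather than leaving a bare commented assignment, e.g. `# TODO(review): enable clientCredentials = config.sops.secrets."crowdsec/credentials".path once <blocker>; the sops secret is already declared`. The trailing `# db_config = { ... }` block sits after the module's closing `}`, where it is easy to mistake for live configuration; either drop it or move it inside `settings` behind a one-line comment stating that the postgresql backend is intentionally not enabled yet.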
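Review bot: The new `crowdsec.targets = [ "127.0.0.1:6060" ]` scrape target in `configuration/services/metrics/victoriametrics.nix` assumes crowdsec's Prometheus listener is exposed on that address, but the `crowdsec.nix` added in this commit sets nothing under the `prometheus` section of `services.crowdsec.settings`, so the target only works if the module's defaults put the listener there. A short comment on the target line would make that coupling visible, e.g. `# relies on the crowdsec module's default prometheus listen address/port; keep in sync with services.crowdsec.settings`. The enclosing attribute set starts before the hunk.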
diff --git a/keys/staging.yaml b/keys/staging.yaml
index 091424d..36212cd 100644
--- a/keys/staging.yaml
+++ b/keys/staging.yaml
@@ -2,6 +2,8 @@ hetzner-api: ENC[AES256_GCM,data:1Zjp003j60g=,iv:+vDcyiqYm4A9CMIrW4oGZKdZiczatBc
 battery-manager:
 email: ENC[AES256_GCM,data:LM/EGzWHfVQ=,iv:jFaoUQuUfuGoOyj/GFpdI8TerH/c8D9fjvio+IEt2Tc=,tag:IWLiN011JEnHRLIXWQgfmA==,type:str]
 password: ENC[AES256_GCM,data:SUxjqS7SJHM=,iv:LvdKk88S+nSImh6/ZezbFGLCUBu1Lpdu+neF2xyHdBg=,tag:rcMyZuW4FVNbcbz00wQKBg==,type:str]
+crowdsec:
+ credentials: ENC[AES256_GCM,data:jJ+tRa3696odtbI=,iv:M3bhbrqa2XxNkt97Vih/zUaX3J2F71tbSXm/ARo5wQ8=,tag:DlFJJ4qZq4tc80ArUmcCOA==,type:str]
 forgejo:
 metrics-token: ENC[AES256_GCM,data:HEDV/GK/WtI=,iv:ihPEusEGVUNZjjjxz2ys6Nfag/og4n7Cqmd4rroT6Ww=,tag:Brcv7XW6HfzzgF3emtuT2A==,type:str]
 grafana:
@@ -32,8 +34,8 @@ sops:
 azure_kv: []
 hc_vault: []
 age: []
- lastmodified: "2024-04-15T23:13:27Z"
- mac: ENC[AES256_GCM,data:JhEVrKF2Jsqpdztcr3g5lMrgEFeLXfBRQTwQJ6PmLSNyDORcTU09TJPNWTPDnR5okDrvIU/wlzi5DZ8A0ebNhrKf6l0tNFBT9LSvQFHU5SBxqY/m8uEJKSrEC4IL5lugOOISDka2KSvYXVCXrumMHE5FnmOS/CgOZaZk6LUjPYA=,iv:ygygnSedcTo2Vsc56s2qrz1qkWchvSgvoiMTebRxQQ8=,tag:vf6z8rxsXmqzwpDy9Avifw==,type:str]
+ lastmodified: "2025-01-23T17:19:30Z"
+ mac: ENC[AES256_GCM,data:eWItAwXJ3JTf3RgzFo8oh0REeCeeZvLWZn8jsIpdRMsA+pRXTu8d+Eh5YCkUA13P/rNbn28EP7hEwEIU7RQSoTuyO2gNytoROkOttO/m0ehwSX6b5Kvwjw81KpQ6GBXst5BEaCkPznv5iBLuYLnngM3QE3GauTdUI63yVWSomUI=,iv:/0SuOpE01hr8CXbRvcRrClLzfid1WJoIyZ/qilV6UrM=,tag:/HDq+n8ahiMCUIwpTHT/kA==,type:str]
 pgp:
 - created_at: "2025-01-21T17:55:30Z"
 enc: |-
@@ -71,4 +73,4 @@ sops:
 -----END PGP MESSAGE-----
 fp: 2f5caa73e7ceea4fcc8d2881fde587e6737d2dbc
 unencrypted_suffix: _unencrypted
- version: 3.8.1
+ version: 3.9.2