feat: Replace the now missing fail2ban with crowdsec

configuration/default.nix

@@ -18,6 +18,7 @@
     ./services/backups.nix
     ./services/battery-manager.nix
     ./services/conduit.nix
+    ./services/crowdsec.nix
     ./services/foundryvtt.nix
     ./services/gitea.nix
     ./services/metrics

configuration/services/crowdsec.nix

@@ -0,0 +1,26 @@
+{ pkgs, config, ... }:
+{
+  services.crowdsec = {
+    enable = true;
+    # clientCredentials = config.sops.secrets."crowdsec/credentials".path;
+
+    settings.crowdsec_service.acquisition_path =
+      (pkgs.formats.yaml { }).generate "crowdsec-acquisitions.yaml"
+        {
+          source = "journalctl";
+          journalctl_filter = [ "_SYSTEMD_UNIT=sshd.service" ];
+          labels.type = "syslog";
+        };
+  };
+}
+
+#       db_config = {
+#         type = "postgresql";
+#         db_path = "/run/postgresql";
+#         user = "crowdsec";
+#         db_name = "crowdsec";
+#         flush = {
+#           max_items = 10000;
+#           max_age = "14d";
+#         };
+#       };

configuration/services/metrics/victoriametrics.nix

@@ -10,6 +10,7 @@
         extraSettings.authorization.credentials_file = config.sops.secrets."forgejo/metrics-token".path;
       };
       coturn.targets = [ "127.0.0.1:9641" ];
+      crowdsec.targets = [ "127.0.0.1:6060" ];
     };
   };
 }

configuration/sops.nix

@@ -13,6 +13,11 @@
         group = "battery-manager";
       };
 
+      "crowdsec/credentials" = {
+        owner = "crowdsec";
+        group = "crowdsec";
+      };
+
       # Gitea
       "forgejo/metrics-token" = {
         owner = "forgejo";