diff --git a/configuration/services/conduit/matrix-hookshot.nix b/configuration/services/conduit/matrix-hookshot.nix
index a297b87..c9c63d6 100644
--- a/configuration/services/conduit/matrix-hookshot.nix
+++ b/configuration/services/conduit/matrix-hookshot.nix
@@ -16,7 +16,7 @@ let
registration = matrixLib.writeRegistrationScript {
id = "matrix-hookshot";
- url = "${address}:${toString port}";
+ url = "http://${address}:${toString port}";
sender_localpart = "hookshot";
namespaces = {
@@ -91,6 +91,8 @@ in
bindAddress = "127.0.0.1";
};
+ bot.displayname = "Hookshot";
+
generic = {
enabled = true;
outbound = false;
diff --git a/configuration/services/crowdsec.nix b/configuration/services/crowdsec.nix
index ab0dd01..6e0f367 100644
--- a/configuration/services/crowdsec.nix
+++ b/configuration/services/crowdsec.nix
@@ -1,4 +1,9 @@
-{ config, lib, ... }:
+{
+ pkgs,
+ config,
+ lib,
+ ...
+}:
{
security.crowdsec = {
enable = true;
@@ -50,4 +55,36 @@
};
};
};
+
+ # Add whitelists for matrix
+ systemd.tmpfiles.settings."10-matrix" =
+ let
+ stateDir = config.security.crowdsec.stateDirectory;
+ in
+ {
+ "${stateDir}/config/postoverflows".d = {
+ user = "crowdsec";
+ group = "crowdsec";
+ mode = "0700";
+ };
+
+ "${stateDir}/config/postoverflows/s01-whitelist".d = {
+ user = "crowdsec";
+ group = "crowdsec";
+ mode = "0700";
+ };
+
+ "${stateDir}/config/postoverflows/s01-whitelist/matrix-whitelist.yaml"."L+".argument =
+ ((pkgs.formats.yaml { }).generate "crowdsec-matrix-whitelist.yaml" {
+ name = "tetsumaki/matrix";
+ description = "custom matrix whitelist";
+ whitelist = {
+ reason = "whitelist false positive for matrix";
+ expression = [
"evt.Overflow.Alert.Events[0].GetMeta('target_fqdn') == '${config.services.matrix-conduit.settings.global.server_name}'"
"evt.Overflow.Alert.GetScenario() in ['crowdsecurity/http-probing', 'crowdsecurity/http-crawl-non_statics']"
];
};
}).outPath;
};
}
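Review bot: The registration `url` now hard-codes a plain `http://` scheme, which is only appropriate while hookshot stays on a loopback listener; the second hunk of this file shows `bindAddress = "127.0.0.1"`, but `address` itself is bound outside the hunk, so that assumption is not visible where the URL is built. A one-line comment above the `url` line would make the dependency explicit and prompt a re-check if the listener ever moves off localhost: `# plain http is fine only because hookshot binds to 127.0.0.1 (see bindAddress)`. The enclosing `let` block starts outside the hunk.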
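Review bot: The two `expression` entries in the whitelist are evaluated independently, and as I read CrowdSec's whitelist semantics any single entry matching is enough, so the second entry on its own whitelists every `crowdsecurity/http-probing` and `crowdsecurity/http-crawl-non_statics` alert regardless of target host and those scenarios stop producing decisions for any vhost. The intended conjunction has to be one expression: `"evt.Overflow.Alert.Events[0].GetMeta('target_fqdn') == '${config.services.matrix-conduit.settings.global.server_name}' && evt.Overflow.Alert.GetScenario() in ['crowdsecurity/http-probing', 'crowdsecurity/http-crawl-non_statics']"`. Even then only `Events[0]` is inspected, so an overflow that mixes the Matrix FQDN with other vhosts is discarded as a whole, and the `# Add whitelists for matrix` comment should record which Matrix client or federation behaviour produces the false positives and that a postoverflow whitelist discards the alert before any decision is made, since that trade-off is what a later reader needs. Because the file is installed by tmpfiles rather than by the crowdsec unit, an edited whitelist is not picked up until crowdsec restarts; a `restartTriggers` entry on the crowdsec service referencing the generated store path would cover that, assuming the module exposes the unit under `systemd.services`.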