feat(crowdsec-service): Add nginx monitoring

feat(crowdsec): Add proper support for acquisitions
2025-02-01 18:01:00 +08:00 · 2025-02-01 18:00:59 +08:00
2 changed files with 66 additions and 18 deletions
--- a/configuration/services/crowdsec.nix
+++ b/configuration/services/crowdsec.nix
@ -1,4 +1,4 @@
-{ pkgs, ... }:
+{ config, lib, ... }:
 {
  security.crowdsec = {
    enable = true;
@ -7,21 +7,39 @@
      "1.64.239.213"
    ];

-    settings.crowdsec_service.acquisition_path = pkgs.writeText "crowdsec-acquisitions.yaml" ''
-      ---
-      source: journalctl
-      journalctl_filter:
-        - "SYSLOG_IDENTIFIER=Nextcloud"
-      labels:
-        type: syslog
-      ---
-      source: journalctl
-      journalctl_filter:
-        - "SYSLOG_IDENTIFIER=sshd-session"
-      labels:
-        type: syslog
-      ---
-    '';
+    extraGroups = [
+      "systemd-journal"
+      "nginx"
+    ];
+
+    acquisitions = [
+      {
+        source = "journalctl";
+        labels.type = "syslog";
+        journalctl_filter = [
+          "SYSLOG_IDENTIFIER=Nextcloud"
+        ];
+      }
+
+      {
+        source = "journalctl";
+        labels.type = "syslog";
+        journalctl_filter = [
+          "SYSLOG_IDENTIFIER=sshd-session"
+        ];
+      }
+
+      {
+        labels.type = "nginx";
+        filenames =
+          [
+            "/var/log/nginx/*.log"
+          ]
+          ++ lib.mapAttrsToList (
+            vHost: _: "/var/log/nginx/${vHost}/access.log"
+          ) config.services.nginx.virtualHosts;
+      }
+    ];

    remediationComponents.firewallBouncer = {
      enable = true;
--- a/modules/crowdsec/default.nix
+++ b/modules/crowdsec/default.nix
@ -28,6 +28,12 @@ let

    $sudo ${crowdsec}/bin/cscli "$@"
  '';
+
+  acquisitions = ''
+    ---
+    ${lib.concatMapStringsSep "\n---\n" builtins.toJSON cfg.acquisitions}
+    ---
+  '';
 in
 {
  imports = [ ./remediations ];
@ -82,6 +88,24 @@ in
        '';
      };

+      acquisitions = lib.mkOption {
+        type = listOf settingsFormat.type;
+        default = [ ];
+        description = ''
+          Log acquisitions.
+        '';
+      };
+
+      extraGroups = lib.mkOption {
+        type = listOf str;
+        default = [ ];
+        description = ''
+          Additional groups to make the service part of.
+
+          Required to permit reading from various log sources.
+        '';
+      };
+
      hubConfigurations = {
        collections = lib.mkOption {
          type = listOf str;
@ -190,7 +214,13 @@ in
          plugin_dir = lib.mkDefault "/var/empty/";
        };

-        crowdsec_service.acquisition_path = lib.mkDefault "${cfg.package}/share/crowdsec/config/acquis.yaml";
+        crowdsec_service.acquisition_path =
+          # Using an if/else here because `mkMerge` does not work in
+          # YAML-type options
+          if cfg.acquisitions == [ ] then
+            "${cfg.package}/share/crowdsec/config/acquis.yaml"
+          else
+            pkgs.writeText "acquis.yaml" acquisitions;

        cscli = {
          prometheus_uri = lib.mkDefault "127.0.0.1:6060";
@ -339,7 +369,7 @@ in
          serviceConfig = {
            User = "crowdsec";
            Group = "crowdsec";
-            SupplementaryGroups = [ "systemd-journal" ];
+            SupplementaryGroups = cfg.extraGroups;

            StateDirectory = "crowdsec";
          };
Author	SHA1	Message	Date
Tristan Daniël Maat	68450870cf	feat(crowdsec-service): Add nginx monitoring	2025-02-01 18:01:00 +08:00
Tristan Daniël Maat	2831fdb0f2	feat(crowdsec): Add proper support for acquisitions	2025-02-01 18:00:59 +08:00