tlaternet/tlaternet-server
1
0
Fork 0
Code Issues 10 Pull requests Activity

Compare commits

base: tlaternet:40187d4b2d64f6835dcddef68edaa160d2219daa
Branches Tags
tlaternet:master
tlaternet:tlater/authelia-attempt-3
tlaternet:tlater/coturn-disable
tlaternet:tlater/authelia-2
tlaternet:tlater/crowdsec-whitelists
tlaternet:tlater/authelia
...
compare: tlaternet:68450870cf3776f4f855cfdf117b24069777d3c9
Branches Tags
tlaternet:tlater/authelia-attempt-3
tlaternet:master
tlaternet:tlater/coturn-disable
tlaternet:tlater/authelia-2
tlaternet:tlater/crowdsec-whitelists
tlaternet:tlater/authelia

2 commits
40187d4b2d ... 68450870cf

Author SHA1 Message Date
Tristan Daniël Maat
68450870cf
feat(crowdsec-service): Add nginx monitoring 2025-02-01 18:01:00 +08:00
Tristan Daniël Maat
2831fdb0f2
feat(crowdsec): Add proper support for acquisitions 2025-02-01 18:00:59 +08:00
2 changed files with 66 additions and 18 deletions
Download patch file Download diff file Expand all files Collapse all files

50
configuration/services/crowdsec.nix
View file

@ -1,4 +1,4 @@
{ pkgs, ... }: { config, lib, ... }:
{ {
security.crowdsec = { security.crowdsec = {
enable = true; enable = true;
@ -7,21 +7,39 @@
"1.64.239.213" "1.64.239.213"
]; ];
settings.crowdsec_service.acquisition_path = pkgs.writeText "crowdsec-acquisitions.yaml" '' extraGroups = [
--- "systemd-journal"
source: journalctl "nginx"
journalctl_filter: ];
- "SYSLOG_IDENTIFIER=Nextcloud"
labels: acquisitions = [
type: syslog {
--- source = "journalctl";
source: journalctl labels.type = "syslog";
journalctl_filter: journalctl_filter = [
- "SYSLOG_IDENTIFIER=sshd-session" "SYSLOG_IDENTIFIER=Nextcloud"
labels: ];
type: syslog }
---
''; {
source = "journalctl";
labels.type = "syslog";
journalctl_filter = [
"SYSLOG_IDENTIFIER=sshd-session"
];
}
{
labels.type = "nginx";
filenames =
[
"/var/log/nginx/*.log"
]
++ lib.mapAttrsToList (
vHost: _: "/var/log/nginx/${vHost}/access.log"
) config.services.nginx.virtualHosts;
}
];
remediationComponents.firewallBouncer = { remediationComponents.firewallBouncer = {
enable = true; enable = true;

34
modules/crowdsec/default.nix
View file

@ -28,6 +28,12 @@ let
$sudo ${crowdsec}/bin/cscli "$@" $sudo ${crowdsec}/bin/cscli "$@"
''; '';
acquisitions = ''
---
${lib.concatMapStringsSep "\n---\n" builtins.toJSON cfg.acquisitions}
---
'';
in in
{ {
imports = [ ./remediations ]; imports = [ ./remediations ];
@ -82,6 +88,24 @@ in
''; '';
}; };
acquisitions = lib.mkOption {
type = listOf settingsFormat.type;
default = [ ];
description = ''
Log acquisitions.
'';
};
extraGroups = lib.mkOption {
type = listOf str;
default = [ ];
description = ''
Additional groups to make the service part of.
Required to permit reading from various log sources.
'';
};
hubConfigurations = { hubConfigurations = {
collections = lib.mkOption { collections = lib.mkOption {
type = listOf str; type = listOf str;
@ -190,7 +214,13 @@ in
plugin_dir = lib.mkDefault "/var/empty/"; plugin_dir = lib.mkDefault "/var/empty/";
}; };
crowdsec_service.acquisition_path = lib.mkDefault "${cfg.package}/share/crowdsec/config/acquis.yaml"; crowdsec_service.acquisition_path =
# Using an if/else here because `mkMerge` does not work in
# YAML-type options
if cfg.acquisitions == [ ] then
"${cfg.package}/share/crowdsec/config/acquis.yaml"
else
pkgs.writeText "acquis.yaml" acquisitions;
cscli = { cscli = {
prometheus_uri = lib.mkDefault "127.0.0.1:6060"; prometheus_uri = lib.mkDefault "127.0.0.1:6060";
@ -339,7 +369,7 @@ in
serviceConfig = { serviceConfig = {
User = "crowdsec"; User = "crowdsec";
Group = "crowdsec"; Group = "crowdsec";
SupplementaryGroups = [ "systemd-journal" ]; SupplementaryGroups = cfg.extraGroups;
StateDirectory = "crowdsec"; StateDirectory = "crowdsec";
}; };