Compare commits

..

2 commits

View file

@ -208,52 +208,55 @@ in
}; };
systemd = { systemd = {
tmpfiles.settings."10-crowdsec" = lib.mkIf (cfg.parserWhitelist != [ ]) { tmpfiles.settings."10-crowdsec" = {
"${cfg.stateDirectory}".d = { "${cfg.stateDirectory}".d = {
user = "crowdsec"; user = "crowdsec";
group = "crowdsec"; group = "crowdsec";
mode = "0700"; mode = "0700";
}; };
# This must be created for the setup service to work
"${cfg.stateDirectory}/config".d = { "${cfg.stateDirectory}/config".d = {
user = "crowdsec"; user = "crowdsec";
group = "crowdsec"; group = "crowdsec";
mode = "0700"; mode = "0700";
}; };
"${cfg.stateDirectory}/config/parsers".d = { "${cfg.stateDirectory}/config/parsers".d = lib.mkIf (cfg.parserWhitelist != [ ]) {
user = "crowdsec"; user = "crowdsec";
group = "crowdsec"; group = "crowdsec";
mode = "0700"; mode = "0700";
}; };
"${cfg.stateDirectory}/config/parsers/s02-enrich".d = { "${cfg.stateDirectory}/config/parsers/s02-enrich".d = lib.mkIf (cfg.parserWhitelist != [ ]) {
user = "crowdsec"; user = "crowdsec";
group = "crowdsec"; group = "crowdsec";
mode = "0700"; mode = "0700";
}; };
"${cfg.stateDirectory}/config/parsers/s02-enrich/nixos-whitelist.yaml" = { "${cfg.stateDirectory}/config/parsers/s02-enrich/nixos-whitelist.yaml" =
"L+".argument = lib.mkIf (cfg.parserWhitelist != [ ])
(settingsFormat.generate "crowdsec-nixos-whitelist.yaml" { {
name = "nixos/parser-whitelist"; "L+".argument =
description = "Parser whitelist generated by the crowdsec NixOS module"; (settingsFormat.generate "crowdsec-nixos-whitelist.yaml" {
whitelist = { name = "nixos/parser-whitelist";
reason = "Filtered by NixOS whitelist"; description = "Parser whitelist generated by the crowdsec NixOS module";
ip = lib.lists.filter (ip: !(lib.hasInfix "/" ip)) cfg.parserWhitelist; whitelist = {
cidr = lib.lists.filter (ip: lib.hasInfix "/" ip) cfg.parserWhitelist; reason = "Filtered by NixOS whitelist";
}; ip = lib.lists.filter (ip: !(lib.hasInfix "/" ip)) cfg.parserWhitelist;
}).outPath; cidr = lib.lists.filter (ip: lib.hasInfix "/" ip) cfg.parserWhitelist;
}; };
}).outPath;
};
}; };
services = { services = {
crowdsec-setup = { crowdsec-setup = {
# TODO(tlater): Depend on tmpfiles path for
# /var/lib/crowdsec/config
description = "Crowdsec database and config preparation"; description = "Crowdsec database and config preparation";
script = '' script = ''
mkdir -p '${cfg.stateDirectory}/'{config,}
if [ ! -e '${cfg.settings.config_paths.simulation_path}' ]; then if [ ! -e '${cfg.settings.config_paths.simulation_path}' ]; then
cp '${cfg.package}/share/crowdsec/config/simulation.yaml' '${cfg.settings.config_paths.simulation_path}' cp '${cfg.package}/share/crowdsec/config/simulation.yaml' '${cfg.settings.config_paths.simulation_path}'
fi fi