Compare commits
2 commits
5d1685160e
...
ff83fb3b9e
Author | SHA1 | Date | |
---|---|---|---|
ff83fb3b9e | |||
763f6c6389 |
1 changed files with 20 additions and 17 deletions
|
@ -208,52 +208,55 @@ in
|
||||||
};
|
};
|
||||||
|
|
||||||
systemd = {
|
systemd = {
|
||||||
tmpfiles.settings."10-crowdsec" = lib.mkIf (cfg.parserWhitelist != [ ]) {
|
tmpfiles.settings."10-crowdsec" = {
|
||||||
"${cfg.stateDirectory}".d = {
|
"${cfg.stateDirectory}".d = {
|
||||||
user = "crowdsec";
|
user = "crowdsec";
|
||||||
group = "crowdsec";
|
group = "crowdsec";
|
||||||
mode = "0700";
|
mode = "0700";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
# This must be created for the setup service to work
|
||||||
"${cfg.stateDirectory}/config".d = {
|
"${cfg.stateDirectory}/config".d = {
|
||||||
user = "crowdsec";
|
user = "crowdsec";
|
||||||
group = "crowdsec";
|
group = "crowdsec";
|
||||||
mode = "0700";
|
mode = "0700";
|
||||||
};
|
};
|
||||||
|
|
||||||
"${cfg.stateDirectory}/config/parsers".d = {
|
"${cfg.stateDirectory}/config/parsers".d = lib.mkIf (cfg.parserWhitelist != [ ]) {
|
||||||
user = "crowdsec";
|
user = "crowdsec";
|
||||||
group = "crowdsec";
|
group = "crowdsec";
|
||||||
mode = "0700";
|
mode = "0700";
|
||||||
};
|
};
|
||||||
|
|
||||||
"${cfg.stateDirectory}/config/parsers/s02-enrich".d = {
|
"${cfg.stateDirectory}/config/parsers/s02-enrich".d = lib.mkIf (cfg.parserWhitelist != [ ]) {
|
||||||
user = "crowdsec";
|
user = "crowdsec";
|
||||||
group = "crowdsec";
|
group = "crowdsec";
|
||||||
mode = "0700";
|
mode = "0700";
|
||||||
};
|
};
|
||||||
|
|
||||||
"${cfg.stateDirectory}/config/parsers/s02-enrich/nixos-whitelist.yaml" = {
|
"${cfg.stateDirectory}/config/parsers/s02-enrich/nixos-whitelist.yaml" =
|
||||||
"L+".argument =
|
lib.mkIf (cfg.parserWhitelist != [ ])
|
||||||
(settingsFormat.generate "crowdsec-nixos-whitelist.yaml" {
|
{
|
||||||
name = "nixos/parser-whitelist";
|
"L+".argument =
|
||||||
description = "Parser whitelist generated by the crowdsec NixOS module";
|
(settingsFormat.generate "crowdsec-nixos-whitelist.yaml" {
|
||||||
whitelist = {
|
name = "nixos/parser-whitelist";
|
||||||
reason = "Filtered by NixOS whitelist";
|
description = "Parser whitelist generated by the crowdsec NixOS module";
|
||||||
ip = lib.lists.filter (ip: !(lib.hasInfix "/" ip)) cfg.parserWhitelist;
|
whitelist = {
|
||||||
cidr = lib.lists.filter (ip: lib.hasInfix "/" ip) cfg.parserWhitelist;
|
reason = "Filtered by NixOS whitelist";
|
||||||
};
|
ip = lib.lists.filter (ip: !(lib.hasInfix "/" ip)) cfg.parserWhitelist;
|
||||||
}).outPath;
|
cidr = lib.lists.filter (ip: lib.hasInfix "/" ip) cfg.parserWhitelist;
|
||||||
};
|
};
|
||||||
|
}).outPath;
|
||||||
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
services = {
|
services = {
|
||||||
crowdsec-setup = {
|
crowdsec-setup = {
|
||||||
|
# TODO(tlater): Depend on tmpfiles path for
|
||||||
|
# /var/lib/crowdsec/config
|
||||||
description = "Crowdsec database and config preparation";
|
description = "Crowdsec database and config preparation";
|
||||||
|
|
||||||
script = ''
|
script = ''
|
||||||
mkdir -p '${cfg.stateDirectory}/'{config,}
|
|
||||||
|
|
||||||
if [ ! -e '${cfg.settings.config_paths.simulation_path}' ]; then
|
if [ ! -e '${cfg.settings.config_paths.simulation_path}' ]; then
|
||||||
cp '${cfg.package}/share/crowdsec/config/simulation.yaml' '${cfg.settings.config_paths.simulation_path}'
|
cp '${cfg.package}/share/crowdsec/config/simulation.yaml' '${cfg.settings.config_paths.simulation_path}'
|
||||||
fi
|
fi
|
||||||
|
|
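Review bot: When `cfg.parserWhitelist` is later set back to `[ ]`, the `"L+"` entry for `nixos-whitelist.yaml` simply vanishes from the generated tmpfiles rules, but the symlink it already created under `${cfg.stateDirectory}/config/parsers/s02-enrich/` stays on disk pointing at the old store path, so the previously whitelisted addresses presumably keep being exempted until someone deletes the file by hand; nothing in this hunk (or, as far as visible, elsewhere) cleans it up. The commit narrows the `lib.mkIf` to the `parsers`, `s02-enrich` and whitelist entries but only covers the "enable" direction. Consider turning that entry's `lib.mkIf` into `if cfg.parserWhitelist != [ ] then { "L+".argument = …; } else { r = { }; }` so the stale link is removed when the option is emptied; `r` lines are only honoured when systemd-tmpfiles runs with `--remove`, which I believe both NixOS activation and `systemd-tmpfiles-setup.service` do, but worth confirming for this module's ordering. The enclosing `tmpfiles.settings` attrset and the `crowdsec-setup` unit both continue outside the hunk.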