feat(crowdsec): Switch to whitelisting wireguard IP

My IP address is not static, and grafana seems to comfortably produce
enough traffic to get me IP banned.

configuration/services/crowdsec.nix

@@ -1,10 +1,15 @@
-{ config, lib, ... }:
+{
+  pkgs,
+  config,
+  lib,
+  ...
+}:
 {
   security.crowdsec = {
     enable = true;
 
     parserWhitelist = [
-      "1.64.239.213"
+      "10.45.249.2"
     ];
 
     extraGroups = [
@@ -50,4 +55,36 @@
       };
     };
   };
+
+  # Add whitelists for matrix
+  systemd.tmpfiles.settings."10-matrix" =
+    let
+      stateDir = config.security.crowdsec.stateDirectory;
+    in
+    {
+      "${stateDir}/config/postoverflows".d = {
+        user = "crowdsec";
+        group = "crowdsec";
+        mode = "0700";
+      };
+
+      "${stateDir}/config/postoverflows/s01-whitelist".d = {
+        user = "crowdsec";
+        group = "crowdsec";
+        mode = "0700";
+      };
+
+      "${stateDir}/config/postoverflows/s01-whitelist/matrix-whitelist.yaml"."L+".argument =
+        ((pkgs.formats.yaml { }).generate "crowdsec-matrix-whitelist.yaml" {
+          name = "tetsumaki/matrix";
+          description = "custom matrix whitelist";
+          whitelist = {
+            reason = "whitelist false positive for matrix";
+            expression = [
+              "evt.Overflow.Alert.Events[0].GetMeta('target_fqdn') == '${config.services.matrix-conduit.settings.global.server_name}'"
+              "evt.Overflow.Alert.GetScenario() in ['crowdsecurity/http-probing', 'crowdsecurity/http-crawl-non_statics']"
+            ];
+          };
+        }).outPath;
+    };
 }