diff --git a/configuration/services/crowdsec.nix b/configuration/services/crowdsec.nix index 6860354..6e0f367 100644 --- a/configuration/services/crowdsec.nix +++ b/configuration/services/crowdsec.nix @@ -12,18 +12,6 @@ "10.45.249.2" ]; - extraConfig."postoverflows/s01-whitelist/matrix-whitelist.yaml" = { - name = "tetsumaki/matrix"; - description = "custom matrix whitelist"; - whitelist = { - reason = "whitelist false positive for matrix"; - expression = [ - "evt.Overflow.Alert.Events[0].GetMeta('target_fqdn') == '${config.services.matrix-conduit.settings.global.server_name}'" - "evt.Overflow.Alert.GetScenario() in ['crowdsecurity/http-probing', 'crowdsecurity/http-crawl-non_statics']" - ]; - }; - }; - extraGroups = [ "systemd-journal" "nginx" @@ -67,4 +55,36 @@ }; }; }; + + # Add whitelists for matrix + systemd.tmpfiles.settings."10-matrix" = + let + stateDir = config.security.crowdsec.stateDirectory; + in + { + "${stateDir}/config/postoverflows".d = { + user = "crowdsec"; + group = "crowdsec"; + mode = "0700"; + }; + + "${stateDir}/config/postoverflows/s01-whitelist".d = { + user = "crowdsec"; + group = "crowdsec"; + mode = "0700"; + }; + + "${stateDir}/config/postoverflows/s01-whitelist/matrix-whitelist.yaml"."L+".argument = + ((pkgs.formats.yaml { }).generate "crowdsec-matrix-whitelist.yaml" { + name = "tetsumaki/matrix"; + description = "custom matrix whitelist"; + whitelist = { + reason = "whitelist false positive for matrix"; + expression = [ + "evt.Overflow.Alert.Events[0].GetMeta('target_fqdn') == '${config.services.matrix-conduit.settings.global.server_name}'" + "evt.Overflow.Alert.GetScenario() in ['crowdsecurity/http-probing', 'crowdsecurity/http-crawl-non_statics']" + ]; + }; + }).outPath; + }; } diff --git a/modules/crowdsec/default.nix b/modules/crowdsec/default.nix index cc14939..c0003a5 100644 --- a/modules/crowdsec/default.nix +++ b/modules/crowdsec/default.nix 
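Review bot: The `expression` list in the new `matrix-whitelist.yaml` rule (second hunk of this file) holds two independent entries, and CrowdSec evaluates whitelist `expression` items separately, whitelisting the overflow when any one of them is true — if that reading of the whitelist semantics is right, the second entry alone whitelists every `http-probing` / `http-crawl-non_statics` overflow on the host regardless of target, which silently disables both scenarios instead of exempting only the Matrix vhost. The two conditions should be one expression joined with `&&`: `"evt.Overflow.Alert.GetScenario() in ['crowdsecurity/http-probing', 'crowdsecurity/http-crawl-non_statics'] && evt.Overflow.Alert.Events[0].GetMeta('target_fqdn') == '${config.services.matrix-conduit.settings.global.server_name}'"`. Testing only `Events[0]` is also a weak check, since an overflow can aggregate requests to several vhosts and a scanner that hits the Matrix name first would get the whole bucket whitelisted; iterating the events (expr's `all(...)`) would be stricter, but confirm the expr syntax your CrowdSec version supports before relying on it. The `systemd.tmpfiles.settings."10-matrix"` attribute lives inside the module's top-level attrset, whose opening is outside this hunk.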
@@ -31,22 +31,6 @@ let ${lib.concatMapStringsSep "\n---\n" builtins.toJSON cfg.acquisitions} --- ''; - - extraConfigs = pkgs.symlinkJoin { - name = "crowdsec-extra-configs"; - paths = lib.mapAttrsToList ( - path: settings: - (settingsFormat.generate path settings).overrideAttrs (old: { - patchPhase = '' - mkdir -p "$out/${dirOf path}/" - out="$out/${dirOf path}/" - - echo $out - exit 1 - ''; - }) - ) cfg.extraConfig; - }; in { imports = [ ./remediations ]; @@ -54,7 +38,6 @@ in options.security.crowdsec = let inherit (lib.types) - attrsOf nullOr listOf package @@ -102,16 +85,6 @@ in ''; }; - extraConfig = lib.mkOption { - type = attrsOf (settingsFormat.type); - default = { - "parsers/s02-enrich/nixos-whitelist.yaml" = cfg.parserWhitelist; - }; - description = '' - Set of additional configurations to install. - ''; - }; - acquisitions = lib.mkOption { type = listOf settingsFormat.type; default = [ ]; @@ -327,6 +300,33 @@ in group = "crowdsec"; mode = "0700"; }; + + "${cfg.stateDirectory}/config/parsers".d = lib.mkIf (cfg.parserWhitelist != [ ]) { + user = "crowdsec"; + group = "crowdsec"; + mode = "0700"; + }; + + "${cfg.stateDirectory}/config/parsers/s02-enrich".d = lib.mkIf (cfg.parserWhitelist != [ ]) { + user = "crowdsec"; + group = "crowdsec"; + mode = "0700"; + }; + + "${cfg.stateDirectory}/config/parsers/s02-enrich/nixos-whitelist.yaml" = + lib.mkIf (cfg.parserWhitelist != [ ]) + { + "L+".argument = + (settingsFormat.generate "crowdsec-nixos-whitelist.yaml" { + name = "nixos/parser-whitelist"; + description = "Parser whitelist generated by the crowdsec NixOS module"; + whitelist = { + reason = "Filtered by NixOS whitelist"; + ip = lib.lists.filter (ip: !(lib.hasInfix "/" ip)) cfg.parserWhitelist; + cidr = lib.lists.filter (ip: lib.hasInfix "/" ip) cfg.parserWhitelist; + }; + }).outPath; + }; }; services = { 
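Review bot: In the `@@ -327,6 +300,33 @@` hunk the parser whitelist is materialised only through `d`/`L+` tmpfiles entries guarded by `lib.mkIf (cfg.parserWhitelist != [ ])`, so once a deployment has created `config/parsers/s02-enrich/nixos-whitelist.yaml`, setting `parserWhitelist` back to `[ ]` merely drops the entry from the generated tmpfiles config and leaves the old symlink in the state directory — systemd-tmpfiles does not remove paths it no longer declares. As far as I can tell from the hunk, that stale symlink keeps whitelisting the previously listed addresses until its store target is garbage-collected, after which it dangles and may stop CrowdSec from loading its parsers at all. Add a removal rule for the empty case, e.g. `"${cfg.stateDirectory}/config/parsers/s02-enrich/nixos-whitelist.yaml".r = lib.mkIf (cfg.parserWhitelist == [ ]) { };`, so the file's presence always tracks the option (mind that `r` only acts on tmpfiles runs invoked with `--remove`). The enclosing `systemd.tmpfiles.settings` attrset and the `services = {` block that follows both extend beyond this hunk.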
@@ -336,8 +336,6 @@ in description = "Crowdsec database and config preparation"; script = '' - cp --copy-contents --recursive ${extraConfigs}/. ${cfg.stateDirectory}/config - if [ ! -e '${cfg.settings.config_paths.simulation_path}' ]; then cp '${cfg.package}/share/crowdsec/config/simulation.yaml' '${cfg.settings.config_paths.simulation_path}' fi