feat: Add crowdsec to replace fail2ban

feat: Add crowdsec module
2025-01-31 22:41:51 +08:00 · 2025-01-31 22:41:51 +08:00
1 changed files with 30 additions and 0 deletions
--- a/modules/crowdsec/default.nix
+++ b/modules/crowdsec/default.nix
@ -335,6 +335,36 @@ in
            SupplementaryGroups = [ "systemd-journal" ];

            StateDirectory = "crowdsec";
+
+            # PrivateTmp = true;
+            # PrivateUsers = true;
+            # ProtectHome = true;
+            # CapabilityBoundingSet = [ ];
+            # LockPersonality = true;
+            # PrivateDevices = true;
+            # ProtectHostname = true;
+            # ProtectKernelTunables = true;
+            # ProtectKernelModules = true;
+            # ProtectControlGroups = true;
+
+            # NoNewPrivileges = true;
+            # RestrictSUIDSGID = true;
+
+            # ProtectProc = "invisible";
+            # ProcSubset = "pid"; # Needed for journal access
+
+            # RestrictNamespaces = true;
+            # RestrictRealtime = true;
+
+            # SystemCallFilter = [
+            #   "@system-service"
+            #   "@network-io"
+            # ];
+            # SystemCallArchitectures = [ "native" ];
+            # SystemCallErrorNumber = "EPERM";
+
+            # ExecPaths = [ "/nix/store" ];
+            # NoExecPaths = [ "/" ];
          };
        };
      };
Author	SHA1	Message	Date
Tristan Daniël Maat	af76e7fe52	feat: Add crowdsec to replace fail2ban	2025-01-31 22:41:51 +08:00
Tristan Daniël Maat	fd9938af04	feat: Add crowdsec module	2025-01-31 22:41:51 +08:00