modules/crowdsec/default.nix

@@ -28,6 +28,12 @@ let
 
     $sudo ${crowdsec}/bin/cscli "$@"
   '';
+
+  acquisitions = ''
+    ---
+    ${lib.concatMapStringsSep "\n---\n" builtins.toJSON cfg.acquisitions}
+    ---
+  '';
 in
 {
   imports = [ ./remediations ];
@@ -82,6 +88,24 @@ in
         '';
       };
 
+      acquisitions = lib.mkOption {
+        type = listOf settingsFormat.type;
+        default = [ ];
+        description = ''
+          Log acquisitions.
+        '';
+      };
+
+      extraGroups = lib.mkOption {
+        type = listOf str;
+        default = [ ];
+        description = ''
+          Additional groups to make the service part of.
+
+          Required to permit reading from various log sources.
+        '';
+      };
+
       hubConfigurations = {
         collections = lib.mkOption {
           type = listOf str;
@@ -190,7 +214,13 @@ in
           plugin_dir = lib.mkDefault "/var/empty/";
         };
 
-        crowdsec_service.acquisition_path = lib.mkDefault "${cfg.package}/share/crowdsec/config/acquis.yaml";
+        crowdsec_service.acquisition_path =
+          # Using an if/else here because `mkMerge` does not work in
+          # YAML-type options
+          if cfg.acquisitions == [ ] then
+            "${cfg.package}/share/crowdsec/config/acquis.yaml"
+          else
+            pkgs.writeText "acquis.yaml" acquisitions;
 
         cscli = {
           prometheus_uri = lib.mkDefault "127.0.0.1:6060";
@@ -339,7 +369,7 @@ in
           serviceConfig = {
             User = "crowdsec";
             Group = "crowdsec";
-            SupplementaryGroups = [ "systemd-journal" ];
+            SupplementaryGroups = cfg.extraGroups;
 
             StateDirectory = "crowdsec";
           };