2025-02-01 10:52:38 +00:00
1 changed files with 34 additions and 16 deletions
--- a/configuration/services/crowdsec.nix
+++ b/configuration/services/crowdsec.nix
@ -1,4 +1,4 @@
-{ pkgs, ... }:
+{ config, lib, ... }:
 {
  security.crowdsec = {
    enable = true;
@ -7,21 +7,39 @@
      "1.64.239.213"
    ];

-    settings.crowdsec_service.acquisition_path = pkgs.writeText "crowdsec-acquisitions.yaml" ''
-      ---
-      source: journalctl
-      journalctl_filter:
-        - "SYSLOG_IDENTIFIER=Nextcloud"
-      labels:
-        type: syslog
-      ---
-      source: journalctl
-      journalctl_filter:
-        - "SYSLOG_IDENTIFIER=sshd-session"
-      labels:
-        type: syslog
-      ---
-    '';
+    extraGroups = [
+      "systemd-journal"
+      "nginx"
+    ];
+
+    acquisitions = [
+      {
+        source = "journalctl";
+        labels.type = "syslog";
+        journalctl_filter = [
+          "SYSLOG_IDENTIFIER=Nextcloud"
+        ];
+      }
+
+      {
+        source = "journalctl";
+        labels.type = "syslog";
+        journalctl_filter = [
+          "SYSLOG_IDENTIFIER=sshd-session"
+        ];
+      }
+
+      {
+        labels.type = "nginx";
+        filenames =
+          [
+            "/var/log/nginx/*.log"
+          ]
+          ++ lib.mapAttrsToList (
+            vHost: _: "/var/log/nginx/${vHost}/access.log"
+          ) config.services.nginx.virtualHosts;
+      }
+    ];

    remediationComponents.firewallBouncer = {
      enable = true;