From e1989a6009f0b5e7a8e7433498e55fe286aba94d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tristan=20Dani=C3=ABl=20Maat?= <tm@tlater.net>
Date: Sat, 8 Feb 2025 05:29:35 +0800
Subject: [PATCH 1/2] fix(crowdsec): Filter out events against matrix

---
 configuration/services/crowdsec.nix | 39 ++++++++++++++++++++++++++++-
 1 file changed, 38 insertions(+), 1 deletion(-)

diff --git a/configuration/services/crowdsec.nix b/configuration/services/crowdsec.nix
index 4891cad..f6f3c80 100644
--- a/configuration/services/crowdsec.nix
+++ b/configuration/services/crowdsec.nix
@@ -1,4 +1,9 @@
-{ config, lib, ... }:
+{
+  pkgs,
+  config,
+  lib,
+  ...
+}:
 {
   security.crowdsec = {
     enable = true;
@@ -50,4 +55,36 @@
       };
     };
   };
+
+  # Add whitelists for matrix
+  systemd.tmpfiles.settings."10-matrix" =
+    let
+      stateDir = config.security.crowdsec.stateDirectory;
+    in
+    {
+      "${stateDir}/config/postoverflows".d = {
+        user = "crowdsec";
+        group = "crowdsec";
+        mode = "0700";
+      };
+
+      "${stateDir}/config/postoverflows/s01-whitelist".d = {
+        user = "crowdsec";
+        group = "crowdsec";
+        mode = "0700";
+      };
+
+      "${stateDir}/config/postoverflows/s01-whitelist/matrix-whitelist.yaml"."L+".argument =
+        ((pkgs.formats.yaml { }).generate "crowdsec-matrix-whitelist.yaml" {
+          name = "tetsumaki/matrix";
+          description = "custom matrix whitelist";
+          whitelist = {
+            reason = "whitelist false positive for matrix";
+            expression = [
+              "evt.Overflow.Alert.Events[0].GetMeta('target_fqdn') == '${config.services.matrix-conduit.settings.global.server_name}'"
+              "evt.Overflow.Alert.GetScenario() in ['crowdsecurity/http-probing', 'crowdsecurity/http-crawl-non_statics']"
+            ];
+          };
+        }).outPath;
+    };
 }
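Review bot: The two entries in `expression` read as if they were meant to be ANDed, but as far as I recall CrowdSec evaluates each listed whitelist expression independently and whitelists the alert when any one of them is true, so the second entry alone would suppress every `crowdsecurity/http-probing` and `crowdsecurity/http-crawl-non_statics` alert regardless of which host was targeted, which is much broader than "events against matrix". If that is the case, fold them into a single entry: `"evt.Overflow.Alert.GetScenario() in ['crowdsecurity/http-probing', 'crowdsecurity/http-crawl-non_statics'] && evt.Overflow.Alert.Events[0].GetMeta('target_fqdn') == '${config.services.matrix-conduit.settings.global.server_name}'"`. Also note that only `Events[0]` is inspected, so an alert whose later events hit other hosts is still whitelisted if its first event targeted matrix; a per-event check such as `all(evt.Overflow.Alert.Events, {.GetMeta('target_fqdn') == '...'})` would make the intent explicit, if the expression runtime supports it. The attribute set this hunk closes starts outside the hunk.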
-- 
2.47.2


From e11b6f810bd504af9783174bb9f8cebbd7f995c4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tristan=20Dani=C3=ABl=20Maat?= <tm@tlater.net>
Date: Fri, 7 Feb 2025 01:39:57 +0800
Subject: [PATCH 2/2] feat(crowdsec): Switch to whitelisting wireguard IP

My IP address is not static, and grafana seems to comfortably produce
enough traffic to get me IP banned.
---
 configuration/services/crowdsec.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/configuration/services/crowdsec.nix b/configuration/services/crowdsec.nix
index f6f3c80..6e0f367 100644
--- a/configuration/services/crowdsec.nix
+++ b/configuration/services/crowdsec.nix
@@ -9,7 +9,7 @@
     enable = true;
 
     parserWhitelist = [
-      "1.64.239.213"
+      "10.45.249.2"
     ];
 
     extraGroups = [
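Review bot: The replacement entry in `parserWhitelist` drops every event from `10.45.249.2` before any scenario runs (as far as the option name suggests a parser-stage whitelist), which is broader than the grafana traffic the description cites; if the only goal is to avoid the grafana-driven ban, a postoverflow whitelist scoped to the offending scenario, the same mechanism patch 1 introduces, keeps the remaining events from that peer visible. If the WireGuard peer address is defined elsewhere in the configuration, reference that value here rather than repeating the literal, e.g. `parserWhitelist = [ <wireguard-peer-address-option> ];`, so the two cannot drift apart. The surrounding `security.crowdsec` block starts and ends outside the hunk.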
-- 
2.47.2