# NixOS module wiring up the CrowdSec security engine, its firewall bouncer and
# the VictoriaMetrics scrape targets that expose both components' Prometheus
# endpoints. Standard module arguments; only `config` and `lib` are used.
{ config, lib, ... }:
let
  nginxCfg = config.services.nginx;
  conduitCfg = config.services.matrix-conduit;

  # "host:port" of a component's Prometheus endpoint, read from its settings.
  # `toString` accepts either an integer or a string port, so both components
  # can be passed through the same helper.
  prometheusTarget = settings:
    "${settings.prometheus.listen_addr}:${toString settings.prometheus.listen_port}";

  # One per-vhost access log per configured nginx virtual host, in addition to
  # the shared nginx log files matched by the glob below.
  nginxAccessLogs = lib.mapAttrsToList
    (vHost: _: "/var/log/nginx/${vHost}/access.log")
    nginxCfg.virtualHosts;
in
{
  services.crowdsec = {
    enable = true;
    # Periodically refresh hub collections/parsers/scenarios.
    autoUpdateService = true;

    settings = {
      general.api.server = {
        enable = true;
        # Keep locally observed signals on this host rather than sharing them
        # with the central API.
        online_client.sharing = false;
      };
      lapi.credentialsFile = "/var/lib/crowdsec/state/local_credentials.yaml";
    };

    # Detection content pulled from the CrowdSec hub for the log sources
    # acquired below (nginx, sshd, Nextcloud) plus generic Linux/HTTP scenarios.
    hub.collections = [
      "crowdsecurity/base-http-scenarios"
      "crowdsecurity/http-cve"
      "crowdsecurity/linux"
      "crowdsecurity/nextcloud"
      "crowdsecurity/nginx"
      "crowdsecurity/sshd"
    ];

    localConfig = {
      acquisitions = [
        # Nextcloud and sshd log through the journal; only those two
        # SYSLOG_IDENTIFIERs are read.
        {
          source = "journalctl";
          labels = { type = "syslog"; };
          journalctl_filter = [
            "SYSLOG_IDENTIFIER=Nextcloud"
            "SYSLOG_IDENTIFIER=sshd-session"
          ];
        }
        # nginx logs from files: the shared log directory plus each vhost's
        # own access log.
        {
          labels = { type = "nginx"; };
          filenames = [ "/var/log/nginx/*.log" ] ++ nginxAccessLogs;
        }
      ];

      # Parser-stage whitelist: events originating from the listed address are
      # exempted from every scenario. Keep this list short and reviewed — an
      # entry here silences all detection for that source.
      parsers.s02Enrich = [
        {
          name = "nixos/parser-whitelist";
          description = "Parser whitelist generated by the crowdsec NixOS module";
          whitelist = {
            reason = "Filtered by NixOS whitelist";
            ip = [ "10.45.249.2" ];
          };
        }
      ];

      # Postoverflow whitelist: suppress alerts only when BOTH expressions hold,
      # i.e. the first event targets the Matrix server name and the scenario is
      # one of the two HTTP probing/crawl ones. Other scenarios against the same
      # host still alert.
      postOverflows.s01Whitelist = [
        {
          name = "tetsumaki/matrix";
          description = "custom matrix whitelist";
          whitelist = {
            reason = "whitelist false positive for matrix";
            expression = [
              "evt.Overflow.Alert.Events[0].GetMeta('target_fqdn') == '${conduitCfg.settings.global.server_name}'"
              "evt.Overflow.Alert.GetScenario() in ['crowdsecurity/http-probing', 'crowdsecurity/http-crawl-non_statics']"
            ];
          };
        }
      ];
    };
  };

  services.crowdsec-firewall-bouncer = {
    enable = true;
    # Metrics endpoint bound to loopback only; the port is kept as a string
    # here and normalised by `prometheusTarget` when building the scrape target.
    settings.prometheus = {
      enabled = true;
      listen_addr = "127.0.0.1";
      listen_port = "60601";
    };
  };

  # Scrape the engine's and the bouncer's Prometheus endpoints using the
  # addresses each component actually listens on.
  services.victoriametrics.scrapeConfigs = {
    crowdsec.targets = [ (prometheusTarget config.services.crowdsec.settings.general) ];
    csFirewallBouncer.targets = [ (prometheusTarget config.services.crowdsec-firewall-bouncer.settings) ];
  };
}