tlaternet-server/configuration/services/crowdsec.nix

{
  pkgs,
  config,
  lib,
  ...
}:
{
  security.crowdsec = {
    enable = true;

    parserWhitelist = [
      "10.45.249.2"
    ];

    extraGroups = [
      "systemd-journal"
      "nginx"
    ];

    acquisitions = [
      {
        source = "journalctl";
        labels.type = "syslog";
        journalctl_filter = [
          "SYSLOG_IDENTIFIER=Nextcloud"
        ];
      }

      {
        source = "journalctl";
        labels.type = "syslog";
        journalctl_filter = [
          "SYSLOG_IDENTIFIER=sshd-session"
        ];
      }

      {
        labels.type = "nginx";
        filenames =
          [
            "/var/log/nginx/*.log"
          ]
          ++ lib.mapAttrsToList (
            vHost: _: "/var/log/nginx/${vHost}/access.log"
          ) config.services.nginx.virtualHosts;
      }
    ];

    remediationComponents.firewallBouncer = {
      enable = true;
      settings.prometheus = {
        enabled = true;
        listen_addr = "127.0.0.1";
        listen_port = "60601";
      };
    };
  };

  # Add whitelists for matrix
  systemd.tmpfiles.settings."10-matrix" =
    let
      stateDir = config.security.crowdsec.stateDirectory;
    in
    {
      "${stateDir}/config/postoverflows".d = {
        user = "crowdsec";
        group = "crowdsec";
        mode = "0700";
      };

      "${stateDir}/config/postoverflows/s01-whitelist".d = {
        user = "crowdsec";
        group = "crowdsec";
        mode = "0700";
      };

      "${stateDir}/config/postoverflows/s01-whitelist/matrix-whitelist.yaml"."L+".argument =
        ((pkgs.formats.yaml { }).generate "crowdsec-matrix-whitelist.yaml" {
          name = "tetsumaki/matrix";
          description = "custom matrix whitelist";
          whitelist = {
            reason = "whitelist false positive for matrix";
            expression = [
              "evt.Overflow.Alert.Events[0].GetMeta('target_fqdn') == '${config.services.matrix-conduit.settings.global.server_name}'"
              "evt.Overflow.Alert.GetScenario() in ['crowdsecurity/http-probing', 'crowdsecurity/http-crawl-non_statics']"
            ];
          };
        }).outPath;
    };
}