tlaternet-server/configuration/services/crowdsec.nix


{ config, lib, ... }:
let
  # Build the single "host:port" scrape target for a Prometheus listener
  # that exposes `listen_addr` and `listen_port`. `toString` keeps this
  # working whether the port is an integer or a string (the bouncer below
  # sets it as a string).
  scrapeTarget = listener: [ "${listener.listen_addr}:${toString listener.listen_port}" ];

  # One access log path per nginx virtual host defined in this configuration.
  # builtins.attrNames yields names in sorted order, so the resulting list is
  # deterministic.
  vhostAccessLogs = map (vhost: "/var/log/nginx/${vhost}/access.log") (
    builtins.attrNames config.services.nginx.virtualHosts
  );

  # Spliced verbatim into the post-overflow whitelist expression below, so it
  # is expected to be a plain hostname without quote characters.
  matrixServerName = config.services.matrix-conduit.settings.global.server_name;
in
{
  services.crowdsec = {
    enable = true;
    autoUpdateService = true;

    settings = {
      # Run the local API server; sharing via the online client is turned off here.
      general.api.server = {
        enable = true;
        online_client.sharing = false;
      };
      lapi.credentialsFile = "/var/lib/crowdsec/state/local_credentials.yaml";
    };

    # Hub collections installed on this host.
    hub.collections = [
      "crowdsecurity/base-http-scenarios"
      "crowdsecurity/http-cve"
      "crowdsecurity/linux"
      "crowdsecurity/nextcloud"
      "crowdsecurity/nginx"
      "crowdsecurity/sshd"
    ];

    localConfig = {
      acquisitions = [
        # Journal entries from Nextcloud and sshd, read through journalctl.
        {
          source = "journalctl";
          labels.type = "syslog";
          journalctl_filter = [
            "SYSLOG_IDENTIFIER=Nextcloud"
            "SYSLOG_IDENTIFIER=sshd-session"
          ];
        }
        # nginx logs: everything in the top-level log directory plus each
        # virtual host's own access log.
        {
          labels.type = "nginx";
          filenames = [ "/var/log/nginx/*.log" ] ++ vhostAccessLogs;
        }
      ];

      # Parser-stage whitelist, intended to exempt this single address from
      # further processing.
      parsers.s02Enrich = [
        {
          name = "nixos/parser-whitelist";
          description = "Parser whitelist generated by the crowdsec NixOS module";
          whitelist = {
            reason = "Filtered by NixOS whitelist";
            ip = [ "10.45.249.2" ];
          };
        }
      ];

      # Post-overflow whitelist for http-probing / http-crawl-non_statics
      # overflows whose first event targeted the matrix-conduit server name.
      # Note that only Events[0] is inspected, so the decision for the whole
      # overflow rests on its first event.
      postOverflows.s01Whitelist = [
        {
          name = "tetsumaki/matrix";
          description = "custom matrix whitelist";
          whitelist = {
            reason = "whitelist false positive for matrix";
            expression = [
              "evt.Overflow.Alert.Events[0].GetMeta('target_fqdn') == '${matrixServerName}'"
              "evt.Overflow.Alert.GetScenario() in ['crowdsecurity/http-probing', 'crowdsecurity/http-crawl-non_statics']"
            ];
          };
        }
      ];
    };
  };

  # Firewall bouncer; its metrics endpoint is bound to loopback only.
  services.crowdsec-firewall-bouncer = {
    enable = true;
    settings.prometheus = {
      enabled = true;
      listen_addr = "127.0.0.1";
      listen_port = "60601";
    };
  };

  # Scrape both Prometheus endpoints with VictoriaMetrics. The crowdsec
  # listener address/port are not set in this file; they come from the
  # module's defaults or another part of the configuration.
  services.victoriametrics.scrapeConfigs = {
    crowdsec.targets = scrapeTarget config.services.crowdsec.settings.general.prometheus;
    csFirewallBouncer.targets = scrapeTarget config.services.crowdsec-firewall-bouncer.settings.prometheus;
  };
}