Add redis crowdsec config

2025-05-13 14:44:53 +02:00 · 2025-05-13 14:44:53 +02:00 · 0012bcd36b
commit 0012bcd36b
parent 3fd9c73fc1
4 changed files with 47 additions and 9 deletions
--- a/secrets.nix
+++ b/secrets.nix
@ -3,6 +3,7 @@ let
  users = [tbarnouin];

  grafana = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDQxvO9vdd2f9aV4F3LEQrrTJaLwLvSLbLtjB9qNxc4z root@grafana";
+  redis = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDAbU7uRlNmFIazfJVnibUnwq5OvtV8wb3PYFFYJfZc4 root@redis";
  onlyoffice = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAEHTFFQoi8PtzkdTEeA5lGELFS01J51GLLjrnySJM7R root@onlyoffice";
  postgresql = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJW7qA7j1sICuu1RAfs9ifR9dmOlHq45tKu1ga7CKaob root@pgsql";
  forgejo = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILMf3Cc/S0p/LFcW+RLMEqpxOOv8q/HrKO4I9joHmRxl root@forgejo";
@ -36,4 +37,6 @@ in {
  "secrets/cs-lapi-key.age".publicKeys = users ++ systems;

  "secrets/jellyfin-lapi-key.age".publicKeys = [tbarnouin jellyfin];
+  
+  "secrets/redis-lapi-key.age".publicKeys = [tbarnouin redis];
 }
--- a/secrets/redis-lapi-key.age
+++ b/secrets/redis-lapi-key.age
@ -0,0 +1,15 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyA0cTRx
+eU1JYXUrMWNrZEprU3JVeVpaeXBBQy9yV1N1TTBSL1M5cUF0MFNFCmVvb09oTlZJ
+V1Z6MXZrbDNkNHlGMnBRNzlDSjl5RjZGbFJ3MGoxUC9oSG8KLT4gc3NoLWVkMjU1
+MTkgd25FVXB3IEVUUVMycHFpRXJCalRmRXMvMVdWc3E3WWViNWNmSUMrRURzU3ds
+V2dPajgKSGdNKzBaektIUVI3azBvMS9JKzVualdMSnRXSU1hWFphT3JZRCtrN3hh
+VQotPiBULGYtZ3JlYXNlICxkQi0iIGZJMEA3PWBrICkKNFQvcVZkdk5POHVhbWta
+Y0JJZk16dTdvb2dUR2kxY1l1NlM3dVRzRlk2dzJGT01pWFpUTkR6djgyNEpTZVp6
+WAowOWIxQ2M0NGl3cXljblJObDdwNkU2WUtxeWxKcWFtdHcrTE5jUFA0Zm1MNVhz
+dkRYU3NNK0ZrQmRBCi0tLSAzQXBESGl2eTh3MTNoK0l2T2JtVGhHVXNhaTJvWURB
+RXUyaDlSa2hIRlFzCgPQYsOV9N597izBEFraiwGqiRt7A/Mcoq6puAEfBKlAw+Wh
+4btrDkHPIGek/2q3mg2rUKGbsmeF4AUOijxPzOExbAM7I5rsl9cxq94BcsjKl6Go
+3O1Ep2S/WfGP/TFlLSeFzcpTJmv72MWGyFcoWKWq/mlWzG+vzg8l/hasOO5uPcqt
+vs8ZPiMXaojmGglmdgZUNsoqmg==
+-----END AGE ENCRYPTED FILE-----
--- a/services/redis/default.nix
+++ b/services/redis/default.nix
@ -10,7 +10,26 @@ in {
    enable = lib.mkEnableOption "Enable minimal config";
  };
  config = lib.mkIf cfg.enable {
-    services.redis = {
+    age.secrets.redis-lapi-key = {
+      file = ../../secrets/redis-lapi-key.age;
+      owner = "crowdsec";
+    };
+    services = {
+      crowdsec = {
+        settings.lapi.credentialsFile = "${config.age.secrets.redis-lapi-key.path}";
+        localConfig = {
+          acquisitions = [
+            {
+              source = "journalctl";
+              journalctl_filter = [ "_SYSTEMD_UNIT=redis.service" ];
+              labels = {
+                type = "syslog";
+              };
+            }
+          ];
+        };
+      };
+      redis = {
        vmOverCommit = true;
        servers.redis = {
          enable = true;
@ -21,6 +40,7 @@ in {
          };
        };
      };
+    };
    networking.firewall.allowedTCPPorts = [6379];
  };
 }
--- a/systems/minimalLXCConfig.nix
+++ b/systems/minimalLXCConfig.nix
@ -129,7 +129,7 @@
    rsyslogd = {
      enable = true;
      extraConfig = ''
-        *.* action(type="omfwd" target="192.168.1.27" port="1514" protocol="tcp")
+        *.* action(type="omfwd" target="192.168.1.27" port="1514" protocol="tcp" Template="RSYSLOG_SyslogProtocol23Format")
      '';
    };
    prometheus = {