tbarnouin/nixos-hypervisor
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Try pre-commit and formatting with alejandra
Some checks are pending
/ Build Nix targets (push) Waiting to run
Details

Browse source
This commit is contained in:
Théo Barnouin 2025-06-05 10:41:53 +02:00
parent 0eb6154c32
commit 32b60f1ff9
16 changed files with 325 additions and 248 deletions
Download patch file Download diff file Expand all files Collapse all files

397
modules/crowdsec.nix
View file

@ -3,10 +3,8 @@
pkgs,
lib,
...
}:
let
format = pkgs.formats.yaml { };
}: let
format = pkgs.formats.yaml {};
rootDir = "/var/lib/crowdsec";
stateDir = "${rootDir}/state";
@ -22,14 +20,11 @@ let
localParsersS01ParseDir = "${parsersDir}/s01-parse/";
localParsersS02EnrichDir = "${parsersDir}/s02-enrich/";
localContextsDir = "${confDir}/contexts/";
in
{
in {
options.services.crowdsec = with lib; {
enable = mkEnableOption "CrowdSec Security Engine";
package = mkPackageOption pkgs "crowdsec" { };
package = mkPackageOption pkgs "crowdsec" {};
autoUpdateService = mkEnableOption "Auto Hub Update";
@ -61,7 +56,7 @@ in
options = {
acquisitions = mkOption {
type = types.listOf format.type;
default = [ ];
default = [];
description = ''
A list of acquisition specifications, which define the data sources you want to be parsed.
See <https://docs.crowdsec.net/docs/data_sources/intro> for details.
@ -69,7 +64,7 @@ in
example = [
{
source = "journalctl";
journalctl_filter = [ "_SYSTEMD_UNIT=sshd.service" ];
journalctl_filter = ["_SYSTEMD_UNIT=sshd.service"];
labels = {
type = "syslog";
};
@ -78,7 +73,7 @@ in
};
scenarios = mkOption {
type = types.listOf format.type;
default = [ ];
default = [];
description = ''
A list of scenarios specifications.
See <https://docs.crowdsec.net/docs/scenarios/intro> for details.
@ -100,7 +95,7 @@ in
options = {
s00Raw = mkOption {
type = types.listOf format.type;
default = [ ];
default = [];
description = ''
A list of stage s00-raw specifications. Most of the time, those are already included in the hub, but are presented here anyway.
See <https://docs.crowdsec.net/docs/parsers/intro> for details.
@ -108,7 +103,7 @@ in
};
s01Parse = mkOption {
type = types.listOf format.type;
default = [ ];
default = [];
description = ''
A list of stage s01-parse specifications.
See <https://docs.crowdsec.net/docs/parsers/intro> for details.
@ -135,7 +130,7 @@ in
};
s02Enrich = mkOption {
type = types.listOf format.type;
default = [ ];
default = [];
description = ''
A list of stage s02-enrich specifications. Inside this list, you can specify Parser Whitelists.
See <https://docs.crowdsec.net/docs/whitelist/intro> for details.
@ -158,14 +153,14 @@ in
};
};
};
default = { };
default = {};
};
postOverflows = mkOption {
type = types.submodule {
options = {
s01Whitelist = mkOption {
type = types.listOf format.type;
default = [ ];
default = [];
description = ''
A list of stage s01-whitelist specifications. Inside this list, you can specify Postoverflows Whitelists.
See <https://docs.crowdsec.net/docs/whitelist/intro> for details.
@ -185,7 +180,7 @@ in
};
};
};
default = { };
default = {};
};
contexts = mkOption {
type = types.listOf format.type;
@ -196,14 +191,14 @@ in
example = [
{
context = {
target_uri = [ "evt.Meta.http_path" ];
user_agent = [ "evt.Meta.http_user_agent" ];
method = [ "evt.Meta.http_verb" ];
status = [ "evt.Meta.http_status" ];
target_uri = ["evt.Meta.http_path"];
user_agent = ["evt.Meta.http_user_agent"];
method = ["evt.Meta.http_verb"];
status = ["evt.Meta.http_status"];
};
}
];
default = [ ];
default = [];
};
notifications = mkOption {
type = types.listOf format.type;
@ -223,7 +218,7 @@ in
method = "POST";
}
];
default = [ ];
default = [];
};
profiles = mkOption {
type = types.listOf format.type;
@ -290,14 +285,14 @@ in
};
patterns = mkOption {
type = types.listOf types.package;
default = [ ];
default = [];
example = lib.literalExpression ''
[ (pkgs.writeTextDir "custom_service_logs" (builtins.readFile ./custom_service_logs)) ]
'';
};
};
};
default = { };
default = {};
};
hub = mkOption {
@ -305,48 +300,48 @@ in
options = {
collections = mkOption {
type = types.listOf types.str;
default = [ ];
default = [];
description = "List of hub collections to install";
example = [ "crowdsecurity/linux" ];
example = ["crowdsecurity/linux"];
};
scenarios = mkOption {
type = types.listOf types.str;
default = [ ];
default = [];
description = "List of hub scenarios to install";
example = [ "crowdsecurity/ssh-bf" ];
example = ["crowdsecurity/ssh-bf"];
};
parsers = mkOption {
type = types.listOf types.str;
default = [ ];
default = [];
description = "List of hub parsers to install";
example = [ "crowdsecurity/sshd-logs" ];
example = ["crowdsecurity/sshd-logs"];
};
postOverflows = mkOption {
type = types.listOf types.str;
default = [ ];
default = [];
description = "List of hub postoverflows to install";
example = [ "crowdsecurity/auditd-nix-wrappers-whitelist-process" ];
example = ["crowdsecurity/auditd-nix-wrappers-whitelist-process"];
};
appSecConfigs = mkOption {
type = types.listOf types.str;
default = [ ];
default = [];
description = "List of hub appsec configurations to install";
example = [ "crowdsecurity/appsec-default" ];
example = ["crowdsecurity/appsec-default"];
};
appSecRules = mkOption {
type = types.listOf types.str;
default = [ ];
default = [];
description = "List of hub appsec rules to install";
example = [ "crowdsecurity/base-config" ];
example = ["crowdsecurity/base-config"];
};
};
};
default = { };
default = {};
description = ''
Hub collections, parsers, AppSec rules, etc.
'';
@ -361,7 +356,7 @@ in
Refer to the defaults at <https://github.com/crowdsecurity/crowdsec/blob/master/config/config.yaml>.
'';
type = format.type;
default = { };
default = {};
};
simulation = mkOption {
type = format.type;
@ -389,7 +384,7 @@ in
description = ''
LAPI Configuration attributes
'';
default = { };
default = {};
};
capi = mkOption {
type = types.submodule {
@ -407,7 +402,7 @@ in
description = ''
CAPI Configuration attributes
'';
default = { };
default = {};
};
console = mkOption {
type = types.submodule {
@ -437,133 +432,130 @@ in
description = ''
Console Configuration attributes
'';
default = { };
default = {};
};
};
};
};
};
config =
let
cfg = config.services.crowdsec;
configFile = format.generate "crowdsec.yaml" cfg.settings.general;
simulationFile = format.generate "simulation.yaml" cfg.settings.simulation;
consoleFile = format.generate "console.yaml" cfg.settings.console.configuration;
patternsDir = pkgs.buildPackages.symlinkJoin {
name = "crowdsec-patterns";
paths = [
cfg.localConfig.patterns
"${lib.attrsets.getOutput "out" cfg.package}/share/crowdsec/config/patterns/"
];
};
config = let
cfg = config.services.crowdsec;
configFile = format.generate "crowdsec.yaml" cfg.settings.general;
simulationFile = format.generate "simulation.yaml" cfg.settings.simulation;
consoleFile = format.generate "console.yaml" cfg.settings.console.configuration;
patternsDir = pkgs.buildPackages.symlinkJoin {
name = "crowdsec-patterns";
paths = [
cfg.localConfig.patterns
"${lib.attrsets.getOutput "out" cfg.package}/share/crowdsec/config/patterns/"
];
};
cscli = pkgs.writeShellScriptBin "cscli" ''
set -euo pipefail
# cscli needs crowdsec on it's path in order to be able to run `cscli explain`
export PATH="$PATH:${lib.makeBinPath [ cfg.package ]}"
sudo=exec
if [ "$USER" != "${cfg.user}" ]; then
sudo='exec /run/wrappers/bin/sudo -u ${cfg.user}'
fi
$sudo ${lib.getExe' cfg.package "cscli"} -c=${configFile} "$@"
'';
cscli = pkgs.writeShellScriptBin "cscli" ''
set -euo pipefail
# cscli needs crowdsec on it's path in order to be able to run `cscli explain`
export PATH="$PATH:${lib.makeBinPath [cfg.package]}"
sudo=exec
if [ "$USER" != "${cfg.user}" ]; then
sudo='exec /run/wrappers/bin/sudo -u ${cfg.user}'
fi
$sudo ${lib.getExe' cfg.package "cscli"} -c=${configFile} "$@"
'';
localScenariosMap = (map (format.generate "scenario.yaml") cfg.localConfig.scenarios);
localParsersS00RawMap = (
map (format.generate "parsers-s00-raw.yaml") cfg.localConfig.parsers.s00Raw
);
localParsersS01ParseMap = (
map (format.generate "parsers-s01-parse.yaml") cfg.localConfig.parsers.s01Parse
);
localParsersS02EnrichMap = (
map (format.generate "parsers-s02-enrich.yaml") cfg.localConfig.parsers.s02Enrich
);
localPostOverflowsS01WhitelistMap = (
map (format.generate "postoverflows-s01-whitelist.yaml") cfg.localConfig.postOverflows.s01Whitelist
);
localContextsMap = (map (format.generate "context.yaml") cfg.localConfig.contexts);
localNotificationsMap = (map (format.generate "notification.yaml") cfg.localConfig.notifications);
localProfilesFile = pkgs.writeText "local_profiles.yaml" ''
---
${lib.strings.concatMapStringsSep "\n---\n" builtins.toJSON cfg.localConfig.profiles}
---
'';
localAcquisisionFile = pkgs.writeText "local_acquisisions.yaml" ''
---
${lib.strings.concatMapStringsSep "\n---\n" builtins.toJSON cfg.localConfig.acquisitions}
---
'';
localScenariosMap = map (format.generate "scenario.yaml") cfg.localConfig.scenarios;
localParsersS00RawMap = (
map (format.generate "parsers-s00-raw.yaml") cfg.localConfig.parsers.s00Raw
);
localParsersS01ParseMap = (
map (format.generate "parsers-s01-parse.yaml") cfg.localConfig.parsers.s01Parse
);
localParsersS02EnrichMap = (
map (format.generate "parsers-s02-enrich.yaml") cfg.localConfig.parsers.s02Enrich
);
localPostOverflowsS01WhitelistMap = (
map (format.generate "postoverflows-s01-whitelist.yaml") cfg.localConfig.postOverflows.s01Whitelist
);
localContextsMap = map (format.generate "context.yaml") cfg.localConfig.contexts;
localNotificationsMap = map (format.generate "notification.yaml") cfg.localConfig.notifications;
localProfilesFile = pkgs.writeText "local_profiles.yaml" ''
---
${lib.strings.concatMapStringsSep "\n---\n" builtins.toJSON cfg.localConfig.profiles}
---
'';
localAcquisisionFile = pkgs.writeText "local_acquisisions.yaml" ''
---
${lib.strings.concatMapStringsSep "\n---\n" builtins.toJSON cfg.localConfig.acquisitions}
---
'';
scriptArray =
[
"set -euo pipefail"
"${lib.getExe cscli} hub update"
]
++ lib.optionals (cfg.hub.collections != [ ]) [
"${lib.getExe cscli} collections install ${
lib.strings.concatMapStringsSep " " (x: lib.escapeShellArg x) cfg.hub.collections
}"
]
++ lib.optionals (cfg.hub.scenarios != [ ]) [
"${lib.getExe cscli} scenarios install ${
lib.strings.concatMapStringsSep " " (x: lib.escapeShellArg x) cfg.hub.scenarios
}"
]
++ lib.optionals (cfg.hub.parsers != [ ]) [
"${lib.getExe cscli} parsers install ${
lib.strings.concatMapStringsSep " " (x: lib.escapeShellArg x) cfg.hub.parsers
}"
]
++ lib.optionals (cfg.hub.postOverflows != [ ]) [
"${lib.getExe cscli} postoverflows install ${
lib.strings.concatMapStringsSep " " (x: lib.escapeShellArg x) cfg.hub.postOverflows
}"
]
++ lib.optionals (cfg.hub.appSecConfigs != [ ]) [
"${lib.getExe cscli} appsec-configs install ${
lib.strings.concatMapStringsSep " " (x: lib.escapeShellArg x) cfg.hub.appSecConfigs
}"
]
++ lib.optionals (cfg.hub.appSecRules != [ ]) [
"${lib.getExe cscli} appsec-rules install ${
lib.strings.concatMapStringsSep " " (x: lib.escapeShellArg x) cfg.hub.appSecRules
}"
]
++ lib.optionals (cfg.settings.general.api.server.enable) [
''
if [ ! -s "${cfg.settings.general.api.client.credentials_path}" ]; then
${lib.getExe cscli} machine add "${cfg.name}" --auto
fi
''
]
++ lib.optionals (cfg.settings.capi.credentialsFile != null) [
''
if ! grep -q password "${cfg.settings.capi.credentialsFile}" ]; then
${lib.getExe cscli} capi register
fi
''
]
++ lib.optionals (cfg.settings.console.tokenFile != null) [
''
if [ ! -e "${cfg.settings.console.tokenFile}" ]; then
${lib.getExe cscli} console enroll "$(cat ${cfg.settings.console.tokenFile})" --name ${cfg.name}
fi
''
];
scriptArray =
[
"set -euo pipefail"
"${lib.getExe cscli} hub update"
]
++ lib.optionals (cfg.hub.collections != []) [
"${lib.getExe cscli} collections install ${
lib.strings.concatMapStringsSep " " (x: lib.escapeShellArg x) cfg.hub.collections
}"
]
++ lib.optionals (cfg.hub.scenarios != []) [
"${lib.getExe cscli} scenarios install ${
lib.strings.concatMapStringsSep " " (x: lib.escapeShellArg x) cfg.hub.scenarios
}"
]
++ lib.optionals (cfg.hub.parsers != []) [
"${lib.getExe cscli} parsers install ${
lib.strings.concatMapStringsSep " " (x: lib.escapeShellArg x) cfg.hub.parsers
}"
]
++ lib.optionals (cfg.hub.postOverflows != []) [
"${lib.getExe cscli} postoverflows install ${
lib.strings.concatMapStringsSep " " (x: lib.escapeShellArg x) cfg.hub.postOverflows
}"
]
++ lib.optionals (cfg.hub.appSecConfigs != []) [
"${lib.getExe cscli} appsec-configs install ${
lib.strings.concatMapStringsSep " " (x: lib.escapeShellArg x) cfg.hub.appSecConfigs
}"
]
++ lib.optionals (cfg.hub.appSecRules != []) [
"${lib.getExe cscli} appsec-rules install ${
lib.strings.concatMapStringsSep " " (x: lib.escapeShellArg x) cfg.hub.appSecRules
}"
]
++ lib.optionals (cfg.settings.general.api.server.enable) [
''
if [ ! -s "${cfg.settings.general.api.client.credentials_path}" ]; then
${lib.getExe cscli} machine add "${cfg.name}" --auto
fi
''
]
++ lib.optionals (cfg.settings.capi.credentialsFile != null) [
''
if ! grep -q password "${cfg.settings.capi.credentialsFile}" ]; then
${lib.getExe cscli} capi register
fi
''
]
++ lib.optionals (cfg.settings.console.tokenFile != null) [
''
if [ ! -e "${cfg.settings.console.tokenFile}" ]; then
${lib.getExe cscli} console enroll "$(cat ${cfg.settings.console.tokenFile})" --name ${cfg.name}
fi
''
];
setupScript = pkgs.writeShellScriptBin "crowdsec-setup" (
lib.strings.concatStringsSep "\n" scriptArray
);
in
setupScript = pkgs.writeShellScriptBin "crowdsec-setup" (
lib.strings.concatStringsSep "\n" scriptArray
);
in
lib.mkIf (cfg.enable) {
warnings =
[ ]
++ lib.optionals (cfg.localConfig.profiles == [ ]) [
[]
++ lib.optionals (cfg.localConfig.profiles == []) [
"By not specifying profiles in services.crowdsec.localConfig.profiles, CrowdSec will not react to any alert by default."
]
++ lib.optionals (cfg.localConfig.acquisitions == [ ]) [
++ lib.optionals (cfg.localConfig.acquisitions == []) [
"By not specifying acquisitions in services.crowdsec.localConfig.acquisitions, CrowdSec will not look for any data source."
];
@ -624,14 +616,14 @@ in
};
environment = {
systemPackages = [ cscli ];
systemPackages = [cscli];
};
systemd.packages = [ cfg.package ];
systemd.packages = [cfg.package];
systemd.timers.crowdsec-update-hub = lib.mkIf (cfg.autoUpdateService) {
description = "Update the crowdsec hub index";
wantedBy = [ "timers.target" ];
wantedBy = ["timers.target"];
timerConfig = {
OnCalendar = "daily";
Persistent = "yes";
@ -696,16 +688,16 @@ in
RestrictSUIDSGID = true;
ExecStart = "${lib.getExe cscli} --error hub update";
ExecStartPost = "systemctl reload crowdsec.service";
LogLevelMax=5;
LogLevelMax = 5;
};
};
crowdsec = {
description = "CrowdSec is a free, modern & collaborative behavior detection engine, coupled with a global IP reputation network.";
wantedBy = [ "multi-user.target" ];
after = [ "network-online.target" ];
wants = [ "network-online.target" ];
path = lib.mkForce [ ];
wantedBy = ["multi-user.target"];
after = ["network-online.target"];
wants = ["network-online.target"];
path = lib.mkForce [];
environment = {
LC_ALL = "C";
LANG = "C";
@ -778,7 +770,7 @@ in
"${lib.getExe setupScript}"
"${lib.getExe' cfg.package "crowdsec"} -c ${configFile} -t -error"
];
LogLevelMax=5;
LogLevelMax = 5;
};
};
};
@ -787,32 +779,32 @@ in
"10-crowdsec" =
builtins.listToAttrs (
map
(dirName: {
inherit cfg;
name = lib.strings.normalizePath dirName;
value = {
d = {
user = cfg.user;
group = cfg.group;
mode = "0750";
};
(dirName: {
inherit cfg;
name = lib.strings.normalizePath dirName;
value = {
d = {
user = cfg.user;
group = cfg.group;
mode = "0750";
};
})
[
stateDir
hubDir
confDir
localScenariosDir
localPostOverflowsDir
localPostOverflowsS01WhitelistDir
parsersDir
localParsersS00RawDir
localParsersS01ParseDir
localParsersS02EnrichDir
localContextsDir
notificationsDir
pluginDir
]
};
})
[
stateDir
hubDir
confDir
localScenariosDir
localPostOverflowsDir
localPostOverflowsS01WhitelistDir
parsersDir
localParsersS00RawDir
localParsersS01ParseDir
localParsersS02EnrichDir
localContextsDir
notificationsDir
pluginDir
]
)
// builtins.listToAttrs (
map (scenarioFile: {
@ -824,7 +816,8 @@ in
argument = "${scenarioFile}";
};
};
}) localScenariosMap
})
localScenariosMap
)
// builtins.listToAttrs (
map (parser: {
@ -836,7 +829,8 @@ in
argument = "${parser}";
};
};
}) localParsersS00RawMap
})
localParsersS00RawMap
)
// builtins.listToAttrs (
map (parser: {
@ -848,7 +842,8 @@ in
argument = "${parser}";
};
};
}) localParsersS01ParseMap
})
localParsersS01ParseMap
)
// builtins.listToAttrs (
map (parser: {
@ -860,7 +855,8 @@ in
argument = "${parser}";
};
};
}) localParsersS02EnrichMap
})
localParsersS02EnrichMap
)
// builtins.listToAttrs (
map (postoverflow: {
@ -872,7 +868,8 @@ in
argument = "${postoverflow}";
};
};
}) localPostOverflowsS01WhitelistMap
})
localPostOverflowsS01WhitelistMap
)
// builtins.listToAttrs (
map (context: {
@ -884,7 +881,8 @@ in
argument = "${context}";
};
};
}) localContextsMap
})
localContextsMap
)
// builtins.listToAttrs (
map (notification: {
@ -896,7 +894,8 @@ in
argument = "${notification}";
};
};
}) localNotificationsMap
})
localNotificationsMap
);
};
@ -905,10 +904,10 @@ in
description = lib.mkDefault "CrowdSec service user";
isSystemUser = true;
group = cfg.group;
extraGroups = [ "systemd-journal" ];
extraGroups = ["systemd-journal"];
};
users.groups.${cfg.group} = lib.mapAttrs (name: lib.mkDefault) { };
users.groups.${cfg.group} = lib.mapAttrs (name: lib.mkDefault) {};
networking.firewall.allowedTCPPorts = lib.mkIf cfg.openFirewall [
6060