Try to use age for crowdsec lapi config

2025-04-04 15:30:24 +02:00 · 2025-04-04 15:30:24 +02:00 · 42792ec4d8
commit 42792ec4d8
parent 64986d2883
5 changed files with 85 additions and 85 deletions
--- a/services/grafana/default.nix
+++ b/services/grafana/default.nix
@ -124,7 +124,7 @@ in {
          ];
        }
        {
-          job_name = "nginx";
+          job_name = "crowdsec_nginx";
          static_configs = [
            {
              targets = ["${cfg.proxy_ip}:6060"];
--- a/services/nginx/default.nix
+++ b/services/nginx/default.nix
@ -2,6 +2,7 @@
  config,
  pkgs,
  lib,
+  inputs,
  ...
 }: let
  cfg = config.services.vm_nginx;
@ -10,6 +11,12 @@ in {
    enable = lib.mkEnableOption "Enable minimal config";
  };
  config = lib.mkIf cfg.enable {
+    age.secrets = {
+      cs-lapi-key = {
+        file = ./secrets/cs-lapi-key.age;
+        owner = "crowdsec";
+      };
+    };
    security.acme = {
      acceptTerms = true;
      defaults.email = "theo.barnouin@le43.eu";
@ -18,6 +25,54 @@ in {
      ];
    };
    services = {
+      crowdsec-firewall-bouncer = {
+        enable = true;
+        package = inputs.crowdsec.packages."x86_64-linux".crowdsec-firewall-bouncer;
+        settings = {
+          api_key = "XIgNVuxdP74m+UPbd3WJnHHJdLhRiTbhuH6z2mPRIFg";
+          api_url = "http://localhost:8080";
+        };
+      };
+      crowdsec = {
+        enable = true;
+        package = pkgs.crowdsec;
+        autoUpdateService = false;
+        openFirewall = true;
+        settings = {
+          general = {
+            api = {
+              server = {
+                enable = true;
+                listen_uri = "127.0.0.1:8080";
+              };
+            };
+            prometheus.listen_addr = "0.0.0.0";
+          };
+          lapi.credentialsFile = "${config.age.secrets.cs-api-key.path}";
+        };
+        hub.collections = [
+          "firix/authentik"
+          "crowdsecurity/sshd"
+          "crowdsecurity/linux"
+          "crowdsecurity/nginx"
+          "LePresidente/grafana"
+          "LePresidente/jellyfin"
+          "crowdsecurity/http-cve"
+          "crowdsecurity/nextcloud"
+          "crowdsecurity/base-http-scenarios"
+        ];
+        localConfig = {
+          acquisitions = [
+            {
+              source = "journalctl";
+              journalctl_filter = [ "_SYSTEMD_UNIT=sshd.service" ];
+              labels = {
+                type = "syslog";
+              };
+            }
+          ];
+        };
+      };
      fail2ban = {
        jails = {
          nginx-http-auth = ''