tbarnouin/nixos-hypervisor
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Add crowdsec module and cs-firewall-bouncer package

Browse source
This commit is contained in:
Théo Barnouin 2025-04-04 10:36:38 +02:00
parent fdded71651
commit 6ec54454a2
3 changed files with 113 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
flake.nix
View file

@ -66,12 +66,16 @@
"${inputs.nixpkgs}/nixos/modules/virtualisation/proxmox-lxc.nix"
"${inputs.self}/systems/minimalLXCConfig.nix"
"${inputs.self}/services"
"${inputs.self}/modules"
{
networking.hostName = "nginx";
services
services = {
vm_nginx = {
enable = true;
};
crowdsec-firewall-bouncer = {
enable = true;
};
crowdsec = {
enable = true;
autoUpdateService = false;

102
modules/cs-firewall-bouncer.nix Normal file
View file

@ -0,0 +1,102 @@
{
config,
pkgs,
lib,
...
}: let
cfg = config.services.crowdsec-firewall-bouncer;
format = pkgs.formats.yaml {};
configFile = format.generate "crowdsec.yaml" cfg.settings;
pkg = cfg.package;
backend =
if config.networking.nftables.enable
then "nftables"
else "iptables";
defaultSettings = with lib; {
log_mode = "stdout";
mode = mkDefault backend;
ipset_type = mkDefault "nethash";
update_frequency = mkDefault "10s";
deny_action = mkDefault "DROP";
blacklists_ipv4 = mkDefault "crowdsec-blacklists";
blacklists_ipv6 = mkDefault "crowdsec6-blacklists";
iptables_chains = mkDefault ["INPUT"];
};
in {
options.services.crowdsec-firewall-bouncer = with lib; {
enable = mkEnableOption "CrowSec Firewall Bouncer";
package = mkPackageOption pkgs "crowdsec-firewall-bouncer" {};
settings = mkOption {
description = ''
Settings for CrowdSec Firewall Bouncer. Refer to <https://docs.crowdsec.net/u/bouncers/firewall/#configuration-directives> for details.
'';
type = format.type;
default = {};
};
};
config = lib.mkIf (cfg.enable) {
services.crowdsec-firewall-bouncer.settings = defaultSettings;
systemd.packages = [pkg];
systemd.services = {
crowdsec-firewall-bouncer = {
description = "Crowdsec Firewall Bouncer";
path = [pkg pkgs.ipset pkgs.iptables pkgs.nftables];
wantedBy = ["multi-user.target"];
partOf = ["firewall.service"];
serviceConfig = with lib; {
Type = "notify";
Restart = "on-failure";
RestartSec = 10;
LimitNOFILE = mkDefault 65536;
MemoryDenyWriteExecute = mkDefault true;
CapabilityBoundingSet = mkDefault ["CAP_NET_ADMIN" "CAP_NET_RAW"];
NoNewPrivileges = mkDefault true;
LockPersonality = mkDefault true;
RemoveIPC = mkDefault true;
ProtectSystem = mkDefault "strict";
ProtectHome = mkDefault true;
PrivateTmp = mkDefault true;
PrivateDevices = mkDefault true;
ProtectHostname = mkDefault true;
ProtectKernelTunables = mkDefault true;
ProtectKernelModules = mkDefault true;
ProtectControlGroups = mkDefault true;
ProtectProc = mkDefault "invisible";
ProcSubset = mkDefault "pid";
RestrictNamespaces = mkDefault true;
RestrictRealtime = mkDefault true;
RestrictSUIDSGID = mkDefault true;
SystemCallFilter = mkDefault ["@system-service" "@network-io"];
SystemCallArchitectures = ["native"];
SystemCallErrorNumber = mkDefault "EPERM";
ExecPaths = ["/nix/store"];
NoExecPaths = ["/"];
ExecStartPost = "${pkgs.coreutils}/bin/sleep 0.2";
ExecStart = "${pkg}/bin/cs-firewall-bouncer -c ${configFile}";
ExecStartPre = ["${pkg}/bin/cs-firewall-bouncer -t -c ${configFile}"];
};
};
};
};
}

6
modules/default.nix Normal file
View file

@ -0,0 +1,6 @@
{inputs, ...}: {
imports = [
./crowdsec.nix
./cs-firewall-bouncer.nix
];
}