Try to implement crowdsec everywhere, connected to central lapi

2025-04-04 17:30:31 +02:00 · 2025-04-04 17:30:31 +02:00 · d90a031c68
commit d90a031c68
parent 4d337df460
4 changed files with 319 additions and 278 deletions
--- a/services/minimalConfig/default.nix
+++ b/services/minimalConfig/default.nix
@ -91,6 +91,13 @@
    ];
  };

+  age.secrets = {
+    cs-lapi-key = {
+      file = ./secrets/cs-lapi-key.age;
+      owner = "crowdsec";
+    };
+  };
+
  services = {
    openssh = {
      enable = true;
@ -107,6 +114,21 @@
    fail2ban = {
      enable = true;
    };
+    crowdsec = {
+      enable = true;
+      package = pkgs.crowdsec;
+      autoUpdateService = false;
+      openFirewall = true;
+      settings = {
+        general = {
+          prometheus.listen_addr = "0.0.0.0";
+        };
+        lapi.credentialsFile = "${config.age.secrets.cs-lapi-key.path}";
+      };
+      hub.collections = [
+        "crowdsecurity/linux"
+      ];
+    };
    rsyslogd = {
      enable = true;
      extraConfig = "*.*@192.168.1.27:514;RSYSLOG_SyslogProtocol23Format";