Try to implement crowdsec everywhere, connected to central lapi

2025-04-04 17:30:31 +02:00 · 2025-04-04 17:30:31 +02:00 · d90a031c68
commit d90a031c68
parent 4d337df460
4 changed files with 319 additions and 278 deletions
--- a/services/nginx/default.nix
+++ b/services/nginx/default.nix
@ -15,12 +15,6 @@ in {
    };
  };
  config = lib.mkIf cfg.enable {
-    age.secrets = {
-      cs-lapi-key = {
-        file = ./secrets/cs-lapi-key.age;
-        owner = "crowdsec";
-      };
-    };
    security.acme = {
      acceptTerms = true;
      defaults.email = "theo.barnouin@le43.eu";
@ -34,14 +28,10 @@ in {
        package = inputs.crowdsec.packages."x86_64-linux".crowdsec-firewall-bouncer;
        settings = {
          api_key = "XIgNVuxdP74m+UPbd3WJnHHJdLhRiTbhuH6z2mPRIFg";
-          api_url = "http://127.0.0.1:8080";
+          api_url = "http://${cfg.proxy_ip}:8080";
        };
      };
      crowdsec = {
-        enable = true;
-        package = pkgs.crowdsec;
-        autoUpdateService = false;
-        openFirewall = true;
        settings = {
          general = {
            api = {
@ -50,19 +40,14 @@ in {
                listen_uri = "${cfg.proxy_ip}:8080";
              };
            };
-            prometheus.listen_addr = "0.0.0.0";
          };
-          lapi.credentialsFile = "${config.age.secrets.cs-lapi-key.path}";
        };
        hub.collections = [
          "firix/authentik"
          "crowdsecurity/sshd"
          "crowdsecurity/linux"
          "crowdsecurity/nginx"
-          "LePresidente/grafana"
-          "LePresidente/jellyfin"
          "crowdsecurity/http-cve"
-          "crowdsecurity/nextcloud"
          "crowdsecurity/base-http-scenarios"
        ];
        localConfig = {