Add crowdsec module and cs-firewall-bouncer package

2025-04-04 10:30:17 +02:00 · 2025-04-04 10:30:17 +02:00 · fdded71651
commit fdded71651
parent 7e84f9861d
3 changed files with 75 additions and 18 deletions
--- a/flake.nix
+++ b/flake.nix
@ -68,8 +68,53 @@
          "${inputs.self}/services"
          {
            networking.hostName = "nginx";
-            services.vm_nginx = {
-              enable = true;
+            services
+              vm_nginx = {
+                enable = true;
+              };
+              crowdsec = {
+                enable = true;
+                autoUpdateService = false;
+                settings = {
+                  general = {
+                    api = {
+                      server = {
+                        enable = false;
+                      };
+                    };
+                    prometheus.listen_addr = "0.0.0.0";
+                  };
+                };
+                hub.collections = [
+                  "firix/authentik"
+                  "crowdsecurity/sshd"
+                  "crowdsecurity/linux"
+                  "crowdsecurity/nginx"
+                  "LePresidente/grafana"
+                  "LePresidente/jellyfin"
+                  "crowdsecurity/http-cve"
+                  "crowdsecurity/nextcloud"
+                  "crowdsecurity/base-http-scenarios"
+                ];
+                localConfig = {
+                  acquisitions = [
+                    {
+                      source = "journalctl";
+                      journalctl_filter = [ "_SYSTEMD_UNIT=sshd.service" ];
+                      labels = {
+                        type = "syslog";
+                      };
+                    }
+                    {
+                      source = "file";
+
+                      labels = {
+                        type = "syslog";
+                      };
+                    }
+                  ];
+                };
+              };
            };
          }
        ];