Add crowdsec module and cs-firewall-bouncer package

flake.nix

@@ -68,8 +68,53 @@
           "${inputs.self}/services"
           {
             networking.hostName = "nginx";
-            services.vm_nginx = {
-              enable = true;
+            services
+              vm_nginx = {
+                enable = true;
+              };
+              crowdsec = {
+                enable = true;
+                autoUpdateService = false;
+                settings = {
+                  general = {
+                    api = {
+                      server = {
+                        enable = false;
+                      };
+                    };
+                    prometheus.listen_addr = "0.0.0.0";
+                  };
+                };
+                hub.collections = [
+                  "firix/authentik"
+                  "crowdsecurity/sshd"
+                  "crowdsecurity/linux"
+                  "crowdsecurity/nginx"
+                  "LePresidente/grafana"
+                  "LePresidente/jellyfin"
+                  "crowdsecurity/http-cve"
+                  "crowdsecurity/nextcloud"
+                  "crowdsecurity/base-http-scenarios"
+                ];
+                localConfig = {
+                  acquisitions = [
+                    {
+                      source = "journalctl";
+                      journalctl_filter = [ "_SYSTEMD_UNIT=sshd.service" ];
+                      labels = {
+                        type = "syslog";
+                      };
+                    }
+                    {
+                      source = "file";
+
+                      labels = {
+                        type = "syslog";
+                      };
+                    }
+                  ];
+                };
+              };
             };
           }
         ];

packages/cs-firewall-bouncer/default.nix

@@ -0,0 +1,28 @@
+{
+  lib,
+  buildGoModule,
+  fetchFromGitHub,
+}:
+buildGoModule rec {
+  pname = "cs-firewall-bouncer";
+  version = "0.0.31";
+
+  src = fetchFromGitHub {
+    owner = "crowdsecurity";
+    repo = pname;
+    rev = "v${version}";
+    hash = "sha256-59MWll8v00CF4WA53gjHZSTFc8hpYaHENg9O7LgTCrA=";
+  };
+
+  vendorHash = "sha256-7Jxvg8UEjUxnIz1llvXyI2AefJ31OVdNzhWD/C8wU/Y=";
+
+  meta = with lib; {
+    homepage = "https://crowdsec.net/";
+    changelog = "https://github.com/crowdsecurity/${pname}/releases/tag/v${version}";
+    description = "Crowdsec bouncer for firewalls.";
+    longDescription = ''
+      crowdsec-firewall-bouncer will fetch new and old decisions from a CrowdSec API to add them in a blocklist used by supported firewalls.
+    '';
+    license = licenses.mit;
+  };
+}

services/grafana/default.nix

@@ -163,14 +163,6 @@ in {
             }
           ];
         }
-        {
-          job_name = "crowdsec_nextcloud";
-          static_configs = [
-            {
-              targets = ["192.168.1.45:6060"];
-            }
-          ];
-        }
         {
           job_name = "deluge";
           static_configs = [
@@ -187,14 +179,6 @@ in {
             }
           ];
         }
-        {
-          job_name = "crowdsec_jellyfin";
-          static_configs = [
-            {
-              targets = ["192.168.1.42:6060"];
-            }
-          ];
-        }
       ];
     };
     services.loki = {