From 1b85654de58d13bbd1b2b29b19604c1cb8480f8d Mon Sep 17 00:00:00 2001
From: death916
Date: Fri, 16 Jan 2026 03:34:51 -0800
Subject: [PATCH] crowdsec
---
 .../containers/docker/crowdsec/crowdsec.nix | 82 +++++++++++++++++++
 1 file changed, 82 insertions(+)
 create mode 100644 modules/containers/docker/crowdsec/crowdsec.nix
diff --git a/modules/containers/docker/crowdsec/crowdsec.nix b/modules/containers/docker/crowdsec/crowdsec.nix
new file mode 100644
index 0000000..371f5e4
--- /dev/null
+++ b/modules/containers/docker/crowdsec/crowdsec.nix
@@ -0,0 +1,82 @@
+{ config, pkgs, ... }:
+
+let
+ crowdsecImage = "crowdsecurity/crowdsec:latest";
+ bouncerImage = "crowdsecurity/crowdsec-firewall-bouncer:latest";
+
+ configDir = "/var/lib/crowdsec/config";
+ dataDir = "/var/lib/crowdsec/data";
+ bouncerDir = "/var/lib/crowdsec/bouncer-data";
+
+ acquisYaml = pkgs.writeText "acquis.yaml" ''
+ ---
+ source: docker
+ container_name:
+ - traefik
+ labels:
+ type: traefik
+ ---
+ source: journalctl
+ journalctl_filter:
+ - "_SYSTEMD_UNIT=sshd.service"
+ labels:
+ type: syslog
+ ---
+ source: journalctl
+ journalctl_filter:
+ - "SYSLOG_IDENTIFIER=sudo"
+ - "SYSLOG_IDENTIFIER=auth"
+ labels:
+ type: syslog
+ '';
+
+in
+{
+ virtualisation.docker.enable = true;
+ virtualisation.oci-containers.backend = "docker";
+
+ systemd.tmpfiles.rules = [
+ "d ${configDir} 0755 root root -"
+ "d ${dataDir} 0755 root root -"
+ "d ${bouncerDir} 0700 root root -"
+ "f ${bouncerDir}/bouncer.env 0600 root root -"
+ ];
+
+ virtualisation.oci-containers.containers = {
+
+ crowdsec = {
+ image = crowdsecImage;
+ autoStart = true;
+ environment = {
+ COLLECTIONS = "crowdsecurity/linux crowdsecurity/sshd crowdsecurity/traefik crowdsecurity/http-cve";
+ GID = "0";
+ };
+ volumes = [
+ "${configDir}:/etc/crowdsec"
+ "${dataDir}:/var/lib/crowdsec/data"
+ "/var/run/docker.sock:/var/run/docker.sock"
+ "/var/log/journal:/var/log/journal:ro"
+ "/run/log/journal:/run/log/journal:ro"
+ "/etc/machine-id:/etc/machine-id:ro"
+ "${acquisYaml}:/etc/crowdsec/acquis.yaml"
+ ];
+ };
+
+ crowdsec-bouncer = {
+ image = bouncerImage;
+ autoStart = true;
+ extraOptions = [
+ "--network=host"
+ "--privileged"
+ ];
+ environment = {
+ API_URL = "http://127.0.0.1:8080";
+ LOG_LEVEL = "info";
+ };
+ environmentFiles = [
+ "${bouncerDir}/bouncer.env"
+ ];
+ dependsOn = [ "crowdsec" ];
+ };
+ };
+}
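Review bot: The bouncer's `API_URL = "http://127.0.0.1:8080";` cannot reach the LAPI as written: the bouncer runs with `--network=host`, but the `crowdsec` container declares no `ports` and no host networking, so nothing listens on the host's loopback port 8080 and the bouncer will fail to register. Adding `ports = [ "127.0.0.1:8080:8080" ];` to the `crowdsec` container publishes the LAPI on loopback only, which matches the URL the bouncer expects without exposing it on other interfaces. Separately, `"--privileged"` gives the bouncer every capability and disables most of the container isolation; the firewall bouncer only needs to manipulate the host firewall, so replacing it with `"--cap-add=NET_ADMIN"` and `"--cap-add=NET_RAW"` is the least-privilege form (verify against the backend in use). The `crowdsec` container also gets a read-write bind of `/var/run/docker.sock`, which is equivalent to root on the host even though the `docker` acquisition source only reads container logs — consider a restricted socket proxy or at least documenting the trust implication in a comment beside that volume line. Both images are pinned to `:latest`, which makes the deployment non-reproducible and pulls unreviewed changes on every restart; pin a version tag or digest for `crowdsecImage` and `bouncerImage`.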