death916/nixconfig
1
0
Fork 0
mirror of https://github.com/Death916/nixconfig.git synced 2026-04-10 02:54:39 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions

crowdsec

Browse source
This commit is contained in:
death916 2026-01-16 02:39:05 -08:00
parent 3386a48e07
commit bf99af9f63
2 changed files with 69 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

68
modules/nixos/orac/crowdsec.nix Normal file
View file

@ -0,0 +1,68 @@
{ config, pkgs, ... }:
{
# 1. Enable the CrowdSec Security Engine
services.crowdsec = {
enable = true;
# Automated hub management
hub = {
collections = [
"crowdsecurity/linux" # Base linux protection
"crowdsecurity/sshd" # SSH brute force
"crowdsecurity/traefik" # Traefik log parsing
"crowdsecurity/http-cve" # Generic HTTP attacks
];
};
# 2. Configure log sources (Acquisitions)
localConfig.acquisitions = [
# Monitor SSH and System Auth via Systemd Journal
{
source = "journalctl";
journalctl_filter = [ "_SYSTEMD_UNIT=sshd.service" ];
labels.type = "syslog";
}
{
source = "journalctl";
journalctl_filter = [ "SYSLOG_IDENTIFIER=sudo" "SYSLOG_IDENTIFIER=auth" ];
labels.type = "syslog";
}
# Monitor Traefik logs from Docker via Journald
{
source = "journalctl";
journalctl_filter = [ "_SYSTEMD_UNIT=docker-traefik.service" ]; # Matches your Traefik service unit
labels.type = "traefik";
}
];
# Required for the Local API (LAPI) to function
settings = {
api.server.enable = true;
};
};
# 3. Enable the Firewall Bouncer (Remediation)
services.crowdsec-firewall-bouncer = {
enable = true;
# Automatically register the bouncer with the local CrowdSec engine
registerBouncer = true;
# Using the 'settings' attribute for fine-grained configuration
settings = {
mode = "nftables"; # Modern NixOS uses nftables by default
log_level = "info";
update_frequency = "10s";
# The API URL for the local engine
api_url = "http://127.0.0.1:8080/";
};
};
# 4. Permissions: Ensure CrowdSec can read logs from systemd-journal
# The crowdsec service runs as its own user. It needs to be in the 'systemd-journal' group
# to read journalctl logs.
users.users.crowdsec.extraGroups = [ "systemd-journal" ];
}

1
nixos/orac.nix
View file

@ -9,6 +9,7 @@
../modules/nixos/orac/restic.nix ../modules/nixos/orac/restic.nix
../modules/containers/docker/karakeep/docker-compose.nix ../modules/containers/docker/karakeep/docker-compose.nix
../modules/nixos/orac/monitoring.nix ../modules/nixos/orac/monitoring.nix
../modules/nixos/orac/crowdsec.nix
]; ];
networking.firewall = { networking.firewall = {