death916/nixconfig
1
0
Fork 0
mirror of https://github.com/Death916/nixconfig.git synced 2026-04-11 04:48:25 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions
nixconfig/modules/containers/docker/crowdsec/crowdsec.nix
death916 c2d5ab5d72 flake update and crowdsec whitelist
2026-02-07 03:10:27 -08:00

105 lines
2.9 KiB
Nix
Raw Blame History

{ config, pkgs, ... }:
let
configDir = "/var/lib/crowdsec/config";
dataDir = "/var/lib/crowdsec/data";
bouncerEnvFile = "/var/lib/crowdsec/bouncer.env";
acquisYaml = pkgs.writeText "acquis.yaml" ''
---
source: docker
container_name:
- traefik
labels:
type: traefik
---
source: journalctl
journalctl_filter:
- "_SYSTEMD_UNIT=sshd.service"
labels:
type: syslog
---
source: journalctl
journalctl_filter:
- "_SYSTEMD_UNIT=vaultwarden.service"
labels:
type: vaultwarden
---
source: journalctl
journalctl_filter:
- "SYSLOG_IDENTIFIER=sudo"
- "SYSLOG_IDENTIFIER=auth"
labels:
type: syslog
'';
whitelistYaml = pkgs.writeText "tailscale-whitelist.yaml" ''
name: my/tailscale_whitelist
description: "Whitelist Tailscale IPs"
whitelist:
reason: "Tailscale / Internal"
cidr:
- "100.64.0.0/10"
'';
nextcloudWhitelistYaml = pkgs.writeText "nextcloud-whitelist.yaml" ''
name: my/nextcloud_whitelist
description: "Whitelist Nextcloud URLs to prevent false positives"
whitelist:
reason: "Nextcloud Sync / Mobile App"
expression:
- "evt.Parsed.request contains '/remote.php/dav/'"
- "evt.Parsed.request contains '/index.php/svg/'"
- "evt.Parsed.request contains '/status.php'"
'';
in
{
virtualisation.docker.enable = true;
virtualisation.oci-containers.backend = "docker";
systemd.tmpfiles.rules = [
"d ${configDir} 0755 root root -"
"d ${dataDir} 0755 root root -"
"f ${bouncerEnvFile} 0600 root root -"
];
virtualisation.oci-containers.containers.crowdsec = {
image = "crowdsecurity/crowdsec:latest-debian";
autoStart = true;
ports = [ "127.0.0.1:8080:8080" "127.0.0.1:6060:6060" ];
environment = {
COLLECTIONS = "crowdsecurity/linux crowdsecurity/sshd crowdsecurity/traefik crowdsecurity/http-cve Dominic-Wagner/vaultwarden";
GID = "0";
};
volumes = [
"${configDir}:/etc/crowdsec"
"${dataDir}:/var/lib/crowdsec/data"
"/var/run/docker.sock:/var/run/docker.sock"
"/var/log/journal:/var/log/journal:ro"
"/run/log/journal:/run/log/journal:ro"
"/etc/machine-id:/etc/machine-id:ro"
"${acquisYaml}:/etc/crowdsec/acquis.yaml"
"${whitelistYaml}:/etc/crowdsec/parsers/s02-enrich/tailscale-whitelist.yaml"
"${nextcloudWhitelistYaml}:/etc/crowdsec/parsers/s02-enrich/nextcloud-whitelist.yaml"
];
};
services.crowdsec-firewall-bouncer = {
enable = true;
settings = {
mode = "iptables";
log_level = "info";
update_frequency = "10s";
api_url = "http://127.0.0.1:8080/";
api_key = "\${BOUNCER_API_KEY}";
iptables_chains = [ "INPUT" "DOCKER-USER" ];
};
};
systemd.services.crowdsec-firewall-bouncer.serviceConfig = {
EnvironmentFile = bouncerEnvFile;
Environment = [ "CREDENTIALS_DIRECTORY=/var/lib/crowdsec" ];
};
}
Reference in a new issue View git blame Copy permalink