configured crowdsec

2025-04-25 16:08:30 +02:00 · 2023-07-27 23:25:08 +02:00 · 2023-07-27 23:25:08 +02:00 · 60e1f3c3d0
commit 60e1f3c3d0
parent 5fa24530b1
9 changed files with 196 additions and 17 deletions
--- a/hosts/falkenstein-1/default.nix
+++ b/hosts/falkenstein-1/default.nix
@ -5,6 +5,7 @@
    [
      # Include the results of the hardware scan.
      ./hardware-configuration.nix
+      ./modules/crowdsec
      ./modules/mail
      ./modules/networks
      ./modules/nginx
@ -39,8 +40,6 @@
    helix
    lsof
    python3
-    crowdsec
-    crowdsec-firewall-bouncer
  ];
  programs.git = {
    enable = true;
@ -70,6 +69,4 @@
  ];

  system.stateVersion = "22.11";
-
 }
-
--- a/hosts/falkenstein-1/modules/crowdsec/default.nix
+++ b/hosts/falkenstein-1/modules/crowdsec/default.nix
@ -0,0 +1,52 @@
+{ pkgs, lib, ... }:
+{
+  environment.systemPackages = with pkgs; [
+    crowdsec
+    crowdsec-firewall-bouncer
+    ipset
+  ];
+  services.postgresql = {
+    enable = true;
+    ensureUsers = [
+      {
+        name = "crowdsec";
+        ensurePermissions = {
+          "DATABASE crowdsec" = "ALL PRIVILEGES";
+        };
+      }
+    ];
+    ensureDatabases = [ "crowdsec" ];
+
+  };
+  systemd.services.crowdsec = {
+    after = [ "syslog.target" "network.target" "remote-fs.target" "nss-lookup.target" ];
+    description = "Crowdsec agent";
+    serviceConfig = {
+      Type = "notify";
+      ExecStartPre = "${lib.getExe pkgs.crowdsec} -t -error";
+      ExecStart = "${lib.getExe pkgs.crowdsec}";
+      ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
+      Restart = "always";
+      RestartSec = 60;
+    };
+    wantedBy = [ "multi-user.target" ];
+  };
+  systemd.services.crowdsec-firewall-bouncer = {
+    path = [ pkgs.ipset pkgs.iptables ];
+    after = [ "syslog.target" "network.target" "remote-fs.target" "nss-lookup.target" ];
+    before = [ "netfilter-persistent.service" ];
+    description = "Crowdsec firewall bouncer";
+    serviceConfig = {
+      # Type = "notify";
+      ExecStartPre = "${lib.getExe pkgs.crowdsec-firewall-bouncer} -c /etc/crowdsec/crowdsec-firewall-bouncer.yaml -t";
+      ExecStart = "${lib.getExe pkgs.crowdsec-firewall-bouncer} -c /etc/crowdsec/crowdsec-firewall-bouncer.yaml";
+      ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
+      Restart = "always";
+      RestartSec = 10;
+      LimitNOFILE = 65536;
+    };
+    wantedBy = [ "multi-user.target" ];
+  };
+
+
+}
--- a/hosts/thinkpad/default.nix
+++ b/hosts/thinkpad/default.nix
@ -103,7 +103,7 @@
      ];
  };

-  fonts.fonts = with pkgs; [
+  fonts.packages = with pkgs; [
    nerdfonts
    noto-fonts
    noto-fonts-cjk