ashie/nixos-vps
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat: add CrowdSec security module

Browse source 
- Wraps native NixOS CrowdSec service
- Configures SSH and nginx log acquisition
- Installs linux/nginx/sshd hub collections
- Supports IP whitelisting and ban duration config
- Optional nginx bouncer integration (requires manual API key setup)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
ashisgreat22 2026-03-18 13:44:36 +01:00
parent db4f0f8f61
commit 211693ef3b
3 changed files with 145 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

138
modules/crowdsec.nix Normal file
View file

@ -0,0 +1,138 @@
# CrowdSec Module
# Provides: Collaborative intrusion detection and prevention
#
# Usage:
# myModules.crowdsec = {
# enable = true;
# enableNginxBouncer = true; # Block attackers at nginx level
# };
{
config,
lib,
...
}:
let
cfg = config.myModules.crowdsec;
in
{
options.myModules.crowdsec = {
enable = lib.mkEnableOption "CrowdSec security engine";
enableNginxBouncer = lib.mkOption {
type = lib.types.bool;
default = true;
description = "Enable nginx bouncer to block malicious IPs at nginx level";
};
whitelistIPs = lib.mkOption {
type = lib.types.listOf lib.types.str;
default = [ ];
example = [ "1.2.3.4" "10.0.0.0/8" ];
description = "IP addresses or CIDR ranges to whitelist";
};
banDuration = lib.mkOption {
type = lib.types.str;
default = "4h";
description = "Default ban duration for malicious IPs";
};
};
config = lib.mkIf cfg.enable {
services.crowdsec = {
enable = true;
autoUpdateService = true;
# Enable Local API for bouncers
settings.general.api.server.enable = true;
# Log acquisitions
localConfig.acquisitions = [
# SSH logs
{
source = "journalctl";
journalctl_filter = [ "_SYSTEMD_UNIT=sshd.service" ];
labels = {
type = "syslog";
};
}
# Nginx access logs
{
source = "journalctl";
journalctl_filter = [ "_SYSTEMD_UNIT=nginx.service" ];
labels = {
type = "nginx";
};
}
];
# Whitelist parser for trusted IPs
localConfig.parsers.s02Enrich = lib.mkIf (cfg.whitelistIPs != [ ]) [
{
name = "nixos/whitelist";
description = "Whitelist trusted IPs";
whitelist = {
reason = "Trusted IPs";
ip = lib.filter (ip: !(lib.hasInfix "/" ip)) cfg.whitelistIPs;
cidr = lib.filter (lib.hasInfix "/") cfg.whitelistIPs;
};
}
];
# Remediation profiles
localConfig.profiles = [
{
name = "default_ip_remediation";
filters = [ "Alert.Remediation == true && Alert.GetScope() == 'Ip'" ];
decisions = [
{
type = "ban";
duration = cfg.banDuration;
}
];
on_success = "break";
}
];
# Hub collections for common attack patterns
hub = {
collections = [
"crowdsecurity/linux"
"crowdsecurity/nginx"
"crowdsecurity/sshd"
];
};
};
# Nginx bouncer integration
# Note: This requires the crowdsec-nginx-bouncer package
# which may need to be installed separately
services.nginx = lib.mkIf cfg.enableNginxBouncer {
# Add crowdsec bouncer configuration
# The bouncer checks with CrowdSec LAPI before allowing requests
upstreams.crowdsec-squid = {
servers = {
"127.0.0.1:8081" = { };
};
};
# Include bouncer in all virtual hosts
appendHttpConfig = ''
# CrowdSec bouncer will be configured via environment
# cscli bouncers add nginx-bouncer --key <generated-key>
'';
};
# Instructions for manual setup (bouncer requires API key)
system.activationScripts.crowdsec-nginx-info = lib.mkIf cfg.enableNginxBouncer ''
echo ""
echo "=== CrowdSec Setup ==="
echo "To enable nginx bouncer, run:"
echo " sudo cscli bouncers add nginx-bouncer --key \$(openssl rand -hex 32)"
echo "Then configure /etc/crowdsec/bouncers/crowdsec-nginx-bouncer.conf"
echo ""
'';
};
}