From 8a933fd9de5d5ed4b525070f7930607249d87e2f Mon Sep 17 00:00:00 2001
From: ashisgreat22 <dev@ashisgreat.xyz>
Date: Wed, 18 Mar 2026 13:53:15 +0100
Subject: [PATCH] fix: enable CrowdSec Local API for cscli

Add LAPI server configuration with credentials file path.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 modules/crowdsec.nix | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)

diff --git a/modules/crowdsec.nix b/modules/crowdsec.nix
index 90a44c3..2fe78ae 100644
--- a/modules/crowdsec.nix
+++ b/modules/crowdsec.nix
@@ -9,11 +9,13 @@
 {
   config,
   lib,
+  pkgs,
   ...
 }:
 
 let
   cfg = config.myModules.crowdsec;
+  credentialsFile = "/var/lib/crowdsec/state/lapi_credentials.yaml";
 in
 {
   options.myModules.crowdsec = {
@@ -38,6 +40,15 @@ in
       enable = true;
       autoUpdateService = true;
 
+      # Enable Local API server
+      settings = {
+        general.api.server = {
+          enable = true;
+          listen_uri = "127.0.0.1:8080";
+        };
+        lapi.credentialsFile = credentialsFile;
+      };
+
       # Log acquisitions
       localConfig.acquisitions = [
         # SSH logs
@@ -95,5 +106,16 @@ in
         ];
       };
     };
+
+    # Ensure credentials directory exists
+    systemd.tmpfiles.settings."10-crowdsec-lapi" = {
+      "/var/lib/crowdsec/state" = {
+        d = {
+          user = "crowdsec";
+          group = "crowdsec";
+          mode = "0750";
+        };
+      };
+    };
   };
 }