fix: enable CrowdSec Local API for cscli

Add LAPI server configuration with credentials file path.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

modules/crowdsec.nix

@@ -9,11 +9,13 @@
 {
   config,
   lib,
+  pkgs,
   ...
 }:
 
 let
   cfg = config.myModules.crowdsec;
+  credentialsFile = "/var/lib/crowdsec/state/lapi_credentials.yaml";
 in
 {
   options.myModules.crowdsec = {
@@ -38,6 +40,15 @@ in
       enable = true;
       autoUpdateService = true;
 
+      # Enable Local API server
+      settings = {
+        general.api.server = {
+          enable = true;
+          listen_uri = "127.0.0.1:8080";
+        };
+        lapi.credentialsFile = credentialsFile;
+      };
+
       # Log acquisitions
       localConfig.acquisitions = [
         # SSH logs
@@ -95,5 +106,16 @@ in
         ];
       };
     };
+
+    # Ensure credentials directory exists
+    systemd.tmpfiles.settings."10-crowdsec-lapi" = {
+      "/var/lib/crowdsec/state" = {
+        d = {
+          user = "crowdsec";
+          group = "crowdsec";
+          mode = "0750";
+        };
+      };
+    };
   };
 }