fix: simplify CrowdSec module
Remove LAPI server config causing null coercion error. Detection-only mode for now; bouncer can be added later. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
parent
9a57a2c511
commit
e0de37b15f
5 changed files with 16 additions and 534 deletions
|
|
@ -4,7 +4,6 @@
|
|||
# Usage:
|
||||
# myModules.crowdsec = {
|
||||
# enable = true;
|
||||
# enableNginxBouncer = true; # Block attackers at nginx level
|
||||
# };
|
||||
|
||||
{
|
||||
|
|
@ -20,12 +19,6 @@ in
|
|||
options.myModules.crowdsec = {
|
||||
enable = lib.mkEnableOption "CrowdSec security engine";
|
||||
|
||||
enableNginxBouncer = lib.mkOption {
|
||||
type = lib.types.bool;
|
||||
default = true;
|
||||
description = "Enable nginx bouncer to block malicious IPs at nginx level";
|
||||
};
|
||||
|
||||
whitelistIPs = lib.mkOption {
|
||||
type = lib.types.listOf lib.types.str;
|
||||
default = [ ];
|
||||
|
|
@ -45,9 +38,6 @@ in
|
|||
enable = true;
|
||||
autoUpdateService = true;
|
||||
|
||||
# Enable Local API for bouncers
|
||||
settings.general.api.server.enable = true;
|
||||
|
||||
# Log acquisitions
|
||||
localConfig.acquisitions = [
|
||||
# SSH logs
|
||||
|
|
@ -105,34 +95,5 @@ in
|
|||
];
|
||||
};
|
||||
};
|
||||
|
||||
# Nginx bouncer integration
|
||||
# Note: This requires the crowdsec-nginx-bouncer package
|
||||
# which may need to be installed separately
|
||||
services.nginx = lib.mkIf cfg.enableNginxBouncer {
|
||||
# Add crowdsec bouncer configuration
|
||||
# The bouncer checks with CrowdSec LAPI before allowing requests
|
||||
upstreams.crowdsec-squid = {
|
||||
servers = {
|
||||
"127.0.0.1:8081" = { };
|
||||
};
|
||||
};
|
||||
|
||||
# Include bouncer in all virtual hosts
|
||||
appendHttpConfig = ''
|
||||
# CrowdSec bouncer will be configured via environment
|
||||
# cscli bouncers add nginx-bouncer --key <generated-key>
|
||||
'';
|
||||
};
|
||||
|
||||
# Instructions for manual setup (bouncer requires API key)
|
||||
system.activationScripts.crowdsec-nginx-info = lib.mkIf cfg.enableNginxBouncer ''
|
||||
echo ""
|
||||
echo "=== CrowdSec Setup ==="
|
||||
echo "To enable nginx bouncer, run:"
|
||||
echo " sudo cscli bouncers add nginx-bouncer --key \$(openssl rand -hex 32)"
|
||||
echo "Then configure /etc/crowdsec/bouncers/crowdsec-nginx-bouncer.conf"
|
||||
echo ""
|
||||
'';
|
||||
};
|
||||
}
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue