From f82b822d16ca8bffc4738bc07f03320f97ba3229 Mon Sep 17 00:00:00 2001
From: ashisgreat22
Date: Wed, 18 Mar 2026 13:58:13 +0100
Subject: [PATCH] feat: add firewall bouncer to CrowdSec module
- Enable crowdsec-firewall-bouncer by default
- Auto-registers bouncer with local CrowdSec API
- Blocks malicious IPs at iptables/nftables level
Co-Authored-By: Claude Opus 4.6
---
 modules/crowdsec.nix | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
diff --git a/modules/crowdsec.nix b/modules/crowdsec.nix
index 2fe78ae..2d6f1fa 100644
--- a/modules/crowdsec.nix
+++ b/modules/crowdsec.nix
@@ -4,6 +4,7 @@
 # Usage:
 # myModules.crowdsec = {
 # enable = true;
+# enableBouncer = true; # Block attackers at firewall level
 # };
 {
@@ -21,6 +22,12 @@ in
 options.myModules.crowdsec = {
 enable = lib.mkEnableOption "CrowdSec security engine";
+ enableBouncer = lib.mkOption {
+ type = lib.types.bool;
+ default = true;
+ description = "Enable firewall bouncer to block malicious IPs";
+ };
+
 whitelistIPs = lib.mkOption {
 type = lib.types.listOf lib.types.str;
 default = [ ];
@@ -107,6 +114,13 @@ in
 };
 };
+ # Firewall bouncer - blocks malicious IPs at firewall level
+ services.crowdsec-firewall-bouncer = lib.mkIf cfg.enableBouncer {
+ enable = true;
+ registerBouncer.enable = true;
+ registerBouncer.bouncerName = "firewall-bouncer";
+ };
+
 # Ensure credentials directory exists
 systemd.tmpfiles.settings."10-crowdsec-lapi" = {
 "/var/lib/crowdsec/state" = {
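Review bot: The usage example added here shows `enableBouncer = true;`, but the option introduced in the second hunk defaults to `true`, so the example documents the no-op case and does not tell a reader that every host using this module now gets a firewall bouncer on upgrade without setting anything. Show the opt-out instead, `#     enableBouncer = false;  # default true: block IPs with CrowdSec decisions via iptables/nftables`, and give the option's `description` in the second hunk the same information, e.g. `description = "Enable crowdsec-firewall-bouncer (default true). Blocks IPs with active CrowdSec decisions at the iptables/nftables level; requires the CrowdSec engine and its local API to be enabled on this host.";`. The rest of the usage comment lies outside the hunk.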
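Review bot: `services.crowdsec-firewall-bouncer` is gated only on `cfg.enableBouncer`, so unless the enclosing `config` block (which starts outside this hunk) is already wrapped in `lib.mkIf cfg.enable`, a host with `enable = false` and the new default `enableBouncer = true` would start a bouncer that tries to register against a local API that is not running; if that wrapper is absent, the condition should be `lib.mkIf (cfg.enable && cfg.enableBouncer)`. Because the default turns the bouncer on for every existing user of the module, two things are worth confirming before merge: that the bouncer's backend matches the host firewall (iptables vs nftables), and that an address in `whitelistIPs` cannot still be blocked — if that list is applied as a parser whitelist it only prevents locally generated decisions, and decisions pulled from the central CrowdSec API are not filtered by it, so an operator address that lands on a shared blocklist would be locked out. Record those dependencies on the block rather than leaving them implicit, e.g. replace the added comment with `# Firewall bouncer: blocks every IP with an active decision in the local API (including centrally imported ones). Requires cfg.enable; whitelistIPs only suppresses local detections — verify before relying on it for admin access.`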