ashie/nixos-vps
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat: add firewall bouncer to CrowdSec module

Browse source 
- Enable crowdsec-firewall-bouncer by default
- Auto-registers bouncer with local CrowdSec API
- Blocks malicious IPs at iptables/nftables level

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
ashisgreat22 2026-03-18 13:58:13 +01:00
parent 8a933fd9de
commit f82b822d16
1 changed files with 14 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

14
modules/crowdsec.nix
View file

@ -4,6 +4,7 @@
# Usage: # Usage:
# myModules.crowdsec = { # myModules.crowdsec = {
# enable = true; # enable = true;
# enableBouncer = true; # Block attackers at firewall level
# }; # };
{ {
@ -21,6 +22,12 @@ in
options.myModules.crowdsec = { options.myModules.crowdsec = {
enable = lib.mkEnableOption "CrowdSec security engine"; enable = lib.mkEnableOption "CrowdSec security engine";
enableBouncer = lib.mkOption {
type = lib.types.bool;
default = true;
description = "Enable firewall bouncer to block malicious IPs";
};
whitelistIPs = lib.mkOption { whitelistIPs = lib.mkOption {
type = lib.types.listOf lib.types.str; type = lib.types.listOf lib.types.str;
default = [ ]; default = [ ];
@ -107,6 +114,13 @@ in
}; };
}; };
# Firewall bouncer - blocks malicious IPs at firewall level
services.crowdsec-firewall-bouncer = lib.mkIf cfg.enableBouncer {
enable = true;
registerBouncer.enable = true;
registerBouncer.bouncerName = "firewall-bouncer";
};
# Ensure credentials directory exists # Ensure credentials directory exists
systemd.tmpfiles.settings."10-crowdsec-lapi" = { systemd.tmpfiles.settings."10-crowdsec-lapi" = {
"/var/lib/crowdsec/state" = { "/var/lib/crowdsec/state" = {