nixos-vps/modules/crowdsec.nix
ashisgreat22 e0de37b15f fix: simplify CrowdSec module
Remove LAPI server config causing null coercion error.
Detection-only mode for now; bouncer can be added later.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-18 13:50:44 +01:00


# CrowdSec Module
# Provides: collaborative intrusion detection (alerts and ban decisions).
# No bouncer is configured by this module, so decisions are recorded but not
# enforced until one is added (see the commit message: detection-only for now).
#
# Usage:
#   myModules.crowdsec = {
#     enable = true;
#   };
{
  config,
  lib,
  ...
}:
let
  inherit (lib) mkEnableOption mkIf mkOption types;

  cfg = config.myModules.crowdsec;

  # Whitelist entries are split purely on syntax: anything containing a "/"
  # is treated as a CIDR range, everything else as a single address. Nothing
  # is validated here; a malformed entry reaches CrowdSec unchanged.
  whitelistSplit = lib.partition (lib.hasInfix "/") cfg.whitelistIPs;

  # Build one journald acquisition for a systemd unit, tagged with the
  # parser type CrowdSec should apply to that unit's lines.
  journalAcquisition = unit: logType: {
    source = "journalctl";
    journalctl_filter = [ "_SYSTEMD_UNIT=${unit}" ];
    labels.type = logType;
  };
in
{
  options.myModules.crowdsec = {
    enable = mkEnableOption "CrowdSec security engine";

    # Entries here feed the whitelist parser below and are meant to suppress
    # alerts for those sources, so keep the list tight: the example
    # "10.0.0.0/8" covers an entire private range.
    whitelistIPs = mkOption {
      type = types.listOf types.str;
      default = [ ];
      example = [ "1.2.3.4" "10.0.0.0/8" ];
      description = "IP addresses or CIDR ranges to whitelist";
    };

    # Duration attached to the ban decisions produced by the profile below.
    # This module configures no bouncer, so the decision is only recorded by
    # CrowdSec; nothing blocks traffic until a bouncer is added.
    banDuration = mkOption {
      type = types.str;
      default = "4h";
      description = "Default ban duration for malicious IPs";
    };
  };

  config = mkIf cfg.enable {
    services.crowdsec = {
      enable = true;
      # NOTE(review): presumably refreshes hub content at runtime, outside the
      # Nix closure — confirm what is fetched and from where before relying on
      # it on a hardened host.
      autoUpdateService = true;

      localConfig = {
        # Log sources, both read from journald. The nginx entry assumes nginx
        # writes its access log to the journal (unit stdout/stderr or syslog);
        # if it logs to files under /var/log/nginx instead, this acquisition
        # reads nothing — verify on the host.
        acquisitions = [
          (journalAcquisition "sshd.service" "syslog")
          (journalAcquisition "nginx.service" "nginx")
        ];

        # Enrichment-stage whitelist parser, only emitted when at least one
        # entry is configured.
        parsers.s02Enrich = mkIf (cfg.whitelistIPs != [ ]) [
          {
            name = "nixos/whitelist";
            description = "Whitelist trusted IPs";
            whitelist = {
              reason = "Trusted IPs";
              ip = whitelistSplit.wrong;
              cidr = whitelistSplit.right;
            };
          }
        ];

        # Remediation profile: an alert flagged for remediation whose scope is
        # a single IP yields a "ban" decision lasting banDuration. Without a
        # bouncer the decision is not enforced.
        profiles = [
          {
            name = "default_ip_remediation";
            filters = [ "Alert.Remediation == true && Alert.GetScope() == 'Ip'" ];
            decisions = [
              {
                type = "ban";
                duration = cfg.banDuration;
              }
            ];
            on_success = "break";
          }
        ];
      };

      # Hub collections supplying the parsers and scenarios for the log
      # sources above.
      hub.collections = [
        "crowdsecurity/linux"
        "crowdsecurity/nginx"
        "crowdsecurity/sshd"
      ];
    };
  };
}