nixos/services/crowdsec.nix

# services/crowdsec.nix — Vendors the crowdsec module rewrite from
# https://github.com/NixOS/nixpkgs/pull/446307 (TornaxO7's branch) until
# it lands upstream. The upstream module in nixpkgs at the pinned revision
# is broken for first-time bootstrap (no auto cscli machines add, DynamicUser
# state ownership wedges).
#
# When PR #446307 merges to nixpkgs unstable:
#   1. Bump flake.lock past the merge commit
#   2. Delete ../modules/crowdsec/ and the disabledModules + imports lines below
#   3. The settings/option API is the same as the PR's, so config below is forward-compatible
#
# Before first deploy, create /var/secrets/ntfy-url with your topic URL:
#   echo 'https://ntfy.sh/nordhammer-<random>' | sudo tee /var/secrets/ntfy-url
#   sudo chmod 640 /var/secrets/ntfy-url
{ config, lib, ... }:
let
  ntfyUrlFile = "/var/secrets/ntfy-url";
  ntfyUrl =
    if builtins.pathExists ntfyUrlFile
    then lib.removeSuffix "\n" (builtins.readFile ntfyUrlFile)
    else "https://ntfy.sh/CHANGE-ME-CREATE-VAR-SECRETS-NTFY-URL";
in
{
  disabledModules = [
    "services/security/crowdsec.nix"
    "services/security/crowdsec-firewall-bouncer.nix"
  ];

  imports = [
    ../modules/crowdsec/crowdsec.nix
    ../modules/crowdsec/crowdsec-firewall-bouncer.nix
  ];

  config = lib.mkIf (config.networking.hostName == "FredOS-Mediaserver") {

    services.crowdsec = {
      enable = true;
      name = "fredos-mediaserver";

      hub.collections = [
        "crowdsecurity/linux"                 # sshd + linux LPE
        "crowdsecurity/nginx"                 # nginx parser
        "crowdsecurity/base-http-scenarios"   # generic HTTP attacks
        "crowdsecurity/http-cve"              # known-CVE fingerprints
        "crowdsecurity/whitelist-good-actors" # don't ban legit crawlers
      ];

      # Allow the agent to read nginx logs (it runs as DynamicUser).
      readOnlyPaths = [ "/var/log/nginx" ];

      settings = {
        # config.yaml — main agent + LAPI configuration
        config.api.server.listen_uri = "127.0.0.1:8081";  # 8080 is qBit

        # Log sources to ingest
        acquisitions = [
          {
            source = "file";
            filenames = [ "/var/log/nginx/access.log" ];
            labels.type = "nginx";
          }
          {
            source = "journalctl";
            journalctl_filter = [ "_SYSTEMD_UNIT=sshd.service" ];
            labels.type = "syslog";
          }
          {
            source = "journalctl";
            journalctl_filter = [ "_SYSTEMD_UNIT=authelia-main.service" ];
            labels.type = "syslog";
          }
        ];

        # Push notifications via ntfy.sh
        notifications = [
          {
            name = "ntfy_http";
            type = "http";
            log_level = "info";
            url = ntfyUrl;
            method = "POST";
            headers = {
              Title = "CrowdSec alert";
              Priority = "high";
              Tags = "rotating_light";
            };
            format = ''
              {{range . -}}
              {{.Scenario}} from {{.Source.IP}} ({{.Source.Cn}}) — {{len .Decisions}} decision(s) taken
              {{end -}}
            '';
          }
        ];

        # Override default profiles to attach the ntfy notifier
        profiles = [
          {
            name = "default_ip_remediation";
            filters = [ "Alert.Remediation == true && Alert.GetScope() == 'Ip'" ];
            decisions = [{ type = "ban"; duration = "4h"; }];
            notifications = [ "ntfy_http" ];
            on_success = "break";
          }
          {
            name = "default_range_remediation";
            filters = [ "Alert.Remediation == true && Alert.GetScope() == 'Range'" ];
            decisions = [{ type = "ban"; duration = "4h"; }];
            notifications = [ "ntfy_http" ];
            on_success = "break";
          }
        ];
      };
    };

    # Firewall bouncer enforces decisions via nftables; auto-registers with LAPI
    services.crowdsec-firewall-bouncer = {
      enable = true;
      registerBouncer.enable = true;
    };
  };
}
crowdsec: vendor PR #446307 rewrite to fix bootstrap The upstream NixOS crowdsec module fails on first deploy ("no API client section in configuration") because it doesn't auto-register LAPI credentials. The rewrite in NixOS/nixpkgs#446307 (TornaxO7's branch) adds a setup oneshot that runs `cscli machines add --auto` if the credentials file is missing, and handles DynamicUser StateDirectory permissions explicitly. The bouncer rewrite gets matching auto-registration. Vendor both module files locally and disable the upstream copies. Drop modules/crowdsec/ and the disabledModules+imports lines once the PR merges into nixpkgs unstable. Config moves to the new unified `settings` API (no more separate `localConfig`); LAPI moved to 127.0.0.1:8081 to dodge the qBit collision. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> 2026-04-25 15:00:31 +01:00			`# services/crowdsec.nix — Vendors the crowdsec module rewrite from`
			`# https://github.com/NixOS/nixpkgs/pull/446307 (TornaxO7's branch) until`
			`# it lands upstream. The upstream module in nixpkgs at the pinned revision`
			`# is broken for first-time bootstrap (no auto cscli machines add, DynamicUser`
			`# state ownership wedges).`
crowdsec: add community IDS/IPS with ntfy push alerts Enables the CrowdSec agent with sshd/nginx/http-cve hub collections, acquires logs from nginx, sshd, and Authelia journald, and wires the firewall bouncer to enforce bans via nftables. Alerts are POSTed to a self-chosen ntfy.sh topic (URL read from /var/secrets/ntfy-url, falls back to a placeholder so the repo stays eval-clean without the secret). Module is self-contained — remove the file + import to uninstall; state lives under /var/lib/crowdsec. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> 2026-04-24 22:30:16 +01:00			`#`
crowdsec: vendor PR #446307 rewrite to fix bootstrap The upstream NixOS crowdsec module fails on first deploy ("no API client section in configuration") because it doesn't auto-register LAPI credentials. The rewrite in NixOS/nixpkgs#446307 (TornaxO7's branch) adds a setup oneshot that runs `cscli machines add --auto` if the credentials file is missing, and handles DynamicUser StateDirectory permissions explicitly. The bouncer rewrite gets matching auto-registration. Vendor both module files locally and disable the upstream copies. Drop modules/crowdsec/ and the disabledModules+imports lines once the PR merges into nixpkgs unstable. Config moves to the new unified `settings` API (no more separate `localConfig`); LAPI moved to 127.0.0.1:8081 to dodge the qBit collision. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> 2026-04-25 15:00:31 +01:00			`# When PR #446307 merges to nixpkgs unstable:`
			`# 1. Bump flake.lock past the merge commit`
			`# 2. Delete ../modules/crowdsec/ and the disabledModules + imports lines below`
			`# 3. The settings/option API is the same as the PR's, so config below is forward-compatible`
crowdsec: add community IDS/IPS with ntfy push alerts Enables the CrowdSec agent with sshd/nginx/http-cve hub collections, acquires logs from nginx, sshd, and Authelia journald, and wires the firewall bouncer to enforce bans via nftables. Alerts are POSTed to a self-chosen ntfy.sh topic (URL read from /var/secrets/ntfy-url, falls back to a placeholder so the repo stays eval-clean without the secret). Module is self-contained — remove the file + import to uninstall; state lives under /var/lib/crowdsec. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> 2026-04-24 22:30:16 +01:00			`#`
crowdsec: vendor PR #446307 rewrite to fix bootstrap The upstream NixOS crowdsec module fails on first deploy ("no API client section in configuration") because it doesn't auto-register LAPI credentials. The rewrite in NixOS/nixpkgs#446307 (TornaxO7's branch) adds a setup oneshot that runs `cscli machines add --auto` if the credentials file is missing, and handles DynamicUser StateDirectory permissions explicitly. The bouncer rewrite gets matching auto-registration. Vendor both module files locally and disable the upstream copies. Drop modules/crowdsec/ and the disabledModules+imports lines once the PR merges into nixpkgs unstable. Config moves to the new unified `settings` API (no more separate `localConfig`); LAPI moved to 127.0.0.1:8081 to dodge the qBit collision. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> 2026-04-25 15:00:31 +01:00			`# Before first deploy, create /var/secrets/ntfy-url with your topic URL:`
crowdsec: add community IDS/IPS with ntfy push alerts Enables the CrowdSec agent with sshd/nginx/http-cve hub collections, acquires logs from nginx, sshd, and Authelia journald, and wires the firewall bouncer to enforce bans via nftables. Alerts are POSTed to a self-chosen ntfy.sh topic (URL read from /var/secrets/ntfy-url, falls back to a placeholder so the repo stays eval-clean without the secret). Module is self-contained — remove the file + import to uninstall; state lives under /var/lib/crowdsec. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> 2026-04-24 22:30:16 +01:00			`# echo 'https://ntfy.sh/nordhammer-<random>' \| sudo tee /var/secrets/ntfy-url`
			`# sudo chmod 640 /var/secrets/ntfy-url`
			`{ config, lib, ... }:`
			`let`
			`ntfyUrlFile = "/var/secrets/ntfy-url";`
			`ntfyUrl =`
			`if builtins.pathExists ntfyUrlFile`
			`then lib.removeSuffix "\n" (builtins.readFile ntfyUrlFile)`
			`else "https://ntfy.sh/CHANGE-ME-CREATE-VAR-SECRETS-NTFY-URL";`
			`in`
			`{`
crowdsec: vendor PR #446307 rewrite to fix bootstrap The upstream NixOS crowdsec module fails on first deploy ("no API client section in configuration") because it doesn't auto-register LAPI credentials. The rewrite in NixOS/nixpkgs#446307 (TornaxO7's branch) adds a setup oneshot that runs `cscli machines add --auto` if the credentials file is missing, and handles DynamicUser StateDirectory permissions explicitly. The bouncer rewrite gets matching auto-registration. Vendor both module files locally and disable the upstream copies. Drop modules/crowdsec/ and the disabledModules+imports lines once the PR merges into nixpkgs unstable. Config moves to the new unified `settings` API (no more separate `localConfig`); LAPI moved to 127.0.0.1:8081 to dodge the qBit collision. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> 2026-04-25 15:00:31 +01:00			`disabledModules = [`
			`"services/security/crowdsec.nix"`
			`"services/security/crowdsec-firewall-bouncer.nix"`
			`];`

			`imports = [`
			`../modules/crowdsec/crowdsec.nix`
			`../modules/crowdsec/crowdsec-firewall-bouncer.nix`
			`];`

crowdsec: add community IDS/IPS with ntfy push alerts Enables the CrowdSec agent with sshd/nginx/http-cve hub collections, acquires logs from nginx, sshd, and Authelia journald, and wires the firewall bouncer to enforce bans via nftables. Alerts are POSTed to a self-chosen ntfy.sh topic (URL read from /var/secrets/ntfy-url, falls back to a placeholder so the repo stays eval-clean without the secret). Module is self-contained — remove the file + import to uninstall; state lives under /var/lib/crowdsec. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> 2026-04-24 22:30:16 +01:00			`config = lib.mkIf (config.networking.hostName == "FredOS-Mediaserver") {`

			`services.crowdsec = {`
			`enable = true;`
crowdsec: vendor PR #446307 rewrite to fix bootstrap The upstream NixOS crowdsec module fails on first deploy ("no API client section in configuration") because it doesn't auto-register LAPI credentials. The rewrite in NixOS/nixpkgs#446307 (TornaxO7's branch) adds a setup oneshot that runs `cscli machines add --auto` if the credentials file is missing, and handles DynamicUser StateDirectory permissions explicitly. The bouncer rewrite gets matching auto-registration. Vendor both module files locally and disable the upstream copies. Drop modules/crowdsec/ and the disabledModules+imports lines once the PR merges into nixpkgs unstable. Config moves to the new unified `settings` API (no more separate `localConfig`); LAPI moved to 127.0.0.1:8081 to dodge the qBit collision. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> 2026-04-25 15:00:31 +01:00			`name = "fredos-mediaserver";`
crowdsec: add community IDS/IPS with ntfy push alerts Enables the CrowdSec agent with sshd/nginx/http-cve hub collections, acquires logs from nginx, sshd, and Authelia journald, and wires the firewall bouncer to enforce bans via nftables. Alerts are POSTed to a self-chosen ntfy.sh topic (URL read from /var/secrets/ntfy-url, falls back to a placeholder so the repo stays eval-clean without the secret). Module is self-contained — remove the file + import to uninstall; state lives under /var/lib/crowdsec. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> 2026-04-24 22:30:16 +01:00
			`hub.collections = [`
crowdsec: vendor PR #446307 rewrite to fix bootstrap The upstream NixOS crowdsec module fails on first deploy ("no API client section in configuration") because it doesn't auto-register LAPI credentials. The rewrite in NixOS/nixpkgs#446307 (TornaxO7's branch) adds a setup oneshot that runs `cscli machines add --auto` if the credentials file is missing, and handles DynamicUser StateDirectory permissions explicitly. The bouncer rewrite gets matching auto-registration. Vendor both module files locally and disable the upstream copies. Drop modules/crowdsec/ and the disabledModules+imports lines once the PR merges into nixpkgs unstable. Config moves to the new unified `settings` API (no more separate `localConfig`); LAPI moved to 127.0.0.1:8081 to dodge the qBit collision. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> 2026-04-25 15:00:31 +01:00			`"crowdsecurity/linux" # sshd + linux LPE`
			`"crowdsecurity/nginx" # nginx parser`
			`"crowdsecurity/base-http-scenarios" # generic HTTP attacks`
crowdsec: add community IDS/IPS with ntfy push alerts Enables the CrowdSec agent with sshd/nginx/http-cve hub collections, acquires logs from nginx, sshd, and Authelia journald, and wires the firewall bouncer to enforce bans via nftables. Alerts are POSTed to a self-chosen ntfy.sh topic (URL read from /var/secrets/ntfy-url, falls back to a placeholder so the repo stays eval-clean without the secret). Module is self-contained — remove the file + import to uninstall; state lives under /var/lib/crowdsec. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> 2026-04-24 22:30:16 +01:00			`"crowdsecurity/http-cve" # known-CVE fingerprints`
			`"crowdsecurity/whitelist-good-actors" # don't ban legit crawlers`
			`];`

crowdsec: vendor PR #446307 rewrite to fix bootstrap The upstream NixOS crowdsec module fails on first deploy ("no API client section in configuration") because it doesn't auto-register LAPI credentials. The rewrite in NixOS/nixpkgs#446307 (TornaxO7's branch) adds a setup oneshot that runs `cscli machines add --auto` if the credentials file is missing, and handles DynamicUser StateDirectory permissions explicitly. The bouncer rewrite gets matching auto-registration. Vendor both module files locally and disable the upstream copies. Drop modules/crowdsec/ and the disabledModules+imports lines once the PR merges into nixpkgs unstable. Config moves to the new unified `settings` API (no more separate `localConfig`); LAPI moved to 127.0.0.1:8081 to dodge the qBit collision. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> 2026-04-25 15:00:31 +01:00			`# Allow the agent to read nginx logs (it runs as DynamicUser).`
			`readOnlyPaths = [ "/var/log/nginx" ];`

			`settings = {`
			`# config.yaml — main agent + LAPI configuration`
			`config.api.server.listen_uri = "127.0.0.1:8081"; # 8080 is qBit`

			`# Log sources to ingest`
crowdsec: add community IDS/IPS with ntfy push alerts Enables the CrowdSec agent with sshd/nginx/http-cve hub collections, acquires logs from nginx, sshd, and Authelia journald, and wires the firewall bouncer to enforce bans via nftables. Alerts are POSTed to a self-chosen ntfy.sh topic (URL read from /var/secrets/ntfy-url, falls back to a placeholder so the repo stays eval-clean without the secret). Module is self-contained — remove the file + import to uninstall; state lives under /var/lib/crowdsec. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> 2026-04-24 22:30:16 +01:00			`acquisitions = [`
			`{`
			`source = "file";`
			`filenames = [ "/var/log/nginx/access.log" ];`
			`labels.type = "nginx";`
			`}`
			`{`
			`source = "journalctl";`
			`journalctl_filter = [ "_SYSTEMD_UNIT=sshd.service" ];`
			`labels.type = "syslog";`
			`}`
			`{`
			`source = "journalctl";`
			`journalctl_filter = [ "_SYSTEMD_UNIT=authelia-main.service" ];`
			`labels.type = "syslog";`
			`}`
			`];`

crowdsec: vendor PR #446307 rewrite to fix bootstrap The upstream NixOS crowdsec module fails on first deploy ("no API client section in configuration") because it doesn't auto-register LAPI credentials. The rewrite in NixOS/nixpkgs#446307 (TornaxO7's branch) adds a setup oneshot that runs `cscli machines add --auto` if the credentials file is missing, and handles DynamicUser StateDirectory permissions explicitly. The bouncer rewrite gets matching auto-registration. Vendor both module files locally and disable the upstream copies. Drop modules/crowdsec/ and the disabledModules+imports lines once the PR merges into nixpkgs unstable. Config moves to the new unified `settings` API (no more separate `localConfig`); LAPI moved to 127.0.0.1:8081 to dodge the qBit collision. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> 2026-04-25 15:00:31 +01:00			`# Push notifications via ntfy.sh`
crowdsec: add community IDS/IPS with ntfy push alerts Enables the CrowdSec agent with sshd/nginx/http-cve hub collections, acquires logs from nginx, sshd, and Authelia journald, and wires the firewall bouncer to enforce bans via nftables. Alerts are POSTed to a self-chosen ntfy.sh topic (URL read from /var/secrets/ntfy-url, falls back to a placeholder so the repo stays eval-clean without the secret). Module is self-contained — remove the file + import to uninstall; state lives under /var/lib/crowdsec. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> 2026-04-24 22:30:16 +01:00			`notifications = [`
			`{`
			`name = "ntfy_http";`
			`type = "http";`
			`log_level = "info";`
			`url = ntfyUrl;`
			`method = "POST";`
			`headers = {`
			`Title = "CrowdSec alert";`
			`Priority = "high";`
			`Tags = "rotating_light";`
			`};`
			`format = ''`
			`{{range . -}}`
			`{{.Scenario}} from {{.Source.IP}} ({{.Source.Cn}}) — {{len .Decisions}} decision(s) taken`
			`{{end -}}`
			`'';`
			`}`
			`];`

crowdsec: vendor PR #446307 rewrite to fix bootstrap The upstream NixOS crowdsec module fails on first deploy ("no API client section in configuration") because it doesn't auto-register LAPI credentials. The rewrite in NixOS/nixpkgs#446307 (TornaxO7's branch) adds a setup oneshot that runs `cscli machines add --auto` if the credentials file is missing, and handles DynamicUser StateDirectory permissions explicitly. The bouncer rewrite gets matching auto-registration. Vendor both module files locally and disable the upstream copies. Drop modules/crowdsec/ and the disabledModules+imports lines once the PR merges into nixpkgs unstable. Config moves to the new unified `settings` API (no more separate `localConfig`); LAPI moved to 127.0.0.1:8081 to dodge the qBit collision. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> 2026-04-25 15:00:31 +01:00			`# Override default profiles to attach the ntfy notifier`
crowdsec: add community IDS/IPS with ntfy push alerts Enables the CrowdSec agent with sshd/nginx/http-cve hub collections, acquires logs from nginx, sshd, and Authelia journald, and wires the firewall bouncer to enforce bans via nftables. Alerts are POSTed to a self-chosen ntfy.sh topic (URL read from /var/secrets/ntfy-url, falls back to a placeholder so the repo stays eval-clean without the secret). Module is self-contained — remove the file + import to uninstall; state lives under /var/lib/crowdsec. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> 2026-04-24 22:30:16 +01:00			`profiles = [`
			`{`
			`name = "default_ip_remediation";`
			`filters = [ "Alert.Remediation == true && Alert.GetScope() == 'Ip'" ];`
			`decisions = [{ type = "ban"; duration = "4h"; }];`
			`notifications = [ "ntfy_http" ];`
			`on_success = "break";`
			`}`
			`{`
			`name = "default_range_remediation";`
			`filters = [ "Alert.Remediation == true && Alert.GetScope() == 'Range'" ];`
			`decisions = [{ type = "ban"; duration = "4h"; }];`
			`notifications = [ "ntfy_http" ];`
			`on_success = "break";`
			`}`
			`];`
			`};`
			`};`

crowdsec: vendor PR #446307 rewrite to fix bootstrap The upstream NixOS crowdsec module fails on first deploy ("no API client section in configuration") because it doesn't auto-register LAPI credentials. The rewrite in NixOS/nixpkgs#446307 (TornaxO7's branch) adds a setup oneshot that runs `cscli machines add --auto` if the credentials file is missing, and handles DynamicUser StateDirectory permissions explicitly. The bouncer rewrite gets matching auto-registration. Vendor both module files locally and disable the upstream copies. Drop modules/crowdsec/ and the disabledModules+imports lines once the PR merges into nixpkgs unstable. Config moves to the new unified `settings` API (no more separate `localConfig`); LAPI moved to 127.0.0.1:8081 to dodge the qBit collision. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> 2026-04-25 15:00:31 +01:00			`# Firewall bouncer enforces decisions via nftables; auto-registers with LAPI`
crowdsec: add community IDS/IPS with ntfy push alerts Enables the CrowdSec agent with sshd/nginx/http-cve hub collections, acquires logs from nginx, sshd, and Authelia journald, and wires the firewall bouncer to enforce bans via nftables. Alerts are POSTed to a self-chosen ntfy.sh topic (URL read from /var/secrets/ntfy-url, falls back to a placeholder so the repo stays eval-clean without the secret). Module is self-contained — remove the file + import to uninstall; state lives under /var/lib/crowdsec. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> 2026-04-24 22:30:16 +01:00			`services.crowdsec-firewall-bouncer = {`
			`enable = true;`
			`registerBouncer.enable = true;`
			`};`
			`};`
			`}`