rope/nixos
1
1
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

crowdsec: build notification plugins via package override

Browse source 
Upstream nixpkgs builds only cmd/crowdsec and cmd/crowdsec-cli; the
PR #446307 module's setup script expects notification plugins at
\$package/libexec/crowdsec/plugins/notification-*, causing first-start
failure (cannot stat notification-dummy). Add the cmd/notification-*
subpackages and move the resulting binaries into the libexec layout the
module expects.

Drop this override along with the vendored modules once the PR lands —
nixpkgs will need a matching package update for the rewrite to work.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
ediblerope 2026-04-25 15:16:03 +01:00
parent a8d163b4a8
commit 0125a1deb2
1 changed files with 18 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

19
services/crowdsec.nix
View file

@ -12,13 +12,29 @@
# Before first deploy, create /var/secrets/ntfy-url with your topic URL: # Before first deploy, create /var/secrets/ntfy-url with your topic URL:
# echo 'https://ntfy.sh/nordhammer-<random>' | sudo tee /var/secrets/ntfy-url # echo 'https://ntfy.sh/nordhammer-<random>' | sudo tee /var/secrets/ntfy-url
# sudo chmod 640 /var/secrets/ntfy-url # sudo chmod 640 /var/secrets/ntfy-url
{ config, lib, ... }: { config, lib, pkgs, ... }:
let let
ntfyUrlFile = "/var/secrets/ntfy-url"; ntfyUrlFile = "/var/secrets/ntfy-url";
ntfyUrl = ntfyUrl =
if builtins.pathExists ntfyUrlFile if builtins.pathExists ntfyUrlFile
then lib.removeSuffix "\n" (builtins.readFile ntfyUrlFile) then lib.removeSuffix "\n" (builtins.readFile ntfyUrlFile)
else "https://ntfy.sh/CHANGE-ME-CREATE-VAR-SECRETS-NTFY-URL"; else "https://ntfy.sh/CHANGE-ME-CREATE-VAR-SECRETS-NTFY-URL";
# nixpkgs only builds the agent + cscli; the new module also expects
# notification plugins at $out/libexec/crowdsec/plugins/. Compile them
# from the same source tree (cmd/notification-*) and move them there.
pluginNames = [ "dummy" "email" "file" "http" "sentinel" "slack" "splunk" ];
crowdsecWithPlugins = pkgs.crowdsec.overrideAttrs (old: {
subPackages = (old.subPackages or [ ]) ++ map (p: "cmd/notification-${p}") pluginNames;
postInstall = (old.postInstall or "") + ''
mkdir -p $out/libexec/crowdsec/plugins
for p in ${lib.concatStringsSep " " pluginNames}; do
if [ -f $out/bin/notification-$p ]; then
mv $out/bin/notification-$p $out/libexec/crowdsec/plugins/notification-$p
fi
done
'';
});
in in
{ {
disabledModules = [ disabledModules = [
@ -36,6 +52,7 @@ in
services.crowdsec = { services.crowdsec = {
enable = true; enable = true;
name = "fredos-mediaserver"; name = "fredos-mediaserver";
package = crowdsecWithPlugins;
hub.collections = [ hub.collections = [
"crowdsecurity/linux" # sshd + linux LPE "crowdsecurity/linux" # sshd + linux LPE