diff --git a/services/crowdsec.nix b/services/crowdsec.nix
index b39cf3d..feeb9d3 100644
--- a/services/crowdsec.nix
+++ b/services/crowdsec.nix
@@ -168,5 +168,23 @@ in
 enable = true;
 registerBouncer.enable = true;
 };
+
+ # The hub keeps tracking upstream master, but nixpkgs stable's crowdsec
+ # binary is a few versions behind and doesn't know newer expr functions
+ # (e.g. LookupFile, used by crowdsecurity/http-technology-probing). The
+ # agent then refuses to load the entire bucket and crashes on startup.
+ # Strip incompatible scenarios after crowdsec-setup repopulates the hub
+ # but before crowdsec.service tries to load them.
+ systemd.services.crowdsec-prune-incompatible-hub-items = {
+ description = "Remove hub scenarios incompatible with the bundled crowdsec";
+ after = [ "crowdsec-setup.service" ];
+ before = [ "crowdsec.service" ];
+ requiredBy = [ "crowdsec.service" ];
+ serviceConfig = {
+ Type = "oneshot";
+ RemainAfterExit = true;
+ ExecStart = "${pkgs.coreutils}/bin/rm -f /etc/crowdsec/scenarios/http-technology-probing.yaml";
+ };
+ };
 };
 }
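Review bot: `RemainAfterExit = true;` in the new `serviceConfig` leaves the prune unit active after its first run, so a later start or restart of crowdsec.service will not execute the `rm` again. If crowdsec-setup.service repopulates the hub on those restarts (its definition is outside this hunk), the incompatible scenario file returns and the agent would fail to load it exactly as the comment describes. Dropping the `RemainAfterExit = true;` line should let the oneshot re-run every time crowdsec.service is started. Separately, deleting http-technology-probing.yaml removes that detection from the host without any trace, so the comment above the unit should record the coverage gap and the revert condition, e.g. `# NOTE: disables the http-technology-probing scenario; remove once the packaged crowdsec supports LookupFile.` The enclosing attribute set begins outside the hunk.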