From 32f2a4df2b1cf294339ee5ee7c91691bfd88af21 Mon Sep 17 00:00:00 2001
From: ediblerope
Date: Thu, 7 May 2026 14:54:11 +0100
Subject: [PATCH] crowdsec: prune hub items the bundled binary can't parse

The crowdsec hub tracks upstream master, but nixpkgs stable's crowdsec binary is a few versions behind and doesn't know newer expr functions (LookupFile in particular). When crowdsec-setup re-pulls the hub on each rebuild, it lands /etc/crowdsec/scenarios/http-technology-probing.yaml which then crashes the agent at load time with "unknown name LookupFile". Adds a tiny oneshot ordered between crowdsec-setup and crowdsec that removes the offending file. RequiredBy crowdsec.service so the hook always fires even if someone restarts the agent manually. Drop this unit (and revert the bundled-package fix) once nixpkgs catches up.

Co-Authored-By: Claude Opus 4.7
---
 services/crowdsec.nix | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/services/crowdsec.nix b/services/crowdsec.nix
index b39cf3d..feeb9d3 100644
--- a/services/crowdsec.nix
+++ b/services/crowdsec.nix
@@ -168,5 +168,23 @@ in
       enable = true;
       registerBouncer.enable = true;
     };
+
+    # The hub keeps tracking upstream master, but nixpkgs stable's crowdsec
+    # binary is a few versions behind and doesn't know newer expr functions
+    # (e.g. LookupFile, used by crowdsecurity/http-technology-probing). The
+    # agent then refuses to load the entire bucket and crashes on startup.
+    # Strip incompatible scenarios after crowdsec-setup repopulates the hub
+    # but before crowdsec.service tries to load them.
+    systemd.services.crowdsec-prune-incompatible-hub-items = {
+      description = "Remove hub scenarios incompatible with the bundled crowdsec";
+      after = [ "crowdsec-setup.service" ];
+      before = [ "crowdsec.service" ];
+      requiredBy = [ "crowdsec.service" ];
+      serviceConfig = {
+        Type = "oneshot";
+        RemainAfterExit = true;
+        ExecStart = "${pkgs.coreutils}/bin/rm -f /etc/crowdsec/scenarios/http-technology-probing.yaml";
+      };
+    };
   };
 }
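Review bot: The new `crowdsec-prune-incompatible-hub-items` unit has no self-retirement guard, so once nixpkgs ships a crowdsec whose expr runtime knows LookupFile the `rm -f` in ExecStart keeps deleting a now-loadable scenario on every boot and the host silently loses HTTP-technology-probing detection; the commit message leaves removal to someone remembering. Gate the definition on the bundled package version instead, e.g. `systemd.services.crowdsec-prune-incompatible-hub-items = lib.mkIf (lib.versionOlder pkgs.crowdsec.version "<first release whose expr runtime has LookupFile>") { … };`, filling the threshold from the crowdsec changelog (the hunk does not show it, and this assumes `lib` is in the module's argument set). The comment block should also state plainly that the prune is a deliberate detection gap rather than only describing the crash it avoids, e.g. `# NOTE: while this unit is active the http-technology-probing scenario is NOT enforced.` I cannot see how the module wires cscli, but `cscli scenarios remove crowdsecurity/http-technology-probing` would likely keep the hub's installed-state consistent where a bare `rm -f` leaves `cscli hub list` reporting the item as missing or tainted. The enclosing `in { … }` attrset begins outside the hunk.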