crowdsec: prune hub items the bundled binary can't parse

The crowdsec hub tracks upstream master, but nixpkgs stable's crowdsec
binary is a few versions behind and doesn't know newer expr functions
(LookupFile in particular). When crowdsec-setup re-pulls the hub on
each rebuild, it lands /etc/crowdsec/scenarios/http-technology-probing.yaml
which then crashes the agent at load time with "unknown name LookupFile".

Adds a tiny oneshot ordered between crowdsec-setup and crowdsec that
removes the offending file. RequiredBy crowdsec.service so the hook
always fires even if someone restarts the agent manually. Drop this
unit (and revert the bundled-package fix) once nixpkgs catches up.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
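The commit removes one hard-coded scenario file. The following is an added example, not code from this repository or from crowdsec, of the more general form of the same prune step: scan the scenarios directory for any hub item that calls an expr function the installed binary does not know and delete those files. The function list is an assumption (only LookupFile is named by the commit); the directory argument and the constructed sample files exist only for illustration. In the NixOS module this would replace the `rm -f` in `ExecStart`, for instance via `pkgs.writeShellScript` (also an assumption about how it would be wired in).

```shell
#!/bin/sh
# Added example (not the repository's or crowdsec's own code).
# Prune hub scenarios that reference expr functions the installed crowdsec
# binary cannot parse, instead of deleting one known filename.

# Assumed list of functions unknown to the older binary. LookupFile is the
# one the commit names; extend per installed crowdsec version.
UNSUPPORTED_EXPR_FUNCS="LookupFile"

# prune_incompatible_scenarios DIR
# Deletes every *.yaml under DIR that calls one of the functions above and
# prints each removed path on its own line. Files that never mention an
# unsupported function are left untouched.
prune_incompatible_scenarios() {
    dir="$1"
    for f in "$dir"/*.yaml; do
        # The glob stays literal when DIR has no YAML files; skip that case.
        [ -e "$f" ] || continue
        for fn in $UNSUPPORTED_EXPR_FUNCS; do
            # Match the bare function name as a call (name followed by "("),
            # not as a substring of some longer identifier.
            if grep -Eq "(^|[^A-Za-z0-9_])${fn}[[:space:]]*\(" "$f"; then
                rm -f -- "$f"
                echo "$f"
                break
            fi
        done
    done
    return 0
}

# When run as a script with a directory argument, prune that directory.
if [ -n "${1:-}" ]; then
    prune_incompatible_scenarios "$1"
fi
```

Run as `prune-scenarios.sh /etc/crowdsec/scenarios` in place of the single `rm`; the printed paths give the journal a record of what was stripped on each activation, which the hard-coded `rm -f` does not.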
ediblerope 2026-05-07 14:54:11 +01:00
parent 0c1b23337f
commit 32f2a4df2b

@ -168,5 +168,23 @@ in
enable = true; enable = true;
registerBouncer.enable = true; registerBouncer.enable = true;
}; };
# The hub keeps tracking upstream master, but nixpkgs stable's crowdsec
# binary is a few versions behind and doesn't know newer expr functions
# (e.g. LookupFile, used by crowdsecurity/http-technology-probing). The
# agent then refuses to load the entire bucket and crashes on startup.
# Strip incompatible scenarios after crowdsec-setup repopulates the hub
# but before crowdsec.service tries to load them.
systemd.services.crowdsec-prune-incompatible-hub-items = {
description = "Remove hub scenarios incompatible with the bundled crowdsec";
after = [ "crowdsec-setup.service" ];
before = [ "crowdsec.service" ];
requiredBy = [ "crowdsec.service" ];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
ExecStart = "${pkgs.coreutils}/bin/rm -f /etc/crowdsec/scenarios/http-technology-probing.yaml";
};
};
}; };
} }
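Review bot: `RemainAfterExit = true;` in the serviceConfig block undercuts the commit message's goal that the hook "always fires even if someone restarts the agent manually": once the oneshot has run it stays active, so a later `systemctl restart crowdsec.service` satisfies the `requiredBy` dependency without re-executing the `rm`. If crowdsec-setup can repopulate the file between restarts, either drop RemainAfterExit so the inactive unit is started again by `Requires=`, or run the prune as an `ExecStartPre` of crowdsec.service instead of a separate unit. Separately, the `ExecStart` hard-codes a single path, `/etc/crowdsec/scenarios/http-technology-probing.yaml`, so any other hub item that the bundled binary cannot parse will still crash the agent on the next hub pull; a grep over the scenarios directory for the unknown function name would cover those too, and the comment above the unit should say the filename list is expected to grow until nixpkgs catches up.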