crowdsec: prune hub items the bundled binary can't parse
The crowdsec hub tracks upstream master, but nixpkgs stable's crowdsec binary is a few versions behind and doesn't know newer expr functions (LookupFile in particular). When crowdsec-setup re-pulls the hub on each rebuild, it lands /etc/crowdsec/scenarios/http-technology-probing.yaml which then crashes the agent at load time with "unknown name LookupFile". Adds a tiny oneshot ordered between crowdsec-setup and crowdsec that removes the offending file. RequiredBy crowdsec.service so the hook always fires even if someone restarts the agent manually. Drop this unit (and revert the bundled-package fix) once nixpkgs catches up. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
parent
0c1b23337f
commit
32f2a4df2b
1 changed files with 18 additions and 0 deletions
|
|
@ -168,5 +168,23 @@ in
|
|||
enable = true;
|
||||
registerBouncer.enable = true;
|
||||
};
|
||||
|
||||
# The hub keeps tracking upstream master, but nixpkgs stable's crowdsec
|
||||
# binary is a few versions behind and doesn't know newer expr functions
|
||||
# (e.g. LookupFile, used by crowdsecurity/http-technology-probing). The
|
||||
# agent then refuses to load the entire bucket and crashes on startup.
|
||||
# Strip incompatible scenarios after crowdsec-setup repopulates the hub
|
||||
# but before crowdsec.service tries to load them.
|
||||
systemd.services.crowdsec-prune-incompatible-hub-items = {
|
||||
description = "Remove hub scenarios incompatible with the bundled crowdsec";
|
||||
after = [ "crowdsec-setup.service" ];
|
||||
before = [ "crowdsec.service" ];
|
||||
requiredBy = [ "crowdsec.service" ];
|
||||
serviceConfig = {
|
||||
Type = "oneshot";
|
||||
RemainAfterExit = true;
|
||||
ExecStart = "${pkgs.coreutils}/bin/rm -f /etc/crowdsec/scenarios/http-technology-probing.yaml";
|
||||
};
|
||||
};
|
||||
};
|
||||
}
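Review bot: `RemainAfterExit = true;` on the new oneshot works against the stated goal that the prune runs on every agent start. Once the unit has succeeded it stays active, so a later restart of crowdsec.service, or a later crowdsec-setup run that re-pulls the hub, will not trigger it again and the scenario file can come back. Dropping that line lets the unit go inactive after each run, so the `requiredBy`/`before` pair starts it again whenever crowdsec.service is started. Deleting the file also turns off the http-technology-probing detection without leaving a trace, so I would add to the comment above the unit something like `# NOTE: disables crowdsecurity/http-technology-probing detection until the package is updated`. The attribute set that encloses the unit opens outside this hunk, so how crowdsec-setup is triggered is not visible here.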
|
||||
|
|
|
|||