Add CrowdSec IPS with firewall bouncer on FredOS-Mediaserver

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

common.nix

@@ -29,6 +29,7 @@
     ./services/jellyfin.nix
     ./services/bazarr.nix
     ./services/cloudflare-ddns.nix
+    ./services/crowdsec.nix
   ];
 
   ### Make build time quicker

services/crowdsec.nix

@@ -0,0 +1,27 @@
+{ config, lib, ... }:
+{
+  config = lib.mkIf (config.networking.hostName == "FredOS-Mediaserver") {
+    services.crowdsec = {
+      enable = true;
+      autoUpdateService = true;
+
+      localConfig.acquisitions = [
+        # SSH
+        {
+          source = "journalctl";
+          journalctl_filter = [ "-u" "sshd" ];
+          labels.type = "syslog";
+        }
+        # Nginx Proxy Manager (Docker logs via journald)
+        {
+          source = "journalctl";
+          journalctl_filter = [ "-u" "docker" "-t" "nginx-proxy-manager" ];
+          labels.type = "nginx";
+        }
+      ];
+    };
+
+    # Firewall bouncer — auto-registers to local CrowdSec API
+    services.crowdsec-firewall-bouncer.enable = true;
+  };
+}