From 995819820991351b36a9679b32d678c806446bd5 Mon Sep 17 00:00:00 2001
From: ediblerope
Date: Sun, 5 Apr 2026 23:12:45 +0100
Subject: [PATCH] Fix CrowdSec: enable LAPI server and expose config.yaml for bouncer registration
Co-Authored-By: Claude Sonnet 4.6
---
 services/crowdsec.nix | 28 +++++++++++++++++++---------
 1 file changed, 19 insertions(+), 9 deletions(-)
diff --git a/services/crowdsec.nix b/services/crowdsec.nix
index db41fb7..be432d7 100644
--- a/services/crowdsec.nix
+++ b/services/crowdsec.nix
@@ -1,27 +1,37 @@
-{ config, lib, ... }:
+{ config, lib, pkgs, ... }:
 {
   config = lib.mkIf (config.networking.hostName == "FredOS-Mediaserver") {
     services.crowdsec = {
       enable = true;
       autoUpdateService = true;
+      # Install detection collections on first boot
+      hub.collections = [ "crowdsecurity/linux" "crowdsecurity/sshd" ];
+
+      settings = {
+        # Enable the Local API server (required for bouncer registration)
+        general.api.server.enable = true;
+        # Where the LAPI client credentials will be written on first boot
+        lapi.credentialsFile = "/var/lib/crowdsec/state/lapi-credentials.yaml";
+      };
+
       localConfig.acquisitions = [
-        # SSH
+        # SSH brute-force detection
         {
           source = "journalctl";
           journalctl_filter = [ "-u" "sshd" ];
           labels.type = "syslog";
         }
-        # Nginx Proxy Manager (Docker logs via journald)
-        {
-          source = "journalctl";
-          journalctl_filter = [ "-u" "docker" "-t" "nginx-proxy-manager" ];
-          labels.type = "nginx";
-        }
       ];
     };
 
-    # Firewall bouncer — auto-registers to local CrowdSec API
+    # The bouncer-register service uses raw cscli (no -c flag), so it looks for
+    # config at /etc/crowdsec/config.yaml. Symlink the Nix-generated config there.
+    systemd.tmpfiles.rules = [
+      "L+ /etc/crowdsec/config.yaml - - - - ${(pkgs.formats.yaml { }).generate "crowdsec.yaml" config.services.crowdsec.settings.general}"
+    ];
+
+    # Firewall bouncer — auto-registers to local CrowdSec LAPI
     services.crowdsec-firewall-bouncer = {
       enable = true;
       settings.api_url = "http://127.0.0.1:8080";