From a0a1d67124f6ac38748f81d28597dfc8126bb691 Mon Sep 17 00:00:00 2001
From: ediblerope
Date: Sat, 25 Apr 2026 20:03:10 +0100
Subject: [PATCH] crowdsec: add systemd-journal group so journalctl acquisitions work

DynamicUser can only see its own journald entries by default, so the sshd + authelia journalctl acquisitions were dying with "insufficient permissions" and exit status 1 from the spawned journalctl process. Adding systemd-journal grants the read access journald gates on group membership, restoring the ssh-bf / authelia-bf detection chain.

Co-Authored-By: Claude Opus 4.7
---
 services/crowdsec.nix | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/services/crowdsec.nix b/services/crowdsec.nix
index 7ec63b5..5525638 100644
--- a/services/crowdsec.nix
+++ b/services/crowdsec.nix
@@ -62,11 +62,13 @@ in
 "crowdsecurity/whitelist-good-actors" # don't ban legit crawlers
 ];
- # Allow the agent (DynamicUser) to read nginx logs:
- # readOnlyPaths makes the dir visible inside the sandbox; extraGroups
- # gets it past Unix perms (access.log is nginx:nginx 640).
+ # Allow the agent (DynamicUser) to read its acquisition sources:
+ # - nginx group → /var/log/nginx/access.log (nginx:nginx 640)
+ # - systemd-journal → journald entries from sshd + authelia
+ # (without it, journalctl returns "insufficient permissions" and
+ # the entire ssh-bf / authelia-bf detection chain runs blind)
 readOnlyPaths = [ "/var/log/nginx" ];
- extraGroups = [ "nginx" ];
+ extraGroups = [ "nginx" "systemd-journal" ];
 settings = {
 # config.yaml — main agent + LAPI configuration
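Review bot: The added comment line `# - systemd-journal → journald entries from sshd + authelia` understates what the new `extraGroups` entry grants: membership in the systemd-journal group is read access to the entire system journal (every unit's entries and other users' journals), because journald gates on group membership rather than per unit. The crowdsec acquisition config decides what the agent reads, not what it is able to read, so the comment should keep that trust boundary visible, e.g. `# - systemd-journal → read access to the whole system journal (journald gates on group, not per unit); the sshd + authelia acquisitions are only a subset of what this exposes`. The "insufficient permissions" failure described in the commit message is consistent with that group gating, though whether the DynamicUser sandbox also needs the journal directories reachable is not shown in this hunk. The enclosing attribute set (following `in`) starts and ends outside the hunk.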