alerting: silence per-ban crowdsec pushes; ntfy alert on service down/recovery

- crowdsec.nix: drop the ntfy notifications (one push per ban was constant
  noise on the WAN-exposed box); bans still happen silently
- service-health.nix: OnFailure=notify-failure@%n on 16 core units sends an
  ntfy 'down' push when a unit truly fails (after exhausting Restart=), then
  a 'recovered' push when it comes back. Shares /var/secrets/ntfy-url.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
This commit is contained in:
rope 2026-06-13 17:54:37 +01:00
parent 3047ea547c
commit ddbc8929e4
3 changed files with 84 additions and 58 deletions

View file

@ -9,37 +9,10 @@
# 2. Delete ../modules/crowdsec/ and the disabledModules + imports lines below
# 3. The settings/option API is the same as the PR's, so config below is forward-compatible
#
# Before first deploy, create /var/secrets/ntfy-url with your topic URL:
# echo 'https://ntfy.sh/nordhammer-<random>' | sudo tee /var/secrets/ntfy-url
# sudo chmod 600 /var/secrets/ntfy-url
# CrowdSec bans silently — no ntfy pushes (they were constant noise).
# The /var/secrets/ntfy-url topic is used by services/service-health.nix instead.
{ config, lib, pkgs, ... }:
let
# The real URL is injected at service start (see ExecStartPre below) —
# eval-time builtins.readFile can't see /var/secrets under pure flake
# evaluation, which is how the `update` alias builds.
ntfyUrlPlaceholder = "@NTFY_URL@";
# The module renders settings.notifications into /etc/crowdsec/notifications/
# as a symlink into /etc/static (the store). Re-render it from the static
# source with the secret substituted on every service start; nixos-rebuild
# restores the symlink on activation, so this never goes stale.
injectNtfyUrl = pkgs.writeShellScript "crowdsec-inject-ntfy-url" ''
set -euo pipefail
src=/etc/static/crowdsec/notifications/0-nixos-generated.yaml
dst=/etc/crowdsec/notifications/0-nixos-generated.yaml
secret=/var/secrets/ntfy-url
if [ ! -f "$secret" ]; then
echo "WARNING: $secret not found; ntfy notifications will not work" >&2
exit 0
fi
url=$(${pkgs.coreutils}/bin/tr -d '\n' < "$secret")
tmp=$(${pkgs.coreutils}/bin/mktemp "$dst.XXXXXX")
${pkgs.gnused}/bin/sed "s|${ntfyUrlPlaceholder}|$url|g" "$src" > "$tmp"
${pkgs.coreutils}/bin/chmod 600 "$tmp"
${pkgs.coreutils}/bin/chown crowdsec:crowdsec "$tmp"
${pkgs.coreutils}/bin/mv "$tmp" "$dst"
'';
# nixpkgs only builds the agent + cscli; the new module also expects
# notification plugins at $out/libexec/crowdsec/plugins/. Compile them
# from the same source tree (cmd/notification-*) and move them there.
@ -142,52 +115,27 @@ in
}
];
# Push notifications via ntfy.sh
notifications = [
{
name = "ntfy_http";
type = "http";
log_level = "info";
url = ntfyUrlPlaceholder;
method = "POST";
headers = {
Title = "CrowdSec alert";
Priority = "high";
Tags = "rotating_light";
};
format = ''
{{range . -}}
{{.Scenario}} from {{.Source.IP}} ({{.Source.Cn}}) {{len .Decisions}} decision(s) taken
{{end -}}
'';
}
];
# Override default profiles to attach the ntfy notifier
# Profiles set ban duration to 4h. No ntfy notifications: a push per
# ban was constant noise on a WAN-exposed box. ntfy is now reserved
# for service-down alerts (see services/service-health.nix); CrowdSec
# still bans silently.
profiles = [
{
name = "default_ip_remediation";
filters = [ "Alert.Remediation == true && Alert.GetScope() == 'Ip'" ];
decisions = [{ type = "ban"; duration = "4h"; }];
notifications = [ "ntfy_http" ];
on_success = "break";
}
{
name = "default_range_remediation";
filters = [ "Alert.Remediation == true && Alert.GetScope() == 'Range'" ];
decisions = [{ type = "ban"; duration = "4h"; }];
notifications = [ "ntfy_http" ];
on_success = "break";
}
];
};
};
# Inject the ntfy topic URL into the rendered notification config before
# every start. "+" runs the script with full privileges (it reads the
# root-owned secret and replaces a root-owned /etc symlink).
systemd.services.crowdsec.serviceConfig.ExecStartPre = [ "+${injectNtfyUrl}" ];
# Firewall bouncer enforces decisions via nftables; auto-registers with LAPI
services.crowdsec-firewall-bouncer = {
enable = true;