feat: Add Crowdsec modules

flake.nix

@@ -148,6 +148,7 @@
             quadlet-nix.nixosModules.quadlet
             crowdsec.nixosModules.crowdsec
             crowdsec.nixosModules.crowdsec-firewall-bouncer
+            { nixpkgs.overlays = [ crowdsec.overlays.default ]; }
           ];
         };
       };

secrets.nix

@@ -4,8 +4,6 @@ let
     "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM8G6okW/vpl3DTBwL64aPb+oxJsr2Wl6KzHYsLPecBc millironx@millironx.com";
   bosephus-host =
     "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIxTfeg+GZsfmG8TuEV1xW1gXknAIKzZ3UjZ3guRY+EW root@nixos";
-  bosephus-root =
-    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFFl4zOdlKkpoccPZTX8195068gJVhylvV9pUYxy2kM+ root@bosephus";
   bosephus-millironx =
     "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKaDPqRJHoqgY2pseh/mnhjaGWXprHk2s5I52LhHpHcF millironx@bosephus";
   odyssey-millironx =
@@ -17,7 +15,6 @@ let
 
   system-administrators = [
     anderson-millironx
-    bosephus-root
     bosephus-millironx
     odyssey-millironx
     corianne-millironx

secrets/ansible-vault-password.age

@@ -1,15 +1,13 @@
 age-encryption.org/v1
--> ssh-ed25519 il3lzQ oDA/rl4XZJY+vIIdnMBaAuSMD+DnMX2n6+B3geHw/1Q
+-> ssh-ed25519 il3lzQ Ni2CHjeijXHfF62cUqVTm8MAOn6rRg8UrhqN6xvdkyk
-Jpv2pN6KwJAHgwWBbAAgmGVrZeO+wLmuwFRpJLsUDcU
+DsT0Ysx88FlCLeRzoOGctX7KqatX9/UCr5WdtdLJAf4
--> ssh-ed25519 bN6E9A jKvJPR87Eojde1aq2FFxRj+cxy+0S7Eix5JwRPRpX34
+-> ssh-ed25519 1g/xww jRn91F29sISMyi41anAlzVCzt1t1DnUqxtryqkTQPlM
-48eC+KdOBcIGU0y2ui4iq+g8K9SG7qc3U60ApLU+w+Q
+cysgZLQR0YhiJYXBl59DjKbm+N8FnjA46wkQtnAzBFA
--> ssh-ed25519 1g/xww UiK5nDMJg+tTc7zdE5zlEXmoBPE5dV2EpHxvhWBENmU
+-> ssh-ed25519 +kBihw t6wlSnDKGgSzGhNJnryXVbDR40DATaV3fHovtI/u7zo
-ljQEJ+tiZPdFrpiZER5EOIsdnhpj05EKryhzm0vM3LU
+zOyCZtzfLKeer9K6SMpfTxn6El4HB7gQFQqLOxIYB5U
--> ssh-ed25519 +kBihw ZIcwOBbRMJ8jiu9Vcq8BvGyOT1xuqG+Mf/DXUHMeCAA
+-> ssh-ed25519 dbKeHw cn+8WTwis58bYm2pfEra6LeLvzEZ8GhZrOEeN+kkhCM
-wlXcO4kQpHmka49CARH0xvm/Lh0AcQ1j/bPx12wZVBY
+fnlUAj8JtG8+r7Cj8xYUgF+JM6Pwqawn4sGI1LOeN78
--> ssh-ed25519 dbKeHw +G44jyudYu9opDuMcTs05j5Ha91m9lm5g551uIAACEk
+-> ssh-ed25519 Svnssw zmDBR8TdRZ9NzNhwPYRN6c8naTxAkULyUZpKgk7Gshk
-9DXJxDc2L3PDCAi3cLfVajqPseaxmBpb+Uo3AW2R05I
+0XCwpegEIlGXhnzLLUtmciKQiYiZRgnSOSvCcYeXXk8
--> ssh-ed25519 Svnssw PZN+FpZsFnCqerEgW7B4RFHo7iumlUXL4pYt54/XxjM
+--- D/lZ36n5sVste2NWfdOx8/klPh0CTmMjVQN74KIqDRY
-bKrgyqBpIMnntB0CHA560TvraQE9bPF06oOXR+wocIA
+]%得ﾇC}<7D>弡鶲ﾈﾓ"vﾎﾈ#<23>ｱｪ釋
｢tｭ､ﾜ_Q;^*!ｻ+<+ｱ瑁詞ﾈdBﾗ/Kﾒ<4B>ﾉ`
---- RW8fUuT62TXXKS8k8MgKISzwORr/3hEl0XK2XSZFzpA
-W:ÙÍðiZS¶Öì‡ÓÞtó±ƒhÍðÕž0JßEg¾õÚPTá#8™²‡ì¹Žõ‘-‡“<E280A1>'€È°L8k­pØ

services/crowdsec.nix

@@ -0,0 +1,90 @@
+{ pkgs, config, ... }:
+let
+  crowdsec-url = "127.0.0.1:2763";
+  firewall-bouncer-name = "fw-bouncer";
+  # Although this key can be reproduced by anyone who actually cares to, the
+  # Crowdsec API will not be exposed to the outside world, so keeping this key
+  # super secret really isn't that important to me. Still make it look random
+  # so that hungry botnets can't just slurp up the password in plaintext.
+  firewall-bouncer-key = builtins.hashString "sha256"
+    "${config.networking.hostName}-crowdsec-bouncer-salt";
+  toMultiYAML = items:
+    pkgs.lib.concatMapStrings (item:
+      ''
+
+        ---
+      '' + (pkgs.lib.generators.toYAML { } item) + "\n") items;
+in {
+  services = {
+    crowdsec = {
+      enable = true;
+      settings = {
+        api.server = { listen_uri = crowdsec-url; };
+        allowLocalJournalAccess = true;
+        crowdsec_service.acquisition_path = pkgs.writeText "acquisitions.yaml"
+          (toMultiYAML [
+            {
+              source = "journalctl";
+              journalctl_filter = [ "_SYSTEMD_UNIT=sshd.service" ];
+              labels.type = "syslog";
+            }
+            {
+              filenames = [ "/var/log/auth.log" ];
+              labels.type = "syslog";
+            }
+            {
+              filenames = [ "/var/log/syslog" "/var/log/kern.log" ];
+              labels.type = "syslog";
+            }
+          ]);
+      };
+    };
+    crowdsec-firewall-bouncer = {
+      enable = true;
+      settings = {
+        api_url = firewall-bouncer-name;
+        api_key = firewall-bouncer-key;
+      };
+    };
+  };
+
+  systemd.services.crowdsec.serviceConfig = {
+    ExecStartPre = let
+      bouncer-script = pkgs.writeScriptBin "register-bouncer" ''
+        #!${pkgs.runtimeShell}
+        set -eu
+        set -o pipefail
+
+        if ! cscli bouncers list | grep -q "${firewall-bouncer-name}"; then
+          cscli bouncers add "${firewall-bouncer-name}" --key "${firewall-bouncer-key}"
+        fi
+      '';
+      collection-check = collection: ''
+
+        if ! cscli collections list | grep -q "${collection}"; then
+          cscli collections install "${collection}"
+        fi
+
+      '';
+      collections = [
+        "crowdsecurity/base-http-scenarios"
+        "crowdsecurity/http-cve"
+        "crowdsecurity/http-dos"
+        "crowdsecurity/iptables"
+        "crowdsecurity/linux"
+        "crowdsecurity/sshd"
+        "crowdsecurity/whitelist-good-actors"
+      ];
+      collection-script = pkgs.writeScriptBin "install-collections" ''
+        #!${pkgs.runtimeShell}
+        set -eu
+        set -o pipefail
+
+        ${pkgs.lib.concatMapStrings collection-check collections}
+      '';
+    in [
+      "${bouncer-script}/bin/register-bouncer"
+      "${collection-script}/bin/install-collections"
+    ];
+  };
+}

systems/linux/mcentire.nix

@@ -4,6 +4,7 @@
   imports = [ # Include the results of the hardware scan.
     ./hardware-configuration/mcentire.nix
     ./../../services/nixos-update.nix
+    ./../../services/crowdsec.nix
   ];
 
   # Use the GRUB 2 boot loader.