feat: Add Crowdsec modules

secrets: Remove bosephus root from administrators
flake: Add crowdsec flake
2025-11-10 00:07:41 -06:00 · 2025-11-09 23:22:37 -06:00 · 2025-11-09 21:13:30 -06:00
9 changed files with 166 additions and 19 deletions
--- a/flake.lock
+++ b/flake.lock
@ -27,6 +27,27 @@
        "type": "github"
      }
    },
+    "crowdsec": {
+      "inputs": {
+        "flake-utils": "flake-utils",
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1752497357,
+        "narHash": "sha256-9epXn1+T6U4Kfyw8B9zMzbERxDB3VfaPXhVebtai6CE=",
+        "ref": "refs/heads/main",
+        "rev": "84db7dcea77f7f477d79e69e35fb0bb560232667",
+        "revCount": 42,
+        "type": "git",
+        "url": "https://codeberg.org/kampka/nix-flake-crowdsec.git"
+      },
+      "original": {
+        "type": "git",
+        "url": "https://codeberg.org/kampka/nix-flake-crowdsec.git"
+      }
+    },
    "flake-parts": {
      "inputs": {
        "nixpkgs-lib": [
@ -48,6 +69,23 @@
        "type": "github"
      }
    },
+    "flake-utils": {
+      "inputs": {
+        "systems": "systems_2"
+      },
+      "locked": {
+        "lastModified": 1731533236,
+        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
+        "type": "github"
+      },
+      "original": {
+        "id": "flake-utils",
+        "type": "indirect"
+      }
+    },
    "home-manager": {
      "inputs": {
        "nixpkgs": [
@ -200,6 +238,7 @@
    "root": {
      "inputs": {
        "agenix": "agenix",
+        "crowdsec": "crowdsec",
        "home-manager": "home-manager",
        "nix-darwin": "nix-darwin",
        "nixpkgs": "nixpkgs",
@ -247,6 +286,21 @@
        "repo": "default",
        "type": "github"
      }
+    },
+    "systems_2": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
    }
  },
  "root": "root",
--- a/flake.nix
+++ b/flake.nix
@ -30,6 +30,10 @@
    };

    # Linux-specific inputs
+    crowdsec = {
+      url = "git+https://codeberg.org/kampka/nix-flake-crowdsec.git";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
    plasma-manager = {
      url = "github:nix-community/plasma-manager";
      inputs = {
@ -47,8 +51,8 @@
  };

  outputs = { self, nix-darwin, nixpkgs, nixpkgs-darwin, nixpkgs-unstable
-    , home-manager, agenix, rycee-nurpkgs, nur, plasma-manager, quadlet-nix, ...
-    }:
+    , home-manager, agenix, rycee-nurpkgs, nur, crowdsec, plasma-manager
+    , quadlet-nix, ... }:
    let
      mkHomeConfiguration = { hostname, arch ? "x86_64", os ? "linux"
        , desktop ? false, extraModules ? [ ] }:
@ -142,6 +146,9 @@
            ./systems/linux/mcentire.nix
            agenix.nixosModules.default
            quadlet-nix.nixosModules.quadlet
+            crowdsec.nixosModules.crowdsec
+            crowdsec.nixosModules.crowdsec-firewall-bouncer
+            { nixpkgs.overlays = [ crowdsec.overlays.default ]; }
          ];
        };
      };
--- a/secrets.nix
+++ b/secrets.nix
@ -4,8 +4,6 @@ let
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM8G6okW/vpl3DTBwL64aPb+oxJsr2Wl6KzHYsLPecBc millironx@millironx.com";
  bosephus-host =
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIxTfeg+GZsfmG8TuEV1xW1gXknAIKzZ3UjZ3guRY+EW root@nixos";
-  bosephus-root =
-    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFFl4zOdlKkpoccPZTX8195068gJVhylvV9pUYxy2kM+ root@bosephus";
  bosephus-millironx =
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKaDPqRJHoqgY2pseh/mnhjaGWXprHk2s5I52LhHpHcF millironx@bosephus";
  odyssey-millironx =
@ -17,7 +15,6 @@ let

  system-administrators = [
    anderson-millironx
-    bosephus-root
    bosephus-millironx
    odyssey-millironx
    corianne-millironx
--- a/secrets/ansible-vault-password.age
+++ b/secrets/ansible-vault-password.age
@ -1,15 +1,13 @@
 age-encryption.org/v1
-> ssh-ed25519 il3lzQ oDA/rl4XZJY+vIIdnMBaAuSMD+DnMX2n6+B3geHw/1Q
-Jpv2pN6KwJAHgwWBbAAgmGVrZeO+wLmuwFRpJLsUDcU
-> ssh-ed25519 bN6E9A jKvJPR87Eojde1aq2FFxRj+cxy+0S7Eix5JwRPRpX34
-48eC+KdOBcIGU0y2ui4iq+g8K9SG7qc3U60ApLU+w+Q
-> ssh-ed25519 1g/xww UiK5nDMJg+tTc7zdE5zlEXmoBPE5dV2EpHxvhWBENmU
-ljQEJ+tiZPdFrpiZER5EOIsdnhpj05EKryhzm0vM3LU
-> ssh-ed25519 +kBihw ZIcwOBbRMJ8jiu9Vcq8BvGyOT1xuqG+Mf/DXUHMeCAA
-wlXcO4kQpHmka49CARH0xvm/Lh0AcQ1j/bPx12wZVBY
-> ssh-ed25519 dbKeHw +G44jyudYu9opDuMcTs05j5Ha91m9lm5g551uIAACEk
-9DXJxDc2L3PDCAi3cLfVajqPseaxmBpb+Uo3AW2R05I
-> ssh-ed25519 Svnssw PZN+FpZsFnCqerEgW7B4RFHo7iumlUXL4pYt54/XxjM
-bKrgyqBpIMnntB0CHA560TvraQE9bPF06oOXR+wocIA
--- RW8fUuT62TXXKS8k8MgKISzwORr/3hEl0XK2XSZFzpA
-W:ÙÍðiZS¶Öì‡ÓÞtó±ƒhÍðÕž0JßEg¾õÚPTá#8™²‡ì¹Žõ‘-‡“<E280A1>'€È°L8kpØ
+-> ssh-ed25519 il3lzQ Ni2CHjeijXHfF62cUqVTm8MAOn6rRg8UrhqN6xvdkyk
+DsT0Ysx88FlCLeRzoOGctX7KqatX9/UCr5WdtdLJAf4
+-> ssh-ed25519 1g/xww jRn91F29sISMyi41anAlzVCzt1t1DnUqxtryqkTQPlM
+cysgZLQR0YhiJYXBl59DjKbm+N8FnjA46wkQtnAzBFA
+-> ssh-ed25519 +kBihw t6wlSnDKGgSzGhNJnryXVbDR40DATaV3fHovtI/u7zo
+zOyCZtzfLKeer9K6SMpfTxn6El4HB7gQFQqLOxIYB5U
+-> ssh-ed25519 dbKeHw cn+8WTwis58bYm2pfEra6LeLvzEZ8GhZrOEeN+kkhCM
+fnlUAj8JtG8+r7Cj8xYUgF+JM6Pwqawn4sGI1LOeN78
+-> ssh-ed25519 Svnssw zmDBR8TdRZ9NzNhwPYRN6c8naTxAkULyUZpKgk7Gshk
+0XCwpegEIlGXhnzLLUtmciKQiYiZRgnSOSvCcYeXXk8
+--- D/lZ36n5sVste2NWfdOx8/klPh0CTmMjVQN74KIqDRY
+]%得ﾇC}<7D>弡鶲ﾈﾓ"vﾎﾈ#<23>ｱｪ釋｢tｭ､ﾜ_Q;^*!ｻ+<+ｱ瑁詞ﾈdBﾗ/Kﾒ<4B>ﾉ`
--- a/secrets/darwin-policies-json.age
+++ b/secrets/darwin-policies-json.age
--- a/secrets/network-information.age
+++ b/secrets/network-information.age
--- a/secrets/pihole.age
+++ b/secrets/pihole.age
--- a/services/crowdsec.nix
+++ b/services/crowdsec.nix
@ -0,0 +1,90 @@
+{ pkgs, config, ... }:
+let
+  crowdsec-url = "127.0.0.1:2763";
+  firewall-bouncer-name = "fw-bouncer";
+  # Although this key can be reproduced by anyone who actually cares to, the
+  # Crowdsec API will not be exposed to the outside world, so keeping this key
+  # super secret really isn't that important to me. Still make it look random
+  # so that hungry botnets can't just slurp up the password in plaintext.
+  firewall-bouncer-key = builtins.hashString "sha256"
+    "${config.networking.hostName}-crowdsec-bouncer-salt";
+  toMultiYAML = items:
+    pkgs.lib.concatMapStrings (item:
+      ''
+
+        ---
+      '' + (pkgs.lib.generators.toYAML { } item) + "\n") items;
+in {
+  services = {
+    crowdsec = {
+      enable = true;
+      settings = {
+        api.server = { listen_uri = crowdsec-url; };
+        allowLocalJournalAccess = true;
+        crowdsec_service.acquisition_path = pkgs.writeText "acquisitions.yaml"
+          (toMultiYAML [
+            {
+              source = "journalctl";
+              journalctl_filter = [ "_SYSTEMD_UNIT=sshd.service" ];
+              labels.type = "syslog";
+            }
+            {
+              filenames = [ "/var/log/auth.log" ];
+              labels.type = "syslog";
+            }
+            {
+              filenames = [ "/var/log/syslog" "/var/log/kern.log" ];
+              labels.type = "syslog";
+            }
+          ]);
+      };
+    };
+    crowdsec-firewall-bouncer = {
+      enable = true;
+      settings = {
+        api_url = firewall-bouncer-name;
+        api_key = firewall-bouncer-key;
+      };
+    };
+  };
+
+  systemd.services.crowdsec.serviceConfig = {
+    ExecStartPre = let
+      bouncer-script = pkgs.writeScriptBin "register-bouncer" ''
+        #!${pkgs.runtimeShell}
+        set -eu
+        set -o pipefail
+
+        if ! cscli bouncers list | grep -q "${firewall-bouncer-name}"; then
+          cscli bouncers add "${firewall-bouncer-name}" --key "${firewall-bouncer-key}"
+        fi
+      '';
+      collection-check = collection: ''
+
+        if ! cscli collections list | grep -q "${collection}"; then
+          cscli collections install "${collection}"
+        fi
+
+      '';
+      collections = [
+        "crowdsecurity/base-http-scenarios"
+        "crowdsecurity/http-cve"
+        "crowdsecurity/http-dos"
+        "crowdsecurity/iptables"
+        "crowdsecurity/linux"
+        "crowdsecurity/sshd"
+        "crowdsecurity/whitelist-good-actors"
+      ];
+      collection-script = pkgs.writeScriptBin "install-collections" ''
+        #!${pkgs.runtimeShell}
+        set -eu
+        set -o pipefail
+
+        ${pkgs.lib.concatMapStrings collection-check collections}
+      '';
+    in [
+      "${bouncer-script}/bin/register-bouncer"
+      "${collection-script}/bin/install-collections"
+    ];
+  };
+}
--- a/systems/linux/mcentire.nix
+++ b/systems/linux/mcentire.nix
@ -4,6 +4,7 @@
  imports = [ # Include the results of the hardware scan.
    ./hardware-configuration/mcentire.nix
    ./../../services/nixos-update.nix
+    ./../../services/crowdsec.nix
  ];

  # Use the GRUB 2 boot loader.
Author	SHA1	Message	Date
Thomas A. Christensen II	97a9912537	feat: Add Crowdsec modules	2025-11-10 00:07:41 -06:00
Thomas A. Christensen II	3d0c03efb0	secrets: Remove bosephus root from administrators	2025-11-09 23:22:37 -06:00
Thomas A. Christensen II	9295e14787	flake: Add crowdsec flake	2025-11-09 21:13:30 -06:00