From fba44b786d5ee13029855bc845236a2d2750cc36 Mon Sep 17 00:00:00 2001
From: Eric Torres
Date: Sat, 18 Oct 2025 22:43:58 -0700
Subject: [PATCH 1/3] services: add crowdsec-firewall-bouncer module
---
 services/crowdsec-firewall-bouncer.nix | 30 ++++++++++++++++++++++++++
 services/services.nix | 2 ++
 2 files changed, 32 insertions(+)
 create mode 100644 services/crowdsec-firewall-bouncer.nix
diff --git a/services/crowdsec-firewall-bouncer.nix b/services/crowdsec-firewall-bouncer.nix
new file mode 100644
index 0000000..1849120
--- /dev/null
+++ b/services/crowdsec-firewall-bouncer.nix
@@ -0,0 +1,30 @@
+# Module: services/crowdsec-firewall-bouncer
+# Enrolls a traefik bouncer with the crowdsec console
+{
+ config,
+ lib,
+ pkgs,
+ pkgsUnstable,
+ inputs,
+ ...
+}:
+
+with lib;
+
+let
+ cfg = config.crowdsec-firewall-bouncer;
+ lapiHost = "log-01.tail755c5.ts.net:8080";
+in
+{
+ #imports = [ "${pkgsUnstable.path}/nixos/modules/services/security/crowdsec.nix" ];
+
+ options.crowdsec-firewall-bouncer = {
+ enable = mkEnableOption "Enables traefik bouncer for a specified crowdsec instance";
+ };
+
+ config = mkIf (cfg.enable && config.services.crowdsec.enable) {
+ environment.systemPackages = with pkgsUnstable; [
+ crowdsec-firewall-bouncer
+ ];
+ };
+}
diff --git a/services/services.nix b/services/services.nix
index 22516e4..58cc999 100644
--- a/services/services.nix
+++ b/services/services.nix
@@ -11,6 +11,7 @@
 {
 imports = [
 ./crowdsec.nix
+ ./crowdsec-firewall-bouncer.nix
 ./crowdsec-traefik-bouncer.nix
 ./docker.nix
 ./healthchecks.nix
@@ -22,6 +23,7 @@
 ];
 crowdsec.enable = lib.mkDefault false;
+ crowdsec-firewall-bouncer.enable = lib.mkDefault false;
 crowdsec-traefik-bouncer.enable = lib.mkDefault false;
 docker.enable = lib.mkDefault false;
 healthchecks.enable = lib.mkDefault false;
From 80ee3463876afb15259d4e64816820201eff35eb Mon Sep 17 00:00:00 2001
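Review bot: Enabling this module installs the crowdsec-firewall-bouncer binary and nothing else — no systemd unit, no bouncer configuration — and the `lapiHost` binding in the `let` block is never read, so `crowdsec-firewall-bouncer.enable = true` does not make the host enforce crowdsec decisions even though the option description suggests it does. If this is a first step, say so in the module header so nobody relies on it for enforcement; otherwise wire the package into a service pointed at `lapiHost` whose LAPI credential comes from a secret rather than from this file. The header comment and option description are copied from the traefik bouncer module: `# Enrolls a traefik bouncer with the crowdsec console` should read `# Installs the crowdsec firewall bouncer for a remote crowdsec LAPI`, and `"Enables traefik bouncer for a specified crowdsec instance"` should name the firewall bouncer. `pkgs` and `inputs` are taken from the module arguments but unused, and the commented-out `imports` line should either be used or dropped.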
From: Eric Torres
Date: Sat, 18 Oct 2025 22:44:23 -0700
Subject: [PATCH 2/3] services/crowdsec-firewall-bouncer: only use mkIf cfg.enable conditional
---
 services/crowdsec-firewall-bouncer.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/services/crowdsec-firewall-bouncer.nix b/services/crowdsec-firewall-bouncer.nix
index 1849120..091f1d2 100644
--- a/services/crowdsec-firewall-bouncer.nix
+++ b/services/crowdsec-firewall-bouncer.nix
@@ -22,7 +22,7 @@ in
 enable = mkEnableOption "Enables traefik bouncer for a specified crowdsec instance";
 };
- config = mkIf (cfg.enable && config.services.crowdsec.enable) {
+ config = mkIf cfg.enable {
 environment.systemPackages = with pkgsUnstable; [
 crowdsec-firewall-bouncer
 ];
From bfd5dfbd2d337f9f102c09e718bc4333a64a89c8 Mon Sep 17 00:00:00 2001
From: Eric Torres
Date: Sat, 18 Oct 2025 22:45:35 -0700
Subject: [PATCH 3/3] crowdsec-traefik-bouncer: cleanup unneeded vars
---
 services/crowdsec-traefik-bouncer.nix | 3 ---
 1 file changed, 3 deletions(-)
diff --git a/services/crowdsec-traefik-bouncer.nix b/services/crowdsec-traefik-bouncer.nix
index 0bbeb83..f06a7e0 100644
--- a/services/crowdsec-traefik-bouncer.nix
+++ b/services/crowdsec-traefik-bouncer.nix
@@ -13,9 +13,6 @@ with lib;
 let
 cfg = config.crowdsec-traefik-bouncer;
- crowdsecListenAddress = "0.0.0.0";
- crowdsecPort = "8080";
- crowdsecPrometheusPort = "6060";
 pluginVersion = "v1.4.5";
 lapiHost = "log-01.tail755c5.ts.net:8080";
 wafHost = "log-01.tail755c5.ts.net:7422";
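Review bot: Dropping `config.services.crowdsec.enable` from the `mkIf` guard is not explained in the code, and with the guard gone the option can be enabled on a host that runs no local crowdsec agent at all. If the intent is that this bouncer talks to the remote LAPI named in `lapiHost` rather than a local instance, record that above the `config` attribute, e.g. `# Guarded on cfg.enable only: the bouncer targets the remote LAPI (lapiHost), not a local services.crowdsec`. The import that would supply `services.crowdsec` from `pkgsUnstable` is still commented out in this module, so depending on the nixpkgs the host is built from the old guard may have referenced an option that is not defined there; that deserves a sentence in the commit message. The enclosing attribute set continues past the end of the hunk.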