From 7d131891f275a7daabedb12f69a51f978c55bba9 Mon Sep 17 00:00:00 2001
From: Eric Torres
Date: Sun, 9 Nov 2025 18:18:49 -0800
Subject: [PATCH] hosts/lax-01: configure crowdsec-firewall-bouncer
---
 hosts/lax-01/default.nix | 6 ++++--
 secrets/lax-01.yml | 7 ++++---
 2 files changed, 8 insertions(+), 5 deletions(-)
diff --git a/hosts/lax-01/default.nix b/hosts/lax-01/default.nix
index 4a1616a..c59e1fa 100644
--- a/hosts/lax-01/default.nix
+++ b/hosts/lax-01/default.nix
@@ -44,7 +44,8 @@
 "borgmatic_pass/remote" = { };
 "postgres_databases/authentik" = { };
 "postgres_databases/healthchecks" = { };
- "crowdsec/lapiKey" = {
+ "crowdsec/fwLapiKey" = { };
+ "crowdsec/wafLapiKey" = {
 owner = "traefik";
 mode = "0400";
 };
@@ -60,11 +61,12 @@
 crowdsec-firewall-bouncer = {
 enable = true;
+ apiKeyFile = config.sops.secrets."crowdsec/fwLapiKey".path;
 };
 crowdsec-traefik-bouncer = {
 enable = true;
- lapiKeyFile = config.sops.secrets."crowdsec/lapiKey".path;
+ lapiKeyFile = config.sops.secrets."crowdsec/wafLapiKey".path;
 };
 traefik.redirectHttps = true;
diff --git a/secrets/lax-01.yml b/secrets/lax-01.yml
index a76c5b5..92513fb 100644
--- a/secrets/lax-01.yml
+++ b/secrets/lax-01.yml
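Review bot: The secret declared here as `"crowdsec/fwLapiKey"` does not match the entry this same commit adds to secrets/lax-01.yml, which is `fwBouncerLapiKey` under `crowdsec:`, so sops-nix will look up a key path that is not in the file. Depending on how validation is configured, this should show up as a failed sops file check at build time or a failed secret install at activation, leaving the firewall bouncer without its API key. Either rename the YAML key to `fwLapiKey`, or declare `"crowdsec/fwBouncerLapiKey" = { };` here and use that name in the `apiKeyFile` line of the next hunk. The secrets attribute set starts and ends outside this hunk.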
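Review bot: `apiKeyFile` points at a secret that the first hunk declares with an empty `{ }`, which in sops-nix means the default root-owned, mode 0400 file, whereas the traefik key carries an explicit `owner` and `mode`. That is only correct if the firewall bouncer unit reads the file as root or receives it as a systemd credential, and the module is not visible in this diff, so it should be confirmed. A comment on the declaration such as `# defaults (root, 0400) are intentional: the firewall bouncer reads this as root` would record the decision. If the key is expected to rotate, `restartUnits` on the secret would make the bouncer pick up the new value; the unit name is not shown here.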
@@ -5,7 +5,8 @@ postgres_databases:
 authentik: ENC[AES256_GCM,data:Gk1tVHrqrm6HEjukd0v6iw==,iv:KsxrdSeRT+ZX82K0UoKe54QDV0ttJhPWQpwWglkJP38=,tag:EDICo3kxo5nqD3xEdZ88nw==,type:str]
 healthchecks: ENC[AES256_GCM,data:w8nX0C7n19smMkkzIWdwsSWsPfs=,iv:5+IOTEp2/SSzgp9F6T+N7i6x4d98lCBcmlJbYhEQXYE=,tag:61UGJzBZB4pl75pDRE1YPg==,type:str]
 crowdsec:
- lapiKey: ENC[AES256_GCM,data:NkakII0kieaCy7F9eWgftQwKYCtwqF57adS0CkCirz8g0NmlBdqcU0yM0w==,iv:H90Jox9xnhoF/1WmH29yNrvyPX+ef6YCOeA8Xq3xQNI=,tag:S5JnMRsp1KkyLz8hUPWyJw==,type:str]
+ fwBouncerLapiKey: ENC[AES256_GCM,data:iri28UCClf+D7Rec3q4BKHLQdEUI/RIw/CelE3KwDlbo+q9DT97RGWZzbg==,iv:Q7mylXedoer/OwPgjfGUM9cM20kz8cwcG9EluRnlmWs=,tag:fQRpMXfUsA3ejphezRmPyw==,type:str]
+ wafLapiKey: ENC[AES256_GCM,data:Ua98YWQVKC3qnPyt39kKKY3dei/1T0Aq48TBuwQ067Mw3acwDLq6WZ7O87M=,iv:5v0jFnGWZaiGVXRHdrl61Pd0jGvqOlyLIq1CXKvt7Xs=,tag:9PpSQxxtBIuErdqDvA/SAQ==,type:str]
 sops:
 age:
 - recipient: age1jmsrfddctahhznfv7jv77tgw5crmhjhe0e0kzc967hvax4sulv3s6hp2su
@@ -35,7 +36,7 @@ sops:
 WVRHWW9CSmZWWnVoREN4RGxFQ3NJcWcKRakRbpJWGzsuLVpLafeZh4MuMKLNcCPH
 j4xfuBAF24/BB/oI1hRdxsVtOQHgpx77jxDcAx22XZqSqP7t1YvVpg==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2025-10-19T14:41:58Z"
- mac: ENC[AES256_GCM,data:+kpe5tExdH/VOgUNAGRpOGWo/xm5Grl3oMcmTza3I2IKQqpVpU4KZ2Wg6JCcAitcF1I2BKXG2D4tjWMe+9NqDYuwDNA/8LSile+DdlyexrvZc91/ESp83CPWA2DfwzmEbOigwssoOLIQHsvFoiYnKD3Ya/6W6MNWmrLpvGdUI+w=,iv:MgBPa6+gE2+zAFEctRzFMSUupkpegWxpe4co+Epwbbs=,tag:GBAAF2q82Uzzf1O6YJ/buw==,type:str]
+ lastmodified: "2025-11-10T02:17:03Z"
+ mac: ENC[AES256_GCM,data:Ufzv2pUu4vqmb7nVSXFCm9o05Z0wZo4qJHxvQS7j0x6xjSS05WnQkou1tJZ/XLqm3MIxzgJbwk2Y2YjGOE9HiGMclxaP6+BHbI4RH3ojZHKmO/5a0BLFg8yqixvCND/504Qh+51fDCNG1D06s6TfzEwTwkFkhfHDGZZRToK4aW8=,iv:jDfHTMziecOUI6WUu187+edg14eCqiI0MVD8OV4i9Nc=,tag:AUK7xGJJ5cAoA5hbgf4AMw==,type:str]
 unencrypted_suffix: _unencrypted
 version: 3.11.0
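Review bot: The removed `lapiKey` entry is replaced by two new values in the first hunk, and nothing in the commit records whether the old bouncer key was retired. If `wafLapiKey` is a newly issued key rather than the old value re-encrypted under a new name, the old bouncer registration should be deleted on the LAPI side so that key is no longer accepted. The old ciphertext stays in git history and remains protected only by the age recipients listed under `sops:`. Giving each bouncer its own key is the right direction, since either one can then be revoked without affecting the other.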