hosts/lax-01: enable crowdsec-traefik-bouncer module

2025-10-18 13:52:24 -07:00
parent a55d163bae
commit a373364c25
2 changed files with 48 additions and 5 deletions
--- a/hosts/lax-01/default.nix
+++ b/hosts/lax-01/default.nix
@@ -31,11 +31,14 @@
  qemu.enable = false;
  spice.enable = false;

-  sops.secrets."HEALTHCHECKS_SECRETS" = {
-    sopsFile = ../../secrets/lax-01_healthchecks.env;
-    format = "binary";
-    owner = "healthchecks";
-    mode = "0400";
+  sops.secrets = {
+    "HEALTHCHECKS_SECRETS" = {
+      sopsFile = ../../secrets/lax-01_healthchecks.env;
+      format = "binary";
+      owner = "healthchecks";
+      mode = "0400";
+    };
+    "crowdsec/lapiKey" = { };
  };

  dockerserver.enable = true;
@@ -46,6 +49,11 @@
  };
  ntfy.enable = true;

+  crowdsec-traefik-bouncer = {
+    enable = true;
+    lapiKeyFile = config.sops.secrets."crowdsec/lapiKey".path;
+  };
+
  traefik.redirectHttps = true;
  services.traefik = {
    staticConfigOptions = {
--- a/secrets/lax-01.yml
+++ b/secrets/lax-01.yml
@@ -0,0 +1,35 @@
+crowdsec:
+    lapiKey: null
+sops:
+    age:
+        - recipient: age1jmsrfddctahhznfv7jv77tgw5crmhjhe0e0kzc967hvax4sulv3s6hp2su
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhNXhQc2tSWUdjcURMUFBm
+            aHpSU1crZXBZNWR6c3VxcFp0OFJBTGRCWVM0CkdyZXFHODJaN3htc3Z0QTVlZlo4
+            dlRqMFlSTmUxSVkveFIvTHI0djhyc1UKLS0tIGNreEZmTkRTMWp0cU5EeEhjVGQ3
+            cFVyeXo5S25tQXAzMStldUR3Z2pMSG8KGbm9FqCQhLyzFiZhKSKUZuRVJP/27tAn
+            fTIc4hneKEHLUvDK5efc0dU4i8sm4zTaDQN6ehwp/wi95cqEFCRRZA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1g0vx0dgpzy3et6kuejf4xn4n0acr3666p8j4ygaulefh5mq3vyxs7mgjat
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0MEk3TDVJTGxCWUQ4MGJx
+            M0trOHhNbzVwaWxJdG9kYUtVZ0MxSEZkNmlzClRJT0xVei9ZQzdkakZIK2hjVWor
+            bUVsMWxZRkVBaGY1QldxVEYrRVE0bVEKLS0tIEJOUEE1T3pqMEozMTdSUFBBYm9K
+            YjhJYzg0aUNOSWNLTEQ2WVFFYUtpVzQKwzkwuHiKzYhA/ynm3O+OZGJrKk4hF37f
+            pRwbPpBhxioj/Rogeh8CU51N+9BygkYrzD3i1ywHAhzJpm1c9FWr3A==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1whehwala9q7hp8dx6tn27mtuzerxhvwz6wf3f4m54ln6gggzcsns7ax87l
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWcFhVWXcvM0FzbzRzazdh
+            VjU4UTJBWTZKUGFnMmZ1VEJDNk45RnFDeUVzCitQVkNWd3dTeWhydDJBcjZpazcy
+            N3R3YkwxZUtqR3JuK1h2Q1FybU9Fa3cKLS0tIFNBYUNGYzE5ZTd6WXpxTkg2Y2Ur
+            WVRHWW9CSmZWWnVoREN4RGxFQ3NJcWcKRakRbpJWGzsuLVpLafeZh4MuMKLNcCPH
+            j4xfuBAF24/BB/oI1hRdxsVtOQHgpx77jxDcAx22XZqSqP7t1YvVpg==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-10-18T20:43:09Z"
+    mac: ENC[AES256_GCM,data:g32n+rINyMGieynL6egZT+dBFaZJ62eUex00XrZHeUUrs8AzhNPPofpsXXB1rCY+kMQAVp4ocINUwL0GEG1bg2lkh0w2tJnlnWbRjHKF4gnYKkWWLAxdT6hHujdl25ZbDbJgENC58T8ujo3QcttcXmrPryNvY0lllq5fXBULpJ8=,iv:gzbIlsHXDOctRSrVEA//THAfB3r1poiZ+hRYok95Wq0=,tag:5C/GlEqX1lPBBfOrvB09Ng==,type:str]
+    unencrypted_suffix: _unencrypted
+    version: 3.11.0