etorres/nixos
0
0
Fork 0
Code Issues 3 Pull Requests Actions Packages Projects Releases Wiki Activity

services/crowdsec-firewall-bouncer: initial implementation

Browse Source
This commit is contained in:
Eric Torres
2025-11-09 17:39:01 -08:00
parent 797cabb55d
commit a382452507
1 changed files with 22 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

27
services/crowdsec-firewall-bouncer.nix
View File

@@ -16,15 +16,32 @@ let
lapiHost = "log-01.tail755c5.ts.net:8080";
in
{
#imports = [ "${pkgsUnstable.path}/nixos/modules/services/security/crowdsec.nix" ];
imports = [ "${pkgsUnstable.path}/nixos/modules/services/security/crowdsec-firewall-bouncer.nix" ];
options.crowdsec-firewall-bouncer = {
enable = mkEnableOption "Enables traefik bouncer for a specified crowdsec instance";
enable = mkEnableOption "Enables crowdsec-firewall-bouncer for a host";
apiKeyFile = mkOption {
type = types.path;
default = null;
description = "Path of file containing key for LAPI";
example = "../secrets/crowdsec-fw-bouncer";
};
};
config = mkIf cfg.enable {
environment.systemPackages = with pkgsUnstable; [
crowdsec-firewall-bouncer
];
services.crowdsec.firewall-bouncer = {
enable = true;
package = pkgsUnstable.crowdsec-firewall-bouncer;
registerBouncer.enable = false;
createRulesets = true;
secrets.apiKeyPath = cfg.apiKeyFile;
settings = {
api_url = lapiHost;
# No need for this for now
#mode = "nftables";
};
};
};
}