From a382452507cb4b201f036a7fd0a6957dcb8342ac Mon Sep 17 00:00:00 2001
From: Eric Torres
Date: Sun, 9 Nov 2025 17:39:01 -0800
Subject: [PATCH] services/crowdsec-firewall-bouncer: initial implementation

---
 services/crowdsec-firewall-bouncer.nix | 27 +++++++++++++++++++++-----
 1 file changed, 22 insertions(+), 5 deletions(-)

diff --git a/services/crowdsec-firewall-bouncer.nix b/services/crowdsec-firewall-bouncer.nix
index 091f1d2..7de2d2f 100644
--- a/services/crowdsec-firewall-bouncer.nix
+++ b/services/crowdsec-firewall-bouncer.nix
@@ -16,15 +16,32 @@ let
   lapiHost = "log-01.tail755c5.ts.net:8080";
 in {
-  #imports = [ "${pkgsUnstable.path}/nixos/modules/services/security/crowdsec.nix" ];
+  imports = [ "${pkgsUnstable.path}/nixos/modules/services/security/crowdsec-firewall-bouncer.nix" ];
   options.crowdsec-firewall-bouncer = {
-    enable = mkEnableOption "Enables traefik bouncer for a specified crowdsec instance";
+    enable = mkEnableOption "Enables crowdsec-firewall-bouncer for a host";
+
+    apiKeyFile = mkOption {
+      type = types.path;
+      default = null;
+      description = "Path of file containing key for LAPI";
+      example = "../secrets/crowdsec-fw-bouncer";
+    };
   };
   config = mkIf cfg.enable {
-    environment.systemPackages = with pkgsUnstable; [
-      crowdsec-firewall-bouncer
-    ];
+    services.crowdsec.firewall-bouncer = {
+      enable = true;
+      package = pkgsUnstable.crowdsec-firewall-bouncer;
+      registerBouncer.enable = false;
+      createRulesets = true;
+      secrets.apiKeyPath = cfg.apiKeyFile;
+
+      settings = {
+        api_url = lapiHost;
+        # No need for this for now
+        #mode = "nftables";
+      };
+    };
   };
 }
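Review bot: The new `apiKeyFile` option declares `type = types.path` together with `default = null`, so a host that enables the module without setting it fails type-checking when `secrets.apiKeyPath = cfg.apiKeyFile` is evaluated, rather than getting a clear "option is required" error; either drop the `default` so the option is mandatory, or use `type = types.nullOr types.path;` and add an assertion that it is set when `cfg.enable` is true. The example value `../secrets/crowdsec-fw-bouncer` is a Nix path literal, and if the imported upstream module interpolates `secrets.apiKeyPath` into a script or config file, that file is copied into the world-readable Nix store and the LAPI key leaks to every local user — the example should point at a runtime-provisioned secret such as `/run/secrets/crowdsec-fw-bouncer`, and `description` should state that the path must not be a store path. Separately, `api_url = lapiHost` passes `log-01.tail755c5.ts.net:8080` with no scheme; the bouncer's HTTP client presumably requires `http://` or `https://`, so confirm the value or prefix it where `lapiHost` is defined. The `let` binding and the enclosing module attribute set begin before this hunk.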