etorres/nixos
0
0
Fork 0
Code Issues 3 Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
nixos/services/crowdsec-traefik-bouncer.nix

79 lines
2.2 KiB
Nix
Raw Permalink Blame History

# Module: services/crowdsec-traefik-bouncer
# Enrolls a traefik bouncer with the crowdsec console
{
config,
lib,
pkgs,
pkgsUnstable,
inputs,
...
}:
with lib;
let
cfg = config.crowdsec-traefik-bouncer;
pluginVersion = "v1.4.5";
lapiHost = "log-01.tail755c5.ts.net:8080";
wafHost = "log-01.tail755c5.ts.net:7422";
in
{
#imports = [ "${pkgsUnstable.path}/nixos/modules/services/security/crowdsec.nix" ];
options.crowdsec-traefik-bouncer = {
enable = mkEnableOption "Enables traefik bouncer for a specified crowdsec instance";
lapiKeyFile = mkOption {
type = types.path;
default = null;
description = "Path of encrypted environment file containing secrets for the crowdsec config";
example = "/run/secrets/lapiKey";
};
};
config = mkIf (cfg.enable && config.services.traefik.enable) {
# Create plugins directory, otherwise traefik will error out
systemd.tmpfiles.rules = [
"d ${config.services.traefik.dataDir}/plugins-storage 0750 traefik traefik -"
"d ${config.services.traefik.dataDir}/plugins-storage/sources 0750 traefik traefik -"
];
services.traefik = {
staticConfigOptions = {
experimental = {
plugins = {
crowdsec-bouncer-plugin = {
moduleName = "github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin";
version = pluginVersion;
};
};
};
entryPoints.websecure.http.middlewares = [
"crowdsec-bouncer@file"
];
};
dynamicConfigOptions = {
http.middlewares = {
crowdsec-bouncer = {
plugin = {
crowdsec-bouncer-plugin = {
enabled = true;
crowdsecMode = "stream";
crowdsecLapiHost = "${lapiHost}";
crowdsecLapiKeyFile = cfg.lapiKeyFile;
crowdsecAppsecEnabled = true;
crowdsecAppsecHost = "${wafHost}";
crowdsecAppsecPath = "/";
crowdsecAppsecFailureBlock = true;
crowdsecAppsecUnreachableBlock = true;
redisCacheEnabled = false;
};
};
};
};
};
};
};
}
Reference in New Issue View Git Blame Copy Permalink