From ab2a010175c28c6bf73c6151066b04f21046f94c Mon Sep 17 00:00:00 2001
From: s0me1newithhand7s <git+me@hand7s.org>
Date: Sun, 3 May 2026 15:53:43 +0300
Subject: [PATCH] kyra(hardening): crowdsec init

Signed-off-by: s0me1newithhand7s <git+me@hand7s.org>
---
 kyra/services/crowdsec.nix | 51 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 51 insertions(+)
 create mode 100644 kyra/services/crowdsec.nix

diff --git a/kyra/services/crowdsec.nix b/kyra/services/crowdsec.nix
new file mode 100644
index 0000000..5a35464
--- /dev/null
+++ b/kyra/services/crowdsec.nix
@@ -0,0 +1,51 @@
+_: {
+  services = {
+    crowdsec = {
+      enable = true;
+      settings = {
+        hub = {
+          collections = [
+            "crowdsecurity/linux"
+            "crowdsecurity/traefik"
+            "crowdsecurity/http-dos"
+            "crowdsecurity/cloudflare"
+          ];
+        };
+
+        acquisitions = [
+          {
+            source = "journalctl";
+
+            journalctl_filter = [
+              "_SYSTEMD_UNIT=traefik.service"
+            ];
+
+            labels = {
+              type = "traefik";
+            };
+          }
+
+          {
+            source = "journalctl";
+
+            journalctl_filter = [
+              "_SYSTEMD_UNIT=sshd.service"
+            ];
+
+            labels = {
+              type = "syslog";
+            };
+          }
+        ];
+      };
+    };
+
+    crowdsec-firewall-bouncer = {
+      enable = true;
+
+      settings = {
+        mode = "firewalld";
+      };
+    };
+  };
+}