kyra(hardening): crowdsec init

Signed-off-by: s0me1newithhand7s <git+me@hand7s.org>
2026-05-03 15:53:43 +03:00 · 2026-05-03 15:53:43 +03:00 · ab2a010175
commit ab2a010175
parent 5ff4f78974
1 changed files with 51 additions and 0 deletions
--- a/kyra/services/crowdsec.nix
+++ b/kyra/services/crowdsec.nix
@ -0,0 +1,51 @@
+_: {
+  services = {
+    crowdsec = {
+      enable = true;
+      settings = {
+        hub = {
+          collections = [
+            "crowdsecurity/linux"
+            "crowdsecurity/traefik"
+            "crowdsecurity/http-dos"
+            "crowdsecurity/cloudflare"
+          ];
+        };
+
+        acquisitions = [
+          {
+            source = "journalctl";
+
+            journalctl_filter = [
+              "_SYSTEMD_UNIT=traefik.service"
+            ];
+
+            labels = {
+              type = "traefik";
+            };
+          }
+
+          {
+            source = "journalctl";
+
+            journalctl_filter = [
+              "_SYSTEMD_UNIT=sshd.service"
+            ];
+
+            labels = {
+              type = "syslog";
+            };
+          }
+        ];
+      };
+    };
+
+    crowdsec-firewall-bouncer = {
+      enable = true;
+
+      settings = {
+        mode = "firewalld";
+      };
+    };
+  };
+}