crowdsec-blocklist-import: init at 1.1.0#486054

Draft
gaelj wants to merge 1 commit into NixOS:master from gaelj:init-crowdsec-blocklist-import

@gaelj
Contributor

@gaelj gaelj commented Feb 1, 2026

Things done

Made a package and module for https://github.com/wolffcatskyy/crowdsec-blocklist-import

The module defines a systemd service and a systemd timer.

@wolffcatskyy @TornaxO7 @06kellyjac @SuperSandro2000

journalctl logs:

░░ The job identifier is 12436149.
févr. 01 22:42:13 aero-server systemd[1]: crowdsec-blocklist-import.service: Consumed 2.318s CPU time, 16.4M memory peak, 2.6M incoming IP traffic, 83.7K outgoing IP traffic.
░░ Subject: Resources consumed by unit runtime
░░ Defined-By: systemd
░░ Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
░░ 
░░ The unit crowdsec-blocklist-import.service completed and consumed the indicated resources.
févr. 01 22:48:25 aero-server systemd[1]: Starting Import threat intelligence blocklists into CrowdSec...
░░ Subject: A start job for unit crowdsec-blocklist-import.service has begun execution
░░ Defined-By: systemd
░░ Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
░░ 
░░ A start job for unit crowdsec-blocklist-import.service has begun execution.
░░ 
░░ The job identifier is 12463703.
févr. 01 22:48:25 aero-server crowdsec-blocklist-import[180646]: [2026-02-01 21:48:25] [INFO] =========================================
févr. 01 22:48:25 aero-server crowdsec-blocklist-import[180646]: [2026-02-01 21:48:25] [INFO] CrowdSec Blocklist Import v1.1.0
févr. 01 22:48:25 aero-server crowdsec-blocklist-import[180646]: [2026-02-01 21:48:25] [INFO] =========================================
févr. 01 22:48:25 aero-server crowdsec-blocklist-import[180646]: [2026-02-01 21:48:25] [INFO] Decision duration: 24h
févr. 01 22:48:25 aero-server crowdsec-blocklist-import[180646]: [2026-02-01 21:48:25] [INFO] Using native CrowdSec (cscli in PATH)
févr. 01 22:48:25 aero-server crowdsec-blocklist-import[180646]: [2026-02-01 21:48:25] [INFO] Fetching blocklist sources (28 built-in)...
févr. 01 22:48:30 aero-server crowdsec-blocklist-import[180646]: [2026-02-01 21:48:30] [INFO] Sources: 24 successful, 4 unavailable, 0 disabled
févr. 01 22:48:30 aero-server crowdsec-blocklist-import[180646]: [2026-02-01 21:48:30] [INFO] --- Source Statistics ---
févr. 01 22:48:30 aero-server crowdsec-blocklist-import[185795]: [2026-02-01 21:48:30] [INFO] Source                         IPs
févr. 01 22:48:30 aero-server crowdsec-blocklist-import[185887]: [2026-02-01 21:48:30] [INFO] ------------------------------ --------
févr. 01 22:48:30 aero-server crowdsec-blocklist-import[185967]: [2026-02-01 21:48:30] [INFO] IPsum                          17647
févr. 01 22:48:30 aero-server crowdsec-blocklist-import[186060]: [2026-02-01 21:48:30] [INFO] Spamhaus DROP                  1475
févr. 01 22:48:30 aero-server crowdsec-blocklist-import[186143]: [2026-02-01 21:48:30] [INFO] Spamhaus EDROP                 0
févr. 01 22:48:30 aero-server crowdsec-blocklist-import[186213]: [2026-02-01 21:48:30] [INFO] Blocklist.de all               23925
févr. 01 22:48:30 aero-server crowdsec-blocklist-import[186279]: [2026-02-01 21:48:30] [INFO] Blocklist.de SSH               6244
févr. 01 22:48:30 aero-server crowdsec-blocklist-import[186375]: [2026-02-01 21:48:30] [INFO] Blocklist.de Apache            10083
févr. 01 22:48:30 aero-server crowdsec-blocklist-import[186449]: [2026-02-01 21:48:30] [INFO] Blocklist.de mail              12665
févr. 01 22:48:30 aero-server crowdsec-blocklist-import[186532]: [2026-02-01 21:48:30] [INFO] Firehol level1                 4492
févr. 01 22:48:30 aero-server crowdsec-blocklist-import[186626]: [2026-02-01 21:48:30] [INFO] Firehol level2                 15346
févr. 01 22:48:30 aero-server crowdsec-blocklist-import[186706]: [2026-02-01 21:48:30] [INFO] Feodo Tracker                  5
févr. 01 22:48:30 aero-server crowdsec-blocklist-import[186777]: [2026-02-01 21:48:30] [INFO] SSL Blacklist                  0
févr. 01 22:48:30 aero-server crowdsec-blocklist-import[186845]: [2026-02-01 21:48:30] [INFO] URLhaus                        9417
févr. 01 22:48:30 aero-server crowdsec-blocklist-import[186931]: [2026-02-01 21:48:30] [INFO] Emerging Threats               566
févr. 01 22:48:30 aero-server crowdsec-blocklist-import[187022]: [2026-02-01 21:48:30] [INFO] Binary Defense                 541
févr. 01 22:48:30 aero-server crowdsec-blocklist-import[187116]: [2026-02-01 21:48:30] [INFO] Bruteforce Blocker             546
févr. 01 22:48:30 aero-server crowdsec-blocklist-import[187191]: [2026-02-01 21:48:30] [INFO] DShield                        20
févr. 01 22:48:30 aero-server crowdsec-blocklist-import[187271]: [2026-02-01 21:48:30] [INFO] CI Army                        15000
févr. 01 22:48:30 aero-server crowdsec-blocklist-import[187369]: [2026-02-01 21:48:30] [INFO] Darklist                       1
févr. 01 22:48:30 aero-server crowdsec-blocklist-import[187454]: [2026-02-01 21:48:30] [INFO] Talos                          113
févr. 01 22:48:30 aero-server crowdsec-blocklist-import[187533]: [2026-02-01 21:48:30] [INFO] Charles Haley                  0
févr. 01 22:48:30 aero-server crowdsec-blocklist-import[187632]: [2026-02-01 21:48:30] [INFO] Botvrij                        27
févr. 01 22:48:30 aero-server crowdsec-blocklist-import[187720]: [2026-02-01 21:48:30] [INFO] myip.ms                        0
févr. 01 22:48:30 aero-server crowdsec-blocklist-import[187799]: [2026-02-01 21:48:30] [INFO] GreenSnow                      4202
févr. 01 22:48:30 aero-server crowdsec-blocklist-import[187866]: [2026-02-01 21:48:30] [INFO] StopForumSpam                  53
févr. 01 22:48:30 aero-server crowdsec-blocklist-import[187941]: [2026-02-01 21:48:30] [INFO] Tor exit nodes                 1349
févr. 01 22:48:30 aero-server crowdsec-blocklist-import[188018]: [2026-02-01 21:48:30] [INFO] Tor (dan.me.uk)                3
févr. 01 22:48:30 aero-server crowdsec-blocklist-import[188109]: [2026-02-01 21:48:30] [INFO] Shodan scanners                43
févr. 01 22:48:30 aero-server crowdsec-blocklist-import[188180]: [2026-02-01 21:48:30] [INFO] Censys                         4
févr. 01 22:48:30 aero-server crowdsec-blocklist-import[188283]: [2026-02-01 21:48:30] [INFO] ------------------------------ --------
févr. 01 22:48:30 aero-server crowdsec-blocklist-import[188357]: [2026-02-01 21:48:30] [INFO] TOTAL (before dedup)           123767
févr. 01 22:48:30 aero-server crowdsec-blocklist-import[180646]: [2026-02-01 21:48:30] [INFO] ------------------------
févr. 01 22:48:30 aero-server crowdsec-blocklist-import[180646]: [2026-02-01 21:48:30] [INFO] Combining and deduplicating...
févr. 01 22:48:31 aero-server crowdsec-blocklist-import[180646]: [2026-02-01 21:48:31] [INFO] Checking existing CrowdSec decisions...
févr. 01 22:48:32 aero-server crowdsec-blocklist-import[180646]: [2026-02-01 21:48:32] [INFO] Importing 4 new IPs into CrowdSec...
févr. 01 22:48:32 aero-server crowdsec-blocklist-import[180646]: [2026-02-01 21:48:32] [INFO] Import complete: 4 IPs added (total coverage: 53688 IPs)
févr. 01 22:48:32 aero-server crowdsec-blocklist-import[180646]: [2026-02-01 21:48:32] [INFO] Done!
févr. 01 22:48:32 aero-server systemd[1]: crowdsec-blocklist-import.service: Deactivated successfully.
░░ Subject: Unit succeeded
░░ Defined-By: systemd
░░ Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
░░ 
░░ The unit crowdsec-blocklist-import.service has successfully entered the 'dead' state.
févr. 01 22:48:32 aero-server systemd[1]: Finished Import threat intelligence blocklists into CrowdSec.
░░ Subject: A start job for unit crowdsec-blocklist-import.service has finished successfully
░░ Defined-By: systemd
░░ Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
░░ 
░░ A start job for unit crowdsec-blocklist-import.service has finished successfully.
░░ 
░░ The job identifier is 12463703.
févr. 01 22:48:32 aero-server systemd[1]: crowdsec-blocklist-import.service: Consumed 2.452s CPU time, 12.9M memory peak, 2.6M incoming IP traffic, 85K outgoing IP traffic.
░░ Subject: Resources consumed by unit runtime
░░ Defined-By: systemd
░░ Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
░░ 
░░ The unit crowdsec-blocklist-import.service completed and consumed the indicated resources.
  • Built on platform:
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • Tested, as applicable:
  • Ran nixpkgs-review on this PR. See nixpkgs-review usage.
  • Tested basic functionality of all binary files, usually in ./result/bin/.
  • Nixpkgs Release Notes
    • Package update: when the change is major or breaking.
  • NixOS Release Notes
    • Module addition: when adding a new NixOS module.
    • Module update: when the change is significant.
  • Fits CONTRIBUTING.md, pkgs/README.md, maintainers/README.md and other READMEs.
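
The run logged above ends with `Deactivated successfully` even though four of the 28 sources report 0 IPs, so the unit status alone says nothing about feed coverage. An added example (not part of the PR or of the upstream tool) that parses the tool's journal lines and flags empty feeds, a total that does not match the per-source sum, and unavailable sources; `parse_run`, `findings` and the `max_unavailable` threshold are hypothetical names, and the sample lines are constructed.

```python
import re

MSG = re.compile(r"\[\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\] \[INFO\] (.*)$")  # tool payload
ROW = re.compile(r"^(.+?)\s{2,}(\d+)$")  # "<source name>   <count>"
SUMMARY = re.compile(r"^Sources: (\d+) successful, (\d+) unavailable, (\d+) disabled$")

def parse_run(lines):
    """Extract per-source counts, the reported total and the unavailable count."""
    run = {"sources": {}, "total": None, "unavailable": None}
    in_table = False
    for line in lines:
        m = MSG.search(line)
        if not m:
            continue  # systemd messages and journalctl -x explanations
        text = m.group(1).rstrip()
        if text == "--- Source Statistics ---":
            in_table = True
        elif (s := SUMMARY.match(text)):
            run["unavailable"] = int(s.group(2))
        elif in_table and (r := ROW.match(text)):
            if r.group(1).startswith("TOTAL"):
                run["total"], in_table = int(r.group(2)), False
            else:
                run["sources"][r.group(1)] = int(r.group(2))
    return run

def findings(run, max_unavailable=0):
    """Return a list of problems; an empty list means the run looks healthy."""
    if not run["sources"]:
        return ["no source statistics found: the import may not have run"]
    out = []
    empty = sorted(n for n, c in run["sources"].items() if c == 0)
    if empty:
        out.append("feeds with 0 IPs: " + ", ".join(empty))
    if run["total"] != sum(run["sources"].values()):
        out.append("reported total does not match the per-source sum")
    if run["unavailable"] is not None and run["unavailable"] > max_unavailable:
        out.append(f"{run['unavailable']} sources unavailable")
    return out

# Constructed sample in the journal format above; host, PID and totals are made up.
P = "févr. 01 22:48:30 host crowdsec-blocklist-import[1]: [2026-02-01 21:48:30] [INFO] "
SAMPLE = [
    P + "Sources: 2 successful, 1 unavailable, 0 disabled",
    P + "--- Source Statistics ---",
    P + "IPsum                          17647",
    P + "Spamhaus DROP                  1475",
    P + "Spamhaus EDROP                 0",
    P + "TOTAL (before dedup)           19122",
    "févr. 01 22:48:32 host systemd[1]: crowdsec-blocklist-import.service: Deactivated successfully.",
]

if __name__ == "__main__":
    print("\n".join(findings(parse_run(SAMPLE))))
```

A non-empty result can drive a timer-side alert, so a feed that silently stops returning addresses is noticed before the 24h decisions it used to refresh expire.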

@nixpkgs-ci nixpkgs-ci bot added the labels 8.has: package (new), 10.rebuild-linux: 1-10, 10.rebuild-darwin: 0, 9.needs: reviewer, 6.topic: nixos, 8.has: changelog, 8.has: module (update) Feb 1, 2026
@gaelj
Contributor Author

gaelj commented Feb 1, 2026

nixpkgs-review result

Generated using nixpkgs-review-gha

Command: nixpkgs-review pr 486054
Commit: 5c3cfa89483176aa6ef2ac80fbd407e9a485904d (subsequent changes)
Merge: c5a4604d08471dcfa596e0b3c7d674e59fcbe20b

Logs: https://github.com/gaelj/nixpkgs-review-gha/actions/runs/21570977013


x86_64-linux

⏩ 2 packages blacklisted:
  • nixos-install-tools
  • tests.nixos-functions.nixos-test
✅ 1 package built:
  • crowdsec-blocklist-import

aarch64-linux

⏩ 2 packages blacklisted:
  • nixos-install-tools
  • tests.nixos-functions.nixos-test
✅ 1 package built:
  • crowdsec-blocklist-import

x86_64-darwin

No rebuilds


aarch64-darwin

No rebuilds

@nixpkgs-ci nixpkgs-ci bot added the 8.has: documentation label Feb 1, 2026
Comment on lines +22 to +27
runtimeDeps = [
curl
coreutils
gnugrep
gawk
];
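Review bot: nothing in lines +22 to +27 shows `runtimeDeps` being consumed, so as written curl, coreutils, gnugrep and gawk would still be resolved from whatever PATH the caller provides. Either drop the binding or pass it to the wrapper, for example `wrapProgram ... --prefix PATH : ${lib.makeBinPath runtimeDeps}`, so the service runs the pinned store paths rather than binaries from the ambient system profile.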
Member

Are those used somewhere? Do we want to use resholve instead?

Contributor Author

I tried resholve but as far as I can see, it needs to use rec instead of finalAttrs: and requires a solution attribute set which looks like a lot of boilerplate, compared to setting runtimeDeps. Is it worthwhile? Any implementation suggestions for solution?

Contributor Author

@gaelj gaelj Feb 3, 2026

Anyway for the moment this block isn't needed due to the module's path inclusion of /run/current-system/sw/bin/

Contributor Author

I used wrapProgram instead

@nixpkgs-ci nixpkgs-ci bot removed the 9.needs: reviewer label Feb 2, 2026
@gaelj gaelj force-pushed the init-crowdsec-blocklist-import branch from 5c3cfa8 to defe768 Compare February 3, 2026 00:00
@gaelj
Contributor Author

gaelj commented Feb 3, 2026

This latest push addresses most of the comments, while keeping a working state. Failed attempts to address comments have been included as commented.

@gaelj gaelj marked this pull request as draft February 3, 2026 00:09
@gaelj
Contributor Author

gaelj commented Feb 3, 2026

Setting to draft for the time being. BTW what is the convention about who is expected to mark review comments as resolved ?

@TornaxO7
Contributor

TornaxO7 commented Feb 3, 2026

Setting to draft for the time being. BTW what is the convention about who is expected to mark review comments as resolved ?

I would just say the person who thinks that it's resolved. If the other person disagrees it can be reopened anytime if someone disagrees.

@wolffcatskyy

Hey @gaelj — really cool to see this getting packaged for NixOS! Thanks for putting in the work on the systemd service/timer integration.

A couple of things that might be useful:

  1. v2.0.0 is out with 36 feeds (up from 28) and ~120k+ unique IPs. The LAPI mode might be worth exposing as a module option since it avoids the Docker dependency entirely.

  2. There are two companion projects that complete the CrowdSec + UniFi stack if you're interested in packaging those too:

    • crowdsec-unifi-bouncer — Applies CrowdSec ban decisions as firewall rules on UniFi gateways (UDM/UDR/USG) via the UniFi API
    • crowdsec-unifi-parser — Log parser that feeds UniFi firewall logs into CrowdSec for detection

Together they give you: threat feed import → CrowdSec detection → UniFi enforcement, all without touching the gateway filesystem.

Happy to make any upstream changes to make packaging easier. Let me know if you need anything!

@gaelj gaelj force-pushed the init-crowdsec-blocklist-import branch 4 times, most recently from fe7ce75 to 22ac588 Compare February 5, 2026 16:00
@gaelj gaelj force-pushed the init-crowdsec-blocklist-import branch from 22ac588 to 130d678 Compare February 5, 2026 17:22
@gaelj gaelj marked this pull request as ready for review February 5, 2026 17:24
@gaelj gaelj force-pushed the init-crowdsec-blocklist-import branch from 130d678 to c94881c Compare February 5, 2026 21:45
@gaelj gaelj marked this pull request as draft February 11, 2026 15:04
@gaelj
Contributor Author

gaelj commented Feb 11, 2026

Converted to draft for now, as I have yet to see an interaction with upstream being responded to by a human rather than a half-broken AI chatbot.

The repo is MIT licensed and the idea is interesting, so I'm thinking I might be forking it and / or rewriting it in Python rather than Bash.

@gaelj gaelj force-pushed the init-crowdsec-blocklist-import branch from c94881c to 230c3ea Compare February 17, 2026 22:02
@wolffcatskyy

Upstream maintainer here 👋

Great to see this being packaged for NixOS — the module looks well-structured with solid systemd hardening and CrowdSec integration.

A few notes:

  1. Source: The package currently points to @gaelj's fork branch fix-prometheus-use-push. I'm reviewing upstream PR #35 now — once merged, I'll tag a new release so the package can point to wolffcatskyy/crowdsec-blocklist-import at a proper release tag.

  2. Dependencies: requests, prometheus-client, and python-dotenv are correct and complete.

  3. Feed names: The feedNames list may need validation against the current ENABLE_* environment variables in blocklist_import.py — the grouped names (e.g., "Spamhaus" vs individual "Spamhaus DROP") should map correctly to the env vars the script checks.

Happy to help get this over the finish line. Will update here once the upstream release is tagged.

🤖 This comment was generated by Claude AI assisting the maintainer.

@gaelj gaelj force-pushed the init-crowdsec-blocklist-import branch 3 times, most recently from 7b3233b to 03a21a8 Compare February 22, 2026 19:56
@gaelj gaelj force-pushed the init-crowdsec-blocklist-import branch 5 times, most recently from 51a5bb6 to 415bdb4 Compare February 27, 2026 16:57
@nixpkgs-ci nixpkgs-ci bot added the 2.status: merge conflict label Mar 1, 2026
@gaelj gaelj force-pushed the init-crowdsec-blocklist-import branch 3 times, most recently from 10a4cdd to 9ecd09b Compare March 8, 2026 21:43
@nixpkgs-ci nixpkgs-ci bot removed the 2.status: merge conflict label Mar 8, 2026
@gaelj gaelj force-pushed the init-crowdsec-blocklist-import branch from 9ecd09b to cebdf64 Compare March 10, 2026 21:26
@gaelj gaelj force-pushed the init-crowdsec-blocklist-import branch from cebdf64 to 3c930e7 Compare March 10, 2026 21:52