mistral: crowdsec fixup

moni-dz · Dec 29, 2024 · 6fb3736 · 6fb3736
1 parent 7f148fe
commit 6fb3736
Showing 1 changed file with 34 additions and 10 deletions.
diff --git a/hosts/mistral/configuration.nix b/hosts/mistral/configuration.nix
@@ -44,17 +44,33 @@
   systemd.services = {
     crowdsec.serviceConfig.ExecStartPre =
       let
-        script = pkgs.writeScriptBin "register-bouncer" ''
+        cfg = config.services.crowdsec;
+
+        setup = pkgs.writeScriptBin "crowdsec-setup" ''
           #!${pkgs.runtimeShell}
           set -eu
           set -o pipefail
 
-          if ! cscli bouncers list | grep -q "tough-guy"; then
-            cscli bouncers add "tough-guy" --key "$(cat ${config.age.secrets.bouncer.path})"
-          fi
+          ${lib.optionalString cfg.settings.api.server.enable ''
+            if [ ! -s "${cfg.settings.api.client.credentials_path}" ]; then
+              cscli machine add "${cfg.name}" --auto
+            fi
+          ''}
+
+          ${lib.optionalString (cfg.enrollKeyFile != null) ''
+            if ! grep -q password "${cfg.settings.api.server.online_client.credentials_path}" ]; then
+              cscli capi register
+            fi
+
+            if [ ! -e "${cfg.settings.api.server.console_path}" ]; then
+              cscli console enroll "$(cat ${cfg.enrollKeyFile})" --name ${cfg.name}
+            fi
+          ''}
         '';
       in
-      [ "${script}/bin/register-bouncer" ];
+      lib.mkForce [
+        "${setup}/bin/crowdsec-setup"
+      ];
 
     crowdsec-update-hub.serviceConfig.ExecStartPost = lib.mkForce "";
   };
@@ -64,13 +80,21 @@
 
     crowdsec = {
       enable = true;
+      allowLocalJournalAccess = true;
       enrollKeyFile = config.age.secrets.crowdsec.path;
 
-      settings.acquisitions_path = (pkgs.formats.yaml { }).generate "acquisitions.yaml" {
-        source = "journalctl";
-        journalctl_filter = [ "_SYSTEMD_UNIT=sshd.service" ];
-        labels.type = "syslog";
-      };
+      settings =
+        let
+          yaml = (pkgs.formats.yaml { }).generate;
+          acquisitions_file = yaml "acquisitions.yaml" {
+            source = "journalctl";
+            journalctl_filter = [ "_SYSTEMD_UNIT=sshd.service" ];
+            labels.type = "syslog";
+          };
+        in
+        {
+          crowdsec_service.acquisition_path = acquisitions_file;
+        };
     };
 
     crowdsec-firewall-bouncer = {