crowdsec: Remove module

2026-03-22 20:09:07 +01:00 · 2026-02-15 11:50:30 +01:00 · 2026-02-15 11:50:30 +01:00 · 9ed3d13238
commit 9ed3d13238
parent c85c6619b7
6 changed files with 0 additions and 250 deletions
--- a/modules/system/services/alloy.nix
+++ b/modules/system/services/alloy.nix
@ -32,9 +32,6 @@ in
        caddy = lib.mkEnableOption "" // {
          default = config.services.caddy.enable;
        };
-        crowdsec = lib.mkEnableOption "" // {
-          default = config.services.crowdsec.enable;
-        };
      };
      logs.openssh = lib.mkEnableOption "" // {
        default = config.services.openssh.enable;
@ -139,20 +136,6 @@ in
            }
          '';
        };
-        "alloy/crowdsec-metrics.alloy" = {
-          enable = cfg.collect.metrics.crowdsec;
-          text = ''
-            prometheus.scrape "crowdsec" {
-              targets = [{
-                __address__ = "localhost:${toString config.custom.services.crowdsec.prometheusPort}",
-                job         = "crowdsec",
-                instance    = constants.hostname,
-              }]
-              forward_to      = [prometheus.remote_write.default.receiver]
-              scrape_interval = "15s"
-            }
-          '';
-        };
        "alloy/sshd-logs.alloy" = {
          enable = cfg.collect.logs.openssh;
          text = ''
--- a/modules/system/services/crowdsec/bouncers.nix
+++ b/modules/system/services/crowdsec/bouncers.nix
@ -1,40 +0,0 @@
-{
-  config,
-  inputs,
-  pkgs,
-  lib,
-  ...
-}:
-let
-  cfg = config.custom.services.crowdsec;
-in
-{
-  imports = [ inputs.crowdsec.nixosModules.crowdsec-firewall-bouncer ];
-  disabledModules = [ "services/security/crowdsec-firewall-bouncer.nix" ];
-
-  options.custom.services.crowdsec.bouncers.firewall = lib.mkEnableOption "";
-
-  config = lib.mkIf cfg.bouncers.firewall {
-    services.crowdsec-firewall-bouncer = {
-      enable = true;
-      package = inputs.crowdsec.packages.${pkgs.stdenv.hostPlatform.system}.crowdsec-firewall-bouncer;
-      settings = {
-        api_key = "cs-firewall-bouncer";
-        api_url = "http://localhost:${toString cfg.apiPort}";
-      };
-    };
-
-    systemd.services.crowdsec.serviceConfig.ExecStartPre = lib.mkAfter (
-      lib.getExe (
-        pkgs.writeShellApplication {
-          name = "crowdsec-add-bouncer";
-          text = ''
-            if ! cscli bouncers list | grep -q "firewall"; then
-              cscli bouncers add "firewall" --key "cs-firewall-bouncer"
-            fi
-          '';
-        }
-      )
-    );
-  };
-}
--- a/modules/system/services/crowdsec/default.nix
+++ b/modules/system/services/crowdsec/default.nix
@ -1,115 +0,0 @@
-{
-  config,
-  inputs,
-  pkgs,
-  lib,
-  ...
-}:
-let
-  cfg = config.custom.services.crowdsec;
-
-  user = config.users.users.crowdsec.name;
-in
-{
-  disabledModules = [ "services/security/crowdsec.nix" ];
-  imports = [ inputs.crowdsec.nixosModules.crowdsec ];
-
-  options.custom.services.crowdsec = {
-    enable = lib.mkEnableOption "";
-    apiPort = lib.mkOption {
-      type = lib.types.port;
-      default = 8080;
-    };
-    prometheusPort = lib.mkOption {
-      type = lib.types.port;
-      default = 6060;
-    };
-    sources = {
-      iptables = lib.mkEnableOption "" // {
-        default = true;
-      };
-      caddy = lib.mkEnableOption "" // {
-        default = config.services.caddy.enable;
-      };
-      sshd = lib.mkEnableOption "" // {
-        default = config.services.openssh.enable;
-      };
-    };
-  };
-
-  config = lib.mkIf cfg.enable {
-    sops.secrets."crowdsec/enrollment-key" = {
-      owner = user;
-      restartUnits = [ "crowdsec.service" ];
-    };
-
-    users.groups.caddy.members = lib.mkIf cfg.sources.caddy [ user ];
-
-    services.crowdsec = {
-      enable = true;
-      package = inputs.crowdsec.packages.${pkgs.stdenv.hostPlatform.system}.crowdsec;
-      enrollKeyFile = config.sops.secrets."crowdsec/enrollment-key".path;
-      settings = {
-        api.server.listen_uri = "localhost:${toString cfg.apiPort}";
-        cscli.prometheus_uri = "http://localhost:${toString cfg.prometheusPort}";
-        prometheus = {
-          listen_addr = "localhost";
-          listen_port = cfg.prometheusPort;
-        };
-      };
-
-      allowLocalJournalAccess = true;
-      acquisitions = [
-        (lib.mkIf cfg.sources.iptables {
-          source = "journalctl";
-          journalctl_filter = [ "-k" ];
-          labels.type = "syslog";
-        })
-        (lib.mkIf cfg.sources.caddy {
-          filenames = [ "${config.services.caddy.logDir}/*.log" ];
-          labels.type = "caddy";
-        })
-        (lib.mkIf cfg.sources.sshd {
-          source = "journalctl";
-          journalctl_filter = [ "_SYSTEMD_UNIT=sshd.service" ];
-          labels.type = "syslog";
-        })
-      ];
-    };
-
-    systemd.services.crowdsec.serviceConfig = {
-      # Fix journalctl acquisitions
-      PrivateUsers = false;
-
-      ExecStartPre =
-        let
-          installCollection = collection: ''
-            if ! cscli collections list | grep -q "${collection}"; then
-              cscli collections install ${collection}
-            fi
-          '';
-          mkScript =
-            name: text:
-            lib.getExe (
-              pkgs.writeShellApplication {
-                inherit name text;
-              }
-            );
-          collectionsScript =
-            [
-              (lib.singleton "crowdsecurity/linux")
-              (lib.optional cfg.sources.iptables "crowdsecurity/iptables")
-              (lib.optional cfg.sources.caddy "crowdsecurity/caddy")
-              (lib.optional cfg.sources.sshd "crowdsecurity/sshd")
-            ]
-            |> lib.concatLists
-            |> lib.map installCollection
-            |> lib.concatLines
-            |> mkScript "crowdsec-install-collections";
-        in
-        lib.mkAfter collectionsScript;
-    };
-
-    custom.persistence.directories = [ "/var/lib/crowdsec" ];
-  };
-}