From a1481db722f10d7cad50243c8367a84570387ac9 Mon Sep 17 00:00:00 2001
From: SebastianStork
Date: Fri, 6 Jun 2025 08:58:53 +0200
Subject: [PATCH] Fix crowdsec's acquisition of caddy logs

---
 modules/system/services/caddy.nix | 1 +
 modules/system/services/crowdsec/default.nix | 11 +++++++++--
 2 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/modules/system/services/caddy.nix b/modules/system/services/caddy.nix
index 9446e7b..6b6dd32 100644
--- a/modules/system/services/caddy.nix
+++ b/modules/system/services/caddy.nix
@@ -54,6 +54,7 @@ in
 virtualHosts = lib.mapAttrs' (
 _: value:
 lib.nameValuePair value.domain {
+ logFormat = "output file ${config.services.caddy.logDir}/access-${value.domain}.log { mode 640 }";
 extraConfig = lib.concatStrings [
 (lib.optionalString (isTailscaleDomain value.domain) ''
 bind tailscale/${getSubdomain value.domain}
diff --git a/modules/system/services/crowdsec/default.nix b/modules/system/services/crowdsec/default.nix
index 76ef72f..8817917 100644
--- a/modules/system/services/crowdsec/default.nix
+++ b/modules/system/services/crowdsec/default.nix
@@ -7,6 +7,8 @@
 }:
 let
 cfg = config.custom.services.crowdsec;
+
+ user = config.users.users.crowdsec.name;
 in
 {
 imports = [ inputs.crowdsec.nixosModules.crowdsec ];
@@ -32,7 +34,9 @@ in
 config = lib.mkIf cfg.enable {
 nixpkgs.overlays = [ inputs.crowdsec.overlays.default ];
 
- sops.secrets."crowdsec/enrollment-key".owner = config.users.users.crowdsec.name;
+ sops.secrets."crowdsec/enrollment-key".owner = user;
+
+ users.groups.caddy.members = lib.mkIf (lib.elem "caddy" cfg.sources) [ user ];
 
 services.crowdsec = {
 enable = true;
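Review bot: `mode 640` on the added `logFormat` line covers only the log file itself; whether the crowdsec user can actually reach it also depends on the mode of `config.services.caddy.logDir`, which nothing in this patch sets, and on whether Caddy re-applies the mode to a log file that already exists from before the change — both are worth confirming on a deployed host rather than assumed. The encoder is also left at Caddy's default; since the acquisition added in crowdsec/default.nix feeds these files to the `caddy` parser, pinning it with a `format json` line in the same `logFormat` value keeps the parser's input independent of whatever default Caddy picks for a file output. `value.domain` is interpolated unquoted into both the Caddyfile directive and the file name, which is fine for plain hostnames but worth keeping in mind if the option ever accepts anything else. The enclosing `virtualHosts` expression continues outside the hunk.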
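Review bot: The `users.groups.caddy.members` line grants the crowdsec user membership in the whole caddy group, which is broader than the one log directory the change needs: anything group-readable that Caddy owns (its state directory included, if any of it is group-readable) becomes readable by crowdsec, so it is worth checking what else carries the caddy group on a deployed host, or narrowing the grant to `logDir` (a dedicated log-reader group, or an ACL on the directory) if that turns out to be more than the access logs. The group name is also hard-coded while the rest of the patch derives paths from `config.services.caddy`; keying on `config.services.caddy.group` keeps the two from drifting, e.g. `users.groups.${config.services.caddy.group}.members = lib.mkIf (lib.elem "caddy" cfg.sources) [ user ];` (check that evaluation does not recurse, since the attribute name would then depend on `config`). The `config = lib.mkIf cfg.enable {` attribute set this sits in continues outside the hunk.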
@@ -53,7 +57,10 @@ in
 in
 [
 (mkAcquisition (lib.elem "sshd" cfg.sources) "sshd.service")
- (mkAcquisition (lib.elem "caddy" cfg.sources) "caddy.service")
+ (lib.mkIf (lib.elem "caddy" cfg.sources) {
+ filenames = [ "${config.services.caddy.logDir}/*.log" ];
+ labels.type = "caddy";
+ })
 (lib.mkIf (lib.elem "iptables" cfg.sources) {
 source = "journalctl";
 journalctl_filter = [ "-k" ];
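Review bot: The glob `${config.services.caddy.logDir}/*.log` is wider than the files the caddy.nix side of this patch creates: every `.log` that lands in `logDir` — rotated copies if they keep the suffix, and any non-access log Caddy or something else writes there — is fed to the `caddy` parser. `filenames = [ "${config.services.caddy.logDir}/access-*.log" ];` would mirror the `access-${value.domain}.log` naming chosen in caddy.nix and keep unrelated files out of that parser. Reading these files also relies on the group grant made in the earlier hunk being in effect for the crowdsec service (supplementary groups are picked up when the service starts), so the acquisition silently yields nothing until then; a comment next to the `filenames` line, `# readable only via the caddy group membership set in users.groups.caddy.members`, would make that coupling visible. The surrounding `in [ … ]` list and the `mkAcquisition` helper it uses start outside the hunk.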