Fix crowdsec's acquisition of caddy logs

2026-01-21 15:11:34 +01:00 · 2025-06-06 08:58:53 +02:00 · 2025-06-06 08:58:53 +02:00 · a1481db722
commit a1481db722
parent e7cdd49bcf
2 changed files with 10 additions and 2 deletions
--- a/modules/system/services/caddy.nix
+++ b/modules/system/services/caddy.nix
@ -54,6 +54,7 @@ in
          virtualHosts = lib.mapAttrs' (
            _: value:
            lib.nameValuePair value.domain {
+              logFormat = "output file ${config.services.caddy.logDir}/access-${value.domain}.log { mode 640 }";
              extraConfig = lib.concatStrings [
                (lib.optionalString (isTailscaleDomain value.domain) ''
                  bind tailscale/${getSubdomain value.domain}
--- a/modules/system/services/crowdsec/default.nix
+++ b/modules/system/services/crowdsec/default.nix
@ -7,6 +7,8 @@
 }:
 let
  cfg = config.custom.services.crowdsec;
+
+  user = config.users.users.crowdsec.name;
 in
 {
  imports = [ inputs.crowdsec.nixosModules.crowdsec ];
@ -32,7 +34,9 @@ in
  config = lib.mkIf cfg.enable {
    nixpkgs.overlays = [ inputs.crowdsec.overlays.default ];

-    sops.secrets."crowdsec/enrollment-key".owner = config.users.users.crowdsec.name;
+    sops.secrets."crowdsec/enrollment-key".owner = user;
+
+    users.groups.caddy.members = lib.mkIf (lib.elem "caddy" cfg.sources) [ user ];

    services.crowdsec = {
      enable = true;
@ -53,7 +57,10 @@ in
        in
        [
          (mkAcquisition (lib.elem "sshd" cfg.sources) "sshd.service")
-          (mkAcquisition (lib.elem "caddy" cfg.sources) "caddy.service")
+          (lib.mkIf (lib.elem "caddy" cfg.sources) {
+            filenames = [ "${config.services.caddy.logDir}/*.log" ];
+            labels.type = "caddy";
+          })
          (lib.mkIf (lib.elem "iptables" cfg.sources) {
            source = "journalctl";
            journalctl_filter = [ "-k" ];