From cd84465d7f8a52cda034102296618fc6b716f067 Mon Sep 17 00:00:00 2001
From: SebastianStork
Date: Thu, 25 Sep 2025 00:25:09 +0200
Subject: [PATCH] alloy: Configure crowdsec metrics collecting

---
 modules/system/services/alloy.nix | 21 ++++++++++++++++++++
 modules/system/services/crowdsec/default.nix | 4 ++++
 2 files changed, 25 insertions(+)

diff --git a/modules/system/services/alloy.nix b/modules/system/services/alloy.nix
index af2227a..f20eaff 100644
--- a/modules/system/services/alloy.nix
+++ b/modules/system/services/alloy.nix
@@ -32,6 +32,9 @@ in
 caddy = lib.mkEnableOption "" // {
 default = config.services.caddy.enable;
 };
+ crowdsec = lib.mkEnableOption "" // {
+ default = config.services.crowdsec.enable;
+ };
 };
 logs.sshd = lib.mkEnableOption "" // {
 default = config.services.openssh.enable;
@@ -49,6 +52,10 @@ in
 assertion = cfg.collect.metrics.caddy -> config.services.caddy.enable;
 message = "Collecting Caddy metrics requires the Caddy service to be enabled.";
 }
+ {
+ assertion = cfg.collect.metrics.crowdsec -> config.services.crowdsec.enable;
+ message = "Collecting CrowdSec metrics requires the CrowdSec service to be enabled.";
+ }
 {
 assertion = cfg.collect.logs.sshd -> config.services.openssh.enable;
 message = "Collecting OpenSSH logs requires the OpenSSH service to be enabled.";
@@ -136,6 +143,20 @@ in
 }
 '';
 };
+ "alloy/crowdsec-metrics.alloy" = {
+ enable = cfg.collect.metrics.crowdsec;
+ text = ''
+ prometheus.scrape "crowdsec" {
+ targets = [{
+ __address__ = "localhost:${builtins.toString config.custom.services.crowdsec.prometheusPort}",
+ job = "crowdsec",
+ instance = constants.hostname,
+ }]
+ forward_to = [prometheus.remote_write.default.receiver]
+ scrape_interval = "15s"
+ }
+ '';
+ };
 "alloy/sshd-logs.alloy" = {
 enable = cfg.collect.logs.sshd;
 text = ''
diff --git a/modules/system/services/crowdsec/default.nix b/modules/system/services/crowdsec/default.nix
index b6d6a9e..9206ef5 100644
--- a/modules/system/services/crowdsec/default.nix
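Review bot: In the third alloy.nix hunk the scrape target reads its port from `config.custom.services.crowdsec.prometheusPort`, while the option default and the assertion added in the first two hunks only look at `config.services.crowdsec.enable`. If CrowdSec is ever enabled without the custom module configuring the listener, Alloy would scrape a port nothing serves and the job would silently report as down, which is easy to miss for a security control. Assuming the custom module has its own enable option (not visible in this diff), gating on that would be tighter; at minimum a comment above `__address__` such as `# port must match services.crowdsec.settings.prometheus.listen_port` documents the coupling. The enclosing attribute sets start and end outside these hunks.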
+++ b/modules/system/services/crowdsec/default.nix
@@ -50,6 +50,10 @@ in
 settings = {
 api.server.listen_uri = "localhost:${builtins.toString cfg.apiPort}";
 cscli.prometheus_uri = "http://localhost:${builtins.toString cfg.prometheusPort}";
+ prometheus = {
+ listen_addr = "localhost";
+ listen_port = cfg.prometheusPort;
+ };
 };
 allowLocalJournalAccess = true;
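Review bot: The new `prometheus` block sets only `listen_addr` and `listen_port`, so whether the exporter is actually running depends on an `enabled` default that this hunk does not show; setting `enabled = true;` explicitly would make the module self-contained if that default is not guaranteed. Keeping the listener on loopback is the right call, since the metrics endpoint appears to have no authentication of its own, and a comment such as `# loopback only: unauthenticated metrics endpoint, scraped locally by Alloy` would discourage a later edit from widening it. `localhost` can resolve to either 127.0.0.1 or ::1, so using `127.0.0.1` both here and in the Alloy scrape target would keep listener and scraper on the same address family. The enclosing attribute set continues outside the hunk.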