nixos-config/modules/system/services/crowdsec/default.nix

{
  config,
  inputs,
  pkgs,
  lib,
  ...
}:
let
  cfg = config.custom.services.crowdsec;
in
{
  imports = [ inputs.crowdsec.nixosModules.crowdsec ];

  options.custom.services.crowdsec = {
    enable = lib.mkEnableOption "";
    apiPort = lib.mkOption {
      type = lib.types.port;
      default = 8080;
    };
    sources = lib.mkOption {
      type = lib.types.listOf (
        lib.types.enum [
          "sshd"
          "iptables"
          "caddy"
        ]
      );
      default = [ ];
    };
  };

  config = lib.mkIf cfg.enable {
    nixpkgs.overlays = [ inputs.crowdsec.overlays.default ];

    sops.secrets."crowdsec/enrollment-key".owner = config.users.users.crowdsec.name;

    services.crowdsec = {
      enable = true;
      package = inputs.crowdsec.packages.${pkgs.system}.crowdsec;
      enrollKeyFile = config.sops.secrets."crowdsec/enrollment-key".path;
      settings.api.server.listen_uri = "127.0.0.1:${toString cfg.apiPort}";

      allowLocalJournalAccess = true;
      acquisitions =
        let
          mkAcquisition =
            enable: unit:
            lib.optionalAttrs enable {
              source = "journalctl";
              journalctl_filter = [ "_SYSTEMD_UNIT=${unit}" ];
              labels.type = "syslog";
            };
        in
        [
          (mkAcquisition (lib.elem "sshd" cfg.sources) "sshd.service")
          (mkAcquisition (lib.elem "caddy" cfg.sources) "caddy.service")
          (lib.mkIf (lib.elem "iptables" cfg.sources) {
            source = "journalctl";
            journalctl_filter = [ "-k" ];
            labels.type = "syslog";
          })
        ];
    };

    systemd.services.crowdsec.serviceConfig.ExecStartPre =
      let
        installCollection = collection: ''
          if ! cscli collections list | grep -q "${collection}"; then
            cscli collections install ${collection}
          fi
        '';
      in
      [
        "crowdsecurity/linux"
        (lib.optional (lib.elem "sshd" cfg.sources) "crowdsecurity/sshd")
        (lib.optional (lib.elem "caddy" cfg.sources) "crowdsecurity/caddy")
        (lib.optional (lib.elem "iptables" cfg.sources) "crowdsecurity/iptables")
      ]
      |> lib.flatten
      |> lib.map installCollection
      |> lib.concatLines
      |> (text: pkgs.writeShellScript "crowdsec-install-collections" "set -e\n${text}")
      |> lib.mkAfter;
  };
}