From 10ae51d717cd7ecd41412bdc8942cc72d6967dda Mon Sep 17 00:00:00 2001
From: moni-dz
Date: Sun, 29 Dec 2024 18:04:54 +0800
Subject: [PATCH] mistral: crowdsec fixup
---
 hosts/mistral/configuration.nix | 77 ++++++++++++++++++++++++++-------
 1 file changed, 61 insertions(+), 16 deletions(-)
diff --git a/hosts/mistral/configuration.nix b/hosts/mistral/configuration.nix
index 81515f2..af432af 100644
--- a/hosts/mistral/configuration.nix
+++ b/hosts/mistral/configuration.nix
@@ -41,20 +41,57 @@
 # 5432
 ];
+ systemd.tmpfiles.rules = [
+ "Z '/var/lib/crowdsec' 0764 crowdsec crowdsec - -"
+ "Z '/var/lib/crowdsec/data' 0764 crowdsec crowdsec - -"
+ "Z '/var/lib/crowdsec/hub' 0764 crowdsec crowdsec - -"
+ ];
+
 systemd.services = {
- crowdsec.serviceConfig.ExecStartPre =
+ crowdsec.serviceConfig =
 let
- script = pkgs.writeScriptBin "register-bouncer" ''
- #!${pkgs.runtimeShell}
- set -eu
- set -o pipefail
-
- if ! cscli bouncers list | grep -q "tough-guy"; then
- cscli bouncers add "tough-guy" --key "$(cat ${config.age.secrets.bouncer.path})"
- fi
- '';
+ cfg = config.services.crowdsec;
+ format = pkgs.formats.yaml { };
+ configFile = format.generate "crowdsec.yaml" cfg.settings;
+ pkg = cfg.package;
 in
- [ "${script}/bin/register-bouncer" ];
+ {
+ ExecPaths = lib.mkForce [
+ "/nix/store"
+ "/run/current-system/sw/bin/"
+ ];
+
+ NoExecPaths = lib.mkForce [ ];
+ ExecStart = lib.mkForce "${pkgs.coreutils}/bin/stdbuf -oL -- ${pkg}/bin/crowdsec -c ${configFile}";
+
+ ExecStartPre =
+ let
+ setup = pkgs.writeScriptBin "crowdsec-setup" ''
+ #!${pkgs.runtimeShell}
+ set -eu
+ set -o pipefail
+
+ ${lib.optionalString cfg.settings.api.server.enable ''
+ if [ ! -s "${cfg.settings.api.client.credentials_path}" ]; then
+ cscli machine add "${cfg.name}" --auto
+ fi
+ ''}
+
+ ${lib.optionalString (cfg.enrollKeyFile != null) ''
+ if ! grep -q password "${cfg.settings.api.server.online_client.credentials_path}" ]; then
+ cscli capi register
+ fi
+
+ if [ ! -e "${cfg.settings.api.server.console_path}" ]; then
+ cscli console enroll "$(cat ${cfg.enrollKeyFile})" --name ${cfg.name}
+ fi
+ ''}
+ '';
+ in
+ lib.mkForce [
+ "${setup}/bin/crowdsec-setup"
+ ];
+ };
 crowdsec-update-hub.serviceConfig.ExecStartPost = lib.mkForce "";
 };
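Review bot: The `Z` tmpfiles rules are recursive, so the `0764` mode on `/var/lib/crowdsec` is applied to every file beneath it, including the local-API, online-API and console credential files the setup script writes under `credentials_path`, `online_client.credentials_path` and `console_path`, which leaves those secrets readable by every local user. Dropping the `o=r` bit (`0750`, or `0700` if only the crowdsec user needs the tree) is what the service actually needs, and `g=rw` without `x` on a directory does not let the group traverse it anyway, so the mode looks like a typo. In the second `optionalString` block, `if ! grep -q password "…" ]; then` carries a stray `]` that grep treats as a second filename; it happens to still reach `cscli capi register` when the file is missing only because grep then exits non-zero, and the line should read `if ! grep -q password "${cfg.settings.api.server.online_client.credentials_path}"; then`. Forcing `ExecPaths` to the whole `/nix/store` and emptying `NoExecPaths` appears to relax the module's exec hardening for the entire service rather than just the pre-start script, so a comment naming the binary that needed it, e.g. `# cscli and the hub tooling need exec from the store and the system profile`, would make the relaxation reviewable. The `systemd.services` attrset continues outside the hunk.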
@@ -64,13 +101,21 @@
 crowdsec = {
 enable = true;
+ allowLocalJournalAccess = true;
 enrollKeyFile = config.age.secrets.crowdsec.path;
- settings.acquisitions_path = (pkgs.formats.yaml { }).generate "acquisitions.yaml" {
- source = "journalctl";
- journalctl_filter = [ "_SYSTEMD_UNIT=sshd.service" ];
- labels.type = "syslog";
- };
+ settings =
+ let
+ yaml = (pkgs.formats.yaml { }).generate;
+ acquisitions_file = yaml "acquisitions.yaml" {
+ source = "journalctl";
+ journalctl_filter = [ "_SYSTEMD_UNIT=sshd.service" ];
+ labels.type = "syslog";
+ };
+ in
+ {
+ crowdsec_service.acquisition_path = acquisitions_file;
+ };
 };
 crowdsec-firewall-bouncer = {
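Review bot: `allowLocalJournalAccess = true;` is added without a note on why, and nothing next to it ties it to the `journalctl` acquisition source a few lines below that presumably needs to read the local journal; a short comment such as `# needed for the journalctl acquisition source below (sshd unit only)` would keep the grant from reading as an unrelated widening of what the service can see. The `_SYSTEMD_UNIT=sshd.service` filter is the only thing narrowing that read, so the same comment is the place to say the filter should be extended rather than removed when more sources are added. The local `yaml` helper builds a second `pkgs.formats.yaml { }` generator alongside the `format` binding used for `crowdsec.yaml` elsewhere in this file; hoisting one generator to module scope would avoid the duplication. The attrset this `crowdsec = {` block belongs to starts before the hunk, and the `crowdsec-firewall-bouncer = {` block is cut off after it.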