diff --git a/flake.nix b/flake.nix
index 91f6295..7bef536 100644
--- a/flake.nix
+++ b/flake.nix
@@ -9,9 +9,12 @@
 systems = flake-utils.lib.eachDefaultSystem (system: let
 pkgs = import nixpkgs {inherit system;};
+ crowdsec = pkgs.callPackage ./packages/crowdsec {};
 bouncer-firewall = pkgs.callPackage ./packages/bouncer-firewall {};
 in {
 formatter = pkgs.alejandra;
+
+ packages."crowdsec" = crowdsec;
 packages."crowdsec-firewall-bouncer" = bouncer-firewall;
 });
 in
 (systems
@@ -21,6 +24,7 @@
 crowdsec-firewall-bouncer = import ./modules/crowdsec-firewall-bouncer;
 };
 overlays.default = final: prev: {
+ crowdsec = systems.packages.${final.system}.crowdsec;
 crowdsec-firewall-bouncer = systems.packages.${final.system}.crowdsec-firewall-bouncer;
 };
 });
diff --git a/modules/crowdsec/default.nix b/modules/crowdsec/default.nix
index 4ed6284..e12a652 100644
--- a/modules/crowdsec/default.nix
+++ b/modules/crowdsec/default.nix
@@ -8,24 +8,7 @@
 format = pkgs.formats.yaml {};
 configFile = format.generate "crowdsec.yaml" cfg.settings;
- pkg = cfg.package.overrideAttrs (old: {
- ldflags =
- (old.ldflags or [])
- ++ [
- "-X github.com/crowdsecurity/go-cs-lib/version.Version=v${old.version}"
- ];
- patches =
- (old.patches or [])
- ++ [
- (
- pkgs.fetchpatch
- {
- url = "https://patch-diff.githubusercontent.com/raw/crowdsecurity/crowdsec/pull/2868.patch";
- hash = "sha256-RSfLhNZ3JVvHoW/BNca9Hs4lpjcDtE1vsBDjJeaHqvc=";
- }
- )
- ];
- });
+ pkg = cfg.package;
 defaultPatterns = lib.mapAttrs (name: value: lib.mkDefault "${pkg}/share/crowdsec/config/patterns/${name}") (builtins.readDir "${pkg}/share/crowdsec/config/patterns");
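Review bot: The added overlay line assigns `crowdsec`, the same attribute name nixpkgs already provides, so every consumer that applies `overlays.default` gets nixpkgs' crowdsec replaced by this repo's vendored build everywhere `pkgs.crowdsec` is referenced, not only inside this flake's module. That is presumably intended, but it also means such consumers stop receiving nixpkgs' updates to crowdsec until this repository bumps `packages/crowdsec` itself. A comment on the new line would make that trade-off explicit, e.g. `# Shadows nixpkgs' crowdsec; updates come from ./packages/crowdsec, not from nixpkgs`.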
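Review bot: The removed `overrideAttrs` carried both the version ldflag and a `fetchpatch` of crowdsec PR 2868, and the replacement `pkg = cfg.package;` drops both; the version flag reappears in the new `packages/crowdsec/default.nix`, but nothing in the diff says whether the PR 2868 change is already contained in the vendored source or is being dropped on purpose. If it is in upstream now, a one-line comment in the package file (or the commit message) recording that would keep a future reader from re-adding it; if it is not, the fix is silently lost. The `defaultPatterns` context line still reads `${pkg}/share/...` through `builtins.readDir`, so it now evaluates against whatever package a user sets in `cfg.package`; the `let` block it belongs to continues outside the hunk.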
@@ -91,7 +74,11 @@
 in {
 options.services.crowdsec = with lib; {
 enable = mkEnableOption "CrowSec Security Engine";
- package = mkPackageOption pkgs "crowdsec" {};
+ package = mkOption {
+ description = "The crowdsec package to use in this module";
+ type = types.package;
+ default = pkgs.callPackage ../../packages/crowdsec {};
+ };
 name = mkOption {
 type = types.str;
 description = mdDoc ''
diff --git a/packages/crowdsec/default.nix b/packages/crowdsec/default.nix
new file mode 100644
index 0000000..1e7dadb
--- /dev/null
+++ b/packages/crowdsec/default.nix
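Review bot: The new `package` option has a non-literal default (`pkgs.callPackage ../../packages/crowdsec {}`) but no `defaultText`, which `mkPackageOption` used to supply automatically; generated option documentation will then render the derivation rather than the expression. Add `defaultText = lib.literalExpression "pkgs.callPackage ../../packages/crowdsec {}";` next to `default`. Replacing `mkPackageOption pkgs "crowdsec"` with a direct `callPackage` also means the module no longer picks up `pkgs.crowdsec` from the overlay this same commit adds to flake.nix, nor from a user's own overlay; if bypassing overlays is intended, the option description should say so. The option set continues outside the hunk.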
@@ -0,0 +1,98 @@
+/*
+This package has been copied from the nixpkgs source repository.
+All rights apply.
+
+Copyright (c) 2003-2024 Eelco Dolstra and the Nixpkgs/NixOS contributors
+Copyright (c) 2024 Christian Kampka
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+*/
+{
+ lib,
+ buildGoModule,
+ fetchFromGitHub,
+ installShellFiles,
+}:
+buildGoModule rec {
+ pname = "crowdsec";
+ version = "1.6.1";
+
+ src = fetchFromGitHub {
+ owner = "crowdsecurity";
+ repo = pname;
+ rev = "v${version}";
+ hash = "sha256-CCQDMIBpKmaUSRwyjryTO3YWVIrr6FwW64K+alTrcdw=";
+ };
+
+ vendorHash = "sha256-K38hxWcrYOznXr8eST0xQBL0nNxHMAiGji5rFwAK0Qw=";
+
+ nativeBuildInputs = [installShellFiles];
+
+ subPackages = [
+ "cmd/crowdsec"
+ "cmd/crowdsec-cli"
+ ];
+
+ ldflags = [
+ "-s"
+ "-w"
+ "-X github.com/crowdsecurity/go-cs-lib/version.Version=v${version}"
+ "-X github.com/crowdsecurity/go-cs-lib/version.BuildDate=1970-01-01_00:00:00"
+ "-X github.com/crowdsecurity/go-cs-lib/version.Tag=${src.rev}"
+ "-X github.com/crowdsecurity/crowdsec/pkg/cwversion.Codename=alphaga"
+ "-X github.com/crowdsecurity/crowdsec/pkg/csconfig.defaultConfigDir=/etc/crowdsec"
+ "-X github.com/crowdsecurity/crowdsec/pkg/csconfig.defaultDataDir=/var/lib/crowdsec/data"
+ ];
+
+ postBuild = "mv $GOPATH/bin/{crowdsec-cli,cscli}";
+
+ postInstall = ''
+ mkdir -p $out/share/crowdsec
+ cp -r ./config $out/share/crowdsec/
+
+ installShellCompletion --cmd cscli \
+ --bash <($out/bin/cscli completion bash) \
+ --fish <($out/bin/cscli completion fish) \
+ --zsh <($out/bin/cscli completion zsh)
+ '';
+
+ # It's important that the version is correctly set as it also determines feature capabilities
+ checkPhase = ''
+ $GOPATH/bin/cscli version 2>&1 | grep -q "version: v${version}"
+ '';
+
+ meta = with lib; {
+ homepage = "https://crowdsec.net/";
+ changelog = "https://github.com/crowdsecurity/crowdsec/releases/tag/v${version}";
+ description = "CrowdSec is a free, open-source and collaborative IPS";
+ longDescription = ''
+ CrowdSec is a free, modern & collaborative behavior detection engine,
+ coupled with a global IP reputation network. It stacks on fail2ban's
+ philosophy but is IPV6 compatible and 60x faster (Go vs Python), uses Grok
+ patterns to parse logs and YAML scenario to identify behaviors. CrowdSec
+ is engineered for modern Cloud/Containers/VM based infrastructures (by
+ decoupling detection and remediation). Once detected you can remedy
+ threats with various bouncers (firewall block, nginx http 403, Captchas,
+ etc.) while the aggressive IP can be sent to CrowdSec for curation before
+ being shared among all users to further improve everyone's security.
+ '';
+ license = licenses.mit;
+ };
+}
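Review bot: The `checkPhase` override replaces buildGoModule's default `go test` run with a single `cscli version | grep` check, so the Go test suite is never executed for this vendored build; if that is inherited from nixpkgs (the header says the file was copied from there) and deliberate, say so beside the existing comment, e.g. `# Replaces the default go test run: only the embedded version string is verified here`. The header also states the file was copied from nixpkgs but does not record which nixpkgs revision, which makes diffing against upstream when a security update to the pinned `version = "1.6.1"`, `hash` and `vendorHash` is needed unnecessarily hard; a line such as `# Copied from nixpkgs at <NIXPKGS-REVISION-PLACEHOLDER>` in the header would fix that.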