Internalize crowdsec package and update to v1.6.1

This commit is contained in:
Christian Kampka
2024-04-28 10:31:34 +02:00
parent 6c7253f51c
commit f65978caa7
3 changed files with 108 additions and 19 deletions


@@ -9,9 +9,12 @@
systems = flake-utils.lib.eachDefaultSystem (system: let
pkgs = import nixpkgs {inherit system;};
crowdsec = pkgs.callPackage ./packages/crowdsec {};
bouncer-firewall = pkgs.callPackage ./packages/bouncer-firewall {};
in {
formatter = pkgs.alejandra;
packages."crowdsec" = crowdsec;
packages."crowdsec-firewall-bouncer" = bouncer-firewall;
});
in (systems
@@ -21,6 +24,7 @@
crowdsec-firewall-bouncer = import ./modules/crowdsec-firewall-bouncer;
};
overlays.default = final: prev: {
crowdsec = systems.packages.${final.system}.crowdsec;
crowdsec-firewall-bouncer = systems.packages.${final.system}.crowdsec-firewall-bouncer;
};
});


@@ -8,24 +8,7 @@
format = pkgs.formats.yaml {};
configFile = format.generate "crowdsec.yaml" cfg.settings;
pkg = cfg.package.overrideAttrs (old: {
ldflags =
(old.ldflags or [])
++ [
"-X github.com/crowdsecurity/go-cs-lib/version.Version=v${old.version}"
];
patches =
(old.patches or [])
++ [
(
pkgs.fetchpatch
{
url = "https://patch-diff.githubusercontent.com/raw/crowdsecurity/crowdsec/pull/2868.patch";
hash = "sha256-RSfLhNZ3JVvHoW/BNca9Hs4lpjcDtE1vsBDjJeaHqvc=";
}
)
];
});
pkg = cfg.package;
defaultPatterns = lib.mapAttrs (name: value: lib.mkDefault "${pkg}/share/crowdsec/config/patterns/${name}") (builtins.readDir "${pkg}/share/crowdsec/config/patterns");
@@ -91,7 +74,11 @@
in {
options.services.crowdsec = with lib; {
enable = mkEnableOption "CrowSec Security Engine";
package = mkPackageOption pkgs "crowdsec" {};
package = mkOption {
description = "The crowdsec package to use in this module";
type = types.package;
default = pkgs.callPackage ../../packages/crowdsec {};
};
name = mkOption {
type = types.str;
description = mdDoc ''
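Review bot: The new `package` option has a derivation-valued default but no `defaultText`, so generated module documentation can only render the evaluated derivation instead of the expression a user should copy; `mkPackageOption`, which it replaces, filled this in automatically. Since `with lib;` is in scope, add `defaultText = literalExpression "pkgs.callPackage ../../packages/crowdsec {}";` next to the `default`. The first hunk of this file drops the `overrideAttrs` that applied the upstream PR 2868 patch and the `version.Version` ldflag; the new internal package sets the ldflag itself, but it carries no patch, so it is worth confirming that v1.6.1 already contains that change and saying so in the commit message. The `options.services.crowdsec` set continues past the end of the hunk.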


@@ -0,0 +1,98 @@
/*
This package has been copied from the nixpkgs source repository.
All rights apply.
Copyright (c) 2003-2024 Eelco Dolstra and the Nixpkgs/NixOS contributors
Copyright (c) 2024 Christian Kampka
Permission is hereby granted, free of charge, to any person obtaining
a copy of this software and associated documentation files (the
"Software"), to deal in the Software without restriction, including
without limitation the rights to use, copy, modify, merge, publish,
distribute, sublicense, and/or sell copies of the Software, and to
permit persons to whom the Software is furnished to do so, subject to
the following conditions:
The above copyright notice and this permission notice shall be
included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
*/
{
lib,
buildGoModule,
fetchFromGitHub,
installShellFiles,
}:
buildGoModule rec {
pname = "crowdsec";
version = "1.6.1";
src = fetchFromGitHub {
owner = "crowdsecurity";
repo = pname;
rev = "v${version}";
hash = "sha256-CCQDMIBpKmaUSRwyjryTO3YWVIrr6FwW64K+alTrcdw=";
};
vendorHash = "sha256-K38hxWcrYOznXr8eST0xQBL0nNxHMAiGji5rFwAK0Qw=";
nativeBuildInputs = [installShellFiles];
subPackages = [
"cmd/crowdsec"
"cmd/crowdsec-cli"
];
ldflags = [
"-s"
"-w"
"-X github.com/crowdsecurity/go-cs-lib/version.Version=v${version}"
"-X github.com/crowdsecurity/go-cs-lib/version.BuildDate=1970-01-01_00:00:00"
"-X github.com/crowdsecurity/go-cs-lib/version.Tag=${src.rev}"
"-X github.com/crowdsecurity/crowdsec/pkg/cwversion.Codename=alphaga"
"-X github.com/crowdsecurity/crowdsec/pkg/csconfig.defaultConfigDir=/etc/crowdsec"
"-X github.com/crowdsecurity/crowdsec/pkg/csconfig.defaultDataDir=/var/lib/crowdsec/data"
];
postBuild = "mv $GOPATH/bin/{crowdsec-cli,cscli}";
postInstall = ''
mkdir -p $out/share/crowdsec
cp -r ./config $out/share/crowdsec/
installShellCompletion --cmd cscli \
--bash <($out/bin/cscli completion bash) \
--fish <($out/bin/cscli completion fish) \
--zsh <($out/bin/cscli completion zsh)
'';
# It's important that the version is correctly set as it also determines feature capabilities
checkPhase = ''
$GOPATH/bin/cscli version 2>&1 | grep -q "version: v${version}"
'';
meta = with lib; {
homepage = "https://crowdsec.net/";
changelog = "https://github.com/crowdsecurity/crowdsec/releases/tag/v${version}";
description = "CrowdSec is a free, open-source and collaborative IPS";
longDescription = ''
CrowdSec is a free, modern & collaborative behavior detection engine,
coupled with a global IP reputation network. It stacks on fail2ban's
philosophy but is IPV6 compatible and 60x faster (Go vs Python), uses Grok
patterns to parse logs and YAML scenario to identify behaviors. CrowdSec
is engineered for modern Cloud/Containers/VM based infrastructures (by
decoupling detection and remediation). Once detected you can remedy
threats with various bouncers (firewall block, nginx http 403, Captchas,
etc.) while the aggressive IP can be sent to CrowdSec for curation before
being shared among all users to further improve everyone's security.
'';
license = licenses.mit;
};
}
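Review bot: The header comment says the expression was copied from nixpkgs but does not record which nixpkgs revision, which makes it hard to later diff against upstream and to notice when the copy lags security fixes that nixpkgs picks up; add a line such as `Copied from nixpkgs at <NIXPKGS_COMMIT> (placeholder); review against upstream on each crowdsec bump.` under the copyright notice. Separately, defining `checkPhase` replaces the `go test` run that `buildGoModule` performs by default, so only the version grep executes and the upstream unit tests are skipped; if that is inherited from the nixpkgs expression a short comment above `checkPhase` saying so would prevent a future reader from treating it as an oversight, otherwise consider keeping the default tests and moving the version check to a `postCheck` hook.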