Skip to content

nixos/crowdsec-firewall-bouncer: init module #446106

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

nixos/crowdsec-firewall-bouncer: init module #446106

wants to merge 1 commit into from
+385 −0

Conversation

nicomem
Copy link
Contributor

@nicomem nicomem commented Sep 25, 2025
edited
Loading

Fixes #358457

Initialize a module for configuring the CrowdSec Firewall Bouncer, fetching decisions from a CrowdSec API and applying them to the configured firewall.

This module defaults to a configuration that connects to the services.crowdsec local API such that a configuration like:

{
  services.crowdsec-firewall-bouncer.enable = true;
}

would work as intended, but should be configurable enough that it can support other types of configuration (e.g. leaving the user manage the rulesets itself, connect to an external CrowdSec API, etc.).

The module requires the user to manually register the bouncer to get the API key before enabling this module.
It may be possible to create another service that does this work automatically but this is not simple to do in a robust way and would not work when using an external CrowdSec API.
There is now an option (enabled by default if config.services.crowdsec.enable is set) to automatically register to the locally running crowdsec service, allowing for a no-manual-intervention setup.
This options is optional and the module still allows for other use-cases (e.g. specify an api_key to connect to an external CrowdSec API).

I have tested the nftables mode, both with the module creating the rulesets (set-only = true), or leaving the bouncer creating and updating them (set-only = false).
In both cases, the bouncer manages to create/update the appropriate nftables elements to block the IPs based on the current CrowdSec decisions.

I have not tested the iptables mode, where the bouncer will automatically create the ruleset for the iptables firewall. If one is able to test this case, I would be thankful.
I also did not write the creation of the ruleset for the iptables firewall as I was not too familiar on this topic.
-> Thus, I added an assertion when the user has set the ipset mode (the bouncer expects the ruleset to be created) and the create_rulesets option is left enabled.

I've only added myself as a maintainer but if others such as the crowdsec module maintainers want to also be added to this module, let me know and I will add you.

Upstream documentation and interesting files:

Pinging the maintainers of the crowdsec module: @M0ustach3 @TornaxO7 @06kellyjac

Things done

  • Built on platform:
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • Tested, as applicable:
  • Ran nixpkgs-review on this PR. See nixpkgs-review usage.
  • Tested basic functionality of all binary files, usually in ./result/bin/.
  • Nixpkgs Release Notes
    • Package update: when the change is major or breaking.
  • NixOS Release Notes
    • Module addition: when adding a new NixOS module.
    • Module update: when the change is significant.
  • Fits CONTRIBUTING.md, pkgs/README.md, maintainers/README.md and other READMEs.

Add a 👍 reaction to pull requests you find important.

@nicomem nicomem force-pushed the crowdsec-firewall-bouncer-module branch from 19aa7de to 4fa01c4 Compare September 25, 2025 17:43
@nixpkgs-ci nixpkgs-ci bot added 10.rebuild-linux: 1-10 This PR causes between 1 and 10 packages to rebuild on Linux. 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin. 6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS 8.has: changelog This PR adds or changes release notes 8.has: module (update) This PR changes an existing module in `nixos/` 8.has: documentation This PR adds or changes documentation labels Sep 25, 2025
@nicomem nicomem force-pushed the crowdsec-firewall-bouncer-module branch 2 times, most recently from a1e08d9 to db78240 Compare September 25, 2025 18:50
@nixpkgs-ci nixpkgs-ci bot added the 9.needs: reviewer This PR currently has no reviewers requested and needs attention. label Sep 25, 2025
@h7x4 h7x4 added the 8.has: module (new) This PR adds a module in `nixos/` label Sep 26, 2025
@nicomem nicomem marked this pull request as draft September 27, 2025 15:43
@nicomem
Copy link
Contributor Author

nicomem commented Sep 27, 2025

On second thought, the bouncer could be automatically registered to the locally running crowdsec service in a similar way as the crowdsec-setup of the crowdsec module.
-> This could also potentially allow adding module tests as it would no longer require manual intervention

Converting the PR to draft while I'm working on this

@nixpkgs-ci nixpkgs-ci bot removed the 9.needs: reviewer This PR currently has no reviewers requested and needs attention. label Sep 27, 2025
@nicomem nicomem force-pushed the crowdsec-firewall-bouncer-module branch from db78240 to b8cf0db Compare September 27, 2025 20:58
@nicomem nicomem force-pushed the crowdsec-firewall-bouncer-module branch from b8cf0db to 587b65b Compare September 27, 2025 21:02
@nicomem
Copy link
Contributor Author

nicomem commented Sep 27, 2025

I added an option to automatically register the bouncer to the locally running CrowdSec service (enabled by default if config.services.crowdsec.enable is set).

I changed the naming of options from kebab-case to camelCase as it seems to be the most commonly used casing for modules options.

I tried to add module tests but I got stuck at the crowdsec-setup script trying to download from the hub, failing to do so, and thus making the service not start...
As this would require non-trivial work to be done on the crowdsec module, tests could be added at a later date once this problem has been fixed.

@nicomem nicomem marked this pull request as ready for review September 27, 2025 21:13
@nixpkgs-ci nixpkgs-ci bot added the 9.needs: reviewer This PR currently has no reviewers requested and needs attention. label Sep 27, 2025
@h7x4 h7x4 self-requested a review October 8, 2025 23:26
@nixpkgs-ci nixpkgs-ci bot added 2.status: merge conflict This PR has merge conflicts with the target branch and removed 9.needs: reviewer This PR currently has no reviewers requested and needs attention. labels Oct 8, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@h7x4 h7x4 Awaiting requested review from h7x4

Assignees

No one assigned

Labels

2.status: merge conflict This PR has merge conflicts with the target branch 6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS 8.has: changelog This PR adds or changes release notes 8.has: documentation This PR adds or changes documentation 8.has: module (new) This PR adds a module in `nixos/` 8.has: module (update) This PR changes an existing module in `nixos/` 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin. 10.rebuild-linux: 1-10 This PR causes between 1 and 10 packages to rebuild on Linux.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Module request: crowdsec firewall bouncer

2 participants

@nicomem @h7x4