diff --git a/ansible/app-configs/crowdsec_config.yaml.j2 b/ansible/app-configs/crowdsec_config.yaml.j2
new file mode 100644
index 00000000..9f58cb6b
--- /dev/null
+++ b/ansible/app-configs/crowdsec_config.yaml.j2
@@ -0,0 +1,49 @@
+common:
+ daemonize: false
+ log_media: stdout
+ log_level: info
+ log_dir: /var/log/
+config_paths:
+ config_dir: /etc/crowdsec/
+ data_dir: /var/lib/crowdsec/data/
+ simulation_path: /etc/crowdsec/simulation.yaml
+ hub_dir: /etc/crowdsec/hub/
+ index_path: /etc/crowdsec/hub/.index.json
+ notification_dir: /etc/crowdsec/notifications/
+ plugin_dir: /usr/local/lib/crowdsec/plugins/
+crowdsec_service:
+ acquisition_path: /etc/crowdsec/acquis.yaml
+ acquisition_dir: /etc/crowdsec/acquis.d
+ parser_routines: 1
+plugin_config:
+ user: nobody
+ group: nobody
+cscli:
+ output: human
+db_config:
+ log_level: info
+ type: sqlite
+ db_path: /var/lib/crowdsec/data/crowdsec.db
+ flush:
+ max_items: 5000
+ max_age: 7d
+ use_wal: false
+api:
+ client:
+ insecure_skip_verify: false
+ credentials_path: /etc/crowdsec/local_api_credentials.yaml
+ server:
+ log_level: info
+ listen_uri: 0.0.0.0:8080
+ profiles_path: /etc/crowdsec/profiles.yaml
+ trusted_ips: # IP ranges, or IPs which can have admin API access
+ - 127.0.0.1
+ - ::1
+ online_client: # Central API credentials (to push signals and receive bad IPs)
+ credentials_path: /etc/crowdsec/online_api_credentials.yaml
+ enable: true
+prometheus:
+ enabled: true
+ level: full
+ listen_addr: 0.0.0.0
+ listen_port: 6060
\ No newline at end of file
diff --git a/ansible/app-configs/crowdsec_online-api-credentials.yaml.j2 b/ansible/app-configs/crowdsec_online-api-credentials.yaml.j2
new file mode 100644
index 00000000..3f7aeafb
--- /dev/null
+++ b/ansible/app-configs/crowdsec_online-api-credentials.yaml.j2
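Review bot: `listen_uri: 0.0.0.0:8080` under `api.server` binds the Local API on every interface of the container, and there is no `tls:` stanza next to it, so bouncer API keys and the agent's machine credentials reach this LAPI as plaintext HTTP on whatever network the container is attached to; the loopback-only `trusted_ips` list only restricts unauthenticated admin calls, it does not protect those credentials. Whether 8080 (and the unauthenticated `level: full` Prometheus endpoint on `listen_addr: 0.0.0.0`/`6060`) is reachable beyond the compose network depends on `ports:` entries not shown in this diff; if it is, add `tls:` with `cert_file`/`key_file` under `api.server` or keep the port unpublished. Make the assumption explicit on the line itself: `listen_uri: 0.0.0.0:8080  # plaintext LAPI — keep on the internal compose network, do not publish`. The file also lacks a trailing newline (`\ No newline at end of file`), which is harmless for YAML but worth fixing for clean diffs.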
@@ -0,0 +1,6 @@
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
+
+url: https://api.crowdsec.net/
+login: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['CROWDSEC_ONLINE_PASSWORD'] }}
+password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['CROWDSEC_ONLINE_PASSWORD'] }}
\ No newline at end of file
diff --git a/docker-compose.yml b/docker-compose.yml
index f4aeff33..a89e153c
--- a/docker-compose.yml
+++ b/docker-compose.yml
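Review bot: `login:` and `password:` both read `['secret']['CROWDSEC_ONLINE_PASSWORD']`, so the rendered credentials file sends the password as the CAPI login and enrolment cannot succeed; the `login` line should read a separate key, presumably `['CROWDSEC_ONLINE_LOGIN']` — confirm the key name in the `rinoa-docker/env` secret. Both values are unquoted Jinja at the start of a YAML value, so a password containing `#`, `: `, a leading quote or special, or one that looks numeric will be mis-parsed once the file is rendered; fetch the secret once and JSON-encode the scalars: `{% set secret = lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret'] %}`, `login: {{ secret['CROWDSEC_ONLINE_LOGIN'] | to_json }}`, `password: {{ secret['CROWDSEC_ONLINE_PASSWORD'] | to_json }}`. `secrets_path` is set but never used (the mount point and path are hard-coded in the lookup), so use it or drop it. The rendered file holds a live Central API credential, so the `template` task that writes it — not visible in this diff — should set `mode: '0600'`.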
@@ -722,36 +722,13 @@ services:
 security_opt:
 - no-new-privileges=true
 volumes:
- - source: ${DOCKER_VOLUME_CONFIG}/crowdsec/config.yaml.local
- target: /etc/crowdsec/config.yaml.local
- type: bind
- bind:
- create_host_path: true
- - source: ${DOCKER_VOLUME_CONFIG}/crowdsec/local_api_credentials.yaml.local
- target: /etc/crowdsec/local_api_credentials.yaml.local
- type: bind
- bind:
- create_host_path: true
- - read_only: true
- source: ${DOCKER_VOLUME_CONFIG}/swag/log/nginx
- target: /var/log/swag
- type: bind
- bind:
- create_host_path: true
- - source: crowdsec-config
- target: /etc/crowdsec
- type: volume
- volume: {}
- - source: crowdsec-db
- target: /var/lib/crowdsec/data
- type: volume
- volume: {}
- - bind:
- create_host_path: true
- read_only: true
- source: /var/log/journal
- target: /var/log/host
- type: bind
+ - ${DOCKER_VOLUME_CONFIG}/crowdsec/config.yaml.local:/etc/crowdsec/config.yaml
+ - ${DOCKER_VOLUME_CONFIG}/crowdsec/local-api-credentials.yaml:/etc/crowdsec/local_api_credentials.yaml
+ - ${DOCKER_VOLUME_CONFIG}/crowdsec/online-api-credentials.yaml:/etc/crowdsec/online_api_credentials.yaml
+ - ${DOCKER_VOLUME_CONFIG}/swag/log/nginx:/var/log/swag:ro
+ - crowdsec-config:/etc/crowdsec
+ - crowdsec-db:/var/lib/crowdsec/data
+ - /var/log/journal:/var/log/host:ro
 crowdsec-dashboard:
 container_name: crowdsec-dashboard
 depends_on:
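Review bot: The two credential files are bind-mounted read-write (`.../local-api-credentials.yaml:/etc/crowdsec/local_api_credentials.yaml` and `.../online-api-credentials.yaml:/etc/crowdsec/online_api_credentials.yaml`) while the log mounts on the same list keep `:ro`; the online credentials file is rendered from Vault outside the container and only read by crowdsec, so mount it `- ${DOCKER_VOLUME_CONFIG}/crowdsec/online-api-credentials.yaml:/etc/crowdsec/online_api_credentials.yaml:ro` so a compromised container cannot rewrite the identity it enrols under. `local_api_credentials.yaml` is presumably written by the image entrypoint when it registers the local agent — confirm that before adding `:ro` there as well. The host file is still named `config.yaml.local` but now lands on `/etc/crowdsec/config.yaml`, so it replaces the image's configuration outright instead of being merged as a `.local` overlay as the removed mount did; either rename the host file or note it inline, e.g. `# full config.yaml replacement (rendered by Ansible), not a .local overlay`. The crowdsec service definition starts before this hunk.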