feat: add crowdsec

ethibox · May 30, 2024 · cc13dba · cc13dba
1 parent 11c2224
commit cc13dba
Show file tree

Hide file tree

Showing 2 changed files with 92 additions and 0 deletions.
diff --git a/stacks/crowdsec.yml b/stacks/crowdsec.yml
@@ -0,0 +1,38 @@
+# DOMAIN=example.com docker stack deploy -c crowdsec.yml crowdsec
+
+version: '3.8'
+
+services:
+  crowdsec:
+    image: crowdsecurity/crowdsec:${VERSION:-v1.6.1-2}
+    environment:
+      - COLLECTIONS=${COLLECTIONS:-crowdsecurity/traefik}
+      - CUSTOM_HOSTNAME=${CUSTOM_HOSTNAME:-crowdsec}
+    volumes:
+      - ${VOLUME_PATH}config:/etc/crowdsec
+      - ${VOLUME_PATH}data:/var/lib/crowdsec/data/
+      - /var/log/traefik:/var/log/traefik:ro
+    networks:
+      - traefik
+      - internal
+
+  crowdsec-bouncer:
+    image: fbonalair/traefik-crowdsec-bouncer:latest
+    environment:
+      - CROWDSEC_BOUNCER_API_KEY=${CROWDSEC_BOUNCER_API_KEY}
+      - CROWDSEC_AGENT_HOST=crowdsec:8080
+    networks:
+      - traefik
+      - internal
+
+volumes:
+  data:
+  config:
+
+networks:
+  internal:
+    driver: overlay
+    attachable: true
+  traefik:
+    external: true
+    name: traefik-net
diff --git a/stacks/traefik-crowdsec.yml b/stacks/traefik-crowdsec.yml
@@ -0,0 +1,54 @@
+# docker stack deploy -c traefik.yml traefik
+
+version: '3.8'
+
+services:
+  traefik:
+    image: traefik:${VERSION:-v2.11.3}
+    command:
+      # - --log.level=DEBUG
+      - --accesslog=${ACCESS_LOG:-false}
+      - --accesslog.filepath=/var/log/traefik/access.log
+      - --providers.docker
+      - --providers.docker.network=traefik-net
+      - --providers.docker.exposedByDefault=false
+      - --providers.docker.swarmMode=true
+      - --providers.docker.endpoint=unix:///var/run/docker.sock
+      - --entrypoints.https.http.middlewares=crowdsec-bouncer@docker
+      - --entrypoints.https.proxyProtocol.trustedIPs=${TRUSTED_IPS:-127.0.0.1}
+      - --entrypoints.https.forwardedHeaders.trustedIPs=${TRUSTED_IPS:-127.0.0.1}
+      - --entrypoints.https.address=:443
+      - --entrypoints.http.address=:80
+      - --entrypoints.http.proxyProtocol.trustedIPs=${TRUSTED_IPS:-127.0.0.1}
+      - --entrypoints.http.forwardedHeaders.trustedIPs=${TRUSTED_IPS:-127.0.0.1}
+      - --entrypoints.http.http.redirections.entryPoint.to=https
+      - --entrypoints.http.http.redirections.entryPoint.scheme=https
+      - --entrypoints.http.http.redirections.entrypoint.permanent=true
+      - --certificatesresolvers.letsencrypt.acme.tlschallenge=true
+      - --certificatesresolvers.letsencrypt.acme.email=${ACME_EMAIL:[email protected]}
+      - --certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json
+    volumes:
+      - ${VOLUME_PATH}letsencrypt:/letsencrypt
+      - ${VOLUME_PATH}logs:/var/log/traefik/
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+    ports:
+      - {target: 80, published: 80, mode: host, protocol: tcp}
+      - {target: 443, published: 443, mode: host, protocol: tcp}
+    deploy:
+      mode: ${MODE:-replicated}
+      labels:
+        - traefik.enable=true
+        - traefik.http.routers.traefik.entrypoints=https
+        - traefik.http.routers.traefik.middlewares=crowdsec-bouncer
+        - traefik.http.services.traefik.loadbalancer.server.port=8080
+        - traefik.http.middlewares.crowdsec-bouncer.forwardauth.address=http://crowdsec-bouncer:8080/api/v1/forwardAuth
+        - traefik.http.middlewares.crowdsec-bouncer.forwardauth.trustForwardHeader=true
+
+volumes:
+  letsencrypt:
+  logs:
+
+networks:
+  default:
+    external: true
+    name: traefik-net