cleanup gitignore, improve crowdsec

2026-01-21 16:25:39 +00:00
parent f0521563b5
commit 039354993e
6 changed files with 32 additions and 7 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1,12 @@
+# Ignore these files
+**/services/.env
+
+# Ignore these folders
+letsencrypt/
+certs/
+log-dashboard/
+lib/
+**/headscale/config/
+**/headscale/run/
+**/crowdsec/config/
+**/crowdsec/data/
--- a/services/.env
+++ b/services/.env
@@ -1 +0,0 @@
-CROWDSEC_API_KEY=8lbUZjrGQp9JZln2pa5G1SCj0Fc8f9SaZUwqLm+6ZJQ
--- a/services/crowdsec/appsec.yaml
+++ b/services/crowdsec/appsec.yaml
@@ -0,0 +1,6 @@
+appsec_configs:
+  - crowdsecurity/appsec-default
+labels:
+  type: appsec
+listen_addr: 0.0.0.0:7422
+source: appsec
--- a/services/crowdsec/crowdsec.yml
+++ b/services/crowdsec/crowdsec.yml
@@ -18,6 +18,7 @@ services:
      - ${SERVICE_PATH}/crowdsec/config/acquis.yaml:/etc/crowdsec/acquis.yaml:ro
      - ${SERVICE_PATH}/crowdsec/config/config.yaml:/etc/crowdsec/config.yaml
      - ${SERVICE_PATH}/crowdsec/config:/etc/crowdsec
+      - ${SERVICE_PATH}/crowdsec/appsec.yaml:/etc/crowdsec/acquis.d/appsec.yaml
      - ${SERVICE_PATH}/crowdsec/data:/var/lib/crowdsec/data
      - /var/log/traefik:/var/log/crowdsec:ro
      - /var/log/syslog:/var/log/syslog:ro
--- a/services/headscale/headscale.yml
+++ b/services/headscale/headscale.yml
@@ -3,19 +3,24 @@ services:
    extends:
      file: ${TEMPLATES_PATH}
      service: default
-    image: docker.io/headscale/headscale 
-    container_name: headscale 
+    image: docker.io/headscale/headscale
+    container_name: headscale
    volumes:
      - ${SERVICE_PATH}/headscale/config:/etc/headscale
      - ${SERVICE_PATH}/headscale/lib:/var/lib/headscale
      - ${SERVICE_PATH}/headscale/run:/var/run/headscale
    ports:
-      - 127.0.0.1:8080:8080 # api 
+      - 127.0.0.1:8080:8080 # api
      - 127.0.0.1:9090:9090 # metrics
    command: serve
    environment:
    networks:
      - ip4net
    labels:
-      # Watchtower
-      - "com.centurylinklabs.watchtower.enable=true"
+      # Traefik
+      - "traefik.enable=true"
+      - "traefik.http.routers.headscale.rule=Host(`headscale.${PUBLIC_DOMAIN}`)"
+      - "traefik.http.routers.headscale.entrypoints=https"
+      - "traefik.http.routers.headscale.tls.certresolver=myresolver"
+      - "traefik.http.routers.headscale.tls=true"
+      - "traefik.http.routers.headscale.middlewares=crowdsec-bouncer@file"
--- a/services/traefik/config/config.yml
+++ b/services/traefik/config/config.yml
@@ -10,11 +10,13 @@ http:
          updateIntervalSeconds: 60
          crowdsecMode: stream
          crowdsecAppsecEnabled: true
+          crowdsecAppsecFailureBlock: true 
+          crowdsecAppsecUnreachableBlock: true 
          crowdsecAppsecHost: crowdsec:7422
          crowdsecLapiScheme: http
          crowdsecLapiHost: crowdsec:8080
          # generated using "docker exec crowdsec cscli bouncers add crowdsecBouncer"
-          crowdseclapikey: {{ env "TRAEFIK_CROWDSEC_API_KEY" }}
+          crowdsecLapikey: {{ env "TRAEFIK_CROWDSEC_API_KEY" }}
          forwardedHeadersTrustedIPs:
            - 10.0.0.0/8
          clientTrustedIPs:
				`@@ -1 +0,0 @@`
				`CROWDSEC_API_KEY=8lbUZjrGQp9JZln2pa5G1SCj0Fc8f9SaZUwqLm+6ZJQ`