From 039354993e554dbb94200e345b747fc1a78bab07 Mon Sep 17 00:00:00 2001
From: chris
Date: Wed, 21 Jan 2026 16:25:39 +0000
Subject: [PATCH] cleanup gitignore, improve crowdsec

---
 .gitignore | 12 ++++++++++++
 services/.env | 1 -
 services/crowdsec/appsec.yaml | 6 ++++++
 services/crowdsec/crowdsec.yml | 1 +
 services/headscale/headscale.yml | 15 ++++++++++-----
 services/traefik/config/config.yml | 4 +++-
 6 files changed, 32 insertions(+), 7 deletions(-)
 create mode 100644 .gitignore
 delete mode 100644 services/.env
 create mode 100644 services/crowdsec/appsec.yaml

diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..f247f45
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,12 @@
+# Ignore these files
+**/services/.env
+
+# Ignore these folders
+letsencrypt/
+certs/
+log-dashboard/
+lib/
+**/headscale/config/
+**/headscale/run/
+**/crowdsec/config/
+**/crowdsec/data/
diff --git a/services/.env b/services/.env
deleted file mode 100644
index 7e7463d..0000000
--- a/services/.env
+++ /dev/null
@@ -1 +0,0 @@
-CROWDSEC_API_KEY=8lbUZjrGQp9JZln2pa5G1SCj0Fc8f9SaZUwqLm+6ZJQ
diff --git a/services/crowdsec/appsec.yaml b/services/crowdsec/appsec.yaml
new file mode 100644
index 0000000..279fcd8
--- /dev/null
+++ b/services/crowdsec/appsec.yaml
@@ -0,0 +1,6 @@
+appsec_configs:
+ - crowdsecurity/appsec-default
+labels:
+ type: appsec
+listen_addr: 0.0.0.0:7422
+source: appsec
diff --git a/services/crowdsec/crowdsec.yml b/services/crowdsec/crowdsec.yml
index c39e68d..67b4eae 100644
--- a/services/crowdsec/crowdsec.yml
+++ b/services/crowdsec/crowdsec.yml
@@ -18,6 +18,7 @@ services:
 - ${SERVICE_PATH}/crowdsec/config/acquis.yaml:/etc/crowdsec/acquis.yaml:ro
 - ${SERVICE_PATH}/crowdsec/config/config.yaml:/etc/crowdsec/config.yaml
 - ${SERVICE_PATH}/crowdsec/config:/etc/crowdsec
+ - ${SERVICE_PATH}/crowdsec/appsec.yaml:/etc/crowdsec/acquis.d/appsec.yaml
 - ${SERVICE_PATH}/crowdsec/data:/var/lib/crowdsec/data
 - /var/log/traefik:/var/log/crowdsec:ro
 - /var/log/syslog:/var/log/syslog:ro
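Review bot: Adding `**/services/.env` to .gitignore does not undo the fact that services/.env, deleted in this same commit, was tracked with a plaintext CrowdSec API key, which remains readable in the repository history and in this patch; that key should be treated as exposed and re-issued (the traefik config's own comment shows it was generated with `cscli bouncers add`), and the replacement TRAEFIK_CROWDSEC_API_KEY value kept out of the repo from the start. The unanchored patterns `lib/`, `certs/` and `letsencrypt/` match a directory of that name at any depth, unlike the `**/headscale/…` and `**/crowdsec/…` entries which name their parent; if only the service directories are meant (headscale.yml mounts `${SERVICE_PATH}/headscale/lib`), anchoring them as `**/headscale/lib/` and `/certs/` avoids silently ignoring an unrelated `lib/` added later.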
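Review bot: `appsec_configs: - crowdsecurity/appsec-default` references a hub item that nothing in this commit installs; as far as I know CrowdSec fails the AppSec datasource at startup when the named config is absent, so either document the prerequisite in the file, e.g. `# requires: cscli appsec-configs install crowdsecurity/appsec-default`, or install it wherever this container's other hub items are installed (not visible here). `listen_addr: 0.0.0.0:7422` binds every interface inside the container, which is what Traefik needs to reach `crowdsec:7422` over the compose network; it only becomes a problem if 7422 is also published to the host in crowdsec.yml's ports section, which is outside this patch, so a one-line comment stating the listener is intended for the container network only would prevent that later.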
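Review bot: The new appsec.yaml bind mount is read-write while the sibling acquis.yaml mount three lines above is `:ro`; an acquisition file is only read by the container, so it should be `- ${SERVICE_PATH}/crowdsec/appsec.yaml:/etc/crowdsec/acquis.d/appsec.yaml:ro`. Note also that `${SERVICE_PATH}/crowdsec/config` is already mounted over `/etc/crowdsec`, so this single-file mount is layered on top of that directory; keeping appsec.yaml outside `config/` is presumably deliberate so it stays tracked while `**/crowdsec/config/` is gitignored, and a short comment saying so would stop the next reader from moving it back into `config/acquis.d/`. The services stanza continues outside the hunk.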
diff --git a/services/headscale/headscale.yml b/services/headscale/headscale.yml
index 4872208..5519fb1 100644
--- a/services/headscale/headscale.yml
+++ b/services/headscale/headscale.yml
@@ -3,19 +3,24 @@ services:
 extends:
 file: ${TEMPLATES_PATH}
 service: default
- image: docker.io/headscale/headscale
- container_name: headscale
+ image: docker.io/headscale/headscale
+ container_name: headscale
 volumes:
 - ${SERVICE_PATH}/headscale/config:/etc/headscale
 - ${SERVICE_PATH}/headscale/lib:/var/lib/headscale
 - ${SERVICE_PATH}/headscale/run:/var/run/headscale
 ports:
- - 127.0.0.1:8080:8080 # api
+ - 127.0.0.1:8080:8080 # api
 - 127.0.0.1:9090:9090 # metrics
 command: serve
 environment:
 networks:
 - ip4net
 labels:
- # Watchtower
- - "com.centurylinklabs.watchtower.enable=true"
+ # Traefik
+ - "traefik.enable=true"
+ - "traefik.http.routers.headscale.rule=Host(`headscale.${PUBLIC_DOMAIN}`)"
+ - "traefik.http.routers.headscale.entrypoints=https"
+ - "traefik.http.routers.headscale.tls.certresolver=myresolver"
+ - "traefik.http.routers.headscale.tls=true"
+ - "traefik.http.routers.headscale.middlewares=crowdsec-bouncer@file"
diff --git a/services/traefik/config/config.yml b/services/traefik/config/config.yml
index ba8649e..4f0c9d7 100644
--- a/services/traefik/config/config.yml
+++ b/services/traefik/config/config.yml
@@ -10,11 +10,13 @@ http:
 updateIntervalSeconds: 60
 crowdsecMode: stream
 crowdsecAppsecEnabled: true
+ crowdsecAppsecFailureBlock: true
+ crowdsecAppsecUnreachableBlock: true
 crowdsecAppsecHost: crowdsec:7422
 crowdsecLapiScheme: http
 crowdsecLapiHost: crowdsec:8080
 # generated using "docker exec crowdsec cscli bouncers add crowdsecBouncer"
- crowdseclapikey: {{ env "TRAEFIK_CROWDSEC_API_KEY" }}
+ crowdsecLapikey: {{ env "TRAEFIK_CROWDSEC_API_KEY" }}
 forwardedHeadersTrustedIPs:
 - 10.0.0.0/8
 clientTrustedIPs:
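Review bot: The new Traefik labels say where `headscale.${PUBLIC_DOMAIN}` is routed but not which container port to use; this service publishes both 8080 (api) and 9090 (metrics), and if the image exposes more than one port Traefik will not choose for you, so add `- "traefik.http.services.headscale.loadbalancer.server.port=8080"` so the metrics listener can never be the one selected behind a public hostname. The hunk also replaces the `com.centurylinklabs.watchtower.enable=true` label instead of adding the Traefik labels next to it, which silently stops Watchtower updates for headscale; if that is intended the commit message should say so, otherwise keep the Watchtower label. `traefik.http.routers.headscale.tls=true` is implied by `tls.certresolver=myresolver` and can be dropped. The `headscale:` service definition begins before the hunk.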
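Review bot: `crowdsecAppsecFailureBlock: true` and `crowdsecAppsecUnreachableBlock: true` make the bouncer fail closed, so an AppSec outage now rejects every request on routes carrying `crowdsec-bouncer@file`, including the headscale router added in this commit; that is the right choice for an Internet-facing entrypoint but it should be stated in the file, e.g. `# fail closed: block requests when the AppSec component errors or is unreachable`. The rename `crowdseclapikey` → `crowdsecLapikey` is presumably cosmetic, since as far as I know Traefik matches dynamic-config keys case-insensitively, but if the aim is to match the plugin's documented spelling `crowdsecLapiKey`, the capital K is still missing. `{{ env "TRAEFIK_CROWDSEC_API_KEY" }}` renders to an empty value when the variable is unset, which leaves the middleware without a key rather than failing loudly; the enclosing middleware definition starts before the hunk.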