add crowdsec console enrollment

.gitignore

@@ -0,0 +1,12 @@
+# Ignore these files
+**/services/.env
+
+# Ignore these folders
+letsencrypt/
+certs/
+log-dashboard/
+lib/
+**/headscale/config/
+**/headscale/run/
+**/crowdsec/config/
+**/crowdsec/data/

README.md

@@ -2,3 +2,9 @@
 
 This configuration includes a reverse proxy using caddy, headscale (VPN) and watchtower (automatic updates).
 It is particularly useful if you do not own an IPV4 address, as this could be deployed on a server. In this case it was deployed on an oracle server and automated using an ansible playbook found on this [repository](https://gitea.crescentec.ch/chriswin/vps-ansible)
+
+For Crowdsec, if an enrollment to your console is wanted, run the following command: 
+```
+docker compose -it exec cscli console enroll $ENROLLMENT_KEY
+```
+where the the enrollment can be found in your console under the engine page.

services/.env

@@ -1 +0,0 @@
-CROWDSEC_API_KEY=8lbUZjrGQp9JZln2pa5G1SCj0Fc8f9SaZUwqLm+6ZJQ

services/crowdsec/appsec.yaml

@@ -0,0 +1,6 @@
+appsec_configs:
+  - crowdsecurity/appsec-default
+labels:
+  type: appsec
+listen_addr: 0.0.0.0:7422
+source: appsec

services/crowdsec/crowdsec.yml

@@ -18,6 +18,7 @@ services:
       - ${SERVICE_PATH}/crowdsec/config/acquis.yaml:/etc/crowdsec/acquis.yaml:ro
       - ${SERVICE_PATH}/crowdsec/config/config.yaml:/etc/crowdsec/config.yaml
       - ${SERVICE_PATH}/crowdsec/config:/etc/crowdsec
+      - ${SERVICE_PATH}/crowdsec/appsec.yaml:/etc/crowdsec/acquis.d/appsec.yaml
       - ${SERVICE_PATH}/crowdsec/data:/var/lib/crowdsec/data
       - /var/log/traefik:/var/log/crowdsec:ro
       - /var/log/syslog:/var/log/syslog:ro

services/headscale/headscale.yml

@@ -3,19 +3,24 @@ services:
     extends:
       file: ${TEMPLATES_PATH}
       service: default
-    image: docker.io/headscale/headscale 
+    image: docker.io/headscale/headscale
-    container_name: headscale 
+    container_name: headscale
     volumes:
       - ${SERVICE_PATH}/headscale/config:/etc/headscale
       - ${SERVICE_PATH}/headscale/lib:/var/lib/headscale
       - ${SERVICE_PATH}/headscale/run:/var/run/headscale
     ports:
-      - 127.0.0.1:8080:8080 # api 
+      - 127.0.0.1:8080:8080 # api
       - 127.0.0.1:9090:9090 # metrics
     command: serve
     environment:
     networks:
       - ip4net
     labels:
-      # Watchtower
+      # Traefik
-      - "com.centurylinklabs.watchtower.enable=true"
+      - "traefik.enable=true"
+      - "traefik.http.routers.headscale.rule=Host(`headscale.${PUBLIC_DOMAIN}`)"
+      - "traefik.http.routers.headscale.entrypoints=https"
+      - "traefik.http.routers.headscale.tls.certresolver=myresolver"
+      - "traefik.http.routers.headscale.tls=true"
+      - "traefik.http.routers.headscale.middlewares=crowdsec-bouncer@file"

services/traefik/config/config.yml

@@ -10,11 +10,13 @@ http:
           updateIntervalSeconds: 60
           crowdsecMode: stream
           crowdsecAppsecEnabled: true
+          crowdsecAppsecFailureBlock: true 
+          crowdsecAppsecUnreachableBlock: true 
           crowdsecAppsecHost: crowdsec:7422
           crowdsecLapiScheme: http
           crowdsecLapiHost: crowdsec:8080
           # generated using "docker exec crowdsec cscli bouncers add crowdsecBouncer"
-          crowdseclapikey: {{ env "TRAEFIK_CROWDSEC_API_KEY" }}
+          crowdsecLapikey: {{ env "TRAEFIK_CROWDSEC_API_KEY" }}
           forwardedHeadersTrustedIPs:
             - 10.0.0.0/8
           clientTrustedIPs: