Merge branch 'falkheiland-app/crowdsec'

apps/crowdsec/config.json

@@ -0,0 +1,26 @@
+{
+  "$schema": "../schema.json",
+  "name": "Crowdsec",
+  "port": 8679,
+  "available": true,
+  "exposable": true,
+  "id": "crowdsec",
+  "tipi_version": 1,
+  "version": "v1.6.1-2",
+  "categories": ["security", "utilities"],
+  "description": "CrowdSec is a free, modern & collaborative behavior detection engine, coupled with a global IP reputation network. It stacks on fail2ban's philosophy but is IPV6 compatible and 60x faster (Go vs Python), it uses Grok patterns to parse logs and YAML scenarios to identify behaviors. CrowdSec is engineered for modern Cloud / Containers / VM-based infrastructures (by decoupling detection and remediation). Once detected you can remedy threats with various bouncers (firewall block, nginx http 403, Captchas, etc.) while the aggressive IP can be sent to CrowdSec for curation before being shared among all users to further improve everyone's security. See FAQ or read below for more.",
+  "short_desc": "Participative security solution offering crowdsourced protection against malicious IPs and access to the most advanced real-world CTI.",
+  "author": "crowdsecurity",
+  "source": "https://github.com/crowdsecurity/crowdsec",
+  "form_fields": [
+    {
+      "type": "password",
+      "hint": "For initial start, use a random string and change it later as specified in the description!",
+      "label": "Bouncer API Key",
+      "placeholder": "Random string",
+      "required": true,
+      "env_variable": "CROWDSEC_BOUNCER_API_KEY"
+    }
+  ],
+  "supported_architectures": ["arm64", "amd64"]
+}

apps/crowdsec/data/crowdsec/acquis.yaml

@@ -0,0 +1,11 @@
+filenames:
+ - /var/log/auth.log
+ - /var/log/syslog
+labels:
+  type: syslog
+---
+filenames:
+  - /var/log/traefik/*.log
+labels:
+  type: traefik
+---

apps/crowdsec/docker-compose.yml

@@ -0,0 +1,85 @@
+services:
+  crowdsec:
+    container_name: crowdsec
+    image: crowdsecurity/crowdsec:v1.6.1-2
+    restart: unless-stopped
+    volumes:
+      - /etc/localtime:/etc/localtime:ro
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+      - ${APP_DATA_DIR}/data/crowdsec/acquis.yaml:/etc/crowdsec/acquis.yaml
+      - ${APP_DATA_DIR}/data/crowdsec:/etc/crowdsec
+      - ${APP_DATA_DIR}/data/crowdsec/db:/var/lib/crowdsec/data
+      - /var/log/auth.log:/var/log/auth.log:ro
+      - /var/log/traefik:/var/log/traefik:ro
+      # other containers will output their log files too
+      # sudo mkdir /var/log/crowdsec
+      - /var/log/crowdsec:/var/log/crowdsec:ro
+    environment:
+      - COLLECTIONS=
+        crowdsecurity/linux
+        crowdsecurity/traefik
+        crowdsecurity/http-cve
+        crowdsecurity/whitelist-good-actors
+        crowdsecurity/sshd
+      - GID=${GID-1000}
+    networks:
+      - tipi_main_network
+
+  crowdsec-bouncer-traefik:
+    container_name: crowdsec-bouncer-traefik
+    image: fbonalair/traefik-crowdsec-bouncer:latest
+    restart: unless-stopped
+    depends_on:
+      - crowdsec
+    environment:
+      # the CROWDSEC_BOUNCER_API_KEY needs to be created of the crowdsec container with:
+      # To create the CROWDSEC_BOUNCER_API_KEY, execute the following command in the crowdsec container:
+      # docker compose exec -t crowdsec cscli bouncers add crowdsec-bouncer-traefik
+      - CROWDSEC_BOUNCER_API_KEY=${CROWDSEC_BOUNCER_API_KEY}
+      - CROWDSEC_AGENT_HOST=crowdsec:8080
+    networks:
+      - tipi_main_network
+
+  crowdsec-dashboard:
+    container_name: crowdsec-dashboard
+    #we're using a custom Dockerfile so that metabase pops with pre-configured dashboards
+    #build: ./crowdsec_config/dashboard
+    image: metabase/metabase
+    restart: unless-stopped
+    ports:
+      - ${APP_PORT}:3000
+    environment:
+      - MB_DB_FILE=/data/metabase.db
+      - MGID=${GID-1000}
+    depends_on:
+      - crowdsec
+    volumes:
+      - ${APP_DATA_DIR}/data/crowdsec-dashboard/data:/data
+      - ${APP_DATA_DIR}/data/crowdsec/db:/metabase-data
+    networks:
+      - tipi_main_network
+    labels:
+      # Main
+      traefik.enable: true
+      traefik.http.middlewares.crowdsec-web-redirect.redirectscheme.scheme: https
+      traefik.http.services.crowdsec.loadbalancer.server.port: 3000
+      # Web
+      traefik.http.routers.crowdsec-insecure.rule: Host(`${APP_DOMAIN}`)
+      traefik.http.routers.crowdsec-insecure.entrypoints: web
+      traefik.http.routers.crowdsec-insecure.service: crowdsec
+      traefik.http.routers.crowdsec-insecure.middlewares: crowdsec-web-redirect
+      # Websecure
+      traefik.http.routers.crowdsec.rule: Host(`${APP_DOMAIN}`)
+      traefik.http.routers.crowdsec.entrypoints: websecure
+      traefik.http.routers.crowdsec.service: crowdsec
+      traefik.http.routers.crowdsec.tls.certresolver: myresolver
+      # Local domain
+      traefik.http.routers.crowdsec-local-insecure.rule: Host(`crowdsec.${LOCAL_DOMAIN}`)
+      traefik.http.routers.crowdsec-local-insecure.entrypoints: web
+      traefik.http.routers.crowdsec-local-insecure.service: crowdsec
+      traefik.http.routers.crowdsec-local-insecure.middlewares: crowdsec-web-redirect
+      # Local domain secure
+      traefik.http.routers.crowdsec-local.rule: Host(`crowdsec.${LOCAL_DOMAIN}`)
+      traefik.http.routers.crowdsec-local.entrypoints: websecure
+      traefik.http.routers.crowdsec-local.service: crowdsec
+      traefik.http.routers.crowdsec-local.tls: true

apps/crowdsec/metadata/description.md

@@ -0,0 +1,103 @@
+# CrowdSec
+
+CrowdSec - the open-source and participative security solution offering crowdsourced protection against malicious IPs and access to the most advanced real-world CTI
+
+CrowdSec is a free, modern & collaborative behavior detection engine, coupled with a global IP reputation network. It stacks on fail2ban's philosophy but is IPV6 compatible and 60x faster (Go vs Python), it uses Grok patterns to parse logs and YAML scenarios to identify behaviors. CrowdSec is engineered for modern Cloud / Containers / VM-based infrastructures (by decoupling detection and remediation). Once detected you can remedy threats with various bouncers (firewall block, nginx http 403, Captchas, etc.) while the aggressive IP can be sent to CrowdSec for curation before being shared among all users to further improve everyone's security. See FAQ or read below for more.
+
+## App Links
+
+<https://www.crowdsec.net/>
+
+<https://github.com/crowdsecurity/crowdsec>
+
+<https://hub.docker.com/r/crowdsecurity/crowdsec>
+
+## Bouncer API Key
+
+The app stack contains the crowdsec service and a bouncer. The bouncer needs an API Key to connect to the service.
+Since the API Key needs to be generated after the initial start, you must provide a temporary dummy Bouncer API Key for the stack to run.
+
+After you started the app, head to a console and use 
+
+```bash
+docker exec -t crowdsec cscli bouncers add crowdsec-bouncer-traefik
+```
+
+```bash
+# docker exec -t crowdsec cscli bouncers add crowdsec-bouncer-traefik
+API key for 'crowdsec-bouncer-traefik':
+
+   djC0YxRO3xzKG1mctemSzaUfs2yj4vG7cQ7fliTOJR0
+
+Please keep this key since you will not be able to retrieve it!
+```
+
+To get the Bouncer API Key, use this Key in the settings of the app instead of the dummy Bouncer API Key and restart the app.
+
+## Check Metrics
+
+```bash
+docker exec crowdsec cscli metrics
+```
+
+## Integrate in crowdsec Console
+
+https://app.crowdsec.net/security-engines
+
+With the key from the command line in the section `Enroll your CrowdSec Security Engine`execute:
+
+```bash
+docker exec crowdsec cscli console enroll {{ KEY }}
+```
+
+## Dashboard
+
+The dashboard comes with a preconfigured user:
+
+Email address: crowdsec@crowdsec.net
+
+Password: !!Cr0wdS3c_M3t4b4s3??
+
+
+## Traefik Integration
+
+add the following files and / or settings:
+
+- tipi-compose.yml
+
+  ```yml
+  services:
+    runtipi-reverse-proxy:
+      volumes:
+        - /var/log/traefik/:/var/log/
+  ```
+
+- traefik.yml
+
+  ```yml
+  entryPoints:
+    websecure:
+      http:
+        middlewares:
+          - crowdsec-bouncer@file
+  log:
+    filePath: "/var/log/traefik.log"
+    level: INFO
+
+  accessLog:
+    filePath: "/var/log/access.log"
+    bufferingSize: 100
+  ```
+
+- dynamic.yml
+
+  ```yml
+  http:
+    middlewares:
+      crowdsec-bouncer:
+        forwardauth:
+          address: http://crowdsec-bouncer-traefik:8080/api/v1/forwardAuth
+          trustForwardHeader: true
+  ```
+
+restart runtipi to apply the settings.