From 726c0c35230410d0cc8b81c64d5eaa8fdce8afcf Mon Sep 17 00:00:00 2001
From: il
Date: Sat, 21 Mar 2026 19:30:15 +0900
Subject: [PATCH] config: update whitelists.yaml.j2 to add whitelist expression to fix false positive of actual budget
---
 .../common/crowdsec/bouncers/whitelists.yaml.j2 | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/config/services/systemd/common/crowdsec/bouncers/whitelists.yaml.j2 b/config/services/systemd/common/crowdsec/bouncers/whitelists.yaml.j2
index 8766d77..506f640 100644
--- a/config/services/systemd/common/crowdsec/bouncers/whitelists.yaml.j2
+++ b/config/services/systemd/common/crowdsec/bouncers/whitelists.yaml.j2
@@ -1,11 +1,17 @@
 name: crowdsecurity/whitelists
-description: "Whitelist console/admin hosts only"
+description: "Local whitelist policy"
 whitelist:
- reason: "trusted admin hosts"
+ reason: "rules"
 ip:
+ # Console IP lists
 - "127.0.0.1"
 - "::1"
 - "{{ hostvars['fw']['network4']['console']['client'] }}"
 - "{{ hostvars['fw']['network4']['console']['wg'] }}"
 - "{{ hostvars['fw']['network6']['console']['client'] }}"
 - "{{ hostvars['fw']['network6']['console']['wg'] }}"
+{% if node['name'] == 'auth' %}
+ expression:
+ # budget local-first sql scrap rule
+ - "evt.Meta.target_fqdn == 'budget.ilnmors.com' && evt.Meta.http_path contains '/data/migrations/'"
+{% endif %}
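Review bot: The new `expression` entry matches the path with `contains`, so every event for `budget.ilnmors.com` whose path has `/data/migrations/` anywhere in it is whitelisted, from any source address, not only the migration fetches behind the false positive. Anchoring the match keeps the exemption to that directory, e.g. `- "evt.Meta.target_fqdn == 'budget.ilnmors.com' && evt.Meta.http_path startsWith '/data/migrations/'"`, assuming the app is served from the site root. It is also worth confirming whether `http_path` includes the query string with the parser in use, since a substring match would then cover query parameters as well. Separately, `reason: "rules"` says less than the string it replaced; a reason that names both the console hosts and this exemption would be easier to interpret when reviewing whitelisted events.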