1.0.0 Release IaaS

config/services/systemd/common/crowdsec/acquis.d/caddy.yaml

@@ -0,0 +1,5 @@
+# Suricata logs
+filenames:
+  - /var/log/caddy/access.log
+labels:
+  type: caddy

config/services/systemd/common/crowdsec/acquis.d/suricata.yaml

@@ -0,0 +1,5 @@
+# Suricata logs
+filenames:
+  - /var/log/suricata/eve.json
+labels:
+  type: suricata

config/services/systemd/common/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml.j2

@@ -0,0 +1,56 @@
+mode: nftables
+pid_dir: /var/run/
+update_frequency: 10s
+log_mode: file
+log_dir: /var/log/
+log_level: info
+log_compression: true
+log_max_size: 100
+log_max_backups: 3
+log_max_age: 30
+api_url: "https://{{ infra_uri['crowdsec']['domain'] }}:{{ infra_uri['crowdsec']['ports']['https'] }}"
+api_key: "{{ hostvars['console']['crowdsec']['bouncer']['fw'] }}"
+insecure_skip_verify: false
+disable_ipv6: false
+deny_action: DROP
+deny_log: false
+supported_decisions_types:
+  - ban
+#to change log prefix
+#deny_log_prefix: "crowdsec: "
+#to change the blacklists name
+blacklists_ipv4: crowdsec-blacklists
+blacklists_ipv6: crowdsec6-blacklists
+#type of ipset to use
+ipset_type: nethash
+#if present, insert rule in those chains
+#iptables_chains:
+#  - INPUT
+#  - FORWARD
+#  - OUTPUT
+#  - DOCKER-USER
+
+## nftables > table inet filter's set crowddsec-blacklists_ipv4,6 is needed
+nftables:
+  ipv4:
+    enabled: true
+    set-only: true
+    family: inet
+    table: filter
+    chain: global
+  ipv6:
+    enabled: true
+    set-only: true
+    family: inet
+    table: filter
+    chain: global
+# packet filter
+pf:
+  # an empty string disables the anchor
+  anchor_name: ""
+
+# Crowdsec firewall bouncer cannot use "[::]" yet
+prometheus:
+  enabled: true
+  listen_addr: "::"
+  listen_port: 60601

config/services/systemd/common/crowdsec/bouncers/whitelists.yaml.j2

@@ -0,0 +1,11 @@
+name: crowdsecurity/whitelists
+description: "Whitelist console/admin hosts only"
+whitelist:
+    reason: "trusted admin hosts"
+    ip:
+        - "127.0.0.1"
+        - "::1"
+        - "{{ hostvars['fw']['network4']['console']['client'] }}"
+        - "{{ hostvars['fw']['network4']['console']['wg'] }}"
+        - "{{ hostvars['fw']['network6']['console']['client'] }}"
+        - "{{ hostvars['fw']['network6']['console']['wg'] }}"

config/services/systemd/common/crowdsec/crowdsec-update.service

@@ -0,0 +1,10 @@
+[Unit]
+Description=Crowdsec Rule Update Service
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/cscli hub update
+ExecStart=/usr/bin/cscli hub upgrade
+ExecStartPost=/bin/systemctl restart crowdsec

config/services/systemd/common/crowdsec/crowdsec-update.timer

@@ -0,0 +1,10 @@
+[Unit]
+Description=Daily Crowdsec Rule Update Timer
+
+[Timer]
+OnCalendar=*-*-* 05:00:00
+Persistent=true
+RandomizedDelaySec=300
+
+[Install]
+WantedBy=timers.target

config/services/systemd/common/crowdsec/etc/config.yaml.j2

@@ -0,0 +1,66 @@
+common:
+  daemonize: true
+  log_media: file
+  log_level: info
+  log_dir: /var/log/
+  log_max_size: 20
+  compress_logs: true
+  log_max_files: 10
+  working_dir: .
+config_paths:
+  config_dir: /etc/crowdsec/
+  data_dir: /var/lib/crowdsec/data/
+  simulation_path: /etc/crowdsec/simulation.yaml
+  hub_dir: /var/lib/crowdsec/hub/
+  index_path: /var/lib/crowdsec/hub/.index.json
+  notification_dir: /etc/crowdsec/notifications/
+  plugin_dir: /usr/lib/crowdsec/plugins/
+crowdsec_service:
+  acquisition_path: /etc/crowdsec/acquis.yaml
+  acquisition_dir: /etc/crowdsec/acquis.d
+  parser_routines: 1
+cscli:
+  output: human
+  color: auto
+db_config:
+  log_level: info
+  type: sqlite
+  db_path: /var/lib/crowdsec/data/crowdsec.db
+  #max_open_conns: 100
+  #user: 
+  #password:
+  #db_name:
+  #host:
+  #port:
+  flush:
+    max_items: 5000
+    max_age: 7d
+plugin_config:
+  user: nobody # plugin process would be ran on behalf of this user
+  group: nogroup # plugin process would be ran on behalf of this group
+api:
+  client:
+    insecure_skip_verify: false
+    credentials_path: /etc/crowdsec/local_api_credentials.yaml
+{% if node['name'] == 'fw' %}
+  server:
+    log_level: info
+    listen_uri: "[::]:8080"
+    profiles_path: /etc/crowdsec/profiles.yaml
+    console_path: /etc/crowdsec/console.yaml
+    online_client: # Central API credentials (to push signals and receive bad IPs)
+      credentials_path: /etc/crowdsec/online_api_credentials.yaml
+    trusted_ips: # IP ranges, or IPs which can have admin API access
+      - ::1
+      - 127.0.0.1
+      - {{ hostvars['fw']['network6']['subnet']['server'] }}
+      - {{ hostvars['fw']['network4']['subnet']['server'] }}
+    tls:
+      cert_file: /etc/crowdsec/ssl/crowdsec.crt
+      key_file: /etc/crowdsec/ssl/crowdsec.key
+prometheus:
+  enabled: true
+  level: full
+  listen_addr: "[::]"
+  listen_port: 6060
+{% endif %}

config/services/systemd/common/crowdsec/etc/local_api_credentials.yaml.j2

@@ -0,0 +1,3 @@
+url: https://{{ infra_uri['crowdsec']['domain'] }}:{{ infra_uri['crowdsec']['ports']['https'] }}
+login: {{ node['name'] }}
+password: {{ hostvars['console']['crowdsec']['machine'][node['name']] }}