fix(crowdsec): update whitelist.yaml to prevent false positive

false positive: - nextcloud chunk problem (crowdsecurity/http-crawl-non_statics) - change expression 'chunks.mjs' to 'chunk.mjs'
chore(chromium): archive a removed stack from console
2026-05-11 19:40:50 +09:00 · 2026-05-11 19:37:25 +09:00 · 2026-05-11 19:34:22 +09:00 · 2026-05-11 01:37:15 +09:00
6 changed files with 24 additions and 29 deletions
@@ -74,3 +74,10 @@
    enabled: true
    daemon_reload: true
  become: true
+
+- name: Fetch deb bin file
+  ansible.builtin.fetch:
+    src: "/var/cache/apt/archives/alloy-{{ version['packages']['alloy'] }}.deb"
+    dest: "{{ hostvars['console']['node']['data_path'] }}/bin/"
+    flat: true
+  become: true
@@ -1,8 +1 @@
 ---
- name: Register font
-  ansible.builtin.shell: |
-    fc-cache -f -v
-  become: true
-  changed_when: false
-  listen: "notification_update_font"
-  ignore_errors: true # noqa: ignore-errors
@@ -41,7 +41,7 @@
  ansible.builtin.get_url:
    url: "https://github.com/0xERR0R/blocky/releases/download/v{{ version['packages']['blocky'] }}/\
      blocky_v{{ version['packages']['blocky'] }}_Linux_x86_64.tar.gz"
-    dest: "/home/blocky/bin/blocky-{{ version['packages']['blocky'] }}-x86_64.tar.gz"
+    dest: "/home/blocky/bin/blocky-{{ version['packages']['blocky'] }}.tar.gz"
    owner: "blocky"
    group: "blocky"
    mode: "0600"
@@ -52,16 +52,16 @@
  ansible.builtin.get_url:
    url: "https://github.com/0xERR0R/blocky/releases/download/v{{ version['packages']['blocky'] }}/\
      blocky_v{{ version['packages']['blocky'] }}_Linux_arm64.tar.gz"
-    dest: "/home/blocky/bin/blocky-{{ version['packages']['blocky'] }}-arm64.tar.gz"
+    dest: "/home/blocky/bin/blocky-{{ version['packages']['blocky'] }}.tar.gz"
    owner: "blocky"
    group: "blocky"
    mode: "0600"
  become: true
  when: ansible_facts['architecture'] == "aarch64"

- name: Deploy blocky binary file (x86_64)
+- name: Deploy blocky binary file
  ansible.builtin.unarchive:
-    src: "/home/blocky/bin/blocky-{{ version['packages']['blocky'] }}-x86_64.tar.gz"
+    src: "/home/blocky/bin/blocky-{{ version['packages']['blocky'] }}.tar.gz"
    remote_src: true
    dest: "/usr/local/bin/"
    owner: "root"
@@ -72,23 +72,6 @@
      - "--wildcards"
      - "blocky"
  become: true
-  when: ansible_facts['architecture'] == "x86_64"
-  notify: "notification_restart_blocky"
-
- name: Deploy blocky binary file (aarch64)
-  ansible.builtin.unarchive:
-    src: "/home/blocky/bin/blocky-{{ version['packages']['blocky'] }}-arm64.tar.gz"
-    remote_src: true
-    dest: "/usr/local/bin/"
-    owner: "root"
-    group: "root"
-    mode: "0755"
-    extra_opts:
-      - "--strip-components=0"
-      - "--wildcards"
-      - "blocky"
-  become: true
-  when: ansible_facts['architecture'] == "aarch64"
  notify: "notification_restart_blocky"

 - name: Deploy blocky config
@@ -141,3 +124,10 @@
    enabled: true
    daemon_reload: true
  become: true
+
+- name: Fetch deb bin file
+  ansible.builtin.fetch:
+    src: "/home/blocky/bin/blocky-{{ version['packages']['blocky'] }}.tar.gz"
+    dest: "{{ hostvars['console']['node']['data_path'] }}/bin/"
+    flat: true
+  become: true
@@ -16,4 +16,6 @@ whitelist:
        - "evt.Meta.target_fqdn == '{{ services['immich']['domain']['public'] }}.{{ domain['public'] }}' && evt.Meta.http_status == '404' && evt.Meta.http_verb == 'GET' && evt.Meta.http_path contains '/api/assets/' && evt.Meta.http_path contains '/thumbnail'"
        # nextcloud thumbnail/preview request error false positive
        - "evt.Meta.target_fqdn == '{{ services['nextcloud']['domain']['public'] }}.{{ domain['public'] }}' && evt.Meta.http_status == '404' && evt.Meta.http_verb == 'GET' &&  evt.Meta.http_path startsWith '/index.php/core/preview?'"
+        # nextcloud chunks.mjs request false positive
+        - "evt.Meta.target_fqdn == '{{ services['nextcloud']['domain']['public'] }}.{{ domain['public'] }}' && evt.Meta.http_status in ['200', '304'] && evt.Meta.http_verb == 'GET' && evt.Meta.http_path contains 'chunk.mjs'"
 {% endif %}
@@ -23,11 +23,14 @@
 - 2026-05-03: Make previous expressions annotation
 - 2026-05-07: Find the false positive case, which is not on `crowdsecurity/nextcloud-whitelist`
 - 2026-05-07: Set whitelist expression
+- 2026-05-11: Find the false positive case, which is not on `crowdsec/nextcloud-whitelist`
+- 2026-05-11: Set whitelist expression

 ## Solution
 - Install crowdsecurity/nextcloud-whitelist on auth node
 - Add expression on whitelist
-  - evt.Meta.target_fqdn == '{{ services['nextcloud']['domain']['public'] }}.{{ domain['public'] }}' && evt.Meta.http_status == '404' && evt.Meta.http_verb == 'GET' &&  evt.Meta.http_path startsWith '/index.php/core/preview?'
+  - evt.Meta.target_fqdn == '{{ services['nextcloud']['domain']['public'] }}.{{ domain['public'] }}' && evt.Meta.http_status == '404' && evt.Meta.http_verb == 'GET' && evt.Meta.http_path startsWith '/index.php/core/preview?'
+  - evt.Meta.target_fqdn == '{{ services['nextcloud']['domain']['public'] }}.{{ domain['public'] }}' && evt.Meta.http_status in ['200', '304'] && evt.Meta.http_verb == 'GET' && evt.Meta.http_path contains 'chunk.mjs'

 ### Deprecated solution
 - Access to fw
Author	SHA1	Message	Date
il	e1936b494d	fix(crowdsec): update whitelist.yaml to prevent false positive false positive: - nextcloud chunk problem (crowdsecurity/http-crawl-non_statics) - change expression 'chunks.mjs' to 'chunk.mjs'	2026-05-11 19:40:50 +09:00
il	0afc841b69	chore(chromium): archive a removed stack from console archived stack: chromium	2026-05-11 19:37:25 +09:00
il	a39122eb4b	fix(crowdsec): update whitelist.yaml to prevent false positive false positive: - nextcloud chunk problem (crowdsecurity/http-crawl-non_statics)	2026-05-11 19:34:22 +09:00
il	0f4da0bb53	feat(backup): add archiving of runtime binary packages	2026-05-11 01:37:15 +09:00