feat: Add crowdsec to server

.gitignore

@@ -1,3 +1,4 @@
 .env
 /secrets.yml
 venv
+age.agekey

README.md

@@ -158,7 +158,8 @@ kubectl delete -f proxmox/k8s/examples/001-example.yml
 
 Prerequisites:
 - Gitea is set up
-- Infisical or some other secrets provider is set up
+- Infisical or some other secrets provider is set up (if not Infisical, change
+  the ClusterSecretStore manifest)
 
 Follow [the Infisical guide to get a client id and secret](https://infisical.com/docs/documentation/platform/identities/universal-auth).
 Use it to apply [a manifest](https://external-secrets.io/latest/provider/infisical/)

k8s/apps/ingressroutes/external/build/dns-dolo-mnke.yaml

@@ -3,13 +3,13 @@
 apiVersion: v1
 kind: Service
 metadata:
-  name: dns-home-mnke-external
+  name: dns-dolo-mnke-external
   namespace: default
 spec:
   type: ExternalName
   externalName: 10.0.123.123
   ports:
-    - name: dns-home-mnke-external
+    - name: dns-dolo-mnke-external
       port: 5380
       targetPort: 5380
 
@@ -18,7 +18,7 @@ spec:
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
-  name: dns-home-mnke-external
+  name: dns-dolo-mnke-external
   namespace: default
 spec:
   entryPoints:
@@ -31,7 +31,7 @@ spec:
           namespace: default
       services:
         - kind: Service
-          name: dns-home-mnke-external
+          name: dns-dolo-mnke-external
           port: 5380
           passHostHeader: False
   tls:

k8s/apps/ingressroutes/external/build/kustomization.yaml

@@ -6,4 +6,4 @@ resources:
   - jellyfin-tonydu.yaml
   - seerr-mnke.yaml
   - seerr-tonydu.yaml
-  - dns-home-mnke.yaml
+  - dns-dolo-mnke.yaml

k8s/clusters/dolo/apps.yaml

@@ -16,3 +16,7 @@ spec:
   prune: true
   wait: true
   timeout: 5m0s
+  decryption:
+    provider: sops
+    secretRef:
+      name: sops-age

k8s/clusters/dolo/infrastructure.yaml

@@ -14,10 +14,6 @@ spec:
   path: ./k8s/infrastructure/crds
   wait: true
   prune: true
-  decryption:
-    provider: sops
-    secretRef:
-      name: sops-age
 
 ---
 apiVersion: kustomize.toolkit.fluxcd.io/v1

k8s/infrastructure/configs/kustomization.yaml

@@ -1,3 +1,4 @@
+---
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:

k8s/infrastructure/configs/secrets/kustomization.yaml

@@ -2,3 +2,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
   - cloudflare.yaml
+  - sops-age.yaml

k8s/infrastructure/configs/secrets/sops-age.yaml

@@ -0,0 +1,28 @@
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ClusterExternalSecret
+metadata:
+  name: sops-age
+spec:
+  externalSecretName: sops-age
+
+  namespaceSelectors:
+    - matchLabels:
+        external-secrets.io/secrets.sops-age: require
+    - matchLabels:
+        app.kubernetes.io/instance: flux-system
+
+  externalSecretSpec:
+    secretStoreRef:
+      kind: ClusterSecretStore
+      name: infisical
+
+    target:
+      name: sops-age
+
+    data:
+      - secretKey: age.agekey
+        remoteRef:
+          key: sops-age-key
+
+

k8s/infrastructure/controllers/crowdsec/release.yaml

@@ -32,7 +32,7 @@ spec:
           program: traefik
       env:
         - name: COLLECTIONS
-          value: "crowdsecurity/traefik"
+          value: "crowdsecurity/linux crowdsecurity/traefik crowdsecurity/http-dos crowdsecurity/base-http-scenarios"
     lapi:
       env:
         # To enroll the Security Engine to the console

k8s/infrastructure/controllers/kube-prometheus-stack/kustomization.yaml

@@ -2,5 +2,6 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
+  - secrets.yaml
   - repository.yaml
   - release.yaml

k8s/infrastructure/controllers/kube-prometheus-stack/release.yaml

@@ -18,9 +18,14 @@ spec:
         name: prometheus-community
         namespace: flux-system
       interval: 10m
+  valuesFrom:
+    - kind: Secret
+      name: grafana-creds
+      valuesKey: gf-admin-password
+      targetPath: grafana.adminPassword
   values:
     grafana:
-      adminPassword: admin
+      # adminPassword: admin
       defaultDashboardsTimezone: browser
       # TODO: Create CRDS first and then apply everything at one step
       ingress:
@@ -48,9 +53,9 @@ spec:
         storageSpec:
           volumeClaimTemplate:
             spec:
-              storageClassName: longhorn
-              accessModes: ["ReadWriteOnce"]
+              storageClassName: nfs-client
+              accessModes: ["ReadWriteMany"]
               resources:
                 requests:
-                  storage: 4Gi
+                  storage: 8Gi
 

k8s/infrastructure/controllers/kube-prometheus-stack/secrets.yaml

@@ -0,0 +1,19 @@
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: grafana-creds
+  namespace: flux-system
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: infisical
+
+  target:
+    name: grafana-creds
+
+  data:
+    - secretKey: gf-admin-password
+      remoteRef:
+        key: gf-admin-password
+

k8s/infrastructure/controllers/traefik/kustomization.yaml

@@ -5,4 +5,4 @@ resources:
   - namespace.yaml
   - repository.yaml
   - release.yaml
-  - plugins
+  - middlewares

k8s/infrastructure/controllers/traefik/middlewares/crowdsec-bouncer.yaml

@@ -0,0 +1,36 @@
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+    name: bouncer
+    namespace: traefik
+spec:
+    plugin:
+        crowdsec-bouncer-traefik-plugin:
+            enabled: true
+            logLevel: DEBUG
+            crowdsecMode: live
+            crowdsecLapiScheme: http
+            # crowdsecLapiTLSInsecureVerify: true
+            crowdsecLapiHost: crowdsec-service.crowdsec.svc.cluster.local:8080
+            # https://docs.crowdsec.net/u/getting_started/installation/kubernetes/
+            crowdsecLapiKey: ENC[AES256_GCM,data:FJiRbf++tt3LUrIIHD49fYcrxc/dLE28ESRBBOFQXzTrEtK4KjCq/MmcZQ==,iv:cBZjSXMOA99rO71s3dhJflFO7bBHDXHpYl2BynT69Ko=,tag:ghN0Qfis3UcQVlm7us1qOA==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1gznjylxw2d3mhq6ar4nl4mvltzjems76swlqpe607u4h8j5ykefqz0hhw0
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBINjEySWwvTkVKbHQ1QVk4
+            TUE2VGdqUzd2bzQ5Z1UvWUNRZnFjVzdRUXg4CjR1UmVVdDV5aEw3azJzZTNvR3Vr
+            Q1hiRjYwTGdhN1VlUldhS01MdFJNUXMKLS0tIDZYNXg0aGlDQ0IxNHdMMnpWWi9u
+            VEtPSlVOSUFyaWt0ek1GZVdLOWN4NmMKZUFo00va4XrYXoRf6ge45nyLAYXlG7mP
+            xkyR0cInOsvhPd8hSQdMKZNxS8T38VnFsLOTCb/wJyzOuQgy13sznw==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-02-14T02:23:36Z"
+    mac: ENC[AES256_GCM,data:IZOr8n3//RUDn1Wrlau82QXdvAvOPVLfbjEdm2sbIZhvjQ14xXeEDHXCMobudVv+sYPzx7rU2soTrpYNNDtp3ocUvMwBOi5Aa21bPPjc3kxxdvK+jtQliBEaLsPdwSO/+8fmDHK/Ip+gw3hrGsXic7zpc2pCp5XrRY75RjujO+g=,iv:KQavUuifIjeA2jgkRFBXAweGYvtK85wMcbFm9vfz6Vc=,tag:ZixM2qHGmfT2YTc5AU5smA==,type:str]
+    pgp: []
+    encrypted_regex: crowdsecLapiKey
+    version: 3.9.1

k8s/infrastructure/controllers/traefik/middlewares/kustomization.yaml

@@ -2,4 +2,5 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-  - crowdsec.yaml
+  - crowdsec-bouncer.yaml
+

k8s/infrastructure/controllers/traefik/plugins/crowdsec.yaml

@@ -1,35 +0,0 @@
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
-    name: bouncer
-    namespace: traefik
-spec:
-    plugin:
-        bouncer:
-            enabled: "true"
-            logLevel: DEBUG
-            crowdsecMode: stream
-            crowdsecLapiScheme: https
-            crowdsecLapiHost: crowdsec-service.crowdsec.svc.cluster.local:8080
-            # https://docs.crowdsec.net/u/getting_started/installation/kubernetes/
-            crowdsecLapiKey: ENC[AES256_GCM,data:6uiMo8nlWN+NJ9Ow8By3435R4sV6Ff4Uug/KSPDExNLnY4D2mM95Ne6Skw==,iv:XA5EhZ1iM+DzTa9ZhZlrKMwCh1YJ471GY4M3ZCJFKc4=,tag:Yn312cAs02oDnovxIVYHQA==,type:str]
-sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
-    age:
-        - recipient: age1gznjylxw2d3mhq6ar4nl4mvltzjems76swlqpe607u4h8j5ykefqz0hhw0
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsOW1HRDduS1JkeHp6N2Fx
-            RWlGTXpDS3Y1SHRRN1dzSm9LaFJXTVJYb0RNCjhuU1BONVhNWW05VUY2cWFOQWVK
-            cmcxN2dRVDdTWXovUzRJSWNZUjNUdzgKLS0tIHlVYmk4czdoaHI0aERaeWNTNHRz
-            S3JSOEY2Y0dWci9JNGVFRHM3ckxURjgKKCk3oswfOMyMFwluWbUOy1ugfM24SARR
-            fPbgrcUqAQAIiGONf88ybs9kWGSlnh9CS/IEhbDKFixAWNebpmv28A==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-02-14T00:15:25Z"
-    mac: ENC[AES256_GCM,data:sR/HO71a2sjIOmGXTSGkcDU/AAYNG+oy0G9Zr8WKT6Oz+auvp4gy2pUENJl1oX5KiUvfrJe7ref0x+oQ5FtaYHYIXW925zALYGpVFwVKeasAahsZLBqfzbG+Q/8aYrayaz2xidINlLU+DJT/H+M9vGmaRKX/p9CHt8EkAq736TQ=,iv:4rxIvGQnb6okS/kDAe9gkzIaEzIXY12lkQFNcpLYCTs=,tag:X7FjXkH1avrhM9ZQxo2dmQ==,type:str]
-    pgp: []
-    encrypted_regex: crowdsecLapiKey
-    version: 3.9.1

k8s/infrastructure/controllers/traefik/release.yaml

@@ -49,6 +49,8 @@ spec:
 
     ports:
       web:
+        middlewares:
+          - traefik-bouncer@kubernetescrd
         port: 80
         redirections:
           entryPoint:
@@ -56,6 +58,8 @@ spec:
             scheme: https
             permanent: true
       websecure:
+        middlewares:
+          - traefik-bouncer@kubernetescrd
         port: 443
         http3:
           enabled: true
@@ -128,7 +132,7 @@ spec:
       plugins:
         crowdsec-bouncer-traefik-plugin:
           moduleName: "github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin"
-          version: "v1.4.1"
+          version: "v1.3.3"
 
     # Mostly from https://github.com/traefik/traefik-helm-chart/blob/master/EXAMPLES.md#use-prometheus-operator
     metrics: