feat: Add crowdsec to server

Tony Du 2025-02-13 16:36:28 -08:00
parent 2ba4eca34e
commit 11c5f27bc7
19 changed files with 116 additions and 53 deletions

.gitignore vendored

@ -1,3 +1,4 @@
.env
/secrets.yml
venv
age.agekey
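Review bot: The `age.agekey` entry (which looks like the line this commit adds) only stops future `git add`s of the SOPS private key; it does nothing if the file was ever committed before this change. Confirm with `git log --all --full-history -- age.agekey` that no historical version exists, and consider the broader pattern `*.agekey` so a key exported under another name is excluded as well. Since the cluster now receives this key from Infisical through the `sops-age` ClusterExternalSecret added in the same commit, the local copy is only needed for encrypting and is better kept outside the working tree altogether.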


@ -158,7 +158,8 @@ kubectl delete -f proxmox/k8s/examples/001-example.yml
Prerequisites:
- Gitea is set up
- Infisical or some other secrets provider is set up
- Infisical or some other secrets provider is set up (if not Infisical, change
the ClusterSecretStore manifest)
Follow [the Infisical guide to get a client id and secret](https://infisical.com/docs/documentation/platform/identities/universal-auth).
Use it to apply [a manifest](https://external-secrets.io/latest/provider/infisical/)


@ -3,13 +3,13 @@
apiVersion: v1
kind: Service
metadata:
name: dns-home-mnke-external
name: dns-dolo-mnke-external
namespace: default
spec:
type: ExternalName
externalName: 10.0.123.123
ports:
- name: dns-home-mnke-external
- name: dns-dolo-mnke-external
port: 5380
targetPort: 5380
@ -18,7 +18,7 @@ spec:
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: dns-home-mnke-external
name: dns-dolo-mnke-external
namespace: default
spec:
entryPoints:
@ -31,7 +31,7 @@ spec:
namespace: default
services:
- kind: Service
name: dns-home-mnke-external
name: dns-dolo-mnke-external
port: 5380
passHostHeader: False
tls:


@ -6,4 +6,4 @@ resources:
- jellyfin-tonydu.yaml
- seerr-mnke.yaml
- seerr-tonydu.yaml
- dns-home-mnke.yaml
- dns-dolo-mnke.yaml


@ -16,3 +16,7 @@ spec:
prune: true
wait: true
timeout: 5m0s
decryption:
provider: sops
secretRef:
name: sops-age
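Review bot: The new `decryption.secretRef` makes this Kustomization depend on a `sops-age` Secret existing in its own namespace before it can reconcile, and that Secret is only materialised once external-secrets and the `sops-age` ClusterExternalSecret added in this commit have synced. On a fresh cluster the first reconciliations will therefore fail with a missing-secret error until then; if this Kustomization does not already carry a `dependsOn` entry for the Kustomization that installs external-secrets (the head of the spec is outside the hunk), adding one makes the ordering explicit instead of retry-driven. Flux also requires the age key to sit under a Secret data key ending in `.agekey`, which the `age.agekey` key in the ClusterExternalSecret satisfies, so that part lines up.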


@ -14,10 +14,6 @@ spec:
path: ./k8s/infrastructure/crds
wait: true
prune: true
decryption:
provider: sops
secretRef:
name: sops-age
---
apiVersion: kustomize.toolkit.fluxcd.io/v1


@ -1,3 +1,4 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:


@ -2,3 +2,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- cloudflare.yaml
- sops-age.yaml


@ -0,0 +1,28 @@
---
apiVersion: external-secrets.io/v1beta1
kind: ClusterExternalSecret
metadata:
name: sops-age
spec:
externalSecretName: sops-age
namespaceSelectors:
- matchLabels:
external-secrets.io/secrets.sops-age: require
- matchLabels:
app.kubernetes.io/instance: flux-system
externalSecretSpec:
secretStoreRef:
kind: ClusterSecretStore
name: infisical
target:
name: sops-age
data:
- secretKey: age.agekey
remoteRef:
key: sops-age-key
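Review bot: The `namespaceSelectors` block replicates the SOPS age private key — the key that decrypts every encrypted secret in this repository — into any namespace carrying the `external-secrets.io/secrets.sops-age: require` label, so anyone who can label or create namespaces can read it. Flux's `decryption.secretRef` only reads the Secret from the Kustomization's own namespace (flux-system here), so a plain ExternalSecret in flux-system, or a selector pinned to that one namespace, is sufficient: `- matchLabels:` / `    kubernetes.io/metadata.name: flux-system`. The opt-in label selector should be dropped unless another consumer genuinely needs the decryption key, and if one does, name it in a comment above the selector so the exposure is a recorded decision.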


@ -32,7 +32,7 @@ spec:
program: traefik
env:
- name: COLLECTIONS
value: "crowdsecurity/traefik"
value: "crowdsecurity/linux crowdsecurity/traefik crowdsecurity/http-dos crowdsecurity/base-http-scenarios"
lapi:
env:
# To enroll the Security Engine to the console


@ -2,5 +2,6 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- secrets.yaml
- repository.yaml
- release.yaml


@ -18,9 +18,14 @@ spec:
name: prometheus-community
namespace: flux-system
interval: 10m
valuesFrom:
- kind: Secret
name: grafana-creds
valuesKey: gf-admin-password
targetPath: grafana.adminPassword
values:
grafana:
adminPassword: admin
# adminPassword: admin
defaultDashboardsTimezone: browser
# TODO: Create CRDS first and then apply everything at one step
ingress:
@ -48,9 +53,9 @@ spec:
storageSpec:
volumeClaimTemplate:
spec:
storageClassName: longhorn
accessModes: ["ReadWriteOnce"]
storageClassName: nfs-client
accessModes: ["ReadWriteMany"]
resources:
requests:
storage: 4Gi
storage: 8Gi
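Review bot: If the `storageSpec` changed at `storageClassName: nfs-client` is `prometheusSpec.storageSpec`, it now places the Prometheus TSDB on NFS, which the Prometheus storage documentation lists as unsupported because most NFS implementations are not POSIX-compliant; the switch to `ReadWriteMany` also hints at a shared-volume intent that the TSDB does not support, since one data directory admits a single writer. If the move away from longhorn is about capacity, a larger `ReadWriteOnce` volume on the block storage class is the safer change, or the reason for NFS should be recorded in a comment next to the class. Separately, `# adminPassword: admin` should be deleted rather than commented out now that `valuesFrom` supplies the password — a commented-out default credential is an invitation to re-enable it.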


@ -0,0 +1,19 @@
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: grafana-creds
namespace: flux-system
spec:
secretStoreRef:
kind: ClusterSecretStore
name: infisical
target:
name: grafana-creds
data:
- secretKey: gf-admin-password
remoteRef:
key: gf-admin-password
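Review bot: This ExternalSecret lands `grafana-creds` in flux-system so that the HelmRelease's `valuesFrom` can read it, which means the admin password also becomes part of the rendered Helm values and is stored in the Helm release Secret alongside every other value (readable via `helm get values`). The grafana chart can instead read credentials straight from a Secret with `grafana.admin.existingSecret` and `grafana.admin.passwordKey`, keeping the password out of the values path; that needs the Secret in the namespace the release is installed into (outside this hunk), so this ExternalSecret's `namespace:` would move there. Either way, a one-line comment above `name: grafana-creds` stating that it feeds the kube-prometheus-stack Grafana admin login would tell the next reader why a monitoring credential lives in flux-system.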


@ -5,4 +5,4 @@ resources:
- namespace.yaml
- repository.yaml
- release.yaml
- plugins
- middlewares


@ -0,0 +1,36 @@
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: bouncer
namespace: traefik
spec:
plugin:
crowdsec-bouncer-traefik-plugin:
enabled: true
logLevel: DEBUG
crowdsecMode: live
crowdsecLapiScheme: http
# crowdsecLapiTLSInsecureVerify: true
crowdsecLapiHost: crowdsec-service.crowdsec.svc.cluster.local:8080
# https://docs.crowdsec.net/u/getting_started/installation/kubernetes/
crowdsecLapiKey: ENC[AES256_GCM,data:FJiRbf++tt3LUrIIHD49fYcrxc/dLE28ESRBBOFQXzTrEtK4KjCq/MmcZQ==,iv:cBZjSXMOA99rO71s3dhJflFO7bBHDXHpYl2BynT69Ko=,tag:ghN0Qfis3UcQVlm7us1qOA==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1gznjylxw2d3mhq6ar4nl4mvltzjems76swlqpe607u4h8j5ykefqz0hhw0
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBINjEySWwvTkVKbHQ1QVk4
TUE2VGdqUzd2bzQ5Z1UvWUNRZnFjVzdRUXg4CjR1UmVVdDV5aEw3azJzZTNvR3Vr
Q1hiRjYwTGdhN1VlUldhS01MdFJNUXMKLS0tIDZYNXg0aGlDQ0IxNHdMMnpWWi9u
VEtPSlVOSUFyaWt0ek1GZVdLOWN4NmMKZUFo00va4XrYXoRf6ge45nyLAYXlG7mP
xkyR0cInOsvhPd8hSQdMKZNxS8T38VnFsLOTCb/wJyzOuQgy13sznw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-02-14T02:23:36Z"
mac: ENC[AES256_GCM,data:IZOr8n3//RUDn1Wrlau82QXdvAvOPVLfbjEdm2sbIZhvjQ14xXeEDHXCMobudVv+sYPzx7rU2soTrpYNNDtp3ocUvMwBOi5Aa21bPPjc3kxxdvK+jtQliBEaLsPdwSO/+8fmDHK/Ip+gw3hrGsXic7zpc2pCp5XrRY75RjujO+g=,iv:KQavUuifIjeA2jgkRFBXAweGYvtK85wMcbFm9vfz6Vc=,tag:ZixM2qHGmfT2YTc5AU5smA==,type:str]
pgp: []
encrypted_regex: crowdsecLapiKey
version: 3.9.1
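Review bot: `crowdsecLapiScheme: http` next to the commented-out `# crowdsecLapiTLSInsecureVerify: true` reads as TLS having been dropped to get past a certificate error, and the result is that the LAPI bouncer key travels in cleartext on every decision lookup (`crowdsecMode: live` queries LAPI per request, where the deleted version of this file used `https` with `stream`). Restoring `https` and pointing the plugin at the LAPI's CA (its `crowdsecLapiTLSCertificateAuthority` option, or the `...File` variant) keeps the key off the wire without disabling verification. If Traefik sits behind another proxy or Cloudflare (this repo carries a `cloudflare.yaml`), the bouncer additionally needs `forwardedHeadersTrustedIPs` set to that proxy's address ranges so decisions are evaluated against the real client address rather than the proxy's. `logLevel: DEBUG` is reasonable while bringing this up but should drop back to INFO once stable, as debug output is likely to include per-request detail.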


@ -2,4 +2,5 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- crowdsec.yaml
- crowdsec-bouncer.yaml


@ -1,35 +0,0 @@
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: bouncer
namespace: traefik
spec:
plugin:
bouncer:
enabled: "true"
logLevel: DEBUG
crowdsecMode: stream
crowdsecLapiScheme: https
crowdsecLapiHost: crowdsec-service.crowdsec.svc.cluster.local:8080
# https://docs.crowdsec.net/u/getting_started/installation/kubernetes/
crowdsecLapiKey: ENC[AES256_GCM,data:6uiMo8nlWN+NJ9Ow8By3435R4sV6Ff4Uug/KSPDExNLnY4D2mM95Ne6Skw==,iv:XA5EhZ1iM+DzTa9ZhZlrKMwCh1YJ471GY4M3ZCJFKc4=,tag:Yn312cAs02oDnovxIVYHQA==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1gznjylxw2d3mhq6ar4nl4mvltzjems76swlqpe607u4h8j5ykefqz0hhw0
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsOW1HRDduS1JkeHp6N2Fx
RWlGTXpDS3Y1SHRRN1dzSm9LaFJXTVJYb0RNCjhuU1BONVhNWW05VUY2cWFOQWVK
cmcxN2dRVDdTWXovUzRJSWNZUjNUdzgKLS0tIHlVYmk4czdoaHI0aERaeWNTNHRz
S3JSOEY2Y0dWci9JNGVFRHM3ckxURjgKKCk3oswfOMyMFwluWbUOy1ugfM24SARR
fPbgrcUqAQAIiGONf88ybs9kWGSlnh9CS/IEhbDKFixAWNebpmv28A==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-02-14T00:15:25Z"
mac: ENC[AES256_GCM,data:sR/HO71a2sjIOmGXTSGkcDU/AAYNG+oy0G9Zr8WKT6Oz+auvp4gy2pUENJl1oX5KiUvfrJe7ref0x+oQ5FtaYHYIXW925zALYGpVFwVKeasAahsZLBqfzbG+Q/8aYrayaz2xidINlLU+DJT/H+M9vGmaRKX/p9CHt8EkAq736TQ=,iv:4rxIvGQnb6okS/kDAe9gkzIaEzIXY12lkQFNcpLYCTs=,tag:X7FjXkH1avrhM9ZQxo2dmQ==,type:str]
pgp: []
encrypted_regex: crowdsecLapiKey
version: 3.9.1


@ -49,6 +49,8 @@ spec:
ports:
web:
middlewares:
- traefik-bouncer@kubernetescrd
port: 80
redirections:
entryPoint:
@ -56,6 +58,8 @@ spec:
scheme: https
permanent: true
websecure:
middlewares:
- traefik-bouncer@kubernetescrd
port: 443
http3:
enabled: true
@ -128,7 +132,7 @@ spec:
plugins:
crowdsec-bouncer-traefik-plugin:
moduleName: "github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin"
version: "v1.4.1"
version: "v1.3.3"
# Mostly from https://github.com/traefik/traefik-helm-chart/blob/master/EXAMPLES.md#use-prometheus-operator
metrics:
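Review bot: The plugin pin at `version: "v1.3.3"` appears to move down from `"v1.4.1"` (the two lines print old then new), and a downgrade of the component that enforces CrowdSec decisions deserves an inline reason such as `# pinned to v1.3.3: v1.4.1 <observed problem> — revisit when fixed` with the actual symptom filled in, so nobody bumps it back blindly or leaves it behind for good. The two `middlewares:` additions under `web:` and `websecure:` reference `traefik-bouncer@kubernetescrd`, which matches the Middleware named `bouncer` in namespace `traefik` created in this commit. Since `web` only redirects to `websecure`, running the bouncer there too costs a LAPI lookup per redirected request in live mode but does stop banned clients before the redirect, so it is worth keeping unless LAPI load becomes a concern.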