tony/homelab
1
0
Fork 0
Code Issues 12 Pull Requests Actions Packages Projects Releases Wiki Activity

feat: Add crowdsec to server

Browse Source
This commit is contained in:
Tony Du 2025-02-13 16:36:28 -08:00
parent 2ba4eca34e
commit 11c5f27bc7
19 changed files with 116 additions and 53 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@ -1,3 +1,4 @@
.env .env
/secrets.yml /secrets.yml
venv venv
age.agekey

0
k8s/clusters/dolo/.sops.yaml → .sops.yaml
View File

3
README.md
View File

@ -158,7 +158,8 @@ kubectl delete -f proxmox/k8s/examples/001-example.yml
Prerequisites: Prerequisites:
- Gitea is set up - Gitea is set up
- Infisical or some other secrets provider is set up - Infisical or some other secrets provider is set up (if not Infisical, change
the ClusterSecretStore manifest)
Follow [the Infisical guide to get a client id and secret](https://infisical.com/docs/documentation/platform/identities/universal-auth). Follow [the Infisical guide to get a client id and secret](https://infisical.com/docs/documentation/platform/identities/universal-auth).
Use it to apply [a manifest](https://external-secrets.io/latest/provider/infisical/) Use it to apply [a manifest](https://external-secrets.io/latest/provider/infisical/)

8
k8s/apps/ingressroutes/external/build/dns-home-mnke.yaml → k8s/apps/ingressroutes/external/build/dns-dolo-mnke.yaml vendored
View File

@ -3,13 +3,13 @@
apiVersion: v1 apiVersion: v1
kind: Service kind: Service
metadata: metadata:
name: dns-home-mnke-external name: dns-dolo-mnke-external
namespace: default namespace: default
spec: spec:
type: ExternalName type: ExternalName
externalName: 10.0.123.123 externalName: 10.0.123.123
ports: ports:
- name: dns-home-mnke-external - name: dns-dolo-mnke-external
port: 5380 port: 5380
targetPort: 5380 targetPort: 5380
@ -18,7 +18,7 @@ spec:
apiVersion: traefik.io/v1alpha1 apiVersion: traefik.io/v1alpha1
kind: IngressRoute kind: IngressRoute
metadata: metadata:
name: dns-home-mnke-external name: dns-dolo-mnke-external
namespace: default namespace: default
spec: spec:
entryPoints: entryPoints:
@ -31,7 +31,7 @@ spec:
namespace: default namespace: default
services: services:
- kind: Service - kind: Service
name: dns-home-mnke-external name: dns-dolo-mnke-external
port: 5380 port: 5380
passHostHeader: False passHostHeader: False
tls: tls:

2
k8s/apps/ingressroutes/external/build/kustomization.yaml vendored
View File

@ -6,4 +6,4 @@ resources:
- jellyfin-tonydu.yaml - jellyfin-tonydu.yaml
- seerr-mnke.yaml - seerr-mnke.yaml
- seerr-tonydu.yaml - seerr-tonydu.yaml
- dns-home-mnke.yaml - dns-dolo-mnke.yaml

4
k8s/clusters/dolo/apps.yaml
View File

@ -16,3 +16,7 @@ spec:
prune: true prune: true
wait: true wait: true
timeout: 5m0s timeout: 5m0s
decryption:
provider: sops
secretRef:
name: sops-age

4
k8s/clusters/dolo/infrastructure.yaml
View File

@ -14,10 +14,6 @@ spec:
path: ./k8s/infrastructure/crds path: ./k8s/infrastructure/crds
wait: true wait: true
prune: true prune: true
decryption:
provider: sops
secretRef:
name: sops-age
--- ---
apiVersion: kustomize.toolkit.fluxcd.io/v1 apiVersion: kustomize.toolkit.fluxcd.io/v1

1
k8s/infrastructure/configs/kustomization.yaml
View File

@ -1,3 +1,4 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1 apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization kind: Kustomization
resources: resources:

1
k8s/infrastructure/configs/secrets/kustomization.yaml
View File

@ -2,3 +2,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization kind: Kustomization
resources: resources:
- cloudflare.yaml - cloudflare.yaml
- sops-age.yaml

28
k8s/infrastructure/configs/secrets/sops-age.yaml Normal file
View File

@ -0,0 +1,28 @@
---
apiVersion: external-secrets.io/v1beta1
kind: ClusterExternalSecret
metadata:
name: sops-age
spec:
externalSecretName: sops-age
namespaceSelectors:
- matchLabels:
external-secrets.io/secrets.sops-age: require
- matchLabels:
app.kubernetes.io/instance: flux-system
externalSecretSpec:
secretStoreRef:
kind: ClusterSecretStore
name: infisical
target:
name: sops-age
data:
- secretKey: age.agekey
remoteRef:
key: sops-age-key

2
k8s/infrastructure/controllers/crowdsec/release.yaml
View File

@ -32,7 +32,7 @@ spec:
program: traefik program: traefik
env: env:
- name: COLLECTIONS - name: COLLECTIONS
value: "crowdsecurity/traefik" value: "crowdsecurity/linux crowdsecurity/traefik crowdsecurity/http-dos crowdsecurity/base-http-scenarios"
lapi: lapi:
env: env:
# To enroll the Security Engine to the console # To enroll the Security Engine to the console

1
k8s/infrastructure/controllers/kube-prometheus-stack/kustomization.yaml
View File

@ -2,5 +2,6 @@
apiVersion: kustomize.config.k8s.io/v1beta1 apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization kind: Kustomization
resources: resources:
- secrets.yaml
- repository.yaml - repository.yaml
- release.yaml - release.yaml

13
k8s/infrastructure/controllers/kube-prometheus-stack/release.yaml
View File

@ -18,9 +18,14 @@ spec:
name: prometheus-community name: prometheus-community
namespace: flux-system namespace: flux-system
interval: 10m interval: 10m
valuesFrom:
- kind: Secret
name: grafana-creds
valuesKey: gf-admin-password
targetPath: grafana.adminPassword
values: values:
grafana: grafana:
adminPassword: admin # adminPassword: admin
defaultDashboardsTimezone: browser defaultDashboardsTimezone: browser
# TODO: Create CRDS first and then apply everything at one step # TODO: Create CRDS first and then apply everything at one step
ingress: ingress:
@ -48,9 +53,9 @@ spec:
storageSpec: storageSpec:
volumeClaimTemplate: volumeClaimTemplate:
spec: spec:
storageClassName: longhorn storageClassName: nfs-client
accessModes: ["ReadWriteOnce"] accessModes: ["ReadWriteMany"]
resources: resources:
requests: requests:
storage: 4Gi storage: 8Gi

19
k8s/infrastructure/controllers/kube-prometheus-stack/secrets.yaml Normal file
View File

@ -0,0 +1,19 @@
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: grafana-creds
namespace: flux-system
spec:
secretStoreRef:
kind: ClusterSecretStore
name: infisical
target:
name: grafana-creds
data:
- secretKey: gf-admin-password
remoteRef:
key: gf-admin-password

2
k8s/infrastructure/controllers/traefik/kustomization.yaml
View File

@ -5,4 +5,4 @@ resources:
- namespace.yaml - namespace.yaml
- repository.yaml - repository.yaml
- release.yaml - release.yaml
- plugins - middlewares

36
k8s/infrastructure/controllers/traefik/middlewares/crowdsec-bouncer.yaml Normal file
View File

@ -0,0 +1,36 @@
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: bouncer
namespace: traefik
spec:
plugin:
crowdsec-bouncer-traefik-plugin:
enabled: true
logLevel: DEBUG
crowdsecMode: live
crowdsecLapiScheme: http
# crowdsecLapiTLSInsecureVerify: true
crowdsecLapiHost: crowdsec-service.crowdsec.svc.cluster.local:8080
# https://docs.crowdsec.net/u/getting_started/installation/kubernetes/
crowdsecLapiKey: ENC[AES256_GCM,data:FJiRbf++tt3LUrIIHD49fYcrxc/dLE28ESRBBOFQXzTrEtK4KjCq/MmcZQ==,iv:cBZjSXMOA99rO71s3dhJflFO7bBHDXHpYl2BynT69Ko=,tag:ghN0Qfis3UcQVlm7us1qOA==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1gznjylxw2d3mhq6ar4nl4mvltzjems76swlqpe607u4h8j5ykefqz0hhw0
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBINjEySWwvTkVKbHQ1QVk4
TUE2VGdqUzd2bzQ5Z1UvWUNRZnFjVzdRUXg4CjR1UmVVdDV5aEw3azJzZTNvR3Vr
Q1hiRjYwTGdhN1VlUldhS01MdFJNUXMKLS0tIDZYNXg0aGlDQ0IxNHdMMnpWWi9u
VEtPSlVOSUFyaWt0ek1GZVdLOWN4NmMKZUFo00va4XrYXoRf6ge45nyLAYXlG7mP
xkyR0cInOsvhPd8hSQdMKZNxS8T38VnFsLOTCb/wJyzOuQgy13sznw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-02-14T02:23:36Z"
mac: ENC[AES256_GCM,data:IZOr8n3//RUDn1Wrlau82QXdvAvOPVLfbjEdm2sbIZhvjQ14xXeEDHXCMobudVv+sYPzx7rU2soTrpYNNDtp3ocUvMwBOi5Aa21bPPjc3kxxdvK+jtQliBEaLsPdwSO/+8fmDHK/Ip+gw3hrGsXic7zpc2pCp5XrRY75RjujO+g=,iv:KQavUuifIjeA2jgkRFBXAweGYvtK85wMcbFm9vfz6Vc=,tag:ZixM2qHGmfT2YTc5AU5smA==,type:str]
pgp: []
encrypted_regex: crowdsecLapiKey
version: 3.9.1

3
k8s/infrastructure/controllers/traefik/plugins/kustomization.yaml → k8s/infrastructure/controllers/traefik/middlewares/kustomization.yaml
View File

@ -2,4 +2,5 @@
apiVersion: kustomize.config.k8s.io/v1beta1 apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization kind: Kustomization
resources: resources:
- crowdsec.yaml - crowdsec-bouncer.yaml

35
k8s/infrastructure/controllers/traefik/plugins/crowdsec.yaml
View File

@ -1,35 +0,0 @@
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: bouncer
namespace: traefik
spec:
plugin:
bouncer:
enabled: "true"
logLevel: DEBUG
crowdsecMode: stream
crowdsecLapiScheme: https
crowdsecLapiHost: crowdsec-service.crowdsec.svc.cluster.local:8080
# https://docs.crowdsec.net/u/getting_started/installation/kubernetes/
crowdsecLapiKey: ENC[AES256_GCM,data:6uiMo8nlWN+NJ9Ow8By3435R4sV6Ff4Uug/KSPDExNLnY4D2mM95Ne6Skw==,iv:XA5EhZ1iM+DzTa9ZhZlrKMwCh1YJ471GY4M3ZCJFKc4=,tag:Yn312cAs02oDnovxIVYHQA==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1gznjylxw2d3mhq6ar4nl4mvltzjems76swlqpe607u4h8j5ykefqz0hhw0
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsOW1HRDduS1JkeHp6N2Fx
RWlGTXpDS3Y1SHRRN1dzSm9LaFJXTVJYb0RNCjhuU1BONVhNWW05VUY2cWFOQWVK
cmcxN2dRVDdTWXovUzRJSWNZUjNUdzgKLS0tIHlVYmk4czdoaHI0aERaeWNTNHRz
S3JSOEY2Y0dWci9JNGVFRHM3ckxURjgKKCk3oswfOMyMFwluWbUOy1ugfM24SARR
fPbgrcUqAQAIiGONf88ybs9kWGSlnh9CS/IEhbDKFixAWNebpmv28A==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-02-14T00:15:25Z"
mac: ENC[AES256_GCM,data:sR/HO71a2sjIOmGXTSGkcDU/AAYNG+oy0G9Zr8WKT6Oz+auvp4gy2pUENJl1oX5KiUvfrJe7ref0x+oQ5FtaYHYIXW925zALYGpVFwVKeasAahsZLBqfzbG+Q/8aYrayaz2xidINlLU+DJT/H+M9vGmaRKX/p9CHt8EkAq736TQ=,iv:4rxIvGQnb6okS/kDAe9gkzIaEzIXY12lkQFNcpLYCTs=,tag:X7FjXkH1avrhM9ZQxo2dmQ==,type:str]
pgp: []
encrypted_regex: crowdsecLapiKey
version: 3.9.1

6
k8s/infrastructure/controllers/traefik/release.yaml
View File

@ -49,6 +49,8 @@ spec:
ports: ports:
web: web:
middlewares:
- traefik-bouncer@kubernetescrd
port: 80 port: 80
redirections: redirections:
entryPoint: entryPoint:
@ -56,6 +58,8 @@ spec:
scheme: https scheme: https
permanent: true permanent: true
websecure: websecure:
middlewares:
- traefik-bouncer@kubernetescrd
port: 443 port: 443
http3: http3:
enabled: true enabled: true
@ -128,7 +132,7 @@ spec:
plugins: plugins:
crowdsec-bouncer-traefik-plugin: crowdsec-bouncer-traefik-plugin:
moduleName: "github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin" moduleName: "github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin"
version: "v1.4.1" version: "v1.3.3"
# Mostly from https://github.com/traefik/traefik-helm-chart/blob/master/EXAMPLES.md#use-prometheus-operator # Mostly from https://github.com/traefik/traefik-helm-chart/blob/master/EXAMPLES.md#use-prometheus-operator
metrics: metrics: