add crowdsec and crowdsec-bashboard (no bouncers)

Basic crowdsec and metabase dashboard setup is done. journalctl ssh monitoring and alerts work. Need to check if other log sources work. No bouncers active yet!
2023-10-15 18:29:32 +02:00 · 2023-10-15 18:29:32 +02:00 · 0c8bc1ac0a
commit 0c8bc1ac0a
parent 32c3b5352d
7 changed files with 76 additions and 0 deletions
--- a/crowdsec/acquis.d/docker-containers.yml
+++ b/crowdsec/acquis.d/docker-containers.yml
@ -0,0 +1,9 @@
+source: docker
+container_name:
+  - nextcloud-app
+  - forgejo-app
+  - prometheus
+  - grafana
+  - mailserver
+labels:
+  type: syslog
--- a/crowdsec/acquis.d/host-ssh.yml
+++ b/crowdsec/acquis.d/host-ssh.yml
@ -0,0 +1,5 @@
+source: journalctl
+journalctl_filter:
+   - "_SYSTEMD_UNIT=ssh.service"
+labels:
+    type: syslog
--- a/crowdsec/acquis.d/nextcloud.yml
+++ b/crowdsec/acquis.d/nextcloud.yml
@ -0,0 +1,5 @@
+source: file
+filenames:
+   - /run/logs/nextcloud.log
+labels:
+    type: Nextcloud
--- a/crowdsec/acquis.d/traefik.yml
+++ b/crowdsec/acquis.d/traefik.yml
@ -0,0 +1,5 @@
+source: file
+filenames:
+  - /run/logs/traefik-access.log
+labels:
+    type: traefik
--- a/crowdsec/config.yaml.local
+++ b/crowdsec/config.yaml.local
--- a/crowdsec/dashboard/Dockerfile
+++ b/crowdsec/dashboard/Dockerfile
@ -0,0 +1,3 @@
+FROM metabase/metabase
+
+RUN mkdir /data/ && wget https://crowdsec-statics-assets.s3-eu-west-1.amazonaws.com/metabase_sqlite.zip && unzip metabase_sqlite.zip -d /data/
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -339,6 +339,55 @@ services:
    labels:
      - "traefik.enable=false"

+  crowdsec:
+    image: crowdsecurity/crowdsec:latest-debian
+    container_name: "crowdsec"
+    restart: unless-stopped
+    <<: *logging
+    environment:
+      #this is the list of collections we want to install
+      #https://hub.crowdsec.net/author/crowdsecurity/collections/nginx
+      COLLECTIONS: "crowdsecurity/traefik crowdsecurity/nextcloud"
+      GID: "${GID-1000}"
+    depends_on:
+      - traefik
+    volumes:
+      - ./crowdsec/acquis.d/:/etc/crowdsec/acquis.d
+      - ./crowdsec/config.yaml.local:/etc/crowdsec/config.yaml.local:ro
+      - ./crowdsec/etc:/etc/crowdsec/
+      - ./crowdsec/db:/var/lib/crowdsec/data/
+      - /etc/timezone:/etc/timezone:ro
+      - /etc/localtime:/etc/localtime:ro
+      - /var/log/journal:/run/log/journal # host journald
+      - /var/run/docker.sock:/var/run/docker.sock:ro # host docker
+      - ./traefik/logs/access.log:/run/logs/traefik-access.log:ro
+      - ./nextcloud-app/nextcloud/data/nextcloud.log:/run/logs/nextcloud.log:ro
+
+  # metabase, because security is cool, but dashboards are cooler
+  crowdsec-dashboard:
+    container_name: "crowdsec-dashboard"
+    # we're using a custom Dockerfile so that metabase pops with pre-configured dashboards
+    build: ./crowdsec/dashboard
+    restart: unless-stopped
+    <<: *logging
+    ports:
+      - 3000:3000
+    environment:
+      MB_DB_FILE: /data/metabase.db
+      MGID: "${GID-1000}"
+    depends_on:
+      - 'crowdsec'
+    volumes:
+      - ./crowdsec/db:/metabase-data/
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.crowdsec_dashboard_app.rule=Host(`oxmox.dev`) && PathPrefix(`/crowdsec`)"
+      - "traefik.http.routers.crowdsec_dashboard_app.entrypoints=websecure"
+      - "traefik.http.routers.crowdsec_dashboard_app.tls.certresolver=myresolver"
+      - "traefik.http.routers.crowdsec_dashboard_app.middlewares=traefik_api_auth"
+      - "traefik.http.routers.crowdsec_dashboard_app.middlewares=traefik_api_auth,crowdsec_dashboard_app_strip"
+      - "traefik.http.middlewares.crowdsec_dashboard_app_strip.stripprefix.prefixes=/crowdsec"
+      - "traefik.http.services.crowdsec_dashboard_app.loadbalancer.server.port=3000"

  #wireguard:
  #  image: lscr.io/linuxserver/wireguard:latest