From 446550cb61e2f673eae5a8132f78cb0301aba637 Mon Sep 17 00:00:00 2001
From: oxmox
Date: Sun, 15 Oct 2023 18:29:32 +0200
Subject: [PATCH] add crowdsec and crowdsec-bashboard (no bouncers)

Basic crowdsec and metabase dashboard setup is done. journalctl ssh monitoring and alerts work. Need to check if other log sources work. No bouncers active yet!
---
 crowdsec/acquis.d/docker-containers.yml | 9 +++++
 crowdsec/acquis.d/host-ssh.yml | 5 +++
 crowdsec/acquis.d/nextcloud.yml | 5 +++
 crowdsec/acquis.d/traefik.yml | 5 +++
 crowdsec/config.yaml.local | 0
 crowdsec/dashboard/Dockerfile | 3 ++
 docker-compose.yml | 49 +++++++++++++++++++++++++
 7 files changed, 76 insertions(+)
 create mode 100644 crowdsec/acquis.d/docker-containers.yml
 create mode 100644 crowdsec/acquis.d/host-ssh.yml
 create mode 100644 crowdsec/acquis.d/nextcloud.yml
 create mode 100644 crowdsec/acquis.d/traefik.yml
 create mode 100644 crowdsec/config.yaml.local
 create mode 100644 crowdsec/dashboard/Dockerfile
diff --git a/crowdsec/acquis.d/docker-containers.yml b/crowdsec/acquis.d/docker-containers.yml
new file mode 100644
index 0000000..7adbaf1
--- /dev/null
+++ b/crowdsec/acquis.d/docker-containers.yml
@@ -0,0 +1,9 @@
+source: docker
+container_name:
+ - nextcloud-app
+ - forgejo-app
+ - prometheus
+ - grafana
+ - mailserver
+labels:
+ type: syslog
diff --git a/crowdsec/acquis.d/host-ssh.yml b/crowdsec/acquis.d/host-ssh.yml
new file mode 100644
index 0000000..655d5eb
--- /dev/null
+++ b/crowdsec/acquis.d/host-ssh.yml
@@ -0,0 +1,5 @@
+source: journalctl
+journalctl_filter:
+ - "_SYSTEMD_UNIT=ssh.service"
+labels:
+ type: syslog
diff --git a/crowdsec/acquis.d/nextcloud.yml b/crowdsec/acquis.d/nextcloud.yml
new file mode 100644
index 0000000..62e0430
--- /dev/null
+++ b/crowdsec/acquis.d/nextcloud.yml
@@ -0,0 +1,5 @@
+source: file
+filenames:
+ - /run/logs/nextcloud.log
+labels:
+ type: Nextcloud
diff --git a/crowdsec/acquis.d/traefik.yml b/crowdsec/acquis.d/traefik.yml
new file mode 100644
index 0000000..84bf788
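Review bot: The single `type: syslog` label in docker-containers.yml is applied to all five containers (nextcloud-app, forgejo-app, prometheus, grafana, mailserver) even though their stdout formats differ; CrowdSec routes lines to parsers by that label, so output from a container that is not syslog-shaped would presumably be read but never parsed into a scenario. nextcloud-app is additionally covered by the file source in nextcloud.yml, so its lines may be ingested twice under two different types. Consider one acquisition file per container carrying the type its collection expects, and verify with `cscli metrics` that each source reports parsed lines rather than only read lines. A comment such as `# one type for every container listed - split this file if a container needs its own parser` would make the constraint visible to the next editor.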
--- /dev/null
+++ b/crowdsec/acquis.d/traefik.yml
@@ -0,0 +1,5 @@
+source: file
+filenames:
+ - /run/logs/traefik-access.log
+labels:
+ type: traefik
diff --git a/crowdsec/config.yaml.local b/crowdsec/config.yaml.local
new file mode 100644
index 0000000..e69de29
diff --git a/crowdsec/dashboard/Dockerfile b/crowdsec/dashboard/Dockerfile
new file mode 100644
index 0000000..f4bdd69
--- /dev/null
+++ b/crowdsec/dashboard/Dockerfile
@@ -0,0 +1,3 @@
+FROM metabase/metabase
+
+RUN mkdir /data/ && wget https://crowdsec-statics-assets.s3-eu-west-1.amazonaws.com/metabase_sqlite.zip && unzip metabase_sqlite.zip -d /data/
diff --git a/docker-compose.yml b/docker-compose.yml
index ccb2a54..7488d21 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
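Review bot: The `RUN` line in crowdsec/dashboard/Dockerfile downloads metabase_sqlite.zip over the network and unpacks it straight into /data without any integrity check, and `FROM metabase/metabase` is untagged, so the image is rebuilt from whatever the S3 object and the latest Metabase release happen to be on build day; since the compose file points MB_DB_FILE at /data/metabase.db, a changed or tampered archive silently becomes the dashboard's application database. Pin the base tag, verify the archive against a known sha256 before unzipping, and remove the zip in the same layer so it does not persist in the image (the original leaves metabase_sqlite.zip in the working directory). The checksum below is a placeholder to be filled from a trusted download; this assumes sha256sum is present in the base image, which is likely given wget and unzip already are, but should be confirmed.
```dockerfile
FROM metabase/metabase:<pinned-tag>

# Pre-built CrowdSec dashboards; verify the archive before it becomes /data/metabase.db
RUN mkdir /data/ \
    && wget -O /tmp/metabase_sqlite.zip https://crowdsec-statics-assets.s3-eu-west-1.amazonaws.com/metabase_sqlite.zip \
    && echo "<sha256-of-metabase_sqlite.zip>  /tmp/metabase_sqlite.zip" | sha256sum -c - \
    && unzip /tmp/metabase_sqlite.zip -d /data/ \
    && rm /tmp/metabase_sqlite.zip
```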
@@ -339,6 +339,55 @@ services:
 labels:
 - "traefik.enable=false"
+ crowdsec:
+ image: crowdsecurity/crowdsec:latest-debian
+ container_name: "crowdsec"
+ restart: unless-stopped
+ <<: *logging
+ environment:
+ #this is the list of collections we want to install
+ #https://hub.crowdsec.net/author/crowdsecurity/collections/nginx
+ COLLECTIONS: "crowdsecurity/traefik crowdsecurity/nextcloud"
+ GID: "${GID-1000}"
+ depends_on:
+ - traefik
+ volumes:
+ - ./crowdsec/acquis.d/:/etc/crowdsec/acquis.d
+ - ./crowdsec/config.yaml.local:/etc/crowdsec/config.yaml.local:ro
+ - ./crowdsec/etc:/etc/crowdsec/
+ - ./crowdsec/db:/var/lib/crowdsec/data/
+ - /etc/timezone:/etc/timezone:ro
+ - /etc/localtime:/etc/localtime:ro
+ - /var/log/journal:/run/log/journal # host journald
+ - /var/run/docker.sock:/var/run/docker.sock:ro # host docker
+ - ./traefik/logs/access.log:/run/logs/traefik-access.log:ro
+ - ./nextcloud-app/nextcloud/data/nextcloud.log:/run/logs/nextcloud.log:ro
+
+ # metabase, because security is cool, but dashboards are cooler
+ crowdsec-dashboard:
+ container_name: "crowdsec-dashboard"
+ # we're using a custom Dockerfile so that metabase pops with pre-configured dashboards
+ build: ./crowdsec/dashboard
+ restart: unless-stopped
+ <<: *logging
+ ports:
+ - 3000:3000
+ environment:
+ MB_DB_FILE: /data/metabase.db
+ MGID: "${GID-1000}"
+ depends_on:
+ - 'crowdsec'
+ volumes:
+ - ./crowdsec/db:/metabase-data/
+ labels:
+ - "traefik.enable=true"
+ - "traefik.http.routers.crowdsec_dashboard_app.rule=Host(`oxmox.dev`) && PathPrefix(`/crowdsec`)"
+ - "traefik.http.routers.crowdsec_dashboard_app.entrypoints=websecure"
+ - "traefik.http.routers.crowdsec_dashboard_app.tls.certresolver=myresolver"
+ - "traefik.http.routers.crowdsec_dashboard_app.middlewares=traefik_api_auth"
+ - "traefik.http.routers.crowdsec_dashboard_app.middlewares=traefik_api_auth,crowdsec_dashboard_app_strip"
+ - "traefik.http.middlewares.crowdsec_dashboard_app_strip.stripprefix.prefixes=/crowdsec"
+ - "traefik.http.services.crowdsec_dashboard_app.loadbalancer.server.port=3000"
 #wireguard:
 # image: lscr.io/linuxserver/wireguard:latest