Sanitized mirror from private repository - 2026-03-30 00:10:29 UTC

2026-03-30 00:10:29 +00:00
commit 8664c8417c
1280 changed files with 331217 additions and 0 deletions
--- a/hosts/vms/matrix-ubuntu/crowdsec.yaml
+++ b/hosts/vms/matrix-ubuntu/crowdsec.yaml
@@ -0,0 +1,63 @@
+# CrowdSec Security Stack - Intrusion Detection & Prevention
+# =============================================================================
+# Co-located with NPM on matrix-ubuntu for direct log access (no rsync needed).
+# CrowdSec engine (LAPI) parses NPM access/error logs and host syslog.
+# Blocking is handled by crowdsec-firewall-bouncer-nftables installed on the
+# host (not containerized) — drops packets at the network layer via nftables,
+# avoiding nginx auth_request conflicts with Authentik SSO.
+#
+# Ports: 8580 (LAPI), 6060 (Prometheus metrics)
+#
+# Setup steps after first deploy:
+#   1. Install firewall bouncer on host:
+#      curl -s https://install.crowdsec.net | sudo sh
+#      sudo apt install crowdsec-firewall-bouncer-nftables
+#   2. Generate bouncer API key:
+#      docker exec crowdsec cscli bouncers add firewall-bouncer
+#   3. Configure /etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml:
+#      api_url: http://127.0.0.1:8580/
+#      api_key: <generated key>
+#      deny_log: true
+#   4. Start bouncer: sudo systemctl enable --now crowdsec-firewall-bouncer
+#   5. Enroll in CrowdSec console (optional):
+#      docker exec crowdsec cscli console enroll <key>
+#
+# Collections installed via COLLECTIONS env var:
+#   - crowdsecurity/nginx-proxy-manager — NPM log parser + scenarios
+#   - crowdsecurity/base-http-scenarios — generic HTTP attack detection
+#   - crowdsecurity/http-cve — known CVE exploit detection
+#   - crowdsecurity/linux — SSH brute force, etc.
+# =============================================================================
+
+services:
+  crowdsec:
+    image: crowdsecurity/crowdsec:latest
+    container_name: crowdsec
+    restart: unless-stopped
+    security_opt:
+      - no-new-privileges:true
+    environment:
+      TZ: America/Los_Angeles
+      COLLECTIONS: >-
+        crowdsecurity/nginx-proxy-manager
+        crowdsecurity/base-http-scenarios
+        crowdsecurity/http-cve
+        crowdsecurity/linux
+      GID: "1000"
+      CROWDSEC_PROMETHEUS_LISTEN_ADDR: "0.0.0.0"
+      CROWDSEC_PROMETHEUS_LISTEN_PORT: "6060"
+    volumes:
+      - /opt/crowdsec/config:/etc/crowdsec
+      - /opt/crowdsec/data:/var/lib/crowdsec/data
+      # NPM logs — direct mount, same host
+      - /opt/npm/data/logs:/var/log/npm:ro
+      - /var/log:/var/log/host:ro
+    ports:
+      - "8580:8080"
+      - "6060:6060"
+    healthcheck:
+      test: ["CMD", "cscli", "version"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
+      start_period: 30s