# CrowdSec Security Stack - Intrusion Detection & Prevention
# =============================================================================
# Co-located with NPM on matrix-ubuntu for direct log access (no rsync needed).
# CrowdSec engine (LAPI) parses NPM access/error logs and host syslog.
# Blocking is handled by crowdsec-firewall-bouncer-nftables installed on the
# host (not containerized) — it drops packets at the network layer via nftables,
# avoiding nginx auth_request conflicts with Authentik SSO.
#
# Ports: 8580 (LAPI), 6060 (Prometheus metrics)
#
# Setup steps after first deploy:
#   1. Install the firewall bouncer on the host
#      (inspect the install script before piping it into a root shell):
#        curl -s https://install.crowdsec.net | sudo sh
#        sudo apt install crowdsec-firewall-bouncer-nftables
#   2. Generate a bouncer API key:
#        docker exec crowdsec cscli bouncers add firewall-bouncer
#   3. Configure /etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml:
#        api_url: http://127.0.0.1:8580/
#        api_key: <API_KEY_PRINTED_BY_STEP_2>
#        deny_log: true
#   4. Start the bouncer: sudo systemctl enable --now crowdsec-firewall-bouncer
#   5. Enroll in the CrowdSec console (optional):
#        docker exec crowdsec cscli console enroll
#
# Collections installed via the COLLECTIONS env var:
#   - crowdsecurity/nginx-proxy-manager — NPM log parser + scenarios
#   - crowdsecurity/base-http-scenarios — generic HTTP attack detection
#   - crowdsecurity/http-cve — known CVE exploit detection
#   - crowdsecurity/linux — SSH brute force, etc.
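# =============================================================================
services:
  crowdsec:
    # TODO(review): pin to a specific release tag or image digest instead of
    # `latest` so deploys are reproducible and image changes are auditable.
    image: crowdsecurity/crowdsec:latest
    container_name: crowdsec
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    environment:
      TZ: America/Los_Angeles
      # Folded scalar: rendered as one space-separated list of collections.
      COLLECTIONS: >-
        crowdsecurity/nginx-proxy-manager
        crowdsecurity/base-http-scenarios
        crowdsecurity/http-cve
        crowdsecurity/linux
      # Assumes the mounted log files are group-readable by gid 1000 on the
      # host — confirm against the NPM log ownership.
      GID: "1000"
      # Metrics listener binds all container interfaces; reachability from
      # outside the host is governed by the 6060 port mapping below.
      CROWDSEC_PROMETHEUS_LISTEN_ADDR: "0.0.0.0"
      CROWDSEC_PROMETHEUS_LISTEN_PORT: "6060"
    volumes:
      - /opt/crowdsec/config:/etc/crowdsec
      - /opt/crowdsec/data:/var/lib/crowdsec/data
      # NPM logs — direct mount, same host
      - /opt/npm/data/logs:/var/log/npm:ro
      # Whole host /var/log is visible (read-only) to the container; narrow
      # this to the files the acquisition config actually reads if the host
      # keeps sensitive logs there.
      - /var/log:/var/log/host:ro
    ports:
      # LAPI is consumed only by the host-installed bouncer at 127.0.0.1:8580,
      # so publish it on loopback only. Binding to all interfaces would expose
      # the API to the network; widen deliberately if a remote agent or
      # bouncer ever needs it.
      - "127.0.0.1:8580:8080"
      # Prometheus metrics — published on all host interfaces. Restrict to the
      # scraper's network (or loopback) if Prometheus runs on this host.
      - "6060:6060"
    healthcheck:
      # Only proves the cscli binary runs, not that LAPI is up and serving;
      # a stronger probe would query LAPI status instead.
      test: ["CMD", "cscli", "version"]
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 30s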