crowdsec: register kvsync + firewall bouncer keys in LAPI

Seeds two new bouncers at LAPI startup (BOUNCER_KEY_kvsync, BOUNCER_KEY_firewall)
from Vault secret/platform, mirroring the existing BOUNCER_KEY_traefik wiring.
These are the two halves of the real enforcement that replaces the dead Yaegi
plugin: kvsync authenticates the LAPI->Cloudflare-KV sync (proxied edge Worker),
firewall authenticates the cs-firewall-bouncer DaemonSet (direct-host nftables).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

stacks/crowdsec/main.tf

@@ -32,4 +32,8 @@ module "crowdsec" {
   # Same key the traefik-stack bouncer middleware uses — seeded into LAPI so the
   # bouncer authenticates and pulls decisions (was unregistered → 403 → fail-open).
   ingress_bouncer_key = data.vault_kv_secret_v2.secrets.data["ingress_crowdsec_api_key"]
+  # Real enforcement replacing the dead Traefik plugin: kvsync feeds the proxied
+  # edge Worker via Cloudflare KV; firewall is the direct-host nftables bouncer.
+  kvsync_bouncer_key   = data.vault_kv_secret_v2.secrets.data["kvsync_bouncer_key"]
+  firewall_bouncer_key = data.vault_kv_secret_v2.secrets.data["firewall_bouncer_key"]
 }

stacks/crowdsec/modules/crowdsec/main.tf

@@ -21,6 +21,16 @@ variable "ingress_bouncer_key" {
   sensitive   = true
   description = "API key for the Traefik CrowdSec bouncer plugin. Seeded into LAPI via BOUNCER_KEY_traefik so the bouncer authenticates and pulls decisions — the same key the traefik-stack middleware presents."
 }
+variable "kvsync_bouncer_key" {
+  type        = string
+  sensitive   = true
+  description = "API key for the LAPI->Cloudflare-KV sync job (proxied-edge control plane). Seeded into LAPI via BOUNCER_KEY_kvsync; the rybbit-stack CronJob presents the same key to pull decisions."
+}
+variable "firewall_bouncer_key" {
+  type        = string
+  sensitive   = true
+  description = "API key for the cs-firewall-bouncer DaemonSet (direct-host in-kernel enforcement). Seeded into LAPI via BOUNCER_KEY_firewall; the DaemonSet presents the same key to stream decisions."
+}
 
 module "tls_secret" {
   source          = "../../../../modules/kubernetes/setup_tls_secret"
@@ -162,7 +172,7 @@ resource "helm_release" "crowdsec" {
   repository = "https://crowdsecurity.github.io/helm-charts"
   chart      = "crowdsec"
 
-  values        = [templatefile("${path.module}/values.yaml", { homepage_username = var.homepage_username, homepage_password = var.homepage_password, DB_PASSWORD = var.db_password, ENROLL_KEY = var.enroll_key, SLACK_WEBHOOK_URL = var.slack_webhook_url, mysql_host = var.mysql_host, postgresql_host = var.postgresql_host, INGRESS_CROWDSEC_API_KEY = var.ingress_bouncer_key })]
+  values        = [templatefile("${path.module}/values.yaml", { homepage_username = var.homepage_username, homepage_password = var.homepage_password, DB_PASSWORD = var.db_password, ENROLL_KEY = var.enroll_key, SLACK_WEBHOOK_URL = var.slack_webhook_url, mysql_host = var.mysql_host, postgresql_host = var.postgresql_host, INGRESS_CROWDSEC_API_KEY = var.ingress_bouncer_key, KVSYNC_CROWDSEC_API_KEY = var.kvsync_bouncer_key, FIREWALL_CROWDSEC_API_KEY = var.firewall_bouncer_key })]
   timeout       = 1200
   wait          = true
   wait_for_jobs = true

stacks/crowdsec/modules/crowdsec/values.yaml

@@ -135,6 +135,14 @@ lapi:
     # the prior manual registration was lost in the MySQL→PostgreSQL migration).
     - name: BOUNCER_KEY_traefik
       value: "${INGRESS_CROWDSEC_API_KEY}"
+    # Real enforcement path that replaces the dead Traefik Yaegi plugin:
+    #   kvsync   -> LAPI->Cloudflare-KV sync CronJob (proxied hosts, edge Worker)
+    #   firewall -> cs-firewall-bouncer DaemonSet (direct hosts, in-kernel nftables drop)
+    # Registered at LAPI startup (idempotent across the 3 replicas / restarts).
+    - name: BOUNCER_KEY_kvsync
+      value: "${KVSYNC_CROWDSEC_API_KEY}"
+    - name: BOUNCER_KEY_firewall
+      value: "${FIREWALL_CROWDSEC_API_KEY}"
   dashboard:
     enabled: true
     env: