crowdsec+rybbit: proxied edge to single CF list (block-only) + retrigger firewall-bouncer apply

CF account hard-limits to 1 Rules List, so proxied enforcement uses one crowdsec_ban
list + one WAF block rule; the sync writes both ban and captcha decisions into it
(captcha downgraded to block at the edge). Drops the second list + managed_challenge
rule. Trivial touch to firewall_bouncer.tf to make CI re-apply crowdsec and recreate
the DaemonSet (tar fix already in master; stale orphan was cleared).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Viktor Barzin 2026-06-20 19:29:43 +00:00
parent 1406d8a391
commit 7cf93a0587
3 changed files with 69 additions and 90 deletions
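The sync step the commit message describes (ban and captcha decisions written into one `crowdsec_ban` list, captcha downgraded to block because the account allows a single Rules List) is not shown in the changed files here. The following is an added illustration of that collapse step, not the repository's own sync code: it takes decisions in the shape of `cscli decisions list -o json` (the field names `type`, `scope`, `value`, `duration` are assumed from that output), keeps only IP-addressable scopes, maps both decision types to block, merges overlapping ranges, and computes an idempotent add/remove diff against whatever the list currently holds. The sample decisions are constructed.

```python
"""Collapse CrowdSec ban+captcha decisions into one block list for a single Cloudflare rules list.

Added example, not the project's sync script. Assumes the JSON shape of
`cscli decisions list -o json` (type/scope/value/duration); verify against your cscli version.
"""
import ipaddress
import json

# Constructed sample input (not real decisions); documentation IP ranges only.
SAMPLE_DECISIONS = json.dumps([
    {"type": "ban",     "scope": "Ip",      "value": "198.51.100.7",   "duration": "3h59m"},
    {"type": "captcha", "scope": "Ip",      "value": "203.0.113.9",    "duration": "1h"},
    {"type": "ban",     "scope": "Range",   "value": "203.0.113.0/24", "duration": "24h"},
    {"type": "captcha", "scope": "Ip",      "value": "198.51.100.7",   "duration": "1h"},   # same IP as a ban
    {"type": "ban",     "scope": "Ip",      "value": "2001:db8::1",    "duration": "4h"},
    {"type": "ban",     "scope": "Country", "value": "XX",             "duration": "4h"},   # not an IP scope
    {"type": "ban",     "scope": "Ip",      "value": "not-an-ip",      "duration": "4h"},   # malformed
])

# One list + one WAF block rule: captcha is downgraded to block at the edge.
ENFORCED_TYPES = {"ban", "captcha"}
# Only these CrowdSec scopes can be expressed as entries of an IP list.
IP_SCOPES = {"ip", "range"}


def collapse_decisions(raw_json: str) -> list[str]:
    """Return the de-duplicated CIDR entries to push to the single block list.

    - ban and captcha both become block (single-list constraint)
    - scopes other than Ip/Range are skipped, not silently mis-mapped
    - a malformed value is skipped so one bad decision cannot abort the whole sync
    - hosts already covered by a listed range are folded into that range
    """
    nets = []
    for d in json.loads(raw_json):
        if d.get("type") not in ENFORCED_TYPES:
            continue
        if str(d.get("scope", "")).lower() not in IP_SCOPES:
            continue
        try:
            nets.append(ipaddress.ip_network(d["value"], strict=False))
        except ValueError:
            continue
    # collapse_addresses merges duplicates, contained and adjacent networks,
    # but only within one address family, so split v4 and v6 first.
    v4 = ipaddress.collapse_addresses(n for n in nets if n.version == 4)
    v6 = ipaddress.collapse_addresses(n for n in nets if n.version == 6)
    return [str(n) for n in list(v4) + list(v6)]


def diff_list(current: list[str], desired: list[str]) -> tuple[list[str], list[str]]:
    """Entries to add and to remove so the remote list converges on `desired`.

    Computing a diff rather than replacing the whole list keeps the sync
    idempotent and avoids a window where the list is empty mid-update.
    """
    cur, des = set(current), set(desired)
    return sorted(des - cur), sorted(cur - des)


if __name__ == "__main__":
    desired = collapse_decisions(SAMPLE_DECISIONS)
    add, remove = diff_list(["203.0.113.0/24", "192.0.2.1/32"], desired)
    print("desired:", desired)
    print("add:", add, "remove:", remove)
```

The two functions are deliberately separate: `collapse_decisions` is pure and can be run against a saved `cscli` dump, while `diff_list` is what an actual sync would feed into the Cloudflare list-items API after reading the list's current contents.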

@ -33,6 +33,7 @@
# nodeSelector pins this to ONE node (k8s-node2, which runs a Traefik pod) for first validation.
# !!! REMOVING THE nodeSelector ROLLS THIS DAEMONSET CLUSTER-WIDE !!!
# Do that ONLY after the one-node validation checklist passes (see commit/PR).
# Validating on k8s-node2 (single node) before removing the nodeSelector to roll cluster-wide.
locals {
# Pin a specific stable release. Bump deliberately (re-validate on one node first).
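Review bot: the line "Validating on k8s-node2 (single node) before removing the nodeSelector to roll cluster-wide." only restates the nodeSelector warning two lines above it, and the commit message says its sole purpose is to make CI re-apply crowdsec and recreate the DaemonSet; a comment-only change produces no Terraform plan diff, so whether the pipeline re-applies depends on it triggering on file changes rather than on plan output, and that should be stated in the comment itself (e.g. "# no-op touch to retrigger CI apply after the tar fix") so the duplicate is not mistaken for new guidance later. The existing line "Do that ONLY after the one-node validation checklist passes (see commit/PR)." also points at no concrete checklist; naming where it lives would make the warning actionable.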