diff --git a/main.tf b/main.tf
index f3b97f5d..1eaa3909 100644
--- a/main.tf
+++ b/main.tf
@@ -59,6 +59,9 @@ variable "finance_app_gocardless_secret_id" {}
 variable "headscale_config" {}
 variable "immich_postgresql_password" {}
 variable "ingress_honeypotapikey" {}
+variable "ingress_crowdsec_api_key" {}
+variable "ingress_crowdsec_captcha_secret_key" {}
+variable "ingress_crowdsec_captcha_site_key" {}
 variable "vaultwarden_smtp_password" {}
 variable "resume_database_url" {}
 variable "resume_redis_url" {}
@@ -289,7 +292,10 @@ module "kubernetes_cluster" {
 immich_postgresql_password = var.immich_postgresql_password
- ingress_honeypotapikey = var.ingress_honeypotapikey
+ ingress_honeypotapikey = var.ingress_honeypotapikey
+ ingress_crowdsec_api_key = var.ingress_crowdsec_api_key
+ ingress_crowdsec_captcha_secret_key = var.ingress_crowdsec_captcha_secret_key
+ ingress_crowdsec_captcha_site_key = var.ingress_crowdsec_captcha_site_key
 vaultwarden_smtp_password = var.vaultwarden_smtp_password
diff --git a/modules/kubernetes/crowdsec/main.tf b/modules/kubernetes/crowdsec/main.tf
index 2dc0dafb..37cf9d29 100644
--- a/modules/kubernetes/crowdsec/main.tf
+++ b/modules/kubernetes/crowdsec/main.tf
@@ -66,7 +66,6 @@ resource "helm_release" "crowdsec" {
 chart = "crowdsec"
 values = [templatefile("${path.module}/values.yaml", {})]
- # values = [templatefile("${path.module}/rowdsec-ingress-bouncer.yaml", {})]
 }
 # resource "kubernetes_ingress_v1" "metabase" {
diff --git a/modules/kubernetes/main.tf b/modules/kubernetes/main.tf
index 4cc99f90..95f9dffa 100644
--- a/modules/kubernetes/main.tf
+++ b/modules/kubernetes/main.tf
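Review bot: The `ingress_crowdsec_api_key` and `ingress_crowdsec_captcha_secret_key` variables added in the first hunk hold a LAPI bouncer key and a captcha provider secret, yet they are declared as bare `variable "..." {}`, so their values are printed in clear in every `plan`/`apply` diff and in any error that echoes a module argument. If the Terraform version in use supports it (0.14 or later), declare them as `variable "ingress_crowdsec_api_key" { sensitive = true }` and `variable "ingress_crowdsec_captcha_secret_key" { sensitive = true }`; the site key is public by design and can stay as is. The same applies to the matching declarations in the modules/kubernetes/main.tf hunk and the modules/kubernetes/nginx-ingress/main.tf hunk further down. Note that `sensitive` only redacts CLI output; the state file still stores the values unencrypted, so state storage should be treated as secret material.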
@@ -46,6 +46,9 @@ variable "finance_app_gocardless_secret_id" {}
 variable "headscale_config" {}
 variable "immich_postgresql_password" {}
 variable "ingress_honeypotapikey" {}
+variable "ingress_crowdsec_api_key" {}
+variable "ingress_crowdsec_captcha_secret_key" {}
+variable "ingress_crowdsec_captcha_site_key" {}
 variable "vaultwarden_smtp_password" {}
 variable "resume_database_url" {}
 variable "resume_redis_url" {}
@@ -76,7 +79,7 @@ module "dbaas" {
 tls_secret_name = var.tls_secret_name
 dbaas_root_password = var.dbaas_root_password
 postgresql_root_password = var.dbaas_postgresql_root_password
- pgadmin_password = var.dbaas_pgadmin_password
+ pgadmin_password = var.dbaas_pgadmin_password
 }
 module "descheduler" {
@@ -350,8 +353,11 @@ module "immich" {
 }
 module "nginx-ingress" {
- source = "./nginx-ingress"
- honeypotapikey = var.ingress_honeypotapikey
+ source = "./nginx-ingress"
+ honeypotapikey = var.ingress_honeypotapikey
+ crowdsec_api_key = var.ingress_crowdsec_api_key
+ crowdsec_captcha_secret_key = var.ingress_crowdsec_captcha_secret_key
+ crowdsec_captcha_site_key = var.ingress_crowdsec_captcha_site_key
 }
 module "crowdsec" {
diff --git a/modules/kubernetes/nginx-ingress/main.tf b/modules/kubernetes/nginx-ingress/main.tf
index fa103bd4..960469e7 100644
--- a/modules/kubernetes/nginx-ingress/main.tf
+++ b/modules/kubernetes/nginx-ingress/main.tf
@@ -9,6 +9,9 @@ variable "honeypotapikey" {
 default = null
 }
+variable "crowdsec_api_key" {}
+variable "crowdsec_captcha_secret_key" {}
+variable "crowdsec_captcha_site_key" {}
 resource "kubernetes_namespace" "ingress_nginx" {
 metadata {
 name = "ingress-nginx"
@@ -322,6 +325,12 @@ resource "kubernetes_config_map" "ingress_nginx_controller" {
 setvar:tx.block_harvester_ip=1,\
 setvar:tx.block_spammer_ip=1"
 EOT
+ plugins = "crowdsec"
+ lua-shared-dicts = "crowdsec_cache: 50m"
+ server-snippet : <<-EOT
+ lua_ssl_trusted_certificate "/etc/ssl/certs/ca-certificates.crt"; # Captcha
+ resolver local=on ipv6=off;
+ EOT
 }
 }
 resource "kubernetes_service" "ingress_nginx_controller" {
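Review bot: `server-snippet : <<-EOT` uses the colon form of an HCL object key while every other key in this `data` map, including the `plugins` and `lua-shared-dicts` lines added just above it, uses `=`; HCL accepts both inside an object literal, but the mix reads as a typo and will trip reviewers and linters. Change it to `server-snippet = <<-EOT`. The trailing `# Captcha` comment inside the nginx snippet would also be clearer if it said what the directive is for, e.g. `# CA bundle for the bouncer's outbound TLS call to the captcha verification endpoint` — presumably that is why it is needed, since the bouncer is configured for recaptcha in the deployment hunk below; confirm before wording it that way. The enclosing `kubernetes_config_map` resource starts outside the hunk.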
@@ -430,10 +439,73 @@ resource "kubernetes_deployment" "ingress_nginx_controller" {
 # name = "modsecurity"
 # }
 # }
+
+ ## Crowdsec
+ init_container {
+ name = "init-clone-crowdsec-bouncer"
+ image = "crowdsecurity/lua-bouncer-plugin"
+ env {
+ name = "API_URL"
+ value = "http://crowdsec-service.crowdsec.svc.cluster.local:8080"
+ }
+ env {
+ name = "API_KEY"
+ value = var.crowdsec_api_key
+ }
+ env {
+ name = "CAPTCHA_PROVIDER"
+ value = "recaptcha"
+ }
+ env {
+ name = "BOUNCING_ON_TYPE"
+ value = "all"
+ }
+ env {
+ name = "SECRET_KEY"
+ value = var.crowdsec_captcha_secret_key
+ }
+ env {
+ name = "SITE_KEY"
+ value = var.crowdsec_captcha_site_key
+ }
+
+ env {
+ name = "DISABLE_RUN"
+ value = "true"
+ }
+ env {
+ name = "BAN_TEMPLATE_PATH"
+ value = "/etc/nginx/lua/plugins/crowdsec/templates/ban.html"
+ }
+ env {
+ name = "CAPTCHA_TEMPLATE_PATH"
+ value = "/etc/nginx/lua/plugins/crowdsec/templates/captcha.html"
+ }
+ env {
+ name = "BOUNCER_CONFIG"
+ value = "/crowdsec/crowdsec-bouncer.conf"
+ }
+ command = ["sh", "-c", "sh /docker_start.sh; mkdir -p /lua_plugins/crowdsec/; cp -r /crowdsec /lua_plugins/; chown -R 101:101 /lua_plugins/"]
+ volume_mount {
+ name = "crowdsec"
+ mount_path = "/lua_plugins"
+ }
+ }
+ # Share bouncer config
+ volume {
+ name = "crowdsec"
+ empty_dir {
+ }
+ }
 container {
 name = "controller"
 image = "registry.k8s.io/ingress-nginx/controller:v1.8.2@sha256:74834d3d25b336b62cabeb8bf7f1d788706e2cf1cfd64022de4137ade8881ff2"
 args = ["/nginx-ingress-controller", "--election-id=ingress-nginx-leader", "--controller-class=k8s.io/ingress-nginx", "--ingress-class=nginx", "--configmap=$(POD_NAMESPACE)/ingress-nginx-controller", "--validating-webhook=:8443", "--validating-webhook-certificate=/usr/local/certificates/cert", "--validating-webhook-key=/usr/local/certificates/key"]
+ volume_mount {
+ name = "crowdsec"
+ mount_path = "/etc/nginx/lua/plugins/crowdsec"
+ sub_path = "crowdsec"
+ }
 port {
 name = "http"
 container_port = 80
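Review bot: `API_KEY` and `SECRET_KEY` in the new `init_container` are set as literal `value = var.crowdsec_api_key` and `value = var.crowdsec_captcha_secret_key`, which writes both secrets in clear into the Deployment manifest (visible to anyone allowed to read deployments or pods in `ingress-nginx`) as well as into the Terraform state. Sourcing them from a `kubernetes_secret` through `value_from { secret_key_ref { … } }` keeps the values out of the pod spec and puts access behind RBAC on Secrets; the bouncer presumably still materialises them into `/crowdsec/crowdsec-bouncer.conf` on the shared `empty_dir`, which is inherent to this design, but that file is only reachable from inside the pod. Separately, `image = "crowdsecurity/lua-bouncer-plugin"` carries neither a tag nor a digest while the controller image just below is pinned by digest, so a pod restart can pull a different bouncer build than the one that was reviewed; pin it the same way. The enclosing `kubernetes_deployment` resource starts and ends outside the hunk.
```hcl
env {
  name = "API_KEY"
  value_from {
    secret_key_ref {
      # constructed reference: the kubernetes_secret resource is not part of this diff
      name = kubernetes_secret.crowdsec_bouncer.metadata[0].name
      key  = "api_key"
    }
  }
}
# … unchanged: CAPTCHA_PROVIDER and BOUNCING_ON_TYPE env blocks …
env {
  name = "SECRET_KEY"
  value_from {
    secret_key_ref {
      name = kubernetes_secret.crowdsec_bouncer.metadata[0].name
      key  = "captcha_secret_key"
    }
  }
}
# … unchanged: SITE_KEY and remaining env blocks, command, volume_mount …
```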
diff --git a/terraform.tfvars b/terraform.tfvars index 2c93c453..4ef1fd4c 100644 Binary files a/terraform.tfvars and b/terraform.tfvars differ