viktor/infra
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

reenable crowdsec [ci skip]

Browse source
This commit is contained in:
Viktor Barzin 2025-08-31 15:20:57 +00:00
parent 5dea499248
commit d79f15cc89
6 changed files with 100 additions and 106 deletions
Download patch file Download diff file Expand all files Collapse all files

4
main.tf
View file

@ -65,6 +65,8 @@ variable "ingress_honeypotapikey" {}
variable "ingress_crowdsec_api_key" {}
variable "ingress_crowdsec_captcha_secret_key" {}
variable "ingress_crowdsec_captcha_site_key" {}
variable "crowdsec_enroll_key" { type = string }
variable "crowdsec_db_password" { type = string }
variable "vaultwarden_smtp_password" {}
variable "resume_database_url" {}
variable "resume_redis_url" {}
@ -379,6 +381,8 @@ module "kubernetes_cluster" {
ingress_crowdsec_api_key = var.ingress_crowdsec_api_key
ingress_crowdsec_captcha_secret_key = var.ingress_crowdsec_captcha_secret_key
ingress_crowdsec_captcha_site_key = var.ingress_crowdsec_captcha_site_key
crowdsec_enroll_key = var.crowdsec_enroll_key
crowdsec_db_password = var.crowdsec_db_password
vaultwarden_smtp_password = var.vaultwarden_smtp_password

85
modules/kubernetes/crowdsec/main.tf
View file

@ -1,6 +1,8 @@
variable "tls_secret_name" {}
variable "homepage_username" {}
variable "homepage_password" {}
variable "db_password" {}
variable "enroll_key" {}
module "tls_secret" {
source = "../setup_tls_secret"
@ -14,95 +16,16 @@ resource "kubernetes_namespace" "crowdsec" {
}
}
resource "kubernetes_persistent_volume" "db" {
metadata {
name = "crowdsec-db"
}
spec {
capacity = {
"storage" = "2Gi"
}
access_modes = ["ReadWriteOnce"]
persistent_volume_source {
nfs {
path = "/mnt/main/crowdsec/db"
server = "10.0.10.15"
}
}
claim_ref {
name = "crowdsec-db-pvc"
namespace = "crowdsec"
}
}
}
resource "kubernetes_persistent_volume" "config" {
metadata {
name = "crowdsec-config"
}
spec {
capacity = {
"storage" = "2Gi"
}
access_modes = ["ReadWriteOnce"]
persistent_volume_source {
nfs {
path = "/mnt/main/crowdsec/config"
server = "10.0.10.15"
}
}
claim_ref {
name = "crowdsec-config-pvc"
namespace = "crowdsec"
}
}
}
resource "helm_release" "crowdsec" {
namespace = "crowdsec"
create_namespace = true
name = "crowdsec"
atomic = true
version = "0.19.2"
version = "0.19.4"
repository = "https://crowdsecurity.github.io/helm-charts"
chart = "crowdsec"
values = [templatefile("${path.module}/values.yaml", { homepage_username = var.homepage_username, homepage_password = var.homepage_password })]
values = [templatefile("${path.module}/values.yaml", { homepage_username = var.homepage_username, homepage_password = var.homepage_password, DB_PASSWORD = var.db_password, ENROLL_KEY = var.enroll_key })]
timeout = 3600
}
# resource "kubernetes_ingress_v1" "metabase" {
# metadata {
# name = "metabase"
# namespace = "crowdsec"
# annotations = {
# "kubernetes.io/ingress.class" = "nginx"
# "nginx.ingress.kubernetes.io/auth-url" : "https://oauth2.viktorbarzin.me/oauth2/auth"
# "nginx.ingress.kubernetes.io/auth-signin" : "https://oauth2.viktorbarzin.me/oauth2/start?rd=/redirect/$http_host$escaped_request_uri"
# }
# }
# spec {
# tls {
# hosts = ["metabase.viktorbarzin.me"]
# secret_name = var.tls_secret_name
# }
# rule {
# host = "metabase.viktorbarzin.me"
# http {
# path {
# path = "/"
# backend {
# service {
# name = "crowdsec-service"
# port {
# number = 3000
# }
# }
# }
# }
# }
# }
# }
# }

65
modules/kubernetes/crowdsec/values.yaml
View file

@ -19,13 +19,56 @@ agent:
- name: COLLECTIONS
value: "crowdsecurity/nginx"
lapi:
replicas: 3
replicas: 1
extraSecrets:
dbPassword: "${DB_PASSWORD}"
storeCAPICredentialsInSecret: true
persistentVolume:
config:
enabled: false
data:
enabled: false
env:
- name: ENROLL_KEY
value: "${ENROLL_KEY}"
- name: ENROLL_INSTANCE_NAME
value: "k8s-cluster"
- name: ENROLL_TAGS
value: "k8s linux"
- name: DB_PASSWORD
valueFrom:
secretKeyRef:
name: crowdsec-lapi-secrets
key: dbPassword
# As it's a test, we don't want to share signals with CrowdSec, so disable the Online API.
# - name: DISABLE_ONLINE_API
# value: "true"
dashboard:
enabled: true
env:
- name: MB_DB_TYPE
value: "mysql"
- name: MB_DB_DBNAME
value: crowdsec-metabase
- name: MB_DB_USER
value: "crowdsec"
- name: MB_DB_PASS
value: "${DB_PASSWORD}"
- name: MB_DB_HOST
value: "mysql.dbaas.svc.cluster.local"
- name: MB_EMAIL_SMTP_USERNAME
value: "info@viktorbarzin.me"
- name: MB_EMAIL_FROM_ADDRESS
value: "info@viktorbarzin.me"
- name: MB_EMAIL_SMTP_HOST
value: "mailserver.mailserver.svc.cluster.local"
- name: MB_EMAIL_SMTP_PASSWORD
value: "" # Ignore for now as it's unclear what notifications we can get
- name: MB_EMAIL_SMTP_PORT
value: "587"
- name: MB_EMAIL_SMTP_SECURITY
value: "starttls"
ingress:
enabled: true
annotations:
@ -55,3 +98,23 @@ lapi:
enabled: true
strategy:
type: RollingUpdate
config:
config.yaml.local: |
db_config:
type: mysql
user: crowdsec
password: ${DB_PASSWORD}
db_name: crowdsec
host: mysql.dbaas.svc.cluster.local
port: 3306
api:
server:
auto_registration: # Activate if not using TLS for authentication
enabled: true
token: "$${REGISTRATION_TOKEN}" # /!\ do not change
allowed_ranges: # /!\ adapt to the pod IP ranges used by your cluster
- "127.0.0.1/32"
- "192.168.0.0/16"
- "10.0.0.0/8"
- "172.16.0.0/12"

2
modules/kubernetes/immich/chart_values.tpl
View file

@ -29,7 +29,7 @@ env:
# IMMICH_MACHINE_LEARNING_URL: "http://immich-machine-learning.immich.svc.cluster.local:3003"
image:
tag: v1.140.0
tag: v1.140.1
immich:
persistence:

16
modules/kubernetes/main.tf
View file

@ -52,6 +52,8 @@ variable "ingress_honeypotapikey" {}
variable "ingress_crowdsec_api_key" {}
variable "ingress_crowdsec_captcha_secret_key" {}
variable "ingress_crowdsec_captcha_site_key" {}
variable "crowdsec_enroll_key" { type = string }
variable "crowdsec_db_password" { type = string }
variable "vaultwarden_smtp_password" {}
variable "resume_database_url" {}
variable "resume_redis_url" {}
@ -423,12 +425,14 @@ module "nginx-ingress" {
crowdsec_captcha_site_key = var.ingress_crowdsec_captcha_site_key
}
# module "crowdsec" {
# source = "./crowdsec"
# tls_secret_name = var.tls_secret_name
# homepage_username = var.homepage_credentials["crowdsec"]["username"]
# homepage_password = var.homepage_credentials["crowdsec"]["password"]
# }
module "crowdsec" {
source = "./crowdsec"
tls_secret_name = var.tls_secret_name
homepage_username = var.homepage_credentials["crowdsec"]["username"]
homepage_password = var.homepage_credentials["crowdsec"]["password"]
enroll_key = var.crowdsec_enroll_key
db_password = var.crowdsec_db_password
}
# Seems like it needs S3 even if pg is local...
# module "resume" {

34
modules/kubernetes/nginx-ingress/main.tf
View file

@ -331,8 +331,8 @@ resource "kubernetes_config_map" "ingress_nginx_controller" {
setvar:tx.block_harvester_ip=1,\
setvar:tx.block_spammer_ip=1"
EOT
# plugins = "crowdsec" # metabase causing high cpu?
plugins = ""
plugins = "crowdsec"
# plugins = ""
lua-shared-dicts = "crowdsec_cache: 50m"
http-snippet : <<-EOT
proxy_cache_path /tmp/nginx-cache levels=1:2 keys_zone=static-cache:2m max_size=100m inactive=7d use_temp_path=off;
@ -522,23 +522,23 @@ resource "kubernetes_deployment" "ingress_nginx_controller" {
name = "MODE"
value = "stream"
}
# env {
# name = "CAPTCHA_PROVIDER"
# value = "recaptcha"
# }
env {
name = "BOUNCING_ON_TYPE"
# value = "all"
value = "ban"
name = "CAPTCHA_PROVIDER"
value = "recaptcha"
}
env {
name = "BOUNCING_ON_TYPE"
value = "all"
# value = "ban"
}
env {
name = "SECRET_KEY"
value = var.crowdsec_captcha_secret_key
}
env {
name = "SITE_KEY"
value = var.crowdsec_captcha_site_key
}
# env {
# name = "SECRET_KEY"
# value = var.crowdsec_captcha_secret_key
# }
# env {
# name = "SITE_KEY"
# value = var.crowdsec_captcha_site_key
# }
# env {
# name = "DISABLE_RUN"