From e236a65c52ed4a8910d11de35f6333cce8bed06c Mon Sep 17 00:00:00 2001
From: Viktor Barzin
Date: Fri, 24 Nov 2023 11:08:25 +0000
Subject: [PATCH] add crowdsec module [ci skip]
---
.../crowdsec/crowdsec-ingress-bouncer.yaml | 44 ++++++++
modules/kubernetes/crowdsec/main.tf | 105 ++++++++++++++++++
modules/kubernetes/crowdsec/values.yaml | 49 ++++++++
modules/kubernetes/main.tf | 7 +-
4 files changed, 204 insertions(+), 1 deletion(-)
create mode 100644 modules/kubernetes/crowdsec/crowdsec-ingress-bouncer.yaml
create mode 100644 modules/kubernetes/crowdsec/main.tf
create mode 100644 modules/kubernetes/crowdsec/values.yaml
diff --git a/modules/kubernetes/crowdsec/crowdsec-ingress-bouncer.yaml b/modules/kubernetes/crowdsec/crowdsec-ingress-bouncer.yaml
new file mode 100644
index 00000000..fe8ba008
--- /dev/null
+++ b/modules/kubernetes/crowdsec/crowdsec-ingress-bouncer.yaml
@@ -0,0 +1,44 @@
+controller:
+ extraVolumes:
+ - name: crowdsec-bouncer-plugin
+ emptyDir: {}
+ extraInitContainers:
+ - name: init-clone-crowdsec-bouncer
+ image: crowdsecurity/lua-bouncer-plugin
+ imagePullPolicy: IfNotPresent
+ env:
+ - name: API_URL
+ value: "http://crowdsec-service.crowdsec.svc.cluster.local:8080" # crowdsec lapi service-name
+ - name: API_KEY
+ value: "" # generated with `cscli bouncers add -n
+ - name: BOUNCER_CONFIG
+ value: "/crowdsec/crowdsec-bouncer.conf"
+ - name: CAPTCHA_PROVIDER
+ value: "recaptcha" # valid providers are recaptcha, hcaptcha, turnstile
+ - name: SECRET_KEY
+ value: "" # If you want captcha support otherwise remove this ENV VAR
+ - name: SITE_KEY
+ value: "" # If you want captcha support otherwise remove this ENV VAR
+ - name: BAN_TEMPLATE_PATH
+ value: /etc/nginx/lua/plugins/crowdsec/templates/ban.html
+ - name: CAPTCHA_TEMPLATE_PATH
+ value: /etc/nginx/lua/plugins/crowdsec/templates/captcha.html
+ command:
+ [
+ "sh",
+ "-c",
+ "sh /docker_start.sh; mkdir -p /lua_plugins/crowdsec/; cp -R /crowdsec/* /lua_plugins/crowdsec/",
+ ]
+ volumeMounts:
+ - name: crowdsec-bouncer-plugin
+ mountPath: /lua_plugins
+ extraVolumeMounts:
+ - name: crowdsec-bouncer-plugin
+ mountPath: /etc/nginx/lua/plugins/crowdsec
+ subPath: crowdsec
+ config:
+ plugins: "crowdsec"
+ lua-shared-dicts: "crowdsec_cache: 50m"
+ server-snippet: |
+ lua_ssl_trusted_certificate "/etc/ssl/certs/ca-certificates.crt"; # If you want captcha support otherwise remove this line
+ resolver local=on ipv6=off;
diff --git a/modules/kubernetes/crowdsec/main.tf b/modules/kubernetes/crowdsec/main.tf
new file mode 100644
index 00000000..871b8241
--- /dev/null
+++ b/modules/kubernetes/crowdsec/main.tf
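Review bot: `API_KEY` is committed as the literal `""` with a comment that is cut off mid-command (`# generated with \`cscli bouncers add -n`), so as written the bouncer init container starts with no LAPI key, and once a real key is pasted in it lives in plaintext in the repo and the pod spec. Source it from a Secret instead, e.g. `- name: API_KEY` / `valueFrom:` / `secretKeyRef: { name: <bouncer-key-secret>, key: <key-field> }` (placeholders), and complete the comment with the full `cscli bouncers add -n <bouncer-name>` command. The init `command` chains `sh /docker_start.sh; mkdir -p …; cp -R …` with `;`, so a failed download or copy still exits 0 and the controller starts with an empty plugin directory; `&&` would fail the init container instead. Note that `helm_release.crowdsec` in main.tf only passes `values.yaml`, and the line that would reference this file is commented out and misspells its path (`rowdsec-ingress-bouncer.yaml`), so nothing in this commit actually applies this bouncer configuration.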
@@ -0,0 +1,105 @@
+variable "tls_secret_name" {}
+
+module "tls_secret" {
+ source = "../setup_tls_secret"
+ namespace = "crowdsec"
+ tls_secret_name = var.tls_secret_name
+}
+
+resource "kubernetes_namespace" "crowdsec" {
+ metadata {
+ name = "crowdsec"
+ }
+}
+
+resource "kubernetes_persistent_volume" "db" {
+ metadata {
+ name = "crowdsec-db"
+ }
+ spec {
+ capacity = {
+ "storage" = "2Gi"
+ }
+ access_modes = ["ReadWriteOnce"]
+ persistent_volume_source {
+ nfs {
+ path = "/mnt/main/crowdsec/db"
+ server = "10.0.10.15"
+ }
+ }
+ claim_ref {
+ name = "crowdsec-db-pvc"
+ namespace = "crowdsec"
+ }
+ }
+}
+
+resource "kubernetes_persistent_volume" "config" {
+ metadata {
+ name = "crowdsec-config"
+ }
+ spec {
+ capacity = {
+ "storage" = "2Gi"
+ }
+ access_modes = ["ReadWriteOnce"]
+ persistent_volume_source {
+ nfs {
+ path = "/mnt/main/crowdsec/config"
+ server = "10.0.10.15"
+ }
+ }
+ claim_ref {
+ name = "crowdsec-config-pvc"
+ namespace = "crowdsec"
+ }
+ }
+}
+
+resource "helm_release" "crowdsec" {
+ namespace = "crowdsec"
+ create_namespace = true
+ name = "crowdsec"
+ atomic = true
+
+ repository = "https://crowdsecurity.github.io/helm-charts"
+ chart = "crowdsec"
+
+ values = [templatefile("${path.module}/values.yaml", {})]
+ # values = [templatefile("${path.module}/rowdsec-ingress-bouncer.yaml", {})]
+}
+
+resource "kubernetes_ingress_v1" "metabase" {
+ metadata {
+ name = "metabase"
+ namespace = "crowdsec"
+ annotations = {
+ "kubernetes.io/ingress.class" = "nginx"
+ # "nginx.ingress.kubernetes.io/auth-url" : "https://oauth2.viktorbarzin.me/oauth2/auth"
+ # "nginx.ingress.kubernetes.io/auth-signin" : "https://oauth2.viktorbarzin.me/oauth2/start?rd=/redirect/$http_host$escaped_request_uri"
+ }
+ }
+
+ spec {
+ tls {
+ hosts = ["metabase.viktorbarzin.me"]
+ secret_name = var.tls_secret_name
+ }
+ rule {
+ host = "metabase.viktorbarzin.me"
+ http {
+ path {
+ path = "/"
+ backend {
+ service {
+ name = "crowdsec-service"
+ port {
+ number = 3000
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+}
diff --git a/modules/kubernetes/crowdsec/values.yaml b/modules/kubernetes/crowdsec/values.yaml
new file mode 100644
index 00000000..1b9e620d
--- /dev/null
+++ b/modules/kubernetes/crowdsec/values.yaml
@@ -0,0 +1,49 @@
+container_runtime: containerd
+
+agent:
+ # To specify each pod you want to process it logs (pods present in the node)
+ acquisition:
+ # The namespace where the pod is located
+ - namespace: ingress-nginx
+ # The pod name
+ podName: ingress-nginx-controller-*
+ # as in crowdsec configuration, we need to specify the program name so the parser will match and parse logs
+ program: nginx
+ # Those are ENV variables
+ env:
+ # As it's a test, we don't want to share signals with CrowdSec so disable the Online API.
+ - name: DISABLE_ONLINE_API
+ value: "true"
+ # As we are running Nginx, we want to install the Nginx collection
+ - name: COLLECTIONS
+ value: "crowdsecurity/nginx"
+lapi:
+ env:
+ # As it's a test, we don't want to share signals with CrowdSec, so disable the Online API.
+ - name: DISABLE_ONLINE_API
+ value: "true"
+ ingress:
+ enabled: true
+ annotations:
+ # we only want http to the backend so we need this annotation
+ nginx.ingress.kubernetes.io/backend-protocol: "HTTP"
+ # labels: {}
+ ingressClassName: "nginx"
+ host: "crowdsec.viktorbarzin.me" # crowdsec-api.example.com
+ tls:
+ - hosts:
+ - crowdsec.viktorbarzin.me
+ secretName: "tls-secret"
+ dashboard:
+ # -- Enable Metabase Dashboard (by default disabled)
+ enabled: true
+ annotations:
+ # metabase only supports http so we need this annotation
+ nginx.ingress.kubernetes.io/backend-protocol: "HTTP"
+ # labels: {}
+ ingressClassName: "nginx" # nginx
+ host: "crowdsec.viktorbarzin.me" # crowdsec-api.example.com
+ tls:
+ - hosts:
+ - crowdsec.viktorbarzin.me
+ secretName: "tls-secret"
diff --git a/modules/kubernetes/main.tf b/modules/kubernetes/main.tf
index 421a4919..ff07a588 100644
--- a/modules/kubernetes/main.tf
+++ b/modules/kubernetes/main.tf
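Review bot: The `kubernetes_ingress_v1.metabase` resource publishes the CrowdSec Metabase dashboard on `metabase.viktorbarzin.me` with the `auth-url`/`auth-signin` annotations commented out, so the Metabase login page is reachable directly, and the chart presumably provisions that dashboard with a default login unless overridden — worth confirming before this is applied. Either restore the two `nginx.ingress.kubernetes.io/auth-url` / `auth-signin` annotations so the oauth2 proxy fronts it, or add a comment stating why this ingress is exempt. Separately, `helm_release.crowdsec` sets `create_namespace = true` while `kubernetes_namespace.crowdsec` also manages the namespace, and neither the release nor the two PVs (whose `claim_ref` targets that namespace) declare `depends_on`, so a first apply can race; dropping `create_namespace` and adding `depends_on = [kubernetes_namespace.crowdsec]` resolves it. The commented-out values line also misspells the file it points at (`rowdsec-ingress-bouncer.yaml`). Whether `crowdsec-service` on port 3000 is the dashboard service the chart creates cannot be checked from this hunk.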
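Review bot: `lapi.ingress` and `lapi.dashboard` both set `host: "crowdsec.viktorbarzin.me"`, so two Ingress objects claim the same host and path and which backend nginx routes to is not well-defined; give the dashboard its own host or disable `lapi.ingress`. The bouncer config in this commit reaches the LAPI via the cluster-internal `crowdsec-service.crowdsec.svc.cluster.local:8080` URL, so exposing the LAPI through a public ingress looks unnecessary and only widens the exposure of the API that distributes decisions. `secretName: "tls-secret"` is hard-coded in both places while main.tf calls `templatefile("${path.module}/values.yaml", {})` with an empty map; passing `{ tls_secret_name = var.tls_secret_name }` and writing `secretName: "${tls_secret_name}"` keeps it consistent with the rest of the module. The "As it's a test, we don't want to share signals" comments are carried over from the upstream example and no longer describe this deployment, so they should be rewritten or removed.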
@@ -313,7 +313,7 @@ module "dashy" {
 module "vaultwarden" {
 source = "./vaultwarden"
 tls_secret_name = var.tls_secret_name
- smtp_password = var.vaultwarden_smtp_password
+ smtp_password = var.vaultwarden_smtp_password
 }
 
 module "reverse-proxy" {
@@ -347,3 +347,8 @@ module "nginx-ingress" {
 source = "./nginx-ingress"
 honeypotapikey = var.ingress_honeypotapikey
 }
+
+module "crowdsec" {
+ source = "./crowdsec"
+ tls_secret_name = var.tls_secret_name
+}