CrowdSec real enforcement: edge WAF (proxied) + firewall-bouncer (direct) #2

Merged
viktor merged 6 commits from wizard/crowdsec-enforcement into master 2026-06-20 09:42:41 +00:00
Showing only changes of commit 0ac176da01

@ -102,6 +102,15 @@ resource "kubernetes_config_map" "crowdsec_whitelist" {
reason: "Trusted IP - never block"
ip:
- "176.12.22.76"
cidr:
# Never ban internal/cluster/LAN/tailnet sources. Enforcement (edge
# Worker + firewall-bouncer) drops on real source IP, so an internal
# range slipping into a decision could blackhole legit traffic this
# makes that structurally impossible at the decision layer.
- "10.0.0.0/8" # k8s nodes/pods/services + VLAN 10/20
- "172.16.0.0/12" # RFC1918
- "192.168.0.0/16" # LAN (192.168.1.0/24) + Sofia
- "100.64.0.0/10" # Headscale tailnet (CGNAT)
---
name: viktor/immich-asset-paths-whitelist
description: "Don't penalise legit Immich timeline bursts (mobile scrub, web grid)"
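Review bot: the comment above the new `cidr:` entries says the whitelist makes internal-range bans "structurally impossible at the decision layer", but a `name`/`reason`/`ip`/`cidr` whitelist of this shape is a parser-stage whitelist, which discards matching events before any scenario runs, so no alert is produced for them either; a compromised pod, a LAN host, or a tailnet node hammering a service becomes invisible to CrowdSec, not merely exempt from blocking. Suggest stating that trade-off in the comment (and, if alert visibility for internal sources is wanted, noting where else it is covered), and splitting the run-on "could blackhole legit traffic this makes that structurally impossible" with a period after "traffic".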