Update to 2021-02-17 15:00

4 years ago · 8356a7bae1
parent 2260e74270
commit 8356a7bae1
4 changed files with 53 additions and 0 deletions
--- a/roles/crowdsec/defaults/main.yml
+++ b/roles/crowdsec/defaults/main.yml
@ -35,6 +35,10 @@ crowdsec_lapi_server: "{{ inventory_hostname }}"
 # Use the central API, to share your banned IP, and received list of IP to ban
 # Requires crowdsec_lapi_enabled to be true too
 crowdsec_capi_enabled: False
+# You can either register manuelly and the the user/pass with those variable
+# Else, ansible will register and configure the credentials
+# crowdsec_capi_user: 123456789
+# crowdsec_capi_pass: azertyuiop

 # Port on which the prometheus metric endpoint will bind to
 crowdsec_prometheus_port: 6060
--- a/roles/crowdsec/tasks/conf.yml
+++ b/roles/crowdsec/tasks/conf.yml
@ -42,3 +42,37 @@
      when: crowdsec_lapi_registration.rc == 0

  tags: crowdsec
+
+- when:
+    - crowdsec_capi_enabled
+    - crowdsec_capi_user is not defined or crowdsec_capi_pass is not defined
+    - not crowdsec_capi_user_file.stat.exists or not crowdsec_capi_pass_file.stat.exists
+  block:
+    - name: Register on the central API
+      command: cscli capi register -o raw -f /dev/stdout
+      register: crowdsec_capi_credentials
+    - set_fact: crowdsec_capi_credentials_yaml={{ crowdsec_capi_credentials.stdout | from_yaml }}
+    - copy: content={{ crowdsec_capi_credentials_yaml.login }} dest=/etc/crowdsec/meta/capi_user mode=600
+    - copy: content={{ crowdsec_capi_credentials_yaml.password }} dest=/etc/crowdsec/meta/capi_pass mode=600
+    - set_fact: crowdsec_capi_user={{ crowdsec_capi_credentials_yaml.login }}
+    - set_fact: crowdsec_capi_pass={{ crowdsec_capi_credentials_yaml.password }}
+  tags: crowdsec
+
+- when:
+    - crowdsec_capi_enabled
+    - crowdsec_capi_user is not defined or crowdsec_capi_pass is not defined
+    - crowdsec_capi_user_file.stat.exists
+    - crowdsec_capi_pass_file.stat.exists
+  block:
+    - slurp: src=/etc/crowdsec/meta/capi_user
+      register: crowdsec_capi_user_meta
+    - set_fact: crowdsec_capi_user={{ crowdsec_capi_user_meta.content | b64decode | trim }}
+    - slurp: src=/etc/crowdsec/meta/capi_pass
+      register: crowdsec_capi_pass_meta
+    - set_fact: crowdsec_capi_pass={{ crowdsec_capi_pass_meta.content | b64decode | trim }}
+  tags: crowdsec
+
+- name: Deploy online credentials config
+  template: src=online_api_credentials.yaml.j2 dest=/etc/crowdsec/online_api_credentials.yaml mode=600
+  notify: reload crowdsec
+  tags: crowdsec
--- a/roles/crowdsec/tasks/facts.yml
+++ b/roles/crowdsec/tasks/facts.yml
@ -43,3 +43,11 @@
    - crowdsec_lapi_enabled
  tags: crowdsec

+# Check if central API credentials are available in the meta dir
+- name: Check central API credential files
+  block: 
+    - stat: path=/etc/crowdsec/meta/capi_user
+      register: crowdsec_capi_user_file
+    - stat: path=/etc/crowdsec/meta/capi_pass
+      register: crowdsec_capi_pass_file
+  tags: crowdsec
--- a/roles/crowdsec/templates/online_api_credentials.yaml.j2
+++ b/roles/crowdsec/templates/online_api_credentials.yaml.j2
@ -0,0 +1,7 @@
+url: https://api.crowdsec.net/
+{% if crowdsec_capi_user is defined %}
+login: {{ crowdsec_capi_user }}
+{% endif %}
+{% if crowdsec_capi_pass is defined %}
+password: {{ crowdsec_capi_pass }}
+{% endif %}