diff --git a/roles/crowdsec/defaults/main.yml b/roles/crowdsec/defaults/main.yml index 257e718..700d6e1 100644 --- a/roles/crowdsec/defaults/main.yml +++ b/roles/crowdsec/defaults/main.yml 
@@ -1,71 +1,71 @@ --- # Version to install -crowdsec_version: 1.0.7 +cs_version: 1.0.7 # URL of the archive -crowdsec_archive_url: https://github.com/crowdsecurity/crowdsec/releases/download/v{{ crowdsec_version }}/crowdsec-release.tgz +cs_archive_url: https://github.com/crowdsecurity/crowdsec/releases/download/v{{ cs_version }}/crowdsec-release.tgz # Expected sha1 of the archive -crowdsec_archive_sha1: 7c9dc58c6648c8fd43b297427d6a53fe940cbf13 +cs_archive_sha1: 7c9dc58c6648c8fd43b297427d6a53fe940cbf13 # Can be sqlite or mysql -crowdsec_db_engine: sqlite +cs_db_engine: sqlite # This is for mysql backend -crowdsec_db_server: "{{ mysql_server | default('localhost') }}" -crowdsec_db_port: 3306 -crowdsec_db_name: crowdsec -crowdsec_db_user: crowdsec +cs_db_server: "{{ mysql_server | default('localhost') }}" +cs_db_port: 3306 +cs_db_name: crowdsec +cs_db_user: crowdsec # If not defined, a random one will be generated and store in /etc/crowdsec/meta/ansible_dbpass -# crowdsec_db_pass: S3cr3t. +# cs_db_pass: S3cr3t. # You can disable the Local API, if using a remote one for example -crowdsec_lapi_enabled: True +cs_lapi_enabled: True # Set to true if Local API is enabled, and you intend to use it through a trusted reverse proxy -crowdsec_use_forwarded_headers: False +cs_use_forwarded_headers: False # Port on which the Local API will listen -crowdsec_lapi_port: 8080 -# List of IP/CIDR allowed to access crowdsec_lapi_port -crowdsec_lapi_src_ip: [] +cs_lapi_port: 8080 +# List of IP/CIDR allowed to access cs_lapi_port +cs_lapi_src_ip: [] # Address of the Local API server # The default config will make it standalone -crowdsec_lapi_url: http://localhost:{{ crowdsec_lapi_port }}/ -crowdsec_lapi_user: "{{ inventory_hostname }}" +cs_lapi_url: http://localhost:{{ cs_lapi_port }}/ +cs_lapi_user: "{{ inventory_hostname }}" # On installation, ansible will register this host on the Local API # And will then validate the registration on the following server. 
# So set it to your own Local API server so ansible will delegate the task -crowdsec_lapi_server: "{{ inventory_hostname }}" +cs_lapi_server: "{{ inventory_hostname }}" # Use the central API, to share your banned IP, and received list of IP to ban -# Requires crowdsec_lapi_enabled to be true too -crowdsec_capi_enabled: False +# Requires cs_lapi_enabled to be true too +cs_capi_enabled: False # You can either register manuelly and the the user/pass with those variable # Else, ansible will register and configure the credentials -# crowdsec_capi_user: 123456789 -# crowdsec_capi_pass: azertyuiop +# cs_capi_user: 123456789 +# cs_capi_pass: azertyuiop # Port on which the prometheus metric endpoint will bind to -crowdsec_prometheus_port: 6060 +cs_prometheus_port: 6060 # List of IP/CIDR allowed to access the prometheus port -crowdsec_prometheus_src_ip: [] +cs_prometheus_src_ip: [] # Default duration of a ban -crowdsec_ban_duration: 15m +cs_ban_duration: 15m # List of parsers to install from the hub -crowdsec_parsers: - - crowdsecurity/syslog-logs - - crowdsecurity/geoip-enrich - - crowdsecurity/dateparse-enrich - - crowdsecurity/whitelists +cs_parsers: [] +# - crowdsecurity/syslog-logs +# - crowdsecurity/geoip-enrich +# - crowdsecurity/dateparse-enrich +# - crowdsecurity/whitelists # - crowdsecurity/sshd-logs # - crowdsecurity/iptables-logs # List of scenarios to install from the hub -crowdsec_scenarios: - - crowdsecurity/ban-defcon-drop_range +cs_scenarios: [] +# - crowdsecurity/ban-defcon-drop_range # - crowdsecurity/ssh-bf # List of postoverflows to install from the hub -crowdsec_postoverflows: - - crowdsecurity/cdn-whitelist - - crowdsecurity/rdns - - crowdsecurity/seo-bots-whitelist +cs_postoverflows: [] +# - crowdsecurity/cdn-whitelist +# - crowdsecurity/rdns +# - crowdsecurity/seo-bots-whitelist diff --git a/roles/crowdsec/meta/main.yml b/roles/crowdsec/meta/main.yml index f5eb73e..9e7d40e 100644 --- a/roles/crowdsec/meta/main.yml +++ b/roles/crowdsec/meta/main.yml 
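Review bot: In roles/crowdsec/defaults/main.yml the rename also empties `cs_parsers`, `cs_scenarios` and `cs_postoverflows` (the former entries are now comments), so a host deployed with the role defaults installs no parser or scenario from the hub and would presumably detect nothing. If the lists are now meant to come from the inventory, say so above each variable, for example `# Empty by default: set cs_parsers in the inventory, nothing is parsed otherwise`. Separately, inventories that still set the old `crowdsec_*` names (for instance `crowdsec_lapi_src_ip` or `crowdsec_db_pass`) will be ignored silently after this rename. An early `assert` task that fails when a `crowdsec_`-prefixed variable is still defined would make that visible.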
@@ -2,4 +2,4 @@ dependencies: - role: mysql_server - when: crowdsec_db_server in ['localhost','127.0.0.1'] + when: cs_db_server in ['localhost','127.0.0.1'] diff --git a/roles/crowdsec/tasks/cleanup.yml b/roles/crowdsec/tasks/cleanup.yml index 167e790..300acdf 100644 --- a/roles/crowdsec/tasks/cleanup.yml +++ b/roles/crowdsec/tasks/cleanup.yml @@ -4,5 +4,5 @@ file: path={{ item }} state=absent loop: - /tmp/crowdsec-release.tgz - - /tmp/crowdsec-v{{ crowdsec_version }} - tags: crowdsec + - /tmp/crowdsec-v{{ cs_version }} + tags: cs diff --git a/roles/crowdsec/tasks/conf.yml b/roles/crowdsec/tasks/conf.yml index 3703198..61e77b7 100644 --- a/roles/crowdsec/tasks/conf.yml +++ b/roles/crowdsec/tasks/conf.yml 
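Review bot: The dependency condition in roles/crowdsec/meta/main.yml tests only `cs_db_server`, which resolves to `localhost` unless `mysql_server` is set, so the `mysql_server` role is pulled in even when `cs_db_engine` is left at its default `sqlite`. Presumably that installs a database server the host does not need, which is avoidable attack surface. Gate the dependency on the engine as well: `when: cs_db_engine == 'mysql' and cs_db_server in ['localhost','127.0.0.1']`.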
@@ -9,45 +9,45 @@ - profiles.yaml - parsers/s02-enrich/trusted_ip.yaml notify: reload crowdsec - tags: crowdsec + tags: cs # Create the database - import_tasks: ../includes/webapps_create_mysql_db.yml vars: - - db_name: "{{ crowdsec_db_name }}" - - db_user: "{{ crowdsec_db_user }}" - - db_server: "{{ crowdsec_db_server }}" - - db_pass: "{{ crowdsec_db_pass }}" + - db_name: "{{ cs_db_name }}" + - db_user: "{{ cs_db_user }}" + - db_server: "{{ cs_db_server }}" + - db_pass: "{{ cs_db_pass }}" when: - - crowdsec_db_engine == 'mysql' - - crowdsec_lapi_enabled - tags: crowdsec + - cs_db_engine == 'mysql' + - cs_lapi_enabled + tags: cs -- when: crowdsec_lapi_pass is not defined +- when: cs_lapi_pass is not defined block: - name: Declare on the local API - command: cscli machines add {{ crowdsec_lapi_user }} --auto --force --file /dev/stdout --output raw - register: crowdsec_lapi_credentials - delegate_to: "{{ crowdsec_lapi_server }}" - - set_fact: crowdsec_lapi_credentials_yaml={{ crowdsec_lapi_credentials.stdout | from_yaml }} - - copy: content={{ crowdsec_lapi_credentials_yaml.password }} dest=/etc/crowdsec/meta/lapi_pass mode=600 - - set_fact: crowdsec_lapi_pass={{ crowdsec_lapi_credentials_yaml.password }} - tags: crowdsec + command: cscli machines add {{ cs_lapi_user }} --auto --force --file /dev/stdout --output raw + register: cs_lapi_credentials + delegate_to: "{{ cs_lapi_server }}" + - set_fact: cs_lapi_credentials_yaml={{ cs_lapi_credentials.stdout | from_yaml }} + - copy: content={{ cs_lapi_credentials_yaml.password }} dest=/etc/crowdsec/meta/lapi_pass mode=600 + - set_fact: cs_lapi_pass={{ cs_lapi_credentials_yaml.password }} + tags: cs - when: - - crowdsec_lapi_enabled - - crowdsec_capi_enabled - - crowdsec_capi_user is not defined or crowdsec_capi_pass is not defined + - cs_lapi_enabled + - cs_capi_enabled + - cs_capi_user is not defined or cs_capi_pass is not defined block: - name: Register on the central API command: cscli capi register -o raw -f 
/dev/stdout - register: crowdsec_capi_credentials - - set_fact: crowdsec_capi_credentials_yaml={{ crowdsec_capi_credentials.stdout | from_yaml }} - - copy: content={{ crowdsec_capi_credentials_yaml.login }} dest=/etc/crowdsec/meta/capi_user mode=600 - - copy: content={{ crowdsec_capi_credentials_yaml.password }} dest=/etc/crowdsec/meta/capi_pass mode=600 - - set_fact: crowdsec_capi_user={{ crowdsec_capi_credentials_yaml.login }} - - set_fact: crowdsec_capi_pass={{ crowdsec_capi_credentials_yaml.password }} - tags: crowdsec + register: cs_capi_credentials + - set_fact: cs_capi_credentials_yaml={{ cs_capi_credentials.stdout | from_yaml }} + - copy: content={{ cs_capi_credentials_yaml.login }} dest=/etc/crowdsec/meta/capi_user mode=600 + - copy: content={{ cs_capi_credentials_yaml.password }} dest=/etc/crowdsec/meta/capi_pass mode=600 + - set_fact: cs_capi_user={{ cs_capi_credentials_yaml.login }} + - set_fact: cs_capi_pass={{ cs_capi_credentials_yaml.password }} + tags: cs - name: Deploy credentials config template: src={{ item }}_api_credentials.yaml.j2 dest=/etc/crowdsec/{{ item }}_api_credentials.yaml mode=600 
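Review bot: The two credential blocks in roles/crowdsec/tasks/conf.yml (`cscli machines add` and `cscli capi register`) register command output that contains the generated password and pass it through `set_fact` and `copy: content=...` without `no_log`. The secret can therefore appear in verbose Ansible output and in any callback or log that records task results. Add `no_log: true` at the level of each `block:`; the `slurp`/`set_fact` tasks that read `lapi_pass`, `capi_user` and `capi_pass` back in roles/crowdsec/tasks/facts.yml have the same exposure. The free-form `content={{ ... }}` argument is also split on whitespace, so writing these `copy` tasks with YAML arguments (`content:`, `dest:`, `mode: "0600"`) is safer should a credential ever contain a space.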
@@ -55,64 +55,64 @@ - online - local notify: restart crowdsec - tags: crowdsec + tags: cs - name: List installed parsers shell: cscli parsers list -o json - register: crowdsec_installed_parsers + register: cs_installed_parsers changed_when: False - tags: crowdsec + tags: cs - name: Install parsers command: cscli parsers install {{ item }} - when: item not in crowdsec_installed_parsers.stdout | from_json | map(attribute='name') | list - loop: "{{ crowdsec_parsers }}" + when: item not in cs_installed_parsers.stdout | from_json | map(attribute='name') | list + loop: "{{ cs_parsers }}" notify: reload crowdsec - tags: crowdsec + tags: cs - name: Upgrade parsers command: csscli parsers upgrade {{ item }} - loop: "{{ crowdsec_parsers }}" - when: crowdsec_install_mode == 'upgrade' + loop: "{{ cs_parsers }}" + when: cs_install_mode == 'upgrade' notify: reload crowdsec - tags: crowdsec + tags: cs - name: List installed scenarios command: cscli scenarios list -o json - register: crowdsec_installed_scenarios + register: cs_installed_scenarios changed_when: False - tags: crowdsec + tags: cs - name: Install scenarios command: cscli scenarios install {{ item }} - when: item not in crowdsec_installed_scenarios.stdout | from_json | map(attribute='name') | list - loop: "{{ crowdsec_scenarios }}" + when: item not in cs_installed_scenarios.stdout | from_json | map(attribute='name') | list + loop: "{{ cs_scenarios }}" notify: reload crowdsec - tags: crowdsec + tags: cs - name: Upgrade scenarios command: csscli scenarios upgrade {{ item }} - loop: "{{ crowdsec_scenarios }}" - when: crowdsec_install_mode == 'upgrade' + loop: "{{ cs_scenarios }}" + when: cs_install_mode == 'upgrade' notify: reload crowdsec - tags: crowdsec + tags: cs - name: List installed postoverflows command: cscli postoverflows list -o json - register: crowdsec_installed_postoverflows + register: cs_installed_postoverflows changed_when: False - tags: crowdsec + tags: cs - name: Install postoverflows command: cscli 
postoverflows install {{ item }} - when: item not in crowdsec_installed_postoverflows.stdout | from_json | map(attribute='name') | list - loop: "{{ crowdsec_postoverflows }}" + when: item not in cs_installed_postoverflows.stdout | from_json | map(attribute='name') | list + loop: "{{ cs_postoverflows }}" notify: reload crowdsec - tags: crowdsec + tags: cs - name: Upgrade postoverflows command: csscli postoverflows upgrade {{ item }} - loop: "{{ crowdsec_postoverflows }}" - when: crowdsec_install_mode == 'upgrade' + loop: "{{ cs_postoverflows }}" + when: cs_install_mode == 'upgrade' notify: reload crowdsec - tags: crowdsec + tags: cs diff --git a/roles/crowdsec/tasks/directories.yml b/roles/crowdsec/tasks/directories.yml index 4d82a7b..86fe46c 100644 --- a/roles/crowdsec/tasks/directories.yml +++ b/roles/crowdsec/tasks/directories.yml @@ -14,4 +14,4 @@ - dir: /etc/crowdsec/scenarios - dir: /etc/crowdsec/postoverflows/s00-enrich - dir: /etc/crowdsec/postoverflows/s01-whitelist - tags: crowdsec + tags: cs diff --git a/roles/crowdsec/tasks/facts.yml b/roles/crowdsec/tasks/facts.yml index fe31470..119ee78 100644 --- a/roles/crowdsec/tasks/facts.yml +++ b/roles/crowdsec/tasks/facts.yml 
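Review bot: The three upgrade tasks in roles/crowdsec/tasks/conf.yml (parsers, scenarios, postoverflows) call `csscli`, while every other task in the file calls `cscli`. This looks like a typo carried over on the unchanged lines, and the play would presumably fail on a missing executable once `cs_install_mode == 'upgrade'` and the corresponding list is not empty. The lines should read `command: cscli parsers upgrade {{ item }}`, and likewise for `scenarios` and `postoverflows`; until then an upgrade run cannot refresh the hub detection content. Minor: `List installed parsers` uses `shell` where the two sibling list tasks use `command`, which is enough since there is no shell syntax.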
@@ -2,34 +2,34 @@ - name: Set initial facts block: - - set_fact: crowdsec_install_mode='none' - - set_fact: crowdsec_current_version='' - tags: crowdsec + - set_fact: cs_install_mode='none' + - set_fact: cs_current_version='' + tags: cs - name: Check if crowdsec is installed stat: path=/usr/local/bin/crowdsec - register: crowdsec_bin - tags: crowdsec + register: cs_bin + tags: cs - name: Check installed version shell: | crowdsec -version 2>&1 | perl -ne 'm/version: v(\d+(\.\d+)*)/ && print $1' - register: crowdsec_current_version + register: cs_current_version changed_when: False - when: crowdsec_bin.stat.exists - tags: crowdsec + when: cs_bin.stat.exists + tags: cs - name: Set install mode - set_fact: crowdsec_install_mode='install' - when: not crowdsec_bin.stat.exists - tags: crowdsec + set_fact: cs_install_mode='install' + when: not cs_bin.stat.exists + tags: cs - name: Set upgrade mode - set_fact: crowdsec_install_mode='upgrade' + set_fact: cs_install_mode='upgrade' when: - - crowdsec_bin.stat.exists - - crowdsec_current_version.stdout != crowdsec_version - tags: crowdsec + - cs_bin.stat.exists + - cs_current_version.stdout != cs_version + tags: cs # Create a random db password if needed - block: 
@@ -37,48 +37,48 @@ vars: - pass_file: "/etc/crowdsec/meta/ansible_db_pass" - complex: False - - set_fact: crowdsec_db_pass={{ rand_pass }} + - set_fact: cs_db_pass={{ rand_pass }} when: - - crowdsec_db_pass is not defined - - crowdsec_lapi_enabled - tags: crowdsec + - cs_db_pass is not defined + - cs_lapi_enabled + tags: cs # Check if local API credentials are available in the meta dir - name: Check local API credential files stat: path=/etc/crowdsec/meta/lapi_pass - register: crowdsec_lapi_pass_file - tags: crowdsec + register: cs_lapi_pass_file + tags: cs - name: Read the local API pass block: - slurp: src=/etc/crowdsec/meta/lapi_pass - register: crowdsec_lapi_pass_meta - - set_fact: crowdsec_lapi_pass={{ crowdsec_lapi_pass_meta.content | b64decode | trim }} - when: crowdsec_lapi_pass is not defined and crowdsec_lapi_pass_file.stat.exists - tags: crowdsec + register: cs_lapi_pass_meta + - set_fact: cs_lapi_pass={{ cs_lapi_pass_meta.content | b64decode | trim }} + when: cs_lapi_pass is not defined and cs_lapi_pass_file.stat.exists + tags: cs # Check if central API credentials are available in the meta dir - name: Check central API credential files block: - stat: path=/etc/crowdsec/meta/capi_user - register: crowdsec_capi_user_file + register: cs_capi_user_file - stat: path=/etc/crowdsec/meta/capi_pass - register: crowdsec_capi_pass_file - tags: crowdsec + register: cs_capi_pass_file + tags: cs - name: Read the central API user block: - slurp: src=/etc/crowdsec/meta/capi_user - register: crowdsec_capi_user_meta - - set_fact: crowdsec_capi_user={{ crowdsec_capi_user_meta.content | b64decode | trim }} - when: crowdsec_capi_user is not defined and crowdsec_capi_user_file.stat.exists - tags: crowdsec + register: cs_capi_user_meta + - set_fact: cs_capi_user={{ cs_capi_user_meta.content | b64decode | trim }} + when: cs_capi_user is not defined and cs_capi_user_file.stat.exists + tags: cs - name: Read the central API pass block: - slurp: src=/etc/crowdsec/meta/capi_pass 
- register: crowdsec_capi_pass_meta - - set_fact: crowdsec_capi_pass={{ crowdsec_capi_pass_meta.content | b64decode | trim }} - when: crowdsec_capi_pass is not defined and crowdsec_capi_pass_file.stat.exists - tags: crowdsec + register: cs_capi_pass_meta + - set_fact: cs_capi_pass={{ cs_capi_pass_meta.content | b64decode | trim }} + when: cs_capi_pass is not defined and cs_capi_pass_file.stat.exists + tags: cs diff --git a/roles/crowdsec/tasks/install.yml b/roles/crowdsec/tasks/install.yml index 9d58de3..1d691e8 100644 --- a/roles/crowdsec/tasks/install.yml +++ b/roles/crowdsec/tasks/install.yml @@ -1,12 +1,12 @@ --- -- when: crowdsec_install_mode != 'none' +- when: cs_install_mode != 'none' block: - name: Download crowdsec get_url: - url: "{{ crowdsec_archive_url }}" + url: "{{ cs_archive_url }}" dest: /tmp/ - checksum: sha1:{{ crowdsec_archive_sha1 }} + checksum: sha1:{{ cs_archive_sha1 }} - name: Extract crowdsec unarchive: @@ -15,19 +15,19 @@ remote_src: True - name: Install or upgrade crowdsec - command: ./wizard.sh --bin{{ crowdsec_install_mode }} + command: ./wizard.sh --bin{{ cs_install_mode }} args: - chdir: /tmp/crowdsec-v{{ crowdsec_version }}/ + chdir: /tmp/crowdsec-v{{ cs_version }}/ notify: restart crowdsec - name: Update crowdsec hub command: cscli hub update - tags: crowdsec + tags: cs - name: Create the systemd unit snippet dir file: path=/etc/systemd/system/crowdsec.service.d state=directory - tags: crowdsec + tags: cs - name: Make the service restart on failure copy: @@ -39,16 +39,16 @@ dest: /etc/systemd/system/crowdsec.service.d/restart.conf register: crodwsec_unit notify: restart crowdsec - tags: crowdsec + tags: cs - name: Reload systemd systemd: daemon_reload=True when: crodwsec_unit.changed - tags: crowdsec + tags: cs - name: Install pre and post backup hooks template: src={{ item }}-backup.j2 dest=/etc/backup/{{ item }}.d/crowdsec mode=700 loop: - pre - post - tags: crowdsec + tags: cs 
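Review bot: In roles/crowdsec/tasks/install.yml the release archive is pinned with `checksum: sha1:{{ cs_archive_sha1 }}`; SHA-1 is no longer a sound choice for verifying a download whose installer script is then executed, and `get_url` accepts stronger algorithms. Consider a `cs_archive_sha256` default (a suggested variable name; its value must be computed from the release you pin) and `checksum: sha256:{{ cs_archive_sha256 }}`. The archive is also downloaded to `/tmp/` and `./wizard.sh` is run from `/tmp/crowdsec-v{{ cs_version }}/`, a predictable path in a world-writable directory. A root-owned temporary directory, for instance one created with the `tempfile` module, avoids depending on nobody else having created that path first. The `unarchive` arguments sit between the hunks, so its destination is inferred from the `chdir`.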
diff --git a/roles/crowdsec/tasks/iptables.yml b/roles/crowdsec/tasks/iptables.yml index 2adcad9..82fd517 100644 --- a/roles/crowdsec/tasks/iptables.yml +++ b/roles/crowdsec/tasks/iptables.yml @@ -6,10 +6,10 @@ state: "{{ (item.src_ip | length > 0) | ternary('present','absent') }}" rules: "-A INPUT -m state --state NEW -p tcp --dport {{ item.port }} -s {{ item.src_ip | join(',') }} -j ACCEPT" loop: - - name: crowdsec_lapi_port - port: "{{ crowdsec_lapi_port }}" - src_ip: "{{ crowdsec_lapi_src_ip }}" - - name: crowdsec_prometheus_port - port: "{{ crowdsec_prometheus_port }}" - src_ip: "{{ crowdsec_prometheus_src_ip }}" - tags: firewall,crowdsec + - name: cs_lapi_port + port: "{{ cs_lapi_port }}" + src_ip: "{{ cs_lapi_src_ip }}" + - name: cs_prometheus_port + port: "{{ cs_prometheus_port }}" + src_ip: "{{ cs_prometheus_src_ip }}" + tags: firewall,cs diff --git a/roles/crowdsec/tasks/services.yml b/roles/crowdsec/tasks/services.yml index 994109e..e778afb 100644 --- a/roles/crowdsec/tasks/services.yml +++ b/roles/crowdsec/tasks/services.yml @@ -2,4 +2,4 @@ - name: Start and enable the service service: name=crowdsec state=started enabled=True - tags: crowdsec + tags: cs diff --git a/roles/crowdsec/templates/config.yaml.j2 b/roles/crowdsec/templates/config.yaml.j2 index c945f22..e7c11e2 100644 --- a/roles/crowdsec/templates/config.yaml.j2 +++ b/roles/crowdsec/templates/config.yaml.j2 @@ -22,13 +22,13 @@ cscli: db_config: log_level: info -{% if crowdsec_db_engine == 'mysql' %} +{% if cs_db_engine == 'mysql' %} type: mysql - user: {{ crowdsec_db_user }} - password: {{ crowdsec_db_pass | quote }} - db_name: {{ crowdsec_db_name }} - host: {{ crowdsec_db_server }} - port: {{ crowdsec_db_port }} + user: {{ cs_db_user }} + password: {{ cs_db_pass | quote }} + db_name: {{ cs_db_name }} + host: {{ cs_db_server }} + port: {{ cs_db_port }} {% else %} db_path: /var/lib/crowdsec/data/crowdsec.db {% endif %} 
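Review bot: In roles/crowdsec/templates/config.yaml.j2, `password: {{ cs_db_pass | quote }}` applies the shell-quoting filter to a value that is read by a YAML parser. A password containing a single quote comes out in shell escaping that is not a valid YAML scalar, and an all-digit one is left bare. The other fields of this block, and `login`/`password` in local_api_credentials.yaml.j2 and online_api_credentials.yaml.j2, are not quoted at all. Emitting the values as JSON strings, which YAML accepts as double-quoted scalars, covers every case: `password: {{ cs_db_pass | to_json }}`. The `db_config` mapping starts above the hunk.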
@@ -41,12 +41,12 @@ api: insecure_skip_verify: false credentials_path: /etc/crowdsec/local_api_credentials.yaml -{% if crowdsec_lapi_enabled %} +{% if cs_lapi_enabled %} server: log_level: info - listen_uri: 0.0.0.0:{{ crowdsec_lapi_port }} + listen_uri: 0.0.0.0:{{ cs_lapi_port }} profiles_path: /etc/crowdsec/profiles.yaml -{% if crowdsec_capi_enabled %} +{% if cs_capi_enabled %} online_client: credentials_path: /etc/crowdsec/online_api_credentials.yaml {% endif %} @@ -55,6 +55,6 @@ api: prometheus: enabled: true level: full - listen_addr: {{ (crowdsec_prometheus_src_ip | length > 0) | ternary(ansible_all_ipv4_addresses[0],'127.0.0.1') }} - listen_port: {{ crowdsec_prometheus_port }} + listen_addr: {{ (cs_prometheus_src_ip | length > 0) | ternary(ansible_all_ipv4_addresses[0],'127.0.0.1') }} + listen_port: {{ cs_prometheus_port }} diff --git a/roles/crowdsec/templates/local_api_credentials.yaml.j2 b/roles/crowdsec/templates/local_api_credentials.yaml.j2 index 45d5d4b..2b8d193 100644 --- a/roles/crowdsec/templates/local_api_credentials.yaml.j2 +++ b/roles/crowdsec/templates/local_api_credentials.yaml.j2 @@ -1,3 +1,3 @@ -url: {{ crowdsec_lapi_enabled | ternary('http://127.0.0.1:' ~ crowdsec_lapi_port,(crowdsec_lapi_url is search('/$')) | ternary(crowdsec_lapi_url, crowdsec_lapi_url ~ '/')) }} -login: {{ crowdsec_lapi_user }} -password: {{ crowdsec_lapi_pass }} +url: {{ cs_lapi_enabled | ternary('http://127.0.0.1:' ~ cs_lapi_port,(cs_lapi_url is search('/$')) | ternary(cs_lapi_url, cs_lapi_url ~ '/')) }} +login: {{ cs_lapi_user }} +password: {{ cs_lapi_pass }} diff --git a/roles/crowdsec/templates/online_api_credentials.yaml.j2 b/roles/crowdsec/templates/online_api_credentials.yaml.j2 index 99e08e1..ae7b3c6 100644 --- a/roles/crowdsec/templates/online_api_credentials.yaml.j2 +++ b/roles/crowdsec/templates/online_api_credentials.yaml.j2 
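Review bot: `listen_uri: 0.0.0.0:{{ cs_lapi_port }}` in roles/crowdsec/templates/config.yaml.j2 binds the Local API on every interface even when `cs_lapi_src_ip` is empty. In that case the iptables task sets its rule to `absent`, so reachability depends only on whatever default policy the host has. The prometheus block in the same template already falls back to `127.0.0.1` when its source list is empty, and the Local API could do the same: `listen_uri: {{ (cs_lapi_src_ip | length > 0) | ternary('0.0.0.0', '127.0.0.1') }}:{{ cs_lapi_port }}`. The local agent is unaffected, since local_api_credentials.yaml.j2 points it at `http://127.0.0.1:` when `cs_lapi_enabled` is true. The `api:` mapping starts above the hunk.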
@@ -1,7 +1,7 @@ url: https://api.crowdsec.net/ -{% if crowdsec_capi_user is defined %} -login: {{ crowdsec_capi_user }} +{% if cs_capi_user is defined %} +login: {{ cs_capi_user }} {% endif %} -{% if crowdsec_capi_pass is defined %} -password: {{ crowdsec_capi_pass }} +{% if cs_capi_pass is defined %} +password: {{ cs_capi_pass }} {% endif %} diff --git a/roles/crowdsec/templates/pre-backup.j2 b/roles/crowdsec/templates/pre-backup.j2 index 8a4bfe5..58e9f7f 100644 --- a/roles/crowdsec/templates/pre-backup.j2 +++ b/roles/crowdsec/templates/pre-backup.j2 @@ -1,17 +1,17 @@ #!/bin/bash -e mkdir -p /home/lbkp/crowdsec/ -{% if crowdsec_lapi_enabled %} -{% if crowdsec_db_engine == 'mysql' %} +{% if cs_lapi_enabled %} +{% if cs_db_engine == 'mysql' %} /usr/bin/mysqldump \ -{% if crowdsec_db_server not in ['localhost','127.0.0.1'] %} - --user={{ crowdsec_db_user | quote }} \ - --password={{ crowdsec_db_pass | quote }} \ - --host={{ crowdsec_db_server | quote }} \ - --port={{ crowdsec_db_port | quote }} \ +{% if cs_db_server not in ['localhost','127.0.0.1'] %} + --user={{ cs_db_user | quote }} \ + --password={{ cs_db_pass | quote }} \ + --host={{ cs_db_server | quote }} \ + --port={{ cs_db_port | quote }} \ {% endif %} --quick --single-transaction \ - --add-drop-table {{ crowdsec_db_name | quote }} | zstd -c > /home/lbkp/crowdsec/{{ crowdsec_db_name }}.sql.zst + --add-drop-table {{ cs_db_name | quote }} | zstd -c > /home/lbkp/crowdsec/{{ cs_db_name }}.sql.zst {% else %} sqlite3 /var/lib/crowdsec/data/crowdsec.db .dump | zstd -c > /home/lbkp/crowdsec/crowdsec.sql.zst {% endif %} diff --git a/roles/crowdsec/templates/profiles.yaml.j2 b/roles/crowdsec/templates/profiles.yaml.j2 index 2d58e39..3efa959 100644 --- a/roles/crowdsec/templates/profiles.yaml.j2 +++ b/roles/crowdsec/templates/profiles.yaml.j2 
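Review bot: In roles/crowdsec/templates/pre-backup.j2 the remote-database branch passes `--password={{ cs_db_pass | quote }}` on the `mysqldump` command line, where it can be visible to other local users through the process list while the dump runs. Prefer a client option file readable only by root, passed as the first option, e.g. `--defaults-extra-file=<PATH_TO_ROOT_ONLY_CNF>` (placeholder path), and drop `--user`/`--password` from the arguments. The redirect target `/home/lbkp/crowdsec/{{ cs_db_name }}.sql.zst` is also the one place where `cs_db_name` is not passed through `quote`.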
@@ -3,5 +3,5 @@ filters: - Alert.Remediation == true && Alert.GetScope() == "Ip" decisions: - type: ban - duration: {{ crowdsec_ban_duration }} + duration: {{ cs_ban_duration }} on_success: break