Update to 2021-02-23 19:00

master
Daniel Berteaud 4 years ago
parent 3431050b2f
commit e8311ecfce
  1. 70
      roles/crowdsec/defaults/main.yml
  2. 2
      roles/crowdsec/meta/main.yml
  3. 4
      roles/crowdsec/tasks/cleanup.yml
  4. 102
      roles/crowdsec/tasks/conf.yml
  5. 2
      roles/crowdsec/tasks/directories.yml
  6. 72
      roles/crowdsec/tasks/facts.yml
  7. 20
      roles/crowdsec/tasks/install.yml
  8. 14
      roles/crowdsec/tasks/iptables.yml
  9. 2
      roles/crowdsec/tasks/services.yml
  10. 22
      roles/crowdsec/templates/config.yaml.j2
  11. 6
      roles/crowdsec/templates/local_api_credentials.yaml.j2
  12. 8
      roles/crowdsec/templates/online_api_credentials.yaml.j2
  13. 16
      roles/crowdsec/templates/pre-backup.j2
  14. 2
      roles/crowdsec/templates/profiles.yaml.j2

@ -1,71 +1,71 @@
--- ---
# Version to install # Version to install
crowdsec_version: 1.0.7 cs_version: 1.0.7
# URL of the archive # URL of the archive
crowdsec_archive_url: https://github.com/crowdsecurity/crowdsec/releases/download/v{{ crowdsec_version }}/crowdsec-release.tgz cs_archive_url: https://github.com/crowdsecurity/crowdsec/releases/download/v{{ cs_version }}/crowdsec-release.tgz
# Expected sha1 of the archive # Expected sha1 of the archive
crowdsec_archive_sha1: 7c9dc58c6648c8fd43b297427d6a53fe940cbf13 cs_archive_sha1: 7c9dc58c6648c8fd43b297427d6a53fe940cbf13
# Can be sqlite or mysql # Can be sqlite or mysql
crowdsec_db_engine: sqlite cs_db_engine: sqlite
# This is for mysql backend # This is for mysql backend
crowdsec_db_server: "{{ mysql_server | default('localhost') }}" cs_db_server: "{{ mysql_server | default('localhost') }}"
crowdsec_db_port: 3306 cs_db_port: 3306
crowdsec_db_name: crowdsec cs_db_name: crowdsec
crowdsec_db_user: crowdsec cs_db_user: crowdsec
# If not defined, a random one will be generated and store in /etc/crowdsec/meta/ansible_dbpass # If not defined, a random one will be generated and store in /etc/crowdsec/meta/ansible_dbpass
# crowdsec_db_pass: S3cr3t. # cs_db_pass: S3cr3t.
# You can disable the Local API, if using a remote one for example # You can disable the Local API, if using a remote one for example
crowdsec_lapi_enabled: True cs_lapi_enabled: True
# Set to true if Local API is enabled, and you intend to use it through a trusted reverse proxy # Set to true if Local API is enabled, and you intend to use it through a trusted reverse proxy
crowdsec_use_forwarded_headers: False cs_use_forwarded_headers: False
# Port on which the Local API will listen # Port on which the Local API will listen
crowdsec_lapi_port: 8080 cs_lapi_port: 8080
# List of IP/CIDR allowed to access crowdsec_lapi_port # List of IP/CIDR allowed to access cs_lapi_port
crowdsec_lapi_src_ip: [] cs_lapi_src_ip: []
# Address of the Local API server # Address of the Local API server
# The default config will make it standalone # The default config will make it standalone
crowdsec_lapi_url: http://localhost:{{ crowdsec_lapi_port }}/ cs_lapi_url: http://localhost:{{ cs_lapi_port }}/
crowdsec_lapi_user: "{{ inventory_hostname }}" cs_lapi_user: "{{ inventory_hostname }}"
# On installation, ansible will register this host on the Local API # On installation, ansible will register this host on the Local API
# And will then validate the registration on the following server. # And will then validate the registration on the following server.
# So set it to your own Local API server so ansible will delegate the task # So set it to your own Local API server so ansible will delegate the task
crowdsec_lapi_server: "{{ inventory_hostname }}" cs_lapi_server: "{{ inventory_hostname }}"
# Use the central API, to share your banned IP, and received list of IP to ban # Use the central API, to share your banned IP, and received list of IP to ban
# Requires crowdsec_lapi_enabled to be true too # Requires cs_lapi_enabled to be true too
crowdsec_capi_enabled: False cs_capi_enabled: False
# You can either register manuelly and the the user/pass with those variable # You can either register manuelly and the the user/pass with those variable
# Else, ansible will register and configure the credentials # Else, ansible will register and configure the credentials
# crowdsec_capi_user: 123456789 # cs_capi_user: 123456789
# crowdsec_capi_pass: azertyuiop # cs_capi_pass: azertyuiop
# Port on which the prometheus metric endpoint will bind to # Port on which the prometheus metric endpoint will bind to
crowdsec_prometheus_port: 6060 cs_prometheus_port: 6060
# List of IP/CIDR allowed to access the prometheus port # List of IP/CIDR allowed to access the prometheus port
crowdsec_prometheus_src_ip: [] cs_prometheus_src_ip: []
# Default duration of a ban # Default duration of a ban
crowdsec_ban_duration: 15m cs_ban_duration: 15m
# List of parsers to install from the hub # List of parsers to install from the hub
crowdsec_parsers: cs_parsers: []
- crowdsecurity/syslog-logs # - crowdsecurity/syslog-logs
- crowdsecurity/geoip-enrich # - crowdsecurity/geoip-enrich
- crowdsecurity/dateparse-enrich # - crowdsecurity/dateparse-enrich
- crowdsecurity/whitelists # - crowdsecurity/whitelists
# - crowdsecurity/sshd-logs # - crowdsecurity/sshd-logs
# - crowdsecurity/iptables-logs # - crowdsecurity/iptables-logs
# List of scenarios to install from the hub # List of scenarios to install from the hub
crowdsec_scenarios: cs_scenarios: []
- crowdsecurity/ban-defcon-drop_range # - crowdsecurity/ban-defcon-drop_range
# - crowdsecurity/ssh-bf # - crowdsecurity/ssh-bf
# List of postoverflows to install from the hub # List of postoverflows to install from the hub
crowdsec_postoverflows: cs_postoverflows: []
- crowdsecurity/cdn-whitelist # - crowdsecurity/cdn-whitelist
- crowdsecurity/rdns # - crowdsecurity/rdns
- crowdsecurity/seo-bots-whitelist # - crowdsecurity/seo-bots-whitelist
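Review bot: With `cs_parsers`, `cs_scenarios` and `cs_postoverflows` now defaulting to `[]`, a host that does not override them gets nothing installed by the install loops in tasks/conf.yml, so the agent may run without detecting anything unless the lists are set elsewhere (not visible here). The commented-out entries under each key read like the previous defaults but are no longer applied. I would document that above each key, for example `# Empty by default: set this per host or group, otherwise nothing is installed from the hub`.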

@ -2,4 +2,4 @@
dependencies: dependencies:
- role: mysql_server - role: mysql_server
when: crowdsec_db_server in ['localhost','127.0.0.1'] when: cs_db_server in ['localhost','127.0.0.1']

@ -4,5 +4,5 @@
file: path={{ item }} state=absent file: path={{ item }} state=absent
loop: loop:
- /tmp/crowdsec-release.tgz - /tmp/crowdsec-release.tgz
- /tmp/crowdsec-v{{ crowdsec_version }} - /tmp/crowdsec-v{{ cs_version }}
tags: crowdsec tags: cs

@ -9,45 +9,45 @@
- profiles.yaml - profiles.yaml
- parsers/s02-enrich/trusted_ip.yaml - parsers/s02-enrich/trusted_ip.yaml
notify: reload crowdsec notify: reload crowdsec
tags: crowdsec tags: cs
# Create the database # Create the database
- import_tasks: ../includes/webapps_create_mysql_db.yml - import_tasks: ../includes/webapps_create_mysql_db.yml
vars: vars:
- db_name: "{{ crowdsec_db_name }}" - db_name: "{{ cs_db_name }}"
- db_user: "{{ crowdsec_db_user }}" - db_user: "{{ cs_db_user }}"
- db_server: "{{ crowdsec_db_server }}" - db_server: "{{ cs_db_server }}"
- db_pass: "{{ crowdsec_db_pass }}" - db_pass: "{{ cs_db_pass }}"
when: when:
- crowdsec_db_engine == 'mysql' - cs_db_engine == 'mysql'
- crowdsec_lapi_enabled - cs_lapi_enabled
tags: crowdsec tags: cs
- when: crowdsec_lapi_pass is not defined - when: cs_lapi_pass is not defined
block: block:
- name: Declare on the local API - name: Declare on the local API
command: cscli machines add {{ crowdsec_lapi_user }} --auto --force --file /dev/stdout --output raw command: cscli machines add {{ cs_lapi_user }} --auto --force --file /dev/stdout --output raw
register: crowdsec_lapi_credentials register: cs_lapi_credentials
delegate_to: "{{ crowdsec_lapi_server }}" delegate_to: "{{ cs_lapi_server }}"
- set_fact: crowdsec_lapi_credentials_yaml={{ crowdsec_lapi_credentials.stdout | from_yaml }} - set_fact: cs_lapi_credentials_yaml={{ cs_lapi_credentials.stdout | from_yaml }}
- copy: content={{ crowdsec_lapi_credentials_yaml.password }} dest=/etc/crowdsec/meta/lapi_pass mode=600 - copy: content={{ cs_lapi_credentials_yaml.password }} dest=/etc/crowdsec/meta/lapi_pass mode=600
- set_fact: crowdsec_lapi_pass={{ crowdsec_lapi_credentials_yaml.password }} - set_fact: cs_lapi_pass={{ cs_lapi_credentials_yaml.password }}
tags: crowdsec tags: cs
- when: - when:
- crowdsec_lapi_enabled - cs_lapi_enabled
- crowdsec_capi_enabled - cs_capi_enabled
- crowdsec_capi_user is not defined or crowdsec_capi_pass is not defined - cs_capi_user is not defined or cs_capi_pass is not defined
block: block:
- name: Register on the central API - name: Register on the central API
command: cscli capi register -o raw -f /dev/stdout command: cscli capi register -o raw -f /dev/stdout
register: crowdsec_capi_credentials register: cs_capi_credentials
- set_fact: crowdsec_capi_credentials_yaml={{ crowdsec_capi_credentials.stdout | from_yaml }} - set_fact: cs_capi_credentials_yaml={{ cs_capi_credentials.stdout | from_yaml }}
- copy: content={{ crowdsec_capi_credentials_yaml.login }} dest=/etc/crowdsec/meta/capi_user mode=600 - copy: content={{ cs_capi_credentials_yaml.login }} dest=/etc/crowdsec/meta/capi_user mode=600
- copy: content={{ crowdsec_capi_credentials_yaml.password }} dest=/etc/crowdsec/meta/capi_pass mode=600 - copy: content={{ cs_capi_credentials_yaml.password }} dest=/etc/crowdsec/meta/capi_pass mode=600
- set_fact: crowdsec_capi_user={{ crowdsec_capi_credentials_yaml.login }} - set_fact: cs_capi_user={{ cs_capi_credentials_yaml.login }}
- set_fact: crowdsec_capi_pass={{ crowdsec_capi_credentials_yaml.password }} - set_fact: cs_capi_pass={{ cs_capi_credentials_yaml.password }}
tags: crowdsec tags: cs
- name: Deploy credentials config - name: Deploy credentials config
template: src={{ item }}_api_credentials.yaml.j2 dest=/etc/crowdsec/{{ item }}_api_credentials.yaml mode=600 template: src={{ item }}_api_credentials.yaml.j2 dest=/etc/crowdsec/{{ item }}_api_credentials.yaml mode=600
@ -55,64 +55,64 @@
- online - online
- local - local
notify: restart crowdsec notify: restart crowdsec
tags: crowdsec tags: cs
- name: List installed parsers - name: List installed parsers
shell: cscli parsers list -o json shell: cscli parsers list -o json
register: crowdsec_installed_parsers register: cs_installed_parsers
changed_when: False changed_when: False
tags: crowdsec tags: cs
- name: Install parsers - name: Install parsers
command: cscli parsers install {{ item }} command: cscli parsers install {{ item }}
when: item not in crowdsec_installed_parsers.stdout | from_json | map(attribute='name') | list when: item not in cs_installed_parsers.stdout | from_json | map(attribute='name') | list
loop: "{{ crowdsec_parsers }}" loop: "{{ cs_parsers }}"
notify: reload crowdsec notify: reload crowdsec
tags: crowdsec tags: cs
- name: Upgrade parsers - name: Upgrade parsers
command: csscli parsers upgrade {{ item }} command: csscli parsers upgrade {{ item }}
loop: "{{ crowdsec_parsers }}" loop: "{{ cs_parsers }}"
when: crowdsec_install_mode == 'upgrade' when: cs_install_mode == 'upgrade'
notify: reload crowdsec notify: reload crowdsec
tags: crowdsec tags: cs
- name: List installed scenarios - name: List installed scenarios
command: cscli scenarios list -o json command: cscli scenarios list -o json
register: crowdsec_installed_scenarios register: cs_installed_scenarios
changed_when: False changed_when: False
tags: crowdsec tags: cs
- name: Install scenarios - name: Install scenarios
command: cscli scenarios install {{ item }} command: cscli scenarios install {{ item }}
when: item not in crowdsec_installed_scenarios.stdout | from_json | map(attribute='name') | list when: item not in cs_installed_scenarios.stdout | from_json | map(attribute='name') | list
loop: "{{ crowdsec_scenarios }}" loop: "{{ cs_scenarios }}"
notify: reload crowdsec notify: reload crowdsec
tags: crowdsec tags: cs
- name: Upgrade scenarios - name: Upgrade scenarios
command: csscli scenarios upgrade {{ item }} command: csscli scenarios upgrade {{ item }}
loop: "{{ crowdsec_scenarios }}" loop: "{{ cs_scenarios }}"
when: crowdsec_install_mode == 'upgrade' when: cs_install_mode == 'upgrade'
notify: reload crowdsec notify: reload crowdsec
tags: crowdsec tags: cs
- name: List installed postoverflows - name: List installed postoverflows
command: cscli postoverflows list -o json command: cscli postoverflows list -o json
register: crowdsec_installed_postoverflows register: cs_installed_postoverflows
changed_when: False changed_when: False
tags: crowdsec tags: cs
- name: Install postoverflows - name: Install postoverflows
command: cscli postoverflows install {{ item }} command: cscli postoverflows install {{ item }}
when: item not in crowdsec_installed_postoverflows.stdout | from_json | map(attribute='name') | list when: item not in cs_installed_postoverflows.stdout | from_json | map(attribute='name') | list
loop: "{{ crowdsec_postoverflows }}" loop: "{{ cs_postoverflows }}"
notify: reload crowdsec notify: reload crowdsec
tags: crowdsec tags: cs
- name: Upgrade postoverflows - name: Upgrade postoverflows
command: csscli postoverflows upgrade {{ item }} command: csscli postoverflows upgrade {{ item }}
loop: "{{ crowdsec_postoverflows }}" loop: "{{ cs_postoverflows }}"
when: crowdsec_install_mode == 'upgrade' when: cs_install_mode == 'upgrade'
notify: reload crowdsec notify: reload crowdsec
tags: crowdsec tags: cs
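Review bot: The three upgrade tasks (`Upgrade parsers`, `Upgrade scenarios`, `Upgrade postoverflows`) call `csscli`, while every other task in this file calls `cscli`. This looks like a typo that the rename carried over, and the command would presumably fail as soon as `cs_install_mode == 'upgrade'`, leaving the hub content at its old version. Each line should follow the pattern `command: cscli parsers upgrade {{ item }}`. The first hunk starts inside a task whose head is outside the view.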

@ -14,4 +14,4 @@
- dir: /etc/crowdsec/scenarios - dir: /etc/crowdsec/scenarios
- dir: /etc/crowdsec/postoverflows/s00-enrich - dir: /etc/crowdsec/postoverflows/s00-enrich
- dir: /etc/crowdsec/postoverflows/s01-whitelist - dir: /etc/crowdsec/postoverflows/s01-whitelist
tags: crowdsec tags: cs

@ -2,34 +2,34 @@
- name: Set initial facts - name: Set initial facts
block: block:
- set_fact: crowdsec_install_mode='none' - set_fact: cs_install_mode='none'
- set_fact: crowdsec_current_version='' - set_fact: cs_current_version=''
tags: crowdsec tags: cs
- name: Check if crowdsec is installed - name: Check if crowdsec is installed
stat: path=/usr/local/bin/crowdsec stat: path=/usr/local/bin/crowdsec
register: crowdsec_bin register: cs_bin
tags: crowdsec tags: cs
- name: Check installed version - name: Check installed version
shell: | shell: |
crowdsec -version 2>&1 | perl -ne 'm/version: v(\d+(\.\d+)*)/ && print $1' crowdsec -version 2>&1 | perl -ne 'm/version: v(\d+(\.\d+)*)/ && print $1'
register: crowdsec_current_version register: cs_current_version
changed_when: False changed_when: False
when: crowdsec_bin.stat.exists when: cs_bin.stat.exists
tags: crowdsec tags: cs
- name: Set install mode - name: Set install mode
set_fact: crowdsec_install_mode='install' set_fact: cs_install_mode='install'
when: not crowdsec_bin.stat.exists when: not cs_bin.stat.exists
tags: crowdsec tags: cs
- name: Set upgrade mode - name: Set upgrade mode
set_fact: crowdsec_install_mode='upgrade' set_fact: cs_install_mode='upgrade'
when: when:
- crowdsec_bin.stat.exists - cs_bin.stat.exists
- crowdsec_current_version.stdout != crowdsec_version - cs_current_version.stdout != cs_version
tags: crowdsec tags: cs
# Create a random db password if needed # Create a random db password if needed
- block: - block:
@ -37,48 +37,48 @@
vars: vars:
- pass_file: "/etc/crowdsec/meta/ansible_db_pass" - pass_file: "/etc/crowdsec/meta/ansible_db_pass"
- complex: False - complex: False
- set_fact: crowdsec_db_pass={{ rand_pass }} - set_fact: cs_db_pass={{ rand_pass }}
when: when:
- crowdsec_db_pass is not defined - cs_db_pass is not defined
- crowdsec_lapi_enabled - cs_lapi_enabled
tags: crowdsec tags: cs
# Check if local API credentials are available in the meta dir # Check if local API credentials are available in the meta dir
- name: Check local API credential files - name: Check local API credential files
stat: path=/etc/crowdsec/meta/lapi_pass stat: path=/etc/crowdsec/meta/lapi_pass
register: crowdsec_lapi_pass_file register: cs_lapi_pass_file
tags: crowdsec tags: cs
- name: Read the local API pass - name: Read the local API pass
block: block:
- slurp: src=/etc/crowdsec/meta/lapi_pass - slurp: src=/etc/crowdsec/meta/lapi_pass
register: crowdsec_lapi_pass_meta register: cs_lapi_pass_meta
- set_fact: crowdsec_lapi_pass={{ crowdsec_lapi_pass_meta.content | b64decode | trim }} - set_fact: cs_lapi_pass={{ cs_lapi_pass_meta.content | b64decode | trim }}
when: crowdsec_lapi_pass is not defined and crowdsec_lapi_pass_file.stat.exists when: cs_lapi_pass is not defined and cs_lapi_pass_file.stat.exists
tags: crowdsec tags: cs
# Check if central API credentials are available in the meta dir # Check if central API credentials are available in the meta dir
- name: Check central API credential files - name: Check central API credential files
block: block:
- stat: path=/etc/crowdsec/meta/capi_user - stat: path=/etc/crowdsec/meta/capi_user
register: crowdsec_capi_user_file register: cs_capi_user_file
- stat: path=/etc/crowdsec/meta/capi_pass - stat: path=/etc/crowdsec/meta/capi_pass
register: crowdsec_capi_pass_file register: cs_capi_pass_file
tags: crowdsec tags: cs
- name: Read the central API user - name: Read the central API user
block: block:
- slurp: src=/etc/crowdsec/meta/capi_user - slurp: src=/etc/crowdsec/meta/capi_user
register: crowdsec_capi_user_meta register: cs_capi_user_meta
- set_fact: crowdsec_capi_user={{ crowdsec_capi_user_meta.content | b64decode | trim }} - set_fact: cs_capi_user={{ cs_capi_user_meta.content | b64decode | trim }}
when: crowdsec_capi_user is not defined and crowdsec_capi_user_file.stat.exists when: cs_capi_user is not defined and cs_capi_user_file.stat.exists
tags: crowdsec tags: cs
- name: Read the central API pass - name: Read the central API pass
block: block:
- slurp: src=/etc/crowdsec/meta/capi_pass - slurp: src=/etc/crowdsec/meta/capi_pass
register: crowdsec_capi_pass_meta register: cs_capi_pass_meta
- set_fact: crowdsec_capi_pass={{ crowdsec_capi_pass_meta.content | b64decode | trim }} - set_fact: cs_capi_pass={{ cs_capi_pass_meta.content | b64decode | trim }}
when: crowdsec_capi_pass is not defined and crowdsec_capi_pass_file.stat.exists when: cs_capi_pass is not defined and cs_capi_pass_file.stat.exists
tags: crowdsec tags: cs
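Review bot: The blocks that read `/etc/crowdsec/meta/lapi_pass`, `capi_user` and `capi_pass` place the secrets in `slurp` results and `set_fact` output, which Ansible prints at `-v` and which log or callback plugins may record. Adding `no_log: true` next to `tags: cs` on `Read the local API pass`, `Read the central API user` and `Read the central API pass` keeps them out of run output. The same applies to the `cscli machines add` and `cscli capi register` blocks in tasks/conf.yml, and to the `cs_db_pass` block, whose start is outside the second hunk.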

@ -1,12 +1,12 @@
--- ---
- when: crowdsec_install_mode != 'none' - when: cs_install_mode != 'none'
block: block:
- name: Download crowdsec - name: Download crowdsec
get_url: get_url:
url: "{{ crowdsec_archive_url }}" url: "{{ cs_archive_url }}"
dest: /tmp/ dest: /tmp/
checksum: sha1:{{ crowdsec_archive_sha1 }} checksum: sha1:{{ cs_archive_sha1 }}
- name: Extract crowdsec - name: Extract crowdsec
unarchive: unarchive:
@ -15,19 +15,19 @@
remote_src: True remote_src: True
- name: Install or upgrade crowdsec - name: Install or upgrade crowdsec
command: ./wizard.sh --bin{{ crowdsec_install_mode }} command: ./wizard.sh --bin{{ cs_install_mode }}
args: args:
chdir: /tmp/crowdsec-v{{ crowdsec_version }}/ chdir: /tmp/crowdsec-v{{ cs_version }}/
notify: restart crowdsec notify: restart crowdsec
- name: Update crowdsec hub - name: Update crowdsec hub
command: cscli hub update command: cscli hub update
tags: crowdsec tags: cs
- name: Create the systemd unit snippet dir - name: Create the systemd unit snippet dir
file: path=/etc/systemd/system/crowdsec.service.d state=directory file: path=/etc/systemd/system/crowdsec.service.d state=directory
tags: crowdsec tags: cs
- name: Make the service restart on failure - name: Make the service restart on failure
copy: copy:
@ -39,16 +39,16 @@
dest: /etc/systemd/system/crowdsec.service.d/restart.conf dest: /etc/systemd/system/crowdsec.service.d/restart.conf
register: crodwsec_unit register: crodwsec_unit
notify: restart crowdsec notify: restart crowdsec
tags: crowdsec tags: cs
- name: Reload systemd - name: Reload systemd
systemd: daemon_reload=True systemd: daemon_reload=True
when: crodwsec_unit.changed when: crodwsec_unit.changed
tags: crowdsec tags: cs
- name: Install pre and post backup hooks - name: Install pre and post backup hooks
template: src={{ item }}-backup.j2 dest=/etc/backup/{{ item }}.d/crowdsec mode=700 template: src={{ item }}-backup.j2 dest=/etc/backup/{{ item }}.d/crowdsec mode=700
loop: loop:
- pre - pre
- post - post
tags: crowdsec tags: cs
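Review bot: The download is still pinned with SHA-1 (`checksum: sha1:{{ cs_archive_sha1 }}`), which is no longer collision-resistant. `get_url` accepts other algorithms, so I would pin a SHA-256 instead: `checksum: sha256:{{ cs_archive_sha256 }}` with a matching `cs_archive_sha256: <SHA256_OF_RELEASE_ARCHIVE>` in defaults/main.yml. This matters because the extracted `wizard.sh` is then run from `/tmp/crowdsec-v{{ cs_version }}/`, and the checksum is the only integrity check visible before that execution. The `Extract crowdsec` task continues outside the hunk.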

@ -6,10 +6,10 @@
state: "{{ (item.src_ip | length > 0) | ternary('present','absent') }}" state: "{{ (item.src_ip | length > 0) | ternary('present','absent') }}"
rules: "-A INPUT -m state --state NEW -p tcp --dport {{ item.port }} -s {{ item.src_ip | join(',') }} -j ACCEPT" rules: "-A INPUT -m state --state NEW -p tcp --dport {{ item.port }} -s {{ item.src_ip | join(',') }} -j ACCEPT"
loop: loop:
- name: crowdsec_lapi_port - name: cs_lapi_port
port: "{{ crowdsec_lapi_port }}" port: "{{ cs_lapi_port }}"
src_ip: "{{ crowdsec_lapi_src_ip }}" src_ip: "{{ cs_lapi_src_ip }}"
- name: crowdsec_prometheus_port - name: cs_prometheus_port
port: "{{ crowdsec_prometheus_port }}" port: "{{ cs_prometheus_port }}"
src_ip: "{{ crowdsec_prometheus_src_ip }}" src_ip: "{{ cs_prometheus_src_ip }}"
tags: firewall,crowdsec tags: firewall,cs

@ -2,4 +2,4 @@
- name: Start and enable the service - name: Start and enable the service
service: name=crowdsec state=started enabled=True service: name=crowdsec state=started enabled=True
tags: crowdsec tags: cs

@ -22,13 +22,13 @@ cscli:
db_config: db_config:
log_level: info log_level: info
{% if crowdsec_db_engine == 'mysql' %} {% if cs_db_engine == 'mysql' %}
type: mysql type: mysql
user: {{ crowdsec_db_user }} user: {{ cs_db_user }}
password: {{ crowdsec_db_pass | quote }} password: {{ cs_db_pass | quote }}
db_name: {{ crowdsec_db_name }} db_name: {{ cs_db_name }}
host: {{ crowdsec_db_server }} host: {{ cs_db_server }}
port: {{ crowdsec_db_port }} port: {{ cs_db_port }}
{% else %} {% else %}
db_path: /var/lib/crowdsec/data/crowdsec.db db_path: /var/lib/crowdsec/data/crowdsec.db
{% endif %} {% endif %}
@ -41,12 +41,12 @@ api:
insecure_skip_verify: false insecure_skip_verify: false
credentials_path: /etc/crowdsec/local_api_credentials.yaml credentials_path: /etc/crowdsec/local_api_credentials.yaml
{% if crowdsec_lapi_enabled %} {% if cs_lapi_enabled %}
server: server:
log_level: info log_level: info
listen_uri: 0.0.0.0:{{ crowdsec_lapi_port }} listen_uri: 0.0.0.0:{{ cs_lapi_port }}
profiles_path: /etc/crowdsec/profiles.yaml profiles_path: /etc/crowdsec/profiles.yaml
{% if crowdsec_capi_enabled %} {% if cs_capi_enabled %}
online_client: online_client:
credentials_path: /etc/crowdsec/online_api_credentials.yaml credentials_path: /etc/crowdsec/online_api_credentials.yaml
{% endif %} {% endif %}
@ -55,6 +55,6 @@ api:
prometheus: prometheus:
enabled: true enabled: true
level: full level: full
listen_addr: {{ (crowdsec_prometheus_src_ip | length > 0) | ternary(ansible_all_ipv4_addresses[0],'127.0.0.1') }} listen_addr: {{ (cs_prometheus_src_ip | length > 0) | ternary(ansible_all_ipv4_addresses[0],'127.0.0.1') }}
listen_port: {{ crowdsec_prometheus_port }} listen_port: {{ cs_prometheus_port }}
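Review bot: `listen_uri: 0.0.0.0:{{ cs_lapi_port }}` binds the Local API on every interface even when `cs_lapi_src_ip` is empty, so exposure then depends entirely on the host firewall. The prometheus block in the last hunk already falls back to `127.0.0.1` in that case, and the API could do the same to keep the standalone default local: `listen_uri: {{ (cs_lapi_src_ip | length > 0) | ternary('0.0.0.0','127.0.0.1') }}:{{ cs_lapi_port }}`. The `api:` section starts outside the hunk, so confirm that nothing else relies on the wildcard bind.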

@ -1,3 +1,3 @@
url: {{ crowdsec_lapi_enabled | ternary('http://127.0.0.1:' ~ crowdsec_lapi_port,(crowdsec_lapi_url is search('/$')) | ternary(crowdsec_lapi_url, crowdsec_lapi_url ~ '/')) }} url: {{ cs_lapi_enabled | ternary('http://127.0.0.1:' ~ cs_lapi_port,(cs_lapi_url is search('/$')) | ternary(cs_lapi_url, cs_lapi_url ~ '/')) }}
login: {{ crowdsec_lapi_user }} login: {{ cs_lapi_user }}
password: {{ crowdsec_lapi_pass }} password: {{ cs_lapi_pass }}

@ -1,7 +1,7 @@
url: https://api.crowdsec.net/ url: https://api.crowdsec.net/
{% if crowdsec_capi_user is defined %} {% if cs_capi_user is defined %}
login: {{ crowdsec_capi_user }} login: {{ cs_capi_user }}
{% endif %} {% endif %}
{% if crowdsec_capi_pass is defined %} {% if cs_capi_pass is defined %}
password: {{ crowdsec_capi_pass }} password: {{ cs_capi_pass }}
{% endif %} {% endif %}

@ -1,17 +1,17 @@
#!/bin/bash -e #!/bin/bash -e
mkdir -p /home/lbkp/crowdsec/ mkdir -p /home/lbkp/crowdsec/
{% if crowdsec_lapi_enabled %} {% if cs_lapi_enabled %}
{% if crowdsec_db_engine == 'mysql' %} {% if cs_db_engine == 'mysql' %}
/usr/bin/mysqldump \ /usr/bin/mysqldump \
{% if crowdsec_db_server not in ['localhost','127.0.0.1'] %} {% if cs_db_server not in ['localhost','127.0.0.1'] %}
--user={{ crowdsec_db_user | quote }} \ --user={{ cs_db_user | quote }} \
--password={{ crowdsec_db_pass | quote }} \ --password={{ cs_db_pass | quote }} \
--host={{ crowdsec_db_server | quote }} \ --host={{ cs_db_server | quote }} \
--port={{ crowdsec_db_port | quote }} \ --port={{ cs_db_port | quote }} \
{% endif %} {% endif %}
--quick --single-transaction \ --quick --single-transaction \
--add-drop-table {{ crowdsec_db_name | quote }} | zstd -c > /home/lbkp/crowdsec/{{ crowdsec_db_name }}.sql.zst --add-drop-table {{ cs_db_name | quote }} | zstd -c > /home/lbkp/crowdsec/{{ cs_db_name }}.sql.zst
{% else %} {% else %}
sqlite3 /var/lib/crowdsec/data/crowdsec.db .dump | zstd -c > /home/lbkp/crowdsec/crowdsec.sql.zst sqlite3 /var/lib/crowdsec/data/crowdsec.db .dump | zstd -c > /home/lbkp/crowdsec/crowdsec.sql.zst
{% endif %} {% endif %}
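Review bot: `--password={{ cs_db_pass | quote }}` puts the database password on the mysqldump command line, where it can show up in the process list for other local users while the dump runs. mysqldump can read credentials from an option file instead, for example `--defaults-extra-file=<PATH_TO_OPTION_FILE> \` as the first option, with that file deployed mode 600 and holding the `[client]` user, password, host and port. That would replace the four `--user`/`--password`/`--host`/`--port` lines inside the remote-server branch.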

@ -3,5 +3,5 @@ filters:
- Alert.Remediation == true && Alert.GetScope() == "Ip" - Alert.Remediation == true && Alert.GetScope() == "Ip"
decisions: decisions:
- type: ban - type: ban
duration: {{ crowdsec_ban_duration }} duration: {{ cs_ban_duration }}
on_success: break on_success: break
