Update to 2021-02-19 19:00

roles/crowdsec/defaults/main.yml

@@ -57,12 +57,12 @@ crowdsec_parsers:
   - crowdsecurity/geoip-enrich
   - crowdsecurity/dateparse-enrich
   - crowdsecurity/whitelists
-  - crowdsecurity/sshd-logs
-  - crowdsecurity/iptables-logs
+#  - crowdsecurity/sshd-logs
+#  - crowdsecurity/iptables-logs
 # List of scenarios to install from the hub
 crowdsec_scenarios:
   - crowdsecurity/ban-defcon-drop_range
-  - crowdsecurity/ssh-bf
+#  - crowdsecurity/ssh-bf
 # List of postoverflows to install from the hub
 crowdsec_postoverflows:
   - crowdsecurity/cdn-whitelist

roles/crowdsec/tasks/conf.yml

@@ -18,7 +18,9 @@
     - db_user: "{{ crowdsec_db_user }}"
     - db_server: "{{ crowdsec_db_server }}"
     - db_pass: "{{ crowdsec_db_pass }}"
-  when: crowdsec_db_engine == 'mysql'
+  when:
+    - crowdsec_db_engine == 'mysql'
+    - crowdsec_lapi_enabled
   tags: crowdsec
 
 - when: crowdsec_lapi_pass is not defined

roles/crowdsec/tasks/directories.yml

@@ -7,4 +7,11 @@
       mode: 755
     - dir: /etc/crowdsec/meta
       mode: 700
+    - dir: /home/lbkp/crowdsec
+    - dir: /etc/crowdsec/parsers/s00-raw
+    - dir: /etc/crowdsec/parsers/s01-parse
+    - dir: /etc/crowdsec/parsers/s02-enrich
+    - dir: /etc/crowdsec/scenarios
+    - dir: /etc/crowdsec/postoverflows/s00-enrich
+    - dir: /etc/crowdsec/postoverflows/s01-whitelist
   tags: crowdsec

roles/crowdsec/tasks/install.yml

@@ -25,3 +25,30 @@
 
   tags: crowdsec
 
+- name: Create the systemd unit snippet dir
+  file: path=/etc/systemd/system/crowdsec.service.d state=directory
+  tags: crowdsec
+
+- name: Make the service restart on failure
+  copy:
+    content: |
+      [Service]
+      Restart=on-failure
+      StartLimitInterval=0
+      RestartSec=30
+    dest: /etc/systemd/system/crowdsec.service.d/restart.conf
+  register: crodwsec_unit
+  notify: restart crodwsec
+  tags: crowdsec
+
+- name: Reload systemd
+  systemd: daemon_reload=True
+  when: crodwsec_unit.changed
+  tags: crowdsec
+
+- name: Install pre and post backup hooks
+  template: src={{ item }}-backup.j2 dest=/etc/backup/{{ item }}.d/crowdsec mode=700
+  loop:
+    - pre
+    - post
+  tags: crowdsec

roles/crowdsec/templates/local_api_credentials.yaml.j2

@@ -1,3 +1,3 @@
-url: {{ crowdsec_lapi_url }}
+url: {{ crowdsec_lapi_enabled | ternary('http://127.0.0.1:' ~ crowdsec_lapi_port,crowdsec_lapi_url) }}
 login: {{ crowdsec_lapi_user }}
 password: {{ crowdsec_lapi_pass }}

roles/crowdsec/templates/post-backup.j2

@@ -0,0 +1,3 @@
+#!/bin/bash -e
+
+rm -f /home/lbkp/crowdsec/*

roles/crowdsec/templates/pre-backup.j2

@@ -0,0 +1,18 @@
+#!/bin/bash -e
+
+mkdir -p /home/lbkp/crowdsec/
+{% if crowdsec_lapi_enabled %}
+{% if crowdsec_db_engine == 'mysql' %}
+/usr/bin/mysqldump \
+{% if crowdsec_db_server not in ['localhost','127.0.0.1'] %}
+  --user={{ crowdsec_db_user | quote }} \
+  --password={{ crowdsec_db_pass | quote }} \
+  --host={{ crowdsec_db_server | quote }} \
+  --port={{ crowdsec_db_port | quote }} \
+{% endif %}
+  --quick --single-transaction \
+  --add-drop-table {{ crowdsec_db_name | quote }} | zstd -c > /home/lbkp/crowdsec/{{ crowdsec_db_name }}.sql.zst
+{% else %}
+sqlite3 /var/lib/crowdsec/data/crowdsec.db .dump | zstd -c > /home/lbkp/crowdsec/crowdsec.sql.zst
+{% endif %}
+{% endif %}

roles/ntp_client/handlers/main.yml

@@ -1,7 +1,7 @@
 ---
 
 - name: restart ntpd
-  service: name={{ ntp_service }} state=restarted
+  service: name={{ ntp_ntpd_service }} state=restarted
 
 - name: restart chrony
-  service: name={{ chrony_service }} state=restarted
+  service: name={{ ntp_chrony_service }} state=restarted

roles/squid/files/acl/software_various.domains

@@ -348,3 +348,7 @@ store.itophub.io
 crowdsec-statics-assets.s3-eu-west-1.amazonaws.com
 api.crowdsec.com
 www.cloudflare.com
+
+# Metabase
+static.metabase.com
+downloads.metabase.com