🚀 crowdsec demo

This commit is contained in:
auricom
2022-12-22 23:25:27 +01:00
parent c75d8350bd
commit 5b2893786f
11 changed files with 224 additions and 9 deletions


@@ -12,6 +12,7 @@ stringData:
SECRET_CLUSTER_OVH_APPLICATION_KEY: ENC[AES256_GCM,data:W8BOyYQbQJpQco0XQ8wgtA==,iv:z/nc9+DkIkvKw6Daf/UpuMsIc/H7AnwQF5ZjQarf03U=,tag:j+Qm6oK6jei7EFDBTT5ddQ==,type:str] SECRET_CLUSTER_OVH_APPLICATION_KEY: ENC[AES256_GCM,data:W8BOyYQbQJpQco0XQ8wgtA==,iv:z/nc9+DkIkvKw6Daf/UpuMsIc/H7AnwQF5ZjQarf03U=,tag:j+Qm6oK6jei7EFDBTT5ddQ==,type:str]
SECRET_CLUSTER_OVH_APPLICATION_SECRET: ENC[AES256_GCM,data:+R6Vy1qlYZuvFsGTnK3m94PuzdsYNPe1JVpGqhq9Dy0=,iv:bNKMp6VNMyuiJokr5xm9To2OuBYzoiJSRXUm4S00MdI=,tag:8YJoz5MICyC9bES/IP6ROw==,type:str] SECRET_CLUSTER_OVH_APPLICATION_SECRET: ENC[AES256_GCM,data:+R6Vy1qlYZuvFsGTnK3m94PuzdsYNPe1JVpGqhq9Dy0=,iv:bNKMp6VNMyuiJokr5xm9To2OuBYzoiJSRXUm4S00MdI=,tag:8YJoz5MICyC9bES/IP6ROw==,type:str]
SECRET_CLUSTER_OVH_CONSUMER_KEY: ENC[AES256_GCM,data:HwEaNSLEoON99KzgVLuDWxj8DPz1gz8tc3q/1hWJOvM=,iv:uTHCAT81Js9yQ/7iK90+elZzA0j6ia7AOWEufE1i/4k=,tag:D4tI50RyJz8o3n9hrrYz4Q==,type:str] SECRET_CLUSTER_OVH_CONSUMER_KEY: ENC[AES256_GCM,data:HwEaNSLEoON99KzgVLuDWxj8DPz1gz8tc3q/1hWJOvM=,iv:uTHCAT81Js9yQ/7iK90+elZzA0j6ia7AOWEufE1i/4k=,tag:D4tI50RyJz8o3n9hrrYz4Q==,type:str]
SECRET_CROWDSEC_NGINX_BOUNCER_API_KEY: ENC[AES256_GCM,data:ecukkFOK40WWIxJ48sXrxJUBaHx2BnzqxkIT+cXYZg4=,iv:y6AfslVPufBfrIL3GQqTw0cDAan64mB9J7RY9OzKQqw=,tag:+V4Rgz26wey2UtA32S0PJQ==,type:str]
SECRET_EMAIL_DOMAIN: ENC[AES256_GCM,data:tggMEXyLi03dAorm,iv:tXHmWmm9wUIOyGXbHUagS0gl4cEW588XSvBIoNsADFw=,tag:69X+WZoj6CiI6mUJT01DzQ==,type:str] SECRET_EMAIL_DOMAIN: ENC[AES256_GCM,data:tggMEXyLi03dAorm,iv:tXHmWmm9wUIOyGXbHUagS0gl4cEW588XSvBIoNsADFw=,tag:69X+WZoj6CiI6mUJT01DzQ==,type:str]
SECRET_EMAIL_SMTP_USERNAME: ENC[AES256_GCM,data:U8UiC6SdBbX9JbpRglyXfofDzYf+LNY=,iv:BLqn6nWm+il2yxWBJgpjlLKp5/eVh8L9qSEfM9LzUEo=,tag:1+afhSVYeHTvzzBiTxP7Ew==,type:str] SECRET_EMAIL_SMTP_USERNAME: ENC[AES256_GCM,data:U8UiC6SdBbX9JbpRglyXfofDzYf+LNY=,iv:BLqn6nWm+il2yxWBJgpjlLKp5/eVh8L9qSEfM9LzUEo=,tag:1+afhSVYeHTvzzBiTxP7Ew==,type:str]
SECRET_GITEA_API_TOKEN: ENC[AES256_GCM,data:lHrRfoAtj/sY7aFiWibf7ejrwn5ANa62d85kyPKxpZhXhdiz5jHcAw==,iv:D4ac1ltRrsHEM1z/bG0gHQZ4TntCK4fEj8BoYxDv7XM=,tag:yXVYJNpbM46ri9kW8MwxwQ==,type:str] SECRET_GITEA_API_TOKEN: ENC[AES256_GCM,data:lHrRfoAtj/sY7aFiWibf7ejrwn5ANa62d85kyPKxpZhXhdiz5jHcAw==,iv:D4ac1ltRrsHEM1z/bG0gHQZ4TntCK4fEj8BoYxDv7XM=,tag:yXVYJNpbM46ri9kW8MwxwQ==,type:str]
@@ -48,8 +49,8 @@ sops:
WG82VkdBMlNnRzBySFQzMk41cEtXSlEKBqOmq9UpO61C85+pj0ibdT31y4pmFsbm WG82VkdBMlNnRzBySFQzMk41cEtXSlEKBqOmq9UpO61C85+pj0ibdT31y4pmFsbm
pTi4N0vv81kcf4ilqBU5h1gudNCb42Q2iL0eGNR4e3JzH4iaNsvnEg== pTi4N0vv81kcf4ilqBU5h1gudNCb42Q2iL0eGNR4e3JzH4iaNsvnEg==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2022-11-21T21:03:04Z" lastmodified: "2022-12-23T01:26:12Z"
mac: ENC[AES256_GCM,data:1kDdR/a7WBENCYzT3JSiM7tYCGqYA+z5J/HbV7C9vw0kqoRCPg6QftdaszI0OOcNANtOnFWsaJZo2qvb8joNQMSYTiVQ6M0gEGjf1r5/ppi/mmBIZpPIdEU0qC+t8vJziFoiG/1wuetm/fUHlaom0XkgKtoy/irrPK0NcZEMuXA=,iv:HYa8SiJ6IZWuxMUSbfKdc7/gslrtTUy/89M0cfz05Hk=,tag:IlIiGNjpRQfxUu7JeN2XRQ==,type:str] mac: ENC[AES256_GCM,data:wYR8nXe5A7BePH7ttqp2YPyBthbJM892U5qZjvpVqo+vAbxYLZn/H3aDWAeUmM9rSQi8c4wR8UtDk7GTxUiMkdRYS267r2Jxcns0Z0sLq7D3YdL4zlW7TkDuo6zaknVOuePgSr9SYl/Z9y2ryk/BhRF9UjAASqnAEWtOKTqqs6I=,iv:LNqr+JPdywz/Z0wNhgKSAHJu4wMm+MykbFAzNoBNhec=,tag:kaltioo8R0HOhSYGmH1jww==,type:str]
pgp: [] pgp: []
encrypted_regex: ^(data|stringData)$ encrypted_regex: ^(data|stringData)$
version: 3.7.3 version: 3.7.3


@@ -19,7 +19,6 @@ data:
CLUSTER_LB_EMQX: 192.168.169.109 CLUSTER_LB_EMQX: 192.168.169.109
CLUSTER_LB_JELLYFIN: 192.168.169.110 CLUSTER_LB_JELLYFIN: 192.168.169.110
CLUSTER_LB_RESILIOSYNC_HELENE: 192.168.169.111 CLUSTER_LB_RESILIOSYNC_HELENE: 192.168.169.111
CLUSTER_LB_BORGSERVER: 192.168.169.112
LOCAL_LAN: 192.168.8.0/22 LOCAL_LAN: 192.168.8.0/22
LOCAL_LAN_OPNSENSE: 192.168.8.1 LOCAL_LAN_OPNSENSE: 192.168.8.1
LOCAL_LAN_TRUENAS: 192.168.9.10 LOCAL_LAN_TRUENAS: 192.168.9.10


@@ -0,0 +1,9 @@
---
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: HelmRepository
metadata:
name: crowdsec
namespace: flux-system
spec:
interval: 1h
url: https://crowdsecurity.github.io/helm-charts


@@ -7,6 +7,7 @@ resources:
- ./cert-manager-webhook-ovh.yaml - ./cert-manager-webhook-ovh.yaml
- ./cilium.yaml - ./cilium.yaml
- ./cloudnative-pg.yaml - ./cloudnative-pg.yaml
- ./crowdsec.yaml
- ./descheduler.yaml - ./descheduler.yaml
- ./drone.yaml - ./drone.yaml
- ./dysnix.yaml - ./dysnix.yaml


@@ -14,5 +14,6 @@ resources:
- ./media-servers - ./media-servers
- ./monitoring - ./monitoring
- ./networking - ./networking
# - ./security
- ./storage - ./storage
- ./web-tools - ./web-tools
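Review bot: The only reference to the new security tree is added here as a comment, `# - ./security`, so if the kustomization at the end of this commit that lists `./crowdsec` lives under `security/`, Flux will never reconcile the crowdsec HelmRelease or its SOPS secret; only the `crowdsec` namespace created in the namespaces file would exist. Either uncomment the entry or say why it is deliberately parked, e.g. `# - ./security  # crowdsec demo, not yet reconciled`, so the next reader does not assume the release is live. The enclosing `resources` list starts before this hunk.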


@@ -1,6 +1,13 @@
--- ---
apiVersion: v1 apiVersion: v1
kind: Namespace kind: Namespace
metadata:
name: crowdsec
labels:
kustomize.toolkit.fluxcd.io/prune: disabled
---
apiVersion: v1
kind: Namespace
metadata: metadata:
name: default name: default
labels: labels:


@@ -51,6 +51,9 @@ spec:
service-upstream: "true" service-upstream: "true"
ssl-protocols: "TLSv1.3 TLSv1.2" ssl-protocols: "TLSv1.3 TLSv1.2"
use-forwarded-headers: "true" use-forwarded-headers: "true"
# crowdsec bouncer
# plugins: "crowdsec"
# lua-shared-dicts: "crowdsec_cache: 50m"
metrics: metrics:
enabled: true enabled: true
serviceMonitor: serviceMonitor:
@@ -69,12 +72,46 @@ spec:
matchLabels: matchLabels:
app.kubernetes.io/name: ingress-nginx app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/component: controller app.kubernetes.io/component: controller
resources: # crowdsec bouncer
requests: # extraVolumes:
memory: 400Mi # - name: crowdsec-bouncer-plugin
cpu: 25m # emptyDir: {}
limits: # extraInitContainers:
memory: 1Gi # - name: init-clone-crowdsec-bouncer
# image: crowdsecurity/lua-bouncer-plugin
# tag: v0.1.11
# imagePullPolicy: IfNotPresent
# env:
# - name: API_URL
# value: "http://crowdsec-service.crowdsec.svc.cluster.local:8080"
# - name: API_KEY
# value: "${SECRET_CROWDSEC_NGINX_BOUNCER_API_KEY}"
# - name: DISABLE_RUN
# value: "true"
# - name: BOUNCER_CONFIG
# value: "/crowdsec/crowdsec-bouncer.conf"
# command:
# - "/bin/sh"
# - "-c"
# - |
# #!/bin/sh
# sh /docker_start.sh
# mkdir -p /lua_plugins/crowdsec/
# cp -pr /crowdsec/* /lua_plugins/crowdsec/
# volumeMounts:
# - name: crowdsec-bouncer-plugin
# mountPath: /lua_plugins
# extraVolumeMounts:
# - name: crowdsec-bouncer-plugin
# mountPath: /etc/nginx/lua/plugins/crowdsec
# subPath: crowdsec
# resources:
# requests:
# memory: 400Mi
# cpu: 25m
# limits:
# memory: 1Gi
defaultBackend: defaultBackend:
enabled: true enabled: true
image: image:
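Review bot: The controller's `resources` block appears to have been moved into the commented-out bouncer section (the old-side `resources:`/`requests:`/`limits:` lines at the start of the hunk reappear only as `# resources:` near its end), so after this change the ingress-nginx controller would run with no memory limit and no CPU/memory requests; the live `resources:` block should be restored outside the comment regardless of whether the bouncer is enabled. When the init container is uncommented, `value: "${SECRET_CROWDSEC_NGINX_BOUNCER_API_KEY}"` would place the bouncer key into the pod spec as a plain env value readable by anyone who can read pods in the namespace; prefer `valueFrom.secretKeyRef` against the SOPS-managed secret, the same pattern the crowdsec HelmRelease uses for `ENROLL_KEY`. The key itself is added to the cluster secrets in this commit while every consumer is commented out, so a one-line comment such as `# crowdsec bouncer: staged, disabled until LAPI is reconciled` would explain the dead config. The `values` mapping starts before and ends after this hunk.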


@@ -0,0 +1,120 @@
---
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: crowdsec
namespace: crowdsec
spec:
interval: 15m
chart:
spec:
chart: crowdsec
version: 0.8.2
sourceRef:
kind: HelmRepository
name: crowdsec
namespace: flux-system
install:
createNamespace: true
remediation:
retries: 5
upgrade:
remediation:
retries: 5
values:
container_runtime: containerd
image:
repository: crowdsecurity/crowdsec
tag: v1.4.3
lapi:
env:
# by default disable the agent for local API pods
- name: DISABLE_AGENT
value: "true"
- name: ENROLL_KEY
valueFrom:
secretKeyRef:
name: crowdsec-config
key: enroll_key
- name: ENROLL_INSTANCE_NAME
value: "talos@cluster-0"
dashboard:
enabled: false
ingress:
enabled: false
annotations:
ingressClassName: nginx
host: &host "{{ .Release.Name }}.${SECRET_CLUSTER_DOMAIN}"
tls:
- hosts:
- *host
resources:
requests:
cpu: 150m
memory: 100M
limits:
memory: 100M
# -- Enable persistent volumes
persistentVolume:
# -- Persistent volume for data folder. Stores e.g. registered bouncer api keys
data:
enabled: true
accessModes:
- ReadWriteOnce
storageClassName: rook-ceph-filesystem
size: 1Gi
# -- Persistent volume for config folder. Stores e.g. online api credentials
config:
enabled: true
accessModes:
- ReadWriteOnce
storageClassName: rook-ceph-filesystem
size: 100Mi
metrics:
enabled: false
serviceMonitor:
enabled: false
strategy:
type: Recreate
agent:
# To specify each pod you want to process it logs (pods present in the node)
acquisition:
# The namespace where the pod is located
- namespace: ingress-nginx
# The pod name
podName: ingress-nginx-controller-*
# as in crowdsec configuration, we need to specify the program name so the parser will match and parse logs
program: nginx
# Those are ENV variables
env:
# As it's a test, we don't want to share signals with CrowdSec so disable the Online API.
- name: DISABLE_crONLINE_API
value: "true"
# As we are running Nginx, we want to install the Nginx collection
- name: COLLECTIONS
value: "crowdsecurity/nginx crowdsecurity/linux crowdsecurity/base-http-scenarios crowdsecurity/http-cve crowdsecurity/pgsql crowdsecurity/sshd"
- name: PARSERS
value: "crowdsecurity/cri-logs"
- name: TZ
value: "${TIMEZONE}"
- name: DISABLE_ONLINE_API
value: "false"
resources:
limits:
memory: 100Mi
requests:
cpu: 150m
memory: 100Mi
# -- Enable persistent volumes
persistentVolume:
# -- Persistent volume for config folder. Stores local config (parsers, scenarios etc.)
config:
enabled: true
accessModes:
- ReadWriteMany
storageClassName: rook-ceph-filesystem
size: 100Mi
metrics:
enabled: true
serviceMonitor:
enabled: true
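Review bot: In the agent `env` list, `DISABLE_crONLINE_API` looks like a typo of `DISABLE_ONLINE_API`, so that entry is inert, and the real `DISABLE_ONLINE_API` entry later in the same list sets `"false"`, which contradicts the comment above the typo saying the Online API is disabled because this is a test. Pick one setting and delete the other: since `ENROLL_KEY` is wired into the LAPI pod, sharing signals is evidently intended, so drop the three lines `# As it's a test, we don't want to share signals ...`, `- name: DISABLE_crONLINE_API`, `value: "true"` and keep `DISABLE_ONLINE_API: "false"`. Separately, the LAPI `resources` use `100M` while the agent uses `100Mi`; both are valid but easy to misread as equal, so one suffix throughout would be cleaner. `COLLECTIONS` also pulls in `crowdsecurity/sshd` and `crowdsecurity/pgsql` although `acquisition` only targets the ingress-nginx controller pods, so those collections will never see matching logs; harmless, but worth a comment if they are intentional.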


@@ -0,0 +1,6 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ./helmrelease.yaml
- ./secret.sops.yaml


@@ -0,0 +1,29 @@
# yamllint disable
apiVersion: v1
kind: Secret
metadata:
name: crowdsec-config
namespace: crowdsec
type: Opaque
stringData:
enroll_key: ENC[AES256_GCM,data:ret34T4Bcdua76M8s19bLeNTUWweVqPg5Q==,iv:q9sXlIUAkRi4Gu1+uhVWW5WCDuUCn6ZAV+UjtK1hkAQ=,tag:zXCtO2dpokZ57/NTthItig==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoN0VJaHVYcXNDZDlZUGRn
YUViZDU0TCtmbzkycUpiZUVDbkluSzdSM2hVClpMRDdKREJBZEpEYUIxUGlIem9Q
Z08rVUVLUFhWNGdncElCR2hFVFNJUEUKLS0tIDZzcDVyb0lMTzRrNStBRU1KN2wy
OU81anNCMk13bXNXRVM3ZWcxTjd6SUkKd5FvLfeXe4p7j5eryl9ZuVh6oT920yiy
hsaI1Cwm2WH55lR++P1jtIyTo+lOL5M+IZUeyC7LXBpMp2UBNbllcw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2022-12-23T02:14:45Z"
mac: ENC[AES256_GCM,data:Y5ZzEfUbfy4hs6CpxZOW9/jSzp/lRaL28vB81BHFnUCDH9hHiCLMhb64SfJdCOgxP1HjKRbsQgSLdQD0W1Q7udtsXFVFg+LnND++ukWaXESj/USb25o9RT8Kn94RePLzeDdOkAR9hYS+YViKjdvdck2oKwr1cy8slcgHDXi83LI=,iv:/iBS+i43BaSOBZGUeNxUnqn4sgX12GozkQdUuLLsvMM=,tag:JLwY15QfNLWRJax2nKdcbw==,type:str]
pgp: []
encrypted_regex: ^(data|stringData)$
version: 3.7.3


@@ -0,0 +1,5 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ./crowdsec