Add crowdsec

.gitignore

@@ -6,9 +6,14 @@ syncthing/config/*
 transmission/config/*
 
 proxy/nginx/conf.d/default.conf
+proxy/nginx/logs/*
 proxy/ssl/conf/*
 proxy/ssl/www/*
 proxy/ddns/domains.txt
+proxy/crowdsec/*
+!proxy/crowdsec/config
+proxy/crowdsec/config/*
+!proxy/crowdsec/config/acquis.yaml
 
 gitea/data/*
 gitea/db

proxy/.env.example

@@ -1,2 +1,3 @@
 REGRU_LOGIN=login
 REGRU_PASSWORD=password
+CROWDSEC_API_KEY=api_key

proxy/crowdsec/config/acquis.yaml

@@ -0,0 +1,4 @@
+filenames:
+  - /var/log/nginx/*.log
+labels:
+  type: nginx

proxy/docker-compose.yml

@@ -11,6 +11,8 @@ services:
       # Папки для SSL сертификатов
       - ./ssl/conf:/etc/letsencrypt:ro
       - ./ssl/www:/var/www/certbot:ro
+      # Логи для канали CrowdSec
+      - ./nginx/logs:/var/log/nginx
     # Подхватываем новые ssl сертификаты
     command: /bin/sh -c "while :; do sleep 24h & wait $${!}; nginx -s reload; done & nginx -g 'daemon off;'"
     deploy:
@@ -26,6 +28,40 @@ services:
       - cloud_network
       - matrix_network
 
+  crowdsec:
+    image: crowdsecurity/crowdsec:latest
+    container_name: crowdsec
+    restart: always
+    environment:
+      # Какие коллекции правил установить сразу
+      COLLECTIONS: "crowdsecurity/nginx crowdsecurity/http-cve crowdsecurity/whitelist-good-actors"
+      # Чтобы не захламлять вывод, можно включить только ошибки
+      # LEVEL_TRACE: "false"
+    volumes:
+      # Читаем логи Nginx
+      - ./nginx/logs:/var/log/nginx:ro
+      # Конфигурация и база данных
+      - ./crowdsec/config:/etc/crowdsec
+      - ./crowdsec/data:/var/lib/crowdsec/data
+    ports:
+      - 8081:8080
+    deploy:
+      resources:
+        limits:
+          cpus: '0.5'
+          memory: 256M
+
+  dashboard:
+    image: crowdsecurity/dashboard
+    container_name: crowdsec-dashboard
+    restart: always
+    environment:
+      - MB_DB_FILE=/data/metabase.db
+    volumes:
+      - ./crowdsec/data:/data
+    ports:
+      - 3001:3000
+
   certbot:
     image: certbot/certbot
     container_name: certbot

proxy/install-bouncer.sh

@@ -0,0 +1,12 @@
+curl -s https://api.github.com/repos/crowdsecurity/cs-firewall-bouncer/releases/latest | grep browser_download_url | grep linux-amd64 | cut -d '"' -f 4 | wget -qi -
+tar xzvf crowdsec-firewall-bouncer-linux-amd64.tgz
+cd crowdsec-firewall-bouncer-v*/
+sudo ./install.sh
+
+# Получаем API KEY
+sudo docker exec crowdsec cscli bouncers add firewall-bouncer
+
+
+# Прописываем ключ в конфиге
+# Указваем так же API_URL (см docker-compose.yml, по умолчанию меняем на 8081)
+sudo nano /etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml

proxy/nginx/conf.d/default.conf.example

@@ -2,7 +2,10 @@
 server {
     listen 80 default_server;
     listen [::]:80 default_server;
-    server_name domain.ru www.domain.ru git.domain.ru disk.domain.ru matrix.domain.ru chat.domain.ru;
+    server_name domain.ru www.domain.ru git.domain.ru cloud.domain.ru m.domain.ru chat.domain.ru;
+
+    access_log /var/log/nginx/http_access.log main;
+    error_log /var/log/nginx/http_error.log;
 
     location /.well-known/acme-challenge/ {
         root /var/www/certbot;
@@ -23,6 +26,9 @@ server {
     ssl_certificate /etc/letsencrypt/live/domain.ru/fullchain.pem;
     ssl_certificate_key /etc/letsencrypt/live/domain.ru/privkey.pem;
 
+    access_log /var/log/nginx/root_access.log main;
+    error_log /var/log/nginx/root_error.log;
+
     location / {
         charset utf-8;
         default_type text/plain;
@@ -38,6 +44,9 @@ server {
     ssl_certificate /etc/letsencrypt/live/git.domain.ru/fullchain.pem;
     ssl_certificate_key /etc/letsencrypt/live/git.domain.ru/privkey.pem;
 
+    access_log /var/log/nginx/git_access.log main;
+    error_log /var/log/nginx/git_error.log;
+
     location / {
         proxy_pass http://gitea:3000;
         proxy_set_header Host $host;
@@ -50,10 +59,13 @@ server {
 # 4. Cloud
 server {
     listen 443 ssl;
-    server_name disk.domain.ru;
+    server_name cloud.domain.ru;
 
-    ssl_certificate /etc/letsencrypt/live/disk.domain.ru/fullchain.pem;
+    ssl_certificate /etc/letsencrypt/live/cloud.domain.ru/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/disk.domain.ru/privkey.pem;
+    ssl_certificate_key /etc/letsencrypt/live/cloud.domain.ru/privkey.pem;
+
+    access_log /var/log/nginx/cloud_access.log main;
+    error_log /var/log/nginx/cloud_error.log;
 
     client_max_body_size 0;
 
@@ -69,10 +81,13 @@ server {
 # 4. Matrix
 server {
     listen 443 ssl;
-    server_name matrix.domain.ru;
+    server_name m.domain.ru;
 
-    ssl_certificate /etc/letsencrypt/live/matrix.domain.ru/fullchain.pem;
+    ssl_certificate /etc/letsencrypt/live/m.domain.ru/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/matrix.domain.ru/privkey.pem;
+    ssl_certificate_key /etc/letsencrypt/live/m.domain.ru/privkey.pem;
+
+    access_log /var/log/nginx/matrix_synapse_access.log main;
+    error_log /var/log/nginx/matrix_synapse_error.log;
 
     location / {
         proxy_pass http://matrix-synapse:8008;
@@ -102,6 +117,9 @@ server {
     ssl_certificate /etc/letsencrypt/live/chat.domain.ru/fullchain.pem;
     ssl_certificate_key /etc/letsencrypt/live/chat.domain.ru/privkey.pem;
 
+    access_log /var/log/nginx/matrix_element_access.log main;
+    error_log /var/log/nginx/matrix_element_error.log;
+
     location / {
         proxy_pass http://matrix-element;
         proxy_set_header Host $host;