feat(BOUN-1003): Adds Crowdsec bouncer to BN
1 parent
6e3edfb
commit 0f707cd
Showing
6 changed files
with
147 additions
and
9 deletions.
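--- /dev/null
+++ b/ic-os/boundary-guestos/rootfs/etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml
@@ -0,0 +1,26 @@
+mode: nftables
+
+update_frequency: 1s
+
+log_mode: stdout
+log_level: info
+
+api_url: {API_URL}
+api_key: {API_KEY}
+
+supported_decisions_types:
+  - ban
+
+blacklists_ipv4: crowdsec
+blacklists_ipv6: crowdsec6
+
+nftables:
+  ipv4:
+    enabled: true
+    set-only: true
+    table: filter
+
+  ipv6:
+    enabled: true
+    set-only: true
+    table: filter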
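Review bot: With `set-only: true` for both families the bouncer only fills the `crowdsec` and `crowdsec6` sets in table `filter` and never installs a rule that drops traffic from them, so a ban has no effect unless the node's nftables ruleset already references those sets; nothing in this commit adds such a rule, so presumably it lives in the existing ruleset and the file should say so. A comment next to `nftables:` such as `# set-only: the drop rules referencing sets crowdsec/crowdsec6 in table filter live in the node's nftables ruleset` would stop a reader from assuming the bouncer enforces on its own. The `{API_URL}`/`{API_KEY}` tokens are replaced at boot by setup-crowdsec.sh and end up as unquoted plain scalars, so a value starting with a YAML indicator character would be misparsed; writing them as `api_url: "{API_URL}"` and `api_key: "{API_KEY}"` is cheap insurance.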
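--- /dev/null
+++ b/ic-os/boundary-guestos/rootfs/etc/systemd/system/crowdsec-firewall-bouncer.service
@@ -0,0 +1,19 @@
+[Unit]
+Description=Crowdsec nftables bouncer
+After=network-online.target
+Wants=network-online.target
+After=setup-crowdsec.service
+BindsTo=setup-crowdsec.service
+
+[Service]
+Type=notify
+ExecStart=/usr/bin/crowdsec-firewall-bouncer -c /etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml
+ExecStartPre=/usr/bin/crowdsec-firewall-bouncer -c /etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml -t
+ExecStartPost=/bin/sleep 0.1
+Restart=always
+RestartSec=10
+LimitNOFILE=65536
+KillMode=mixed
+
+[Install]
+WantedBy=multi-user.target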
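Review bot: The [Service] section runs the bouncer as root with no sandboxing directives, although the only privileged thing the configuration this commit adds asks of it (`mode: nftables`) is updating nft sets; a process that parses decisions fetched from a remote API is exactly the kind that benefits from a capability bounding set and the standard filesystem protections, so that a bug in it cannot reach beyond the firewall. `ExecStartPost=/bin/sleep 0.1` also carries no explanation of what the delay is for, and a one-line `# give the bouncer a moment to … before dependants start` (with the real reason) would save the next reader a guess. The directives below are the usual set; whether `CAP_NET_ADMIN` alone suffices for the nft set updates and whether `ProtectSystem=strict` tolerates the bind mount over /etc should be confirmed on a running node.
```ini
KillMode=mixed
# Hardening: the bouncer only needs to reach the LAPI and update nft sets.
CapabilityBoundingSet=CAP_NET_ADMIN
NoNewPrivileges=true
ProtectSystem=strict
ProtectHome=true
PrivateTmp=true
```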
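--- /dev/null
+++ b/ic-os/boundary-guestos/rootfs/etc/systemd/system/setup-crowdsec.service
@@ -0,0 +1,10 @@
+[Unit]
+Description=Create configuration for Crowdsec
+DefaultDependencies=no
+After=bootstrap-ic-node.service
+Requires=bootstrap-ic-node.service
+
+[Service]
+Type=oneshot
+RemainAfterExit=true
+ExecStart=/opt/ic/bin/setup-crowdsec.sh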
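Review bot: The unit has no [Install] section, so it is never enabled on its own and is only activated through `BindsTo=setup-crowdsec.service` in crowdsec-firewall-bouncer.service; that is a deliberate coupling worth stating in the file, otherwise someone will later add a `WantedBy=` to "fix" it. A comment under [Unit] such as `# Not enabled directly: pulled in by crowdsec-firewall-bouncer.service (BindsTo=)` would do. `RemainAfterExit=true` is what keeps that BindsTo satisfied after the oneshot script returns, and `DefaultDependencies=no` means the only ordering guarantee is `After=bootstrap-ic-node.service`; the same comment should say both, since the script writes under /run and bind-mounts over /etc.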
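--- /dev/null
+++ b/ic-os/boundary-guestos/rootfs/opt/ic/bin/setup-crowdsec.sh
@@ -0,0 +1,49 @@
+#!/bin/bash
+
+set -euox pipefail
+source '/opt/ic/bin/helpers.shlib'
+
+readonly BN_CONFIG="${BOOT_DIR}/bn_vars.conf"
+
+readonly RUN_DIR='/run/ic-node/etc/crowdsec'
+readonly CFG_RO="/etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml"
+readonly CFG_RW="${RUN_DIR}/crowdsec-firewall-bouncer.yaml"
+
+# Read the config variables. The files must be of the form
+# "key=value" for each line with a specific set of keys permissible (see
+# code below).
+function read_variables() {
+    if [[ ! -d "${BOOT_DIR}" ]]; then
+        err "missing node configuration directory: ${BOOT_DIR}"
+        exit 1
+    fi
+
+    if [ ! -f "${BN_CONFIG}" ]; then
+        err "missing domain configuration: ${BN_CONFIG}"
+        exit 1
+    fi
+
+    # Read limited set of keys. Be extra-careful quoting values as it could
+    # otherwise lead to executing arbitrary shell code!
+    while IFS="=" read -r key value; do
+        case "${key}" in
+            "crowdsec_api_url") API_URL="${value}" ;;
+            "crowdsec_api_key") API_KEY="${value}" ;;
+        esac
+    done <"${BN_CONFIG}"
+}
+
+function generate_config() {
+    mkdir -p "${RUN_DIR}"
+    cp $CFG_RO $CFG_RW
+    sed -i "s|{API_URL}|${API_URL}|g" $CFG_RW
+    sed -i "s|{API_KEY}|${API_KEY}|g" $CFG_RW
+    mount --bind $CFG_RW $CFG_RO
+}
+
+function main() {
+    read_variables
+    generate_config
+}
+
+main "$@"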
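Review bot: `set -euox pipefail` turns on xtrace for the whole script, so the `API_KEY="${value}"` assignment in read_variables and the `sed -i "s|{API_KEY}|${API_KEY}|g"` line in generate_config both print the expanded bouncer API key on stderr, which the oneshot unit sends to the journal; change it to `set -euo pipefail` (or bracket the secret-handling with `set +x`/`set -x`). The sed lines also splice the values into the sed expression, so a key or URL containing `|`, `&` or `\` either breaks the substitution or is reinterpreted, and the copied file is created with the default umask although it now holds a credential; the read_variables comment warns about careful quoting, but the values never reach anything that quotes them. A bash-native substitution with a restrictive umask, as below, removes both issues, and an explicit `:?` check gives a clearer failure than set -u's unbound-variable message when a key is missing from bn_vars.conf. Quoting `$CFG_RO`/`$CFG_RW` would also make shellcheck happy.
```bash
function generate_config() {
    : "${API_URL:?crowdsec_api_url missing in ${BN_CONFIG}}"
    : "${API_KEY:?crowdsec_api_key missing in ${BN_CONFIG}}"
    mkdir -p "${RUN_DIR}"
    local template
    template="$(<"${CFG_RO}")"
    # Plain string replacement: no sed metacharacter surprises from the values.
    template="${template//\{API_URL\}/${API_URL}}"
    template="${template//\{API_KEY\}/${API_KEY}}"
    # The file carries the API key; create it unreadable to others.
    (umask 077 && printf '%s\n' "${template}" >"${CFG_RW}")
    mount --bind "${CFG_RW}" "${CFG_RO}"
}
```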