From 7da39198f881df64104d7f9f1f4dd570c354617a Mon Sep 17 00:00:00 2001
From: ue87775
Date: Fri, 24 Apr 2026 10:17:03 +0200
Subject: [PATCH] https://gitea.quangkhai.ch/quangkhai/deployments/issues/6 Uses Crowdsec
Co-authored-by: Copilot
---
 traefik/crowdsec/acquis.yaml | 4 +++
 traefik/docker-compose.yaml | 49 ++++++++++++++++++++++++++++++------
 2 files changed, 46 insertions(+), 7 deletions(-)
 create mode 100644 traefik/crowdsec/acquis.yaml
diff --git a/traefik/crowdsec/acquis.yaml b/traefik/crowdsec/acquis.yaml
new file mode 100644
index 0000000..f023943
--- /dev/null
+++ b/traefik/crowdsec/acquis.yaml
@@ -0,0 +1,4 @@
+filenames:
+ - /var/log/traefik/access.log
+labels:
+ type: traefik
diff --git a/traefik/docker-compose.yaml b/traefik/docker-compose.yaml
index 8598635..88ed50c 100644
--- a/traefik/docker-compose.yaml
+++ b/traefik/docker-compose.yaml
@@ -2,11 +2,17 @@ services:
 traefik:
 image: traefik:v3.6
 container_name: traefik
+ depends_on:
+ - crowdsec
 command:
 - "--api.dashboard=true"
 - "--api.insecure=false"
 - "--providers.docker=true"
 - "--providers.docker.exposedbydefault=false"
+ - "--experimental.plugins.crowdsec-bouncer.modulename=github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin"
+ - "--experimental.plugins.crowdsec-bouncer.version=v1.4.2"
+ - "--accesslog=true"
+ - "--accesslog.filepath=/var/log/traefik/access.log"
 # - "--entrypoints.https.address=:443"
@@ -14,6 +20,7 @@ services:
 - "--entrypoints.web.address=:80"
 - "--entrypoints.websecure.address=:443"
 - "--entrypoints.mqtt-secure.address=:8883"
+ - "--entrypoints.websecure.http.middlewares=crowdsec@docker"
 # Global HTTP -> HTTPS Redirection
 - "--entrypoints.web.http.redirections.entryPoint.to=websecure"
 - "--entrypoints.web.http.redirections.entryPoint.scheme=https"
@@ -31,6 +38,7 @@ services:
 volumes:
 - /var/run/docker.sock:/var/run/docker.sock:ro
 - ./letsencrypt:/letsencrypt
+ - ./logs:/var/log/traefik
 networks:
 - proxy_tier
 restart: unless-stopped
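Review bot: `depends_on: - crowdsec` only orders container start; it does not wait for the CrowdSec LAPI to be ready, and with `crowdsecMode=live` (set later in this patch) the bouncer consults LAPI on every request, so requests arriving right after a (re)start are handled while LAPI may still be initialising. What the plugin does in that window, fail open or fail closed, is not configured anywhere in this diff and is worth confirming and setting explicitly. Once the crowdsec service has a healthcheck, the long form `depends_on:` / `  crowdsec:` / `    condition: service_healthy` lets Compose gate Traefik on it. The traefik service definition continues past the end of this hunk.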
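Review bot: `--entrypoints.websecure.http.middlewares=crowdsec@docker` references a middleware that is declared through labels on the traefik container itself, while `--providers.docker.exposedbydefault=false` is set and no `traefik.enable=true` label is visible in this diff; if the Docker provider ignores that container's labels, the middleware does not exist and every router on `websecure` fails to build. The existing `authelia-auth` middleware is declared the same way, so this may already work in practice, but please confirm in the dashboard or the Traefik log that `crowdsec@docker` is loaded rather than reported as missing, because a missing entrypoint middleware takes down all HTTPS routing at once. Attaching the bouncer at entrypoint level is the right placement, since it then runs ahead of router-level middlewares such as the forwardauth one.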
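Review bot: `./logs:/var/log/traefik` is a host bind mount for an access log that grows with every request, and nothing in this diff rotates or bounds it, so it will eventually fill the host disk; the log also records client IPs and full request paths, which needs a retention decision. Traefik reopens its log files on SIGUSR1, so a host logrotate rule whose postrotate step runs `docker kill -s USR1 traefik` keeps the file bounded without breaking CrowdSec's tail of `access.log`. A short comment such as `# access log is read by crowdsec; rotate on the host and send USR1 to traefik` next to the mount would make the coupling visible to the next maintainer.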
@@ -40,21 +48,48 @@ services:
 timeout: 10s
 retries: 3
 start_period: 5s
- resources:
- limits:
- cpus: '2'
- memory: 512M
- reservations:
- cpus: '1'
- memory: 256M
+ deploy:
+ resources:
+ limits:
+ cpus: '2'
+ memory: 512M
+ reservations:
+ cpus: '1'
+ memory: 256M
 labels:
 # THE MIDDLEWARE DEFINITION
 - "traefik.http.middlewares.authelia-auth.forwardauth.address=http://authelia:9091/api/verify?rd=https://auth.quangkhai.ch/"
 - "traefik.http.middlewares.authelia-auth.forwardauth.trustForwardHeader=true"
 - "traefik.http.middlewares.authelia-auth.forwardauth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email"
+ - "traefik.http.middlewares.crowdsec.plugin.crowdsec-bouncer.enabled=true"
+ - "traefik.http.middlewares.crowdsec.plugin.crowdsec-bouncer.logLevel=INFO"
+ - "traefik.http.middlewares.crowdsec.plugin.crowdsec-bouncer.crowdsecMode=live"
+ - "traefik.http.middlewares.crowdsec.plugin.crowdsec-bouncer.crowdsecLapiHost=crowdsec:8080"
+ - "traefik.http.middlewares.crowdsec.plugin.crowdsec-bouncer.crowdsecLapiScheme=http"
+ - "traefik.http.middlewares.crowdsec.plugin.crowdsec-bouncer.crowdsecLapiKey=${CROWDSEC_BOUNCER_KEY:-change-me}"
+
+ crowdsec:
+ image: crowdsecurity/crowdsec:latest
+ container_name: crowdsec
+ environment:
+ - TZ=UTC
+ - COLLECTIONS=crowdsecurity/traefik
+ - BOUNCER_KEY_TRAEFIK=${CROWDSEC_BOUNCER_KEY:-change-me}
+ volumes:
+ - ./crowdsec/acquis.yaml:/etc/crowdsec/acquis.yaml:ro
+ - ./logs:/var/log/traefik:ro
+ - crowdsec-db:/var/lib/crowdsec/data
+ - crowdsec-config:/etc/crowdsec
+ networks:
+ - proxy_tier
+ restart: unless-stopped
 networks:
 proxy_tier:
 name: proxy_tier
 external: true
+
+volumes:
+ crowdsec-db:
+ crowdsec-config:
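Review bot: `${CROWDSEC_BOUNCER_KEY:-change-me}` on both the `crowdsecLapiKey` label and `BOUNCER_KEY_TRAEFIK` means a forgotten variable silently deploys a working stack whose LAPI accepts the guessable key `change-me`; use `${CROWDSEC_BOUNCER_KEY:?CROWDSEC_BOUNCER_KEY is not set}` in both places so Compose refuses to start instead. The key also ends up in the traefik container's labels, readable by anything that can `docker inspect` or reach the mounted socket, so a comment noting that exposure, or a file-based way of passing the key if the plugin offers one (not verified here), is worth considering. `image: crowdsecurity/crowdsec:latest` is the only unpinned image in the file, next to `traefik:v3.6` and the plugin at `v1.4.2`, so pin it to a release tag or digest before this reaches a host that auto-pulls. LAPI is reached over plain HTTP on `proxy_tier`, an external network shared with every proxied service; a dedicated internal network between traefik and crowdsec would limit who can reach port 8080, and the crowdsec service has no `healthcheck:` yet, so `depends_on` cannot wait for LAPI readiness.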