Setup crowdsec with ssh/firewall/traefik

2024-06-20 22:16:50 +08:00 · 2024-06-20 22:16:50 +08:00 · dc03244a3c
commit dc03244a3c
parent 2adadb30e8
10 changed files with 140 additions and 1 deletions
--- a/nixos/viridian/services/traefik/default.nix
+++ b/nixos/viridian/services/traefik/default.nix
@ -53,10 +53,17 @@

      # Install plugins
      experimental.plugins = {
+        # Block or allow requests based on their country of origin.
        geoblock = {
          moduleName = "github.com/PascalMinder/geoblock";
          version = "v0.2.7";
        };
+
+        # Authorize or block requests from IPs based on there reputation and behaviour.
+        bouncer = {
+          moduleName = "github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin";
+          version = "v1.3.2";
+        };
      };

      # Network entry points into Traefik
--- a/nixos/viridian/services/traefik/middlewares.nix
+++ b/nixos/viridian/services/traefik/middlewares.nix
@ -1,6 +1,13 @@
-{ ... }:
+{ config, ... }:

 {
+  # Crowdsec Local API key for the bouncer.
+  age.secrets.traefik-bouncer-key = {
+    rekeyFile = ../crowdsec/traefik-bouncer-key.age;
+    owner = "traefik";
+    group = "traefik";
+  };
+
  # Attached to the routers, pieces of middleware are a means of tweaking the requests before they are sent to your service
  services.traefik.dynamicConfigOptions.http.middlewares = {
    # Restrict access to admin devices only
@ -9,12 +16,14 @@
      "192.168.1.101"   # fuchsia
      "10.100.0.2"      # Pixel 6 Pro
    ];
+
    # Restrict access to internal networks
    internal.ipwhitelist.sourcerange = [
      "127.0.0.1/32"    # localhost
      "192.168.1.1/24"  # lan
      "10.100.0.0/24"   # wireguard clients
    ];
+
    # Restrict access based on geo-location
    geoblock.plugin.geoblock = {
      silentStartUp = "false";
@ -42,6 +51,17 @@
      # Even if an IP stays in the cache for a period of a month, it must be fetch again after a month.
      forceMonthlyUpdate = "true";
    };
+
+    # Disable Crowdsec IP checking but apply Crowdsec Appsec checking. This mode is intended to be used when Crowdsec IP checking is applied at the Firewall Level.
+    crowdsec.plugin.bouncer = {
+      enabled = "true";
+      crowdsecMode = "appsec";
+      crowdsecLapiKeyFile = config.age.secrets.traefik-bouncer-key.path; 
+      crowdsecLapiScheme = "http";
+      crowdsecLapiHost = "127.0.0.1:8080";
+      crowdsecAppsecEnabled = "true";
+      crowdsecAppsecHost = "127.0.0.1:7422";
+    };
  };
 }