Migrate from old repository

defaults/main.yml

@@ -0,0 +1,20 @@
+---
+cs_collections_list: []
+cs_scenarios_list: []
+cs_parsers_list: []
+cs_postoverflows_list: []
+
+cs_ban_duration: "4h"
+
+cs_prometheus_enabled: false
+
+cs_parsers_mywhitelists_ip: []
+cs_parsers_mywhitelists_cidr: []
+
+cs_trusted_ips:
+  - 127.0.0.1
+  - ::1
+
+cs_receiver_emails: []
+
+version: latest

meta/main.yml

@@ -0,0 +1,18 @@
+---
+
+dependencies: []
+
+galaxy_info:
+  role_name: crowdsec
+  author: 'Pierre-Olivier Mercier <nemunaire+iac@nemunai.re>'
+  description: Installs and configure crowdsec through Docker
+  license: GPL-3.0-or-later
+  min_ansible_version: 2.9
+  platforms:
+    - name: Alpine
+      versions:
+        - all
+    - name: Debian
+      versions:
+        - all
+  galaxy_tags: []

tasks/main.yml

@@ -0,0 +1,57 @@
+---
+- name: Ensure crowdsec directory exists
+  file:
+    path: "{{ item }}"
+    state: directory
+  loop:
+    - /etc/crowdsec/notifications
+    - /etc/crowdsec/parsers/s02-enrich
+
+- name: configure crowdsec
+  template:
+    src: "{{ item.src }}"
+    dest: "/etc/crowdsec/{{ item.dest }}"
+  register: crowdsecconfig
+  loop:
+    - {src: "config.yaml.j2", dest: "config.yaml" }
+    - {src: "profiles.yaml.j2", dest: "profiles.yaml" }
+    - {src: "email.yaml.j2", dest: "notifications/email.yaml" }
+    - {src: "mywhitelists.yaml.j2", dest: "parsers/s02-enrich/mywhitelists.yaml" }
+
+- name: "stop crowdsec container to reload config"
+  docker_container:
+    name: "{{ instance_name }}"
+    state: stopped
+  when: crowdsecconfig is changed
+  ignore_errors: yes
+
+- name: "launch {{ instance_name }} container"
+  docker_container:
+    name: "{{ instance_name }}"
+    image: "crowdsecurity/crowdsec:{{ version }}"
+    pull: true
+    state: started
+    restart_policy: unless-stopped
+    memory: 2G
+    volumes:
+      - /etc/crowdsec:/etc/crowdsec
+      - /var/lib/crowdsec:/var/lib/crowdsec/data
+      - /var/log/:/logs:ro
+    mounts:
+      - target: /tmp
+        type: tmpfs
+        tmpfs_mode: 1777
+        tmpfs_size: 512M
+    env:
+      COLLECTIONS: "{{ cs_collections_list | join(' ') }}"
+      SCENARIOS: "{% if cs_scenarios_list is defined %}{{ cs_scenarios_list | join(' ') }}{% endif %}"
+      PARSERS: "{% if cs_parsers_list is defined %}{{ cs_parsers_list | join(' ') }}{% endif %}"
+      POSTOVERFLOWS: "{% if cs_postoverflows_list is defined %}{{ cs_postoverflows_list | join(' ') }}{% endif %}"
+    published_ports:
+      - "{{ prometheus_endpoint }}:6060"
+      - "{{ endpoint }}:8080"
+    log_driver: syslog
+    log_options:
+      syslog-address: unixgram:///dev/log
+      syslog-facility: daemon
+      tag: "{{ instance_name }}"

templates/config.yaml.j2

@@ -0,0 +1,60 @@
+common:
+  daemonize: false
+  pid_dir: /var/run/
+  log_media: stdout
+  log_level: info
+  log_dir: /logs/
+  working_dir: .
+config_paths:
+  config_dir: /etc/crowdsec/
+  data_dir: /var/lib/crowdsec/data/
+  simulation_path: /etc/crowdsec/simulation.yaml
+  hub_dir: /etc/crowdsec/hub/
+  index_path: /etc/crowdsec/hub/.index.json
+  notification_dir: /etc/crowdsec/notifications/
+  plugin_dir: /usr/local/lib/crowdsec/plugins/
+crowdsec_service:
+  acquisition_path: /etc/crowdsec/acquis.yaml
+  parser_routines: 1
+plugin_config:
+  user: nobody
+  group: nobody
+cscli:
+  output: human
+db_config:
+  log_level: info
+{% if database is defined %}
+  type: mysql
+  user: "{{ database.username }}"
+  password: "{{ database.password }}"
+  db_name: "{{ database.database }}"
+  host: "{{ database.host }}"
+  port: {{ database.port }}
+{% else %}
+  type: sqlite
+  db_path: /var/lib/crowdsec/data/crowdsec.db
+{% endif %}
+  flush:
+    max_items: 5000
+    max_age: 7d
+api:
+  client:
+    insecure_skip_verify: false
+    credentials_path: /etc/crowdsec/local_api_credentials.yaml
+  server:
+    log_level: info
+    listen_uri: 0.0.0.0:8080
+    profiles_path: /etc/crowdsec/profiles.yaml
+    use_forwarded_for_headers: true
+    trusted_ips: {{ cs_trusted_ips | to_json() }}# IP ranges, or IPs which can have admin API access
+    online_client: # Central API credentials (to push signals and receive bad IPs)
+      credentials_path: /etc/crowdsec/online_api_credentials.yaml
+    #credentials_path: /etc/crowdsec/online_api_credentials.yaml
+#    tls:
+#      cert_file: /etc/crowdsec/ssl/cert.pem
+#      key_file: /etc/crowdsec/ssl/key.pem
+prometheus:
+  enabled: {{ cs_prometheus_enabled }}
+  level: full
+  listen_addr: 0.0.0.0
+  listen_port: 6060

templates/email.yaml.j2

@@ -0,0 +1,37 @@
+type: email           # Don't change
+name: email_default   # Must match the registered plugin in the profile
+
+# One of "trace", "debug", "info", "warn", "error", "off"
+log_level: info
+
+# group_wait:         # Time to wait collecting alerts before relaying a message to this plugin, eg "30s"
+# group_threshold:    # Amount of alerts that triggers a message before <group_wait> has expired, eg "10"
+# max_retry:          # Number of attempts to relay messages to plugins in case of error
+timeout: 20s          # Time to wait for response from the plugin before considering the attempt a failure, eg "10s"
+
+#-------------------------
+# plugin-specific options
+
+# The following template receives a list of models.Alert objects
+# The output goes in the email message body
+format: | {{ "
+  {{range . -}}
+    {{$alert := . -}}
+    {{range .Decisions -}}
+      <html><body><p><a href=https://www.whois.com/whois/{{.Value}}>{{.Value}}</a> will get <b>{{.Type}}</b> for next <b>{{.Duration}}</b> for triggering <b>{{.Scenario}}</b> on machine <b>{{$alert.MachineID}}</b>.</p> <p><a href=https://www.shodan.io/host/{{.Value}}>Shodan</a></p></body></html>
+    {{end -}}
+  {{end -}}" }}
+
+smtp_host: "{{ email.host }}"
+smtp_username: "{{ email.username }}"
+smtp_password: "{{ email.password }}"
+smtp_port: {{ email.port }}
+auth_type: "{{ email.auth }}" # Valid choices are "none", "crammd5", "login", "plain"
+sender_name: "CrowdSec"
+sender_email: "{{ email.from }}"
+email_subject: "CrowdSec Notification"
+receiver_emails: {{ cs_receiver_emails | to_json() }}
+# - email1@gmail.com
+# - email2@gmail.com
+
+encryption_type: "{{ email.starttls }}" # One of "ssltls", "none"

templates/mywhitelists.yaml.j2

@@ -0,0 +1,8 @@
+name: crowdsecurity/whitelists
+description: "Whitelist events from my ip addresses"
+whitelist:
+  reason: "my ip ranges"
+  ip:
+    {{ cs_parsers_mywhitelists_ip }}
+  cidr:
+    {{ cs_parsers_mywhitelists_cidr }}

templates/profiles.yaml.j2

@@ -0,0 +1,15 @@
+name: default_ip_remediation
+#debug: true
+filters:
+ - Alert.Remediation == true && Alert.GetScope() == "Ip"
+decisions:
+ - type: ban
+   duration: {{ cs_ban_duration }}
+notifications:
+#   - slack_default  # Set the webhook in /etc/crowdsec/notifications/slack.yaml before enabling this.
+#   - splunk_default # Set the splunk url and token in /etc/crowdsec/notifications/splunk.yaml before enabling this.
+#   - http_default   # Set the required http parameters in /etc/crowdsec/notifications/http.yaml before enabling this.
+{% if len(cs_receiver_emails) > 0 %}
+  - email_default  # Set the required email parameters in /etc/crowdsec/notifications/email.yaml before enabling this.
+{% endif %}
+on_success: break