diff --git a/.env.example b/.env.example index ce8aede..862c37a 100644 --- a/.env.example +++ b/.env.example @@ -9,12 +9,6 @@ TZ=Your/Timezone # Your email address for Let's Encrypt certificate notifications ACME_EMAIL=admin@your-domain.com - -## CrowdSec -# Generate with: docker exec -it crowdsec cscli bouncers add traefik-bouncer -# Use a long random string (64+ characters recommended) -CROWDSEC_BOUNCER_KEY=your_long_random_bouncer_key_here - ## Umami (PostgreSQL) # Database user for Umami analytics UMAMI_DB_USER=umami diff --git a/authelia/configuration.yml b/authelia/configuration.yml index d3693f5..31d760f 100644 --- a/authelia/configuration.yml +++ b/authelia/configuration.yml @@ -46,23 +46,28 @@ authentication_backend: access_control: default_policy: deny rules: - - domain: "auth.gate.3launchpad.com" - policy: bypass - - domain: "status.gate.3launchpad.com" policy: bypass - domain: "traefik.gate.3launchpad.com" - policy: bypass + subject: ["group:admins"] + policy: two_factor - domain: "portainer.gate.3launchpad.com" - policy: bypass + subject: ["group:admins"] + policy: two_factor - domain_regex: "(grafana|prometheus|umami)\\.gate\\.3launchpad\\.com" - policy: bypass + subject: + - "group:admins" + - "group:devs" + policy: one_factor - domain: "*.gate.3launchpad.com" - policy: bypass + subject: + - "group:users" + - "group:admins" + - "group:devs" policy: one_factor ######################################################### diff --git a/crowdsec/acquis.yaml b/crowdsec/acquis.yaml deleted file mode 100644 index f023943..0000000 --- a/crowdsec/acquis.yaml +++ /dev/null @@ -1,4 +0,0 @@ -filenames: - - /var/log/traefik/access.log -labels: - type: traefik diff --git a/crowdsec/local_api_server.yaml b/crowdsec/local_api_server.yaml deleted file mode 100644 index e282d0b..0000000 --- a/crowdsec/local_api_server.yaml +++ /dev/null @@ -1,2 +0,0 @@ -listen_uri: 0.0.0.0:8080 -profiles_path: /etc/crowdsec/profiles.yaml \ No newline at end of file 
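Review bot: On the new side of the authelia/configuration.yml hunk the `rules:` list appears to start with an orphaned `policy: bypass` — the `- domain: "status.gate.3launchpad.com"` line carries the same `-` marker as the removed auth.gate entry above it, while its `policy: bypass` stays as context, so `rules:` would hold a stray mapping key before the first `- domain:` item and the file would most likely fail to parse when Authelia starts; because the hunk is collapsed onto one line, confirm this against the raw patch. If the status page is meant to stay public, restore `- domain: "status.gate.3launchpad.com"` directly above that `policy: bypass`; if it is meant to be gated, drop the stray `policy: bypass` too and the `*.gate.3launchpad.com` rule covers it with `one_factor`. The bypass for `auth.gate.3launchpad.com` is also removed, and with `default_policy: deny` that is only safe if the Authelia router itself does not sit behind the `authelia` forwardauth middleware — that router's labels are outside this diff, so either confirm it or keep the rule. The new `subject: ["group:admins"]` / `policy: two_factor` entries for traefik and portainer also rely on those group names matching the users database exactly, which this hunk does not show.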
diff --git a/docker-compose.yml b/docker-compose.yml index 1ef0924..9c05f3d 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -15,7 +15,6 @@ volumes: portainer_data: umami_db_data: authelia_data: - crowdsec_data: prometheus_data: grafana_data: uptime_kuma_data: @@ -26,7 +25,7 @@ volumes: services: ## ───────────────────────────────────────────── - ## Traefik — edge router + ACME (HTTP-01) + CrowdSec plugin + ## Traefik — edge router + ACME (HTTP-01) ## ───────────────────────────────────────────── traefik: image: traefik:v3.1 @@ -70,10 +69,6 @@ services: - --accesslog.filepath=/var/log/traefik/access.log - --accesslog.bufferingsize=100 - --log.level=INFO - - # CrowdSec Traefik plugin (recommended vs sidecar) - - --experimental.plugins.crowdsecbouncer.moduleName=github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin - - --experimental.plugins.crowdsecbouncer.version=v1.4.4 volumes: - /var/run/docker.sock:/var/run/docker.sock:ro - traefik_letsencrypt:/letsencrypt 
@@ -95,18 +90,12 @@ services: - traefik.http.middlewares.authelia.forwardauth.trustForwardHeader=true - traefik.http.middlewares.authelia.forwardauth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email - # CrowdSec plugin middleware (reusable) - - traefik.http.middlewares.crowdsec-plugin.plugin.crowdsecbouncer.enabled=true - - traefik.http.middlewares.crowdsec-plugin.plugin.crowdsecbouncer.crowdseclapiurl=http://crowdsec:8080/ - - traefik.http.middlewares.crowdsec-plugin.plugin.crowdsecbouncer.crowdseclapikey=${CROWDSEC_BOUNCER_KEY} - - traefik.http.middlewares.crowdsec-plugin.plugin.crowdsecbouncer.crowdsecmode=stream - # Traefik dashboard (protected) - traefik.http.routers.traefik.rule=Host(`traefik.gate.${DOMAIN}`) - traefik.http.routers.traefik.entrypoints=websecure - traefik.http.routers.traefik.tls.certresolver=le - traefik.http.routers.traefik.service=api@internal - - traefik.http.routers.traefik.middlewares=crowdsec-plugin,security-headers + - traefik.http.routers.traefik.middlewares=authelia,security-headers ## ───────────────────────────────────────────── ## Portainer — Docker control plane @@ -124,7 +113,7 @@ services: - traefik.http.routers.portainer.rule=Host(`portainer.gate.${DOMAIN}`) - traefik.http.routers.portainer.entrypoints=websecure - traefik.http.routers.portainer.tls.certresolver=le - - traefik.http.routers.portainer.middlewares=crowdsec-plugin,authelia,security-headers + - traefik.http.routers.portainer.middlewares=authelia,security-headers - traefik.http.services.portainer.loadbalancer.server.port=9000 ## ───────────────────────────────────────────── 
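Review bot: Dropping `crowdsec-plugin` from the dashboard router here (and from the portainer, umami, kuma, prom and grafana routers in the following hunks) leaves Authelia's login endpoint as the only control between the internet and these services, with no edge-level throttling or IP banning left anywhere in the stack. That is defensible only if `regulation` (max_retries, find_time, ban_time) is set in authelia/configuration.yml, which this diff does not show; a Traefik rate-limit middleware would give a cheap edge control back, e.g. `- traefik.http.middlewares.login-ratelimit.ratelimit.average=20`, `- traefik.http.middlewares.login-ratelimit.ratelimit.burst=40` and `- traefik.http.routers.traefik.middlewares=login-ratelimit,authelia,security-headers`, applied to the same chains. Putting `authelia` in front of `api@internal` is the right direction, since the old chain had no authentication at all on the dashboard. The traefik service's `labels:` list begins outside this hunk, so the forwardauth address and `trustForwardHeader` settings it relies on were not reviewed.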
@@ -159,7 +148,7 @@ services: - traefik.http.routers.umami.rule=Host(`umami.gate.${DOMAIN}`) - traefik.http.routers.umami.entrypoints=websecure - traefik.http.routers.umami.tls.certresolver=le - - traefik.http.routers.umami.middlewares=crowdsec-plugin,authelia,security-headers + - traefik.http.routers.umami.middlewares=authelia,security-headers - traefik.http.services.umami.loadbalancer.server.port=3000 ## ───────────────────────────────────────────── @@ -174,7 +163,6 @@ services: TZ: "${TZ}" volumes: - ./authelia/configuration.yml:/config/configuration.yml:ro - - ./authelia/users_database.yml:/config/users_database.yml:ro - authelia_data:/config networks: [traefik_proxy, internal] labels: @@ -192,33 +180,6 @@ services: restart: unless-stopped networks: [internal] - ## ───────────────────────────────────────────── - ## CrowdSec (LAPI) — with Traefik plugin - ## ───────────────────────────────────────────── - crowdsec: - image: crowdsecurity/crowdsec:latest - container_name: crowdsec - restart: unless-stopped - environment: - TZ: "${TZ}" - GID: "0" - COLLECTIONS: "crowdsecurity/traefik crowdsecurity/linux" - volumes: - - crowdsec_data:/var/lib/crowdsec/data - - ./crowdsec/local_api_server.yaml:/etc/crowdsec/local_api_server.yaml:ro - - ./crowdsec/acquis.yaml:/etc/crowdsec/acquis.yaml:ro - - traefik_logs:/var/log/traefik:ro - networks: [traefik_proxy] - - # Auto-register the API key used by the Traefik plugin - crowdsec-init: - image: crowdsecurity/crowdsec:latest - container_name: crowdsec-init - depends_on: [crowdsec] - entrypoint: sh -c "cscli bouncers add traefik-bouncer -k ${CROWDSEC_BOUNCER_KEY} || true && sleep 2" - networks: [traefik_proxy] - restart: "no" - ## ───────────────────────────────────────────── ## Uptime Kuma — status page / checks ## ───────────────────────────────────────────── 
@@ -234,7 +195,7 @@ services: - traefik.http.routers.kuma.rule=Host(`status.gate.${DOMAIN}`) - traefik.http.routers.kuma.entrypoints=websecure - traefik.http.routers.kuma.tls.certresolver=le - - traefik.http.routers.kuma.middlewares=crowdsec-plugin,authelia,security-headers + - traefik.http.routers.kuma.middlewares=authelia,security-headers - traefik.http.services.kuma.loadbalancer.server.port=3001 ## ───────────────────────────────────────────── @@ -253,7 +214,7 @@ services: - traefik.http.routers.prom.rule=Host(`prometheus.gate.${DOMAIN}`) - traefik.http.routers.prom.entrypoints=websecure - traefik.http.routers.prom.tls.certresolver=le - - traefik.http.routers.prom.middlewares=crowdsec-plugin,authelia,security-headers + - traefik.http.routers.prom.middlewares=authelia,security-headers - traefik.http.services.prom.loadbalancer.server.port=9090 cadvisor: @@ -298,5 +259,5 @@ services: - traefik.http.routers.grafana.rule=Host(`grafana.gate.${DOMAIN}`) - traefik.http.routers.grafana.entrypoints=websecure - traefik.http.routers.grafana.tls.certresolver=le - - traefik.http.routers.grafana.middlewares=crowdsec-plugin,authelia,security-headers + - traefik.http.routers.grafana.middlewares=authelia,security-headers - traefik.http.services.grafana.loadbalancer.server.port=3000