Refactor Traefik and CrowdSec integration: remove CrowdSec configurations and update middleware settings for enhanced access control

.env.example

@@ -9,12 +9,6 @@ TZ=Your/Timezone
 # Your email address for Let's Encrypt certificate notifications
 ACME_EMAIL=admin@your-domain.com
 
-
-## CrowdSec
-# Generate with: docker exec -it crowdsec cscli bouncers add traefik-bouncer
-# Use a long random string (64+ characters recommended)
-CROWDSEC_BOUNCER_KEY=your_long_random_bouncer_key_here
-
 ## Umami (PostgreSQL)
 # Database user for Umami analytics
 UMAMI_DB_USER=umami

authelia/configuration.yml

@@ -46,23 +46,28 @@ authentication_backend:
 access_control:
   default_policy: deny
   rules:
-    - domain: "auth.gate.3launchpad.com"
-      policy: bypass
-      
     - domain: "status.gate.3launchpad.com"
       policy: bypass
 
     - domain: "traefik.gate.3launchpad.com"
-      policy: bypass
+      subject: ["group:admins"]
+      policy: two_factor
 
     - domain: "portainer.gate.3launchpad.com"
-      policy: bypass
+      subject: ["group:admins"]
+      policy: two_factor
 
     - domain_regex: "(grafana|prometheus|umami)\\.gate\\.3launchpad\\.com"
-      policy: bypass
+      subject:
+        - "group:admins"
+        - "group:devs"
+      policy: one_factor
 
     - domain: "*.gate.3launchpad.com"
-      policy: bypass
+      subject:
+        - "group:users"
+        - "group:admins"
+        - "group:devs"
       policy: one_factor
 
 #########################################################

crowdsec/acquis.yaml

@@ -1,4 +0,0 @@
-filenames:
-  - /var/log/traefik/access.log
-labels:
-  type: traefik

crowdsec/local_api_server.yaml

@@ -1,2 +0,0 @@
-listen_uri: 0.0.0.0:8080
-profiles_path: /etc/crowdsec/profiles.yaml

docker-compose.yml

@@ -15,7 +15,6 @@ volumes:
   portainer_data:
   umami_db_data:
   authelia_data:
-  crowdsec_data:
   prometheus_data:
   grafana_data:
   uptime_kuma_data:
@@ -26,7 +25,7 @@ volumes:
 services:
 
   ## ─────────────────────────────────────────────
-  ## Traefik — edge router + ACME (HTTP-01) + CrowdSec plugin
+  ## Traefik — edge router + ACME (HTTP-01)
   ## ─────────────────────────────────────────────
   traefik:
     image: traefik:v3.1
@@ -70,10 +69,6 @@ services:
       - --accesslog.filepath=/var/log/traefik/access.log
       - --accesslog.bufferingsize=100
       - --log.level=INFO
-
-      # CrowdSec Traefik plugin (recommended vs sidecar)
-      - --experimental.plugins.crowdsecbouncer.moduleName=github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin
-      - --experimental.plugins.crowdsecbouncer.version=v1.4.4
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock:ro
       - traefik_letsencrypt:/letsencrypt
@@ -95,18 +90,12 @@ services:
       - traefik.http.middlewares.authelia.forwardauth.trustForwardHeader=true
       - traefik.http.middlewares.authelia.forwardauth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email
 
-      # CrowdSec plugin middleware (reusable)
-      - traefik.http.middlewares.crowdsec-plugin.plugin.crowdsecbouncer.enabled=true
-      - traefik.http.middlewares.crowdsec-plugin.plugin.crowdsecbouncer.crowdseclapiurl=http://crowdsec:8080/
-      - traefik.http.middlewares.crowdsec-plugin.plugin.crowdsecbouncer.crowdseclapikey=${CROWDSEC_BOUNCER_KEY}
-      - traefik.http.middlewares.crowdsec-plugin.plugin.crowdsecbouncer.crowdsecmode=stream
-
       # Traefik dashboard (protected)
       - traefik.http.routers.traefik.rule=Host(`traefik.gate.${DOMAIN}`)
       - traefik.http.routers.traefik.entrypoints=websecure
       - traefik.http.routers.traefik.tls.certresolver=le
       - traefik.http.routers.traefik.service=api@internal
-      - traefik.http.routers.traefik.middlewares=crowdsec-plugin,security-headers
+      - traefik.http.routers.traefik.middlewares=authelia,security-headers
 
   ## ─────────────────────────────────────────────
   ## Portainer — Docker control plane
@@ -124,7 +113,7 @@ services:
       - traefik.http.routers.portainer.rule=Host(`portainer.gate.${DOMAIN}`)
       - traefik.http.routers.portainer.entrypoints=websecure
       - traefik.http.routers.portainer.tls.certresolver=le
-      - traefik.http.routers.portainer.middlewares=crowdsec-plugin,authelia,security-headers
+      - traefik.http.routers.portainer.middlewares=authelia,security-headers
       - traefik.http.services.portainer.loadbalancer.server.port=9000
 
   ## ─────────────────────────────────────────────
@@ -159,7 +148,7 @@ services:
       - traefik.http.routers.umami.rule=Host(`umami.gate.${DOMAIN}`)
       - traefik.http.routers.umami.entrypoints=websecure
       - traefik.http.routers.umami.tls.certresolver=le
-      - traefik.http.routers.umami.middlewares=crowdsec-plugin,authelia,security-headers
+      - traefik.http.routers.umami.middlewares=authelia,security-headers
       - traefik.http.services.umami.loadbalancer.server.port=3000
 
   ## ─────────────────────────────────────────────
@@ -174,7 +163,6 @@ services:
       TZ: "${TZ}"
     volumes:
       - ./authelia/configuration.yml:/config/configuration.yml:ro
-      - ./authelia/users_database.yml:/config/users_database.yml:ro
       - authelia_data:/config
     networks: [traefik_proxy, internal]
     labels:
@@ -192,33 +180,6 @@ services:
     restart: unless-stopped
     networks: [internal]
 
-  ## ─────────────────────────────────────────────
-  ## CrowdSec (LAPI) — with Traefik plugin
-  ## ─────────────────────────────────────────────
-  crowdsec:
-    image: crowdsecurity/crowdsec:latest
-    container_name: crowdsec
-    restart: unless-stopped
-    environment:
-      TZ: "${TZ}"
-      GID: "0"
-      COLLECTIONS: "crowdsecurity/traefik crowdsecurity/linux"
-    volumes:
-      - crowdsec_data:/var/lib/crowdsec/data
-      - ./crowdsec/local_api_server.yaml:/etc/crowdsec/local_api_server.yaml:ro
-      - ./crowdsec/acquis.yaml:/etc/crowdsec/acquis.yaml:ro
-      - traefik_logs:/var/log/traefik:ro
-    networks: [traefik_proxy]
-
-  # Auto-register the API key used by the Traefik plugin
-  crowdsec-init:
-    image: crowdsecurity/crowdsec:latest
-    container_name: crowdsec-init
-    depends_on: [crowdsec]
-    entrypoint: sh -c "cscli bouncers add traefik-bouncer -k ${CROWDSEC_BOUNCER_KEY} || true && sleep 2"
-    networks: [traefik_proxy]
-    restart: "no"
-
   ## ─────────────────────────────────────────────
   ## Uptime Kuma — status page / checks
   ## ─────────────────────────────────────────────
@@ -234,7 +195,7 @@ services:
       - traefik.http.routers.kuma.rule=Host(`status.gate.${DOMAIN}`)
       - traefik.http.routers.kuma.entrypoints=websecure
       - traefik.http.routers.kuma.tls.certresolver=le
-      - traefik.http.routers.kuma.middlewares=crowdsec-plugin,authelia,security-headers
+      - traefik.http.routers.kuma.middlewares=authelia,security-headers
       - traefik.http.services.kuma.loadbalancer.server.port=3001
 
   ## ─────────────────────────────────────────────
@@ -253,7 +214,7 @@ services:
       - traefik.http.routers.prom.rule=Host(`prometheus.gate.${DOMAIN}`)
       - traefik.http.routers.prom.entrypoints=websecure
       - traefik.http.routers.prom.tls.certresolver=le
-      - traefik.http.routers.prom.middlewares=crowdsec-plugin,authelia,security-headers
+      - traefik.http.routers.prom.middlewares=authelia,security-headers
       - traefik.http.services.prom.loadbalancer.server.port=9090
 
   cadvisor:
@@ -298,5 +259,5 @@ services:
       - traefik.http.routers.grafana.rule=Host(`grafana.gate.${DOMAIN}`)
       - traefik.http.routers.grafana.entrypoints=websecure
       - traefik.http.routers.grafana.tls.certresolver=le
-      - traefik.http.routers.grafana.middlewares=crowdsec-plugin,authelia,security-headers
+      - traefik.http.routers.grafana.middlewares=authelia,security-headers
       - traefik.http.services.grafana.loadbalancer.server.port=3000