From 395a970304f111f1e5659653e004170f8ab35a86 Mon Sep 17 00:00:00 2001
From: Mohmmed Elfateh Sabry <59346303+elfateh4@users.noreply.github.com>
Date: Mon, 11 Aug 2025 02:10:34 +0300
Subject: [PATCH] Refactor CrowdSec configuration: remove deprecated config.yaml, add local_api_server.yaml, and update docker-compose for new user database

---
 authelia/users_database.yml | 23 +++++++++++++++++++++++
 crowdsec/config.yaml | 4 ----
 crowdsec/local_api_server.yaml | 2 ++
 docker-compose.yml | 15 +++++++++------
 4 files changed, 34 insertions(+), 10 deletions(-)
 create mode 100644 authelia/users_database.yml
 delete mode 100644 crowdsec/config.yaml
 create mode 100644 crowdsec/local_api_server.yaml

diff --git a/authelia/users_database.yml b/authelia/users_database.yml
new file mode 100644
index 0000000..156f4d2
--- /dev/null
+++ b/authelia/users_database.yml
@@ -0,0 +1,23 @@
+# authelia/users_database.yml
+# User database for Authelia authentication
+# Passwords are hashed with argon2id algorithm
+# Use: authelia crypto hash generate argon2 --password 'your_password'
+
+users:
+ # Admin user with full access
+ admin:
+ displayname: "Administrator"
+ password: "$argon2id$v=19$m=65536,t=3,p=4$BpLnfgDsc2WD8F2q$o/vzA4myCqZZ36bUGsDY//8mKUYNZZaR0t1MF//X73A" # password: admin123
+ email: admin@3launchpad.com
+ groups:
+ - admins
+ - users
+
+ # Developer user with dev and user access
+ developer:
+ displayname: "Developer"
+ password: "$argon2id$v=19$m=65536,t=3,p=4$BpLnfgDsc2WD8F2q$o/vzA4myCqZZ36bUGsDY//8mKUYNZZaR0t1MF//X73A" # password: dev123
+ email: dev@3launchpad.com
+ groups:
+ - devs
+ - users
\ No newline at end of file
diff --git a/crowdsec/config.yaml b/crowdsec/config.yaml
deleted file mode 100644
index c48a4c2..0000000
--- a/crowdsec/config.yaml
+++ /dev/null
@@ -1,4 +0,0 @@
-# minimal override to expose LAPI to other containers
-api:
- server:
- listen_uri: 0.0.0.0:8080
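Review bot: The two `password` entries in this hunk carry the same argon2id string, salt included, while the trailing comments claim different plaintexts (`# password: admin123`, `# password: dev123`); at least one comment is wrong, or both accounts share a single credential. Those comments also record the plaintext passwords in a file that is committed, which undoes the point of hashing them — drop the comments and generate a distinct hash per user with the command the header already cites (`authelia crypto hash generate argon2 --password '...'`). The file also ends without a trailing newline, as the `\ No newline at end of file` marker shows.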
diff --git a/crowdsec/local_api_server.yaml b/crowdsec/local_api_server.yaml
new file mode 100644
index 0000000..e282d0b
--- /dev/null
+++ b/crowdsec/local_api_server.yaml
@@ -0,0 +1,2 @@
+listen_uri: 0.0.0.0:8080
+profiles_path: /etc/crowdsec/profiles.yaml
\ No newline at end of file
diff --git a/docker-compose.yml b/docker-compose.yml
index 142dedd..a0702b4 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -1,6 +1,3 @@
-# docker-compose.yml
-version: "3.9"
-
 ########################
 # Networks & Volumes
 ########################
@@ -51,6 +48,8 @@ services:
 - --entrypoints.web.http.redirections.entrypoint.to=websecure
 - --entrypoints.web.http.redirections.entrypoint.scheme=https
 - --entrypoints.websecure.address=:443
+ - --entrypoints.web.forwardedheaders.insecure=true
+ - --entrypoints.websecure.forwardedheaders.insecure=true
 
 # Dashboard/API (internal)
 - --api.dashboard=true
@@ -101,6 +100,9 @@ services:
 - traefik.http.middlewares.crowdsec.plugin.crowdsecbouncer.crowdseclapiurl=http://crowdsec:8080/
 - traefik.http.middlewares.crowdsec.plugin.crowdsecbouncer.crowdseclapikey=${CROWDSEC_BOUNCER_KEY}
 - traefik.http.middlewares.crowdsec.plugin.crowdsecbouncer.crowdsecmode=stream
+ - traefik.http.middlewares.crowdsec.forwardauth.address=http://traefik-bouncer:8080/api/v1/forwardAuth
+ - traefik.http.middlewares.crowdsec.forwardauth.trustForwardHeader=true
+ - traefik.http.middlewares.crowdsec.forwardauth.authRequestHeaders=X-Real-Ip,X-Forwarded-For
 
 # Traefik dashboard (protected)
 - traefik.http.routers.traefik.rule=Host(`traefik.gate.${DOMAIN}`)
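Review bot: `listen_uri` and `profiles_path` are written here as top-level keys, whereas the `config.yaml` this commit deletes nested `listen_uri` under `api.server`; if CrowdSec is meant to merge this file into its configuration the nesting has to match, and nothing in the diff shows that the daemon reads a file at `/etc/crowdsec/local_api_server.yaml` at all (the same path is mounted in the docker-compose hunk at `-204,7`). Worth confirming against the CrowdSec image documentation which override file is honoured — as far as I know the documented mechanism is a `config.yaml.local` overlay that mirrors the structure of `config.yaml` — before relying on the LAPI actually listening on `0.0.0.0:8080`. The file also lacks a trailing newline.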
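Review bot: `--entrypoints.web.forwardedheaders.insecure=true` and its `websecure` twin make Traefik accept `X-Forwarded-For`/`X-Real-Ip` from every client rather than only from a trusted upstream proxy, so the client address that the `crowdsec` middleware in the `-101,6` hunk forwards via `authRequestHeaders=X-Real-Ip,X-Forwarded-For` (with `trustForwardHeader=true`) becomes client-supplied, and IP-based decisions are no longer trustworthy. Unless Traefik sits behind another proxy, drop these two flags; if it does, list that proxy's ranges instead, e.g. `--entrypoints.websecure.forwardedheaders.trustedIPs=<upstream-proxy-cidr>` (and the same for `web`). The enclosing `command:` list continues outside the hunk.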
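Review bot: The three added labels declare a `forwardauth` middleware under the same name `crowdsec` that the three context lines above already define as a `plugin.crowdsecbouncer` middleware; a Traefik middleware has exactly one type, so I would expect the dynamic configuration for that middleware to be rejected rather than produce both behaviours, leaving every router that references `crowdsec` without a bouncer. Give the forwardauth variant its own name, e.g. `traefik.http.middlewares.crowdsec-forwardauth.forwardauth.address=http://traefik-bouncer:8080/api/v1/forwardAuth`, and decide per router which of the two mechanisms applies. I also do not see a `traefik-bouncer` service in the visible hunks; confirm it is defined in the part of the compose file outside this diff. The labels list continues outside the hunk.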
@@ -182,8 +184,9 @@ services:
 - traefik.http.routers.authelia.rule=Host(`auth.gate.${DOMAIN}`)
 - traefik.http.routers.authelia.entrypoints=websecure
 - traefik.http.routers.authelia.tls.certresolver=le
- - traefik.http.routers.authelia.middlewares=crowdsec,security-headers
- - traefik.http.services.authelia.loadbalancer.server.port=9091
+ - traefik.http.routers.authelia.middlewares=security-headers
+ - traefik.http.routers.authelia.service=authelia-svc
+ - traefik.http.services.authelia-svc.loadbalancer.server.port=9091
 
 redis:
 image: redis:7-alpine
@@ -204,7 +207,7 @@ services:
 COLLECTIONS: "crowdsecurity/traefik crowdsecurity/linux"
 volumes:
 - crowdsec_data:/var/lib/crowdsec/data
- - ./crowdsec/config.yaml:/etc/crowdsec/config.yaml:ro
+ - ./crowdsec/local_api_server.yaml:/etc/crowdsec/local_api_server.yaml:ro
 - ./crowdsec/acquis.yaml:/etc/crowdsec/acquis.yaml:ro
 - traefik_logs:/var/log/traefik:ro
 networks: [traefik_proxy]
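Review bot: The `authelia` router drops the `crowdsec` middleware (`middlewares=crowdsec,security-headers` becomes `middlewares=security-headers`), so the authentication portal at `auth.gate.${DOMAIN}` — the endpoint most directly exposed to credential guessing — is no longer covered by the bouncer, while other routers presumably still are. If this is a workaround for the `crowdsec` middleware being defined with two types in the `-101,6` hunk, restore the label once that is resolved: `- traefik.http.routers.authelia.middlewares=crowdsec,security-headers`. The `authelia-svc` service rename with the explicit `routers.authelia.service` label looks consistent. The labels list continues outside the hunk.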