Refactor CrowdSec configuration: remove deprecated config.yaml, add local_api_server.yaml, and update docker-compose for new user database

authelia/users_database.yml

@@ -0,0 +1,23 @@
+# authelia/users_database.yml
+# User database for Authelia authentication
+# Passwords are hashed with argon2id algorithm
+# Use: authelia crypto hash generate argon2 --password 'your_password'
+
+users:
+  # Admin user with full access
+  admin:
+    displayname: "Administrator"
+    password: "$argon2id$v=19$m=65536,t=3,p=4$BpLnfgDsc2WD8F2q$o/vzA4myCqZZ36bUGsDY//8mKUYNZZaR0t1MF//X73A"  # password: admin123
+    email: admin@3launchpad.com
+    groups:
+      - admins
+      - users
+
+  # Developer user with dev and user access
+  developer:
+    displayname: "Developer"
+    password: "$argon2id$v=19$m=65536,t=3,p=4$BpLnfgDsc2WD8F2q$o/vzA4myCqZZ36bUGsDY//8mKUYNZZaR0t1MF//X73A"  # password: dev123
+    email: dev@3launchpad.com
+    groups:
+      - devs
+      - users

crowdsec/config.yaml

@@ -1,4 +0,0 @@
-# minimal override to expose LAPI to other containers
-api:
-  server:
-    listen_uri: 0.0.0.0:8080

crowdsec/local_api_server.yaml

@@ -0,0 +1,2 @@
+listen_uri: 0.0.0.0:8080
+profiles_path: /etc/crowdsec/profiles.yaml

docker-compose.yml

@@ -1,6 +1,3 @@
-# docker-compose.yml
-version: "3.9"
-
 ########################
 # Networks & Volumes
 ########################
@@ -51,6 +48,8 @@ services:
       - --entrypoints.web.http.redirections.entrypoint.to=websecure
       - --entrypoints.web.http.redirections.entrypoint.scheme=https
       - --entrypoints.websecure.address=:443
+      - --entrypoints.web.forwardedheaders.insecure=true
+      - --entrypoints.websecure.forwardedheaders.insecure=true
 
       # Dashboard/API (internal)
       - --api.dashboard=true
@@ -101,6 +100,9 @@ services:
       - traefik.http.middlewares.crowdsec.plugin.crowdsecbouncer.crowdseclapiurl=http://crowdsec:8080/
       - traefik.http.middlewares.crowdsec.plugin.crowdsecbouncer.crowdseclapikey=${CROWDSEC_BOUNCER_KEY}
       - traefik.http.middlewares.crowdsec.plugin.crowdsecbouncer.crowdsecmode=stream
+      - traefik.http.middlewares.crowdsec.forwardauth.address=http://traefik-bouncer:8080/api/v1/forwardAuth
+      - traefik.http.middlewares.crowdsec.forwardauth.trustForwardHeader=true
+      - traefik.http.middlewares.crowdsec.forwardauth.authRequestHeaders=X-Real-Ip,X-Forwarded-For
 
       # Traefik dashboard (protected)
       - traefik.http.routers.traefik.rule=Host(`traefik.gate.${DOMAIN}`)
@@ -182,8 +184,9 @@ services:
       - traefik.http.routers.authelia.rule=Host(`auth.gate.${DOMAIN}`)
       - traefik.http.routers.authelia.entrypoints=websecure
       - traefik.http.routers.authelia.tls.certresolver=le
-      - traefik.http.routers.authelia.middlewares=crowdsec,security-headers
+      - traefik.http.routers.authelia.middlewares=security-headers
-      - traefik.http.services.authelia.loadbalancer.server.port=9091
+      - traefik.http.routers.authelia.service=authelia-svc
+      - traefik.http.services.authelia-svc.loadbalancer.server.port=9091
 
   redis:
     image: redis:7-alpine
@@ -204,7 +207,7 @@ services:
       COLLECTIONS: "crowdsecurity/traefik crowdsecurity/linux"
     volumes:
       - crowdsec_data:/var/lib/crowdsec/data
-      - ./crowdsec/config.yaml:/etc/crowdsec/config.yaml:ro
+      - ./crowdsec/local_api_server.yaml:/etc/crowdsec/local_api_server.yaml:ro
       - ./crowdsec/acquis.yaml:/etc/crowdsec/acquis.yaml:ro
       - traefik_logs:/var/log/traefik:ro
     networks: [traefik_proxy]