From 8123f50e83b61b7a5998d336e053a795ae2c0acb Mon Sep 17 00:00:00 2001
From: Andrew Ying
Date: Sat, 25 Jan 2025 17:18:32 +0000
Subject: [PATCH] Add security engine role
---
 roles/security_engine/defaults/main.yml | 26 +++++++
 roles/security_engine/handlers/main.yml | 5 ++
 roles/security_engine/tasks/main.yml | 64 +++++++++++++++++
 .../security_engine/templates/acquis.yaml.j2 | 9 +++
 .../security_engine/templates/config.yaml.j2 | 70 +++++++++++++++++++
 .../templates/crowdsec.service.j2 | 19 +++++
 .../templates/notification.yaml.j2 | 4 ++
 .../templates/profiles.yaml.j2 | 12 ++++
 8 files changed, 209 insertions(+)
 create mode 100644 roles/security_engine/defaults/main.yml
 create mode 100644 roles/security_engine/handlers/main.yml
 create mode 100644 roles/security_engine/tasks/main.yml
 create mode 100644 roles/security_engine/templates/acquis.yaml.j2
 create mode 100644 roles/security_engine/templates/config.yaml.j2
 create mode 100644 roles/security_engine/templates/crowdsec.service.j2
 create mode 100644 roles/security_engine/templates/notification.yaml.j2
 create mode 100644 roles/security_engine/templates/profiles.yaml.j2
diff --git a/roles/security_engine/defaults/main.yml b/roles/security_engine/defaults/main.yml
new file mode 100644
index 0000000..5898ccc
--- /dev/null
+++ b/roles/security_engine/defaults/main.yml
@@ -0,0 +1,26 @@
+---
+crowdsec_version: ''
+crowdsec_log_dir: /var/log
+crowdsec_server: {}
+crowdsec_data_dir: /var/lib/crowdsec/data
+crowdsec_plugin_dir: /usr/local/lib/crowdsec/plugins
+crowdsec_simulation: false
+crowdsec_server_trusted_ips:
+ - 127.0.0.1
+ - ::1
+crowdsec_default_ip_remediation:
+ filters:
+ - Alert.Remediation == true && Alert.GetScope() == "Ip"
+ decisions:
+ - type: ban
+ duration: 4h
+ on_success: break
+crowdsec_default_range_remediation:
+ filters:
+ - Alert.Remediation == true && Alert.GetScope() == "Range"
+ decisions:
+ - type: ban
+ duration: 4h
+ on_success: break
+crowdsec_remediation: []
+crowdsec_notifications: []
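Review bot: `crowdsec_version: ''` is spliced directly into the apt package name in tasks/main.yml (`name: "crowdsec{{ crowdsec_version }}"`), so setting it to `1.6.4` yields the package name `crowdsec1.6.4` rather than a version pin; add a comment above it such as `# apt version suffix including the separator, e.g. '=1.6.4'; empty installs the newest candidate`. The two default profiles end with `on_success: break` and the `crowdsec_remediation` entries are rendered after them in profiles.yaml.j2, so a comment on `crowdsec_remediation` should state that custom profiles are only reached for alerts the defaults did not match. None of the other variables are documented either; a one-line comment per key (what `crowdsec_server` accepts, that `crowdsec_simulation: true` makes config.yaml reference a `/etc/crowdsec/simulation.yaml` this role never writes) would make the role usable without reading the templates.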
diff --git a/roles/security_engine/handlers/main.yml b/roles/security_engine/handlers/main.yml
new file mode 100644
index 0000000..fac7ee7
--- /dev/null
+++ b/roles/security_engine/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: Restart CrowdSec service
+ ansible.builtin.systemd_service:
+ name: crowdsec
+ state: restarted
diff --git a/roles/security_engine/tasks/main.yml b/roles/security_engine/tasks/main.yml
new file mode 100644
index 0000000..ab25c8e
--- /dev/null
+++ b/roles/security_engine/tasks/main.yml
@@ -0,0 +1,64 @@
+---
+- name: Setup security engine package
+ ansible.builtin.apt:
+ name: "crowdsec{{ crowdsec_version }}"
+ state: present
+ notify:
+ - Restart CrowdSec service
+
+- name: Setup configuration file
+ ansible.builtin.template:
+ src: config.yaml.j2
+ dest: /etc/crowdsec/config.yaml
+ user: root
+ group: root
+ mode: '0644'
+ notify:
+ - Restart CrowdSec service
+
+- name: Setup acquisition configuration file
+ ansible.builtin.template:
+ src: acquis.yaml.j2
+ dest: /etc/crowdsec/acquis.yaml
+ user: root
+ group: root
+ mode: '0644'
+ when:
+ - crowdsec_acquisition is defined
+ notify:
+ - Restart CrowdSec service
+
+- name: Setup profiles file
+ ansible.builtin.template:
+ src: profiles.yaml.j2
+ dest: /etc/crowdsec/profiles.yaml
+ user: root
+ group: root
+ mode: '0644'
+ notify:
+ - Restart CrowdSec service
+
+- name: "Setup {{ item.name }} notification configuration file"
+ ansible.builtin.template:
+ src: notification.yaml.j2
+ dest: "/etc/crowdsec/notifications/{{ item.name }}.yaml"
+ user: root
+ group: root
+ mode: '0644'
+ notify:
+ - Restart CrowdSec service
+ loop: "{{ crowdsec_notifications }}"
+
+- name: Setup service file
+ ansible.builtin.template:
+ src: crowdsec.service.j2
+ dest: /lib/systemd/system/crowdsec.service
+ user: root
+ group: root
+ mode: '0755'
+
+- name: Setup CrowdSec service
+ ansible.builtin.systemd_service:
+ name: crowdsec
+ state: started
+ enabled: true
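Review bot: The handler restarts the unit without `daemon_reload: true`, yet tasks/main.yml templates `/lib/systemd/system/crowdsec.service`, so a changed unit file would be restarted under the stale definition systemd already has loaded. Add `daemon_reload: true` beneath `state: restarted`; the service-file task in tasks/main.yml also needs a `notify` for this handler, which it currently lacks.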
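Review bot: Every `ansible.builtin.template` task in this file passes `user: root`, which is not a parameter of that module (ownership is set with `owner`), so argument validation should reject the first template task before anything is written; change each occurrence to `owner: root`. The notification files and, whenever `crowdsec_database` is defined, config.yaml can carry credentials (webhook URLs or tokens, a database password) yet are written `mode: '0644'`, readable by every local user; use `mode: '0600'` for `/etc/crowdsec/notifications/{{ item.name }}.yaml` and for `/etc/crowdsec/config.yaml`. The unit file is written `mode: '0755'`, an execute bit a systemd unit does not need (`mode: '0644'` is the conventional value), and that task has no `notify`, so a changed unit never reaches the restart handler.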
diff --git a/roles/security_engine/templates/acquis.yaml.j2 b/roles/security_engine/templates/acquis.yaml.j2
new file mode 100644
index 0000000..ec30bf9
--- /dev/null
+++ b/roles/security_engine/templates/acquis.yaml.j2
@@ -0,0 +1,9 @@
+#jinja2:lstrip_blocks: True
+# {{ ansible_managed }}
+
+{% for item in crowdsec_acquisition %}
+{% if not loop.first %}
+---
+{% endif %}
+{{ item | to_nice_yaml(indent=2) | trim }}
+{% endfor %}
diff --git a/roles/security_engine/templates/config.yaml.j2 b/roles/security_engine/templates/config.yaml.j2
new file mode 100644
index 0000000..b604810
--- /dev/null
+++ b/roles/security_engine/templates/config.yaml.j2
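Review bot: When `crowdsec_acquisition` is undefined this template is skipped and config.yaml.j2 also omits `acquisition_path`/`acquisition_dir`, so whatever acquisition file the package installed and anything in `acquis.d` stay on disk but are no longer referenced; unless CrowdSec falls back to another default, the engine then starts with no log sources, which is an easy way to deploy a detection engine that detects nothing. Either always render `acquisition_dir: /etc/crowdsec/acquis.d` in config.yaml.j2 or fail early in tasks/main.yml with an `ansible.builtin.assert` that `crowdsec_acquisition` is defined and non-empty. Each item is dumped verbatim with `to_nice_yaml` and nothing validates it; a header comment such as `# each entry must be a complete CrowdSec datasource mapping (source, paths and labels) — the role does not validate it` would save the next user a silent misparse.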
@@ -0,0 +1,70 @@
+#jinja2:lstrip_blocks: True
+# {{ ansible_managed }}
+
+common:
+ daemonize: {{ crowdsec_daemonize | default(true) }}
+ log_media: {{ crowdsec_log_media | default('file') }}
+ log_level: {{ crowdsec_log_level | default('info') }}
+ log_dir: {{ crowdsec_log_dir }}/
+ log_max_size: {{ crowdsec_log_max_size | default(20) }}
+ compress_logs: {{ crowdsec_log_compress | default(true) }}
+ log_max_files: {{ crowdsec_log_max_files | default(10) }}
+config_paths:
+ config_dir: /etc/crowdsec/
+ data_dir: {{ crowdsec_data_dir }}/
+ {% if crowdsec_simulation %}
+ simulation_path: /etc/crowdsec/simulation.yaml
+ {% endif %}
+ notification_dir: /etc/crowdsec/notifications/
+ plugin_dir: {{ crowdsec_plugin_dir }}/
+crowdsec_service:
+ {% if crowdsec_acquisition is defined %}
+ acquisition_path: /etc/crowdsec/acquis.yaml
+ acquisition_dir: /etc/crowdsec/acquis.d
+ {% endif %}
+ parser_routines: 1
+cscli:
+ output: {{ crowdsec_cli_output | default('human') }}
+ color: {{ crowdsec_cli_color | default('auto') }}
+{% if crowdsec_database is defined %}
+db_config:
+ {{ crowdsec_database | to_nice_yaml(indent=2) | trim | indent(2) }}
+{% else %}
+db_config:
+ log_level: info
+ type: sqlite
+ db_path: /var/lib/crowdsec/data/crowdsec.db
+ flush:
+ max_items: 5000
+ max_age: 7d
+{% endif %}
+plugin_config:
+ user: {{ crowdsec_plugin_user | default('nobody') }}
+ group: {{ crowdsec_plugin_group | default('nogroup') }}
+api:
+ client:
+ insecure_skip_verify: {{ crowdsec_client_insecure_skip_verify | default(false) }}
+ credentials_path: /etc/crowdsec/local_api_credentials.yaml
+ server:
+ log_level: {{ crowdsec_server['log_level'] if 'log_level' in crowdsec_server else 'info' }}
+ listen_uri: {{ crowdsec_server['listen_uri'] if 'listen_uri' in crowdsec_server else '127.0.0.1:8080' }}
+ profiles_path: /etc/crowdsec/profiles.yaml
+ {% if crowdsec_console is defined %}
+ console_path: /etc/crowdsec/console.yaml
+ {% endif %}
+ {% if crowdsec_online_api is defined %}
+ online_client:
+ credentials_path: /etc/crowdsec/online_api_credentials.yaml
+ {% endif %}
+ trusted_ips:
+ {{ crowdsec_server_trusted_ips | to_nice_yaml(indent=2) | trim | indent(6) }}
+ {% if 'ssl' in crowdsec_server %}
+ tls:
+ cert_file: {{ crowdsec_server['ssl']['cert_file'] }}
+ key_file: {{ crowdsec_server['ssl']['key_file'] }}
+ {% endif %}
+prometheus:
+ enabled: {{ crowdsec_prometheus_enabled | default(true) }}
+ level: {{ crowdsec_prometheus_level | default('full') }}
+ listen_addr: {{ crowdsec_prometheus_listen_addr | default('127.0.0.1') }}
+ listen_port: {{ crowdsec_prometheus_listen_port | default(6060) }}
diff --git a/roles/security_engine/templates/crowdsec.service.j2 b/roles/security_engine/templates/crowdsec.service.j2
new file mode 100644
index 0000000..290c025
--- /dev/null
+++ b/roles/security_engine/templates/crowdsec.service.j2
@@ -0,0 +1,19 @@
+# {{ ansible_managed }}
+
+[Unit]
+Description=CrowdSec agent
+After=syslog.target network.target remote-fs.target nss-lookup.target
+
+[Service]
+Type=notify
+Environment=LC_ALL=C LANG=C
+ExecStartPre=/usr/bin/crowdsec -c /etc/crowdsec/config.yaml -t -error
+ExecStart=/usr/bin/crowdsec -c /etc/crowdsec/config.yaml
+#ExecStartPost=/bin/sleep 0.1
+ExecReload=/usr/bin/crowdsec -c /etc/crowdsec/config.yaml -t -error
+ExecReload=/bin/kill -HUP $MAINPID
+Restart=always
+RestartSec=60
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/security_engine/templates/notification.yaml.j2 b/roles/security_engine/templates/notification.yaml.j2
new file mode 100644
index 0000000..9291aa4
--- /dev/null
+++ b/roles/security_engine/templates/notification.yaml.j2
@@ -0,0 +1,4 @@
+#jinja2:lstrip_blocks: True
+# {{ ansible_managed }}
+
+{{ item | to_nice_yaml(indent=2) | trim }}
diff --git a/roles/security_engine/templates/profiles.yaml.j2 b/roles/security_engine/templates/profiles.yaml.j2
new file mode 100644
index 0000000..c87f636
--- /dev/null
+++ b/roles/security_engine/templates/profiles.yaml.j2
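Review bot: `listen_uri` is taken verbatim from `crowdsec_server`, but the `tls:` block is only rendered when `crowdsec_server.ssl` is present, so a caller who binds the LAPI to a non-loopback address without `ssl` has bouncer API keys and machine credentials crossing the network in cleartext; add an `ansible.builtin.assert` in tasks/main.yml (or a Jinja guard here) requiring `'ssl' in crowdsec_server` whenever `listen_uri` is set to anything other than a loopback address. The `insecure_skip_verify` line deserves a comment, e.g. `# disables verification of the LAPI certificate for this agent; keep false outside test setups`. The user-supplied `crowdsec_database` mapping is dumped unfiltered into this file, which tasks/main.yml deploys world-readable; whether it carries a password depends on the caller, so the `db_config` branch should at least say so in a comment.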
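Review bot: The unit runs crowdsec as root with no sandboxing directives, which mirrors the upstream layout but leaves a compromised log parser with the whole filesystem writable; since the role already controls `crowdsec_log_dir`, `crowdsec_data_dir` and `crowdsec_plugin_dir`, it can template the usual hardening with the writable paths derived from those variables. Whether every acquisition source still works under `ProtectSystem=strict`, and whether plugins still drop to `plugin_config.user` under `NoNewPrivileges`, depends on the deployment, so confirm before enabling. `After=syslog.target` is an obsolete target on modern systemd and can be dropped from the `[Unit]` section.
```ini
[Service]
# … unchanged: Type, Environment, ExecStartPre, ExecStart, ExecReload …
Restart=always
RestartSec=60
# sandboxing; writable paths match the directories referenced from config.yaml.j2
NoNewPrivileges=true
PrivateTmp=true
ProtectHome=true
ProtectKernelTunables=true
ProtectControlGroups=true
ProtectSystem=strict
ReadWritePaths=/etc/crowdsec {{ crowdsec_data_dir }} {{ crowdsec_log_dir }}
```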
@@ -0,0 +1,12 @@
+#jinja2:lstrip_blocks: True
+# {{ ansible_managed }}
+
+name: default_ip_remediation
+{{ crowdsec_default_ip_remediation | to_nice_yaml(indent=2) | trim }}
+---
+name: default_range_remediation
+{{ crowdsec_default_range_remediation | to_nice_yaml(indent=2) | trim }}
+{% for item in crowdsec_remediation %}
+---
+{{ item | to_nice_yaml(indent=2) | trim }}
+{% endfor %}
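Review bot: Neither default profile carries a `notifications:` list and nothing wires `crowdsec_notifications` into any profile, so the notification configs that tasks/main.yml writes are never triggered unless the caller overrides the entire `crowdsec_default_*_remediation` dict; consider rendering `notifications: {{ crowdsec_notifications | map(attribute='name') | list }}` into both defaults, or at least document the coupling in a comment at the top of this template. The custom `crowdsec_remediation` profiles are appended after two defaults whose filters match every `Ip`- and `Range`-scoped alert with `Alert.Remediation == true` and which end with `on_success: break`, so, if CrowdSec stops at `break` as the name suggests, a custom profile for those scopes is unreachable; say so here, or add a variable that places custom profiles before the defaults.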