Add security engine role

2025-01-25 17:18:32 +00:00 · 2025-01-25 17:18:32 +00:00 · 8123f50e83
commit 8123f50e83
parent 938e6664ba
8 changed files with 209 additions and 0 deletions
--- a/roles/security_engine/defaults/main.yml
+++ b/roles/security_engine/defaults/main.yml
@ -0,0 +1,26 @@
 ---
 crowdsec_version: ''
 crowdsec_log_dir: /var/log
 crowdsec_server: {}
 crowdsec_data_dir: /var/lib/crowdsec/data
 crowdsec_plugin_dir: /usr/local/lib/crowdsec/plugins
 crowdsec_simulation: false
 crowdsec_server_trusted_ips:
  - 127.0.0.1
  - ::1
 crowdsec_default_ip_remediation:
  filters:
    - Alert.Remediation == true && Alert.GetScope() == "Ip"
  decisions:
    - type: ban
      duration: 4h
  on_success: break
 crowdsec_default_range_remediation:
  filters:
    - Alert.Remediation == true && Alert.GetScope() == "Range"
  decisions:
    - type: ban
      duration: 4h
  on_success: break
 crowdsec_remediation: []
 crowdsec_notifications: []
--- a/roles/security_engine/handlers/main.yml
+++ b/roles/security_engine/handlers/main.yml
@ -0,0 +1,5 @@
 ---
 - name: Restart CrowdSec service
  ansible.builtin.systemd_service:
    name: crowdsec
    state: restarted
--- a/roles/security_engine/tasks/main.yml
+++ b/roles/security_engine/tasks/main.yml
@ -0,0 +1,64 @@
 ---
 - name: Setup security engine package
  ansible.builtin.apt:
    name: "crowdsec{{ crowdsec_version }}"
    state: present
  notify:
    - Restart CrowdSec service
 - name: Setup configuration file
  ansible.builtin.template:
    src: config.yaml.j2
    dest: /etc/crowdsec/config.yaml
    user: root
    group: root
    mode: '0644'
  notify:
    - Restart CrowdSec service
 - name: Setup acquisition configuration file
  ansible.builtin.template:
    src: acquis.yaml.j2
    dest: /etc/crowdsec/acquis.yaml
    user: root
    group: root
    mode: '0644'
  when:
    - crowdsec_acquisition is defined
  notify:
    - Restart CrowdSec service
 - name: Setup profiles file
  ansible.builtin.template:
    src: profiles.yaml.j2
    dest: /etc/crowdsec/profiles.yaml
    user: root
    group: root
    mode: '0644'
  notify:
    - Restart CrowdSec service
 - name: "Setup {{ item.name }} notification configuration file"
  ansible.builtin.template:
    src: notification.yaml.j2
    dest: "/etc/crowdsec/notifications/{{ item.name }}.yaml"
    user: root
    group: root
    mode: '0644'
  notify:
    - Restart CrowdSec service
  loop: "{{ crowdsec_notifications }}"
 - name: Setup service file
  ansible.builtin.template:
    src: crowdsec.service.j2
    dest: /lib/systemd/system/crowdsec.service
    user: root
    group: root
    mode: '0755'
 - name: Setup CrowdSec service
  ansible.builtin.systemd_service:
    name: crowdsec
    state: started
    enabled: true
--- a/roles/security_engine/templates/acquis.yaml.j2
+++ b/roles/security_engine/templates/acquis.yaml.j2
@ -0,0 +1,9 @@
 #jinja2:lstrip_blocks: True
 # {{ ansible_managed }}
 {% for item in crowdsec_acquisition %}
 {% if not loop.first %}
 ---
 {% endif %}
 {{ item | to_nice_yaml(indent=2) | trim }}
 {% endfor %}
--- a/roles/security_engine/templates/config.yaml.j2
+++ b/roles/security_engine/templates/config.yaml.j2
@ -0,0 +1,70 @@
 #jinja2:lstrip_blocks: True
 # {{ ansible_managed }}
 common:
  daemonize: {{ crowdsec_daemonize | default(true) }}
  log_media: {{ crowdsec_log_media | default('file') }}
  log_level: {{ crowdsec_log_level | default('info') }}
  log_dir: {{ crowdsec_log_dir }}/
  log_max_size: {{ crowdsec_log_max_size | default(20) }}
  compress_logs: {{ crowdsec_log_compress | default(true) }}
  log_max_files: {{ crowdsec_log_max_files | default(10) }}
 config_paths:
  config_dir: /etc/crowdsec/
  data_dir: {{ crowdsec_data_dir }}/
  {% if crowdsec_simulation %}
  simulation_path: /etc/crowdsec/simulation.yaml
  {% endif %}
  notification_dir: /etc/crowdsec/notifications/
  plugin_dir: {{ crowdsec_plugin_dir }}/
 crowdsec_service:
  {% if crowdsec_acquisition is defined %}
  acquisition_path: /etc/crowdsec/acquis.yaml
  acquisition_dir: /etc/crowdsec/acquis.d
  {% endif %}
  parser_routines: 1
 cscli:
  output: {{ crowdsec_cli_output | default('human') }}
  color: {{ crowdsec_cli_color | default('auto') }}
 {% if crowdsec_database is defined %}
 db_config:
  {{ crowdsec_database | to_nice_yaml(indent=2) | trim | indent(2) }}
 {% else %}
 db_config:
  log_level: info
  type: sqlite
  db_path: /var/lib/crowdsec/data/crowdsec.db
  flush:
    max_items: 5000
    max_age: 7d
 {% endif %}
 plugin_config:
  user: {{ crowdsec_plugin_user | default('nobody') }}
  group: {{ crowdsec_plugin_group | default('nogroup') }}
 api:
  client:
    insecure_skip_verify: {{ crowdsec_client_insecure_skip_verify | default(false) }}
    credentials_path: /etc/crowdsec/local_api_credentials.yaml
  server:
    log_level: {{ crowdsec_server['log_level'] if 'log_level' in crowdsec_server else 'info' }}
    listen_uri: {{ crowdsec_server['listen_uri'] if 'listen_uri' in crowdsec_server else '127.0.0.1:8080' }}
    profiles_path: /etc/crowdsec/profiles.yaml
    {% if crowdsec_console is defined %}
    console_path: /etc/crowdsec/console.yaml
    {% endif %}
    {% if crowdsec_online_api is defined %}
    online_client:
      credentials_path: /etc/crowdsec/online_api_credentials.yaml
    {% endif %}
    trusted_ips:
      {{ crowdsec_server_trusted_ips | to_nice_yaml(indent=2) | trim | indent(6) }}
    {% if 'ssl' in crowdsec_server %}
    tls:
      cert_file: {{ crowdsec_server['ssl']['cert_file'] }}
      key_file: {{ crowdsec_server['ssl']['key_file'] }}
    {% endif %}
 prometheus:
  enabled: {{ crowdsec_prometheus_enabled | default(true) }}
  level: {{ crowdsec_prometheus_level | default('full') }}
  listen_addr: {{ crowdsec_prometheus_listen_addr | default('127.0.0.1') }}
  listen_port: {{ crowdsec_prometheus_listen_port | default(6060) }}
--- a/roles/security_engine/templates/crowdsec.service.j2
+++ b/roles/security_engine/templates/crowdsec.service.j2
@ -0,0 +1,19 @@
 # {{ ansible_managed }}
 [Unit]
 Description=CrowdSec agent
 After=syslog.target network.target remote-fs.target nss-lookup.target
 [Service]
 Type=notify
 Environment=LC_ALL=C LANG=C
 ExecStartPre=/usr/bin/crowdsec -c /etc/crowdsec/config.yaml -t -error
 ExecStart=/usr/bin/crowdsec -c /etc/crowdsec/config.yaml
 #ExecStartPost=/bin/sleep 0.1
 ExecReload=/usr/bin/crowdsec -c /etc/crowdsec/config.yaml -t -error
 ExecReload=/bin/kill -HUP $MAINPID
 Restart=always
 RestartSec=60
 [Install]
 WantedBy=multi-user.target
--- a/roles/security_engine/templates/notification.yaml.j2
+++ b/roles/security_engine/templates/notification.yaml.j2
@ -0,0 +1,4 @@
 #jinja2:lstrip_blocks: True
 # {{ ansible_managed }}
 {{ item | to_nice_yaml(indent=2) | trim }}
--- a/roles/security_engine/templates/profiles.yaml.j2
+++ b/roles/security_engine/templates/profiles.yaml.j2
@ -0,0 +1,12 @@
 #jinja2:lstrip_blocks: True
 # {{ ansible_managed }}
 name: default_ip_remediation
 {{ crowdsec_default_ip_remediation | to_nice_yaml(indent=2) | trim }}
 ---
 name: default_range_remediation
 {{ crowdsec_default_range_remediation | to_nice_yaml(indent=2) | trim }}
 {% for item in crowdsec_remediation %}
 ---
 {{ item | to_nice_yaml(indent=2) | trim }}
 {% endfor %}