diff --git a/.gitignore b/.gitignore index deba0c9..f635f65 100644 --- a/.gitignore +++ b/.gitignore @@ -1,5 +1,6 @@ .idea/ .DS_Store +./config/ conf db logs diff --git a/Makefile b/Makefile index 0f7ad8f..68a10ca 100644 --- a/Makefile +++ b/Makefile @@ -34,6 +34,9 @@ run_cacheredis: run_trustedips: docker-compose -f exemples/trusted-ips/docker-compose.trusted.yml up -d --remove-orphans +run_binaryvm: + cd exemples/binary-vm/ && sudo vagrant up + run_tlsauth: docker-compose -f exemples/tls-auth/docker-compose.tls-auth.yml down && docker-compose -f exemples/tls-auth/docker-compose.tls-auth.yml up -d && docker-compose -f exemples/tls-auth/docker-compose.tls-auth.yml restart && docker-compose -f exemples/tls-auth/docker-compose.tls-auth.yml logs -f @@ -78,6 +81,10 @@ clean_all_docker: docker-compose -f docker-compose.local.yml down --remove-orphans docker-compose -f docker-compose.yml down --remove-orphans +clean_vagrant: + cd exemples/binary-vm/ && sudo vagrant destroy -f + + show_metrics: docker exec crowdsec cscli metrics diff --git a/README.md b/README.md index 1253867..0f1b101 100644 --- a/README.md +++ b/README.md @@ -387,6 +387,15 @@ To play the demo environment run: make run_trustedips ``` +4. Using Crowdsec and Traefik installed as binary in a single VM + +Please see details in `exemples/binary-vm/README.md` + +To play the demo environment run: +```bash +make run_binaryvm +``` + 5. Using https communication and tls authentication with Crowdsec ##### Summary diff --git a/exemples/binary-vm/.gitignore b/exemples/binary-vm/.gitignore new file mode 100644 index 0000000..a977916 --- /dev/null +++ b/exemples/binary-vm/.gitignore @@ -0,0 +1 @@ +.vagrant/ diff --git a/exemples/binary-vm/README.md b/exemples/binary-vm/README.md new file mode 100644 index 0000000..17bc02f --- /dev/null +++ b/exemples/binary-vm/README.md @@ -0,0 +1,60 @@ +### Install vagrant + +##### On linux + +```bash +curl -fsSL https://apt.releases.hashicorp.com/gpg | sudo tee /usr/share/keyrings/hashicorp-archive-keyring.asc +echo "deb [ signed-by=/usr/share/keyrings/hashicorp-archive-keyring.asc ] https://apt.releases.hashicorp.com $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/hashicorp.list +sudo apt-get update && sudo apt-get install vagrant +``` + +### Install libvirt + +```bash +sudo apt install -y qemu-kvm virt-manager libvirt-daemon-system virtinst libvirt-clients bridge-utils +sudo systemctl enable --now libvirtd +sudo systemctl start libvirtd +sudo usermod -aG kvm $USER +sudo usermod -aG libvirt $USER +``` + +### Install the plugin vagrant-libvirt + +```bash +vagrant plugin install vagrant-libvirt +``` + +#### Start the VM + +```bash +sudo vagrant up --provider=libvirt +``` + +#### Destroy the VM + +```bash +sudo vagrant destroy -f +``` + +#### SSH in the VM + +```bash +sudo vagrant ssh +``` + +### Context + +Traefik is installed as a systemd service. +It is configured with the dashboard activated and listening on port 8081 and port 80 for the web + +Crowdsec is started and listening on port 8080. +Certificates are generated on the provision step of vagrant. + +Whoami is installed as a systemd service. +It is configured to listen on port 9000. + +Whoami is accessible from traefik on port 80 at any domain and path + +For example: curl http://localhost:80/test + +The Plugin / Bouncer use certificates to validate the server certificates and authenticates with the Crowdsec local api. diff --git a/exemples/binary-vm/Vagrantfile b/exemples/binary-vm/Vagrantfile new file mode 100644 index 0000000..1eb4b13 --- /dev/null +++ b/exemples/binary-vm/Vagrantfile @@ -0,0 +1,81 @@ +# -*- mode: ruby -*- +# vi: set ft=ruby : + +# All Vagrant configuration is done below. The "2" in Vagrant.configure +# configures the configuration version (we support older styles for +# backwards compatibility). Please don't change it unless you know what +# you're doing. +Vagrant.configure("2") do |config| + # The most common configuration options are documented and commented below. + # For a complete reference, please see the online documentation at + # https://docs.vagrantup.com. + + # Every Vagrant development environment requires a box. You can search for + # boxes at https://vagrantcloud.com/search. + config.vm.box = "generic/debian11" + + # Disable automatic box update checking. If you disable this, then + # boxes will only be checked for updates when the user runs + # `vagrant box outdated`. This is not recommended. + # config.vm.box_check_update = false + + # Create a forwarded port mapping which allows access to a specific port + # within the machine from a port on the host machine. In the example below, + # accessing "localhost:8080" will access port 80 on the guest machine. + # NOTE: This will enable public access to the opened port + # config.vm.network "forwarded_port", guest: 80, host: 8080 + + # Create a forwarded port mapping which allows access to a specific port + # within the machine from a port on the host machine and only allow access + # via 127.0.0.1 to disable public access + # config.vm.network "forwarded_port", guest: 80, host: 8080, host_ip: "127.0.0.1" + config.vm.network "forwarded_port", guest: 8081, host: 8081 + config.vm.network "forwarded_port", guest: 80, host: 80 + + + # Create a private network, which allows host-only access to the machine + # using a specific IP. + # config.vm.network "private_network", ip: "192.168.33.10" + + # Create a public network, which generally matched to bridged network. + # Bridged networks make the machine appear as another physical device on + # your network. + # config.vm.network "public_network" + + # Share an additional folder to the guest VM. The first argument is + # the path on the host to the actual folder. The second argument is + # the path on the guest to mount the folder. And the optional third + # argument is a set of non-required options. + # Provider-specific configuration so you can fine-tune various + # backing providers for Vagrant. These expose provider-specific options. + # Example for VirtualBox: + # + + config.vm.provider "libvirt" do |lv| + graphics_type = "none" + lv.cpus = 1 + # lv.vm.network :private_network, :ip => "10.20.30.40" + # Customize the amount of memory on the VM: + lv.memory = "2048" + end + + # config.vm.provider "virtualbox" do |vb| + # vb.gui = false + # vb.cpus = 1 + # # vb.vm.network :private_network, :ip => "10.20.30.40" + # # Customize the amount of memory on the VM: + # vb.memory = "2048" + # end + config.vm.provision "file", source: "./files", destination: "/home/vagrant/vagrant_data" + + config.vm.provision "shell", path: "scripts/install_traefik.sh" + config.vm.provision "shell", path: "scripts/configure_traefik.sh" + + config.vm.provision "shell", path: "scripts/install_whoami.sh" + + config.vm.provision "shell", path: "scripts/install_crowdsec.sh" + + config.vm.provision "shell", path: "scripts/configure_crowdsec_certs.sh" + + +end diff --git a/exemples/binary-vm/files/crowdsec/acquis.yaml b/exemples/binary-vm/files/crowdsec/acquis.yaml new file mode 100644 index 0000000..5d52554 --- /dev/null +++ b/exemples/binary-vm/files/crowdsec/acquis.yaml @@ -0,0 +1,4 @@ +filenames: + - /var/log/traefik/access.log +labels: + type: traefik diff --git a/exemples/binary-vm/files/crowdsec/certs/agent.json b/exemples/binary-vm/files/crowdsec/certs/agent.json new file mode 100644 index 0000000..354bf7a --- /dev/null +++ b/exemples/binary-vm/files/crowdsec/certs/agent.json @@ -0,0 +1,16 @@ +{ + "CN": "myagent", + "key": { + "algo": "rsa", + "size": 2048 + }, + "names": [ + { + "C": "FR", + "L": "Paris", + "O": "Crowdsec", + "OU": "agent-ou", + "ST": "France" + } + ] +} diff --git a/exemples/binary-vm/files/crowdsec/certs/bouncer.json b/exemples/binary-vm/files/crowdsec/certs/bouncer.json new file mode 100644 index 0000000..eb50f81 --- /dev/null +++ b/exemples/binary-vm/files/crowdsec/certs/bouncer.json @@ -0,0 +1,17 @@ +{ + "CN": "whoami", + "key": { + "algo": "rsa", + "size": 2048 + }, + "names": [ + { + "C": "FR", + "L": "Paris", + "O": "Crowdsec", + "OU": "bouncer-ou", + "ST": "France" + } + ] +} + diff --git a/exemples/binary-vm/files/crowdsec/certs/ca.json b/exemples/binary-vm/files/crowdsec/certs/ca.json new file mode 100644 index 0000000..3d8bc31 --- /dev/null +++ b/exemples/binary-vm/files/crowdsec/certs/ca.json @@ -0,0 +1,16 @@ +{ + "CN": "CrowdSec Test CA", + "key": { + "algo": "rsa", + "size": 2048 + }, + "names": [ + { + "C": "FR", + "L": "Paris", + "O": "Crowdsec", + "OU": "Crowdsec", + "ST": "France" + } + ] +} diff --git a/exemples/binary-vm/files/crowdsec/certs/intermediate.json b/exemples/binary-vm/files/crowdsec/certs/intermediate.json new file mode 100644 index 0000000..c76f957 --- /dev/null +++ b/exemples/binary-vm/files/crowdsec/certs/intermediate.json @@ -0,0 +1,19 @@ +{ + "CN": "CrowdSec Test CA Intermediate", + "key": { + "algo": "rsa", + "size": 2048 + }, + "names": [ + { + "C": "FR", + "L": "Paris", + "O": "Crowdsec", + "OU": "Crowdsec Intermediate", + "ST": "France" + } + ], + "ca": { + "expiry": "42720h" + } +} diff --git a/exemples/binary-vm/files/crowdsec/certs/profiles.json b/exemples/binary-vm/files/crowdsec/certs/profiles.json new file mode 100644 index 0000000..e9af38e --- /dev/null +++ b/exemples/binary-vm/files/crowdsec/certs/profiles.json @@ -0,0 +1,44 @@ +{ + "signing": { + "default": { + "expiry": "8760h" + }, + "profiles": { + "intermediate_ca": { + "usages": [ + "signing", + "digital signature", + "key encipherment", + "cert sign", + "crl sign", + "server auth", + "client auth" + ], + "expiry": "8760h", + "ca_constraint": { + "is_ca": true, + "max_path_len": 0, + "max_path_len_zero": true + } + }, + "server": { + "usages": [ + "signing", + "digital signing", + "key encipherment", + "server auth" + ], + "expiry": "8760h" + }, + "client": { + "usages": [ + "signing", + "digital signature", + "key encipherment", + "client auth" + ], + "expiry": "8760h" + } + } + } +} diff --git a/exemples/binary-vm/files/crowdsec/certs/server.json b/exemples/binary-vm/files/crowdsec/certs/server.json new file mode 100644 index 0000000..689beb0 --- /dev/null +++ b/exemples/binary-vm/files/crowdsec/certs/server.json @@ -0,0 +1,20 @@ +{ + "CN": "localhost", + "key": { + "algo": "rsa", + "size": 2048 + }, + "names": [ + { + "C": "FR", + "L": "Paris", + "O": "Crowdsec", + "OU": "Crowdsec Server", + "ST": "France" + } + ], + "hosts": [ + "127.0.0.1", + "localhost" + ] +} diff --git a/exemples/binary-vm/files/crowdsec/config/config.yaml b/exemples/binary-vm/files/crowdsec/config/config.yaml new file mode 100644 index 0000000..47ec94f --- /dev/null +++ b/exemples/binary-vm/files/crowdsec/config/config.yaml @@ -0,0 +1,62 @@ +common: + daemonize: true + pid_dir: /var/run/ + log_media: file + log_level: debug + log_dir: /var/log/ + log_max_size: 20 + compress_logs: true + log_max_files: 10 + working_dir: . +config_paths: + config_dir: /etc/crowdsec/ + data_dir: /var/lib/crowdsec/data/ + simulation_path: /etc/crowdsec/simulation.yaml + hub_dir: /etc/crowdsec/hub/ + index_path: /etc/crowdsec/hub/.index.json + notification_dir: /etc/crowdsec/notifications/ + plugin_dir: /usr/lib/crowdsec/plugins/ +crowdsec_service: + acquisition_path: /etc/crowdsec/acquis.yaml + acquisition_dir: /etc/crowdsec/acquis.d + parser_routines: 1 +cscli: + output: human + color: auto +db_config: + log_level: info + type: sqlite + db_path: /var/lib/crowdsec/data/crowdsec.db + #max_open_conns: 100 + #user: + #password: + #db_name: + #host: + #port: + flush: + max_items: 5000 + max_age: 7d +plugin_config: + user: nobody # plugin process would be ran on behalf of this user + group: nogroup # plugin process would be ran on behalf of this group +api: + client: + insecure_skip_verify: false + credentials_path: /etc/crowdsec/local_api_credentials.yaml + server: + log_level: debug + listen_uri: 127.0.0.1:8080 + profiles_path: /etc/crowdsec/profiles.yaml + console_path: /etc/crowdsec/console.yaml + online_client: # Central API credentials (to push signals and receive bad IPs) + credentials_path: /etc/crowdsec/online_api_credentials.yaml + trusted_ips: # IP ranges, or IPs which can have admin API access + - 127.0.0.1 + tls: + cert_file: /etc/crowdsec/certs/server.pem #Server side cert + key_file: /etc/crowdsec/certs/server-key.pem #Server side key + ca_cert_path: /etc/crowdsec/certs/inter.pem #CA used to verify the client certs + bouncers_allowed_ou: #OU allowed for bouncers + - bouncer-ou + agents_allowed_ou: #OU allowed for agents + - agent-ou diff --git a/exemples/binary-vm/files/crowdsec/config/local_api_credentials.yaml b/exemples/binary-vm/files/crowdsec/config/local_api_credentials.yaml new file mode 100644 index 0000000..1628fdc --- /dev/null +++ b/exemples/binary-vm/files/crowdsec/config/local_api_credentials.yaml @@ -0,0 +1,4 @@ +url: https://localhost:8080 +ca_cert_path: /etc/crowdsec/certs/inter.pem #CA to trust the server certificate +key_path: /etc/crowdsec/certs/agent-key.pem #Client key +cert_path: /etc/crowdsec/certs/agent.pem #Client cert diff --git a/exemples/binary-vm/files/traefik/conf/whoami.yml b/exemples/binary-vm/files/traefik/conf/whoami.yml new file mode 100644 index 0000000..830e950 --- /dev/null +++ b/exemples/binary-vm/files/traefik/conf/whoami.yml @@ -0,0 +1,31 @@ +http: + routers: + to-whoami-http-service: + rule: "PathPrefix(`/`)" + service: whoami-service + middlewares: + - "crowdsec-whoami" + entryPoints: + - web + + services: + whoami-service: + loadBalancer: + servers: + - url: "http://localhost:9000/" + + middlewares: + crowdsec-whoami: + plugin: + bouncer: + enabled: true + crowdseclapikey: whoami-demo + updateintervalseconds: 60 + crowdsecmode: live + loglevel: "DEBUG" + crowdsecLapiScheme: https + crowdsecLapiHost: localhost:8080 + crowdsecLapiTLSInsecureVerify: false + crowdsecLapiTLSCertificateAuthorityFile: /etc/traefik/crowdsec-certs/inter.pem + crowdsecLapiTLSCertificateBouncerFile: /etc/traefik/crowdsec-certs/bouncer.pem + crowdsecLapiTLSCertificateBouncerKeyFile: /etc/traefik/crowdsec-certs/bouncer-key.pem diff --git a/exemples/binary-vm/files/traefik/traefik.service b/exemples/binary-vm/files/traefik/traefik.service new file mode 100644 index 0000000..fddf7b9 --- /dev/null +++ b/exemples/binary-vm/files/traefik/traefik.service @@ -0,0 +1,40 @@ +[Unit] +Description=traefik proxy +After=network-online.target +Wants=network-online.target systemd-networkd-wait-online.service + +[Service] +Restart=on-abnormal + +; User and group the process will run as. +User=traefik +Group=traefik + +; Always set "-root" to something safe in case it gets forgotten in the traefikfile. +ExecStart=/usr/local/bin/traefik --configfile=/etc/traefik/traefik.yml +WorkingDirectory=/etc/traefik +; Limit the number of file descriptors; see `man systemd.exec` for more limit settings. +LimitNOFILE=1048576 + +; Use private /tmp and /var/tmp, which are discarded after traefik stops. +PrivateTmp=true +; Use a minimal /dev (May bring additional security if switched to 'true', but it may not work on Raspberry Pi's or other devices, so it has been disabled in this dist.) +PrivateDevices=false +; Hide /home, /root, and /run/user. Nobody will steal your SSH-keys. +ProtectHome=true +; Make /usr, /boot, /etc and possibly some more folders read-only. +;ProtectSystem=full +; … except /etc/ssl/traefik, because we want Letsencrypt-certificates there. +; This merely retains r/w access rights, it does not add any new. Must still be writable on the host! +;ReadWriteDirectories=/etc/traefik/acme +;ReadWriteDirectories=/etc/traefik/plugins-storage + +; The following additional security directives only work with systemd v229 or later. +; They further restrict privileges that can be gained by traefik. Uncomment if you like. +; Note that you may have to add capabilities required by any plugins in use. +CapabilityBoundingSet=CAP_NET_BIND_SERVICE +AmbientCapabilities=CAP_NET_BIND_SERVICE +NoNewPrivileges=true + +[Install] +WantedBy=multi-user.target diff --git a/exemples/binary-vm/files/traefik/traefik.yml b/exemples/binary-vm/files/traefik/traefik.yml new file mode 100644 index 0000000..30c1200 --- /dev/null +++ b/exemples/binary-vm/files/traefik/traefik.yml @@ -0,0 +1,100 @@ +################################################################ +# Global configuration +################################################################ +global: + checkNewVersion: false + sendAnonymousUsage: false + +################################################################ +# EntryPoints configuration +################################################################ + +entryPoints: + web: + address: :80 + traefik: + address: :8081 + +################################################################ +# Provider file configuration +################################################################ + +providers: + file: + directory: "/etc/traefik/conf" + +################################################################ +# Plugin configuration +################################################################ + +experimental: + plugins: + bouncer: + moduleName: github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin + version: v1.1.5 + +################################################################ +# Certificate Resolver +################################################################ + +serversTransport: + insecureSkipVerify: false + +################################################################ +# Traefik logs configuration +################################################################ + +# Traefik logs +# Enabled by default and log to stdout +log: + filePath: /var/log/traefik/traefik.log + level: DEBUG + # format: json + +################################################################ +# Access logs configuration +################################################################ + +# Enable access logs +# By default it will write to stdout and produce logs in the textual +# Common Log Format (CLF), extended with additional fields. +accessLog: + # Sets the file path for the access log. If not specified, stdout will be used. + # Intermediate directories are created if necessary. + filePath: /var/log/traefik/access.log + fields: + defaultMode: keep + names: + ClientUsername: keep + headers: + defaultMode: keep + + # Format is either "json" or "common". + # + # Optional + # Default: "common" + # +# format: json + +################################################################ +# API and dashboard configuration +################################################################ + +# Enable API and dashboard +# +# Optional +# +api: + # Enable the API in insecure mode + # + # Optional + # Default: false + # + insecure: true + + # Enabled Dashboard + # + # Optional + # Default: true + # + dashboard: true diff --git a/exemples/binary-vm/files/whoami.service b/exemples/binary-vm/files/whoami.service new file mode 100644 index 0000000..4158317 --- /dev/null +++ b/exemples/binary-vm/files/whoami.service @@ -0,0 +1,31 @@ +[Unit] +Description=whoami web server +After=network-online.target +Wants=network-online.target systemd-networkd-wait-online.service + +[Service] +Restart=on-abnormal + +; User and group the process will run as. +User=whoami +Group=whoami + +; Always set "-root" to something safe in case it gets forgotten in the traefikfile. +ExecStart=/usr/local/bin/whoami --port=9000 + +; Limit the number of file descriptors; see `man systemd.exec` for more limit settings. +LimitNOFILE=1048576 + +; Use private /tmp and /var/tmp, which are discarded after traefik stops. +PrivateTmp=true +; Use a minimal /dev (May bring additional security if switched to 'true', but it may not work on Raspberry Pi's or other devices, so it has been disabled in this dist.) +PrivateDevices=false +; Hide /home, /root, and /run/user. Nobody will steal your SSH-keys. +ProtectHome=true +; Make /usr, /boot, /etc and possibly some more folders read-only. +ProtectSystem=full + +NoNewPrivileges=true + +[Install] +WantedBy=multi-user. diff --git a/exemples/binary-vm/scripts/configure_crowdsec_certs.sh b/exemples/binary-vm/scripts/configure_crowdsec_certs.sh new file mode 100644 index 0000000..3f99680 --- /dev/null +++ b/exemples/binary-vm/scripts/configure_crowdsec_certs.sh @@ -0,0 +1,46 @@ +#!/bin/bash + +basepath="/home/vagrant/vagrant_data/crowdsec/certs" + +VERSION=$(curl --silent "https://api.github.com/repos/cloudflare/cfssl/releases/latest" | grep '"tag_name"' | sed -E 's/.*"([^"]+)".*/\1/') +VNUMBER=${VERSION#"v"} +wget https://github.com/cloudflare/cfssl/releases/download/${VERSION}/cfssl_${VNUMBER}_linux_amd64 -O cfssl +chmod +x cfssl +sudo mv cfssl /usr/local/bin + +VERSION=$(curl --silent "https://api.github.com/repos/cloudflare/cfssl/releases/latest" | grep '"tag_name"' | sed -E 's/.*"([^"]+)".*/\1/') +VNUMBER=${VERSION#"v"} +wget https://github.com/cloudflare/cfssl/releases/download/${VERSION}/cfssljson_${VNUMBER}_linux_amd64 -O cfssljson +chmod +x cfssljson +sudo mv cfssljson /usr/local/bin +cfssljson -version + +mkdir -p /etc/crowdsec/certs + +# Generate the CA +cfssl gencert --initca ${basepath}/ca.json 2>/dev/null | cfssljson --bare "/etc/crowdsec/certs/ca" +# Generate an intermediate certificate that will be used to sign the client certificates +cfssl gencert --initca ${basepath}/intermediate.json 2>/dev/null | cfssljson --bare "/etc/crowdsec/certs/inter" +cfssl sign -ca "/etc/crowdsec/certs/ca.pem" -ca-key "/etc/crowdsec/certs/ca-key.pem" -config ${basepath}/profiles.json -profile intermediate_ca "/etc/crowdsec/certs/inter.csr" 2>/dev/null | cfssljson --bare "/etc/crowdsec/certs/inter" +# Generate a server side certificate +cfssl gencert -ca "/etc/crowdsec/certs/inter.pem" -ca-key "/etc/crowdsec/certs/inter-key.pem" -config ${basepath}/profiles.json -profile=server ${basepath}/server.json 2>/dev/null | cfssljson --bare "/etc/crowdsec/certs/server" +# Generate a client certificate for the bouncer whoami +cfssl gencert -ca "/etc/crowdsec/certs/inter.pem" -ca-key "/etc/crowdsec/certs/inter-key.pem" -config ${basepath}/profiles.json -profile=client ${basepath}/bouncer.json 2>/dev/null | cfssljson --bare "/etc/crowdsec/certs/bouncer" +# Generate a client certificate for the agent +cfssl gencert -ca "/etc/crowdsec/certs/inter.pem" -ca-key "/etc/crowdsec/certs/inter-key.pem" -config ${basepath}/profiles.json -profile=client ${basepath}/agent.json 2>/dev/null | cfssljson --bare "/etc/crowdsec/certs/agent" + + +cp /home/vagrant/vagrant_data/crowdsec/config/config.yaml /etc/crowdsec/config.yaml.local +cp /home/vagrant/vagrant_data/crowdsec/config/local_api_credentials.yaml /etc/crowdsec/ +chmod +r /etc/crowdsec/config.yaml +chmod +r /etc/crowdsec/local_api_credentials.yaml + +systemctl restart crowdsec + +mkdir /etc/traefik/crowdsec-certs +cp /etc/crowdsec/certs/inter.pem /etc/traefik/crowdsec-certs/inter.pem +cp /etc/crowdsec/certs/bouncer.pem /etc/traefik/crowdsec-certs/bouncer.pem +cp /etc/crowdsec/certs/bouncer-key.pem /etc/traefik/crowdsec-certs/bouncer-key.pem +chown -R traefik:traefik /etc/traefik/crowdsec-certs/ + +systemctl restart traefik diff --git a/exemples/binary-vm/scripts/configure_traefik.sh b/exemples/binary-vm/scripts/configure_traefik.sh new file mode 100644 index 0000000..c5f16f0 --- /dev/null +++ b/exemples/binary-vm/scripts/configure_traefik.sh @@ -0,0 +1,11 @@ +#!/bin/bash + + +sudo cp /home/vagrant/vagrant_data/traefik/traefik.yml /etc/traefik/traefik.yml +sudo cp -a /home/vagrant/vagrant_data/traefik/conf /etc/traefik/ +sudo chown -R traefik:traefik /etc/traefik +sudo mkdir /var/log/traefik +sudo chown -R traefik:traefik /var/log/traefik + +sudo systemctl restart traefik.service +sudo systemctl status traefik.service diff --git a/exemples/binary-vm/scripts/install_crowdsec.sh b/exemples/binary-vm/scripts/install_crowdsec.sh new file mode 100644 index 0000000..aec29df --- /dev/null +++ b/exemples/binary-vm/scripts/install_crowdsec.sh @@ -0,0 +1,5 @@ +#!/bin/bash + +curl -s https://packagecloud.io/install/repositories/crowdsec/crowdsec/script.deb.sh | sudo bash +sudo apt install crowdsec -y +sudo cp /home/vagrant/vagrant_data/crowdsec/acquis.yaml /etc/crowdsec/acquis.yaml diff --git a/exemples/binary-vm/scripts/install_traefik.sh b/exemples/binary-vm/scripts/install_traefik.sh new file mode 100644 index 0000000..8f5e416 --- /dev/null +++ b/exemples/binary-vm/scripts/install_traefik.sh @@ -0,0 +1,31 @@ +#!/bin/bash + +sudo apt-get update && apt-get install wget -y && apt-get upgrade -y +wget -O traefik.tar.gz "https://github.com/traefik/traefik/releases/download/v2.9.5/traefik_v2.9.5_linux_amd64.tar.gz" +tar -zxvf traefik.tar.gz +# inspired from https://gist.github.com/ubergesundheit/7c9d875befc2d7bfd0bf43d8b3862d85 +sudo mv ./traefik /usr/local/bin/ +sudo chown root:root /usr/local/bin/traefik +sudo chmod 755 /usr/local/bin/traefik +sudo setcap 'cap_net_bind_service=+ep' /usr/local/bin/traefik + +sudo groupadd -g 321 traefik +sudo useradd \ + -g traefik --no-user-group \ + --home-dir /var/www --no-create-home \ + --shell /usr/sbin/nologin \ + --system --uid 321 traefik + +sudo mkdir /etc/traefik +sudo mkdir /etc/traefik/acme +sudo mkdir /etc/traefik/plugins-storage +sudo chown -R root:root /etc/traefik +sudo chown -R traefik:traefik /etc/traefik/acme +sudo chown -R traefik:traefik /etc/traefik/plugins-storage + +sudo cp /home/vagrant/vagrant_data/traefik/traefik.service /etc/systemd/system/ +sudo chown root:root /etc/systemd/system/traefik.service +sudo chmod 644 /etc/systemd/system/traefik.service +sudo systemctl daemon-reload +sudo systemctl start traefik.service +sudo systemctl enable traefik.service diff --git a/exemples/binary-vm/scripts/install_whoami.sh b/exemples/binary-vm/scripts/install_whoami.sh new file mode 100644 index 0000000..050c838 --- /dev/null +++ b/exemples/binary-vm/scripts/install_whoami.sh @@ -0,0 +1,23 @@ +#!/bin/bash + +sudo apt-get update && apt-get install wget -y +wget -O whoami.tar.gz "https://github.com/traefik/whoami/releases/download/v1.8.7/whoami_v1.8.7_linux_amd64.tar.gz" +tar -zxvf whoami.tar.gz +# inspired from https://gist.github.com/ubergesundheit/7c9d875befc2d7bfd0bf43d8b3862d85 +sudo mv ./whoami /usr/local/bin/ +sudo chown root:root /usr/local/bin/whoami +sudo chmod 755 /usr/local/bin/whoami + +sudo groupadd -g 322 whoami +sudo useradd \ + -g whoami --no-user-group \ + --home-dir /var/www --no-create-home \ + --shell /usr/sbin/nologin \ + --system --uid 322 whoami + +sudo cp /home/vagrant/vagrant_data/whoami.service /etc/systemd/system/ +sudo chown root:root /etc/systemd/system/whoami.service +sudo chmod 644 /etc/systemd/system/whoami.service +sudo systemctl daemon-reload +sudo systemctl start whoami.service +sudo systemctl enable whoami.service