Update to 2021-12-01 19:13

roles/crowdsec/templates/acquis.yaml.j2

@@ -0,0 +1,6 @@
+{% if cs_acquis is defined and cs_acquis | length > 0%}
+{% for acquis in cs_acquis %}
+---
+{{ acquis | to_nice_yaml }}
+{% endfor %}
+{% endif %}

roles/crowdsec/templates/acquis/system.yaml.j2

@@ -0,0 +1,5 @@
+---
+journalctl_filter:
+  - ""
+labels:
+  type: syslog

roles/crowdsec/templates/config.yaml.j2

@@ -0,0 +1,65 @@
+common:
+  daemonize: true
+  pid_dir: /var/run/
+  log_media: stdout
+  log_level: info
+  working_dir: .
+
+config_paths:
+  config_dir: /etc/crowdsec/
+  data_dir: {{ cs_root_dir }}/data/
+  simulation_path: /etc/crowdsec/simulation.yaml
+  hub_dir: /etc/crowdsec/hub/
+  index_path: /etc/crowdsec/hub/.index.json
+
+crowdsec_service:
+{% if cs_acquis is defined %}
+  acquisition_path: /etc/crowdsec/acquis.yaml
+{% else %}
+  acquisition_dir: /etc/crowdsec/acquis/
+{% endif %}
+  parser_routines: 1
+
+cscli:
+  output: human
+  hub_branch: master
+
+db_config:
+  log_level: info
+{% if cs_db_engine == 'mysql' %}
+  type: mysql
+  user: {{ cs_db_user }}
+  password: {{ cs_db_pass | quote }}
+  db_name: {{ cs_db_name }}
+  host: {{ cs_db_server }}
+  port: {{ cs_db_port }}
+{% else %}
+  type: sqlite
+  db_path: {{ cs_root_dir }}/data/crowdsec.db
+{% endif %}
+  flush:
+    max_items: 100000
+    max_age: 730d
+
+api:
+  client:
+    insecure_skip_verify: false
+    credentials_path: /etc/crowdsec/local_api_credentials.yaml
+
+{% if cs_lapi_enabled %}
+  server:
+    log_level: info
+    listen_uri: 0.0.0.0:{{ cs_lapi_port }}
+    profiles_path: /etc/crowdsec/profiles.yaml
+{% if cs_capi_enabled %}
+    online_client: 
+      credentials_path: /etc/crowdsec/online_api_credentials.yaml
+{% endif %}
+{% endif %}
+
+prometheus:
+  enabled: true
+  level: full
+  listen_addr: {{ (cs_prometheus_src_ip | length > 0) | ternary(ansible_all_ipv4_addresses[0],'127.0.0.1') }}
+  listen_port: {{ cs_prometheus_port }}
+

roles/crowdsec/templates/dev.yaml.j2

@@ -0,0 +1,39 @@
+common:
+  daemonize: false
+  log_media: stdout
+  log_level: info
+  working_dir: .
+
+config_paths:
+  config_dir: /etc/crowdsec/
+  data_dir: {{ cs_root_dir }}/data/
+  simulation_path: /etc/crowdsec/simulation.yaml
+  hub_dir: /etc/crowdsec/hub/
+  index_path: /etc/crowdsec/hub/.index.json
+
+crowdsec_service:
+  acquisition_path: /etc/crowdsec/acquis.yaml
+  parser_routines: 1
+
+cscli:
+  output: human
+  hub_branch: master
+
+db_config:
+  log_level: info
+  type: sqlite
+  db_path: {{ cs_root_dir }}/data/dev.db
+  flush:
+    max_items: 1000
+    max_age: 30d
+
+api:
+  client:
+    insecure_skip_verify: false
+    credentials_path: /etc/crowdsec/local_api_credentials.yaml
+  server:
+    profiles_path: /etc/crowdsec/profiles.yaml
+
+prometheus:
+  enabled: false
+

roles/crowdsec/templates/local_api_credentials.yaml.j2

@@ -0,0 +1,3 @@
+url: {{ cs_lapi_enabled | ternary('http://127.0.0.1:' ~ cs_lapi_port,(cs_lapi_url is search('/$')) | ternary(cs_lapi_url, cs_lapi_url ~ '/')) }}
+login: {{ cs_lapi_user }}
+password: {{ cs_lapi_pass }}

roles/crowdsec/templates/online_api_credentials.yaml.j2

@@ -0,0 +1,7 @@
+url: https://api.crowdsec.net/
+{% if cs_capi_user is defined %}
+login: {{ cs_capi_user }}
+{% endif %}
+{% if cs_capi_pass is defined %}
+password: {{ cs_capi_pass }}
+{% endif %}

roles/crowdsec/templates/parsers/s02-enrich/trusted_ip.yaml.j2

@@ -0,0 +1,16 @@
+name: fws/trusted_ip
+description: "Whitelist events from trusted ip"
+whitelist:
+  reason: "trusted ip"
+  ip:
+{% for ip in trusted_ip | default([]) %}
+{% if ip is not search('/\d+$') %}
+    - "{{ ip }}"
+{% endif %}
+{% endfor %}
+  cidr:
+{% for ip in trusted_ip | default([]) %}
+{% if ip is search('/\d+$') %}
+    - "{{ ip }}"
+{% endif %}
+{% endfor %}

roles/crowdsec/templates/post-backup.j2

@@ -0,0 +1,3 @@
+#!/bin/bash -e
+
+rm -f {{ cs_root_dir }}/backup/*

roles/crowdsec/templates/pre-backup.j2

@@ -0,0 +1,19 @@
+#!/bin/sh
+
+set -eo pipefail
+
+{% if cs_lapi_enabled %}
+{% if cs_db_engine == 'mysql' %}
+/usr/bin/mysqldump \
+{% if cs_db_server not in ['localhost','127.0.0.1'] %}
+  --user={{ cs_db_user | quote }} \
+  --password={{ cs_db_pass | quote }} \
+  --host={{ cs_db_server | quote }} \
+  --port={{ cs_db_port | quote }} \
+{% endif %}
+  --quick --single-transaction \
+  --add-drop-table {{ cs_db_name | quote }} | zstd -c > {{ cs_root_dir }}/backup/{{ cs_db_name }}.sql.zst
+{% else %}
+sqlite3 {{ cs_root_dir }}/data/crowdsec.db .dump | zstd -c > {{ cs_root_dir }}/backup/crowdsec.sql.zst
+{% endif %}
+{% endif %}

roles/crowdsec/templates/profiles.yaml.j2

@@ -0,0 +1,33 @@
+{% if cs_trusted_countries | length > 0 %}
+name: trusted_countries_ip_remediation
+filters:
+  - Alert.Remediation == true && Alert.GetScope() == "Ip" && Alert.Source.Cn in ["{{ cs_trusted_countries | join('","') }}"]
+decisions:
+ - type: ban
+   duration: {{ cs_ban_trusted_duration }}
+on_success: break
+---
+name: trusted_countries_range_remediation
+filters:
+  - Alert.Remediation == true && Alert.GetScope() == "Range" && Alert.Source.Cn in ["{{ cs_trusted_countries | join('","') }}"]
+decisions:
+ - type: ban
+   duration: {{ cs_ban_trusted_duration }}
+on_success: break
+---
+{% endif %}
+name: default_ip_remediation
+filters:
+ - Alert.Remediation == true && Alert.GetScope() == "Ip"
+decisions:
+ - type: ban
+   duration: {{ cs_ban_duration }}
+on_success: break
+---
+name: default_range_remediation
+filters:
+ - Alert.Remediation == true && Alert.GetScope() == "Range"
+decisions:
+ - type: ban
+   duration: {{ cs_ban_duration }}
+on_success: break

roles/crowdsec/templates/simulation.yaml.j2

@@ -0,0 +1 @@
+simulation: off