add crowdsec job

2022-05-26 14:19:32 +02:00 · 2022-05-26 14:19:32 +02:00 · 8e44459e51
commit 8e44459e51
parent f3e7bb9813
3 changed files with 126 additions and 0 deletions
--- a/crowdsec-agent.nomad
+++ b/crowdsec-agent.nomad
@ -0,0 +1,58 @@
+
+job "crowdsec-agent" {
+  datacenters = ["homelab","hetzner"]
+  type = "system"
+  meta {
+    forcedeploy = "2"
+  }
+  vault{
+    policies= ["access-tables"]
+
+  }
+
+  group "crowdsec-agent"{
+    task "crowdsec-agent" {
+      driver = "docker"
+      config {
+        image = "crowdsecurity/crowdsec"
+        volumes = [
+          "/var/run/docker.sock:/var/run/docker.sock",
+          "/var/log:/var/log",
+          "local/acquis.yaml:/etc/crowdsec/acquis.yaml"
+        ]
+
+      }
+      env {
+        COLLECTIONS= "crowdsecurity/traefik"
+        DISABLE_LOCAL_API= "true"
+      }
+      template {
+        data = <<EOH
+---
+source: docker
+container_name_regexp:
+  - traefik-*
+labels:
+  type: traefik
+EOH
+        destination = "local/acquis.yaml"
+
+      }
+      template {
+        data = <<EOH
+        LOCAL_API_URL =  {{- range service "crowdsec-api" }} "http://{{ .Address }}:{{ .Port }}"{{- end }}
+AGENT_USERNAME = "{{ env "node.unique.name" }}"
+{{with secret "secrets/data/crowdsec"}}
+  AGENT_PASSWORD = "{{.Data.data.AGENT_PASSWORD}}"
+{{end}}
+EOH
+        destination ="secret/agent.env"
+        env = "true"
+      }
+      resources {
+        memory = 100
+      }
+    }
+
+  }
+}
--- a/crowdsec-api.nomad
+++ b/crowdsec-api.nomad
@ -0,0 +1,63 @@
+job "crowdsec-api" {
+  datacenters = ["homelab"]
+  type = "service"
+  meta {
+    forcedeploy = "-1"
+  }
+  vault{
+    policies = ["access-tables"]
+  }
+  group "crowdsec-api" {
+    network {
+      mode = "host"
+      port "http" {
+        to = 8080
+      }
+      port "metric"{
+        to = 6060
+      }
+    }
+    task "crowdsec-api" {
+       service {
+        name= "crowdsec-metrics"
+        port = "metric"
+        tags = [
+        ]
+      }
+     driver = "docker"
+      service {
+        name= "crowdsec-api"
+        port = "http"
+        tags = [
+
+        ]
+      }
+      config {
+        image ="crowdsecurity/crowdsec"
+        ports = ["http","metric"]
+        volumes = [
+          "/mnt/diskstation/nomad/crowdsec/db:/var/lib/crowdsec/data",
+          "/mnt/diskstation/nomad/crowdsec/data:/etc/crowdsec_data",
+        ]
+
+      }
+      template {
+        data = <<EOH
+DISABLE_AGENT = "true"
+{{with secret "secrets/data/crowdsec"}}
+  AGENT_USERNAME = "{{.Data.data.AGENT_USERNAME}}"
+  AGENT_PASSWORD = "{{.Data.data.AGENT_PASSWORD}}"
+{{end}}
+EOH
+        destination ="secret/api.env"
+        env = "true"
+      }
+      resources {
+        memory = 99
+      }
+    }
+    
+
+
+  }
+}
--- a/prometheus.nomad
+++ b/prometheus.nomad
@ -66,6 +66,11 @@ scrape_configs:
    - server: 'consul.service.consul:8500'
      services: ['alertmanager']

+  - job_name: 'crowdsec'
+    consul_sd_configs:
+    - server: 'consul.service.consul:8500'
+      services: ['crowdsec-metrics']
+

 EOH
      }