add crowdsec job

2022-05-26 14:19:32 +02:00 · 2022-05-26 14:19:32 +02:00 · 8e44459e51
commit 8e44459e51
parent f3e7bb9813
3 changed files with 126 additions and 0 deletions
--- a/crowdsec-agent.nomad
+++ b/crowdsec-agent.nomad
@ -0,0 +1,58 @@
 job "crowdsec-agent" {
  datacenters = ["homelab","hetzner"]
  type = "system"
  meta {
    forcedeploy = "2"
  }
  vault{
    policies= ["access-tables"]
  }
  group "crowdsec-agent"{
    task "crowdsec-agent" {
      driver = "docker"
      config {
        image = "crowdsecurity/crowdsec"
        volumes = [
          "/var/run/docker.sock:/var/run/docker.sock",
          "/var/log:/var/log",
          "local/acquis.yaml:/etc/crowdsec/acquis.yaml"
        ]
      }
      env {
        COLLECTIONS= "crowdsecurity/traefik"
        DISABLE_LOCAL_API= "true"
      }
      template {
        data = <<EOH
 ---
 source: docker
 container_name_regexp:
  - traefik-*
 labels:
  type: traefik
 EOH
        destination = "local/acquis.yaml"
      }
      template {
        data = <<EOH
        LOCAL_API_URL =  {{- range service "crowdsec-api" }} "http://{{ .Address }}:{{ .Port }}"{{- end }}
 AGENT_USERNAME = "{{ env "node.unique.name" }}"
 {{with secret "secrets/data/crowdsec"}}
  AGENT_PASSWORD = "{{.Data.data.AGENT_PASSWORD}}"
 {{end}}
 EOH
        destination ="secret/agent.env"
        env = "true"
      }
      resources {
        memory = 100
      }
    }
  }
 }
--- a/crowdsec-api.nomad
+++ b/crowdsec-api.nomad
@ -0,0 +1,63 @@
 job "crowdsec-api" {
  datacenters = ["homelab"]
  type = "service"
  meta {
    forcedeploy = "-1"
  }
  vault{
    policies = ["access-tables"]
  }
  group "crowdsec-api" {
    network {
      mode = "host"
      port "http" {
        to = 8080
      }
      port "metric"{
        to = 6060
      }
    }
    task "crowdsec-api" {
       service {
        name= "crowdsec-metrics"
        port = "metric"
        tags = [
        ]
      }
     driver = "docker"
      service {
        name= "crowdsec-api"
        port = "http"
        tags = [
        ]
      }
      config {
        image ="crowdsecurity/crowdsec"
        ports = ["http","metric"]
        volumes = [
          "/mnt/diskstation/nomad/crowdsec/db:/var/lib/crowdsec/data",
          "/mnt/diskstation/nomad/crowdsec/data:/etc/crowdsec_data",
        ]
      }
      template {
        data = <<EOH
 DISABLE_AGENT = "true"
 {{with secret "secrets/data/crowdsec"}}
  AGENT_USERNAME = "{{.Data.data.AGENT_USERNAME}}"
  AGENT_PASSWORD = "{{.Data.data.AGENT_PASSWORD}}"
 {{end}}
 EOH
        destination ="secret/api.env"
        env = "true"
      }
      resources {
        memory = 99
      }
    }
  }
 }
--- a/prometheus.nomad
+++ b/prometheus.nomad
@ -66,6 +66,11 @@ scrape_configs:
    - server: 'consul.service.consul:8500'
      services: ['alertmanager']
  - job_name: 'crowdsec'
    consul_sd_configs:
    - server: 'consul.service.consul:8500'
      services: ['crowdsec-metrics']
 EOH
      }