add crowdsec deployment

apps/dendrite/ingress.yaml

@@ -1,18 +0,0 @@
-apiVersion: traefik.io/v1alpha1
-kind: IngressRoute
-metadata:
-  name: dendrite-ingressroute
-
-spec:
-  entryPoints:
-    - websecure
-  routes:
-  - match: Host(`dendrite.kluster.moll.re`)
-    kind: Rule
-    services:
-    - name: dendrite
-      port: 8008
-      # scheme: https
-
-  tls:
-    certResolver: default-tls 

apps/dendrite/kustomization.yaml

@@ -1,16 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources: 
-  - namespace.yaml
-  - postgres.yaml
-  - postgres-user.secret.yaml
-  - ingress.yaml
-
-namespace: dendrite
-
-helmCharts:
-  - name: dendrite
-    releaseName: dendrite
-    version: 0.13.5
-    valuesFile: values.yaml
-    repo: https://matrix-org.github.io/dendrite/

apps/dendrite/postgres.yaml

@@ -1,25 +0,0 @@
-apiVersion: postgresql.cnpg.io/v1
-kind: Cluster
-metadata:
-  name: dendrite-postgres
-spec:
-  instances: 1
-  imageName: ghcr.io/cloudnative-pg/postgresql:16.4
-  bootstrap:
-    initdb:
-      owner: dendrite
-      database: dendrite
-      secret:
-        name: postgres-password
-
-  # Persistent storage configuration
-  storage:
-    size: 2Gi
-    pvcTemplate:
-      accessModes:
-        - ReadWriteOnce
-      resources:
-        requests:
-          storage: 2Gi
-      storageClassName: nfs-client
-      volumeMode: Filesystem

apps/dendrite/values.yaml

@@ -1,287 +0,0 @@
-
-# signing key to use
-signing_key:
-  # -- Create a new signing key, if not exists
-  create: true
-
-persistence:
-  jetstream:
-    # -- PVC Storage Request for the jetstream volume
-    capacity: "1Gi"
-    # -- The storage class to use for volume claims.
-    storageClass: "nfs-client"
-  media:
-    # -- PVC Storage Request for the media volume
-    capacity: "1Gi"
-    # -- The storage class to use for volume claims.
-    storageClass: "nfs-client"
-  search:
-    # -- PVC Storage Request for the search volume
-    capacity: "1Gi"
-    # -- The storage class to use for volume claims.
-    storageClass: "nfs-client"
-
-
-
-dendrite_config:
-  version: 2
-  global:
-    # -- **REQUIRED** Servername for this Dendrite deployment.
-    server_name: "dendrite.kluster.moll.re"
-
-    # -- The server name to delegate server-server communications to, with optional port
-    # e.g. localhost:443
-    well_known_server_name: ""
-
-    # -- The server name to delegate client-server communications to, with optional port
-    # e.g. localhost:443
-    well_known_client_name: ""
-
-    # -- Lists of domains that the server will trust as identity servers to verify third
-    # party identifiers such as phone numbers and email addresses.
-    trusted_third_party_id_servers:
-      - matrix.org
-      - vector.im
-
-    # -- The paths and expiry timestamps (as a UNIX timestamp in millisecond precision)
-    # to old signing keys that were formerly in use on this domain name. These
-    # keys will not be used for federation request or event signing, but will be
-    # provided to any other homeserver that asks when trying to verify old events.
-    old_private_keys:
-    #  If the old private key file is available:
-    #  - private_key: old_matrix_key.pem
-    #    expired_at: 1601024554498
-    #  If only the public key (in base64 format) and key ID are known:
-    #  - public_key: mn59Kxfdq9VziYHSBzI7+EDPDcBS2Xl7jeUdiiQcOnM=
-    #    key_id: ed25519:mykeyid
-    #    expired_at: 1601024554498
-
-    # -- Disable federation. Dendrite will not be able to make any outbound HTTP requests
-    # to other servers and the federation API will not be exposed.
-    disable_federation: false
-
-    key_validity_period: 168h0m0s
-
-    database:
-      # -- The connection string for connections to Postgres.
-      # This will be set automatically if using the Postgres dependency
-      connection_string: "postgresql://dendrite:supersecretpassword!@dendrite-postgres-rw/dendrite"
-      # -- Default database maximum open connections
-      max_open_conns: 90
-      # -- Default database maximum idle connections
-      max_idle_conns: 5
-      # -- Default database maximum lifetime
-      conn_max_lifetime: -1
-
-    jetstream:
-      # -- Persistent directory to store JetStream streams in.
-      storage_path: "/data/jetstream"
-      # -- NATS JetStream server addresses if not using internal NATS.
-      addresses: []
-      # -- The prefix for JetStream streams
-      topic_prefix: "Dendrite"
-      # -- Keep all data in memory. (**NOTE**: This is overriden in Helm to `false`)
-      in_memory: false
-      # -- Disables TLS validation. This should **NOT** be used in production.
-      disable_tls_validation: true
-
-    cache:
-      # -- The estimated maximum size for the global cache in bytes, or in terabytes,
-      # gigabytes, megabytes or kilobytes when the appropriate 'tb', 'gb', 'mb' or
-      # 'kb' suffix is specified. Note that this is not a hard limit, nor is it a
-      # memory limit for the entire process. A cache that is too small may ultimately
-      # provide little or no benefit.
-      max_size_estimated: 1gb
-      # -- The maximum amount of time that a cache entry can live for in memory before
-      # it will be evicted and/or refreshed from the database. Lower values result in
-      # easier admission of new cache entries but may also increase database load in
-      # comparison to higher values, so adjust conservatively. Higher values may make
-      # it harder for new items to make it into the cache, e.g. if new rooms suddenly
-      # become popular.
-      max_age: 1h
-
-    report_stats:
-      # -- Configures phone-home statistics reporting. These statistics contain the server
-      # name, number of active users and some information on your deployment config.
-      # We use this information to understand how Dendrite is being used in the wild.
-      enabled: false
-
-    presence:
-      # -- Controls whether we receive presence events from other servers
-      enable_inbound: false
-      # -- Controls whether we send presence events for our local users to other servers.
-      # (_May increase CPU/memory usage_)
-      enable_outbound: false
-
-    server_notices:
-      # -- Server notices allows server admins to send messages to all users on the server.
-      enabled: false
-      # -- The local part for the user sending server notices.
-      local_part: "_server"
-      # -- The display name for the user sending server notices.
-      display_name: "Server Alerts"
-      # -- The avatar URL (as a mxc:// URL) name for the user sending server notices.
-      avatar_url: ""
-      # The room name to be used when sending server notices. This room name will
-      # appear in user clients.
-      room_name: "Server Alerts"
-
-    # prometheus metrics
-    metrics:
-      # -- Whether or not Prometheus metrics are enabled.
-      enabled: false
-      # HTTP basic authentication to protect access to monitoring.
-      basic_auth:
-        # -- HTTP basic authentication username
-        user: "metrics"
-        # -- HTTP basic authentication password
-        password: metrics
-
-  app_service_api:
-    # -- Disable the validation of TLS certificates of appservices. This is
-    # not recommended in production since it may allow appservice traffic
-    # to be sent to an insecure endpoint.
-    disable_tls_validation: false
-    # -- Appservice config files to load on startup. (**NOTE**: This is overriden by Helm, if a folder `./appservices/` exists)
-    config_files: []
-
-  client_api:
-    # -- Prevents new users from being able to register on this homeserver, except when
-    # using the registration shared secret below.
-    registration_disabled: true
-
-    # Prevents new guest accounts from being created. Guest registration is also
-    # disabled implicitly by setting 'registration_disabled' above.
-    guests_disabled: true
-
-    # -- If set, allows registration by anyone who knows the shared secret, regardless of
-    # whether registration is otherwise disabled.
-    registration_shared_secret: "supersecretpassword"
-
-
-    # TURN server information that this homeserver should send to clients.
-    turn:
-      # -- Duration for how long users should be considered valid ([see time.ParseDuration](https://pkg.go.dev/time#ParseDuration) for more)
-      turn_user_lifetime: "24h"
-      turn_uris: []
-      turn_shared_secret: ""
-      # -- The TURN username
-      turn_username: ""
-      # -- The TURN password
-      turn_password: ""
-
-    rate_limiting:
-      # -- Enable rate limiting
-      enabled: true
-      # -- After how many requests a rate limit should be activated
-      threshold: 20
-      # -- Cooloff time in milliseconds
-      cooloff_ms: 500
-      # -- Users which should be exempt from rate limiting
-      exempt_user_ids:
-
-  federation_api:
-    # -- Federation failure threshold. How many consecutive failures that we should
-    # tolerate when sending federation requests to a specific server. The backoff
-    # is 2**x seconds, so 1 = 2 seconds, 2 = 4 seconds, 3 = 8 seconds, etc.
-    # The default value is 16 if not specified, which is circa 18 hours.
-    send_max_retries: 16
-    # -- Disable TLS validation. This should **NOT** be used in production.
-    disable_tls_validation: false
-    prefer_direct_fetch: false
-    # -- Prevents Dendrite from keeping HTTP connections
-    # open for reuse for future requests. Connections will be closed quicker
-    # but we may spend more time on TLS handshakes instead.
-    disable_http_keepalives: false
-    # -- Perspective keyservers, to use as a backup when direct key fetch
-    # requests don't succeed.
-    # @default -- See value.yaml
-    key_perspectives:
-      - server_name: matrix.org
-        keys:
-          - key_id: ed25519:auto
-            public_key: Noi6WqcDj0QmPxCNQqgezwTlBKrfqehY1u2FyWP9uYw
-          - key_id: ed25519:a_RXGa
-            public_key: l8Hft5qXKn1vfHrg3p4+W8gELQVo8N13JkluMfmn2sQ
-
-  media_api:
-    # -- The path to store media files (e.g. avatars) in
-    base_path: "/data/media_store"
-    # -- The max file size for uploaded media files
-    max_file_size_bytes: 10485760
-    # Whether to dynamically generate thumbnails if needed.
-    dynamic_thumbnails: false
-    # -- The maximum number of simultaneous thumbnail generators to run.
-    max_thumbnail_generators: 10
-    # -- A list of thumbnail sizes to be generated for media content.
-    # @default -- See value.yaml
-    thumbnail_sizes:
-      - width: 32
-        height: 32
-        method: crop
-      - width: 96
-        height: 96
-        method: crop
-      - width: 640
-        height: 480
-        method: scale
-
-  sync_api:
-    # -- This option controls which HTTP header to inspect to find the real remote IP
-    # address of the client. This is likely required if Dendrite is running behind
-    # a reverse proxy server.
-    real_ip_header: X-Real-IP
-    # -- Configuration for the full-text search engine.
-    search:
-      # -- Whether fulltext search is enabled.
-      enabled: true
-      # -- The path to store the search index in.
-      index_path: "/data/search"
-      # -- The language most likely to be used on the server - used when indexing, to
-      # ensure the returned results match expectations. A full list of possible languages
-      # can be found [here](https://github.com/matrix-org/dendrite/blob/76db8e90defdfb9e61f6caea8a312c5d60bcc005/internal/fulltext/bleve.go#L25-L46)
-      language: "en"
-
-  user_api:
-    # -- bcrypt cost to use when hashing passwords.
-    # (ranges from 4-31; 4 being least secure, 31 being most secure; _NOTE: Using a too high value can cause clients to timeout and uses more CPU._)
-    bcrypt_cost: 10
-    # -- OpenID Token lifetime in milliseconds.
-    openid_token_lifetime_ms: 3600000
-    # - Disable TLS validation when hitting push gateways. This should **NOT** be used in production.
-    push_gateway_disable_tls_validation: false
-    # -- Rooms to join users to after registration
-    auto_join_rooms: []
-
-  # -- Default logging configuration
-  logging:
-  - type: std
-    level: info
-
-postgresql:
-  # -- Enable and configure postgres as the database for dendrite.
-  # @default -- See value.yaml
-  enabled: false
-
-ingress:
-  # -- Create an ingress for the deployment
-  enabled: false
-
-service:
-  type: ClusterIP
-  port: 8008
-
-prometheus:
-  servicemonitor:
-    # -- Enable ServiceMonitor for Prometheus-Operator for scrape metric-endpoint
-    enabled: false
-    # -- Extra Labels on ServiceMonitor for selector of Prometheus Instance
-    labels: {}
-  rules:
-    # -- Enable PrometheusRules for Prometheus-Operator for setup alerting
-    enabled: false
-    # -- Extra Labels on PrometheusRules for selector of Prometheus Instance
-    labels: {}
-    # -- additional alertrules (no default alertrules are provided)
-    additionalRules: []
-

infrastructure/crowdsec/bouncer-api-key.sealedsecret.yaml

@@ -0,0 +1,15 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  creationTimestamp: null
+  name: bouncer-api-key
+  namespace: crowdsec
+spec:
+  encryptedData:
+    BOUNCER_KEY_TRAEFIK: AgAQYtZ9nhTcPudhhvBb/UC01CXLsItYr8u890ctD9AsTcn/tVZELCYDmmhoRCebMZofdLwhsnR4BoaBvFU4NgQk7qCUOm2O5YG11RXwOLuQv50+XcK2NTIuj9DsBqwLjYjWdRwV2PG++twP33mRFe+L/nw9d2JjyujF9FoFWL9OyU/IH8qb3FK9652wBTrC0VX251lZ2AU0xMvgGEa9BhTtobw+cE7xUbhazsRc7SqimW0iJ6ZiYYsJcVnMustHRx951YiVin2c0ub1v+JfvsMTiXUfbdt235BMXgevmvWVqPDlUgBHEfAiKl1ktQKqdd2KijEPCzEtVKbRXfFRtv0SOebLeQ949uNUmnhYUn7k+s9QiDo/4Pl4w5p5+i//BKbDe/dyagUFxNTw3ZpsGusI4B2dHwTtE0y8TTW4BDxNh4PaTVT0hN0ctSsG6joBCTes6dWfdFDo7NzRZ4suZGfTpZbJknYcp+hbaJxeHLnJUAkFHLj9AfT1tAAZVc8wVy3Nw/hwnntEBGUJJ35BhyKKYvkWWPqk/5Ay6U8CeaiupHHMbTRisiqZfuZ4KI6zJZlBMLcdK32d1gMqTJpvhkiC8h4+U3ygBf+rxf6R66+kDzalrLFX8sU3Sl7fVc8qYTPESrz9/RXBGHegunhrmfq6g5lyYyM+KPK71C7NCyhqDfzY4nqO6omh83UDOlCjm+++N7/UHHf+9hs6OUi1BmAOMJkvb8bX43SVDDA4gxoZplVgAK7E0w==
+  template:
+    metadata:
+      creationTimestamp: null
+      name: bouncer-api-key
+      namespace: crowdsec

infrastructure/crowdsec/bouncer.middleware.yaml

@@ -0,0 +1,12 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: bouncer
+spec:
+  plugin:
+    bouncer:
+      enabled: true
+      crowdsecMode: stream
+      crowdsecLapiScheme: https
+      crowdsecLapiHost: crowdsec-service.crowdsec:8080
+      crowdsecLapiKey: saödlkfhhqäüweo1p30947ß4rfepoihäp

infrastructure/crowdsec/dashboard-api-key.sealedsecret.yaml

@@ -0,0 +1,15 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  creationTimestamp: null
+  name: dashboard-api-key
+  namespace: crowdsec
+spec:
+  encryptedData:
+    ENROLL_KEY: AgAOEbB81UuCj2qgR4p+gsvnDY3LC+IcI8kMwFlPl91pVngyrGDHutafilDZD/QiGxu+3mBVMlFRzYXyAl2RjaO4YZ8p59hznSn6jf3bcfbfhQJhXjUfKkf1Jmm6gWbeDMKcOuRvxgG2YWRtOo+xNLhHtMnTKC4B7R7X160GjlNV7SdXn4S+q9Oo/ZIz/q2Y6p5wXccpPNS6OEMjb8YJlfhj6FrsAoeO25fNruELBtzgHApVvx922wx9mpYialkQOsC+3IcogQprXQZZ+B8qph7PYQ1vIzD8Ch7df3Wj4JmMHsfpK5DRP6tACrM6PsYUy0BVqaBHWT9EHbIGc2w1/g9qPfauuTS8ZDsUEl7wpyQvHfXsQER63er5xT9Xv9kSrBUvSEaYoZr+Gw8Qi4N/SNW7e1JPiwQEpFP3GrFnnDLdGhGHvrvMzO5FAz1m+tnziVhfjpoOYQDlrvsS4+h+qU17/Kmu6EoGcpjqrEvUwN19Ar9pNz8qLbumTGlIzRbeVQWmv9F6icdT3idd8sCHeiAplE99kBAz780pxMgXRR/YmaBQz1xeOrKHAVBLegdj9eNmS62b72DHdsiY2jX7D1s1dFGWl45lIyv4RlNAQhjTiqFHeaUzJUii85WNSxpp9n8Cw/ua/mdUvcn8z9WQ11uVbVqurYD3TvsOnva0V6rffaeJjIovyMOXs2wHk6nokxj4L4Ut4YkmRGZaTu7wptjqBanaROZgEHEd
+  template:
+    metadata:
+      creationTimestamp: null
+      name: dashboard-api-key
+      namespace: crowdsec

infrastructure/crowdsec/kustomization.yaml

@@ -0,0 +1,18 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources: 
+  - namespace.yaml
+  - dashboard-api-key.sealedsecret.yaml
+  - bouncer-api-key.sealedsecret.yaml
+  - bouncer.middleware.yaml
+
+
+namespace: crowdsec
+
+
+helmCharts:
+  - name: crowdsec
+    releaseName: crowdsec
+    version: 0.12.0
+    valuesFile: values.yaml
+    repo: https://crowdsecurity.github.io/helm-charts

infrastructure/crowdsec/values.yaml

@@ -0,0 +1,93 @@
+# -- for raw logs format: json or cri (docker|containerd)
+container_runtime: containerd
+
+
+
+# lapi will deploy pod with crowdsec lapi and dashboard as deployment
+lapi:
+  # -- replicas for local API
+  replicas: 1
+  # -- environment variables from crowdsecurity/crowdsec docker image
+  env:
+    - name: ENROLL_INSTANCE_NAME
+      value: "kluster"
+
+  # Allows you to load environment variables from kubernetes secret or config map
+  envFrom:
+    - secretRef:
+        name: dashboard-api-key
+    - secretRef:
+        name: bouncer-api-key
+
+
+  dashboard:
+    # -- Enable Metabase Dashboard (by default disabled)
+    enabled: false
+
+  # -- Enable persistent volumes
+  persistentVolume:
+    # -- Persistent volume for data folder. Stores e.g. registered bouncer api keys
+    data:
+      enabled: true
+      accessModes:
+        - ReadWriteOnce
+      storageClassName: "nfs-client"
+      size: 1Gi
+    # -- Persistent volume for config folder. Stores e.g. online api credentials
+    config:
+      enabled: true
+      accessModes:
+        - ReadWriteOnce
+      storageClassName: "nfs-client"
+      size: 100Mi
+
+
+  # -- Enable service monitoring (exposes "metrics" port "6060" for Prometheus)
+  metrics:
+    enabled: true
+    # -- Creates a ServiceMonitor so Prometheus will monitor this service
+    # -- Prometheus needs to be configured to watch on all namespaces for ServiceMonitors
+    # -- See the documentation: https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-prometheus-stack#prometheusioscrape
+    # -- See also: https://github.com/prometheus-community/helm-charts/issues/106#issuecomment-700847774
+    serviceMonitor:
+      enabled: true
+
+
+# agent will deploy pod on every node as daemonSet to read wanted pods logs
+agent:
+  acquisition:
+    # The namespace where the pod is located
+    - namespace: traefik-system
+      # The pod name
+      podName: traefik-*
+      # as in crowdsec configuration, we need to specify the program name to find a matching parser
+      program: traefik
+
+  # -- Enable persistent volumes
+  persistentVolume:
+    # -- Persistent volume for config folder. Stores local config (parsers, scenarios etc.)
+    config:
+      enabled: false
+      accessModes:
+        - ReadWriteOnce
+      storageClassName: ""
+      existingClaim: ""
+      size: 100Mi
+  # -- Enable hostPath to /var/log
+  hostVarLog: true
+  # -- environment variables from crowdsecurity/crowdsec docker image
+  env:
+    - name: COLLECTIONS
+      value: "crowdsecurity/traefik"
+
+  # -- Enable service monitoring (exposes "metrics" port "6060" for Prometheus)
+  metrics:
+    enabled: true
+    # -- Creates a ServiceMonitor so Prometheus will monitor this service
+    # -- Prometheus needs to be configured to watch on all namespaces for ServiceMonitors
+    # -- See the documentation: https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-prometheus-stack#prometheusioscrape
+    # -- See also: https://github.com/prometheus-community/helm-charts/issues/106#issuecomment-700847774
+    serviceMonitor:
+      enabled: false
+      additionalLabels: {}
+