From 21a784cc6337a82b3def6cbdf0f28b7992d20125 Mon Sep 17 00:00:00 2001
From: Adrien Reslinger
Date: Sat, 26 Mar 2022 00:30:49 +0100
Subject: [PATCH] WIP
---
 defaults/main.yml | 19 +++++++
 handlers/main.yml | 10 ++++
 tasks/add_bouncer.yml | 37 ++++++++++++
 tasks/main.yml | 34 ++++++++++-
 tasks/register_agent.yml | 18 ++++++
 templates/etc/crowdsec/config.yaml.j2 | 56 +++++++++++++++++++
 .../parsers/s02-enrich/mywhitelist.yaml.j2 | 7 +++
 7 files changed, 180 insertions(+), 1 deletion(-)
 create mode 100644 defaults/main.yml
 create mode 100644 handlers/main.yml
 create mode 100644 tasks/add_bouncer.yml
 create mode 100644 tasks/register_agent.yml
 create mode 100644 templates/etc/crowdsec/config.yaml.j2
 create mode 100644 templates/etc/crowdsec/parsers/s02-enrich/mywhitelist.yaml.j2
diff --git a/defaults/main.yml b/defaults/main.yml
new file mode 100644
index 0000000..a1d129f
--- /dev/null
+++ b/defaults/main.yml
@@ -0,0 +1,19 @@
+---
+crowdsec_server:
+ enabled: true
+ listen_uri: 127.0.0.1:8080
+crowdsec_prometheus:
+ enabled: true
+crowdsec_lapi_url: http://127.0.0.1:8080/
+crowdsec_bouncer:
+ enabled: true
+crowdsec_whitelist:
+ enabled: false
+ ip:
+ - "1.1.1.1"
+ - "1.1.1.2"
+ cidr:
+ - "2.2.2.2/24"
+
+# Distributed environment
+crowdsec_delegate_server_hostname: "{{ inventory_hostname }}"
diff --git a/handlers/main.yml b/handlers/main.yml
new file mode 100644
index 0000000..798eabf
--- /dev/null
+++ b/handlers/main.yml
@@ -0,0 +1,10 @@
+---
+- name: restart crowdsec
+ systemd:
+ name: crowdsec
+ state: restarted
+
+- name: restart crowdsec-firewall-bouncer
+ systemd:
+ name: crowdsec-firewall-bouncer
+ state: restarted
\ No newline at end of file
diff --git a/tasks/add_bouncer.yml b/tasks/add_bouncer.yml
new file mode 100644
index 0000000..c5964ce
--- /dev/null
+++ b/tasks/add_bouncer.yml
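Review bot: `crowdsec_lapi_url` defaults to cleartext `http://127.0.0.1:8080/` while `crowdsec_delegate_server_hostname` lets the LAPI live on another host, and in `tasks/add_bouncer.yml` that same URL is what the (still commented) bouncer config writes as `api_url`, so a distributed deployment carries bouncer API keys over plain HTTP unless the operator overrides both values together. A comment above the key would make the coupling explicit: `# Must be reachable from every agent/bouncer host; use https when crowdsec_delegate_server_hostname differs from inventory_hostname, since API keys travel in these requests.` Likewise `listen_uri: 127.0.0.1:8080` is a safe loopback default, but the template's `tls:` block is commented out, so a non-loopback value deserves a note that TLS must be enabled in `config.yaml.j2` first.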
@@ -0,0 +1,37 @@
+---
+- name: Install bouncer (currently only firewall)
+ ansible.builtin.apt:
+ name:
+ - crowdsec-firewall-bouncer
+ - crowdsec-firewall-bouncer-iptables
+ when:
+ - ansible_os_family == "Debian"
+
+- name: Install crowdsec
+ ansible.builtin.dnf:
+ name:
+ - crowdsec-firewall-bouncer-nftables
+ state: present
+ when:
+ - ansible_os_family == "RedHat"
+
+#- name: Register new bouncer
+# command: cscli bouncers add {{ inventory_hostname }} -o raw
+# register: _csbouncer
+# delegate_to: "{{ crowdsec_delegate_server_hostname }}"
+# changed_when: _csbouncer.stderr is not search("already exists")
+#
+#- name: Deploy bouncer config
+# lineinfile:
+# regex: "{{ item.regex }}"
+# line: "{{ item.line }}"
+# dest: /etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml
+# with_items:
+# - regex: "^api_url"
+# line: "api_url: {{ crowdsec_lapi_url }}"
+# - regex: "^api_key"
+# line: "api_key: {{ _csbouncer.stdout }}"
+# when: _csbouncer.changed
+# notify: restart crowdsec-firewall-bouncer
+# loop_control:
+# label: "{{ item.regex }}"
diff --git a/tasks/main.yml b/tasks/main.yml
index 1765dc5..d4ce028 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -20,7 +20,7 @@
 state: present
 - name: add crowdsec repository
- aansible.builtin.pt_repository:
+ ansible.builtin.apt_repository:
 repo: 'deb https://packagecloud.io/crowdsec/crowdsec/{{ ansible_distribution|lower }}/ {{ ansible_distribution_release|lower }} main'
 state: present
 update_cache: yes
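Review bot: The commented-out `Register new bouncer` and `Deploy bouncer config` tasks, once re-enabled, will expose the bouncer API key in play output: `_csbouncer.stdout` is the key returned by `cscli bouncers add ... -o raw`, and neither task carries `no_log: true` (the `loop_control.label` hides the `line` item, but not the registering task's stdout). Since `/etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml` holds that key, the `lineinfile` task should also pin `mode: "0600"`, and `{{ inventory_hostname }}` in the `command` line is worth writing as `{{ inventory_hostname | quote }}` so a hostname with shell-special characters cannot split the argument. `when: _csbouncer.changed` also skips the `api_url` line whenever the bouncer already exists, so a later change to `crowdsec_lapi_url` never reaches the bouncer config. Minor: the second install task is named `Install crowdsec` but installs `crowdsec-firewall-bouncer-nftables`; `Install bouncer (nftables)` would mirror the Debian task.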
@@ -63,5 +63,37 @@
 state: present
 update_cache: yes
+ - name: Deploy main config
+ template:
+ src: etc/crowdsec/config.yaml.j2
+ dest: /etc/crowdsec/config.yaml
+ owner: root
+ group: root
+ mode: 0644
+ notify: restart crowdsec
+
+ - name: Deploy whitelist
+ template:
+ src: etc/crowdsec/parsers/s02-enrich/mywhitelist.yaml.j2
+ dest: /etc/crowdsec/parsers/s02-enrich/mywhitelist.yaml
+ owner: root
+ group: root
+ mode: 0644
+ when: crowdsec_whitelist.enabled
+ notify: restart crowdsec
+
+ - name: Flush handlers to apply config
+ meta: flush_handlers
+
+# - name: Register agent(s)
+# include_tasks: register_agent.yml
+# when:
+# - crowdsec_delegate_server_hostname != inventory_hostname
+#
+ - name: Register distributed bouncers(s)
+ include_tasks: add_bouncer.yml
+ when:
+ - crowdsec_bouncer.enabled
+
 tags:
 - crowdsec
diff --git a/tasks/register_agent.yml b/tasks/register_agent.yml
new file mode 100644
index 0000000..59b4d32
--- /dev/null
+++ b/tasks/register_agent.yml
@@ -0,0 +1,18 @@
+---
+- name: Check if agent is already registered
+ shell: cscli machines list -o raw | grep {{ inventory_hostname }} | grep true || echo "Not found"
+ register: _csmachines
+ delegate_to: "{{ crowdsec_delegate_server_hostname }}"
+ changed_when: false
+
+- block:
+ - name: Register agent to server
+ command: cscli lapi register -u {{ crowdsec_lapi_url }} --machine {{ inventory_hostname }}
+ notify: restart crowdsec
+
+ - name: Validate agent on server
+ command: cscli machines validate {{ inventory_hostname }}
+ delegate_to: "{{ crowdsec_delegate_server_hostname }}"
+ when:
+ - _csmachines.rc == 0
+ - _csmachines.stdout is search("Not found")
diff --git a/templates/etc/crowdsec/config.yaml.j2 b/templates/etc/crowdsec/config.yaml.j2
new file mode 100644
index 0000000..028d3a3
--- /dev/null
+++ b/templates/etc/crowdsec/config.yaml.j2
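Review bot: `mode: 0644` on both new `template` tasks (`Deploy main config`, `Deploy whitelist`) is an unquoted octal literal; Ansible handles it, but the documented form is the string `mode: "0644"`, which avoids the YAML 1.1/1.2 difference in reading leading-zero integers. The new tasks use short module names (`template`, `meta`, `include_tasks`) while the earlier hunk in this file uses `ansible.builtin.apt_repository`; `ansible.builtin.template` and friends would keep the file on one convention. These tasks appear to sit one level inside a block whose start is outside the hunk, so its `become` and `when` scope could not be checked here.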
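Review bot: `|| echo "Not found"` in the `Check if agent is already registered` shell task forces `_csmachines.rc` to 0, so the `_csmachines.rc == 0` guard on the block can never fail and any `cscli` error or unreachable delegate is read as "not registered", triggering a fresh `cscli lapi register` for an agent that may already exist. Letting grep's exit status carry the answer is simpler: `shell: cscli machines list -o raw | grep -w {{ inventory_hostname | quote }} | grep -q true`, `failed_when: _csmachines.rc > 1`, and `_csmachines.rc == 1` as the block condition. `grep -w` also stops `host1` matching `host10`, and `| quote` keeps an inventory name with shell metacharacters from altering the pipeline; a failing `cscli` would still look like an empty match, so a fuller fix would parse `cscli machines list -o json` in Ansible rather than in a shell pipeline. The `command` lines under the block (`cscli lapi register ...`, `cscli machines validate ...`) would benefit from the same `| quote` on `inventory_hostname` and `crowdsec_lapi_url`.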
@@ -0,0 +1,56 @@
+common:
+ daemonize: true
+ pid_dir: /var/run/
+ log_media: file
+ log_level: info
+ log_dir: /var/log/
+ working_dir: .
+config_paths:
+ config_dir: /etc/crowdsec/
+ data_dir: /var/lib/crowdsec/data/
+ simulation_path: /etc/crowdsec/simulation.yaml
+ hub_dir: /etc/crowdsec/hub/
+ index_path: /etc/crowdsec/hub/.index.json
+ notification_dir: /etc/crowdsec/notifications/
+ plugin_dir: /usr/lib64/crowdsec/plugins/
+crowdsec_service:
+ acquisition_path: /etc/crowdsec/acquis.yaml
+ parser_routines: 1
+cscli:
+ output: human
+db_config:
+ log_level: info
+ type: sqlite
+ db_path: /var/lib/crowdsec/data/crowdsec.db
+ #user:
+ #password:
+ #db_name:
+ #host:
+ #port:
+ flush:
+ max_items: 5000
+ max_age: 7d
+plugin_config:
+ user: nobody # plugin process would be ran on behalf of this user
+ group: nobody # plugin process would be ran on behalf of this group
+api:
+ client:
+ insecure_skip_verify: false
+ credentials_path: /etc/crowdsec/local_api_credentials.yaml
+{% if crowdsec_server.enabled %}
+ server:
+ log_level: info
+ listen_uri: {{ crowdsec_server.listen_uri }}
+ profiles_path: /etc/crowdsec/profiles.yaml
+ console_path: /etc/crowdsec/console.yaml
+ online_client: # Central API credentials (to push signals and receive bad IPs)
+ credentials_path: /etc/crowdsec/online_api_credentials.yaml
+# tls:
+# cert_file: /etc/crowdsec/ssl/cert.pem
+# key_file: /etc/crowdsec/ssl/key.pem
+{% endif %}
+prometheus:
+ enabled: {{ crowdsec_prometheus.enabled }}
+ level: full
+ listen_addr: 127.0.0.1
+ listen_port: 6060
diff --git a/templates/etc/crowdsec/parsers/s02-enrich/mywhitelist.yaml.j2 b/templates/etc/crowdsec/parsers/s02-enrich/mywhitelist.yaml.j2
new file mode 100644
index 0000000..c99a38e
--- /dev/null
+++ b/templates/etc/crowdsec/parsers/s02-enrich/mywhitelist.yaml.j2
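Review bot: The `tls:` block under `api.server` exists only as comments with no variable to switch it on, so any `crowdsec_server.listen_uri` other than loopback (the default is `127.0.0.1:8080`, but the role's delegate variable implies a remote LAPI) serves agent and bouncer authentication over plaintext HTTP. Rendering it from role variables lets an operator enable TLS without forking the template; the excerpt below replaces the three commented lines (the variable names are a proposal, to be added to `defaults/main.yml`). `listen_uri: {{ crowdsec_server.listen_uri }}` is an unquoted expansion — an empty value renders as YAML null — so `listen_uri: "{{ crowdsec_server.listen_uri }}"` is safer, and `enabled: {{ crowdsec_prometheus.enabled | to_json }}` keeps the rendered boolean lowercase. `plugin_dir: /usr/lib64/crowdsec/plugins/` and `group: nobody` look RedHat-specific (Debian systems appear to use `/usr/lib/crowdsec/plugins/` and `nogroup`), which may need to vary by `ansible_os_family` given `tasks/add_bouncer.yml` targets both families.
```jinja
{# … unchanged: api.server log_level, listen_uri, profiles_path, console_path, online_client … #}
{% if crowdsec_server.tls_cert_file is defined and crowdsec_server.tls_key_file is defined %}
    tls:
      cert_file: {{ crowdsec_server.tls_cert_file }}
      key_file: {{ crowdsec_server.tls_key_file }}
{% endif %}
```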
@@ -0,0 +1,7 @@
+---
+name: crowdsecurity/mywhitelists
+description: "Whitelist events from my ip addresses"
+whitelist:
+ reason: "my ip ranges"
+ ip: {{ crowdsec_whitelist.ip|to_yaml }}
+ cidr: {{ crowdsec_whitelist.cidr|to_yaml }}
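Review bot: `ip: {{ crowdsec_whitelist.ip|to_yaml }}` relies on `to_yaml` choosing flow style (`[1.1.1.1, 1.1.1.2]`) for a flat list; that is the dumper's behaviour for collections of scalars, but it is an implementation detail, and a nested or non-scalar value would render as a block sequence after the key and break the parser file. `ip: {{ crowdsec_whitelist.ip | to_json }}` produces an explicit flow list with quoted strings regardless of the value's shape, and the same applies to the `cidr` line. The `crowdsecurity/` prefix in `name: crowdsecurity/mywhitelists` is the one used by hub-published items; a local name such as `local/mywhitelists` makes clear in `cscli parsers list` that this item is role-managed rather than hub-installed.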