update restic image

2024-11-26 17:51:47 +01:00 · 2024-11-26 17:51:47 +01:00 · 9cf4d822c3
commit 9cf4d822c3
parent f6ae23c51a
2 changed files with 81 additions and 8 deletions
--- a/README.md
+++ b/README.md
@ -9,6 +9,10 @@
  - [Prerequisites](#prerequisites)
    - [Server Setup](#server-setup)
    - [Base23 Docker registry login](#base23-docker-registry-login)
+    - [CrowdSec](#crowdsec)
+      - [Setup CrowdSec Repo](#setup-crowdsec-repo)
+      - [Install CrowdSec](#install-crowdsec)
+      - [Configure CrowdSec](#configure-crowdsec)
  - [Installation](#installation)
    - [Clone \& configure initially](#clone--configure-initially)
    - [Fist run](#fist-run)
@ -50,6 +54,75 @@ apt update \
 docker login -u gitlab+deploy-token-5 registry.git.base23.de
 ```

+### CrowdSec
+
+#### Setup CrowdSec Repo
+
+```shell
+apt update \
+  && apt upgrade -y \
+  && apt install -y debian-archive-keyring \
+  && apt install -y curl gnupg apt-transport-https \
+  && mkdir -p /etc/apt/keyrings/ \
+  && curl -fsSL https://packagecloud.io/crowdsec/crowdsec/gpgkey | gpg --dearmor > /etc/apt/keyrings/crowdsec_crowdsec-archive-keyring.gpg \
+  && cat << EOF > /etc/apt/sources.list.d/crowdsec_crowdsec.list \
+  && apt update
+deb [signed-by=/etc/apt/keyrings/crowdsec_crowdsec-archive-keyring.gpg] https://packagecloud.io/crowdsec/crowdsec/any any main
+deb-src [signed-by=/etc/apt/keyrings/crowdsec_crowdsec-archive-keyring.gpg] https://packagecloud.io/crowdsec/crowdsec/any any main
+EOF
+```
+
+#### Install CrowdSec
+
+```shell
+apt install -y crowdsec crowdsec-firewall-bouncer-iptables \
+  && cscli completion bash | tee /etc/bash_completion.d/cscli \
+  && source ~/.bashrc
+```
+
+#### Configure CrowdSec
+
+Whitelist Tailscale IPs:
+
+```shell
+cat << EOF > /etc/crowdsec/parsers/s02-enrich/01-base23-tailscale.yaml \
+  && systemctl restart crowdsec; journalctl -xef -u crowdsec.service
+name: base23/tailscale ## Must be unqiue
+description: "Whitelist Tailscale"
+whitelist:
+  reason: "Tailscale clients"
+  cidr: 
+    - "100.64.0.0/10"
+EOF
+```
+
+Add Authentik integration:
+
+```shell
+cscli collections install firix/authentik \
+  && cat << EOF > /etc/crowdsec/acquis.d/authentik.yaml \
+  && crowdsec -t && systemctl restart crowdsec
+---
+source: docker
+container_name_regexp:
+  - sso-base23-de-server-*
+  - sso-base23-de-worker-*
+labels:
+  type: authentik
+EOF
+```
+
+Enable increasing ban time:
+
+```shell
+sed -i -e 's/^#duration_expr/duration_expr/g' /etc/crowdsec/profiles.yaml \
+  && crowdsec -t && systemctl restart crowdsec
+```
+
+Setup notifications:
+
+
+
 ## Installation

 ### Clone & configure initially
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -145,7 +145,7 @@ services:
      - frontend

  backup:
-    image: registry.git.base23.de/base23/backup/resticker:0.11.0
+    image: registry.git.base23.de/base23/backup/resticker:0.17.0
    environment:
      PRE_COMMANDS: |-
        docker exec sso-base23-de-postgresql-1 pg_dump -U ${PG_USER:-authentik} -d ${PG_DB:-authentik} -f /var/lib/postgresql/backups/${PG_DB:-authentik}.sql
@ -153,7 +153,7 @@ services:
      BACKUP_CRON: "32 2 * * *"
      RESTIC_REPOSITORY: sftp://${RESTIC_REPO_USER:?Restic repository user is required}@${RESTIC_REPO_ADDRESS:?Restic repository address is requried}:${RESTIC_REPO_PORT:?Restic repository port is required}//backup
      RESTIC_PASSWORD: ${RESTIC_REPO_PASSWORD:?Restic repository password is required}
-      RESTIC_BACKUP_SOURCES: /var/lib/backups
+      RESTIC_BACKUP_SOURCES: /var/lib/postgresql/backups /var/lib/authentik/backups /var/lib/lego/backups
      RESTIC_BACKUP_ARGS: >-
        --tag ${RESTIC_TAG:?Restic tag is required}
        --verbose
@ -164,14 +164,14 @@ services:
        --keep-monthly 12
      TZ: Europe/Berlin
    volumes:
-      - ./data/restic/ssh/:/tmp/.ssh/:ro
+      - ./data/restic/ssh/:/run/secrets/.ssh:ro
      - /var/run/docker.sock:/var/run/docker.sock
      - ./docker-compose.yml:/sso.base23.de/docker-compose.yml:ro
-      - backups_db:/var/lib/backups/postgresql:ro
-      - ./data/authentik/certs:/var/lib/backups/authentik/certs:ro
-      - ./data/authentik/custom-templates:/var/lib/backups/authentik/templates:ro
-      - ./data/authentik/media:/var/lib/backups/authentik/media:ro
-      - ./data/.lego:/var/lib/backups/lego:ro
+      - backups_db:/var/lib/postgresql/backups:ro
+      - ./data/authentik/certs:/var/lib/authentik/backups/certs:ro
+      - ./data/authentik/custom-templates:/var/lib/authentik/backups/templates:ro
+      - ./data/authentik/media:/var/lib/authentik/backups/media:ro
+      - ./data/.lego:/var/lib/lego/backups:ro

  prune-backup:
    image: registry.git.base23.de/base23/backup/resticker:0.11.0