feat: add CrowdSec service and configuration for container security

2025-05-06 15:32:20 +08:00
parent 016ac4af28
commit 0df1163756
3 changed files with 62 additions and 0 deletions
@@ -86,6 +86,8 @@ services:
        - traefik.http.routers.traefik-public-https.service=api@internal
        # Define the port inside of the Docker service to use
        - traefik.http.services.traefik-public.loadbalancer.server.port=8080
+        # - crowdsec.enable=true
+        # - crowdsec.labels.type=nginx
    volumes:
      # Add Docker as a mounted volume, so that Traefik can read the labels of other services
      - /var/run/docker.sock:/var/run/docker.sock:ro
@@ -0,0 +1,57 @@
+services:
+  crowdsec:
+    image: crowdsecurity/crowdsec:slim
+    restart: always
+    networks:
+      crowdsec:
+    environment:
+      DOCKER_HOST: tcp://socket-proxy:2375
+      COLLECTIONS: "crowdsecurity/nginx"
+    ports:
+      - "127.0.0.1:8080:8080"
+    depends_on:
+      - 'socket-proxy'
+    volumes:
+      - ./crowdsec/acquis.yaml:/etc/crowdsec/acquis.yaml
+      - crowdsec-db:/var/lib/crowdsec/data/
+      - crowdsec-config:/etc/crowdsec/
+
+  socket-proxy:
+    networks:
+      crowdsec:
+    restart: always
+    image: lscr.io/linuxserver/socket-proxy:latest
+    container_name: socket-proxy
+    environment:
+      INFO: 1
+      CONTAINERS: 1
+      POST: 0
+      BUILD: 0
+      COMMIT: 0
+      CONFIGS: 0
+      DISTRIBUTION: 0
+      EXEC: 0
+      GRPC: 0
+      IMAGES: 0
+      NETWORKS: 0
+      NODES: 0
+      PLUGINS: 0
+      SERVICES: 0
+      SESSION: 0
+      SWARM: 0
+      SYSTEM: 0
+      TASKS: 0
+      VOLUMES: 0
+    volumes:
+      - '/var/run/docker.sock:/var/run/docker.sock:ro'
+    read_only: true
+    tmpfs:
+      - /run
+
+volumes:
+  crowdsec-db:
+  crowdsec-config:
+
+networks:
+  crowdsec:
+    driver: bridge
@@ -0,0 +1,3 @@
+source: docker
+use_container_labels: true ## https://docs.crowdsec.net/docs/next/data_sources/docker#use_container_labels
+check_interval: 10s ## How often to check for new containers https://docs.crowdsec.net/docs/next/appsec/quickstart/traefik