From 72628f0f0e9b55c78a25f921063b39aff59e6968 Mon Sep 17 00:00:00 2001
From: Gabriel Radureau
Date: Wed, 26 Nov 2025 14:19:33 +0100
Subject: [PATCH] add crowdsec plugin and middleware for traefik
---
 .../arcodange/factory/playbooks/01_system.yml | 10 ++-
 .../factory/playbooks/tools/crowdsec.yml | 81 +++++++++++++++++++
 .../factory/playbooks/tools/tools.yml | 2 +
 3 files changed, 92 insertions(+), 1 deletion(-)
 create mode 100644 ansible/arcodange/factory/playbooks/tools/crowdsec.yml
diff --git a/ansible/arcodange/factory/playbooks/01_system.yml b/ansible/arcodange/factory/playbooks/01_system.yml
index a0cc285..74049d9 100644
--- a/ansible/arcodange/factory/playbooks/01_system.yml
+++ b/ansible/arcodange/factory/playbooks/01_system.yml
@@ -263,6 +263,8 @@
 localIp:
 ipAllowList:
 sourceRange:
+ - "172.16.0.0/12"
+ - "10.42.0.0/16"
 - "192.168.1.0/24"
 - "{{ ipify_public_ip }}/32"
 # - "0.0.0.0/0"
@@ -306,7 +308,7 @@
 value: 'true'
 logs:
 general:
- level: DEBUG
+ level: INFO
 # format: json
 access:
 enabled: true
@@ -333,9 +335,15 @@
 - name: traefik-configmap
 mountPath: /config
 type: configMap
+ experimental:
+ plugins:
+ crowdsec-bouncer:
+ moduleName: github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin #https://plugins.traefik.io/plugins/6335346ca4caa9ddeffda116/crowdsec-bouncer-traefik-plugin
+ version: v1.3.3
 additionalArguments:
 - '--providers.file.filename=/config/dynamic.yaml'
 - '--providers.kubernetesingress.ingressendpoint.publishedservice=kube-system/traefik'
+ - "--providers.kubernetescrd"
 certificatesResolvers:
 letsencrypt:
 acme:
diff --git a/ansible/arcodange/factory/playbooks/tools/crowdsec.yml b/ansible/arcodange/factory/playbooks/tools/crowdsec.yml
new file mode 100644
index 0000000..bfe67da
--- /dev/null
+++ b/ansible/arcodange/factory/playbooks/tools/crowdsec.yml
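Review bot: Adding `172.16.0.0/12` and `10.42.0.0/16` to `localIp.ipAllowList.sourceRange` widens "local" from one LAN subnet to an entire RFC 1918 /12 plus what looks like the cluster pod CIDR (10.42.0.0/16 is the k3s default), so if the list is matched against the request's source address, any workload running inside the cluster now passes a middleware whose name suggests it gates LAN-only routes. If this is meant to let a specific in-cluster component through (presumably the CrowdSec plugin traffic introduced in this commit), the narrowest range that covers it plus a comment stating why would keep the allowlist honest, e.g. `- "10.42.0.0/16"  # pod CIDR — needed so <COMPONENT> can reach <ROUTE>` with the placeholders filled in. Whether the list sees the pod address or a forwarded one depends on the middleware's `ipStrategy`, which this hunk does not show; worth confirming against the rest of the definition. The enclosing middleware definition starts before the hunk.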
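Review bot: The inline comment on the new `moduleName` line has no space after `#`, and the added `additionalArguments` entry is double-quoted while its two siblings use single quotes; `moduleName: github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin  # https://plugins.traefik.io/plugins/6335346ca4caa9ddeffda116/crowdsec-bouncer-traefik-plugin` and `- '--providers.kubernetescrd'` follow the file's existing conventions. Pinning `version: v1.3.3` is the right call for a plugin that Traefik fetches at startup, but the hunk does not say why the CRD provider is being switched on here; a one-line comment such as `# needed for the crowdsec Middleware CRD created by tools/crowdsec.yml` above the new argument would save the next reader a lookup. The enclosing values mapping continues outside the hunk.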
@@ -0,0 +1,81 @@
+---
+- name: crowdsec
+ # hosts: raspberries:&local
+ hosts: localhost
+ # debugger: on_failed
+
+ tasks:
+ - name: Récupérer le nom du pod CrowdSec LAPI
+ kubernetes.core.k8s_info:
+ kind: Pod
+ namespace: tools
+ label_selectors:
+ - k8s-app = crowdsec
+ - type = lapi
+ register: crowdsec_lapi_pods
+
+ - name: Vérifier qu'un pod a été trouvé
+ assert:
+ that: crowdsec_lapi_pods.resources | length > 0
+ fail_msg: "Aucun pod CrowdSec LAPI trouvé dans le namespace 'tools' avec les labels 'k8s-app=crowdsec, type=lapi'."
+
+ - name: Définir le nom du pod CrowdSec LAPI
+ set_fact:
+ crowdsec_lapi_pod_name: "{{ crowdsec_lapi_pods.resources[0].metadata.name }}"
+
+ - name: Récupérer la clé API du bouncer CrowdSec
+ kubernetes.core.k8s_exec:
+ namespace: tools
+ pod: "{{ crowdsec_lapi_pod_name }}"
+ container: crowdsec-lapi
+ command: >
+ cscli bouncers add traefik-plugin
+ register: bouncer_key_result
+ ignore_errors: yes
+
+ - name: Supprimer le bouncer existant en cas d'échec
+ kubernetes.core.k8s_exec:
+ namespace: tools
+ pod: "{{ crowdsec_lapi_pod_name }}"
+ container: crowdsec-lapi
+ command: >
+ cscli bouncers delete traefik-plugin
+ when: bouncer_key_result.failed
+
+ - name: Réessayer de récupérer la clé API
+ kubernetes.core.k8s_exec:
+ namespace: tools
+ pod: "{{ crowdsec_lapi_pod_name }}"
+ container: crowdsec-lapi
+ command: >
+ cscli bouncers add traefik-plugin
+ register: bouncer_key_result
+ when: bouncer_key_result.failed
+
+ - name: Créer le Middleware Traefik pour CrowdSec
+ kubernetes.core.k8s:
+ state: present
+ definition:
+ apiVersion: traefik.io/v1alpha1
+ kind: Middleware
+ metadata:
+ name: crowdsec
+ namespace: kube-system
+ spec:
+ plugin:
+ crowdsec-bouncer:
+ enabled: true
+ crowdsecMode: stream
+ crowdsecLapiScheme: http
+ crowdsecLapiHost: crowdsec-service.tools.svc.cluster.local:8080
+ crowdsecLapiKey: "{{ bouncer_key_result.stdout_lines[2].strip() }}"
+ htttTimeoutSeconds: 60
+ crowdsecAppsecEnabled: false
+ crowdsecAppsecHost: crowdsec:7422
+ crowdsecAppsecFailureBlock: true
+ crowdsecAppsecUnreachableBlock: true
+ forwardedHeadersTrustedIPs:
+ - 10.0.10.23/32
+ - 10.0.20.0/24
+ clientTrustedIPs:
+ - 192.168.1.0/24
\ No newline at end of file
diff --git a/ansible/arcodange/factory/playbooks/tools/tools.yml b/ansible/arcodange/factory/playbooks/tools/tools.yml
index 4e23d1d..eafab79 100644
--- a/ansible/arcodange/factory/playbooks/tools/tools.yml
+++ b/ansible/arcodange/factory/playbooks/tools/tools.yml
@@ -1,3 +1,5 @@
 ---
 - name: hashicorp_vault
 ansible.builtin.import_playbook: hashicorp_vault.yml
+- name: crowdsec
+ ansible.builtin.import_playbook: crowdsec.yml
\ No newline at end of file
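Review bot: On a first run the Middleware task fails, because `Réessayer de récupérer la clé API` registers into `bouncer_key_result` too and Ansible still assigns a registered variable when the task is skipped, so a successful first `cscli bouncers add` is overwritten by a `skipped` result that has no `stdout_lines`. Reading the key from `stdout_lines[2]` of human-formatted output is also fragile; `cscli bouncers add traefik-plugin -o raw` prints only the key, so `stdout | trim` suffices. The key is echoed in the play output by both `k8s_exec` tasks and again by the `k8s` task that embeds it in the Middleware, so all three should carry `no_log: true`; if the plugin release in use offers the `crowdsecLapiKeyFile` variant, a mounted Secret would keep it out of the CRD altogether. `htttTimeoutSeconds: 60` is a typo for `httpTimeoutSeconds` and is most likely ignored as written, and `ignore_errors: yes` should be `ignore_errors: true`. The rewritten tasks below register the retry under its own name and pick the right result when building the Middleware.
```yaml
    - name: Récupérer la clé API du bouncer CrowdSec
      kubernetes.core.k8s_exec:
        namespace: tools
        pod: "{{ crowdsec_lapi_pod_name }}"
        container: crowdsec-lapi
        command: cscli bouncers add traefik-plugin -o raw
      register: bouncer_key_result
      ignore_errors: true
      no_log: true

    # … unchanged: delete of the existing bouncer when the first add failed …

    - name: Réessayer de récupérer la clé API
      kubernetes.core.k8s_exec:
        namespace: tools
        pod: "{{ crowdsec_lapi_pod_name }}"
        container: crowdsec-lapi
        command: cscli bouncers add traefik-plugin -o raw
      register: bouncer_key_retry  # own name: a skipped task would otherwise overwrite bouncer_key_result
      when: bouncer_key_result.failed
      no_log: true

    - name: Créer le Middleware Traefik pour CrowdSec
      kubernetes.core.k8s:
        state: present
        definition:
          # … unchanged: apiVersion, kind, metadata …
          spec:
            plugin:
              crowdsec-bouncer:
                # … unchanged: enabled, crowdsecMode, crowdsecLapiScheme, crowdsecLapiHost …
                crowdsecLapiKey: "{{ (bouncer_key_retry.stdout if bouncer_key_result.failed else bouncer_key_result.stdout) | trim }}"
                httpTimeoutSeconds: 60
                # … unchanged: appsec settings, forwardedHeadersTrustedIPs, clientTrustedIPs …
      no_log: true
```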