From 1ca5805e801e68aef50702fda53792b3d91a6c7f Mon Sep 17 00:00:00 2001
From: elAgala
Date: Mon, 3 Feb 2025 02:34:53 -0300
Subject: [PATCH] Lots of stuff

---
 images/caddy_full/Dockerfile | 4 ++--
 install.sh | 5 +++--
 templates/caddy/full/Makefile | 7 ++++++-
 templates/caddy/full/caddy/Caddyfile | 8 +++++++-
 templates/caddy/full/docker-compose.yml | 2 +-
 templates/monitoring/docker-compose.yml | 18 ++++++++++++++++--
 templates/monitoring/prometheus.yml | 6 +++++-
 user/create_deploy_user.sh | 20 ++++++++++++++++++++
 8 files changed, 60 insertions(+), 10 deletions(-)
 create mode 100644 user/create_deploy_user.sh

diff --git a/images/caddy_full/Dockerfile b/images/caddy_full/Dockerfile
index af580f6..43620d4 100644
--- a/images/caddy_full/Dockerfile
+++ b/images/caddy_full/Dockerfile
@@ -3,8 +3,8 @@ FROM caddy:builder AS builder
 
 # Install xcaddy and build Caddy with plugins
 RUN xcaddy build \
- --with github.com/corazawaf/coraza-caddy \
- --with github.com/hslatman/caddy-crowdsec-bouncer/http
+ --with github.com/corazawaf/coraza-caddy/v2@v2.0.0 \
+ --with github.com/hslatman/caddy-crowdsec-bouncer/http@v0.8.1
 
 # Stage to download OWASP CRS
 FROM alpine:latest AS crs
diff --git a/install.sh b/install.sh
index 16bf7f4..9c3c699 100644
--- a/install.sh
+++ b/install.sh
@@ -1,6 +1,7 @@
 #!/bin/bash
 
 source ./user/create_user.sh
+source ./user/create_deploy_user.sh
 source ./user/ssh_config.sh
 source ./web/install_caddy.sh
 source ./web/setup_ufw.sh
@@ -12,7 +13,6 @@ source ./monitoring/install_prometheus.sh
 
 chmod +x ./user/create_user.sh
 chmod +x ./user/ssh_config.sh
-chmod +x ./web/install_nginx.sh
 chmod +x ./web/setup_ufw.sh
 chmod +x ./docker/install_docker.sh
 chmod +x ./utils/install_vim.sh
@@ -34,7 +34,8 @@ setup_ufw
 
 # User
 create_user $1
-config_ssh $1
+create_deploy_user
+config_ssh "deploy"
 
 # Utils
 install_vim
diff --git a/templates/caddy/full/Makefile b/templates/caddy/full/Makefile
index 05d3189..022ebb4 100644
--- a/templates/caddy/full/Makefile
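Review bot: After `config_ssh "deploy"` replaces `config_ssh $1`, the account created by `create_user $1` three lines above no longer receives the SSH configuration it got before this commit; if that is intended, a comment such as `# SSH config is applied to the deploy user only; the $1 account keeps the distro defaults` would stop the next reader from reverting it. `$1` is still passed unquoted and unvalidated on the surviving `create_user $1` line, so running the script without an argument reaches useradd with an empty name; `create_user "${1:?username required}"` fails early with a clear message instead. install.sh is a flat script whose statements continue on both sides of this hunk.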
+++ b/templates/caddy/full/Makefile @@ -8,11 +8,16 @@ caddy\:restart: docker exec caddy caddy reload --config /etc/caddy/Caddyfile @echo "Caddy configuration reloaded successfully." -caddy\:crowdsec-key +caddy\:crowdsec-key: @echo "Generating new CrowdSec API key..." docker exec crowdsec cscli bouncers add caddy-bouncer @echo "\n=== IMPORTANT ===\nCopy the API_KEY from the output above and replace the value of CROWDSEC_API_KEY in your .env file." +caddy\:generate-password: + @echo "Generating new password..." + docker exec -it caddy caddy hash-password + @echo "\n=== IMPORTANT ===\nCopy the password from the output above and replace the value of PROMETHEUS_PASSWORD in your Caddyfile." + caddy\:logs: @echo "Showing Caddy logs..." docker compose logs -f caddy diff --git a/templates/caddy/full/caddy/Caddyfile b/templates/caddy/full/caddy/Caddyfile index 6cc01b7..6645b4c 100644 --- a/templates/caddy/full/caddy/Caddyfile +++ b/templates/caddy/full/caddy/Caddyfile @@ -42,11 +42,17 @@ # reverse_proxy * http://{CONTAINER_NAME}:{CONTAINER_PORT} # } -# Example: Bypassing WAF for given API path (Useful for allowing prometheus query) +# Example: Bypassing WAF for given API path +# NEEDED FOR PROMETHEUS # api.example2.com { +# basic_auth { +# agala {$PROMETHEUS_PASSWORD} +# } +# # @waf { # not path /api/v1/* # } +# # handle @waf { # coraza_waf { # directives ` diff --git a/templates/caddy/full/docker-compose.yml b/templates/caddy/full/docker-compose.yml index 730741f..678d2f0 100644 --- a/templates/caddy/full/docker-compose.yml +++ b/templates/caddy/full/docker-compose.yml @@ -1,6 +1,6 @@ services: crowdsec: - image: crowdsecurity/crowdsec:latest + image: crowdsecurity/crowdsec:v1.6.4 container_name: crowdsec volumes: - ./crowdsec/acquis.yaml:/etc/crowdsec/acquis.yaml diff --git a/templates/monitoring/docker-compose.yml b/templates/monitoring/docker-compose.yml index 20548d4..d1d7399 100644 --- a/templates/monitoring/docker-compose.yml 
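Review bot: The final message of the new `caddy\:generate-password` target sends the operator to `your Caddyfile`, but the Caddyfile example in this same commit reads the value through the `{$PROMETHEUS_PASSWORD}` environment placeholder, so the hash belongs in `.env` exactly as the neighbouring crowdsec-key target says; suggest `...replace the value of PROMETHEUS_PASSWORD in your .env file.` `caddy hash-password` prints a bcrypt hash, and a `$`-containing value loaded through compose's .env interpolation may need each `$` written as `$$` — I have not checked this against the compose version in use, but a one-line comment on the target pointing it out would save the next person a confusing login failure. The `-it` flag is there because hash-password prompts interactively, which also means this target cannot run from a non-interactive shell; that is worth a comment on the `docker exec -it` line.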
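Review bot: The added basic_auth example hard-codes the personal username `agala` while parameterising only the password; an environment placeholder for the user as well (`{$PROMETHEUS_USER} {$PROMETHEUS_PASSWORD}`) keeps the template free of a real account name. A comment on the `agala {$PROMETHEUS_PASSWORD}` line should state that the value must be the bcrypt hash produced by `caddy hash-password`, not the plaintext, since the directive expects a hashed credential. Because basic_auth sits at site level, the `/api/v1/*` path that the @waf matcher excludes from Coraza still requires credentials, which is the right default; `# basic_auth applies to every path, including the WAF-bypassed /api/v1/*` would make that intent explicit. The commented site block continues beyond the end of the hunk.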
+++ b/templates/monitoring/docker-compose.yml
@@ -1,7 +1,7 @@
 services:
 # PORT 9099
 prometheus:
- image: prom/prometheus:latest
+ image: prom/prometheus:v3.1.0
 container_name: prometheus
 restart: always
 volumes:
@@ -12,12 +12,26 @@ services:
 
 # PORT 9100
 node_exporter:
- image: prom/node-exporter:latest
+ image: prom/node-exporter:v1.8.2
 container_name: node-exporter
 restart: always
 networks:
 - monitoring_net
 
+ # PORT 8080
+ cadvisor:
+ image: gcr.io/cadvisor/cadvisor:v0.49.2
+ container_name: cadvisor
+ volumes:
+ - /:/rootfs:ro
+ - /var/run:/var/run:ro
+ - /sys:/sys:ro
+ - /var/lib/docker/:/var/lib/docker:ro
+ - /dev/disk/:/dev/disk:ro
+ restart: unless-stopped
+ networks:
+ - monitoring_net
+
 networks:
 monitoring_net:
 external: true
diff --git a/templates/monitoring/prometheus.yml b/templates/monitoring/prometheus.yml
index 3773141..4a9528a 100644
--- a/templates/monitoring/prometheus.yml
+++ b/templates/monitoring/prometheus.yml
@@ -1,5 +1,5 @@
 global:
- scrape_interval: 5s
+ scrape_interval: 15s
 
 scrape_configs:
 
@@ -18,3 +18,7 @@ scrape_configs:
 - job_name: 'caddy'
 static_configs:
 - targets: ['caddy:2019']
+
+ - job_name: 'cadvisor'
+ static_configs:
+ - targets: ['cadvisor:8080']
diff --git a/user/create_deploy_user.sh b/user/create_deploy_user.sh
new file mode 100644
index 0000000..3f404bb
--- /dev/null
+++ b/user/create_deploy_user.sh
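Review bot: The new cadvisor service bind-mounts the host root and `/var/run`, which normally holds the Docker socket; the `:ro` flag restricts writes to the filesystem but does not prevent connecting to a socket inside it, so anything that compromises this container effectively holds Docker control of the host. That matches the upstream cAdvisor run instructions, but the trust implication deserves a comment above the `volumes:` block (e.g. `# host-wide read access incl. the Docker socket under /var/run — treat this container as privileged`) and is a reason to keep 8080 unpublished on `monitoring_net` only, as the hunk does. `restart: unless-stopped` also differs from the `restart: always` on prometheus and node_exporter in this file; if the difference is not deliberate, `restart: always` keeps the three services consistent.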
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+function create_deploy_user() {
+ username="deploy"
+ echo "[ USER ]: Starting user $usernname setup"
+ sudo useradd $username
+ echo "[ USER ]: Set a password for user [$username]:"
+ sudo passwd $username
+ echo "[ USER ]: User [deploy] created succesfully"
+
+ echo "[ USER ]: Adding user to groups"
+ sudo usermod -aG www-data $username
+ sudo usermod -aG docker $username
+ echo "[ USER ]: User added to the following groupps (www-data, docker)"
+
+ echo "[ USER ]: Setting ownership of /home/$username folder"
+ sudo chown -R $username:$username /home/$username
+
+ echo "[ USER ]: User setup finished"
+}
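Review bot: `echo "[ USER ]: Starting user $usernname setup"` references a misspelled, never-set variable and so prints an empty name; `username` itself is assigned without `local`, so it leaks into the shell that sources this file (install.sh does), and every later `$username` is unquoted. `sudo useradd $username` passes no `-m`, so the home directory is only created where login.defs enables CREATE_HOME and the later `chown -R /home/$username` otherwise fails; a second run also calls `useradd` again on an existing account instead of skipping it. Adding the account to the `docker` group makes it root-equivalent on the host, which may be an accepted trade-off for a deploy user but should be stated in a comment rather than left implicit; "succesfully" and "groupps" in the messages are typos. The rewrite below addresses these while keeping the function name and the interactive passwd step.

```shell
function create_deploy_user() {
  local username="deploy"
  echo "[ USER ]: Starting user $username setup"
  # -m creates /home/$username so the chown below has a target; an existing account is reused.
  if id -u "$username" >/dev/null 2>&1; then
    echo "[ USER ]: User [$username] already exists, skipping creation"
  else
    sudo useradd -m "$username" || return 1
    echo "[ USER ]: Set a password for user [$username]:"
    sudo passwd "$username"
  fi
  echo "[ USER ]: User [$username] created successfully"

  # NOTE: membership in the docker group is root-equivalent on this host.
  echo "[ USER ]: Adding user to groups"
  sudo usermod -aG www-data "$username"
  sudo usermod -aG docker "$username"
  echo "[ USER ]: User added to the following groups (www-data, docker)"

  echo "[ USER ]: Setting ownership of /home/$username folder"
  sudo chown -R "$username:$username" "/home/$username"

  echo "[ USER ]: User setup finished"
}
```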