Lots of stuff

images/caddy_full/Dockerfile

@@ -3,8 +3,8 @@ FROM caddy:builder AS builder
 
 # Install xcaddy and build Caddy with plugins
 RUN xcaddy build \
-  --with github.com/corazawaf/coraza-caddy \
-  --with github.com/hslatman/caddy-crowdsec-bouncer/http
+  --with github.com/corazawaf/coraza-caddy/v2@v2.0.0 \
+  --with github.com/hslatman/caddy-crowdsec-bouncer/http@v0.8.1
 
 # Stage to download OWASP CRS
 FROM alpine:latest AS crs

install.sh

@@ -1,6 +1,7 @@
 #!/bin/bash
 
 source ./user/create_user.sh
+source ./user/create_deploy_user.sh
 source ./user/ssh_config.sh
 source ./web/install_caddy.sh
 source ./web/setup_ufw.sh
@@ -12,7 +13,6 @@ source ./monitoring/install_prometheus.sh
 
 chmod +x ./user/create_user.sh
 chmod +x ./user/ssh_config.sh
-chmod +x ./web/install_nginx.sh
 chmod +x ./web/setup_ufw.sh
 chmod +x ./docker/install_docker.sh
 chmod +x ./utils/install_vim.sh
@@ -34,7 +34,8 @@ setup_ufw
 
 # User
 create_user $1
-config_ssh $1
+create_deploy_user
+config_ssh "deploy"
 
 # Utils
 install_vim

templates/caddy/full/Makefile

@@ -8,11 +8,16 @@ caddy\:restart:
 	docker exec caddy caddy reload --config /etc/caddy/Caddyfile
 	@echo "Caddy configuration reloaded successfully."
 
-caddy\:crowdsec-key
+caddy\:crowdsec-key:
 	@echo "Generating new CrowdSec API key..."
 	docker exec crowdsec cscli bouncers add caddy-bouncer
 	@echo "\n=== IMPORTANT ===\nCopy the API_KEY from the output above and replace the value of CROWDSEC_API_KEY in your .env file."
 
+caddy\:generate-password:
+	@echo "Generating new password..."
+	docker exec -it caddy caddy hash-password
+	@echo "\n=== IMPORTANT ===\nCopy the password from the output above and replace the value of PROMETHEUS_PASSWORD in your Caddyfile."
+
 caddy\:logs:
 	@echo "Showing Caddy logs..."
 	docker compose logs -f caddy

templates/caddy/full/caddy/Caddyfile

@@ -42,11 +42,17 @@
 #   reverse_proxy * http://{CONTAINER_NAME}:{CONTAINER_PORT}
 # }
 
-# Example: Bypassing WAF for given API path (Useful for allowing prometheus query)
+# Example: Bypassing WAF for given API path
+# NEEDED FOR PROMETHEUS
 # api.example2.com {
+#   basic_auth {
+#     agala {$PROMETHEUS_PASSWORD}
+#   }
+#
 #   @waf {
 #     not path /api/v1/*
 #   }
+#
 #   handle @waf {
 #     coraza_waf {
 #       directives `

templates/caddy/full/docker-compose.yml

@@ -1,6 +1,6 @@
 services:
   crowdsec:
-    image: crowdsecurity/crowdsec:latest
+    image: crowdsecurity/crowdsec:v1.6.4
     container_name: crowdsec
     volumes:
       - ./crowdsec/acquis.yaml:/etc/crowdsec/acquis.yaml

templates/monitoring/docker-compose.yml

@@ -1,7 +1,7 @@
 services:
   # PORT 9099
   prometheus:
-    image: prom/prometheus:latest
+    image: prom/prometheus:v3.1.0
     container_name: prometheus
     restart: always
     volumes:
@@ -12,12 +12,26 @@ services:
 
   # PORT 9100
   node_exporter:
-    image: prom/node-exporter:latest
+    image: prom/node-exporter:v1.8.2
     container_name: node-exporter
     restart: always
     networks:
       - monitoring_net
 
+  # PORT 8080
+  cadvisor:
+    image: gcr.io/cadvisor/cadvisor:v0.49.2
+    container_name: cadvisor
+    volumes:
+      - /:/rootfs:ro
+      - /var/run:/var/run:ro
+      - /sys:/sys:ro
+      - /var/lib/docker/:/var/lib/docker:ro
+      - /dev/disk/:/dev/disk:ro
+    restart: unless-stopped
+    networks:
+      - monitoring_net
+
 networks:
   monitoring_net:
     external: true

templates/monitoring/prometheus.yml

@@ -1,5 +1,5 @@
 global:
-  scrape_interval: 5s
+  scrape_interval: 15s
 
 scrape_configs:
 
@@ -18,3 +18,7 @@ scrape_configs:
   - job_name: 'caddy'
     static_configs:
       - targets: ['caddy:2019']
+
+  - job_name: 'cadvisor'
+    static_configs:
+      - targets: ['cadvisor:8080']

user/create_deploy_user.sh

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+function create_deploy_user() {
+  username="deploy"
+  echo "[ USER ]: Starting user $usernname setup"
+  sudo useradd $username
+  echo "[ USER ]: Set a password for user [$username]:"
+  sudo passwd $username
+  echo "[ USER ]: User [deploy] created succesfully"
+
+  echo "[ USER ]: Adding user to groups"
+  sudo usermod -aG www-data $username
+  sudo usermod -aG docker $username
+  echo "[ USER ]: User added to the following groupps (www-data, docker)"
+
+  echo "[ USER ]: Setting ownership of /home/$username folder"
+  sudo chown -R $username:$username /home/$username
+
+  echo "[ USER ]: User setup finished"
+}