-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathdocker-compose.yml
More file actions
168 lines (126 loc) · 4.75 KB
/
Copy pathdocker-compose.yml
File metadata and controls
168 lines (126 loc) · 4.75 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
networks:
openbl_net:
driver: bridge
ipam:
config:
- subnet: 172.30.0.0/24
services:
etcd:
image: ${ETCD_IMAGE:-registry.k8s.io/etcd:3.5.15-0}
container_name: open-blocklist-etcd
hostname: etcd
command: >
/usr/local/bin/etcd
--advertise-client-urls=http://0.0.0.0:2379
--listen-client-urls=http://0.0.0.0:2379
--data-dir=/etcd-data
networks:
openbl_net:
ipv4_address: 172.30.0.20
ports:
- "${ETCD_HOST_PORT:-2379}:2379"
volumes:
- open-blocklist-etcd-data:/etcd-data
open-blocklist:
image: ${OPENBL_IMAGE:-ghcr.io/nashcom/open-blocklist:latest}
container_name: open-blocklist-main
hostname: open-blocklist
depends_on:
- etcd
networks:
openbl_net:
ipv4_address: 172.30.0.10
environment:
OPENBL_ETCD_ENDPOINT: http://172.30.0.20:2379
OPENBL_LOGLEVEL: ${OPENBL_LOGLEVEL:-INFO}
OPENBL_LOG_FILENAME: ${OPENBL_LOG_FILENAME}
# CrowdSec bouncer (optional — set OPENBL_CROWDSEC_ENABLED=true in .env)
OPENBL_CROWDSEC_ENABLED: ${OPENBL_CROWDSEC_ENABLED:-false}
OPENBL_CROWDSEC_LAPI_URL: http://172.30.0.40:8080
OPENBL_CROWDSEC_API_KEY: ${CROWDSEC_BOUNCER_KEY}
OPENBL_CROWDSEC_POLL_INTERVAL: ${OPENBL_CROWDSEC_POLL_INTERVAL:-30s}
ports:
- "${LOOKUP_HOST_PORT:-8090}:8090"
- "${BLOCK_HOST_PORT:-8091}:8091"
- "${METRICS_HOST_PORT:-9100}:9100"
- "${DNS_HOST_PORT:-5353}:5353/udp"
- "${DNS_HOST_PORT:-5353}:5353/tcp"
- "${PPROF_HOST_PORT:-6060}:6060/tcp"
coredns:
image: ${COREDNS_IMAGE:-coredns/coredns:latest}
container_name: open-blocklist-dns
hostname: dns
depends_on:
- open-blocklist
- etcd
networks:
openbl_net:
ipv4_address: 172.30.0.30
volumes:
- ./Corefile:/Corefile:ro
command: -conf /Corefile
ports:
- "${DNS_HOST_PORT:-55}:53/udp"
- "${DNS_HOST_PORT:-55}:53/tcp"
crowdsec:
image: ${CROWDSEC_IMAGE:-crowdsecurity/crowdsec:latest}
container_name: open-blocklist-crowdsec
hostname: crowdsec
networks:
openbl_net:
ipv4_address: 172.30.0.40
environment:
# Pre-register the open-blocklist bouncer with a fixed key.
# Set CROWDSEC_BOUNCER_KEY in your .env file (any random string).
BOUNCER_KEY_OPEN_BLOCKLIST: ${CROWDSEC_BOUNCER_KEY}
# Set to false to enable hub updates and telemetry
DISABLE_ONLINE_API: ${CROWDSEC_DISABLE_ONLINE_API:-true}
volumes:
# All acquisition configs (one file per log source)
- ./crowdsec/acquis.d:/etc/crowdsec/acquis.d
# Custom parsers — one line per parser file (directory mounts conflict)
- ./crowdsec/domino/parsers/s01-parse/domino.yaml:/etc/crowdsec/parsers/s01-parse/domino.yaml
- ./crowdsec/ssh/parsers/s01-parse/sshd.yaml:/etc/crowdsec/parsers/s01-parse/sshd.yaml
# Override default whitelist to allow private IPs (Docker network) for testing
- ./crowdsec/testing/whitelists.yaml:/etc/crowdsec/parsers/s02-enrich/whitelists.yaml
# Custom scenarios
- ./crowdsec/domino/scenarios/domino-bf.yaml:/etc/crowdsec/scenarios/domino-bf.yaml
- ./crowdsec/ssh/scenarios/ssh-bf.yaml:/etc/crowdsec/scenarios/ssh-bf.yaml
# SSH log file (shared with ssh-server container via named volume)
- sshd-logs:/logs/ssh
# Log directory for file-based sources (e.g. Domino)
- ${CROWDSEC_LOG_DIR:-./crowdsec/domino/testing/logs}:/logs/domino
# Persist CrowdSec decisions and state across restarts.
# /etc/crowdsec is NOT persisted — config is managed via bind mounts above.
- crowdsec-data:/var/lib/crowdsec/data
ports:
# Expose LAPI to the host for cscli access
- "${CROWDSEC_HOST_PORT:-18080}:8080"
ssh-server:
image: ${SSH_IMAGE:-alpine:latest}
container_name: open-blocklist-ssh
hostname: ssh-server
# Run sshd in the foreground (-D) and log to stderr (-e), redirected to
# a file on a shared volume. CrowdSec tails that file directly — the same
# file-based approach used for Domino and any other log source.
command: >
/bin/sh -c "
apk add --no-cache openssh &&
ssh-keygen -A &&
adduser -D -s /bin/sh ${SSH_USER:-testuser} &&
echo '${SSH_USER:-testuser}:${SSH_PASSWORD:-testpassword}' | chpasswd &&
echo 'PasswordAuthentication yes' > /etc/ssh/sshd_config.d/demo.conf &&
echo 'PermitRootLogin no' >> /etc/ssh/sshd_config.d/demo.conf &&
/usr/sbin/sshd -D -e 2>/logs/sshd.log
"
volumes:
- sshd-logs:/logs
networks:
openbl_net:
ipv4_address: 172.30.0.50
ports:
- "${SSH_HOST_PORT:-2222}:22"
volumes:
open-blocklist-etcd-data:
crowdsec-data:
sshd-logs: