2022-02-15 16:10:15 +00:00
|
|
|
#!/bin/bash
|
2020-11-30 09:37:17 +00:00
|
|
|
|
2021-10-14 15:02:38 +00:00
|
|
|
# Set the crowdsec config file
|
|
|
|
|
CS_CONFIG_FILE="/etc/crowdsec/config.yaml"
|
|
|
|
|
if [ "$CONFIG_FILE" != "" ]; then
|
|
|
|
|
CS_CONFIG_FILE="$CONFIG_FILE"
|
|
|
|
|
fi
|
|
|
|
|
|
2022-02-02 12:20:12 +00:00
|
|
|
# TLS defaults
|
|
|
|
|
CERT_FILE="${CERT_FILE:-/etc/ssl/cert.pem}"
|
|
|
|
|
KEY_FILE="${KEY_FILE:-/etc/ssl/key.pem}"
|
|
|
|
|
|
2022-02-15 16:10:15 +00:00
|
|
|
# Plugins directory default
|
|
|
|
|
PLUGIN_DIR="${PLUGIN_DIR:-/usr/local/lib/crowdsec/plugins/}"
|
|
|
|
|
|
2022-11-08 11:28:57 +00:00
|
|
|
# Check & prestage databases
|
|
|
|
|
for geodb in GeoLite2-ASN.mmdb GeoLite2-City.mmdb; do
|
|
|
|
|
# We keep the pre-populated geoib databases in /staging instead of /var,
|
|
|
|
|
# because if the data directory is bind-mounted from the host, it will be
|
|
|
|
|
# empty and the files will be out of reach, requiring a runtime download.
|
|
|
|
|
# We link to them to save about 80Mb compared to cp/mv.
|
|
|
|
|
if [ ! -e "/var/lib/crowdsec/data/$geodb" ] && [ -e "/staging/var/lib/crowdsec/data/$geodb" ]; then
|
|
|
|
|
mkdir -p /var/lib/crowdsec/data
|
|
|
|
|
ln -s "/staging/var/lib/crowdsec/data/$geodb" /var/lib/crowdsec/data/
|
|
|
|
|
fi
|
|
|
|
|
done
|
2022-02-01 11:35:57 +00:00
|
|
|
|
|
|
|
|
#Check & prestage /etc/crowdsec
|
|
|
|
|
if [ ! -e "/etc/crowdsec/local_api_credentials.yaml" ] && [ ! -e "/etc/crowdsec/config.yaml" ]; then
|
|
|
|
|
mkdir -p /etc/crowdsec
|
|
|
|
|
cp -r /staging/etc/* /etc/
|
|
|
|
|
fi
|
|
|
|
|
|
2021-11-02 08:19:22 +00:00
|
|
|
# regenerate local agent credentials (ignore if agent is disabled)
|
2021-09-10 12:59:22 +00:00
|
|
|
if [ "$DISABLE_AGENT" == "" ] ; then
|
2021-10-14 15:02:38 +00:00
|
|
|
echo "Regenerate local agent credentials"
|
2022-11-08 11:28:57 +00:00
|
|
|
cscli -c "$CS_CONFIG_FILE" machines delete "${CUSTOM_HOSTNAME:-localhost}"
|
2022-02-01 16:45:04 +00:00
|
|
|
if [ "$LOCAL_API_URL" != "" ] ; then
|
2022-11-08 11:28:57 +00:00
|
|
|
cscli -c "$CS_CONFIG_FILE" machines add "${CUSTOM_HOSTNAME:-localhost}" --auto --url "$LOCAL_API_URL"
|
2022-02-01 16:45:04 +00:00
|
|
|
else
|
2022-11-08 11:28:57 +00:00
|
|
|
cscli -c "$CS_CONFIG_FILE" machines add "${CUSTOM_HOSTNAME:-localhost}" --auto
|
2022-02-01 16:45:04 +00:00
|
|
|
fi
|
2021-09-10 12:59:22 +00:00
|
|
|
if [ "$AGENT_USERNAME" != "" ] && [ "$AGENT_PASSWORD" != "" ] && [ "$LOCAL_API_URL" != "" ] ; then
|
|
|
|
|
echo "set up lapi credentials for agent"
|
2021-10-14 15:02:38 +00:00
|
|
|
CONFIG_PATH=$(yq eval '.api.client.credentials_path' "$CS_CONFIG_FILE" )
|
2022-11-08 11:28:57 +00:00
|
|
|
echo "url: $LOCAL_API_URL" > "$CONFIG_PATH"
|
|
|
|
|
echo "login: $AGENT_USERNAME" >> "$CONFIG_PATH"
|
|
|
|
|
echo "password: $AGENT_PASSWORD" >> "$CONFIG_PATH"
|
2021-09-10 12:59:22 +00:00
|
|
|
fi
|
|
|
|
|
fi
|
|
|
|
|
|
2021-11-02 08:19:22 +00:00
|
|
|
# Check if lapi needs to automatically register an agent
|
2022-02-15 16:10:15 +00:00
|
|
|
echo "Check if lapi need to register automatically an agent"
|
2021-09-10 12:59:22 +00:00
|
|
|
if [ "$DISABLE_LOCAL_API" == "" ] && [ "$AGENT_USERNAME" != "" ] && [ "$AGENT_PASSWORD" != "" ] ; then
|
2022-02-03 11:26:20 +00:00
|
|
|
if [ "$LOCAL_API_URL" != "" ] ; then
|
2022-11-08 11:28:57 +00:00
|
|
|
cscli -c "$CS_CONFIG_FILE" machines add "$AGENT_USERNAME" --password "$AGENT_PASSWORD" --url "$LOCAL_API_URL"
|
2022-02-03 11:26:20 +00:00
|
|
|
else
|
2022-11-08 11:28:57 +00:00
|
|
|
cscli -c "$CS_CONFIG_FILE" machines add "$AGENT_USERNAME" --password "$AGENT_PASSWORD"
|
2022-02-03 11:26:20 +00:00
|
|
|
fi
|
2021-09-21 08:54:05 +00:00
|
|
|
echo "Agent registered to lapi"
|
2020-11-30 09:37:17 +00:00
|
|
|
fi
|
|
|
|
|
|
2021-02-10 08:29:29 +00:00
|
|
|
# registration to online API for signal push
|
2022-06-22 09:31:55 +00:00
|
|
|
if [ "${DISABLE_ONLINE_API,,}" != "true" ] && [ "$CONFIG_FILE" == "" ] ; then
|
2021-10-14 15:02:38 +00:00
|
|
|
CONFIG_EXIST=$(yq eval '.api.server.online_client | has("credentials_path")' "$CS_CONFIG_FILE")
|
2021-02-10 08:29:29 +00:00
|
|
|
if [ "$CONFIG_EXIST" != "true" ]; then
|
2021-10-14 15:02:38 +00:00
|
|
|
yq eval '.api.server.online_client = {"credentials_path": "/etc/crowdsec/online_api_credentials.yaml"}' "$CS_CONFIG_FILE" > /etc/crowdsec/config2.yaml
|
|
|
|
|
mv /etc/crowdsec/config2.yaml "$CS_CONFIG_FILE"
|
|
|
|
|
cscli -c "$CS_CONFIG_FILE" capi register > /etc/crowdsec/online_api_credentials.yaml
|
2021-09-21 08:54:05 +00:00
|
|
|
echo "registration to online API done"
|
2020-11-30 09:37:17 +00:00
|
|
|
fi
|
|
|
|
|
fi
|
|
|
|
|
|
2022-04-20 11:35:22 +00:00
|
|
|
## Enroll instance if enroll key is provided
|
2022-06-22 09:31:55 +00:00
|
|
|
if [ "${DISABLE_ONLINE_API,,}" != "true" ] && [ "$ENROLL_KEY" != "" ] ; then
|
2022-04-20 11:35:22 +00:00
|
|
|
enroll_args=""
|
|
|
|
|
if [ "$ENROLL_INSTANCE_NAME" != "" ] ; then
|
|
|
|
|
enroll_args="--name $ENROLL_INSTANCE_NAME"
|
|
|
|
|
fi
|
|
|
|
|
if [ "$ENROLL_TAGS" != "" ] ; then
|
2022-11-08 11:28:57 +00:00
|
|
|
#shellcheck disable=SC2086
|
2022-04-20 11:35:22 +00:00
|
|
|
for tag in ${ENROLL_TAGS}
|
|
|
|
|
do
|
|
|
|
|
enroll_args="$enroll_args --tags $tag"
|
|
|
|
|
done
|
|
|
|
|
fi
|
2022-11-08 11:28:57 +00:00
|
|
|
#shellcheck disable=SC2086
|
|
|
|
|
cscli console enroll $enroll_args "$ENROLL_KEY"
|
2022-04-20 11:35:22 +00:00
|
|
|
fi
|
|
|
|
|
|
2021-02-25 10:29:39 +00:00
|
|
|
# crowdsec sqlite database permissions
|
|
|
|
|
if [ "$GID" != "" ]; then
|
2021-10-14 15:02:38 +00:00
|
|
|
IS_SQLITE=$(yq eval '.db_config.type == "sqlite"' "$CS_CONFIG_FILE")
|
|
|
|
|
DB_PATH=$(yq eval '.db_config.db_path' "$CS_CONFIG_FILE")
|
2021-02-25 10:29:39 +00:00
|
|
|
if [ "$IS_SQLITE" == "true" ]; then
|
2022-11-08 11:28:57 +00:00
|
|
|
chown ":$GID" "$DB_PATH"
|
2021-09-21 08:54:05 +00:00
|
|
|
echo "sqlite database permissions updated"
|
2021-02-25 10:29:39 +00:00
|
|
|
fi
|
|
|
|
|
fi
|
|
|
|
|
|
2022-10-07 14:31:03 +00:00
|
|
|
if [ "${USE_TLS,,}" == "true" ]; then
|
2022-04-04 08:18:44 +00:00
|
|
|
yq -i eval ".api.server.tls.cert_file = \"$CERT_FILE\"" "$CS_CONFIG_FILE"
|
|
|
|
|
yq -i eval ".api.server.tls.key_file = \"$KEY_FILE\"" "$CS_CONFIG_FILE"
|
|
|
|
|
yq -i eval '... comments=""' "$CS_CONFIG_FILE"
|
2022-02-02 12:20:12 +00:00
|
|
|
fi
|
|
|
|
|
|
2022-02-15 16:10:15 +00:00
|
|
|
if [ "$PLUGIN_DIR" != "/usr/local/lib/crowdsec/plugins/" ]; then
|
2022-04-04 08:18:44 +00:00
|
|
|
yq -i eval ".config_paths.plugin_dir = \"$PLUGIN_DIR\"" "$CS_CONFIG_FILE"
|
2022-02-15 16:10:15 +00:00
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
## Install collections, parsers, scenarios & postoverflows
|
2021-10-14 15:02:38 +00:00
|
|
|
cscli -c "$CS_CONFIG_FILE" hub update
|
|
|
|
|
cscli -c "$CS_CONFIG_FILE" collections upgrade crowdsecurity/linux || true
|
|
|
|
|
cscli -c "$CS_CONFIG_FILE" parsers upgrade crowdsecurity/whitelists || true
|
|
|
|
|
cscli -c "$CS_CONFIG_FILE" parsers install crowdsecurity/docker-logs || true
|
2020-11-30 09:37:17 +00:00
|
|
|
if [ "$COLLECTIONS" != "" ]; then
|
2022-11-08 11:28:57 +00:00
|
|
|
#shellcheck disable=SC2086
|
2021-10-14 15:02:38 +00:00
|
|
|
cscli -c "$CS_CONFIG_FILE" collections install $COLLECTIONS
|
2020-11-30 09:37:17 +00:00
|
|
|
fi
|
|
|
|
|
if [ "$PARSERS" != "" ]; then
|
2022-11-08 11:28:57 +00:00
|
|
|
#shellcheck disable=SC2086
|
2021-10-14 15:02:38 +00:00
|
|
|
cscli -c "$CS_CONFIG_FILE" parsers install $PARSERS
|
2020-11-30 09:37:17 +00:00
|
|
|
fi
|
|
|
|
|
if [ "$SCENARIOS" != "" ]; then
|
2022-11-08 11:28:57 +00:00
|
|
|
#shellcheck disable=SC2086
|
2021-10-14 15:02:38 +00:00
|
|
|
cscli -c "$CS_CONFIG_FILE" scenarios install $SCENARIOS
|
2020-11-30 09:37:17 +00:00
|
|
|
fi
|
|
|
|
|
if [ "$POSTOVERFLOWS" != "" ]; then
|
2022-11-08 11:28:57 +00:00
|
|
|
#shellcheck disable=SC2086
|
2021-10-14 15:02:38 +00:00
|
|
|
cscli -c "$CS_CONFIG_FILE" postoverflows install $POSTOVERFLOWS
|
2020-11-30 09:37:17 +00:00
|
|
|
fi
|
|
|
|
|
|
2022-02-15 16:10:15 +00:00
|
|
|
## Remove collections, parsers, scenarios & postoverflows
|
|
|
|
|
if [ "$DISABLE_COLLECTIONS" != "" ]; then
|
2022-11-08 11:28:57 +00:00
|
|
|
#shellcheck disable=SC2086
|
2022-02-15 16:10:15 +00:00
|
|
|
cscli -c "$CS_CONFIG_FILE" collections remove $DISABLE_COLLECTIONS
|
|
|
|
|
fi
|
|
|
|
|
if [ "$DISABLE_PARSERS" != "" ]; then
|
2022-11-08 11:28:57 +00:00
|
|
|
#shellcheck disable=SC2086
|
2022-02-15 16:10:15 +00:00
|
|
|
cscli -c "$CS_CONFIG_FILE" parsers remove $DISABLE_PARSERS
|
|
|
|
|
fi
|
|
|
|
|
if [ "$DISABLE_SCENARIOS" != "" ]; then
|
2022-11-08 11:28:57 +00:00
|
|
|
#shellcheck disable=SC2086
|
2022-02-15 16:10:15 +00:00
|
|
|
cscli -c "$CS_CONFIG_FILE" scenarios remove $DISABLE_SCENARIOS
|
|
|
|
|
fi
|
|
|
|
|
if [ "$DISABLE_POSTOVERFLOWS" != "" ]; then
|
2022-11-08 11:28:57 +00:00
|
|
|
#shellcheck disable=SC2086
|
2022-02-15 16:10:15 +00:00
|
|
|
cscli -c "$CS_CONFIG_FILE" postoverflows remove $DISABLE_POSTOVERFLOWS
|
|
|
|
|
fi
|
|
|
|
|
|
2022-04-04 08:18:44 +00:00
|
|
|
function register_bouncer {
|
2022-11-07 09:07:26 +00:00
|
|
|
if ! cscli -c "$CS_CONFIG_FILE" bouncers list -o json | sed '/^ *"name"/!d;s/^ *"name": "\(.*\)",/\1/' | grep -q "^${NAME}$"; then
|
2022-04-04 08:18:44 +00:00
|
|
|
if cscli -c "$CS_CONFIG_FILE" bouncers add "${NAME}" -k "${KEY}" > /dev/null; then
|
|
|
|
|
echo "Registered bouncer for ${NAME}"
|
|
|
|
|
else
|
|
|
|
|
echo "Failed to register bouncer for ${NAME}"
|
|
|
|
|
fi
|
|
|
|
|
fi
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
## Register bouncers via env
|
|
|
|
|
for BOUNCER in $(compgen -A variable | grep -i BOUNCER_KEY); do
|
|
|
|
|
KEY=$(printf '%s' "${!BOUNCER}")
|
|
|
|
|
NAME=$(printf '%s' "$BOUNCER" | cut -d_ -f2-)
|
|
|
|
|
if [[ -n $KEY ]] && [[ -n $NAME ]]; then
|
|
|
|
|
register_bouncer
|
|
|
|
|
fi
|
|
|
|
|
done
|
|
|
|
|
|
|
|
|
|
## Register bouncers via secrets
|
|
|
|
|
shopt -s nullglob extglob
|
|
|
|
|
for BOUNCER in /run/secrets/@(bouncer_key|BOUNCER_KEY)* ; do
|
|
|
|
|
KEY=$(cat "${BOUNCER}")
|
|
|
|
|
NAME=$(echo "${BOUNCER}" | awk -F "/" '{printf $NF}' | cut -d_ -f2-)
|
|
|
|
|
if [[ -n $KEY ]] && [[ -n $NAME ]]; then
|
|
|
|
|
register_bouncer
|
|
|
|
|
fi
|
|
|
|
|
done
|
|
|
|
|
shopt -u nullglob extglob
|
|
|
|
|
|
2020-11-30 09:37:17 +00:00
|
|
|
ARGS=""
|
|
|
|
|
if [ "$CONFIG_FILE" != "" ]; then
|
|
|
|
|
ARGS="-c $CONFIG_FILE"
|
|
|
|
|
fi
|
2021-06-29 16:03:45 +00:00
|
|
|
if [ "$DSN" != "" ]; then
|
|
|
|
|
ARGS="$ARGS -dsn ${DSN}"
|
2020-11-30 09:37:17 +00:00
|
|
|
fi
|
2021-06-29 16:03:45 +00:00
|
|
|
|
2020-11-30 09:37:17 +00:00
|
|
|
if [ "$TYPE" != "" ]; then
|
|
|
|
|
ARGS="$ARGS -type $TYPE"
|
|
|
|
|
fi
|
2022-06-22 09:31:55 +00:00
|
|
|
if [ "${TEST_MODE,,}" == "true" ]; then
|
2020-11-30 09:37:17 +00:00
|
|
|
ARGS="$ARGS -t"
|
|
|
|
|
fi
|
2022-06-22 09:31:55 +00:00
|
|
|
if [ "${DISABLE_AGENT,,}" == "true" ]; then
|
2020-11-30 09:37:17 +00:00
|
|
|
ARGS="$ARGS -no-cs"
|
|
|
|
|
fi
|
2022-06-22 09:31:55 +00:00
|
|
|
if [ "${DISABLE_LOCAL_API,,}" == "true" ]; then
|
2020-11-30 09:37:17 +00:00
|
|
|
ARGS="$ARGS -no-api"
|
|
|
|
|
fi
|
2022-06-22 09:31:55 +00:00
|
|
|
if [ "${LEVEL_TRACE,,}" == "true" ]; then
|
2020-11-30 09:37:17 +00:00
|
|
|
ARGS="$ARGS -trace"
|
|
|
|
|
fi
|
2022-06-22 09:31:55 +00:00
|
|
|
if [ "${LEVEL_DEBUG,,}" == "true" ]; then
|
2020-11-30 09:37:17 +00:00
|
|
|
ARGS="$ARGS -debug"
|
|
|
|
|
fi
|
2022-06-22 09:31:55 +00:00
|
|
|
if [ "${LEVEL_INFO,,}" == "true" ]; then
|
2020-11-30 09:37:17 +00:00
|
|
|
ARGS="$ARGS -info"
|
|
|
|
|
fi
|
|
|
|
|
|
2022-11-08 11:28:57 +00:00
|
|
|
#shellcheck disable=SC2086
|
2021-11-02 08:19:22 +00:00
|
|
|
exec crowdsec $ARGS
|
