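#!/bin/bash
# init.sh - Prepares the environment for the Headscale + Caddy + CrowdSec stack
#
# Run it from the repository root (the directory holding compose.yaml): every
# path below is relative to it and must match the bind mounts in compose.yaml.
# Requires: wget, openssl, GNU sed and GNU stat (sed -i / stat -c are GNU-only).
set -euo pipefail

readonly HEADSCALE_CONFIG="headscale/config/config.yaml"
readonly HEADSCALE_CONFIG_URL="https://raw.githubusercontent.com/juanfont/headscale/main/config-example.yaml"
readonly GEOIP_DB="caddy/data/GeoLite2-Country.mmdb"
readonly GEOIP_URL="https://github.com/P3TERX/GeoLite.mmdb/raw/download/GeoLite2-Country.mmdb"
# Age after which an existing GeoIP database is offered for refresh.
readonly GEOIP_MAX_AGE_DAYS=30

# Prints a message to stderr and exits non-zero.
die() { printf 'error: %s\n' "$*" >&2; exit 1; }

#######################################
# Downloads a URL atomically: the body lands in a temp file next to the
# destination and is only moved into place once wget succeeded. A failed or
# interrupted download therefore never leaves an empty/truncated file behind
# (an empty config.yaml makes Headscale crash, and because the "only if
# missing" checks below key on file existence it would never be retried;
# a truncated GeoIP DB would silently replace a working one).
# Arguments: $1 - URL, $2 - destination path
# Returns:   0 on success; exits via die on failure
#######################################
download_to() {
  local url=$1 dest=$2 tmp
  tmp=$(mktemp -- "${dest}.XXXXXX") || die "mktemp failed for $dest"
  if ! wget -qO "$tmp" -- "$url"; then
    rm -f -- "$tmp"
    die "download failed: $url"
  fi
  mv -f -- "$tmp" "$dest"
}

#######################################
# Writes stdin to $1 only when the file does not exist yet, so local edits
# survive re-runs of this script.
# Arguments: $1 - destination path; content is read from stdin
#######################################
write_if_missing() {
  local dest=$1
  if [[ -f "$dest" ]]; then
    return 0
  fi
  cat > "$dest"
}

#######################################
# Downloads the upstream Headscale example config when none exists and points
# db_path at the container's data volume.
# NOTE(review): the template is fetched from the `main` branch, so its schema
# may drift from the headscale image version used in compose.yaml — confirm
# they match when bumping the image.
#######################################
prepare_headscale() {
  echo "Preparing Headscale configuration..."
  # Headscale crashes if config.yaml is empty. We download the official template
  if [[ -f "$HEADSCALE_CONFIG" ]]; then
    return 0
  fi
  echo "Downloading default Headscale config..."
  download_to "$HEADSCALE_CONFIG_URL" "$HEADSCALE_CONFIG"
  # Set the correct SQLite database path for our Docker container
  sed -i 's|db_path:.*|db_path: /var/lib/headscale/db.sqlite|' "$HEADSCALE_CONFIG"
  echo "✅ Headscale config downloaded."
}

#######################################
# Writes the CrowdSec acquisition, notification and profile files (only if
# missing). The here-doc bodies are literal (quoted EOF): the ${CROWDSEC_*}
# references are expanded by CrowdSec from the container environment, not here.
#######################################
prepare_crowdsec() {
  echo "Preparing CrowdSec configurations..."

  # Acquis.yaml
  write_if_missing crowdsec/acquis.yaml <<'EOF'
filenames:
  - /var/log/caddy/*.log
labels:
  type: caddy
poll_without_inotify: true
EOF

  # Http.yaml (Notification template for NTFY/Gotify)
  write_if_missing crowdsec/config/notifications/http.yaml <<'EOF'
type: http
name: http_default
log_level: info
# Accumulate alerts for 30 seconds before sending to avoid notification flood
group_wait: 30s
format: |
  {{range . -}}
  {{$alert := . -}}
  {{range .Decisions -}}
  🚨 CrowdSec Ban
  IP: {{.Value}}
  Duration: {{.Duration}}
  Scenario: {{$alert.Scenario}}
  {{end -}}
  {{end -}}
url: ${CROWDSEC_NOTIFY_URL}
method: POST
# --- Choose your provider and comment the other ---
#
# NTFY: uncomment these two lines
headers:
  Authorization: ${CROWDSEC_NOTIFY_AUTH_TOKEN}
  Title: "CrowdSec Alert"
  Tags: "warning,skull"
#
# GOTIFY: comment the block above and uncomment these two lines
# headers:
#   X-Gotify-Key: ${CROWDSEC_NOTIFY_AUTH_TOKEN}
EOF

  # Profiles.yaml
  write_if_missing crowdsec/config/profiles.yaml <<'EOF'
name: default_ip_remediation
filters:
  - Alert.Remediation == true && Alert.GetScope() == "Ip"
decisions:
  - type: ban
    duration: 4h
notifications:
  - http_default
on_success: break
EOF
}

#######################################
# Fetches the MaxMind GeoLite2-Country DB, or offers to refresh it when the
# existing copy is older than GEOIP_MAX_AGE_DAYS.
# Reads the answer from stdin; under set -e an EOF on stdin aborts the script.
#######################################
prepare_geoip() {
  local age_days
  if [[ ! -f "$GEOIP_DB" ]]; then
    echo "Downloading MaxMind GeoLite2-Country DB..."
    download_to "$GEOIP_URL" "$GEOIP_DB"
    echo "✅ GeoIP DB downloaded."
    return 0
  fi
  age_days=$(( ($(date +%s) - $(stat -c %Y "$GEOIP_DB")) / 86400 ))
  if (( age_days <= GEOIP_MAX_AGE_DAYS )); then
    echo "✅ GeoIP DB is recent ($age_days days old)."
    return 0
  fi
  echo "⚠️ GeoIP DB exists but is $age_days days old. Update available."
  read -p "Download latest MaxMind GeoLite2-Country DB? [Y/n]: " -n 1 -r
  echo
  # Empty answer (plain Enter) takes the default "Y".
  if [[ $REPLY =~ ^[Yy]$ || -z $REPLY ]]; then
    download_to "$GEOIP_URL" "$GEOIP_DB"
    echo "✅ GeoIP DB updated."
  else
    echo "Skipped GeoIP update."
  fi
}

#######################################
# Creates .env from .env.example (only if missing) with a freshly generated
# bouncer key substituted for the INSERT_GENERATED_KEY_HERE placeholder.
#######################################
prepare_env() {
  local bouncer_key
  if [[ -f .env ]]; then
    return 0
  fi
  [[ -f .env.example ]] || die ".env.example not found; run this script from the repository root"
  echo "Generating .env file from .env.example..."
  cp -- .env.example .env
  # .env will hold a secret: make it owner-only before the key is written.
  # GNU sed -i preserves the mode of the file it rewrites.
  chmod 600 .env
  bouncer_key=$(openssl rand -hex 32)
  # The key is hex only, so it cannot contain characters special to sed.
  sed -i "s/INSERT_GENERATED_KEY_HERE/$bouncer_key/g" .env
  echo "✅ .env file created."
}

main() {
  echo "Creating necessary directories for bind mounts..."
  # We only create directories that are explicitly bind-mounted in compose.yaml.
  # Caddy's config and logs are handled natively by Docker Volumes.
  mkdir -p caddy/data
  mkdir -p crowdsec/config/notifications crowdsec/data
  mkdir -p headscale/config headscale/data

  prepare_headscale
  prepare_crowdsec
  prepare_geoip
  prepare_env

  echo "Initialization complete! Edit .env and start with 'docker compose up -d'"
}

main "$@"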