librelad 3ba3f77f0b feat(backup): expose per-app strategy override on all apps, context-aware
Every backup-scope app now carries CFG_<APP>_BACKUP_STRATEGY=auto, so the
Backup Strategy dropdown appears in each app's Advanced tab — not just the
DB apps.

To keep it honest, the 'live' option is hidden where it isn't safe:
- apps.json generator emits backup_live_capable per app (from compose backup
  labels: a dumpable DB, or a live-safe marker).
- apps-manager filters the live option out of the strategy select when the
  current app isn't live-capable, so apps like gitea/focalboard (a DB we don't
  yet dump) never offer it.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Signed-off-by: librelad <librelad@digitalangels.vip>
2026-05-23 15:41:55 +01:00

70 lines
3.6 KiB
Plaintext

#
# =============================================================================
# GENERAL CONFIGURATION
# =============================================================================
# APP_NAME = name of application for use in scripts
# HOST_INSTALL = true means apt + systemd install on the host, not Docker
# HOST_PACKAGE = dpkg package name; drives the "installed" badge
# HOST_SERVICE = primary systemd unit; stop/restart actions hit this
# HOST_SERVICES = all units; feeds the Services + Logs tabs
# HOST_LOG_FILES = <unit>|<path>,... mapping for the log viewer
# BACKUP = include in backup operations
# MONITORING = if true, export this app's metrics to Prometheus + Grafana (needs both apps installed; ships the official CrowdSec Grafana dashboards)
# PROMETHEUS_LISTEN = address CrowdSec's metrics endpoint binds to; must be reachable from the Prometheus container (default: all interfaces, port 6060 — keep the :6060 port)
#
CFG_CROWDSEC_APP_NAME=crowdsec
CFG_CROWDSEC_HOST_INSTALL=true
CFG_CROWDSEC_HOST_PACKAGE=crowdsec
CFG_CROWDSEC_HOST_SERVICE=crowdsec
CFG_CROWDSEC_HOST_SERVICES=crowdsec.service,crowdsec-firewall-bouncer.service
CFG_CROWDSEC_HOST_LOG_FILES="crowdsec.service|/var/log/crowdsec.log,crowdsec-firewall-bouncer.service|/var/log/crowdsec-firewall-bouncer.log"
CFG_CROWDSEC_BACKUP=true
CFG_CROWDSEC_BACKUP_STRATEGY=auto
CFG_CROWDSEC_MONITORING=false
CFG_CROWDSEC_PROMETHEUS_LISTEN=0.0.0.0:6060
#
# =============================================================================
# BEHAVIOUR
# =============================================================================
# ENABLED = master switch; false disables services (package stays)
# AUTO_UPDATE = pull hub parser/scenario updates from hub.crowdsec.net
# COMMUNITY_BLOCKLIST = subscribe to the free pooled blocklist (CAPI)
# CONSOLE_ENROLL = enroll this agent with the hosted SaaS at app.crowdsec.net (NOT the local dashboard)
# CONSOLE_TOKEN = enrollment token from app.crowdsec.net (only used when CONSOLE_ENROLL=true)
# BOUNCER = attach the Traefik bouncer middleware to every public route
#
CFG_CROWDSEC_ENABLED=true
CFG_CROWDSEC_AUTO_UPDATE=true
CFG_CROWDSEC_COMMUNITY_BLOCKLIST=true
CFG_CROWDSEC_CONSOLE_ENROLL=false
CFG_CROWDSEC_CONSOLE_TOKEN=
CFG_CROWDSEC_BOUNCER=true
#
# =============================================================================
# METADATA
# =============================================================================
# CATEGORY = grouping in the app grid
# TITLE = display name
# DESCRIPTION = one-liner
# LONG_DESCRIPTION = card body text
# URL = source / docs link
# ACTIONS = available lifecycle verbs
#
CFG_CROWDSEC_CATEGORY="security,recommended"
CFG_CROWDSEC_TITLE="CrowdSec"
CFG_CROWDSEC_DESCRIPTION="Intrusion Prevention"
CFG_CROWDSEC_LONG_DESCRIPTION="CrowdSec is an open-source intrusion prevention system. It detects attacks from log patterns — brute-force, scans, web exploits — and blocks offending IPs at the firewall. Includes community-shared threat intelligence."
CFG_CROWDSEC_URL="https://www.crowdsec.net"
CFG_CROWDSEC_ACTIONS="configure|install|restart|shutdown|uninstall|tools"
#
# =============================================================================
# ADVANCED
# =============================================================================
# LAPI_HOST = LAPI bind address; 0.0.0.0 so Traefik can reach via host.docker.internal
# BOUNCER_NAME_TRAEFIK = bouncer name registered with cscli bouncers add
# TRAEFIK_LAPI_KEY = auto-generated by installCrowdsec; use the rotate Tools action to change
#
CFG_CROWDSEC_LAPI_HOST=0.0.0.0:8080
CFG_CROWDSEC_BOUNCER_NAME_TRAEFIK=traefik-bouncer
CFG_CROWDSEC_TRAEFIK_LAPI_KEY=