librelad 875a60f90f LibrePortal v0.1.0 — initial release
A free, open, self-hosted app platform (GNU AGPLv3): one-click app deploys,
Traefik reverse proxy with automatic SSL, rootless Docker support, gluetun
VPN routing, and a web dashboard to manage it all.

Free & open forever to self-host; optional paid hosted services fund it.
See PROMISE.md.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Signed-off-by: librelad <librelad@digitalangels.vip>
2026-05-21 20:37:54 +01:00


#!/bin/bash
# Category : Security
# Description : CrowdSec - Intrusion Prevention (c/u/s/r/i):
#
# Host-installed agent (apt + systemd) — no Docker container. Host install
# logic lives in scripts/install/install_crowdsec.sh (installCrowdsecHost);
# install registration uses the shared hostAppInstall helper
# (scripts/install/host_app.sh). uninstall/stop/restartCrowdsec (below) are the
# host-side hooks dockerUninstallApp / dockerStopApp / dockerRestartApp invoke.
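# Globals:   crowdsec (read) - action letters chosen for this app
#            CFG_CROWDSEC_APP_NAME (read)
# Arguments: $1 - stored in config_variables (not read in this function)
# Returns:   status of the last command run
installCrowdsec()
{
    # Not referenced below. Bash locals are dynamically scoped, so a callee
    # could still read it. NOTE(review): confirm before removing.
    local config_variables="$1"

    # ${crowdsec-} treats an unset selector as "no action" instead of
    # aborting when the caller runs with `set -u`.
    if [[ "${crowdsec-}" == *[cCtTuUsSrRiI]* ]]; then
        dockerConfigSetupToContainer silent crowdsec
        initializeAppVariables "$CFG_CROWDSEC_APP_NAME"
    fi

    # Read after the setup calls above, as in the original ordering.
    local app_name="$CFG_CROWDSEC_APP_NAME"

    if [[ "${crowdsec-}" == *[cC]* ]]; then
        # Quoted so the app name always reaches editAppConfig as one argument.
        editAppConfig "$app_name"
    fi

    # Uninstall / stop / restart are NOT dispatched here — the CLI and menu call
    # dockerUninstallApp / dockerStopApp / dockerRestartApp directly. Those run
    # the generic docker teardown (a no-op for a host app) and then invoke the
    # uninstall/stop/restartCrowdsec hooks (bottom of this file) for the
    # host-side work.
    if [[ "${crowdsec-}" == *[iI]* ]]; then
        installCrowdsecHost

        # NOTE(review): this gate only proves the cscli binary is on PATH. It
        # does not show that the crowdsec agent or the firewall bouncer service
        # is active, so the app can be registered as installed while nothing is
        # enforcing decisions. Consider also checking
        # `systemctl is-active crowdsec crowdsec-firewall-bouncer` here.
        if command -v cscli >/dev/null 2>&1; then
            # Register crowdsec as an installed host app — apps DB row + WebUI regen.
            hostAppInstall "$app_name"
            # Monitoring: gather crowdsec's scrape fragment + Grafana dashboards
            # into Prometheus/Grafana. Run unconditionally — the refresh is
            # self-correcting (adds when CFG_CROWDSEC_MONITORING=true, removes
            # crowdsec's entry when it's been toggled off). No-ops with a notice
            # when Prometheus/Grafana aren't installed.
            monitoringRefreshAll
        else
            isNotice "cscli missing — crowdsec host install did not complete. Skipping registration."
        fi
    fi
}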
# Host-side uninstall, invoked by dockerUninstallApp's uninstall<App> hook.
# dockerUninstallApp already handles the generic teardown (data dir, DB rows,
# WebUI regen) — this does what the generic path can't: stopping + purging the
# apt packages and detaching the log bind-mounts.
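# Globals:   menu_number (incremented once per step banner)
# Outputs:   two numbered step banners on stdout
# Returns:   status of the final crowdsecToggleLibrePortalLogMounts call
uninstallCrowdsec()
{
    # Declared on its own: `local result=$(cmd)` leaves $? as the status of
    # `local` (0), which hides a failed command from the checkSuccess call
    # that follows. NOTE(review): checkSuccess is defined elsewhere and
    # presumably inspects $? — confirm how it reacts to a failure here (for
    # example when the bouncer unit was never installed).
    local result

    menu_number=$((menu_number + 1))
    echo ""
    echo "---- $menu_number. Stopping CrowdSec host services."
    echo ""

    result=$(sudo systemctl disable --now crowdsec-firewall-bouncer 2>&1)
    checkSuccess "Disabling firewall bouncer"

    result=$(sudo systemctl disable --now crowdsec 2>&1)
    checkSuccess "Disabling agent"

    menu_number=$((menu_number + 1))
    echo ""
    echo "---- $menu_number. Removing CrowdSec packages."
    echo ""

    # stdin is /dev/null so apt cannot stop to read from the terminal.
    result=$(sudo DEBIAN_FRONTEND=noninteractive apt-get purge -y -q crowdsec crowdsec-firewall-bouncer-nftables </dev/null 2>&1)
    checkSuccess "Purged packages"

    # autoremove is host-wide: it removes every package apt currently marks as
    # an orphaned dependency, not only the ones CrowdSec pulled in.
    result=$(sudo DEBIAN_FRONTEND=noninteractive apt-get autoremove -y -q </dev/null 2>&1)
    checkSuccess "Removed orphaned dependencies"

    crowdsecToggleLibrePortalLogMounts off
}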
# Host-side stop, invoked by dockerStopApp's stop<App> hook. crowdsec ships no
# docker container, so dockerStopApp is a no-op — this stops the host agent +
# bouncer. The package stays installed; only Uninstall removes it.
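# Order:     bouncer first, then the agent.
# Returns:   status of the final checkSuccess call
stopCrowdsec()
{
    # Declared on its own: `local result=$(cmd)` leaves $? as the status of
    # `local` (0), so a failed systemctl call would still reach checkSuccess
    # looking like a success. NOTE(review): checkSuccess is defined elsewhere
    # and presumably inspects $? — confirm.
    local result

    isNotice "Stopping CrowdSec host services..."

    result=$(sudo systemctl stop crowdsec-firewall-bouncer 2>&1)
    checkSuccess "Stopped firewall bouncer"

    result=$(sudo systemctl stop crowdsec 2>&1)
    checkSuccess "Stopped agent"
}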
# Host-side restart, invoked by dockerRestartApp's restart<App> hook. crowdsec
# ships no docker container, so dockerRestartApp is a no-op — this restarts the
# host agent + bouncer.
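# Order:     agent first, then the bouncer.
# Returns:   status of the final checkSuccess call
restartCrowdsec()
{
    # Declared on its own: `local result=$(cmd)` leaves $? as the status of
    # `local` (0), so a restart that failed (leaving the agent or bouncer
    # down) would still reach checkSuccess looking like a success.
    # NOTE(review): checkSuccess is defined elsewhere and presumably inspects
    # $? — confirm.
    local result

    isNotice "Restarting CrowdSec host services..."

    result=$(sudo systemctl restart crowdsec 2>&1)
    checkSuccess "Restarted agent"

    result=$(sudo systemctl restart crowdsec-firewall-bouncer 2>&1)
    checkSuccess "Restarted firewall bouncer"
}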