CrowdSec's host-side install (the agent + nftables bouncer the LibrePortal
Traefik plugin talks to) had stayed on blanket sudo throughout the rootless +
de-sudo hardening: `sudo apt-get install crowdsec`, `curl | sudo bash`,
`sudo sed -i /etc/crowdsec/config.yaml`, `sudo touch + sudo chmod /var/log/
crowdsec*.log`, `echo $key | sudo tee /etc/crowdsec/traefik_bouncer.key`,
plus `sudo cscli capi register / console enroll / bouncers add`. None of
those are in the scoped LP_HELPERS / LP_SYSTEM sudoers grant the manager
now holds, so any user who enabled crowdsec would have hit hard sudo
failures on every privileged step.
Follow the libreportal-appcfg / libreportal-bininstall pattern: one new
root-owned helper at /usr/local/lib/libreportal/libreportal-crowdsec
that does every privileged op behind a fixed action vocabulary with strict
argument validation. The manager calls in via runCrowdsec — the scoped
sudoers grants exactly one binary, the same trust boundary the other
helpers rely on.
Actions:
install apt repo + agent + firewall-bouncer + enable +
crowdsecurity/{linux,sshd} collections + reload
(idempotent — skips parts already in place)
services <verb> enable | disable | restart
capi <verb> register | unregister | status
console <verb> enroll <token> | disenroll | status
token format strictly validated
bouncer-traefik-init cscli register + write the manager-owned key file
atomically (returns EXISTS or GENERATED:<key>)
bouncer-priority bouncer yaml nftables priority → -100
(moved from libreportal-appcfg; one helper for
every crowdsec root op)
bind-lapi flip listen_uri to 0.0.0.0:8080 in config.yaml
prometheus <on…|off> flip the prometheus block (validated addr/port)
touch-host-logs create + chmod 0644 /var/log/crowdsec*.log so the
libreportal container can tail them
Wired in via:
- new sudoers Cmnd_Alias entry for the helper in LP_HELPERS
- new helper baked alongside the others by initRootHelpers
(replaces __SYSTEM_DIR__ / __CONTAINERS_DIR__ / __MANAGER__ at
install, with safe runtime fallbacks if unbaked)
- new runCrowdsec dispatch in scripts/docker/command/run_privileged.sh
containers/crowdsec/scripts/crowdsec_install_host.sh now drives the whole
flow through runCrowdsec — every `sudo …` is gone, the compose-toggle sed
uses runFileOp, and the security_crowdsec CFG mirror uses runInstallOp
(configs/ is manager-owned). Net: install script shrinks ~80 lines while
gaining a single auditable trust boundary. crowdsec_fix_priority.sh swung
over to runCrowdsec bouncer-priority too — the appcfg crowdsec_priority
action drops out cleanly.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Signed-off-by: librelad <librelad@digitalangels.vip>
LibrePortal
Your own private corner of the internet — free, open, and yours.
LibrePortal is a self-hosted platform for running the apps you rely on, on your own server: one-click installs, a reverse proxy with automatic SSL, rootless Docker, optional VPN routing, and a clean web dashboard to manage it all.
⚠️ v0.1.0 — early days. Expect rough edges while things settle.
Why LibrePortal
Too many services today treat your data as theirs to take — quietly overstepping boundaries that should never have been crossed. LibrePortal grew out of frustration with that: it's a way to run the apps you depend on on your own server, where your data stays yours. Privacy here isn't a feature to toggle — it's the whole point.
Free & open — forever
The entire platform is free software under the GNU AGPLv3. Self-host it and you get everything — every feature, no paywalls, no telemetry. See our Promise for exactly what that means.
What you get
- 📦 One-click self-hosted apps (Nextcloud, Vaultwarden, Jellyfin, Gitea, …)
- 🔀 Traefik reverse proxy + automatic Let's Encrypt SSL
- 🔒 Rootless Docker, CrowdSec, sane security defaults
- 🛡️ Optional VPN routing (gluetun) for any app
- 🖥️ A web dashboard to install, configure, back up, and monitor everything
Quick start
curl -fsSL https://get.libreportal.org/install.sh | sudo bash
This installs a versioned, checksum-verified release (Debian/Ubuntu, root). Put
data on separate disks with --system-dir= / --containers-dir= / --backups-dir=.
The
get.libreportal.orghost is still being set up — until it's live, build a release and install from it locally (see the docs below).
Documentation
- docs/USER.md — install, place data on separate disks/drives, update, back up, uninstall.
- docs/DEVELOPMENT.md — run a dev copy, cut stable/edge releases, and test them before publishing.
LibrePortal Connect (optional)
Self-hosting is free and complete. If you'd rather not fiddle with the tricky parts — like reaching your server from your phone, or keeping off-site backups — LibrePortal Connect will handle them for you. Here's the catch that makes us different: we work like a courier carrying a sealed box. We move your data between your devices and store backup copies, but it stays locked and you hold the only key — we can't open it, and we never run your apps for you. Everything we offer, you can also set up yourself for free. Our Promise spells out exactly where that line sits.
Contributing
PRs welcome — see CONTRIBUTING.md. We use a lightweight
DCO sign-off (git commit -s), no CLA.
Acknowledgments
LibrePortal has been built from scratch since 2023. Its spark of inspiration
was a small installer script from Brian McGonagill (OpenSourceIsAwesome):
gitlab.com/bmcgonag/docker_installs.
From that seed it grew start to finish — refined, extended, and refactored
into the platform it is today.
License
GNU AGPLv3. What's open stays open.