A free, open, self-hosted app platform (GNU AGPLv3): one-click app deploys, Traefik reverse proxy with automatic SSL, rootless Docker support, gluetun VPN routing, and a web dashboard to manage it all. Free & open forever to self-host; optional paid hosted services fund it. See PROMISE.md. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> Signed-off-by: librelad <librelad@digitalangels.vip>
#!/bin/bash
# Category : Security
# Description : CrowdSec - Intrusion Prevention (c/u/s/r/i):
#
# Host-installed agent (apt + systemd) — no Docker container. Host install
# logic lives in scripts/install/install_crowdsec.sh (installCrowdsecHost);
# install registration uses the shared hostAppInstall helper
# (scripts/install/host_app.sh). uninstall/stop/restartCrowdsec (below) are the
# host-side hooks dockerUninstallApp / dockerStopApp / dockerRestartApp invoke.
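installCrowdsec()
{
    # Handles the CrowdSec actions that are dispatched through this function:
    # config edit (c/C) and host install (i/I).
    #
    # Globals:   crowdsec (read)              - action letters matched below
    #            CFG_CROWDSEC_APP_NAME (read) - app name handed to the helpers
    # Arguments: $1 - stored in config_variables; not read in this function

    # Not referenced below. Kept because a bash local is visible to every
    # function called from here (dynamic scope) — TODO confirm whether any
    # helper relies on it before dropping it.
    local config_variables="$1"

    if [[ "$crowdsec" == *[cCtTuUsSrRiI]* ]]; then
        dockerConfigSetupToContainer silent crowdsec
        initializeAppVariables "$CFG_CROWDSEC_APP_NAME"
    fi

    # Assigned only after the setup helpers above have run (original ordering).
    local app_name=$CFG_CROWDSEC_APP_NAME

    if [[ "$crowdsec" == *[cC]* ]]; then
        # Quoted so the name always reaches the helper as a single argument.
        editAppConfig "$app_name"
    fi

    # Uninstall / stop / restart are NOT dispatched here — the CLI and menu call
    # dockerUninstallApp / dockerStopApp / dockerRestartApp directly. Those run
    # the generic docker teardown (a no-op for a host app) and then invoke the
    # uninstall/stop/restartCrowdsec hooks (bottom of this file) for the
    # host-side work.

    if [[ "$crowdsec" == *[iI]* ]]; then
        installCrowdsecHost

        # NOTE(review): this gate only proves the cscli binary is on PATH. It
        # does not show that the agent or the firewall bouncer service is
        # running, so the app can be registered as installed while nothing is
        # enforcing decisions. A service-state check (for example
        # `systemctl is-active --quiet crowdsec`) would make the gate stricter.
        if command -v cscli >/dev/null 2>&1; then
            # Register crowdsec as an installed host app — apps DB row + WebUI regen.
            hostAppInstall "$app_name"

            # Monitoring: gather crowdsec's scrape fragment + Grafana dashboards
            # into Prometheus/Grafana. Run unconditionally — the refresh is
            # self-correcting (adds when CFG_CROWDSEC_MONITORING=true, removes
            # crowdsec's entry when it's been toggled off). No-ops with a notice
            # when Prometheus/Grafana aren't installed.
            monitoringRefreshAll
        else
            isNotice "cscli missing — crowdsec host install did not complete. Skipping registration."
        fi
    fi
}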
# Host-side uninstall, invoked by dockerUninstallApp's uninstall<App> hook.
# dockerUninstallApp already handles the generic teardown (data dir, DB rows,
# WebUI regen) — this does what the generic path can't: stopping + purging the
# apt packages and detaching the log bind-mounts.
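uninstallCrowdsec()
{
    # Disables and stops the firewall bouncer and the agent, purges both apt
    # packages, runs apt-get autoremove, then switches the LibrePortal log
    # mounts off.
    #
    # Globals: menu_number (incremented once per printed step)
    # Outputs: step headings on stdout

    # Declared separately from the assignments: `local result=$(cmd)` leaves $?
    # set to the status of `local` (always 0), so a failed systemctl/apt-get
    # could never be seen by a status check that follows. checkSuccess is
    # defined outside this file; presumably it inspects $? and/or $result —
    # TODO confirm how it reacts to a non-zero status (e.g. a unit that is
    # already gone on a half-installed host).
    local result

    # Plain assignment instead of ((menu_number++)), whose own exit status is 1
    # whenever the counter was 0.
    menu_number=$((menu_number + 1))
    printf '\n'
    printf '%s\n' "---- $menu_number. Stopping CrowdSec host services."
    printf '\n'

    # Bouncer first, then the agent. From here on CrowdSec no longer detects
    # or enforces anything on this host.
    result=$(sudo systemctl disable --now crowdsec-firewall-bouncer 2>&1)
    checkSuccess "Disabling firewall bouncer"
    result=$(sudo systemctl disable --now crowdsec 2>&1)
    checkSuccess "Disabling agent"

    menu_number=$((menu_number + 1))
    printf '\n'
    printf '%s\n' "---- $menu_number. Removing CrowdSec packages."
    printf '\n'

    # stdin is /dev/null and the frontend non-interactive so apt cannot block
    # on a prompt.
    result=$(sudo DEBIAN_FRONTEND=noninteractive apt-get purge -y -q crowdsec crowdsec-firewall-bouncer-nftables </dev/null 2>&1)
    checkSuccess "Purged packages"

    # NOTE(review): autoremove takes no package list, so it removes every
    # auto-installed package apt currently considers unneeded on the host,
    # not only CrowdSec's own dependencies.
    result=$(sudo DEBIAN_FRONTEND=noninteractive apt-get autoremove -y -q </dev/null 2>&1)
    checkSuccess "Removed orphaned dependencies"

    crowdsecToggleLibrePortalLogMounts off
}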
# Host-side stop, invoked by dockerStopApp's stop<App> hook. crowdsec ships no
# docker container, so dockerStopApp is a no-op — this stops the host agent +
# bouncer. The package stays installed; only Uninstall removes it.
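stopCrowdsec()
{
    # Stops the firewall bouncer, then the agent. Neither unit is disabled and
    # no package is removed here.

    # Declared separately from the assignments: `local result=$(cmd)` leaves $?
    # set to the status of `local` (always 0), so a failed `systemctl stop`
    # could never be seen by a status check that follows. checkSuccess is
    # defined outside this file; presumably it inspects $? and/or $result —
    # TODO confirm.
    local result

    isNotice "Stopping CrowdSec host services..."

    result=$(sudo systemctl stop crowdsec-firewall-bouncer 2>&1)
    checkSuccess "Stopped firewall bouncer"

    result=$(sudo systemctl stop crowdsec 2>&1)
    checkSuccess "Stopped agent"
}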
# Host-side restart, invoked by dockerRestartApp's restart<App> hook. crowdsec
# ships no docker container, so dockerRestartApp is a no-op — this restarts the
# host agent + bouncer.
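restartCrowdsec()
{
    # Restarts the agent first, then the firewall bouncer.

    # Declared separately from the assignments: `local result=$(cmd)` leaves $?
    # set to the status of `local` (always 0), so a restart that failed would
    # still look successful to a status check that follows — i.e. the host
    # could be left without a running agent or bouncer while the action is
    # reported as done. checkSuccess is defined outside this file; presumably
    # it inspects $? and/or $result — TODO confirm.
    local result

    isNotice "Restarting CrowdSec host services..."

    result=$(sudo systemctl restart crowdsec 2>&1)
    checkSuccess "Restarted agent"

    result=$(sudo systemctl restart crowdsec-firewall-bouncer 2>&1)
    checkSuccess "Restarted firewall bouncer"
}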