lutz/Traefik
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
Traefik/docker-compose.yml
Lutz Finsterle 34d11c0e29 Add CrowdSec MikroTik bouncer (edge firewall drop) 
- New crowdsec-mikrotik-bouncer service: mirrors CrowdSec decisions into a
  RouterOS address-list on the AX3 for WAN edge-dropping (covers all ports,
  incl. VPN/SSH), complementing the L7 Traefik bouncer.
- Connects over api-ssl/TLS using an OpenBAO-issued cert; trusts the OpenBAO
  root+intermediate via SSL_CERT_FILE (crowdsec/famfi-ca-bundle.pem).
- Secrets (MIKROTIK_PASS, LAPI key) kept in root-only .mikrotik.env, git-ignored.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-28 16:17:59 +02:00

90 lines
3.4 KiB
YAML
Raw Permalink Blame History

# docker-compose.yml
# Traefik + CrowdSec - migriert von CreateTraefikPod.sh
#
# Laeuft mit `docker compose` UND `podman compose` (Podman >= 4.1).
# Wegen Bind auf :443 und :1194 ist ROOTFUL noetig (rootless kann <1024 nur
# mit net.ipv4.ip_unprivileged_port_start-Tweak).
# Die Volume-Mounts behalten dein SELinux-Relabel (:Z) bei.
services:
traefik:
image: traefik:v3.7 # aktuell v3.7.5 (Jun 2026), enthaelt Fix fuer CVE-2026-22045 (TLS-ALPN)
container_name: traefik
restart: unless-stopped
depends_on:
- crowdsec
networks:
- proxy
volumes:
# deine bestehende statische + dynamische Config (unveraendert uebernommen)
- /srv/TRAEFIK/etc/traefik:/etc/traefik:Z
# Access-Log -> geteiltes Named Volume, das CrowdSec read-only mountet
- traefik-logs:/var/log/traefik
ports:
- "192.168.0.141:1180:1180"
- "192.168.0.142:443:443"
- "192.168.0.142:8880:8880"
- "192.168.0.142:40022:40022"
- "192.168.0.142:8888:8888"
- "192.168.0.142:54321:54321/udp"
- "192.168.0.142:5001:5001"
- "192.168.0.142:5000:5000"
- "192.168.0.142:8443:8443"
- "192.168.0.142:1194:1194"
- "192.168.0.142:1194:1194/udp"
crowdsec:
image: crowdsecurity/crowdsec:v1.7.8 # v1.7.x benoetigt das /var/lib/crowdsec/data Volume (vorhanden)
container_name: crowdsec
restart: unless-stopped
networks:
- proxy
environment:
# Collections, die die Traefik-Logs parsen und Scan-/CVE-/DoS-Muster erkennen
COLLECTIONS: "crowdsecurity/traefik crowdsecurity/http-cve crowdsecurity/base-http-scenarios crowdsecurity/http-dos"
# GID: "1000" # nur setzen, falls CrowdSec das Access-Log nicht lesen darf (Permissions)
volumes:
- crowdsec-config:/etc/crowdsec # Named Volume -> Image-Defaults bleiben erhalten
- crowdsec-db:/var/lib/crowdsec/data
- traefik-logs:/var/log/traefik:ro # liest Traefiks Access-Log
- ./crowdsec/acquis.yaml:/etc/crowdsec/acquis.d/traefik.yaml:ro,Z
ports:
- "192.168.0.142:6060:6060" # Prometheus-Metriken (CrowdSec) fuer 192.168.0.23
# MikroTik-Bouncer: spiegelt CrowdSec-Decisions in eine RouterOS-Firewall-
# Address-List ("crowdsec") auf der AX3 -> Edge-Drop (alle Ports, auch VPN/SSH).
# Verbindet sich per RouterOS-API ueber TLS (api-ssl 8729). Der Hostname
# mt-az.famfi.home (extra_hosts -> 192.168.0.2) muss zum Cert-SAN passen;
# das OpenBAO-Root+Intermediate-Bundle wird via SSL_CERT_FILE vertraut.
crowdsec-mikrotik-bouncer:
image: ghcr.io/funkolab/cs-mikrotik-bouncer:latest
container_name: crowdsec-mikrotik-bouncer
restart: unless-stopped
depends_on:
- crowdsec
networks:
- proxy
extra_hosts:
- "mt-az.famfi.home:192.168.0.2"
environment:
CROWDSEC_URL: "http://crowdsec:8080/"
MIKROTIK_HOST: "mt-az.famfi.home:8729"
MIKROTIK_USER: "apics"
MIKROTIK_TLS: "true"
MIKROTIK_IPV6: "false"
LOG_LEVEL: "1"
SSL_CERT_FILE: "/etc/ssl/famfi-ca.pem" # trust OpenBAO CA for the RouterOS api-ssl cert
env_file:
- .mikrotik.env # MIKROTIK_PASS + CROWDSEC_BOUNCER_API_KEY (root-only, git-ignored)
volumes:
- ./crowdsec/famfi-ca-bundle.pem:/etc/ssl/famfi-ca.pem:ro
networks:
proxy:
driver: bridge
volumes:
traefik-logs:
crowdsec-config:
crowdsec-db:
Reference in New Issue View Git Blame Copy Permalink