diff --git a/.gitea/workflows/deploy.yml b/.gitea/workflows/deploy.yml index 2d37e9d..8dcd106 100644 --- a/.gitea/workflows/deploy.yml +++ b/.gitea/workflows/deploy.yml @@ -6,13 +6,16 @@ # flight-radar. # # PREREQUISITES (one-time): -# 1. Host LAPI machine registered: -# sudo cscli machines add crowdsec-admin --password '' -# 2. Repo secrets set in Gitea → Settings → Secrets: +# 1. Host LAPI machine registered (for DELETE auth): +# sudo cscli machines add crowdsec-admin --password '' -f - +# 2. Host LAPI bouncer registered (for GET auth): +# sudo cscli bouncers add crowdsec-admin +# 3. Repo secrets set in Gitea → Settings → Secrets: # LAPI_MACHINE_ID=crowdsec-admin # LAPI_MACHINE_PASSWORD= -# 3. DNS: crowdsec.domverse-berlin.eu → host IP. -# 4. Authentik wildcard forward_domain already covers *.domverse-berlin.eu. +# LAPI_BOUNCER_KEY= +# 4. DNS: crowdsec.domverse-berlin.eu → host IP. +# 5. Authentik wildcard forward_domain already covers *.domverse-berlin.eu. # ────────────────────────────────────────────────────────────────────────────── name: Deploy @@ -39,6 +42,7 @@ jobs: cat > .env <' + sudo cscli machines add crowdsec-admin --password '' -f - ``` -2. **Gitea repo secrets** (Settings → Secrets and variables → Actions): +2. **Register a bouncer** on the host (for GET). Save the key in `secrets.yml`. + + ```bash + sudo cscli bouncers add crowdsec-admin + ``` + +3. **Gitea repo secrets** (Settings → Secrets and variables → Actions): - `LAPI_MACHINE_ID=crowdsec-admin` - `LAPI_MACHINE_PASSWORD=` + - `LAPI_BOUNCER_KEY=` -3. **DNS**: `crowdsec.domverse-berlin.eu` → host IP. +4. **DNS**: `crowdsec.domverse-berlin.eu` → host IP. -4. **Authentik**: nothing — the existing wildcard `forward_domain` provider covers `*.domverse-berlin.eu`, and the `authentik@docker` label in `docker-compose.yml` gates the router. +5. **Authentik**: nothing — the existing wildcard `forward_domain` provider covers `*.domverse-berlin.eu`, and the `authentik@docker` label in `docker-compose.yml` gates the router. -5. **First deploy**: push to `main` or trigger `workflow_dispatch`. Runner builds the image, brings the stack up, and reports health. +6. **First deploy**: push to `main` or trigger `workflow_dispatch`. Runner builds the image, brings the stack up, and reports health. ## Layout diff --git a/app/app.py b/app/app.py index dd69214..acb7c92 100644 --- a/app/app.py +++ b/app/app.py @@ -2,7 +2,6 @@ import os import time import ipaddress import logging -from functools import wraps import requests from flask import Flask, render_template, request, jsonify, abort @@ -10,9 +9,14 @@ from flask import Flask, render_template, request, jsonify, abort LAPI_URL = os.environ["LAPI_URL"].rstrip("/") MACHINE_ID = os.environ["LAPI_MACHINE_ID"] MACHINE_PW = os.environ["LAPI_MACHINE_PASSWORD"] +BOUNCER_KEY = os.environ["LAPI_BOUNCER_KEY"] TRUSTED_HOPS = int(os.environ.get("TRUSTED_PROXY_HOPS", "1")) REQ_TIMEOUT = 5 +# LAPI splits read vs write: +# GET /v1/decisions → bouncer X-Api-Key +# DELETE /v1/decisions → machine Bearer JWT (from /v1/watchers/login) + app = Flask(__name__) logging.basicConfig(level=logging.INFO) log = app.logger @@ -27,10 +31,7 @@ def _login(): timeout=REQ_TIMEOUT, ) r.raise_for_status() - data = r.json() - _token["jwt"] = data["code"] if "code" in data and isinstance(data["code"], str) else data.get("token") - if not _token["jwt"]: - _token["jwt"] = data.get("code") or data.get("token") + _token["jwt"] = r.json()["token"] _token["exp"] = time.time() + 60 * 13 return _token["jwt"] @@ -41,7 +42,13 @@ def _jwt(): return _token["jwt"] -def _lapi(method, path, **kw): +def _bouncer(method, path, **kw): + headers = kw.pop("headers", {}) + headers["X-Api-Key"] = BOUNCER_KEY + return requests.request(method, f"{LAPI_URL}{path}", headers=headers, timeout=REQ_TIMEOUT, **kw) + + +def _machine(method, path, **kw): headers = kw.pop("headers", {}) headers["Authorization"] = f"Bearer {_jwt()}" r = requests.request(method, f"{LAPI_URL}{path}", headers=headers, timeout=REQ_TIMEOUT, **kw) @@ -88,7 +95,7 @@ def list_decisions(): if not valid_ip(q): return render_template("_decisions.html", error="invalid IP", decisions=[]), 400 params["ip"] = q - r = _lapi("GET", "/v1/decisions", params=params) + r = _bouncer("GET", "/v1/decisions", params=params) if r.status_code != 200: return render_template("_decisions.html", error=f"LAPI {r.status_code}: {r.text[:200]}", decisions=[]), 502 decisions = r.json() or [] @@ -102,11 +109,11 @@ def unban(): if decision_id: if not decision_id.isdigit(): return "invalid id", 400 - r = _lapi("DELETE", f"/v1/decisions/{decision_id}") + r = _machine("DELETE", f"/v1/decisions/{decision_id}") elif ip: if not valid_ip(ip): return "invalid IP", 400 - r = _lapi("DELETE", "/v1/decisions", params={"ip": ip}) + r = _machine("DELETE", "/v1/decisions", params={"ip": ip}) else: return "need id or ip", 400 if r.status_code not in (200, 204): @@ -118,7 +125,7 @@ def unban(): @app.post("/unban-me") def unban_me(): ip = caller_ip() - r = _lapi("DELETE", "/v1/decisions", params={"ip": ip}) + r = _machine("DELETE", "/v1/decisions", params={"ip": ip}) if r.status_code not in (200, 204): return f"LAPI {r.status_code}: {r.text[:200]}", 502 log.info("unban-me by=%s", ip) @@ -128,7 +135,7 @@ def unban_me(): @app.get("/healthz") def healthz(): try: - r = _lapi("GET", "/v1/decisions", params={"limit": 1}) + r = _bouncer("GET", "/v1/decisions", params={"limit": 1}) return jsonify(ok=r.status_code == 200, lapi_status=r.status_code), 200 if r.status_code == 200 else 503 except Exception as e: return jsonify(ok=False, error=str(e)), 503 diff --git a/docker-compose.yml b/docker-compose.yml index aeab00f..7f0e971 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -14,6 +14,7 @@ services: - LAPI_URL=http://host.docker.internal:8080 - LAPI_MACHINE_ID=${LAPI_MACHINE_ID} - LAPI_MACHINE_PASSWORD=${LAPI_MACHINE_PASSWORD} + - LAPI_BOUNCER_KEY=${LAPI_BOUNCER_KEY} - TRUSTED_PROXY_HOPS=1 labels: - "traefik.enable=true"