domverse
5d589915f7
All checks were successful
Deploy / deploy (push) Successful in 19s
LAPI does not let machine JWTs hit GET /v1/decisions even after the machine is validated (returns 403 access forbidden). Conversely, bouncer X-Api-Key does not satisfy DELETE /v1/decisions (returns 401 "cookie token is empty"). The webapp now holds both credentials and routes each call to the right authority. Adds LAPI_BOUNCER_KEY env var + Gitea secret. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
37 lines
1.3 KiB
YAML
37 lines
1.3 KiB
YAML
services:
|
|
crowdsec-admin:
|
|
build:
|
|
context: ./app
|
|
image: crowdsec-admin:local
|
|
container_name: crowdsec-admin
|
|
restart: unless-stopped
|
|
networks:
|
|
- domverse
|
|
extra_hosts:
|
|
- "host.docker.internal:host-gateway"
|
|
environment:
|
|
- TZ=Europe/Berlin
|
|
- LAPI_URL=http://host.docker.internal:8080
|
|
- LAPI_MACHINE_ID=${LAPI_MACHINE_ID}
|
|
- LAPI_MACHINE_PASSWORD=${LAPI_MACHINE_PASSWORD}
|
|
- LAPI_BOUNCER_KEY=${LAPI_BOUNCER_KEY}
|
|
- TRUSTED_PROXY_HOPS=1
|
|
labels:
|
|
- "traefik.enable=true"
|
|
- "traefik.http.routers.crowdsec-admin.rule=Host(`crowdsec.domverse-berlin.eu`)"
|
|
- "traefik.http.routers.crowdsec-admin.entrypoints=https"
|
|
- "traefik.http.routers.crowdsec-admin.tls.certresolver=http"
|
|
- "traefik.http.routers.crowdsec-admin.middlewares=authentik@docker"
|
|
- "traefik.http.services.crowdsec-admin.loadbalancer.server.port=8000"
|
|
|
|
- "kuma.crowdsec-admin.http.name=CrowdSec Admin"
|
|
- "kuma.crowdsec-admin.http.url=https://crowdsec.domverse-berlin.eu"
|
|
- "kuma.crowdsec-admin.http.interval=120"
|
|
- "kuma.crowdsec-admin.http.max_retries=2"
|
|
- "kuma.crowdsec-admin.http.retry_interval=60"
|
|
- "kuma.crowdsec-admin.http.accepted_statuscodes=[\"200-399\"]"
|
|
|
|
networks:
|
|
domverse:
|
|
external: true
|