secubox-openwrt/package/secubox/secubox-app-crowdsec/files/crowdsec.defaults
CyberMind-FR 2168d76f96 fix: CrowdSec defaults - disable CAPI & improve setup robustness
Package Installation Improvements:
- Automatically create /etc/machine-id from UUID if missing
- Disable Central API (CAPI) by default in config.yaml
- Create minimal online_api_credentials.yaml to prevent errors
- Add fallback curl download for hub index (works around 403 errors)
- Make all setup commands non-fatal with || true

CAPI Status:
- Disabled by default due to HTTP 403 errors from api.crowdsec.net
- Custom User-Agent (crowdsec/v1.7.4-openwrt-*) appears blocked
- Can be manually enabled with: cscli console enroll <key>
- Local-only mode provides full SSH brute-force protection

Hub Updates:
- Manual curl download works (HTTP 200)
- cscli hub update fails (HTTP 403)
- Weekly auto-update via curl in defaults script

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-01-06 16:49:45 +01:00

53 lines
2.1 KiB
Bash

#!/bin/sh
CONFIG=/etc/crowdsec/config.yaml

# Sync data_dir and db_path from UCI into config.yaml.
# Skip the rewrite when UCI returns nothing, so a failed lookup cannot blank the setting.
data_dir=$(uci get "crowdsec.crowdsec.data_dir")
[ -n "$data_dir" ] && sed -i "s,^\(\s*data_dir\s*:\s*\).*\$,\1$data_dir," "$CONFIG"
db_path=$(uci get "crowdsec.crowdsec.db_path")
[ -n "$db_path" ] && sed -i "s,^\(\s*db_path\s*:\s*\).*\$,\1$db_path," "$CONFIG"

# Create data dir & permissions if needed
if [ -n "$data_dir" ] && [ ! -d "$data_dir" ]; then
    mkdir -m 0755 -p "$data_dir"
fi

# Create machine-id if not exists
if [ ! -f /etc/machine-id ]; then
    tr -d "-" < /proc/sys/kernel/random/uuid > /etc/machine-id
fi

# Register local API machine
if grep -q "login:" /etc/crowdsec/local_api_credentials.yaml 2>/dev/null; then
    echo "Local API already registered"
else
    echo "Registering local API machine..."
    cscli -c "$CONFIG" machines add -a -f /etc/crowdsec/local_api_credentials.yaml
fi

# Disable online_client (CAPI) by default - can be enabled manually later
# Match any indentation: online_client is nested under api.server in config.yaml
if grep -q "^[[:space:]]*online_client:" "$CONFIG" 2>/dev/null; then
    echo "Disabling Central API (CAPI) - running in local-only mode"
    sed -i 's/^\([[:space:]]*\)online_client:/\1# online_client:/' "$CONFIG"
    sed -i 's,^\([[:space:]]*\)credentials_path: /etc/crowdsec/online_api_credentials.yaml,\1# credentials_path: /etc/crowdsec/online_api_credentials.yaml,' "$CONFIG"
fi

# Create minimal online_api_credentials.yaml to prevent errors
if [ ! -f /etc/crowdsec/online_api_credentials.yaml ]; then
    echo "url: https://api.crowdsec.net/" > /etc/crowdsec/online_api_credentials.yaml
fi

# Update hub index manually (cscli hub update may fail with 403)
# Refresh when the index is missing or older than 7 days
if [ ! -f /etc/crowdsec/hub/.index.json ] || [ "$(find /etc/crowdsec/hub/.index.json -mtime +7 2>/dev/null | wc -l)" -gt 0 ]; then
    echo "Updating hub index..."
    # -f: treat HTTP errors (e.g. 403) as failures so an error page is never installed as the index
    curl -sf -o /tmp/.index.json.new https://cdn-hub.crowdsec.net/crowdsecurity/master/.index.json 2>/dev/null && \
        mv /tmp/.index.json.new /etc/crowdsec/hub/.index.json || \
        cscli hub update 2>/dev/null || true
fi

# Install default collections
cscli collections install crowdsecurity/linux 2>/dev/null || true
cscli parsers install crowdsecurity/whitelists 2>/dev/null || true
cscli hub upgrade 2>/dev/null || true

exit 0
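
The fallback hub index download in the script above, as an added example that is not part of the secubox-openwrt script: it downloads next to the destination, makes curl fail on HTTP errors, and refuses to install a body that is not a JSON object. The function names are hypothetical, and the content check is a sanity check only, not an authenticity check.

```shell
#!/bin/sh
# Added example, not from secubox-openwrt; function names are hypothetical.

# looks_like_index FILE: succeed only if FILE is non-empty and its first and
# last non-whitespace characters are { and }. Rejects HTML or text error
# bodies (such as a 403 page); it does not prove who produced the file.
looks_like_index() {
    [ -s "$1" ] || return 1
    first=$(tr -d ' \t\r\n' < "$1" | head -c 1)
    last=$(tr -d ' \t\r\n' < "$1" | tail -c 1)
    [ "$first" = "{" ] && [ "$last" = "}" ]
}

# install_index CANDIDATE DEST: replace DEST only if CANDIDATE passes the check.
# CANDIDATE should sit in DEST's directory so mv is a same-filesystem rename
# and readers never see a half-written index.
install_index() {
    candidate=$1
    dest=$2
    if looks_like_index "$candidate"; then
        # mktemp creates the file 0600; restore the usual mode before swapping
        chmod 0644 "$candidate" && mv -f "$candidate" "$dest"
    else
        rm -f "$candidate"
        return 1
    fi
}

# refresh_index URL DEST: download into an unpredictable temp name beside DEST
# (not a fixed /tmp path), then validate and install.
refresh_index() {
    url=$1
    dest=$2
    tmp=$(mktemp "$(dirname "$dest")/.index.json.XXXXXX") || return 1
    # --fail: HTTP >= 400 exits non-zero instead of saving the error page
    if curl --fail --silent --show-error --max-time 30 --proto '=https' \
            -o "$tmp" "$url"; then
        install_index "$tmp" "$dest"
    else
        rm -f "$tmp"
        return 1
    fi
}

# Usage with the URL and path from the script above:
# refresh_index https://cdn-hub.crowdsec.net/crowdsecurity/master/.index.json \
#     /etc/crowdsec/hub/.index.json || cscli hub update || true
```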