secubox-openwrt/package/secubox/secubox-app-cs-firewall-bouncer/files/crowdsec-bouncer.defaults
CyberMind-FR 4e5d5275f9 refactor: Merge secubox-app-crowdsec-bouncer into cs-firewall-bouncer
- Move UCI defaults script for auto-registration to cs-firewall-bouncer
- Remove redundant secubox-app-crowdsec-bouncer wrapper package
- Update luci-app-crowdsec-dashboard reference to new package name
- Increment PKG_RELEASE to 3

The defaults script handles:
- Automatic bouncer registration with CrowdSec LAPI
- Interface detection for LAN/WAN
- API key generation and UCI config update

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-17 06:46:09 +01:00


#!/bin/sh
#
# CrowdSec Firewall Bouncer - UCI Defaults Script
# Automatically configures and registers the firewall bouncer on first install
#
# Name the bouncer is registered under with the local CrowdSec LAPI; it is
# also the init script name quoted to the user at the end of the run.
readonly BOUNCER_NAME="crowdsec-firewall-bouncer"
# Main CrowdSec UCI package. The bouncer section is merged into this file.
readonly CONFIG_FILE="/etc/config/crowdsec"
# Optional UCI template for the bouncer section, shipped by this package.
readonly BOUNCER_CONFIG="/etc/config/crowdsec-bouncer"
# Function to check if CrowdSec is installed and running
# Verify that CrowdSec is usable from this script: cscli must be on PATH and
# the local API must answer. Prints a one-line hint on stdout on failure.
# Returns 0 when both checks pass, 1 otherwise.
check_crowdsec() {
    command -v cscli >/dev/null 2>&1 || {
        echo "CrowdSec (cscli) not found. Please install crowdsec first."
        return 1
    }
    # Registration below talks to the LAPI, so a stopped service is fatal here.
    cscli lapi status >/dev/null 2>&1 || {
        echo "CrowdSec LAPI not running. Start crowdsec service first."
        return 1
    }
    return 0
}
# Function to register bouncer and get API key
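# Register $BOUNCER_NAME with the local CrowdSec LAPI and store the returned
# API key in UCI (crowdsec.bouncer.api_key).
#
# Reads:    BOUNCER_NAME
# Writes:   crowdsec.bouncer.api_key via uci, then commits the package
# Returns:  0 when the bouncer is registered (newly or already), 1 when
#           cscli did not return a usable key.
register_bouncer() {
    local api_key existing_key

    # Exact-name check against the raw (CSV) listing: the previous substring
    # grep also matched any bouncer whose name merely contains ours
    # (e.g. "crowdsec-firewall-bouncer-2"), which skipped registration.
    if cscli bouncers list -o raw 2>/dev/null \
        | awk -F, -v want="$BOUNCER_NAME" 'NR > 1 && $1 == want { found = 1 } END { exit !found }'; then
        echo "Bouncer '$BOUNCER_NAME' already registered"
        # cscli only reveals a key at creation time, so an existing
        # registration is only usable if the key is already stored in UCI.
        existing_key=$(uci -q get crowdsec.bouncer.api_key)
        if [ -z "$existing_key" ]; then
            echo "No API key stored in UCI for '$BOUNCER_NAME'; the existing key cannot be recovered."
            echo "Regenerate it with: cscli bouncers delete $BOUNCER_NAME && cscli bouncers add $BOUNCER_NAME"
            echo "then store it with: uci set crowdsec.bouncer.api_key=<key>; uci commit crowdsec"
        fi
        return 0
    fi

    echo "Registering bouncer '$BOUNCER_NAME' with CrowdSec LAPI..."
    # Only stdout (the key) is captured; stderr is left alone so the reason
    # for a failed registration reaches the uci-defaults log.
    api_key=$(cscli bouncers add "$BOUNCER_NAME" -o raw)
    if [ -z "$api_key" ] || [ "$api_key" = "null" ]; then
        echo "Failed to register bouncer"
        return 1
    fi

    echo "Bouncer registered successfully"
    # The key is a bearer credential for the LAPI: it is persisted through
    # uci and deliberately never echoed.
    # NOTE(review): uci commit rewrites /etc/config/crowdsec with the default
    # file mode (typically 0644), so the key is readable by any local account
    # on the device; tighten the mode if non-root users exist. Confirm.
    uci set crowdsec.bouncer.api_key="$api_key"
    uci commit crowdsec
    return 0
}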
# Function to detect network interfaces
# Print the LAN and WAN device names, space separated and LAN first, so the
# caller can word-split the result. Each side is taken from
# network.<iface>.device, then network.<iface>.ifname, then a fixed guess
# (br-lan / eth1) when UCI has neither.
detect_interfaces() {
    local lan wan

    lan=$(uci -q get network.lan.device)
    [ -n "$lan" ] || lan=$(uci -q get network.lan.ifname)
    [ -n "$lan" ] || lan="br-lan"

    wan=$(uci -q get network.wan.device)
    [ -n "$wan" ] || wan=$(uci -q get network.wan.ifname)
    [ -n "$wan" ] || wan="eth1"

    echo "$lan $wan"
}
# Function to merge bouncer config into main crowdsec config
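# Ensure /etc/config/crowdsec has a 'bouncer' section. If one already
# exists nothing is touched; otherwise it is created from $BOUNCER_CONFIG
# (when present) or from built-in defaults, the interface list is filled
# from detect_interfaces, and the package is committed.
#
# Reads:    BOUNCER_CONFIG, detect_interfaces
# Writes:   crowdsec.bouncer.* via uci
# Returns:  0 when the section already existed; otherwise the status of
#           the final 'uci commit'.
merge_config() {
    local ifaces iface

    if uci -q get crowdsec.bouncer >/dev/null 2>&1; then
        return 0
    fi

    echo "Creating bouncer section in /etc/config/crowdsec..."
    if [ -f "$BOUNCER_CONFIG" ]; then
        # -m merges the template into the existing package. Without it, uci
        # import replaces the whole 'crowdsec' package and writes it to disk
        # immediately, dropping every other section of /etc/config/crowdsec.
        uci -q -m import crowdsec < "$BOUNCER_CONFIG"
    fi
    # Built-in defaults when there was no template, or when the template did
    # not define a section named 'bouncer' (the name the rest of this script
    # and the messages to the user rely on).
    if ! uci -q get crowdsec.bouncer >/dev/null 2>&1; then
        uci set crowdsec.bouncer=bouncer
        # Disabled until the user has reviewed the config and the key exists.
        uci set crowdsec.bouncer.enabled='0'
        uci set crowdsec.bouncer.ipv4='1'
        uci set crowdsec.bouncer.ipv6='1'
        # Loopback LAPI: plain http is acceptable here, not across a network.
        uci set crowdsec.bouncer.api_url='http://127.0.0.1:8080/'
        uci set crowdsec.bouncer.update_frequency='10s'
        uci set crowdsec.bouncer.deny_action='drop'
        uci set crowdsec.bouncer.deny_log='1'
        uci set crowdsec.bouncer.log_prefix='CrowdSec: '
        uci set crowdsec.bouncer.log_level='info'
        uci set crowdsec.bouncer.filter_input='1'
        uci set crowdsec.bouncer.filter_forward='1'
    fi

    # Replace any interface list with the detected LAN/WAN devices.
    ifaces=$(detect_interfaces)
    uci delete crowdsec.bouncer.interface 2>/dev/null
    for iface in $ifaces; do
        uci add_list crowdsec.bouncer.interface="$iface"
    done
    uci commit crowdsec
}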
# Function to load nftables kernel modules
# Best-effort load of the nftables modules the bouncer relies on. Failures
# (module built into the kernel, already loaded, or absent) are silenced;
# the return status is that of the last modprobe.
load_nftables_modules() {
    local mod
    for mod in nf_tables nft_chain_nat nf_nat; do
        modprobe "$mod" 2>/dev/null
    done
}
# Main execution
# Entry point: merge the UCI section, load kernel modules, then register the
# bouncer if CrowdSec is reachable. Always finishes with status 0 so the
# one-shot script is treated as done (see the exit 0 when CrowdSec is absent).
main() {
    echo "Configuring CrowdSec Firewall Bouncer..."

    # Config first, so the section and interface list exist even when the
    # LAPI is down and registration has to be completed by hand later.
    merge_config
    load_nftables_modules

    # A missing or stopped CrowdSec is reported, not treated as an error.
    check_crowdsec || {
        echo "CrowdSec not ready. Bouncer registration skipped."
        echo "Run 'cscli bouncers add $BOUNCER_NAME' manually after starting crowdsec."
        exit 0
    }

    if ! register_bouncer; then
        echo "Bouncer registration failed. You may need to register manually:"
        echo " cscli bouncers add $BOUNCER_NAME"
        return
    fi
    echo "Bouncer configuration complete"
    echo "Enable the bouncer with: uci set crowdsec.bouncer.enabled='1'; uci commit crowdsec"
    echo "Start the service with: /etc/init.d/crowdsec-firewall-bouncer enable && /etc/init.d/crowdsec-firewall-bouncer start"
}
# Run the installer; each step prints its own diagnostics.
main

# One-shot: remove this script so it is not re-run on the next boot. Note
# that this happens even when registration was skipped above, so it is not
# retried automatically. The path presumably matches the name the package
# installs this file under — confirm against the Makefile.
rm -f -- /etc/uci-defaults/99_crowdsec-bouncer
exit 0