authorKevin Daudt <kdaudt@alpinelinux.org>2022-06-05 16:16:57 +0000
committerKevin Daudt <kdaudt@alpinelinux.org>2022-06-05 16:18:08 +0000
commitc08036b2191f2d06207decfb8f1e0992245df542 (patch)
tree208d0b0047c665eac04cd8f56fa88e3a63f52419
parente26c1e065b8395ab57bca8ed5d2d323d7e99aeb8 (diff)
testing/cs-firewall-bouncer: new aport
Crowdsec firewall bouncer, which enforces crowdsec decisions through various firewall backends.
-rw-r--r--testing/cs-firewall-bouncer/APKBUILD49
-rw-r--r--testing/cs-firewall-bouncer/awall-policy.json19
-rw-r--r--testing/cs-firewall-bouncer/cs-firewall-bouncer.initd10
3 files changed, 78 insertions, 0 deletions
diff --git a/testing/cs-firewall-bouncer/APKBUILD b/testing/cs-firewall-bouncer/APKBUILD
new file mode 100644
index 0000000000..15c2b9a335
--- /dev/null
+++ b/testing/cs-firewall-bouncer/APKBUILD
@@ -0,0 +1,49 @@
+# Contributor: Kevin Daudt <kdaudt@alpinelinux.org>
+# Maintainer: Kevin Daudt <kdaudt@alpinelinux.org>
+pkgname=cs-firewall-bouncer
+pkgver=0.0.23
+pkgrel=0
+pkgdesc="Crowdsec bouncer for firewalls"
+url="https://github.com/crowdsecurity/cs-firewall-bouncer"
+arch="all"
+license="MIT"
+makedepends="go gettext"
+subpackages="$pkgname-openrc $pkgname-awall::noarch"
+options="!check" # no tests
+source="$pkgname-$pkgver.tar.gz::https://github.com/crowdsecurity/cs-firewall-bouncer/archive/refs/tags/v$pkgver.tar.gz
+ cs-firewall-bouncer.initd
+ awall-policy.json
+ "
+
+export GOFLAGS="$GOFLAGS -modcacherw"
+export GOCACHE=$srcdir/go-build
+
+build() {
+ make BUILD_VERSION=$pkgver BUILD_TAG=master
+}
+
+package() {
+ install -Dm0755 crowdsec-firewall-bouncer -t "$pkgdir"/usr/bin/
+ install -dm0755 "$pkgdir"/etc/crowdsec/bouncers
+ BACKEND=iptables API_KEY="" envsubst \
+ <config/crowdsec-firewall-bouncer.yaml \
+ >"$pkgdir"/etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml
+
+ install -Dm0755 "$srcdir"/$pkgname.initd \
+ "$pkgdir"/etc/init.d/cs-firewall-bouncer
+}
+
+awall() {
+ pkgdesc="crowdsec bouncer awall policy"
+ depends="$pkgname"
+ install_if="awall $pkgname=$pkgver-r$pkgrel"
+
+ install -Dm0644 "$srcdir"/awall-policy.json \
+ "$subpkgdir"/etc/awall/optional/cs-firewall-bouncer.json
+}
+
+sha512sums="
+8b8599829a4799b3a5f0391b9cd749c042ffd178ace2c05e9ae0ec63bf69ce70ecd1fb83de29c1e9a70f115961e26e69c47f17e42888ef4807d84946c678596c cs-firewall-bouncer-0.0.23.tar.gz
+edaf9cd6af81586fa1b4469f623f5c284934accf3d3717a6d53a9fab964b906f046d45507609c792813bb10977be5fe3a01944d1ec85d7f99579218393eed06d cs-firewall-bouncer.initd
+1d1226e47a2950a2141303da9f5be57cfeee664de9b84cf91791d71034390e6e6a58f0b570939ad7576ccdf5cfe6b3c4f2069aaa98c6e98869d609d6b81f1552 awall-policy.json
+"
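Review bot: The rendered config in package() is written by shell redirection (`>"$pkgdir"/etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml`), so its mode comes from the build umask and is typically world-readable. The `API_KEY=""` substitution suggests this is the file where the admin later stores the bouncer's API key, so I would set the mode explicitly after rendering, e.g. `chmod 0600 "$pkgdir"/etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml`. Separately, `envsubst` without a variable list expands every `$VAR` reference in the upstream template from the build environment. Restricting it with `envsubst '$BACKEND $API_KEY'` keeps any unrelated references intact and makes the output independent of the builder's environment.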
diff --git a/testing/cs-firewall-bouncer/awall-policy.json b/testing/cs-firewall-bouncer/awall-policy.json
new file mode 100644
index 0000000000..dd0e2d785a
--- /dev/null
+++ b/testing/cs-firewall-bouncer/awall-policy.json
@@ -0,0 +1,19 @@
+{
+ "description": "Integration with cs-firewall-bouncer in ipset mode",
+
+ "ipset": {
+ "crowdsec-blacklists": { "type": "hash:ip", "family": "inet" },
+ "crowdsec6-blacklists": { "type": "hash:ip", "family": "inet6" }
+ },
+
+ "filter": [
+ {
+ "in": "adp-wan",
+ "ipset": [
+ { "name": "crowdsec-blacklists", "args": ["in"] },
+ { "name": "crowdsec6-blacklists", "args": ["in"] }
+ ],
+ "action": "drop"
+ }
+ ]
+}
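Review bot: The policy's description says it integrates with the bouncer "in ipset mode", but the APKBUILD in this commit renders the default config with `BACKEND=iptables`, so installing the awall subpackage alone appears to leave the two out of step. JSON cannot carry a comment, so I would state the requirement in the description string itself, e.g. `"description": "Integration with cs-firewall-bouncer; requires the bouncer to be configured for the ipset backend"`. The drop rule also matches only traffic entering through `adp-wan`, a zone not defined in this file. The policy presumably depends on another awall policy providing that zone, which is worth stating in the same place.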
diff --git a/testing/cs-firewall-bouncer/cs-firewall-bouncer.initd b/testing/cs-firewall-bouncer/cs-firewall-bouncer.initd
new file mode 100644
index 0000000000..54f957d5dd
--- /dev/null
+++ b/testing/cs-firewall-bouncer/cs-firewall-bouncer.initd
@@ -0,0 +1,10 @@
+#!/sbin/openrc-run
+
+command=/usr/bin/crowdsec-firewall-bouncer
+command_args="-c /etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml"
+pidfile="/run/${RC_SVCNAME}.pid"
+command_background=true
+
+depend() {
+ after firewall
+}
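Review bot: Nothing restarts the bouncer if it exits: the script backgrounds it with `command_background=true` and a pidfile but declares no supervisor. A crash therefore leaves new decisions unenforced until someone notices the service is down. Running it under `supervisor=supervise-daemon` would respawn it, and setting `output_log`/`error_log` would keep whatever it prints to stdout/stderr, which is otherwise lost for a backgrounded command. A one-line comment above `depend()` saying why `after firewall` is needed (presumably so the firewall's sets and chains exist before the bouncer touches them) would also help the next maintainer.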