Help needed for setting up CrowdSec on Proxmox LXCs

What I have are:

  1. Nextcloud

Port 443 (https): router (firewalled) → opnsense (firewalled) → Caddy (Proxmox Debian LXC no. 8167, firewalled & SSL terminated / Let's Encrypt) → Nextcloud (Proxmox Debian LXC no. 8151, firewalled & SSL terminated / custom root CA)

The corresponding Caddyfile:

# NextCloud

nextcloud.foo.tld {
        reverse_proxy https://192.168.8.151:443 {
                header_up Host {upstream_hostport}
                header_up X-Real-IP {remote_host}
                header_up X-Forwarded-For {remote_host}
                header_up X-Forwarded-Proto {scheme}
        }
        log {
                format transform "{common_log}"
                output file /var/log/caddy/access-nextcloud.log
        }
}

  2. Vaultwarden

Port 443 (https): router (firewalled) → opnsense (firewalled) → Caddy (Proxmox Debian LXC no. 8167, firewalled & SSL terminated / Let's Encrypt) → Vaultwarden (Proxmox Debian LXC no. 8158, firewalled & SSL terminated / custom root CA)

The corresponding Caddyfile:

# Vaultwarden

vaultwarden.foo.tld {
        reverse_proxy https://192.168.8.158:8000 {
                header_up Host {upstream_hostport}
                header_up X-Real-IP {remote_host}
                header_up X-Forwarded-For {remote_host}
                header_up X-Forwarded-Proto {scheme}
        }
        log {
                format transform "{common_log}"
                output file /var/log/caddy/access-vaultwarden.log
        }
}

The auth errors can only be seen in the logs on the Nextcloud and Vaultwarden LXCs.

The CrowdSec LAPI runs on a separate LXC.
All LXCs are Debian 12-based.

Will it work if I enable only collections on Nextcloud & Vaultwarden LXCs and a bouncer on Caddy LXC? Do I need collections on Caddy LXC enabled as well?
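Whether the split works depends less on which LXC the collections live on than on what IP the application LXCs write into their logs: the nextcloud and vaultwarden parsers take the client address from the application log, and the bouncer on Caddy matches decisions against the TCP peer it sees. If Nextcloud has no `trusted_proxies` (and `forwarded_for_headers`) entry in config.php, every failed login is logged with the Caddy LXC's address, and the resulting decision bans the proxy, which never appears as a peer on Caddy's public side. Vaultwarden takes the client address from the header named by its `IP_HEADER` setting (default `X-Real-IP`), which the Caddyfile above already sets. The script below is an added example, not code from this thread or from CrowdSec: it scans constructed Nextcloud (JSON) and Vaultwarden log lines modelled on the two applications' failed-login messages, flags events attributed to the proxy (assumed to be 192.168.8.167, following the thread's 8151 → 192.168.8.151 scheme), and counts failures per client IP against an assumed threshold of 5.

```python
"""Sanity check for CrowdSec log processors behind a reverse proxy.

Added example.  The log lines are constructed to mimic Nextcloud's
nextcloud.log (JSON) and Vaultwarden's failed-login message; the proxy
address and the threshold are assumptions, not values from the thread.
"""
import json
import re
from collections import Counter

# Caddy LXC: assumed to be 192.168.8.167 by the same scheme the thread
# uses for LXC 8151 -> 192.168.8.151.
PROXY_IPS = {"192.168.8.167"}
THRESHOLD = 5  # demo threshold; CrowdSec scenarios carry their own

# Failed-login message as Nextcloud writes it into the "message" field.
NC_FAILED = re.compile(r"^Login failed: '(?P<user>[^']*)' \(Remote IP: '(?P<ip>[^']+)'\)$")
# Vaultwarden's identity endpoint error line; [0-9a-fA-F.:] also admits IPv6.
VW_FAILED = re.compile(
    r"Username or password is incorrect\. Try again\. IP: (?P<ip>[0-9a-fA-F.:]+)\. "
    r"Username: (?P<user>\S+)\.$")


def nc_line(i, message, ip, app="core"):
    """Build one constructed nextcloud.log entry (one JSON object per line)."""
    return json.dumps({
        "reqId": f"req{i}", "level": 2, "time": f"2024-05-01T10:00:{i:02d}+00:00",
        "remoteAddr": ip, "user": "--", "app": app, "method": "POST", "url": "/login",
        "message": message, "userAgent": "curl/8.5", "version": "28.0.4.1"})


def nc_failed(user, ip):
    return f"Login failed: '{user}' (Remote IP: '{ip}')"


def vw_line(i, user, ip):
    """Build one constructed Vaultwarden log line."""
    return (f"[2024-05-01 10:01:{i:02d}.000][vaultwarden::api::identity][ERROR] "
            f"Username or password is incorrect. Try again. IP: {ip}. Username: {user}.")


NEXTCLOUD_LOG = [
    nc_line(0, nc_failed("admin", "203.0.113.7"), "203.0.113.7"),
    nc_line(1, nc_failed("admin", "203.0.113.7"), "203.0.113.7"),
    nc_line(2, nc_failed("root", "203.0.113.7"), "203.0.113.7"),
    nc_line(3, nc_failed("admin", "203.0.113.7"), "203.0.113.7"),
    nc_line(4, nc_failed("alice", "198.51.100.23"), "198.51.100.23"),
    nc_line(5, "Memcache not available", "198.51.100.23", app="files"),  # not a login failure
    # What Nextcloud logs when trusted_proxies is missing: the proxy, not the client.
    nc_line(6, nc_failed("admin", "192.168.8.167"), "192.168.8.167"),
    nc_line(7, nc_failed("admin", "192.168.8.167"), "192.168.8.167"),
]

VAULTWARDEN_LOG = [
    vw_line(0, "admin@foo.tld", "203.0.113.7"),
    vw_line(1, "alice@foo.tld", "198.51.100.23"),
    vw_line(2, "bob@foo.tld", "192.168.8.167"),  # same symptom on the Vaultwarden side
    "[2024-05-01 10:01:03.000][vaultwarden::api::notifications][INFO] Starting WebSockets server",
]


def parse_nextcloud(lines):
    """Return failed-login events from nextcloud.log lines."""
    events = []
    for line in lines:
        entry = json.loads(line)
        m = NC_FAILED.match(entry.get("message", ""))
        if m and entry.get("app") == "core":
            events.append({"source": "nextcloud", "ip": m["ip"], "user": m["user"]})
    return events


def parse_vaultwarden(lines):
    """Return failed-login events from Vaultwarden log lines."""
    events = []
    for line in lines:
        m = VW_FAILED.search(line)
        if m:
            events.append({"source": "vaultwarden", "ip": m["ip"], "user": m["user"]})
    return events


def audit(events, proxy_ips=PROXY_IPS, threshold=THRESHOLD):
    """Separate events attributed to the proxy from real client IPs and report
    which clients reach the threshold.  Counting per IP across both
    applications is this demo's choice, not CrowdSec's per-scenario logic."""
    proxy_hits = [e for e in events if e["ip"] in proxy_ips]
    per_ip = Counter(e["ip"] for e in events if e["ip"] not in proxy_ips)
    return {
        "proxy_hits": len(proxy_hits),
        "per_ip": dict(per_ip),
        "ban_candidates": {ip: n for ip, n in per_ip.items() if n >= threshold},
    }


if __name__ == "__main__":
    report = audit(parse_nextcloud(NEXTCLOUD_LOG) + parse_vaultwarden(VAULTWARDEN_LOG))
    if report["proxy_hits"]:
        print(f"WARNING: {report['proxy_hits']} failed logins attributed to the proxy; "
              "fix trusted_proxies / IP_HEADER before trusting any decision")
    for ip, n in report["ban_candidates"].items():
        print(f"{ip}: {n} failures, would be banned")
```

Run it against real log excerpts from the two LXCs before enabling the bouncer: any non-zero proxy count means the parsers are seeing Caddy's address and the decisions the LAPI hands to the bouncer will be useless, whereas a clean run plus `cscli decisions list` on the LAPI showing public IPs means the split (collections on the app LXCs, bouncer on Caddy) is doing what you want.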

Well, it is working. I used this one: Setting up a Multi-Server Security Engine Installation

First, there are missing commands:

sudo -u postgres psql -c 'GRANT all ON SCHEMA public TO db_user' db_name

at least on Debian 12.8.

and this one:

mv /etc/crowdsec/local_api_credentials.yaml /etc/crowdsec/local_api_credentials.yaml.bak

before invoking:

cscli machines add -a --force

Second, it should be indeed

cscli machines add -a --force

and not

cscli machines add -a –force

I have now installed:

  • LAPI (Proxmox LXC Container)
  • Caddy parser and bouncer (Proxmox LXC Container)
  • Vaultwarden parser (Proxmox LXC Container)
  • NextcloudPi parser (Proxmox LXC Container)
  • postfix parser and firewall bouncer (Proxmox LXC Container MTA)
  • dovecot parser and firewall bouncer (Proxmox LXC Container MTA)
  • opnsense wireguard parser and opnsense bouncer on n100 native
  • wordpress parser and bouncer (external VPS)

All native, without Docker or the like. Now testing and evaluating…

BTW.
Caddy compiled with:

xcaddy build \
    --with github.com/hslatman/caddy-crowdsec-bouncer/crowdsec
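The build line above compiles hslatman's caddy-crowdsec-bouncer module in, but the thread never shows how it is wired into the Caddyfile. The following is an added example, not the poster's configuration: it assumes the LAPI LXC is reachable at 192.168.8.150:8080 (a hypothetical address) and that the key was generated on the LAPI host with `cscli bouncers add caddy-bouncer`. The `crowdsec` global block and the `crowdsec` handler inside `route` are the module's own directives; the rest mirrors the Nextcloud site block from the question.

```caddyfile
{
        crowdsec {
                # LAPI LXC (hypothetical address); the bouncer polls it for decisions
                api_url http://192.168.8.150:8080
                # output of: cscli bouncers add caddy-bouncer   (run on the LAPI host)
                api_key REPLACE_WITH_BOUNCER_KEY
                ticker_interval 15s
        }
}

nextcloud.foo.tld {
        route {
                # Consult the CrowdSec decisions before anything is proxied upstream
                crowdsec
                reverse_proxy https://192.168.8.151:443 {
                        header_up Host {upstream_hostport}
                        header_up X-Real-IP {remote_host}
                        header_up X-Forwarded-For {remote_host}
                        header_up X-Forwarded-Proto {scheme}
                }
        }
        log {
                format transform "{common_log}"
                output file /var/log/caddy/access-nextcloud.log
        }
}
```

The handler decides on the address Caddy sees as the TCP peer, which is why the decisions produced on the Nextcloud and Vaultwarden LXCs must name public client IPs: if `cscli decisions list` on the LAPI ever shows 192.168.8.167, the application behind Caddy is logging the proxy instead of the client and the ban blocks nothing. Only the bouncer is required on the Caddy LXC for this to work; the caddy collection is an extra that lets the same host also parse its own access logs.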