Using CrowdSec in macvlans

Hey there

I have a problem with, and am confused about, using CrowdSec on Docker containers, specifically on macvlans.

Before I start:
I have a NAS and a Raspberry Pi with docker-compose and Portainer. I'm using nginx and about 20 services, each in different stacks with addressed IPs. This is perfect for me, because I'm running Uptime Kuma with Gotify by just pinging an IP to see if it's running.

The issue I'm facing now is that I don't use "LAMP stacks" like one machine with 3 services. My docker-compose file just adds 3 services together, but every single service gets its own container and addressed IP. The problem now is that I'm running out of IPs soon, but I can create another subnet for that.

Now my question:
How can I secure my containers and host systems "smart"?

For example, Nextcloud looks like this (I shrank everything, for sure):

services:
  db:
    image: postgres
    networks:
      nextcloud:
        ipv4_address: 192.168.178.34   # every service gets its own macvlan address

  redis:
    image: redis
    networks:
      nextcloud:
        ipv4_address: 192.168.178.36

  nextcloud:
    image: nextcloud
    networks:
      nextcloud:
        ipv4_address: 192.168.178.33

networks:
  nextcloud:
    name: nasmcvlan      # pre-created macvlan network shared by all stacks
    external: true

As I saw, to secure Nextcloud properly you need the CrowdSec agent and the Nextcloud collection, but also SSH and Apache. Because of that it's hard to run just 1 agent and just install the bouncers on all containers.

I understand CrowdSec and how it's working, and I managed to create a bouncer, an API key the bouncer runs with (shared by the agent), and also connected the agent to the console.

Long story short: I have no clue how to set up CrowdSec properly and what would be "overkill".
Normally I want to secure my hosts (Raspberry Pi and NAS), and every container host with different services on it.

  1. CrowdSec needs to be on each container
    1.1. Because it needs permission to see system logs like SSH or Apache, unless I mount every damn logfile of every service somewhere central
    1.2. How do I make it persistent if I restart the container?
  2. The bouncer needs to be on each container
    2.1. Because I want to block on that
    2.2. Is it possible with a new IP / container or network_mode: host? Can the bouncer block properly then?

I hope someone has an idea for me on how to get, for example, the agents running on each container persistently.

Best wishes, and sorry for my bad English :)

I'm not sure how your question is related to CrowdSec, but I would share my view on your deployment.

  • I don't understand the reason to expose internal services. docker-compose gives you an "internal" network for free: all services of a compose file are connected to this network by default, so you don't need to expose internal services like redis and postgres, which gives additional (or maybe absolute) security.
  • I would recommend exposing only the "front-end" service, in this case the Nextcloud application container. Other services are automatically protected by Docker!
  • Next, you might review how you expose the services externally, because you usually trust your internal network and don't need protection there. Usually you use a reverse proxy like nginx, Caddy or Traefik as the external entry point, so you can move your border to this one service exposed externally; no need to add CrowdSec to each service you run.
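One way to lay out the stack the way this reply suggests, as an added example and not the poster's own compose file (the image and collection names, the 192.168.178.33 address, the volume names and the assumption that the crowdsec image's default acquisition reads /var/log/nginx are all assumptions, not values from the thread):

```yaml
services:
  proxy:                                 # the only service with a macvlan address
    image: nginx
    networks:
      lan:
        ipv4_address: 192.168.178.33     # constructed; adjust to your macvlan subnet
      backend: {}
    volumes:
      - proxy-logs:/var/log/nginx        # border logs, shared read-only with the agent

  nextcloud:
    image: nextcloud
    networks: [backend]                  # no macvlan address: unreachable from the LAN
    depends_on: [db, redis]

  db:
    image: postgres
    networks: [backend]                  # reachable only from containers on "backend"

  redis:
    image: redis
    networks: [backend]

  crowdsec:                              # one central agent watching only the border
    image: crowdsecurity/crowdsec
    environment:
      COLLECTIONS: "crowdsecurity/nginx" # assumed collection name; verify with cscli hub list
    volumes:
      - proxy-logs:/var/log/nginx:ro
      - crowdsec-config:/etc/crowdsec           # keeps hub items and acquis.yaml
      - crowdsec-data:/var/lib/crowdsec/data    # keeps the local database across restarts
    networks: [backend]

networks:
  lan:
    name: nasmcvlan                      # the pre-created macvlan from the first post
    external: true
  backend: {}                            # default compose bridge: outbound NAT only,
                                         # nothing on the LAN can initiate a connection

volumes:
  proxy-logs:
  crowdsec-config:
  crowdsec-data:
```

Only the proxy's address is visible on the LAN, so the bouncer that enforces CrowdSec decisions needs to sit in front of that one service rather than in every container.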

First of all, thank you for replying that fast.

  • Is this forum wrong for me in general? I thought I had a question about CrowdSec and just opened a ticket; sorry then!

  • I guess two worlds are crashing here, as dev and hobby dev at home. That's fairly a good point. I crashed my Pi-hole + Unbound by using bridged mode, moved on with macvlan and never turned back. Seems I have to dive deeper into "depends_on" in my docker-compose file.

  • Normally I trust my network, but since I'm running a VPN, maybe someone gets in at some time.

I found a way today by using one central agent and sideloading the dockered version of the firewall bouncer with the Docker flag:

network_mode: "container:xyz"

I know that this isn't recommended and maybe it won't work in the end, but as you mentioned, I should think about my network again in general.

Thank you very much for answering, besides the fact that I may be in the wrong place here!
