From 5fbad016c3204b023c1c5d762f903ec26c7a226a Mon Sep 17 00:00:00 2001
From: saltydk
Date: Sat, 5 Oct 2024 17:12:16 +0200
Subject: [PATCH] crowdsec: add Traefik router whitelist configuration
---
 roles/crowdsec/defaults/main.yml | 3 +++
 roles/crowdsec/tasks/main.yml | 8 ++++++++
 roles/crowdsec/templates/saltbox.yml.j2 | 22 ++++++++++++++++++++++
 3 files changed, 33 insertions(+)
 create mode 100644 roles/crowdsec/templates/saltbox.yml.j2
diff --git a/roles/crowdsec/defaults/main.yml b/roles/crowdsec/defaults/main.yml
index 67bc0c0796..0082abf89e 100644
--- a/roles/crowdsec/defaults/main.yml
+++ b/roles/crowdsec/defaults/main.yml
@@ -42,6 +42,9 @@ crowdsec_prometheus_level: "full"
 crowdsec_prometheus_listen_addr: "127.0.0.1"
 crowdsec_prometheus_listen_port: "6060"
+# Takes a list of exact router names to ignore when parsing Traefik access logs.
+crowdsec_whitelisted_routers: []
+
 ################################
 # Lookups
 ################################
diff --git a/roles/crowdsec/tasks/main.yml b/roles/crowdsec/tasks/main.yml
index 98882140ed..f3611896bf 100644
--- a/roles/crowdsec/tasks/main.yml
+++ b/roles/crowdsec/tasks/main.yml
@@ -150,6 +150,14 @@
 group: "root"
 mode: "0644"
+- name: Import 'saltbox.yml'
+ ansible.builtin.template:
+ src: saltbox.yml.j2
+ dest: "/etc/crowdsec/parsers/s02-enrich/saltbox.yml"
+ owner: "root"
+ group: "root"
+ mode: "0600"
+
 - name: Enable and restart 'crowdsec' service
 ansible.builtin.systemd_service:
 name: crowdsec
diff --git a/roles/crowdsec/templates/saltbox.yml.j2 b/roles/crowdsec/templates/saltbox.yml.j2
new file mode 100644
index 0000000000..b4a0f98b41
--- /dev/null
+++ b/roles/crowdsec/templates/saltbox.yml.j2
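Review bot: The comment on `crowdsec_whitelisted_routers` in roles/crowdsec/defaults/main.yml understates what listing a router does. The template added later in this patch also emits a `<name>-http` entry for every item, and a parser whitelist discards all matching access and error log events before any scenario evaluates them, so attacks against the services behind those routers produce no CrowdSec alerts. I would spell that out, for example `# Router names whose Traefik log events CrowdSec ignores entirely ('<name>-http' is matched too); listed routers never trigger alerts or bans.`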
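Review bot: Nothing validates the router names before the new `Import 'saltbox.yml'` task in roles/crowdsec/tasks/main.yml renders them into the parser and the following task restarts the service. The template places each item inside a single-quoted expression literal (`'{{ item }}'`), so an entry containing a quote or other stray characters would either produce a parser CrowdSec may refuse to load or change what the whitelist matches. An `ansible.builtin.assert` task ahead of the template task would catch this at deploy time; the character set below is a suggestion and should be adjusted to the router names actually in use. The same check would be worth applying to the instance lists the template also loops over.

```yaml
- name: Validate 'crowdsec_whitelisted_routers'
  ansible.builtin.assert:
    that:
      - crowdsec_whitelisted_routers is sequence
      - crowdsec_whitelisted_routers is not string
      - crowdsec_whitelisted_routers | reject('match', '^[A-Za-z0-9_.@-]+$') | list | length == 0
    fail_msg: "crowdsec_whitelisted_routers must be a list of plain Traefik router names"

# … unchanged: Import 'saltbox.yml' template task …
```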
@@ -0,0 +1,22 @@
+name: saltbox/traefik-router-allowlist
+description: "Allowlist events from specific Traefik routers"
+filter: "evt.Meta.service == 'http' && evt.Meta.log_type in ['http_access-log', 'http_error-log']"
+whitelist:
+ reason: "Traefik Router Allowlist"
+ expression:
+{% for item in plex_instances %}
+ - evt.Meta.traefik_router_name == '{{ item }}'
+ - evt.Meta.traefik_router_name == '{{ item }}-http'
+{% endfor %}
+{% for item in jellyfin_instances %}
+ - evt.Meta.traefik_router_name == '{{ item }}'
+ - evt.Meta.traefik_router_name == '{{ item }}-http'
+{% endfor %}
+{% for item in emby_instances %}
+ - evt.Meta.traefik_router_name == '{{ item }}'
+ - evt.Meta.traefik_router_name == '{{ item }}-http'
+{% endfor %}
+{% for item in crowdsec_whitelisted_routers %}
+ - evt.Meta.traefik_router_name == '{{ item }}'
+ - evt.Meta.traefik_router_name == '{{ item }}-http'
+{% endfor %}
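Review bot: The Plex, Jellyfin and Emby loops make those routers permanently exempt, with no variable to turn the built-in entries off, while only the fourth loop is driven by the new `crowdsec_whitelisted_routers` default. Because the filter covers both `http_access-log` and `http_error-log`, every logged request to those routers, including failed logins and probing, is whitelisted, which looks like a larger detection gap than the commit title suggests. I would gate the three built-in loops behind a role default, e.g. wrapping them in `{% if crowdsec_whitelist_media_servers | default(true) %}` … `{% endif %}` (the variable name is a proposal, not an existing setting), and say so in `description`. Separately, if all four lists were ever empty, `expression:` would render with no items, so it is worth confirming how CrowdSec treats that before relying on it.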