@LaurenceJJones
Last active February 29, 2024 10:50
crowdsec init script
#!/bin/bash
##########
## Maintained by Laurence from CrowdSec
## Discord: https://discord.gg/crowdsec
## Website: https://www.crowdsec.net/
## Docs: https://docs.crowdsec.net/
##########
# Linode users can change these variables through the UI
# DigitalOcean users should uncomment and edit the variables below
# ------------------------------------------------------------------------------
#VERSION="1.6.0" # CrowdSec version to install; check https://github.com/crowdsecurity/crowdsec/releases/latest for the latest release
#COLLECTIONS="" # Additional collections to install after auto-detection
#CONSOLEKEY="" # Console enrolment key (sign up at https://app.crowdsec.net/); treat it as a secret
#FIREWALL="nftables" # nftables or iptables
# ------------------------------------------------------------------------------
# ------------------------------------------------------------------------------
# Script start
# You shouldn't need to scroll past here unless you want to know what it does
# ------------------------------------------------------------------------------
## These set the defaults; they are the variables the rest of the script uses
# ------------------------------------------------------------------------------
# Effective settings: a value supplied through the environment (VERSION,
# COLLECTIONS, CONSOLEKEY, FIREWALL) is used as-is, otherwise the default applies.
CROWDSEC_VERSION=${VERSION:-1.6.0}
COLLECTIONS=${COLLECTIONS-}
# Enrolment key for the CrowdSec console; empty means "do not enrol".
CONSOLE_ENROLL=${CONSOLEKEY-}
FIREWALL=${FIREWALL:-nftables}
# ------------------------------------------------------------------------------
## You don't need to change these unless you want to change the defaults
## Database config
MAX_ITEMS=100000 # How many items to keep in the database before flushing old ones
MAX_AGE=14d # How long to keep items in the database before flushing them
# ------------------------------------------------------------------------------
# General helpers
# ------------------------------------------------------------------------------
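detect_distro() {
  # Print the package family of the running system: "deb" or "rpm".
  # Outputs: the family name on stdout; the error message on stderr.
  # Returns: 0 on success; exits with status 1 on an unsupported system.
  #
  # Callers use this inside $(...), so the error text must not go to stdout
  # (it would be captured as the distro name) and the exit only ends the
  # command substitution - callers have to check the status themselves.
  if [ -f /etc/debian_version ]; then
    echo "deb"
  elif [ -f /etc/redhat-release ]; then
    echo "rpm"
  else
    echo "Unsupported distribution." >&2
    exit 1
  fi
}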
echo_separator() {
  # Print a fixed dashed rule to visually separate stages in the output.
  printf '%s\n' "----------------------"
}
# ------------------------------------------------------------------------------
# Install
# ------------------------------------------------------------------------------
# uses curl or wget depending on what is available
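download() {
  # Fetch a URL into an existing directory, keeping the remote file name.
  # Arguments: $1 - URL to fetch
  #            $2 - destination directory (must already exist)
  # Outputs:   diagnostics on stderr
  # Returns:   the downloader's exit status, so callers can tell a failed
  #            transfer from a successful one. Exits the script with status 1
  #            on bad arguments, an unusable destination, or when neither curl
  #            nor wget is installed.
  local url=$1 dest_dir=$2 rc
  if [ -z "$url" ]; then
    echo "download() requires a URL as first argument" >&2
    exit 1
  fi
  if [ -z "$dest_dir" ]; then
    echo "download() requires a destination directory as second argument" >&2
    exit 1
  fi
  if [ ! -d "$dest_dir" ]; then
    echo "$dest_dir is not a directory" >&2
    exit 1
  fi
  if command -v curl >/dev/null; then
    # older versions of curl don't support --output-dir, so curl is run from
    # inside the destination directory. The failure branch uses { } rather
    # than ( ): an exit inside a subshell would not stop the script and curl
    # would then write into whatever the current directory happens to be.
    cd "$dest_dir" || { echo "Could not cd to $dest_dir" >&2; exit 1; }
    curl -sSLO --fail "$url"
    rc=$?
    cd - >/dev/null
    # report curl's status, not that of the cd back
    return "$rc"
  elif command -v wget >/dev/null; then
    wget -nv -P "$dest_dir" "$url"
  else
    echo "Neither curl nor wget is available, cannot download files." >&2
    exit 1
  fi
}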
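install_crowdsec_from_repo() {
  # Add the CrowdSec package repository and install the pinned CrowdSec version.
  # Globals:   CROWDSEC_VERSION (read), distro (written)
  # Outputs:   progress on stdout, errors on stderr
  # Returns:   status of the last cleanup command; exits with status 1 when the
  #            distribution is unsupported or the setup script cannot be fetched
  local script_name script_url workdir

  # distro is deliberately not local: detect_and_install_base_firewall reads it.
  # The status check matters because an exit inside $(...) does not stop the script.
  distro=$(detect_distro) || {
    echo "Could not detect a supported distribution, aborting." >&2
    exit 1
  }
  echo "Installing CrowdSec $CROWDSEC_VERSION for a ${distro}-based distribution."
  script_name="script.${distro}.sh"
  script_url="https://packagecloud.io/install/repositories/crowdsec/crowdsec/${script_name}"

  # Download into a private directory from mktemp rather than a fixed name in
  # the shared /tmp: this script runs with the privileges needed to install
  # packages, so the file it executes must not sit at a predictable path that
  # other local users can create or replace.
  workdir=$(mktemp -d) || {
    echo "Could not create a temporary directory" >&2
    exit 1
  }
  # Never run a missing or empty file if the transfer failed.
  if ! download "$script_url" "$workdir" || [ ! -s "$workdir/$script_name" ]; then
    echo "Could not download $script_url" >&2
    rm -rf -- "${workdir:?}"
    exit 1
  fi

  echo "Installing the repository.."
  # NOTE(review): the setup script is executed exactly as fetched; there is no
  # checksum or signature check here, so its integrity rests on the HTTPS
  # transport and on the hosting service.
  bash "$workdir/$script_name"
  if [ "$distro" = "deb" ]; then
    apt-get update
    apt-get install -y "crowdsec=$CROWDSEC_VERSION"
  elif [ "$distro" = "rpm" ]; then
    dnf install -y "crowdsec-$CROWDSEC_VERSION"
  fi
  rm -rf -- "${workdir:?}"
}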
detect_and_install_base_firewall () {
  # Make sure the firewall backend named by $FIREWALL is present: when its
  # command is missing, remove the other backend's package, install the
  # wanted one and enable its service.
  # Globals: FIREWALL (read), distro (read - set by the calling function)
  local probe wanted unwanted
  case "$FIREWALL" in
    nftables)
      probe="nft"
      wanted="nftables"
      unwanted="iptables"
      ;;
    iptables)
      probe="iptables"
      wanted="iptables"
      unwanted="nftables"
      ;;
    *)
      # any other value: nothing to do
      return 0
      ;;
  esac

  # Backend command already available: leave the system as it is.
  if command -v "$probe" >/dev/null; then
    return 0
  fi

  echo "$wanted not found, installing it"
  case "$distro" in
    deb)
      apt-get remove -y "$unwanted"
      apt-get install -y "$wanted"
      ;;
    rpm)
      dnf remove -y "$unwanted"
      dnf install -y "$wanted"
      ;;
  esac
  systemctl enable --now "${wanted}.service"
}
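install_firewall_remediation() {
  # Install the CrowdSec firewall bouncer package that matches $FIREWALL,
  # after making sure the firewall backend itself is present.
  # Globals:   FIREWALL (read), distro (written)
  # Outputs:   progress on stdout, errors on stderr
  # Returns:   status of the package install; exits with status 1 when a
  #            bouncer is requested on an unsupported distribution
  case "$FIREWALL" in
    nftables | iptables) ;;
    *)
      echo "No firewall remediation to install"
      return 0
      ;;
  esac

  # distro is deliberately not local: detect_and_install_base_firewall reads it.
  # An exit inside $(...) only ends the substitution, so check the status here
  # instead of carrying on with an error message stored as the distro name.
  distro=$(detect_distro) || {
    echo "Could not detect a supported distribution, aborting." >&2
    exit 1
  }

  echo "Installing $FIREWALL remediation"
  detect_and_install_base_firewall
  case "$distro" in
    deb) apt-get install -y "crowdsec-firewall-bouncer-$FIREWALL" ;;
    rpm) dnf install -y "crowdsec-firewall-bouncer-$FIREWALL" ;;
  esac
}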
install_crowdsec() {
  # Installation stage: print a separator line, then install CrowdSec from
  # the package repository.
  echo_separator
  install_crowdsec_from_repo
}
# ------------------------------------------------------------------------------
# Configure
# ------------------------------------------------------------------------------
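configure_database() {
  # Write the database overrides (WAL mode and flush limits) to CrowdSec's
  # local configuration file.
  # Globals: MAX_ITEMS (read), MAX_AGE (read)
  # Outputs: a progress line on stdout; replaces the target file
  # Returns: status of the write
  local target="/etc/crowdsec/config.yaml.local"
  echo "updating config.yaml.local..."
  # The nesting is significant YAML: use_wal and flush belong under db_config,
  # and the two limits under flush. A plain <<EOT (no dash) is used so the
  # leading spaces reach the file untouched; the delimiter is unquoted so
  # $MAX_ITEMS and $MAX_AGE are expanded.
  # NOTE: '>' replaces any existing config.yaml.local.
  cat <<EOT > "$target"
db_config:
  use_wal: true
  flush:
    max_items: $MAX_ITEMS
    max_age: $MAX_AGE
EOT
}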
enroll_instance_to_app() {
  # Enrol this instance in the CrowdSec console when an enrolment key was
  # provided; do nothing otherwise.
  # Globals: CONSOLE_ENROLL (read)
  # NOTE(review): the key is passed as a command-line argument, so it is
  # visible in the process list while cscli runs - treat the key as exposed
  # to other local users for that time.
  [ -n "$CONSOLE_ENROLL" ] || return 0
  cscli console enroll "$CONSOLE_ENROLL"
}
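install_collections () {
  # Install the additional collections listed in $COLLECTIONS, if any.
  # Globals: COLLECTIONS (read) - one or more collection names separated by
  #          whitespace
  # Returns: status of cscli, or 0 when there is nothing to install
  local -a names=()
  [ -n "$COLLECTIONS" ] || return 0
  # Split the list into separate arguments. Passing "$COLLECTIONS" as one
  # quoted word would hand cscli a single name containing spaces as soon as
  # more than one collection is requested. read does not glob-expand, so the
  # names are taken literally. With -d '' read returns non-zero at end of
  # input even though the array is filled, hence the '|| true'.
  IFS=$' \t\n' read -r -d '' -a names <<< "$COLLECTIONS" || true
  [ "${#names[@]}" -gt 0 ] || return 0
  cscli collections install --ignore "${names[@]}"
}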
# ------------------------------------------------------------------------------
# Run
# ------------------------------------------------------------------------------
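start_crowdsec_service() {
  # Start the crowdsec service when it is not already running.
  # Returns: status of 'systemctl start', or 0 when the service is active
  #
  # The check is negated on purpose: starting only an already-active service
  # would never bring up a stopped one.
  if ! systemctl is-active --quiet crowdsec; then
    systemctl start crowdsec
  fi
}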
restart_crowdsec_service() {
  # Restart the crowdsec service, but only when it is currently active; a
  # stopped or failed service is left alone.
  # NOTE(review): if the service is not active at this point, the settings
  # written earlier are not loaded by this step - confirm that is intended.
  systemctl is-active --quiet crowdsec || return 0
  systemctl restart crowdsec
}
# ------------------------------------------------------------------------------
# Provisioning sequence, run in this exact order: install CrowdSec, write the
# database settings, enrol in the console, add extra collections, restart the
# service, and finally install the firewall bouncer.
for step in \
  install_crowdsec \
  configure_database \
  enroll_instance_to_app \
  install_collections \
  restart_crowdsec_service \
  install_firewall_remediation; do
  "$step"
done
##########
# Linode UDF
# <UDF name="firewall" label="Firewall Remediation" oneOf="nftables,iptables" />
# <UDF name="version" label="Crowdsec Version" default="1.6.0" example="Please see latest version https://github.com/crowdsecurity/crowdsec/releases/latest"/>
# <UDF name="collections" label="Additional Collections" default="" example="Additional collections you wish to install"/>
# <UDF name="consolekey" label="Console Enrolment Key" default="" example="Enrolment key of the CrowdSec console"/>
##########