K3S/addons/crowdsec/role/tasks/main.yml

---
- name: Add CrowdSec Helm repo
  kubernetes.core.helm_repository:
    name: crowdsec
    repo_url: "{{ crowdsec_chart_repo }}"
  environment:
    KUBECONFIG: "{{ k3s_kubeconfig_path }}"

- name: Deploy CrowdSec via Helm
  kubernetes.core.helm:
    name: crowdsec
    chart_ref: crowdsec/crowdsec
    chart_version: "{{ crowdsec_version }}"
    release_namespace: "{{ crowdsec_namespace }}"
    create_namespace: true
    wait: true
    timeout: "10m0s"
    values:
      container_runtime: "{{ crowdsec_container_runtime }}"
      lapi:
        env: >-
          {{
            ([{'name': 'ENROLL_KEY', 'value': crowdsec_enroll_key},
              {'name': 'ENROLL_INSTANCE_NAME', 'value': crowdsec_instance_name},
              {'name': 'ENROLL_TAGS', 'value': crowdsec_enroll_tags}])
            if crowdsec_enroll_key
            else []
          }}
        persistentVolume:
          config:
            enabled: "{{ crowdsec_lapi_storage_enabled | bool }}"
            size: "{{ crowdsec_lapi_storage_size }}"
            storageClassName: "{{ crowdsec_lapi_storage_class }}"
        resources: "{{ crowdsec_lapi_resources }}"
      agent:
        acquisition: "{{ crowdsec_acquisition }}"
        env:
          - name: COLLECTIONS
            value: "{{ crowdsec_collections }}"
        resources: "{{ crowdsec_agent_resources }}"
  environment:
    KUBECONFIG: "{{ k3s_kubeconfig_path }}"

- name: Deploy CrowdSec nginx bouncer
  kubernetes.core.helm:
    name: crowdsec-nginx-bouncer
    chart_ref: crowdsec/crowdsec-nginx-bouncer
    chart_version: "{{ crowdsec_nginx_bouncer_version }}"
    release_namespace: "{{ crowdsec_namespace }}"
    create_namespace: false
    wait: true
    timeout: "5m0s"
    values:
      bouncer:
        crowdsec_lapi_url: "http://crowdsec-service.{{ crowdsec_namespace }}.svc.cluster.local:8080"
  environment:
    KUBECONFIG: "{{ k3s_kubeconfig_path }}"
  when: crowdsec_nginx_bouncer_enabled | bool

- name: Show CrowdSec access info
  ansible.builtin.debug:
    msg:
      - "══════════════════════════════════════════════"
      - " CrowdSec установлен"
      - "══════════════════════════════════════════════"
      - " Namespace:  {{ crowdsec_namespace }}"
      - " Runtime:    {{ crowdsec_container_runtime }}"
      - " Коллекции: {{ crowdsec_collections }}"
      - "{% if crowdsec_enroll_key %} Статус энролмента: см. https://app.crowdsec.net{% endif %}"
      - "──────────────────────────────────────────────"
      - " Статус агентов:"
      - "   kubectl exec -n {{ crowdsec_namespace }} deploy/crowdsec -- cscli metrics"
      - " Список решений (бан/разбан):"
      - "   kubectl exec -n {{ crowdsec_namespace }} deploy/crowdsec -- cscli decisions list"
      - " Список алертов:"
      - "   kubectl exec -n {{ crowdsec_namespace }} deploy/crowdsec -- cscli alerts list"
      - "──────────────────────────────────────────────"
      - "{% if not crowdsec_nginx_bouncer_enabled %} Nginx bouncer не установлен."
      - " Включи: crowdsec_nginx_bouncer_enabled: true{% endif %}"
      - "══════════════════════════════════════════════"