my-self-host-services/crowdsec/docker-compose.yaml

networks:
  caddy:
    name: caddy
    driver: bridge
    external: true

services:
  crowdsec:
    image: crowdsecurity/crowdsec:latest-debian
    container_name: crowdsec
    restart: unless-stopped
    labels:
      - "com.centurylinklabs.watchtower.enable=true"
    environment:
      TZ: "Etc/UTC"
      USE_WAL: "true"
      COLLECTIONS: >-
        crowdsecurity/linux
        crowdsecurity/caddy
        crowdsecurity/http-cve
        crowdsecurity/sshd
        crowdsecurity/whitelist-good-actors
        crowdsecurity/appsec-virtual-patching
        crowdsecurity/appsec-generic-rules
        LePresidente/gitea
        Dominic-Wagner/vaultwarden
      BOUNCER_KEY_caddy: "${CROWDSEC_BOUNCER_KEY_CADDY}"
      BOUNCER_KEY_firewall: "${CROWDSEC_BOUNCER_KEY_FW}"
      BOUNCER_KEY_exporter: "${CROWDSEC_BOUNCER_KEY_EXPORTER}"
      ENROLL_KEY: "${CROWDSEC_ENROLL_KEY:-}"
      ENROLL_INSTANCE_NAME: "${CROWDSEC_ENROLL_INSTANCE_NAME:-aykhans-prod}"
    ports:
      - "127.0.0.1:18080:8080"
    networks:
      - caddy
    volumes:
      - ./data/db:/var/lib/crowdsec/data
      - ./data/config:/etc/crowdsec
      - ./acquis.d:/etc/crowdsec/acquis.d:ro
      - ./profiles/profiles.yaml:/etc/crowdsec/profiles.yaml:ro
      - ./parsers/s00-raw/stalwart-logs.yaml:/etc/crowdsec/parsers/s00-raw/stalwart-logs.yaml:ro
      - ./parsers/s01-parse/stalwart-logs-extended.yaml:/etc/crowdsec/parsers/s01-parse/stalwart-logs-extended.yaml:ro
      - ./parsers/s02-enrich/whitelist-trusted.yaml:/etc/crowdsec/parsers/s02-enrich/whitelist-trusted.yaml:ro
      - ./scenarios/stalwart-smtp-bruteforce.yaml:/etc/crowdsec/scenarios/stalwart-smtp-bruteforce.yaml:ro
      - ./scenarios/stalwart-auth-bruteforce.yaml:/etc/crowdsec/scenarios/stalwart-auth-bruteforce.yaml:ro
      - ./scenarios/http-admin-interface-probing.yaml:/etc/crowdsec/scenarios/http-admin-interface-probing.yaml:ro
      - /var/log/journal:/var/log/journal:ro
      - /run/log/journal:/run/log/journal:ro
      - /etc/machine-id:/etc/machine-id:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
    logging:
      driver: "json-file"
      options:
        max-size: "100m"
        max-file: "3"

  exporter:
    build: ./exporter
    container_name: crowdsec_exporter
    restart: unless-stopped
    networks:
      - caddy
    environment:
      CROWDSEC_LAPI_URL: "http://crowdsec:8080"
      CROWDSEC_API_KEY: "${CROWDSEC_BOUNCER_KEY_EXPORTER}"
      POLL_INTERVAL_SECS: "30"
      LISTEN_PORT: "9100"
      GEOIP_CITY_DB: "/geoip/GeoLite2-City.mmdb"
    volumes:
      - ./data/geoip:/geoip:ro
    depends_on:
      - crowdsec
    logging:
      driver: "json-file"
      options:
        max-size: "50m"
        max-file: "3"

  geoipupdate:
    image: ghcr.io/maxmind/geoipupdate:v7
    container_name: crowdsec_geoipupdate
    restart: unless-stopped
    labels:
      - "com.centurylinklabs.watchtower.enable=true"
    environment:
      GEOIPUPDATE_ACCOUNT_ID: "${MAXMIND_ACCOUNT_ID}"
      GEOIPUPDATE_LICENSE_KEY: "${MAXMIND_LICENSE_KEY}"
      GEOIPUPDATE_EDITION_IDS: "GeoLite2-City"
      GEOIPUPDATE_FREQUENCY: "24"
    volumes:
      - ./data/geoip:/usr/share/GeoIP
    logging:
      driver: "json-file"
      options:
        max-size: "10m"
        max-file: "2"