this post was submitted on 20 Jun 2025
26 points (100.0% liked)

Selfhosted

48963 readers
1062 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago
MODERATORS
ruud@lemmy.world
Loki@lemmy.world
CannaVet@lemmy.world
devve@lemmy.world
HybridSarcasm@lemmy.world
HybridSarcasm@lemmy.hybridsarcasm.xyz
26
Suggestions for crowdsec + caddy + docker setup (lemmy.dbzer0.com)
submitted 1 week ago* (last edited 1 week ago) by whysofurious@lemmy.dbzer0.com to c/selfhosted@lemmy.world
7 comments fedilink hide all child comments
 

Hi all!

I'll try to be quick but I apologise first as I am pretty new to security stuff and my questions might be obvious to the more experts.

I have a VPS (hetzner) set up with docker, caddy for the reverse proxy, and authentik as the only login method for a couple of services (hedgedoc and forgejo). Since most of these has to be available and accessible on the internet, I also setup crowdsec and built caddy with the relevant bouncer. This allows crowdsec to inspect the caddy logs for all the services I am serving through it and act accordingly. Edit: all the services are in docker containers.

So far, so good. However, I also saw that crowdsec can directly monitor container logs with the docker integration or through container labels. Also, I saw a couple of collections on crowdsec hub specifically for Authentik and Gitea.

I feel I am missing something so my question are:

  1. Would it be useful to monitor container logs given my setup or would it be redundant?
  2. Should I add the app-specific collections, or would docker logs monitoring be enough?

My current crowdsec collections

  • crowdsecurity/linux
  • crowdsecurity/appsec-generic-rules
  • crowdsecurity/caddy
  • crowdsecurity/whitelist-good-actors
  • crowdsecurity/http-cve
  • crowdsecurity/iptables

Edit: bonus question, does someone know if the Gitea collection would be useful for Forgejo after it being a hard-fork now?

you are viewing a single comment's thread
view the rest of the comments
[–] just_another_person@lemmy.world 5 points 1 week ago* (last edited 1 week ago) (1 children)

You only need Crowdsec to monitor the exposed service ports. If Authentik is exposed, and has a Crowdsec plugin, then add it. Otherwise, you're just wasting resources having it watch things it can't take action with.

If you just need something to consolidate logs where you can watch them, use a centralized logging tool for that job.

[–] whysofurious@lemmy.dbzer0.com 2 points 1 week ago (1 children)

Thanks for the answer :) make sense, I will go through with the plugins for the services I have exposed, although not all of them have crowdsec collections.

[–] just_another_person@lemmy.world 1 points 1 week ago (1 children)

You can easily create custom rules and bouncers if needed for something specific as well. They're templatized for the most part. Possibly even something a stupid AI could kick out, but make sure you know what it's doing, and don't trust it outright.

[–] whysofurious@lemmy.dbzer0.com 1 points 1 week ago

Thanks for the input, yes I was mostly thinking about hedgedoc, that doesn't have parsers or anything. I need to delve more into crowdsec logic and rules before trying to do my own thing, for sure. Thanks a lot tough, I followed your advice and I got Crowdsec working on both Authentik and Forgejo :)