[infrastructure] Add CrowdSec LAPI container to self-hosted setup script#5880
📝 Walkthrough
Adds optional CrowdSec integration to the getting-started script: prompt, config variables, docker-compose service generation, bouncer registration with retries, conditional proxy env entries, cleanup, and post-setup enrollment instructions.
Sequence Diagram(s)
```mermaid
sequenceDiagram
    participant User
    participant Script as getting-started.sh
    participant Traefik as Built-in Traefik (proxy)
    participant Cscli as cscli (local)
    participant CrowdSec as crowdsec container
    User->>Script: run setup (select built-in Traefik + enable proxy)
    Script->>Script: read_enable_crowdsec() prompt
    alt CrowdSec enabled
        Script->>Script: create local crowdsec/ dir & render docker-compose with crowdsec service
        Script->>Traefik: start core services (phase 1, depends_on crowdsec health)
        Traefik->>Script: proxy token created
        Script->>Cscli: attempt bouncer registration (poll readiness, up to 30 tries)
        alt cscli returns bouncer key
            Cscli->>Script: return bouncer key
            Script->>Script: persist CROWDSEC_BOUNCER_KEY
            Script->>Traefik: append NB_PROXY_CROWDSEC_API_URL/KEY to proxy env
        else readiness failed or empty key
            Script->>Script: set ENABLE_CROWDSEC="false" and skip CrowdSec setup
        end
    end
```
Estimated code review effort: 🎯 4 (Complex) | ⏱️ ~45 minutes
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@infrastructure_files/getting-started.sh`:
- Around line 649-653: The healthcheck currently uses "cscli capi status" which
checks Central API and can cause rate limiting; it should use "cscli lapi
status" to properly check Local API readiness for CrowdSec. Update the
healthcheck test command from "cscli capi status" to "cscli lapi status" in the
healthcheck section and similarly update the wait loop command at the specified
earlier line to use "cscli lapi status" instead of "cscli capi status".
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
♻️ Duplicate comments (1)
infrastructure_files/getting-started.sh (1)
472-486: ⚠️ Potential issue | 🟡 Minor
Use `cscli lapi status` for the wait loop to match the healthcheck.
The wait loop uses `cscli capi status` while the healthcheck (line 650) correctly uses `cscli lapi status`. This inconsistency should be resolved—bouncer registration requires the Local API to be ready, not the Central API. Additionally, frequent `cscli capi status` calls can trigger rate-limiting on CrowdSec's Central API.
🔧 Suggested fix
if [[ "$ENABLE_CROWDSEC" == "true" ]]; then echo "Registering CrowdSec bouncer..." local cs_retries=0 - while ! $DOCKER_COMPOSE_COMMAND exec -T crowdsec cscli capi status >/dev/null 2>&1; do + while ! $DOCKER_COMPOSE_COMMAND exec -T crowdsec cscli lapi status >/dev/null 2>&1; do cs_retries=$((cs_retries + 1)) if [[ $cs_retries -ge 30 ]]; then echo "WARNING: CrowdSec did not become ready. Skipping CrowdSec setup." > /dev/stderr🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@infrastructure_files/getting-started.sh` around lines 472 - 486, The wait loop currently checks CrowdSec readiness with "cscli capi status" which queries the Central API and can trigger rate limits; change the command used in the loop to "cscli lapi status" so it waits on the Local API (matching the healthcheck and ensuring bouncer registration waits for the correct service). Update the while condition that references $DOCKER_COMPOSE_COMMAND exec -T crowdsec cscli capi status to use cscli lapi status, keeping the retry/sleep logic, error messages, and the ENABLE_CROWDSEC toggle unchanged.
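Review bot: The `cs_retries -ge 30` branch fails open: when the Local API never becomes ready the script prints a single warning and skips CrowdSec setup, so an operator who opted in ends up with a running proxy that has no CrowdSec checks. Consider repeating that outcome in the final setup summary or exiting non-zero, and write the warning with `>&2` rather than `> /dev/stderr`. The loop also discards all cscli output through `>/dev/null 2>&1`, so keeping the last error and printing it with the warning would make a timeout diagnosable.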
🧹 Nitpick comments (1)
infrastructure_files/getting-started.sh (1)
447-452: Consider using an array for service names.
The unquoted `$core_services` relies on word splitting to pass multiple service names. While functional, using a bash array would be more explicit and avoids shellcheck warnings.
♻️ Optional improvement
if [[ "$ENABLE_PROXY" == "true" ]]; then # Phase 1: Start core services (without proxy) - local core_services="traefik dashboard netbird-server" + local -a core_services=(traefik dashboard netbird-server) if [[ "$ENABLE_CROWDSEC" == "true" ]]; then - core_services="$core_services crowdsec" + core_services+=(crowdsec) fi echo "Starting core services..." - $DOCKER_COMPOSE_COMMAND up -d $core_services + $DOCKER_COMPOSE_COMMAND up -d "${core_services[@]}"🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@infrastructure_files/getting-started.sh` around lines 447 - 452, The code builds a space-separated string in the local variable core_services and relies on unquoted word splitting when calling $DOCKER_COMPOSE_COMMAND up -d $core_services; change core_services to a Bash array (e.g., declare -a core_services) and append items with core_services+=("traefik" "dashboard" "netbird-server") and core_services+=("crowdsec") inside the ENABLE_CROWDSEC branch, then invoke the compose command with "$DOCKER_COMPOSE_COMMAND" up -d "${core_services[@]}" to avoid word-splitting issues and shellcheck warnings.
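Review bot: The last line of the suggestion still expands `$DOCKER_COMPOSE_COMMAND` unquoted, so the call keeps depending on word splitting for the command itself after `core_services` becomes an array, and the shellcheck warning this change is meant to remove would remain for that variable. If the command can be more than one word, store it as an array as well and call `"${DOCKER_COMPOSE_COMMAND[@]}" up -d "${core_services[@]}"`; quoting it as a single string, as the agent prompt text suggests, only works for a one-word command.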
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Duplicate comments:
In `@infrastructure_files/getting-started.sh`:
- Around line 472-486: The wait loop currently checks CrowdSec readiness with
"cscli capi status" which queries the Central API and can trigger rate limits;
change the command used in the loop to "cscli lapi status" so it waits on the
Local API (matching the healthcheck and ensuring bouncer registration waits for
the correct service). Update the while condition that references
$DOCKER_COMPOSE_COMMAND exec -T crowdsec cscli capi status to use cscli lapi
status, keeping the retry/sleep logic, error messages, and the ENABLE_CROWDSEC
toggle unchanged.
---
Nitpick comments:
In `@infrastructure_files/getting-started.sh`:
- Around line 447-452: The code builds a space-separated string in the local
variable core_services and relies on unquoted word splitting when calling
$DOCKER_COMPOSE_COMMAND up -d $core_services; change core_services to a Bash
array (e.g., declare -a core_services) and append items with
core_services+=("traefik" "dashboard" "netbird-server") and
core_services+=("crowdsec") inside the ENABLE_CROWDSEC branch, then invoke the
compose command with "$DOCKER_COMPOSE_COMMAND" up -d "${core_services[@]}" to
avoid word-splitting issues and shellcheck warnings.



Describe your changes
Add optional CrowdSec IP reputation support to the self-hosted getting-started.sh script.
Documentation
Select exactly one:
Docs PR URL (required if "docs added" is checked)
Paste the PR link from https://github.com/netbirdio/docs here:
netbirdio/docs#698
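The flow from the walkthrough and sequence diagram (poll the Local API with a retry cap, register the bouncer, reject an empty key), as an added example that is not code from this PR or from getting-started.sh. The function names and the bouncer name `netbird-proxy` are assumptions; the functions only run docker when called.

```shell
#!/bin/sh
# Added example. compose, wait_for_lapi, register_bouncer, setup_crowdsec and
# the bouncer name "netbird-proxy" are assumed names, not taken from the PR.

# Wrapper function instead of a command string, so nothing is word-split.
compose() { docker compose "$@"; }

# Poll the Local API (lapi), never the Central API (capi), up to $1 tries with
# $2 seconds between tries. On timeout, report cscli's last error on stderr.
wait_for_lapi() {
    max_tries=$1 delay=$2 tries=0
    while ! last_err=$(compose exec -T crowdsec cscli lapi status 2>&1 >/dev/null); do
        tries=$((tries + 1))
        if [ "$tries" -ge "$max_tries" ]; then
            printf 'CrowdSec LAPI not ready after %s tries: %s\n' "$tries" "$last_err" >&2
            return 1
        fi
        sleep "$delay"
    done
}

# Register a bouncer and print its API key. An empty key counts as failure, so
# a blank value is never written into NB_PROXY_CROWDSEC_API_KEY.
register_bouncer() {
    key=$(compose exec -T crowdsec cscli bouncers add "$1" -o raw 2>/dev/null) || return 1
    key=$(printf '%s' "$key" | tr -d '\r\n')
    [ -n "$key" ] || return 1
    printf '%s\n' "$key"
}

# Returns 0 and prints the key; 2 = LAPI timeout, 3 = registration failed.
# Distinct codes let the caller decide explicitly whether to continue without
# CrowdSec rather than silently disabling it.
setup_crowdsec() {
    wait_for_lapi "${1:-30}" "${2:-2}" || return 2
    register_bouncer "${3:-netbird-proxy}" || return 3
}
```

A caller can branch on the exit status of `setup_crowdsec` and surface a timeout or failed registration in its final summary.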