fix(crowdsec): fetch bouncer binary from GitHub releases in Docker build.

Avoids flaky packagecloud/apt installs and systemd postinst failures during image build.

Co-authored-by: Cursor <cursoragent@cursor.com>

Author: imevul

contrib/crowdsec/Dockerfile.bouncer

@@ -1,14 +1,34 @@
 # EvuProxy CrowdSec nftables bouncer — host network + NET_ADMIN updates inet evuproxy.
-# Built locally by install.sh / docker compose (no official CrowdSec bouncer image on Docker Hub).
+# Binary from official GitHub releases (no packagecloud/apt during image build).
 
 FROM debian:bookworm-slim
 
+ARG BOUNCER_VERSION=0.0.34
+ARG TARGETARCH
+
+ENV DEBIAN_FRONTEND=noninteractive
+
 RUN apt-get update \
-	&& apt-get install -y --no-install-recommends curl ca-certificates gettext-base \
-	&& curl -fsSL https://packagecloud.io/install/repositories/crowdsec/crowdsec/script.deb.sh | bash \
-	&& apt-get install -y --no-install-recommends crowdsec-firewall-bouncer-nftables \
+	&& apt-get install -y --no-install-recommends ca-certificates curl gettext-base \
 	&& rm -rf /var/lib/apt/lists/*
 
+RUN set -e; \
+	raw_arch="${TARGETARCH:-$(dpkg --print-architecture)}"; \
+	case "$raw_arch" in \
+	amd64) bouncer_arch=amd64 ;; \
+	arm64) bouncer_arch=arm64 ;; \
+	arm|armhf|armv7) bouncer_arch=armv7 ;; \
+	386|i386) bouncer_arch=386 ;; \
+	ppc64le) bouncer_arch=ppc64le ;; \
+	riscv64) bouncer_arch=riscv64 ;; \
+	s390x) bouncer_arch=s390x ;; \
+	*) echo "unsupported architecture for cs-firewall-bouncer: ${raw_arch}" >&2; exit 1 ;; \
+	esac; \
+	curl -fsSL "https://github.com/crowdsecurity/cs-firewall-bouncer/releases/download/v${BOUNCER_VERSION}/crowdsec-firewall-bouncer-linux-${bouncer_arch}.tgz" \
+	| tar -xzf - -C /tmp; \
+	install -m 0755 "/tmp/crowdsec-firewall-bouncer-v${BOUNCER_VERSION}/crowdsec-firewall-bouncer" /usr/local/bin/crowdsec-firewall-bouncer; \
+	rm -rf "/tmp/crowdsec-firewall-bouncer-v${BOUNCER_VERSION}"
+
 COPY docker-bouncer-entrypoint.sh /entrypoint.sh
 RUN chmod +x /entrypoint.sh
 

contrib/crowdsec/README.md

@@ -62,7 +62,7 @@ CROWDSEC_INSTALL_YES=1 CROWDSEC_INSTALL_MODE=docker make crowdsec-install
 | [`acquis.yaml.example`](acquis.yaml.example) | Log sources (copied to `acquis.yaml` by install) |
 | [`docker-compose.example.yaml`](docker-compose.example.yaml) | Docker: CrowdSec + locally built nft bouncer (`Dockerfile.bouncer`) |
 | [`docker-bouncer.yaml.example`](docker-bouncer.yaml.example) | Docker bouncer config (copied to `docker-bouncer.yaml` by install) |
-| [`Dockerfile.bouncer`](Dockerfile.bouncer) | Builds `evuproxy-crowdsec-firewall-bouncer:local` from CrowdSec packages |
+| [`Dockerfile.bouncer`](Dockerfile.bouncer) | Builds `evuproxy-crowdsec-firewall-bouncer:local` (GitHub release binary + config) |
 | [`native-bouncer.yaml.example`](native-bouncer.yaml.example) | Native nft bouncer config template (table/set for EvuProxy) |
 | [`.env.example`](.env.example) | Docker: bouncer API key template (install writes `.env`) |
 | [`.install-mode`](.install-mode) | Legacy copy beside this directory (gitignored) |
@@ -232,6 +232,7 @@ Store the API key in `/etc/evuproxy/crowdsec-bouncer.key` when merging manually.
 | Symptom | Things to check |
 |---------|------------------|
 | Install fails: missing key | Run `install.sh bouncer-key` or delete bouncer and re-run install (see script message) |
+| Bouncer image build fails | Ensure GitHub releases are reachable from the host; re-run `docker compose -f docker-compose.example.yaml build crowdsec-firewall-bouncer`. Or use native: `CROWDSEC_INSTALL_MODE=native make crowdsec-install` |
 | Bouncer auth errors | `.env` key matches `cscli bouncers list`; LAPI at `http://127.0.0.1:8080` |
 | No decisions | Hub collection installed; logs acquired (`cscli metrics show acquisition`) |
 | Set always empty | Bouncer running with `NET_ADMIN`, `network_mode: host`; EvuProxy `crowdsec.enabled` + reload |