fix: use ENV defaults instead of shell syntax for env vars

- StrictExpand doesn't support ${VAR:-default} syntax
- Set default values via ENV in Dockerfile
- Simplify docker.yaml to use plain ${VAR} substitution
- Update README to clarify only CROWDSEC_KEY is required

Author: LaurenceJJones

Dockerfile

@@ -16,6 +16,17 @@ RUN mkdir -p /run/crowdsec-spoa /var/log/crowdsec-spoa && \
 # Final minimal image
 FROM scratch
 
+# Default environment variables (can be overridden at runtime)
+ENV LOG_MODE=stdout \
+    LOG_LEVEL=info \
+    CROWDSEC_URL=http://crowdsec:8080/ \
+    UPDATE_FREQUENCY=10s \
+    INSECURE_SKIP_VERIFY=false \
+    LISTEN_TCP=0.0.0.0:9000 \
+    PROMETHEUS_ENABLED=true \
+    PROMETHEUS_ADDR=0.0.0.0 \
+    PROMETHEUS_PORT=6060
+
 # Copy CA certificates for HTTPS connections to LAPI
 COPY --from=build /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
 

config/crowdsec-spoa-bouncer.docker.yaml

@@ -1,41 +1,39 @@
 ## Docker-optimized configuration for CrowdSec SPOA Bouncer
-## Environment variables can be used for configuration: ${VAR_NAME}
+## Environment variables can override settings: ${VAR_NAME}
+## If a variable is not set, the default value is used.
 
 ## Log configuration
 ## stdout is recommended for Docker (use `docker logs` to view)
-log_mode: ${LOG_MODE:-stdout}
-log_level: ${LOG_LEVEL:-info}
+log_mode: ${LOG_MODE}
+log_level: ${LOG_LEVEL}
 
 ## LAPI configuration
-api_url: ${CROWDSEC_URL:-http://crowdsec:8080/}
+api_url: ${CROWDSEC_URL}
 api_key: ${CROWDSEC_KEY}
-update_frequency: ${UPDATE_FREQUENCY:-10s}
-insecure_skip_verify: ${INSECURE_SKIP_VERIFY:-false}
+update_frequency: ${UPDATE_FREQUENCY}
+insecure_skip_verify: ${INSECURE_SKIP_VERIFY}
 
 ## SPOA listener configuration
-## TCP listener - recommended for Docker networking
-listen_tcp: ${LISTEN_TCP:-0.0.0.0:9000}
-## Unix socket - uncomment if using shared volume with HAProxy
-#listen_unix: ${LISTEN_UNIX:-/run/crowdsec-spoa/spoa.sock}
+listen_tcp: ${LISTEN_TCP}
+#listen_unix: ${LISTEN_UNIX}
 
 ## GeoIP databases (optional, mount as volumes)
-#asn_database_path: ${ASN_DB_PATH:-/var/lib/crowdsec/data/GeoLite2-ASN.mmdb}
-#city_database_path: ${CITY_DB_PATH:-/var/lib/crowdsec/data/GeoLite2-City.mmdb}
+#asn_database_path: /var/lib/crowdsec/data/GeoLite2-ASN.mmdb
+#city_database_path: /var/lib/crowdsec/data/GeoLite2-City.mmdb
 
 ## Global AppSec configuration (optional)
 #appsec_url: ${APPSEC_URL}
-#appsec_timeout: ${APPSEC_TIMEOUT:-200ms}
+#appsec_timeout: ${APPSEC_TIMEOUT}
 
 ## Prometheus metrics endpoint
 prometheus:
-  enabled: ${PROMETHEUS_ENABLED:-true}
-  listen_addr: ${PROMETHEUS_ADDR:-0.0.0.0}
-  listen_port: ${PROMETHEUS_PORT:-6060}
+  enabled: ${PROMETHEUS_ENABLED}
+  listen_addr: ${PROMETHEUS_ADDR}
+  listen_port: ${PROMETHEUS_PORT}
 
 ## pprof debug endpoint (disabled by default)
 ## WARNING: Only enable for debugging, exposes internal runtime data
 #pprof:
-#  enabled: ${PPROF_ENABLED:-false}
-#  listen_addr: ${PPROF_ADDR:-0.0.0.0}
-#  listen_port: ${PPROF_PORT:-6070}
-
+#  enabled: false
+#  listen_addr: 0.0.0.0
+#  listen_port: 6070

docker/README.md

@@ -32,21 +32,20 @@ The Docker image uses a configuration file optimized for containers with extensi
 
 | Variable | Default | Description |
 |----------|---------|-------------|
-| `CROWDSEC_KEY` | *(required)* | API key for CrowdSec LAPI |
+| `CROWDSEC_KEY` | **required** | API key for CrowdSec LAPI |
 | `CROWDSEC_URL` | `http://crowdsec:8080/` | CrowdSec LAPI URL |
 | `LOG_MODE` | `stdout` | Log output: `stdout` or `file` |
 | `LOG_LEVEL` | `info` | Log level: `trace`, `debug`, `info`, `warn`, `error` |
 | `UPDATE_FREQUENCY` | `10s` | How often to poll LAPI for decisions |
 | `INSECURE_SKIP_VERIFY` | `false` | Skip TLS verification for LAPI |
 | `LISTEN_TCP` | `0.0.0.0:9000` | TCP listener address |
-| `LISTEN_UNIX` | *(disabled)* | Unix socket path (uncomment in config) |
 | `PROMETHEUS_ENABLED` | `true` | Enable Prometheus metrics |
 | `PROMETHEUS_ADDR` | `0.0.0.0` | Prometheus listen address |
 | `PROMETHEUS_PORT` | `6060` | Prometheus listen port |
-| `APPSEC_URL` | *(disabled)* | AppSec endpoint URL |
-| `APPSEC_TIMEOUT` | `200ms` | AppSec request timeout |
 | `GOMEMLIMIT` | *(unset)* | Go memory limit (e.g., `200MiB`) |
 
+**Note:** Default values are set in the Docker image. Only `CROWDSEC_KEY` must be provided.
+
 ### Custom Configuration
 
 ```bash