No changes to IP rules [docker]

[travisboss]

Attaching to cloudflare-bouncer
cloudflare-bouncer  | time="19-05-2024 13:25:48" level=info msg="Starting crowdsec-cloudflare-bouncer v0.2.1-6b30687c25027607083926cb2112dd06e04dae59"
cloudflare-bouncer  | time="19-05-2024 13:25:48" level=info msg="Using API key auth"
cloudflare-bouncer  | time="19-05-2024 13:25:49" level=info msg="created firewall rule for managed_challenge action" account_id=[redacted] zone_id=[redacted]
cloudflare-bouncer  | time="19-05-2024 13:25:49" level=info msg="created firewall rule for managed_challenge action" account_id=[redacted] zone_id=[redacted]
cloudflare-bouncer  | time="19-05-2024 13:25:50" level=info msg="created firewall rule for managed_challenge action" account_id=[redacted] zone_id=[redacted]
cloudflare-bouncer  | time="19-05-2024 13:25:50" level=info msg="setup of firewall rules complete" account_id=[redacted]
cloudflare-bouncer  | time="19-05-2024 13:26:20" level=info msg="processing decisions with scope=Ip" account_id=[redacted]
cloudflare-bouncer  | time="19-05-2024 13:26:20" level=info msg="no changes to IP rules "
cloudflare-bouncer  | time="19-05-2024 13:26:20" level=info msg="done processing decisions with scope=Ip" account_id=[redacted]

Not sure what is going on, I checked and I have no rules on any of my domains and no main firewall rule, I ran this to remove everything to make sure. sudo docker run --rm -it -v ./cloudflare/cfg.yaml:/etc/crowdsec/bouncers/crowdsec-cloudflare-bouncer.yaml --name BouncerRecovery 'crowdsecurity/cloudflare-bouncer' -d

Here are the API permissions:

But no matter what I do I get No changes to IP rules which means I have zero rules added to cloudflare.

Here is my cfg.yaml

# Config generated by using /etc/crowdsec/bouncers/crowdsec-cloudflare-bouncer.yaml as base
crowdsec_lapi_url: http://crowdsec:8080/
crowdsec_lapi_key: [redacted]
crowdsec_update_frequency: 10s
include_scenarios_containing: [] # ignore IPs banned for triggering scenarios not containing either of provided word
exclude_scenarios_containing: [] # ignore IPs banned for triggering scenarios containing either of provided word
only_include_decisions_from: [] # only include IPs banned due to decisions orginating from provided sources. eg value ["cscli", "crowdsec"]cloudflare_config:
    accounts:
        - id: [redacted]
          zones:
            - zone_id: [redacted]
              actions:
                - managed_challenge
            - zone_id: [redacted]
              actions:
                - managed_challenge
            - zone_id: [redacted]
              actions:
                - managed_challenge
          token: [redacted]
          ip_list_prefix: crowdsec
          default_action: managed_challenge
          total_ip_list_capacity: 9990 # only this many latest IP decisions would be kept
    update_frequency: 30s
daemon: false
log_mode: stdout
log_dir: /var/log/
log_level: info
log_max_size: 0
log_max_age: 0
log_max_backups: 0
compress_logs: null
prometheus:
    enabled: true
    listen_addr: 127.0.0.1
    listen_port: "2112"
key_path: ""
cert_path: ""
ca_cert_path: ""

And my docker compose:

  crowdsec:
    image: docker.io/crowdsecurity/crowdsec:latest
    container_name: crowdsec
    environment:
      - UID=${PUID}
      - GID=${PGID}
      - TZ=${TZ}
      - COLLECTIONS=${COLLECTIONS}
      - CUSTOM_HOSTNAME=${CUSTOM_HOSTNAME}
    volumes:
      - ./crowdsec/config:/etc/crowdsec:rw
      - ./crowdsec/data:/var/lib/crowdsec/data:rw
      - /pool/containers/swag/swag/config/log/nginx:/var/log/swag:ro
      - /var/log:/var/log/host:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
    ports:
      - 9090:8080
      - 1518:1518/udp
    restart: unless-stopped
    security_opt:
      - no-new-privileges=true
    networks:
      - docker-services

  cloudflare-bouncer:
    image: crowdsecurity/cloudflare-bouncer
    container_name: cloudflare-bouncer
    environment:
      - TZ=${TZ}
    volumes:
      - ./cloudflare/cfg.yaml:/etc/crowdsec/bouncers/crowdsec-cloudflare-bouncer.yaml
    depends_on:
      - crowdsec
    security_opt:
      - no-new-privileges=true
    networks:
      - docker-services
    restart: unless-stopped