diff --git a/secrets.nix b/secrets.nix index c7a9245..f86dfd8 100644 --- a/secrets.nix +++ b/secrets.nix @@ -29,6 +29,7 @@ in { "services/postgresql/secrets/authentikDBPass.age".publicKeys = [tbarnouin postgresql]; "services/postgresql/secrets/grafanaDBPass.age".publicKeys = [tbarnouin postgresql]; "services/postgresql/secrets/onlyofficeDBPass.age".publicKeys = [tbarnouin postgresql]; + "secrets/postgresql-lapi-key.age".publicKeys = [tbarnouin postgresql]; "services/nginx/secrets/cs-lapi-key.age".publicKeys = [tbarnouin nginx]; "services/minimalConfig/secrets/cs-lapi-key.age".publicKeys = users ++ systems; diff --git a/secrets/postgresql-lapi-key.age b/secrets/postgresql-lapi-key.age new file mode 100644 index 0000000..c2f798c --- /dev/null +++ b/secrets/postgresql-lapi-key.age @@ -0,0 +1,13 @@ +-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyBabEhV +SnYvWTR6NkE1U2xUM3huNzZ3bUdXRVh0MTJoUjhTY2taNmY2MFdvCnpmNTMzMWM0 +enhiMHQyWEpCYmxXZ3I3aStXYlh6UStrbFMvTTJwYjNOY2cKLT4gc3NoLWVkMjU1 +MTkgc2luZ3ZRIHRHY0dNbUt0aTJQdzNGTGRXeC9jbVVoVmN2WFpRaHZIU0Qvb0c3 +eUdhMXcKSi9NZEtjRENLNXFuVUVLdUlYbkNlT0EzeUVOSzJYcXlZcVRDaWFqMXVi +WQotPiBVb0wtZ3JlYXNlIGYrIEosIHpFRHBvbzI5ICljS0UKTmljdnFHQzBRTWxu +ZXpEdkhheHE5WVVJVVpXdzFaZC9HQ28KLS0tIDdmc3dNNGVYcC91QmQrcmhGaHhZ +WkNEa3FOcHZIU3loQmVDd29hd2ZqSXMKksjTw4Gh1PDeQpRnX5cg6uSv3hRRPL50 +4xKqLKC7kmEoSU3PXSrNYV5yppD4V+LTnj/WRXgoBD9A89ul9PLvbmJpcxzB5SVS ++gAi73lGkRFhFrYv5eCzsIWgCfVhQZ/LeyN9ak56/OisJm0YOKntWPEN/NKjVi1x +AvFJ2jF+4bSy+BaDK0qTecHbnVfS8uW4lBr3FE7Tfj83TpI= +-----END AGE ENCRYPTED FILE----- diff --git a/services/postgresql/default.nix b/services/postgresql/default.nix index b6fa00c..d5b6d1b 100644 --- a/services/postgresql/default.nix +++ b/services/postgresql/default.nix @@ -11,6 +11,10 @@ in { }; config = lib.mkIf cfg.enable { age.secrets = { + postgresql-lapi-key = { + file = ../../secrets/postgresql-lapi-key.age; + owner = "crowdsec"; + }; nextcloudDBPass = { file = ./secrets/nextcloudDBPass.age; owner = "postgres"; @@ -32,70 +36,90 @@ in { owner = "postgres"; }; }; - services.postgresql = { - enable = true; - package = pkgs.postgresql_16; - enableTCPIP = true; - settings.port = 5432; - authentication = " - host nextcloud nextcloud 192.168.1.45/32 md5 - host gitea gitea 192.168.1.14/32 md5 - host authentik authentik 192.168.1.125/32 md5 - host grafana grafana 192.168.1.27/32 md5 - host onlyoffice onlyoffice 192.168.1.46/32 md5 - "; - initialScript = pkgs.writeText "init-sql-script" '' - CREATE ROLE nextcloud WITH LOGIN CREATEDB; - CREATE DATABASE nextcloud; - GRANT ALL PRIVILEGES ON DATABASE nextcloud TO nextcloud; + services = { + crowdsec = { + hub.collections = [ + "crowdsecurity/pgsql" + ]; + settings.lapi.credentialsFile = "${config.age.secrets.postgresql-lapi-key.path}"; + localConfig = { + acquisitions = [ + { + filenames = [ + "/var/log/postgresql/*.log" + ]; + labels = { + type = "syslog"; + }; + } + ]; + }; + }; + postgresql = { + enable = true; + package = pkgs.postgresql_16; + enableTCPIP = true; + settings.port = 5432; + authentication = " + host nextcloud nextcloud 192.168.1.45/32 md5 + host gitea gitea 192.168.1.14/32 md5 + host authentik authentik 192.168.1.125/32 md5 + host grafana grafana 192.168.1.27/32 md5 + host onlyoffice onlyoffice 192.168.1.46/32 md5 + "; + initialScript = pkgs.writeText "init-sql-script" '' + CREATE ROLE nextcloud WITH LOGIN CREATEDB; + CREATE DATABASE nextcloud; + GRANT ALL PRIVILEGES ON DATABASE nextcloud TO nextcloud; - CREATE ROLE gitea WITH LOGIN CREATEDB; - CREATE DATABASE gitea; - GRANT ALL PRIVILEGES ON DATABASE gitea TO gitea; + CREATE ROLE gitea WITH LOGIN CREATEDB; + CREATE DATABASE gitea; + GRANT ALL PRIVILEGES ON DATABASE gitea TO gitea; - CREATE ROLE authentik WITH LOGIN CREATEDB; - CREATE DATABASE authentik; - GRANT ALL PRIVILEGES ON DATABASE authentik TO authentik; + CREATE ROLE authentik WITH LOGIN CREATEDB; + CREATE DATABASE authentik; + GRANT ALL PRIVILEGES ON DATABASE authentik TO authentik; - CREATE ROLE grafana WITH LOGIN CREATEDB; - CREATE DATABASE grafana; - GRANT ALL PRIVILEGES ON DATABASE grafana TO grafana; + CREATE ROLE grafana WITH LOGIN CREATEDB; + CREATE DATABASE grafana; + GRANT ALL PRIVILEGES ON DATABASE grafana TO grafana; - CREATE ROLE onlyoffice WITH LOGIN CREATEDB; - CREATE DATABASE onlyoffice; - GRANT ALL PRIVILEGES ON DATABASE onlyoffice TO onlyoffice; + CREATE ROLE onlyoffice WITH LOGIN CREATEDB; + CREATE DATABASE onlyoffice; + GRANT ALL PRIVILEGES ON DATABASE onlyoffice TO onlyoffice; + ''; + }; + # Stolen from https://discourse.nixos.org/t/assign-password-to-postgres-user-declaratively/9726/3 + # This is an awful situation + systemd.services.postgresql.postStart = let + nextcloudDBPass = config.age.secrets.nextcloudDBPass.path; + giteaDBPass = config.age.secrets.giteaDBPass.path; + authentikDBPass = config.age.secrets.authentikDBPass.path; + grafanaDBPass = config.age.secrets.grafanaDBPass.path; + onlyofficeDBPass = config.age.secrets.onlyofficeDBPass.path; + in '' + $PSQL -tA <<'EOF' + DO $$ + DECLARE password TEXT; + BEGIN + password := trim(both from replace(pg_read_file('${nextcloudDBPass}'), E'\n', ''')); + EXECUTE format('ALTER ROLE nextcloud WITH PASSWORD '''%s''';', password); + + password := trim(both from replace(pg_read_file('${giteaDBPass}'), E'\n', ''')); + EXECUTE format('ALTER ROLE gitea WITH PASSWORD '''%s''';', password); + + password := trim(both from replace(pg_read_file('${authentikDBPass}'), E'\n', ''')); + EXECUTE format('ALTER ROLE authentik WITH PASSWORD '''%s''';', password); + + password := trim(both from replace(pg_read_file('${grafanaDBPass}'), E'\n', ''')); + EXECUTE format('ALTER ROLE grafana WITH PASSWORD '''%s''';', password); + + password := trim(both from replace(pg_read_file('${onlyofficeDBPass}'), E'\n', ''')); + EXECUTE format('ALTER ROLE onlyoffice WITH PASSWORD '''%s''';', password); + END $$; + EOF ''; + networking.firewall.allowedTCPPorts = [5432]; }; - # Stolen from https://discourse.nixos.org/t/assign-password-to-postgres-user-declaratively/9726/3 - # This is an awful situation - systemd.services.postgresql.postStart = let - nextcloudDBPass = config.age.secrets.nextcloudDBPass.path; - giteaDBPass = config.age.secrets.giteaDBPass.path; - authentikDBPass = config.age.secrets.authentikDBPass.path; - grafanaDBPass = config.age.secrets.grafanaDBPass.path; - onlyofficeDBPass = config.age.secrets.onlyofficeDBPass.path; - in '' - $PSQL -tA <<'EOF' - DO $$ - DECLARE password TEXT; - BEGIN - password := trim(both from replace(pg_read_file('${nextcloudDBPass}'), E'\n', ''')); - EXECUTE format('ALTER ROLE nextcloud WITH PASSWORD '''%s''';', password); - - password := trim(both from replace(pg_read_file('${giteaDBPass}'), E'\n', ''')); - EXECUTE format('ALTER ROLE gitea WITH PASSWORD '''%s''';', password); - - password := trim(both from replace(pg_read_file('${authentikDBPass}'), E'\n', ''')); - EXECUTE format('ALTER ROLE authentik WITH PASSWORD '''%s''';', password); - - password := trim(both from replace(pg_read_file('${grafanaDBPass}'), E'\n', ''')); - EXECUTE format('ALTER ROLE grafana WITH PASSWORD '''%s''';', password); - - password := trim(both from replace(pg_read_file('${onlyofficeDBPass}'), E'\n', ''')); - EXECUTE format('ALTER ROLE onlyoffice WITH PASSWORD '''%s''';', password); - END $$; - EOF - ''; - networking.firewall.allowedTCPPorts = [5432]; }; }