tbarnouin/nixos-hypervisor
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Working postgresql crowdsec config

Browse source
This commit is contained in:
Théo Barnouin 2025-04-14 15:14:53 +02:00
parent 0638a5d2e6
commit 473aba8072
3 changed files with 97 additions and 59 deletions
Download patch file Download diff file Expand all files Collapse all files

142
services/postgresql/default.nix
View file

@ -11,6 +11,10 @@ in {
};
config = lib.mkIf cfg.enable {
age.secrets = {
postgresql-lapi-key = {
file = ../../secrets/postgresql-lapi-key.age;
owner = "crowdsec";
};
nextcloudDBPass = {
file = ./secrets/nextcloudDBPass.age;
owner = "postgres";
@ -32,70 +36,90 @@ in {
owner = "postgres";
};
};
services.postgresql = {
enable = true;
package = pkgs.postgresql_16;
enableTCPIP = true;
settings.port = 5432;
authentication = "
host nextcloud nextcloud 192.168.1.45/32 md5
host gitea gitea 192.168.1.14/32 md5
host authentik authentik 192.168.1.125/32 md5
host grafana grafana 192.168.1.27/32 md5
host onlyoffice onlyoffice 192.168.1.46/32 md5
";
initialScript = pkgs.writeText "init-sql-script" ''
CREATE ROLE nextcloud WITH LOGIN CREATEDB;
CREATE DATABASE nextcloud;
GRANT ALL PRIVILEGES ON DATABASE nextcloud TO nextcloud;
services = {
crowdsec = {
hub.collections = [
"crowdsecurity/pgsql"
];
settings.lapi.credentialsFile = "${config.age.secrets.postgresql-lapi-key.path}";
localConfig = {
acquisitions = [
{
filenames = [
"/var/log/postgresql/*.log"
];
labels = {
type = "syslog";
};
}
];
};
};
postgresql = {
enable = true;
package = pkgs.postgresql_16;
enableTCPIP = true;
settings.port = 5432;
authentication = "
host nextcloud nextcloud 192.168.1.45/32 md5
host gitea gitea 192.168.1.14/32 md5
host authentik authentik 192.168.1.125/32 md5
host grafana grafana 192.168.1.27/32 md5
host onlyoffice onlyoffice 192.168.1.46/32 md5
";
initialScript = pkgs.writeText "init-sql-script" ''
CREATE ROLE nextcloud WITH LOGIN CREATEDB;
CREATE DATABASE nextcloud;
GRANT ALL PRIVILEGES ON DATABASE nextcloud TO nextcloud;
CREATE ROLE gitea WITH LOGIN CREATEDB;
CREATE DATABASE gitea;
GRANT ALL PRIVILEGES ON DATABASE gitea TO gitea;
CREATE ROLE gitea WITH LOGIN CREATEDB;
CREATE DATABASE gitea;
GRANT ALL PRIVILEGES ON DATABASE gitea TO gitea;
CREATE ROLE authentik WITH LOGIN CREATEDB;
CREATE DATABASE authentik;
GRANT ALL PRIVILEGES ON DATABASE authentik TO authentik;
CREATE ROLE authentik WITH LOGIN CREATEDB;
CREATE DATABASE authentik;
GRANT ALL PRIVILEGES ON DATABASE authentik TO authentik;
CREATE ROLE grafana WITH LOGIN CREATEDB;
CREATE DATABASE grafana;
GRANT ALL PRIVILEGES ON DATABASE grafana TO grafana;
CREATE ROLE grafana WITH LOGIN CREATEDB;
CREATE DATABASE grafana;
GRANT ALL PRIVILEGES ON DATABASE grafana TO grafana;
CREATE ROLE onlyoffice WITH LOGIN CREATEDB;
CREATE DATABASE onlyoffice;
GRANT ALL PRIVILEGES ON DATABASE onlyoffice TO onlyoffice;
CREATE ROLE onlyoffice WITH LOGIN CREATEDB;
CREATE DATABASE onlyoffice;
GRANT ALL PRIVILEGES ON DATABASE onlyoffice TO onlyoffice;
'';
};
# Stolen from https://discourse.nixos.org/t/assign-password-to-postgres-user-declaratively/9726/3
# This is an awful situation
systemd.services.postgresql.postStart = let
nextcloudDBPass = config.age.secrets.nextcloudDBPass.path;
giteaDBPass = config.age.secrets.giteaDBPass.path;
authentikDBPass = config.age.secrets.authentikDBPass.path;
grafanaDBPass = config.age.secrets.grafanaDBPass.path;
onlyofficeDBPass = config.age.secrets.onlyofficeDBPass.path;
in ''
$PSQL -tA <<'EOF'
DO $$
DECLARE password TEXT;
BEGIN
password := trim(both from replace(pg_read_file('${nextcloudDBPass}'), E'\n', '''));
EXECUTE format('ALTER ROLE nextcloud WITH PASSWORD '''%s''';', password);
password := trim(both from replace(pg_read_file('${giteaDBPass}'), E'\n', '''));
EXECUTE format('ALTER ROLE gitea WITH PASSWORD '''%s''';', password);
password := trim(both from replace(pg_read_file('${authentikDBPass}'), E'\n', '''));
EXECUTE format('ALTER ROLE authentik WITH PASSWORD '''%s''';', password);
password := trim(both from replace(pg_read_file('${grafanaDBPass}'), E'\n', '''));
EXECUTE format('ALTER ROLE grafana WITH PASSWORD '''%s''';', password);
password := trim(both from replace(pg_read_file('${onlyofficeDBPass}'), E'\n', '''));
EXECUTE format('ALTER ROLE onlyoffice WITH PASSWORD '''%s''';', password);
END $$;
EOF
'';
networking.firewall.allowedTCPPorts = [5432];
};
# Stolen from https://discourse.nixos.org/t/assign-password-to-postgres-user-declaratively/9726/3
# This is an awful situation
systemd.services.postgresql.postStart = let
nextcloudDBPass = config.age.secrets.nextcloudDBPass.path;
giteaDBPass = config.age.secrets.giteaDBPass.path;
authentikDBPass = config.age.secrets.authentikDBPass.path;
grafanaDBPass = config.age.secrets.grafanaDBPass.path;
onlyofficeDBPass = config.age.secrets.onlyofficeDBPass.path;
in ''
$PSQL -tA <<'EOF'
DO $$
DECLARE password TEXT;
BEGIN
password := trim(both from replace(pg_read_file('${nextcloudDBPass}'), E'\n', '''));
EXECUTE format('ALTER ROLE nextcloud WITH PASSWORD '''%s''';', password);
password := trim(both from replace(pg_read_file('${giteaDBPass}'), E'\n', '''));
EXECUTE format('ALTER ROLE gitea WITH PASSWORD '''%s''';', password);
password := trim(both from replace(pg_read_file('${authentikDBPass}'), E'\n', '''));
EXECUTE format('ALTER ROLE authentik WITH PASSWORD '''%s''';', password);
password := trim(both from replace(pg_read_file('${grafanaDBPass}'), E'\n', '''));
EXECUTE format('ALTER ROLE grafana WITH PASSWORD '''%s''';', password);
password := trim(both from replace(pg_read_file('${onlyofficeDBPass}'), E'\n', '''));
EXECUTE format('ALTER ROLE onlyoffice WITH PASSWORD '''%s''';', password);
END $$;
EOF
'';
networking.firewall.allowedTCPPorts = [5432];
};
}