Working postgresql crowdsec config

secrets.nix

@@ -29,6 +29,7 @@ in {
   "services/postgresql/secrets/authentikDBPass.age".publicKeys = [tbarnouin postgresql];
   "services/postgresql/secrets/grafanaDBPass.age".publicKeys = [tbarnouin postgresql];
   "services/postgresql/secrets/onlyofficeDBPass.age".publicKeys = [tbarnouin postgresql];
+  "secrets/postgresql-lapi-key.age".publicKeys = [tbarnouin postgresql];
 
   "services/nginx/secrets/cs-lapi-key.age".publicKeys = [tbarnouin nginx];
   "services/minimalConfig/secrets/cs-lapi-key.age".publicKeys = users ++ systems;

secrets/postgresql-lapi-key.age

@@ -0,0 +1,13 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyBabEhV
+SnYvWTR6NkE1U2xUM3huNzZ3bUdXRVh0MTJoUjhTY2taNmY2MFdvCnpmNTMzMWM0
+enhiMHQyWEpCYmxXZ3I3aStXYlh6UStrbFMvTTJwYjNOY2cKLT4gc3NoLWVkMjU1
+MTkgc2luZ3ZRIHRHY0dNbUt0aTJQdzNGTGRXeC9jbVVoVmN2WFpRaHZIU0Qvb0c3
+eUdhMXcKSi9NZEtjRENLNXFuVUVLdUlYbkNlT0EzeUVOSzJYcXlZcVRDaWFqMXVi
+WQotPiBVb0wtZ3JlYXNlIGYrIEosIHpFRHBvbzI5ICljS0UKTmljdnFHQzBRTWxu
+ZXpEdkhheHE5WVVJVVpXdzFaZC9HQ28KLS0tIDdmc3dNNGVYcC91QmQrcmhGaHhZ
+WkNEa3FOcHZIU3loQmVDd29hd2ZqSXMKksjTw4Gh1PDeQpRnX5cg6uSv3hRRPL50
+4xKqLKC7kmEoSU3PXSrNYV5yppD4V+LTnj/WRXgoBD9A89ul9PLvbmJpcxzB5SVS
++gAi73lGkRFhFrYv5eCzsIWgCfVhQZ/LeyN9ak56/OisJm0YOKntWPEN/NKjVi1x
+AvFJ2jF+4bSy+BaDK0qTecHbnVfS8uW4lBr3FE7Tfj83TpI=
+-----END AGE ENCRYPTED FILE-----

services/postgresql/default.nix

@@ -11,6 +11,10 @@ in {
   };
   config = lib.mkIf cfg.enable {
     age.secrets = {
+      postgresql-lapi-key = {
+        file = ../../secrets/postgresql-lapi-key.age;
+        owner = "crowdsec";
+      };
       nextcloudDBPass = {
         file = ./secrets/nextcloudDBPass.age;
         owner = "postgres";
@@ -32,70 +36,90 @@ in {
         owner = "postgres";
       };
     };
-    services.postgresql = {
+    services = {
-      enable = true;
+      crowdsec = {
-      package = pkgs.postgresql_16;
+        hub.collections = [
-      enableTCPIP = true;
+          "crowdsecurity/pgsql"
-      settings.port = 5432;
+        ];
-      authentication = "
+        settings.lapi.credentialsFile = "${config.age.secrets.postgresql-lapi-key.path}";
-        host  nextcloud  nextcloud  192.168.1.45/32   md5
+        localConfig = {
-        host  gitea      gitea      192.168.1.14/32   md5
+          acquisitions = [
-        host  authentik  authentik  192.168.1.125/32  md5
+            {
-        host  grafana    grafana    192.168.1.27/32   md5
+              filenames = [
-        host  onlyoffice onlyoffice 192.168.1.46/32   md5
+                "/var/log/postgresql/*.log"
-        ";
+              ];
-      initialScript = pkgs.writeText "init-sql-script" ''
+              labels = {
-        CREATE ROLE nextcloud WITH LOGIN CREATEDB;
+                type = "syslog";
-        CREATE DATABASE nextcloud;
+              };
-        GRANT ALL PRIVILEGES ON DATABASE nextcloud TO nextcloud;
+            }
+          ];
+        };
+      };
+      postgresql = {
+        enable = true;
+        package = pkgs.postgresql_16;
+        enableTCPIP = true;
+        settings.port = 5432;
+        authentication = "
+          host  nextcloud  nextcloud  192.168.1.45/32   md5
+          host  gitea      gitea      192.168.1.14/32   md5
+          host  authentik  authentik  192.168.1.125/32  md5
+          host  grafana    grafana    192.168.1.27/32   md5
+          host  onlyoffice onlyoffice 192.168.1.46/32   md5
+          ";
+        initialScript = pkgs.writeText "init-sql-script" ''
+          CREATE ROLE nextcloud WITH LOGIN CREATEDB;
+          CREATE DATABASE nextcloud;
+          GRANT ALL PRIVILEGES ON DATABASE nextcloud TO nextcloud;
 
-        CREATE ROLE gitea WITH LOGIN CREATEDB;
+          CREATE ROLE gitea WITH LOGIN CREATEDB;
-        CREATE DATABASE gitea;
+          CREATE DATABASE gitea;
-        GRANT ALL PRIVILEGES ON DATABASE gitea TO gitea;
+          GRANT ALL PRIVILEGES ON DATABASE gitea TO gitea;
 
-        CREATE ROLE authentik WITH LOGIN CREATEDB;
+          CREATE ROLE authentik WITH LOGIN CREATEDB;
-        CREATE DATABASE authentik;
+          CREATE DATABASE authentik;
-        GRANT ALL PRIVILEGES ON DATABASE authentik TO authentik;
+          GRANT ALL PRIVILEGES ON DATABASE authentik TO authentik;
 
-        CREATE ROLE grafana WITH LOGIN CREATEDB;
+          CREATE ROLE grafana WITH LOGIN CREATEDB;
-        CREATE DATABASE grafana;
+          CREATE DATABASE grafana;
-        GRANT ALL PRIVILEGES ON DATABASE grafana TO grafana;
+          GRANT ALL PRIVILEGES ON DATABASE grafana TO grafana;
 
-        CREATE ROLE onlyoffice WITH LOGIN CREATEDB;
+          CREATE ROLE onlyoffice WITH LOGIN CREATEDB;
-        CREATE DATABASE onlyoffice;
+          CREATE DATABASE onlyoffice;
-        GRANT ALL PRIVILEGES ON DATABASE onlyoffice TO onlyoffice;
+          GRANT ALL PRIVILEGES ON DATABASE onlyoffice TO onlyoffice;
+        '';
+      };
+      # Stolen from https://discourse.nixos.org/t/assign-password-to-postgres-user-declaratively/9726/3
+      # This is an awful situation
+      systemd.services.postgresql.postStart = let
+        nextcloudDBPass = config.age.secrets.nextcloudDBPass.path;
+        giteaDBPass = config.age.secrets.giteaDBPass.path;
+        authentikDBPass = config.age.secrets.authentikDBPass.path;
+        grafanaDBPass = config.age.secrets.grafanaDBPass.path;
+        onlyofficeDBPass = config.age.secrets.onlyofficeDBPass.path;
+      in ''
+        $PSQL -tA <<'EOF'
+          DO $$
+          DECLARE password TEXT;
+          BEGIN
+            password := trim(both from replace(pg_read_file('${nextcloudDBPass}'), E'\n', '''));
+            EXECUTE format('ALTER ROLE nextcloud WITH PASSWORD '''%s''';', password);
+
+            password := trim(both from replace(pg_read_file('${giteaDBPass}'), E'\n', '''));
+            EXECUTE format('ALTER ROLE gitea WITH PASSWORD '''%s''';', password);
+
+            password := trim(both from replace(pg_read_file('${authentikDBPass}'), E'\n', '''));
+            EXECUTE format('ALTER ROLE authentik WITH PASSWORD '''%s''';', password);
+
+            password := trim(both from replace(pg_read_file('${grafanaDBPass}'), E'\n', '''));
+            EXECUTE format('ALTER ROLE grafana WITH PASSWORD '''%s''';', password);
+
+            password := trim(both from replace(pg_read_file('${onlyofficeDBPass}'), E'\n', '''));
+            EXECUTE format('ALTER ROLE onlyoffice WITH PASSWORD '''%s''';', password);
+          END $$;
+        EOF
       '';
+      networking.firewall.allowedTCPPorts = [5432];
     };
-    # Stolen from https://discourse.nixos.org/t/assign-password-to-postgres-user-declaratively/9726/3
-    # This is an awful situation
-    systemd.services.postgresql.postStart = let
-      nextcloudDBPass = config.age.secrets.nextcloudDBPass.path;
-      giteaDBPass = config.age.secrets.giteaDBPass.path;
-      authentikDBPass = config.age.secrets.authentikDBPass.path;
-      grafanaDBPass = config.age.secrets.grafanaDBPass.path;
-      onlyofficeDBPass = config.age.secrets.onlyofficeDBPass.path;
-    in ''
-      $PSQL -tA <<'EOF'
-        DO $$
-        DECLARE password TEXT;
-        BEGIN
-          password := trim(both from replace(pg_read_file('${nextcloudDBPass}'), E'\n', '''));
-          EXECUTE format('ALTER ROLE nextcloud WITH PASSWORD '''%s''';', password);
-
-          password := trim(both from replace(pg_read_file('${giteaDBPass}'), E'\n', '''));
-          EXECUTE format('ALTER ROLE gitea WITH PASSWORD '''%s''';', password);
-
-          password := trim(both from replace(pg_read_file('${authentikDBPass}'), E'\n', '''));
-          EXECUTE format('ALTER ROLE authentik WITH PASSWORD '''%s''';', password);
-
-          password := trim(both from replace(pg_read_file('${grafanaDBPass}'), E'\n', '''));
-          EXECUTE format('ALTER ROLE grafana WITH PASSWORD '''%s''';', password);
-
-          password := trim(both from replace(pg_read_file('${onlyofficeDBPass}'), E'\n', '''));
-          EXECUTE format('ALTER ROLE onlyoffice WITH PASSWORD '''%s''';', password);
-        END $$;
-      EOF
-    '';
-    networking.firewall.allowedTCPPorts = [5432];
   };
 }