Working postgresql crowdsec config

2025-04-14 15:14:53 +02:00 · 2025-04-14 15:14:53 +02:00 · 473aba8072
commit 473aba8072
parent 0638a5d2e6
3 changed files with 97 additions and 59 deletions
--- a/secrets.nix
+++ b/secrets.nix
@ -29,6 +29,7 @@ in {
  "services/postgresql/secrets/authentikDBPass.age".publicKeys = [tbarnouin postgresql];
  "services/postgresql/secrets/grafanaDBPass.age".publicKeys = [tbarnouin postgresql];
  "services/postgresql/secrets/onlyofficeDBPass.age".publicKeys = [tbarnouin postgresql];
+  "secrets/postgresql-lapi-key.age".publicKeys = [tbarnouin postgresql];

  "services/nginx/secrets/cs-lapi-key.age".publicKeys = [tbarnouin nginx];
  "services/minimalConfig/secrets/cs-lapi-key.age".publicKeys = users ++ systems;
--- a/secrets/postgresql-lapi-key.age
+++ b/secrets/postgresql-lapi-key.age
@ -0,0 +1,13 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyBabEhV
+SnYvWTR6NkE1U2xUM3huNzZ3bUdXRVh0MTJoUjhTY2taNmY2MFdvCnpmNTMzMWM0
+enhiMHQyWEpCYmxXZ3I3aStXYlh6UStrbFMvTTJwYjNOY2cKLT4gc3NoLWVkMjU1
+MTkgc2luZ3ZRIHRHY0dNbUt0aTJQdzNGTGRXeC9jbVVoVmN2WFpRaHZIU0Qvb0c3
+eUdhMXcKSi9NZEtjRENLNXFuVUVLdUlYbkNlT0EzeUVOSzJYcXlZcVRDaWFqMXVi
+WQotPiBVb0wtZ3JlYXNlIGYrIEosIHpFRHBvbzI5ICljS0UKTmljdnFHQzBRTWxu
+ZXpEdkhheHE5WVVJVVpXdzFaZC9HQ28KLS0tIDdmc3dNNGVYcC91QmQrcmhGaHhZ
+WkNEa3FOcHZIU3loQmVDd29hd2ZqSXMKksjTw4Gh1PDeQpRnX5cg6uSv3hRRPL50
+4xKqLKC7kmEoSU3PXSrNYV5yppD4V+LTnj/WRXgoBD9A89ul9PLvbmJpcxzB5SVS
+gAi73lGkRFhFrYv5eCzsIWgCfVhQZ/LeyN9ak56/OisJm0YOKntWPEN/NKjVi1x
+AvFJ2jF+4bSy+BaDK0qTecHbnVfS8uW4lBr3FE7Tfj83TpI=
+-----END AGE ENCRYPTED FILE-----
--- a/services/postgresql/default.nix
+++ b/services/postgresql/default.nix
@ -11,6 +11,10 @@ in {
  };
  config = lib.mkIf cfg.enable {
    age.secrets = {
+      postgresql-lapi-key = {
+        file = ../../secrets/postgresql-lapi-key.age;
+        owner = "crowdsec";
+      };
      nextcloudDBPass = {
        file = ./secrets/nextcloudDBPass.age;
        owner = "postgres";
@ -32,70 +36,90 @@ in {
        owner = "postgres";
      };
    };
-    services.postgresql = {
-      enable = true;
-      package = pkgs.postgresql_16;
-      enableTCPIP = true;
-      settings.port = 5432;
-      authentication = "
-        host  nextcloud  nextcloud  192.168.1.45/32   md5
-        host  gitea      gitea      192.168.1.14/32   md5
-        host  authentik  authentik  192.168.1.125/32  md5
-        host  grafana    grafana    192.168.1.27/32   md5
-        host  onlyoffice onlyoffice 192.168.1.46/32   md5
-        ";
-      initialScript = pkgs.writeText "init-sql-script" ''
-        CREATE ROLE nextcloud WITH LOGIN CREATEDB;
-        CREATE DATABASE nextcloud;
-        GRANT ALL PRIVILEGES ON DATABASE nextcloud TO nextcloud;
+    services = {
+      crowdsec = {
+        hub.collections = [
+          "crowdsecurity/pgsql"
+        ];
+        settings.lapi.credentialsFile = "${config.age.secrets.postgresql-lapi-key.path}";
+        localConfig = {
+          acquisitions = [
+            {
+              filenames = [
+                "/var/log/postgresql/*.log"
+              ];
+              labels = {
+                type = "syslog";
+              };
+            }
+          ];
+        };
+      };
+      postgresql = {
+        enable = true;
+        package = pkgs.postgresql_16;
+        enableTCPIP = true;
+        settings.port = 5432;
+        authentication = "
+          host  nextcloud  nextcloud  192.168.1.45/32   md5
+          host  gitea      gitea      192.168.1.14/32   md5
+          host  authentik  authentik  192.168.1.125/32  md5
+          host  grafana    grafana    192.168.1.27/32   md5
+          host  onlyoffice onlyoffice 192.168.1.46/32   md5
+          ";
+        initialScript = pkgs.writeText "init-sql-script" ''
+          CREATE ROLE nextcloud WITH LOGIN CREATEDB;
+          CREATE DATABASE nextcloud;
+          GRANT ALL PRIVILEGES ON DATABASE nextcloud TO nextcloud;

-        CREATE ROLE gitea WITH LOGIN CREATEDB;
-        CREATE DATABASE gitea;
-        GRANT ALL PRIVILEGES ON DATABASE gitea TO gitea;
+          CREATE ROLE gitea WITH LOGIN CREATEDB;
+          CREATE DATABASE gitea;
+          GRANT ALL PRIVILEGES ON DATABASE gitea TO gitea;

-        CREATE ROLE authentik WITH LOGIN CREATEDB;
-        CREATE DATABASE authentik;
-        GRANT ALL PRIVILEGES ON DATABASE authentik TO authentik;
+          CREATE ROLE authentik WITH LOGIN CREATEDB;
+          CREATE DATABASE authentik;
+          GRANT ALL PRIVILEGES ON DATABASE authentik TO authentik;

-        CREATE ROLE grafana WITH LOGIN CREATEDB;
-        CREATE DATABASE grafana;
-        GRANT ALL PRIVILEGES ON DATABASE grafana TO grafana;
+          CREATE ROLE grafana WITH LOGIN CREATEDB;
+          CREATE DATABASE grafana;
+          GRANT ALL PRIVILEGES ON DATABASE grafana TO grafana;

-        CREATE ROLE onlyoffice WITH LOGIN CREATEDB;
-        CREATE DATABASE onlyoffice;
-        GRANT ALL PRIVILEGES ON DATABASE onlyoffice TO onlyoffice;
+          CREATE ROLE onlyoffice WITH LOGIN CREATEDB;
+          CREATE DATABASE onlyoffice;
+          GRANT ALL PRIVILEGES ON DATABASE onlyoffice TO onlyoffice;
+        '';
+      };
+      # Stolen from https://discourse.nixos.org/t/assign-password-to-postgres-user-declaratively/9726/3
+      # This is an awful situation
+      systemd.services.postgresql.postStart = let
+        nextcloudDBPass = config.age.secrets.nextcloudDBPass.path;
+        giteaDBPass = config.age.secrets.giteaDBPass.path;
+        authentikDBPass = config.age.secrets.authentikDBPass.path;
+        grafanaDBPass = config.age.secrets.grafanaDBPass.path;
+        onlyofficeDBPass = config.age.secrets.onlyofficeDBPass.path;
+      in ''
+        $PSQL -tA <<'EOF'
+          DO $$
+          DECLARE password TEXT;
+          BEGIN
+            password := trim(both from replace(pg_read_file('${nextcloudDBPass}'), E'\n', '''));
+            EXECUTE format('ALTER ROLE nextcloud WITH PASSWORD '''%s''';', password);
+
+            password := trim(both from replace(pg_read_file('${giteaDBPass}'), E'\n', '''));
+            EXECUTE format('ALTER ROLE gitea WITH PASSWORD '''%s''';', password);
+
+            password := trim(both from replace(pg_read_file('${authentikDBPass}'), E'\n', '''));
+            EXECUTE format('ALTER ROLE authentik WITH PASSWORD '''%s''';', password);
+
+            password := trim(both from replace(pg_read_file('${grafanaDBPass}'), E'\n', '''));
+            EXECUTE format('ALTER ROLE grafana WITH PASSWORD '''%s''';', password);
+
+            password := trim(both from replace(pg_read_file('${onlyofficeDBPass}'), E'\n', '''));
+            EXECUTE format('ALTER ROLE onlyoffice WITH PASSWORD '''%s''';', password);
+          END $$;
+        EOF
      '';
+      networking.firewall.allowedTCPPorts = [5432];
    };
-    # Stolen from https://discourse.nixos.org/t/assign-password-to-postgres-user-declaratively/9726/3
-    # This is an awful situation
-    systemd.services.postgresql.postStart = let
-      nextcloudDBPass = config.age.secrets.nextcloudDBPass.path;
-      giteaDBPass = config.age.secrets.giteaDBPass.path;
-      authentikDBPass = config.age.secrets.authentikDBPass.path;
-      grafanaDBPass = config.age.secrets.grafanaDBPass.path;
-      onlyofficeDBPass = config.age.secrets.onlyofficeDBPass.path;
-    in ''
-      $PSQL -tA <<'EOF'
-        DO $$
-        DECLARE password TEXT;
-        BEGIN
-          password := trim(both from replace(pg_read_file('${nextcloudDBPass}'), E'\n', '''));
-          EXECUTE format('ALTER ROLE nextcloud WITH PASSWORD '''%s''';', password);
-
-          password := trim(both from replace(pg_read_file('${giteaDBPass}'), E'\n', '''));
-          EXECUTE format('ALTER ROLE gitea WITH PASSWORD '''%s''';', password);
-
-          password := trim(both from replace(pg_read_file('${authentikDBPass}'), E'\n', '''));
-          EXECUTE format('ALTER ROLE authentik WITH PASSWORD '''%s''';', password);
-
-          password := trim(both from replace(pg_read_file('${grafanaDBPass}'), E'\n', '''));
-          EXECUTE format('ALTER ROLE grafana WITH PASSWORD '''%s''';', password);
-
-          password := trim(both from replace(pg_read_file('${onlyofficeDBPass}'), E'\n', '''));
-          EXECUTE format('ALTER ROLE onlyoffice WITH PASSWORD '''%s''';', password);
-        END $$;
-      EOF
-    '';
-    networking.firewall.allowedTCPPorts = [5432];
  };
 }