Working postgresql crowdsec config + remove fail2ban
Some checks are pending
/ Build Nix targets (push) Waiting to run
Some checks are pending
/ Build Nix targets (push) Waiting to run
This commit is contained in:
Théo Barnouin
parent
fd8349cf91
commit
d6eb45c45a
4 changed files with 42 additions and 40 deletions
|
|
@ -189,7 +189,7 @@ in {
|
||||||
job_name = "jellyfin";
|
job_name = "jellyfin";
|
||||||
static_configs = [
|
static_configs = [
|
||||||
{
|
{
|
||||||
targets = ["192.168.1.42:9100"];
|
targets = ["192.168.1.42:9002"];
|
||||||
}
|
}
|
||||||
];
|
];
|
||||||
}
|
}
|
||||||
|
|
@ -256,6 +256,15 @@ in {
|
||||||
}
|
}
|
||||||
];
|
];
|
||||||
}
|
}
|
||||||
|
{
|
||||||
|
job_name = "crowdsec_postgresql";
|
||||||
|
metrics_path = "/metrics";
|
||||||
|
static_configs = [
|
||||||
|
{
|
||||||
|
targets = ["192.168.1.13:6060"];
|
||||||
|
}
|
||||||
|
];
|
||||||
|
}
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
loki = {
|
loki = {
|
||||||
|
|
|
||||||
|
|
@ -45,9 +45,8 @@ in {
|
||||||
localConfig = {
|
localConfig = {
|
||||||
acquisitions = [
|
acquisitions = [
|
||||||
{
|
{
|
||||||
filenames = [
|
source = "journalctl";
|
||||||
"/var/log/postgresql/*.log"
|
journalctl_filter = [ "_SYSTEMD_UNIT=postgresql.service" ];
|
||||||
];
|
|
||||||
labels = {
|
labels = {
|
||||||
type = "syslog";
|
type = "syslog";
|
||||||
};
|
};
|
||||||
|
|
@ -89,37 +88,37 @@ in {
|
||||||
GRANT ALL PRIVILEGES ON DATABASE onlyoffice TO onlyoffice;
|
GRANT ALL PRIVILEGES ON DATABASE onlyoffice TO onlyoffice;
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
# Stolen from https://discourse.nixos.org/t/assign-password-to-postgres-user-declaratively/9726/3
|
|
||||||
# This is an awful situation
|
|
||||||
systemd.services.postgresql.postStart = let
|
|
||||||
nextcloudDBPass = config.age.secrets.nextcloudDBPass.path;
|
|
||||||
giteaDBPass = config.age.secrets.giteaDBPass.path;
|
|
||||||
authentikDBPass = config.age.secrets.authentikDBPass.path;
|
|
||||||
grafanaDBPass = config.age.secrets.grafanaDBPass.path;
|
|
||||||
onlyofficeDBPass = config.age.secrets.onlyofficeDBPass.path;
|
|
||||||
in ''
|
|
||||||
$PSQL -tA <<'EOF'
|
|
||||||
DO $$
|
|
||||||
DECLARE password TEXT;
|
|
||||||
BEGIN
|
|
||||||
password := trim(both from replace(pg_read_file('${nextcloudDBPass}'), E'\n', '''));
|
|
||||||
EXECUTE format('ALTER ROLE nextcloud WITH PASSWORD '''%s''';', password);
|
|
||||||
|
|
||||||
password := trim(both from replace(pg_read_file('${giteaDBPass}'), E'\n', '''));
|
|
||||||
EXECUTE format('ALTER ROLE gitea WITH PASSWORD '''%s''';', password);
|
|
||||||
|
|
||||||
password := trim(both from replace(pg_read_file('${authentikDBPass}'), E'\n', '''));
|
|
||||||
EXECUTE format('ALTER ROLE authentik WITH PASSWORD '''%s''';', password);
|
|
||||||
|
|
||||||
password := trim(both from replace(pg_read_file('${grafanaDBPass}'), E'\n', '''));
|
|
||||||
EXECUTE format('ALTER ROLE grafana WITH PASSWORD '''%s''';', password);
|
|
||||||
|
|
||||||
password := trim(both from replace(pg_read_file('${onlyofficeDBPass}'), E'\n', '''));
|
|
||||||
EXECUTE format('ALTER ROLE onlyoffice WITH PASSWORD '''%s''';', password);
|
|
||||||
END $$;
|
|
||||||
EOF
|
|
||||||
'';
|
|
||||||
};
|
};
|
||||||
|
# Stolen from https://discourse.nixos.org/t/assign-password-to-postgres-user-declaratively/9726/3
|
||||||
|
# This is an awful situation
|
||||||
|
systemd.services.postgresql.postStart = let
|
||||||
|
nextcloudDBPass = config.age.secrets.nextcloudDBPass.path;
|
||||||
|
giteaDBPass = config.age.secrets.giteaDBPass.path;
|
||||||
|
authentikDBPass = config.age.secrets.authentikDBPass.path;
|
||||||
|
grafanaDBPass = config.age.secrets.grafanaDBPass.path;
|
||||||
|
onlyofficeDBPass = config.age.secrets.onlyofficeDBPass.path;
|
||||||
|
in ''
|
||||||
|
$PSQL -tA <<'EOF'
|
||||||
|
DO $$
|
||||||
|
DECLARE password TEXT;
|
||||||
|
BEGIN
|
||||||
|
password := trim(both from replace(pg_read_file('${nextcloudDBPass}'), E'\n', '''));
|
||||||
|
EXECUTE format('ALTER ROLE nextcloud WITH PASSWORD '''%s''';', password);
|
||||||
|
|
||||||
|
password := trim(both from replace(pg_read_file('${giteaDBPass}'), E'\n', '''));
|
||||||
|
EXECUTE format('ALTER ROLE gitea WITH PASSWORD '''%s''';', password);
|
||||||
|
|
||||||
|
password := trim(both from replace(pg_read_file('${authentikDBPass}'), E'\n', '''));
|
||||||
|
EXECUTE format('ALTER ROLE authentik WITH PASSWORD '''%s''';', password);
|
||||||
|
|
||||||
|
password := trim(both from replace(pg_read_file('${grafanaDBPass}'), E'\n', '''));
|
||||||
|
EXECUTE format('ALTER ROLE grafana WITH PASSWORD '''%s''';', password);
|
||||||
|
|
||||||
|
password := trim(both from replace(pg_read_file('${onlyofficeDBPass}'), E'\n', '''));
|
||||||
|
EXECUTE format('ALTER ROLE onlyoffice WITH PASSWORD '''%s''';', password);
|
||||||
|
END $$;
|
||||||
|
EOF
|
||||||
|
'';
|
||||||
networking.firewall.allowedTCPPorts = [5432];
|
networking.firewall.allowedTCPPorts = [5432];
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -112,9 +112,6 @@
|
||||||
}
|
}
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
fail2ban = {
|
|
||||||
enable = true;
|
|
||||||
};
|
|
||||||
crowdsec = {
|
crowdsec = {
|
||||||
enable = true;
|
enable = true;
|
||||||
package = pkgs.crowdsec;
|
package = pkgs.crowdsec;
|
||||||
|
|
|
||||||
|
|
@ -99,9 +99,6 @@
|
||||||
}
|
}
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
fail2ban = {
|
|
||||||
enable = true;
|
|
||||||
};
|
|
||||||
crowdsec = {
|
crowdsec = {
|
||||||
enable = true;
|
enable = true;
|
||||||
package = pkgs.crowdsec;
|
package = pkgs.crowdsec;
|
||||||
|
|
|
||||||
Loading…
Add table
Reference in a new issue