Working postgresql crowdsec config + remove fail2ban

2025-04-14 15:28:01 +02:00 · 2025-04-14 15:28:01 +02:00 · d6eb45c45a
commit d6eb45c45a
parent fd8349cf91
4 changed files with 42 additions and 40 deletions
--- a/services/grafana/default.nix
+++ b/services/grafana/default.nix
@ -189,7 +189,7 @@ in {
            job_name = "jellyfin";
            static_configs = [
              {
-                targets = ["192.168.1.42:9100"];
+                targets = ["192.168.1.42:9002"];
              }
            ];
          }
@ -256,6 +256,15 @@ in {
              }
            ];
          }
+          {
+            job_name = "crowdsec_postgresql";
+            metrics_path = "/metrics";
+            static_configs = [
+              {
+                targets = ["192.168.1.13:6060"];
+              }
+            ];
+          }
        ];
      };
      loki = {
--- a/services/postgresql/default.nix
+++ b/services/postgresql/default.nix
@ -45,9 +45,8 @@ in {
        localConfig = {
          acquisitions = [
            {
-              filenames = [
-                "/var/log/postgresql/*.log"
-              ];
+              source = "journalctl";
+              journalctl_filter = [ "_SYSTEMD_UNIT=postgresql.service" ];
              labels = {
                type = "syslog";
              };
@ -89,37 +88,37 @@ in {
          GRANT ALL PRIVILEGES ON DATABASE onlyoffice TO onlyoffice;
        '';
      };
-      # Stolen from https://discourse.nixos.org/t/assign-password-to-postgres-user-declaratively/9726/3
-      # This is an awful situation
-      systemd.services.postgresql.postStart = let
-        nextcloudDBPass = config.age.secrets.nextcloudDBPass.path;
-        giteaDBPass = config.age.secrets.giteaDBPass.path;
-        authentikDBPass = config.age.secrets.authentikDBPass.path;
-        grafanaDBPass = config.age.secrets.grafanaDBPass.path;
-        onlyofficeDBPass = config.age.secrets.onlyofficeDBPass.path;
-      in ''
-        $PSQL -tA <<'EOF'
-          DO $$
-          DECLARE password TEXT;
-          BEGIN
-            password := trim(both from replace(pg_read_file('${nextcloudDBPass}'), E'\n', '''));
-            EXECUTE format('ALTER ROLE nextcloud WITH PASSWORD '''%s''';', password);
-
-            password := trim(both from replace(pg_read_file('${giteaDBPass}'), E'\n', '''));
-            EXECUTE format('ALTER ROLE gitea WITH PASSWORD '''%s''';', password);
-
-            password := trim(both from replace(pg_read_file('${authentikDBPass}'), E'\n', '''));
-            EXECUTE format('ALTER ROLE authentik WITH PASSWORD '''%s''';', password);
-
-            password := trim(both from replace(pg_read_file('${grafanaDBPass}'), E'\n', '''));
-            EXECUTE format('ALTER ROLE grafana WITH PASSWORD '''%s''';', password);
-
-            password := trim(both from replace(pg_read_file('${onlyofficeDBPass}'), E'\n', '''));
-            EXECUTE format('ALTER ROLE onlyoffice WITH PASSWORD '''%s''';', password);
-          END $$;
-        EOF
-      '';
    };
+    # Stolen from https://discourse.nixos.org/t/assign-password-to-postgres-user-declaratively/9726/3
+    # This is an awful situation
+    systemd.services.postgresql.postStart = let
+      nextcloudDBPass = config.age.secrets.nextcloudDBPass.path;
+      giteaDBPass = config.age.secrets.giteaDBPass.path;
+      authentikDBPass = config.age.secrets.authentikDBPass.path;
+      grafanaDBPass = config.age.secrets.grafanaDBPass.path;
+      onlyofficeDBPass = config.age.secrets.onlyofficeDBPass.path;
+    in ''
+      $PSQL -tA <<'EOF'
+        DO $$
+        DECLARE password TEXT;
+        BEGIN
+          password := trim(both from replace(pg_read_file('${nextcloudDBPass}'), E'\n', '''));
+          EXECUTE format('ALTER ROLE nextcloud WITH PASSWORD '''%s''';', password);
+
+          password := trim(both from replace(pg_read_file('${giteaDBPass}'), E'\n', '''));
+          EXECUTE format('ALTER ROLE gitea WITH PASSWORD '''%s''';', password);
+
+          password := trim(both from replace(pg_read_file('${authentikDBPass}'), E'\n', '''));
+          EXECUTE format('ALTER ROLE authentik WITH PASSWORD '''%s''';', password);
+
+          password := trim(both from replace(pg_read_file('${grafanaDBPass}'), E'\n', '''));
+          EXECUTE format('ALTER ROLE grafana WITH PASSWORD '''%s''';', password);
+
+          password := trim(both from replace(pg_read_file('${onlyofficeDBPass}'), E'\n', '''));
+          EXECUTE format('ALTER ROLE onlyoffice WITH PASSWORD '''%s''';', password);
+        END $$;
+      EOF
+    '';
    networking.firewall.allowedTCPPorts = [5432];
  };
 }
--- a/systems/minimalLXCConfig.nix
+++ b/systems/minimalLXCConfig.nix
@ -112,9 +112,6 @@
        }
      ];
    };
-    fail2ban = {
-      enable = true;
-    };
    crowdsec = {
      enable = true;
      package = pkgs.crowdsec;
--- a/systems/minimalVMConfig.nix
+++ b/systems/minimalVMConfig.nix
@ -99,9 +99,6 @@
        }
      ];
    };
-    fail2ban = {
-      enable = true;
-    };
    crowdsec = {
      enable = true;
      package = pkgs.crowdsec;