From e66bc8fd7bab1959070960e6e62911d343780157 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Th=C3=A9o=20Barnouin?=
Date: Wed, 23 Apr 2025 10:28:49 +0200
Subject: [PATCH] Add netbox psql DB

---
 secrets.nix | 2 +-
 services/netbox/default.nix | 45 +++++++++++++++++++
 services/postgresql/default.nix | 18 ++++----
 services/postgresql/secrets/netboxDBPass.age | 12 +++++
 .../postgresql/secrets/onlyofficeDBPass.age | 12 -----
 5 files changed, 67 insertions(+), 22 deletions(-)
 create mode 100644 services/netbox/default.nix
 create mode 100644 services/postgresql/secrets/netboxDBPass.age
 delete mode 100644 services/postgresql/secrets/onlyofficeDBPass.age

diff --git a/secrets.nix b/secrets.nix
index f86dfd8..fd66a09 100644
--- a/secrets.nix
+++ b/secrets.nix
@@ -28,7 +28,7 @@ in {
 "services/postgresql/secrets/giteaDBPass.age".publicKeys = [tbarnouin postgresql];
 "services/postgresql/secrets/authentikDBPass.age".publicKeys = [tbarnouin postgresql];
 "services/postgresql/secrets/grafanaDBPass.age".publicKeys = [tbarnouin postgresql];
- "services/postgresql/secrets/onlyofficeDBPass.age".publicKeys = [tbarnouin postgresql];
+ "services/postgresql/secrets/netboxDBPass.age".publicKeys = [tbarnouin postgresql];
 "secrets/postgresql-lapi-key.age".publicKeys = [tbarnouin postgresql];
 "services/nginx/secrets/cs-lapi-key.age".publicKeys = [tbarnouin nginx];
diff --git a/services/netbox/default.nix b/services/netbox/default.nix
new file mode 100644
index 0000000..7e634e9
--- /dev/null
+++ b/services/netbox/default.nix
@@ -0,0 +1,45 @@
+{
+ config,
+ pkgs,
+ lib,
+ ...
+}: let
+ cfg = config.services.vm_netbox;
+in {
+ options.services.vm_netbox = {
+ enable = lib.mkEnableOption "Enable minimal config";
+ pgsql_ip = lib.mkOption {
+ type = lib.types.str;
+ description = "Netbox database IP address";
+ };
+ };
+ config = lib.mkIf cfg.enable {
+ age.secrets.netbox-lapi-key = {
+ file = ../../secrets/netbox-lapi-key.age;
+ owner = "crowdsec";
+ };
+ };
+ services = {
+ crowdsec = {
+ settings.lapi.credentialsFile = "${config.age.secrets.netbox-lapi-key.path}";
+ localConfig = {
+ acquisitions = [
+ {
+ source = "journalctl";
+ journalctl_filter = [ "_SYSTEMD_UNIT=netbox.service" ];
+ labels = {
+ type = "syslog";
+ };
+ }
+ ];
+ };
+ };
+ netbox = {
+ enable = true;
+ package = pkgs.netbox_3_7;
+ port = 8001;
+ };
+ };
+ networking.firewall.allowedTCPPorts = [8001];
+ };
+}
diff --git a/services/postgresql/default.nix b/services/postgresql/default.nix
index 7b75a54..cf20b53 100644
--- a/services/postgresql/default.nix
+++ b/services/postgresql/default.nix
@@ -31,8 +31,8 @@ in {
 file = ./secrets/grafanaDBPass.age;
 owner = "postgres";
 };
- onlyofficeDBPass = {
- file = ./secrets/onlyofficeDBPass.age;
+ netboxDBPass = {
+ file = ./secrets/netboxDBPass.age;
 owner = "postgres";
 };
 };
@@ -64,7 +64,7 @@ in {
 host gitea gitea 192.168.1.14/32 md5
 host authentik authentik 192.168.1.125/32 md5
 host grafana grafana 192.168.1.27/32 md5
- host onlyoffice onlyoffice 192.168.1.46/32 md5
+ host netbox netbox 192.168.1.90/32 md5
 ";
 initialScript = pkgs.writeText "init-sql-script" ''
 CREATE ROLE nextcloud WITH LOGIN CREATEDB;
@@ -83,9 +83,9 @@ in {
 CREATE DATABASE grafana;
 GRANT ALL PRIVILEGES ON DATABASE grafana TO grafana;
- CREATE ROLE onlyoffice WITH LOGIN CREATEDB;
- CREATE DATABASE onlyoffice;
- GRANT ALL PRIVILEGES ON DATABASE onlyoffice TO onlyoffice;
+ CREATE ROLE netbox WITH LOGIN CREATEDB;
+ CREATE DATABASE netbox;
+ GRANT ALL PRIVILEGES ON DATABASE netbox TO netbox;
 '';
 };
 };
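Review bot: The `};` directly after the `age.secrets.netbox-lapi-key` block closes `config = lib.mkIf cfg.enable {` early, so `services` and `networking.firewall.allowedTCPPorts` fall outside the `enable` gate, and the final `+}` then has no matching opener (the hunk has 14 closing braces/brackets against 13 opening ones), so the file does not evaluate. Dropping that single `};` puts the crowdsec, netbox and firewall settings back under `mkIf` and balances the braces. Separately, `pgsql_ip` is declared but nothing in this file reads it, and the `netbox` block is not pointed at the role, database or `netboxDBPass` secret the postgresql hunks create, so the option should either be wired into the netbox configuration or removed. Opening TCP 8001 in the firewall only matters if netbox listens on a non-loopback address, which this hunk does not set; worth confirming against the module defaults.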
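Review bot: `initialScript` only runs when the cluster is first initialised, so replacing `onlyoffice` with `netbox` in the `@@ -83,9 +83,9 @@` hunk does not remove the existing `onlyoffice` role and database from a cluster that is already running; with the `@@ -114,8 +114,8 @@` hunk no longer rotating its password, that role keeps its last password indefinitely and is fenced off only by the dropped `pg_hba` line. Consider an explicit cleanup in the activation script (`DROP DATABASE IF EXISTS onlyoffice; DROP ROLE IF EXISTS onlyoffice;`, or at minimum `ALTER ROLE onlyoffice NOLOGIN;`), or state in the commit message that decommissioning the old role is a manual step. The new role is also created `WITH LOGIN CREATEDB`; netbox is unlikely to need the cluster-wide `CREATEDB` privilege given the explicit `GRANT` on its own database, so `CREATE ROLE netbox WITH LOGIN;` would be the tighter choice, even though the existing roles follow the wider pattern.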
@@ -96,7 +96,7 @@ in {
 giteaDBPass = config.age.secrets.giteaDBPass.path;
 authentikDBPass = config.age.secrets.authentikDBPass.path;
 grafanaDBPass = config.age.secrets.grafanaDBPass.path;
- onlyofficeDBPass = config.age.secrets.onlyofficeDBPass.path;
+ netboxDBPass = config.age.secrets.netboxDBPass.path;
 in ''
 $PSQL -tA <<'EOF'
 DO $$
@@ -114,8 +114,8 @@ in {
 password := trim(both from replace(pg_read_file('${grafanaDBPass}'), E'\n', '''));
 EXECUTE format('ALTER ROLE grafana WITH PASSWORD '''%s''';', password);
- password := trim(both from replace(pg_read_file('${onlyofficeDBPass}'), E'\n', '''));
- EXECUTE format('ALTER ROLE onlyoffice WITH PASSWORD '''%s''';', password);
+ password := trim(both from replace(pg_read_file('${netboxDBPass}'), E'\n', '''));
+ EXECUTE format('ALTER ROLE netbox WITH PASSWORD '''%s''';', password);
 END $$;
 EOF
 '';
diff --git a/services/postgresql/secrets/netboxDBPass.age b/services/postgresql/secrets/netboxDBPass.age
new file mode 100644
index 0000000..36d3930
--- /dev/null
+++ b/services/postgresql/secrets/netboxDBPass.age
@@ -0,0 +1,12 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyBLM1pP
+MXRibnRQQitFVjdQUVRrVGI5NFNMaWFpRE1OOU1zd2dOa09mOGp3CmUxZFRpWTVG
+aFVQWE0ydnA0Z3ZYYm5MMkFJMURudS9GcWs1ck9hcjUwVWcKLT4gc3NoLWVkMjU1
+MTkgc2luZ3ZRIHBGajlwYkwwOFRlbTcwSFgvZmU3b3Q5VGFvWFJ5ZXU3WFJwaFFM
+OFRHU1kKZFVSVjlZSXl5VUZXR2dJMmxmZHdHNWZ1Z05yS0luMHhaZmt1UlJaMVpS
+NAotPiByLjkuRC1ncmVhc2UgKVlbJjYuIG9hCmRxVWNOdzRvRWdvdjZuTzBWQTRU
+VGVjdjV6eTk4WDRheEJWM0xGR2RuQUloaFBsSUNia0E2ZlRlOW1aSENoT2kKNWpU
+bWxIYU5sQTlURmZzTElIT2FxdwotLS0gQW5RS3NNcCt1cXJob041Y1YwOG9WcXIv
+ZkR3OTRXckhQajArV21jbGg4cwroe/kLvfTDiri3Am6Of2J0JsYvthO1PVnekHZT
+R4Xrt9NKzfi2+KYJey8=
+-----END AGE ENCRYPTED FILE-----
diff --git a/services/postgresql/secrets/onlyofficeDBPass.age b/services/postgresql/secrets/onlyofficeDBPass.age
deleted file mode 100644
index 0a517da..0000000
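Review bot: The new `EXECUTE format('ALTER ROLE netbox WITH PASSWORD '''%s''';', password);` line in the `@@ -114,8 +114,8 @@` hunk splices the decrypted secret into the statement with `%s` between hand-placed quotes, so a password that contains a single quote breaks the statement or changes its meaning. PostgreSQL's `format()` has the `%L` specifier for exactly this, quoting the value as a literal: `EXECUTE format('ALTER ROLE netbox WITH PASSWORD %L;', password);`. The grafana and other lines above follow the same pattern, so it is worth fixing for all roles, but the new line is the place to start. The enclosing `DO $$` block opens before this hunk.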
--- a/services/postgresql/secrets/onlyofficeDBPass.age
+++ /dev/null
@@ -1,12 +0,0 @@
------BEGIN AGE ENCRYPTED FILE-----
-YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyBDTm1X
-aTB5SXpwTDRHS1dlMm1LaEpKQkViYlUwZE0xNE04d0dWOVErYVFvCnAvK096M2Np
-WWxZUUZGYWZjc0ZtTktSMlFNbjBzU1A2U282VHZWdFNrMEEKLT4gc3NoLWVkMjU1
-MTkgc2luZ3ZRIEpiR2FpR2ltelBwbVhKRTZpRzdLM2U4bGZwc0kvMU1rSlNwb1NR
-UVlKV28KV3pEblFFN3hZeEd5TG4yVXRFeHhabVJweGpWejY1eTUveTdYU1ZTRUJl
-YwotPiBHbWZPdC1ncmVhc2UgRjJyeiYjTyBCR20hUFsqIC4gMTQqPy1zRwo0NFFS
-Rm1HYlUwOXhNenlKcW90MEJOOEFtTjROU1JMWWEzMHJFRVUvS0phY1cxV09abG5a
-TkEKLS0tIG1EZnJGanhDUjVRUm5sRTlaVWtFQUN1Q3QrVm1GQnkvVm42eUxWSGNq
-M2sKXJmL2j6j+iA26zzQ/rLZrQTXRyIFZ3EvAgpbidiCDqefQrtlSXeQXjiaYI53
-AWK6
------END AGE ENCRYPTED FILE-----