diff --git a/secrets.nix b/secrets.nix index c7a9245..f86dfd8 100644 --- a/secrets.nix +++ b/secrets.nix @@ -29,6 +29,7 @@ in { "services/postgresql/secrets/authentikDBPass.age".publicKeys = [tbarnouin postgresql]; "services/postgresql/secrets/grafanaDBPass.age".publicKeys = [tbarnouin postgresql]; "services/postgresql/secrets/onlyofficeDBPass.age".publicKeys = [tbarnouin postgresql]; + "secrets/postgresql-lapi-key.age".publicKeys = [tbarnouin postgresql]; "services/nginx/secrets/cs-lapi-key.age".publicKeys = [tbarnouin nginx]; "services/minimalConfig/secrets/cs-lapi-key.age".publicKeys = users ++ systems; diff --git a/secrets/postgresql-lapi-key.age b/secrets/postgresql-lapi-key.age new file mode 100644 index 0000000..c2f798c --- /dev/null +++ b/secrets/postgresql-lapi-key.age @@ -0,0 +1,13 @@ +-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyBabEhV +SnYvWTR6NkE1U2xUM3huNzZ3bUdXRVh0MTJoUjhTY2taNmY2MFdvCnpmNTMzMWM0 +enhiMHQyWEpCYmxXZ3I3aStXYlh6UStrbFMvTTJwYjNOY2cKLT4gc3NoLWVkMjU1 +MTkgc2luZ3ZRIHRHY0dNbUt0aTJQdzNGTGRXeC9jbVVoVmN2WFpRaHZIU0Qvb0c3 +eUdhMXcKSi9NZEtjRENLNXFuVUVLdUlYbkNlT0EzeUVOSzJYcXlZcVRDaWFqMXVi +WQotPiBVb0wtZ3JlYXNlIGYrIEosIHpFRHBvbzI5ICljS0UKTmljdnFHQzBRTWxu +ZXpEdkhheHE5WVVJVVpXdzFaZC9HQ28KLS0tIDdmc3dNNGVYcC91QmQrcmhGaHhZ +WkNEa3FOcHZIU3loQmVDd29hd2ZqSXMKksjTw4Gh1PDeQpRnX5cg6uSv3hRRPL50 +4xKqLKC7kmEoSU3PXSrNYV5yppD4V+LTnj/WRXgoBD9A89ul9PLvbmJpcxzB5SVS ++gAi73lGkRFhFrYv5eCzsIWgCfVhQZ/LeyN9ak56/OisJm0YOKntWPEN/NKjVi1x +AvFJ2jF+4bSy+BaDK0qTecHbnVfS8uW4lBr3FE7Tfj83TpI= +-----END AGE ENCRYPTED FILE----- diff --git a/services/grafana/default.nix b/services/grafana/default.nix index ff16f71..172ff0e 100644 --- a/services/grafana/default.nix +++ b/services/grafana/default.nix @@ -189,7 +189,7 @@ in { job_name = "jellyfin"; static_configs = [ { - targets = ["192.168.1.42:9100"]; + targets = ["192.168.1.42:9002"]; } ]; } @@ -256,6 +256,15 @@ in { } ]; } + { + job_name = "crowdsec_postgresql"; + metrics_path = "/metrics"; + static_configs = [ + { + targets = ["192.168.1.13:6060"]; + } + ]; + } ]; }; loki = { diff --git a/services/postgresql/default.nix b/services/postgresql/default.nix index b6fa00c..7b75a54 100644 --- a/services/postgresql/default.nix +++ b/services/postgresql/default.nix @@ -11,6 +11,10 @@ in { }; config = lib.mkIf cfg.enable { age.secrets = { + postgresql-lapi-key = { + file = ../../secrets/postgresql-lapi-key.age; + owner = "crowdsec"; + }; nextcloudDBPass = { file = ./secrets/nextcloudDBPass.age; owner = "postgres"; @@ -32,39 +36,58 @@ in { owner = "postgres"; }; }; - services.postgresql = { - enable = true; - package = pkgs.postgresql_16; - enableTCPIP = true; - settings.port = 5432; - authentication = " - host nextcloud nextcloud 192.168.1.45/32 md5 - host gitea gitea 192.168.1.14/32 md5 - host authentik authentik 192.168.1.125/32 md5 - host grafana grafana 192.168.1.27/32 md5 - host onlyoffice onlyoffice 192.168.1.46/32 md5 - "; - initialScript = pkgs.writeText "init-sql-script" '' - CREATE ROLE nextcloud WITH LOGIN CREATEDB; - CREATE DATABASE nextcloud; - GRANT ALL PRIVILEGES ON DATABASE nextcloud TO nextcloud; + services = { + crowdsec = { + hub.collections = [ + "crowdsecurity/pgsql" + ]; + settings.lapi.credentialsFile = "${config.age.secrets.postgresql-lapi-key.path}"; + localConfig = { + acquisitions = [ + { + source = "journalctl"; + journalctl_filter = [ "_SYSTEMD_UNIT=postgresql.service" ]; + labels = { + type = "syslog"; + }; + } + ]; + }; + }; + postgresql = { + enable = true; + package = pkgs.postgresql_16; + enableTCPIP = true; + settings.port = 5432; + authentication = " + host nextcloud nextcloud 192.168.1.45/32 md5 + host gitea gitea 192.168.1.14/32 md5 + host authentik authentik 192.168.1.125/32 md5 + host grafana grafana 192.168.1.27/32 md5 + host onlyoffice onlyoffice 192.168.1.46/32 md5 + "; + initialScript = pkgs.writeText "init-sql-script" '' + CREATE ROLE nextcloud WITH LOGIN CREATEDB; + CREATE DATABASE nextcloud; + GRANT ALL PRIVILEGES ON DATABASE nextcloud TO nextcloud; - CREATE ROLE gitea WITH LOGIN CREATEDB; - CREATE DATABASE gitea; - GRANT ALL PRIVILEGES ON DATABASE gitea TO gitea; + CREATE ROLE gitea WITH LOGIN CREATEDB; + CREATE DATABASE gitea; + GRANT ALL PRIVILEGES ON DATABASE gitea TO gitea; - CREATE ROLE authentik WITH LOGIN CREATEDB; - CREATE DATABASE authentik; - GRANT ALL PRIVILEGES ON DATABASE authentik TO authentik; + CREATE ROLE authentik WITH LOGIN CREATEDB; + CREATE DATABASE authentik; + GRANT ALL PRIVILEGES ON DATABASE authentik TO authentik; - CREATE ROLE grafana WITH LOGIN CREATEDB; - CREATE DATABASE grafana; - GRANT ALL PRIVILEGES ON DATABASE grafana TO grafana; + CREATE ROLE grafana WITH LOGIN CREATEDB; + CREATE DATABASE grafana; + GRANT ALL PRIVILEGES ON DATABASE grafana TO grafana; - CREATE ROLE onlyoffice WITH LOGIN CREATEDB; - CREATE DATABASE onlyoffice; - GRANT ALL PRIVILEGES ON DATABASE onlyoffice TO onlyoffice; - ''; + CREATE ROLE onlyoffice WITH LOGIN CREATEDB; + CREATE DATABASE onlyoffice; + GRANT ALL PRIVILEGES ON DATABASE onlyoffice TO onlyoffice; + ''; + }; }; # Stolen from https://discourse.nixos.org/t/assign-password-to-postgres-user-declaratively/9726/3 # This is an awful situation diff --git a/systems/minimalLXCConfig.nix b/systems/minimalLXCConfig.nix index 2dfd7a5..9de7c03 100644 --- a/systems/minimalLXCConfig.nix +++ b/systems/minimalLXCConfig.nix @@ -112,9 +112,6 @@ } ]; }; - fail2ban = { - enable = true; - }; crowdsec = { enable = true; package = pkgs.crowdsec; diff --git a/systems/minimalVMConfig.nix b/systems/minimalVMConfig.nix index 9af15f2..8eeb24e 100644 --- a/systems/minimalVMConfig.nix +++ b/systems/minimalVMConfig.nix @@ -99,9 +99,6 @@ } ]; }; - fail2ban = { - enable = true; - }; crowdsec = { enable = true; package = pkgs.crowdsec;