Compare commits
3 commits
0638a5d2e6
...
d6eb45c45a
| Author | SHA1 | Date | |
|---|---|---|---|
|
d6eb45c45a | ||
|
|
fd8349cf91 | ||
|
|
473aba8072 |
6 changed files with 76 additions and 36 deletions
|
|
@ -29,6 +29,7 @@ in {
|
||||||
"services/postgresql/secrets/authentikDBPass.age".publicKeys = [tbarnouin postgresql];
|
"services/postgresql/secrets/authentikDBPass.age".publicKeys = [tbarnouin postgresql];
|
||||||
"services/postgresql/secrets/grafanaDBPass.age".publicKeys = [tbarnouin postgresql];
|
"services/postgresql/secrets/grafanaDBPass.age".publicKeys = [tbarnouin postgresql];
|
||||||
"services/postgresql/secrets/onlyofficeDBPass.age".publicKeys = [tbarnouin postgresql];
|
"services/postgresql/secrets/onlyofficeDBPass.age".publicKeys = [tbarnouin postgresql];
|
||||||
|
"secrets/postgresql-lapi-key.age".publicKeys = [tbarnouin postgresql];
|
||||||
|
|
||||||
"services/nginx/secrets/cs-lapi-key.age".publicKeys = [tbarnouin nginx];
|
"services/nginx/secrets/cs-lapi-key.age".publicKeys = [tbarnouin nginx];
|
||||||
"services/minimalConfig/secrets/cs-lapi-key.age".publicKeys = users ++ systems;
|
"services/minimalConfig/secrets/cs-lapi-key.age".publicKeys = users ++ systems;
|
||||||
|
|
|
||||||
13
secrets/postgresql-lapi-key.age
Normal file
13
secrets/postgresql-lapi-key.age
Normal file
|
|
@ -0,0 +1,13 @@
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyBabEhV
|
||||||
|
SnYvWTR6NkE1U2xUM3huNzZ3bUdXRVh0MTJoUjhTY2taNmY2MFdvCnpmNTMzMWM0
|
||||||
|
enhiMHQyWEpCYmxXZ3I3aStXYlh6UStrbFMvTTJwYjNOY2cKLT4gc3NoLWVkMjU1
|
||||||
|
MTkgc2luZ3ZRIHRHY0dNbUt0aTJQdzNGTGRXeC9jbVVoVmN2WFpRaHZIU0Qvb0c3
|
||||||
|
eUdhMXcKSi9NZEtjRENLNXFuVUVLdUlYbkNlT0EzeUVOSzJYcXlZcVRDaWFqMXVi
|
||||||
|
WQotPiBVb0wtZ3JlYXNlIGYrIEosIHpFRHBvbzI5ICljS0UKTmljdnFHQzBRTWxu
|
||||||
|
ZXpEdkhheHE5WVVJVVpXdzFaZC9HQ28KLS0tIDdmc3dNNGVYcC91QmQrcmhGaHhZ
|
||||||
|
WkNEa3FOcHZIU3loQmVDd29hd2ZqSXMKksjTw4Gh1PDeQpRnX5cg6uSv3hRRPL50
|
||||||
|
4xKqLKC7kmEoSU3PXSrNYV5yppD4V+LTnj/WRXgoBD9A89ul9PLvbmJpcxzB5SVS
|
||||||
|
+gAi73lGkRFhFrYv5eCzsIWgCfVhQZ/LeyN9ak56/OisJm0YOKntWPEN/NKjVi1x
|
||||||
|
AvFJ2jF+4bSy+BaDK0qTecHbnVfS8uW4lBr3FE7Tfj83TpI=
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
|
@ -189,7 +189,7 @@ in {
|
||||||
job_name = "jellyfin";
|
job_name = "jellyfin";
|
||||||
static_configs = [
|
static_configs = [
|
||||||
{
|
{
|
||||||
targets = ["192.168.1.42:9100"];
|
targets = ["192.168.1.42:9002"];
|
||||||
}
|
}
|
||||||
];
|
];
|
||||||
}
|
}
|
||||||
|
|
@ -256,6 +256,15 @@ in {
|
||||||
}
|
}
|
||||||
];
|
];
|
||||||
}
|
}
|
||||||
|
{
|
||||||
|
job_name = "crowdsec_postgresql";
|
||||||
|
metrics_path = "/metrics";
|
||||||
|
static_configs = [
|
||||||
|
{
|
||||||
|
targets = ["192.168.1.13:6060"];
|
||||||
|
}
|
||||||
|
];
|
||||||
|
}
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
loki = {
|
loki = {
|
||||||
|
|
|
||||||
|
|
@ -11,6 +11,10 @@ in {
|
||||||
};
|
};
|
||||||
config = lib.mkIf cfg.enable {
|
config = lib.mkIf cfg.enable {
|
||||||
age.secrets = {
|
age.secrets = {
|
||||||
|
postgresql-lapi-key = {
|
||||||
|
file = ../../secrets/postgresql-lapi-key.age;
|
||||||
|
owner = "crowdsec";
|
||||||
|
};
|
||||||
nextcloudDBPass = {
|
nextcloudDBPass = {
|
||||||
file = ./secrets/nextcloudDBPass.age;
|
file = ./secrets/nextcloudDBPass.age;
|
||||||
owner = "postgres";
|
owner = "postgres";
|
||||||
|
|
@ -32,39 +36,58 @@ in {
|
||||||
owner = "postgres";
|
owner = "postgres";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
services.postgresql = {
|
services = {
|
||||||
enable = true;
|
crowdsec = {
|
||||||
package = pkgs.postgresql_16;
|
hub.collections = [
|
||||||
enableTCPIP = true;
|
"crowdsecurity/pgsql"
|
||||||
settings.port = 5432;
|
];
|
||||||
authentication = "
|
settings.lapi.credentialsFile = "${config.age.secrets.postgresql-lapi-key.path}";
|
||||||
host nextcloud nextcloud 192.168.1.45/32 md5
|
localConfig = {
|
||||||
host gitea gitea 192.168.1.14/32 md5
|
acquisitions = [
|
||||||
host authentik authentik 192.168.1.125/32 md5
|
{
|
||||||
host grafana grafana 192.168.1.27/32 md5
|
source = "journalctl";
|
||||||
host onlyoffice onlyoffice 192.168.1.46/32 md5
|
journalctl_filter = [ "_SYSTEMD_UNIT=postgresql.service" ];
|
||||||
";
|
labels = {
|
||||||
initialScript = pkgs.writeText "init-sql-script" ''
|
type = "syslog";
|
||||||
CREATE ROLE nextcloud WITH LOGIN CREATEDB;
|
};
|
||||||
CREATE DATABASE nextcloud;
|
}
|
||||||
GRANT ALL PRIVILEGES ON DATABASE nextcloud TO nextcloud;
|
];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
postgresql = {
|
||||||
|
enable = true;
|
||||||
|
package = pkgs.postgresql_16;
|
||||||
|
enableTCPIP = true;
|
||||||
|
settings.port = 5432;
|
||||||
|
authentication = "
|
||||||
|
host nextcloud nextcloud 192.168.1.45/32 md5
|
||||||
|
host gitea gitea 192.168.1.14/32 md5
|
||||||
|
host authentik authentik 192.168.1.125/32 md5
|
||||||
|
host grafana grafana 192.168.1.27/32 md5
|
||||||
|
host onlyoffice onlyoffice 192.168.1.46/32 md5
|
||||||
|
";
|
||||||
|
initialScript = pkgs.writeText "init-sql-script" ''
|
||||||
|
CREATE ROLE nextcloud WITH LOGIN CREATEDB;
|
||||||
|
CREATE DATABASE nextcloud;
|
||||||
|
GRANT ALL PRIVILEGES ON DATABASE nextcloud TO nextcloud;
|
||||||
|
|
||||||
CREATE ROLE gitea WITH LOGIN CREATEDB;
|
CREATE ROLE gitea WITH LOGIN CREATEDB;
|
||||||
CREATE DATABASE gitea;
|
CREATE DATABASE gitea;
|
||||||
GRANT ALL PRIVILEGES ON DATABASE gitea TO gitea;
|
GRANT ALL PRIVILEGES ON DATABASE gitea TO gitea;
|
||||||
|
|
||||||
CREATE ROLE authentik WITH LOGIN CREATEDB;
|
CREATE ROLE authentik WITH LOGIN CREATEDB;
|
||||||
CREATE DATABASE authentik;
|
CREATE DATABASE authentik;
|
||||||
GRANT ALL PRIVILEGES ON DATABASE authentik TO authentik;
|
GRANT ALL PRIVILEGES ON DATABASE authentik TO authentik;
|
||||||
|
|
||||||
CREATE ROLE grafana WITH LOGIN CREATEDB;
|
CREATE ROLE grafana WITH LOGIN CREATEDB;
|
||||||
CREATE DATABASE grafana;
|
CREATE DATABASE grafana;
|
||||||
GRANT ALL PRIVILEGES ON DATABASE grafana TO grafana;
|
GRANT ALL PRIVILEGES ON DATABASE grafana TO grafana;
|
||||||
|
|
||||||
CREATE ROLE onlyoffice WITH LOGIN CREATEDB;
|
CREATE ROLE onlyoffice WITH LOGIN CREATEDB;
|
||||||
CREATE DATABASE onlyoffice;
|
CREATE DATABASE onlyoffice;
|
||||||
GRANT ALL PRIVILEGES ON DATABASE onlyoffice TO onlyoffice;
|
GRANT ALL PRIVILEGES ON DATABASE onlyoffice TO onlyoffice;
|
||||||
'';
|
'';
|
||||||
|
};
|
||||||
};
|
};
|
||||||
# Stolen from https://discourse.nixos.org/t/assign-password-to-postgres-user-declaratively/9726/3
|
# Stolen from https://discourse.nixos.org/t/assign-password-to-postgres-user-declaratively/9726/3
|
||||||
# This is an awful situation
|
# This is an awful situation
|
||||||
|
|
|
||||||
|
|
@ -112,9 +112,6 @@
|
||||||
}
|
}
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
fail2ban = {
|
|
||||||
enable = true;
|
|
||||||
};
|
|
||||||
crowdsec = {
|
crowdsec = {
|
||||||
enable = true;
|
enable = true;
|
||||||
package = pkgs.crowdsec;
|
package = pkgs.crowdsec;
|
||||||
|
|
|
||||||
|
|
@ -99,9 +99,6 @@
|
||||||
}
|
}
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
fail2ban = {
|
|
||||||
enable = true;
|
|
||||||
};
|
|
||||||
crowdsec = {
|
crowdsec = {
|
||||||
enable = true;
|
enable = true;
|
||||||
package = pkgs.crowdsec;
|
package = pkgs.crowdsec;
|
||||||
|
|
|
||||||
Loading…
Add table
Reference in a new issue