Working postgresql crowdsec config + remove fail2ban

secrets.nix

@@ -29,6 +29,7 @@ in {
   "services/postgresql/secrets/authentikDBPass.age".publicKeys = [tbarnouin postgresql];
   "services/postgresql/secrets/grafanaDBPass.age".publicKeys = [tbarnouin postgresql];
   "services/postgresql/secrets/onlyofficeDBPass.age".publicKeys = [tbarnouin postgresql];
+  "secrets/postgresql-lapi-key.age".publicKeys = [tbarnouin postgresql];
 
   "services/nginx/secrets/cs-lapi-key.age".publicKeys = [tbarnouin nginx];
   "services/minimalConfig/secrets/cs-lapi-key.age".publicKeys = users ++ systems;

secrets/postgresql-lapi-key.age

@@ -0,0 +1,13 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyBabEhV
+SnYvWTR6NkE1U2xUM3huNzZ3bUdXRVh0MTJoUjhTY2taNmY2MFdvCnpmNTMzMWM0
+enhiMHQyWEpCYmxXZ3I3aStXYlh6UStrbFMvTTJwYjNOY2cKLT4gc3NoLWVkMjU1
+MTkgc2luZ3ZRIHRHY0dNbUt0aTJQdzNGTGRXeC9jbVVoVmN2WFpRaHZIU0Qvb0c3
+eUdhMXcKSi9NZEtjRENLNXFuVUVLdUlYbkNlT0EzeUVOSzJYcXlZcVRDaWFqMXVi
+WQotPiBVb0wtZ3JlYXNlIGYrIEosIHpFRHBvbzI5ICljS0UKTmljdnFHQzBRTWxu
+ZXpEdkhheHE5WVVJVVpXdzFaZC9HQ28KLS0tIDdmc3dNNGVYcC91QmQrcmhGaHhZ
+WkNEa3FOcHZIU3loQmVDd29hd2ZqSXMKksjTw4Gh1PDeQpRnX5cg6uSv3hRRPL50
+4xKqLKC7kmEoSU3PXSrNYV5yppD4V+LTnj/WRXgoBD9A89ul9PLvbmJpcxzB5SVS
++gAi73lGkRFhFrYv5eCzsIWgCfVhQZ/LeyN9ak56/OisJm0YOKntWPEN/NKjVi1x
+AvFJ2jF+4bSy+BaDK0qTecHbnVfS8uW4lBr3FE7Tfj83TpI=
+-----END AGE ENCRYPTED FILE-----

services/grafana/default.nix

@@ -189,7 +189,7 @@ in {
             job_name = "jellyfin";
             static_configs = [
               {
-                targets = ["192.168.1.42:9100"];
+                targets = ["192.168.1.42:9002"];
               }
             ];
           }
@@ -256,6 +256,15 @@ in {
               }
             ];
           }
+          {
+            job_name = "crowdsec_postgresql";
+            metrics_path = "/metrics";
+            static_configs = [
+              {
+                targets = ["192.168.1.13:6060"];
+              }
+            ];
+          }
         ];
       };
       loki = {

services/postgresql/default.nix

@@ -11,6 +11,10 @@ in {
   };
   config = lib.mkIf cfg.enable {
     age.secrets = {
+      postgresql-lapi-key = {
+        file = ../../secrets/postgresql-lapi-key.age;
+        owner = "crowdsec";
+      };
       nextcloudDBPass = {
         file = ./secrets/nextcloudDBPass.age;
         owner = "postgres";
@@ -32,7 +36,25 @@ in {
         owner = "postgres";
       };
     };
-    services.postgresql = {
+    services = {
+      crowdsec = {
+        hub.collections = [
+          "crowdsecurity/pgsql"
+        ];
+        settings.lapi.credentialsFile = "${config.age.secrets.postgresql-lapi-key.path}";
+        localConfig = {
+          acquisitions = [
+            {
+              source = "journalctl";
+              journalctl_filter = [ "_SYSTEMD_UNIT=postgresql.service" ];
+              labels = {
+                type = "syslog";
+              };
+            }
+          ];
+        };
+      };
+      postgresql = {
         enable = true;
         package = pkgs.postgresql_16;
         enableTCPIP = true;
@@ -66,6 +88,7 @@ in {
           GRANT ALL PRIVILEGES ON DATABASE onlyoffice TO onlyoffice;
         '';
       };
+    };
     # Stolen from https://discourse.nixos.org/t/assign-password-to-postgres-user-declaratively/9726/3
     # This is an awful situation
     systemd.services.postgresql.postStart = let

systems/minimalLXCConfig.nix

@@ -112,9 +112,6 @@
         }
       ];
     };
-    fail2ban = {
-      enable = true;
-    };
     crowdsec = {
       enable = true;
       package = pkgs.crowdsec;

systems/minimalVMConfig.nix

@@ -99,9 +99,6 @@
         }
       ];
     };
-    fail2ban = {
-      enable = true;
-    };
     crowdsec = {
       enable = true;
       package = pkgs.crowdsec;