diff --git a/secrets.nix b/secrets.nix index f86dfd8..c7a9245 100644 --- a/secrets.nix +++ b/secrets.nix @@ -29,7 +29,6 @@ in { "services/postgresql/secrets/authentikDBPass.age".publicKeys = [tbarnouin postgresql]; "services/postgresql/secrets/grafanaDBPass.age".publicKeys = [tbarnouin postgresql]; "services/postgresql/secrets/onlyofficeDBPass.age".publicKeys = [tbarnouin postgresql]; - "secrets/postgresql-lapi-key.age".publicKeys = [tbarnouin postgresql]; "services/nginx/secrets/cs-lapi-key.age".publicKeys = [tbarnouin nginx]; "services/minimalConfig/secrets/cs-lapi-key.age".publicKeys = users ++ systems; diff --git a/secrets/postgresql-lapi-key.age b/secrets/postgresql-lapi-key.age deleted file mode 100644 index c2f798c..0000000 --- a/secrets/postgresql-lapi-key.age +++ /dev/null @@ -1,13 +0,0 @@ ------BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyBabEhV -SnYvWTR6NkE1U2xUM3huNzZ3bUdXRVh0MTJoUjhTY2taNmY2MFdvCnpmNTMzMWM0 -enhiMHQyWEpCYmxXZ3I3aStXYlh6UStrbFMvTTJwYjNOY2cKLT4gc3NoLWVkMjU1 -MTkgc2luZ3ZRIHRHY0dNbUt0aTJQdzNGTGRXeC9jbVVoVmN2WFpRaHZIU0Qvb0c3 -eUdhMXcKSi9NZEtjRENLNXFuVUVLdUlYbkNlT0EzeUVOSzJYcXlZcVRDaWFqMXVi -WQotPiBVb0wtZ3JlYXNlIGYrIEosIHpFRHBvbzI5ICljS0UKTmljdnFHQzBRTWxu -ZXpEdkhheHE5WVVJVVpXdzFaZC9HQ28KLS0tIDdmc3dNNGVYcC91QmQrcmhGaHhZ -WkNEa3FOcHZIU3loQmVDd29hd2ZqSXMKksjTw4Gh1PDeQpRnX5cg6uSv3hRRPL50 -4xKqLKC7kmEoSU3PXSrNYV5yppD4V+LTnj/WRXgoBD9A89ul9PLvbmJpcxzB5SVS -+gAi73lGkRFhFrYv5eCzsIWgCfVhQZ/LeyN9ak56/OisJm0YOKntWPEN/NKjVi1x -AvFJ2jF+4bSy+BaDK0qTecHbnVfS8uW4lBr3FE7Tfj83TpI= ------END AGE ENCRYPTED FILE----- diff --git a/services/grafana/default.nix b/services/grafana/default.nix index 172ff0e..ff16f71 100644 --- a/services/grafana/default.nix +++ b/services/grafana/default.nix @@ -189,7 +189,7 @@ in { job_name = "jellyfin"; static_configs = [ { - targets = ["192.168.1.42:9002"]; + targets = ["192.168.1.42:9100"]; } ]; } @@ -256,15 +256,6 @@ in { } ]; } - { - job_name = "crowdsec_postgresql"; - metrics_path = "/metrics"; - static_configs = [ - { - targets = ["192.168.1.13:6060"]; - } - ]; - } ]; }; loki = { diff --git a/services/postgresql/default.nix b/services/postgresql/default.nix index 7b75a54..b6fa00c 100644 --- a/services/postgresql/default.nix +++ b/services/postgresql/default.nix @@ -11,10 +11,6 @@ in { }; config = lib.mkIf cfg.enable { age.secrets = { - postgresql-lapi-key = { - file = ../../secrets/postgresql-lapi-key.age; - owner = "crowdsec"; - }; nextcloudDBPass = { file = ./secrets/nextcloudDBPass.age; owner = "postgres"; @@ -36,58 +32,39 @@ in { owner = "postgres"; }; }; - services = { - crowdsec = { - hub.collections = [ - "crowdsecurity/pgsql" - ]; - settings.lapi.credentialsFile = "${config.age.secrets.postgresql-lapi-key.path}"; - localConfig = { - acquisitions = [ - { - source = "journalctl"; - journalctl_filter = [ "_SYSTEMD_UNIT=postgresql.service" ]; - labels = { - type = "syslog"; - }; - } - ]; - }; - }; - postgresql = { - enable = true; - package = pkgs.postgresql_16; - enableTCPIP = true; - settings.port = 5432; - authentication = " - host nextcloud nextcloud 192.168.1.45/32 md5 - host gitea gitea 192.168.1.14/32 md5 - host authentik authentik 192.168.1.125/32 md5 - host grafana grafana 192.168.1.27/32 md5 - host onlyoffice onlyoffice 192.168.1.46/32 md5 - "; - initialScript = pkgs.writeText "init-sql-script" '' - CREATE ROLE nextcloud WITH LOGIN CREATEDB; - CREATE DATABASE nextcloud; - GRANT ALL PRIVILEGES ON DATABASE nextcloud TO nextcloud; + services.postgresql = { + enable = true; + package = pkgs.postgresql_16; + enableTCPIP = true; + settings.port = 5432; + authentication = " + host nextcloud nextcloud 192.168.1.45/32 md5 + host gitea gitea 192.168.1.14/32 md5 + host authentik authentik 192.168.1.125/32 md5 + host grafana grafana 192.168.1.27/32 md5 + host onlyoffice onlyoffice 192.168.1.46/32 md5 + "; + initialScript = pkgs.writeText "init-sql-script" '' + CREATE ROLE nextcloud WITH LOGIN CREATEDB; + CREATE DATABASE nextcloud; + GRANT ALL PRIVILEGES ON DATABASE nextcloud TO nextcloud; - CREATE ROLE gitea WITH LOGIN CREATEDB; - CREATE DATABASE gitea; - GRANT ALL PRIVILEGES ON DATABASE gitea TO gitea; + CREATE ROLE gitea WITH LOGIN CREATEDB; + CREATE DATABASE gitea; + GRANT ALL PRIVILEGES ON DATABASE gitea TO gitea; - CREATE ROLE authentik WITH LOGIN CREATEDB; - CREATE DATABASE authentik; - GRANT ALL PRIVILEGES ON DATABASE authentik TO authentik; + CREATE ROLE authentik WITH LOGIN CREATEDB; + CREATE DATABASE authentik; + GRANT ALL PRIVILEGES ON DATABASE authentik TO authentik; - CREATE ROLE grafana WITH LOGIN CREATEDB; - CREATE DATABASE grafana; - GRANT ALL PRIVILEGES ON DATABASE grafana TO grafana; + CREATE ROLE grafana WITH LOGIN CREATEDB; + CREATE DATABASE grafana; + GRANT ALL PRIVILEGES ON DATABASE grafana TO grafana; - CREATE ROLE onlyoffice WITH LOGIN CREATEDB; - CREATE DATABASE onlyoffice; - GRANT ALL PRIVILEGES ON DATABASE onlyoffice TO onlyoffice; - ''; - }; + CREATE ROLE onlyoffice WITH LOGIN CREATEDB; + CREATE DATABASE onlyoffice; + GRANT ALL PRIVILEGES ON DATABASE onlyoffice TO onlyoffice; + ''; }; # Stolen from https://discourse.nixos.org/t/assign-password-to-postgres-user-declaratively/9726/3 # This is an awful situation diff --git a/systems/minimalLXCConfig.nix b/systems/minimalLXCConfig.nix index 9de7c03..2dfd7a5 100644 --- a/systems/minimalLXCConfig.nix +++ b/systems/minimalLXCConfig.nix @@ -112,6 +112,9 @@ } ]; }; + fail2ban = { + enable = true; + }; crowdsec = { enable = true; package = pkgs.crowdsec; diff --git a/systems/minimalVMConfig.nix b/systems/minimalVMConfig.nix index 8eeb24e..9af15f2 100644 --- a/systems/minimalVMConfig.nix +++ b/systems/minimalVMConfig.nix @@ -99,6 +99,9 @@ } ]; }; + fail2ban = { + enable = true; + }; crowdsec = { enable = true; package = pkgs.crowdsec;