From 473aba8072c1e8c4a7891e4bdad1e6eac2e44896 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Th=C3=A9o=20Barnouin?= Date: Mon, 14 Apr 2025 15:14:53 +0200 Subject: [PATCH 1/3] Working postgresql crowdsec config --- secrets.nix | 1 + secrets/postgresql-lapi-key.age | 13 +++ services/postgresql/default.nix | 142 +++++++++++++++++++------------- 3 files changed, 97 insertions(+), 59 deletions(-) create mode 100644 secrets/postgresql-lapi-key.age diff --git a/secrets.nix b/secrets.nix index c7a9245..f86dfd8 100644 --- a/secrets.nix +++ b/secrets.nix @@ -29,6 +29,7 @@ in { "services/postgresql/secrets/authentikDBPass.age".publicKeys = [tbarnouin postgresql]; "services/postgresql/secrets/grafanaDBPass.age".publicKeys = [tbarnouin postgresql]; "services/postgresql/secrets/onlyofficeDBPass.age".publicKeys = [tbarnouin postgresql]; + "secrets/postgresql-lapi-key.age".publicKeys = [tbarnouin postgresql]; "services/nginx/secrets/cs-lapi-key.age".publicKeys = [tbarnouin nginx]; "services/minimalConfig/secrets/cs-lapi-key.age".publicKeys = users ++ systems; diff --git a/secrets/postgresql-lapi-key.age b/secrets/postgresql-lapi-key.age new file mode 100644 index 0000000..c2f798c --- /dev/null +++ b/secrets/postgresql-lapi-key.age @@ -0,0 +1,13 @@ +-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyBabEhV +SnYvWTR6NkE1U2xUM3huNzZ3bUdXRVh0MTJoUjhTY2taNmY2MFdvCnpmNTMzMWM0 +enhiMHQyWEpCYmxXZ3I3aStXYlh6UStrbFMvTTJwYjNOY2cKLT4gc3NoLWVkMjU1 +MTkgc2luZ3ZRIHRHY0dNbUt0aTJQdzNGTGRXeC9jbVVoVmN2WFpRaHZIU0Qvb0c3 +eUdhMXcKSi9NZEtjRENLNXFuVUVLdUlYbkNlT0EzeUVOSzJYcXlZcVRDaWFqMXVi +WQotPiBVb0wtZ3JlYXNlIGYrIEosIHpFRHBvbzI5ICljS0UKTmljdnFHQzBRTWxu +ZXpEdkhheHE5WVVJVVpXdzFaZC9HQ28KLS0tIDdmc3dNNGVYcC91QmQrcmhGaHhZ +WkNEa3FOcHZIU3loQmVDd29hd2ZqSXMKksjTw4Gh1PDeQpRnX5cg6uSv3hRRPL50 +4xKqLKC7kmEoSU3PXSrNYV5yppD4V+LTnj/WRXgoBD9A89ul9PLvbmJpcxzB5SVS ++gAi73lGkRFhFrYv5eCzsIWgCfVhQZ/LeyN9ak56/OisJm0YOKntWPEN/NKjVi1x +AvFJ2jF+4bSy+BaDK0qTecHbnVfS8uW4lBr3FE7Tfj83TpI= +-----END AGE ENCRYPTED FILE----- diff --git a/services/postgresql/default.nix b/services/postgresql/default.nix index b6fa00c..d5b6d1b 100644 --- a/services/postgresql/default.nix +++ b/services/postgresql/default.nix @@ -11,6 +11,10 @@ in { }; config = lib.mkIf cfg.enable { age.secrets = { + postgresql-lapi-key = { + file = ../../secrets/postgresql-lapi-key.age; + owner = "crowdsec"; + }; nextcloudDBPass = { file = ./secrets/nextcloudDBPass.age; owner = "postgres"; @@ -32,70 +36,90 @@ in { owner = "postgres"; }; }; - services.postgresql = { - enable = true; - package = pkgs.postgresql_16; - enableTCPIP = true; - settings.port = 5432; - authentication = " - host nextcloud nextcloud 192.168.1.45/32 md5 - host gitea gitea 192.168.1.14/32 md5 - host authentik authentik 192.168.1.125/32 md5 - host grafana grafana 192.168.1.27/32 md5 - host onlyoffice onlyoffice 192.168.1.46/32 md5 - "; - initialScript = pkgs.writeText "init-sql-script" '' - CREATE ROLE nextcloud WITH LOGIN CREATEDB; - CREATE DATABASE nextcloud; - GRANT ALL PRIVILEGES ON DATABASE nextcloud TO nextcloud; + services = { + crowdsec = { + hub.collections = [ + "crowdsecurity/pgsql" + ]; + settings.lapi.credentialsFile = "${config.age.secrets.postgresql-lapi-key.path}"; + localConfig = { + acquisitions = [ + { + filenames = [ + "/var/log/postgresql/*.log" + ]; + labels = { + type = "syslog"; + }; + } + ]; + }; + }; + postgresql = { + enable = true; + package = pkgs.postgresql_16; + enableTCPIP = true; + settings.port = 5432; + authentication = " + host nextcloud nextcloud 192.168.1.45/32 md5 + host gitea gitea 192.168.1.14/32 md5 + host authentik authentik 192.168.1.125/32 md5 + host grafana grafana 192.168.1.27/32 md5 + host onlyoffice onlyoffice 192.168.1.46/32 md5 + "; + initialScript = pkgs.writeText "init-sql-script" '' + CREATE ROLE nextcloud WITH LOGIN CREATEDB; + CREATE DATABASE nextcloud; + GRANT ALL PRIVILEGES ON DATABASE nextcloud TO nextcloud; - CREATE ROLE gitea WITH LOGIN CREATEDB; - CREATE DATABASE gitea; - GRANT ALL PRIVILEGES ON DATABASE gitea TO gitea; + CREATE ROLE gitea WITH LOGIN CREATEDB; + CREATE DATABASE gitea; + GRANT ALL PRIVILEGES ON DATABASE gitea TO gitea; - CREATE ROLE authentik WITH LOGIN CREATEDB; - CREATE DATABASE authentik; - GRANT ALL PRIVILEGES ON DATABASE authentik TO authentik; + CREATE ROLE authentik WITH LOGIN CREATEDB; + CREATE DATABASE authentik; + GRANT ALL PRIVILEGES ON DATABASE authentik TO authentik; - CREATE ROLE grafana WITH LOGIN CREATEDB; - CREATE DATABASE grafana; - GRANT ALL PRIVILEGES ON DATABASE grafana TO grafana; + CREATE ROLE grafana WITH LOGIN CREATEDB; + CREATE DATABASE grafana; + GRANT ALL PRIVILEGES ON DATABASE grafana TO grafana; - CREATE ROLE onlyoffice WITH LOGIN CREATEDB; - CREATE DATABASE onlyoffice; - GRANT ALL PRIVILEGES ON DATABASE onlyoffice TO onlyoffice; + CREATE ROLE onlyoffice WITH LOGIN CREATEDB; + CREATE DATABASE onlyoffice; + GRANT ALL PRIVILEGES ON DATABASE onlyoffice TO onlyoffice; + ''; + }; + # Stolen from https://discourse.nixos.org/t/assign-password-to-postgres-user-declaratively/9726/3 + # This is an awful situation + systemd.services.postgresql.postStart = let + nextcloudDBPass = config.age.secrets.nextcloudDBPass.path; + giteaDBPass = config.age.secrets.giteaDBPass.path; + authentikDBPass = config.age.secrets.authentikDBPass.path; + grafanaDBPass = config.age.secrets.grafanaDBPass.path; + onlyofficeDBPass = config.age.secrets.onlyofficeDBPass.path; + in '' + $PSQL -tA <<'EOF' + DO $$ + DECLARE password TEXT; + BEGIN + password := trim(both from replace(pg_read_file('${nextcloudDBPass}'), E'\n', ''')); + EXECUTE format('ALTER ROLE nextcloud WITH PASSWORD '''%s''';', password); + + password := trim(both from replace(pg_read_file('${giteaDBPass}'), E'\n', ''')); + EXECUTE format('ALTER ROLE gitea WITH PASSWORD '''%s''';', password); + + password := trim(both from replace(pg_read_file('${authentikDBPass}'), E'\n', ''')); + EXECUTE format('ALTER ROLE authentik WITH PASSWORD '''%s''';', password); + + password := trim(both from replace(pg_read_file('${grafanaDBPass}'), E'\n', ''')); + EXECUTE format('ALTER ROLE grafana WITH PASSWORD '''%s''';', password); + + password := trim(both from replace(pg_read_file('${onlyofficeDBPass}'), E'\n', ''')); + EXECUTE format('ALTER ROLE onlyoffice WITH PASSWORD '''%s''';', password); + END $$; + EOF ''; + networking.firewall.allowedTCPPorts = [5432]; }; - # Stolen from https://discourse.nixos.org/t/assign-password-to-postgres-user-declaratively/9726/3 - # This is an awful situation - systemd.services.postgresql.postStart = let - nextcloudDBPass = config.age.secrets.nextcloudDBPass.path; - giteaDBPass = config.age.secrets.giteaDBPass.path; - authentikDBPass = config.age.secrets.authentikDBPass.path; - grafanaDBPass = config.age.secrets.grafanaDBPass.path; - onlyofficeDBPass = config.age.secrets.onlyofficeDBPass.path; - in '' - $PSQL -tA <<'EOF' - DO $$ - DECLARE password TEXT; - BEGIN - password := trim(both from replace(pg_read_file('${nextcloudDBPass}'), E'\n', ''')); - EXECUTE format('ALTER ROLE nextcloud WITH PASSWORD '''%s''';', password); - - password := trim(both from replace(pg_read_file('${giteaDBPass}'), E'\n', ''')); - EXECUTE format('ALTER ROLE gitea WITH PASSWORD '''%s''';', password); - - password := trim(both from replace(pg_read_file('${authentikDBPass}'), E'\n', ''')); - EXECUTE format('ALTER ROLE authentik WITH PASSWORD '''%s''';', password); - - password := trim(both from replace(pg_read_file('${grafanaDBPass}'), E'\n', ''')); - EXECUTE format('ALTER ROLE grafana WITH PASSWORD '''%s''';', password); - - password := trim(both from replace(pg_read_file('${onlyofficeDBPass}'), E'\n', ''')); - EXECUTE format('ALTER ROLE onlyoffice WITH PASSWORD '''%s''';', password); - END $$; - EOF - ''; - networking.firewall.allowedTCPPorts = [5432]; }; } From fd8349cf91811fba2c1ae3179dc6aa3366cf9f42 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Th=C3=A9o=20Barnouin?= Date: Mon, 14 Apr 2025 15:15:27 +0200 Subject: [PATCH 2/3] Working postgresql crowdsec config --- services/postgresql/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/postgresql/default.nix b/services/postgresql/default.nix index d5b6d1b..5cc9d1c 100644 --- a/services/postgresql/default.nix +++ b/services/postgresql/default.nix @@ -119,7 +119,7 @@ in { END $$; EOF ''; - networking.firewall.allowedTCPPorts = [5432]; }; + networking.firewall.allowedTCPPorts = [5432]; }; } From d6eb45c45ac8da5eeb68382ded065d4fc7a12fbd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Th=C3=A9o=20Barnouin?= Date: Mon, 14 Apr 2025 15:28:01 +0200 Subject: [PATCH 3/3] Working postgresql crowdsec config + remove fail2ban --- services/grafana/default.nix | 11 +++++- services/postgresql/default.nix | 65 ++++++++++++++++----------------- systems/minimalLXCConfig.nix | 3 -- systems/minimalVMConfig.nix | 3 -- 4 files changed, 42 insertions(+), 40 deletions(-) diff --git a/services/grafana/default.nix b/services/grafana/default.nix index ff16f71..172ff0e 100644 --- a/services/grafana/default.nix +++ b/services/grafana/default.nix @@ -189,7 +189,7 @@ in { job_name = "jellyfin"; static_configs = [ { - targets = ["192.168.1.42:9100"]; + targets = ["192.168.1.42:9002"]; } ]; } @@ -256,6 +256,15 @@ in { } ]; } + { + job_name = "crowdsec_postgresql"; + metrics_path = "/metrics"; + static_configs = [ + { + targets = ["192.168.1.13:6060"]; + } + ]; + } ]; }; loki = { diff --git a/services/postgresql/default.nix b/services/postgresql/default.nix index 5cc9d1c..7b75a54 100644 --- a/services/postgresql/default.nix +++ b/services/postgresql/default.nix @@ -45,9 +45,8 @@ in { localConfig = { acquisitions = [ { - filenames = [ - "/var/log/postgresql/*.log" - ]; + source = "journalctl"; + journalctl_filter = [ "_SYSTEMD_UNIT=postgresql.service" ]; labels = { type = "syslog"; }; @@ -89,37 +88,37 @@ in { GRANT ALL PRIVILEGES ON DATABASE onlyoffice TO onlyoffice; ''; }; - # Stolen from https://discourse.nixos.org/t/assign-password-to-postgres-user-declaratively/9726/3 - # This is an awful situation - systemd.services.postgresql.postStart = let - nextcloudDBPass = config.age.secrets.nextcloudDBPass.path; - giteaDBPass = config.age.secrets.giteaDBPass.path; - authentikDBPass = config.age.secrets.authentikDBPass.path; - grafanaDBPass = config.age.secrets.grafanaDBPass.path; - onlyofficeDBPass = config.age.secrets.onlyofficeDBPass.path; - in '' - $PSQL -tA <<'EOF' - DO $$ - DECLARE password TEXT; - BEGIN - password := trim(both from replace(pg_read_file('${nextcloudDBPass}'), E'\n', ''')); - EXECUTE format('ALTER ROLE nextcloud WITH PASSWORD '''%s''';', password); - - password := trim(both from replace(pg_read_file('${giteaDBPass}'), E'\n', ''')); - EXECUTE format('ALTER ROLE gitea WITH PASSWORD '''%s''';', password); - - password := trim(both from replace(pg_read_file('${authentikDBPass}'), E'\n', ''')); - EXECUTE format('ALTER ROLE authentik WITH PASSWORD '''%s''';', password); - - password := trim(both from replace(pg_read_file('${grafanaDBPass}'), E'\n', ''')); - EXECUTE format('ALTER ROLE grafana WITH PASSWORD '''%s''';', password); - - password := trim(both from replace(pg_read_file('${onlyofficeDBPass}'), E'\n', ''')); - EXECUTE format('ALTER ROLE onlyoffice WITH PASSWORD '''%s''';', password); - END $$; - EOF - ''; }; + # Stolen from https://discourse.nixos.org/t/assign-password-to-postgres-user-declaratively/9726/3 + # This is an awful situation + systemd.services.postgresql.postStart = let + nextcloudDBPass = config.age.secrets.nextcloudDBPass.path; + giteaDBPass = config.age.secrets.giteaDBPass.path; + authentikDBPass = config.age.secrets.authentikDBPass.path; + grafanaDBPass = config.age.secrets.grafanaDBPass.path; + onlyofficeDBPass = config.age.secrets.onlyofficeDBPass.path; + in '' + $PSQL -tA <<'EOF' + DO $$ + DECLARE password TEXT; + BEGIN + password := trim(both from replace(pg_read_file('${nextcloudDBPass}'), E'\n', ''')); + EXECUTE format('ALTER ROLE nextcloud WITH PASSWORD '''%s''';', password); + + password := trim(both from replace(pg_read_file('${giteaDBPass}'), E'\n', ''')); + EXECUTE format('ALTER ROLE gitea WITH PASSWORD '''%s''';', password); + + password := trim(both from replace(pg_read_file('${authentikDBPass}'), E'\n', ''')); + EXECUTE format('ALTER ROLE authentik WITH PASSWORD '''%s''';', password); + + password := trim(both from replace(pg_read_file('${grafanaDBPass}'), E'\n', ''')); + EXECUTE format('ALTER ROLE grafana WITH PASSWORD '''%s''';', password); + + password := trim(both from replace(pg_read_file('${onlyofficeDBPass}'), E'\n', ''')); + EXECUTE format('ALTER ROLE onlyoffice WITH PASSWORD '''%s''';', password); + END $$; + EOF + ''; networking.firewall.allowedTCPPorts = [5432]; }; } diff --git a/systems/minimalLXCConfig.nix b/systems/minimalLXCConfig.nix index 2dfd7a5..9de7c03 100644 --- a/systems/minimalLXCConfig.nix +++ b/systems/minimalLXCConfig.nix @@ -112,9 +112,6 @@ } ]; }; - fail2ban = { - enable = true; - }; crowdsec = { enable = true; package = pkgs.crowdsec; diff --git a/systems/minimalVMConfig.nix b/systems/minimalVMConfig.nix index 9af15f2..8eeb24e 100644 --- a/systems/minimalVMConfig.nix +++ b/systems/minimalVMConfig.nix @@ -99,9 +99,6 @@ } ]; }; - fail2ban = { - enable = true; - }; crowdsec = { enable = true; package = pkgs.crowdsec;