WIP: fix(crowdsec): Make the whitelists actually work

configuration/services/metrics/default.nix

@@ -5,6 +5,5 @@
     ./exporters.nix
     ./grafana.nix
     ./victoriametrics.nix
-    ./victorialogs.nix
   ];
 }

configuration/services/metrics/grafana.nix

@@ -1,9 +1,4 @@
-{
-  pkgs,
-  config,
-  flake-inputs,
-  ...
-}:
+{ config, ... }:
 let
   domain = "metrics.${config.services.nginx.domain}";
 in
@@ -33,11 +28,6 @@ in
       };
     };
 
-    declarativePlugins = [
-      pkgs.grafanaPlugins.victoriametrics-metrics-datasource
-      flake-inputs.nixpkgs-unstable.legacyPackages.${pkgs.system}.grafanaPlugins.victoriametrics-logs-datasource
-    ];
-
     provision = {
       enable = true;
 
@@ -45,16 +35,7 @@ in
         {
           name = "Victoriametrics - tlater.net";
           url = "http://localhost:8428";
-          type = "victoriametrics-metrics-datasource";
-          access = "proxy";
-          isDefault = true;
-        }
-
-        {
-          name = "Victorialogs - tlater.net";
-          url = "http://${config.services.victorialogs.bindAddress}";
-          type = "victoriametrics-logs-datasource";
-          access = "proxy";
+          type = "prometheus";
         }
       ];
     };

configuration/services/metrics/victorialogs.nix

@@ -1,110 +0,0 @@
-{
-  config,
-  pkgs,
-  lib,
-  ...
-}:
-let
-  cfg = config.services.victorialogs;
-  pkg = pkgs.victoriametrics;
-  dirname = "victorialogs";
-in
-{
-  options.services.victorialogs =
-    let
-      inherit (lib.types) str;
-    in
-    {
-      listenAddress = lib.mkOption {
-        default = ":9428";
-        type = str;
-      };
-
-      bindAddress = lib.mkOption {
-        readOnly = true;
-        type = str;
-        description = ''
-          Final address on which victorialogs listens.
-        '';
-      };
-    };
-
-  config = {
-    services.victorialogs.bindAddress =
-      (lib.optionalString (lib.hasPrefix ":" cfg.listenAddress) "127.0.0.1") + cfg.listenAddress;
-
-    services.journald.upload = {
-      enable = true;
-      settings.Upload = {
-        URL = "http://${cfg.bindAddress}/insert/journald";
-        NetworkTimeoutSec = "20s";
-      };
-    };
-
-    systemd.services."systemd-journal-upload".after = [ "victorialogs.service" ];
-
-    systemd.services.victorialogs = {
-      description = "VictoriaLogs log database";
-      wantedBy = [ "multi-user.target" ];
-      after = [ "network.target" ];
-      startLimitBurst = 5;
-
-      serviceConfig = {
-        ExecStart = lib.escapeShellArgs [
-          "${pkg}/bin/victoria-logs"
-          "-storageDataPath=/var/lib/${dirname}"
-          "-httpListenAddr=${cfg.listenAddress}"
-        ];
-
-        DynamicUser = true;
-        RestartSec = 1;
-        Restart = "on-failure";
-        RuntimeDirectory = dirname;
-        RuntimeDirectoryMode = "0700";
-        StateDirectory = dirname;
-        StateDirectoryMode = "0700";
-
-        LimitNOFILE = 1048576;
-
-        # Hardening
-        DeviceAllow = [ "/dev/null rw" ];
-        DevicePolicy = "strict";
-        LockPersonality = true;
-        MemoryDenyWriteExecute = true;
-        NoNewPrivileges = true;
-        PrivateDevices = true;
-        PrivateTmp = true;
-        PrivateUsers = true;
-        ProtectClock = true;
-        ProtectControlGroups = true;
-        ProtectHome = true;
-        ProtectHostname = true;
-        ProtectKernelLogs = true;
-        ProtectKernelModules = true;
-        ProtectKernelTunables = true;
-        ProtectProc = "invisible";
-        ProtectSystem = "full";
-        RemoveIPC = true;
-        RestrictAddressFamilies = [
-          "AF_INET"
-          "AF_INET6"
-          "AF_UNIX"
-        ];
-        RestrictNamespaces = true;
-        RestrictRealtime = true;
-        RestrictSUIDSGID = true;
-        SystemCallArchitectures = "native";
-        SystemCallFilter = [
-          "@system-service"
-          "~@privileged"
-        ];
-      };
-
-      postStart = lib.mkBefore ''
-        until ${lib.getBin pkgs.curl}/bin/curl -s -o /dev/null http://${cfg.bindAddress}/ping; do
-          sleep 1;
-        done
-      '';
-    };
-  };
-}