From 6c6db60af624e573016770fed0d14d59d376856d Mon Sep 17 00:00:00 2001 From: "Ricardo (XenGi) Band" Date: Sat, 6 Dec 2025 17:52:11 +0100 Subject: [PATCH 01/10] set fixed postgres version --- services/postgres.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/services/postgres.nix b/services/postgres.nix index a866fa5..98d526d 100644 --- a/services/postgres.nix +++ b/services/postgres.nix @@ -1,10 +1,10 @@ -{ ... }: +{ pkgs, ... }: { services = { postgresql = { enable = true; - #package = pkgs.postgresql_18; + package = pkgs.postgresql_16; enableJIT = true; initdbArgs = [ "--locale=C" From 128e0f6c44f65c1f4a155c16e55fafdb9092294f Mon Sep 17 00:00:00 2001 From: "Ricardo (XenGi) Band" Date: Sat, 6 Dec 2025 17:55:03 +0100 Subject: [PATCH 02/10] upgrade postgres to 17 --- services/postgres.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/postgres.nix b/services/postgres.nix index 98d526d..1c083b2 100644 --- a/services/postgres.nix +++ b/services/postgres.nix @@ -4,7 +4,7 @@ services = { postgresql = { enable = true; - package = pkgs.postgresql_16; + package = pkgs.postgresql_17; enableJIT = true; initdbArgs = [ "--locale=C" From 8e535d4f1c4e497b83d5ebf38977faba7518d399 Mon Sep 17 00:00:00 2001 From: "Ricardo (XenGi) Band" Date: Sat, 6 Dec 2025 17:58:18 +0100 Subject: [PATCH 03/10] downgrade postgres to 16 --- services/postgres.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/postgres.nix b/services/postgres.nix index 1c083b2..98d526d 100644 --- a/services/postgres.nix +++ b/services/postgres.nix @@ -4,7 +4,7 @@ services = { postgresql = { enable = true; - package = pkgs.postgresql_17; + package = pkgs.postgresql_16; enableJIT = true; initdbArgs = [ "--locale=C" From 217a778a8fd9c4de2e961dc0df830081882b8fb6 Mon Sep 17 00:00:00 2001 
From: "Ricardo (XenGi) Band" Date: Sat, 6 Dec 2025 18:20:01 +0100 Subject: [PATCH 04/10] document upgrade process --- README.md | 61 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 61 insertions(+) diff --git a/README.md b/README.md index 1169c52..25a191d 100644 --- a/README.md +++ b/README.md @@ -1,3 +1,64 @@ +# Operational notes + +## Postgres upgrade + +1. Stop services that use postgres +```bash +systemctl stop matrix-synapse grafana +``` +2. Login as postgres user +```bash +sudo -su postgres +old=16 +cd /var/lib/postgresql/ +pg_old=$(nix-build --no-out-link -A postgresql_${old:?} '') +pg_new=$(nix-build --no-out-link -A postgresql_$((old+1)) '') +``` +3. Initialize new data directory +```bash +$pg_new/bin/initdb --encoding=UTF8 --no-locale $((old+1)) +``` +4. Run check +```bash +$pg_new/bin/pg_upgrade \ + --old-bindir=$pg_old/bin \ + --new-bindir=$pg_new/bin \ + --old-datadir=/var/lib/postgresql/${old:?} \ + --new-datadir=/var/lib/postgresql/$((old+1)) \ + -j16 \ + --clone \ + --check +``` +5. Stop the old Postgres +```bash +systemctl stop postgresql +``` +6. Run the migration +```bash +$pg_new/bin/pg_upgrade \ + --old-bindir=$pg_old/bin \ + --new-bindir=$pg_new/bin \ + --old-datadir=/var/lib/postgresql/${old:?} \ + --new-datadir=/var/lib/postgresql/$((old+1)) \ + -j16 \ + --clone +``` +7. Start the new Postgres +```bash +services.postgres.packages = pkgs.postgresql_17; +nixos-rebuild switch +``` + +Cleanup (after a few days): + +```bash +sudo -su postgres +vacuumdb --all --analyze-in-stages +cd /var/lib/postgresql/ +./delete_old_cluster.sh +rm -v delete_old_cluster.sh +``` + # Tarball ```bash From c10e6b9fdbf6f8cc91aeb4051aed18496bbba806 Mon Sep 17 00:00:00 2001 From: "Ricardo (XenGi) Band" Date: Sat, 6 Dec 2025 18:28:21 +0100 Subject: [PATCH 05/10] document upgrade process --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 25a191d..ed4efef 100644 --- a/README.md +++ b/README.md 
@@ -16,7 +16,7 @@ pg_new=$(nix-build --no-out-link -A postgresql_$((old+1)) '') ``` 3. Initialize new data directory ```bash -$pg_new/bin/initdb --encoding=UTF8 --no-locale $((old+1)) +$pg_new/bin/initdb --encoding=UTF8 --locale=C $((old+1)) ``` 4. Run check ```bash From d70cc8efddc5142633eb237bb32f664bea5262e6 Mon Sep 17 00:00:00 2001 From: "Ricardo (XenGi) Band" Date: Thu, 25 Dec 2025 11:55:59 +0100 Subject: [PATCH 06/10] add ipv4 dns --- configuration.nix | 7 +++---- flake.lock | 6 +++--- 2 files changed, 6 insertions(+), 7 deletions(-) diff --git a/configuration.nix b/configuration.nix index 0f7677a..bf26909 100644 --- a/configuration.nix +++ b/configuration.nix @@ -74,6 +74,8 @@ nameservers = [ "2606:4700:4700::1111#one.one.one.one" "2620:fe::fe#dns.quad9.net" + "1.1.1.1#one.one.one.one" + "9.9.9.9#dns.quad9.net" ]; useDHCP = false; useNetworkd = true; @@ -125,10 +127,6 @@ # Cache DNS lookups to improve performance resolved = { enable = true; - fallbackDns = [ - "1.1.1.1#one.one.one.one" - "9.9.9.9#dns.quad9.net" - ]; dnssec = "allow-downgrade"; dnsovertls = "true"; extraConfig = '' @@ -139,6 +137,7 @@ }; programs = { + mtr.enable = true; vim = { enable = true; defaultEditor = true; diff --git a/flake.lock b/flake.lock index 811cfc3..b25cf0b 100644 --- a/flake.lock +++ b/flake.lock @@ -68,11 +68,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1764677808, - "narHash": "sha256-H3lC7knbXOBrHI9hITQ7modLuX20mYJVhZORL5ioms0=", + "lastModified": 1766473571, + "narHash": "sha256-5G1NDO2PulBx1RoaA6U1YoUDX0qZslpPxv+n5GX6Qto=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "1aab89277eb2d87823d5b69bae631a2496cff57a", + "rev": "76701a179d3a98b07653e2b0409847499b2a07d3", "type": "github" }, "original": { From 41bc2bff699388e1e581c2e28a0fa18d68d3302b Mon Sep 17 00:00:00 2001 
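Review bot: Dropping `fallbackDns` from the `resolved` block changes what systemd-resolved does when all four servers in `networking.nameservers` are unreachable: it falls back to whatever `FallbackDNS` the nixpkgs systemd build compiles in, which this hunk does not show. Because `dnsovertls = "true"` is strict, any such fallback server must also speak DoT or resolution fails closed rather than leaking plaintext queries; confirm the effective server list with `resolvectl status` after the switch. Independently, `dnssec = "allow-downgrade"` lets on-host validation be disabled silently, so the host is effectively trusting the upstream resolvers' own validation; a comment such as `# upstream resolvers validate DNSSEC; DoT protects the path to them` would record that this is intended rather than an oversight. The `resolved` attrset continues outside the hunk.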
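Review bot: `mtr.enable = true` does more than put mtr on PATH — on NixOS the module installs a security wrapper for `mtr-packet` carrying `cap_net_raw` (confirm against the current module), which leaves a permanently present capability-bearing binary on a host whose only interactive account is root. If it is wanted only for occasional diagnostics, `nix shell nixpkgs#mtr` at the time of use avoids that; if it stays, add `# installs a cap_net_raw wrapper for mtr-packet; diagnostics only` so the widened surface is visibly deliberate. The `programs` attrset continues outside the hunk.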
From: "Ricardo (XenGi) Band" Date: Thu, 25 Dec 2025 12:10:08 +0100 Subject: [PATCH 07/10] secret is dynamically added to systemd unit --- flake.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/flake.nix b/flake.nix index 791a00f..afe9bf0 100644 --- a/flake.nix +++ b/flake.nix @@ -73,9 +73,9 @@ draupnir_access_token = { file = ./secrets/draupnir_access_token.age; mode = "440"; - owner = "draupnir"; - group = "draupnir"; - }; + owner = "root"; + group = "root"; + }; grafana_secret_key = { file = ./secrets/grafana_secret_key.age; mode = "440"; From a3a5cc794cdbe9d1a2eb3d881a7a35ca1cd6a212 Mon Sep 17 00:00:00 2001 From: "Ricardo (XenGi) Band" Date: Sun, 1 Feb 2026 00:26:41 +0100 Subject: [PATCH 08/10] add hedgedoc config --- README.md | 12 +- flake.nix | 23 +++- hosts/hedgedoc.nix | 158 ++++++++++++++++++++++++++ configuration.nix => hosts/matrix.nix | 32 ++---- services/openssh.nix | 19 ++++ 5 files changed, 212 insertions(+), 32 deletions(-) create mode 100644 hosts/hedgedoc.nix rename configuration.nix => hosts/matrix.nix (77%) create mode 100644 services/openssh.nix diff --git a/README.md b/README.md index ed4efef..9b23b5f 100644 --- a/README.md +++ b/README.md @@ -62,10 +62,12 @@ rm -v delete_old_cluster.sh # Tarball ```bash -nix build .#nixosConfigurations.matrix.config.system.build.image +nix build .#nixosConfigurations..config.system.build.image ``` -# HTTP +# Matrix + +## HTTP Configure `berlin.ccc.de` web server to send federation traffic to the matrix server: @@ -85,7 +87,7 @@ server { } ``` -# DNS +## DNS ```dns _matrix-fed._tcp.berlin.ccc.de. IN SRV 10 0 443 matrix.berlin.ccc.de. @@ -100,7 +102,7 @@ matrix.berlin.ccc.de. IN SSHFP 4 1 62d10fa57f8a1aa7469cd9b00621e4ce8 matrix.berlin.ccc.de. IN SSHFP 4 2 ca80a6685984da140ac850e4951fa31e70b616e87f62f46437af3bfd215af887 ``` -# Bots +## Bots ```bash register_new_matrix_user \ 
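Review bot: With `owner` and `group` now both `root`, the retained `mode = "440"` grants group read to nobody in particular; `mode = "400";` states the actual policy and will not silently widen access if the group is changed later. The mechanism the subject refers to (presumably `LoadCredential=` or an equivalent on the draupnir unit) is not in this hunk, so if the draupnir service still opens the decrypted file under agenix's default `/run/agenix/` path directly as its own user, it will now fail with EACCES — verify that the unit-side change landed together with this one. The enclosing `age.secrets` attrset continues outside the hunk.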
@@ -110,7 +112,7 @@ register_new_matrix_user \ --password ``` -# Draupnir +## Draupnir Remove rate limit for account: diff --git a/flake.nix b/flake.nix index afe9bf0..fbc725b 100644 --- a/flake.nix +++ b/flake.nix @@ -1,13 +1,11 @@ { - description = "Matrix server for CCCB"; + description = "CCCB services"; inputs = { nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.11"; #flake-utils.url = "github:numtide/flake-utils"; agenix = { url = "github:ryantm/agenix"; - inputs = { - nixpkgs.follows = "nixpkgs"; - }; + inputs.nixpkgs.follows = "nixpkgs"; }; }; outputs = @@ -90,7 +88,9 @@ }; }; } - ./configuration.nix + ./hosts/matrix.nix + + ./services/openssh.nix ./services/nginx.nix ./services/postgres.nix @@ -102,6 +102,19 @@ ./services/grafana.nix ]; }; + nixosConfigurations."hedgedoc" = nixpkgs.lib.nixosSystem { + #system = "x86_64-linux"; + #pkgs = import nixpkgs { inherit system; }; + inherit system; + modules = [ + agenix.nixosModules.default + { environment.systemPackages = [ (agenix.packages.${system}.default) ]; } + + ./hosts/hedgedoc.nix + + ./services/openssh.nix + ]; + }; }; #); } diff --git a/hosts/hedgedoc.nix b/hosts/hedgedoc.nix new file mode 100644 index 0000000..0f5ed23 --- /dev/null +++ b/hosts/hedgedoc.nix 
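Review bot: The new shared `./services/openssh.nix` is not in this chunk, while the same patch removes the inline sshd settings from `hosts/matrix.nix` (`PermitRootLogin = "prohibit-password"`, `PasswordAuthentication = false`, `KbdInteractiveAuthentication = false`, `PermitEmptyPasswords = "no"`). Confirm the extracted module carries all four over: both hosts now authenticate root purely by the `openssh.authorizedKeys.keys` list seen in `hosts/hedgedoc.nix`, and a dropped setting here would re-enable password login on two machines at once without any visible change in the host files. A short header comment in the shared module naming these invariants would help the next host that imports it.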
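Review bot: The `hedgedoc` configuration carries two commented-out lines (`#system`, `#pkgs`) next to `inherit system;` (bound outside the hunk), and `hosts/hedgedoc.nix` separately pins `nixpkgs.hostPlatform = "x86_64-linux"`, so the platform is now stated in two places; drop the dead lines and keep a single source of truth. Note also that the module list adds no hedgedoc or nginx service, so this commit is host scaffolding rather than the deployment its subject suggests — saying so in the commit message or a comment would stop a reader from assuming the ports opened in the host file are already serving something.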
@@ -0,0 +1,158 @@ +{ + config, + modulesPath, + pkgs, + lib, + ... +}: + +{ + imports = [ (modulesPath + "/virtualisation/proxmox-lxc.nix") ]; + + systemd.suppressedSystemUnits = [ + "dev-mqueue.mount" + "sys-kernel-debug.mount" + "sys-fs-fuse-connections.mount" + ]; + + nix = { + optimise = { + automatic = true; + dates = [ "11:00" ]; + }; + settings = { + auto-optimise-store = true; + sandbox = false; + # Allow remote updates + trusted-users = [ + "root" + "@wheel" + ]; + experimental-features = [ + "nix-command" + "flakes" + ]; + }; + gc = { + automatic = true; + options = "--delete-older-than 14d"; + }; + }; + + nixpkgs.hostPlatform = "x86_64-linux"; + + environment.systemPackages = with pkgs; [ + vim + git + ]; + + proxmoxLXC = { + manageNetwork = false; + manageHostName = false; + privileged = false; + }; + + users.users.root = { + packages = with pkgs; [ + kitty # for terminfo + fastfetch # for shits and giggles + ]; + openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICW1+Ml8R9x1LCJaZ8bIZ1qIV4HCuZ6x7DziFW+0Nn5T xengi@kanae_2022-12-09" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICmb+mJfo84IagUaRoDEqY9ROjjQUOQ7tMclpN6NDPrX xengi@kota_2022-01-16" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICyklb7dvEHH0VBEMmTUQFKHN6ekBQqkDKj09+EilUIQ xengi@lucy_2018-09-08" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICjv9W8WXq9QGkgmANNPQR24/I1Pm1ghxNIHftEI+jlZ xengi@mayu_2021-06-11" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGhyfD+8jMl6FDSADb11sfAsJk0KNoVzjjiDRZjUOtmf xengi@nana_2019-08-16" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMPtGqhV7io3mhIoZho4Yf7eCo0sUZvjT2NziM2PkXSo xengi@nyu_2017-10-11" + ]; + }; + + networking = { + hostName = "hedgedoc"; + domain = "berlin.ccc.de"; + nameservers = [ + "2606:4700:4700::1111#one.one.one.one" + "2620:fe::fe#dns.quad9.net" + "1.1.1.1#one.one.one.one" + "9.9.9.9#dns.quad9.net" + ]; + useDHCP = false; + useNetworkd = true; + dhcpcd.enable = false; + nftables.enable = true; + tempAddresses = "disabled"; + firewall = { + enable = true; + 
allowedTCPPorts = [ + 22 # SSH + 80 # HTTP/1 + 443 # HTTP/2 + ]; + allowedUDPPorts = [ + 443 # HTTP/3 + ]; + }; + }; + + time.timeZone = "Europe/Berlin"; + i18n.defaultLocale = "en_GB.UTF-8"; + console.font = "Lat2-Terminus16"; + + services = { + fstrim.enable = false; # Let Proxmox host handle fstrim + openssh.banner = '' + __ __ __ + /\ \ /\ \ /\ \ + \ \ \___ __ \_\ \ __ __ \_\ \ ___ ___ + \ \ _ `\ /'__`\ /'_` \ /'_ `\ /'__`\ /'_` \ / __`\ /'___\ + \ \ \ \ \/\ __//\ \L\ \/\ \L\ \/\ __//\ \L\ \/\ \L\ \/\ \__/ + \ \_\ \_\ \____\ \___,_\ \____ \ \____\ \___,_\ \____/\ \____\ + \/_/\/_/\/____/\/__,_ /\/___L\ \/____/\/__,_ /\/___/ \/____/ + /\____/ + \_/__/ + ''; + # Cache DNS lookups to improve performance + resolved = { + enable = true; + dnssec = "allow-downgrade"; + dnsovertls = "true"; + extraConfig = '' + Cache=true + CacheFromLocalhost=true + ''; + }; + }; + + programs = { + mtr.enable = true; + vim = { + enable = true; + defaultEditor = true; + }; + htop = { + enable = true; + }; + tmux = { + enable = true; + terminal = "screen-256color"; + shortcut = "a"; + newSession = true; + clock24 = true; + }; + ssh.startAgent = true; + }; + + security = { + acme = { + acceptTerms = true; + defaults = { + validMinDays = 14; + renewInterval = "daily"; + email = "acme@xengi.de"; + group = "nginx"; + }; + }; + }; + + system.stateVersion = "25.11"; +} diff --git a/configuration.nix b/hosts/matrix.nix similarity index 77% rename from configuration.nix rename to hosts/matrix.nix index bf26909..46ec9e8 100644 --- a/configuration.nix +++ b/hosts/matrix.nix 
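Review bot: `nix.settings.sandbox = false;` disables the Nix build sandbox host-wide with no explanation, and sits next to `trusted-users = [ "root" "@wheel" ]`, which lets any wheel member hand the daemon arbitrary substituters and store paths; together they mean every build on this box runs unconfined as the build user. If the reason is that an unprivileged Proxmox LXC (`privileged = false`) cannot create the user namespaces the sandbox needs, record it: `sandbox = false; # unprivileged LXC: no userns for the build sandbox — build on a trusted machine and deploy the closure`. Separately, the firewall opens 80/443 TCP and 443 UDP and `security.acme.defaults.group = "nginx"` is set, yet this host's module list in `flake.nix` adds no nginx or hedgedoc service, so these are dead configuration for now; consider leaving the ports closed until the listener module exists. The six root keys include ones labelled 2017 and 2018 — ed25519, so no cryptographic concern, but worth confirming each source machine is still in use before they are copied to a second host.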
@@ -97,32 +97,20 @@ }; time.timeZone = "Europe/Berlin"; - i18n.defaultLocale = "en_US.UTF-8"; + i18n.defaultLocale = "en_GB.UTF-8"; console.font = "Lat2-Terminus16"; services = { fstrim.enable = false; # Let Proxmox host handle fstrim - openssh = { - enable = true; - settings = { - PermitEmptyPasswords = "no"; - PermitRootLogin = "prohibit-password"; - PasswordAuthentication = false; - KbdInteractiveAuthentication = false; - }; - banner = '' - __ __ - /\ \__ __ /\ \ - ___ ___ __ \ \ ,_\ _ __ /\_\ __ _ ___ ___ ___\ \ \____ - /' __` __`\ /'__`\ \ \ \/ /\`'__\/\ \ /\ \/'\ /'___\ /'___\ /'___\ \ '__`\ - /\ \/\ \/\ \/\ \L\.\_\ \ \_\ \ \/ \ \ \\/> Date: Sun, 1 Feb 2026 00:27:19 +0100 Subject: [PATCH 09/10] update flake --- flake.lock | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/flake.lock b/flake.lock index b25cf0b..0025b4a 100644 --- a/flake.lock +++ b/flake.lock @@ -68,11 +68,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1766473571, - "narHash": "sha256-5G1NDO2PulBx1RoaA6U1YoUDX0qZslpPxv+n5GX6Qto=", + "lastModified": 1769598131, + "narHash": "sha256-e7VO/kGLgRMbWtpBqdWl0uFg8Y2XWFMdz0uUJvlML8o=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "76701a179d3a98b07653e2b0409847499b2a07d3", + "rev": "fa83fd837f3098e3e678e6cf017b2b36102c7211", "type": "github" }, "original": { From d7eb597cfcbaea6f644f481b1551c3657f69ddfd Mon Sep 17 00:00:00 2001 From: "Ricardo (XenGi) Band" Date: Sun, 1 Feb 2026 00:28:21 +0100 Subject: [PATCH 10/10] typo --- hosts/matrix.nix | 1 - 1 file changed, 1 deletion(-) diff --git a/hosts/matrix.nix b/hosts/matrix.nix index 46ec9e8..ca2942d 100644 --- a/hosts/matrix.nix +++ b/hosts/matrix.nix @@ -111,7 +111,6 @@ \ \_\ \_\ \_\ \__/.\_\\ \__\\ \_\ \ \_\/\_/\_\ \ \____\ \____\ \____\\ \_,__/ \/_/\/_/\/_/\/__/\/_/ \/__/ \/_/ \/_/\//\/_/ \/____/\/____/\/____/ \/___/ ''; - }; # Cache DNS lookups to improve performance resolved = { enable = true;