diff --git a/README.md b/README.md index 1169c52..9b23b5f 100644 --- a/README.md +++ b/README.md @@ -1,10 +1,73 @@ +# Operational notes + +## Postgres upgrade + +1. Stop services that use postgres +```bash +systemctl stop matrix-synapse grafana +``` +2. Login as postgres user +```bash +sudo -su postgres +old=16 +cd /var/lib/postgresql/ +pg_old=$(nix-build --no-out-link -A postgresql_${old:?} '') +pg_new=$(nix-build --no-out-link -A postgresql_$((old+1)) '') +``` +3. Initialize new data directory +```bash +$pg_new/bin/initdb --encoding=UTF8 --locale=C $((old+1)) +``` +4. Run check +```bash +$pg_new/bin/pg_upgrade \ + --old-bindir=$pg_old/bin \ + --new-bindir=$pg_new/bin \ + --old-datadir=/var/lib/postgresql/${old:?} \ + --new-datadir=/var/lib/postgresql/$((old+1)) \ + -j16 \ + --clone \ + --check +``` +5. Stop the old Postgres +```bash +systemctl stop postgresql +``` +6. Run the migration +```bash +$pg_new/bin/pg_upgrade \ + --old-bindir=$pg_old/bin \ + --new-bindir=$pg_new/bin \ + --old-datadir=/var/lib/postgresql/${old:?} \ + --new-datadir=/var/lib/postgresql/$((old+1)) \ + -j16 \ + --clone +``` +7. Start the new Postgres +```bash +services.postgres.packages = pkgs.postgresql_17; +nixos-rebuild switch +``` + +Cleanup (after a few days): + +```bash +sudo -su postgres +vacuumdb --all --analyze-in-stages +cd /var/lib/postgresql/ +./delete_old_cluster.sh +rm -v delete_old_cluster.sh +``` + # Tarball ```bash -nix build .#nixosConfigurations.matrix.config.system.build.image +nix build .#nixosConfigurations..config.system.build.image ``` -# HTTP +# Matrix + +## HTTP Configure `berlin.ccc.de` web server to send federation traffic to the matrix server: @@ -24,7 +87,7 @@ server { } ``` -# DNS +## DNS ```dns _matrix-fed._tcp.berlin.ccc.de. IN SRV 10 0 443 matrix.berlin.ccc.de. 
@@ -39,7 +102,7 @@ matrix.berlin.ccc.de. IN SSHFP 4 1 62d10fa57f8a1aa7469cd9b00621e4ce8 matrix.berlin.ccc.de. IN SSHFP 4 2 ca80a6685984da140ac850e4951fa31e70b616e87f62f46437af3bfd215af887 ``` -# Bots +## Bots ```bash register_new_matrix_user \ @@ -49,7 +112,7 @@ register_new_matrix_user \ --password ``` -# Draupnir +## Draupnir Remove rate limit for account: diff --git a/flake.lock b/flake.lock index 811cfc3..0025b4a 100644 --- a/flake.lock +++ b/flake.lock @@ -68,11 +68,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1764677808, - "narHash": "sha256-H3lC7knbXOBrHI9hITQ7modLuX20mYJVhZORL5ioms0=", + "lastModified": 1769598131, + "narHash": "sha256-e7VO/kGLgRMbWtpBqdWl0uFg8Y2XWFMdz0uUJvlML8o=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "1aab89277eb2d87823d5b69bae631a2496cff57a", + "rev": "fa83fd837f3098e3e678e6cf017b2b36102c7211", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index 791a00f..fbc725b 100644 --- a/flake.nix +++ b/flake.nix @@ -1,13 +1,11 @@ { - description = "Matrix server for CCCB"; + description = "CCCB services"; inputs = { nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.11"; #flake-utils.url = "github:numtide/flake-utils"; agenix = { url = "github:ryantm/agenix"; - inputs = { - nixpkgs.follows = "nixpkgs"; - }; + inputs.nixpkgs.follows = "nixpkgs"; }; }; outputs = @@ -73,9 +71,9 @@ draupnir_access_token = { file = ./secrets/draupnir_access_token.age; mode = "440"; - owner = "draupnir"; - group = "draupnir"; - }; + owner = "root"; + group = "root"; + }; grafana_secret_key = { file = ./secrets/grafana_secret_key.age; mode = "440"; @@ -90,7 +88,9 @@ }; }; } - ./configuration.nix + ./hosts/matrix.nix + + ./services/openssh.nix ./services/nginx.nix ./services/postgres.nix 
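Review bot: In the flake.nix hunk `@@ -73,9 +71,9 @@`, `draupnir_access_token` is now decrypted as `root:root` with mode `440`, so a service running under the dedicated `draupnir` user (the previous owner) would no longer be able to open the file; the draupnir unit definition is not in this diff, so I can't tell whether it runs as root or receives the token by some other path. If the new owner is intentional, a comment on the secret such as `# owner root is intentional: consumed by <how the unit reads it — TODO fill in>` would stop the next reader from "restoring" `draupnir`; if it is not, `owner`/`group` should stay `draupnir` so the secret keeps least-privilege ownership. The `- };` / `+ };` pair in the same hunk looks like an indentation-only change.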
@@ -102,6 +102,19 @@
 ./services/grafana.nix
 ];
 };
+ nixosConfigurations."hedgedoc" = nixpkgs.lib.nixosSystem {
+ #system = "x86_64-linux";
+ #pkgs = import nixpkgs { inherit system; };
+ inherit system;
+ modules = [
+ agenix.nixosModules.default
+ { environment.systemPackages = [ (agenix.packages.${system}.default) ]; }
+
+ ./hosts/hedgedoc.nix
+
+ ./services/openssh.nix
+ ];
+ };
 };
 #);
 }
diff --git a/hosts/hedgedoc.nix b/hosts/hedgedoc.nix
new file mode 100644
index 0000000..0f5ed23
--- /dev/null
+++ b/hosts/hedgedoc.nix
@@ -0,0 +1,158 @@
+{
+ config,
+ modulesPath,
+ pkgs,
+ lib,
+ ...
+}:
+
+{
+ imports = [ (modulesPath + "/virtualisation/proxmox-lxc.nix") ];
+
+ systemd.suppressedSystemUnits = [
+ "dev-mqueue.mount"
+ "sys-kernel-debug.mount"
+ "sys-fs-fuse-connections.mount"
+ ];
+
+ nix = {
+ optimise = {
+ automatic = true;
+ dates = [ "11:00" ];
+ };
+ settings = {
+ auto-optimise-store = true;
+ sandbox = false;
+ # Allow remote updates
+ trusted-users = [
+ "root"
+ "@wheel"
+ ];
+ experimental-features = [
+ "nix-command"
+ "flakes"
+ ];
+ };
+ gc = {
+ automatic = true;
+ options = "--delete-older-than 14d";
+ };
+ };
+
+ nixpkgs.hostPlatform = "x86_64-linux";
+
+ environment.systemPackages = with pkgs; [
+ vim
+ git
+ ];
+
+ proxmoxLXC = {
+ manageNetwork = false;
+ manageHostName = false;
+ privileged = false;
+ };
+
+ users.users.root = {
+ packages = with pkgs; [
+ kitty # for terminfo
+ fastfetch # for shits and giggles
+ ];
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICW1+Ml8R9x1LCJaZ8bIZ1qIV4HCuZ6x7DziFW+0Nn5T xengi@kanae_2022-12-09"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICmb+mJfo84IagUaRoDEqY9ROjjQUOQ7tMclpN6NDPrX xengi@kota_2022-01-16"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICyklb7dvEHH0VBEMmTUQFKHN6ekBQqkDKj09+EilUIQ xengi@lucy_2018-09-08"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICjv9W8WXq9QGkgmANNPQR24/I1Pm1ghxNIHftEI+jlZ xengi@mayu_2021-06-11"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGhyfD+8jMl6FDSADb11sfAsJk0KNoVzjjiDRZjUOtmf xengi@nana_2019-08-16"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMPtGqhV7io3mhIoZho4Yf7eCo0sUZvjT2NziM2PkXSo xengi@nyu_2017-10-11"
+ ];
+ };
+
+ networking = {
+ hostName = "hedgedoc";
+ domain = "berlin.ccc.de";
+ nameservers = [
+ "2606:4700:4700::1111#one.one.one.one"
+ "2620:fe::fe#dns.quad9.net"
+ "1.1.1.1#one.one.one.one"
+ "9.9.9.9#dns.quad9.net"
+ ];
+ useDHCP = false;
+ useNetworkd = true;
+ dhcpcd.enable = false;
+ nftables.enable = true;
+ tempAddresses = "disabled";
+ firewall = {
+ enable = true;
+ allowedTCPPorts = [
+ 22 # SSH
+ 80 # HTTP/1
+ 443 # HTTP/2
+ ];
+ allowedUDPPorts = [
+ 443 # HTTP/3
+ ];
+ };
+ };
+
+ time.timeZone = "Europe/Berlin";
+ i18n.defaultLocale = "en_GB.UTF-8";
+ console.font = "Lat2-Terminus16";
+
+ services = {
+ fstrim.enable = false; # Let Proxmox host handle fstrim
+ openssh.banner = ''
+ __ __ __
+ /\ \ /\ \ /\ \
+ \ \ \___ __ \_\ \ __ __ \_\ \ ___ ___
+ \ \ _ `\ /'__`\ /'_` \ /'_ `\ /'__`\ /'_` \ / __`\ /'___\
+ \ \ \ \ \/\ __//\ \L\ \/\ \L\ \/\ __//\ \L\ \/\ \L\ \/\ \__/
+ \ \_\ \_\ \____\ \___,_\ \____ \ \____\ \___,_\ \____/\ \____\
+ \/_/\/_/\/____/\/__,_ /\/___L\ \/____/\/__,_ /\/___/ \/____/
+ /\____/
+ \_/__/
+ '';
+ # Cache DNS lookups to improve performance
+ resolved = {
+ enable = true;
+ dnssec = "allow-downgrade";
+ dnsovertls = "true";
+ extraConfig = ''
+ Cache=true
+ CacheFromLocalhost=true
+ '';
+ };
+ };
+
+ programs = {
+ mtr.enable = true;
+ vim = {
+ enable = true;
+ defaultEditor = true;
+ };
+ htop = {
+ enable = true;
+ };
+ tmux = {
+ enable = true;
+ terminal = "screen-256color";
+ shortcut = "a";
+ newSession = true;
+ clock24 = true;
+ };
+ ssh.startAgent = true;
+ };
+
+ security = {
+ acme = {
+ acceptTerms = true;
+ defaults = {
+ validMinDays = 14;
+ renewInterval = "daily";
+ email = "acme@xengi.de";
+ group = "nginx";
+ };
+ };
+ };
+
+ system.stateVersion = "25.11";
+}
diff --git a/configuration.nix b/hosts/matrix.nix
similarity index 75%
rename from configuration.nix
rename to hosts/matrix.nix
index 0f7677a..ca2942d 100644
--- a/configuration.nix
+++ b/hosts/matrix.nix
@@ -74,6 +76,8 @@
 nameservers = [
 "2606:4700:4700::1111#one.one.one.one"
 "2620:fe::fe#dns.quad9.net"
+ "1.1.1.1#one.one.one.one"
+ "9.9.9.9#dns.quad9.net"
 ];
 useDHCP = false;
 useNetworkd = true;
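Review bot: In hosts/hedgedoc.nix, `sandbox = false;` under `nix.settings` switches off the Nix build sandbox for every build on this host, so derivations run as the build users with unrestricted filesystem and network visibility, and `trusted-users = [ "root" "@wheel" ]` lets every wheel member drive that daemon with their own settings and substituters; the only comment nearby ("Allow remote updates") explains the trusted-users line, not the sandbox one. If the sandbox is off because this is an unprivileged LXC (`proxmoxLXC.privileged = false`) that cannot provide the namespaces it needs, say so next to the setting, e.g. `sandbox = false; # unprivileged LXC: sandbox namespaces unavailable — TODO confirm`, otherwise it should go back to the default. The firewall block opens TCP 80/443 and UDP 443 and `security.acme.defaults.group = "nginx"` is set, but no nginx or hedgedoc service is declared anywhere in this file; if those modules arrive in a later commit, opening the ports alongside the listener in that module would keep exposure and service together instead of leaving ports open on a host with nothing behind them. The sshd settings this commit removes from configuration.nix (`PermitRootLogin`, `PasswordAuthentication`, `KbdInteractiveAuthentication`) now have to come from `./services/openssh.nix`, which is not part of this diff, so I cannot confirm that root's six authorized keys are the only way into this host.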
@@ -95,40 +97,23 @@ }; time.timeZone = "Europe/Berlin"; - i18n.defaultLocale = "en_US.UTF-8"; + i18n.defaultLocale = "en_GB.UTF-8"; console.font = "Lat2-Terminus16"; services = { fstrim.enable = false; # Let Proxmox host handle fstrim - openssh = { - enable = true; - settings = { - PermitEmptyPasswords = "no"; - PermitRootLogin = "prohibit-password"; - PasswordAuthentication = false; - KbdInteractiveAuthentication = false; - }; - banner = '' - __ __ - /\ \__ __ /\ \ - ___ ___ __ \ \ ,_\ _ __ /\_\ __ _ ___ ___ ___\ \ \____ - /' __` __`\ /'__`\ \ \ \/ /\`'__\/\ \ /\ \/'\ /'___\ /'___\ /'___\ \ '__`\ - /\ \/\ \/\ \/\ \L\.\_\ \ \_\ \ \/ \ \ \\/>