typo

README.md

@@ -1,10 +1,73 @@
+# Operational notes
+
+## Postgres upgrade
+
+1. Stop services that use postgres
+```bash
+systemctl stop matrix-synapse grafana
+```
+2. Login as postgres user
+```bash
+sudo -su postgres
+old=16
+cd /var/lib/postgresql/
+pg_old=$(nix-build --no-out-link -A postgresql_${old:?} '<nixpkgs>')
+pg_new=$(nix-build --no-out-link -A postgresql_$((old+1)) '<nixpkgs>')
+```
+3. Initialize new data directory
+```bash
+$pg_new/bin/initdb --encoding=UTF8 --locale=C $((old+1))
+```
+4. Run check
+```bash
+$pg_new/bin/pg_upgrade \
+	--old-bindir=$pg_old/bin \
+	--new-bindir=$pg_new/bin \
+	--old-datadir=/var/lib/postgresql/${old:?} \
+	--new-datadir=/var/lib/postgresql/$((old+1)) \
+	-j16 \
+	--clone \
+	--check
+```
+5. Stop the old Postgres
+```bash
+systemctl stop postgresql
+```
+6. Run the migration
+```bash
+$pg_new/bin/pg_upgrade \
+	--old-bindir=$pg_old/bin \
+	--new-bindir=$pg_new/bin \
+	--old-datadir=/var/lib/postgresql/${old:?} \
+	--new-datadir=/var/lib/postgresql/$((old+1)) \
+	-j16 \
+	--clone
+```
+7. Start the new Postgres
+```bash
+services.postgres.packages = pkgs.postgresql_17;
+nixos-rebuild switch
+```
+
+Cleanup (after a few days):
+
+```bash
+sudo -su postgres
+vacuumdb --all --analyze-in-stages
+cd /var/lib/postgresql/
+./delete_old_cluster.sh
+rm -v delete_old_cluster.sh
+```
+
 # Tarball
 
 ```bash
-nix build .#nixosConfigurations.matrix.config.system.build.image
+nix build .#nixosConfigurations.<hostname>.config.system.build.image
 ```
 
-# HTTP
+# Matrix
+
+## HTTP
 
 Configure `berlin.ccc.de` web server to send federation traffic to the matrix server:
 
@@ -24,7 +87,7 @@ server {
 }
 ```
 
-# DNS
+## DNS
 
 ```dns
 _matrix-fed._tcp.berlin.ccc.de.  IN SRV    10 0 443 matrix.berlin.ccc.de.
@@ -39,7 +102,7 @@ matrix.berlin.ccc.de.            IN SSHFP  4 1 62d10fa57f8a1aa7469cd9b00621e4ce8
 matrix.berlin.ccc.de.            IN SSHFP  4 2 ca80a6685984da140ac850e4951fa31e70b616e87f62f46437af3bfd215af887
 ```
 
-# Bots
+## Bots
 
 ```bash
 register_new_matrix_user \
@@ -49,7 +112,7 @@ register_new_matrix_user \
     --password <YOUR_PASSWORD>
 ```
 
-# Draupnir
+## Draupnir
 
 Remove rate limit for account:
 

flake.lock

@@ -68,11 +68,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1764677808,
+        "lastModified": 1769598131,
-        "narHash": "sha256-H3lC7knbXOBrHI9hITQ7modLuX20mYJVhZORL5ioms0=",
+        "narHash": "sha256-e7VO/kGLgRMbWtpBqdWl0uFg8Y2XWFMdz0uUJvlML8o=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "1aab89277eb2d87823d5b69bae631a2496cff57a",
+        "rev": "fa83fd837f3098e3e678e6cf017b2b36102c7211",
         "type": "github"
       },
       "original": {

flake.nix

@@ -1,13 +1,11 @@
 {
-  description = "Matrix server for CCCB";
+  description = "CCCB services";
   inputs = {
     nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.11";
     #flake-utils.url = "github:numtide/flake-utils";
     agenix = {
       url = "github:ryantm/agenix";
-      inputs = {
+      inputs.nixpkgs.follows = "nixpkgs";
-        nixpkgs.follows = "nixpkgs";
-      };
     };
   };
   outputs =
@@ -73,8 +71,8 @@
               draupnir_access_token = {
                 file = ./secrets/draupnir_access_token.age;
                 mode = "440";
-                owner = "draupnir";
+                owner = "root";
-                group = "draupnir";
+                group = "root";
               };
               grafana_secret_key = {
                 file = ./secrets/grafana_secret_key.age;
@@ -90,7 +88,9 @@
               };
             };
           }
-          ./configuration.nix
+          ./hosts/matrix.nix
+
+          ./services/openssh.nix
 
           ./services/nginx.nix
           ./services/postgres.nix
@@ -102,6 +102,19 @@
           ./services/grafana.nix
         ];
       };
+      nixosConfigurations."hedgedoc" = nixpkgs.lib.nixosSystem {
+        #system = "x86_64-linux";
+        #pkgs = import nixpkgs { inherit system; };
+        inherit system;
+        modules = [
+          agenix.nixosModules.default
+          { environment.systemPackages = [ (agenix.packages.${system}.default) ]; }
+
+          ./hosts/hedgedoc.nix
+
+          ./services/openssh.nix
+        ];
+      };
     };
   #);
 }

hosts/hedgedoc.nix

@@ -0,0 +1,158 @@
+{
+  config,
+  modulesPath,
+  pkgs,
+  lib,
+  ...
+}:
+
+{
+  imports = [ (modulesPath + "/virtualisation/proxmox-lxc.nix") ];
+
+  systemd.suppressedSystemUnits = [
+    "dev-mqueue.mount"
+    "sys-kernel-debug.mount"
+    "sys-fs-fuse-connections.mount"
+  ];
+
+  nix = {
+    optimise = {
+      automatic = true;
+      dates = [ "11:00" ];
+    };
+    settings = {
+      auto-optimise-store = true;
+      sandbox = false;
+      # Allow remote updates
+      trusted-users = [
+        "root"
+        "@wheel"
+      ];
+      experimental-features = [
+        "nix-command"
+        "flakes"
+      ];
+    };
+    gc = {
+      automatic = true;
+      options = "--delete-older-than 14d";
+    };
+  };
+
+  nixpkgs.hostPlatform = "x86_64-linux";
+
+  environment.systemPackages = with pkgs; [
+    vim
+    git
+  ];
+
+  proxmoxLXC = {
+    manageNetwork = false;
+    manageHostName = false;
+    privileged = false;
+  };
+
+  users.users.root = {
+    packages = with pkgs; [
+      kitty # for terminfo
+      fastfetch # for shits and giggles
+    ];
+    openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICW1+Ml8R9x1LCJaZ8bIZ1qIV4HCuZ6x7DziFW+0Nn5T xengi@kanae_2022-12-09"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICmb+mJfo84IagUaRoDEqY9ROjjQUOQ7tMclpN6NDPrX xengi@kota_2022-01-16"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICyklb7dvEHH0VBEMmTUQFKHN6ekBQqkDKj09+EilUIQ xengi@lucy_2018-09-08"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICjv9W8WXq9QGkgmANNPQR24/I1Pm1ghxNIHftEI+jlZ xengi@mayu_2021-06-11"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGhyfD+8jMl6FDSADb11sfAsJk0KNoVzjjiDRZjUOtmf xengi@nana_2019-08-16"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMPtGqhV7io3mhIoZho4Yf7eCo0sUZvjT2NziM2PkXSo xengi@nyu_2017-10-11"
+    ];
+  };
+
+  networking = {
+    hostName = "hedgedoc";
+    domain = "berlin.ccc.de";
+    nameservers = [
+      "2606:4700:4700::1111#one.one.one.one"
+      "2620:fe::fe#dns.quad9.net"
+      "1.1.1.1#one.one.one.one"
+      "9.9.9.9#dns.quad9.net"
+    ];
+    useDHCP = false;
+    useNetworkd = true;
+    dhcpcd.enable = false;
+    nftables.enable = true;
+    tempAddresses = "disabled";
+    firewall = {
+      enable = true;
+      allowedTCPPorts = [
+        22 # SSH
+        80 # HTTP/1
+        443 # HTTP/2
+      ];
+      allowedUDPPorts = [
+        443 # HTTP/3
+      ];
+    };
+  };
+
+  time.timeZone = "Europe/Berlin";
+  i18n.defaultLocale = "en_GB.UTF-8";
+  console.font = "Lat2-Terminus16";
+
+  services = {
+    fstrim.enable = false; # Let Proxmox host handle fstrim
+    openssh.banner = ''
+       __                 __                     __
+      /\ \               /\ \                   /\ \
+      \ \ \___      __   \_\ \     __      __   \_\ \    ___     ___
+       \ \  _ `\  /'__`\ /'_` \  /'_ `\  /'__`\ /'_` \  / __`\  /'___\
+        \ \ \ \ \/\  __//\ \L\ \/\ \L\ \/\  __//\ \L\ \/\ \L\ \/\ \__/
+         \ \_\ \_\ \____\ \___,_\ \____ \ \____\ \___,_\ \____/\ \____\
+          \/_/\/_/\/____/\/__,_ /\/___L\ \/____/\/__,_ /\/___/  \/____/
+                                   /\____/
+                                   \_/__/
+    '';
+    # Cache DNS lookups to improve performance
+    resolved = {
+      enable = true;
+      dnssec = "allow-downgrade";
+      dnsovertls = "true";
+      extraConfig = ''
+        Cache=true
+        CacheFromLocalhost=true
+      '';
+    };
+  };
+
+  programs = {
+    mtr.enable = true;
+    vim = {
+      enable = true;
+      defaultEditor = true;
+    };
+    htop = {
+      enable = true;
+    };
+    tmux = {
+      enable = true;
+      terminal = "screen-256color";
+      shortcut = "a";
+      newSession = true;
+      clock24 = true;
+    };
+    ssh.startAgent = true;
+  };
+
+  security = {
+    acme = {
+      acceptTerms = true;
+      defaults = {
+        validMinDays = 14;
+        renewInterval = "daily";
+        email = "acme@xengi.de";
+        group = "nginx";
+      };
+    };
+  };
+
+  system.stateVersion = "25.11";
+}

hosts/matrix.nix

@@ -74,6 +74,8 @@
     nameservers = [
       "2606:4700:4700::1111#one.one.one.one"
       "2620:fe::fe#dns.quad9.net"
+      "1.1.1.1#one.one.one.one"
+      "9.9.9.9#dns.quad9.net"
     ];
     useDHCP = false;
     useNetworkd = true;
@@ -95,20 +97,12 @@
   };
 
   time.timeZone = "Europe/Berlin";
-  i18n.defaultLocale = "en_US.UTF-8";
+  i18n.defaultLocale = "en_GB.UTF-8";
   console.font = "Lat2-Terminus16";
 
   services = {
     fstrim.enable = false; # Let Proxmox host handle fstrim
-    openssh = {
+    openssh.banner = ''
-      enable = true;
-      settings = {
-        PermitEmptyPasswords = "no";
-        PermitRootLogin = "prohibit-password";
-        PasswordAuthentication = false;
-        KbdInteractiveAuthentication = false;
-      };
-      banner = ''
                           __                                               __
                          /\ \__         __                                /\ \
         ___ ___      __  \ \ ,_\  _ __ /\_\   __  _      ___    ___    ___\ \ \____
@@ -117,18 +111,9 @@
       \ \_\ \_\ \_\ \__/.\_\\ \__\\ \_\  \ \_\/\_/\_\  \ \____\ \____\ \____\\ \_,__/
        \/_/\/_/\/_/\/__/\/_/ \/__/ \/_/   \/_/\//\/_/   \/____/\/____/\/____/ \/___/
     '';
-    };
-    sshguard = {
-      enable = true;
-      services = [ "sshd" ];
-    };
     # Cache DNS lookups to improve performance
     resolved = {
       enable = true;
-      fallbackDns = [
-        "1.1.1.1#one.one.one.one"
-        "9.9.9.9#dns.quad9.net"
-      ];
       dnssec = "allow-downgrade";
       dnsovertls = "true";
       extraConfig = ''
@@ -139,6 +124,7 @@
   };
 
   programs = {
+    mtr.enable = true;
     vim = {
       enable = true;
       defaultEditor = true;

services/openssh.nix

@@ -0,0 +1,19 @@
+{ ... }:
+
+{
+  services = {
+    openssh = {
+      enable = true;
+      settings = {
+        PermitEmptyPasswords = "no";
+        PermitRootLogin = "prohibit-password";
+        PasswordAuthentication = false;
+        KbdInteractiveAuthentication = false;
+      };
+    };
+    sshguard = {
+      enable = true;
+      services = [ "sshd" ];
+    };
+  };
+}

services/postgres.nix

@@ -1,10 +1,10 @@
-{ ... }:
+{ pkgs, ... }:
 
 {
   services = {
     postgresql = {
       enable = true;
-      #package = pkgs.postgresql_18;
+      package = pkgs.postgresql_16;
       enableJIT = true;
       initdbArgs = [
         "--locale=C"