Merge branch 'main' of https://git.cyperpunk.de/DerGrumpf/cyper-nix

2026-05-09 11:20:12 +02:00
parent dddb070b69 66c24c9192
commit 56f5c4dc8e
14 changed files with 230 additions and 26 deletions
@@ -18,7 +18,7 @@
    ./regreet.nix
    ./plymouth.nix
    ./audio.nix
-    ./webcam.nix
+    #    ./webcam.nix
    ./virt.nix
    ./catppuccin.nix
  ];
@@ -95,7 +95,7 @@
  // lib.optionalAttrs (!isServer) {
    dconf.enable = true;
    hyprland = {
-      enable = true;
+      enable = false;
      package = inputs.hyprland.packages.${pkgs.stdenv.hostPlatform.system}.hyprland;
    };
    steam.enable = true;
@@ -159,6 +159,7 @@
      "video"
      "audio"
      "libvirtd"
+      "input"
    ];
  };
 }
@@ -1,5 +1,6 @@
 {
  lib,
+  pkgs,
  ...
 }:
 {
@@ -13,7 +14,7 @@
  };

  programs.regreet = {
-    enable = true;
+    enable = false;

    cageArgs = [
      "-s"
@@ -63,4 +64,18 @@
      };
    };
  };
+
+  services.greetd = {
+    enable = true;
+    settings = {
+      default_session = {
+        command = "${pkgs.tuigreet}/bin/tuigreet --cmd start-hyprland";
+        user = "greeter";
+      };
+      initial_session = {
+        command = "Hyprland";
+        user = "phil";
+      };
+    };
+  };
 }
@@ -8,6 +8,7 @@
    ./clients.nix
    ./mjolnir.nix
    ./coturn.nix
+    ./maubot.nix
    ./discord-bridge.nix
    ./whatsapp-bridge.nix
  ];
@@ -1,4 +1,4 @@
-{ config, pkgs, ... }:
+{ config, lib, ... }:
 {
  nixpkgs.config.permittedInsecurePackages = [ "olm-3.2.16" ];

@@ -61,4 +61,5 @@
      };
    };
  };
+  systemd.services.mautrix-discord-registration.serviceConfig.UMask = lib.mkForce "0022";
 }
@@ -0,0 +1,46 @@
+{ config, ... }:
+{
+  services = {
+    maubot = {
+      enable = true;
+      plugins = [ config.services.maubot.package.plugins.weather ];
+      settings = {
+        database = "postgresql:///maubot?host=/run/postgresql";
+        homeservers = {
+          "cyperpunk.de" = {
+            url = "https://matrix.cyperpunk.de";
+          };
+        };
+        admins = {
+          root = "";
+          dergrumpf = "$2b$12$62kYoqsSloK3hco/N/EZUupD/JOjTMMVhUf064cqveBJYXGJJF8Hi";
+        };
+        plugin_directories = {
+          upload = "/var/lib/maubot/plugins";
+          load = [ "/var/lib/maubot/plugins" ];
+          trash = "/var/lib/maubot/trash";
+        };
+      };
+    };
+
+    postgresql = {
+      ensureUsers = [
+        {
+          name = "maubot";
+          ensureDBOwnership = true;
+        }
+      ];
+      ensureDatabases = [ "maubot" ];
+    };
+
+    nginx.virtualHosts."cyperpunk.de".locations."/_matrix/maubot/" = {
+      proxyPass = "http://127.0.0.1:29316";
+      proxyWebsockets = true;
+    };
+  };
+
+  systemd.tmpfiles.rules = [
+    "d /var/lib/maubot/plugins 0750 maubot maubot -"
+    "d /var/lib/maubot/trash 0750 maubot maubot -"
+  ];
+}
@@ -0,0 +1,102 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
+{
+  sops.secrets = {
+    pg_replication_password = {
+      owner = "postgres";
+      group = "postgres";
+    };
+  };
+
+  services.postgresql = {
+    enable = true;
+    package = pkgs.postgresql_15; # must match cyper-proxy's PG version exactly
+
+    settings = {
+      hot_standby = true;
+      hot_standby_feedback = true;
+      max_standby_streaming_delay = "30s";
+      listen_addresses = "127.0.0.1"; # only local, no external exposure
+      wal_receiver_timeout = "60s";
+      recovery_min_apply_delay = "0"; # set e.g. "1h" for a delayed safety replica
+    };
+  };
+
+  # Writes standby.signal and primary_conninfo before PostgreSQL starts.
+  systemd.services.postgresql = {
+    preStart = lib.mkAfter ''
+      DATADIR="${config.services.postgresql.dataDir}"
+      PG_PASS=$(cat ${config.sops.secrets.pg_replication_password.path})
+
+      # Tell Postgres to start as a hot standby
+      if [ ! -f "$DATADIR/standby.signal" ]; then
+        touch "$DATADIR/standby.signal"
+        chown postgres:postgres "$DATADIR/standby.signal"
+      fi
+
+      # primary_conninfo via Tailscale — no public IP involved
+      CONNINFO="host=100.109.10.91 port=5432 user=replicator password=$PG_PASS application_name=cyper-controller sslmode=require"
+
+      grep -v "^primary_conninfo" "$DATADIR/postgresql.auto.conf" 2>/dev/null > /tmp/auto.conf.tmp || true
+      echo "primary_conninfo = '$CONNINFO'" >> /tmp/auto.conf.tmp
+      mv /tmp/auto.conf.tmp "$DATADIR/postgresql.auto.conf"
+      chown postgres:postgres "$DATADIR/postgresql.auto.conf"
+    '';
+  };
+
+  # Run once manually to seed the standby: systemctl start postgresql-basebackup
+  # Do NOT add it to wantedBy — it would wipe the data dir on every reboot.
+  systemd.services.postgresql-basebackup = {
+    description = "Bootstrap PostgreSQL standby via pg_basebackup from cyper-proxy";
+    requires = [
+      "network-online.target"
+      "tailscaled.service"
+    ];
+    after = [
+      "network-online.target"
+      "tailscaled.service"
+    ];
+
+    serviceConfig = {
+      Type = "oneshot";
+      User = "postgres";
+      RemainAfterExit = false;
+    };
+
+    script = ''
+      DATADIR="${config.services.postgresql.dataDir}"
+      PG_PASS=$(cat ${config.sops.secrets.pg_replication_password.path})
+
+      if [ -d "$DATADIR/global" ]; then
+        echo "Data directory already exists — skipping."
+        echo "Remove $DATADIR manually to force a re-initialise."
+        exit 0
+      fi
+
+      echo "Running pg_basebackup from cyper-proxy via Tailscale..."
+      PGPASSWORD="$PG_PASS" ${config.services.postgresql.package}/bin/pg_basebackup \
+        --host=100.109.10.91 \
+        --port=5432 \
+        --username=replicator \
+        --pgdata="$DATADIR" \
+        --wal-method=stream \
+        --write-recovery-conf \
+        --checkpoint=fast \
+        --progress \
+        --verbose
+
+      chown -R postgres:postgres "$DATADIR"
+      chmod 0700 "$DATADIR"
+      echo "Done. Start postgresql.service to begin streaming replication."
+    '';
+  };
+
+  # Block any external access to postgres on the public interface
+  networking.firewall = {
+    interfaces."tailscale0".allowedTCPPorts = [ ]; # replication is outbound only
+  };
+}
@@ -1,6 +1,7 @@
 {
  config,
  pkgs,
+  lib,
  ...
 }:
 let
@@ -33,6 +34,7 @@ in
      owner = "matrix-synapse";
      group = "matrix-synapse";
    };
+    pg_replication_password = { };
  };

  services = {
@@ -144,11 +146,34 @@ in
      enable = true;
      initialScript = pkgs.writeText "synapse-init.sql" ''
        CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';
+        CREATE ROLE replicator WITH REPLICATION LOGIN;
        CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
          TEMPLATE template0
          LC_COLLATE = "C"
          LC_CTYPE = "C";
      '';
+
+      settings = {
+        wal_level = "replica";
+        max_wal_senders = 3;
+        wal_keep_size = "512MB";
+      };
+
+      authentication = lib.mkAfter ''
+        host replication replicator 100.0.0.0/8 scram-sha-256
+      '';
    };
  };
+
+  systemd.services = {
+    matrix-synapse.serviceConfig.ReadOnlyPaths = [
+      "/var/lib/mautrix-discord"
+      "/var/lib/mautrix-whatsapp"
+    ];
+    postgresql.postStart = lib.mkAfter ''
+      PG_PASS=$(cat ${config.sops.secrets.pg_replication_password.path})
+      ${config.services.postgresql.package}/bin/psql -U postgres -c \
+        "ALTER ROLE replicator WITH PASSWORD '$PG_PASS';"
+    '';
+  };
 }