DerGrumpf/cyper-nix
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge branch 'main' of https://git.cyperpunk.de/DerGrumpf/cyper-nix

Browse Source
This commit is contained in:
DerGrumpf
2026-05-09 11:20:12 +02:00
parent dddb070b69 66c24c9192
commit 56f5c4dc8e
14 changed files with 230 additions and 26 deletions
Download Patch File Download Diff File Expand all files Collapse all files
nixos/roles/matrix/default.nix
+1
View File
@@ -8,6 +8,7 @@
./clients.nix
./mjolnir.nix
./coturn.nix
./maubot.nix
./discord-bridge.nix
./whatsapp-bridge.nix
];
nixos/roles/matrix/discord-bridge.nix
+2 -1
View File
@@ -1,4 +1,4 @@
{ config, pkgs, ... }:
{ config, lib, ... }:
{
nixpkgs.config.permittedInsecurePackages = [ "olm-3.2.16" ];
@@ -61,4 +61,5 @@
};
};
};
systemd.services.mautrix-discord-registration.serviceConfig.UMask = lib.mkForce "0022";
}
nixos/roles/matrix/maubot.nix
+46
View File
@@ -0,0 +1,46 @@
{ config, ... }:
{
services = {
maubot = {
enable = true;
plugins = [ config.services.maubot.package.plugins.weather ];
settings = {
database = "postgresql:///maubot?host=/run/postgresql";
homeservers = {
"cyperpunk.de" = {
url = "https://matrix.cyperpunk.de";
};
};
admins = {
root = "";
dergrumpf = "$2b$12$62kYoqsSloK3hco/N/EZUupD/JOjTMMVhUf064cqveBJYXGJJF8Hi";
};
plugin_directories = {
upload = "/var/lib/maubot/plugins";
load = [ "/var/lib/maubot/plugins" ];
trash = "/var/lib/maubot/trash";
};
};
};
postgresql = {
ensureUsers = [
{
name = "maubot";
ensureDBOwnership = true;
}
];
ensureDatabases = [ "maubot" ];
};
nginx.virtualHosts."cyperpunk.de".locations."/_matrix/maubot/" = {
proxyPass = "http://127.0.0.1:29316";
proxyWebsockets = true;
};
};
systemd.tmpfiles.rules = [
"d /var/lib/maubot/plugins 0750 maubot maubot -"
"d /var/lib/maubot/trash 0750 maubot maubot -"
];
}
nixos/roles/matrix/postgres-backup.nix
+102
View File
@@ -0,0 +1,102 @@
{
config,
pkgs,
lib,
...
}:
{
sops.secrets = {
pg_replication_password = {
owner = "postgres";
group = "postgres";
};
};
services.postgresql = {
enable = true;
package = pkgs.postgresql_15; # must match cyper-proxy's PG version exactly
settings = {
hot_standby = true;
hot_standby_feedback = true;
max_standby_streaming_delay = "30s";
listen_addresses = "127.0.0.1"; # only local, no external exposure
wal_receiver_timeout = "60s";
recovery_min_apply_delay = "0"; # set e.g. "1h" for a delayed safety replica
};
};
# Writes standby.signal and primary_conninfo before PostgreSQL starts.
systemd.services.postgresql = {
preStart = lib.mkAfter ''
DATADIR="${config.services.postgresql.dataDir}"
PG_PASS=$(cat ${config.sops.secrets.pg_replication_password.path})
# Tell Postgres to start as a hot standby
if [ ! -f "$DATADIR/standby.signal" ]; then
touch "$DATADIR/standby.signal"
chown postgres:postgres "$DATADIR/standby.signal"
fi
# primary_conninfo via Tailscale no public IP involved
CONNINFO="host=100.109.10.91 port=5432 user=replicator password=$PG_PASS application_name=cyper-controller sslmode=require"
grep -v "^primary_conninfo" "$DATADIR/postgresql.auto.conf" 2>/dev/null > /tmp/auto.conf.tmp || true
echo "primary_conninfo = '$CONNINFO'" >> /tmp/auto.conf.tmp
mv /tmp/auto.conf.tmp "$DATADIR/postgresql.auto.conf"
chown postgres:postgres "$DATADIR/postgresql.auto.conf"
'';
};
# Run once manually to seed the standby: systemctl start postgresql-basebackup
# Do NOT add it to wantedBy — it would wipe the data dir on every reboot.
systemd.services.postgresql-basebackup = {
description = "Bootstrap PostgreSQL standby via pg_basebackup from cyper-proxy";
requires = [
"network-online.target"
"tailscaled.service"
];
after = [
"network-online.target"
"tailscaled.service"
];
serviceConfig = {
Type = "oneshot";
User = "postgres";
RemainAfterExit = false;
};
script = ''
DATADIR="${config.services.postgresql.dataDir}"
PG_PASS=$(cat ${config.sops.secrets.pg_replication_password.path})
if [ -d "$DATADIR/global" ]; then
echo "Data directory already exists skipping."
echo "Remove $DATADIR manually to force a re-initialise."
exit 0
fi
echo "Running pg_basebackup from cyper-proxy via Tailscale..."
PGPASSWORD="$PG_PASS" ${config.services.postgresql.package}/bin/pg_basebackup \
--host=100.109.10.91 \
--port=5432 \
--username=replicator \
--pgdata="$DATADIR" \
--wal-method=stream \
--write-recovery-conf \
--checkpoint=fast \
--progress \
--verbose
chown -R postgres:postgres "$DATADIR"
chmod 0700 "$DATADIR"
echo "Done. Start postgresql.service to begin streaming replication."
'';
};
# Block any external access to postgres on the public interface
networking.firewall = {
interfaces."tailscale0".allowedTCPPorts = [ ]; # replication is outbound only
};
}
nixos/roles/matrix/synapse.nix
+25
View File
@@ -1,6 +1,7 @@
{
config,
pkgs,
lib,
...
}:
let
@@ -33,6 +34,7 @@ in
owner = "matrix-synapse";
group = "matrix-synapse";
};
pg_replication_password = { };
};
services = {
@@ -144,11 +146,34 @@ in
enable = true;
initialScript = pkgs.writeText "synapse-init.sql" ''
CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';
CREATE ROLE replicator WITH REPLICATION LOGIN;
CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
TEMPLATE template0
LC_COLLATE = "C"
LC_CTYPE = "C";
'';
settings = {
wal_level = "replica";
max_wal_senders = 3;
wal_keep_size = "512MB";
};
authentication = lib.mkAfter ''
host replication replicator 100.0.0.0/8 scram-sha-256
'';
};
};
systemd.services = {
matrix-synapse.serviceConfig.ReadOnlyPaths = [
"/var/lib/mautrix-discord"
"/var/lib/mautrix-whatsapp"
];
postgresql.postStart = lib.mkAfter ''
PG_PASS=$(cat ${config.sops.secrets.pg_replication_password.path})
${config.services.postgresql.package}/bin/psql -U postgres -c \
"ALTER ROLE replicator WITH PASSWORD '$PG_PASS';"
'';
};
}