From 07ee692df8447af412b8fbc20374abd294c5b325 Mon Sep 17 00:00:00 2001 From: Kat Inskip Date: Fri, 5 Jul 2024 12:28:09 -0700 Subject: [PATCH] feat: add improved alerting for various things --- .sops.yaml | 12 +++ flake.lock | 108 ++++++++++---------- home/profiles/shell/zsh.nix | 2 +- nixos/common/access.nix | 2 +- nixos/common/login-notify.nix | 32 ++++++ nixos/common/secrets.yaml | 96 ++++++++++++++++++ nixos/profiles/gaming/lutris.nix | 1 - nixos/profiles/server/nix.nix | 53 +++++++++- nixos/profiles/server/secrets.yaml | 97 +++++++++++------- packages/synapse-cleanup/cleanup.sh | 146 ++++++++++++++++++++-------- systems/default.nix | 2 +- 11 files changed, 414 insertions(+), 137 deletions(-) create mode 100644 nixos/common/login-notify.nix create mode 100644 nixos/common/secrets.yaml diff --git a/.sops.yaml b/.sops.yaml index 865b9f50..07100dec 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -5,6 +5,9 @@ keys: - &yukari_kat age1cnu37d5fqyahh9vvc4hj6z6k8ur9ksuefln7sr6g3emmn927eutqxdawuh - &koishi age1nr0qds8w3gldmdvhwu0p6w2ys8f4sd0h3xy94h9dsafjzttaypxquzmswc - &koishi_kat age18hpxz0ghvswv9k30cle73prvnzrsuczqh87jjdk9fl50j3ddndmq9xae0n +- &mei age1xgy03g3vjydsxcl0qpdgm8rahjcjq95ucxfwlgr22zwjx3p7jf2s9jk6u5 +- &mai age1fv5dafs4n3r5n83qm2hfz7xmnflsz0xf9r3saralrptpgf8mvuxq4t8k3u +- &daiyousei age120530yclr75k6nrzp6k5jjftj8j4q9v3533guupzk4ct86mjxszqg9e5t5 creation_rules: - path_regex: tf/terraform.tfvars.sops$ shamir_threshold: 1 @@ -21,6 +24,15 @@ creation_rules: - *yukari_kat - *koishi - *koishi_kat + - *mei + - *mai + - *daiyousei +- path_regex: nixos/[^/]+/.*\.yaml + shamir_threshold: 1 + key_groups: + - pgp: + - *kat + age: *age_common - path_regex: nixos/servers/[^/]+/.*\.yaml shamir_threshold: 1 key_groups: diff --git a/flake.lock b/flake.lock index 847d80c4..2f74946f 100644 --- a/flake.lock +++ b/flake.lock 
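Review bot: The new rule `path_regex: nixos/[^/]+/.*\.yaml` in the second .sops.yaml hunk sits above the existing `nixos/servers/[^/]+/.*\.yaml` rule, and sops uses the first creation rule whose regex matches. Because `[^/]+` matches `servers` and `.*` matches the rest of the path, new files under `nixos/servers/<host>/` now fall under the broader rule and are encrypted to `*age_common` rather than to the server rule's recipients. The server rule's key groups are outside the hunk, so if it is meant to be narrower, move the new rule below it so the more specific pattern is tried first. It is also worth confirming that every host behind `*mei`, `*mai` and `*daiyousei` should be able to decrypt everything the extended rule covers.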
@@ -3,11 +3,11 @@ "arcexprs": { "flake": false, "locked": { - "lastModified": 1717919469, - "narHash": "sha256-Pgco19bs3bMJiVG0HL8nXVFsMijdHIRnnUO8WmdhIVk=", + "lastModified": 1719854708, + "narHash": "sha256-EUjNXcLW6cN0UY89kkfncC/cVO0CY6qIUfKmlse/gLg=", "owner": "arcnmx", "repo": "nixexprs", - "rev": "625cc299098ac8cea904f2777d0cdf9a191b9e7d", + "rev": "5165118a5c43addcaace24579f0e62f5d1a792a7", "type": "github" }, "original": { @@ -129,11 +129,11 @@ ] }, "locked": { - "lastModified": 1718440858, - "narHash": "sha256-iMVwdob8F6P6Ib+pnhMZqyvYI10ZxmvA885jjnEaO54=", + "lastModified": 1719845423, + "narHash": "sha256-ZLHDmWAsHQQKnmfyhYSHJDlt8Wfjv6SQhl2qek42O7A=", "owner": "lnl7", "repo": "nix-darwin", - "rev": "58b905ea87674592aa84c37873e6c07bc3807aba", + "rev": "ec12b88104d6c117871fad55e931addac4626756", "type": "github" }, "original": { @@ -308,11 +308,11 @@ ] }, "locked": { - "lastModified": 1718526747, - "narHash": "sha256-sKrD/utGvmtQALvuDj4j0CT3AJXP1idOAq2p+27TpeE=", + "lastModified": 1719992360, + "narHash": "sha256-SRq0ZRkqagqpMGVf4z9q9CIWRbPYjO7FTqSJyWh7nes=", "owner": "nix-community", "repo": "home-manager", - "rev": "0a7ffb28e5df5844d0e8039c9833d7075cdee792", + "rev": "36e2f9da91ce8b63a549a47688ae60d47c50de4b", "type": "github" }, "original": { @@ -338,11 +338,11 @@ ] }, "locked": { - "lastModified": 1718368322, - "narHash": "sha256-VfMg3RsnRLQzbq0hFIh1dCM09b5C/F/qPFUOgU/CRi0=", + "lastModified": 1718450675, + "narHash": "sha256-jpsns6buS4bK+1sF8sL8AaixAiCRjA+nldTKvcwmvUs=", "owner": "hyprwm", "repo": "hyprcursor", - "rev": "dd3a853c8239d1c3f3f37de7d2b8ae4b4f3840df", + "rev": "66d5b46ff94efbfa6fa3d1d1b66735f1779c34a6", "type": "github" }, "original": { 
@@ -370,11 +370,11 @@ ] }, "locked": { - "lastModified": 1718566457, - "narHash": "sha256-IIUhBjiDa0TjvEJb1WTJ9TM8PTGJjl+sOWfSdZKIJNA=", + "lastModified": 1719949580, + "narHash": "sha256-Ht6ZUjQ6HO9vllB0CxeGgLYUzZCw9Q/2Aaq21Og+3hM=", "owner": "hyprwm", "repo": "Hyprland", - "rev": "b15be9c77de593581007de53b2bbca97d121900a", + "rev": "8bb75a223db3ea9471d05d74fbed3328334a9f78", "type": "github" }, "original": { @@ -393,11 +393,11 @@ ] }, "locked": { - "lastModified": 1714869498, - "narHash": "sha256-vbLVOWvQqo4n1yvkg/Q70VTlPbMmTiCQfNTgcWDCfJM=", + "lastModified": 1718746314, + "narHash": "sha256-HUklK5u86w2Yh9dOkk4FdsL8eehcOZ95jPhLixGDRQY=", "owner": "hyprwm", "repo": "hyprland-protocols", - "rev": "e06482e0e611130cd1929f75e8c1cf679e57d161", + "rev": "1b61f0093afff20ab44d88ad707aed8bf2215290", "type": "github" }, "original": { @@ -444,11 +444,11 @@ ] }, "locked": { - "lastModified": 1717883389, - "narHash": "sha256-2A4Q56JFd3t9j3Xpa0kxw2fjv8nNqgNBOA34rRcLA8I=", + "lastModified": 1719873906, + "narHash": "sha256-0dy2hT1Q4PaFah8QxJkOfXGLuG7Ehq5Hi5pNhOpXd/A=", "owner": "hyprwm", "repo": "hyprlock", - "rev": "c5b8ad03d03ddbd2b0ff8615c2f6dba31374b6a8", + "rev": "88b9ce48ed0c561c44c3a09cd6cef0e1bebaf59f", "type": "github" }, "original": { @@ -493,11 +493,11 @@ ] }, "locked": { - "lastModified": 1718271409, - "narHash": "sha256-8KvVqtApNt4FWTdn1TqVvw00rpqyG9UuUPA2ilPVD1U=", + "lastModified": 1719316102, + "narHash": "sha256-dmRz128j/lJmMuTYeCYPfSBRHHQO3VeH4PbmoyAhHzw=", "owner": "hyprwm", "repo": "hyprutils", - "rev": "8e10e0626fb26a14b859b3811b6ed7932400c86e", + "rev": "1f6bbec5954f623ff8d68e567bddcce97cd2f085", "type": "github" }, "original": { 
@@ -568,11 +568,11 @@ ] }, "locked": { - "lastModified": 1718119275, - "narHash": "sha256-nqDYXATNkyGXVmNMkT19fT4sjtSPBDS1LLOxa3Fueo4=", + "lastModified": 1719067853, + "narHash": "sha256-mAnZG/eQy72Fp1ImGtqCgUrDumnR1rMZv2E/zgP4U74=", "owner": "hyprwm", "repo": "hyprwayland-scanner", - "rev": "1419520d5f7f38d35e05504da5c1b38212a38525", + "rev": "914f083741e694092ee60a39d31f693d0a6dc734", "type": "github" }, "original": { @@ -674,11 +674,11 @@ ] }, "locked": { - "lastModified": 1718328291, - "narHash": "sha256-+T30dHQeG7DDOAx7JDVXmQ0VoxNhmH7sP7XSua4Ap84=", + "lastModified": 1719969940, + "narHash": "sha256-ONh73rQPE476fUzQReW2LYBT4FTE51iIy6vUV8NEA/M=", "owner": "Infinidoge", "repo": "nix-minecraft", - "rev": "47148517641585988aac4d082c5c02c72ac77c49", + "rev": "2fbed82e0e1f8dee8fe6a34c26cdc17237e7101c", "type": "github" }, "original": { @@ -694,11 +694,11 @@ ] }, "locked": { - "lastModified": 1718507237, - "narHash": "sha256-xBEWCxWeRpWQggFFp8ugJCDa63cOJsVvx71R9F0Eowg=", + "lastModified": 1719832725, + "narHash": "sha256-dr8DkeS74KVNTgi8BE0BiUKALb+EKlMIV86G2xPYO64=", "owner": "Mic92", "repo": "nix-index-database", - "rev": "6af2c5e58c20311276f59d247341cafeebfcb6f4", + "rev": "2917972ed34ce292309b3a4976286f8b5c08db27", "type": "github" }, "original": { @@ -709,11 +709,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1718548414, - "narHash": "sha256-1obyIuQPR/Kq1j5/i/5EuAfQrDwjYnjCDG8iLtXmBhQ=", + "lastModified": 1719895800, + "narHash": "sha256-xNbjISJTFailxass4LmdWeV4jNhAlmJPwj46a/GxE6M=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "cde8f7e11f036160b0fd6a9e07dc4c8e4061cf06", + "rev": "6e253f12b1009053eff5344be5e835f604bb64cd", "type": "github" }, "original": { 
@@ -724,11 +724,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1718318537, - "narHash": "sha256-4Zu0RYRcAY/VWuu6awwq4opuiD//ahpc2aFHg2CWqFY=", + "lastModified": 1719848872, + "narHash": "sha256-H3+EC5cYuq+gQW8y0lSrrDZfH71LB4DAf+TDFyvwCNA=", "owner": "nixos", "repo": "nixpkgs", - "rev": "e9ee548d90ff586a6471b4ae80ae9cfcbceb3420", + "rev": "00d80d13810dbfea8ab4ed1009b09100cca86ba8", "type": "github" }, "original": { @@ -756,11 +756,11 @@ }, "nur": { "locked": { - "lastModified": 1718567081, - "narHash": "sha256-IPqZSLbNkBidOM8YYnugdwr0GneHoiPZyRXKac5ydIM=", + "lastModified": 1720010855, + "narHash": "sha256-tF36DiquJP8Ow9QwphDYEjZtBfhkiZOKybUSMnM47wg=", "owner": "nix-community", "repo": "NUR", - "rev": "8a85dd301eda27f8ca394be91a706512f10fe897", + "rev": "642b5070e3fa9f0be118fd46c741a4313231be22", "type": "github" }, "original": { @@ -779,11 +779,11 @@ ] }, "locked": { - "lastModified": 1718567165, - "narHash": "sha256-nhg4r4Kn3deooPiNao8oH/K7CcvRotDzBtg00MXiZkU=", + "lastModified": 1719875930, + "narHash": "sha256-jQmdWLxRP6BzOxRF8hQEhDD7UKw7UrnYbmaAPOSaXWY=", "owner": "pjones", "repo": "plasma-manager", - "rev": "b906c67581fa12ad2821f295b37b5733fcc76926", + "rev": "7e062fcd669e261fb06cf54fe0ef2e46c3db8e83", "type": "github" }, "original": { @@ -935,11 +935,11 @@ ] }, "locked": { - "lastModified": 1718506969, - "narHash": "sha256-Pm9I/BMQHbsucdWf6y9G3xBZh3TMlThGo4KBbeoeczg=", + "lastModified": 1719873517, + "narHash": "sha256-D1dxZmXf6M2h5lNE1m6orojuUawVPjogbGRsqSBX+1g=", "owner": "Mic92", "repo": "sops-nix", - "rev": "797ce4c1f45a85df6dd3d9abdc53f2691bea9251", + "rev": "a11224af8d824935f363928074b4717ca2e280db", "type": "github" }, "original": { 
@@ -1058,11 +1058,11 @@ ] }, "locked": { - "lastModified": 1718470009, - "narHash": "sha256-VBeDG3we0bkbFWMyZy+wjUkmeDN58pGFzw1dQCTeDV8=", + "lastModified": 1719220171, + "narHash": "sha256-xywM6JoGT8AwfoOFJBTv8GRlvNu8LYqqqMS/OQ6uCgE=", "owner": "nix-community", "repo": "NixOS-WSL", - "rev": "e0a970cbb8c3af05c80ef48a336ad91efd9b2bf6", + "rev": "269411cfed6aab694e46f719277c972de96177bb", "type": "github" }, "original": { @@ -1087,11 +1087,11 @@ ] }, "locked": { - "lastModified": 1718272114, - "narHash": "sha256-KsX7sAwkEFpXiwyjt0HGTnnrUU58wW1jlzj5IA/LRz8=", + "lastModified": 1719942321, + "narHash": "sha256-Mb6EdUtgujTNTY6oRLxM/ZCyWUrk+p3V6XcJZ1hSUe4=", "owner": "hyprwm", "repo": "xdg-desktop-portal-hyprland", - "rev": "24be4a26f0706e456fca1b61b8c79f7486a9e86d", + "rev": "c5b30938710d6c599f3f5cd99a3ffac35381fb0f", "type": "github" }, "original": { diff --git a/home/profiles/shell/zsh.nix b/home/profiles/shell/zsh.nix index cf45ce96..416b7806 100644 --- a/home/profiles/shell/zsh.nix +++ b/home/profiles/shell/zsh.nix @@ -24,7 +24,7 @@ in { programs.zsh = { enable = true; syntaxHighlighting.enable = true; - enableAutosuggestions = true; + autosuggestion.enable = true; initExtra = let zshOpts = [ "auto_pushd" diff --git a/nixos/common/access.nix b/nixos/common/access.nix index 2f4ac053..23d2164f 100644 --- a/nixos/common/access.nix +++ b/nixos/common/access.nix @@ -13,7 +13,7 @@ config.users.users); }; in { - security.pam.enableSSHAgentAuth = true; + security.pam.sshAgentAuth.enable = true; security.sudo.enable = true; security.pam.services.sudo.sshAgentAuth = true; users.users = { diff --git a/nixos/common/login-notify.nix b/nixos/common/login-notify.nix new file mode 100644 index 00000000..4fbc2fa3 --- /dev/null +++ b/nixos/common/login-notify.nix 
@@ -0,0 +1,32 @@
+{ pkgs, lib, config, ... }: let
+ inherit (lib.modules) mkAfter mkDefault;
+in {
+ sops.secrets.sshd-environment = {
+ sopsFile = ./secrets.yaml;
+ };
+security.pam.services.sshd.text = let
+ notify = pkgs.writeShellScriptBin "notify" ''
+ export $(cat ${config.sops.secrets.sshd-environment.path} | xargs)
+
+ if [ "$PAM_USER" = "deploy" ]; then
+ if [ "$PAM_TYPE" = "open_session" ]; then
+ message="''${PAM_RHOST} has opened an SSH session as part of doing a Nix deployment on ${config.networking.hostName}."
+ elif [ "$PAM_TYPE" = "close_session" ]; then
+ message="''${PAM_RHOST} has closed an SSH session as part of doing a Nix deployment on ${config.networking.hostName}."
+ fi
+ else
+ if [ "$PAM_TYPE" = "open_session" ]; then
+ message="''${PAM_RHOST} opened an SSH session with ${config.networking.hostName} as user ''${PAM_USER}."
+ elif [ "$PAM_TYPE" = "close_session" ]; then
+ message="''${PAM_RHOST} closed their SSH session with ${config.networking.hostName} for user ''${PAM_USER}."
+ fi
+ fi
+
+ if [ -n "$message" ]; then
+ ${pkgs.curl}/bin/curl -i -H "Accept: application/json" -H "Content-Type:application/json" -X POST --data "{\"content\": \"$message\"}" $DISCORD_WEBHOOK_LINK
+ fi
+ '';
+in mkDefault (mkAfter ''
+ session required pam_exec.so seteuid ${notify}/bin/notify
+'');
+}
\ No newline at end of file
diff --git a/nixos/common/secrets.yaml b/nixos/common/secrets.yaml
new file mode 100644
index 00000000..c00d73d6
--- /dev/null
+++ b/nixos/common/secrets.yaml
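Review bot: The PAM line `session required pam_exec.so seteuid ${notify}/bin/notify` in nixos/common/login-notify.nix makes every SSH session depend on the webhook call. The script's exit status is curl's, so an unreachable webhook, a DNS failure or an unreadable secret file fails the session stack and can lock out SSH, including the `deploy` user. Use `session optional pam_exec.so seteuid ${notify}/bin/notify`, add `--max-time 5` to the curl call so a stalled connection cannot hang the login, and end the script with `exit 0`. The message is also spliced into the JSON body unescaped and `$DISCORD_WEBHOOK_LINK` is unquoted. The jq-based `send_discord_message` helper this commit adds in nixos/profiles/server/nix.nix would fit here as well.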
@@ -0,0 +1,96 @@ +sshd-environment: ENC[AES256_GCM,data:lyzzRDxyNzBgrLthPjdJoXgkniCwLXFZE/GMpLlRzeSvAUN6yc8sFYTmvZiCe/t/33Yr5+BtOhAUI5JzTYJ/kc3Dg4ziB4KbHP4ejPtAb6x2UbEHcN6euPogwXR8lpeO9zJE4gWFOHoYJ4bLa1wuCYgbNkjWDYYHGEoWAMVDU6XYRb3riV21WWIQO/DbC7mAgw==,iv:ZysLG3x0wlxuTYnJrGtrTkjjduMoEOyiWWuC1nRIp4I=,tag:mlNO2yo7JkV2O7A2Da+EjQ==,type:str] +sops: + shamir_threshold: 1 + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1n4kdchmkk3rfkaknxhveqr2ftprdpgwckutt23y6u8639lazzuks77tgav + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtY29iK1hkSjlvR0xrd25l + dzhkME5jZGkwSEJEVVBXUW1Dbytka3BONlJVCjZCc2FBbHZ3dU0xRGlXbXZKTDJJ + R21rb2laOFJWN0d4Q3NjWjJYNm4vWk0KLS0tIHRxSkNCSDBORG1mMmRvdmtqazZV + VWpqVkRJZEc3d25oVDE0VEV5Vy96SWsKNH+E3PS2nGtRVjNYW3dAS3eGatkhTP5h + y+UWPIjQfh1uAmo6Fdh6biIcKZGQBOKEsaTcpHsBfWnMeue3nqf8mw== + -----END AGE ENCRYPTED FILE----- + - recipient: age1cnu37d5fqyahh9vvc4hj6z6k8ur9ksuefln7sr6g3emmn927eutqxdawuh + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvemVLSGttZ1lyTkwreXhK + ZDNjQzhnZDNJcTZsSWNBWWcvNDJVUkhPZENRCmQxdkY3MVdSWE95QUpUN1VFcTVW + QnpCQmVoUTVCWlk3UWNTQkhJRUFXT3MKLS0tIFRGUTNlbVYrcjYwNUxrSjMvWDdN + dDJHMC9NazFlQ0tTb0E3TzRIWklLNU0KMCNhW8DXGDWYm2mlzAyikHvgQctt+WJI + 1hDcVfEL0cDOpxL7/aqbtCdwQcGE0+suTbVs+pe6kFvgex/oHiiYpw== + -----END AGE ENCRYPTED FILE----- + - recipient: age1nr0qds8w3gldmdvhwu0p6w2ys8f4sd0h3xy94h9dsafjzttaypxquzmswc + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtYnplUFIyZE1WNTBXSVJp + eUNoRTFlZ01vTjMxcFRaU295M0R5U2pKT1h3CllZZmZROWsrSEZHSklqUXdGMWlN + RkNXcVMxOGdzSmxBQlZRQTRiMnFxUkkKLS0tIDFKWnAvT3dobWxQOEU5aHBwMXVP + czR0d1JpbkowUGJ3bHArREZ6WGlobjQKkxfq4O+LjtQTSsqmCCpjLaIJYB+9WI08 + 2jnso1pI9oZ7sLkvN8vRnNO+9SORuuEpT6Hy7KybZM4UXpwnk/vvTw== + -----END AGE ENCRYPTED FILE----- + - recipient: age18hpxz0ghvswv9k30cle73prvnzrsuczqh87jjdk9fl50j3ddndmq9xae0n + enc: | + -----BEGIN AGE 
ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFajQ3ME5KVnFXeFMvRnF4 + VTRiUjB5aXBpTXZ1c2hVM29DbnFFck1SMEdVClE4NCt0MDBQMkdNQ0YzTFk4WWhK + b0hmMmxubEU0WG9kZTJDQ1N6VDV5OGcKLS0tIHI5S052V21mS1VRZ2NTbTJ6Y1gr + V0RWRDFRWmtLWGl3UHhjMXZ2Vm9YTm8K5T3Vy5/Ovmlm86yAZ8VCNjBKHqHCMvtr + jkOcVEkK4Fqj9nWCLu0wl2ZVbtsANc72CnXmZwxHaAUIPdx9xWEhig== + -----END AGE ENCRYPTED FILE----- + - recipient: age1xgy03g3vjydsxcl0qpdgm8rahjcjq95ucxfwlgr22zwjx3p7jf2s9jk6u5 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6K1EvMXZZUHF4dHdkQisz + K3NhL0hzTVBMUnhTK3VZaHVHUE1CNkFLTkNVCjNiSXl5MTMyQXczVkx5Q0l3VDUz + MlpyK0U1b2RUSk1QNC9VTGVCSThHaFkKLS0tIHUrVzBEK0hhSVR1WVF5VTZnOGgz + SWxOWktYVkZCNGVTZU9kaWFIbzVyb1EKkAGvXuomvWeTRWFM2kPfArqEpBL+NJ29 + GNDKxx3NQH0BEeudT7LZhj0mWn1963T8Yp2/4OiGvKYHQPUzHa5Q4A== + -----END AGE ENCRYPTED FILE----- + - recipient: age1fv5dafs4n3r5n83qm2hfz7xmnflsz0xf9r3saralrptpgf8mvuxq4t8k3u + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmM25pTFlrbEExQnpDT2dy + NlpIT3FMWU9RVEx3VndHVGNVT1lYOTBKM3dVCmF5MU5ESEs1dTRmbFp6MmpyM2NN + MGRTelBMSU1XK1NteE9lbUpFQW5wQlkKLS0tIHRWTFBwTXcxbnM3Q1BPT1lzWkdo + U013SHFDeitxOThieXRjaTM4ei9sdWcKMnNtZUyguRGkvfqznbCdaqT8Q3BttPQo + fsUAk4bofW4jLvj96JLBtB280atU8k0oIuZbuz1dEMINDtgvIfadTw== + -----END AGE ENCRYPTED FILE----- + - recipient: age120530yclr75k6nrzp6k5jjftj8j4q9v3533guupzk4ct86mjxszqg9e5t5 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtRldzUnRaUk05MVZob1VG + cm1MeDNqUEgxbjJLb1hoQ004TVB1TzZWbkY4Ckl3N05ObHZsRXp2VUYwL0RKSlR4 + WVEyYlAxTDRtYWhGZE9SbUJaK1hDVzgKLS0tIDRLZ3BmMWlRMTR5c1hWOHByell6 + N0hTL1A1MVE2MldocTFWZzc1OENobkUKUseg2IGSClvmrq6vlnF1sCgYlUaH4Ke0 + sDdpVwg1b5WLwbZFeE/Ro1gRY3s+9iDFrU3Rh95R1KmigpMVYz1ILQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-07-04T21:22:16Z" + mac: 
ENC[AES256_GCM,data:5obbMHWEPm7KhJGWXpsKvGI99sJCx8hScIbS2vo3Ua0fvTwML8tkC3gsfLwaZ0D3KGHN6qxyjvP8ajIoxRK2Lj6G2FOWo7gmNzw9ULu+kPj53dqbmy/c3EeZU3WFNaRFXiQx0C80k8YFzPXQAkF/X5NdaRYRL6BFvPRRuq83Uds=,iv:EaeI+Z3e/QZIlU+EIGg+9sDFPtcfnVs8TQvvROOujg4=,tag:+P6U0/+b4nkZNob5fJ6pkg==,type:str] + pgp: + - created_at: "2024-07-04T21:21:19Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA82M54yws73UAQ/9HQ2oLUOQb1YLxMFnDhezNbjXxdUlMULwKLllGxRJ4joC + wonWbDL/AzXeK96ojI5xNZVGWFGnUArnpQRPpgHo/J8OKphSJ49oPxnDpuK2xa2x + yVR0CxPxqWUovFUABhk12Fp8g0iMa/+/GU+UuGQsMn9ncIZ9btqeTEXX9cn/+IM1 + KWbfsuyYMtML13kSmKZDxazXE7v5RTlEf/VAGACqSuiVbZjUr7n/92spR1r3WKDj + 7FJB4hrnvyd4ShgxsQtb27U+9R2zgl5LioaIpNwrnsDy9LDgjzKLpzT6x/zp9m90 + Ws3A8sBsDQ2wE8nNi/uZUcIY9eNXsZQsTQqzE1vSrQsy8IgMJ7U7N2oXSezNlPPP + Jnm+jAcbW/Qly7aqOEQb+BqGhe03b+UxZX6HxS8USiiRKP8E3l8e81Wc0IYP76uj + CJWt7vhv2wCPMc8606BpvzFHH3fOIved/D+q+W8YBp43zJY4zMo00wBQd/az3z/P + O0k5mZDnVldZLiUA8/oXdz5gd1VpuoJzEM2u8Fm5sjESVrscyX0NL9YQW9wW4n8G + /0X0dXKnLf8aJKl0vU0zGNips+1lZUb+JRV8v6qPecgYvEyesRbeDjT96h1ZHD3S + y/wjuV4G6NYNmWbpN3uffIyo0r9QylM8FQcuLdOyVS7Aj/GJyJQ7TsL/SCJSfGfS + XgHcwNJhIQnBn2i0aZwPxkoBBSga8GP1IC8ezevpRseVgWWLDi0NwZK1vN1yBNze + JXpve2W/4KtXvAql0u4UX5BTSlW5ew4FaBEJL/sE1RU80xvPiTtiINr1Y8g2Qww= + =DFqp + -----END PGP MESSAGE----- + fp: CD8CE78CB0B3BDD4 + unencrypted_suffix: _unencrypted + version: 3.8.1 diff --git a/nixos/profiles/gaming/lutris.nix b/nixos/profiles/gaming/lutris.nix index a3920116..bfa9c7a5 100644 --- a/nixos/profiles/gaming/lutris.nix +++ b/nixos/profiles/gaming/lutris.nix @@ -1,7 +1,6 @@ {pkgs, ...}: { hardware.opengl = { driSupport32Bit = true; - driSupport = true; }; hardware.opengl.extraPackages = with pkgs; [ rocm-opencl-icd diff --git a/nixos/profiles/server/nix.nix b/nixos/profiles/server/nix.nix index a94658c7..607eee73 100644 --- a/nixos/profiles/server/nix.nix +++ b/nixos/profiles/server/nix.nix 
@@ -5,20 +5,63 @@ in { automatic = true; dates = "weekly"; }; + sops.secrets.nix-gc-environment = { sopsFile = ./secrets.yaml; }; + systemd.services.nix-gc = { script = let cfg = config.nix.gc; in mkForce '' - ${pkgs.curl}/bin/curl -vvvv -i -H "Accept: application/json" -H "Content-Type:application/json" -X POST --data "{\"content\": \"Beginning nix garbage collection on ${config.networking.hostName}.${config.networking.domain}\"}" $DISCORD_WEBHOOK_LINK - OUTPUT=$(${config.nix.package.out}/bin/nix-collect-garbage ${cfg.options}); - ${pkgs.curl}/bin/curl -vvvv -i -H "Accept: application/json" -H "Content-Type:application/json" -X POST --data "{\"content\": \"Finished nix garbage collection on ${config.networking.hostName}.${config.networking.domain}\"}" $DISCORD_WEBHOOK_LINK - ${pkgs.curl}/bin/curl -vvvv -i -H "Accept: application/json" -H "Content-Type:application/json" -X POST --data "{\"content\": \''${OUTPUT}\"}" $DISCORD_WEBHOOK_LINK + #!/usr/bin/env bash + set -euo pipefail + + # Helper functions + send_discord_message() { + local message="$1" + local escaped_message=$(printf '%s' "$message" | ${pkgs.jq}/bin/jq -R -s '.') + ${pkgs.curl}/bin/curl -s -H "Accept: application/json" -H "Content-Type: application/json" \ + -X POST --data "{\"content\": $escaped_message}" "$DISCORD_WEBHOOK_LINK" + } + + get_filesystem_usage() { + ${pkgs.coreutils}/bin/df -h / | ${pkgs.gawk}/bin/awk 'NR==2 {print $5 " (" $3 ")"}' | tr -d '\n' + } + + calculate_ratio() { + local before="$1" + local after="$2" + ${pkgs.gawk}/bin/awk "BEGIN {printf \"%.2f\", ($after / $before) * 100}" + } + + # Initial filesystem usage + FS_BEFORE_USAGE=$(get_filesystem_usage) + + send_discord_message "Beginning nix garbage collection on ${config.networking.hostName} - Filesystem usage before: $FS_BEFORE_USAGE" + + # Perform garbage collection + OUTPUT=$(${config.nix.package.out}/bin/nix-collect-garbage ${cfg.options}) + + # Get filesystem usage after garbage collection + 
FS_AFTER_USAGE=$(get_filesystem_usage) + + # Extract numeric values for calculation (assuming format like "75% (15G)") + BEFORE_PERCENT=$(echo $FS_BEFORE_USAGE | ${pkgs.coreutils}/bin/cut -d'%' -f1) + AFTER_PERCENT=$(echo $FS_AFTER_USAGE | ${pkgs.coreutils}/bin/cut -d'%' -f1) + + # Calculate ratio + RATIO=$(calculate_ratio $BEFORE_PERCENT $AFTER_PERCENT) + + send_discord_message "Finished nix garbage collection on ${config.networking.hostName} - Filesystem usage: $FS_BEFORE_USAGE -> $FS_AFTER_USAGE ($RATIO%)" + + # Send the output of nix-collect-garbage + send_discord_message "$OUTPUT" ''; + serviceConfig = { EnvironmentFile = config.sops.secrets.nix-gc-environment.path; + Type = "oneshot"; }; }; -} \ No newline at end of file +} diff --git a/nixos/profiles/server/secrets.yaml b/nixos/profiles/server/secrets.yaml index 45e40950..df4652ce 100644 --- a/nixos/profiles/server/secrets.yaml +++ b/nixos/profiles/server/secrets.yaml 
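Review bot: With `set -euo pipefail` at the top of the nix-gc script, a failed webhook POST in `send_discord_message` aborts the unit on the first call, before `nix-collect-garbage` runs, because curl exits non-zero on DNS or connection errors. Garbage collection therefore depends on the webhook being reachable. Make the notification best-effort by ending the curl command with `|| echo "discord notification failed" >&2`, and add `--max-time` so a stalled connection cannot hang the timer run. The final `send_discord_message "$OUTPUT"` posts the whole collector output, which is likely to exceed Discord's 2000-character content limit after a large collection, so truncate it before sending. The module's opening lines are outside the hunk.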
@@ -9,60 +9,87 @@ sops: - recipient: age1n4kdchmkk3rfkaknxhveqr2ftprdpgwckutt23y6u8639lazzuks77tgav enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuQ3piaWxpa1N4ZFRTdkhw - d3BLOXdCd2NDeDJmcGl2UkxlV2RGMUdlYzFVCndmNk44aUVHRExJUmJXU2RpeHN2 - c0Y5bnQyZ2IyaFVuTHBkdHR2cFlldEEKLS0tIGpjUkZpL01BemdQb3JFL3crQS8w - dlZmMjJtcHl2NUU3bzV1dzBQK0FmY1UKiKRO7lTSpF7DYhR6eO0AhW4jsWMC9Etm - Bcc6Zpec0QKgmoy63aDj6+Fx0V5fCVX1Lis0PADpeNIn9Dshv5ouGg== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrM1ZZbHlVazdHUWVtK1NT + ZmYyN1JNa2E2S3NldWR6dEFiNElCcWUvMXg0Ck5TeUs3REtzMVkvR2V2QlhvUWdB + eHJ4Nkl2MitIeitSci9KS1RRalRoMWsKLS0tIGdwL3RnNno0d1hRNFhRSUthU2hH + YUhWVjZiaTVyYmhZUDQrcUJ1T0Q2aUEKtkAw4R9MFUviuJkdXxHJyUzA2Syf23d8 + vPTA71uwvKYHu49/xmkV8Dw06V0nIC8DVkoiraeiElP0c49msbuqaw== -----END AGE ENCRYPTED FILE----- - recipient: age1cnu37d5fqyahh9vvc4hj6z6k8ur9ksuefln7sr6g3emmn927eutqxdawuh enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKbFRvTXQrK1ZNWWxPblB5 - MGVsaUx4MzRlcW4xVkZNczFRdzBlM3VQQVV3CjdXUk9IVC9NRDBNeUMrSUo2anFS - eUhNYWZvdEhJamVYcXJXUExwdFQwb1kKLS0tIHZqNlFhWXZHSDAvdkFtMVhSdnlI - amhncGFzbktNVThyTHl6NFdMc3N5SFkK9NDy5U7Bfl6t8sSZem+EbqD5yW3ZHiex - PUac2UJvy5Q8QA3knQUUtLuLAuE5WrpIOzV8w8YnMYpDBhZtwO9uDg== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzeUdIOWx2R3V5QjArR0Y2 + amJNUVg5d3NBcmNaNE9LWkFOeU9UcnV6WEJBClNFTzQ0TWxhNnBSOE55UjRuSXV4 + dWJmdzZ5ZEVURmRNaVRqQSttZUwzaGMKLS0tIHorc3lBYkNLYWtWSzVJczlJS2VH + cDhxTmJzclM2c3Z4SEJGaDkrWUFJMzAKJpMErKgrSfibubv9FkPVGqM5+nyB8tqb + FKqpd/p/jDVYFTH2RmwmzSQZP0Pjjl0nKYfi0pC/K9716HE7uTy7Ww== -----END AGE ENCRYPTED FILE----- - recipient: age1nr0qds8w3gldmdvhwu0p6w2ys8f4sd0h3xy94h9dsafjzttaypxquzmswc enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIWFlRUFl2OHhuWnFWblBH - bWtRamd4ZDRURHRSYWRFc2tabWg1QTk1Vm1FCkV0akNpNTRxUURzQjQ3RHJMOFVI - T3lDZkFzdER3bmszcVVWZ1h1eWxwZXMKLS0tIFJianRjUm1tOWlxTGkxTkJ4a2hq - 
Z2lERWpVaXhqRDQ3YlpndTdKUklUcjgK5XCk4qbAerT2AfOlpjKK4sUTdAN3Edt0 - XleLhGq+bPG3CHUEN7SIaoHh4fyCpwcNGJPAcmeGY1yJZh8y0UQvSw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHSTNSWnVBT2pyTTdCYVRV + TWNNek1TNzI2dkJzVGZDUjlFbkF2Um54QkJRClcyU096ZUFhRXMyd3o1RTFkK0xx + K00xcTBTakxaa3hJRWpPWTV2aXdpQ2MKLS0tIHFvOERJRThQVStCejN2VVh0eENT + WGRPV05WZHR0RzNWZ3NHV1RJMEZsRVUKbJR3qG7KTGgUsnsajndrUN+FNW+E3Rfu + 4bHisR1/sFINs9P25E4F353Ld5fVyt9+zkUO+GuHd2WEc1Hgge8HvQ== -----END AGE ENCRYPTED FILE----- - recipient: age18hpxz0ghvswv9k30cle73prvnzrsuczqh87jjdk9fl50j3ddndmq9xae0n enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2YlMzam1CMmFoSXVwWjdY - bC9hem5manl2RngvMm1FdDU0anZlL0pDdHpZClhOdlVrM05aek1sMUdQdHNvRTRp - UEZ4LzFXM3NtRzA0Nm80OFlGSWlnMW8KLS0tIGRPZWhRVStiUm9tYjErWmpZa3A4 - aDJmdGUxZWdqbXFjeCt4dHlSVDE4TEkKz+z1s1MvGcyVIPLQEnFFm1YpDDUc2KBf - p92AFO+1CXZsQTKY6eRPIUxkXPKXsBYPosy7Z34mBKmjlrvxrM+2OA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzTG1UUG51RVFXQTdHOEVO + L3ptclplbVgvUktMTDgrSENVL2FVaEc2TEN3Ci9CL0JQNnFzdjR6aFJHc3g2VUN0 + V1UxUVkzcjI0aXZYb0Y3RlZBK3lSM0UKLS0tIGZpbi9Ba0dXY1E4c0Q1ZkZOYjlG + Nk1mbWR2MGFWZEdWbThWc2lNNWpwU28KDvpGGsTyRjyHvOjVyMzvjZa36y0WXcej + FLjDVQt4MGQ6u/r91MMPk2rT5N1UPWDoraKKC6HZ+cw/UcgGgd4CNQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age1xgy03g3vjydsxcl0qpdgm8rahjcjq95ucxfwlgr22zwjx3p7jf2s9jk6u5 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0dGdUeDZ3bzRDYVE0ZXIy + Ylc0Nk10UmpCV3JLWnY3SjdKKy9jTWpzSWxvClpyNTN3RnZiTmxGVjZIQzkyWXhq + NlgrV3RXMWZyMjRsUzltSTgxeThBbVEKLS0tIEtJZTJaekZkK1lpVThDTXZTUmRN + d1BES0pXSzZGV0xybjc4N2w5RTV5NU0K2EY6/uS0ZR9TxFywTXrbWwlQZ7M7NzxI + dDyeK+kMVhBXEyVO4j+uZPBAs8b2lih7AZPAioTiz/wh9PieaI2k5g== + -----END AGE ENCRYPTED FILE----- + - recipient: age1fv5dafs4n3r5n83qm2hfz7xmnflsz0xf9r3saralrptpgf8mvuxq4t8k3u + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2SGpEZmFTOWRtT25XM0ll + 
SXVMVXBPTC9LQ3d6cG5NY2dqSmtldWJMdENFCjVyWm4vM2lHQW5nS0FkZFVjZGhV + eFk1NWRPZVJVaEN2ZXJXTUlEaHRnQTgKLS0tIGRQek41bTNXZXBJRDdtWklRM3pC + NzRyWXAyOFVlYXZOc0lxTGl5b3d0RWsKH0+TdY7D/mApS+110QGE09MdZh/RcSyh + 9oNy3EDpB7GOy/UcMLz8Cl6rgMg8gsQwvDfRRig9HsCWY5lNXs/W1g== + -----END AGE ENCRYPTED FILE----- + - recipient: age120530yclr75k6nrzp6k5jjftj8j4q9v3533guupzk4ct86mjxszqg9e5t5 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaUGphZU9XL2M1Zm8ydG52 + b0dYeThiaitUMkZjSkdacG1tOXM4YlE3MzFFCllZOVBSaGx1NkxINGhqRkhtZjNC + OU8vSzFxdkpBV2pNNzBFN0t3S1hyc2sKLS0tIGRJMXhzVlBUd091THJLSXUxVXVn + OGVicjRPMG1IcFdMckw4QmVyd05Lb1UKjbtiQonzA3nKWxRCcseRQsNmG+qgN71j + YSsTOP1ClhKnbBdldiRjGDyyuZ0XQQ1nXjcEwntlQ7PP08O/zwSsOw== -----END AGE ENCRYPTED FILE----- lastmodified: "2024-06-25T03:22:44Z" mac: ENC[AES256_GCM,data:2uVqMaPYgG2hbkMZCd3xJjjoEJqsGhFEXAq4p+X7YWO4hwB+H/REJJkHCUBegggWJtKA1zDKDIVzvZv3BeRaIe63Kaj2A/7c3qwjCsBpzm5DdJ3WrlAIffFSgOs7jUyFwQtP0ZsbHigsr/rA5NqDeC+4hVHg9XKgLXKyPoVk+iM=,iv:rzf0xQGfGMirg1wwe3paq1+lNdISerFXRUsPLtZ09m0=,tag:6xkM9kvN/8NqzTYB5eHbVA==,type:str] pgp: - - created_at: "2024-06-25T03:21:52Z" + - created_at: "2024-07-03T16:38:04Z" enc: |- -----BEGIN PGP MESSAGE----- - hQIMA82M54yws73UAQ/8CQAUzNv2BxCf8d+XPW+NeV5XsTqk06/QdFmyhguS4fn7 - eyclxiww6FBspxX8WxfLsE3qLjA1cGRv8W8kvZMzuIiJW7BECnzUvANNci3STl3w - Ei4zkWCuXYdgO0nbfzvv2MyXSdw5nnJIRpbh/QyR7UOJkHHkurtLXCupNImZUN0d - FKzM+Y0rM/rDQvNxk216T0eAE68su+wzNbPEgYzMSq/0N5kFl+31JU7hRdXf1+Kd - MFFwu8owk/G0pqkOx3jIV5sia97CZbG7pZLNwfXTngVum/neRGCwNf+Ub4S51K0s - pQZHDFgacRUCKkJs2XXZcYQHEn2NQ+z+6rvnmOEsMMRM2X+g1+6SocL2Rf6VZgDo - UNr6oUplzMdJFRM8ymqP6IsVK/L8NQF9sna2MevtDGxoFV6Dl2mOzyHUCCaHyp0O - sWiIsnkogFDGOH7OjUSvTjv/o5RbeHGyLzzAYg8ZKRyqhdhzF+QFToQ4mqzyjrAd - NEqDgAYolgOPg2NmDpuBBnHwJhNQDaWA3wDDSEtH++xrjgZy0vovM79HUwYOGyPK - mOjl2CM52QFaORmSj561TgfOAO2ulVPIjXa88w9mFyyNqsecqWevQFBYn9/V7Yz0 - 5SpnUpxhJ50ZeY/IZa5rz+JoZmX+Gg+dwqvG58o1Nh21tQzFemApi7FC1HqwukPS - 
XgEhEqzHm2ayA9wTLyFkaZeIMQyCm/bm3i0PN4N9yojq6/g3wXK2k/tld208ro5m - 682qNj7bIeWqwdfZxdmdgzutqojV1zrfaC2iYLd58waxua6w9UbE9jvkg0cz6H8= - =ceQ3 + hQIMA82M54yws73UARAArVDBsn02FJbl6OXIW1YrT4O96F7wMuJYF5w9Qw1sMudi + BKnZeiM9gJQPPgr9J/Pb5FGR6KQQzcz7ogYgZHGvxdDgIdqwSXWpP9Y3W0qCEZfc + y/BDfdGyOWa3cTMVQg7gO6nnhu/02hjUT/+dRe+kDwbm7Jn5o+SZBM+136YaQeiO + 8Wqfa2pGPCMkh/CzrvywuD66Y8nYm75ViqzFsh0SzCw3huOQBn5tGYWbaoLz7IPk + +j9Yl7FAeWPVCV2mlQ+G0szZiZ7ouYv7e/xkDk7n+Z6hxzuqAg2LgCgVOhH2bDfa + LdWzdOD7wEdLwfT7hAf8EnaF5CcjShox0XqsUptXqBUu84A/8JH3vKFVN4JxO9YP + hviLuXk+VsIiFoIL6qvGbdtaqWPG8JN+OdtekLX3S0OHFltdPh1Jxyomh4+CCvLh + KlrkGMRC8xcff/p/mTSr+aiHbjqU3aEf+tNJyk/2ghHCCOcXTc3FuFhx87+NhVW5 + u75Swb4u05cZSzDY3Ie3xmim5kvM7IyNwSJ4dyEHpGDmHUXQxGQPVsNGtImeyM7l + AmVkSi3LfyV/DGBDy3iQbqotREd7OQEHnPFH0YFlr1PsM17Y6JrXHlSxDT7FsIg0 + 6q593i+BV5tdfKc1UF77FOvxlr3wnxy9pXxKSNUoOTLzoeGadaJ3aV8ukVzNyXLS + XgELL1usQe/o03hxjEeQJuy1VEl0QRk8Y/6wtQDuJXG5Y/fwxl8XRn1ck12soU5P + 3tV5aAiPjLrAFz1gopYHel+pSaKTUDavD5TBJ2jR+oswWRdFOlF5qYoEwlA7ADI= + =TE06 -----END PGP MESSAGE----- fp: CD8CE78CB0B3BDD4 unencrypted_suffix: _unencrypted diff --git a/packages/synapse-cleanup/cleanup.sh b/packages/synapse-cleanup/cleanup.sh index cf8c41d3..2f10e6e7 100644 --- a/packages/synapse-cleanup/cleanup.sh +++ b/packages/synapse-cleanup/cleanup.sh 
@@ -1,52 +1,120 @@ #!/usr/bin/env bash set -euo pipefail -# Provide $HOMESERVER and $API_ID into the program via environment, or uncomment the two below lines: -#read -p "Enter the homeserver name, without https:// prefix: " HOMESERVER -#read -sp "Enter the admin user token required: " API_ID - +# Configuration +HOMESERVER=${HOMESERVER:-""} +API_ID=${API_ID:-""} +DISCORD_WEBHOOK_LINK=${DISCORD_WEBHOOK_LINK:-""} TEMPDIR=$(mktemp -d) -database_before_size=$(sudo -u postgres psql matrix-synapse -c "SELECT pg_size_pretty(pg_database_size( 'matrix-synapse' ));" | sed -n "3p") -media_store_before_size=$(sudo du /var/lib/matrix-synapse/media_store -hd 0 | awk '{print $1}') -curl -i -H "Accept: application/json" -H "Content-Type:application/json" -X POST --data "{\"content\": \"Beginning matrix-synapse optimization process - Database before size: ${database_before_size}, Media store before size: ${media_store_before_size}\"}" $DISCORD_WEBHOOK_LINK +MONTHS_TO_KEEP=1 -echo "Starting synapse, just to make sure it is online for these requests" -systemctl start matrix-synapse -sleep 5 +# Helper functions +send_discord_message() { + local message="$1" + local escaped_message=$(printf '%s' "$message" | jq -R -s '.') + curl -s -H "Accept: application/json" -H "Content-Type: application/json" \ + -X POST --data "{\"content\": $escaped_message}" "$DISCORD_WEBHOOK_LINK" +} -echo "Collecting required room data" -curl --header "Authorization: Bearer ${API_ID}" "https://${HOMESERVER}/_synapse/admin/v1/rooms?limit=500" > "${TEMPDIR}/roomlist.json" -jq '.rooms[] | select(.joined_local_members == 0) | .room_id' < "${TEMPDIR}/roomlist.json" > "${TEMPDIR}/to_purge.txt" -jq '.rooms[] | select(.joined_local_members != 0) | .room_id' < "${TEMPDIR}/roomlist.json" > "${TEMPDIR}/history_purge.txt" -ts=$(( $(date --date="1 month ago" +%s)*1000 )) +get_db_size() { + sudo -u postgres psql matrix-synapse -t -c \ + "SELECT pg_size_pretty(pg_database_size('matrix-synapse'));" | tr -d ' ' +} -echo 
"Cleaning up media store" -curl --header "Authorization: Bearer ${API_ID}" -X POST "https://${HOMESERVER}/_synapse/admin/v1/media/delete?before_ts=${ts}" -media_store_after_size=$(sudo du /var/lib/matrix-synapse/media_store -hd 0 | awk '{print $1}') +get_media_store_size() { + sudo du /var/lib/matrix-synapse/media_store -hd 0 | awk '{print $1}' +} -echo "Deleting empty rooms" -rooms_to_remove=$(awk -F '"' '{print $2}' < "${TEMPDIR}/to_purge.txt") -for room_id in $rooms_to_remove; do - if [ -n "${room_id}" ]; then - curl --header "Authorization: Bearer ${API_ID}" -X DELETE -H "Content-Type: application/json" -d "{}" "https://${HOMESERVER}/_synapse/admin/v2/rooms/${room_id}" +get_filesystem_usage() { + df -h / | awk 'NR==2 {print $5 " (" $3 ")"}' | tr -d '\n' +} + +calculate_ratio() { + local before="$1" + local after="$2" + awk "BEGIN {printf \"%.2f\", ($after / $before) * 100}" +} + +# Main script +main() { + # Check for required variables + if [[ -z "$HOMESERVER" || -z "$API_ID" || -z "$DISCORD_WEBHOOK_LINK" ]]; then + send_discord_message "Error: HOMESERVER, API_ID, and DISCORD_WEBHOOK_LINK must be set." 
+ exit 1 fi -done -rooms_to_clean=$(awk -F '"' '{print $2}' < "${TEMPDIR}"/history_purge.txt) -echo "Deleting unnecessary room history" -for room_id in $rooms_to_clean; do - curl --header "Authorization: Bearer ${API_ID}" -X POST -H "Content-Type: application/json" -d "{ \"delete_local_events\": true, \"purge_up_to_ts\": ${ts} }" "https://${HOMESERVER}/_synapse/admin/v1/purge_history/${room_id}" -done + # Initial sizes and usage + local db_before_size=$(get_db_size) + local media_before_size=$(get_media_store_size) + local fs_before_usage=$(get_filesystem_usage) -echo "Last optimization steps, database optimization, shutting down Synapse" -systemctl stop matrix-synapse + send_discord_message "Beginning matrix-synapse optimization process - Database before size: ${db_before_size}, Media store before size: ${media_before_size}, Filesystem usage before: ${fs_before_usage}" -sudo -u matrix-synapse synapse_auto_compressor -p "postgresql://matrix-synapse?user=matrix-synapse&host=/var/run/postgresql/" -c 500 -n 100 -sudo -u postgres psql matrix-synapse -c "REINDEX (VERBOSE) DATABASE \"matrix-synapse\";" -sudo -u postgres psql matrix-synapse -c "VACUUM FULL VERBOSE;" + send_discord_message "Starting synapse" + systemctl start matrix-synapse + sleep 5 -rm -rf "${TEMPDIR}" -echo "Synapse cleanup performed, booting up" -systemctl start matrix-synapse -database_after_size=$(sudo -u postgres psql matrix-synapse -c "SELECT pg_size_pretty(pg_database_size( 'matrix-synapse' ));" | sed -n "3p") -curl -i -H "Accept: application/json" -H "Content-Type:application/json" -X POST --data "{\"content\": \"Matrix-synapse optimization process finished - Database after size: ${database_after_size}, ratio: ${database_ratio}, Media store after size: ${media_store_after_size}, ratio: ${media_store_ratio}\"}" $DISCORD_WEBHOOK_LINK + send_discord_message "Collecting required room data" + curl --header "Authorization: Bearer ${API_ID}" \ + "https://${HOMESERVER}/_synapse/admin/v1/rooms?limit=500" 
> "${TEMPDIR}/roomlist.json" + + jq '.rooms[] | select(.joined_local_members == 0) | .room_id' < "${TEMPDIR}/roomlist.json" > "${TEMPDIR}/to_purge.txt" + jq '.rooms[] | select(.joined_local_members != 0) | .room_id' < "${TEMPDIR}/roomlist.json" > "${TEMPDIR}/history_purge.txt" + + local ts=$(( $(date --date="${MONTHS_TO_KEEP} month ago" +%s)*1000 )) + + send_discord_message "Cleaning up media store" + curl --header "Authorization: Bearer ${API_ID}" -X POST \ + "https://${HOMESERVER}/_synapse/admin/v1/media/delete?before_ts=${ts}" + + send_discord_message "Deleting empty rooms" + while read -r room_id; do + if [ -n "${room_id}" ]; then + curl --header "Authorization: Bearer ${API_ID}" -X DELETE \ + -H "Content-Type: application/json" -d "{}" \ + "https://${HOMESERVER}/_synapse/admin/v2/rooms/${room_id}" + fi + done < <(jq -r '.[]' "${TEMPDIR}/to_purge.txt") + + send_discord_message "Deleting unnecessary room history" + while read -r room_id; do + curl --header "Authorization: Bearer ${API_ID}" -X POST \ + -H "Content-Type: application/json" \ + -d "{ \"delete_local_events\": true, \"purge_up_to_ts\": ${ts} }" \ + "https://${HOMESERVER}/_synapse/admin/v1/purge_history/${room_id}" + done < <(jq -r '.[]' "${TEMPDIR}/history_purge.txt") + + send_discord_message "Performing database optimization" + systemctl stop matrix-synapse + + send_discord_message "Running synapse_auto_compressor" + sudo -u matrix-synapse synapse_auto_compressor \ + -p "postgresql://matrix-synapse?user=matrix-synapse&host=/var/run/postgresql/" \ + -c 500 -n 100 + + send_discord_message "Reindexing database" + sudo -u postgres psql matrix-synapse -c "REINDEX (VERBOSE) DATABASE \"matrix-synapse\";" + + send_discord_message "Vacuuming database" + sudo -u postgres psql matrix-synapse -c "VACUUM FULL VERBOSE;" + + rm -rf "${TEMPDIR}" + + send_discord_message "Synapse cleanup performed, booting up" + systemctl start matrix-synapse + + # Final sizes, usage, and ratios + local db_after_size=$(get_db_size) + 
local media_after_size=$(get_media_store_size) + local fs_after_usage=$(get_filesystem_usage) + local db_ratio=$(calculate_ratio "${db_before_size//[A-Za-z]/}" "${db_after_size//[A-Za-z]/}") + local media_ratio=$(calculate_ratio "${media_before_size//[A-Za-z]/}" "${media_after_size//[A-Za-z]/}") + + send_discord_message "Matrix-synapse optimization process finished - +Database: ${db_before_size} -> ${db_after_size} (${db_ratio}%), +Media store: ${media_before_size} -> ${media_after_size} (${media_ratio}%), +Filesystem usage: ${fs_before_usage} -> ${fs_after_usage}" +} + +# Run the main function +main diff --git a/systems/default.nix b/systems/default.nix index 67e30a74..e5e38cd5 100644 --- a/systems/default.nix +++ b/systems/default.nix @@ -168,7 +168,7 @@ (set.optional ((list.elem name (set.keys serverLocations)) && host.folder == "nixos") { ${name} = { hostname = serverLocations.${name}; - sshUser = "root"; + sshUser = "deploy"; sshOpts = ["-oControlMaster=no" "-oControlPath=/tmp/willneverexist" "-p" "${builtins.toString (builtins.head inputs.self.nixosConfigurations.${name}.config.services.openssh.ports)}"]; }; })
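Review bot: Both room loops in cleanup.sh read from `jq -r '.[]'` over `to_purge.txt` and `history_purge.txt`, but those files hold one JSON string per line (written by `jq '... | .room_id'`) and `.[]` cannot iterate a string. jq therefore errors and the loops see no room IDs; since the failure is inside a process substitution, `set -e` does not stop the script and the run continues without deleting or purging any room. Use `jq -r '.'` in both `done < <(...)` lines, or write the files with `jq -r` and read them directly. Separately, the admin token is passed as `--header "Authorization: Bearer ${API_ID}"` on the curl command line, where other local users can see it in the process list; reading the header from a root-only file (`-H @/path/to/header-file`, placeholder path) avoids that. `calculate_ratio` also strips the unit letters before dividing, so a before/after pair in different units (GB vs MB) gives a misleading percentage.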