kat/nixfiles
1
0
Fork 0
mirror of https://github.com/kittywitch/nixfiles.git synced 2026-02-09 12:29:19 -08:00
Code Issues Projects Releases Packages Wiki Activity

feat: add improved alerting for various things

Browse source
This commit is contained in:
Kat Inskip 2024-07-05 12:28:09 -07:00
parent ed4defc62f
commit 07ee692df8
Signed by: kat
GPG key ID: 465E64DECEA8CF0F
11 changed files with 414 additions and 137 deletions
Download patch file Download diff file Expand all files Collapse all files

12
.sops.yaml
View file

@ -5,6 +5,9 @@ keys:
- &yukari_kat age1cnu37d5fqyahh9vvc4hj6z6k8ur9ksuefln7sr6g3emmn927eutqxdawuh - &yukari_kat age1cnu37d5fqyahh9vvc4hj6z6k8ur9ksuefln7sr6g3emmn927eutqxdawuh
- &koishi age1nr0qds8w3gldmdvhwu0p6w2ys8f4sd0h3xy94h9dsafjzttaypxquzmswc - &koishi age1nr0qds8w3gldmdvhwu0p6w2ys8f4sd0h3xy94h9dsafjzttaypxquzmswc
- &koishi_kat age18hpxz0ghvswv9k30cle73prvnzrsuczqh87jjdk9fl50j3ddndmq9xae0n - &koishi_kat age18hpxz0ghvswv9k30cle73prvnzrsuczqh87jjdk9fl50j3ddndmq9xae0n
- &mei age1xgy03g3vjydsxcl0qpdgm8rahjcjq95ucxfwlgr22zwjx3p7jf2s9jk6u5
- &mai age1fv5dafs4n3r5n83qm2hfz7xmnflsz0xf9r3saralrptpgf8mvuxq4t8k3u
- &daiyousei age120530yclr75k6nrzp6k5jjftj8j4q9v3533guupzk4ct86mjxszqg9e5t5
creation_rules: creation_rules:
- path_regex: tf/terraform.tfvars.sops$ - path_regex: tf/terraform.tfvars.sops$
shamir_threshold: 1 shamir_threshold: 1
@ -21,6 +24,15 @@ creation_rules:
- *yukari_kat - *yukari_kat
- *koishi - *koishi
- *koishi_kat - *koishi_kat
- *mei
- *mai
- *daiyousei
- path_regex: nixos/[^/]+/.*\.yaml
shamir_threshold: 1
key_groups:
- pgp:
- *kat
age: *age_common
- path_regex: nixos/servers/[^/]+/.*\.yaml - path_regex: nixos/servers/[^/]+/.*\.yaml
shamir_threshold: 1 shamir_threshold: 1
key_groups: key_groups:

108
flake.lock generated
View file

@ -3,11 +3,11 @@
"arcexprs": { "arcexprs": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1717919469, "lastModified": 1719854708,
"narHash": "sha256-Pgco19bs3bMJiVG0HL8nXVFsMijdHIRnnUO8WmdhIVk=", "narHash": "sha256-EUjNXcLW6cN0UY89kkfncC/cVO0CY6qIUfKmlse/gLg=",
"owner": "arcnmx", "owner": "arcnmx",
"repo": "nixexprs", "repo": "nixexprs",
"rev": "625cc299098ac8cea904f2777d0cdf9a191b9e7d", "rev": "5165118a5c43addcaace24579f0e62f5d1a792a7",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -129,11 +129,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1718440858, "lastModified": 1719845423,
"narHash": "sha256-iMVwdob8F6P6Ib+pnhMZqyvYI10ZxmvA885jjnEaO54=", "narHash": "sha256-ZLHDmWAsHQQKnmfyhYSHJDlt8Wfjv6SQhl2qek42O7A=",
"owner": "lnl7", "owner": "lnl7",
"repo": "nix-darwin", "repo": "nix-darwin",
"rev": "58b905ea87674592aa84c37873e6c07bc3807aba", "rev": "ec12b88104d6c117871fad55e931addac4626756",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -308,11 +308,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1718526747, "lastModified": 1719992360,
"narHash": "sha256-sKrD/utGvmtQALvuDj4j0CT3AJXP1idOAq2p+27TpeE=", "narHash": "sha256-SRq0ZRkqagqpMGVf4z9q9CIWRbPYjO7FTqSJyWh7nes=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "0a7ffb28e5df5844d0e8039c9833d7075cdee792", "rev": "36e2f9da91ce8b63a549a47688ae60d47c50de4b",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -338,11 +338,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1718368322, "lastModified": 1718450675,
"narHash": "sha256-VfMg3RsnRLQzbq0hFIh1dCM09b5C/F/qPFUOgU/CRi0=", "narHash": "sha256-jpsns6buS4bK+1sF8sL8AaixAiCRjA+nldTKvcwmvUs=",
"owner": "hyprwm", "owner": "hyprwm",
"repo": "hyprcursor", "repo": "hyprcursor",
"rev": "dd3a853c8239d1c3f3f37de7d2b8ae4b4f3840df", "rev": "66d5b46ff94efbfa6fa3d1d1b66735f1779c34a6",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -370,11 +370,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1718566457, "lastModified": 1719949580,
"narHash": "sha256-IIUhBjiDa0TjvEJb1WTJ9TM8PTGJjl+sOWfSdZKIJNA=", "narHash": "sha256-Ht6ZUjQ6HO9vllB0CxeGgLYUzZCw9Q/2Aaq21Og+3hM=",
"owner": "hyprwm", "owner": "hyprwm",
"repo": "Hyprland", "repo": "Hyprland",
"rev": "b15be9c77de593581007de53b2bbca97d121900a", "rev": "8bb75a223db3ea9471d05d74fbed3328334a9f78",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -393,11 +393,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1714869498, "lastModified": 1718746314,
"narHash": "sha256-vbLVOWvQqo4n1yvkg/Q70VTlPbMmTiCQfNTgcWDCfJM=", "narHash": "sha256-HUklK5u86w2Yh9dOkk4FdsL8eehcOZ95jPhLixGDRQY=",
"owner": "hyprwm", "owner": "hyprwm",
"repo": "hyprland-protocols", "repo": "hyprland-protocols",
"rev": "e06482e0e611130cd1929f75e8c1cf679e57d161", "rev": "1b61f0093afff20ab44d88ad707aed8bf2215290",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -444,11 +444,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1717883389, "lastModified": 1719873906,
"narHash": "sha256-2A4Q56JFd3t9j3Xpa0kxw2fjv8nNqgNBOA34rRcLA8I=", "narHash": "sha256-0dy2hT1Q4PaFah8QxJkOfXGLuG7Ehq5Hi5pNhOpXd/A=",
"owner": "hyprwm", "owner": "hyprwm",
"repo": "hyprlock", "repo": "hyprlock",
"rev": "c5b8ad03d03ddbd2b0ff8615c2f6dba31374b6a8", "rev": "88b9ce48ed0c561c44c3a09cd6cef0e1bebaf59f",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -493,11 +493,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1718271409, "lastModified": 1719316102,
"narHash": "sha256-8KvVqtApNt4FWTdn1TqVvw00rpqyG9UuUPA2ilPVD1U=", "narHash": "sha256-dmRz128j/lJmMuTYeCYPfSBRHHQO3VeH4PbmoyAhHzw=",
"owner": "hyprwm", "owner": "hyprwm",
"repo": "hyprutils", "repo": "hyprutils",
"rev": "8e10e0626fb26a14b859b3811b6ed7932400c86e", "rev": "1f6bbec5954f623ff8d68e567bddcce97cd2f085",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -568,11 +568,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1718119275, "lastModified": 1719067853,
"narHash": "sha256-nqDYXATNkyGXVmNMkT19fT4sjtSPBDS1LLOxa3Fueo4=", "narHash": "sha256-mAnZG/eQy72Fp1ImGtqCgUrDumnR1rMZv2E/zgP4U74=",
"owner": "hyprwm", "owner": "hyprwm",
"repo": "hyprwayland-scanner", "repo": "hyprwayland-scanner",
"rev": "1419520d5f7f38d35e05504da5c1b38212a38525", "rev": "914f083741e694092ee60a39d31f693d0a6dc734",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -674,11 +674,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1718328291, "lastModified": 1719969940,
"narHash": "sha256-+T30dHQeG7DDOAx7JDVXmQ0VoxNhmH7sP7XSua4Ap84=", "narHash": "sha256-ONh73rQPE476fUzQReW2LYBT4FTE51iIy6vUV8NEA/M=",
"owner": "Infinidoge", "owner": "Infinidoge",
"repo": "nix-minecraft", "repo": "nix-minecraft",
"rev": "47148517641585988aac4d082c5c02c72ac77c49", "rev": "2fbed82e0e1f8dee8fe6a34c26cdc17237e7101c",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -694,11 +694,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1718507237, "lastModified": 1719832725,
"narHash": "sha256-xBEWCxWeRpWQggFFp8ugJCDa63cOJsVvx71R9F0Eowg=", "narHash": "sha256-dr8DkeS74KVNTgi8BE0BiUKALb+EKlMIV86G2xPYO64=",
"owner": "Mic92", "owner": "Mic92",
"repo": "nix-index-database", "repo": "nix-index-database",
"rev": "6af2c5e58c20311276f59d247341cafeebfcb6f4", "rev": "2917972ed34ce292309b3a4976286f8b5c08db27",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -709,11 +709,11 @@
}, },
"nixos-hardware": { "nixos-hardware": {
"locked": { "locked": {
"lastModified": 1718548414, "lastModified": 1719895800,
"narHash": "sha256-1obyIuQPR/Kq1j5/i/5EuAfQrDwjYnjCDG8iLtXmBhQ=", "narHash": "sha256-xNbjISJTFailxass4LmdWeV4jNhAlmJPwj46a/GxE6M=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixos-hardware", "repo": "nixos-hardware",
"rev": "cde8f7e11f036160b0fd6a9e07dc4c8e4061cf06", "rev": "6e253f12b1009053eff5344be5e835f604bb64cd",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -724,11 +724,11 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1718318537, "lastModified": 1719848872,
"narHash": "sha256-4Zu0RYRcAY/VWuu6awwq4opuiD//ahpc2aFHg2CWqFY=", "narHash": "sha256-H3+EC5cYuq+gQW8y0lSrrDZfH71LB4DAf+TDFyvwCNA=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "e9ee548d90ff586a6471b4ae80ae9cfcbceb3420", "rev": "00d80d13810dbfea8ab4ed1009b09100cca86ba8",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -756,11 +756,11 @@
}, },
"nur": { "nur": {
"locked": { "locked": {
"lastModified": 1718567081, "lastModified": 1720010855,
"narHash": "sha256-IPqZSLbNkBidOM8YYnugdwr0GneHoiPZyRXKac5ydIM=", "narHash": "sha256-tF36DiquJP8Ow9QwphDYEjZtBfhkiZOKybUSMnM47wg=",
"owner": "nix-community", "owner": "nix-community",
"repo": "NUR", "repo": "NUR",
"rev": "8a85dd301eda27f8ca394be91a706512f10fe897", "rev": "642b5070e3fa9f0be118fd46c741a4313231be22",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -779,11 +779,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1718567165, "lastModified": 1719875930,
"narHash": "sha256-nhg4r4Kn3deooPiNao8oH/K7CcvRotDzBtg00MXiZkU=", "narHash": "sha256-jQmdWLxRP6BzOxRF8hQEhDD7UKw7UrnYbmaAPOSaXWY=",
"owner": "pjones", "owner": "pjones",
"repo": "plasma-manager", "repo": "plasma-manager",
"rev": "b906c67581fa12ad2821f295b37b5733fcc76926", "rev": "7e062fcd669e261fb06cf54fe0ef2e46c3db8e83",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -935,11 +935,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1718506969, "lastModified": 1719873517,
"narHash": "sha256-Pm9I/BMQHbsucdWf6y9G3xBZh3TMlThGo4KBbeoeczg=", "narHash": "sha256-D1dxZmXf6M2h5lNE1m6orojuUawVPjogbGRsqSBX+1g=",
"owner": "Mic92", "owner": "Mic92",
"repo": "sops-nix", "repo": "sops-nix",
"rev": "797ce4c1f45a85df6dd3d9abdc53f2691bea9251", "rev": "a11224af8d824935f363928074b4717ca2e280db",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -1058,11 +1058,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1718470009, "lastModified": 1719220171,
"narHash": "sha256-VBeDG3we0bkbFWMyZy+wjUkmeDN58pGFzw1dQCTeDV8=", "narHash": "sha256-xywM6JoGT8AwfoOFJBTv8GRlvNu8LYqqqMS/OQ6uCgE=",
"owner": "nix-community", "owner": "nix-community",
"repo": "NixOS-WSL", "repo": "NixOS-WSL",
"rev": "e0a970cbb8c3af05c80ef48a336ad91efd9b2bf6", "rev": "269411cfed6aab694e46f719277c972de96177bb",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -1087,11 +1087,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1718272114, "lastModified": 1719942321,
"narHash": "sha256-KsX7sAwkEFpXiwyjt0HGTnnrUU58wW1jlzj5IA/LRz8=", "narHash": "sha256-Mb6EdUtgujTNTY6oRLxM/ZCyWUrk+p3V6XcJZ1hSUe4=",
"owner": "hyprwm", "owner": "hyprwm",
"repo": "xdg-desktop-portal-hyprland", "repo": "xdg-desktop-portal-hyprland",
"rev": "24be4a26f0706e456fca1b61b8c79f7486a9e86d", "rev": "c5b30938710d6c599f3f5cd99a3ffac35381fb0f",
"type": "github" "type": "github"
}, },
"original": { "original": {

2
home/profiles/shell/zsh.nix
View file

@ -24,7 +24,7 @@ in {
programs.zsh = { programs.zsh = {
enable = true; enable = true;
syntaxHighlighting.enable = true; syntaxHighlighting.enable = true;
enableAutosuggestions = true; autosuggestion.enable = true;
initExtra = let initExtra = let
zshOpts = [ zshOpts = [
"auto_pushd" "auto_pushd"

2
nixos/common/access.nix
View file

@ -13,7 +13,7 @@
config.users.users); config.users.users);
}; };
in { in {
security.pam.enableSSHAgentAuth = true; security.pam.sshAgentAuth.enable = true;
security.sudo.enable = true; security.sudo.enable = true;
security.pam.services.sudo.sshAgentAuth = true; security.pam.services.sudo.sshAgentAuth = true;
users.users = { users.users = {

32
nixos/common/login-notify.nix Normal file
View file

@ -0,0 +1,32 @@
{ pkgs, lib, config, ... }: let
inherit (lib.modules) mkAfter mkDefault;
in {
sops.secrets.sshd-environment = {
sopsFile = ./secrets.yaml;
};
security.pam.services.sshd.text = let
notify = pkgs.writeShellScriptBin "notify" ''
export $(cat ${config.sops.secrets.sshd-environment.path} | xargs)
if [ "$PAM_USER" = "deploy" ]; then
if [ "$PAM_TYPE" = "open_session" ]; then
message="''${PAM_RHOST} has opened an SSH session as part of doing a Nix deployment on ${config.networking.hostName}."
elif [ "$PAM_TYPE" = "close_session" ]; then
message="''${PAM_RHOST} has closed an SSH session as part of doing a Nix deployment on ${config.networking.hostName}."
fi
else
if [ "$PAM_TYPE" = "open_session" ]; then
message="''${PAM_RHOST} opened an SSH session with ${config.networking.hostName} as user ''${PAM_USER}."
elif [ "$PAM_TYPE" = "close_session" ]; then
message="''${PAM_RHOST} closed their SSH session with ${config.networking.hostName} for user ''${PAM_USER}."
fi
fi
if [ -n "$message" ]; then
${pkgs.curl}/bin/curl -i -H "Accept: application/json" -H "Content-Type:application/json" -X POST --data "{\"content\": \"$message\"}" $DISCORD_WEBHOOK_LINK
fi
'';
in mkDefault (mkAfter ''
session required pam_exec.so seteuid ${notify}/bin/notify
'');
}

96
nixos/common/secrets.yaml Normal file
View file

@ -0,0 +1,96 @@
sshd-environment: ENC[AES256_GCM,data:lyzzRDxyNzBgrLthPjdJoXgkniCwLXFZE/GMpLlRzeSvAUN6yc8sFYTmvZiCe/t/33Yr5+BtOhAUI5JzTYJ/kc3Dg4ziB4KbHP4ejPtAb6x2UbEHcN6euPogwXR8lpeO9zJE4gWFOHoYJ4bLa1wuCYgbNkjWDYYHGEoWAMVDU6XYRb3riV21WWIQO/DbC7mAgw==,iv:ZysLG3x0wlxuTYnJrGtrTkjjduMoEOyiWWuC1nRIp4I=,tag:mlNO2yo7JkV2O7A2Da+EjQ==,type:str]
sops:
shamir_threshold: 1
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1n4kdchmkk3rfkaknxhveqr2ftprdpgwckutt23y6u8639lazzuks77tgav
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtY29iK1hkSjlvR0xrd25l
dzhkME5jZGkwSEJEVVBXUW1Dbytka3BONlJVCjZCc2FBbHZ3dU0xRGlXbXZKTDJJ
R21rb2laOFJWN0d4Q3NjWjJYNm4vWk0KLS0tIHRxSkNCSDBORG1mMmRvdmtqazZV
VWpqVkRJZEc3d25oVDE0VEV5Vy96SWsKNH+E3PS2nGtRVjNYW3dAS3eGatkhTP5h
y+UWPIjQfh1uAmo6Fdh6biIcKZGQBOKEsaTcpHsBfWnMeue3nqf8mw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1cnu37d5fqyahh9vvc4hj6z6k8ur9ksuefln7sr6g3emmn927eutqxdawuh
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvemVLSGttZ1lyTkwreXhK
ZDNjQzhnZDNJcTZsSWNBWWcvNDJVUkhPZENRCmQxdkY3MVdSWE95QUpUN1VFcTVW
QnpCQmVoUTVCWlk3UWNTQkhJRUFXT3MKLS0tIFRGUTNlbVYrcjYwNUxrSjMvWDdN
dDJHMC9NazFlQ0tTb0E3TzRIWklLNU0KMCNhW8DXGDWYm2mlzAyikHvgQctt+WJI
1hDcVfEL0cDOpxL7/aqbtCdwQcGE0+suTbVs+pe6kFvgex/oHiiYpw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1nr0qds8w3gldmdvhwu0p6w2ys8f4sd0h3xy94h9dsafjzttaypxquzmswc
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtYnplUFIyZE1WNTBXSVJp
eUNoRTFlZ01vTjMxcFRaU295M0R5U2pKT1h3CllZZmZROWsrSEZHSklqUXdGMWlN
RkNXcVMxOGdzSmxBQlZRQTRiMnFxUkkKLS0tIDFKWnAvT3dobWxQOEU5aHBwMXVP
czR0d1JpbkowUGJ3bHArREZ6WGlobjQKkxfq4O+LjtQTSsqmCCpjLaIJYB+9WI08
2jnso1pI9oZ7sLkvN8vRnNO+9SORuuEpT6Hy7KybZM4UXpwnk/vvTw==
-----END AGE ENCRYPTED FILE-----
- recipient: age18hpxz0ghvswv9k30cle73prvnzrsuczqh87jjdk9fl50j3ddndmq9xae0n
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFajQ3ME5KVnFXeFMvRnF4
VTRiUjB5aXBpTXZ1c2hVM29DbnFFck1SMEdVClE4NCt0MDBQMkdNQ0YzTFk4WWhK
b0hmMmxubEU0WG9kZTJDQ1N6VDV5OGcKLS0tIHI5S052V21mS1VRZ2NTbTJ6Y1gr
V0RWRDFRWmtLWGl3UHhjMXZ2Vm9YTm8K5T3Vy5/Ovmlm86yAZ8VCNjBKHqHCMvtr
jkOcVEkK4Fqj9nWCLu0wl2ZVbtsANc72CnXmZwxHaAUIPdx9xWEhig==
-----END AGE ENCRYPTED FILE-----
- recipient: age1xgy03g3vjydsxcl0qpdgm8rahjcjq95ucxfwlgr22zwjx3p7jf2s9jk6u5
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6K1EvMXZZUHF4dHdkQisz
K3NhL0hzTVBMUnhTK3VZaHVHUE1CNkFLTkNVCjNiSXl5MTMyQXczVkx5Q0l3VDUz
MlpyK0U1b2RUSk1QNC9VTGVCSThHaFkKLS0tIHUrVzBEK0hhSVR1WVF5VTZnOGgz
SWxOWktYVkZCNGVTZU9kaWFIbzVyb1EKkAGvXuomvWeTRWFM2kPfArqEpBL+NJ29
GNDKxx3NQH0BEeudT7LZhj0mWn1963T8Yp2/4OiGvKYHQPUzHa5Q4A==
-----END AGE ENCRYPTED FILE-----
- recipient: age1fv5dafs4n3r5n83qm2hfz7xmnflsz0xf9r3saralrptpgf8mvuxq4t8k3u
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmM25pTFlrbEExQnpDT2dy
NlpIT3FMWU9RVEx3VndHVGNVT1lYOTBKM3dVCmF5MU5ESEs1dTRmbFp6MmpyM2NN
MGRTelBMSU1XK1NteE9lbUpFQW5wQlkKLS0tIHRWTFBwTXcxbnM3Q1BPT1lzWkdo
U013SHFDeitxOThieXRjaTM4ei9sdWcKMnNtZUyguRGkvfqznbCdaqT8Q3BttPQo
fsUAk4bofW4jLvj96JLBtB280atU8k0oIuZbuz1dEMINDtgvIfadTw==
-----END AGE ENCRYPTED FILE-----
- recipient: age120530yclr75k6nrzp6k5jjftj8j4q9v3533guupzk4ct86mjxszqg9e5t5
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtRldzUnRaUk05MVZob1VG
cm1MeDNqUEgxbjJLb1hoQ004TVB1TzZWbkY4Ckl3N05ObHZsRXp2VUYwL0RKSlR4
WVEyYlAxTDRtYWhGZE9SbUJaK1hDVzgKLS0tIDRLZ3BmMWlRMTR5c1hWOHByell6
N0hTL1A1MVE2MldocTFWZzc1OENobkUKUseg2IGSClvmrq6vlnF1sCgYlUaH4Ke0
sDdpVwg1b5WLwbZFeE/Ro1gRY3s+9iDFrU3Rh95R1KmigpMVYz1ILQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-07-04T21:22:16Z"
mac: ENC[AES256_GCM,data:5obbMHWEPm7KhJGWXpsKvGI99sJCx8hScIbS2vo3Ua0fvTwML8tkC3gsfLwaZ0D3KGHN6qxyjvP8ajIoxRK2Lj6G2FOWo7gmNzw9ULu+kPj53dqbmy/c3EeZU3WFNaRFXiQx0C80k8YFzPXQAkF/X5NdaRYRL6BFvPRRuq83Uds=,iv:EaeI+Z3e/QZIlU+EIGg+9sDFPtcfnVs8TQvvROOujg4=,tag:+P6U0/+b4nkZNob5fJ6pkg==,type:str]
pgp:
- created_at: "2024-07-04T21:21:19Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA82M54yws73UAQ/9HQ2oLUOQb1YLxMFnDhezNbjXxdUlMULwKLllGxRJ4joC
wonWbDL/AzXeK96ojI5xNZVGWFGnUArnpQRPpgHo/J8OKphSJ49oPxnDpuK2xa2x
yVR0CxPxqWUovFUABhk12Fp8g0iMa/+/GU+UuGQsMn9ncIZ9btqeTEXX9cn/+IM1
KWbfsuyYMtML13kSmKZDxazXE7v5RTlEf/VAGACqSuiVbZjUr7n/92spR1r3WKDj
7FJB4hrnvyd4ShgxsQtb27U+9R2zgl5LioaIpNwrnsDy9LDgjzKLpzT6x/zp9m90
Ws3A8sBsDQ2wE8nNi/uZUcIY9eNXsZQsTQqzE1vSrQsy8IgMJ7U7N2oXSezNlPPP
Jnm+jAcbW/Qly7aqOEQb+BqGhe03b+UxZX6HxS8USiiRKP8E3l8e81Wc0IYP76uj
CJWt7vhv2wCPMc8606BpvzFHH3fOIved/D+q+W8YBp43zJY4zMo00wBQd/az3z/P
O0k5mZDnVldZLiUA8/oXdz5gd1VpuoJzEM2u8Fm5sjESVrscyX0NL9YQW9wW4n8G
/0X0dXKnLf8aJKl0vU0zGNips+1lZUb+JRV8v6qPecgYvEyesRbeDjT96h1ZHD3S
y/wjuV4G6NYNmWbpN3uffIyo0r9QylM8FQcuLdOyVS7Aj/GJyJQ7TsL/SCJSfGfS
XgHcwNJhIQnBn2i0aZwPxkoBBSga8GP1IC8ezevpRseVgWWLDi0NwZK1vN1yBNze
JXpve2W/4KtXvAql0u4UX5BTSlW5ew4FaBEJL/sE1RU80xvPiTtiINr1Y8g2Qww=
=DFqp
-----END PGP MESSAGE-----
fp: CD8CE78CB0B3BDD4
unencrypted_suffix: _unencrypted
version: 3.8.1

1
nixos/profiles/gaming/lutris.nix
View file

@ -1,7 +1,6 @@
{pkgs, ...}: { {pkgs, ...}: {
hardware.opengl = { hardware.opengl = {
driSupport32Bit = true; driSupport32Bit = true;
driSupport = true;
}; };
hardware.opengl.extraPackages = with pkgs; [ hardware.opengl.extraPackages = with pkgs; [
rocm-opencl-icd rocm-opencl-icd

53
nixos/profiles/server/nix.nix
View file

@ -5,20 +5,63 @@ in {
automatic = true; automatic = true;
dates = "weekly"; dates = "weekly";
}; };
sops.secrets.nix-gc-environment = { sops.secrets.nix-gc-environment = {
sopsFile = ./secrets.yaml; sopsFile = ./secrets.yaml;
}; };
systemd.services.nix-gc = { systemd.services.nix-gc = {
script = let script = let
cfg = config.nix.gc; cfg = config.nix.gc;
in mkForce '' in mkForce ''
${pkgs.curl}/bin/curl -vvvv -i -H "Accept: application/json" -H "Content-Type:application/json" -X POST --data "{\"content\": \"Beginning nix garbage collection on ${config.networking.hostName}.${config.networking.domain}\"}" $DISCORD_WEBHOOK_LINK #!/usr/bin/env bash
OUTPUT=$(${config.nix.package.out}/bin/nix-collect-garbage ${cfg.options}); set -euo pipefail
${pkgs.curl}/bin/curl -vvvv -i -H "Accept: application/json" -H "Content-Type:application/json" -X POST --data "{\"content\": \"Finished nix garbage collection on ${config.networking.hostName}.${config.networking.domain}\"}" $DISCORD_WEBHOOK_LINK
${pkgs.curl}/bin/curl -vvvv -i -H "Accept: application/json" -H "Content-Type:application/json" -X POST --data "{\"content\": \''${OUTPUT}\"}" $DISCORD_WEBHOOK_LINK # Helper functions
send_discord_message() {
local message="$1"
local escaped_message=$(printf '%s' "$message" | ${pkgs.jq}/bin/jq -R -s '.')
${pkgs.curl}/bin/curl -s -H "Accept: application/json" -H "Content-Type: application/json" \
-X POST --data "{\"content\": $escaped_message}" "$DISCORD_WEBHOOK_LINK"
}
get_filesystem_usage() {
${pkgs.coreutils}/bin/df -h / | ${pkgs.gawk}/bin/awk 'NR==2 {print $5 " (" $3 ")"}' | tr -d '\n'
}
calculate_ratio() {
local before="$1"
local after="$2"
${pkgs.gawk}/bin/awk "BEGIN {printf \"%.2f\", ($after / $before) * 100}"
}
# Initial filesystem usage
FS_BEFORE_USAGE=$(get_filesystem_usage)
send_discord_message "Beginning nix garbage collection on ${config.networking.hostName} - Filesystem usage before: $FS_BEFORE_USAGE"
# Perform garbage collection
OUTPUT=$(${config.nix.package.out}/bin/nix-collect-garbage ${cfg.options})
# Get filesystem usage after garbage collection
FS_AFTER_USAGE=$(get_filesystem_usage)
# Extract numeric values for calculation (assuming format like "75% (15G)")
BEFORE_PERCENT=$(echo $FS_BEFORE_USAGE | ${pkgs.coreutils}/bin/cut -d'%' -f1)
AFTER_PERCENT=$(echo $FS_AFTER_USAGE | ${pkgs.coreutils}/bin/cut -d'%' -f1)
# Calculate ratio
RATIO=$(calculate_ratio $BEFORE_PERCENT $AFTER_PERCENT)
send_discord_message "Finished nix garbage collection on ${config.networking.hostName} - Filesystem usage: $FS_BEFORE_USAGE -> $FS_AFTER_USAGE ($RATIO%)"
# Send the output of nix-collect-garbage
send_discord_message "$OUTPUT"
''; '';
serviceConfig = { serviceConfig = {
EnvironmentFile = config.sops.secrets.nix-gc-environment.path; EnvironmentFile = config.sops.secrets.nix-gc-environment.path;
Type = "oneshot";
}; };
}; };
} }

97
nixos/profiles/server/secrets.yaml
View file

@ -9,60 +9,87 @@ sops:
- recipient: age1n4kdchmkk3rfkaknxhveqr2ftprdpgwckutt23y6u8639lazzuks77tgav - recipient: age1n4kdchmkk3rfkaknxhveqr2ftprdpgwckutt23y6u8639lazzuks77tgav
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuQ3piaWxpa1N4ZFRTdkhw YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrM1ZZbHlVazdHUWVtK1NT
d3BLOXdCd2NDeDJmcGl2UkxlV2RGMUdlYzFVCndmNk44aUVHRExJUmJXU2RpeHN2 ZmYyN1JNa2E2S3NldWR6dEFiNElCcWUvMXg0Ck5TeUs3REtzMVkvR2V2QlhvUWdB
c0Y5bnQyZ2IyaFVuTHBkdHR2cFlldEEKLS0tIGpjUkZpL01BemdQb3JFL3crQS8w eHJ4Nkl2MitIeitSci9KS1RRalRoMWsKLS0tIGdwL3RnNno0d1hRNFhRSUthU2hH
dlZmMjJtcHl2NUU3bzV1dzBQK0FmY1UKiKRO7lTSpF7DYhR6eO0AhW4jsWMC9Etm YUhWVjZiaTVyYmhZUDQrcUJ1T0Q2aUEKtkAw4R9MFUviuJkdXxHJyUzA2Syf23d8
Bcc6Zpec0QKgmoy63aDj6+Fx0V5fCVX1Lis0PADpeNIn9Dshv5ouGg== vPTA71uwvKYHu49/xmkV8Dw06V0nIC8DVkoiraeiElP0c49msbuqaw==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1cnu37d5fqyahh9vvc4hj6z6k8ur9ksuefln7sr6g3emmn927eutqxdawuh - recipient: age1cnu37d5fqyahh9vvc4hj6z6k8ur9ksuefln7sr6g3emmn927eutqxdawuh
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKbFRvTXQrK1ZNWWxPblB5 YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzeUdIOWx2R3V5QjArR0Y2
MGVsaUx4MzRlcW4xVkZNczFRdzBlM3VQQVV3CjdXUk9IVC9NRDBNeUMrSUo2anFS amJNUVg5d3NBcmNaNE9LWkFOeU9UcnV6WEJBClNFTzQ0TWxhNnBSOE55UjRuSXV4
eUhNYWZvdEhJamVYcXJXUExwdFQwb1kKLS0tIHZqNlFhWXZHSDAvdkFtMVhSdnlI dWJmdzZ5ZEVURmRNaVRqQSttZUwzaGMKLS0tIHorc3lBYkNLYWtWSzVJczlJS2VH
amhncGFzbktNVThyTHl6NFdMc3N5SFkK9NDy5U7Bfl6t8sSZem+EbqD5yW3ZHiex cDhxTmJzclM2c3Z4SEJGaDkrWUFJMzAKJpMErKgrSfibubv9FkPVGqM5+nyB8tqb
PUac2UJvy5Q8QA3knQUUtLuLAuE5WrpIOzV8w8YnMYpDBhZtwO9uDg== FKqpd/p/jDVYFTH2RmwmzSQZP0Pjjl0nKYfi0pC/K9716HE7uTy7Ww==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1nr0qds8w3gldmdvhwu0p6w2ys8f4sd0h3xy94h9dsafjzttaypxquzmswc - recipient: age1nr0qds8w3gldmdvhwu0p6w2ys8f4sd0h3xy94h9dsafjzttaypxquzmswc
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIWFlRUFl2OHhuWnFWblBH YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHSTNSWnVBT2pyTTdCYVRV
bWtRamd4ZDRURHRSYWRFc2tabWg1QTk1Vm1FCkV0akNpNTRxUURzQjQ3RHJMOFVI TWNNek1TNzI2dkJzVGZDUjlFbkF2Um54QkJRClcyU096ZUFhRXMyd3o1RTFkK0xx
T3lDZkFzdER3bmszcVVWZ1h1eWxwZXMKLS0tIFJianRjUm1tOWlxTGkxTkJ4a2hq K00xcTBTakxaa3hJRWpPWTV2aXdpQ2MKLS0tIHFvOERJRThQVStCejN2VVh0eENT
Z2lERWpVaXhqRDQ3YlpndTdKUklUcjgK5XCk4qbAerT2AfOlpjKK4sUTdAN3Edt0 WGRPV05WZHR0RzNWZ3NHV1RJMEZsRVUKbJR3qG7KTGgUsnsajndrUN+FNW+E3Rfu
XleLhGq+bPG3CHUEN7SIaoHh4fyCpwcNGJPAcmeGY1yJZh8y0UQvSw== 4bHisR1/sFINs9P25E4F353Ld5fVyt9+zkUO+GuHd2WEc1Hgge8HvQ==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age18hpxz0ghvswv9k30cle73prvnzrsuczqh87jjdk9fl50j3ddndmq9xae0n - recipient: age18hpxz0ghvswv9k30cle73prvnzrsuczqh87jjdk9fl50j3ddndmq9xae0n
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2YlMzam1CMmFoSXVwWjdY YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzTG1UUG51RVFXQTdHOEVO
bC9hem5manl2RngvMm1FdDU0anZlL0pDdHpZClhOdlVrM05aek1sMUdQdHNvRTRp L3ptclplbVgvUktMTDgrSENVL2FVaEc2TEN3Ci9CL0JQNnFzdjR6aFJHc3g2VUN0
UEZ4LzFXM3NtRzA0Nm80OFlGSWlnMW8KLS0tIGRPZWhRVStiUm9tYjErWmpZa3A4 V1UxUVkzcjI0aXZYb0Y3RlZBK3lSM0UKLS0tIGZpbi9Ba0dXY1E4c0Q1ZkZOYjlG
aDJmdGUxZWdqbXFjeCt4dHlSVDE4TEkKz+z1s1MvGcyVIPLQEnFFm1YpDDUc2KBf Nk1mbWR2MGFWZEdWbThWc2lNNWpwU28KDvpGGsTyRjyHvOjVyMzvjZa36y0WXcej
p92AFO+1CXZsQTKY6eRPIUxkXPKXsBYPosy7Z34mBKmjlrvxrM+2OA== FLjDVQt4MGQ6u/r91MMPk2rT5N1UPWDoraKKC6HZ+cw/UcgGgd4CNQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1xgy03g3vjydsxcl0qpdgm8rahjcjq95ucxfwlgr22zwjx3p7jf2s9jk6u5
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0dGdUeDZ3bzRDYVE0ZXIy
Ylc0Nk10UmpCV3JLWnY3SjdKKy9jTWpzSWxvClpyNTN3RnZiTmxGVjZIQzkyWXhq
NlgrV3RXMWZyMjRsUzltSTgxeThBbVEKLS0tIEtJZTJaekZkK1lpVThDTXZTUmRN
d1BES0pXSzZGV0xybjc4N2w5RTV5NU0K2EY6/uS0ZR9TxFywTXrbWwlQZ7M7NzxI
dDyeK+kMVhBXEyVO4j+uZPBAs8b2lih7AZPAioTiz/wh9PieaI2k5g==
-----END AGE ENCRYPTED FILE-----
- recipient: age1fv5dafs4n3r5n83qm2hfz7xmnflsz0xf9r3saralrptpgf8mvuxq4t8k3u
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2SGpEZmFTOWRtT25XM0ll
SXVMVXBPTC9LQ3d6cG5NY2dqSmtldWJMdENFCjVyWm4vM2lHQW5nS0FkZFVjZGhV
eFk1NWRPZVJVaEN2ZXJXTUlEaHRnQTgKLS0tIGRQek41bTNXZXBJRDdtWklRM3pC
NzRyWXAyOFVlYXZOc0lxTGl5b3d0RWsKH0+TdY7D/mApS+110QGE09MdZh/RcSyh
9oNy3EDpB7GOy/UcMLz8Cl6rgMg8gsQwvDfRRig9HsCWY5lNXs/W1g==
-----END AGE ENCRYPTED FILE-----
- recipient: age120530yclr75k6nrzp6k5jjftj8j4q9v3533guupzk4ct86mjxszqg9e5t5
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaUGphZU9XL2M1Zm8ydG52
b0dYeThiaitUMkZjSkdacG1tOXM4YlE3MzFFCllZOVBSaGx1NkxINGhqRkhtZjNC
OU8vSzFxdkpBV2pNNzBFN0t3S1hyc2sKLS0tIGRJMXhzVlBUd091THJLSXUxVXVn
OGVicjRPMG1IcFdMckw4QmVyd05Lb1UKjbtiQonzA3nKWxRCcseRQsNmG+qgN71j
YSsTOP1ClhKnbBdldiRjGDyyuZ0XQQ1nXjcEwntlQ7PP08O/zwSsOw==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2024-06-25T03:22:44Z" lastmodified: "2024-06-25T03:22:44Z"
mac: ENC[AES256_GCM,data:2uVqMaPYgG2hbkMZCd3xJjjoEJqsGhFEXAq4p+X7YWO4hwB+H/REJJkHCUBegggWJtKA1zDKDIVzvZv3BeRaIe63Kaj2A/7c3qwjCsBpzm5DdJ3WrlAIffFSgOs7jUyFwQtP0ZsbHigsr/rA5NqDeC+4hVHg9XKgLXKyPoVk+iM=,iv:rzf0xQGfGMirg1wwe3paq1+lNdISerFXRUsPLtZ09m0=,tag:6xkM9kvN/8NqzTYB5eHbVA==,type:str] mac: ENC[AES256_GCM,data:2uVqMaPYgG2hbkMZCd3xJjjoEJqsGhFEXAq4p+X7YWO4hwB+H/REJJkHCUBegggWJtKA1zDKDIVzvZv3BeRaIe63Kaj2A/7c3qwjCsBpzm5DdJ3WrlAIffFSgOs7jUyFwQtP0ZsbHigsr/rA5NqDeC+4hVHg9XKgLXKyPoVk+iM=,iv:rzf0xQGfGMirg1wwe3paq1+lNdISerFXRUsPLtZ09m0=,tag:6xkM9kvN/8NqzTYB5eHbVA==,type:str]
pgp: pgp:
- created_at: "2024-06-25T03:21:52Z" - created_at: "2024-07-03T16:38:04Z"
enc: |- enc: |-
-----BEGIN PGP MESSAGE----- -----BEGIN PGP MESSAGE-----
hQIMA82M54yws73UAQ/8CQAUzNv2BxCf8d+XPW+NeV5XsTqk06/QdFmyhguS4fn7 hQIMA82M54yws73UARAArVDBsn02FJbl6OXIW1YrT4O96F7wMuJYF5w9Qw1sMudi
eyclxiww6FBspxX8WxfLsE3qLjA1cGRv8W8kvZMzuIiJW7BECnzUvANNci3STl3w BKnZeiM9gJQPPgr9J/Pb5FGR6KQQzcz7ogYgZHGvxdDgIdqwSXWpP9Y3W0qCEZfc
Ei4zkWCuXYdgO0nbfzvv2MyXSdw5nnJIRpbh/QyR7UOJkHHkurtLXCupNImZUN0d y/BDfdGyOWa3cTMVQg7gO6nnhu/02hjUT/+dRe+kDwbm7Jn5o+SZBM+136YaQeiO
FKzM+Y0rM/rDQvNxk216T0eAE68su+wzNbPEgYzMSq/0N5kFl+31JU7hRdXf1+Kd 8Wqfa2pGPCMkh/CzrvywuD66Y8nYm75ViqzFsh0SzCw3huOQBn5tGYWbaoLz7IPk
MFFwu8owk/G0pqkOx3jIV5sia97CZbG7pZLNwfXTngVum/neRGCwNf+Ub4S51K0s +j9Yl7FAeWPVCV2mlQ+G0szZiZ7ouYv7e/xkDk7n+Z6hxzuqAg2LgCgVOhH2bDfa
pQZHDFgacRUCKkJs2XXZcYQHEn2NQ+z+6rvnmOEsMMRM2X+g1+6SocL2Rf6VZgDo LdWzdOD7wEdLwfT7hAf8EnaF5CcjShox0XqsUptXqBUu84A/8JH3vKFVN4JxO9YP
UNr6oUplzMdJFRM8ymqP6IsVK/L8NQF9sna2MevtDGxoFV6Dl2mOzyHUCCaHyp0O hviLuXk+VsIiFoIL6qvGbdtaqWPG8JN+OdtekLX3S0OHFltdPh1Jxyomh4+CCvLh
sWiIsnkogFDGOH7OjUSvTjv/o5RbeHGyLzzAYg8ZKRyqhdhzF+QFToQ4mqzyjrAd KlrkGMRC8xcff/p/mTSr+aiHbjqU3aEf+tNJyk/2ghHCCOcXTc3FuFhx87+NhVW5
NEqDgAYolgOPg2NmDpuBBnHwJhNQDaWA3wDDSEtH++xrjgZy0vovM79HUwYOGyPK u75Swb4u05cZSzDY3Ie3xmim5kvM7IyNwSJ4dyEHpGDmHUXQxGQPVsNGtImeyM7l
mOjl2CM52QFaORmSj561TgfOAO2ulVPIjXa88w9mFyyNqsecqWevQFBYn9/V7Yz0 AmVkSi3LfyV/DGBDy3iQbqotREd7OQEHnPFH0YFlr1PsM17Y6JrXHlSxDT7FsIg0
5SpnUpxhJ50ZeY/IZa5rz+JoZmX+Gg+dwqvG58o1Nh21tQzFemApi7FC1HqwukPS 6q593i+BV5tdfKc1UF77FOvxlr3wnxy9pXxKSNUoOTLzoeGadaJ3aV8ukVzNyXLS
XgEhEqzHm2ayA9wTLyFkaZeIMQyCm/bm3i0PN4N9yojq6/g3wXK2k/tld208ro5m XgELL1usQe/o03hxjEeQJuy1VEl0QRk8Y/6wtQDuJXG5Y/fwxl8XRn1ck12soU5P
682qNj7bIeWqwdfZxdmdgzutqojV1zrfaC2iYLd58waxua6w9UbE9jvkg0cz6H8= 3tV5aAiPjLrAFz1gopYHel+pSaKTUDavD5TBJ2jR+oswWRdFOlF5qYoEwlA7ADI=
=ceQ3 =TE06
-----END PGP MESSAGE----- -----END PGP MESSAGE-----
fp: CD8CE78CB0B3BDD4 fp: CD8CE78CB0B3BDD4
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted

146
packages/synapse-cleanup/cleanup.sh
View file

@ -1,52 +1,120 @@
#!/usr/bin/env bash #!/usr/bin/env bash
set -euo pipefail set -euo pipefail
# Provide $HOMESERVER and $API_ID into the program via environment, or uncomment the two below lines: # Configuration
#read -p "Enter the homeserver name, without https:// prefix: " HOMESERVER HOMESERVER=${HOMESERVER:-""}
#read -sp "Enter the admin user token required: " API_ID API_ID=${API_ID:-""}
DISCORD_WEBHOOK_LINK=${DISCORD_WEBHOOK_LINK:-""}
TEMPDIR=$(mktemp -d) TEMPDIR=$(mktemp -d)
database_before_size=$(sudo -u postgres psql matrix-synapse -c "SELECT pg_size_pretty(pg_database_size( 'matrix-synapse' ));" | sed -n "3p") MONTHS_TO_KEEP=1
media_store_before_size=$(sudo du /var/lib/matrix-synapse/media_store -hd 0 | awk '{print $1}')
curl -i -H "Accept: application/json" -H "Content-Type:application/json" -X POST --data "{\"content\": \"Beginning matrix-synapse optimization process - Database before size: ${database_before_size}, Media store before size: ${media_store_before_size}\"}" $DISCORD_WEBHOOK_LINK
echo "Starting synapse, just to make sure it is online for these requests" # Helper functions
systemctl start matrix-synapse send_discord_message() {
sleep 5 local message="$1"
local escaped_message=$(printf '%s' "$message" | jq -R -s '.')
curl -s -H "Accept: application/json" -H "Content-Type: application/json" \
-X POST --data "{\"content\": $escaped_message}" "$DISCORD_WEBHOOK_LINK"
}
echo "Collecting required room data" get_db_size() {
curl --header "Authorization: Bearer ${API_ID}" "https://${HOMESERVER}/_synapse/admin/v1/rooms?limit=500" > "${TEMPDIR}/roomlist.json" sudo -u postgres psql matrix-synapse -t -c \
jq '.rooms[] | select(.joined_local_members == 0) | .room_id' < "${TEMPDIR}/roomlist.json" > "${TEMPDIR}/to_purge.txt" "SELECT pg_size_pretty(pg_database_size('matrix-synapse'));" | tr -d ' '
jq '.rooms[] | select(.joined_local_members != 0) | .room_id' < "${TEMPDIR}/roomlist.json" > "${TEMPDIR}/history_purge.txt" }
ts=$(( $(date --date="1 month ago" +%s)*1000 ))
echo "Cleaning up media store" get_media_store_size() {
curl --header "Authorization: Bearer ${API_ID}" -X POST "https://${HOMESERVER}/_synapse/admin/v1/media/delete?before_ts=${ts}" sudo du /var/lib/matrix-synapse/media_store -hd 0 | awk '{print $1}'
media_store_after_size=$(sudo du /var/lib/matrix-synapse/media_store -hd 0 | awk '{print $1}') }
echo "Deleting empty rooms" get_filesystem_usage() {
rooms_to_remove=$(awk -F '"' '{print $2}' < "${TEMPDIR}/to_purge.txt") df -h / | awk 'NR==2 {print $5 " (" $3 ")"}' | tr -d '\n'
for room_id in $rooms_to_remove; do }
if [ -n "${room_id}" ]; then
curl --header "Authorization: Bearer ${API_ID}" -X DELETE -H "Content-Type: application/json" -d "{}" "https://${HOMESERVER}/_synapse/admin/v2/rooms/${room_id}" calculate_ratio() {
local before="$1"
local after="$2"
awk "BEGIN {printf \"%.2f\", ($after / $before) * 100}"
}
# Main script
main() {
# Check for required variables
if [[ -z "$HOMESERVER" || -z "$API_ID" || -z "$DISCORD_WEBHOOK_LINK" ]]; then
send_discord_message "Error: HOMESERVER, API_ID, and DISCORD_WEBHOOK_LINK must be set."
exit 1
fi fi
done
rooms_to_clean=$(awk -F '"' '{print $2}' < "${TEMPDIR}"/history_purge.txt) # Initial sizes and usage
echo "Deleting unnecessary room history" local db_before_size=$(get_db_size)
for room_id in $rooms_to_clean; do local media_before_size=$(get_media_store_size)
curl --header "Authorization: Bearer ${API_ID}" -X POST -H "Content-Type: application/json" -d "{ \"delete_local_events\": true, \"purge_up_to_ts\": ${ts} }" "https://${HOMESERVER}/_synapse/admin/v1/purge_history/${room_id}" local fs_before_usage=$(get_filesystem_usage)
done
echo "Last optimization steps, database optimization, shutting down Synapse" send_discord_message "Beginning matrix-synapse optimization process - Database before size: ${db_before_size}, Media store before size: ${media_before_size}, Filesystem usage before: ${fs_before_usage}"
systemctl stop matrix-synapse
sudo -u matrix-synapse synapse_auto_compressor -p "postgresql://matrix-synapse?user=matrix-synapse&host=/var/run/postgresql/" -c 500 -n 100 send_discord_message "Starting synapse"
sudo -u postgres psql matrix-synapse -c "REINDEX (VERBOSE) DATABASE \"matrix-synapse\";" systemctl start matrix-synapse
sudo -u postgres psql matrix-synapse -c "VACUUM FULL VERBOSE;" sleep 5
rm -rf "${TEMPDIR}" send_discord_message "Collecting required room data"
echo "Synapse cleanup performed, booting up" curl --header "Authorization: Bearer ${API_ID}" \
systemctl start matrix-synapse "https://${HOMESERVER}/_synapse/admin/v1/rooms?limit=500" > "${TEMPDIR}/roomlist.json"
database_after_size=$(sudo -u postgres psql matrix-synapse -c "SELECT pg_size_pretty(pg_database_size( 'matrix-synapse' ));" | sed -n "3p")
curl -i -H "Accept: application/json" -H "Content-Type:application/json" -X POST --data "{\"content\": \"Matrix-synapse optimization process finished - Database after size: ${database_after_size}, ratio: ${database_ratio}, Media store after size: ${media_store_after_size}, ratio: ${media_store_ratio}\"}" $DISCORD_WEBHOOK_LINK jq '.rooms[] | select(.joined_local_members == 0) | .room_id' < "${TEMPDIR}/roomlist.json" > "${TEMPDIR}/to_purge.txt"
jq '.rooms[] | select(.joined_local_members != 0) | .room_id' < "${TEMPDIR}/roomlist.json" > "${TEMPDIR}/history_purge.txt"
local ts=$(( $(date --date="${MONTHS_TO_KEEP} month ago" +%s)*1000 ))
send_discord_message "Cleaning up media store"
curl --header "Authorization: Bearer ${API_ID}" -X POST \
"https://${HOMESERVER}/_synapse/admin/v1/media/delete?before_ts=${ts}"
send_discord_message "Deleting empty rooms"
while read -r room_id; do
if [ -n "${room_id}" ]; then
curl --header "Authorization: Bearer ${API_ID}" -X DELETE \
-H "Content-Type: application/json" -d "{}" \
"https://${HOMESERVER}/_synapse/admin/v2/rooms/${room_id}"
fi
done < <(jq -r '.[]' "${TEMPDIR}/to_purge.txt")
send_discord_message "Deleting unnecessary room history"
while read -r room_id; do
curl --header "Authorization: Bearer ${API_ID}" -X POST \
-H "Content-Type: application/json" \
-d "{ \"delete_local_events\": true, \"purge_up_to_ts\": ${ts} }" \
"https://${HOMESERVER}/_synapse/admin/v1/purge_history/${room_id}"
done < <(jq -r '.[]' "${TEMPDIR}/history_purge.txt")
send_discord_message "Performing database optimization"
systemctl stop matrix-synapse
send_discord_message "Running synapse_auto_compressor"
sudo -u matrix-synapse synapse_auto_compressor \
-p "postgresql://matrix-synapse?user=matrix-synapse&host=/var/run/postgresql/" \
-c 500 -n 100
send_discord_message "Reindexing database"
sudo -u postgres psql matrix-synapse -c "REINDEX (VERBOSE) DATABASE \"matrix-synapse\";"
send_discord_message "Vacuuming database"
sudo -u postgres psql matrix-synapse -c "VACUUM FULL VERBOSE;"
rm -rf "${TEMPDIR}"
send_discord_message "Synapse cleanup performed, booting up"
systemctl start matrix-synapse
# Final sizes, usage, and ratios
local db_after_size=$(get_db_size)
local media_after_size=$(get_media_store_size)
local fs_after_usage=$(get_filesystem_usage)
local db_ratio=$(calculate_ratio "${db_before_size//[A-Za-z]/}" "${db_after_size//[A-Za-z]/}")
local media_ratio=$(calculate_ratio "${media_before_size//[A-Za-z]/}" "${media_after_size//[A-Za-z]/}")
send_discord_message "Matrix-synapse optimization process finished -
Database: ${db_before_size} -> ${db_after_size} (${db_ratio}%),
Media store: ${media_before_size} -> ${media_after_size} (${media_ratio}%),
Filesystem usage: ${fs_before_usage} -> ${fs_after_usage}"
}
# Run the main function
main

2
systems/default.nix
View file

@ -168,7 +168,7 @@
(set.optional ((list.elem name (set.keys serverLocations)) && host.folder == "nixos") { (set.optional ((list.elem name (set.keys serverLocations)) && host.folder == "nixos") {
${name} = { ${name} = {
hostname = serverLocations.${name}; hostname = serverLocations.${name};
sshUser = "root"; sshUser = "deploy";
sshOpts = ["-oControlMaster=no" "-oControlPath=/tmp/willneverexist" "-p" "${builtins.toString (builtins.head inputs.self.nixosConfigurations.${name}.config.services.openssh.ports)}"]; sshOpts = ["-oControlMaster=no" "-oControlPath=/tmp/willneverexist" "-p" "${builtins.toString (builtins.head inputs.self.nixosConfigurations.${name}.config.services.openssh.ports)}"];
}; };
}) })