bicep/mysql: enable slow query logs

bicep/synapse: enable auto-compressor timer
bicep/mysql: pin version, upgrade from 11.4 -> 11.8
2026-02-20 08:57:53 +01:00 · 2026-01-28 14:55:52 +09:00 · 2026-01-28 14:50:57 +09:00 · 2026-01-28 14:01:14 +09:00 · 2026-01-28 14:00:25 +09:00
4 changed files with 65 additions and 3 deletions
--- a/hosts/bicep/services/matrix/default.nix
+++ b/hosts/bicep/services/matrix/default.nix
@@ -1,8 +1,9 @@
 { config, ... }:
 {
  imports = [
-    ./synapse.nix
    ./synapse-admin.nix
+    ./synapse-auto-compressor.nix
+    ./synapse.nix
    ./element.nix
    ./coturn.nix
    ./livekit.nix
--- a/hosts/bicep/services/matrix/synapse-auto-compressor.nix
+++ b/hosts/bicep/services/matrix/synapse-auto-compressor.nix
@@ -0,0 +1,56 @@
+{ config, lib, utils, ... }:
+let
+  cfg = config.services.synapse-auto-compressor;
+in
+{
+  services.synapse-auto-compressor = {
+    # enable = true;
+    postgresUrl = "postgresql://matrix-synapse@/synapse?host=/run/postgresql";
+  };
+
+  # NOTE: nixpkgs has some broken asserts, vendored the entire unit
+  systemd.services.synapse-auto-compressor = {
+    description = "synapse-auto-compressor";
+    requires = [
+      "postgresql.target"
+    ];
+    inherit (cfg) startAt;
+    serviceConfig = {
+      Type = "oneshot";
+      DynamicUser = true;
+      User = "matrix-synapse";
+      PrivateTmp = true;
+      ExecStart = utils.escapeSystemdExecArgs [
+        "${cfg.package}/bin/synapse_auto_compressor"
+        "-p"
+        cfg.postgresUrl
+        "-c"
+        cfg.settings.chunk_size
+        "-n"
+        cfg.settings.chunks_to_compress
+        "-l"
+        (lib.concatStringsSep "," (map toString cfg.settings.levels))
+      ];
+      LockPersonality = true;
+      MemoryDenyWriteExecute = true;
+      NoNewPrivileges = true;
+      PrivateDevices = true;
+      PrivateMounts = true;
+      PrivateUsers = true;
+      RemoveIPC = true;
+      RestrictNamespaces = true;
+      RestrictRealtime = true;
+      RestrictSUIDSGID = true;
+      ProcSubset = "pid";
+      ProtectProc = "invisible";
+      ProtectSystem = "strict";
+      ProtectHome = true;
+      ProtectHostname = true;
+      ProtectClock = true;
+      ProtectKernelTunables = true;
+      ProtectKernelModules = true;
+      ProtectKernelLogs = true;
+      ProtectControlGroups = true;
+    };
+  };
+}
--- a/hosts/bicep/services/mysql.nix
+++ b/hosts/bicep/services/mysql.nix
@@ -13,7 +13,7 @@ in

  services.mysql = {
    enable = true;
-    package = pkgs.mariadb;
+    package = pkgs.mariadb_118;
    settings = {
      mysqld = {
        # PVV allows a lot of connections at the same time
@@ -24,6 +24,9 @@ in
        # This was needed in order to be able to use all of the old users
        # during migration from knakelibrak to bicep in Sep. 2023
        secure_auth = 0;
+
+        slow-query-log = 1;
+        slow-query-log-file = "/var/log/mysql/mysql-slow.log";
      };
    };

@@ -76,6 +79,8 @@ in
    serviceConfig = {
      BindPaths = [ "${dataDir}:${cfg.dataDir}" ];

+      LogsDirectory = "mysql";
+
      IPAddressDeny = "any";
      IPAddressAllow = [
        values.ipv4-space
--- a/hosts/bicep/services/postgres.nix
+++ b/hosts/bicep/services/postgres.nix
@@ -5,7 +5,7 @@ in
 {
  services.postgresql = {
    enable = true;
-    package = pkgs.postgresql_15;
+    package = pkgs.postgresql_18;
    enableTCPIP = true;

    authentication = ''
Author	SHA1	Message	Date
h7x4	49d1122ee5	bicep/mysql: enable slow query logs	2026-01-28 14:55:52 +09:00
h7x4	31bbf4b25f	bicep/synapse: enable auto-compressor timer	2026-01-28 14:50:57 +09:00
h7x4	2f7e1439d0	bicep/mysql: pin version, upgrade from 11.4 -> 11.8	2026-01-28 14:01:14 +09:00
h7x4	fa31a84bd2	bicep/postgres: upgrade from 15 -> 18	2026-01-28 14:00:25 +09:00