bicep/postgres: add cleanup timers

bicep/matrix/livekit: open the rtc ports
base/hardening: ban a few more modules
2026-05-21 05:51:12 +02:00 · 2026-05-21 04:14:34 +09:00 · 2026-05-20 20:04:33 +02:00 · 2026-05-20 23:15:25 +09:00 · 2026-05-20 23:15:25 +09:00
4 changed files with 57 additions and 5 deletions
--- a/base/mitigations.nix
+++ b/base/mitigations.nix
@@ -1,7 +1,6 @@
-{ ... }:
-
-{
-  boot.blacklistedKernelModules = [
+{ pkgs, lib, ... }:
+let
+  modulesToBan = [
    # copy.fail
    "af_alg"
    "algif_aead"
@@ -17,4 +16,9 @@
    # PinTheft
    "rds"
  ];
+in
+{
+  boot.blacklistedKernelModules = modulesToBan;
+
+  boot.extraModprobeConfig = lib.concatMapStringsSep "\n" (mod: "install ${mod} ${lib.getExe' pkgs.coreutils "false"}") modulesToBan;
 }
--- a/hosts/bicep/services/matrix/livekit.nix
+++ b/hosts/bicep/services/matrix/livekit.nix
@@ -64,4 +64,11 @@ in
      '';
    };
  };
+
+  networking.firewall.allowedUDPPortRanges = [
+    {
+      from = cfg.settings.rtc.port_range_start;
+      to = cfg.settings.rtc.port_range_end;
+    }
+  ];
 }
--- a/hosts/bicep/services/postgresql/cleanup-timers.nix
+++ b/hosts/bicep/services/postgresql/cleanup-timers.nix
@@ -0,0 +1,37 @@
+{ config, lib, pkgs, ... }:
+let
+  cfg = config.services.postgresql;
+in
+{
+  config = lib.mkIf cfg.enable {
+    systemd.services = {
+      postgresql-repack = {
+        requires = [ "postgresql.service" ];
+        after = [ "postgresql.target" ];
+        description = "Repack all PostgreSQL databases";
+        startAt = "Mon 06:00:00";
+        serviceConfig = {
+          Type = "oneshot";
+          User = "postgres";
+          Group = "postgres";
+
+          ExecStart = "${lib.getExe cfg.package.pkgs.pg_repack} --port=${builtins.toString cfg.settings.port} --all";
+        };
+      };
+
+      postgresql-vacuum-analyze = {
+        requires = [ "postgresql.service" ];
+        after = [ "postgresql.target" ];
+        description = "Vacuum and analyze all PostgreSQL databases";
+        startAt = "Tue 06:00:00";
+        serviceConfig = {
+          Type = "oneshot";
+          User = "postgres";
+          Group = "postgres";
+
+          ExecStart = "${lib.getExe' cfg.package "psql"} --port=${builtins.toString cfg.settings.port} -tAc 'VACUUM ANALYZE'";
+        };
+      };
+    };
+  };
+}
--- a/hosts/bicep/services/postgresql/default.nix
+++ b/hosts/bicep/services/postgresql/default.nix
@@ -3,11 +3,15 @@ let
  cfg = config.services.postgresql;
 in
 {
-  imports = [ ./backup.nix ];
+  imports = [
+    ./backup.nix
+    ./cleanup-timers.nix
+  ];

  services.postgresql = {
    enable = true;
    package = pkgs.postgresql_18;
+    extensions = ps: with ps; [ pg_repack ];
    enableTCPIP = true;

    authentication = ''
Author	SHA1	Message	Date
h7x4	0d7f05e56d	bicep/postgres: add cleanup timers	2026-05-21 04:14:34 +09:00
Daniel Olsen	4a67eddf52	bicep/matrix/livekit: open the rtc ports	2026-05-20 20:04:33 +02:00
h7x4	08a23bd380	base/hardening: ban a few more modules	2026-05-20 23:15:25 +09:00
h7x4	28b67c3578	base/mitigations: blacklist modules for copyfail and pintheft	2026-05-20 23:15:25 +09:00