bicep/postgres: add cleanup timers

bicep/matrix/livekit: open the rtc ports
base/hardening: ban a few more modules
2026-05-20 21:41:12 +02:00 · 2026-05-21 04:14:34 +09:00 · 2026-05-20 20:04:33 +02:00 · 2026-05-20 23:15:25 +09:00 · 2026-05-20 23:15:25 +09:00
5 changed files with 78 additions and 16 deletions
--- a/base/hardening.nix
+++ b/base/hardening.nix
@@ -7,7 +7,13 @@
    "ax25"
    "batman-adv"
    "can"
    "dccp"
    "ipx"
    "llc"
    "n-hdlc"
    "netrom"
    "p8022"
    "p8023"
    "psnap"
    "rds"
    "rose"
@@ -23,7 +29,6 @@
    "cramfs"
    "efs"
    "exofs"
    "orangefs"
    "freevxfs"
    "gfs2"
    "hfs"
@@ -35,10 +40,12 @@
    "nilfs2"
    "ntfs"
    "omfs"
    "orangefs"
    "qnx4"
    "qnx6"
    "sysv"
    "ubifs"
    "udf"
    "ufs"
    # Legacy hardware
--- a/base/mitigations.nix
+++ b/base/mitigations.nix
@@ -1,17 +1,24 @@
-{ ... }:
+{ pkgs, lib, ... }:
 let
  modulesToBan = [
    # copy.fail
    "af_alg"
    "algif_aead"
    "algif_hash"
    "algif_rng"
    "algif_skcipher"
    # dirtyfrag / Fragnesia
    "esp4"
    "esp6"
    "rxrpc"
    # PinTheft
    "rds"
  ];
 in
 {
-  boot.blacklistedKernelModules = [
+  boot.blacklistedKernelModules = modulesToBan;
-  "rxrpc" # dirtyfrag
+
-  "esp6" # dirtyfrag
+  boot.extraModprobeConfig = lib.concatMapStringsSep "\n" (mod: "install ${mod} ${lib.getExe' pkgs.coreutils "false"}") modulesToBan;
  "esp4" # dirtyfrag
 ];
 boot.extraModprobeConfig = ''
  # dirtyfrag
  install esp4 /bin/false
  # dirtyfrag
  install esp6 /bin/false
  # dirtyfrag
  install rxrpc /bin/false
 '';
 }
--- a/hosts/bicep/services/matrix/livekit.nix
+++ b/hosts/bicep/services/matrix/livekit.nix
@@ -64,4 +64,11 @@ in
      '';
    };
  };
  networking.firewall.allowedUDPPortRanges = [
    {
      from = cfg.settings.rtc.port_range_start;
      to = cfg.settings.rtc.port_range_end;
    }
  ];
 }
--- a/hosts/bicep/services/postgresql/cleanup-timers.nix
+++ b/hosts/bicep/services/postgresql/cleanup-timers.nix
@@ -0,0 +1,37 @@
 { config, lib, pkgs, ... }:
 let
  cfg = config.services.postgresql;
 in
 {
  config = lib.mkIf cfg.enable {
    systemd.services = {
      postgresql-repack = {
        requires = [ "postgresql.service" ];
        after = [ "postgresql.target" ];
        description = "Repack all PostgreSQL databases";
        startAt = "Mon 06:00:00";
        serviceConfig = {
          Type = "oneshot";
          User = "postgres";
          Group = "postgres";
          ExecStart = "${lib.getExe cfg.package.pkgs.pg_repack} --port=${builtins.toString cfg.settings.port} --all";
        };
      };
      postgresql-vacuum-analyze = {
        requires = [ "postgresql.service" ];
        after = [ "postgresql.target" ];
        description = "Vacuum and analyze all PostgreSQL databases";
        startAt = "Tue 06:00:00";
        serviceConfig = {
          Type = "oneshot";
          User = "postgres";
          Group = "postgres";
          ExecStart = "${lib.getExe' cfg.package "psql"} --port=${builtins.toString cfg.settings.port} -tAc 'VACUUM ANALYZE'";
        };
      };
    };
  };
 }
--- a/hosts/bicep/services/postgresql/default.nix
+++ b/hosts/bicep/services/postgresql/default.nix
@@ -3,11 +3,15 @@ let
  cfg = config.services.postgresql;
 in
 {
-  imports = [ ./backup.nix ];
+  imports = [
    ./backup.nix
    ./cleanup-timers.nix
  ];
  services.postgresql = {
    enable = true;
    package = pkgs.postgresql_18;
    extensions = ps: with ps; [ pg_repack ];
    enableTCPIP = true;
    authentication = ''
Author	SHA1	Message	Date
h7x4	0d7f05e56d	bicep/postgres: add cleanup timers	2026-05-21 04:14:34 +09:00
Daniel Olsen	4a67eddf52	bicep/matrix/livekit: open the rtc ports	2026-05-20 20:04:33 +02:00
h7x4	08a23bd380	base/hardening: ban a few more modules	2026-05-20 23:15:25 +09:00
h7x4	28b67c3578	base/mitigations: blacklist modules for copyfail and pintheft	2026-05-20 23:15:25 +09:00