diff --git a/nixos/module/generic/matrix-cluster.nix b/nixos/module/generic/matrix-cluster.nix index 165c959..9fac7c7 100644 --- a/nixos/module/generic/matrix-cluster.nix +++ b/nixos/module/generic/matrix-cluster.nix @@ -494,6 +494,10 @@ ${lib.concatStringsSep "\n" (map mkUserRegistration matrixUsers)} }) (lib.mkIf (cfg.role == "standby") { + systemd.targets.postgresql.requires = lib.mkForce [ + "postgresql.service" + ]; + # Hot-standby bootstrap: standby.signal + primary_conninfo with passfile. # pg_basebackup must be run manually (see runbook) before this activates # for the first time. diff --git a/nixos/system/bfs.poland.xray/bfs.poland.xray.nix b/nixos/system/bfs.poland.xray/bfs.poland.xray.nix index 855e431..10e1f6b 100644 --- a/nixos/system/bfs.poland.xray/bfs.poland.xray.nix +++ b/nixos/system/bfs.poland.xray/bfs.poland.xray.nix @@ -31,7 +31,7 @@ in { hectic.generic.matrix-cluster = { enable = true; - role = "standby"; + role = "primary"; matrixDomain = "accord.tube"; signingKeyFile = config.sops.secrets."matrix/signing-key".path; secretsFile = config.sops.secrets."matrix/secrets".path; @@ -190,6 +190,8 @@ in { }; sops.secrets."matrix/turn-secret" = { key = "matrix/turn-secret"; + owner = "turnserver"; + group = "turnserver"; mode = "0400"; sopsFile = "${flake}/sus/matrix-cluster.yaml"; }; diff --git a/nixos/system/hectic-lab/hectic-lab.nix b/nixos/system/hectic-lab/hectic-lab.nix index 9737707..c6c125a 100644 --- a/nixos/system/hectic-lab/hectic-lab.nix +++ b/nixos/system/hectic-lab/hectic-lab.nix @@ -62,7 +62,8 @@ in { generic.matrix-cluster = { enable = true; - role = "primary"; + overrideEnableSynapse = false; + role = "standby"; inherit matrixDomain; signingKeyFile = config.sops.secrets."matrix/signing-key".path; secretsFile = config.sops.secrets."matrix/secrets".path; 
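Review bot: The `lib.mkForce` on `systemd.targets.postgresql.requires` in the standby branch of matrix-cluster.nix has no comment saying which upstream requirement it drops or why. `mkForce` replaces the whole list, so any unit the PostgreSQL module adds to this target later is silently discarded on standby hosts. Presumably the intent is to skip a setup unit that cannot write to a read-only replica; if so, record it above the assignment, e.g. `# standby is read-only: require only postgresql.service, not the units that create roles/databases`. The enclosing `lib.mkIf` block continues past the end of the hunk.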
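Review bot: The owner of `sops.secrets."matrix/turn-secret"` is now hand-edited per role, set to `turnserver` here in bfs.poland.xray.nix and flipped to `root` in the matching hunk of hectic-lab.nix, so every failover needs the same manual edit in two files. If the owner names a user that does not exist on the host, secret installation will probably fail at activation rather than at evaluation. Deriving it from the service state removes that step, for instance `owner = if config.services.coturn.enable then "turnserver" else "root";`, assuming the cluster module enables coturn through that option. With `mode = "0400"` the `group` value grants nothing, so only the owner matters. On the standby the TURN shared secret is still decrypted to disk for root although nothing visible in the diff consumes it there; dropping the declaration while the host is a standby would narrow exposure.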
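Review bot: `overrideEnableSynapse = false;` in the hectic-lab.nix hunk is added without a comment, and the option's definition is outside this diff. A reader cannot tell whether `role = "standby"` already stops Synapse, or whether this line must be removed by hand when the host is promoted again. A one-line comment would record the intent, e.g. `# standby: keep Synapse off until promotion; remove together with the role change`. The bfs.poland.xray.nix hunk that switches to `role = "primary"` sets no such override, so Synapse is presumably enabled there by default, which is worth confirming before deploy.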
@@ -95,7 +96,7 @@ in { allowedSourceIPs = [ "91.198.166.181/32" ]; }; acme = { - enable = true; + enable = false; porkbunApiKeyFile = config.sops.secrets."matrix/porkbun-api-key".path; porkbunSecretApiKeyFile = config.sops.secrets."matrix/porkbun-secret-api-key".path; }; @@ -187,8 +188,8 @@ in { }; sops.secrets."matrix/turn-secret" = { key = "matrix/turn-secret"; - owner = "turnserver"; - group = "turnserver"; + owner = "root"; + group = "root"; mode = "0400"; sopsFile = "${flake}/sus/matrix-cluster.yaml"; }; diff --git a/sus/hectic-lab.yaml b/sus/hectic-lab.yaml index 76802c6..a022cc4 100644 --- a/sus/hectic-lab.yaml +++ b/sus/hectic-lab.yaml @@ -27,6 +27,8 @@ matrix: password: ENC[AES256_GCM,data:heZSXKj9MCQcY7wH,iv:PdIo3PhXTiGt8JiwafxQA7ysjJ3MJ0hrgCMO+sCs4Oo=,tag:iQYP6r44F3J+xEkam7Zjiw==,type:str] vismajor: password: ENC[AES256_GCM,data:drD8JaqQ5tg=,iv:LnDMbaPRTxOBtqN7ZbWXd6FcSWJQ808Vv7Zxugozn8g=,tag:t6w4TPkYphF+wSbAKzHUIw==,type:str] + snuff: + password: ENC[AES256_GCM,data:DG+35VxkuCfmz4UxF70YI+E+TJTD,iv:1pdXLohOKVsmGrwLdg0p9wncCUnaJYQIPdGtJaG1Wsc=,tag:2Aa8zjSMiDfYW3Kh7/5Jrg==,type:str] turn-secret: ENC[AES256_GCM,data:2RerKgYNFXEVM/YVmXt2l+t3BqduS+FlmjBWTA==,iv:6odb0HB9mntsceNaJtU2kwEVAiF0O88u47eDPLZVJbs=,tag:BJXAvK8abcnCLi96Kra5zA==,type:str] wg-bfs: private-key: ENC[AES256_GCM,data:/J02asiesrQcsO7Xbq66HQIQeSPmFEMkM2q/z+9Y42K8SYEQP0OYQz+8fXI=,iv:PdGhPWgGxhe0a7C6CaVM/ePKABT+y8HRFOAPzNwQk+c=,tag:9AI30JFh6uyaXXVjMBJ1zg==,type:str] 
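Review bot: With `acme.enable = false` the two lines below it still set `porkbunApiKeyFile` and `porkbunSecretApiKeyFile` from `config.sops.secrets`, so the DNS-provider API credentials are apparently still decrypted onto a host that no longer uses them. Those keys can presumably change DNS records for the domain, so keeping them on the standby widens exposure for no benefit. Consider gating the corresponding `sops.secrets."matrix/porkbun-*"` declarations, which are outside this hunk, on the same condition as ACME. Certificate renewal also stops on this host, so a later promotion may start with an expired certificate; a comment such as `# standby: ACME off, re-enable and renew before promoting` would make that step explicit.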
@@ -89,7 +91,7 @@ sops: Yk43ZmlTc09aNFV1VjdjN2RWQlFWTDQKcYSvA2lHP8GS0lkYY19Tm8RXmFHQX5Ck qV2Fn22Fic4M5FVKDEMfaO6WmeXgki9a8dGeO9LlC+Phf16SOq7eLw== -----END AGE ENCRYPTED FILE----- - lastmodified: "2026-05-23T17:31:37Z" - mac: ENC[AES256_GCM,data:B8htf29e/p9cf8twsXohXGWBG6B7Onv9OZ9OSy4O/l7k1RaJOqIPazsmkTDs5Ipkr1X2k1roaS2tJYWm2uu5sAZxoHQw5ajTmTJ1g+R6TEZcnU+AQi1AkSeS+k0p4j5zbFDRjZswVc2slGfJNUm19f9v/Mc2b43o0u6yoVoYw/8=,iv:z+XqfLfJtKjyMuYfVvp4rjyOBI3ujzSJy6jDvkB2I70=,tag:ebQfV0hBu3JUb+OYMFP5xQ==,type:str] + lastmodified: "2026-05-25T20:54:48Z" + mac: ENC[AES256_GCM,data:fb6JjwTKbXayFOmLF/QaKiYHK1gnYK7E6y7OGARzfpwh9nV28n/aydgQiJ1+aS+88QgRbXbHdGH8GGeqKzApA1TczomYnm/BRA+gUsLIKGDbsamArtY8BqTC9ZEwVXK/izcwURWbTabJYA9FsK+ggYskwNOJmrukh5mhtKVmeUo=,iv:INodLtYp54Bm4YdGhJbrqaXMb90CyAG/8aHs3iIFXzY=,tag:jKMl0a9ZdmIh/ayvEvLNsw==,type:str] unencrypted_suffix: _unencrypted version: 3.10.2