Merge branch 'main' into codeberg-pages-init

2025-05-18 16:59:05 +02:00 · 2025-05-18 16:59:05 +02:00 · 003104e7b2
commit 003104e7b2
parent a078e6f434 bad5c433e0
9 changed files with 122 additions and 16 deletions
--- a/docs/deletion-request.md
+++ b/docs/deletion-request.md
@ -6,10 +6,18 @@ Required:

 - [SSH access to host `nachtigall`](./administrative-access.md#ssh-access)

-SSH into nachtigall, and run the following script:
+SSH into nachtigall, and run the following script. Replace `<username>` with the `Username` found in keycloak.

 ```
-delete-pubsolar-id $(sudo cat /run/agenix/keycloak-admin-cli-client-secret) $(sudo cat /run/agenix/matrix-admin-access-token) $USERNAME
+delete-pubsolar-id $(sudo cat /run/agenix/keycloak-admin-cli-client-secret) $(sudo cat /run/agenix/matrix-admin-access-token) <username>
+```
+
+Make sure to close all Matrix user sessions:
+
+```
+# get full path to mas-cli command with current --config flags from
+# sudo systemctl cat matrix-authentication-service
+sudo -u matrix-authentication-service <nix-store-path>/mas-cli --config <nix-store-config> --config /run/agenix/matrix-authentication-service-secret-config.yml manage kill-sessions <username>
 ```

 ### Keycloak
@ -75,8 +83,18 @@ Docs: https://forgejo.org/docs/latest/admin/command-line/#delete

 ### Matrix

+Close all user sessions:
+
 ```
-curl --header "Authorization: Bearer <admin-access-token>" --request POST http://127.0.0.1:8008/_synapse/admin/v1/deactivate/@<username>:pub.solar --data '{"erase": true}'
+# get full path to mas-cli command with current --config flags from
+# sudo systemctl cat matrix-authentication-service
+sudo -u matrix-authentication-service <nix-store-path>/mas-cli --config <nix-store-config> --config /run/agenix/matrix-authentication-service-secret-config.yml manage kill-sessions <username>
+```
+
+Deactivate the user and erase data:
+
+```
+curl --header "Authorization: Bearer <admin-access-token>" --request POST http://127.0.200.10:8008/_synapse/admin/v1/deactivate/@<username>:pub.solar --data '{"erase": true}'
 ```

 Docs: https://element-hq.github.io/synapse/latest/admin_api/user_admin_api.html#deactivate-account
@ -86,7 +104,7 @@ The authentication token should be in the keepass. If it is expired, you can get
 ```
 # get full path to mas-cli command with current --config flags from
 # sudo systemctl cat matrix-authentication-service
-sudo -u matrix-authentication-service mas-cli --config nix-store-config --config /run/agenix/matrix-authentication-service-secret-config.yml manage issue-compatibility-token --yes-i-want-to-grant-synapse-admin-privileges crew
+sudo -u matrix-authentication-service <nix-store-path>/mas-cli --config <nix-store-config> --config /run/agenix/matrix-authentication-service-secret-config.yml manage issue-compatibility-token --yes-i-want-to-grant-synapse-admin-privileges crew
 ```

 ### OpenBikeSensor
--- a/docs/matrix-draupnir.md
+++ b/docs/matrix-draupnir.md
@ -18,7 +18,7 @@ There are a number of steps to complete to get Draupnir running:
 Disable rate limit via synapse admin API:

 ```
-curl --header "Authorization: Bearer $TOKEN" 'http://127.0.0.1:8008/_synapse/admin/v1/users/@draupnir:pub.solar/override_ratelimit' -X POST -d '{"messages_per_second": 0,  "burst_count": 0}'
+curl --header "Authorization: Bearer $TOKEN" 'http://127.0.200.10:8008/_synapse/admin/v1/users/@draupnir:pub.solar/override_ratelimit' -X POST -d '{"messages_per_second": 0,  "burst_count": 0}'
 ```

 Make draupnir admin
--- a/docs/matrix-moderation.md
+++ b/docs/matrix-moderation.md
@ -0,0 +1,19 @@
+# Matrix Moderation using Draupnir
+
+Management room for draupnir: "Matrix Moderators" (Invite-Only)
+
+pub.solar community ban list (aka policy room): shorthand: `ps-bans`, room
+alias: `#ban-list:pub.solar`
+
+In the "Matrix Moderators" room, enter `!draupnir help` in the chat to see all
+available commands.
+
+If your account has the necessary permissions (moderator) in a room, it's also
+possible to use regular moderation actions, e.g. "Kick" / "Ban" provided by your
+Matrix client (e.g. Element). The moderation bot will then ask in the management
+room, if the kicked / banned account should be added to the `ps-bans` ban list,
+to enforce the kick / ban on all pub.solar community rooms.
+
+The bot uses message reactions to control moderation actions.
+
+Draupnir matrix moderator's guide: https://the-draupnir-project.github.io/draupnir-documentation/moderator/setting-up-and-configuring
--- a/docs/matrix-remove-spam.md
+++ b/docs/matrix-remove-spam.md
@ -0,0 +1,61 @@
+# Remove spam from Matrix synapse homeserver
+
+Required:
+
+- [SSH access to host `nachtigall`](./administrative-access.md#ssh-access)
+
+Connect to `matrix` PostgreSQL DB:
+
+```
+sudo -u postgres psql -d matrix
+```
+
+List all rooms joined by user:
+
+```
+SELECT e.room_id, r.name
+FROM current_state_events e
+JOIN room_stats_state r USING (room_id)
+WHERE e.state_key = '@<username>:pub.solar'
+AND e.type = 'm.room.member'
+AND e.membership = 'join';
+```
+
+Removing rooms, requires a list of room IDs:
+
+Example script `purge-rooms.sh`
+
+Usage:
+
+```
+./purge-rooms.sh <token> <file-containing-room-ids>
+```
+
+```
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+TOKEN=$1
+ROOMLIST=$2
+while IFS='' read ROOMID; do
+	echo "Cleaning up Room: $ROOMID"
+	curl "http://127.0.200.10:8008/_synapse/admin/v2/rooms/${ROOMID}" \
+		-X DELETE -H 'Accept: application/json' \
+		-H 'Referer: http://127.0.200.10:8080/' \
+		-H "Authorization: Bearer ${TOKEN}" \
+		--data '{ "purge": true, "message": "Sorry - kicking you out to clean up the database" }'
+	echo ""
+done < "$ROOMLIST"
+```
+
+Remove all media uploaded by user:
+
+```
+export TOKEN=$(sudo cat /run/agenix/matrix-admin-access-token)
+
+curl "http://127.0.200.10:8008/_synapse/admin/v1/users/@<username>:pub.solar/media" \
+  -X DELETE -H 'Accept: application/json' \
+  -H 'Referer: http://127.0.200.10:8080/' \
+  -H "Authorization: Bearer ${TOKEN}"
+```
--- a/docs/matrix-suspend-account.md
+++ b/docs/matrix-suspend-account.md
@ -17,13 +17,13 @@ Required:
 ## Suspending an account

 ```bash
-curl --header "Authorization: Bearer <admin-access-token>" --request PUT http://127.0.0.1:8008/_synapse/admin/v1/suspend/@<username>:pub.solar --data '{"suspend": true}'
+curl --header "Authorization: Bearer <admin-access-token>" --request PUT http://127.0.200.10:8008/_synapse/admin/v1/suspend/@<username>:pub.solar --data '{"suspend": true}'
 ```

 ## Unsuspending an account

 ```bash
-curl --header "Authorization: Bearer <admin-access-token>" --request PUT http://127.0.0.1:8008/_synapse/admin/v1/suspend/@<username>:pub.solar --data '{"suspend": false}'
+curl --header "Authorization: Bearer <admin-access-token>" --request PUT http://127.0.200.10:8008/_synapse/admin/v1/suspend/@<username>:pub.solar --data '{"suspend": false}'
 ```

 Links:
--- a/flake.lock
+++ b/flake.lock
@ -133,11 +133,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1745345582,
-        "narHash": "sha256-T4JHS/iZPMFFbSQJAYKZxRdvUk0y/r0GuaN/b0QD7s8=",
+        "lastModified": 1747481732,
+        "narHash": "sha256-rpiClWWUN0XU9GsuClTJJ6Rpzji1uxoKSIsfHBwLPTw=",
        "ref": "main",
-        "rev": "5c65f0fef48ce8193767a5d0453e7cf6ad046de4",
-        "revCount": 9,
+        "rev": "15a02d29fe2f1d17e7ca3fd975313f01d1d80d1c",
+        "revCount": 10,
        "type": "git",
        "url": "https://git.pub.solar/pub-solar/maunium-stickerpicker-nix"
      },
--- a/modules/matrix/default.nix
+++ b/modules/matrix/default.nix
@ -240,6 +240,9 @@ in
        default_room_version = "10";
        disable_msisdn_registration = true;
        enable_media_repo = true;
+        media_retention = {
+          remote_media_lifetime = "14d";
+        };
        enable_metrics = true;
        federation_metrics_domains = [
          "matrix.org"
@ -298,7 +301,7 @@ in
          pepper = "";
        };

-        presence.enabled = false;
+        presence.enabled = true;
        push.include_content = false;

        rc_admin_redaction = {
@ -447,7 +450,12 @@ in
              # this list cannot be room aliases or permalinks. This server is expected
              # to already be joined to the room - Mjolnir will not automatically join
              # these rooms.
-              ban_lists = [ "!roomid:example.org" ];
+              # Draupnir policy room for pub.solar "ps-bans" #ban-list:pub.solar
+              # Draupnir Community Moderation Effort policy room "cme-bans" #community-moderation-effort-bl:neko.dev
+              ban_lists = [
+                "!MffyQwXepPqFXLYRvk:pub.solar"
+                "!fTjMjIzNKEsFlUIiru:neko.dev"
+              ];
            };
          }
        ];
--- a/modules/nginx-website/default.nix
+++ b/modules/nginx-website/default.nix
@ -58,8 +58,8 @@
        "/.well-known/security.txt" =
          let
            securityTXT = lib.lists.foldr (a: b: a + "\n" + b) "" [
-              "Contact: mailto:admins@pub.solar"
-              "Expires: 2025-01-04T23:00:00.000Z"
+              "Contact: mailto:crew@pub.solar"
+              "Expires: 2027-01-31T23:00:00.000Z"
              "Encryption: https://keys.openpgp.org/vks/v1/by-fingerprint/8A8987ADE3736C8CA2EB315A9B809EBBDD62BAE3"
              "Preferred-Languages: en,de"
              "Canonical: https://${config.pub-solar-os.networking.domain}/.well-known/security.txt"
--- a/overlays/pkgs/delete-pubsolar-id/default.nix
+++ b/overlays/pkgs/delete-pubsolar-id/default.nix
@ -54,7 +54,7 @@ writeShellApplication {
    ### Matrix ###

    echo "Deleting matrix account"
-    curl --header "Authorization: Bearer $MATRIX_ADMIN_ACCESS_TOKEN" --request POST "http://127.0.0.1:8008/_synapse/admin/v1/deactivate/@$USERNAME:pub.solar" --data '{"erase": true}' || true
+    curl --header "Authorization: Bearer $MATRIX_ADMIN_ACCESS_TOKEN" --request POST "http://127.0.200.10:8008/_synapse/admin/v1/deactivate/@$USERNAME:pub.solar" --data '{"erase": true}' || true

    ### Forgejo ###