wip: matrix moderation with draupnir

2024-05-09 01:57:10 +02:00 · 2024-05-09 01:57:10 +02:00 · 7ca53774ce
parent 57a5ace727
commit 7ca53774ce
8 changed files with 73 additions and 1 deletions
--- a/flake.lock
+++ b/flake.lock
@ -360,6 +360,22 @@
        "type": "github"
      }
    },
+    "nixpkgs-draupnir": {
+      "locked": {
+        "lastModified": 1720089221,
+        "narHash": "sha256-8abrPKFI9eqopZ/ewSeSPen4X9bs6xoyvFsfirvbJmk=",
+        "owner": "teutat3s",
+        "repo": "nixpkgs",
+        "rev": "078583b84242644a668ee29e995bce02192dbd16",
+        "type": "github"
+      },
+      "original": {
+        "owner": "teutat3s",
+        "ref": "draupnir-pr",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
    "nixpkgs-lib": {
      "locked": {
        "lastModified": 1717284937,
@ -386,6 +402,7 @@
        "nixos-flake": "nixos-flake",
        "nixpkgs": "nixpkgs",
        "nixpkgs-2205": "nixpkgs-2205",
+        "nixpkgs-draupnir": "nixpkgs-draupnir",
        "simple-nixos-mailserver": "simple-nixos-mailserver",
        "triton-vmtools": "triton-vmtools",
        "unstable": "unstable"
--- a/flake.nix
+++ b/flake.nix
@ -5,6 +5,7 @@
    unstable.url = "github:nixos/nixpkgs/nixos-unstable";

    nixpkgs-2205.url = "github:nixos/nixpkgs/nixos-22.05";
+    nixpkgs-draupnir.url = "github:teutat3s/nixpkgs/draupnir-pr";

    nix-darwin.url = "github:lnl7/nix-darwin/master";
    nix-darwin.inputs.nixpkgs.follows = "nixpkgs";
--- a/hosts/default.nix
+++ b/hosts/default.nix
@ -35,6 +35,7 @@
          self.nixosModules.tmate
          self.nixosModules.obs-portal
          self.nixosModules.matrix
+          self.nixosModules.matrix-draupnir
          self.nixosModules.matrix-irc
          self.nixosModules.matrix-telegram
          self.nixosModules.nginx-matrix
--- a/modules/matrix-draupnir/default.nix
+++ b/modules/matrix-draupnir/default.nix
@ -0,0 +1,24 @@
+{ config, flake, ... }:
+{
+  imports = [ "${flake.inputs.nixpkgs-draupnir}/nixos/modules/services/matrix/draupnir.nix" ];
+
+  disabledModules = [ "services/matrix/draupnir.nix" ];
+
+  age.secrets."matrix-draupnir-access-token" = {
+    file = "${flake.self}/secrets/matrix-draupnir-access-token.age";
+    mode = "640";
+    owner = "root";
+    group = "draupnir";
+  };
+
+  services.draupnir = {
+    enable = true;
+    accessTokenFile = config.age.secrets.matrix-draupnir-access-token.path;
+    # https://github.com/the-draupnir-project/Draupnir/blob/main/config/default.yaml
+    settings = {
+      homeserverUrl = "http://localhost:8008";
+      managementRoom = "#moderators:pub.solar";
+      protectAllJoinedRooms = true;
+    };
+  };
+}
--- a/modules/matrix/default.nix
+++ b/modules/matrix/default.nix
@ -248,6 +248,29 @@ in
        # "/matrix-mautrix-signal-registration.yaml"
        # "/matrix-mautrix-telegram-registration.yaml"
      ];
+
+      modules = [
+        {
+          module = "mjolnir.Module";
+          config = {
+            # Prevent servers/users in the ban lists from inviting users on this
+            # server to rooms. Default true.
+            block_invites = true;
+            # Flag messages sent by servers/users in the ban lists as spam. Currently
+            # this means that spammy messages will appear as empty to users. Default
+            # false.
+            block_messages = false;
+            # Remove users from the user directory search by filtering matrix IDs and
+            # display names by the entries in the user ban list. Default false.
+            block_usernames = false;
+            # The room IDs of the ban lists to honour. Unlike other parts of Mjolnir,
+            # this list cannot be room aliases or permalinks. This server is expected
+            # to already be joined to the room - Mjolnir will not automatically join
+            # these rooms.
+            ban_lists = [ "!roomid:example.org" ];
+          };
+        }
+      ];
    };

    withJemalloc = true;
@ -269,7 +292,10 @@ in
      "redis"
    ];

-    plugins = [ config.services.matrix-synapse.package.plugins.matrix-synapse-shared-secret-auth ];
+    plugins = with config.services.matrix-synapse.package.plugins; [
+      matrix-synapse-shared-secret-auth
+      matrix-synapse-mjolnir-antispam
+    ];
  };

  services.matrix-sliding-sync = {
--- a/overlays/default.nix
+++ b/overlays/default.nix
@ -10,8 +10,10 @@
              final: prev:
              let
                unstable = import inputs.unstable { system = prev.system; };
+                nixpkgs-draupnir = import inputs.nixpkgs-draupnir { system = prev.system; };
              in
              {
+                draupnir = nixpkgs-draupnir.draupnir;
                element-themes = prev.callPackage ./pkgs/element-themes { inherit (inputs) element-themes; };
                element-stickerpicker = prev.callPackage ./pkgs/element-stickerpicker {
                  inherit (inputs) element-stickers maunium-stickerpicker;
--- a/secrets/matrix-draupnir-access-token.age
+++ b/secrets/matrix-draupnir-access-token.age
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -46,6 +46,7 @@ in
  "matrix-synapse-signing-key.age".publicKeys = nachtigallKeys ++ adminKeys;
  "matrix-synapse-secret-config.yaml.age".publicKeys = nachtigallKeys ++ adminKeys;
  "matrix-synapse-sliding-sync-secret.age".publicKeys = nachtigallKeys ++ adminKeys;
+  "matrix-draupnir-access-token.age".publicKeys = nachtigallKeys ++ adminKeys;

  "nextcloud-secrets.age".publicKeys = nachtigallKeys ++ adminKeys;
  "nextcloud-admin-pass.age".publicKeys = nachtigallKeys ++ adminKeys;