matrix: update draupnir to latest beta, switch to

synapse-http-antispam module, add option for synapse-http-antispam secret
teutat3s 2025-05-22 01:04:29 +02:00
parent 3f1c107e12
commit e2c4b61f16
Signed by: teutat3s
GPG key ID: 4FA1D3FA524F22C1
5 changed files with 77 additions and 25 deletions

6
flake.lock generated

@ -368,11 +368,11 @@
},
"nixpkgs-draupnir": {
"locked": {
"lastModified": 1746282801,
"narHash": "sha256-lrPWzSULWzi6YyRjRA3nwQxRUO3z+dbKfKCzMBs4ac8=",
"lastModified": 1747866624,
"narHash": "sha256-Ds7GlcexBrHzbiDQ8b9OSJQtFOWdWVjkOMW5YRLuZm8=",
"owner": "teutat3s",
"repo": "nixpkgs",
"rev": "f5dd6147d90a94dac04f82fb4814c7c72fcfd177",
"rev": "92dcdc41a5ce668c1e9eb603e3e57b6bde066f85",
"type": "github"
},
"original": {


@ -29,6 +29,11 @@
description = "Path to access token file";
type = types.str;
};
http-antispam-authorization-file = mkOption {
description = "Path to synapse-http-antispam authorization file";
type = types.str;
};
};
config = lib.mkIf config.pub-solar-os.matrix.draupnir.enable {
@ -36,6 +41,7 @@
services.draupnir = {
enable = true;
accessTokenFile = config.pub-solar-os.matrix.draupnir.access-token-file;
httpAntispamAuthorizationFile = config.pub-solar-os.matrix.draupnir.http-antispam-authorization-file;
# https://github.com/the-draupnir-project/Draupnir/blob/main/config/default.yaml
homeserverUrl = config.pub-solar-os.matrix.draupnir.homeserver-url;
settings = {
@ -52,6 +58,9 @@
port = 8080;
address = "127.0.200.101";
abuseReporting.enabled = true;
synapseHTTPAntispam = {
enabled = true;
};
};
};
};
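Review bot: The description of `http-antispam-authorization-file` does not say that the file holds a shared secret read by two services: it is passed to `services.draupnir.httpAntispamAuthorizationFile` here and, in the Synapse module of this commit, to `authorization_path`. Spell out the requirements in the option, e.g. `description = "Path to a file holding the synapse-http-antispam shared secret; read by both Draupnir and Synapse, so it must live outside the Nix store and be readable by both service users";`. How the Draupnir module loads the file is not visible on this page, so the permission requirement on that side should be confirmed. The enclosing `options` and `config` blocks start and end outside the hunks.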


@ -434,28 +434,25 @@ in
modules = [
{
module = "mjolnir.Module";
# https://the-draupnir-project.github.io/draupnir-documentation/bot/synapse-http-antispam
# https://github.com/maunium/synapse-http-antispam
module = "synapse_http_antispam.HTTPAntispam";
config = {
# Prevent servers/users in the ban lists from inviting users on this
# server to rooms. Default true.
block_invites = true;
# Flag messages sent by servers/users in the ban lists as spam. Currently
# this means that spammy messages will appear as empty to users. Default
# false.
block_messages = false;
# Remove users from the user directory search by filtering matrix IDs and
# display names by the entries in the user ban list. Default false.
block_usernames = false;
# The room IDs of the ban lists to honour. Unlike other parts of Mjolnir,
# this list cannot be room aliases or permalinks. This server is expected
# to already be joined to the room - Mjolnir will not automatically join
# these rooms.
# Draupnir policy room for pub.solar "ps-bans" #ban-list:pub.solar
# Draupnir Community Moderation Effort policy room "cme-bans" #community-moderation-effort-bl:neko.dev
ban_lists = [
"!MffyQwXepPqFXLYRvk:pub.solar"
"!fTjMjIzNKEsFlUIiru:neko.dev"
base_url = "http://${config.services.draupnir.settings.web.address}:${toString config.services.draupnir.settings.web.port}/api/1/spam_check";
authorization_path = config.pub-solar-os.matrix.draupnir.http-antispam-authorization-file;
enabled_callbacks = [
"check_event_for_spam"
"user_may_invite"
"user_may_join_room"
];
fail_open = {
check_event_for_spam = true;
user_may_invite = true;
user_may_join_room = true;
};
async = {
check_event_for_spam = true;
};
};
}
];
@ -471,7 +468,7 @@ in
plugins = with config.services.matrix-synapse.package.plugins; [
matrix-synapse-shared-secret-auth
matrix-synapse-mjolnir-antispam
pkgs.synapse-http-antispam
];
};
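Review bot: With `fail_open` set to true for `check_event_for_spam`, `user_may_invite` and `user_may_join_room`, Synapse lets all three through whenever the Draupnir listener behind `base_url` is unreachable or returns an error, so ban-list enforcement stops silently during a Draupnir outage; the removed in-process module had `block_invites = true` with no such dependency. If availability over enforcement is the intended trade-off, state it above the block, e.g. `# fail open on purpose: a Draupnir outage must not block invites, joins or messages; alert when the Draupnir unit is down`, and make sure that unit is monitored. `async.check_event_for_spam = true` appears to mean the event is not held for the verdict, which is worth confirming against the module README and recording in the same comment. The surrounding Synapse settings start outside the hunk, so it cannot be seen whether this entry is guarded by `draupnir.enable`; if it is not, the module would point at a listener that never starts and every check would fail open.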


@ -10,6 +10,7 @@
final: prev:
let
unstable = import inputs.unstable { system = prev.system; };
nixpkgs-draupnir = import inputs.nixpkgs-draupnir { system = prev.system; };
in
{
# Patch to always use port 443 in redirects from http -> https
@ -17,11 +18,14 @@
codeberg-pages = unstable.codeberg-pages.overrideAttrs (oldAttrs: {
patches = [ ./0001-workaround-don-t-change-ssl-port-in-redirect.patch ];
});
draupnir = unstable.draupnir;
# want draupnir v2.3.0-main-39e452
draupnir = nixpkgs-draupnir.draupnir;
element-themes = prev.callPackage ./pkgs/element-themes { inherit (inputs) element-themes; };
element-stickerpicker = prev.callPackage ./pkgs/element-stickerpicker {
inherit (inputs) element-stickers maunium-stickerpicker;
};
# want synapse-http-antispam version 0.4.0
synapse-http-antispam = prev.callPackage ./pkgs/synapse-http-antispam { };
nextcloud-skeleton = prev.callPackage ./pkgs/nextcloud-skeleton { };
delete-pubsolar-id = prev.callPackage ./pkgs/delete-pubsolar-id { };
}
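Review bot: `draupnir` now comes from `inputs.nixpkgs-draupnir`, which the flake.lock change in this commit pins to a personal nixpkgs fork, and the comment `# want draupnir v2.3.0-main-39e452` names a pre-release build without saying where the packaging change is tracked. Record the provenance and the exit condition next to the override, e.g. `# from fork branch <BRANCH>, pending nixpkgs PR <PR-URL>; switch back to unstable.draupnir once merged`, so the moderation bot does not stay on a fork that only gets nixpkgs security updates when someone rebases it. The same applies to `# want synapse-http-antispam version 0.4.0`, which could say when the local package can be dropped in favour of one from nixpkgs.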


@ -0,0 +1,42 @@
{
lib,
python3,
fetchFromGitHub,
matrix-synapse-unwrapped,
nix-update-script,
}:
python3.pkgs.buildPythonPackage rec {
pname = "synapse-http-antispam";
version = "0.4.0";
pyproject = true;
src = fetchFromGitHub {
owner = "maunium";
repo = "synapse-http-antispam";
tag = "v${version}";
hash = "sha256-YvgHIZ5Kr9WsX30QN8W5OJ4sxLB7EsLqUmCye3x+JQA=";
};
build-system = [ python3.pkgs.hatchling ];
pythonImportsCheck = [ "synapse_http_antispam" ];
prePatch = ''
# pythonRelaxDeps doesn't work here
substituteInPlace pyproject.toml --replace-fail 'license-files = ["LICENSE"]' 'license-files = { paths = ["LICENSE"] }'
'';
buildInputs = [ matrix-synapse-unwrapped ];
dependencies = [ python3.pkgs.twisted ];
passthru.updateScript = nix-update-script { };
meta = {
description = "Synapse module that forwards spam checking to an HTTP server";
homepage = "https://github.com/maunium/synapse-http-antispam";
changelog = "https://github.com/maunium/synapse-http-antispam/releases/tag/v${version}";
license = lib.licenses.mit;
maintainers = with lib.maintainers; [ sumnerevans ];
};
}
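Review bot: The `prePatch` comment `# pythonRelaxDeps doesn't work here` says which mechanism failed but not what the `substituteInPlace` works around, so the next updater cannot tell when it is safe to delete. Presumably the pinned hatchling rejects the list form of `license-files`; if so, say that, e.g. `# hatchling in this nixpkgs rejects the list form of license-files; rewrite to the table form, drop once hatchling accepts it`. `maintainers = with lib.maintainers; [ sumnerevans ];` looks carried over from a nixpkgs expression and names someone who does not maintain this local copy, so it is clearer to remove it or list the repository's own maintainers.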