diff --git a/flake.lock b/flake.lock
index 8f2c047..3172ed8 100644
--- a/flake.lock
+++ b/flake.lock
@@ -360,6 +360,22 @@
 "type": "github"
 }
 },
+ "nixpkgs-draupnir": {
+ "locked": {
+ "lastModified": 1720089221,
+ "narHash": "sha256-8abrPKFI9eqopZ/ewSeSPen4X9bs6xoyvFsfirvbJmk=",
+ "owner": "teutat3s",
+ "repo": "nixpkgs",
+ "rev": "078583b84242644a668ee29e995bce02192dbd16",
+ "type": "github"
+ },
+ "original": {
+ "owner": "teutat3s",
+ "ref": "draupnir-pr",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
 "nixpkgs-lib": {
 "locked": {
 "lastModified": 1717284937,
@@ -386,6 +402,7 @@
 "nixos-flake": "nixos-flake",
 "nixpkgs": "nixpkgs",
 "nixpkgs-2205": "nixpkgs-2205",
+ "nixpkgs-draupnir": "nixpkgs-draupnir",
 "simple-nixos-mailserver": "simple-nixos-mailserver",
 "triton-vmtools": "triton-vmtools",
 "unstable": "unstable"
diff --git a/flake.nix b/flake.nix
index b5473e1..1961fd4 100644
--- a/flake.nix
+++ b/flake.nix
@@ -5,6 +5,7 @@
 unstable.url = "github:nixos/nixpkgs/nixos-unstable";
 nixpkgs-2205.url = "github:nixos/nixpkgs/nixos-22.05";
+ nixpkgs-draupnir.url = "github:teutat3s/nixpkgs/draupnir-pr";
 nix-darwin.url = "github:lnl7/nix-darwin/master";
 nix-darwin.inputs.nixpkgs.follows = "nixpkgs";
diff --git a/hosts/default.nix b/hosts/default.nix
index e1881a4..e0716e1 100644
--- a/hosts/default.nix
+++ b/hosts/default.nix
@@ -35,6 +35,7 @@
 self.nixosModules.tmate
 self.nixosModules.obs-portal
 self.nixosModules.matrix
+ self.nixosModules.matrix-draupnir
 self.nixosModules.matrix-irc
 self.nixosModules.matrix-telegram
 self.nixosModules.nginx-matrix
diff --git a/modules/matrix-draupnir/default.nix b/modules/matrix-draupnir/default.nix
new file mode 100644
index 0000000..0d473ea
--- /dev/null
+++ b/modules/matrix-draupnir/default.nix
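Review bot: `nixpkgs-draupnir.url = "github:teutat3s/nixpkgs/draupnir-pr";` makes the host's moderation bot and its NixOS module depend on a personal fork branch rather than upstream nixpkgs; the lock pins `078583b8…` today, but each `nix flake update` will follow whatever that branch holds at the time. Record the exit condition next to the input so the pin does not outlive its purpose, e.g. `# Temporary: fork branch carrying the draupnir module/package; drop once it lands in nixpkgs.` The `disabledModules` import and the overlay that consume this input are in the later hunks of this commit.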
@@ -0,0 +1,24 @@
+{ config, flake, ... }:
+{
+ imports = [ "${flake.inputs.nixpkgs-draupnir}/nixos/modules/services/matrix/draupnir.nix" ];
+
+ disabledModules = [ "services/matrix/draupnir.nix" ];
+
+ age.secrets."matrix-draupnir-access-token" = {
+ file = "${flake.self}/secrets/matrix-draupnir-access-token.age";
+ mode = "640";
+ owner = "root";
+ group = "draupnir";
+ };
+
+ services.draupnir = {
+ enable = true;
+ accessTokenFile = config.age.secrets.matrix-draupnir-access-token.path;
+ # https://github.com/the-draupnir-project/Draupnir/blob/main/config/default.yaml
+ settings = {
+ homeserverUrl = "http://localhost:8008";
+ managementRoom = "#moderators:pub.solar";
+ protectAllJoinedRooms = true;
+ };
+ };
+}
diff --git a/modules/matrix/default.nix b/modules/matrix/default.nix
index 66b071f..12a204e 100644
--- a/modules/matrix/default.nix
+++ b/modules/matrix/default.nix
@@ -248,6 +248,29 @@ in
 # "/matrix-mautrix-signal-registration.yaml"
 # "/matrix-mautrix-telegram-registration.yaml"
 ];
+
+ modules = [
+ {
+ module = "mjolnir.Module";
+ config = {
+ # Prevent servers/users in the ban lists from inviting users on this
+ # server to rooms. Default true.
+ block_invites = true;
+ # Flag messages sent by servers/users in the ban lists as spam. Currently
+ # this means that spammy messages will appear as empty to users. Default
+ # false.
+ block_messages = false;
+ # Remove users from the user directory search by filtering matrix IDs and
+ # display names by the entries in the user ban list. Default false.
+ block_usernames = false;
+ # The room IDs of the ban lists to honour. Unlike other parts of Mjolnir,
+ # this list cannot be room aliases or permalinks. This server is expected
+ # to already be joined to the room - Mjolnir will not automatically join
+ # these rooms.
+ ban_lists = [ "!roomid:example.org" ];
+ };
+ }
+ ];
 };
 withJemalloc = true;
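Review bot: `managementRoom = "#moderators:pub.solar"` is the bot's authorization boundary — members of that room can issue moderation commands that the bot carries out with its own account — yet the module carries no comment on who controls the room's membership; add `# Members of this room command the bot; keep it invite-only.` above that line. `protectAllJoinedRooms = true` also deserves a one-line why-comment, since it extends Draupnir's protections to every room the account is joined to. The token file is root:draupnir with mode 640, which only works if the imported module runs the service under the `draupnir` group; that module comes from the fork input and is outside this diff, so worth confirming rather than assuming.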
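Review bot: `ban_lists = [ "!roomid:example.org" ];` ships the upstream sample placeholder into the production Synapse config, so the mjolnir antispam module is enabled against a room this homeserver has never joined; per the comment directly above it the module does not join rooms itself, so the ban list is most likely empty and `block_invites = true` silently enforces nothing. Replace the placeholder with the real policy-list room ID the homeserver is already joined to (presumably the list Draupnir maintains, which this commit sets up), or leave the `modules` block out until one exists. The enclosing `settings` attribute set starts and ends outside the hunk.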
@@ -269,7 +292,10 @@ in
 "redis"
 ];
- plugins = [ config.services.matrix-synapse.package.plugins.matrix-synapse-shared-secret-auth ];
+ plugins = with config.services.matrix-synapse.package.plugins; [
+ matrix-synapse-shared-secret-auth
+ matrix-synapse-mjolnir-antispam
+ ];
 };
 services.matrix-sliding-sync = {
diff --git a/overlays/default.nix b/overlays/default.nix
index af9faa9..1897486 100644
--- a/overlays/default.nix
+++ b/overlays/default.nix
@@ -10,8 +10,10 @@ final: prev:
 let
 unstable = import inputs.unstable { system = prev.system; };
+ nixpkgs-draupnir = import inputs.nixpkgs-draupnir { system = prev.system; };
 in {
+ draupnir = nixpkgs-draupnir.draupnir;
 element-themes = prev.callPackage ./pkgs/element-themes { inherit (inputs) element-themes; };
 element-stickerpicker = prev.callPackage ./pkgs/element-stickerpicker {
 inherit (inputs) element-stickers maunium-stickerpicker;
diff --git a/secrets/matrix-draupnir-access-token.age b/secrets/matrix-draupnir-access-token.age
new file mode 100644
index 0000000..b586e64
Binary files /dev/null and b/secrets/matrix-draupnir-access-token.age differ
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 433bbcb..759aa19 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -46,6 +46,7 @@ in
 "matrix-synapse-signing-key.age".publicKeys = nachtigallKeys ++ adminKeys;
 "matrix-synapse-secret-config.yaml.age".publicKeys = nachtigallKeys ++ adminKeys;
 "matrix-synapse-sliding-sync-secret.age".publicKeys = nachtigallKeys ++ adminKeys;
+ "matrix-draupnir-access-token.age".publicKeys = nachtigallKeys ++ adminKeys;
 "nextcloud-secrets.age".publicKeys = nachtigallKeys ++ adminKeys;
 "nextcloud-admin-pass.age".publicKeys = nachtigallKeys ++ adminKeys;