From 7ca53774ce0449cd21743115dde510d214b68b87 Mon Sep 17 00:00:00 2001 From: teutat3s Date: Thu, 9 May 2024 01:57:10 +0200 Subject: [PATCH] wip: matrix moderation with draupnir --- flake.lock | 17 ++++++++++++++ flake.nix | 1 + hosts/default.nix | 1 + modules/matrix-draupnir/default.nix | 24 +++++++++++++++++++ modules/matrix/default.nix | 28 ++++++++++++++++++++++- overlays/default.nix | 2 ++ secrets/matrix-draupnir-access-token.age | Bin 0 -> 2445 bytes secrets/secrets.nix | 1 + 8 files changed, 73 insertions(+), 1 deletion(-) create mode 100644 modules/matrix-draupnir/default.nix create mode 100644 secrets/matrix-draupnir-access-token.age diff --git a/flake.lock b/flake.lock index 8f2c047..3172ed8 100644 --- a/flake.lock +++ b/flake.lock @@ -360,6 +360,22 @@ "type": "github" } }, + "nixpkgs-draupnir": { + "locked": { + "lastModified": 1720089221, + "narHash": "sha256-8abrPKFI9eqopZ/ewSeSPen4X9bs6xoyvFsfirvbJmk=", + "owner": "teutat3s", + "repo": "nixpkgs", + "rev": "078583b84242644a668ee29e995bce02192dbd16", + "type": "github" + }, + "original": { + "owner": "teutat3s", + "ref": "draupnir-pr", + "repo": "nixpkgs", + "type": "github" + } + }, "nixpkgs-lib": { "locked": { "lastModified": 1717284937, @@ -386,6 +402,7 @@ "nixos-flake": "nixos-flake", "nixpkgs": "nixpkgs", "nixpkgs-2205": "nixpkgs-2205", + "nixpkgs-draupnir": "nixpkgs-draupnir", "simple-nixos-mailserver": "simple-nixos-mailserver", "triton-vmtools": "triton-vmtools", "unstable": "unstable" diff --git a/flake.nix b/flake.nix index b5473e1..1961fd4 100644 --- a/flake.nix +++ b/flake.nix @@ -5,6 +5,7 @@ unstable.url = "github:nixos/nixpkgs/nixos-unstable"; nixpkgs-2205.url = "github:nixos/nixpkgs/nixos-22.05"; + nixpkgs-draupnir.url = "github:teutat3s/nixpkgs/draupnir-pr"; nix-darwin.url = "github:lnl7/nix-darwin/master"; nix-darwin.inputs.nixpkgs.follows = "nixpkgs"; diff --git a/hosts/default.nix b/hosts/default.nix index e1881a4..e0716e1 100644 --- a/hosts/default.nix +++ b/hosts/default.nix 
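Review bot: The new `nixpkgs-draupnir` input in flake.nix follows the mutable branch `draupnir-pr` on a personal fork, and nothing on the line records why or for how long. flake.lock pins it to rev `078583b84242644a668ee29e995bce02192dbd16`, so builds are reproducible today, but every `nix flake update` re-resolves that branch. Both the NixOS module imported in modules/matrix-draupnir/default.nix and the `draupnir` package taken in overlays/default.nix then come from whatever the branch holds at that moment. Because the overlay imports a second nixpkgs, the bot's runtime dependencies presumably also stop following security updates of the main `nixpkgs` input. I would add a comment above the input such as `# Temporary: draupnir module + package from the draupnir-pr fork branch; drop once available in our nixpkgs channel`, and review the lock diff whenever this input moves.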
@@ -35,6 +35,7 @@
 self.nixosModules.tmate
 self.nixosModules.obs-portal
 self.nixosModules.matrix
+ self.nixosModules.matrix-draupnir
 self.nixosModules.matrix-irc
 self.nixosModules.matrix-telegram
 self.nixosModules.nginx-matrix
diff --git a/modules/matrix-draupnir/default.nix b/modules/matrix-draupnir/default.nix
new file mode 100644
index 0000000..0d473ea
--- /dev/null
+++ b/modules/matrix-draupnir/default.nix
@@ -0,0 +1,24 @@
+{ config, flake, ... }:
+{
+ imports = [ "${flake.inputs.nixpkgs-draupnir}/nixos/modules/services/matrix/draupnir.nix" ];
+
+ disabledModules = [ "services/matrix/draupnir.nix" ];
+
+ age.secrets."matrix-draupnir-access-token" = {
+ file = "${flake.self}/secrets/matrix-draupnir-access-token.age";
+ mode = "640";
+ owner = "root";
+ group = "draupnir";
+ };
+
+ services.draupnir = {
+ enable = true;
+ accessTokenFile = config.age.secrets.matrix-draupnir-access-token.path;
+ # https://github.com/the-draupnir-project/Draupnir/blob/main/config/default.yaml
+ settings = {
+ homeserverUrl = "http://localhost:8008";
+ managementRoom = "#moderators:pub.solar";
+ protectAllJoinedRooms = true;
+ };
+ };
+}
diff --git a/modules/matrix/default.nix b/modules/matrix/default.nix
index 66b071f..12a204e 100644
--- a/modules/matrix/default.nix
+++ b/modules/matrix/default.nix
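Review bot: In modules/matrix-draupnir/default.nix the `settings` block sets `protectAllJoinedRooms = true` and names the bot's command channel by alias, `managementRoom = "#moderators:pub.solar"`, without recording the assumption that this room is private. Anyone who can join the management room can presumably drive the bot, and its access token then carries moderation rights in every room it is joined to. I would add a comment such as `# management room must stay invite-only: its members can command the bot in all protected rooms` and consider giving the room ID instead of an alias that can be re-pointed. Separately, the age secret is installed as `root:draupnir` with mode `640`, which relies on the module from the fork creating a static `draupnir` group. That group is not visible in this patch and is worth confirming, since a DynamicUser service would have no such group when the secret is installed.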
@@ -248,6 +248,29 @@ in # "/matrix-mautrix-signal-registration.yaml" # "/matrix-mautrix-telegram-registration.yaml" ]; + + modules = [ + { + module = "mjolnir.Module"; + config = { + # Prevent servers/users in the ban lists from inviting users on this + # server to rooms. Default true. + block_invites = true; + # Flag messages sent by servers/users in the ban lists as spam. Currently + # this means that spammy messages will appear as empty to users. Default + # false. + block_messages = false; + # Remove users from the user directory search by filtering matrix IDs and + # display names by the entries in the user ban list. Default false. + block_usernames = false; + # The room IDs of the ban lists to honour. Unlike other parts of Mjolnir, + # this list cannot be room aliases or permalinks. This server is expected + # to already be joined to the room - Mjolnir will not automatically join + # these rooms. + ban_lists = [ "!roomid:example.org" ]; + }; + } + ]; }; withJemalloc = true; @@ -269,7 +292,10 @@ in "redis" ]; - plugins = [ config.services.matrix-synapse.package.plugins.matrix-synapse-shared-secret-auth ]; + plugins = with config.services.matrix-synapse.package.plugins; [ + matrix-synapse-shared-secret-auth + matrix-synapse-mjolnir-antispam + ]; }; services.matrix-sliding-sync = { diff --git a/overlays/default.nix b/overlays/default.nix index af9faa9..1897486 100644 --- a/overlays/default.nix +++ b/overlays/default.nix @@ -10,8 +10,10 @@ final: prev: let unstable = import inputs.unstable { system = prev.system; }; + nixpkgs-draupnir = import inputs.nixpkgs-draupnir { system = prev.system; }; in { + draupnir = nixpkgs-draupnir.draupnir; element-themes = prev.callPackage ./pkgs/element-themes { inherit (inputs) element-themes; }; element-stickerpicker = prev.callPackage ./pkgs/element-stickerpicker { inherit (inputs) element-stickers maunium-stickerpicker; 
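Review bot: `ban_lists = [ "!roomid:example.org" ]` in the first modules/matrix/default.nix hunk still looks like a placeholder, so the antispam module is loaded into Synapse with `block_invites = true` but has no real policy list to honour. Per the comment directly above it, the value must be a room ID (not an alias or permalink) of a list room this homeserver has already joined, presumably the list the Draupnir bot will maintain. Until that ID is known I would either leave the `modules` entry out or mark it, e.g. `# TODO: replace with the room ID of our policy list before deploying`. The second hunk, which adds `matrix-synapse-mjolnir-antispam` to `plugins`, is consistent with the `mjolnir.Module` name used here. The enclosing settings attribute set starts outside the hunk.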
diff --git a/secrets/matrix-draupnir-access-token.age b/secrets/matrix-draupnir-access-token.age new file mode 100644 index 0000000000000000000000000000000000000000..b586e646dc1dc50ca0ac75fe3d3a4d54423fae8f GIT binary patch literal 2445 zcmZA2Im`8E83%9&v`H(2ASjP@cqe;Kf+%D;$;rvd$-W9g_WfjE3o9F~1Y27z#KulR z{039`1*Q-yL8h{?@KG3%_XFJgZvI@?^$+v(L;8xxqo2#}^;tLO(24*be)u*`#fLOO z2?C+tN?xwE{H>wFb!7J>Wqn-Qpg9XJG)9Ri^R&Gs9OTzbnRaSv*{uUkRHGB3E%N! ztXr1@QB6oPh3a>*(Mw~&%{?!>Au5`Qr=~QVII-RkZ}xmTHJ%tQ=~r*=<~d}A&=D?* z2;h#F8c||`6KU5)+#9n5laRc4%NEOuh!^{%F&t#)>KY-ITtY{#&(*Xq-IhVwr~}{~ zJV_6y1E)s}MBru$diA=Ru{Tqt%Gl=io#meO7#bVE^3G>T zlYApkPPw~7)Uu4?4VfN8xnks8lBAh#N+w*&0UD~8d0~Q!xyWIutjyAFd@8RX7ts>!6 zJj_FsQFw8vA8EK=g_Kf_(C0ekfH&xP=}d$`ra{XPFi*j)o}EBj_TFBuXbqYFNAmu1|Wq|Laq*Zf9>nBcwn$F;zlFawB_-#zH4Mld=RRK<~z>&CW~Rd2VR8+ST!DWqjOGIV9)0hP*L>4o-sDASp4s*C(B`E82D~yqg_3h;SQFI5uzI-i!5^WRgf; zu^`;h>XByqlM{0&0gy`74YE`b^m-cxd4iLA$bIW1?Y)cIbUvr++N{$8Ap`AFcgjd2 znj>vR1aCZ)RSh6R&+Wic+N{9DeaE_250O#k-^w zDP%s5a~Bx~m;iGR5H7MvUTB2f25)wwvJC5oki&}YPH@V*2bwqpHLlpMaib*m4GDR< z)I&zp0w)j7j>fBF$%r*}Py2ON`EaCCY)Jwqo?x*#*VqsrUZ5Z^nVmKndUBe zUK?Oo7wzOc=4EKJZ5#)*jZl-O{dP?Gd<InU)}0fe)usbGjN}Fb zP>aJN_J}VIF4!Y{8CJ=0)v)$@upHc4a)(t3;Clo5q*0RdS_e=*IliR_H^?3a2@pH` z<*!Q5!+TKbrIz`PL8ej2KJ3IKp;x6bplV?~k5l8;-Nlp%_sM8mnLwmlcgR42HUdad z^-NbNc)HT-eoOAbZEYw6CwT++48tr;=Tu_%Y^(uoUmVVmtVTipQ2e$ zxB0%Ay--dS-SMrBI`CCvl&C!E6CHs`uDPZ%65QqDIAhBPQy{Ow-UHOp+gq+%R4K{* zCZN%Oo92JkISf$wZV^r596QO2&$S$`1jRH2kDMMT!QvQ%w*n?#YQa8>s|o`g$V|Cp zUag#88-p&bp>@MamrIVnTMWI!!$>?uG!qf~tNr|{Lw&(ir~IuaE~&|zr6N`moM!@c zA~o$xc|2fOCO|Q{(Weo2+|k{Dxq>b4d2kYxdlx&|%PdQxCT>M!Ff^pdAjC18Ub}Tr z{jpZw91>&R8t56B*ElhPQp(9__OME#D6iIE%fMSx`jtWX@G@Q136Q_SBeALBL5J_%RMF9g)@kf zmHCmF%|aqa8y6&3C`B|N6=Ilt2E#{~7-IZ|(2==*#3AUtrd^kUtCP lPk;P_FaP$JU;g4#Zu{r)wNF3Cet!u6`rX&R82ev;^WTB;D_sBp literal 0 HcmV?d00001 diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 433bbcb..759aa19 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix 
@@ -46,6 +46,7 @@ in "matrix-synapse-signing-key.age".publicKeys = nachtigallKeys ++ adminKeys; "matrix-synapse-secret-config.yaml.age".publicKeys = nachtigallKeys ++ adminKeys; "matrix-synapse-sliding-sync-secret.age".publicKeys = nachtigallKeys ++ adminKeys; + "matrix-draupnir-access-token.age".publicKeys = nachtigallKeys ++ adminKeys; "nextcloud-secrets.age".publicKeys = nachtigallKeys ++ adminKeys; "nextcloud-admin-pass.age".publicKeys = nachtigallKeys ++ adminKeys; -- 2.44.2