Merge pull request #723 from NixOS/draupnir

mweinelt · web-flow · commit aa43b31b3f5c · 2025-06-09T14:22:37.000Z
draupnir: migrate from mjolnir
diff --git a/non-critical-infra/hosts/caliban/default.nix b/non-critical-infra/hosts/caliban/default.nix
@@ -12,11 +12,11 @@
     inputs.srvos.nixosModules.hardware-hetzner-online-amd
     ../../../modules/rasdaemon.nix
     ../../modules/common.nix
+    ../../modules/draupnir.nix
     ../../modules/first-time-contribution-tagger.nix
     ../../modules/backup.nix
     ../../modules/element-web.nix
     ../../modules/matrix-synapse.nix
-    ../../modules/mjolnir.nix
     ../../modules/owncast.nix
     ../../modules/prometheus/node-exporter.nix
     ../../modules/vaultwarden.nix
diff --git a/non-critical-infra/modules/draupnir.nix b/non-critical-infra/modules/draupnir.nix
@@ -0,0 +1,63 @@
+{
+  config,
+  ...
+}:
+{
+  sops.secrets.mjolnir-access-token = {
+    sopsFile = ../secrets/mjolnir-access-token.caliban;
+    format = "binary";
+    restartUnits = [ "draupnir.service" ];
+  };
+
+  services.draupnir = {
+    enable = true;
+    secrets = {
+      accessToken = config.sops.secrets.mjolnir-access-token.path;
+    };
+    settings = {
+      # https://github.com/the-draupnir-project/Draupnir/blob/main/config/default.yaml
+      homeserverUrl = "https://matrix.nixos.org";
+      managementRoom = "#draupnir:nixos.org";
+      backgroundDelayMS = "10"; # snappy reactions, we don't mind the performance hit
+      protectAllJoinedRooms = true;
+      automaticallyRedactForReasons = [
+        "spam"
+      ];
+      web = {
+        enabled = true;
+        address = "127.0.0.1";
+        port = 8082;
+        abuseReporting.enabled = true;
+      };
+      displayReports = true;
+    };
+  };
+
+  services.nginx.virtualHosts."matrix.nixos.org" = {
+    # https://github.com/the-draupnir-project/Draupnir/blob/main/test/nginx.conf
+    locations = {
+      "~ ^/_matrix/client/(r0|v3)/rooms/([^/\\s]+)/report/(.*)$" = {
+        extraConfig = ''
+          mirror /report_mirror;
+
+          # Abuse reports should be sent to Draupnir.
+          # The r0 endpoint is deprecated but still used by many clients.
+          # As of this writing, the v3 endpoint is the up-to-date version.
+
+          # Alias the regexps, to ensure that they're not rewritten.
+          set $room_id $2;
+          set $event_id $3;
+        '';
+        proxyPass =
+          with config.services.draupnir.settings.web;
+          "http://${address}:${toString port}/api/1/report/$room_id/$event_id";
+      };
+      "/report_mirror" = {
+        proxyPass = "http://matrix-synapse$request_uri";
+        extraConfig = ''
+          internal;
+        '';
+      };
+    };
+  };
+}
diff --git a/non-critical-infra/modules/mjolnir.nix b/non-critical-infra/modules/mjolnir.nix
diff --git a/non-critical-infra/secrets/mjolnir-access-token.caliban b/non-critical-infra/secrets/mjolnir-access-token.caliban
@@ -0,0 +1,23 @@
+{
+	"data": "ENC[AES256_GCM,data:WuqhzFzf9bNkLGljc87P4SJcTLFFjzgfF1AwKTb7ecIW6GgiVp1X8y5ARw==,iv:htfPbSknGVotYObu7FOQhNHPzPttlTAYHeFZragGmsg=,tag:qP4l+RZPywXrupsLr8Vd/g==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age1sv307kkrxwgjah8pjpap5kzl4j2r6fqr3vg234n7m32chlchs9lsey7nlq",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkODRUSmNnTVcrUjl1bklF\nSHZaS3NMTmxoK3daQ0FqTXNQaUFPaGpHeVZjCk1ieXdUV0NpbU4rbUhIQlk5N1dS\nZFBtQ05yMHpqOFhKM2dXaU5qL3VXdWMKLS0tIGJFUlc2ell3cTEvQkhFVEg4bVND\nL2ljY3c0ZHVGWVo2MFRGeXZBOWlEWEkKQF46cGAKEXuI1ODorYHHrSeg+slLPPtu\nQ0vOqeK0yJwarsZWaWKCc4+O2cHQP3RNFp4OUcpk/szRo/htM3ZAhw==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqdVJiekRvejhRUnNuTHhy\nZmZ1b1YyenY4d2FNY2lBT0hYWGx0KzVHYVdZCnBueEphS2dTMC9YY0FBQUlwYWNj\ncUFYNERScDlQZDkrQ0ZNb08vNTNGUGMKLS0tIERTelJDZFF5b25FWStRWk5uWkda\nVm1tVGoyNm0rZm5teEt4VEdhL2RmZk0KwamvCxl8D1q8Koet4KIa4laMieqfk4xc\nx+M3xQg/A+OdBRbYhbMvNn3p6PooQljbi1MtTOystOLQEbG+MK6yNg==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBONzZIeGI0dDF1ajBWVEtu\nWUVRWG5kUHg0YlpDYm9nNVdraXJ6ZnpiaEY0Ck9UOEgwNWtCMVRDWjJmOEQzbUxH\nVDdvby9YUW5USzk5OExZMzRESEVuWlUKLS0tIG9leGZwMG1qb3lCVkJPUm13cGJz\nY1Z5aFVrWWt3aFpXUXkyRmhjV1JJNjQKa3OZQQIQLba4Lto6yaSZtVIxr+rpsO85\nwz1EOKTYvwjDPzLpDbdqUfwDlLkIQ1KAimN2XEqfq1iI87RY7botjw==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-06-06T21:23:25Z",
+		"mac": "ENC[AES256_GCM,data:WrlVzDeD17VtFJLO2sdGDeG8JL536WTl2SDid6jnHSsUZsTqoYCRirzE5ZEKc4aN6DcBPNkuFGVSMVYcmvKq7v5khmW5Oyi0NjT+7hqcewrUAh5loDWzAZd7VOkCsD8GxjtBWtUbADIE2hJ9L8hWoATL9Yh07zwSjWvFg6pW5Bs=,iv:wTOdsNFfdqRluHAFOR1ZcOczYArurlsneqzr8se7SU4=,tag:iiYLrzEuyuuYerNPd9afBA==,type:str]",
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.10.2"
+	}
+}
