···
1
+
{ config, lib, pkgs, ... }:
5
+
cfg = config.services.mjolnir;
8
+
inherit (cfg) dataPath managementRoom protectedRooms;
10
+
accessToken = "@ACCESS_TOKEN@"; # will be replaced in "generateConfig"
12
+
if cfg.pantalaimon.enable then
13
+
"http://${cfg.pantalaimon.options.listenAddress}:${toString cfg.pantalaimon.options.listenPort}"
18
+
inherit (cfg.pantalaimon) username;
20
+
use = cfg.pantalaimon.enable;
21
+
password = "@PANTALAIMON_PASSWORD@"; # will be replaced in "generateConfig"
25
+
moduleConfigFile = pkgs.writeText "module-config.yaml" (
26
+
generators.toYAML { } (filterAttrs (_: v: v != null)
27
+
(fold recursiveUpdate { } [ yamlConfig cfg.settings ])));
29
+
# these config files will be merged one after the other to build the final config
31
+
"${pkgs.mjolnir}/share/mjolnir/config/default.yaml"
35
+
# this will generate the default.yaml file with all configFiles as inputs and
36
+
# replace all secret strings using replace-secret
37
+
generateConfig = pkgs.writeShellScript "mjolnir-generate-config" (
39
+
yqEvalStr = concatImapStringsSep " * " (pos: _: "select(fileIndex == ${toString (pos - 1)})") configFiles;
40
+
yqEvalArgs = concatStringsSep " " configFiles;
47
+
# mjolnir will try to load a config from "./config/default.yaml" in the working directory
48
+
# -> let's place the generated config there
49
+
mkdir -p ${cfg.dataPath}/config
51
+
# merge all config files into one, overriding settings of the previous one with the next config
52
+
# e.g. "eval-all 'select(fileIndex == 0) * select(fileIndex == 1)' filea.yaml fileb.yaml" will merge filea.yaml with fileb.yaml
53
+
${pkgs.yq-go}/bin/yq eval-all -P '${yqEvalStr}' ${yqEvalArgs} > ${cfg.dataPath}/config/default.yaml
55
+
${optionalString (cfg.accessTokenFile != null) ''
56
+
${pkgs.replace-secret}/bin/replace-secret '@ACCESS_TOKEN@' '${cfg.accessTokenFile}' ${cfg.dataPath}/config/default.yaml
58
+
${optionalString (cfg.pantalaimon.passwordFile != null) ''
59
+
${pkgs.replace-secret}/bin/replace-secret '@PANTALAIMON_PASSWORD@' '${cfg.pantalaimon.passwordFile}' ${cfg.dataPath}/config/default.yaml
65
+
options.services.mjolnir = {
66
+
enable = mkEnableOption "Mjolnir, a moderation tool for Matrix";
68
+
homeserverUrl = mkOption {
70
+
default = "https://matrix.org";
72
+
Where the homeserver is located (client-server URL).
74
+
If <literal>pantalaimon.enable</literal> is <literal>true</literal>, this option will become the homeserver to which <literal>pantalaimon</literal> connects.
75
+
The listen address of <literal>pantalaimon</literal> will then become the <literal>homeserverUrl</literal> of <literal>mjolnir</literal>.
79
+
accessTokenFile = mkOption {
80
+
type = with types; nullOr path;
83
+
File containing the matrix access token for the <literal>mjolnir</literal> user.
87
+
pantalaimon = mkOption {
89
+
<literal>pantalaimon</literal> options (enables E2E Encryption support).
91
+
This will create a <literal>pantalaimon</literal> instance with the name "mjolnir".
94
+
type = types.submodule {
96
+
enable = mkEnableOption ''
97
+
If true, accessToken is ignored and the username/password below will be
98
+
used instead. The access token of the bot will be stored in the dataPath.
101
+
username = mkOption {
103
+
description = "The username to login with.";
106
+
passwordFile = mkOption {
107
+
type = with types; nullOr path;
110
+
File containing the matrix password for the <literal>mjolnir</literal> user.
114
+
options = mkOption {
115
+
type = types.submodule (import ./pantalaimon-options.nix);
118
+
passthrough additional options to the <literal>pantalaimon</literal> service.
125
+
dataPath = mkOption {
127
+
default = "/var/lib/mjolnir";
129
+
The directory the bot should store various bits of information in.
133
+
managementRoom = mkOption {
135
+
default = "#moderators:example.org";
137
+
The room ID where people can use the bot. The bot has no access controls, so
138
+
anyone in this room can use the bot - secure your room!
139
+
This should be a room alias or room ID - not a matrix.to URL.
140
+
Note: <literal>mjolnir</literal> is fairly verbose - expect a lot of messages from it.
144
+
protectedRooms = mkOption {
145
+
type = types.listOf types.str;
147
+
example = literalExample ''
149
+
"https://matrix.to/#/#yourroom:example.org"
150
+
"https://matrix.to/#/#anotherroom:example.org"
154
+
A list of rooms to protect (matrix.to URLs).
158
+
settings = mkOption {
160
+
type = (pkgs.formats.yaml { }).type;
161
+
example = literalExample ''
163
+
autojoinOnlyIfManager = true;
164
+
automaticallyRedactForReasons = [ "spam" "advertising" ];
168
+
Additional settings (see <link xlink:href="https://github.com/matrix-org/mjolnir/blob/main/config/default.yaml">mjolnir default config</link> for available settings). These settings will override settings made by the module config.
173
+
config = mkIf config.services.mjolnir.enable {
176
+
assertion = !(cfg.pantalaimon.enable && cfg.pantalaimon.passwordFile == null);
177
+
message = "Specify pantalaimon.passwordFile";
180
+
assertion = !(cfg.pantalaimon.enable && cfg.accessTokenFile != null);
181
+
message = "Do not specify accessTokenFile when using pantalaimon";
184
+
assertion = !(!cfg.pantalaimon.enable && cfg.accessTokenFile == null);
185
+
message = "Specify accessTokenFile when not using pantalaimon";
189
+
services.pantalaimon-headless.instances."mjolnir" = mkIf cfg.pantalaimon.enable
191
+
homeserver = cfg.homeserverUrl;
192
+
} // cfg.pantalaimon.options;
194
+
systemd.services.mjolnir = {
195
+
description = "mjolnir - a moderation tool for Matrix";
196
+
wants = [ "network-online.target" ] ++ optionals (cfg.pantalaimon.enable) [ "pantalaimon-mjolnir.service" ];
197
+
after = [ "network-online.target" ] ++ optionals (cfg.pantalaimon.enable) [ "pantalaimon-mjolnir.service" ];
198
+
wantedBy = [ "multi-user.target" ];
201
+
ExecStart = ''${pkgs.mjolnir}/bin/mjolnir'';
202
+
ExecStartPre = [ generateConfig ];
203
+
WorkingDirectory = cfg.dataPath;
204
+
StateDirectory = "mjolnir";
205
+
StateDirectoryMode = "0700";
206
+
ProtectSystem = "strict";
207
+
ProtectHome = true;
209
+
NoNewPrivileges = true;
210
+
PrivateDevices = true;
212
+
Restart = "on-failure";
214
+
/* TODO: wait for #102397 to be resolved. Then load secrets from $CREDENTIALS_DIRECTORY+"/NAME"
215
+
DynamicUser = true;
216
+
LoadCredential = [] ++
217
+
optionals (cfg.accessTokenFile != null) [
218
+
"access_token:${cfg.accessTokenFile}"
220
+
optionals (cfg.pantalaimon.passwordFile != null) [
221
+
"pantalaimon_password:${cfg.pantalaimon.passwordFile}"
230
+
isSystemUser = true;
232
+
groups.mjolnir = { };
237
+
maintainers = with maintainers; [ jojosch ];
pyrox.dev