nixos/draupnir: init, nixosTests.draupnir: init #400194
Conversation
@TheArcaneBrony feel free to cherry-pick my commit to fix the manual build: teutat3s@5b44d46

We probably need a way to securely provide the

I did a first stab at it in my fork of this PR (teutat3s@726c08d, teutat3s@92dcdc4).

The changes you applied from me require hooking up the flag within the test. Right now both test cases are the same.

Marking this as draft because it still needs some work (e.g. the tests don't eval for multiple reasons). @TheArcaneBrony would you be fine if I implement the remaining To-Dos and review feedback by simply pushing the changes to your branch/PR? :)

@emilylange i suppose you have push access, so go for it :) i can sync whenever
@emilylange @TheArcaneBrony I am a Summer of Nix 2025 participant and this is one of our intended packages. If it is okay with y'all, I would be more than happy to take over and start working on it (and I would provide credit to you both). Let me know what you think.
@ethancedwards8 hi, thanks for asking.

Sounds good. Thank you! We thought we would offer :). I would be more than happy to help review.
Force-pushed 596cb4d to 2d552c5
Force-pushed 2d552c5 to 9e50f97
emilylange left a comment:
I believe this is ready to review now :)
I added this warning, because unlike the option reference in the manual, https://search.nixos.org/options hides the fact that this is a read-only option.
E.g. https://nixos.org/manual/nixos/unstable/options#opt-services.kanidm.serverSettings.db_path vs https://search.nixos.org/options?channel=unstable&show=services.kanidm.serverSettings.db_path
Previously this had serviceConfig.StartLimitBurst= "infinity" which was ignored because it should have been in unitConfig.
I am not sure if I agree on having draupnir.service restart indefinitely, but I suppose there is a case where one does not want one's moderation bot to be down indefinitely because something caused it to crash.
Either way, this fixes the implementation of those endless restarts.
Open to discuss.
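To make the placement point concrete, here is an added illustration that is not code from this PR or from the Draupnir module: the start-rate-limit key under serviceConfig (where the review says it had no effect) next to the same intent expressed under unitConfig. The service name, the Restart and RestartSec values are assumptions. Because StartLimitBurst takes an unsigned count rather than the string "infinity", the example disables the limit the way systemd.unit(5) documents it, with StartLimitIntervalSec = 0; a unit configured this way will never be held back by a crash loop, so the journal is the only place such a loop becomes visible.

```nix
# Added example, not the nixos/draupnir module itself. Shows which systemd section
# the start-rate-limit directives belong to. Names and values are assumptions.
{
  systemd.services.draupnir = {
    # Misplaced: StartLimitBurst is a [Unit] directive. Under [Service] it did not
    # take effect, as noted in the review. Left commented out to show the mistake.
    # serviceConfig.StartLimitBurst = "infinity";

    # Correct section: [Unit]. StartLimitIntervalSec = 0 disables start-rate limiting
    # entirely (systemd.unit(5)); StartLimitBurst would need an integer, not "infinity".
    unitConfig.StartLimitIntervalSec = 0;

    serviceConfig = {
      # Restart= and RestartSec= are [Service] directives and stay here.
      Restart = "on-failure";
      RestartSec = "5s";
    };
  };
}
```

With this in place `systemctl show draupnir.service -p StartLimitIntervalUSec` reports 0, and a repeatedly crashing bot is restarted every 5 seconds; `journalctl -u draupnir.service` is where to look for the underlying failure.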
Keep in mind Draupnir hardcrashes by design on seemingly benign errors, like being unable to sync due to slow server startup etc.
As mentioned in #400194 (comment), I removed the Pantalaimon "shortcut" options.
Initially they were simply copied over from nixos/mjolnir.
I have fairly strong opinions on this. Pantalaimon is deprecated, marked as insecure in nixpkgs and should no longer be used.
Upstream is also very vocal about not recommending using Pantalaimon with Draupnir:
- https://the-draupnir-project.github.io/draupnir-documentation/bot/encryption
- https://the-draupnir-project.github.io/draupnir-documentation/shared/dogfood#e2ee-support
Those that for some reason want to use Pantalaimon with Draupnir anyway can configure services.pantalaimon-headless.instances on their own.
I do not believe carrying over the options from services.mjolnir.pantalaimon is worth the complexity and a VM test for it would not be run by hydra.nixos.org anyway because olm is marked as insecure and thus skipped.
RFC 42 for those coming from services.mjolnir.
I kept it at top-level.
Should be easier to spot this way and I don't think there are even remotely enough secrets to justify making this truly generic.
I am open to move those into services.draupnir.secrets.accessToken and services.draupnir.secrets.pantalaimon.password nonetheless.
Just not free-form.
https://search.nixos.org/options?channel=unstable&show=services.forgejo.secrets for reference by what I mean by "truly generic".
With the addition of a third secret for --http-antispam-authorization-path/web.synapseHTTPAntispam.authorization via #400194 (comment) I decided to move the secrets from top-level to services.draupnir.secrets, matching the structure of services.draupnir.settings:
- cfg.secrets.accessToken for cfg.settings.accessToken
- cfg.secrets.pantalaimon.password for cfg.settings.pantalaimon.password
- cfg.secrets.web.synapseHTTPAntispam.authorization for cfg.settings.web.synapseHTTPAntispam.authorization
I suggest deferring sandboxing to some future PR, if someone is interested in this.
I removed some options that are already implied by DynamicUser=true.
Force-pushed 9e50f97 to e1f3095
```shell
# git fetch origin master
# git fetch origin 596cb4db3f6531f637d116c7a5f8566a91ae6cd3
# git fetch origin pull/400194/head
# git range-diff --creation-factor=100 origin/master 596cb4db3f6531f637d116c7a5f8566a91ae6cd3 FETCH_HEAD
```

At least until 596cb4db3f6531f637d116c7a5f8566a91ae6cd3 (the
mweinelt left a comment:
Thanks, that makeover looks awesome!
Thank you for pushing this closer to the finish line.
Force-pushed e1f3095 to ba8d294
@teutat3s I implemented Note that I did not test this. It should just work though.
I tested this PR on a staging server and it works fine. One thing I forgot to mention earlier: we might want to set a default for rawHomeserverUrl or expose it via settings (we already expose it via settings as well).
The settings.web functionality depends on it being correctly set and it defaults to http://localhost:8008, which does not work with e.g. synapse workers.
Maybe just default it to the same value as homeserverUrl and mention it?
Co-authored-by: emilylange <git@emilylange.de> Co-authored-by: Martin Weinelt <hexa@darmstadt.ccc.de> Co-authored-by: teutat3s <10206665+teutat3s@users.noreply.github.com>
Force-pushed ba8d294 to d6413ba
Thank you so much, this works. Tested with:
- accessToken
- web.synapseHTTPAntispam.authorization
- services.draupnir.settings.web.enabled = true;
- services.draupnir.settings.web.synapseHTTPAntispam.enabled = true;

Example config:
```nix
{
  services.matrix-synapse = {
    ...
    plugins = with config.services.matrix-synapse.package.plugins; [
      synapse-http-antispam
    ];
    modules = [
      {
        # https://the-draupnir-project.github.io/draupnir-documentation/bot/synapse-http-antispam
        # https://github.com/maunium/synapse-http-antispam
        module = "synapse_http_antispam.HTTPAntispam";
        config = {
          base_url = "http://${config.services.draupnir.settings.web.address}:${toString config.services.draupnir.settings.web.port}/api/1/spam_check";
          authorization_path = "<http-antispam-authorization-file>";
          enabled_callbacks = [
            "check_event_for_spam"
            "user_may_invite"
            "user_may_join_room"
          ];
          fail_open = {
            check_event_for_spam = true;
            user_may_invite = true;
            user_may_join_room = true;
          };
          async = {
            check_event_for_spam = true;
          };
        };
      }
    ];
  };
  services.draupnir = {
    enable = true;
    secrets = {
      accessToken = "<access-token-file>";
      web.synapseHTTPAntispam.authorization = "<http-antispam-authorization-file>";
    };
    settings = {
      # https://github.com/the-draupnir-project/Draupnir/blob/main/config/default.yaml
      homeserverUrl = "<homeserver-url>";
      managementRoom = "#moderators:example.org";
      protectAllJoinedRooms = true;
      recordIgnoredInvites = true;
      automaticallyRedactForReasons = [
        "*spam"
        "advertising"
      ];
      web = {
        enabled = true;
        port = 8080;
        address = "127.0.200.101";
        abuseReporting.enabled = true;
        synapseHTTPAntispam.enabled = true;
      };
    };
  };
}
```
Backport failed for Please cherry-pick the changes locally and resolve any conflicts.

```shell
git fetch origin release-25.05
git worktree add -d .worktree/backport-400194-to-release-25.05 origin/release-25.05
cd .worktree/backport-400194-to-release-25.05
git switch --create backport-400194-to-release-25.05
git cherry-pick -x 4b153aad5d363b9d88ca4b47b4628f8032d05863 d6413ba43682273de9595d4193f64209ff8d770e
```
Just wanted to again thank everyone involved in the past two years for getting this from #222939 to merged.
Description of changes
NOTE: This PR is a successor of #398457.
Scope change: The package has been merged in #398489! 🎉
Original description:
Draupnir is a hard fork of Mjolnir. The Mjolnir package has been unmaintained due to upstream bugs. This package is mostly a drop-in replacement. This package also uses newer methods of handling dependencies.
Repository can be found at:
https://github.com/the-draupnir-project/Draupnir
Note on testing: package and module were (and still are) tested in our production environment, works fine as far as it's been used.
Note on replacing Mjolnir: Not sure whether this is appropriate, due to general usage of the bot changing. You can however fully automatically migrate from mjolnir to draupnir.
Things done
- Sandboxing in nix.conf (see Nix manual): sandbox = relaxed / sandbox = true
- nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD" (note: all changes have to be committed; also see nixpkgs-review usage)
- Binary files in ./result/bin/