add mjolnir

configuration.nix

@@ -40,6 +40,8 @@ in {
     lshw
     pciutils
     gitea
+    matrix-synapse-tools.synadm
+    matrix-synapse
 #    ffmpeg-full
 
     pufferpanel

flake.nix

@@ -32,6 +32,7 @@
           ./modules/nextcloud.nix
           ./modules/prometheus.nix
           ./modules/letsencrypt.nix
+          ./modules/mjolnir.nix
           ./modules/fail2ban.nix
           ./modules/email.nix
           ./modules/mastodon.nix

modules/matrix.nix

@@ -68,11 +68,14 @@ host    replication     all             ::1/128                 md5
       suppress_key_server_warning = true;
       server_name = root_host;
       public_baseurl = "https://${root_host}";
-      enable_registration = false;
-      enable_registration_without_verification = true;
+      enable_registration = true;
+      registration_requires_token = true;
+      registration_shared_secret_path = config.age.secrets.synapse_registration_shared_secret.path;
+#      enable_registration_without_verification = true;
 #      mainLogConfig = ./matrix_synapse_log_config.yaml;
 
 #      registrations_require_3pid = [ "email" ];
+
       database = {
         name = "psycopg2";
         args = {
@@ -101,6 +104,13 @@ host    replication     all             ::1/128                 md5
     group = "matrix-synapse";
     mode = "0600";
   };
+  age.secrets.synapse_registration_shared_secret = {
+    file = ../secrets/synapse_registration_shared_secret.age;
+    owner = "matrix-synapse";
+    group = "matrix-synapse";
+    mode = "0600";
+  };
+
 
   services.nginx = {
     enable = true;

modules/mjolnir.nix

@@ -0,0 +1,38 @@
+{ config, ... } : 
+let
+
+in {
+  age.secrets = {
+    matrix_mjolnir_pass = {
+      file = ../secrets/matrix_mjolnir_pass.age;
+      owner = "mjolnir";
+      group = "mjolnir";
+      mode = "0600";
+    };
+  matrix_mjolnir_token = {
+      file = ../secrets/matrix_mjolnir_token.age;
+      owner = "mjolnir";
+      group = "mjolnir";
+      mode = "0600";
+    };
+  };
+
+  
+  services.mjolnir = {
+    enable = true;
+    homeserverUrl = config.services.matrix-synapse-next.settings.public_baseurl;
+    protectedRooms = [
+      "https://matrix.to/#/!zDkrFrfuMIKbqYFbFv:grimmauld.de"
+    ];
+#    accessTokenFile = config.age.secrets.matrix_mjolnir_token.path;
+    managementRoom = "!kgfXXqEYHGgToIwhMP:grimmauld.de";
+    pantalaimon = {
+      enable = true;
+      username = "mjolnir";
+      options = {
+        homeserver = config.services.matrix-synapse-next.settings.public_baseurl;
+      };
+      passwordFile = config.age.secrets.matrix_mjolnir_pass.path;
+    };
+  };
+}

secrets/matrix_admin_pass.age

@@ -0,0 +1,16 @@
+age-encryption.org/v1
+-> ssh-rsa jWbwAg
+Y34uAa+VEd/xy3iIs0rDEpF9iBQVpU//AQcTpP/lo1idGdUbVS2KeqkWZiGFfiOL
+PZNBZ9TkQhqKvw4dD7xdVNZoO9R2O9KApMIAtf4XRN+YvNA6l9dnpu/UDLFzh2F0
+NJY4TXRXJPRB3k5ngbCvYv2anQ6yMi7cpHZNEIgM/LdKGJ/56YHXQAxtOe4o+0Mz
+Q1FQOsEFGa2Kb5f5D9wdjfZvDkoUzG9W2Cao2GAKdtJQx0yAP3T4uEt+22nYo5OB
+mOuKJ0qNwfoSk0ErC+dYlkgknG6W4QsxA/G7ZMzFq/E70yNzAOAViXPMRSnJYpr2
+p2C8nhQ3lhlS2bFu46Jgi4NTj9FvnABVH+QiwL3P+WtqCMGy+LRfHDMJ1i14M35/
+6cTaeSw1d4UiZekxgCsHXrT4BipC70pH+9vZYGTVzP3SxfkbilwhQJvpREnNZq1o
+e2vfMHod3syDvZfYEILayODY+WwuqVp4O6NIOoPNygKwdoN+DiYKs7vhUFXU/AWA
+iVL5jQ0p4fI7qQm/jrNL3E7Mj+FMYQMBKTvSjF8O/YFBymsDtcN0bLlKIOdSdLP/
+Tm0tffNargbnrF9a4ZNjOihbNYocDfID7hyFsdpqF9TsANXeiRkBGWT/RnOzMBs0
+QZLz3iChOR87PPC4loqZJpQSYLnQ77m7ZcODzDnScwo
+--- UWFxzIGon0JaPMjmKUkZQGNLa44SSusFKXVb3eGhyFE
+̶¼w“ÂT©XP=žïÓ/m$nyßwϧç¿ð«‰,þïoùïƒØNé0Fò ’ø±,øî<C3B8>
+¡d
+ËSâ”

secrets/matrix_mjolnir_pass.age

@@ -0,0 +1,16 @@
+age-encryption.org/v1
+-> ssh-rsa jWbwAg
+jXawkbb/FkE0/pdY3wvHC+iVx9RgIB7ytAKsk+mxx0hhwAOZL4oswvvKsnYdkUjv
+5UMexnENT9I1+ZLyVMusvxvlMM+LxZtkNOLCylFF4G/Xyrq6QS5NMFK5aD0slT1U
+nwufnIABuheku4yK3W/lYJcwsHT+lFfkSyqXw214AMHI37YVnsSxgjgV3KhC9ZhG
+dxWG010li/7uFh1+/006+DKoa7VejrJM7OUeUVCjBjSwYazMUAi8okuaZzhMeeWG
+sC8v7RmnZTM/mS0nBu0wcZxUB7Vz2c2evBNUuARELfMzxRfh9yIQMzg3k5A7xNqC
+qjj3KchocgNPoTrzG/x4uFFhCmF523LJ/85IlFIQ8X/1MrAgZg/L5N5fEmhHLRG6
+yVGRm0xs9wEWf1ZzSPALHO/fLUa6K+9IEo9e5Ne3+HtzeiSrlBTgAThm4iS/j9gJ
+Gh5cnAuG8dmvZsnV0VJLZCCa938PugsKxsbEGRgtIwj5FaBudLd6DzNwqq9n88Y3
+H3Vnc56ru/XWHVTnVNKAstXkUmAxCH2SKpETXgb2Nd7aLBEYd0Dp334wdYOYaBnR
+3p0jTTpU2TFA8zfLJRy0CnElfC11YYp5aF3+ONEuGFbiAdFSoixRd0xUdxKvQ6Ym
+KK875Yhl3KBCbQGHGzT9TRwqFv4GM5gntoV6QFXv8R4
+--- mty/HLWaSdsD6bxDTO2KJ9itaRpuI1OKyH3+KAMX6TM
+j©¡©Ÿžƒ÷¼ÍhŒV¹4*µ °á
+ÿÞ…tñÝ3šJ0ð!ÁhFB‚¹”'Ráxí¶}jÒJ¥

secrets/matrix_mjolnir_token.age

@@ -0,0 +1,16 @@
+age-encryption.org/v1
+-> ssh-rsa jWbwAg
+GW+ky3+OLl0Q1pGVEH5Dqe5VTDrjDT+aCQxOtGDe35j9KWP1FetwlE/OpptKiV+R
+aKtWBHApRWXVTv5MhidcrAqTQ7E/D3Lly1QTscymRoXDXUeuybbAus/Dq8ZwFAsY
+/Wae0hvVtPoVi4P/HO9KHZ6oMGBzmBgASjblry84QEpY3XCWMUr92ZeXKO70bw/F
+uoGnBsvDqQTSWiYLD7yyw96f9t/nOUiEmtXvJvlDf/CzVjMEmZV9qgiAFVLbx03v
+8EE+I2cwPDXk/ELrxZQ7aNOepYKaHABewARZpgzvgCylnpdm2qqlbs2mcvQgnjrF
+MiVP8XQOjB5Tsmcl9qZxyGHdTouDulneOdkHuqHvXV1qM4LRptyCftgsxvWjwSk/
+sp/5dVYEKBtFhV3vdbc/NJM2/Xm2ZiXpKU5MBQU4igkvoDqd5vKRzGbyLW5XnDzj
+ynQ7sQ/cRXDXGRU96mm0wqCvTkPc93bUvaHjy5pvSqsLLHWyF/RzJ05DnaxNNSUe
+L7LEz11p+d3VPl9B3whd2+XJPoUg7WxP5HEplK3+ioEgSxZHUj7AIIOnxWBeWQKB
+c7SpfrOi8/Xyxzjsprzz6EEjNVj6oj9JXMDdon8D40dmHNX5fLmhyOhGrRpYMfq8
+9e62FJpqL+ArlfvT6wnH2aQ0tBl0751fR+baCSHDWBg
+--- pOWxhByGuQR+DCAWTEUID2qtKDmWxUmeAMENrwNueOQ
+B+Ä=ã²9Ö44“<34>x³Ú
â0
v%ä`Hsâ·T
+u«’!D©-óŠÜQÅàÙ_)<19>l«jƒm/è$ÉvWß:¼wåܵ‹<C2B5>û

secrets/secrets.nix

@@ -9,4 +9,8 @@ in
   "grafana_admin_pass.age".publicKeys = [ contabo_nix_pub ];
   "nextcloud_admin_pass.age".publicKeys = [ contabo_nix_pub ];
   "nextcloud_db_pass.age".publicKeys = [ contabo_nix_pub ];
+  "synapse_registration_shared_secret.age".publicKeys = [ contabo_nix_pub ];
+  "matrix_admin_pass.age".publicKeys = [ contabo_nix_pub ];
+  "matrix_mjolnir_token.age".publicKeys = [ contabo_nix_pub ];
+  "matrix_mjolnir_pass.age".publicKeys = [ contabo_nix_pub ];
 }