Hosting Matrix Moderation-Bot #58

Open
opened 2025-05-29 20:12:39 +00:00 by GhostPLACEHOLDER · 17 comments
Why?

The moderation on Matrix depends currently highly on the capabilities of the used clients (e.g. bulk deletion of spam comments).

A moderation tool like https://github.com/matrix-org/mjolnir would improve the management.

ToDo:

- [x] Decide if Mjolnir or Draupnir should be used (Moderation & DevOps team)
  - Only Mjolnir seems to support MAS (https://matrix.org/blog/2025/04/morg-now-running-mas/)
- [ ] Create configuration (Moderation team)
  - WIP: see attachment
- [x] Create bot user (Moderation team)
- [ ] Deploy to forgejo infrastructure (DevOps team) (https://github.com/matrix-org/mjolnir/blob/main/docs/setup.md)
- [ ] Setup and configure the bot (Moderation team)

> mjolnir-alpha-config.txt

This is a YAML file, right? Is it possible to specify more than one config file? That would be convenient to split the password part out of the rest. So that the config can be stored in the git repository while the password is stored in a secret in the cluster. If that's not possible, it is not a blocker, it is just not as easy.

it seems we need #242 to securely store secrets here. will try to add next days

@earl-warren wrote in https://code.forgejo.org/infrastructure/k8s-cluster/issues/415#issuecomment-37368:

> This is a YAML file, right?

Yes, needed to change the extension to upload the file.

@earl-warren wrote in https://code.forgejo.org/infrastructure/k8s-cluster/issues/415#issuecomment-37368:

> Is it possible to specify more than one config file?

As far as I can see this is not possible, it's also not possible to specify it as env variable.

- https://github.com/matrix-org/mjolnir/issues/602

I created `@forgejo-mod-bot:matrix.org` (`@forgejo-moderation-bot:matrix.org` is already registered by someone else) but it's fine and fluent :D

It is currently associated with an email from myself. I could change it to another one if we have a fitting one.

moderation-bot@forgejo.org was created just now and is forwarded to moderation@forgejo.org.

Does that help?

Changed the mail of the account

I can speak a bit about the various requirements laid out here that Draupnir meets.

Draupnir uses legacy long lived access tokens while we are waiting for MAS to implement proper service authentication like exists on platforms like Discord or Github. This is supported in MAS via legacy support. Whereas Mjolnir tries to login like a regular Matrix user and this is why Mjolnir needs to make special arrangements to support MAS.

Secrets can be loaded from separate secret files. This was implemented for environments that use secret management systems that allow file based secrets. NixOS with Systemd secret management was the environment that pushed the initial implementation but K8s is also a clear example of an environment that benefits. Documentation for secret management can be accessed here https://the-draupnir-project.github.io/draupnir-documentation/bot/starting_draupnir#secret-management

As for if E2EE is a good idea for your moderation bot that is a separate topic that the Draupnir documentation covers in https://the-draupnir-project.github.io/draupnir-documentation/concepts/encryption

> This is supported in MAS via legacy support.

Ok, I'll have to look that up. In general, I would be in favour of Draupnir.

Ok, so we can use Draupnir, which also solves the secret management.

I attached a sample configuration which should be fine. (Will only update the wordlist probably in the future 🤔).

You probably want to activate the `health` setting to do automatic health checks in k8s.

https://the-draupnir-project.github.io/draupnir-documentation/bot/systemd

Regarding secrets: https://the-draupnir-project.github.io/draupnir-documentation/bot/starting_draupnir#secret-management
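
The file-based secret loading and the `health` setting discussed above can be combined in one Deployment. The following is an added example, not a manifest from this repository or from the Draupnir project. The resource names, namespace, image tag and mount paths are assumptions, and the `--draupnir-config` and `--access-token-path` options are the ones described in the linked Draupnir documentation and should be checked against the deployed version.

```yaml
# Added example: config comes from git, the access token from a cluster Secret.
# All names, the namespace, the image tag and the mount paths are assumptions.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: draupnir
  namespace: draupnir                          # the bot lives in its own namespace
spec:
  replicas: 1
  selector:
    matchLabels: {app: draupnir}
  template:
    metadata:
      labels: {app: draupnir}
    spec:
      containers:
        - name: draupnir
          image: gnuxie/draupnir:PINNED_TAG    # placeholder tag, pin a real release
          args:
            - bot
            - --draupnir-config
            - /config/production.yaml          # non-secret settings only
            - --access-token-path
            - /run/secrets/draupnir/access-token
          ports:
            - {name: health, containerPort: 8080}
          # Needs health.healthz.enabled: true in the config (port 8080, /healthz).
          livenessProbe:
            httpGet: {path: /healthz, port: health}
            periodSeconds: 30
          volumeMounts:
            - {name: config, mountPath: /config, readOnly: true}
            - {name: token, mountPath: /run/secrets/draupnir, readOnly: true}
            - {name: data, mountPath: /data}
      volumes:
        - name: config
          configMap: {name: draupnir-config}   # rendered from the YAML kept in git
        - name: token
          secret:
            secretName: draupnir-access-token  # created out of band, never committed
            items:
              - {key: access-token, path: access-token}
        - name: data
          persistentVolumeClaim: {claimName: draupnir-data}
```

With this layout the `accessToken` value in the committed config stays a dummy, so the repository never holds the live token.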

@viceice comments in the chatroom for the record.

> if there is a helm chart, then it's probably easy
> https://invisible.forgejo.org/infrastructure/k8s-cluster/src/branch/main/flux/apps/monitoring/kube-prometheus.yaml needs something like that
> if not, then you probably need to manually create a chart
> https://invisible.forgejo.org/infrastructure/k8s-cluster/src/branch/main/flux/apps/charts/git-mirror
> something like that
> it should reside in its own namespace
> https://invisible.forgejo.org/infrastructure/k8s-cluster/src/branch/main/flux/infrastructure/namespaces

https://github.com/the-draupnir-project/helm-charts is WIP

https://github.com/the-draupnir-project/helm-charts/blob/57a29f5e61be20a73e69878d13d79a96c0611a9a/charts/draupnir/values.yaml#L119 the token can only be provided in cleartext

https://github.com/the-draupnir-project/helm-charts/issues/1

@earl-warren wrote in https://invisible.forgejo.org/infrastructure/k8s-cluster/issues/415#issuecomment-3934:

> https://github.com/the-draupnir-project/helm-charts/issues/1

Sounds like the chart is in its early days and the ticket is just a reminder for somewhere in the future 🤔

@earl-warren what's the best/preferred way to provide you the access token and in the best case I also provide the username and password for gopass.

ToDo: I need to update the docs page, it still links to the meta repo and the secret keepers team...

A message via matrix would be fine.

@earl-warren wrote in https://invisible.forgejo.org/infrastructure/k8s-cluster/issues/415#issuecomment-3937:

> A message via matrix would be fine.

Done

https://github.com/the-draupnir-project/helm-charts is soft forked at https://code.forgejo.org/forgejo-contrib/draupnir-helm-charts in order to produce releases and maintain hacks/fixes until an official release is ready.
