about summary refs log tree commit diff
diff options
context:
space:
mode:
authorsefidel <contact@sefidel.net>2023-07-09 15:48:36 +0900
committersefidel <contact@sefidel.net>2023-07-09 15:53:28 +0900
commit99f6c0b130dd37673ebc94901db2db19d9a4655a (patch)
treef4ed655ef2ded212a05c01fe05136326be24d16e
parent758b66d8787758790018d5dd33a734b3e0d3f1ae (diff)
downloadinfra-99f6c0b130dd37673ebc94901db2db19d9a4655a.tar.gz
infra-99f6c0b130dd37673ebc94901db2db19d9a4655a.zip
chore(flake): bump
-rw-r--r--TODO.md2
-rw-r--r--flake.lock54
-rw-r--r--modules/services/matrix-moderation.nix8
-rw-r--r--modules/services/nixos-mailserver.nix2
-rw-r--r--overlays/default.nix1
-rw-r--r--overlays/mjolnir-module/default.nix242
-rw-r--r--overlays/mjolnir-module/mjolnir.md110
-rw-r--r--overlays/mjolnir-module/pantalaimon-options.nix70
-rw-r--r--overlays/mjolnir-package/default.nix80
-rw-r--r--overlays/mjolnir-package/package.json69
-rw-r--r--overlays/mjolnir-package/pin.json5
-rwxr-xr-xoverlays/mjolnir-package/update.sh36
-rw-r--r--systems/cobalt/default.nix2
13 files changed, 37 insertions, 644 deletions
diff --git a/TODO.md b/TODO.md
index b08a964..8338818 100644
--- a/TODO.md
+++ b/TODO.md
@@ -1,7 +1,5 @@
 # infra->todo
 
-* BEFORE-RELEASE: send mjolnir patch upstream
-
 * move dendrite and matrix-\* modules to modules/matrix/[..]
 * Ensure functionality on polylith setup
     1. Mirror userdb (mirror ldap, or migrate to pgsql+libnss-pgsql)
diff --git a/flake.lock b/flake.lock
index 158573d..b7cbc7b 100644
--- a/flake.lock
+++ b/flake.lock
@@ -49,11 +49,11 @@
     },
     "impermanence": {
       "locked": {
-        "lastModified": 1682268411,
-        "narHash": "sha256-ICDKQ7tournRVtfM8C2II0qHiOZOH1b3dXVOCsgr11o=",
+        "lastModified": 1684264534,
+        "narHash": "sha256-K0zr+ry3FwIo3rN2U/VWAkCJSgBslBisvfRIPwMbuCQ=",
         "owner": "nix-community",
         "repo": "impermanence",
-        "rev": "df1692e2d9f1efc4300b1ea9201831730e0b817d",
+        "rev": "89253fb1518063556edd5e54509c30ac3089d5e6",
         "type": "github"
       },
       "original": {
@@ -70,14 +70,15 @@
           "unstable"
         ],
         "nixpkgs-22_11": "nixpkgs-22_11",
+        "nixpkgs-23_05": "nixpkgs-23_05",
         "utils": "utils"
       },
       "locked": {
-        "lastModified": 1671738303,
-        "narHash": "sha256-PRgqtaWf2kMSYqVmcnmhTh+UsC0RmvXRTr+EOw5VZUA=",
+        "lastModified": 1688586836,
+        "narHash": "sha256-5uLYGa+8lysS1X5ehdU3ewmrMIG8p9+qS7yJ0LyhMHs=",
         "owner": "simple-nixos-mailserver",
         "repo": "nixos-mailserver",
-        "rev": "6d0d9fb966cc565a3df74d3b686f924c7615118c",
+        "rev": "d460e9ff62ea1238fb3348a87326b743ae177902",
         "type": "gitlab"
       },
       "original": {
@@ -133,18 +134,33 @@
         "type": "indirect"
       }
     },
+    "nixpkgs-23_05": {
+      "locked": {
+        "lastModified": 1684782344,
+        "narHash": "sha256-SHN8hPYYSX0thDrMLMWPWYulK3YFgASOrCsIL3AJ78g=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "8966c43feba2c701ed624302b6a935f97bcbdf88",
+        "type": "github"
+      },
+      "original": {
+        "id": "nixpkgs",
+        "ref": "nixos-23.05",
+        "type": "indirect"
+      }
+    },
     "nixpkgs-stable": {
       "locked": {
-        "lastModified": 1682173319,
-        "narHash": "sha256-tPhOpJJ+wrWIusvGgIB2+x6ILfDkEgQMX0BTtM5vd/4=",
+        "lastModified": 1688868408,
+        "narHash": "sha256-RR9N5XTAxSBhK8MCvLq9uxfdkd7etC//seVXldy0k48=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "ee7ec1c71adc47d2e3c2d5eb0d6b8fbbd42a8d1c",
+        "rev": "510d721ce097150ae3b80f84b04b13b039186571",
         "type": "github"
       },
       "original": {
         "owner": "NixOS",
-        "ref": "release-22.11",
+        "ref": "release-23.05",
         "repo": "nixpkgs",
         "type": "github"
       }
@@ -187,11 +203,11 @@
         "nixpkgs-stable": "nixpkgs-stable"
       },
       "locked": {
-        "lastModified": 1682338428,
-        "narHash": "sha256-T7AL/Us6ecxowjMAlO77GETTQO2SO+1XX2+Y/OSfHk8=",
+        "lastModified": 1688873469,
+        "narHash": "sha256-9TMSXvXmrr7bDYi+WeskWe/yho9UP01dGbV9vW5bRVc=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "7c8e9727a2ecf9994d4a63d577ad5327e933b6a4",
+        "rev": "b2047c8fc963407916ad3834165309007dc5a1f7",
         "type": "github"
       },
       "original": {
@@ -202,11 +218,11 @@
     },
     "unstable": {
       "locked": {
-        "lastModified": 1682453498,
-        "narHash": "sha256-WoWiAd7KZt5Eh6n+qojcivaVpnXKqBsVgpixpV2L9CE=",
+        "lastModified": 1688679045,
+        "narHash": "sha256-t3xGEfYIwhaLTPU8FLtN/pLPytNeDwbLI6a7XFFBlGo=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "c8018361fa1d1650ee8d4b96294783cf564e8a7f",
+        "rev": "3c7487575d9445185249a159046cc02ff364bff8",
         "type": "github"
       },
       "original": {
@@ -218,11 +234,11 @@
     },
     "unstable-small": {
       "locked": {
-        "lastModified": 1682476574,
-        "narHash": "sha256-diM+haOZnOUPOp3dLLbuAgEZBCE7Iv9iyNzO5YVmwq0=",
+        "lastModified": 1688838498,
+        "narHash": "sha256-eVUXBuBLbhP5j0Q0Gk0lDTNVvQyFqXJuHVPBFZ/dDBY=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "8bac227a5a27ba29240e496e3e3fd55a2351f68b",
+        "rev": "1cfa64e7bd6f4f6d5dc3b28ec3e88139c45b36f8",
         "type": "github"
       },
       "original": {
diff --git a/modules/services/matrix-moderation.nix b/modules/services/matrix-moderation.nix
index c8f0702..f2b76eb 100644
--- a/modules/services/matrix-moderation.nix
+++ b/modules/services/matrix-moderation.nix
@@ -7,14 +7,6 @@ let
   cfg = config.modules.services.matrix-moderation;
 in
 {
-  disabledModules = [
-    "services/matrix/mjolnir.nix"
-  ];
-
-  imports = [
-    ../../overlays/mjolnir-module
-  ];
-
   options.modules.services.matrix-moderation = {
     enable = mkEnableOption "matrix-moderation";
     domain = mkOption { type = types.str; };
diff --git a/modules/services/nixos-mailserver.nix b/modules/services/nixos-mailserver.nix
index cba1386..b361287 100644
--- a/modules/services/nixos-mailserver.nix
+++ b/modules/services/nixos-mailserver.nix
@@ -89,7 +89,7 @@ in
         };
       };
       localDnsResolver = false;
-      certificateScheme = 1;
+      certificateScheme = "manual";
       certificateFile = "${config.security.acme.certs."exotic.sh".directory}/cert.pem";
       keyFile = "${config.security.acme.certs."exotic.sh".directory}/key.pem";
       enableImap = true;
diff --git a/overlays/default.nix b/overlays/default.nix
index 353d5bd..3c5f857 100644
--- a/overlays/default.nix
+++ b/overlays/default.nix
@@ -1,4 +1,3 @@
 self: super: {
-  mjolnir = super.callPackage ./mjolnir-package { };
   sliding-sync = super.callPackage ./sliding-sync.nix { };
 }
diff --git a/overlays/mjolnir-module/default.nix b/overlays/mjolnir-module/default.nix
deleted file mode 100644
index 87ed761..0000000
--- a/overlays/mjolnir-module/default.nix
+++ /dev/null
@@ -1,242 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-with lib;
-let
-  cfg = config.services.mjolnir;
-
-  yamlConfig = {
-    inherit (cfg) dataPath managementRoom protectedRooms;
-
-    accessToken = "@ACCESS_TOKEN@"; # will be replaced in "generateConfig"
-    homeserverUrl =
-      if cfg.pantalaimon.enable then
-        "http://${cfg.pantalaimon.options.listenAddress}:${toString cfg.pantalaimon.options.listenPort}"
-      else
-        cfg.homeserverUrl;
-
-    rawHomeserverUrl = cfg.homeserverUrl;
-
-    pantalaimon = {
-      inherit (cfg.pantalaimon) username;
-
-      use = cfg.pantalaimon.enable;
-      password = "@PANTALAIMON_PASSWORD@"; # will be replaced in "generateConfig"
-    };
-  };
-
-  moduleConfigFile = pkgs.writeText "module-config.yaml" (
-    generators.toYAML { } (filterAttrs (_: v: v != null)
-      (fold recursiveUpdate { } [ yamlConfig cfg.settings ])));
-
-  # these config files will be merged one after the other to build the final config
-  configFiles = [
-    "${pkgs.mjolnir}/libexec/mjolnir/deps/mjolnir/config/default.yaml"
-    moduleConfigFile
-  ];
-
-  # this will generate the default.yaml file with all configFiles as inputs and
-  # replace all secret strings using replace-secret
-  generateConfig = pkgs.writeShellScript "mjolnir-generate-config" (
-    let
-      yqEvalStr = concatImapStringsSep " * " (pos: _: "select(fileIndex == ${toString (pos - 1)})") configFiles;
-      yqEvalArgs = concatStringsSep " " configFiles;
-    in
-    ''
-      set -euo pipefail
-
-      umask 077
-
-      # mjolnir will try to load a config from "./config/default.yaml" in the working directory
-      # -> let's place the generated config there
-      mkdir -p ${cfg.dataPath}/config
-
-      # merge all config files into one, overriding settings of the previous one with the next config
-      # e.g. "eval-all 'select(fileIndex == 0) * select(fileIndex == 1)' filea.yaml fileb.yaml" will merge filea.yaml with fileb.yaml
-      ${pkgs.yq-go}/bin/yq eval-all -P '${yqEvalStr}' ${yqEvalArgs} > ${cfg.dataPath}/config/default.yaml
-
-      ${optionalString (cfg.accessTokenFile != null) ''
-        ${pkgs.replace-secret}/bin/replace-secret '@ACCESS_TOKEN@' '${cfg.accessTokenFile}' ${cfg.dataPath}/config/default.yaml
-      ''}
-      ${optionalString (cfg.pantalaimon.passwordFile != null) ''
-        ${pkgs.replace-secret}/bin/replace-secret '@PANTALAIMON_PASSWORD@' '${cfg.pantalaimon.passwordFile}' ${cfg.dataPath}/config/default.yaml
-      ''}
-    ''
-  );
-in
-{
-  options.services.mjolnir = {
-    enable = mkEnableOption (lib.mdDoc "Mjolnir, a moderation tool for Matrix");
-
-    homeserverUrl = mkOption {
-      type = types.str;
-      default = "https://matrix.org";
-      description = lib.mdDoc ''
-        Where the homeserver is located (client-server URL).
-
-        If `pantalaimon.enable` is `true`, this option will become the homeserver to which `pantalaimon` connects.
-        The listen address of `pantalaimon` will then become the `homeserverUrl` of `mjolnir`.
-      '';
-    };
-
-    accessTokenFile = mkOption {
-      type = with types; nullOr path;
-      default = null;
-      description = lib.mdDoc ''
-        File containing the matrix access token for the `mjolnir` user.
-      '';
-    };
-
-    pantalaimon = mkOption {
-      description = lib.mdDoc ''
-        `pantalaimon` options (enables E2E Encryption support).
-
-        This will create a `pantalaimon` instance with the name "mjolnir".
-      '';
-      default = { };
-      type = types.submodule {
-        options = {
-          enable = mkEnableOption (lib.mdDoc ''
-            If true, accessToken is ignored and the username/password below will be
-            used instead. The access token of the bot will be stored in the dataPath.
-          '');
-
-          username = mkOption {
-            type = types.str;
-            description = lib.mdDoc "The username to login with.";
-          };
-
-          passwordFile = mkOption {
-            type = with types; nullOr path;
-            default = null;
-            description = lib.mdDoc ''
-              File containing the matrix password for the `mjolnir` user.
-            '';
-          };
-
-          options = mkOption {
-            type = types.submodule (import ./pantalaimon-options.nix);
-            default = { };
-            description = lib.mdDoc ''
-              passthrough additional options to the `pantalaimon` service.
-            '';
-          };
-        };
-      };
-    };
-
-    dataPath = mkOption {
-      type = types.path;
-      default = "/var/lib/mjolnir";
-      description = lib.mdDoc ''
-        The directory the bot should store various bits of information in.
-      '';
-    };
-
-    managementRoom = mkOption {
-      type = types.str;
-      default = "#moderators:example.org";
-      description = lib.mdDoc ''
-        The room ID where people can use the bot. The bot has no access controls, so
-        anyone in this room can use the bot - secure your room!
-        This should be a room alias or room ID - not a matrix.to URL.
-        Note: `mjolnir` is fairly verbose - expect a lot of messages from it.
-      '';
-    };
-
-    protectedRooms = mkOption {
-      type = types.listOf types.str;
-      default = [ ];
-      example = literalExpression ''
-        [
-          "https://matrix.to/#/#yourroom:example.org"
-          "https://matrix.to/#/#anotherroom:example.org"
-        ]
-      '';
-      description = lib.mdDoc ''
-        A list of rooms to protect (matrix.to URLs).
-      '';
-    };
-
-    settings = mkOption {
-      default = { };
-      type = (pkgs.formats.yaml { }).type;
-      example = literalExpression ''
-        {
-          autojoinOnlyIfManager = true;
-          automaticallyRedactForReasons = [ "spam" "advertising" ];
-        }
-      '';
-      description = lib.mdDoc ''
-        Additional settings (see [mjolnir default config](https://github.com/matrix-org/mjolnir/blob/main/config/default.yaml) for available settings). These settings will override settings made by the module config.
-      '';
-    };
-  };
-
-  config = mkIf config.services.mjolnir.enable {
-    assertions = [
-      {
-        assertion = !(cfg.pantalaimon.enable && cfg.pantalaimon.passwordFile == null);
-        message = "Specify pantalaimon.passwordFile";
-      }
-      {
-        assertion = !(cfg.pantalaimon.enable && cfg.accessTokenFile != null);
-        message = "Do not specify accessTokenFile when using pantalaimon";
-      }
-      {
-        assertion = !(!cfg.pantalaimon.enable && cfg.accessTokenFile == null);
-        message = "Specify accessTokenFile when not using pantalaimon";
-      }
-    ];
-
-    services.pantalaimon-headless.instances."mjolnir" = mkIf cfg.pantalaimon.enable
-      {
-        homeserver = cfg.homeserverUrl;
-      } // cfg.pantalaimon.options;
-
-    systemd.services.mjolnir = {
-      description = "mjolnir - a moderation tool for Matrix";
-      wants = [ "network-online.target" ] ++ optionals (cfg.pantalaimon.enable) [ "pantalaimon-mjolnir.service" ];
-      after = [ "network-online.target" ] ++ optionals (cfg.pantalaimon.enable) [ "pantalaimon-mjolnir.service" ];
-      wantedBy = [ "multi-user.target" ];
-
-      serviceConfig = {
-        ExecStart = ''${pkgs.mjolnir}/bin/mjolnir'';
-        ExecStartPre = [ generateConfig ];
-        WorkingDirectory = cfg.dataPath;
-        StateDirectory = "mjolnir";
-        StateDirectoryMode = "0700";
-        ProtectSystem = "strict";
-        ProtectHome = true;
-        PrivateTmp = true;
-        NoNewPrivileges = true;
-        PrivateDevices = true;
-        User = "mjolnir";
-        Restart = "on-failure";
-
-        /* TODO: wait for #102397 to be resolved. Then load secrets from $CREDENTIALS_DIRECTORY+"/NAME"
-        DynamicUser = true;
-        LoadCredential = [] ++
-          optionals (cfg.accessTokenFile != null) [
-            "access_token:${cfg.accessTokenFile}"
-          ] ++
-          optionals (cfg.pantalaimon.passwordFile != null) [
-            "pantalaimon_password:${cfg.pantalaimon.passwordFile}"
-          ];
-        */
-      };
-    };
-
-    users = {
-      users.mjolnir = {
-        group = "mjolnir";
-        isSystemUser = true;
-      };
-      groups.mjolnir = { };
-    };
-  };
-
-  meta = {
-    doc = ./mjolnir.md;
-    maintainers = with maintainers; [ jojosch ];
-  };
-}
diff --git a/overlays/mjolnir-module/mjolnir.md b/overlays/mjolnir-module/mjolnir.md
deleted file mode 100644
index f6994ee..0000000
--- a/overlays/mjolnir-module/mjolnir.md
+++ /dev/null
@@ -1,110 +0,0 @@
-# Mjolnir (Matrix Moderation Tool) {#module-services-mjolnir}
-
-This chapter will show you how to set up your own, self-hosted
-[Mjolnir](https://github.com/matrix-org/mjolnir) instance.
-
-As an all-in-one moderation tool, it can protect your server from
-malicious invites, spam messages, and whatever else you don't want.
-In addition to server-level protection, Mjolnir is great for communities
-wanting to protect their rooms without having to use their personal
-accounts for moderation.
-
-The bot by default includes support for bans, redactions, anti-spam,
-server ACLs, room directory changes, room alias transfers, account
-deactivation, room shutdown, and more.
-
-See the [README](https://github.com/matrix-org/mjolnir#readme)
-page and the [Moderator's guide](https://github.com/matrix-org/mjolnir/blob/main/docs/moderators.md)
-for additional instructions on how to setup and use Mjolnir.
-
-For [additional settings](#opt-services.mjolnir.settings)
-see [the default configuration](https://github.com/matrix-org/mjolnir/blob/main/config/default.yaml).
-
-## Mjolnir Setup {#module-services-mjolnir-setup}
-
-First create a new Room which will be used as a management room for Mjolnir. In
-this room, Mjolnir will log possible errors and debugging information. You'll
-need to set this Room-ID in [services.mjolnir.managementRoom](#opt-services.mjolnir.managementRoom).
-
-Next, create a new user for Mjolnir on your homeserver, if not present already.
-
-The Mjolnir Matrix user expects to be free of any rate limiting.
-See [Synapse #6286](https://github.com/matrix-org/synapse/issues/6286)
-for an example on how to achieve this.
-
-If you want Mjolnir to be able to deactivate users, move room aliases, shutdown rooms, etc.
-you'll need to make the Mjolnir user a Matrix server admin.
-
-Now invite the Mjolnir user to the management room.
-
-It is recommended to use [Pantalaimon](https://github.com/matrix-org/pantalaimon),
-so your management room can be encrypted. This also applies if you are looking to moderate an encrypted room.
-
-To enable the Pantalaimon E2E Proxy for mjolnir, enable
-[services.mjolnir.pantalaimon](#opt-services.mjolnir.pantalaimon.enable). This will
-autoconfigure a new Pantalaimon instance, which will connect to the homeserver
-set in [services.mjolnir.homeserverUrl](#opt-services.mjolnir.homeserverUrl) and Mjolnir itself
-will be configured to connect to the new Pantalaimon instance.
-
-```
-{
-  services.mjolnir = {
-    enable = true;
-    homeserverUrl = "https://matrix.domain.tld";
-    pantalaimon = {
-       enable = true;
-       username = "mjolnir";
-       passwordFile = "/run/secrets/mjolnir-password";
-    };
-    protectedRooms = [
-      "https://matrix.to/#/!xxx:domain.tld"
-    ];
-    managementRoom = "!yyy:domain.tld";
-  };
-}
-```
-
-### Element Matrix Services (EMS) {#module-services-mjolnir-setup-ems}
-
-If you are using a managed ["Element Matrix Services (EMS)"](https://ems.element.io/)
-server, you will need to consent to the terms and conditions. Upon startup, an error
-log entry with a URL to the consent page will be generated.
-
-## Synapse Antispam Module {#module-services-mjolnir-matrix-synapse-antispam}
-
-A Synapse module is also available to apply the same rulesets the bot
-uses across an entire homeserver.
-
-To use the Antispam Module, add `matrix-synapse-plugins.matrix-synapse-mjolnir-antispam`
-to the Synapse plugin list and enable the `mjolnir.Module` module.
-
-```
-{
-  services.matrix-synapse = {
-    plugins = with pkgs; [
-      matrix-synapse-plugins.matrix-synapse-mjolnir-antispam
-    ];
-    extraConfig = ''
-      modules:
-        - module: mjolnir.Module
-          config:
-            # Prevent servers/users in the ban lists from inviting users on this
-            # server to rooms. Default true.
-            block_invites: true
-            # Flag messages sent by servers/users in the ban lists as spam. Currently
-            # this means that spammy messages will appear as empty to users. Default
-            # false.
-            block_messages: false
-            # Remove users from the user directory search by filtering matrix IDs and
-            # display names by the entries in the user ban list. Default false.
-            block_usernames: false
-            # The room IDs of the ban lists to honour. Unlike other parts of Mjolnir,
-            # this list cannot be room aliases or permalinks. This server is expected
-            # to already be joined to the room - Mjolnir will not automatically join
-            # these rooms.
-            ban_lists:
-              - "!roomid:example.org"
-    '';
-  };
-}
-```
diff --git a/overlays/mjolnir-module/pantalaimon-options.nix b/overlays/mjolnir-module/pantalaimon-options.nix
deleted file mode 100644
index 3945a70..0000000
--- a/overlays/mjolnir-module/pantalaimon-options.nix
+++ /dev/null
@@ -1,70 +0,0 @@
-{ config, lib, name, ... }:
-
-with lib;
-{
-  options = {
-    dataPath = mkOption {
-      type = types.path;
-      default = "/var/lib/pantalaimon-${name}";
-      description = lib.mdDoc ''
-        The directory where `pantalaimon` should store its state such as the database file.
-      '';
-    };
-
-    logLevel = mkOption {
-      type = types.enum [ "info" "warning" "error" "debug" ];
-      default = "warning";
-      description = lib.mdDoc ''
-        Set the log level of the daemon.
-      '';
-    };
-
-    homeserver = mkOption {
-      type = types.str;
-      example = "https://matrix.org";
-      description = lib.mdDoc ''
-        The URI of the homeserver that the `pantalaimon` proxy should
-        forward requests to, without the matrix API path but including
-        the http(s) schema.
-      '';
-    };
-
-    ssl = mkOption {
-      type = types.bool;
-      default = true;
-      description = lib.mdDoc ''
-        Whether or not SSL verification should be enabled for outgoing
-        connections to the homeserver.
-      '';
-    };
-
-    listenAddress = mkOption {
-      type = types.str;
-      default = "localhost";
-      description = lib.mdDoc ''
-        The address where the daemon will listen to client connections
-        for this homeserver.
-      '';
-    };
-
-    listenPort = mkOption {
-      type = types.port;
-      default = 8009;
-      description = lib.mdDoc ''
-        The port where the daemon will listen to client connections for
-        this homeserver. Note that the listen address/port combination
-        needs to be unique between different homeservers.
-      '';
-    };
-
-    extraSettings = mkOption {
-      type = types.attrs;
-      default = { };
-      description = lib.mdDoc ''
-        Extra configuration options. See
-        [pantalaimon(5)](https://github.com/matrix-org/pantalaimon/blob/master/docs/man/pantalaimon.5.md)
-        for available options.
-      '';
-    };
-  };
-}
diff --git a/overlays/mjolnir-package/default.nix b/overlays/mjolnir-package/default.nix
deleted file mode 100644
index 833124b..0000000
--- a/overlays/mjolnir-package/default.nix
+++ /dev/null
@@ -1,80 +0,0 @@
-{ lib
-, nixosTests
-, mkYarnPackage
-, fetchYarnDeps
-, fetchFromGitHub
-, makeWrapper
-, nodejs
-, pkgs
-, matrix-sdk-crypto-nodejs
-}:
-
-let
-  pin = lib.importJSON ./pin.json;
-in
-mkYarnPackage rec {
-  pname = "mjolnir";
-  inherit (pin) version;
-
-  src = fetchFromGitHub {
-    owner = "matrix-org";
-    repo = "mjolnir";
-    rev = "v${version}";
-    sha256 = pin.srcSha256;
-  };
-
-  packageJSON = ./package.json;
-  offlineCache = fetchYarnDeps {
-    yarnLock = "${src}/yarn.lock";
-    sha256 = pin.yarnSha256;
-  };
-
-  packageResolutions = {
-    "@matrix-org/matrix-sdk-crypto-nodejs" = "${matrix-sdk-crypto-nodejs}/lib/node_modules/@matrix-org/matrix-sdk-crypto-nodejs";
-  };
-
-  nativeBuildInputs = [
-    makeWrapper
-  ];
-
-  buildPhase = ''
-    runHook preBuild
-    yarn --offline build
-    runHook postBuild
-  '';
-
-  postInstall = ''
-    makeWrapper ${nodejs}/bin/node $out/bin/mjolnir \
-      --add-flags $out/libexec/mjolnir/deps/mjolnir/lib/index.js
-  '';
-
-  doDist = false;
-
-  passthru = {
-    tests = {
-      inherit (nixosTests) mjolnir;
-    };
-    updateScript = ./update.sh;
-  };
-
-  meta = with lib; {
-    description = "A moderation tool for Matrix";
-    homepage = "https://github.com/matrix-org/mjolnir";
-    longDescription = ''
-      As an all-in-one moderation tool, it can protect your server from
-      malicious invites, spam messages, and whatever else you don't want.
-      In addition to server-level protection, Mjolnir is great for communities
-      wanting to protect their rooms without having to use their personal
-      accounts for moderation.
-
-      The bot by default includes support for bans, redactions, anti-spam,
-      server ACLs, room directory changes, room alias transfers, account
-      deactivation, room shutdown, and more.
-
-      A Synapse module is also available to apply the same rulesets the bot
-      uses across an entire homeserver.
-    '';
-    license = licenses.asl20;
-    maintainers = with maintainers; [ jojosch ];
-  };
-}
diff --git a/overlays/mjolnir-package/package.json b/overlays/mjolnir-package/package.json
deleted file mode 100644
index f7ed5ab..0000000
--- a/overlays/mjolnir-package/package.json
+++ /dev/null
@@ -1,69 +0,0 @@
-{
-  "name": "mjolnir",
-  "version": "1.6.3",
-  "description": "A moderation tool for Matrix",
-  "main": "lib/index.js",
-  "repository": "git@github.com:matrix-org/mjolnir.git",
-  "author": "The Matrix.org Foundation C.I.C.",
-  "license": "Apache-2.0",
-  "private": true,
-  "scripts": {
-    "build": "tsc",
-    "postbuild": "rm -rf lib/test/ && cp -r lib/src/* lib/ && rm -rf lib/src/",
-    "lint": "tslint --project ./tsconfig.json -t stylish",
-    "start:dev": "yarn build && node --async-stack-traces lib/index.js",
-    "test": "ts-mocha --project ./tsconfig.json test/commands/**/*.ts",
-    "test:integration": "NODE_ENV=harness ts-mocha --async-stack-traces --require test/integration/fixtures.ts --timeout 300000 --project ./tsconfig.json \"test/integration/**/*Test.ts\"",
-    "test:integration:single": "NODE_ENV=harness npx ts-mocha --require test/integration/fixtures.ts --timeout 300000 --project ./tsconfig.json",
-    "test:appservice:integration": "NODE_ENV=harness ts-mocha --async-stack-traces --timeout 300000 --project ./tsconfig.json \"test/appservice/integration/**/*Test.ts\"",
-    "test:appservice:integration:single": "NODE_ENV=harness npx ts-mocha --timeout 300000 --project ./tsconfig.json",
-    "test:manual": "NODE_ENV=harness ts-node test/integration/manualLaunchScript.ts",
-    "version": "sed -i '/# version automated/s/[0-9][0-9]*\\.[0-9][0-9]*\\.[0-9][0-9]*/'$npm_package_version'/' synapse_antispam/setup.py && git add synapse_antispam/setup.py && cat synapse_antispam/setup.py"
-  },
-  "devDependencies": {
-    "@types/config": "^3.3.0",
-    "@types/crypto-js": "^4.0.2",
-    "@types/express": "^4.17.13",
-    "@types/html-to-text": "^8.0.1",
-    "@types/humanize-duration": "^3.27.1",
-    "@types/js-yaml": "^4.0.5",
-    "@types/jsdom": "^16.2.11",
-    "@types/mocha": "^9.0.0",
-    "@types/nedb": "^1.8.12",
-    "@types/node": "^16.7.10",
-    "@types/pg": "^8.6.5",
-    "@types/request": "^2.48.8",
-    "@types/shell-quote": "1.7.1",
-    "crypto-js": "^4.1.1",
-    "eslint": "^7.32",
-    "expect": "^27.0.6",
-    "mocha": "^9.0.1",
-    "ts-mocha": "^9.0.2",
-    "tslint": "^6.1.3",
-    "typescript": "^4.8.4",
-    "typescript-formatter": "^7.2"
-  },
-  "dependencies": {
-    "@sentry/node": "^7.17.2",
-    "@sentry/tracing": "^7.17.2",
-    "await-lock": "^2.2.2",
-    "body-parser": "^1.20.1",
-    "config": "^3.3.8",
-    "express": "^4.17",
-    "html-to-text": "^8.0.0",
-    "humanize-duration": "^3.27.1",
-    "humanize-duration-ts": "^2.1.1",
-    "js-yaml": "^4.1.0",
-    "jsdom": "^16.6.0",
-    "matrix-appservice-bridge": "8.0.0",
-    "parse-duration": "^1.0.2",
-    "pg": "^8.8.0",
-    "prom-client": "^14.1.0",
-    "shell-quote": "^1.7.3",
-    "ulidx": "^0.3.0",
-    "yaml": "^2.1.1"
-  },
-  "engines": {
-    "node": ">=16.0.0"
-  }
-}
diff --git a/overlays/mjolnir-package/pin.json b/overlays/mjolnir-package/pin.json
deleted file mode 100644
index 2ff9e4d..0000000
--- a/overlays/mjolnir-package/pin.json
+++ /dev/null
@@ -1,5 +0,0 @@
-{
-  "version": "v1.6.4",
-  "srcSha256": "/vnojWLpu/fktqPUhAdL1QTESxDwFrBVYAkyF79Fj9w=",
-  "yarnSha256": "00x5vx6qdvhmplb8ykq4ngh5nhygfw396709w8hil8pri84k92q7"
-}
diff --git a/overlays/mjolnir-package/update.sh b/overlays/mjolnir-package/update.sh
deleted file mode 100755
index 548de93..0000000
--- a/overlays/mjolnir-package/update.sh
+++ /dev/null
@@ -1,36 +0,0 @@
-#!/usr/bin/env nix-shell
-#!nix-shell -i bash -p nix curl jq prefetch-yarn-deps nix-prefetch-github
-
-if [ "$#" -gt 1 ] || [[ "$1" == -* ]]; then
-  echo "Regenerates packaging data for mjolnir."
-  echo "Usage: $0 [git release tag]"
-  exit 1
-fi
-
-version=$1
-
-set -euo pipefail
-
-if [ -z "$version" ]; then
-  version=$(curl "https://api.github.com/repos/matrix-org/mjolnir/releases/latest" | jq -r '.tag_name')
-fi
-
-src="https://raw.githubusercontent.com/matrix-org/mjolnir/$version"
-src_hash=$(nix-prefetch-github matrix-org mjolnir --rev ${version} | jq -r .sha256)
-
-tmpdir=$(mktemp -d)
-trap 'rm -rf "$tmpdir"' EXIT
-
-pushd $tmpdir
-curl -O "$src/yarn.lock"
-yarn_hash=$(prefetch-yarn-deps yarn.lock)
-popd
-
-curl -O "$src/package.json"
-cat > pin.json << EOF
-{
-  "version": "$version",
-  "srcSha256": "$src_hash",
-  "yarnSha256": "$yarn_hash"
-}
-EOF
diff --git a/systems/cobalt/default.nix b/systems/cobalt/default.nix
index d9a279b..9dd0f63 100644
--- a/systems/cobalt/default.nix
+++ b/systems/cobalt/default.nix
@@ -113,7 +113,7 @@ in
   users.users.root.initialHashedPassword = ""; # FIXME: use proper secret
   users.users.root.openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILN14b5Fu+StHeMXq4ClyLG4G+/vCAfS7adxceEFria/ openpgp:0x1D5BCD11" ];
   services.openssh.enable = true;
-  services.openssh.settings.permitRootLogin = "prohibit-password";
+  services.openssh.settings.PermitRootLogin = "prohibit-password";
 
   services.openssh.hostKeys = [
     {