eyJhb · August 24, 2024 12:55
diff --git a/matrix-synapse-janitor.nix b/matrix-synapse-janitor.nix
 {
 systemd.timers."matrix-synapse-janitor" = {
    wantedBy = [ "timers.target" ];
      timerConfig = {
        OnBootSec = "2h";
        OnUnitActiveSec = "2h";
        Unit = config.systemd.services."matrix-synapse-janitor".name;
      };
  };
  
  systemd.services."matrix-synapse-janitor" = let
    janitorUsername = "janitor";
    janitorPasswordFile = config.age.secrets.matrix-synapse-janitor-password.path;
    sharedSecretConfigFile = config.age.secrets.matrix-synapse-config-shared-secret.path;

    local_media_age = "8 weeks";
    remote_media_age = "1 weeks";
  in {
    serviceConfig = {
      Type = "oneshot";
      User = matrix_synapse_user;
      Group = matrix_synapse_group;
      ExecStart = pkgs.writeShellScript "matrix-synapse-janitor" ''
        export PATH=$PATH:${lib.makeBinPath (with pkgs; [ jq curl matrix-synapse config.services.postgresql.package ])}
        # ensure janitor user is setup, and with the correct password

        # try to register new user
        register_new_matrix_user --exists-ok \
          --config ${sharedSecretConfigFile} \
          --admin \
          --user ${janitorUsername} \
          --password-file ${janitorPasswordFile} \
          http://127.0.0.1:${builtins.toString matrix_port}

       # TODO(eyJhb): hash_password should accept stdin... but doesn't...............
       PASSWORD_HASH=$(hash_password -c ${config.services.matrix-synapse.configFile} -p "$(cat ${janitorPasswordFile})")

       # update password hash
       psql -c "UPDATE users SET password_hash = '$PASSWORD_HASH' WHERE name LIKE '@${janitorUsername}:%';"

       # get token to make request!!

       # delete media older than X months (add 000 because of ms)
       TS_LOCAL="$(date -d "${local_media_age} ago" '+%s')000"
       TS_REMOTE="$(date -d "${remote_media_age} ago" '+%s')000"

       # login -> get access token
       echo "Signing into Matrix with ${janitorUsername} account"
       ACCESS_TOKEN=$(jq -nc --rawfile password ${janitorPasswordFile} \
         '{"type":"m.login.password", "user":"${janitorUsername}", "password": $password | gsub("[\\n\\t]"; "")}' | \
         curl --silent -XPOST -d @- "http://localhost:${builtins.toString matrix_port}/_matrix/client/r0/login" | jq -r '.access_token')

       # cleanup local media
       echo "Deleting local media older than ${local_media_age}"
       curl --silent -XPOST --header "Authorization: Bearer $ACCESS_TOKEN" "http://localhost:${builtins.toString matrix_port}/_synapse/admin/v1/media/${config.services.matrix-synapse.settings.server_name}/delete?before_ts=$TS_LOCAL"

       # cleanup remote media
       echo "Deleting remote media older than ${remote_media_age}"
       curl --silent -XPOST --header "Authorization: Bearer $ACCESS_TOKEN" "http://localhost:${builtins.toString matrix_port}/_synapse/admin/v1/media/${config.services.matrix-synapse.settings.server_name}/delete?before_ts=$TS_REMOTE"

       # logout to invalidate access token
       echo "Signing out of ${janitorUsername}, invalidating token"
       curl --silent -XPOST --header "Authorization: Bearer $ACCESS_TOKEN" "http://localhost:${builtins.toString matrix_port}/_matrix/client/r0/logout"
     '';
    };
  };
 }
	{
	systemd.timers."matrix-synapse-janitor" = {
	wantedBy = [ "timers.target" ];
	timerConfig = {
	OnBootSec = "2h";
	OnUnitActiveSec = "2h";
	Unit = config.systemd.services."matrix-synapse-janitor".name;
	};
	};

	systemd.services."matrix-synapse-janitor" = let
	janitorUsername = "janitor";
	janitorPasswordFile = config.age.secrets.matrix-synapse-janitor-password.path;
	sharedSecretConfigFile = config.age.secrets.matrix-synapse-config-shared-secret.path;

	local_media_age = "8 weeks";
	remote_media_age = "1 weeks";
	in {
	serviceConfig = {
	Type = "oneshot";
	User = matrix_synapse_user;
	Group = matrix_synapse_group;
	ExecStart = pkgs.writeShellScript "matrix-synapse-janitor" ''
	export PATH=$PATH:${lib.makeBinPath (with pkgs; [ jq curl matrix-synapse config.services.postgresql.package ])}
	# ensure janitor user is setup, and with the correct password

	# try to register new user
	register_new_matrix_user --exists-ok \
	--config ${sharedSecretConfigFile} \
	--admin \
	--user ${janitorUsername} \
	--password-file ${janitorPasswordFile} \
	http://127.0.0.1:${builtins.toString matrix_port}

	# TODO(eyJhb): hash_password should accept stdin... but doesn't...............
	PASSWORD_HASH=$(hash_password -c ${config.services.matrix-synapse.configFile} -p "$(cat ${janitorPasswordFile})")

	# update password hash
	psql -c "UPDATE users SET password_hash = '$PASSWORD_HASH' WHERE name LIKE '@${janitorUsername}:%';"

	# get token to make request!!

	# delete media older than X months (add 000 because of ms)
	TS_LOCAL="$(date -d "${local_media_age} ago" '+%s')000"
	TS_REMOTE="$(date -d "${remote_media_age} ago" '+%s')000"

	# login -> get access token
	echo "Signing into Matrix with ${janitorUsername} account"
	ACCESS_TOKEN=$(jq -nc --rawfile password ${janitorPasswordFile} \
	'{"type":"m.login.password", "user":"${janitorUsername}", "password": $password \| gsub("[\\n\\t]"; "")}' \| \
	curl --silent -XPOST -d @- "http://localhost:${builtins.toString matrix_port}/_matrix/client/r0/login" \| jq -r '.access_token')

	# cleanup local media
	echo "Deleting local media older than ${local_media_age}"
	curl --silent -XPOST --header "Authorization: Bearer $ACCESS_TOKEN" "http://localhost:${builtins.toString matrix_port}/_synapse/admin/v1/media/${config.services.matrix-synapse.settings.server_name}/delete?before_ts=$TS_LOCAL"

	# cleanup remote media
	echo "Deleting remote media older than ${remote_media_age}"
	curl --silent -XPOST --header "Authorization: Bearer $ACCESS_TOKEN" "http://localhost:${builtins.toString matrix_port}/_synapse/admin/v1/media/${config.services.matrix-synapse.settings.server_name}/delete?before_ts=$TS_REMOTE"

	# logout to invalidate access token
	echo "Signing out of ${janitorUsername}, invalidating token"
	curl --silent -XPOST --header "Authorization: Bearer $ACCESS_TOKEN" "http://localhost:${builtins.toString matrix_port}/_matrix/client/r0/logout"
	'';
	};
	};
	}