Merge pull request #10 from h7x4/additional-nixpkgs-2511-stuff

Additional fixes for 25.11

MIGRATIONS.MD

@@ -2,6 +2,12 @@
 
 This is a best effort document descibing neccecary changes you might have to do when updating
 
+## 0.8.0
+
+`saml2` is no longer enabled, as it depends on vulnerable dependencies and isnt really built in nixpks anymore.
+
+If you need to authenticate with saml, you should deploy some sort of saml to openid bridge, instead.
+
 ## 0.6.1
 
 enableSlidingSync, and setting matrix-synapse.sliding-sync.environmentFile (or any other sliding-sync setting)

flake.lock

@@ -2,16 +2,16 @@
   "nodes": {
     "nixpkgs": {
       "locked": {
-        "lastModified": 1706098335,
+        "lastModified": 1764983851,
-        "narHash": "sha256-r3dWjT8P9/Ah5m5ul4WqIWD8muj5F+/gbCdjiNVBKmU=",
+        "narHash": "sha256-y7RPKl/jJ/KAP/VKLMghMgXTlvNIJMHKskl8/Uuar7o=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "a77ab169a83a4175169d78684ddd2e54486ac651",
+        "rev": "d9bc5c7dceb30d8d6fafa10aeb6aa8a48c218454",
         "type": "github"
       },
       "original": {
         "id": "nixpkgs",
-        "ref": "nixos-23.11",
+        "ref": "nixos-25.11",
         "type": "indirect"
       }
     },

flake.nix

@@ -2,7 +2,7 @@
   description = "NixOS modules for matrix related services";
 
   inputs = {
-    nixpkgs.url = "nixpkgs/nixos-23.11";
+    nixpkgs.url = "nixpkgs/nixos-25.11";
   };
 
   outputs = { self, nixpkgs }: {
@@ -12,7 +12,7 @@
 
     lib = import ./lib.nix { lib = nixpkgs.lib; };
 
-    packages = let
+    checks = let
       forAllSystems = f:
         nixpkgs.lib.genAttrs [
           "x86_64-linux"
@@ -20,11 +20,13 @@
           "x86_64-darwin"
           "aarch64-darwin"
         ] (system: f nixpkgs.legacyPackages.${system});
-    in forAllSystems (pkgs: {
+    in forAllSystems (pkgs: let
       tests = import ./tests {
         inherit nixpkgs pkgs;
         matrix-lib = self.lib;
       };
+    in {
+      inherit (tests) nginx-pipeline-eval;
     });
   };
 }

module.nix

@@ -1,8 +1,14 @@
-{ ... }:
+{ lib, ... }:
 
 {
   imports = [
     ./synapse-module
-    ./sliding-sync
+
+    # TODO: Remove after 25.05
+    (lib.mkRemovedOptionModule [ "services" "matrix-synapse" "sliding-sync" ] ''
+      `services.matrix-synapse.sliding-sync` is no longer necessary to use sliding-sync with synapse.
+      As synapse now includes this in itself, if you have a manually managed `.well-known/matrix/client` file
+      remove the proxy url from it.
+    '')
   ];
 }

sliding-sync/default.nix

@@ -1,126 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-let
-  cfg = config.services.matrix-synapse.sliding-sync;
-in
-{
-  disabledModules = [ "services/matrix/matrix-sliding-sync.nix" ];
-
-  options.services.matrix-synapse.sliding-sync = {
-    enable = lib.mkEnableOption (lib.mdDoc "sliding sync");
-
-    package = lib.mkOption {
-      type = lib.types.package;
-      default = pkgs.matrix-sliding-sync;
-      description = "What package to use for the sliding-sync proxy.";
-    };
-
-    enableNginx = lib.mkEnableOption (lib.mdDoc "autogenerated nginx config");
-    publicBaseUrl = lib.mkOption {
-      type = lib.types.str;
-      description = "The domain where clients connect, only has an effect with enableNginx";
-      example = "slidingsync.matrix.org";
-    };
-
-    settings = lib.mkOption {
-      type = lib.types.submodule {
-        freeformType = with lib.types; attrsOf str;
-        options = {
-          SYNCV3_SERVER = lib.mkOption {
-            type = lib.types.str;
-            description = lib.mdDoc ''
-              The destination homeserver to talk to not including `/_matrix/` e.g `https://matrix.example.org`.
-            '';
-          };
-
-          SYNCV3_DB = lib.mkOption {
-            type = lib.types.str;
-            default = "postgresql:///matrix-sliding-sync?host=/run/postgresql";
-            description = lib.mdDoc ''
-              The postgres connection string.
-              Refer to <https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-CONNSTRING>.
-            '';
-          };
-
-          SYNCV3_BINDADDR = lib.mkOption {
-            type = lib.types.str;
-            default = "127.0.0.1:8009";
-            example = "[::]:8008";
-            description = lib.mdDoc "The interface and port to listen on.";
-          };
-
-          SYNCV3_LOG_LEVEL = lib.mkOption {
-            type = lib.types.enum [ "trace" "debug" "info" "warn" "error" "fatal" ];
-            default = "info";
-            description = lib.mdDoc "The level of verbosity for messages logged.";
-          };
-        };
-      };
-      default = { };
-      description = ''
-        Freeform environment variables passed to the sliding sync proxy.
-        Refer to <https://github.com/matrix-org/sliding-sync#setup> for all supported values.
-      '';
-    };
-
-    createDatabase = lib.mkOption {
-      type = lib.types.bool;
-      default = true;
-      description = lib.mdDoc ''
-        Whether to enable and configure `services.postgres` to ensure that the database user `matrix-sliding-sync`
-        and the database `matrix-sliding-sync` exist.
-      '';
-    };
-
-    environmentFile = lib.mkOption {
-      type = lib.types.str;
-      description = lib.mdDoc ''
-        Environment file as defined in {manpage}`systemd.exec(5)`.
-
-        This must contain the {env}`SYNCV3_SECRET` variable which should
-        be generated with {command}`openssl rand -hex 32`.
-      '';
-    };
-  };
-
-  config = lib.mkIf cfg.enable {
-    warnings = lib.optionals config.services.matrix-synapse-next.enable [
-      ''
-        services.matrix-synapse.sliding-sync is no longer necessary to use sliding-sync with synapse,
-        and the extra module will be removed from `nixos-matrix-modules` in the future.
-        If you are only using this service via `nixos-matrix-modules` you can safely remove options like
-        `services.matrix-synapse.sliding-sync.environmentFile`.
-      ''
-    ];
-
-    services.postgresql = lib.optionalAttrs cfg.createDatabase {
-      enable = true;
-      ensureDatabases = [ "matrix-sliding-sync" ];
-      ensureUsers = [ rec {
-        name = "matrix-sliding-sync";
-        ensureDBOwnership = true;
-      } ];
-    };
-
-    systemd.services.matrix-sliding-sync = {
-      after = lib.optional cfg.createDatabase "postgresql.service";
-      wantedBy = [ "multi-user.target" ];
-      environment = cfg.settings;
-      serviceConfig = {
-        DynamicUser = true;
-        EnvironmentFile = cfg.environmentFile;
-        ExecStart = lib.getExe cfg.package;
-        StateDirectory = "matrix-sliding-sync";
-        WorkingDirectory = "%S/matrix-sliding-sync";
-      };
-    };
-
-    services.nginx.virtualHosts.${cfg.publicBaseUrl} = lib.mkIf cfg.enableNginx {
-      enableACME = lib.mkDefault true;
-      forceSSL = true;
-      locations."/" = {
-        proxyPass = lib.replaceStrings [ "0.0.0.0" "::" ] [ "127.0.0.1" "::1" ] "http://${cfg.settings.SYNCV3_BINDADDR}";
-      };
-    };
-  };
-}

synapse-module/default.nix

@@ -19,7 +19,6 @@ let
     inherit (cfg) plugins;
     extras = [
       "postgres"
-      "saml2"
       "oidc"
       "systemd"
       "url-preview"
@@ -27,7 +26,6 @@ let
       "jwt"
       "redis"
       "cache-memory"
-      "user-search"
     ];
   };
 
@@ -429,7 +427,7 @@ in
         wantedBy = [ "matrix-synapse.target" ];
 
         preStart = let
-          flags = lib.cli.toGNUCommandLineShell {} {
+          flags = lib.cli.toCommandLineShellGNU {} {
             config-path = [ matrix-synapse-common-config ] ++ cfg.extraConfigFiles;
             keys-directory = cfg.dataDir;
             generate-keys = true;
@@ -445,12 +443,12 @@ in
           StateDirectory = "matrix-synapse";
           RuntimeDirectory = "matrix-synapse";
           ExecStart = let
-            flags = lib.cli.toGNUCommandLineShell {} {
+            flags = lib.cli.toCommandLineShellGNU {} {
               config-path = [ matrix-synapse-common-config ] ++ cfg.extraConfigFiles;
               keys-directory = cfg.dataDir;
             };
           in "${wrapped}/bin/synapse_homeserver ${flags}";
-          ExecReload = "${pkgs.utillinux}/bin/kill -HUP $MAINPID";
+          ExecReload = "${lib.getExe' pkgs.coreutils "kill"} -HUP $MAINPID";
           Restart = "on-failure";
         };
       };

synapse-module/workers.nix

@@ -389,7 +389,7 @@ in {
             done
           '';
           ExecStart = let
-            flags = lib.cli.toGNUCommandLineShell {} {
+            flags = lib.cli.toCommandLineShellGNU {} {
               config-path = [ matrix-synapse-common-config (workerConfig worker) ] ++ cfg.extraConfigFiles;
               keys-directory = cfg.dataDir;
             };

tests/default.nix

@@ -1,4 +1,4 @@
 { nixpkgs, pkgs, matrix-lib, ... }:
 {
-  nginx-pipeline = pkgs.callPackage ./nginx-pipeline { inherit nixpkgs matrix-lib; };
+  nginx-pipeline-eval = pkgs.callPackage ./nginx-pipeline { inherit nixpkgs matrix-lib; };
 }

tests/nginx-pipeline/default.nix

@@ -5,7 +5,7 @@ let
     modules = [
       ../../module.nix
       {
-        system.stateVersion = "23.11";
+        system.stateVersion = "25.11";
         boot.isContainer = true;
         services.matrix-synapse-next = {
           enable = true;