Remove trailing whitespace

Pass signing_key_path through LoadCredential
Remove duplicate ReadWritePaths
2026-03-11 19:33:07 +01:00 · 2026-01-26 21:25:05 +09:00 · 2026-01-26 21:25:05 +09:00 · 2026-01-26 21:15:28 +09:00 · 2026-01-26 21:15:28 +09:00 · 2026-01-14 04:14:30 +09:00
4 changed files with 184 additions and 21 deletions
--- a/synapse-module/default.nix
+++ b/synapse-module/default.nix
@@ -12,6 +12,8 @@ let
  format = pkgs.formats.yaml {};
  matrix-synapse-common-config = format.generate "matrix-synapse-common-config.yaml" (cfg.settings // {
    listeners = map (lib.filterAttrsRecursive (_: v: v != null)) cfg.settings.listeners;
    media_store_path = "/var/lib/matrix-synapse/media_store";
    signing_key_path = "/run/credentials/matrix-synapse.service/signing_key";
  });
  # TODO: Align better with the upstream module
@@ -70,6 +72,14 @@ in
      '';
    };
    withJemalloc = mkOption {
      type = types.bool;
      default = true;
      description = ''
        Whether to preload jemalloc to reduce memory fragmentation and overall usage.
      '';
    };
    dataDir = mkOption {
      type = types.path;
      default = "/var/lib/matrix-synapse";
@@ -398,9 +408,8 @@ in
    users.users.matrix-synapse = {
      group = "matrix-synapse";
-      home = cfg.dataDir;
+      home = "/var/lib/matrix-synapse";
      createHome = true;
      shell = "${pkgs.bash}/bin/bash";
      uid = config.ids.uids.matrix-synapse;
    };
@@ -421,35 +430,104 @@ in
        after= [ "system.slice" ];
      };
      tmpfiles.settings."10-matrix-synapse" = {
        "${cfg.dataDir}".d = lib.mkIf (cfg.dataDir != "/var/lib/matrix-synapse") {
          user = "matrix-synapse";
          group = "matrix-synapse";
          mode = "0700";
        };
        "${cfg.settings.media_store_path}".d = lib.mkIf (cfg.settings.media_store_path != "/var/lib/matrix-synapse/media_store") {
          user = "matrix-synapse";
          group = "matrix-synapse";
          mode = "0700";
        };
      };
      services.matrix-synapse = {
        description = "Synapse Matrix homeserver";
        partOf = [ "matrix-synapse.target" ];
        wantedBy = [ "matrix-synapse.target" ];
        after = lib.mkIf (config.systemd.tmpfiles.settings."10-matrix-synapse" != { }) [
          "systemd-tmpfiles-setup.service"
          "systemd-tmpfiles-resetup.service"
        ];
-        preStart = let
+        environment = lib.optionalAttrs cfg.withJemalloc {
-          flags = lib.cli.toCommandLineShellGNU {} {
+          LD_PRELOAD = "${pkgs.jemalloc}/lib/libjemalloc.so";
-            config-path = [ matrix-synapse-common-config ] ++ cfg.extraConfigFiles;
+          PYTHONMALLOC = "malloc";
-            keys-directory = cfg.dataDir;
+        };
            generate-keys = true;
          };
        in "${cfg.package}/bin/synapse_homeserver ${flags}";
        serviceConfig = {
          Type = "notify";
          User = "matrix-synapse";
          Group = "matrix-synapse";
          Slice = "system-matrix-synapse.slice";
-          WorkingDirectory = cfg.dataDir;
+
          Restart = "always";
          RestartSec = 3;
          WorkingDirectory = "/var/lib/matrix-synapse";
          StateDirectory = "matrix-synapse";
          RuntimeDirectory = "matrix-synapse";
          ExecStartPre = let
            flags = lib.cli.toCommandLineShellGNU {} {
              config-path = [ matrix-synapse-common-config ] ++ cfg.extraConfigFiles;
              keys-directory = "/var/lib/matrix-synapse";
              generate-keys = true;
            };
          in "${cfg.package}/bin/synapse_homeserver ${flags}";
          ExecStart = let
            flags = lib.cli.toCommandLineShellGNU {} {
              config-path = [ matrix-synapse-common-config ] ++ cfg.extraConfigFiles;
-              keys-directory = cfg.dataDir;
+              keys-directory = "/var/lib/matrix-synapse";
            };
          in "${wrapped}/bin/synapse_homeserver ${flags}";
          ExecReload = "${lib.getExe' pkgs.coreutils "kill"} -HUP $MAINPID";
-          Restart = "on-failure";
+
          CapabilityBoundingSet = [ "" ];
          LockPersonality = true;
          NoNewPrivileges = true;
          PrivateDevices = true;
          PrivateTmp = true;
          PrivateUsers = true;
          ProcSubset = "pid";
          ProtectClock = true;
          ProtectControlGroups = true;
          ProtectHome = true;
          ProtectHostname = true;
          ProtectKernelLogs = true;
          ProtectKernelModules = true;
          ProtectKernelTunables = true;
          ProtectProc = "invisible";
          ProtectSystem = "strict";
          BindPaths = (lib.optionals (cfg.dataDir != "/var/lib/matrix-synapse") [
            "${cfg.dataDir}:/var/lib/matrix-synapse"
          ]) ++ (lib.optionals (cfg.settings.media_store_path != "${cfg.dataDir}/media_store") [
             "${cfg.settings.media_store_path}:/var/lib/matrix-synapse/media_store"
          ]);
          ReadWritePaths = lib.pipe cfg.settings.listeners [
            (lib.filter (listener: listener.path != null))
            (map (listener: dirOf listener.path))
            (lib.filter (path: path != "/run/matrix-synapse"))
            lib.uniqueStrings
          ];
          LoadCredential = [ "signing_key:${cfg.settings.signing_key_path}" ];
          RemoveIPC = true;
          RestrictAddressFamilies = [
            "AF_INET"
            "AF_INET6"
            "AF_UNIX"
          ];
          RestrictNamespaces = true;
          RestrictRealtime = true;
          RestrictSUIDSGID = true;
          SystemCallArchitectures = "native";
          SystemCallFilter = [
            "@system-service"
            "~@resources"
            "~@privileged"
          ];
        };
      };
    };
--- a/synapse-module/nginx.nix
+++ b/synapse-module/nginx.nix
@@ -24,6 +24,7 @@ in
        ~^/_matrix/client/(api/v1|r0|v3)/rooms/[^/]+/initialSync$ synapse_initial_sync;
        # Federation requests
        ~^/_matrix/federation/v1/version$ synapse_federation;
        ~^/_matrix/federation/v1/event/ synapse_federation;
        ~^/_matrix/federation/v1/state/ synapse_federation;
        ~^/_matrix/federation/v1/state_ids/ synapse_federation;
@@ -35,6 +36,8 @@ in
        ~^/_matrix/federation/v1/make_leave/ synapse_federation;
        ~^/_matrix/federation/(v1|v2)/send_join/ synapse_federation;
        ~^/_matrix/federation/(v1|v2)/send_leave/ synapse_federation;
        ~^/_matrix/federation/v1/make_knock/ synapse_federation;
        ~^/_matrix/federation/v1/send_knock/ synapse_federation;
        ~^/_matrix/federation/(v1|v2)/invite/ synapse_federation;
        ~^/_matrix/federation/v1/event_auth/ synapse_federation;
        ~^/_matrix/federation/v1/timestamp_to_event/ synapse_federation;
@@ -56,17 +59,23 @@ in
        ~^/_matrix/client/v1/rooms/.*/hierarchy$ synapse_client_interaction;
        ~^/_matrix/client/(v1|unstable)/rooms/.*/relations/ synapse_client_interaction;
        ~^/_matrix/client/v1/rooms/.*/threads$ synapse_client_interaction;
        ~^/_matrix/client/unstable/org.matrix.msc2716/rooms/.*/batch_send$ synapse_client_interaction;
        ~^/_matrix/client/unstable/im.nheko.summary/rooms/.*/summary$ synapse_client_interaction;
        ~^/_matrix/client/(r0|v3|unstable)/account/3pid$ synapse_client_interaction;
        ~^/_matrix/client/(r0|v3|unstable)/account/whoami$ synapse_client_interaction;
-        ~^/_matrix/client/(r0|v3|unstable)/devices$ synapse_client_interaction;
+        ~^/_matrix/client/(r0|v3|unstable)/account/deactivate$ synapse_client_interaction;
        ~^/_matrix/client/(r0|v3)/delete_devices$ synapse_client_interaction;
        ~^/_matrix/client/(api/v1|r0|v3|unstable)/devices(/|$) synapse_client_interaction;
        ~^/_matrix/client/versions$ synapse_client_interaction;
        ~^/_matrix/client/(api/v1|r0|v3|unstable)/voip/turnServer$ synapse_client_interaction;
        ~^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/event/ synapse_client_interaction;
        ~^/_matrix/client/(api/v1|r0|v3|unstable)/joined_rooms$ synapse_client_interaction;
        ~^/_matrix/client/v1/rooms/.*/timestamp_to_event$ synapse_client_interaction;
        ~^/_matrix/client/(api/v1|r0|v3|unstable/.*)/rooms/.*/aliases synapse_client_interaction;
        ~^/_matrix/client/(api/v1|r0|v3|unstable)/search$ synapse_client_interaction;
        ~^/_matrix/client/(r0|v3|unstable)/user/.*/filter(/|$) synapse_client_interaction;
        ~^/_matrix/client/(api/v1|r0|v3|unstable)/directory/room/.*$ synapse_client_interaction;
        ~^/_matrix/client/(r0|v3|unstable)/capabilities$ synapse_client_interaction;
        ~^/_matrix/client/(r0|v3|unstable)/notifications$ synapse_client_interaction;
        # Encryption requests
        ~^/_matrix/client/(r0|v3|unstable)/keys/query$ synapse_client_encryption;
@@ -74,11 +83,15 @@ in
        ~^/_matrix/client/(r0|v3|unstable)/keys/claim$ synapse_client_encryption;
        ~^/_matrix/client/(r0|v3|unstable)/room_keys/ synapse_client_encryption;
        ~^/_matrix/client/(r0|v3|unstable)/keys/upload/ synapse_client_encryption;
        ~^/_matrix/client/(api/v1|r0|v3|unstable)/keys/device_signing/upload$ synapse_client_encryption;
        ~^/_matrix/client/(api/v1|r0|v3|unstable)/keys/signatures/upload$ synapse_client_encryption;
        # Registration/login requests
        ~^/_matrix/client/(api/v1|r0|v3|unstable)/login$ synapse_client_login;
        ~^/_matrix/client/(r0|v3|unstable)/register$ synapse_client_login;
        ~^/_matrix/client/(r0|v3|unstable)/register/available$ synapse_client_login;
        ~^/_matrix/client/v1/register/m.login.registration_token/validity$ synapse_client_login;
        ~^/_matrix/client/(r0|v3|unstable)/password_policy$ synapse_client_login;
        # Event sending requests
        ~^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/redact synapse_client_transaction;
@@ -86,6 +99,7 @@ in
        ~^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/state/ synapse_client_transaction;
        ~^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/(join|invite|leave|ban|unban|kick)$ synapse_client_transaction;
        ~^/_matrix/client/(api/v1|r0|v3|unstable)/join/ synapse_client_transaction;
        ~^/_matrix/client/(api/v1|r0|v3|unstable)/knock/ synapse_client_transaction;
        ~^/_matrix/client/(api/v1|r0|v3|unstable)/profile/ synapse_client_transaction;
        # Account data requests
--- a/synapse-module/workers.nix
+++ b/synapse-module/workers.nix
@@ -74,6 +74,16 @@ in {
          description = "Listener configuration for the worker, similar to the main synapse listener";
          default = [ ];
        };
        worker_log_config = mkOption {
          type = types.path;
          description = ''
            A yaml python logging config file as described by
            https://docs.python.org/3.7/library/logging.config.html#configuration-dictionary-schema
          '';
          default = pkgs.writeText "log_config.yaml" cfg.mainLogConfig;
          defaultText = "A config file generated from ${cfgText}.mainLogConfig";
        };
      };
    };
@@ -365,6 +375,7 @@ in {
          worker_name = worker.name;
          worker_listeners =
            map (lib.filterAttrsRecursive (_: v: v != null)) worker.value.settings.worker_listeners;
          signing_key_path = "/run/credentials/matrix-synapse-worker-${worker.name}.service/signing_key";
        });
    in builtins.listToAttrs (lib.flip map workerList (worker: {
      name = "matrix-synapse-worker-${worker.name}";
@@ -372,16 +383,32 @@ in {
        description = "Synapse Matrix Worker";
        partOf = [ "matrix-synapse.target" ];
        wantedBy = [ "matrix-synapse.target" ];
-        after = [ "matrix-synapse.service" ];
+        after = [
          "matrix-synapse.service"
        ] ++ (lib.optionals (config.systemd.tmpfiles.settings."10-matrix-synapse" != { }) [
          "systemd-tmpfiles-setup.service"
          "systemd-tmpfiles-resetup.service"
        ]);
        requires = [ "matrix-synapse.service" ];
        environment = lib.optionalAttrs cfg.withJemalloc {
          LD_PRELOAD = "${pkgs.jemalloc}/lib/libjemalloc.so";
          PYTHONMALLOC = "malloc";
        };
        serviceConfig = {
          Type = "notify";
          User = "matrix-synapse";
          Group = "matrix-synapse";
          Slice = "system-matrix-synapse.slice";
-          WorkingDirectory = cfg.dataDir;
+
          Restart = "always";
          RestartSec = 3;
          WorkingDirectory = "/var/lib/matrix-synapse";
          RuntimeDirectory = "matrix-synapse";
          StateDirectory = "matrix-synapse";
          ExecStartPre = pkgs.writers.writeBash "wait-for-synapse" ''
            # From https://md.darmstadt.ccc.de/synapse-at-work
            while ! systemctl is-active -q matrix-synapse.service; do
@@ -391,9 +418,53 @@ in {
          ExecStart = let
            flags = lib.cli.toCommandLineShellGNU {} {
              config-path = [ matrix-synapse-common-config (workerConfig worker) ] ++ cfg.extraConfigFiles;
-              keys-directory = cfg.dataDir;
+              keys-directory = "/var/lib/matrix-synapse";
            };
          in "${wrapped}/bin/synapse_worker ${flags}";
          CapabilityBoundingSet = [ "" ];
          LockPersonality = true;
          NoNewPrivileges = true;
          PrivateDevices = true;
          PrivateTmp = true;
          PrivateUsers = true;
          ProcSubset = "pid";
          ProtectClock = true;
          ProtectControlGroups = true;
          ProtectHome = true;
          ProtectHostname = true;
          ProtectKernelLogs = true;
          ProtectKernelModules = true;
          ProtectKernelTunables = true;
          ProtectProc = "invisible";
          ProtectSystem = "strict";
          BindPaths = (lib.optionals (cfg.dataDir != "/var/lib/matrix-synapse") [
            "${cfg.dataDir}:/var/lib/matrix-synapse"
          ]) ++ (lib.optionals (cfg.settings.media_store_path != "${cfg.dataDir}/media_store") [
             "${cfg.settings.media_store_path}:/var/lib/matrix-synapse/media_store"
          ]);
          ReadWritePaths = lib.pipe cfg.settings.listeners [
            (lib.filter (listener: listener.path != null))
            (map (listener: dirOf listener.path))
            (lib.filter (path: path != "/run/matrix-synapse"))
            lib.uniqueStrings
          ];
          LoadCredential = [ "signing_key:${cfg.settings.signing_key_path}" ];
          RemoveIPC = true;
          RestrictAddressFamilies = [
            "AF_INET"
            "AF_INET6"
            "AF_UNIX"
          ];
          RestrictNamespaces = true;
          RestrictRealtime = true;
          RestrictSUIDSGID = true;
          SystemCallArchitectures = "native";
          SystemCallFilter = [
            "@system-service"
            "~@resources"
            "~@privileged"
          ];
        };
      };
    }));
Author	SHA1	Message	Date
h7x4	45e302b9ff	Remove trailing whitespace	2026-01-26 21:25:05 +09:00
h7x4	b6d3f51fa1	Pass `signing_key_path` through `LoadCredential`	2026-01-26 21:25:05 +09:00
h7x4	a18c7d129f	Remove duplicate `ReadWritePaths`	2026-01-26 21:15:28 +09:00
h7x4	86a3bdd368	Use `BindPaths` to force `stateDir` and `media_store_path` to `/var/lib`	2026-01-26 21:15:28 +09:00
h7x4	e1a0bd8054	nginx: add missing worker endpoints	2026-01-14 04:14:30 +09:00
h7x4	31baa00922	Restart both main process and workers on unexpected exit	2026-01-14 03:25:41 +09:00
h7x4	4c5ef718fe	workers: declare `worker_log_config` with default	2026-01-14 03:24:14 +09:00
h7x4	543b50dcf5	Add `withJemalloc` setting, enable by default	2026-01-14 03:23:51 +09:00
h7x4	114ca192c1	Get rid of bash	2026-01-14 03:22:54 +09:00
h7x4	318538066f	Add systemd hardening	2026-01-14 03:22:36 +09:00