danio 4364a998b3 Remove 'saml2' from extras, as it is currently broken 2025-12-01 01:09:59 +01:00
12 changed files with 49 additions and 559 deletions
-1
@@ -1,2 +1 @@
result result
result-*
-6
@@ -2,12 +2,6 @@
This is a best effort document descibing neccecary changes you might have to do when updating This is a best effort document descibing neccecary changes you might have to do when updating
## 0.8.0
`saml2` is no longer enabled, as it depends on vulnerable dependencies and isnt really built in nixpks anymore.
If you need to authenticate with saml, you should deploy some sort of saml to openid bridge, instead.
## 0.6.1 ## 0.6.1
enableSlidingSync, and setting matrix-synapse.sliding-sync.environmentFile (or any other sliding-sync setting) enableSlidingSync, and setting matrix-synapse.sliding-sync.environmentFile (or any other sliding-sync setting)
Generated
+4 -4
@@ -2,16 +2,16 @@
"nodes": { "nodes": {
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1781216227, "lastModified": 1706098335,
"narHash": "sha256-9mUW6gNwoN2SWc/l0fW4svPNOulXLl8ijqKyeSOGgJE=", "narHash": "sha256-r3dWjT8P9/Ah5m5ul4WqIWD8muj5F+/gbCdjiNVBKmU=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "a0374025a863d007d98e3297f6aa46cc3141c2f0", "rev": "a77ab169a83a4175169d78684ddd2e54486ac651",
"type": "github" "type": "github"
}, },
"original": { "original": {
"id": "nixpkgs", "id": "nixpkgs",
"ref": "nixos-26.05", "ref": "nixos-23.11",
"type": "indirect" "type": "indirect"
} }
}, },
+3 -9
@@ -2,7 +2,7 @@
description = "NixOS modules for matrix related services"; description = "NixOS modules for matrix related services";
inputs = { inputs = {
nixpkgs.url = "nixpkgs/nixos-26.05"; nixpkgs.url = "nixpkgs/nixos-23.11";
}; };
outputs = { self, nixpkgs }: { outputs = { self, nixpkgs }: {
@@ -12,7 +12,7 @@
lib = import ./lib.nix { lib = nixpkgs.lib; }; lib = import ./lib.nix { lib = nixpkgs.lib; };
checks = let packages = let
forAllSystems = f: forAllSystems = f:
nixpkgs.lib.genAttrs [ nixpkgs.lib.genAttrs [
"x86_64-linux" "x86_64-linux"
@@ -20,17 +20,11 @@
"x86_64-darwin" "x86_64-darwin"
"aarch64-darwin" "aarch64-darwin"
] (system: f nixpkgs.legacyPackages.${system}); ] (system: f nixpkgs.legacyPackages.${system});
in forAllSystems (pkgs: let in forAllSystems (pkgs: {
tests = import ./tests { tests = import ./tests {
inherit nixpkgs pkgs; inherit nixpkgs pkgs;
matrix-lib = self.lib; matrix-lib = self.lib;
}; };
in {
inherit (tests)
nginx-pipeline-eval
synapse
synapse-workers
;
}); });
}; };
} }
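Review bot: The side of this section that pins `nixpkgs.url = "nixpkgs/nixos-23.11";` (line 53) also turns the `checks` output into `packages` (line 58) and drops the `inherit (tests) nginx-pipeline-eval synapse synapse-workers;` export, so `nix flake check` no longer evaluates or runs the NixOS tests for the module; the tests/default.nix section on this page removes the same two test attributes. nixos-23.11 is an end-of-life channel, so a lock resolved against it will not receive security updates for synapse or its dependencies, which matters for a module whose job is to run an internet-facing homeserver. If that pin is deliberate for a compatibility branch, a comment next to it would save the next reader the question, e.g. `# intentionally pinned to an end-of-life channel; no security updates are expected from this lock`. Which column is the newer revision is inferred from the section's 3/9 addition/deletion counts and the `lastModified` values in the flake.lock section, not from anything explicit on the page.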
+21 -148
@@ -1,8 +1,7 @@
{ pkgs, lib, options, config, ... }: { pkgs, lib, config, ... }:
let let
matrix-lib = (import ../lib.nix { inherit lib; }); matrix-lib = (import ../lib.nix { inherit lib; });
opt = options.services.matrix-synapse-next;
cfg = config.services.matrix-synapse-next; cfg = config.services.matrix-synapse-next;
wcfg = cfg.workers; wcfg = cfg.workers;
@@ -10,29 +9,10 @@ let
cfgText = "config.services.matrix-synapse-next"; cfgText = "config.services.matrix-synapse-next";
wcfgText = "config.services.matrix-synapse-next.workers"; wcfgText = "config.services.matrix-synapse-next.workers";
usesCustomSigningKeyPath = cfg.settings.signing_key_path != (opt.settings.type.getSubOptions { }).signing_key_path.default; format = pkgs.formats.yaml {};
matrix-synapse-common-config = format.generate "matrix-synapse-common-config.yaml" (cfg.settings // {
format = pkgs.formats.yaml { }; listeners = map (lib.filterAttrsRecursive (_: v: v != null)) cfg.settings.listeners;
matrix-synapse-common-config = lib.pipe cfg.settings [ });
(settings: settings // {
listeners = map (lib.filterAttrsRecursive (_: v: v != null)) cfg.settings.listeners;
media_store_path = "/var/lib/matrix-synapse/media_store";
})
(settings: settings // (lib.optionalAttrs usesCustomSigningKeyPath {
signing_key_path = "/run/credentials/matrix-synapse.service/signing_key";
}))
(let
filterRecursiveNull =
o:
if lib.isAttrs o then
lib.mapAttrs (_: v: filterRecursiveNull v) (lib.filterAttrs (_: v: v != null) o)
else if lib.isList o then
map filterRecursiveNull (lib.filter (v: v != null) o)
else
o;
in filterRecursiveNull)
(format.generate "matrix-synapse-common-config.yaml")
];
# TODO: Align better with the upstream module # TODO: Align better with the upstream module
wrapped = cfg.package.override { wrapped = cfg.package.override {
@@ -90,14 +70,6 @@ in
''; '';
}; };
withJemalloc = mkOption {
type = types.bool;
default = true;
description = ''
Whether to preload jemalloc to reduce memory fragmentation and overall usage.
'';
};
dataDir = mkOption { dataDir = mkOption {
type = types.path; type = types.path;
default = "/var/lib/matrix-synapse"; default = "/var/lib/matrix-synapse";
@@ -135,7 +107,7 @@ in
description = "A yaml python logging config file"; description = "A yaml python logging config file";
}; };
enableSlidingSync = mkEnableOption "automatic Sliding Sync setup at `slidingsync.<domain>`"; enableSlidingSync = mkEnableOption (lib.mdDoc "automatic Sliding Sync setup at `slidingsync.<domain>`");
settings = mkOption { settings = mkOption {
type = types.submodule { type = types.submodule {
@@ -288,30 +260,6 @@ in
]; ];
}; };
database.name = mkOption {
type = types.enum [ "psycopg2" ];
default = "psycopg2";
description = ''
The database engine name. Hardcoded to psycopg2, this module is not designed for use with sqlite.
'';
};
database.args.database = mkOption {
type = types.str;
default = "matrix-synapse";
description = ''
Name of the database.
'';
};
database.args.user = mkOption {
type = types.nullOr types.str;
default = "matrix-synapse";
description = ''
Username to use when connecting to postgresql.
'';
};
federation_ip_range_blacklist = mkOption { federation_ip_range_blacklist = mkOption {
type = types.listOf types.str; type = types.listOf types.str;
description = '' description = ''
@@ -450,8 +398,9 @@ in
users.users.matrix-synapse = { users.users.matrix-synapse = {
group = "matrix-synapse"; group = "matrix-synapse";
home = "/var/lib/matrix-synapse"; home = cfg.dataDir;
createHome = true; createHome = true;
shell = "${pkgs.bash}/bin/bash";
uid = config.ids.uids.matrix-synapse; uid = config.ids.uids.matrix-synapse;
}; };
@@ -462,8 +411,7 @@ in
systemd = { systemd = {
targets.matrix-synapse = { targets.matrix-synapse = {
description = "Matrix synapse parent target"; description = "Matrix synapse parent target";
after = [ "network-online.target" ]; after = [ "network.target" ];
requires = [ "network-online.target" ];
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
}; };
@@ -473,110 +421,35 @@ in
after= [ "system.slice" ]; after= [ "system.slice" ];
}; };
tmpfiles.settings."10-matrix-synapse" = {
"${cfg.dataDir}".d = lib.mkIf (cfg.dataDir != "/var/lib/matrix-synapse") {
user = "matrix-synapse";
group = "matrix-synapse";
mode = "0700";
};
"${cfg.settings.media_store_path}".d = lib.mkIf (cfg.settings.media_store_path != "/var/lib/matrix-synapse/media_store") {
user = "matrix-synapse";
group = "matrix-synapse";
mode = "0700";
};
};
services.matrix-synapse = { services.matrix-synapse = {
description = "Synapse Matrix homeserver"; description = "Synapse Matrix homeserver";
partOf = [ "matrix-synapse.target" ]; partOf = [ "matrix-synapse.target" ];
wantedBy = [ "matrix-synapse.target" ]; wantedBy = [ "matrix-synapse.target" ];
after = lib.mkIf (config.systemd.tmpfiles.settings."10-matrix-synapse" != { }) [
"systemd-tmpfiles-setup.service"
"systemd-tmpfiles-resetup.service"
];
environment = lib.optionalAttrs cfg.withJemalloc { preStart = let
LD_PRELOAD = "${pkgs.jemalloc}/lib/libjemalloc.so"; flags = lib.cli.toGNUCommandLineShell {} {
PYTHONMALLOC = "malloc"; config-path = [ matrix-synapse-common-config ] ++ cfg.extraConfigFiles;
}; keys-directory = cfg.dataDir;
generate-keys = true;
};
in "${cfg.package}/bin/synapse_homeserver ${flags}";
serviceConfig = { serviceConfig = {
Type = "notify"; Type = "notify";
User = "matrix-synapse"; User = "matrix-synapse";
Group = "matrix-synapse"; Group = "matrix-synapse";
Slice = "system-matrix-synapse.slice"; Slice = "system-matrix-synapse.slice";
WorkingDirectory = cfg.dataDir;
Restart = "always";
RestartSec = 3;
WorkingDirectory = "/var/lib/matrix-synapse";
StateDirectory = "matrix-synapse"; StateDirectory = "matrix-synapse";
RuntimeDirectory = "matrix-synapse"; RuntimeDirectory = "matrix-synapse";
ExecStartPre = let
flags = lib.cli.toCommandLineShellGNU {} {
config-path = [ matrix-synapse-common-config ] ++ cfg.extraConfigFiles;
keys-directory = "/var/lib/matrix-synapse";
generate-keys = true;
};
in "${cfg.package}/bin/synapse_homeserver ${flags}";
ExecStart = let ExecStart = let
flags = lib.cli.toCommandLineShellGNU {} { flags = lib.cli.toGNUCommandLineShell {} {
config-path = [ matrix-synapse-common-config ] ++ cfg.extraConfigFiles; config-path = [ matrix-synapse-common-config ] ++ cfg.extraConfigFiles;
keys-directory = "/var/lib/matrix-synapse"; keys-directory = cfg.dataDir;
}; };
in "${wrapped}/bin/synapse_homeserver ${flags}"; in "${wrapped}/bin/synapse_homeserver ${flags}";
ExecReload = "${lib.getExe' pkgs.coreutils "kill"} -HUP $MAINPID"; ExecReload = "${pkgs.utillinux}/bin/kill -HUP $MAINPID";
Restart = "on-failure";
AmbientCapabilities = [ "" ];
CapabilityBoundingSet = [ "" ];
LockPersonality = true;
NoNewPrivileges = true;
PrivateDevices = true;
PrivateTmp = true;
PrivateUsers = true;
ProcSubset = "pid";
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
ProtectSystem = "strict";
BindPaths = (lib.optionals (cfg.dataDir != "/var/lib/matrix-synapse") [
"${cfg.dataDir}:/var/lib/matrix-synapse"
]) ++ (lib.optionals (cfg.settings.media_store_path != "${cfg.dataDir}/media_store") [
"${cfg.settings.media_store_path}:/var/lib/matrix-synapse/media_store"
]);
ReadWritePaths = lib.pipe cfg.settings.listeners [
(lib.filter (listener: listener.path != null))
(map (listener: dirOf listener.path))
(lib.filter (path: path != "/run/matrix-synapse"))
lib.uniqueStrings
];
LoadCredential = lib.mkIf usesCustomSigningKeyPath [
"signing_key:${cfg.settings.signing_key_path}"
];
RemoveIPC = true;
RestrictAddressFamilies = [
"AF_INET"
"AF_INET6"
"AF_UNIX"
];
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
SocketBindAllow = lib.catAttrs "port" cfg.settings.listeners;
SocketBindDeny = "any";
SystemCallArchitectures = "native";
SystemCallFilter = [
"@system-service"
"~@resources"
"~@privileged"
];
UMask = "0027";
}; };
}; };
}; };
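Review bot: The `serviceConfig` block on the side with 21 additions and 148 deletions (lines 209-284) has no sandboxing left: `ProtectSystem = "strict"`, `NoNewPrivileges`, `PrivateDevices`/`PrivateTmp`/`PrivateUsers`, `RestrictAddressFamilies`, `SocketBindAllow`/`SocketBindDeny`, `SystemCallFilter` and `UMask = "0027"` exist only in the other column, so on that side the homeserver runs as an ordinary user with the whole filesystem visible, an unrestricted syscall surface and the ability to bind any port. The worker units in the workers.nix section (lines 415-490) lose the same block, so a single note covers both. That side also stops passing the signing key through `LoadCredential` (lines 263-265), meaning a custom `signing_key_path` has to be readable by the service user directly, and orders the target only `after = [ "network.target" ]` without the `requires`/`after` on `network-online.target` (lines 175-176), which can start synapse before addresses are configured. If the stripped-down side is what ships, restoring the hardening directives from the other column, or at minimum `ProtectSystem = "strict"; NoNewPrivileges = true; SystemCallFilter = [ "@system-service" ];`, keeps the unit's blast radius bounded. Which column is the new revision is inferred from the counts; if this compare is reversed (the flake.lock section dates the other side later), the same observations apply to the base revision.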
+2 -16
@@ -24,7 +24,6 @@ in
~^/_matrix/client/(api/v1|r0|v3)/rooms/[^/]+/initialSync$ synapse_initial_sync; ~^/_matrix/client/(api/v1|r0|v3)/rooms/[^/]+/initialSync$ synapse_initial_sync;
# Federation requests # Federation requests
~^/_matrix/federation/v1/version$ synapse_federation;
~^/_matrix/federation/v1/event/ synapse_federation; ~^/_matrix/federation/v1/event/ synapse_federation;
~^/_matrix/federation/v1/state/ synapse_federation; ~^/_matrix/federation/v1/state/ synapse_federation;
~^/_matrix/federation/v1/state_ids/ synapse_federation; ~^/_matrix/federation/v1/state_ids/ synapse_federation;
@@ -36,8 +35,6 @@ in
~^/_matrix/federation/v1/make_leave/ synapse_federation; ~^/_matrix/federation/v1/make_leave/ synapse_federation;
~^/_matrix/federation/(v1|v2)/send_join/ synapse_federation; ~^/_matrix/federation/(v1|v2)/send_join/ synapse_federation;
~^/_matrix/federation/(v1|v2)/send_leave/ synapse_federation; ~^/_matrix/federation/(v1|v2)/send_leave/ synapse_federation;
~^/_matrix/federation/v1/make_knock/ synapse_federation;
~^/_matrix/federation/v1/send_knock/ synapse_federation;
~^/_matrix/federation/(v1|v2)/invite/ synapse_federation; ~^/_matrix/federation/(v1|v2)/invite/ synapse_federation;
~^/_matrix/federation/v1/event_auth/ synapse_federation; ~^/_matrix/federation/v1/event_auth/ synapse_federation;
~^/_matrix/federation/v1/timestamp_to_event/ synapse_federation; ~^/_matrix/federation/v1/timestamp_to_event/ synapse_federation;
@@ -59,23 +56,17 @@ in
~^/_matrix/client/v1/rooms/.*/hierarchy$ synapse_client_interaction; ~^/_matrix/client/v1/rooms/.*/hierarchy$ synapse_client_interaction;
~^/_matrix/client/(v1|unstable)/rooms/.*/relations/ synapse_client_interaction; ~^/_matrix/client/(v1|unstable)/rooms/.*/relations/ synapse_client_interaction;
~^/_matrix/client/v1/rooms/.*/threads$ synapse_client_interaction; ~^/_matrix/client/v1/rooms/.*/threads$ synapse_client_interaction;
~^/_matrix/client/unstable/org.matrix.msc2716/rooms/.*/batch_send$ synapse_client_interaction;
~^/_matrix/client/unstable/im.nheko.summary/rooms/.*/summary$ synapse_client_interaction; ~^/_matrix/client/unstable/im.nheko.summary/rooms/.*/summary$ synapse_client_interaction;
~^/_matrix/client/(r0|v3|unstable)/account/3pid$ synapse_client_interaction; ~^/_matrix/client/(r0|v3|unstable)/account/3pid$ synapse_client_interaction;
~^/_matrix/client/(r0|v3|unstable)/account/whoami$ synapse_client_interaction; ~^/_matrix/client/(r0|v3|unstable)/account/whoami$ synapse_client_interaction;
~^/_matrix/client/(r0|v3|unstable)/account/deactivate$ synapse_client_interaction; ~^/_matrix/client/(r0|v3|unstable)/devices$ synapse_client_interaction;
~^/_matrix/client/(r0|v3)/delete_devices$ synapse_client_interaction;
~^/_matrix/client/(api/v1|r0|v3|unstable)/devices(/|$) synapse_client_interaction;
~^/_matrix/client/versions$ synapse_client_interaction; ~^/_matrix/client/versions$ synapse_client_interaction;
~^/_matrix/client/(api/v1|r0|v3|unstable)/voip/turnServer$ synapse_client_interaction; ~^/_matrix/client/(api/v1|r0|v3|unstable)/voip/turnServer$ synapse_client_interaction;
~^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/event/ synapse_client_interaction; ~^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/event/ synapse_client_interaction;
~^/_matrix/client/(api/v1|r0|v3|unstable)/joined_rooms$ synapse_client_interaction; ~^/_matrix/client/(api/v1|r0|v3|unstable)/joined_rooms$ synapse_client_interaction;
~^/_matrix/client/v1/rooms/.*/timestamp_to_event$ synapse_client_interaction; ~^/_matrix/client/v1/rooms/.*/timestamp_to_event$ synapse_client_interaction;
~^/_matrix/client/(api/v1|r0|v3|unstable/.*)/rooms/.*/aliases synapse_client_interaction;
~^/_matrix/client/(api/v1|r0|v3|unstable)/search$ synapse_client_interaction; ~^/_matrix/client/(api/v1|r0|v3|unstable)/search$ synapse_client_interaction;
~^/_matrix/client/(r0|v3|unstable)/user/.*/filter(/|$) synapse_client_interaction;
~^/_matrix/client/(api/v1|r0|v3|unstable)/directory/room/.*$ synapse_client_interaction;
~^/_matrix/client/(r0|v3|unstable)/capabilities$ synapse_client_interaction;
~^/_matrix/client/(r0|v3|unstable)/notifications$ synapse_client_interaction;
# Encryption requests # Encryption requests
~^/_matrix/client/(r0|v3|unstable)/keys/query$ synapse_client_encryption; ~^/_matrix/client/(r0|v3|unstable)/keys/query$ synapse_client_encryption;
@@ -83,15 +74,11 @@ in
~^/_matrix/client/(r0|v3|unstable)/keys/claim$ synapse_client_encryption; ~^/_matrix/client/(r0|v3|unstable)/keys/claim$ synapse_client_encryption;
~^/_matrix/client/(r0|v3|unstable)/room_keys/ synapse_client_encryption; ~^/_matrix/client/(r0|v3|unstable)/room_keys/ synapse_client_encryption;
~^/_matrix/client/(r0|v3|unstable)/keys/upload/ synapse_client_encryption; ~^/_matrix/client/(r0|v3|unstable)/keys/upload/ synapse_client_encryption;
~^/_matrix/client/(api/v1|r0|v3|unstable)/keys/device_signing/upload$ synapse_client_encryption;
~^/_matrix/client/(api/v1|r0|v3|unstable)/keys/signatures/upload$ synapse_client_encryption;
# Registration/login requests # Registration/login requests
~^/_matrix/client/(api/v1|r0|v3|unstable)/login$ synapse_client_login; ~^/_matrix/client/(api/v1|r0|v3|unstable)/login$ synapse_client_login;
~^/_matrix/client/(r0|v3|unstable)/register$ synapse_client_login; ~^/_matrix/client/(r0|v3|unstable)/register$ synapse_client_login;
~^/_matrix/client/(r0|v3|unstable)/register/available$ synapse_client_login;
~^/_matrix/client/v1/register/m.login.registration_token/validity$ synapse_client_login; ~^/_matrix/client/v1/register/m.login.registration_token/validity$ synapse_client_login;
~^/_matrix/client/(r0|v3|unstable)/password_policy$ synapse_client_login;
# Event sending requests # Event sending requests
~^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/redact synapse_client_transaction; ~^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/redact synapse_client_transaction;
@@ -99,7 +86,6 @@ in
~^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/state/ synapse_client_transaction; ~^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/state/ synapse_client_transaction;
~^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/(join|invite|leave|ban|unban|kick)$ synapse_client_transaction; ~^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/(join|invite|leave|ban|unban|kick)$ synapse_client_transaction;
~^/_matrix/client/(api/v1|r0|v3|unstable)/join/ synapse_client_transaction; ~^/_matrix/client/(api/v1|r0|v3|unstable)/join/ synapse_client_transaction;
~^/_matrix/client/(api/v1|r0|v3|unstable)/knock/ synapse_client_transaction;
~^/_matrix/client/(api/v1|r0|v3|unstable)/profile/ synapse_client_transaction; ~^/_matrix/client/(api/v1|r0|v3|unstable)/profile/ synapse_client_transaction;
# Account data requests # Account data requests
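Review bot: The `devices` rule on the side that removes lines (line 313) is narrowed from `~^/_matrix/client/(api/v1|r0|v3|unstable)/devices(/|$)` to `~^/_matrix/client/(r0|v3|unstable)/devices$`, and the `delete_devices` rule on line 314 goes away with it, so per-device paths such as `/devices/<id>` no longer match this map entry and fall through to whatever default the map declares outside this hunk. The same happens to the federation `version`, `make_knock`/`send_knock`, client `knock`, `register/available`, `capabilities` and `notifications` rules removed in the other hunks of this section. If routing those to the default upstream is intended, a one-line comment at the top of the client block saying which endpoints deliberately stay on the main process would make the omission visible to the next person comparing this list against Synapse's worker documentation; the enclosing `map` starts and ends outside the hunks shown.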
+12 -100
@@ -4,8 +4,8 @@
throw', throw',
format format
}: }:
{ pkgs, lib, options, config, ... }: let { pkgs, lib, config, ... }: let
opt = options.services.matrix-synapse-next;
cfg = config.services.matrix-synapse-next; cfg = config.services.matrix-synapse-next;
wcfg = config.services.matrix-synapse-next.workers; wcfg = config.services.matrix-synapse-next.workers;
@@ -13,8 +13,6 @@
cfgText = "config.services.matrix-synapse-next"; cfgText = "config.services.matrix-synapse-next";
wcfgText = "config.services.matrix-synapse-next.workers"; wcfgText = "config.services.matrix-synapse-next.workers";
usesCustomSigningKeyPath = cfg.settings.signing_key_path != (opt.settings.type.getSubOptions { }).signing_key_path.default;
inherit (lib) types mkOption mkEnableOption mkIf mkMerge literalExpression; inherit (lib) types mkOption mkEnableOption mkIf mkMerge literalExpression;
mkWorkerCountOption = workerType: mkOption { mkWorkerCountOption = workerType: mkOption {
@@ -76,16 +74,6 @@ in {
description = "Listener configuration for the worker, similar to the main synapse listener"; description = "Listener configuration for the worker, similar to the main synapse listener";
default = [ ]; default = [ ];
}; };
worker_log_config = mkOption {
type = types.path;
description = ''
A yaml python logging config file as described by
https://docs.python.org/3.7/library/logging.config.html#configuration-dictionary-schema
'';
default = pkgs.writeText "log_config.yaml" cfg.mainLogConfig;
defaultText = "A config file generated from ${cfgText}.mainLogConfig";
};
}; };
}; };
@@ -372,51 +360,28 @@ in {
systemd.services = let systemd.services = let
workerList = lib.mapAttrsToList lib.nameValuePair wcfg.instances; workerList = lib.mapAttrsToList lib.nameValuePair wcfg.instances;
workerConfig = worker: workerConfig = worker:
format.generate "matrix-synapse-worker-${worker.name}-config.yaml" ( format.generate "matrix-synapse-worker-${worker.name}-config.yaml"
worker.value.settings (worker.value.settings // {
// worker_name = worker.name;
{ worker_listeners =
worker_name = worker.name; map (lib.filterAttrsRecursive (_: v: v != null)) worker.value.settings.worker_listeners;
worker_listeners = map (lib.filterAttrsRecursive (_: v: v != null)) worker.value.settings.worker_listeners; });
}
//
# NOTE: the workers cannot pick up creds from `/run/credentials/matrix-synapse.service/*`
(lib.optionalAttrs usesCustomSigningKeyPath {
signing_key_path = "/run/credentials/matrix-synapse-worker-${worker.name}.service/signing_key";
})
);
in builtins.listToAttrs (lib.flip map workerList (worker: { in builtins.listToAttrs (lib.flip map workerList (worker: {
name = "matrix-synapse-worker-${worker.name}"; name = "matrix-synapse-worker-${worker.name}";
value = { value = {
description = "Synapse Matrix Worker"; description = "Synapse Matrix Worker";
partOf = [ "matrix-synapse.target" ]; partOf = [ "matrix-synapse.target" ];
wantedBy = [ "matrix-synapse.target" ]; wantedBy = [ "matrix-synapse.target" ];
after = [ after = [ "matrix-synapse.service" ];
"matrix-synapse.service"
] ++ (lib.optionals (config.systemd.tmpfiles.settings."10-matrix-synapse" != { }) [
"systemd-tmpfiles-setup.service"
"systemd-tmpfiles-resetup.service"
]);
requires = [ "matrix-synapse.service" ]; requires = [ "matrix-synapse.service" ];
environment = lib.optionalAttrs cfg.withJemalloc {
LD_PRELOAD = "${pkgs.jemalloc}/lib/libjemalloc.so";
PYTHONMALLOC = "malloc";
};
serviceConfig = { serviceConfig = {
Type = "notify"; Type = "notify";
User = "matrix-synapse"; User = "matrix-synapse";
Group = "matrix-synapse"; Group = "matrix-synapse";
Slice = "system-matrix-synapse.slice"; Slice = "system-matrix-synapse.slice";
WorkingDirectory = cfg.dataDir;
Restart = "always";
RestartSec = 3;
WorkingDirectory = "/var/lib/matrix-synapse";
RuntimeDirectory = "matrix-synapse"; RuntimeDirectory = "matrix-synapse";
StateDirectory = "matrix-synapse"; StateDirectory = "matrix-synapse";
ExecStartPre = pkgs.writers.writeBash "wait-for-synapse" '' ExecStartPre = pkgs.writers.writeBash "wait-for-synapse" ''
# From https://md.darmstadt.ccc.de/synapse-at-work # From https://md.darmstadt.ccc.de/synapse-at-work
while ! systemctl is-active -q matrix-synapse.service; do while ! systemctl is-active -q matrix-synapse.service; do
@@ -424,64 +389,11 @@ in {
done done
''; '';
ExecStart = let ExecStart = let
flags = lib.cli.toCommandLineShellGNU {} { flags = lib.cli.toGNUCommandLineShell {} {
config-path = [ matrix-synapse-common-config (workerConfig worker) ] ++ cfg.extraConfigFiles; config-path = [ matrix-synapse-common-config (workerConfig worker) ] ++ cfg.extraConfigFiles;
keys-directory = "/var/lib/matrix-synapse"; keys-directory = cfg.dataDir;
}; };
in "${wrapped}/bin/synapse_worker ${flags}"; in "${wrapped}/bin/synapse_worker ${flags}";
AmbientCapabilities = [ "" ];
CapabilityBoundingSet = [ "" ];
LockPersonality = true;
NoNewPrivileges = true;
PrivateDevices = true;
PrivateTmp = true;
PrivateUsers = true;
ProcSubset = "pid";
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
ProtectSystem = "strict";
BindPaths = (lib.optionals (cfg.dataDir != "/var/lib/matrix-synapse") [
"${cfg.dataDir}:/var/lib/matrix-synapse"
]) ++ (lib.optionals (cfg.settings.media_store_path != "${cfg.dataDir}/media_store") [
"${cfg.settings.media_store_path}:/var/lib/matrix-synapse/media_store"
]);
ReadWritePaths = lib.pipe cfg.settings.listeners [
(lib.filter (listener: listener.path != null))
(map (listener: dirOf listener.path))
(lib.filter (path: path != "/run/matrix-synapse"))
lib.uniqueStrings
];
LoadCredential = lib.mkIf usesCustomSigningKeyPath [
"signing_key:${cfg.settings.signing_key_path}"
];
RemoveIPC = true;
RestrictAddressFamilies = [
"AF_INET"
"AF_INET6"
"AF_UNIX"
];
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
SocketBindAllow = lib.pipe worker.value.settings.worker_listeners [
(map (lib.filterAttrsRecursive (_: v: v != null)))
(lib.catAttrs "port")
];
SocketBindDeny = "any";
SystemCallArchitectures = "native";
SystemCallFilter = [
"@system-service"
"~@resources"
"~@privileged"
];
UMask = "0027";
}; };
}; };
})); }));
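Review bot: On the side with 12 additions, the worker `serviceConfig` (lines 415-490) sets no `Restart` policy at all, while the main unit in the module.nix section on the same side keeps `Restart = "on-failure";` (line 234), so a crashed worker stays down until `matrix-synapse.target` is restarted by hand even though the `ExecStartPre` wait loop exists precisely to let workers come back after the main process. Adding `Restart = "on-failure"; RestartSec = 3;` next to `Slice` would make the worker units behave like the main one. The `systemd.services` attribute this hunk belongs to ends at line 492, but its `let` header starts outside the hunk.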
+1 -4
@@ -1,7 +1,4 @@
{ nixpkgs, pkgs, matrix-lib, ... }: { nixpkgs, pkgs, matrix-lib, ... }:
{ {
nginx-pipeline-eval = pkgs.callPackage ./nginx-pipeline { inherit nixpkgs matrix-lib; }; nginx-pipeline = pkgs.callPackage ./nginx-pipeline { inherit nixpkgs matrix-lib; };
synapse = pkgs.testers.runNixOSTest ./synapse;
synapse-workers = pkgs.testers.runNixOSTest ./synapse-workers;
} }
+1 -1
@@ -5,7 +5,7 @@ let
modules = [ modules = [
../../module.nix ../../module.nix
{ {
system.stateVersion = "25.11"; system.stateVersion = "23.11";
boot.isContainer = true; boot.isContainer = true;
services.matrix-synapse-next = { services.matrix-synapse-next = {
enable = true; enable = true;
-52
@@ -1,52 +0,0 @@
{ pkgs, ... }:
{
name = "matrix-synapse-workers";
nodes = {
server =
{
pkgs,
nodes,
...
}:
{
imports = [
../../synapse-module
];
services.postgresql = {
enable = true;
initialScript = pkgs.writeText "synapse-init.sql" ''
CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';
CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
TEMPLATE template0
LC_COLLATE = "C"
LC_CTYPE = "C";
'';
};
services.matrix-synapse-next = {
enable = true;
workers.federationSenders = 1;
workers.federationReceivers = 1;
workers.initialSyncers = 1;
workers.normalSyncers = 1;
workers.eventPersisters = 1;
workers.useUserDirectoryWorker = true;
settings = {
server_name = "example.com";
database = {
args.password = "synapse";
};
};
};
services.redis.servers."".enable = true;
};
};
testScript = ''
server.wait_for_unit("matrix-synapse.target");
'';
}
-213
@@ -1,213 +0,0 @@
# Modified from https://github.com/NixOS/nixpkgs/blob/nixos-26.05/nixos/tests/matrix/synapse.nix
{ pkgs, lib, ... }:
let
mailerCerts = import /${pkgs.path}/nixos/tests/common/acme/server/snakeoil-certs.nix;
mailerDomain = mailerCerts.domain;
registrationSharedSecret = "unsecure123";
testUser = "alice";
testPassword = "alicealice";
testEmail = "alice@example.com";
in
{
name = "matrix-synapse";
nodes = {
# Since 0.33.0, matrix-synapse doesn't allow underscores in server names
server =
{
pkgs,
nodes,
config,
...
}:
let
mailserverIP = nodes.mailserver.networking.primaryIPAddress;
in
{
imports = [
../../synapse-module
];
services.matrix-synapse-next = {
enable = true;
settings = {
registration_shared_secret = registrationSharedSecret;
server_name = "example.com";
public_baseurl = "https://example.com";
database = {
args.password = "synapse";
};
redis = {
enabled = true;
host = "localhost";
port = config.services.redis.servers.matrix-synapse.port;
};
email = {
smtp_host = mailerDomain;
smtp_port = 25;
require_transport_security = true;
notif_from = "matrix <matrix@${mailerDomain}>";
app_name = "Matrix";
};
listeners = [
{
port = 8448;
bind_addresses = [
"127.0.0.1"
"::1"
];
type = "http";
x_forwarded = false;
resources = [
{
names = [
"client"
];
compress = true;
}
{
names = [
"federation"
];
compress = false;
}
];
}
];
};
};
services.postgresql = {
enable = true;
# The database name and user are configured by the following options:
# - services.matrix-synapse.database_name
# - services.matrix-synapse.database_user
#
# The values used here represent the default values of the module.
initialScript = pkgs.writeText "synapse-init.sql" ''
CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';
CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
TEMPLATE template0
LC_COLLATE = "C"
LC_CTYPE = "C";
'';
};
services.redis.servers.matrix-synapse = {
enable = true;
port = 6380;
};
networking.extraHosts = ''
${mailserverIP} ${mailerDomain}
'';
security.pki.certificateFiles = [
mailerCerts.ca.cert
];
environment.systemPackages =
let
sendTestMailStarttls = pkgs.writeScriptBin "send-testmail-starttls" ''
#!${pkgs.python3.interpreter}
import smtplib
import ssl
ctx = ssl.create_default_context()
with smtplib.SMTP('${mailerDomain}') as smtp:
smtp.ehlo()
smtp.starttls(context=ctx)
smtp.ehlo()
smtp.sendmail('matrix@${mailerDomain}', '${testEmail}', 'Subject: Test STARTTLS\n\nTest data.')
smtp.quit()
'';
obtainTokenAndRegisterEmail =
let
# adding the email through the API is quite complicated as it involves more than one step and some
# client-side calculation
insertEmailForAlice = pkgs.writeText "alice-email.sql" ''
INSERT INTO user_threepids (user_id, medium, address, validated_at, added_at)
VALUES ('${testUser}@server', 'email', '${testEmail}', '1629149927271', '1629149927270');
'';
in
pkgs.writeScriptBin "obtain-token-and-register-email" ''
#!${pkgs.runtimeShell}
set -o errexit
set -o pipefail
set -o nounset
su postgres -c "psql -d matrix-synapse -f ${insertEmailForAlice}"
curl --fail -XPOST -v 'http://localhost:8448/_matrix/client/r0/account/password/email/requestToken' --json '${builtins.toJSON {
email = testEmail;
client_secret = "foobar";
send_attempt = 1;
}}'
'';
in
[
sendTestMailStarttls
pkgs.matrix-synapse
obtainTokenAndRegisterEmail
];
};
# test mail delivery
mailserver = args: {
security.pki.certificateFiles = [
mailerCerts.ca.cert
];
networking.firewall.enable = false;
services.postfix = {
enable = true;
enableSubmission = true;
# blackhole transport
transport = "example.com discard:silently";
settings.main = {
myhostname = "${mailerDomain}";
# open relay for subnet
mynetworks_style = "subnet";
debug_peer_level = "10";
smtpd_relay_restrictions = [
"permit_mynetworks"
"reject_unauth_destination"
];
# disable obsolete protocols, something old versions of twisted are still using
smtpd_tls_protocols = "TLSv1.3, TLSv1.2, !TLSv1.1, !TLSv1, !SSLv2, !SSLv3";
smtpd_tls_mandatory_protocols = "TLSv1.3, TLSv1.2, !TLSv1.1, !TLSv1, !SSLv2, !SSLv3";
smtpd_tls_chain_files = [
"${mailerCerts.${mailerDomain}.key}"
"${mailerCerts.${mailerDomain}.cert}"
];
};
};
};
};
testScript = ''
start_all()
mailserver.wait_for_unit("postfix.service")
server.succeed("send-testmail-starttls")
server.wait_for_unit("matrix-synapse.service")
server.wait_until_succeeds(
"curl --fail -L http://localhost:8448/"
)
server.wait_until_succeeds(
"journalctl -u matrix-synapse.service | grep -q 'Connected to redis'"
)
server.require_unit_state("postgresql.target")
server.succeed("register_new_matrix_user -u ${testUser} -p ${testPassword} -a -k ${registrationSharedSecret} 'http://localhost:8448/'")
server.succeed("obtain-token-and-register-email")
'';
}