sliding-sync: deprecate

refactor nginx upstream generation, add support for unix sockets

.gitignore

@@ -0,0 +1 @@
+result

README.MD

@@ -1,3 +1,5 @@
+For support and requests feel free to join [#nixos-matrix-modules:dodsorf.as](https://matrix.to/#/#nixos-matrix-modules:dodsorf.as), [uri](matrix:r/nixos-matrix-modules:dodsorf.as)
+
 With matrix.YOURDOMAIN pointing at the server:
 
 ```

flake.lock

@@ -1,23 +1,23 @@
 {
   "nodes": {
-    "nixpkgs-lib": {
+    "nixpkgs": {
       "locked": {
-        "lastModified": 1673743903,
-        "narHash": "sha256-sloY6KYyVOozJ1CkbgJPpZ99TKIjIvM+04V48C04sMQ=",
-        "owner": "nix-community",
-        "repo": "nixpkgs.lib",
-        "rev": "7555e2dfcbac1533f047021f1744ac8871150f9f",
+        "lastModified": 1706098335,
+        "narHash": "sha256-r3dWjT8P9/Ah5m5ul4WqIWD8muj5F+/gbCdjiNVBKmU=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "a77ab169a83a4175169d78684ddd2e54486ac651",
         "type": "github"
       },
       "original": {
-        "owner": "nix-community",
-        "repo": "nixpkgs.lib",
-        "type": "github"
+        "id": "nixpkgs",
+        "ref": "nixos-23.11",
+        "type": "indirect"
       }
     },
     "root": {
       "inputs": {
-        "nixpkgs-lib": "nixpkgs-lib"
+        "nixpkgs": "nixpkgs"
       }
     }
   },

flake.nix

@@ -2,13 +2,29 @@
   description = "NixOS modules for matrix related services";
 
   inputs = {
-    nixpkgs-lib.url = github:nix-community/nixpkgs.lib;
+    nixpkgs.url = "nixpkgs/nixos-23.11";
   };
 
-  outputs = { self, nixpkgs-lib }: {
+  outputs = { self, nixpkgs }: {
     nixosModules = {
       default = import ./module.nix;
     };
-    lib = import ./lib.nix { lib = nixpkgs-lib.lib; };
+
+    lib = import ./lib.nix { lib = nixpkgs.lib; };
+
+    packages = let
+      forAllSystems = f:
+        nixpkgs.lib.genAttrs [
+          "x86_64-linux"
+          "aarch64-linux"
+          "x86_64-darwin"
+          "aarch64-darwin"
+        ] (system: f nixpkgs.legacyPackages.${system});
+    in forAllSystems (pkgs: {
+      tests = import ./tests {
+        inherit nixpkgs pkgs;
+        matrix-lib = self.lib;
+      };
+    });
   };
 }

lib.nix

@@ -4,7 +4,7 @@ rec {
   isListenerType = type: l: lib.any (r: lib.any (n: n == type) r.names) l.resources;
   # Get the first listener that includes the given resource from worker
   firstListenerOfType = type: ls: lib.lists.findFirst (isListenerType type)
-    (lib.throw "No listener with resource: ${type} configured")
+    (throw "No listener with resource: ${type} configured")
     ls;
   # Get an attrset of the host and port from a listener 
   connectionInfo = l: {
@@ -17,4 +17,64 @@ rec {
     l = firstListenerOfType r w.settings.worker_listeners;
   in connectionInfo l;
 
+  mapWorkersToUpstreamsByType = workerInstances:
+    lib.pipe workerInstances [
+      lib.attrValues
+
+      # Index by worker type
+      (lib.foldl (acc: worker: acc // {
+        ${worker.type} = (acc.${worker.type} or [ ]) ++ [ worker ];
+      }) { })
+
+      # Subindex by resource names, listener types, and convert to upstreams
+      (lib.mapAttrs (_: workers: lib.pipe workers [
+        (lib.concatMap (worker: [ (lib.lists.head  worker.settings.worker_listeners) ]))
+        lib.flatten
+        mapListenersToUpstreamsByType
+      ]))
+    ];
+
+    mapListenersToUpstreamsByType = listenerInstances:
+      lib.pipe listenerInstances [
+        # Index by resource names
+        (lib.concatMap (listener: lib.pipe listener [
+          (listener: let
+            allResourceNames = lib.pipe listener.resources [
+              (map (resource: resource.names))
+              lib.flatten
+              lib.unique
+            ];
+          in if allResourceNames == [ ]
+            then { "empty" = listener; }
+            else lib.genAttrs allResourceNames (_: listener))
+          lib.attrsToList
+        ]))
+
+        (lib.foldl (acc: listener: acc // {
+          ${listener.name} = (acc.${listener.name} or [ ]) ++ [ listener.value ];
+        }) { })
+
+        # Index by listener type
+        (lib.mapAttrs (_:
+          (lib.foldl (acc: listener: acc // {
+            ${listener.type} = (acc.${listener.type} or [ ]) ++ [ listener ];
+          }) { })
+        ))
+
+        # Convert listeners to upstream URIs
+        (lib.mapAttrs (_:
+          (lib.mapAttrs (_: listeners:
+            lib.pipe listeners [
+              (lib.concatMap (listener:
+                if listener.path != null
+                  then [ "unix:${listener.path}" ]
+                  else (map (addr: "${addr}:${toString listener.port}") listener.bind_addresses)
+              ))
+              # NOTE: Adding ` = { }` to every upstream might seem unnecessary in isolation,
+              #       but it makes it easier to set upstreams in the nginx module.
+              (uris: lib.genAttrs uris (_: { }))
+            ]
+          ))
+        ))
+      ];
 }

sliding-sync/default.nix

@@ -84,12 +84,21 @@ in
   };
 
   config = lib.mkIf cfg.enable {
+    warnings = lib.optionals config.services.matrix-synapse-next.enable [
+      ''
+        services.matrix-synapse.sliding-sync is no longer necessary to use sliding-sync with synapse,
+        and the extra module will be removed from `nixos-matrix-modules` in the future.
+        If you are only using this service via `nixos-matrix-modules` you can safely remove options like
+        `services.matrix-synapse.sliding-sync.environmentFile`.
+      ''
+    ];
+
     services.postgresql = lib.optionalAttrs cfg.createDatabase {
       enable = true;
       ensureDatabases = [ "matrix-sliding-sync" ];
       ensureUsers = [ rec {
         name = "matrix-sliding-sync";
-        ensurePermissions."DATABASE \"${name}\"" = "ALL PRIVILEGES";
+        ensureDBOwnership = true;
       } ];
     };
 
@@ -107,7 +116,7 @@ in
     };
 
     services.nginx.virtualHosts.${cfg.publicBaseUrl} = lib.mkIf cfg.enableNginx {
-      enableACME = true;
+      enableACME = lib.mkDefault true;
       forceSSL = true;
       locations."/" = {
         proxyPass = lib.replaceStrings [ "0.0.0.0" "::" ] [ "127.0.0.1" "::1" ] "http://${cfg.settings.SYNCV3_BINDADDR}";

synapse-module/default.nix

@@ -395,6 +395,9 @@ in
         message = "Some listeners are missing either a socket path or a bind_address + port to listen on";
       }) cfg.settings.listeners);
 
+    warnings = [ ] ++ lib.optional cfg.enableSlidingSync
+      "the option services.matrix-synapse-next.enableSlidingSync no longer has any effect (and is enabled by default)";
+
     users.users.matrix-synapse = {
       group = "matrix-synapse";
       home = cfg.dataDir;
@@ -452,19 +455,5 @@ in
         };
       };
     };
-
-    services.matrix-synapse-next.settings.extra_well_known_client_content."org.matrix.msc3575.proxy" = mkIf cfg.enableSlidingSync {
-      url = "https://${config.services.matrix-synapse.sliding-sync.publicBaseUrl}";
-    };
-    services.matrix-synapse.sliding-sync = mkIf cfg.enableSlidingSync {
-      enable = true;
-      enableNginx = lib.mkDefault cfg.enableNginx;
-      publicBaseUrl = lib.mkDefault "slidingsync.${cfg.settings.server_name}";
-
-      settings = {
-        SYNCV3_SERVER = lib.mkDefault "https://${cfg.public_baseurl}";
-        SYNCV3_PROM = lib.mkIf cfg.settings.enable_metrics (lib.mkDefault "127.0.0.1:9001");
-      };
-    };
   };
 }

synapse-module/nginx.nix

@@ -2,54 +2,10 @@
 let
   cfg = config.services.matrix-synapse-next;
 
-  mapWorkersToUpstreamsByType = workerInstances: lib.pipe workerInstances [
-    lib.attrValues
+  matrix-lib = (import ../lib.nix { inherit lib; });
 
-    # Index by worker type
-    (lib.foldl (acc: worker: acc // {
-      ${worker.type} = (acc.${worker.type} or [ ]) ++ [ worker ];
-    }) { })
-
-    # Subindex by listener type (listener names), and convert to upstreams
-    (lib.mapAttrs (_: workers: lib.pipe workers [
-      (lib.concatMap (worker: worker.settings.worker_listeners))
-      lib.flatten
-      mapListenersToUpstreamsByType
-    ]))
-  ];
-
-  mapListenersToUpstreamsByType = listenerInstances: lib.pipe listenerInstances [
-    # Index by listener type (listener names)
-    (lib.concatMap (listener: lib.pipe listener [
-      (listener: let
-        allResourceNames = lib.pipe listener.resources [
-          (map (resource: resource.names))
-          lib.flatten
-          lib.unique
-        ];
-      in if allResourceNames == [ ]
-        then { "empty" = listener; }
-        else lib.genAttrs allResourceNames (_: listener))
-      lib.attrsToList
-    ]))
-
-    (lib.foldl (acc: listener: acc // {
-      ${listener.name} = (acc.${listener.name} or [ ]) ++ [ listener.value ];
-    }) { })
-
-    # Convert listeners to upstream URIs
-    (lib.mapAttrs (_: listeners: lib.pipe listeners [
-      (lib.concatMap (listener:
-        if listener.path != null
-          then [ "unix:${listener.path}" ]
-          else (map (addr: "${addr}:${toString listener.port}") listener.bind_addresses)
-      ))
-      (uris: lib.genAttrs uris (_: { }))
-    ]))
-  ];
-
-  workerUpstreams = mapWorkersToUpstreamsByType cfg.workers.instances;
-  listenerUpstreams = mapListenersToUpstreamsByType cfg.settings.listeners;
+  workerUpstreams = matrix-lib.mapWorkersToUpstreamsByType cfg.workers.instances;
+  listenerUpstreams = matrix-lib.mapListenersToUpstreamsByType cfg.settings.listeners;
 in
 {
   config = lib.mkIf cfg.enableNginx {
@@ -180,8 +136,8 @@ in
 
     services.nginx.upstreams.synapse_master.servers = let
       mainListeners = builtins.intersectAttrs
-        (listenerUpstreams."client" or { })
-        (listenerUpstreams."federation" or { });
+        (listenerUpstreams.client.http or { })
+        (listenerUpstreams.federation.http or { });
     in
       assert lib.assertMsg (mainListeners != { })
         "No catch-all listener configured, or listener is not bound to an address";
@@ -189,7 +145,7 @@ in
 
 
     services.nginx.upstreams.synapse_worker_federation = {
-      servers = workerUpstreams.fed-receiver.federation or config.services.nginx.upstreams.synapse_master.servers;
+      servers = workerUpstreams.fed-receiver.federation.http or config.services.nginx.upstreams.synapse_master.servers;
       extraConfig = ''
         ip_hash;
       '';
@@ -197,7 +153,7 @@ in
 
 
     services.nginx.upstreams.synapse_worker_initial_sync = {
-      servers = workerUpstreams.initial-sync.client or config.services.nginx.upstreams.synapse_master.servers;
+      servers = workerUpstreams.initial-sync.client.http or config.services.nginx.upstreams.synapse_master.servers;
       extraConfig = ''
         hash $mxid_localpart consistent;
       '';
@@ -205,7 +161,7 @@ in
 
 
     services.nginx.upstreams.synapse_worker_normal_sync = {
-      servers = workerUpstreams.normal-sync.client or config.services.nginx.upstreams.synapse_master.servers;
+      servers = workerUpstreams.normal-sync.client.http or config.services.nginx.upstreams.synapse_master.servers;
       extraConfig = ''
         hash $mxid_localpart consistent;
       '';
@@ -213,7 +169,7 @@ in
 
 
     services.nginx.upstreams.synapse_worker_user-dir = {
-      servers = workerUpstreams.user-dir.client or config.services.nginx.upstreams.synapse_master.servers;
+      servers = workerUpstreams.user-dir.client.http or config.services.nginx.upstreams.synapse_master.servers;
     };
 
     services.nginx.virtualHosts."${cfg.public_baseurl}" = {

tests/default.nix

@@ -0,0 +1,4 @@
+{ nixpkgs, pkgs, matrix-lib, ... }:
+{
+  nginx-pipeline = pkgs.callPackage ./nginx-pipeline { inherit nixpkgs matrix-lib; };
+}

tests/nginx-pipeline/default.nix

@@ -0,0 +1,53 @@
+{ nixpkgs, lib, matrix-lib, writeText, ... }:
+let
+  nixosConfig = nixpkgs.lib.nixosSystem {
+    system = "x86_64-linux";
+    modules = [
+      ../../module.nix
+      {
+        system.stateVersion = "23.11";
+        boot.isContainer = true;
+        services.matrix-synapse-next = {
+          enable = true;
+          enableNginx = true;
+
+          workers = {
+            enableMetrics = true;
+
+            federationSenders = 3;
+            federationReceivers = 3;
+            initialSyncers = 1;
+            normalSyncers = 1;
+            eventPersisters = 1;
+            useUserDirectoryWorker = true;
+
+            instances.auto-fed-receiver1.settings.worker_listeners = [
+              {
+                bind_addresses = [
+                  "127.0.0.2"
+                ];
+                port = 1337;
+                resources = [
+                  { compress = false;
+                    names = [ "federation" ];
+                  }
+                ];
+              }
+            ];
+          };
+
+          settings.server_name = "example.com";
+        };
+      }
+    ];
+  };
+
+  inherit (nixosConfig.config.services.matrix-synapse-next.workers) instances;
+in
+  writeText "matrix-synapse-next-nginx-pipeline-test.txt" ''
+    ${(lib.generators.toPretty {}) instances}
+
+    ====================================================
+
+    ${(lib.generators.toPretty {}) (matrix-lib.mapWorkersToUpstreamsByType instances)}
+  ''