Remove trailing whitespace

Additional fixes for 25.11

MIGRATIONS.MD

@@ -2,6 +2,12 @@
 
 This is a best effort document descibing neccecary changes you might have to do when updating
 
+## 0.8.0
+
+`saml2` is no longer enabled, as it depends on vulnerable dependencies and isnt really built in nixpks anymore.
+
+If you need to authenticate with saml, you should deploy some sort of saml to openid bridge, instead.
+
 ## 0.6.1
 
 enableSlidingSync, and setting matrix-synapse.sliding-sync.environmentFile (or any other sliding-sync setting)

flake.lock

@@ -2,16 +2,16 @@
   "nodes": {
     "nixpkgs": {
       "locked": {
-        "lastModified": 1706098335,
+        "lastModified": 1764983851,
-        "narHash": "sha256-r3dWjT8P9/Ah5m5ul4WqIWD8muj5F+/gbCdjiNVBKmU=",
+        "narHash": "sha256-y7RPKl/jJ/KAP/VKLMghMgXTlvNIJMHKskl8/Uuar7o=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "a77ab169a83a4175169d78684ddd2e54486ac651",
+        "rev": "d9bc5c7dceb30d8d6fafa10aeb6aa8a48c218454",
         "type": "github"
       },
       "original": {
         "id": "nixpkgs",
-        "ref": "nixos-23.11",
+        "ref": "nixos-25.11",
         "type": "indirect"
       }
     },

flake.nix

@@ -2,7 +2,7 @@
   description = "NixOS modules for matrix related services";
 
   inputs = {
-    nixpkgs.url = "nixpkgs/nixos-23.11";
+    nixpkgs.url = "nixpkgs/nixos-25.11";
   };
 
   outputs = { self, nixpkgs }: {
@@ -12,7 +12,7 @@
 
     lib = import ./lib.nix { lib = nixpkgs.lib; };
 
-    packages = let
+    checks = let
       forAllSystems = f:
         nixpkgs.lib.genAttrs [
           "x86_64-linux"
@@ -20,11 +20,13 @@
           "x86_64-darwin"
           "aarch64-darwin"
         ] (system: f nixpkgs.legacyPackages.${system});
-    in forAllSystems (pkgs: {
+    in forAllSystems (pkgs: let
       tests = import ./tests {
         inherit nixpkgs pkgs;
         matrix-lib = self.lib;
       };
+    in {
+      inherit (tests) nginx-pipeline-eval;
     });
   };
 }

synapse-module/default.nix

@@ -12,6 +12,8 @@ let
   format = pkgs.formats.yaml {};
   matrix-synapse-common-config = format.generate "matrix-synapse-common-config.yaml" (cfg.settings // {
     listeners = map (lib.filterAttrsRecursive (_: v: v != null)) cfg.settings.listeners;
+    media_store_path = "/var/lib/matrix-synapse/media_store";
+    signing_key_path = "/run/credentials/matrix-synapse.service/signing_key";
   });
 
   # TODO: Align better with the upstream module
@@ -19,7 +21,6 @@ let
     inherit (cfg) plugins;
     extras = [
       "postgres"
-      "saml2"
       "oidc"
       "systemd"
       "url-preview"
@@ -27,7 +28,6 @@ let
       "jwt"
       "redis"
       "cache-memory"
-      "user-search"
     ];
   };
 
@@ -72,6 +72,14 @@ in
       '';
     };
 
+    withJemalloc = mkOption {
+      type = types.bool;
+      default = true;
+      description = ''
+        Whether to preload jemalloc to reduce memory fragmentation and overall usage.
+      '';
+    };
+
     dataDir = mkOption {
       type = types.path;
       default = "/var/lib/matrix-synapse";
@@ -400,9 +408,8 @@ in
 
     users.users.matrix-synapse = {
       group = "matrix-synapse";
-      home = cfg.dataDir;
+      home = "/var/lib/matrix-synapse";
       createHome = true;
-      shell = "${pkgs.bash}/bin/bash";
       uid = config.ids.uids.matrix-synapse;
     };
 
@@ -423,35 +430,104 @@ in
         after= [ "system.slice" ];
       };
 
+      tmpfiles.settings."10-matrix-synapse" = {
+        "${cfg.dataDir}".d = lib.mkIf (cfg.dataDir != "/var/lib/matrix-synapse") {
+          user = "matrix-synapse";
+          group = "matrix-synapse";
+          mode = "0700";
+        };
+        "${cfg.settings.media_store_path}".d = lib.mkIf (cfg.settings.media_store_path != "/var/lib/matrix-synapse/media_store") {
+          user = "matrix-synapse";
+          group = "matrix-synapse";
+          mode = "0700";
+        };
+      };
+
       services.matrix-synapse = {
         description = "Synapse Matrix homeserver";
         partOf = [ "matrix-synapse.target" ];
         wantedBy = [ "matrix-synapse.target" ];
+        after = lib.mkIf (config.systemd.tmpfiles.settings."10-matrix-synapse" != { }) [
+          "systemd-tmpfiles-setup.service"
+          "systemd-tmpfiles-resetup.service"
+        ];
 
-        preStart = let
+        environment = lib.optionalAttrs cfg.withJemalloc {
-          flags = lib.cli.toGNUCommandLineShell {} {
+          LD_PRELOAD = "${pkgs.jemalloc}/lib/libjemalloc.so";
-            config-path = [ matrix-synapse-common-config ] ++ cfg.extraConfigFiles;
+          PYTHONMALLOC = "malloc";
-            keys-directory = cfg.dataDir;
+        };
-            generate-keys = true;
-          };
-        in "${cfg.package}/bin/synapse_homeserver ${flags}";
 
         serviceConfig = {
           Type = "notify";
           User = "matrix-synapse";
           Group = "matrix-synapse";
           Slice = "system-matrix-synapse.slice";
-          WorkingDirectory = cfg.dataDir;
+
+          Restart = "always";
+          RestartSec = 3;
+
+          WorkingDirectory = "/var/lib/matrix-synapse";
           StateDirectory = "matrix-synapse";
           RuntimeDirectory = "matrix-synapse";
-          ExecStart = let
+
-            flags = lib.cli.toGNUCommandLineShell {} {
+          ExecStartPre = let
+            flags = lib.cli.toCommandLineShellGNU {} {
               config-path = [ matrix-synapse-common-config ] ++ cfg.extraConfigFiles;
-              keys-directory = cfg.dataDir;
+              keys-directory = "/var/lib/matrix-synapse";
+              generate-keys = true;
+            };
+          in "${cfg.package}/bin/synapse_homeserver ${flags}";
+          ExecStart = let
+            flags = lib.cli.toCommandLineShellGNU {} {
+              config-path = [ matrix-synapse-common-config ] ++ cfg.extraConfigFiles;
+              keys-directory = "/var/lib/matrix-synapse";
             };
           in "${wrapped}/bin/synapse_homeserver ${flags}";
-          ExecReload = "${pkgs.utillinux}/bin/kill -HUP $MAINPID";
+          ExecReload = "${lib.getExe' pkgs.coreutils "kill"} -HUP $MAINPID";
-          Restart = "on-failure";
+
+          CapabilityBoundingSet = [ "" ];
+          LockPersonality = true;
+          NoNewPrivileges = true;
+          PrivateDevices = true;
+          PrivateTmp = true;
+          PrivateUsers = true;
+          ProcSubset = "pid";
+          ProtectClock = true;
+          ProtectControlGroups = true;
+          ProtectHome = true;
+          ProtectHostname = true;
+          ProtectKernelLogs = true;
+          ProtectKernelModules = true;
+          ProtectKernelTunables = true;
+          ProtectProc = "invisible";
+          ProtectSystem = "strict";
+          BindPaths = (lib.optionals (cfg.dataDir != "/var/lib/matrix-synapse") [
+            "${cfg.dataDir}:/var/lib/matrix-synapse"
+          ]) ++ (lib.optionals (cfg.settings.media_store_path != "${cfg.dataDir}/media_store") [
+             "${cfg.settings.media_store_path}:/var/lib/matrix-synapse/media_store"
+          ]);
+          ReadWritePaths = lib.pipe cfg.settings.listeners [
+            (lib.filter (listener: listener.path != null))
+            (map (listener: dirOf listener.path))
+            (lib.filter (path: path != "/run/matrix-synapse"))
+            lib.uniqueStrings
+          ];
+          LoadCredential = [ "signing_key:${cfg.settings.signing_key_path}" ];
+          RemoveIPC = true;
+          RestrictAddressFamilies = [
+            "AF_INET"
+            "AF_INET6"
+            "AF_UNIX"
+          ];
+          RestrictNamespaces = true;
+          RestrictRealtime = true;
+          RestrictSUIDSGID = true;
+          SystemCallArchitectures = "native";
+          SystemCallFilter = [
+            "@system-service"
+            "~@resources"
+            "~@privileged"
+          ];
         };
       };
     };

synapse-module/nginx.nix

@@ -24,6 +24,7 @@ in
         ~^/_matrix/client/(api/v1|r0|v3)/rooms/[^/]+/initialSync$ synapse_initial_sync;
 
         # Federation requests
+        ~^/_matrix/federation/v1/version$ synapse_federation;
         ~^/_matrix/federation/v1/event/ synapse_federation;
         ~^/_matrix/federation/v1/state/ synapse_federation;
         ~^/_matrix/federation/v1/state_ids/ synapse_federation;
@@ -35,6 +36,8 @@ in
         ~^/_matrix/federation/v1/make_leave/ synapse_federation;
         ~^/_matrix/federation/(v1|v2)/send_join/ synapse_federation;
         ~^/_matrix/federation/(v1|v2)/send_leave/ synapse_federation;
+        ~^/_matrix/federation/v1/make_knock/ synapse_federation;
+        ~^/_matrix/federation/v1/send_knock/ synapse_federation;
         ~^/_matrix/federation/(v1|v2)/invite/ synapse_federation;
         ~^/_matrix/federation/v1/event_auth/ synapse_federation;
         ~^/_matrix/federation/v1/timestamp_to_event/ synapse_federation;
@@ -56,17 +59,23 @@ in
         ~^/_matrix/client/v1/rooms/.*/hierarchy$ synapse_client_interaction;
         ~^/_matrix/client/(v1|unstable)/rooms/.*/relations/ synapse_client_interaction;
         ~^/_matrix/client/v1/rooms/.*/threads$ synapse_client_interaction;
-        ~^/_matrix/client/unstable/org.matrix.msc2716/rooms/.*/batch_send$ synapse_client_interaction;
         ~^/_matrix/client/unstable/im.nheko.summary/rooms/.*/summary$ synapse_client_interaction;
         ~^/_matrix/client/(r0|v3|unstable)/account/3pid$ synapse_client_interaction;
         ~^/_matrix/client/(r0|v3|unstable)/account/whoami$ synapse_client_interaction;
-        ~^/_matrix/client/(r0|v3|unstable)/devices$ synapse_client_interaction;
+        ~^/_matrix/client/(r0|v3|unstable)/account/deactivate$ synapse_client_interaction;
+        ~^/_matrix/client/(r0|v3)/delete_devices$ synapse_client_interaction;
+        ~^/_matrix/client/(api/v1|r0|v3|unstable)/devices(/|$) synapse_client_interaction;
         ~^/_matrix/client/versions$ synapse_client_interaction;
         ~^/_matrix/client/(api/v1|r0|v3|unstable)/voip/turnServer$ synapse_client_interaction;
         ~^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/event/ synapse_client_interaction;
         ~^/_matrix/client/(api/v1|r0|v3|unstable)/joined_rooms$ synapse_client_interaction;
         ~^/_matrix/client/v1/rooms/.*/timestamp_to_event$ synapse_client_interaction;
+        ~^/_matrix/client/(api/v1|r0|v3|unstable/.*)/rooms/.*/aliases synapse_client_interaction;
         ~^/_matrix/client/(api/v1|r0|v3|unstable)/search$ synapse_client_interaction;
+        ~^/_matrix/client/(r0|v3|unstable)/user/.*/filter(/|$) synapse_client_interaction;
+        ~^/_matrix/client/(api/v1|r0|v3|unstable)/directory/room/.*$ synapse_client_interaction;
+        ~^/_matrix/client/(r0|v3|unstable)/capabilities$ synapse_client_interaction;
+        ~^/_matrix/client/(r0|v3|unstable)/notifications$ synapse_client_interaction;
 
         # Encryption requests
         ~^/_matrix/client/(r0|v3|unstable)/keys/query$ synapse_client_encryption;
@@ -74,11 +83,15 @@ in
         ~^/_matrix/client/(r0|v3|unstable)/keys/claim$ synapse_client_encryption;
         ~^/_matrix/client/(r0|v3|unstable)/room_keys/ synapse_client_encryption;
         ~^/_matrix/client/(r0|v3|unstable)/keys/upload/ synapse_client_encryption;
+        ~^/_matrix/client/(api/v1|r0|v3|unstable)/keys/device_signing/upload$ synapse_client_encryption;
+        ~^/_matrix/client/(api/v1|r0|v3|unstable)/keys/signatures/upload$ synapse_client_encryption;
 
         # Registration/login requests
         ~^/_matrix/client/(api/v1|r0|v3|unstable)/login$ synapse_client_login;
         ~^/_matrix/client/(r0|v3|unstable)/register$ synapse_client_login;
+        ~^/_matrix/client/(r0|v3|unstable)/register/available$ synapse_client_login;
         ~^/_matrix/client/v1/register/m.login.registration_token/validity$ synapse_client_login;
+        ~^/_matrix/client/(r0|v3|unstable)/password_policy$ synapse_client_login;
 
         # Event sending requests
         ~^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/redact synapse_client_transaction;
@@ -86,6 +99,7 @@ in
         ~^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/state/ synapse_client_transaction;
         ~^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/(join|invite|leave|ban|unban|kick)$ synapse_client_transaction;
         ~^/_matrix/client/(api/v1|r0|v3|unstable)/join/ synapse_client_transaction;
+        ~^/_matrix/client/(api/v1|r0|v3|unstable)/knock/ synapse_client_transaction;
         ~^/_matrix/client/(api/v1|r0|v3|unstable)/profile/ synapse_client_transaction;
 
         # Account data requests

synapse-module/workers.nix

@@ -74,6 +74,16 @@ in {
           description = "Listener configuration for the worker, similar to the main synapse listener";
           default = [ ];
         };
+
+        worker_log_config = mkOption {
+          type = types.path;
+          description = ''
+            A yaml python logging config file as described by
+            https://docs.python.org/3.7/library/logging.config.html#configuration-dictionary-schema
+          '';
+          default = pkgs.writeText "log_config.yaml" cfg.mainLogConfig;
+          defaultText = "A config file generated from ${cfgText}.mainLogConfig";
+        };
       };
     };
 
@@ -365,6 +375,7 @@ in {
           worker_name = worker.name;
           worker_listeners =
             map (lib.filterAttrsRecursive (_: v: v != null)) worker.value.settings.worker_listeners;
+          signing_key_path = "/run/credentials/matrix-synapse-worker-${worker.name}.service/signing_key";
         });
     in builtins.listToAttrs (lib.flip map workerList (worker: {
       name = "matrix-synapse-worker-${worker.name}";
@@ -372,16 +383,32 @@ in {
         description = "Synapse Matrix Worker";
         partOf = [ "matrix-synapse.target" ];
         wantedBy = [ "matrix-synapse.target" ];
-        after = [ "matrix-synapse.service" ];
+        after = [
+          "matrix-synapse.service"
+        ] ++ (lib.optionals (config.systemd.tmpfiles.settings."10-matrix-synapse" != { }) [
+          "systemd-tmpfiles-setup.service"
+          "systemd-tmpfiles-resetup.service"
+        ]);
         requires = [ "matrix-synapse.service" ];
+
+        environment = lib.optionalAttrs cfg.withJemalloc {
+          LD_PRELOAD = "${pkgs.jemalloc}/lib/libjemalloc.so";
+          PYTHONMALLOC = "malloc";
+        };
+
         serviceConfig = {
           Type = "notify";
           User = "matrix-synapse";
           Group = "matrix-synapse";
           Slice = "system-matrix-synapse.slice";
-          WorkingDirectory = cfg.dataDir;
+
+          Restart = "always";
+          RestartSec = 3;
+
+          WorkingDirectory = "/var/lib/matrix-synapse";
           RuntimeDirectory = "matrix-synapse";
           StateDirectory = "matrix-synapse";
+
           ExecStartPre = pkgs.writers.writeBash "wait-for-synapse" ''
             # From https://md.darmstadt.ccc.de/synapse-at-work
             while ! systemctl is-active -q matrix-synapse.service; do
@@ -389,11 +416,55 @@ in {
             done
           '';
           ExecStart = let
-            flags = lib.cli.toGNUCommandLineShell {} {
+            flags = lib.cli.toCommandLineShellGNU {} {
               config-path = [ matrix-synapse-common-config (workerConfig worker) ] ++ cfg.extraConfigFiles;
-              keys-directory = cfg.dataDir;
+              keys-directory = "/var/lib/matrix-synapse";
             };
           in "${wrapped}/bin/synapse_worker ${flags}";
+
+          CapabilityBoundingSet = [ "" ];
+          LockPersonality = true;
+          NoNewPrivileges = true;
+          PrivateDevices = true;
+          PrivateTmp = true;
+          PrivateUsers = true;
+          ProcSubset = "pid";
+          ProtectClock = true;
+          ProtectControlGroups = true;
+          ProtectHome = true;
+          ProtectHostname = true;
+          ProtectKernelLogs = true;
+          ProtectKernelModules = true;
+          ProtectKernelTunables = true;
+          ProtectProc = "invisible";
+          ProtectSystem = "strict";
+          BindPaths = (lib.optionals (cfg.dataDir != "/var/lib/matrix-synapse") [
+            "${cfg.dataDir}:/var/lib/matrix-synapse"
+          ]) ++ (lib.optionals (cfg.settings.media_store_path != "${cfg.dataDir}/media_store") [
+             "${cfg.settings.media_store_path}:/var/lib/matrix-synapse/media_store"
+          ]);
+          ReadWritePaths = lib.pipe cfg.settings.listeners [
+            (lib.filter (listener: listener.path != null))
+            (map (listener: dirOf listener.path))
+            (lib.filter (path: path != "/run/matrix-synapse"))
+            lib.uniqueStrings
+          ];
+          LoadCredential = [ "signing_key:${cfg.settings.signing_key_path}" ];
+          RemoveIPC = true;
+          RestrictAddressFamilies = [
+            "AF_INET"
+            "AF_INET6"
+            "AF_UNIX"
+          ];
+          RestrictNamespaces = true;
+          RestrictRealtime = true;
+          RestrictSUIDSGID = true;
+          SystemCallArchitectures = "native";
+          SystemCallFilter = [
+            "@system-service"
+            "~@resources"
+            "~@privileged"
+          ];
         };
       };
     }));

tests/default.nix

@@ -1,4 +1,4 @@
 { nixpkgs, pkgs, matrix-lib, ... }:
 {
-  nginx-pipeline = pkgs.callPackage ./nginx-pipeline { inherit nixpkgs matrix-lib; };
+  nginx-pipeline-eval = pkgs.callPackage ./nginx-pipeline { inherit nixpkgs matrix-lib; };
 }

tests/nginx-pipeline/default.nix

@@ -5,7 +5,7 @@ let
     modules = [
       ../../module.nix
       {
-        system.stateVersion = "23.11";
+        system.stateVersion = "25.11";
         boot.isContainer = true;
         services.matrix-synapse-next = {
           enable = true;