sliding-sync: remove

.gitignore

@@ -1,2 +1 @@
 result
-result-*

MIGRATIONS.MD

@@ -2,12 +2,6 @@
 
 This is a best effort document descibing neccecary changes you might have to do when updating
 
-## 0.8.0
-
-`saml2` is no longer enabled, as it depends on vulnerable dependencies and isnt really built in nixpks anymore.
-
-If you need to authenticate with saml, you should deploy some sort of saml to openid bridge, instead.
-
 ## 0.6.1
 
 enableSlidingSync, and setting matrix-synapse.sliding-sync.environmentFile (or any other sliding-sync setting)

flake.lock

@@ -2,16 +2,16 @@
   "nodes": {
     "nixpkgs": {
       "locked": {
-        "lastModified": 1781216227,
-        "narHash": "sha256-9mUW6gNwoN2SWc/l0fW4svPNOulXLl8ijqKyeSOGgJE=",
+        "lastModified": 1706098335,
+        "narHash": "sha256-r3dWjT8P9/Ah5m5ul4WqIWD8muj5F+/gbCdjiNVBKmU=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "a0374025a863d007d98e3297f6aa46cc3141c2f0",
+        "rev": "a77ab169a83a4175169d78684ddd2e54486ac651",
         "type": "github"
       },
       "original": {
         "id": "nixpkgs",
-        "ref": "nixos-26.05",
+        "ref": "nixos-23.11",
         "type": "indirect"
       }
     },

flake.nix

@@ -2,7 +2,7 @@
   description = "NixOS modules for matrix related services";
 
   inputs = {
-    nixpkgs.url = "nixpkgs/nixos-26.05";
+    nixpkgs.url = "nixpkgs/nixos-23.11";
   };
 
   outputs = { self, nixpkgs }: {
@@ -12,7 +12,7 @@
 
     lib = import ./lib.nix { lib = nixpkgs.lib; };
 
-    checks = let
+    packages = let
       forAllSystems = f:
         nixpkgs.lib.genAttrs [
           "x86_64-linux"
@@ -20,17 +20,11 @@
           "x86_64-darwin"
           "aarch64-darwin"
         ] (system: f nixpkgs.legacyPackages.${system});
-    in forAllSystems (pkgs: let
+    in forAllSystems (pkgs: {
       tests = import ./tests {
         inherit nixpkgs pkgs;
         matrix-lib = self.lib;
       };
-    in {
-      inherit (tests)
-        nginx-pipeline-eval
-        synapse
-        synapse-workers
-        ;
     });
   };
 }

lib.nix

@@ -6,7 +6,7 @@ rec {
   firstListenerOfType = type: ls: lib.lists.findFirst (isListenerType type)
     (throw "No listener with resource: ${type} configured")
     ls;
-  # Get an attrset of the host and port from a listener
+  # Get an attrset of the host and port from a listener 
   connectionInfo = l: {
     host = lib.head l.bind_addresses;
     port = l.port;

module.nix

@@ -3,7 +3,7 @@
 {
   imports = [
     ./synapse-module
-
+    
     # TODO: Remove after 25.05
     (lib.mkRemovedOptionModule [ "services" "matrix-synapse" "sliding-sync" ] ''
       `services.matrix-synapse.sliding-sync` is no longer necessary to use sliding-sync with synapse.

synapse-module/default.nix

@@ -1,8 +1,7 @@
-{ pkgs, lib, options, config, ... }:
-let
+{ pkgs, lib, config, ... }:
+let 
   matrix-lib = (import ../lib.nix { inherit lib; });
 
-  opt = options.services.matrix-synapse-next;
   cfg = config.services.matrix-synapse-next;
   wcfg = cfg.workers;
 
@@ -10,35 +9,17 @@ let
   cfgText = "config.services.matrix-synapse-next";
   wcfgText = "config.services.matrix-synapse-next.workers";
 
-  usesCustomSigningKeyPath = cfg.settings.signing_key_path != (opt.settings.type.getSubOptions { }).signing_key_path.default;
-
-  format = pkgs.formats.yaml { };
-  matrix-synapse-common-config = lib.pipe cfg.settings [
-    (settings: settings // {
-      listeners = map (lib.filterAttrsRecursive (_: v: v != null)) cfg.settings.listeners;
-      media_store_path = "/var/lib/matrix-synapse/media_store";
-    })
-    (settings: settings // (lib.optionalAttrs usesCustomSigningKeyPath {
-      signing_key_path = "/run/credentials/matrix-synapse.service/signing_key";
-    }))
-    (let
-      filterRecursiveNull =
-          o:
-          if lib.isAttrs o then
-            lib.mapAttrs (_: v: filterRecursiveNull v) (lib.filterAttrs (_: v: v != null) o)
-          else if lib.isList o then
-            map filterRecursiveNull (lib.filter (v: v != null) o)
-          else
-            o;
-    in filterRecursiveNull)
-    (format.generate "matrix-synapse-common-config.yaml")
-  ];
+  format = pkgs.formats.yaml {};
+  matrix-synapse-common-config = format.generate "matrix-synapse-common-config.yaml" (cfg.settings // {
+    listeners = map (lib.filterAttrsRecursive (_: v: v != null)) cfg.settings.listeners;
+  });
 
   # TODO: Align better with the upstream module
-  wrapped = cfg.package.override {
+  wrapped = cfg.package.override { 
     inherit (cfg) plugins;
     extras = [
       "postgres"
+      "saml2"
       "oidc"
       "systemd"
       "url-preview"
@@ -46,6 +27,7 @@ let
       "jwt"
       "redis"
       "cache-memory"
+      "user-search"
     ];
   };
 
@@ -90,14 +72,6 @@ in
       '';
     };
 
-    withJemalloc = mkOption {
-      type = types.bool;
-      default = true;
-      description = ''
-        Whether to preload jemalloc to reduce memory fragmentation and overall usage.
-      '';
-    };
-
     dataDir = mkOption {
       type = types.path;
       default = "/var/lib/matrix-synapse";
@@ -135,7 +109,7 @@ in
       description = "A yaml python logging config file";
     };
 
-    enableSlidingSync = mkEnableOption "automatic Sliding Sync setup at `slidingsync.<domain>`";
+    enableSlidingSync = mkEnableOption (lib.mdDoc "automatic Sliding Sync setup at `slidingsync.<domain>`");
 
     settings = mkOption {
       type = types.submodule {
@@ -288,30 +262,6 @@ in
             ];
           };
 
-          database.name = mkOption {
-            type = types.enum [ "psycopg2" ];
-            default = "psycopg2";
-            description = ''
-              The database engine name. Hardcoded to psycopg2, this module is not designed for use with sqlite.
-            '';
-          };
-
-          database.args.database = mkOption {
-            type = types.str;
-            default = "matrix-synapse";
-            description = ''
-              Name of the database.
-            '';
-          };
-
-          database.args.user = mkOption {
-            type = types.nullOr types.str;
-            default = "matrix-synapse";
-            description = ''
-              Username to use when connecting to postgresql.
-            '';
-          };
-
           federation_ip_range_blacklist = mkOption {
             type = types.listOf types.str;
             description = ''
@@ -450,8 +400,9 @@ in
 
     users.users.matrix-synapse = {
       group = "matrix-synapse";
-      home = "/var/lib/matrix-synapse";
+      home = cfg.dataDir;
       createHome = true;
+      shell = "${pkgs.bash}/bin/bash";
       uid = config.ids.uids.matrix-synapse;
     };
 
@@ -462,8 +413,7 @@ in
     systemd = {
       targets.matrix-synapse = {
         description = "Matrix synapse parent target";
-        after = [ "network-online.target" ];
-        requires = [ "network-online.target" ];
+        after = [ "network.target" ];
         wantedBy = [ "multi-user.target" ];
       };
 
@@ -473,110 +423,35 @@ in
         after= [ "system.slice" ];
       };
 
-      tmpfiles.settings."10-matrix-synapse" = {
-        "${cfg.dataDir}".d = lib.mkIf (cfg.dataDir != "/var/lib/matrix-synapse") {
-          user = "matrix-synapse";
-          group = "matrix-synapse";
-          mode = "0700";
-        };
-        "${cfg.settings.media_store_path}".d = lib.mkIf (cfg.settings.media_store_path != "/var/lib/matrix-synapse/media_store") {
-          user = "matrix-synapse";
-          group = "matrix-synapse";
-          mode = "0700";
-        };
-      };
-
       services.matrix-synapse = {
         description = "Synapse Matrix homeserver";
         partOf = [ "matrix-synapse.target" ];
         wantedBy = [ "matrix-synapse.target" ];
-        after = lib.mkIf (config.systemd.tmpfiles.settings."10-matrix-synapse" != { }) [
-          "systemd-tmpfiles-setup.service"
-          "systemd-tmpfiles-resetup.service"
-        ];
 
-        environment = lib.optionalAttrs cfg.withJemalloc {
-          LD_PRELOAD = "${pkgs.jemalloc}/lib/libjemalloc.so";
-          PYTHONMALLOC = "malloc";
-        };
+        preStart = let
+          flags = lib.cli.toGNUCommandLineShell {} {
+            config-path = [ matrix-synapse-common-config ] ++ cfg.extraConfigFiles;
+            keys-directory = cfg.dataDir;
+            generate-keys = true;
+          };
+        in "${cfg.package}/bin/synapse_homeserver ${flags}";
 
         serviceConfig = {
           Type = "notify";
           User = "matrix-synapse";
           Group = "matrix-synapse";
           Slice = "system-matrix-synapse.slice";
-
-          Restart = "always";
-          RestartSec = 3;
-
-          WorkingDirectory = "/var/lib/matrix-synapse";
+          WorkingDirectory = cfg.dataDir;
           StateDirectory = "matrix-synapse";
           RuntimeDirectory = "matrix-synapse";
-
-          ExecStartPre = let
-            flags = lib.cli.toCommandLineShellGNU {} {
-              config-path = [ matrix-synapse-common-config ] ++ cfg.extraConfigFiles;
-              keys-directory = "/var/lib/matrix-synapse";
-              generate-keys = true;
-            };
-          in "${cfg.package}/bin/synapse_homeserver ${flags}";
           ExecStart = let
-            flags = lib.cli.toCommandLineShellGNU {} {
+            flags = lib.cli.toGNUCommandLineShell {} {
               config-path = [ matrix-synapse-common-config ] ++ cfg.extraConfigFiles;
-              keys-directory = "/var/lib/matrix-synapse";
+              keys-directory = cfg.dataDir;
             };
           in "${wrapped}/bin/synapse_homeserver ${flags}";
-          ExecReload = "${lib.getExe' pkgs.coreutils "kill"} -HUP $MAINPID";
-
-          AmbientCapabilities = [ "" ];
-          CapabilityBoundingSet = [ "" ];
-          LockPersonality = true;
-          NoNewPrivileges = true;
-          PrivateDevices = true;
-          PrivateTmp = true;
-          PrivateUsers = true;
-          ProcSubset = "pid";
-          ProtectClock = true;
-          ProtectControlGroups = true;
-          ProtectHome = true;
-          ProtectHostname = true;
-          ProtectKernelLogs = true;
-          ProtectKernelModules = true;
-          ProtectKernelTunables = true;
-          ProtectProc = "invisible";
-          ProtectSystem = "strict";
-          BindPaths = (lib.optionals (cfg.dataDir != "/var/lib/matrix-synapse") [
-            "${cfg.dataDir}:/var/lib/matrix-synapse"
-          ]) ++ (lib.optionals (cfg.settings.media_store_path != "${cfg.dataDir}/media_store") [
-             "${cfg.settings.media_store_path}:/var/lib/matrix-synapse/media_store"
-          ]);
-          ReadWritePaths = lib.pipe cfg.settings.listeners [
-            (lib.filter (listener: listener.path != null))
-            (map (listener: dirOf listener.path))
-            (lib.filter (path: path != "/run/matrix-synapse"))
-            lib.uniqueStrings
-          ];
-          LoadCredential = lib.mkIf usesCustomSigningKeyPath [
-            "signing_key:${cfg.settings.signing_key_path}"
-          ];
-          RemoveIPC = true;
-          RestrictAddressFamilies = [
-            "AF_INET"
-            "AF_INET6"
-            "AF_UNIX"
-          ];
-          RestrictNamespaces = true;
-          RestrictRealtime = true;
-          RestrictSUIDSGID = true;
-          SocketBindAllow = lib.catAttrs "port" cfg.settings.listeners;
-          SocketBindDeny = "any";
-          SystemCallArchitectures = "native";
-          SystemCallFilter = [
-            "@system-service"
-            "~@resources"
-            "~@privileged"
-          ];
-          UMask = "0027";
+          ExecReload = "${pkgs.utillinux}/bin/kill -HUP $MAINPID";
+          Restart = "on-failure";
         };
       };
     };

synapse-module/nginx.nix

@@ -24,7 +24,6 @@ in
         ~^/_matrix/client/(api/v1|r0|v3)/rooms/[^/]+/initialSync$ synapse_initial_sync;
 
         # Federation requests
-        ~^/_matrix/federation/v1/version$ synapse_federation;
         ~^/_matrix/federation/v1/event/ synapse_federation;
         ~^/_matrix/federation/v1/state/ synapse_federation;
         ~^/_matrix/federation/v1/state_ids/ synapse_federation;
@@ -36,8 +35,6 @@ in
         ~^/_matrix/federation/v1/make_leave/ synapse_federation;
         ~^/_matrix/federation/(v1|v2)/send_join/ synapse_federation;
         ~^/_matrix/federation/(v1|v2)/send_leave/ synapse_federation;
-        ~^/_matrix/federation/v1/make_knock/ synapse_federation;
-        ~^/_matrix/federation/v1/send_knock/ synapse_federation;
         ~^/_matrix/federation/(v1|v2)/invite/ synapse_federation;
         ~^/_matrix/federation/v1/event_auth/ synapse_federation;
         ~^/_matrix/federation/v1/timestamp_to_event/ synapse_federation;
@@ -59,23 +56,17 @@ in
         ~^/_matrix/client/v1/rooms/.*/hierarchy$ synapse_client_interaction;
         ~^/_matrix/client/(v1|unstable)/rooms/.*/relations/ synapse_client_interaction;
         ~^/_matrix/client/v1/rooms/.*/threads$ synapse_client_interaction;
+        ~^/_matrix/client/unstable/org.matrix.msc2716/rooms/.*/batch_send$ synapse_client_interaction;
         ~^/_matrix/client/unstable/im.nheko.summary/rooms/.*/summary$ synapse_client_interaction;
         ~^/_matrix/client/(r0|v3|unstable)/account/3pid$ synapse_client_interaction;
         ~^/_matrix/client/(r0|v3|unstable)/account/whoami$ synapse_client_interaction;
-        ~^/_matrix/client/(r0|v3|unstable)/account/deactivate$ synapse_client_interaction;
-        ~^/_matrix/client/(r0|v3)/delete_devices$ synapse_client_interaction;
-        ~^/_matrix/client/(api/v1|r0|v3|unstable)/devices(/|$) synapse_client_interaction;
+        ~^/_matrix/client/(r0|v3|unstable)/devices$ synapse_client_interaction;
         ~^/_matrix/client/versions$ synapse_client_interaction;
         ~^/_matrix/client/(api/v1|r0|v3|unstable)/voip/turnServer$ synapse_client_interaction;
         ~^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/event/ synapse_client_interaction;
         ~^/_matrix/client/(api/v1|r0|v3|unstable)/joined_rooms$ synapse_client_interaction;
         ~^/_matrix/client/v1/rooms/.*/timestamp_to_event$ synapse_client_interaction;
-        ~^/_matrix/client/(api/v1|r0|v3|unstable/.*)/rooms/.*/aliases synapse_client_interaction;
         ~^/_matrix/client/(api/v1|r0|v3|unstable)/search$ synapse_client_interaction;
-        ~^/_matrix/client/(r0|v3|unstable)/user/.*/filter(/|$) synapse_client_interaction;
-        ~^/_matrix/client/(api/v1|r0|v3|unstable)/directory/room/.*$ synapse_client_interaction;
-        ~^/_matrix/client/(r0|v3|unstable)/capabilities$ synapse_client_interaction;
-        ~^/_matrix/client/(r0|v3|unstable)/notifications$ synapse_client_interaction;
 
         # Encryption requests
         ~^/_matrix/client/(r0|v3|unstable)/keys/query$ synapse_client_encryption;
@@ -83,15 +74,11 @@ in
         ~^/_matrix/client/(r0|v3|unstable)/keys/claim$ synapse_client_encryption;
         ~^/_matrix/client/(r0|v3|unstable)/room_keys/ synapse_client_encryption;
         ~^/_matrix/client/(r0|v3|unstable)/keys/upload/ synapse_client_encryption;
-        ~^/_matrix/client/(api/v1|r0|v3|unstable)/keys/device_signing/upload$ synapse_client_encryption;
-        ~^/_matrix/client/(api/v1|r0|v3|unstable)/keys/signatures/upload$ synapse_client_encryption;
 
         # Registration/login requests
         ~^/_matrix/client/(api/v1|r0|v3|unstable)/login$ synapse_client_login;
         ~^/_matrix/client/(r0|v3|unstable)/register$ synapse_client_login;
-        ~^/_matrix/client/(r0|v3|unstable)/register/available$ synapse_client_login;
         ~^/_matrix/client/v1/register/m.login.registration_token/validity$ synapse_client_login;
-        ~^/_matrix/client/(r0|v3|unstable)/password_policy$ synapse_client_login;
 
         # Event sending requests
         ~^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/redact synapse_client_transaction;
@@ -99,7 +86,6 @@ in
         ~^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/state/ synapse_client_transaction;
         ~^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/(join|invite|leave|ban|unban|kick)$ synapse_client_transaction;
         ~^/_matrix/client/(api/v1|r0|v3|unstable)/join/ synapse_client_transaction;
-        ~^/_matrix/client/(api/v1|r0|v3|unstable)/knock/ synapse_client_transaction;
         ~^/_matrix/client/(api/v1|r0|v3|unstable)/profile/ synapse_client_transaction;
 
         # Account data requests

synapse-module/workers.nix

@@ -4,8 +4,8 @@
   throw',
   format
 }:
-{ pkgs, lib, options, config, ... }: let
-  opt = options.services.matrix-synapse-next;
+{ pkgs, lib, config, ... }: let
+
   cfg = config.services.matrix-synapse-next;
   wcfg = config.services.matrix-synapse-next.workers;
 
@@ -13,8 +13,6 @@
   cfgText = "config.services.matrix-synapse-next";
   wcfgText = "config.services.matrix-synapse-next.workers";
 
-  usesCustomSigningKeyPath = cfg.settings.signing_key_path != (opt.settings.type.getSubOptions { }).signing_key_path.default;
-
   inherit (lib) types mkOption mkEnableOption mkIf mkMerge literalExpression;
 
   mkWorkerCountOption = workerType: mkOption {
@@ -58,7 +56,7 @@ in {
 
     workerSettingsType = instanceCfg: types.submodule {
       freeformType = format.type;
-
+      
       options = {
         worker_app = mkOption {
           type = types.enum [
@@ -76,16 +74,6 @@ in {
           description = "Listener configuration for the worker, similar to the main synapse listener";
           default = [ ];
         };
-
-        worker_log_config = mkOption {
-          type = types.path;
-          description = ''
-            A yaml python logging config file as described by
-            https://docs.python.org/3.7/library/logging.config.html#configuration-dictionary-schema
-          '';
-          default = pkgs.writeText "log_config.yaml" cfg.mainLogConfig;
-          defaultText = "A config file generated from ${cfgText}.mainLogConfig";
-        };
       };
     };
 
@@ -295,7 +283,7 @@ in {
 
       stream_writers.events =
         mkIf (wcfg.eventPersisters > 0)
-        (lib.genList (i: "auto-event-persist${toString (i + 1)}") wcfg.eventPersisters);
+        (lib.genList (i: "auto-event-persist${toString (i + 1)}") wcfg.eventPersisters); 
 
       update_user_directory_from_worker =
         mkIf wcfg.useUserDirectoryWorker "auto-user-dir";
@@ -372,51 +360,28 @@ in {
     systemd.services = let
       workerList = lib.mapAttrsToList lib.nameValuePair wcfg.instances;
       workerConfig = worker:
-        format.generate "matrix-synapse-worker-${worker.name}-config.yaml" (
-          worker.value.settings
-          //
-          {
-            worker_name = worker.name;
-            worker_listeners = map (lib.filterAttrsRecursive (_: v: v != null)) worker.value.settings.worker_listeners;
-          }
-          //
-          # NOTE: the workers cannot pick up creds from `/run/credentials/matrix-synapse.service/*`
-          (lib.optionalAttrs usesCustomSigningKeyPath {
-            signing_key_path = "/run/credentials/matrix-synapse-worker-${worker.name}.service/signing_key";
-          })
-        );
+        format.generate "matrix-synapse-worker-${worker.name}-config.yaml"
+        (worker.value.settings // {
+          worker_name = worker.name;
+          worker_listeners =
+            map (lib.filterAttrsRecursive (_: v: v != null)) worker.value.settings.worker_listeners;
+        });
     in builtins.listToAttrs (lib.flip map workerList (worker: {
       name = "matrix-synapse-worker-${worker.name}";
       value = {
         description = "Synapse Matrix Worker";
         partOf = [ "matrix-synapse.target" ];
         wantedBy = [ "matrix-synapse.target" ];
-        after = [
-          "matrix-synapse.service"
-        ] ++ (lib.optionals (config.systemd.tmpfiles.settings."10-matrix-synapse" != { }) [
-          "systemd-tmpfiles-setup.service"
-          "systemd-tmpfiles-resetup.service"
-        ]);
+        after = [ "matrix-synapse.service" ];
         requires = [ "matrix-synapse.service" ];
-
-        environment = lib.optionalAttrs cfg.withJemalloc {
-          LD_PRELOAD = "${pkgs.jemalloc}/lib/libjemalloc.so";
-          PYTHONMALLOC = "malloc";
-        };
-
         serviceConfig = {
           Type = "notify";
           User = "matrix-synapse";
           Group = "matrix-synapse";
           Slice = "system-matrix-synapse.slice";
-
-          Restart = "always";
-          RestartSec = 3;
-
-          WorkingDirectory = "/var/lib/matrix-synapse";
+          WorkingDirectory = cfg.dataDir;
           RuntimeDirectory = "matrix-synapse";
           StateDirectory = "matrix-synapse";
-
           ExecStartPre = pkgs.writers.writeBash "wait-for-synapse" ''
             # From https://md.darmstadt.ccc.de/synapse-at-work
             while ! systemctl is-active -q matrix-synapse.service; do
@@ -424,64 +389,11 @@ in {
             done
           '';
           ExecStart = let
-            flags = lib.cli.toCommandLineShellGNU {} {
+            flags = lib.cli.toGNUCommandLineShell {} {
               config-path = [ matrix-synapse-common-config (workerConfig worker) ] ++ cfg.extraConfigFiles;
-              keys-directory = "/var/lib/matrix-synapse";
+              keys-directory = cfg.dataDir;
             };
           in "${wrapped}/bin/synapse_worker ${flags}";
-
-          AmbientCapabilities = [ "" ];
-          CapabilityBoundingSet = [ "" ];
-          LockPersonality = true;
-          NoNewPrivileges = true;
-          PrivateDevices = true;
-          PrivateTmp = true;
-          PrivateUsers = true;
-          ProcSubset = "pid";
-          ProtectClock = true;
-          ProtectControlGroups = true;
-          ProtectHome = true;
-          ProtectHostname = true;
-          ProtectKernelLogs = true;
-          ProtectKernelModules = true;
-          ProtectKernelTunables = true;
-          ProtectProc = "invisible";
-          ProtectSystem = "strict";
-          BindPaths = (lib.optionals (cfg.dataDir != "/var/lib/matrix-synapse") [
-            "${cfg.dataDir}:/var/lib/matrix-synapse"
-          ]) ++ (lib.optionals (cfg.settings.media_store_path != "${cfg.dataDir}/media_store") [
-             "${cfg.settings.media_store_path}:/var/lib/matrix-synapse/media_store"
-          ]);
-          ReadWritePaths = lib.pipe cfg.settings.listeners [
-            (lib.filter (listener: listener.path != null))
-            (map (listener: dirOf listener.path))
-            (lib.filter (path: path != "/run/matrix-synapse"))
-            lib.uniqueStrings
-          ];
-          LoadCredential = lib.mkIf usesCustomSigningKeyPath [
-            "signing_key:${cfg.settings.signing_key_path}"
-          ];
-          RemoveIPC = true;
-          RestrictAddressFamilies = [
-            "AF_INET"
-            "AF_INET6"
-            "AF_UNIX"
-          ];
-          RestrictNamespaces = true;
-          RestrictRealtime = true;
-          RestrictSUIDSGID = true;
-          SocketBindAllow = lib.pipe worker.value.settings.worker_listeners [
-            (map (lib.filterAttrsRecursive (_: v: v != null)))
-            (lib.catAttrs "port")
-          ];
-          SocketBindDeny = "any";
-          SystemCallArchitectures = "native";
-          SystemCallFilter = [
-            "@system-service"
-            "~@resources"
-            "~@privileged"
-          ];
-          UMask = "0027";
         };
       };
     }));

tests/default.nix

@@ -1,7 +1,4 @@
 { nixpkgs, pkgs, matrix-lib, ... }:
 {
-  nginx-pipeline-eval = pkgs.callPackage ./nginx-pipeline { inherit nixpkgs matrix-lib; };
-
-  synapse = pkgs.testers.runNixOSTest ./synapse;
-  synapse-workers = pkgs.testers.runNixOSTest ./synapse-workers;
+  nginx-pipeline = pkgs.callPackage ./nginx-pipeline { inherit nixpkgs matrix-lib; };
 }

tests/nginx-pipeline/default.nix

@@ -5,7 +5,7 @@ let
     modules = [
       ../../module.nix
       {
-        system.stateVersion = "25.11";
+        system.stateVersion = "23.11";
         boot.isContainer = true;
         services.matrix-synapse-next = {
           enable = true;

tests/synapse-workers/default.nix

@@ -1,52 +0,0 @@
-{ pkgs, ... }:
-{
-  name = "matrix-synapse-workers";
-  nodes = {
-    server =
-      {
-        pkgs,
-        nodes,
-        ...
-      }:
-      {
-        imports = [
-          ../../synapse-module
-        ];
-
-        services.postgresql = {
-          enable = true;
-          initialScript = pkgs.writeText "synapse-init.sql" ''
-            CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';
-            CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
-            TEMPLATE template0
-            LC_COLLATE = "C"
-            LC_CTYPE = "C";
-          '';
-        };
-
-        services.matrix-synapse-next = {
-          enable = true;
-
-          workers.federationSenders = 1;
-          workers.federationReceivers = 1;
-          workers.initialSyncers = 1;
-          workers.normalSyncers = 1;
-          workers.eventPersisters = 1;
-          workers.useUserDirectoryWorker = true;
-
-          settings = {
-            server_name = "example.com";
-            database = {
-              args.password = "synapse";
-            };
-          };
-        };
-
-        services.redis.servers."".enable = true;
-      };
-  };
-
-  testScript = ''
-    server.wait_for_unit("matrix-synapse.target");
-  '';
-}

tests/synapse/default.nix

@@ -1,213 +0,0 @@
-# Modified from https://github.com/NixOS/nixpkgs/blob/nixos-26.05/nixos/tests/matrix/synapse.nix
-
-{ pkgs, lib, ... }:
-let
-  mailerCerts = import /${pkgs.path}/nixos/tests/common/acme/server/snakeoil-certs.nix;
-  mailerDomain = mailerCerts.domain;
-
-  registrationSharedSecret = "unsecure123";
-  testUser = "alice";
-  testPassword = "alicealice";
-  testEmail = "alice@example.com";
-in
-{
-  name = "matrix-synapse";
-  nodes = {
-    # Since 0.33.0, matrix-synapse doesn't allow underscores in server names
-    server =
-      {
-        pkgs,
-        nodes,
-        config,
-        ...
-      }:
-      let
-        mailserverIP = nodes.mailserver.networking.primaryIPAddress;
-      in
-      {
-        imports = [
-          ../../synapse-module
-        ];
-
-        services.matrix-synapse-next = {
-          enable = true;
-          settings = {
-            registration_shared_secret = registrationSharedSecret;
-            server_name = "example.com";
-            public_baseurl = "https://example.com";
-
-            database = {
-              args.password = "synapse";
-            };
-
-            redis = {
-              enabled = true;
-              host = "localhost";
-              port = config.services.redis.servers.matrix-synapse.port;
-            };
-
-            email = {
-              smtp_host = mailerDomain;
-              smtp_port = 25;
-              require_transport_security = true;
-              notif_from = "matrix <matrix@${mailerDomain}>";
-              app_name = "Matrix";
-            };
-
-            listeners = [
-              {
-                port = 8448;
-                bind_addresses = [
-                  "127.0.0.1"
-                  "::1"
-                ];
-                type = "http";
-                x_forwarded = false;
-                resources = [
-                  {
-                    names = [
-                      "client"
-                    ];
-                    compress = true;
-                  }
-                  {
-                    names = [
-                      "federation"
-                    ];
-                    compress = false;
-                  }
-                ];
-              }
-            ];
-          };
-        };
-
-        services.postgresql = {
-          enable = true;
-
-          # The database name and user are configured by the following options:
-          #   - services.matrix-synapse.database_name
-          #   - services.matrix-synapse.database_user
-          #
-          # The values used here represent the default values of the module.
-          initialScript = pkgs.writeText "synapse-init.sql" ''
-            CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';
-            CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
-              TEMPLATE template0
-              LC_COLLATE = "C"
-              LC_CTYPE = "C";
-          '';
-        };
-
-        services.redis.servers.matrix-synapse = {
-          enable = true;
-          port = 6380;
-        };
-
-        networking.extraHosts = ''
-          ${mailserverIP} ${mailerDomain}
-        '';
-
-        security.pki.certificateFiles = [
-          mailerCerts.ca.cert
-        ];
-
-        environment.systemPackages =
-          let
-            sendTestMailStarttls = pkgs.writeScriptBin "send-testmail-starttls" ''
-              #!${pkgs.python3.interpreter}
-              import smtplib
-              import ssl
-
-              ctx = ssl.create_default_context()
-
-              with smtplib.SMTP('${mailerDomain}') as smtp:
-                smtp.ehlo()
-                smtp.starttls(context=ctx)
-                smtp.ehlo()
-                smtp.sendmail('matrix@${mailerDomain}', '${testEmail}', 'Subject: Test STARTTLS\n\nTest data.')
-                smtp.quit()
-            '';
-
-            obtainTokenAndRegisterEmail =
-              let
-                # adding the email through the API is quite complicated as it involves more than one step and some
-                # client-side calculation
-                insertEmailForAlice = pkgs.writeText "alice-email.sql" ''
-                  INSERT INTO user_threepids (user_id, medium, address, validated_at, added_at)
-                  VALUES ('${testUser}@server', 'email', '${testEmail}', '1629149927271', '1629149927270');
-                '';
-              in
-              pkgs.writeScriptBin "obtain-token-and-register-email" ''
-                #!${pkgs.runtimeShell}
-                set -o errexit
-                set -o pipefail
-                set -o nounset
-                su postgres -c "psql -d matrix-synapse -f ${insertEmailForAlice}"
-                curl --fail -XPOST -v 'http://localhost:8448/_matrix/client/r0/account/password/email/requestToken' --json '${builtins.toJSON {
-                  email = testEmail;
-                  client_secret = "foobar";
-                  send_attempt = 1;
-                }}'
-              '';
-          in
-          [
-            sendTestMailStarttls
-            pkgs.matrix-synapse
-            obtainTokenAndRegisterEmail
-          ];
-      };
-
-    # test mail delivery
-    mailserver = args: {
-      security.pki.certificateFiles = [
-        mailerCerts.ca.cert
-      ];
-
-      networking.firewall.enable = false;
-
-      services.postfix = {
-        enable = true;
-        enableSubmission = true;
-
-        # blackhole transport
-        transport = "example.com discard:silently";
-
-        settings.main = {
-          myhostname = "${mailerDomain}";
-          # open relay for subnet
-          mynetworks_style = "subnet";
-          debug_peer_level = "10";
-          smtpd_relay_restrictions = [
-            "permit_mynetworks"
-            "reject_unauth_destination"
-          ];
-
-          # disable obsolete protocols, something old versions of twisted are still using
-          smtpd_tls_protocols = "TLSv1.3, TLSv1.2, !TLSv1.1, !TLSv1, !SSLv2, !SSLv3";
-          smtpd_tls_mandatory_protocols = "TLSv1.3, TLSv1.2, !TLSv1.1, !TLSv1, !SSLv2, !SSLv3";
-          smtpd_tls_chain_files = [
-            "${mailerCerts.${mailerDomain}.key}"
-            "${mailerCerts.${mailerDomain}.cert}"
-          ];
-        };
-      };
-    };
-  };
-
-  testScript = ''
-    start_all()
-    mailserver.wait_for_unit("postfix.service")
-    server.succeed("send-testmail-starttls")
-    server.wait_for_unit("matrix-synapse.service")
-    server.wait_until_succeeds(
-        "curl --fail -L http://localhost:8448/"
-    )
-    server.wait_until_succeeds(
-        "journalctl -u matrix-synapse.service | grep -q 'Connected to redis'"
-    )
-    server.require_unit_state("postgresql.target")
-    server.succeed("register_new_matrix_user -u ${testUser} -p ${testPassword} -a -k ${registrationSharedSecret} 'http://localhost:8448/'")
-    server.succeed("obtain-token-and-register-email")
-  '';
-}