forked from danio/nixos-matrix-modules
Compare commits
1 Commits
main
...
D4ndellion
| Author | SHA1 | Date | |
|---|---|---|---|
| 4364a998b3 |
@@ -2,12 +2,6 @@
|
||||
|
||||
This is a best effort document descibing neccecary changes you might have to do when updating
|
||||
|
||||
## 0.8.0
|
||||
|
||||
`saml2` is no longer enabled, as it depends on vulnerable dependencies and isnt really built in nixpks anymore.
|
||||
|
||||
If you need to authenticate with saml, you should deploy some sort of saml to openid bridge, instead.
|
||||
|
||||
## 0.6.1
|
||||
|
||||
enableSlidingSync, and setting matrix-synapse.sliding-sync.environmentFile (or any other sliding-sync setting)
|
||||
|
||||
8
flake.lock
generated
8
flake.lock
generated
@@ -2,16 +2,16 @@
|
||||
"nodes": {
|
||||
"nixpkgs": {
|
||||
"locked": {
|
||||
"lastModified": 1764983851,
|
||||
"narHash": "sha256-y7RPKl/jJ/KAP/VKLMghMgXTlvNIJMHKskl8/Uuar7o=",
|
||||
"lastModified": 1706098335,
|
||||
"narHash": "sha256-r3dWjT8P9/Ah5m5ul4WqIWD8muj5F+/gbCdjiNVBKmU=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "d9bc5c7dceb30d8d6fafa10aeb6aa8a48c218454",
|
||||
"rev": "a77ab169a83a4175169d78684ddd2e54486ac651",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"id": "nixpkgs",
|
||||
"ref": "nixos-25.11",
|
||||
"ref": "nixos-23.11",
|
||||
"type": "indirect"
|
||||
}
|
||||
},
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
description = "NixOS modules for matrix related services";
|
||||
|
||||
inputs = {
|
||||
nixpkgs.url = "nixpkgs/nixos-25.11";
|
||||
nixpkgs.url = "nixpkgs/nixos-23.11";
|
||||
};
|
||||
|
||||
outputs = { self, nixpkgs }: {
|
||||
@@ -12,7 +12,7 @@
|
||||
|
||||
lib = import ./lib.nix { lib = nixpkgs.lib; };
|
||||
|
||||
checks = let
|
||||
packages = let
|
||||
forAllSystems = f:
|
||||
nixpkgs.lib.genAttrs [
|
||||
"x86_64-linux"
|
||||
@@ -20,13 +20,11 @@
|
||||
"x86_64-darwin"
|
||||
"aarch64-darwin"
|
||||
] (system: f nixpkgs.legacyPackages.${system});
|
||||
in forAllSystems (pkgs: let
|
||||
in forAllSystems (pkgs: {
|
||||
tests = import ./tests {
|
||||
inherit nixpkgs pkgs;
|
||||
matrix-lib = self.lib;
|
||||
};
|
||||
in {
|
||||
inherit (tests) nginx-pipeline-eval;
|
||||
});
|
||||
};
|
||||
}
|
||||
|
||||
@@ -70,14 +70,6 @@ in
|
||||
'';
|
||||
};
|
||||
|
||||
withJemalloc = mkOption {
|
||||
type = types.bool;
|
||||
default = true;
|
||||
description = ''
|
||||
Whether to preload jemalloc to reduce memory fragmentation and overall usage.
|
||||
'';
|
||||
};
|
||||
|
||||
dataDir = mkOption {
|
||||
type = types.path;
|
||||
default = "/var/lib/matrix-synapse";
|
||||
@@ -408,6 +400,7 @@ in
|
||||
group = "matrix-synapse";
|
||||
home = cfg.dataDir;
|
||||
createHome = true;
|
||||
shell = "${pkgs.bash}/bin/bash";
|
||||
uid = config.ids.uids.matrix-synapse;
|
||||
};
|
||||
|
||||
@@ -433,77 +426,30 @@ in
|
||||
partOf = [ "matrix-synapse.target" ];
|
||||
wantedBy = [ "matrix-synapse.target" ];
|
||||
|
||||
environment = lib.optionalAttrs cfg.withJemalloc {
|
||||
LD_PRELOAD = "${pkgs.jemalloc}/lib/libjemalloc.so";
|
||||
PYTHONMALLOC = "malloc";
|
||||
};
|
||||
preStart = let
|
||||
flags = lib.cli.toGNUCommandLineShell {} {
|
||||
config-path = [ matrix-synapse-common-config ] ++ cfg.extraConfigFiles;
|
||||
keys-directory = cfg.dataDir;
|
||||
generate-keys = true;
|
||||
};
|
||||
in "${cfg.package}/bin/synapse_homeserver ${flags}";
|
||||
|
||||
serviceConfig = {
|
||||
Type = "notify";
|
||||
User = "matrix-synapse";
|
||||
Group = "matrix-synapse";
|
||||
Slice = "system-matrix-synapse.slice";
|
||||
|
||||
Restart = "always";
|
||||
RestartSec = 3;
|
||||
|
||||
WorkingDirectory = cfg.dataDir;
|
||||
StateDirectory = "matrix-synapse";
|
||||
RuntimeDirectory = "matrix-synapse";
|
||||
|
||||
ExecStartPre = let
|
||||
flags = lib.cli.toCommandLineShellGNU {} {
|
||||
config-path = [ matrix-synapse-common-config ] ++ cfg.extraConfigFiles;
|
||||
keys-directory = cfg.dataDir;
|
||||
generate-keys = true;
|
||||
};
|
||||
in "${cfg.package}/bin/synapse_homeserver ${flags}";
|
||||
ExecStart = let
|
||||
flags = lib.cli.toCommandLineShellGNU {} {
|
||||
flags = lib.cli.toGNUCommandLineShell {} {
|
||||
config-path = [ matrix-synapse-common-config ] ++ cfg.extraConfigFiles;
|
||||
keys-directory = cfg.dataDir;
|
||||
};
|
||||
in "${wrapped}/bin/synapse_homeserver ${flags}";
|
||||
ExecReload = "${lib.getExe' pkgs.coreutils "kill"} -HUP $MAINPID";
|
||||
|
||||
CapabilityBoundingSet = [ "" ];
|
||||
LockPersonality = true;
|
||||
NoNewPrivileges = true;
|
||||
PrivateDevices = true;
|
||||
PrivateTmp = true;
|
||||
PrivateUsers = true;
|
||||
ProcSubset = "pid";
|
||||
ProtectClock = true;
|
||||
ProtectControlGroups = true;
|
||||
ProtectHome = true;
|
||||
ProtectHostname = true;
|
||||
ProtectKernelLogs = true;
|
||||
ProtectKernelModules = true;
|
||||
ProtectKernelTunables = true;
|
||||
ProtectProc = "invisible";
|
||||
ProtectSystem = "strict";
|
||||
ReadWritePaths = [
|
||||
cfg.dataDir
|
||||
cfg.settings.media_store_path
|
||||
]
|
||||
++ (map (listener: dirOf listener.path) (
|
||||
lib.filter (listener: listener.path != null) cfg.settings.listeners
|
||||
));
|
||||
RemoveIPC = true;
|
||||
RestrictAddressFamilies = [
|
||||
"AF_INET"
|
||||
"AF_INET6"
|
||||
"AF_UNIX"
|
||||
];
|
||||
RestrictNamespaces = true;
|
||||
RestrictRealtime = true;
|
||||
RestrictSUIDSGID = true;
|
||||
SystemCallArchitectures = "native";
|
||||
SystemCallFilter = [
|
||||
"@system-service"
|
||||
"~@resources"
|
||||
"~@privileged"
|
||||
];
|
||||
ExecReload = "${pkgs.utillinux}/bin/kill -HUP $MAINPID";
|
||||
Restart = "on-failure";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
@@ -24,7 +24,6 @@ in
|
||||
~^/_matrix/client/(api/v1|r0|v3)/rooms/[^/]+/initialSync$ synapse_initial_sync;
|
||||
|
||||
# Federation requests
|
||||
~^/_matrix/federation/v1/version$ synapse_federation;
|
||||
~^/_matrix/federation/v1/event/ synapse_federation;
|
||||
~^/_matrix/federation/v1/state/ synapse_federation;
|
||||
~^/_matrix/federation/v1/state_ids/ synapse_federation;
|
||||
@@ -36,8 +35,6 @@ in
|
||||
~^/_matrix/federation/v1/make_leave/ synapse_federation;
|
||||
~^/_matrix/federation/(v1|v2)/send_join/ synapse_federation;
|
||||
~^/_matrix/federation/(v1|v2)/send_leave/ synapse_federation;
|
||||
~^/_matrix/federation/v1/make_knock/ synapse_federation;
|
||||
~^/_matrix/federation/v1/send_knock/ synapse_federation;
|
||||
~^/_matrix/federation/(v1|v2)/invite/ synapse_federation;
|
||||
~^/_matrix/federation/v1/event_auth/ synapse_federation;
|
||||
~^/_matrix/federation/v1/timestamp_to_event/ synapse_federation;
|
||||
@@ -59,23 +56,17 @@ in
|
||||
~^/_matrix/client/v1/rooms/.*/hierarchy$ synapse_client_interaction;
|
||||
~^/_matrix/client/(v1|unstable)/rooms/.*/relations/ synapse_client_interaction;
|
||||
~^/_matrix/client/v1/rooms/.*/threads$ synapse_client_interaction;
|
||||
~^/_matrix/client/unstable/org.matrix.msc2716/rooms/.*/batch_send$ synapse_client_interaction;
|
||||
~^/_matrix/client/unstable/im.nheko.summary/rooms/.*/summary$ synapse_client_interaction;
|
||||
~^/_matrix/client/(r0|v3|unstable)/account/3pid$ synapse_client_interaction;
|
||||
~^/_matrix/client/(r0|v3|unstable)/account/whoami$ synapse_client_interaction;
|
||||
~^/_matrix/client/(r0|v3|unstable)/account/deactivate$ synapse_client_interaction;
|
||||
~^/_matrix/client/(r0|v3)/delete_devices$ synapse_client_interaction;
|
||||
~^/_matrix/client/(api/v1|r0|v3|unstable)/devices(/|$) synapse_client_interaction;
|
||||
~^/_matrix/client/(r0|v3|unstable)/devices$ synapse_client_interaction;
|
||||
~^/_matrix/client/versions$ synapse_client_interaction;
|
||||
~^/_matrix/client/(api/v1|r0|v3|unstable)/voip/turnServer$ synapse_client_interaction;
|
||||
~^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/event/ synapse_client_interaction;
|
||||
~^/_matrix/client/(api/v1|r0|v3|unstable)/joined_rooms$ synapse_client_interaction;
|
||||
~^/_matrix/client/v1/rooms/.*/timestamp_to_event$ synapse_client_interaction;
|
||||
~^/_matrix/client/(api/v1|r0|v3|unstable/.*)/rooms/.*/aliases synapse_client_interaction;
|
||||
~^/_matrix/client/(api/v1|r0|v3|unstable)/search$ synapse_client_interaction;
|
||||
~^/_matrix/client/(r0|v3|unstable)/user/.*/filter(/|$) synapse_client_interaction;
|
||||
~^/_matrix/client/(api/v1|r0|v3|unstable)/directory/room/.*$ synapse_client_interaction;
|
||||
~^/_matrix/client/(r0|v3|unstable)/capabilities$ synapse_client_interaction;
|
||||
~^/_matrix/client/(r0|v3|unstable)/notifications$ synapse_client_interaction;
|
||||
|
||||
# Encryption requests
|
||||
~^/_matrix/client/(r0|v3|unstable)/keys/query$ synapse_client_encryption;
|
||||
@@ -83,15 +74,11 @@ in
|
||||
~^/_matrix/client/(r0|v3|unstable)/keys/claim$ synapse_client_encryption;
|
||||
~^/_matrix/client/(r0|v3|unstable)/room_keys/ synapse_client_encryption;
|
||||
~^/_matrix/client/(r0|v3|unstable)/keys/upload/ synapse_client_encryption;
|
||||
~^/_matrix/client/(api/v1|r0|v3|unstable)/keys/device_signing/upload$ synapse_client_encryption;
|
||||
~^/_matrix/client/(api/v1|r0|v3|unstable)/keys/signatures/upload$ synapse_client_encryption;
|
||||
|
||||
# Registration/login requests
|
||||
~^/_matrix/client/(api/v1|r0|v3|unstable)/login$ synapse_client_login;
|
||||
~^/_matrix/client/(r0|v3|unstable)/register$ synapse_client_login;
|
||||
~^/_matrix/client/(r0|v3|unstable)/register/available$ synapse_client_login;
|
||||
~^/_matrix/client/v1/register/m.login.registration_token/validity$ synapse_client_login;
|
||||
~^/_matrix/client/(r0|v3|unstable)/password_policy$ synapse_client_login;
|
||||
|
||||
# Event sending requests
|
||||
~^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/redact synapse_client_transaction;
|
||||
@@ -99,7 +86,6 @@ in
|
||||
~^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/state/ synapse_client_transaction;
|
||||
~^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/(join|invite|leave|ban|unban|kick)$ synapse_client_transaction;
|
||||
~^/_matrix/client/(api/v1|r0|v3|unstable)/join/ synapse_client_transaction;
|
||||
~^/_matrix/client/(api/v1|r0|v3|unstable)/knock/ synapse_client_transaction;
|
||||
~^/_matrix/client/(api/v1|r0|v3|unstable)/profile/ synapse_client_transaction;
|
||||
|
||||
# Account data requests
|
||||
|
||||
@@ -74,16 +74,6 @@ in {
|
||||
description = "Listener configuration for the worker, similar to the main synapse listener";
|
||||
default = [ ];
|
||||
};
|
||||
|
||||
worker_log_config = mkOption {
|
||||
type = types.path;
|
||||
description = ''
|
||||
A yaml python logging config file as described by
|
||||
https://docs.python.org/3.7/library/logging.config.html#configuration-dictionary-schema
|
||||
'';
|
||||
default = pkgs.writeText "log_config.yaml" cfg.mainLogConfig;
|
||||
defaultText = "A config file generated from ${cfgText}.mainLogConfig";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
@@ -384,25 +374,14 @@ in {
|
||||
wantedBy = [ "matrix-synapse.target" ];
|
||||
after = [ "matrix-synapse.service" ];
|
||||
requires = [ "matrix-synapse.service" ];
|
||||
|
||||
environment = lib.optionalAttrs cfg.withJemalloc {
|
||||
LD_PRELOAD = "${pkgs.jemalloc}/lib/libjemalloc.so";
|
||||
PYTHONMALLOC = "malloc";
|
||||
};
|
||||
|
||||
serviceConfig = {
|
||||
Type = "notify";
|
||||
User = "matrix-synapse";
|
||||
Group = "matrix-synapse";
|
||||
Slice = "system-matrix-synapse.slice";
|
||||
|
||||
Restart = "always";
|
||||
RestartSec = 3;
|
||||
|
||||
WorkingDirectory = cfg.dataDir;
|
||||
RuntimeDirectory = "matrix-synapse";
|
||||
StateDirectory = "matrix-synapse";
|
||||
|
||||
ExecStartPre = pkgs.writers.writeBash "wait-for-synapse" ''
|
||||
# From https://md.darmstadt.ccc.de/synapse-at-work
|
||||
while ! systemctl is-active -q matrix-synapse.service; do
|
||||
@@ -410,50 +389,11 @@ in {
|
||||
done
|
||||
'';
|
||||
ExecStart = let
|
||||
flags = lib.cli.toCommandLineShellGNU {} {
|
||||
flags = lib.cli.toGNUCommandLineShell {} {
|
||||
config-path = [ matrix-synapse-common-config (workerConfig worker) ] ++ cfg.extraConfigFiles;
|
||||
keys-directory = cfg.dataDir;
|
||||
};
|
||||
in "${wrapped}/bin/synapse_worker ${flags}";
|
||||
|
||||
CapabilityBoundingSet = [ "" ];
|
||||
LockPersonality = true;
|
||||
NoNewPrivileges = true;
|
||||
PrivateDevices = true;
|
||||
PrivateTmp = true;
|
||||
PrivateUsers = true;
|
||||
ProcSubset = "pid";
|
||||
ProtectClock = true;
|
||||
ProtectControlGroups = true;
|
||||
ProtectHome = true;
|
||||
ProtectHostname = true;
|
||||
ProtectKernelLogs = true;
|
||||
ProtectKernelModules = true;
|
||||
ProtectKernelTunables = true;
|
||||
ProtectProc = "invisible";
|
||||
ProtectSystem = "strict";
|
||||
ReadWritePaths = [
|
||||
cfg.dataDir
|
||||
cfg.settings.media_store_path
|
||||
]
|
||||
++ (map (listener: dirOf listener.path) (
|
||||
lib.filter (listener: listener.path != null) cfg.settings.listeners
|
||||
));
|
||||
RemoveIPC = true;
|
||||
RestrictAddressFamilies = [
|
||||
"AF_INET"
|
||||
"AF_INET6"
|
||||
"AF_UNIX"
|
||||
];
|
||||
RestrictNamespaces = true;
|
||||
RestrictRealtime = true;
|
||||
RestrictSUIDSGID = true;
|
||||
SystemCallArchitectures = "native";
|
||||
SystemCallFilter = [
|
||||
"@system-service"
|
||||
"~@resources"
|
||||
"~@privileged"
|
||||
];
|
||||
};
|
||||
};
|
||||
}));
|
||||
|
||||
@@ -1,4 +1,4 @@
|
||||
{ nixpkgs, pkgs, matrix-lib, ... }:
|
||||
{
|
||||
nginx-pipeline-eval = pkgs.callPackage ./nginx-pipeline { inherit nixpkgs matrix-lib; };
|
||||
nginx-pipeline = pkgs.callPackage ./nginx-pipeline { inherit nixpkgs matrix-lib; };
|
||||
}
|
||||
|
||||
@@ -5,7 +5,7 @@ let
|
||||
modules = [
|
||||
../../module.nix
|
||||
{
|
||||
system.stateVersion = "25.11";
|
||||
system.stateVersion = "23.11";
|
||||
boot.isContainer = true;
|
||||
services.matrix-synapse-next = {
|
||||
enable = true;
|
||||
|
||||
Reference in New Issue
Block a user