oysteikt/nixos-matrix-modules
0
0
Fork 0
forked from danio/nixos-matrix-modules
Code Issues 8 Pull Requests Activity

Compare commits

merge into: oysteikt/nixos-matrix-modules:main
Branches Tags
oysteikt/nixos-matrix-modules:main oysteikt/nixos-matrix-modules:fix-worker-load-creds oysteikt/nixos-matrix-modules:master oysteikt/nixos-matrix-modules:D4ndellion-patch-1 oysteikt/nixos-matrix-modules:nixos-25.05 oysteikt/nixos-matrix-modules:deprecate-proxy2 oysteikt/nixos-matrix-modules:deprecate-proxy oysteikt/nixos-matrix-modules:nixos-24.05 oysteikt/nixos-matrix-modules:add-support-for-unix-sockets oysteikt/nixos-matrix-modules:make-workers-use-path oysteikt/nixos-matrix-modules:out-of-your-element oysteikt/nixos-matrix-modules:time-to-break-our-workers oysteikt/nixos-matrix-modules:presence-stream-writer
oysteikt/nixos-matrix-modules:v0.8.0 oysteikt/nixos-matrix-modules:v0.7.1 oysteikt/nixos-matrix-modules:0.7.0 oysteikt/nixos-matrix-modules:v0.6.1 oysteikt/nixos-matrix-modules:v0.6.0 oysteikt/nixos-matrix-modules:v0.5.0 oysteikt/nixos-matrix-modules:v0.4.0 oysteikt/nixos-matrix-modules:v0.3.0 danio/nixos-matrix-modules:v0.8.0 danio/nixos-matrix-modules:v0.7.1 danio/nixos-matrix-modules:0.7.0 danio/nixos-matrix-modules:v0.6.1 danio/nixos-matrix-modules:v0.6.0 danio/nixos-matrix-modules:v0.5.0 danio/nixos-matrix-modules:v0.4.0 danio/nixos-matrix-modules:v0.3.0
..
pull from: oysteikt/nixos-matrix-modules:deprecate-proxy2
Branches Tags
oysteikt/nixos-matrix-modules:fix-worker-load-creds oysteikt/nixos-matrix-modules:main oysteikt/nixos-matrix-modules:master oysteikt/nixos-matrix-modules:D4ndellion-patch-1 oysteikt/nixos-matrix-modules:nixos-25.05 oysteikt/nixos-matrix-modules:deprecate-proxy2 oysteikt/nixos-matrix-modules:deprecate-proxy oysteikt/nixos-matrix-modules:nixos-24.05 oysteikt/nixos-matrix-modules:add-support-for-unix-sockets oysteikt/nixos-matrix-modules:make-workers-use-path oysteikt/nixos-matrix-modules:out-of-your-element oysteikt/nixos-matrix-modules:time-to-break-our-workers oysteikt/nixos-matrix-modules:presence-stream-writer danio/nixos-matrix-modules:master danio/nixos-matrix-modules:D4ndellion-patch-1 danio/nixos-matrix-modules:nixos-25.05 danio/nixos-matrix-modules:deprecate-proxy2 danio/nixos-matrix-modules:deprecate-proxy danio/nixos-matrix-modules:nixos-24.05 danio/nixos-matrix-modules:add-support-for-unix-sockets danio/nixos-matrix-modules:make-workers-use-path danio/nixos-matrix-modules:out-of-your-element danio/nixos-matrix-modules:time-to-break-our-workers danio/nixos-matrix-modules:presence-stream-writer
oysteikt/nixos-matrix-modules:v0.8.0 oysteikt/nixos-matrix-modules:v0.7.1 oysteikt/nixos-matrix-modules:0.7.0 oysteikt/nixos-matrix-modules:v0.6.1 oysteikt/nixos-matrix-modules:v0.6.0 oysteikt/nixos-matrix-modules:v0.5.0 oysteikt/nixos-matrix-modules:v0.4.0 oysteikt/nixos-matrix-modules:v0.3.0 danio/nixos-matrix-modules:v0.8.0 danio/nixos-matrix-modules:v0.7.1 danio/nixos-matrix-modules:0.7.0 danio/nixos-matrix-modules:v0.6.1 danio/nixos-matrix-modules:v0.6.0 danio/nixos-matrix-modules:v0.5.0 danio/nixos-matrix-modules:v0.4.0 danio/nixos-matrix-modules:v0.3.0

1 Commits
main .. deprecate-proxy2

Author SHA1 Message Date
danio eabdd9b4c2 sliding-sync: remove 2025-01-02 23:17:45 +01:00
13 changed files with 46 additions and 547 deletions
Expand all files Collapse all files
.gitignore
-1
View File
@@ -1,2 +1 @@
result result
result-*
MIGRATIONS.MD
-6
View File
@@ -2,12 +2,6 @@
This is a best effort document descibing neccecary changes you might have to do when updating This is a best effort document descibing neccecary changes you might have to do when updating
## 0.8.0
`saml2` is no longer enabled, as it depends on vulnerable dependencies and isnt really built in nixpks anymore.
If you need to authenticate with saml, you should deploy some sort of saml to openid bridge, instead.
## 0.6.1 ## 0.6.1
enableSlidingSync, and setting matrix-synapse.sliding-sync.environmentFile (or any other sliding-sync setting) enableSlidingSync, and setting matrix-synapse.sliding-sync.environmentFile (or any other sliding-sync setting)
flake.lock
Generated
+4 -4
View File
@@ -2,16 +2,16 @@
"nodes": { "nodes": {
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1781216227, "lastModified": 1706098335,
"narHash": "sha256-9mUW6gNwoN2SWc/l0fW4svPNOulXLl8ijqKyeSOGgJE=", "narHash": "sha256-r3dWjT8P9/Ah5m5ul4WqIWD8muj5F+/gbCdjiNVBKmU=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "a0374025a863d007d98e3297f6aa46cc3141c2f0", "rev": "a77ab169a83a4175169d78684ddd2e54486ac651",
"type": "github" "type": "github"
}, },
"original": { "original": {
"id": "nixpkgs", "id": "nixpkgs",
"ref": "nixos-26.05", "ref": "nixos-23.11",
"type": "indirect" "type": "indirect"
} }
}, },
flake.nix
+3 -9
View File
@@ -2,7 +2,7 @@
description = "NixOS modules for matrix related services"; description = "NixOS modules for matrix related services";
inputs = { inputs = {
nixpkgs.url = "nixpkgs/nixos-26.05"; nixpkgs.url = "nixpkgs/nixos-23.11";
}; };
outputs = { self, nixpkgs }: { outputs = { self, nixpkgs }: {
@@ -12,7 +12,7 @@
lib = import ./lib.nix { lib = nixpkgs.lib; }; lib = import ./lib.nix { lib = nixpkgs.lib; };
checks = let packages = let
forAllSystems = f: forAllSystems = f:
nixpkgs.lib.genAttrs [ nixpkgs.lib.genAttrs [
"x86_64-linux" "x86_64-linux"
@@ -20,17 +20,11 @@
"x86_64-darwin" "x86_64-darwin"
"aarch64-darwin" "aarch64-darwin"
] (system: f nixpkgs.legacyPackages.${system}); ] (system: f nixpkgs.legacyPackages.${system});
in forAllSystems (pkgs: let in forAllSystems (pkgs: {
tests = import ./tests { tests = import ./tests {
inherit nixpkgs pkgs; inherit nixpkgs pkgs;
matrix-lib = self.lib; matrix-lib = self.lib;
}; };
in {
inherit (tests)
nginx-pipeline-eval
synapse
synapse-workers
;
}); });
}; };
} }
lib.nix
+1 -1
View File
@@ -6,7 +6,7 @@ rec {
firstListenerOfType = type: ls: lib.lists.findFirst (isListenerType type) firstListenerOfType = type: ls: lib.lists.findFirst (isListenerType type)
(throw "No listener with resource: ${type} configured") (throw "No listener with resource: ${type} configured")
ls; ls;
# Get an attrset of the host and port from a listener # Get an attrset of the host and port from a listener
connectionInfo = l: { connectionInfo = l: {
host = lib.head l.bind_addresses; host = lib.head l.bind_addresses;
port = l.port; port = l.port;
module.nix
+1 -1
View File
@@ -3,7 +3,7 @@
{ {
imports = [ imports = [
./synapse-module ./synapse-module
# TODO: Remove after 25.05 # TODO: Remove after 25.05
(lib.mkRemovedOptionModule [ "services" "matrix-synapse" "sliding-sync" ] '' (lib.mkRemovedOptionModule [ "services" "matrix-synapse" "sliding-sync" ] ''
`services.matrix-synapse.sliding-sync` is no longer necessary to use sliding-sync with synapse. `services.matrix-synapse.sliding-sync` is no longer necessary to use sliding-sync with synapse.
synapse-module/default.nix
+25 -150
View File
@@ -1,8 +1,7 @@
{ pkgs, lib, options, config, ... }: { pkgs, lib, config, ... }:
let let
matrix-lib = (import ../lib.nix { inherit lib; }); matrix-lib = (import ../lib.nix { inherit lib; });
opt = options.services.matrix-synapse-next;
cfg = config.services.matrix-synapse-next; cfg = config.services.matrix-synapse-next;
wcfg = cfg.workers; wcfg = cfg.workers;
@@ -10,35 +9,17 @@ let
cfgText = "config.services.matrix-synapse-next"; cfgText = "config.services.matrix-synapse-next";
wcfgText = "config.services.matrix-synapse-next.workers"; wcfgText = "config.services.matrix-synapse-next.workers";
usesCustomSigningKeyPath = cfg.settings.signing_key_path != (opt.settings.type.getSubOptions { }).signing_key_path.default; format = pkgs.formats.yaml {};
matrix-synapse-common-config = format.generate "matrix-synapse-common-config.yaml" (cfg.settings // {
format = pkgs.formats.yaml { }; listeners = map (lib.filterAttrsRecursive (_: v: v != null)) cfg.settings.listeners;
matrix-synapse-common-config = lib.pipe cfg.settings [ });
(settings: settings // {
listeners = map (lib.filterAttrsRecursive (_: v: v != null)) cfg.settings.listeners;
media_store_path = "/var/lib/matrix-synapse/media_store";
})
(settings: settings // (lib.optionalAttrs usesCustomSigningKeyPath {
signing_key_path = "/run/credentials/matrix-synapse.service/signing_key";
}))
(let
filterRecursiveNull =
o:
if lib.isAttrs o then
lib.mapAttrs (_: v: filterRecursiveNull v) (lib.filterAttrs (_: v: v != null) o)
else if lib.isList o then
map filterRecursiveNull (lib.filter (v: v != null) o)
else
o;
in filterRecursiveNull)
(format.generate "matrix-synapse-common-config.yaml")
];
# TODO: Align better with the upstream module # TODO: Align better with the upstream module
wrapped = cfg.package.override { wrapped = cfg.package.override {
inherit (cfg) plugins; inherit (cfg) plugins;
extras = [ extras = [
"postgres" "postgres"
"saml2"
"oidc" "oidc"
"systemd" "systemd"
"url-preview" "url-preview"
@@ -46,6 +27,7 @@ let
"jwt" "jwt"
"redis" "redis"
"cache-memory" "cache-memory"
"user-search"
]; ];
}; };
@@ -90,14 +72,6 @@ in
''; '';
}; };
withJemalloc = mkOption {
type = types.bool;
default = true;
description = ''
Whether to preload jemalloc to reduce memory fragmentation and overall usage.
'';
};
dataDir = mkOption { dataDir = mkOption {
type = types.path; type = types.path;
default = "/var/lib/matrix-synapse"; default = "/var/lib/matrix-synapse";
@@ -135,7 +109,7 @@ in
description = "A yaml python logging config file"; description = "A yaml python logging config file";
}; };
enableSlidingSync = mkEnableOption "automatic Sliding Sync setup at `slidingsync.<domain>`"; enableSlidingSync = mkEnableOption (lib.mdDoc "automatic Sliding Sync setup at `slidingsync.<domain>`");
settings = mkOption { settings = mkOption {
type = types.submodule { type = types.submodule {
@@ -288,30 +262,6 @@ in
]; ];
}; };
database.name = mkOption {
type = types.enum [ "psycopg2" ];
default = "psycopg2";
description = ''
The database engine name. Hardcoded to psycopg2, this module is not designed for use with sqlite.
'';
};
database.args.database = mkOption {
type = types.str;
default = "matrix-synapse";
description = ''
Name of the database.
'';
};
database.args.user = mkOption {
type = types.nullOr types.str;
default = "matrix-synapse";
description = ''
Username to use when connecting to postgresql.
'';
};
federation_ip_range_blacklist = mkOption { federation_ip_range_blacklist = mkOption {
type = types.listOf types.str; type = types.listOf types.str;
description = '' description = ''
@@ -450,8 +400,9 @@ in
users.users.matrix-synapse = { users.users.matrix-synapse = {
group = "matrix-synapse"; group = "matrix-synapse";
home = "/var/lib/matrix-synapse"; home = cfg.dataDir;
createHome = true; createHome = true;
shell = "${pkgs.bash}/bin/bash";
uid = config.ids.uids.matrix-synapse; uid = config.ids.uids.matrix-synapse;
}; };
@@ -462,8 +413,7 @@ in
systemd = { systemd = {
targets.matrix-synapse = { targets.matrix-synapse = {
description = "Matrix synapse parent target"; description = "Matrix synapse parent target";
after = [ "network-online.target" ]; after = [ "network.target" ];
requires = [ "network-online.target" ];
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
}; };
@@ -473,110 +423,35 @@ in
after= [ "system.slice" ]; after= [ "system.slice" ];
}; };
tmpfiles.settings."10-matrix-synapse" = {
"${cfg.dataDir}".d = lib.mkIf (cfg.dataDir != "/var/lib/matrix-synapse") {
user = "matrix-synapse";
group = "matrix-synapse";
mode = "0700";
};
"${cfg.settings.media_store_path}".d = lib.mkIf (cfg.settings.media_store_path != "/var/lib/matrix-synapse/media_store") {
user = "matrix-synapse";
group = "matrix-synapse";
mode = "0700";
};
};
services.matrix-synapse = { services.matrix-synapse = {
description = "Synapse Matrix homeserver"; description = "Synapse Matrix homeserver";
partOf = [ "matrix-synapse.target" ]; partOf = [ "matrix-synapse.target" ];
wantedBy = [ "matrix-synapse.target" ]; wantedBy = [ "matrix-synapse.target" ];
after = lib.mkIf (config.systemd.tmpfiles.settings."10-matrix-synapse" != { }) [
"systemd-tmpfiles-setup.service"
"systemd-tmpfiles-resetup.service"
];
environment = lib.optionalAttrs cfg.withJemalloc { preStart = let
LD_PRELOAD = "${pkgs.jemalloc}/lib/libjemalloc.so"; flags = lib.cli.toGNUCommandLineShell {} {
PYTHONMALLOC = "malloc"; config-path = [ matrix-synapse-common-config ] ++ cfg.extraConfigFiles;
}; keys-directory = cfg.dataDir;
generate-keys = true;
};
in "${cfg.package}/bin/synapse_homeserver ${flags}";
serviceConfig = { serviceConfig = {
Type = "notify"; Type = "notify";
User = "matrix-synapse"; User = "matrix-synapse";
Group = "matrix-synapse"; Group = "matrix-synapse";
Slice = "system-matrix-synapse.slice"; Slice = "system-matrix-synapse.slice";
WorkingDirectory = cfg.dataDir;
Restart = "always";
RestartSec = 3;
WorkingDirectory = "/var/lib/matrix-synapse";
StateDirectory = "matrix-synapse"; StateDirectory = "matrix-synapse";
RuntimeDirectory = "matrix-synapse"; RuntimeDirectory = "matrix-synapse";
ExecStartPre = let
flags = lib.cli.toCommandLineShellGNU {} {
config-path = [ matrix-synapse-common-config ] ++ cfg.extraConfigFiles;
keys-directory = "/var/lib/matrix-synapse";
generate-keys = true;
};
in "${cfg.package}/bin/synapse_homeserver ${flags}";
ExecStart = let ExecStart = let
flags = lib.cli.toCommandLineShellGNU {} { flags = lib.cli.toGNUCommandLineShell {} {
config-path = [ matrix-synapse-common-config ] ++ cfg.extraConfigFiles; config-path = [ matrix-synapse-common-config ] ++ cfg.extraConfigFiles;
keys-directory = "/var/lib/matrix-synapse"; keys-directory = cfg.dataDir;
}; };
in "${wrapped}/bin/synapse_homeserver ${flags}"; in "${wrapped}/bin/synapse_homeserver ${flags}";
ExecReload = "${lib.getExe' pkgs.coreutils "kill"} -HUP $MAINPID"; ExecReload = "${pkgs.utillinux}/bin/kill -HUP $MAINPID";
Restart = "on-failure";
AmbientCapabilities = [ "" ];
CapabilityBoundingSet = [ "" ];
LockPersonality = true;
NoNewPrivileges = true;
PrivateDevices = true;
PrivateTmp = true;
PrivateUsers = true;
ProcSubset = "pid";
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
ProtectSystem = "strict";
BindPaths = (lib.optionals (cfg.dataDir != "/var/lib/matrix-synapse") [
"${cfg.dataDir}:/var/lib/matrix-synapse"
]) ++ (lib.optionals (cfg.settings.media_store_path != "${cfg.dataDir}/media_store") [
"${cfg.settings.media_store_path}:/var/lib/matrix-synapse/media_store"
]);
ReadWritePaths = lib.pipe cfg.settings.listeners [
(lib.filter (listener: listener.path != null))
(map (listener: dirOf listener.path))
(lib.filter (path: path != "/run/matrix-synapse"))
lib.uniqueStrings
];
LoadCredential = lib.mkIf usesCustomSigningKeyPath [
"signing_key:${cfg.settings.signing_key_path}"
];
RemoveIPC = true;
RestrictAddressFamilies = [
"AF_INET"
"AF_INET6"
"AF_UNIX"
];
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
SocketBindAllow = lib.catAttrs "port" cfg.settings.listeners;
SocketBindDeny = "any";
SystemCallArchitectures = "native";
SystemCallFilter = [
"@system-service"
"~@resources"
"~@privileged"
];
UMask = "0027";
}; };
}; };
}; };
synapse-module/nginx.nix
+2 -16
View File
@@ -24,7 +24,6 @@ in
~^/_matrix/client/(api/v1|r0|v3)/rooms/[^/]+/initialSync$ synapse_initial_sync; ~^/_matrix/client/(api/v1|r0|v3)/rooms/[^/]+/initialSync$ synapse_initial_sync;
# Federation requests # Federation requests
~^/_matrix/federation/v1/version$ synapse_federation;
~^/_matrix/federation/v1/event/ synapse_federation; ~^/_matrix/federation/v1/event/ synapse_federation;
~^/_matrix/federation/v1/state/ synapse_federation; ~^/_matrix/federation/v1/state/ synapse_federation;
~^/_matrix/federation/v1/state_ids/ synapse_federation; ~^/_matrix/federation/v1/state_ids/ synapse_federation;
@@ -36,8 +35,6 @@ in
~^/_matrix/federation/v1/make_leave/ synapse_federation; ~^/_matrix/federation/v1/make_leave/ synapse_federation;
~^/_matrix/federation/(v1|v2)/send_join/ synapse_federation; ~^/_matrix/federation/(v1|v2)/send_join/ synapse_federation;
~^/_matrix/federation/(v1|v2)/send_leave/ synapse_federation; ~^/_matrix/federation/(v1|v2)/send_leave/ synapse_federation;
~^/_matrix/federation/v1/make_knock/ synapse_federation;
~^/_matrix/federation/v1/send_knock/ synapse_federation;
~^/_matrix/federation/(v1|v2)/invite/ synapse_federation; ~^/_matrix/federation/(v1|v2)/invite/ synapse_federation;
~^/_matrix/federation/v1/event_auth/ synapse_federation; ~^/_matrix/federation/v1/event_auth/ synapse_federation;
~^/_matrix/federation/v1/timestamp_to_event/ synapse_federation; ~^/_matrix/federation/v1/timestamp_to_event/ synapse_federation;
@@ -59,23 +56,17 @@ in
~^/_matrix/client/v1/rooms/.*/hierarchy$ synapse_client_interaction; ~^/_matrix/client/v1/rooms/.*/hierarchy$ synapse_client_interaction;
~^/_matrix/client/(v1|unstable)/rooms/.*/relations/ synapse_client_interaction; ~^/_matrix/client/(v1|unstable)/rooms/.*/relations/ synapse_client_interaction;
~^/_matrix/client/v1/rooms/.*/threads$ synapse_client_interaction; ~^/_matrix/client/v1/rooms/.*/threads$ synapse_client_interaction;
~^/_matrix/client/unstable/org.matrix.msc2716/rooms/.*/batch_send$ synapse_client_interaction;
~^/_matrix/client/unstable/im.nheko.summary/rooms/.*/summary$ synapse_client_interaction; ~^/_matrix/client/unstable/im.nheko.summary/rooms/.*/summary$ synapse_client_interaction;
~^/_matrix/client/(r0|v3|unstable)/account/3pid$ synapse_client_interaction; ~^/_matrix/client/(r0|v3|unstable)/account/3pid$ synapse_client_interaction;
~^/_matrix/client/(r0|v3|unstable)/account/whoami$ synapse_client_interaction; ~^/_matrix/client/(r0|v3|unstable)/account/whoami$ synapse_client_interaction;
~^/_matrix/client/(r0|v3|unstable)/account/deactivate$ synapse_client_interaction; ~^/_matrix/client/(r0|v3|unstable)/devices$ synapse_client_interaction;
~^/_matrix/client/(r0|v3)/delete_devices$ synapse_client_interaction;
~^/_matrix/client/(api/v1|r0|v3|unstable)/devices(/|$) synapse_client_interaction;
~^/_matrix/client/versions$ synapse_client_interaction; ~^/_matrix/client/versions$ synapse_client_interaction;
~^/_matrix/client/(api/v1|r0|v3|unstable)/voip/turnServer$ synapse_client_interaction; ~^/_matrix/client/(api/v1|r0|v3|unstable)/voip/turnServer$ synapse_client_interaction;
~^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/event/ synapse_client_interaction; ~^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/event/ synapse_client_interaction;
~^/_matrix/client/(api/v1|r0|v3|unstable)/joined_rooms$ synapse_client_interaction; ~^/_matrix/client/(api/v1|r0|v3|unstable)/joined_rooms$ synapse_client_interaction;
~^/_matrix/client/v1/rooms/.*/timestamp_to_event$ synapse_client_interaction; ~^/_matrix/client/v1/rooms/.*/timestamp_to_event$ synapse_client_interaction;
~^/_matrix/client/(api/v1|r0|v3|unstable/.*)/rooms/.*/aliases synapse_client_interaction;
~^/_matrix/client/(api/v1|r0|v3|unstable)/search$ synapse_client_interaction; ~^/_matrix/client/(api/v1|r0|v3|unstable)/search$ synapse_client_interaction;
~^/_matrix/client/(r0|v3|unstable)/user/.*/filter(/|$) synapse_client_interaction;
~^/_matrix/client/(api/v1|r0|v3|unstable)/directory/room/.*$ synapse_client_interaction;
~^/_matrix/client/(r0|v3|unstable)/capabilities$ synapse_client_interaction;
~^/_matrix/client/(r0|v3|unstable)/notifications$ synapse_client_interaction;
# Encryption requests # Encryption requests
~^/_matrix/client/(r0|v3|unstable)/keys/query$ synapse_client_encryption; ~^/_matrix/client/(r0|v3|unstable)/keys/query$ synapse_client_encryption;
@@ -83,15 +74,11 @@ in
~^/_matrix/client/(r0|v3|unstable)/keys/claim$ synapse_client_encryption; ~^/_matrix/client/(r0|v3|unstable)/keys/claim$ synapse_client_encryption;
~^/_matrix/client/(r0|v3|unstable)/room_keys/ synapse_client_encryption; ~^/_matrix/client/(r0|v3|unstable)/room_keys/ synapse_client_encryption;
~^/_matrix/client/(r0|v3|unstable)/keys/upload/ synapse_client_encryption; ~^/_matrix/client/(r0|v3|unstable)/keys/upload/ synapse_client_encryption;
~^/_matrix/client/(api/v1|r0|v3|unstable)/keys/device_signing/upload$ synapse_client_encryption;
~^/_matrix/client/(api/v1|r0|v3|unstable)/keys/signatures/upload$ synapse_client_encryption;
# Registration/login requests # Registration/login requests
~^/_matrix/client/(api/v1|r0|v3|unstable)/login$ synapse_client_login; ~^/_matrix/client/(api/v1|r0|v3|unstable)/login$ synapse_client_login;
~^/_matrix/client/(r0|v3|unstable)/register$ synapse_client_login; ~^/_matrix/client/(r0|v3|unstable)/register$ synapse_client_login;
~^/_matrix/client/(r0|v3|unstable)/register/available$ synapse_client_login;
~^/_matrix/client/v1/register/m.login.registration_token/validity$ synapse_client_login; ~^/_matrix/client/v1/register/m.login.registration_token/validity$ synapse_client_login;
~^/_matrix/client/(r0|v3|unstable)/password_policy$ synapse_client_login;
# Event sending requests # Event sending requests
~^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/redact synapse_client_transaction; ~^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/redact synapse_client_transaction;
@@ -99,7 +86,6 @@ in
~^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/state/ synapse_client_transaction; ~^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/state/ synapse_client_transaction;
~^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/(join|invite|leave|ban|unban|kick)$ synapse_client_transaction; ~^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/(join|invite|leave|ban|unban|kick)$ synapse_client_transaction;
~^/_matrix/client/(api/v1|r0|v3|unstable)/join/ synapse_client_transaction; ~^/_matrix/client/(api/v1|r0|v3|unstable)/join/ synapse_client_transaction;
~^/_matrix/client/(api/v1|r0|v3|unstable)/knock/ synapse_client_transaction;
~^/_matrix/client/(api/v1|r0|v3|unstable)/profile/ synapse_client_transaction; ~^/_matrix/client/(api/v1|r0|v3|unstable)/profile/ synapse_client_transaction;
# Account data requests # Account data requests
synapse-module/workers.nix
+8 -89
View File
@@ -4,8 +4,8 @@
throw', throw',
format format
}: }:
{ pkgs, lib, options, config, ... }: let { pkgs, lib, config, ... }: let
opt = options.services.matrix-synapse-next;
cfg = config.services.matrix-synapse-next; cfg = config.services.matrix-synapse-next;
wcfg = config.services.matrix-synapse-next.workers; wcfg = config.services.matrix-synapse-next.workers;
@@ -13,8 +13,6 @@
cfgText = "config.services.matrix-synapse-next"; cfgText = "config.services.matrix-synapse-next";
wcfgText = "config.services.matrix-synapse-next.workers"; wcfgText = "config.services.matrix-synapse-next.workers";
usesCustomSigningKeyPath = cfg.settings.signing_key_path != (opt.settings.type.getSubOptions { }).signing_key_path.default;
inherit (lib) types mkOption mkEnableOption mkIf mkMerge literalExpression; inherit (lib) types mkOption mkEnableOption mkIf mkMerge literalExpression;
mkWorkerCountOption = workerType: mkOption { mkWorkerCountOption = workerType: mkOption {
@@ -58,7 +56,7 @@ in {
workerSettingsType = instanceCfg: types.submodule { workerSettingsType = instanceCfg: types.submodule {
freeformType = format.type; freeformType = format.type;
options = { options = {
worker_app = mkOption { worker_app = mkOption {
type = types.enum [ type = types.enum [
@@ -76,16 +74,6 @@ in {
description = "Listener configuration for the worker, similar to the main synapse listener"; description = "Listener configuration for the worker, similar to the main synapse listener";
default = [ ]; default = [ ];
}; };
worker_log_config = mkOption {
type = types.path;
description = ''
A yaml python logging config file as described by
https://docs.python.org/3.7/library/logging.config.html#configuration-dictionary-schema
'';
default = pkgs.writeText "log_config.yaml" cfg.mainLogConfig;
defaultText = "A config file generated from ${cfgText}.mainLogConfig";
};
}; };
}; };
@@ -295,7 +283,7 @@ in {
stream_writers.events = stream_writers.events =
mkIf (wcfg.eventPersisters > 0) mkIf (wcfg.eventPersisters > 0)
(lib.genList (i: "auto-event-persist${toString (i + 1)}") wcfg.eventPersisters); (lib.genList (i: "auto-event-persist${toString (i + 1)}") wcfg.eventPersisters);
update_user_directory_from_worker = update_user_directory_from_worker =
mkIf wcfg.useUserDirectoryWorker "auto-user-dir"; mkIf wcfg.useUserDirectoryWorker "auto-user-dir";
@@ -384,32 +372,16 @@ in {
description = "Synapse Matrix Worker"; description = "Synapse Matrix Worker";
partOf = [ "matrix-synapse.target" ]; partOf = [ "matrix-synapse.target" ];
wantedBy = [ "matrix-synapse.target" ]; wantedBy = [ "matrix-synapse.target" ];
after = [ after = [ "matrix-synapse.service" ];
"matrix-synapse.service"
] ++ (lib.optionals (config.systemd.tmpfiles.settings."10-matrix-synapse" != { }) [
"systemd-tmpfiles-setup.service"
"systemd-tmpfiles-resetup.service"
]);
requires = [ "matrix-synapse.service" ]; requires = [ "matrix-synapse.service" ];
environment = lib.optionalAttrs cfg.withJemalloc {
LD_PRELOAD = "${pkgs.jemalloc}/lib/libjemalloc.so";
PYTHONMALLOC = "malloc";
};
serviceConfig = { serviceConfig = {
Type = "notify"; Type = "notify";
User = "matrix-synapse"; User = "matrix-synapse";
Group = "matrix-synapse"; Group = "matrix-synapse";
Slice = "system-matrix-synapse.slice"; Slice = "system-matrix-synapse.slice";
WorkingDirectory = cfg.dataDir;
Restart = "always";
RestartSec = 3;
WorkingDirectory = "/var/lib/matrix-synapse";
RuntimeDirectory = "matrix-synapse"; RuntimeDirectory = "matrix-synapse";
StateDirectory = "matrix-synapse"; StateDirectory = "matrix-synapse";
ExecStartPre = pkgs.writers.writeBash "wait-for-synapse" '' ExecStartPre = pkgs.writers.writeBash "wait-for-synapse" ''
# From https://md.darmstadt.ccc.de/synapse-at-work # From https://md.darmstadt.ccc.de/synapse-at-work
while ! systemctl is-active -q matrix-synapse.service; do while ! systemctl is-active -q matrix-synapse.service; do
@@ -417,64 +389,11 @@ in {
done done
''; '';
ExecStart = let ExecStart = let
flags = lib.cli.toCommandLineShellGNU {} { flags = lib.cli.toGNUCommandLineShell {} {
config-path = [ matrix-synapse-common-config (workerConfig worker) ] ++ cfg.extraConfigFiles; config-path = [ matrix-synapse-common-config (workerConfig worker) ] ++ cfg.extraConfigFiles;
keys-directory = "/var/lib/matrix-synapse"; keys-directory = cfg.dataDir;
}; };
in "${wrapped}/bin/synapse_worker ${flags}"; in "${wrapped}/bin/synapse_worker ${flags}";
AmbientCapabilities = [ "" ];
CapabilityBoundingSet = [ "" ];
LockPersonality = true;
NoNewPrivileges = true;
PrivateDevices = true;
PrivateTmp = true;
PrivateUsers = true;
ProcSubset = "pid";
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
ProtectSystem = "strict";
BindPaths = (lib.optionals (cfg.dataDir != "/var/lib/matrix-synapse") [
"${cfg.dataDir}:/var/lib/matrix-synapse"
]) ++ (lib.optionals (cfg.settings.media_store_path != "${cfg.dataDir}/media_store") [
"${cfg.settings.media_store_path}:/var/lib/matrix-synapse/media_store"
]);
ReadWritePaths = lib.pipe cfg.settings.listeners [
(lib.filter (listener: listener.path != null))
(map (listener: dirOf listener.path))
(lib.filter (path: path != "/run/matrix-synapse"))
lib.uniqueStrings
];
LoadCredential = lib.mkIf usesCustomSigningKeyPath [
"signing_key:${cfg.settings.signing_key_path}"
];
RemoveIPC = true;
RestrictAddressFamilies = [
"AF_INET"
"AF_INET6"
"AF_UNIX"
];
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
SocketBindAllow = lib.pipe worker.value.settings.worker_listeners [
(map (lib.filterAttrsRecursive (_: v: v != null)))
(lib.catAttrs "port")
];
SocketBindDeny = "any";
SystemCallArchitectures = "native";
SystemCallFilter = [
"@system-service"
"~@resources"
"~@privileged"
];
UMask = "0027";
}; };
}; };
})); }));
tests/default.nix
+1 -4
View File
@@ -1,7 +1,4 @@
{ nixpkgs, pkgs, matrix-lib, ... }: { nixpkgs, pkgs, matrix-lib, ... }:
{ {
nginx-pipeline-eval = pkgs.callPackage ./nginx-pipeline { inherit nixpkgs matrix-lib; }; nginx-pipeline = pkgs.callPackage ./nginx-pipeline { inherit nixpkgs matrix-lib; };
synapse = pkgs.testers.runNixOSTest ./synapse;
synapse-workers = pkgs.testers.runNixOSTest ./synapse-workers;
} }
tests/nginx-pipeline/default.nix
+1 -1
View File
@@ -5,7 +5,7 @@ let
modules = [ modules = [
../../module.nix ../../module.nix
{ {
system.stateVersion = "25.11"; system.stateVersion = "23.11";
boot.isContainer = true; boot.isContainer = true;
services.matrix-synapse-next = { services.matrix-synapse-next = {
enable = true; enable = true;
tests/synapse-workers/default.nix
-52
View File
@@ -1,52 +0,0 @@
{ pkgs, ... }:
{
name = "matrix-synapse-workers";
nodes = {
server =
{
pkgs,
nodes,
...
}:
{
imports = [
../../synapse-module
];
services.postgresql = {
enable = true;
initialScript = pkgs.writeText "synapse-init.sql" ''
CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';
CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
TEMPLATE template0
LC_COLLATE = "C"
LC_CTYPE = "C";
'';
};
services.matrix-synapse-next = {
enable = true;
workers.federationSenders = 1;
workers.federationReceivers = 1;
workers.initialSyncers = 1;
workers.normalSyncers = 1;
workers.eventPersisters = 1;
workers.useUserDirectoryWorker = true;
settings = {
server_name = "example.com";
database = {
args.password = "synapse";
};
};
};
services.redis.servers."".enable = true;
};
};
testScript = ''
server.wait_for_unit("matrix-synapse.target");
'';
}
tests/synapse/default.nix
-213
View File
@@ -1,213 +0,0 @@
# Modified from https://github.com/NixOS/nixpkgs/blob/nixos-26.05/nixos/tests/matrix/synapse.nix
{ pkgs, lib, ... }:
let
mailerCerts = import /${pkgs.path}/nixos/tests/common/acme/server/snakeoil-certs.nix;
mailerDomain = mailerCerts.domain;
registrationSharedSecret = "unsecure123";
testUser = "alice";
testPassword = "alicealice";
testEmail = "alice@example.com";
in
{
name = "matrix-synapse";
nodes = {
# Since 0.33.0, matrix-synapse doesn't allow underscores in server names
server =
{
pkgs,
nodes,
config,
...
}:
let
mailserverIP = nodes.mailserver.networking.primaryIPAddress;
in
{
imports = [
../../synapse-module
];
services.matrix-synapse-next = {
enable = true;
settings = {
registration_shared_secret = registrationSharedSecret;
server_name = "example.com";
public_baseurl = "https://example.com";
database = {
args.password = "synapse";
};
redis = {
enabled = true;
host = "localhost";
port = config.services.redis.servers.matrix-synapse.port;
};
email = {
smtp_host = mailerDomain;
smtp_port = 25;
require_transport_security = true;
notif_from = "matrix <matrix@${mailerDomain}>";
app_name = "Matrix";
};
listeners = [
{
port = 8448;
bind_addresses = [
"127.0.0.1"
"::1"
];
type = "http";
x_forwarded = false;
resources = [
{
names = [
"client"
];
compress = true;
}
{
names = [
"federation"
];
compress = false;
}
];
}
];
};
};
services.postgresql = {
enable = true;
# The database name and user are configured by the following options:
# - services.matrix-synapse.database_name
# - services.matrix-synapse.database_user
#
# The values used here represent the default values of the module.
initialScript = pkgs.writeText "synapse-init.sql" ''
CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';
CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
TEMPLATE template0
LC_COLLATE = "C"
LC_CTYPE = "C";
'';
};
services.redis.servers.matrix-synapse = {
enable = true;
port = 6380;
};
networking.extraHosts = ''
${mailserverIP} ${mailerDomain}
'';
security.pki.certificateFiles = [
mailerCerts.ca.cert
];
environment.systemPackages =
let
sendTestMailStarttls = pkgs.writeScriptBin "send-testmail-starttls" ''
#!${pkgs.python3.interpreter}
import smtplib
import ssl
ctx = ssl.create_default_context()
with smtplib.SMTP('${mailerDomain}') as smtp:
smtp.ehlo()
smtp.starttls(context=ctx)
smtp.ehlo()
smtp.sendmail('matrix@${mailerDomain}', '${testEmail}', 'Subject: Test STARTTLS\n\nTest data.')
smtp.quit()
'';
obtainTokenAndRegisterEmail =
let
# adding the email through the API is quite complicated as it involves more than one step and some
# client-side calculation
insertEmailForAlice = pkgs.writeText "alice-email.sql" ''
INSERT INTO user_threepids (user_id, medium, address, validated_at, added_at)
VALUES ('${testUser}@server', 'email', '${testEmail}', '1629149927271', '1629149927270');
'';
in
pkgs.writeScriptBin "obtain-token-and-register-email" ''
#!${pkgs.runtimeShell}
set -o errexit
set -o pipefail
set -o nounset
su postgres -c "psql -d matrix-synapse -f ${insertEmailForAlice}"
curl --fail -XPOST -v 'http://localhost:8448/_matrix/client/r0/account/password/email/requestToken' --json '${builtins.toJSON {
email = testEmail;
client_secret = "foobar";
send_attempt = 1;
}}'
'';
in
[
sendTestMailStarttls
pkgs.matrix-synapse
obtainTokenAndRegisterEmail
];
};
# test mail delivery
mailserver = args: {
security.pki.certificateFiles = [
mailerCerts.ca.cert
];
networking.firewall.enable = false;
services.postfix = {
enable = true;
enableSubmission = true;
# blackhole transport
transport = "example.com discard:silently";
settings.main = {
myhostname = "${mailerDomain}";
# open relay for subnet
mynetworks_style = "subnet";
debug_peer_level = "10";
smtpd_relay_restrictions = [
"permit_mynetworks"
"reject_unauth_destination"
];
# disable obsolete protocols, something old versions of twisted are still using
smtpd_tls_protocols = "TLSv1.3, TLSv1.2, !TLSv1.1, !TLSv1, !SSLv2, !SSLv3";
smtpd_tls_mandatory_protocols = "TLSv1.3, TLSv1.2, !TLSv1.1, !TLSv1, !SSLv2, !SSLv3";
smtpd_tls_chain_files = [
"${mailerCerts.${mailerDomain}.key}"
"${mailerCerts.${mailerDomain}.cert}"
];
};
};
};
};
testScript = ''
start_all()
mailserver.wait_for_unit("postfix.service")
server.succeed("send-testmail-starttls")
server.wait_for_unit("matrix-synapse.service")
server.wait_until_succeeds(
"curl --fail -L http://localhost:8448/"
)
server.wait_until_succeeds(
"journalctl -u matrix-synapse.service | grep -q 'Connected to redis'"
)
server.require_unit_state("postgresql.target")
server.succeed("register_new_matrix_user -u ${testUser} -p ${testPassword} -a -k ${registrationSharedSecret} 'http://localhost:8448/'")
server.succeed("obtain-token-and-register-email")
'';
}