sliding-sync: remove

2025-01-02 23:17:45 +01:00
10 changed files with 36 additions and 205 deletions
--- a/MIGRATIONS.MD
+++ b/MIGRATIONS.MD
@@ -2,12 +2,6 @@

 This is a best effort document descibing neccecary changes you might have to do when updating

-## 0.8.0
-
-`saml2` is no longer enabled, as it depends on vulnerable dependencies and isnt really built in nixpks anymore.
-
-If you need to authenticate with saml, you should deploy some sort of saml to openid bridge, instead.
-
 ## 0.6.1

 enableSlidingSync, and setting matrix-synapse.sliding-sync.environmentFile (or any other sliding-sync setting)
--- a/flake.lock
+++ b/flake.lock
@@ -2,16 +2,16 @@
  "nodes": {
    "nixpkgs": {
      "locked": {
-        "lastModified": 1764983851,
-        "narHash": "sha256-y7RPKl/jJ/KAP/VKLMghMgXTlvNIJMHKskl8/Uuar7o=",
+        "lastModified": 1706098335,
+        "narHash": "sha256-r3dWjT8P9/Ah5m5ul4WqIWD8muj5F+/gbCdjiNVBKmU=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "d9bc5c7dceb30d8d6fafa10aeb6aa8a48c218454",
+        "rev": "a77ab169a83a4175169d78684ddd2e54486ac651",
        "type": "github"
      },
      "original": {
        "id": "nixpkgs",
-        "ref": "nixos-25.11",
+        "ref": "nixos-23.11",
        "type": "indirect"
      }
    },
--- a/flake.nix
+++ b/flake.nix
@@ -2,7 +2,7 @@
  description = "NixOS modules for matrix related services";

  inputs = {
-    nixpkgs.url = "nixpkgs/nixos-25.11";
+    nixpkgs.url = "nixpkgs/nixos-23.11";
  };

  outputs = { self, nixpkgs }: {
@@ -12,7 +12,7 @@

    lib = import ./lib.nix { lib = nixpkgs.lib; };

-    checks = let
+    packages = let
      forAllSystems = f:
        nixpkgs.lib.genAttrs [
          "x86_64-linux"
@@ -20,13 +20,11 @@
          "x86_64-darwin"
          "aarch64-darwin"
        ] (system: f nixpkgs.legacyPackages.${system});
-    in forAllSystems (pkgs: let
+    in forAllSystems (pkgs: {
      tests = import ./tests {
        inherit nixpkgs pkgs;
        matrix-lib = self.lib;
      };
-    in {
-      inherit (tests) nginx-pipeline-eval;
    });
  };
 }
--- a/lib.nix
+++ b/lib.nix
@@ -6,7 +6,7 @@ rec {
  firstListenerOfType = type: ls: lib.lists.findFirst (isListenerType type)
    (throw "No listener with resource: ${type} configured")
    ls;
-  # Get an attrset of the host and port from a listener
+  # Get an attrset of the host and port from a listener 
  connectionInfo = l: {
    host = lib.head l.bind_addresses;
    port = l.port;
--- a/module.nix
+++ b/module.nix
@@ -3,7 +3,7 @@
 {
  imports = [
    ./synapse-module
-
+    
    # TODO: Remove after 25.05
    (lib.mkRemovedOptionModule [ "services" "matrix-synapse" "sliding-sync" ] ''
      `services.matrix-synapse.sliding-sync` is no longer necessary to use sliding-sync with synapse.
--- a/synapse-module/default.nix
+++ b/synapse-module/default.nix
@@ -12,15 +12,14 @@ let
  format = pkgs.formats.yaml {};
  matrix-synapse-common-config = format.generate "matrix-synapse-common-config.yaml" (cfg.settings // {
    listeners = map (lib.filterAttrsRecursive (_: v: v != null)) cfg.settings.listeners;
-    media_store_path = "/var/lib/matrix-synapse/media_store";
-    signing_key_path = "/run/credentials/matrix-synapse.service/signing_key";
  });

  # TODO: Align better with the upstream module
-  wrapped = cfg.package.override {
+  wrapped = cfg.package.override { 
    inherit (cfg) plugins;
    extras = [
      "postgres"
+      "saml2"
      "oidc"
      "systemd"
      "url-preview"
@@ -28,6 +27,7 @@ let
      "jwt"
      "redis"
      "cache-memory"
+      "user-search"
    ];
  };

@@ -72,14 +72,6 @@ in
      '';
    };

-    withJemalloc = mkOption {
-      type = types.bool;
-      default = true;
-      description = ''
-        Whether to preload jemalloc to reduce memory fragmentation and overall usage.
-      '';
-    };
-
    dataDir = mkOption {
      type = types.path;
      default = "/var/lib/matrix-synapse";
@@ -408,8 +400,9 @@ in

    users.users.matrix-synapse = {
      group = "matrix-synapse";
-      home = "/var/lib/matrix-synapse";
+      home = cfg.dataDir;
      createHome = true;
+      shell = "${pkgs.bash}/bin/bash";
      uid = config.ids.uids.matrix-synapse;
    };

@@ -430,104 +423,35 @@ in
        after= [ "system.slice" ];
      };

-      tmpfiles.settings."10-matrix-synapse" = {
-        "${cfg.dataDir}".d = lib.mkIf (cfg.dataDir != "/var/lib/matrix-synapse") {
-          user = "matrix-synapse";
-          group = "matrix-synapse";
-          mode = "0700";
-        };
-        "${cfg.settings.media_store_path}".d = lib.mkIf (cfg.settings.media_store_path != "/var/lib/matrix-synapse/media_store") {
-          user = "matrix-synapse";
-          group = "matrix-synapse";
-          mode = "0700";
-        };
-      };
-
      services.matrix-synapse = {
        description = "Synapse Matrix homeserver";
        partOf = [ "matrix-synapse.target" ];
        wantedBy = [ "matrix-synapse.target" ];
-        after = lib.mkIf (config.systemd.tmpfiles.settings."10-matrix-synapse" != { }) [
-          "systemd-tmpfiles-setup.service"
-          "systemd-tmpfiles-resetup.service"
-        ];

-        environment = lib.optionalAttrs cfg.withJemalloc {
-          LD_PRELOAD = "${pkgs.jemalloc}/lib/libjemalloc.so";
-          PYTHONMALLOC = "malloc";
-        };
+        preStart = let
+          flags = lib.cli.toGNUCommandLineShell {} {
+            config-path = [ matrix-synapse-common-config ] ++ cfg.extraConfigFiles;
+            keys-directory = cfg.dataDir;
+            generate-keys = true;
+          };
+        in "${cfg.package}/bin/synapse_homeserver ${flags}";

        serviceConfig = {
          Type = "notify";
          User = "matrix-synapse";
          Group = "matrix-synapse";
          Slice = "system-matrix-synapse.slice";
-
-          Restart = "always";
-          RestartSec = 3;
-
-          WorkingDirectory = "/var/lib/matrix-synapse";
+          WorkingDirectory = cfg.dataDir;
          StateDirectory = "matrix-synapse";
          RuntimeDirectory = "matrix-synapse";
-
-          ExecStartPre = let
-            flags = lib.cli.toCommandLineShellGNU {} {
-              config-path = [ matrix-synapse-common-config ] ++ cfg.extraConfigFiles;
-              keys-directory = "/var/lib/matrix-synapse";
-              generate-keys = true;
-            };
-          in "${cfg.package}/bin/synapse_homeserver ${flags}";
          ExecStart = let
-            flags = lib.cli.toCommandLineShellGNU {} {
+            flags = lib.cli.toGNUCommandLineShell {} {
              config-path = [ matrix-synapse-common-config ] ++ cfg.extraConfigFiles;
-              keys-directory = "/var/lib/matrix-synapse";
+              keys-directory = cfg.dataDir;
            };
          in "${wrapped}/bin/synapse_homeserver ${flags}";
-          ExecReload = "${lib.getExe' pkgs.coreutils "kill"} -HUP $MAINPID";
-
-          CapabilityBoundingSet = [ "" ];
-          LockPersonality = true;
-          NoNewPrivileges = true;
-          PrivateDevices = true;
-          PrivateTmp = true;
-          PrivateUsers = true;
-          ProcSubset = "pid";
-          ProtectClock = true;
-          ProtectControlGroups = true;
-          ProtectHome = true;
-          ProtectHostname = true;
-          ProtectKernelLogs = true;
-          ProtectKernelModules = true;
-          ProtectKernelTunables = true;
-          ProtectProc = "invisible";
-          ProtectSystem = "strict";
-          BindPaths = (lib.optionals (cfg.dataDir != "/var/lib/matrix-synapse") [
-            "${cfg.dataDir}:/var/lib/matrix-synapse"
-          ]) ++ (lib.optionals (cfg.settings.media_store_path != "${cfg.dataDir}/media_store") [
-             "${cfg.settings.media_store_path}:/var/lib/matrix-synapse/media_store"
-          ]);
-          ReadWritePaths = lib.pipe cfg.settings.listeners [
-            (lib.filter (listener: listener.path != null))
-            (map (listener: dirOf listener.path))
-            (lib.filter (path: path != "/run/matrix-synapse"))
-            lib.uniqueStrings
-          ];
-          LoadCredential = [ "signing_key:${cfg.settings.signing_key_path}" ];
-          RemoveIPC = true;
-          RestrictAddressFamilies = [
-            "AF_INET"
-            "AF_INET6"
-            "AF_UNIX"
-          ];
-          RestrictNamespaces = true;
-          RestrictRealtime = true;
-          RestrictSUIDSGID = true;
-          SystemCallArchitectures = "native";
-          SystemCallFilter = [
-            "@system-service"
-            "~@resources"
-            "~@privileged"
-          ];
+          ExecReload = "${pkgs.utillinux}/bin/kill -HUP $MAINPID";
+          Restart = "on-failure";
        };
      };
    };
--- a/synapse-module/nginx.nix
+++ b/synapse-module/nginx.nix
@@ -24,7 +24,6 @@ in
        ~^/_matrix/client/(api/v1|r0|v3)/rooms/[^/]+/initialSync$ synapse_initial_sync;

        # Federation requests
-        ~^/_matrix/federation/v1/version$ synapse_federation;
        ~^/_matrix/federation/v1/event/ synapse_federation;
        ~^/_matrix/federation/v1/state/ synapse_federation;
        ~^/_matrix/federation/v1/state_ids/ synapse_federation;
@@ -36,8 +35,6 @@ in
        ~^/_matrix/federation/v1/make_leave/ synapse_federation;
        ~^/_matrix/federation/(v1|v2)/send_join/ synapse_federation;
        ~^/_matrix/federation/(v1|v2)/send_leave/ synapse_federation;
-        ~^/_matrix/federation/v1/make_knock/ synapse_federation;
-        ~^/_matrix/federation/v1/send_knock/ synapse_federation;
        ~^/_matrix/federation/(v1|v2)/invite/ synapse_federation;
        ~^/_matrix/federation/v1/event_auth/ synapse_federation;
        ~^/_matrix/federation/v1/timestamp_to_event/ synapse_federation;
@@ -59,23 +56,17 @@ in
        ~^/_matrix/client/v1/rooms/.*/hierarchy$ synapse_client_interaction;
        ~^/_matrix/client/(v1|unstable)/rooms/.*/relations/ synapse_client_interaction;
        ~^/_matrix/client/v1/rooms/.*/threads$ synapse_client_interaction;
+        ~^/_matrix/client/unstable/org.matrix.msc2716/rooms/.*/batch_send$ synapse_client_interaction;
        ~^/_matrix/client/unstable/im.nheko.summary/rooms/.*/summary$ synapse_client_interaction;
        ~^/_matrix/client/(r0|v3|unstable)/account/3pid$ synapse_client_interaction;
        ~^/_matrix/client/(r0|v3|unstable)/account/whoami$ synapse_client_interaction;
-        ~^/_matrix/client/(r0|v3|unstable)/account/deactivate$ synapse_client_interaction;
-        ~^/_matrix/client/(r0|v3)/delete_devices$ synapse_client_interaction;
-        ~^/_matrix/client/(api/v1|r0|v3|unstable)/devices(/|$) synapse_client_interaction;
+        ~^/_matrix/client/(r0|v3|unstable)/devices$ synapse_client_interaction;
        ~^/_matrix/client/versions$ synapse_client_interaction;
        ~^/_matrix/client/(api/v1|r0|v3|unstable)/voip/turnServer$ synapse_client_interaction;
        ~^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/event/ synapse_client_interaction;
        ~^/_matrix/client/(api/v1|r0|v3|unstable)/joined_rooms$ synapse_client_interaction;
        ~^/_matrix/client/v1/rooms/.*/timestamp_to_event$ synapse_client_interaction;
-        ~^/_matrix/client/(api/v1|r0|v3|unstable/.*)/rooms/.*/aliases synapse_client_interaction;
        ~^/_matrix/client/(api/v1|r0|v3|unstable)/search$ synapse_client_interaction;
-        ~^/_matrix/client/(r0|v3|unstable)/user/.*/filter(/|$) synapse_client_interaction;
-        ~^/_matrix/client/(api/v1|r0|v3|unstable)/directory/room/.*$ synapse_client_interaction;
-        ~^/_matrix/client/(r0|v3|unstable)/capabilities$ synapse_client_interaction;
-        ~^/_matrix/client/(r0|v3|unstable)/notifications$ synapse_client_interaction;

        # Encryption requests
        ~^/_matrix/client/(r0|v3|unstable)/keys/query$ synapse_client_encryption;
@@ -83,15 +74,11 @@ in
        ~^/_matrix/client/(r0|v3|unstable)/keys/claim$ synapse_client_encryption;
        ~^/_matrix/client/(r0|v3|unstable)/room_keys/ synapse_client_encryption;
        ~^/_matrix/client/(r0|v3|unstable)/keys/upload/ synapse_client_encryption;
-        ~^/_matrix/client/(api/v1|r0|v3|unstable)/keys/device_signing/upload$ synapse_client_encryption;
-        ~^/_matrix/client/(api/v1|r0|v3|unstable)/keys/signatures/upload$ synapse_client_encryption;

        # Registration/login requests
        ~^/_matrix/client/(api/v1|r0|v3|unstable)/login$ synapse_client_login;
        ~^/_matrix/client/(r0|v3|unstable)/register$ synapse_client_login;
-        ~^/_matrix/client/(r0|v3|unstable)/register/available$ synapse_client_login;
        ~^/_matrix/client/v1/register/m.login.registration_token/validity$ synapse_client_login;
-        ~^/_matrix/client/(r0|v3|unstable)/password_policy$ synapse_client_login;

        # Event sending requests
        ~^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/redact synapse_client_transaction;
@@ -99,7 +86,6 @@ in
        ~^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/state/ synapse_client_transaction;
        ~^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/(join|invite|leave|ban|unban|kick)$ synapse_client_transaction;
        ~^/_matrix/client/(api/v1|r0|v3|unstable)/join/ synapse_client_transaction;
-        ~^/_matrix/client/(api/v1|r0|v3|unstable)/knock/ synapse_client_transaction;
        ~^/_matrix/client/(api/v1|r0|v3|unstable)/profile/ synapse_client_transaction;

        # Account data requests
--- a/synapse-module/workers.nix
+++ b/synapse-module/workers.nix
@@ -56,7 +56,7 @@ in {

    workerSettingsType = instanceCfg: types.submodule {
      freeformType = format.type;
-
+      
      options = {
        worker_app = mkOption {
          type = types.enum [
@@ -74,16 +74,6 @@ in {
          description = "Listener configuration for the worker, similar to the main synapse listener";
          default = [ ];
        };
-
-        worker_log_config = mkOption {
-          type = types.path;
-          description = ''
-            A yaml python logging config file as described by
-            https://docs.python.org/3.7/library/logging.config.html#configuration-dictionary-schema
-          '';
-          default = pkgs.writeText "log_config.yaml" cfg.mainLogConfig;
-          defaultText = "A config file generated from ${cfgText}.mainLogConfig";
-        };
      };
    };

@@ -293,7 +283,7 @@ in {

      stream_writers.events =
        mkIf (wcfg.eventPersisters > 0)
-        (lib.genList (i: "auto-event-persist${toString (i + 1)}") wcfg.eventPersisters);
+        (lib.genList (i: "auto-event-persist${toString (i + 1)}") wcfg.eventPersisters); 

      update_user_directory_from_worker =
        mkIf wcfg.useUserDirectoryWorker "auto-user-dir";
@@ -375,7 +365,6 @@ in {
          worker_name = worker.name;
          worker_listeners =
            map (lib.filterAttrsRecursive (_: v: v != null)) worker.value.settings.worker_listeners;
-          signing_key_path = "/run/credentials/matrix-synapse-worker-${worker.name}.service/signing_key";
        });
    in builtins.listToAttrs (lib.flip map workerList (worker: {
      name = "matrix-synapse-worker-${worker.name}";
@@ -383,32 +372,16 @@ in {
        description = "Synapse Matrix Worker";
        partOf = [ "matrix-synapse.target" ];
        wantedBy = [ "matrix-synapse.target" ];
-        after = [
-          "matrix-synapse.service"
-        ] ++ (lib.optionals (config.systemd.tmpfiles.settings."10-matrix-synapse" != { }) [
-          "systemd-tmpfiles-setup.service"
-          "systemd-tmpfiles-resetup.service"
-        ]);
+        after = [ "matrix-synapse.service" ];
        requires = [ "matrix-synapse.service" ];
-
-        environment = lib.optionalAttrs cfg.withJemalloc {
-          LD_PRELOAD = "${pkgs.jemalloc}/lib/libjemalloc.so";
-          PYTHONMALLOC = "malloc";
-        };
-
        serviceConfig = {
          Type = "notify";
          User = "matrix-synapse";
          Group = "matrix-synapse";
          Slice = "system-matrix-synapse.slice";
-
-          Restart = "always";
-          RestartSec = 3;
-
-          WorkingDirectory = "/var/lib/matrix-synapse";
+          WorkingDirectory = cfg.dataDir;
          RuntimeDirectory = "matrix-synapse";
          StateDirectory = "matrix-synapse";
-
          ExecStartPre = pkgs.writers.writeBash "wait-for-synapse" ''
            # From https://md.darmstadt.ccc.de/synapse-at-work
            while ! systemctl is-active -q matrix-synapse.service; do
@@ -416,55 +389,11 @@ in {
            done
          '';
          ExecStart = let
-            flags = lib.cli.toCommandLineShellGNU {} {
+            flags = lib.cli.toGNUCommandLineShell {} {
              config-path = [ matrix-synapse-common-config (workerConfig worker) ] ++ cfg.extraConfigFiles;
-              keys-directory = "/var/lib/matrix-synapse";
+              keys-directory = cfg.dataDir;
            };
          in "${wrapped}/bin/synapse_worker ${flags}";
-
-          CapabilityBoundingSet = [ "" ];
-          LockPersonality = true;
-          NoNewPrivileges = true;
-          PrivateDevices = true;
-          PrivateTmp = true;
-          PrivateUsers = true;
-          ProcSubset = "pid";
-          ProtectClock = true;
-          ProtectControlGroups = true;
-          ProtectHome = true;
-          ProtectHostname = true;
-          ProtectKernelLogs = true;
-          ProtectKernelModules = true;
-          ProtectKernelTunables = true;
-          ProtectProc = "invisible";
-          ProtectSystem = "strict";
-          BindPaths = (lib.optionals (cfg.dataDir != "/var/lib/matrix-synapse") [
-            "${cfg.dataDir}:/var/lib/matrix-synapse"
-          ]) ++ (lib.optionals (cfg.settings.media_store_path != "${cfg.dataDir}/media_store") [
-             "${cfg.settings.media_store_path}:/var/lib/matrix-synapse/media_store"
-          ]);
-          ReadWritePaths = lib.pipe cfg.settings.listeners [
-            (lib.filter (listener: listener.path != null))
-            (map (listener: dirOf listener.path))
-            (lib.filter (path: path != "/run/matrix-synapse"))
-            lib.uniqueStrings
-          ];
-          LoadCredential = [ "signing_key:${cfg.settings.signing_key_path}" ];
-          RemoveIPC = true;
-          RestrictAddressFamilies = [
-            "AF_INET"
-            "AF_INET6"
-            "AF_UNIX"
-          ];
-          RestrictNamespaces = true;
-          RestrictRealtime = true;
-          RestrictSUIDSGID = true;
-          SystemCallArchitectures = "native";
-          SystemCallFilter = [
-            "@system-service"
-            "~@resources"
-            "~@privileged"
-          ];
        };
      };
    }));
--- a/tests/default.nix
+++ b/tests/default.nix
@@ -1,4 +1,4 @@
 { nixpkgs, pkgs, matrix-lib, ... }:
 {
-  nginx-pipeline-eval = pkgs.callPackage ./nginx-pipeline { inherit nixpkgs matrix-lib; };
+  nginx-pipeline = pkgs.callPackage ./nginx-pipeline { inherit nixpkgs matrix-lib; };
 }
--- a/tests/nginx-pipeline/default.nix
+++ b/tests/nginx-pipeline/default.nix
@@ -5,7 +5,7 @@ let
    modules = [
      ../../module.nix
      {
-        system.stateVersion = "25.11";
+        system.stateVersion = "23.11";
        boot.isContainer = true;
        services.matrix-synapse-next = {
          enable = true;