Update MIGRATIONS.MD for version 0.8.0 changes

Added migration notes for version 0.8.0 regarding saml2 deprecation and its alternatives.
Remove 'saml2' from extras as it is broken
2025-12-04 11:28:15 +01:00 · 2025-12-01 01:10:31 +01:00 · 2025-07-22 22:35:55 +02:00 · 2025-01-02 23:34:05 +01:00 · 2024-09-27 06:21:37 +02:00 · 2024-09-27 06:09:23 +02:00
15 changed files with 422 additions and 410 deletions
--- a/MIGRATIONS.MD
+++ b/MIGRATIONS.MD
@@ -2,9 +2,20 @@

 This is a best effort document descibing neccecary changes you might have to do when updating

-## 0.5.0 UNRELEASED
-
-The module has been renamed from `synapse` to `default`
+## 0.8.0

+`saml2` is no longer enabled, as it depends on vulnerable dependencies and isnt really built in nixpks anymore.
+
+If you need to authenticate with saml, you should deploy some sort of saml to openid bridge, instead.
+
+## 0.6.1
+
+enableSlidingSync, and setting matrix-synapse.sliding-sync.environmentFile (or any other sliding-sync setting)
+is no longer needed for a sliding-sync setup. Upgrading will force relogins for all users.
+
+## 0.5.0
+
+* The module has been renamed from `synapse` to `default`
+* The synapse module now expects a wrapper-style package. This means the module is now incompatible with nixpkgs < 23.11.


--- a/README.MD
+++ b/README.MD
@@ -1,3 +1,5 @@
+For support and requests feel free to join [#nixos-matrix-modules:dodsorf.as](https://matrix.to/#/#nixos-matrix-modules:dodsorf.as), [uri](matrix:r/nixos-matrix-modules:dodsorf.as)
+
 With matrix.YOURDOMAIN pointing at the server:

 ```
@@ -36,19 +38,3 @@ With matrix.YOURDOMAIN pointing at the server:
 ```

 is ~enough to get a functional matrix-server running with some workers
-
-## Sliding Sync (Element X)
-
-Just add the following to your config and point `slidingsync.YOURDOMAIN` at the server
-
-```
-services.matrix-synapse-next = {
-  enableSlidingSync = true;
-};
-
-services.matrix-synapse.sliding-sync.environmentFile = "/some/file/containing/SYNCV3_SECRET=<some secret>";
-
-```
-
-If using [well-known delagation](https://matrix-org.github.io/synapse/v1.37/delegate.html) make sure `YOURDOMAIN/.well-known/matrix/client` matches
-what's in `matrix.YOURDOMAIN/.well-known/matrix/client`
--- a/flake.lock
+++ b/flake.lock
@@ -2,38 +2,22 @@
  "nodes": {
    "nixpkgs": {
      "locked": {
-        "lastModified": 1690789960,
-        "narHash": "sha256-3K+2HuyGTiJUSZNJxXXvc0qj4xFx1FHC/ItYtEa7/Xs=",
+        "lastModified": 1706098335,
+        "narHash": "sha256-r3dWjT8P9/Ah5m5ul4WqIWD8muj5F+/gbCdjiNVBKmU=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "fb942492b7accdee4e6d17f5447091c65897dde4",
+        "rev": "a77ab169a83a4175169d78684ddd2e54486ac651",
        "type": "github"
      },
      "original": {
        "id": "nixpkgs",
-        "ref": "nixos-unstable",
+        "ref": "nixos-23.11",
        "type": "indirect"
      }
    },
-    "nixpkgs-lib": {
-      "locked": {
-        "lastModified": 1673743903,
-        "narHash": "sha256-sloY6KYyVOozJ1CkbgJPpZ99TKIjIvM+04V48C04sMQ=",
-        "owner": "nix-community",
-        "repo": "nixpkgs.lib",
-        "rev": "7555e2dfcbac1533f047021f1744ac8871150f9f",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-community",
-        "repo": "nixpkgs.lib",
-        "type": "github"
-      }
-    },
    "root": {
      "inputs": {
-        "nixpkgs": "nixpkgs",
-        "nixpkgs-lib": "nixpkgs-lib"
+        "nixpkgs": "nixpkgs"
      }
    }
  },
--- a/flake.nix
+++ b/flake.nix
@@ -2,27 +2,29 @@
  description = "NixOS modules for matrix related services";

  inputs = {
-    nixpkgs-lib.url = "github:nix-community/nixpkgs.lib";
-    nixpkgs.url = "nixpkgs/nixos-unstable";
+    nixpkgs.url = "nixpkgs/nixos-23.11";
  };

-  outputs = { self, nixpkgs, nixpkgs-lib }: {
+  outputs = { self, nixpkgs }: {
    nixosModules = {
      default = import ./module.nix;
    };

-    lib = import ./lib.nix { lib = nixpkgs-lib.lib; };
+    lib = import ./lib.nix { lib = nixpkgs.lib; };

    packages = let
-      system = "x86_64-linux";
-      pkgs = nixpkgs.legacyPackages.${system};
-    in {
-        ${system}.tests = import ./tests {
-        inherit system;
-        inherit nixpkgs;
-        inherit pkgs;
-        nixosModule = self.outputs.nixosModules.synapse;
+      forAllSystems = f:
+        nixpkgs.lib.genAttrs [
+          "x86_64-linux"
+          "aarch64-linux"
+          "x86_64-darwin"
+          "aarch64-darwin"
+        ] (system: f nixpkgs.legacyPackages.${system});
+    in forAllSystems (pkgs: {
+      tests = import ./tests {
+        inherit nixpkgs pkgs;
+        matrix-lib = self.lib;
      };
-    };
+    });
  };
 }
--- a/lib.nix
+++ b/lib.nix
@@ -4,7 +4,7 @@ rec {
  isListenerType = type: l: lib.any (r: lib.any (n: n == type) r.names) l.resources;
  # Get the first listener that includes the given resource from worker
  firstListenerOfType = type: ls: lib.lists.findFirst (isListenerType type)
-    (lib.throw "No listener with resource: ${type} configured")
+    (throw "No listener with resource: ${type} configured")
    ls;
  # Get an attrset of the host and port from a listener 
  connectionInfo = l: {
@@ -17,4 +17,64 @@ rec {
    l = firstListenerOfType r w.settings.worker_listeners;
  in connectionInfo l;

+  mapWorkersToUpstreamsByType = workerInstances:
+    lib.pipe workerInstances [
+      lib.attrValues
+
+      # Index by worker type
+      (lib.foldl (acc: worker: acc // {
+        ${worker.type} = (acc.${worker.type} or [ ]) ++ [ worker ];
+      }) { })
+
+      # Subindex by resource names, listener types, and convert to upstreams
+      (lib.mapAttrs (_: workers: lib.pipe workers [
+        (lib.concatMap (worker: [ (lib.lists.head  worker.settings.worker_listeners) ]))
+        lib.flatten
+        mapListenersToUpstreamsByType
+      ]))
+    ];
+
+    mapListenersToUpstreamsByType = listenerInstances:
+      lib.pipe listenerInstances [
+        # Index by resource names
+        (lib.concatMap (listener: lib.pipe listener [
+          (listener: let
+            allResourceNames = lib.pipe listener.resources [
+              (map (resource: resource.names))
+              lib.flatten
+              lib.unique
+            ];
+          in if allResourceNames == [ ]
+            then { "empty" = listener; }
+            else lib.genAttrs allResourceNames (_: listener))
+          lib.attrsToList
+        ]))
+
+        (lib.foldl (acc: listener: acc // {
+          ${listener.name} = (acc.${listener.name} or [ ]) ++ [ listener.value ];
+        }) { })
+
+        # Index by listener type
+        (lib.mapAttrs (_:
+          (lib.foldl (acc: listener: acc // {
+            ${listener.type} = (acc.${listener.type} or [ ]) ++ [ listener ];
+          }) { })
+        ))
+
+        # Convert listeners to upstream URIs
+        (lib.mapAttrs (_:
+          (lib.mapAttrs (_: listeners:
+            lib.pipe listeners [
+              (lib.concatMap (listener:
+                if listener.path != null
+                  then [ "unix:${listener.path}" ]
+                  else (map (addr: "${addr}:${toString listener.port}") listener.bind_addresses)
+              ))
+              # NOTE: Adding ` = { }` to every upstream might seem unnecessary in isolation,
+              #       but it makes it easier to set upstreams in the nginx module.
+              (uris: lib.genAttrs uris (_: { }))
+            ]
+          ))
+        ))
+      ];
 }
--- a/module.nix
+++ b/module.nix
@@ -1,8 +1,14 @@
-{ ... }:
+{ lib, ... }:

 {
  imports = [
    ./synapse-module
-    ./sliding-sync
+
+    # TODO: Remove after 25.05
+    (lib.mkRemovedOptionModule [ "services" "matrix-synapse" "sliding-sync" ] ''
+      `services.matrix-synapse.sliding-sync` is no longer necessary to use sliding-sync with synapse.
+      As synapse now includes this in itself, if you have a manually managed `.well-known/matrix/client` file
+      remove the proxy url from it.
+    '')
  ];
 }
--- a/pkgs/matrix-sliding-sync/default.nix
+++ b/pkgs/matrix-sliding-sync/default.nix
@@ -1,37 +0,0 @@
-{ lib
-, buildGoModule
-, fetchFromGitHub
-}:
-
-buildGoModule rec {
-  pname = "matrix-sliding-sync";
-  version = "0.99.11";
-
-  src = fetchFromGitHub {
-    owner = "matrix-org";
-    repo = "sliding-sync";
-    rev = "refs/tags/v${version}";
-    hash = "sha256-Wd/nnJhKg+BDyOIz42zEScjzQRrpEq6YG9/9Tk24hgg=";
-  };
-
-  vendorHash = "sha256-0QSyYhOht1j1tWNxHQh+NUZA/W1xy7ANu+29H/gusOE=";
-
-  subPackages = [ "cmd/syncv3" ];
-
-  ldflags = [
-    "-s"
-    "-w"
-    "-X main.GitCommit=${src.rev}"
-  ];
-
-  # requires a running matrix-synapse
-  doCheck = false;
-
-  meta = with lib; {
-    description = "A sliding sync implementation of MSC3575 for matrix";
-    homepage = "https://github.com/matrix-org/sliding-sync";
-    license = with licenses; [ asl20 ];
-    maintainers = with maintainers; [ emilylange ];
-    mainProgram = "syncv3";
-  };
-}
--- a/sliding-sync/default.nix
+++ b/sliding-sync/default.nix
@@ -1,117 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-let
-  cfg = config.services.matrix-synapse.sliding-sync;
-in
-{
-  disabledModules = [ "services/matrix/matrix-sliding-sync.nix" ];
-
-  options.services.matrix-synapse.sliding-sync = {
-    enable = lib.mkEnableOption (lib.mdDoc "sliding sync");
-
-    package = lib.mkOption {
-      type = lib.types.package;
-      default = pkgs.callPackage ../pkgs/matrix-sliding-sync { };
-      description = "What package to use for the sliding-sync proxy.";
-    };
-
-    enableNginx = lib.mkEnableOption (lib.mdDoc "autogenerated nginx config");
-    publicBaseUrl = lib.mkOption {
-      type = lib.types.str;
-      description = "The domain where clients connect, only has an effect with enableNginx";
-      example = "slidingsync.matrix.org";
-    };
-
-    settings = lib.mkOption {
-      type = lib.types.submodule {
-        freeformType = with lib.types; attrsOf str;
-        options = {
-          SYNCV3_SERVER = lib.mkOption {
-            type = lib.types.str;
-            description = lib.mdDoc ''
-              The destination homeserver to talk to not including `/_matrix/` e.g `https://matrix.example.org`.
-            '';
-          };
-
-          SYNCV3_DB = lib.mkOption {
-            type = lib.types.str;
-            default = "postgresql:///matrix-sliding-sync?host=/run/postgresql";
-            description = lib.mdDoc ''
-              The postgres connection string.
-              Refer to <https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-CONNSTRING>.
-            '';
-          };
-
-          SYNCV3_BINDADDR = lib.mkOption {
-            type = lib.types.str;
-            default = "127.0.0.1:8009";
-            example = "[::]:8008";
-            description = lib.mdDoc "The interface and port to listen on.";
-          };
-
-          SYNCV3_LOG_LEVEL = lib.mkOption {
-            type = lib.types.enum [ "trace" "debug" "info" "warn" "error" "fatal" ];
-            default = "info";
-            description = lib.mdDoc "The level of verbosity for messages logged.";
-          };
-        };
-      };
-      default = { };
-      description = ''
-        Freeform environment variables passed to the sliding sync proxy.
-        Refer to <https://github.com/matrix-org/sliding-sync#setup> for all supported values.
-      '';
-    };
-
-    createDatabase = lib.mkOption {
-      type = lib.types.bool;
-      default = true;
-      description = lib.mdDoc ''
-        Whether to enable and configure `services.postgres` to ensure that the database user `matrix-sliding-sync`
-        and the database `matrix-sliding-sync` exist.
-      '';
-    };
-
-    environmentFile = lib.mkOption {
-      type = lib.types.str;
-      description = lib.mdDoc ''
-        Environment file as defined in {manpage}`systemd.exec(5)`.
-
-        This must contain the {env}`SYNCV3_SECRET` variable which should
-        be generated with {command}`openssl rand -hex 32`.
-      '';
-    };
-  };
-
-  config = lib.mkIf cfg.enable {
-    services.postgresql = lib.optionalAttrs cfg.createDatabase {
-      enable = true;
-      ensureDatabases = [ "matrix-sliding-sync" ];
-      ensureUsers = [ rec {
-        name = "matrix-sliding-sync";
-        ensurePermissions."DATABASE \"${name}\"" = "ALL PRIVILEGES";
-      } ];
-    };
-
-    systemd.services.matrix-sliding-sync = {
-      after = lib.optional cfg.createDatabase "postgresql.service";
-      wantedBy = [ "multi-user.target" ];
-      environment = cfg.settings;
-      serviceConfig = {
-        DynamicUser = true;
-        EnvironmentFile = cfg.environmentFile;
-        ExecStart = lib.getExe cfg.package;
-        StateDirectory = "matrix-sliding-sync";
-        WorkingDirectory = "%S/matrix-sliding-sync";
-      };
-    };
-
-    services.nginx.virtualHosts.${cfg.publicBaseUrl} = lib.mkIf cfg.enableNginx {
-      enableACME = true;
-      forceSSL = true;
-      locations."/" = {
-        proxyPass = lib.replaceStrings [ "0.0.0.0" "::" ] [ "127.0.0.1" "::1" ] "http://${cfg.settings.SYNCV3_BINDADDR}";
-      };
-    };
-  };
-}
--- a/synapse-module/default.nix
+++ b/synapse-module/default.nix
@@ -10,9 +10,23 @@ let
  wcfgText = "config.services.matrix-synapse-next.workers";

  format = pkgs.formats.yaml {};
-  matrix-synapse-common-config = format.generate "matrix-synapse-common-config.yaml" cfg.settings;
-  pluginsEnv = cfg.package.python.buildEnv.override {
-    extraLibs = cfg.plugins;
+  matrix-synapse-common-config = format.generate "matrix-synapse-common-config.yaml" (cfg.settings // {
+    listeners = map (lib.filterAttrsRecursive (_: v: v != null)) cfg.settings.listeners;
+  });
+
+  # TODO: Align better with the upstream module
+  wrapped = cfg.package.override { 
+    inherit (cfg) plugins;
+    extras = [
+      "postgres"
+      "oidc"
+      "systemd"
+      "url-preview"
+      "sentry"
+      "jwt"
+      "redis"
+      "cache-memory"
+    ];
  };

  inherit (lib)
@@ -33,7 +47,7 @@ in
  imports = [
    ./nginx.nix
    (import ./workers.nix {
-      inherit matrix-lib throw' format matrix-synapse-common-config pluginsEnv;
+      inherit matrix-lib throw' format matrix-synapse-common-config wrapped;
    })
  ];

@@ -65,6 +79,15 @@ in
      '';
    };

+    socketDir = mkOption {
+      type = types.path;
+      default = "/run/matrix-synapse";
+      description = ''
+        The directory where matrix-synapse by default stores the sockets of
+        all listeners that bind to UNIX sockets.
+      '';
+    };
+
    enableNginx = mkEnableOption "The synapse module managing nginx";

    public_baseurl = mkOption {
@@ -121,14 +144,42 @@ in
            type = types.listOf (types.submodule {
              options = {
                port = mkOption {
-                  type = types.port;
-                  description = "The TCP port to bind to";
+                  type = with types; nullOr types.port;
+                  default = null;
+                  description = ''
+                    The TCP port to bind to.
+
+                    ::: {.note}
+                      This option will be ignored if {option}`path` is set to a non-null value.
+                    :::
+                  '';
                  example = 8448;
                };

+                path = mkOption {
+                  type = with types; nullOr path;
+                  default = null;
+                  description = ''
+                    The UNIX socket to bind to.
+
+                    ::: {.note}
+                      This option will override {option}`bind_addresses` and {option}`port`
+                      if set to a non-null value.
+                    :::
+                  '';
+                  example = literalExpression ''''${${cfgText}.socketDir}/matrix-synapse.sock'';
+                };
+
                bind_addresses = mkOption {
                  type = types.listOf types.str;
-                  description = "A list of local addresses to listen on";
+                  default = [ ];
+                  description = ''
+                    A list of local addresses to listen on.
+
+                    ::: {.note}
+                      This option will be ignored if {option}`path` is set to a non-null value.
+                    :::
+                  '';
                };

                type = mkOption {
@@ -187,16 +238,14 @@ in
            # TODO: add defaultText
            default = [
              {
-                port = 8008;
-                bind_addresses = [ "127.0.0.1" ];
+                path = "${cfg.socketDir}/matrix-synapse.sock";
                resources = [
                  { names = [ "client" ]; compress = true; }
                  { names = [ "federation" ]; compress = false; }
                ];
              }
              (mkIf (wcfg.instances != { }) {
-                port = 9093;
-                bind_addresses = [ "127.0.0.1" ];
+                path = "${cfg.socketDir}/matrix-synapse-replication.sock";
                resources = [
                  {  names = [ "replication" ]; }
                ];
@@ -338,6 +387,15 @@ in
  };

  config = mkIf cfg.enable {
+    assertions = [ ]
+      ++ (map (l: {
+        assertion = l.path == null -> (l.bind_addresses != [ ] && l.port != null);
+        message = "Some listeners are missing either a socket path or a bind_address + port to listen on";
+      }) cfg.settings.listeners);
+
+    warnings = [ ] ++ lib.optional cfg.enableSlidingSync
+      "the option services.matrix-synapse-next.enableSlidingSync no longer has any effect (and is enabled by default)";
+
    users.users.matrix-synapse = {
      group = "matrix-synapse";
      home = cfg.dataDir;
@@ -376,39 +434,24 @@ in
          };
        in "${cfg.package}/bin/synapse_homeserver ${flags}";

-        environment.PYTHONPATH =
-          lib.makeSearchPathOutput "lib" cfg.package.python.sitePackages [ pluginsEnv ];
-
        serviceConfig = {
          Type = "notify";
          User = "matrix-synapse";
          Group = "matrix-synapse";
          Slice = "system-matrix-synapse.slice";
          WorkingDirectory = cfg.dataDir;
+          StateDirectory = "matrix-synapse";
+          RuntimeDirectory = "matrix-synapse";
          ExecStart = let
            flags = lib.cli.toGNUCommandLineShell {} {
              config-path = [ matrix-synapse-common-config ] ++ cfg.extraConfigFiles;
              keys-directory = cfg.dataDir;
            };
-          in "${cfg.package}/bin/synapse_homeserver ${flags}";
+          in "${wrapped}/bin/synapse_homeserver ${flags}";
          ExecReload = "${pkgs.utillinux}/bin/kill -HUP $MAINPID";
          Restart = "on-failure";
        };
      };
    };
-
-    services.matrix-synapse-next.settings.extra_well_known_client_content."org.matrix.msc3575.proxy" = mkIf cfg.enableSlidingSync {
-      url = "https://${config.services.matrix-synapse.sliding-sync.publicBaseUrl}";
-    };
-    services.matrix-synapse.sliding-sync = mkIf cfg.enableSlidingSync {
-      enable = true;
-      enableNginx = lib.mkDefault cfg.enableNginx;
-      publicBaseUrl = lib.mkDefault "slidingsync.${cfg.settings.server_name}";
-
-      settings = {
-        SYNCV3_SERVER = lib.mkDefault "https://${cfg.public_baseurl}";
-        SYNCV3_PROM = lib.mkIf cfg.settings.enable_metrics (lib.mkDefault "127.0.0.1:9001");
-      };
-    };
  };
 }
--- a/synapse-module/nginx.nix
+++ b/synapse-module/nginx.nix
@@ -2,13 +2,10 @@
 let
  cfg = config.services.matrix-synapse-next;

-  getWorkersOfType = type: lib.filterAttrs (_: w: w.type == type) cfg.workers.instances;
-  isListenerType = type: listener: lib.lists.any (r: lib.lists.any (n: n == type) r.names) listener.resources;
-  firstListenerOfType = type: worker: lib.lists.findFirst (isListenerType type) (throw "No federation endpoint on receiver") worker.settings.worker_listeners;
-  wAddressOfType = type: w: lib.lists.findFirst (_: true) (throw "No address in receiver") (firstListenerOfType type w).bind_addresses;
-  wPortOfType = type: w: (firstListenerOfType type w).port;
-  wSocketAddressOfType = type: w: "${wAddressOfType type w}:${builtins.toString (wPortOfType type w)}";
-  generateSocketAddresses = type: workers: lib.mapAttrsToList (_: w: "${wSocketAddressOfType type w}") workers;
+  matrix-lib = (import ../lib.nix { inherit lib; });
+
+  workerUpstreams = matrix-lib.mapWorkersToUpstreamsByType cfg.workers.instances;
+  listenerUpstreams = matrix-lib.mapListenersToUpstreamsByType cfg.settings.listeners;
 in
 {
  config = lib.mkIf cfg.enableNginx {
@@ -138,24 +135,17 @@ in
    '';

    services.nginx.upstreams.synapse_master.servers = let
-      isMainListener = l: isListenerType "client" l && isListenerType "federation" l;
-      firstMainListener = lib.findFirst isMainListener
-        (throw "No catch-all listener configured") cfg.settings.listeners;
-        address = lib.findFirst (_: true) (throw "No address in main listener") firstMainListener.bind_addresses;
-        port = firstMainListener.port;
-        socketAddress = "${address}:${builtins.toString port}";
-    in {
-      "${socketAddress}" = { };
-    };
+      mainListeners = builtins.intersectAttrs
+        (listenerUpstreams.client.http or { })
+        (listenerUpstreams.federation.http or { });
+    in
+      assert lib.assertMsg (mainListeners != { })
+        "No catch-all listener configured, or listener is not bound to an address";
+        mainListeners;


    services.nginx.upstreams.synapse_worker_federation = {
-      servers = let
-        fedReceivers = getWorkersOfType "fed-receiver";
-        socketAddresses = generateSocketAddresses "federation" fedReceivers;
-        in if fedReceivers != { } then
-          lib.genAttrs socketAddresses (_: { })
-      else config.services.nginx.upstreams.synapse_master.servers;
+      servers = workerUpstreams.fed-receiver.federation.http or config.services.nginx.upstreams.synapse_master.servers;
      extraConfig = ''
        ip_hash;
      '';
@@ -163,12 +153,7 @@ in


    services.nginx.upstreams.synapse_worker_initial_sync = {
-      servers = let
-        initialSyncers = getWorkersOfType "initial-sync";
-        socketAddresses = generateSocketAddresses "client" initialSyncers;
-      in if initialSyncers != { } then
-        lib.genAttrs socketAddresses (_: { })
-      else config.services.nginx.upstreams.synapse_master.servers;
+      servers = workerUpstreams.initial-sync.client.http or config.services.nginx.upstreams.synapse_master.servers;
      extraConfig = ''
        hash $mxid_localpart consistent;
      '';
@@ -176,12 +161,7 @@ in


    services.nginx.upstreams.synapse_worker_normal_sync = {
-      servers = let
-        normalSyncers = getWorkersOfType "normal-sync";
-        socketAddresses = generateSocketAddresses "client" normalSyncers;
-      in if normalSyncers != { } then
-        lib.genAttrs socketAddresses (_: { })
-      else config.services.nginx.upstreams.synapse_master.servers;
+      servers = workerUpstreams.normal-sync.client.http or config.services.nginx.upstreams.synapse_master.servers;
      extraConfig = ''
        hash $mxid_localpart consistent;
      '';
@@ -189,12 +169,7 @@ in


    services.nginx.upstreams.synapse_worker_user-dir = {
-      servers = let
-        workers = getWorkersOfType "user-dir";
-        socketAddresses = generateSocketAddresses "client" workers;
-      in if workers != { } then
-        lib.genAttrs socketAddresses (_: { })
-      else config.services.nginx.upstreams.synapse_master.servers;
+      servers = workerUpstreams.user-dir.client.http or config.services.nginx.upstreams.synapse_master.servers;
    };

    services.nginx.virtualHosts."${cfg.public_baseurl}" = {
--- a/synapse-module/workers.nix
+++ b/synapse-module/workers.nix
@@ -1,6 +1,6 @@
 { matrix-synapse-common-config,
  matrix-lib,
-  pluginsEnv,
+  wrapped,
  throw',
  format
 }:
@@ -19,7 +19,6 @@
    type = types.ints.unsigned;
    description = "How many automatically configured ${workerType} workers to set up";
    default = 0;
-    example = 1;
  };

  genAttrs' = items: f: g: builtins.listToAttrs (map (i: lib.nameValuePair (f i) (g i)) items);
@@ -34,25 +33,11 @@ in {
          type = types.bool;
          internal = true;
          default = false;
-          description = ''
-            This is an internal flag that signals that this worker is part of the
-            workers generated by either of the following:
-
-            - federationSenders
-            - federationReceivers
-            - initialSyncers
-            - normalSyncers
-            - eventPersisters
-            - useUserDirectoryWorker
-          '';
        };

        index = mkOption {
          internal = true;
          type = types.ints.positive;
-          description = ''
-            This is an internal variable that indexes the worker of this type.
-          '';
        };

        # The custom string type here is mainly for the name to use
@@ -100,25 +85,24 @@ in {
          default = "http";
        };

-        path = mkOption {
-          type = types.path;
-          default = instanceCfg.name;
-          description = ''
-            A path and filename for a Unix socket.
-          '';
+        port = mkOption {
+          type = with types; nullOr port;
+          default = null;
+          description = "The TCP port to bind to";
        };

-        # port = mkOption {
-        #   type = types.port;
-        #   description = "The TCP port to bind to";
-        # };
+        path = mkOption {
+          type = with types; nullOr path;
+          default = null;
+          description = "The UNIX socket to bind to";
+        };

-        # bind_addresses = mkOption {
-        #   type = with types; listOf str;
-        #   description = "A list of local addresses to listen on";
-        #   default = [ wcfg.defaultListenerAddress ];
-        #   defaultText = literalExpression "[ ${wcfgText}.defaultListenerAddress ]";
-        # };
+        bind_addresses = mkOption {
+          type = with types; listOf str;
+          description = "A list of local addresses to listen on";
+          default = [ wcfg.defaultListenerAddress ];
+          defaultText = literalExpression "[ ${wcfgText}.defaultListenerAddress ]";
+        };

        tls = mkOption {
          type = types.bool;
@@ -183,6 +167,52 @@ in {
      };
    };
  in {
+    mainReplicationHost = mkOption {
+      type = with types; nullOr str;
+      default = let
+        host = (matrix-lib.connectionInfo mainReplicationListener).host;
+      in
+        # To avoid connecting to 0.0.0.0 and so on
+        if builtins.elem host [ "0.0.0.0" "::" ]
+          then "127.0.0.1"
+          else host;
+      # TODO: add defaultText
+      description = "Host of the main synapse instance's replication listener";
+    };
+
+    mainReplicationPort = mkOption {
+      type = with types; nullOr port;
+      default = mainReplicationListener.port;
+      # TODO: add defaultText
+      description = "Port for the main synapse instance's replication listener";
+    };
+
+    mainReplicationPath = mkOption {
+      type = with types; nullOr path;
+      default = mainReplicationListener.path;
+      # TODO: add defaultText
+      description = "Path to the UNIX socket of the main synapse instance's replication listener";
+    };
+
+    defaultListenerAddress = mkOption {
+      type = types.str;
+      default = "127.0.0.1";
+      description = "The default listener address for the worker";
+    };
+
+    workersUsePath = mkOption {
+      type = types.bool;
+      description = "Whether to enable UNIX sockets for all automatically generated workers";
+      default = true;
+      example = false;
+    };
+
+    workerStartingPort = mkOption {
+      type = types.port;
+      description = "What port should the automatically configured workers start enumerating from";
+      default = 8083;
+    };
+
    enableMetrics = mkOption {
      type = types.bool;
      default = cfg.settings.enable_metrics;
@@ -190,6 +220,12 @@ in {
      # TODO: add description
    };

+    metricsStartingPort = mkOption {
+      type = types.port;
+      default = 18083;
+      # TODO: add description
+    };
+
    federationSenders = mkWorkerCountOption "federation-sender";
    federationReceivers = mkWorkerCountOption "federation-reciever";
    initialSyncers = mkWorkerCountOption "initial-syncer";
@@ -203,14 +239,13 @@ in {
      default = { };
      description = "Worker configuration";
      example = {
-        "federation-sender-1" = {
+        "federation_sender1" = {
          settings = {
-            worker_name = "federation-sender-1";
+            worker_name = "federation_sender1";
            worker_app = "synapse.app.generic_worker";

-            path = "/run/matrix-synapse/federation-sender-1.sock";
-            # worker_replication_host = "127.0.0.1";
-            # worker_replication_http_port = 9093;
+            worker_replication_host = "127.0.0.1";
+            worker_replication_http_port = 9093;
            worker_listeners = [ ];
          };
        };
@@ -218,87 +253,135 @@ in {
    };
  };

-  config = let 
-    genList1 = f: builtins.genList (i: f (i + 1));
-  in {
+  config = {
+    assertions = [ ]
+      ++ (lib.concatMap (worker:
+        (map (l: {
+          assertion = l.path == null -> (l.bind_addresses != [ ] && l.port != null);
+          message = "At least one worker listener is missing either a socket path or a bind_address + port to listen on";
+        }) worker.settings.worker_listeners)
+      ) (lib.attrValues wcfg.instances));
+
    services.matrix-synapse-next.settings = {
      federation_sender_instances =
-        genList1 (i: "auto-fed-sender-${toString i}") wcfg.federationSenders;
+        lib.genList (i: "auto-fed-sender${toString (i + 1)}") wcfg.federationSenders;

-      instance_map = lib.mkIf (cfg.workers.instances != { }) ({
-        main.path = "/run/matrix-synapse/main-replication-worker.sock";
-      } // builtins.mapAttrs (n: v: {
-        inherit (builtins.head v.settings.worker_listeners) path;
-      }) wcfg.instances);
+      instance_map = (lib.mkIf (cfg.workers.instances != { }) ({
+        main = if wcfg.mainReplicationPath != null then {
+          path = wcfg.mainReplicationPath;
+        } else {
+          host = wcfg.mainReplicationHost;
+          port = wcfg.mainReplicationPort;
+        };
+      } // genAttrs' (lib.lists.range 1 wcfg.eventPersisters)
+        (i: "auto-event-persist${toString i}")
+        (i: let
+          wRL = matrix-lib.firstListenerOfType "replication" wcfg.instances."auto-event-persist${toString i}".settings.worker_listeners;
+        in if wRL.path != null then {
+          inherit (wRL) path;
+        } else matrix-lib.connectionInfo wRL)));

      stream_writers.events =
        mkIf (wcfg.eventPersisters > 0)
-          (genList1 (i: "auto-event-persist-${toString i}") wcfg.eventPersisters); 
+        (lib.genList (i: "auto-event-persist${toString (i + 1)}") wcfg.eventPersisters); 

      update_user_directory_from_worker =
-        mkIf wcfg.useUserDirectoryWorker "auto-user-dir-1";
+        mkIf wcfg.useUserDirectoryWorker "auto-user-dir";
    };

-    services.matrix-synapse-next.workers.instances =
-      let
-        workerInstances = {
-          "fed-sender" = wcfg.federationSenders;
-          "fed-receiver" = wcfg.federationReceivers;
-          "initial-sync" = wcfg.initialSyncers;
-          "normal-sync" = wcfg.normalSyncers;
-          "event-persist" = wcfg.eventPersisters;
-          "user-dir" = if wcfg.useUserDirectoryWorker then 1 else 0;
+    services.matrix-synapse-next.workers.instances = let
+      sum = lib.foldl lib.add 0;
+      workerListenersWithMetrics = portOffset: name:
+        [(if wcfg.workersUsePath
+          then {
+            path = "${cfg.socketDir}/matrix-synapse-worker-${name}.sock";
+          }
+          else {
+            port = wcfg.workerStartingPort + portOffset - 1;
+          }
+        )]
+        ++ lib.optional wcfg.enableMetrics {
+          port = wcfg.metricsStartingPort + portOffset;
+          resources = [ { names = [ "metrics" ]; } ];
        };
-      in
-        lib.pipe workerInstances [
-          (lib.mapAttrsToList (type: count: { inherit type count; }))
-          (map ({ type, count }: genList1 (i: rec {
-            name = "auto-${type}-${toString i}";
-            value = {
-              inherit type;
-              isAuto = true;
-              index = i;
-              settings.worker_listeners =
-                [
-                  { path = "/run/matrix-synapse/${name}.sock"; }
-                ] ++ lib.optionals wcfg.enableMetrics [{
-                  path = "/run/matrix-synapse/${name}-metrics.sock";
-                  resources = [{ names = [ "metrics" ]; }];
-                  type = "metrics";
-                }];
-            };
-          }) count))
-          lib.flatten
-          builtins.listToAttrs
-        ];
+
+      makeWorkerInstances = {
+        type,
+        numberOfWorkers,
+        portOffset ? 0,
+        nameFn ? i: "auto-${type}${toString i}",
+        workerListenerFn ? i: name: workerListenersWithMetrics (portOffset + i) name
+      }: genAttrs'
+        (lib.lists.range 1 numberOfWorkers)
+        nameFn
+        (i: {
+          isAuto = true;
+          inherit type;
+          index = i;
+          settings.worker_listeners = workerListenerFn i (nameFn i);
+        });
+
+      workerInstances = {
+        "fed-sender" = wcfg.federationSenders;
+        "fed-receiver" = wcfg.federationReceivers;
+        "initial-sync" = wcfg.initialSyncers;
+        "normal-sync" = wcfg.normalSyncers;
+        "event-persist" = wcfg.eventPersisters;
+      } // (lib.optionalAttrs wcfg.useUserDirectoryWorker {
+        "user-dir" = {
+          numberOfWorkers = 1;
+          nameFn = _: "auto-user-dir";
+        };
+      });
+
+      coerceWorker = { name, value }: if builtins.isInt value then {
+        type = name;
+        numberOfWorkers = value;
+      } else { type = name; } // value;
+
+      # Like foldl, but keeps all intermediate values
+      #
+      # (b -> a -> b) -> b -> [a] -> [b]
+      scanl = f: x1: list: let
+        x2 = lib.head list;
+        x1' = f x1 x2;
+      in if list == [] then [] else [x1'] ++ (scanl f x1' (lib.tail list));
+
+      f = { portOffset, numberOfWorkers, ... }: x: x // { portOffset = portOffset + numberOfWorkers; };
+      init = { portOffset = 0; numberOfWorkers = 0; };
+    in lib.pipe workerInstances [
+      (lib.mapAttrsToList lib.nameValuePair)
+      (map coerceWorker)
+      (scanl f init)
+      (map makeWorkerInstances)
+      mkMerge
+    ];

    systemd.services = let
      workerList = lib.mapAttrsToList lib.nameValuePair wcfg.instances;
-      workerConfig = worker: format.generate "matrix-synapse-worker-${worker.name}-config.yaml"
-        (worker.value.settings // { worker_name = worker.name; });
+      workerConfig = worker:
+        format.generate "matrix-synapse-worker-${worker.name}-config.yaml"
+        (worker.value.settings // {
+          worker_name = worker.name;
+          worker_listeners =
+            map (lib.filterAttrsRecursive (_: v: v != null)) worker.value.settings.worker_listeners;
+        });
    in builtins.listToAttrs (lib.flip map workerList (worker: {
      name = "matrix-synapse-worker-${worker.name}";
      value = {
-        documentation = [ "https://github.com/matrix-org/synapse/blob/develop/docs/workers.md" ];
        description = "Synapse Matrix Worker";
        partOf = [ "matrix-synapse.target" ];
        wantedBy = [ "matrix-synapse.target" ];
        after = [ "matrix-synapse.service" ];
        requires = [ "matrix-synapse.service" ];
-        restartTriggers = [ matrix-synapse-common-config (workerConfig worker) ] ++ cfg.extraConfigFiles;
-        environment = {
-          PYTHONPATH = lib.makeSearchPathOutput "lib" cfg.package.python.sitePackages [
-            pluginsEnv
-          ];
-        };
        serviceConfig = {
-          Restart = "always";
          Type = "notify";
          User = "matrix-synapse";
          Group = "matrix-synapse";
          Slice = "system-matrix-synapse.slice";
          WorkingDirectory = cfg.dataDir;
-          RuntimeDirectory = [ "matrix-synapse" ];
+          RuntimeDirectory = "matrix-synapse";
+          StateDirectory = "matrix-synapse";
          ExecStartPre = pkgs.writers.writeBash "wait-for-synapse" ''
            # From https://md.darmstadt.ccc.de/synapse-at-work
            while ! systemctl is-active -q matrix-synapse.service; do
@@ -310,7 +393,7 @@ in {
              config-path = [ matrix-synapse-common-config (workerConfig worker) ] ++ cfg.extraConfigFiles;
              keys-directory = cfg.dataDir;
            };
-          in "${cfg.package}/bin/synapse_worker ${flags}";
+          in "${wrapped}/bin/synapse_worker ${flags}";
        };
      };
    }));
--- a/tests/auto-workers-config.nix
+++ b/tests/auto-workers-config.nix
@@ -1,18 +0,0 @@
-{ pkgs, lib, ... }:
-{
-  services.matrix-synapse-next = {
-    enable = true;
-    settings.server_name = "matrix.example.com";
-
-    workers = {
-      enableMetrics = true;
-
-      federationSenders = 2;
-      federationReceivers = 2;
-      initialSyncers = 2;
-      normalSyncers = 2;
-      eventPersisters = 2;
-      useUserDirectoryWorker = true;
-    };
-  };
-}
--- a/tests/base-config.nix
+++ b/tests/base-config.nix
@@ -1,7 +0,0 @@
-{ pkgs, lib, ... }:
-{
-  services.matrix-synapse-next = {
-    enable = true;
-    settings.server_name = "matrix.example.com";
-  };
-}
--- a/tests/default.nix
+++ b/tests/default.nix
@@ -1,16 +1,4 @@
-{ nixpkgs, pkgs, system ? pkgs.system, nixosModule, ... }: let
-  buildSystemWithConfig = configPath: (nixpkgs.lib.nixosSystem {
-    inherit system;
-    modules = [
-      nixosModule
-      configPath
-      {
-        boot.isContainer = true;
-      }
-    ];
-  }).config.system.build.toplevel;
-in {
-  a = pkgs.writeText "hello-world" ''a'';
-  base-config = buildSystemWithConfig ./base-config.nix;
-  auto-workers-config = buildSystemWithConfig ./auto-workers-config.nix;
+{ nixpkgs, pkgs, matrix-lib, ... }:
+{
+  nginx-pipeline = pkgs.callPackage ./nginx-pipeline { inherit nixpkgs matrix-lib; };
 }
--- a/tests/nginx-pipeline/default.nix
+++ b/tests/nginx-pipeline/default.nix
@@ -0,0 +1,53 @@
+{ nixpkgs, lib, matrix-lib, writeText, ... }:
+let
+  nixosConfig = nixpkgs.lib.nixosSystem {
+    system = "x86_64-linux";
+    modules = [
+      ../../module.nix
+      {
+        system.stateVersion = "23.11";
+        boot.isContainer = true;
+        services.matrix-synapse-next = {
+          enable = true;
+          enableNginx = true;
+
+          workers = {
+            enableMetrics = true;
+
+            federationSenders = 3;
+            federationReceivers = 3;
+            initialSyncers = 1;
+            normalSyncers = 1;
+            eventPersisters = 1;
+            useUserDirectoryWorker = true;
+
+            instances.auto-fed-receiver1.settings.worker_listeners = [
+              {
+                bind_addresses = [
+                  "127.0.0.2"
+                ];
+                port = 1337;
+                resources = [
+                  { compress = false;
+                    names = [ "federation" ];
+                  }
+                ];
+              }
+            ];
+          };
+
+          settings.server_name = "example.com";
+        };
+      }
+    ];
+  };
+
+  inherit (nixosConfig.config.services.matrix-synapse-next.workers) instances;
+in
+  writeText "matrix-synapse-next-nginx-pipeline-test.txt" ''
+    ${(lib.generators.toPretty {}) instances}
+
+    ====================================================
+
+    ${(lib.generators.toPretty {}) (matrix-lib.mapWorkersToUpstreamsByType instances)}
+  ''
Author	SHA1	Message	Date
Daniel Løvbrøtte Olsen	25b9f31ef1	Update MIGRATIONS.MD for version 0.8.0 changes Added migration notes for version 0.8.0 regarding saml2 deprecation and its alternatives.	2025-12-04 11:28:15 +01:00
Daniel Løvbrøtte Olsen	19c690bb4f	Remove 'saml2' from extras as it is broken	2025-12-01 01:10:31 +01:00
Daniel Løvbrøtte Olsen	099db715d1	synapse: Remove removed extra feature	2025-07-22 22:35:55 +02:00
Daniel Olsen	da9dc0479f	sliding-sync: remove	2025-01-02 23:34:05 +01:00
Daniel Olsen	ff787d410c	Add documentation for new sliding-sync setup and upgrade info	2024-09-27 06:21:37 +02:00
Daniel Olsen	f8843835e2	sliding-sync: deprecate	2024-09-27 06:09:23 +02:00
Daniel Løvbrøtte Olsen	f4e20d0360	Update README.MD	2024-08-29 10:32:38 +02:00
Daniel Olsen	d7dc42c9bb	sliding-sync: make enableAcme lib.mkDefault to match synapse	2024-06-01 11:39:05 +02:00
Daniel Olsen	61b366f5f6	migrate to ensureDBOwnership	2024-06-01 11:11:14 +02:00
Daniel Olsen	6c9b67974b	fix generating multiple upstreams of same type	2024-03-13 07:39:59 +01:00
Daniel Løvbrøtte Olsen	19b85a2562	Merge pull request #7 from dali99/refactor-nginx-upstream-generation refactor nginx upstream generation, add support for unix sockets	2024-03-13 06:23:07 +01:00
Daniel Olsen	d48997cfb4	generate only one upstream per worker	2024-03-13 06:22:24 +01:00
h7x4	b8d7c76a7e	treewide: add support for unix sockets	2024-01-27 07:52:26 +01:00
h7x4	19d50fae63	nginx-pipeline: add basic test	2024-01-27 07:52:26 +01:00
h7x4	18d3b34406	nginx: refactor upstream generation	2024-01-27 07:52:25 +01:00
h7x4	85804fce8d	lib: fix bug where `lib.throw` does not exist	2024-01-27 07:40:40 +01:00
Daniel Olsen	046194cdad	v0.5.0 This is mostly a maintainance release to be compatible with nixos-23.11 but comes with some small improvements as well	2023-12-02 09:58:52 +01:00
Daniel Olsen	3f92b5f197	use nixpkgs sliding sync package	2023-12-02 09:49:03 +01:00
Daniel Olsen	a24a5e5da4	update to 23.11	2023-12-02 09:44:45 +01:00