diff --git a/nixos/doc/manual/configuration/configuration.xml b/nixos/doc/manual/configuration/configuration.xml
index 5961209bc13ac..507d28814ead3 100644
--- a/nixos/doc/manual/configuration/configuration.xml
+++ b/nixos/doc/manual/configuration/configuration.xml
@@ -21,7 +21,6 @@
-
diff --git a/nixos/doc/manual/release-notes/rl-2003.xml b/nixos/doc/manual/release-notes/rl-2003.xml
index b629c460f4cdd..20f232c9110e7 100644
--- a/nixos/doc/manual/release-notes/rl-2003.xml
+++ b/nixos/doc/manual/release-notes/rl-2003.xml
@@ -712,6 +712,55 @@ auth required pam_succeed_if.so uid >= 1000 quiet
For further reference, please read #68953 or the corresponding discourse thread.
+
+
+ The matrix-synapse-package has been updated to
+ v1.11.1.
+ Due to stricter requirements
+ for database configuration when using postgresql, the automated database setup
+ of the module has been removed to avoid any further edge-cases.
+
+
+ matrix-synapse expects postgresql-databases to have the options
+ LC_COLLATE and LC_CTYPE set to
+ 'C' which basically
+ instructs postgresql to ignore any locale-based preferences.
+
+
+ Depending on your setup, you need to incorporate one of the following changes in your setup to
+ upgrade to 20.03:
+
+ If you use sqlite3 you don't need to do anything.
+ If you use postgresql on a different server, you don't need
+ to change anything as well since this module was never designed to configure remote databases.
+
+ If you use postgresql and configured your synapse initially on
+ 19.09 or older, you simply need to enable postgresql-support
+ explicitly:
+{ ... }: {
+ services.matrix-synapse = {
+ enable = true;
+ /* and all the other config you've defined here */
+ };
+ services.postgresql.enable = true;
+}
+
+ If you deploy a fresh matrix-synapse, you need to configure
+ the database yourself (e.g. by using the
+ services.postgresql.initialScript
+ option). An example for this can be found in the
+ documentation of the Matrix module.
+
+ If you initially deployed your matrix-synapse on
+ nixos-unstableafter the 19.09-release,
+ your database is misconfigured due to a regression in NixOS. For now, matrix-synapse will
+ startup with a warning, but it's recommended to reconfigure the database to set the values
+ LC_COLLATE and LC_CTYPE to
+ 'C'.
+
+
+
+
diff --git a/nixos/modules/services/misc/matrix-synapse.nix b/nixos/modules/services/misc/matrix-synapse.nix
index 750f4a292fb4a..d02fa13bb99c2 100644
--- a/nixos/modules/services/misc/matrix-synapse.nix
+++ b/nixos/modules/services/misc/matrix-synapse.nix
@@ -111,6 +111,9 @@ app_service_config_files: ${builtins.toJSON cfg.app_service_config_files}
${cfg.extraConfig}
'';
+
+ hasLocalPostgresDB = let args = cfg.database_args; in
+ usePostgresql && (!(args ? host) || (elem args.host [ "localhost" "127.0.0.1" "::1" ]));
in {
options = {
services.matrix-synapse = {
@@ -354,13 +357,6 @@ in {
The database engine name. Can be sqlite or psycopg2.
'';
};
- create_local_database = mkOption {
- type = types.bool;
- default = true;
- description = ''
- Whether to create a local database automatically.
- '';
- };
database_name = mkOption {
type = types.str;
default = "matrix-synapse";
@@ -657,6 +653,25 @@ in {
};
config = mkIf cfg.enable {
+ assertions = [
+ { assertion = hasLocalPostgresDB -> config.services.postgresql.enable;
+ message = ''
+ Cannot deploy matrix-synapse with a configuration for a local postgresql database
+ and a missing postgresql service. Since 20.03 it's mandatory to manually configure the
+ database (please read the thread in https://github.com/NixOS/nixpkgs/pull/80447 for
+ further reference).
+
+ If you
+ - try to deploy a fresh synapse, you need to configure the database yourself. An example
+ for this can be found in
+ - update your existing matrix-synapse instance, you simply need to add `services.postgresql.enable = true`
+ to your configuration.
+
+ For further information about this update, please read the release-notes of 20.03 carefully.
+ '';
+ }
+ ];
+
users.users.matrix-synapse = {
group = "matrix-synapse";
home = cfg.dataDir;
@@ -669,18 +684,9 @@ in {
gid = config.ids.gids.matrix-synapse;
};
- services.postgresql = mkIf (usePostgresql && cfg.create_local_database) {
- enable = mkDefault true;
- ensureDatabases = [ cfg.database_name ];
- ensureUsers = [{
- name = cfg.database_user;
- ensurePermissions = { "DATABASE \"${cfg.database_name}\"" = "ALL PRIVILEGES"; };
- }];
- };
-
systemd.services.matrix-synapse = {
description = "Synapse Matrix homeserver";
- after = [ "network.target" ] ++ lib.optional config.services.postgresql.enable "postgresql.service" ;
+ after = [ "network.target" ] ++ optional hasLocalPostgresDB "postgresql.service";
wantedBy = [ "multi-user.target" ];
preStart = ''
${cfg.package}/bin/homeserver \
@@ -709,6 +715,12 @@ in {
The `trusted_third_party_id_servers` option as been removed in `matrix-synapse` v1.4.0
as the behavior is now obsolete.
'')
+ (mkRemovedOptionModule [ "services" "matrix-synapse" "create_local_database" ] ''
+ Database configuration must be done manually. An exemplary setup is demonstrated in
+
+ '')
];
+ meta.doc = ./matrix-synapse.xml;
+
}
diff --git a/nixos/doc/manual/configuration/matrix.xml b/nixos/modules/services/misc/matrix-synapse.xml
similarity index 61%
rename from nixos/doc/manual/configuration/matrix.xml
rename to nixos/modules/services/misc/matrix-synapse.xml
index ef8d5cbda8895..053a3b2a563fc 100644
--- a/nixos/doc/manual/configuration/matrix.xml
+++ b/nixos/modules/services/misc/matrix-synapse.xml
@@ -40,26 +40,35 @@ let
in join config.networking.hostName config.networking.domain;
in {
networking = {
- hostName = "myhostname";
- domain = "example.org";
+ hostName = "myhostname";
+ domain = "example.org";
};
- networking.firewall.allowedTCPPorts = [ 80 443 ];
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+ services.postgresql.enable = true;
+ services.postgresql.initialScript = ''
+ CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';
+ CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
+ TEMPLATE template0
+ LC_COLLATE = "C"
+ LC_CTYPE = "C";
+ '';
services.nginx = {
- enable = true;
+ enable = true;
# only recommendedProxySettings and recommendedGzipSettings are strictly required,
# but the rest make sense as well
- recommendedTlsSettings = true;
- recommendedOptimisation = true;
- recommendedGzipSettings = true;
- recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+ recommendedOptimisation = true;
+ recommendedGzipSettings = true;
+ recommendedProxySettings = true;
- virtualHosts = {
+ virtualHosts = {
# This host section can be placed on a different host than the rest,
# i.e. to delegate from the host being accessible as ${config.networking.domain}
# to another host actually running the Matrix homeserver.
"${config.networking.domain}" = {
- locations."= /.well-known/matrix/server".extraConfig =
+ locations."= /.well-known/matrix/server".extraConfig =
let
# use 443 instead of the default 8448 port to unite
# the client-server and server-server port for simplicity
@@ -68,7 +77,7 @@ in {
add_header Content-Type application/json;
return 200 '${builtins.toJSON server}';
'';
- locations."= /.well-known/matrix/client".extraConfig =
+ locations."= /.well-known/matrix/client".extraConfig =
let
client = {
"m.homeserver" = { "base_url" = "https://${fqdn}"; };
@@ -84,34 +93,37 @@ in {
# Reverse proxy for Matrix client-server and server-server communication
${fqdn} = {
- enableACME = true;
- forceSSL = true;
+ enableACME = true;
+ forceSSL = true;
# Or do a redirect instead of the 404, or whatever is appropriate for you.
# But do not put a Matrix Web client here! See the Riot Web section below.
- locations."/".extraConfig = ''
+ locations."/".extraConfig = ''
return 404;
'';
# forward all Matrix API calls to the synapse Matrix homeserver
locations."/_matrix" = {
- proxyPass = "http://[::1]:8008"; # without a trailing /
+ proxyPass = "http://[::1]:8008"; # without a trailing /
};
};
};
};
services.matrix-synapse = {
- enable = true;
- server_name = config.networking.domain;
- listeners = [
+ enable = true;
+ server_name = config.networking.domain;
+ listeners = [
{
- port = 8008;
- bind_address = "::1";
- type = "http";
- tls = false;
- x_forwarded = true;
- resources = [
- { names = [ "client" "federation" ]; compress = false; }
+ port = 8008;
+ bind_address = "::1";
+ type = "http";
+ tls = false;
+ x_forwarded = true;
+ resources = [
+ {
+ names = [ "client" "federation" ];
+ compress = false;
+ }
];
}
];
@@ -135,10 +147,10 @@ in {
If you want to run a server with public registration by anybody, you can
- then enable . Otherwise, or you can generate a registration secret with
+ then enable services.matrix-synapse.enable_registration =
+ true;. Otherwise, or you can generate a registration secret with
pwgen -s 64 1 and set it with
- . To
+ . To
create a new user or admin, run the following after you have set the secret
and have rebuilt NixOS:
@@ -154,8 +166,8 @@ Success!
@your-username:example.org. Note that the registration
secret ends up in the nix store and therefore is world-readable by any user
on your machine, so it makes sense to only temporarily activate the
- option until a better solution
- for NixOS is in place.
+ registration_shared_secret
+ option until a better solution for NixOS is in place.
@@ -177,15 +189,24 @@ Success!
Matrix Now! for a list of existing clients and their supported
featureset.
-services.nginx.virtualHosts."riot.${fqdn}" = {
- enableACME = true;
- forceSSL = true;
- serverAliases = [
- "riot.${config.networking.domain}"
- ];
+{
+ services.nginx.virtualHosts."riot.${fqdn}" = {
+ enableACME = true;
+ forceSSL = true;
+ serverAliases = [
+ "riot.${config.networking.domain}"
+ ];
- root = pkgs.riot-web;
-};
+ root = pkgs.riot-web.override {
+ conf = {
+ default_server_config."m.homeserver" = {
+ "base_url" = "${config.networking.domain}";
+ "server_name" = "${fqdn}";
+ };
+ };
+ };
+ };
+}
diff --git a/nixos/tests/matrix-synapse.nix b/nixos/tests/matrix-synapse.nix
index fca53009083a4..f3623aa3c094d 100644
--- a/nixos/tests/matrix-synapse.nix
+++ b/nixos/tests/matrix-synapse.nix
@@ -35,12 +35,31 @@ in {
nodes = {
# Since 0.33.0, matrix-synapse doesn't allow underscores in server names
- serverpostgres = args: {
+ serverpostgres = { pkgs, ... }: {
services.matrix-synapse = {
enable = true;
database_type = "psycopg2";
tls_certificate_path = "${cert}";
tls_private_key_path = "${key}";
+ database_args = {
+ password = "synapse";
+ };
+ };
+ services.postgresql = {
+ enable = true;
+
+ # The database name and user are configured by the following options:
+ # - services.matrix-synapse.database_name
+ # - services.matrix-synapse.database_user
+ #
+ # The values used here represent the default values of the module.
+ initialScript = pkgs.writeText "synapse-init.sql" ''
+ CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';
+ CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
+ TEMPLATE template0
+ LC_COLLATE = "C"
+ LC_CTYPE = "C";
+ '';
};
};
diff --git a/pkgs/development/python-modules/signedjson/default.nix b/pkgs/development/python-modules/signedjson/default.nix
index 33a615fefd464..1214730dad879 100644
--- a/pkgs/development/python-modules/signedjson/default.nix
+++ b/pkgs/development/python-modules/signedjson/default.nix
@@ -4,19 +4,20 @@
, canonicaljson
, unpaddedbase64
, pynacl
+, typing-extensions
}:
buildPythonPackage rec {
pname = "signedjson";
- version = "1.0.0";
+ version = "1.1.0";
src = fetchgit {
url = "https://github.com/matrix-org/python-signedjson.git";
rev = "refs/tags/v${version}";
- sha256 = "0b8xxhc3npd4567kqapfp4gs7m0h057xam3an7424az262ind82n";
+ sha256 = "18s388hm3babnvakbbgfqk0jzq25nnznvhygywd3azp9b4yzmd5c";
};
- propagatedBuildInputs = [ canonicaljson unpaddedbase64 pynacl ];
+ propagatedBuildInputs = [ canonicaljson unpaddedbase64 pynacl typing-extensions ];
meta = with stdenv.lib; {
homepage = https://pypi.org/project/signedjson/;
diff --git a/pkgs/servers/matrix-synapse/default.nix b/pkgs/servers/matrix-synapse/default.nix
index 295881b03a335..8da5d4676d688 100644
--- a/pkgs/servers/matrix-synapse/default.nix
+++ b/pkgs/servers/matrix-synapse/default.nix
@@ -23,11 +23,11 @@ let
in buildPythonApplication rec {
pname = "matrix-synapse";
- version = "1.9.1";
+ version = "1.11.1";
src = fetchPypi {
inherit pname version;
- sha256 = "13csf18dchm75vw251a7h57diag94vw6rhg8kkkbpi35cibn0cz2";
+ sha256 = "0xd4bxsmk67r6pfj5lh0hn36r8z51mxsl39fjfrfdidvl1qqbxnk";
};
patches = [