nixos/tests/matrix/synapse.nix at 23.11-pre · pyrox.dev/nixpkgs

pyrox.dev / nixpkgs
lol
nixpkgs / nixos / tests / matrix / synapse.nix
at 23.11-pre 7.1 kB view raw
  1import ../make-test-python.nix ({ pkgs, ... } : let
  2
  3
  4  runWithOpenSSL = file: cmd: pkgs.runCommand file {
  5    buildInputs = [ pkgs.openssl ];
  6  } cmd;
  7
  8
  9  ca_key = runWithOpenSSL "ca-key.pem" "openssl genrsa -out $out 2048";
 10  ca_pem = runWithOpenSSL "ca.pem" ''
 11    openssl req \
 12      -x509 -new -nodes -key ${ca_key} \
 13      -days 10000 -out $out -subj "/CN=snakeoil-ca"
 14  '';
 15  key = runWithOpenSSL "matrix_key.pem" "openssl genrsa -out $out 2048";
 16  csr = runWithOpenSSL "matrix.csr" ''
 17    openssl req \
 18       -new -key ${key} \
 19       -out $out -subj "/CN=localhost" \
 20  '';
 21  cert = runWithOpenSSL "matrix_cert.pem" ''
 22    openssl x509 \
 23      -req -in ${csr} \
 24      -CA ${ca_pem} -CAkey ${ca_key} \
 25      -CAcreateserial -out $out \
 26      -days 365
 27  '';
 28
 29
 30  mailerCerts = import ../common/acme/server/snakeoil-certs.nix;
 31  mailerDomain = mailerCerts.domain;
 32  registrationSharedSecret = "unsecure123";
 33  testUser = "alice";
 34  testPassword = "alicealice";
 35  testEmail = "alice@example.com";
 36
 37  listeners = [ {
 38    port = 8448;
 39    bind_addresses = [
 40      "127.0.0.1"
 41      "::1"
 42    ];
 43    type = "http";
 44    tls = true;
 45    x_forwarded = false;
 46    resources = [ {
 47      names = [
 48        "client"
 49      ];
 50      compress = true;
 51    } {
 52      names = [
 53        "federation"
 54      ];
 55      compress = false;
 56    } ];
 57  } ];
 58
 59in {
 60
 61  name = "matrix-synapse";
 62  meta = with pkgs.lib; {
 63    maintainers = teams.matrix.members;
 64  };
 65
 66  nodes = {
 67    # Since 0.33.0, matrix-synapse doesn't allow underscores in server names
 68    serverpostgres = { pkgs, nodes, ... }: let
 69      mailserverIP = nodes.mailserver.config.networking.primaryIPAddress;
 70    in
 71    {
 72      services.matrix-synapse = {
 73        enable = true;
 74        settings = {
 75          inherit listeners;
 76          database = {
 77            name = "psycopg2";
 78            args.password = "synapse";
 79          };
 80          tls_certificate_path = "${cert}";
 81          tls_private_key_path = "${key}";
 82          registration_shared_secret = registrationSharedSecret;
 83          public_baseurl = "https://example.com";
 84          email = {
 85            smtp_host = mailerDomain;
 86            smtp_port = 25;
 87            require_transport_security = true;
 88            notif_from = "matrix <matrix@${mailerDomain}>";
 89            app_name = "Matrix";
 90          };
 91        };
 92      };
 93      services.postgresql = {
 94        enable = true;
 95
 96        # The database name and user are configured by the following options:
 97        #   - services.matrix-synapse.database_name
 98        #   - services.matrix-synapse.database_user
 99        #
100        # The values used here represent the default values of the module.
101        initialScript = pkgs.writeText "synapse-init.sql" ''
102          CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';
103          CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
104            TEMPLATE template0
105            LC_COLLATE = "C"
106            LC_CTYPE = "C";
107        '';
108      };
109
110      networking.extraHosts = ''
111        ${mailserverIP} ${mailerDomain}
112      '';
113
114      security.pki.certificateFiles = [
115        mailerCerts.ca.cert ca_pem
116      ];
117
118      environment.systemPackages = let
119        sendTestMailStarttls = pkgs.writeScriptBin "send-testmail-starttls" ''
120          #!${pkgs.python3.interpreter}
121          import smtplib
122          import ssl
123
124          ctx = ssl.create_default_context()
125
126          with smtplib.SMTP('${mailerDomain}') as smtp:
127            smtp.ehlo()
128            smtp.starttls(context=ctx)
129            smtp.ehlo()
130            smtp.sendmail('matrix@${mailerDomain}', '${testEmail}', 'Subject: Test STARTTLS\n\nTest data.')
131            smtp.quit()
132         '';
133
134        obtainTokenAndRegisterEmail = let
135          # adding the email through the API is quite complicated as it involves more than one step and some
136          # client-side calculation
137          insertEmailForAlice = pkgs.writeText "alice-email.sql" ''
138            INSERT INTO user_threepids (user_id, medium, address, validated_at, added_at) VALUES ('${testUser}@serverpostgres', 'email', '${testEmail}', '1629149927271', '1629149927270');
139          '';
140        in
141        pkgs.writeScriptBin "obtain-token-and-register-email" ''
142          #!${pkgs.runtimeShell}
143          set -o errexit
144          set -o pipefail
145          set -o nounset
146          su postgres -c "psql -d matrix-synapse -f ${insertEmailForAlice}"
147          curl --fail -XPOST 'https://localhost:8448/_matrix/client/r0/account/password/email/requestToken' -d '{"email":"${testEmail}","client_secret":"foobar","send_attempt":1}' -v
148        '';
149        in [ sendTestMailStarttls pkgs.matrix-synapse obtainTokenAndRegisterEmail ];
150    };
151
152    # test mail delivery
153    mailserver = args: let
154    in
155    {
156      security.pki.certificateFiles = [
157        mailerCerts.ca.cert
158      ];
159
160      networking.firewall.enable = false;
161
162      services.postfix = {
163        enable = true;
164        hostname = "${mailerDomain}";
165        # open relay for subnet
166        networksStyle = "subnet";
167        enableSubmission = true;
168        tlsTrustedAuthorities = "${mailerCerts.ca.cert}";
169        sslCert = "${mailerCerts.${mailerDomain}.cert}";
170        sslKey = "${mailerCerts.${mailerDomain}.key}";
171
172        # blackhole transport
173        transport = "example.com discard:silently";
174
175        config = {
176          debug_peer_level = "10";
177          smtpd_relay_restrictions = [
178            "permit_mynetworks" "reject_unauth_destination"
179          ];
180
181          # disable obsolete protocols, something old versions of twisted are still using
182          smtpd_tls_protocols = "TLSv1.3, TLSv1.2, !TLSv1.1, !TLSv1, !SSLv2, !SSLv3";
183          smtp_tls_protocols = "TLSv1.3, TLSv1.2, !TLSv1.1, !TLSv1, !SSLv2, !SSLv3";
184          smtpd_tls_mandatory_protocols = "TLSv1.3, TLSv1.2, !TLSv1.1, !TLSv1, !SSLv2, !SSLv3";
185          smtp_tls_mandatory_protocols = "TLSv1.3, TLSv1.2, !TLSv1.1, !TLSv1, !SSLv2, !SSLv3";
186        };
187      };
188    };
189
190    serversqlite = args: {
191      services.matrix-synapse = {
192        enable = true;
193        settings = {
194          inherit listeners;
195          database.name = "sqlite3";
196          tls_certificate_path = "${cert}";
197          tls_private_key_path = "${key}";
198        };
199      };
200    };
201  };
202
203  testScript = ''
204    start_all()
205    mailserver.wait_for_unit("postfix.service")
206    serverpostgres.succeed("send-testmail-starttls")
207    serverpostgres.wait_for_unit("matrix-synapse.service")
208    serverpostgres.wait_until_succeeds(
209        "curl --fail -L --cacert ${ca_pem} https://localhost:8448/"
210    )
211    serverpostgres.require_unit_state("postgresql.service")
212    serverpostgres.succeed("register_new_matrix_user -u ${testUser} -p ${testPassword} -a -k ${registrationSharedSecret} https://localhost:8448/")
213    serverpostgres.succeed("obtain-token-and-register-email")
214    serversqlite.wait_for_unit("matrix-synapse.service")
215    serversqlite.wait_until_succeeds(
216        "curl --fail -L --cacert ${ca_pem} https://localhost:8448/"
217    )
218    serversqlite.succeed("[ -e /var/lib/matrix-synapse/homeserver.db ]")
219  '';
220
221})