commit be4a0e6e406a334b6dc50d343f7f81ff93f9e371 · pyrox.dev/nixpkgs

+110

nixos/doc/manual/from_md/release-notes/rl-2205.section.xml

···

       390
       390
        
             </listitem>

     

       391
       391
        
             <listitem>

     

       392
       392
        
               <para>

     

       393
       393
       +
                 The <literal>matrix-synapse</literal> service

     

       394
       394
       +
                 (<literal>services.matrix-synapse</literal>) has been

     

       395
       395
       +
                 converted to use the <literal>settings</literal> option

     

       396
       396
       +
                 defined in RFC42. This means that options that are part of

     

       397
       397
       +
                 your <literal>homeserver.yaml</literal> configuration, and

     

       398
       398
       +
                 that were specified at the top-level of the module

     

       399
       399
       +
                 (<literal>services.matrix-synapse</literal>) now need to be

     

       400
       400
       +
                 moved into

     

       401
       401
       +
                 <literal>services.matrix-synapse.settings</literal>. And while

     

       402
       402
       +
                 not all options you may use are defined in there, they are

     

       403
       403
       +
                 still supported, because you can set arbitrary values in this

     

       404
       404
       +
                 freeform type.

     

       405
       405
       +
               </para>

     

       406
       406
       +
               <para>

     

       407
       407
       +
                 An example to make the required migration clearer:

     

       408
       408
       +
               </para>

     

       409
       409
       +
               <para>

     

       410
       410
       +
                 Before:

     

       411
       411
       +
               </para>

     

       412
       412
       +
               <programlisting language="bash">

     

       413
       413
       +
       {

     

       414
       414
       +
         services.matrix-synapse = {

     

       415
       415
       +
           enable = true;

     

       416
       416
       +
       

     

       417
       417
       +
           server_name = &quot;example.com&quot;;

     

       418
       418
       +
           public_baseurl = &quot;https://example.com:8448&quot;;

     

       419
       419
       +
       

     

       420
       420
       +
           enable_registration = false;

     

       421
       421
       +
           registration_shared_secret = &quot;xohshaeyui8jic7uutuDogahkee3aehuaf6ei3Xouz4iicie5thie6nohNahceut&quot;;

     

       422
       422
       +
           macaroon_secret_key = &quot;xoo8eder9seivukaiPh1cheikohquuw8Yooreid0The4aifahth3Ou0aiShaiz4l&quot;;

     

       423
       423
       +
       

     

       424
       424
       +
           tls_certificate_path = &quot;/var/lib/acme/example.com/fullchain.pem&quot;;

     

       425
       425
       +
           tls_certificate_path = &quot;/var/lib/acme/example.com/fullchain.pem&quot;;

     

       426
       426
       +
       

     

       427
       427
       +
           listeners = [ {

     

       428
       428
       +
             port = 8448;

     

       429
       429
       +
             bind_address = &quot;&quot;;

     

       430
       430
       +
             type = &quot;http&quot;;

     

       431
       431
       +
             tls = true;

     

       432
       432
       +
             resources = [ {

     

       433
       433
       +
               names = [ &quot;client&quot; ];

     

       434
       434
       +
               compress = true;

     

       435
       435
       +
             } {

     

       436
       436
       +
               names = [ &quot;federation&quot; ];

     

       437
       437
       +
               compress = false;

     

       438
       438
       +
             } ];

     

       439
       439
       +
           } ];

     

       440
       440
       +
       

     

       441
       441
       +
         };

     

       442
       442
       +
       }

     

       443
       443
       +
       </programlisting>

     

       444
       444
       +
               <para>

     

       445
       445
       +
                 After:

     

       446
       446
       +
               </para>

     

       447
       447
       +
               <programlisting language="bash">

     

       448
       448
       +
       {

     

       449
       449
       +
         services.matrix-synapse = {

     

       450
       450
       +
           enable = true;

     

       451
       451
       +
       

     

       452
       452
       +
           # this attribute set holds all values that go into your homeserver.yaml configuration

     

       453
       453
       +
           # See https://github.com/matrix-org/synapse/blob/develop/docs/sample_config.yaml for

     

       454
       454
       +
           # possible values.

     

       455
       455
       +
           settings = {

     

       456
       456
       +
             server_name = &quot;example.com&quot;;

     

       457
       457
       +
             public_baseurl = &quot;https://example.com:8448&quot;;

     

       458
       458
       +
       

     

       459
       459
       +
             enable_registration = false;

     

       460
       460
       +
             # pass `registration_shared_secret` and `macaroon_secret_key` via `extraConfigFiles` instead

     

       461
       461
       +
       

     

       462
       462
       +
             tls_certificate_path = &quot;/var/lib/acme/example.com/fullchain.pem&quot;;

     

       463
       463
       +
             tls_certificate_path = &quot;/var/lib/acme/example.com/fullchain.pem&quot;;

     

       464
       464
       +
       

     

       465
       465
       +
             listeners = [ {

     

       466
       466
       +
               port = 8448;

     

       467
       467
       +
               bind_address = [

     

       468
       468
       +
                 &quot;::&quot;

     

       469
       469
       +
                 &quot;0.0.0.0&quot;

     

       470
       470
       +
               ];

     

       471
       471
       +
               type = &quot;http&quot;;

     

       472
       472
       +
               tls = true;

     

       473
       473
       +
               resources = [ {

     

       474
       474
       +
                 names = [ &quot;client&quot; ];

     

       475
       475
       +
                 compress = true;

     

       476
       476
       +
               } {

     

       477
       477
       +
                 names = [ &quot;federation&quot; ];

     

       478
       478
       +
                 compress = false;

     

       479
       479
       +
               } ];

     

       480
       480
       +
             } ];

     

       481
       481
       +
           };

     

       482
       482
       +
       

     

       483
       483
       +
           extraConfigFiles = [

     

       484
       484
       +
             /run/keys/matrix-synapse/secrets.yaml

     

       485
       485
       +
           ];

     

       486
       486
       +
         };

     

       487
       487
       +
       }

     

       488
       488
       +
       </programlisting>

     

       489
       489
       +
               <para>

     

       490
       490
       +
                 The secrets in your original config should be migrated into a

     

       491
       491
       +
                 YAML file that is included via

     

       492
       492
       +
                 <literal>extraConfigFiles</literal>.

     

       493
       493
       +
               </para>

     

       494
       494
       +
               <para>

     

       495
       495
       +
                 Additionally a few option defaults have been synced up with

     

       496
       496
       +
                 upstream default values, for example the

     

       497
       497
       +
                 <literal>max_upload_size</literal> grew from

     

       498
       498
       +
                 <literal>10M</literal> to <literal>50M</literal>.

     

       499
       499
       +
               </para>

     

       500
       500
       +
             </listitem>

     

       501
       501
       +
             <listitem>

     

       502
       502
       +
               <para>

     

       393
       503
        
                 The MoinMoin wiki engine

     

       394
       504
        
                 (<literal>services.moinmoin</literal>) has been removed,

     

       395
       505
        
                 because Python 2 is being retired from nixpkgs.

+89

nixos/doc/manual/release-notes/rl-2205.section.md

···

       128
       128
        
       

     

       129
       129
        
       - The `mailpile` email webclient (`services.mailpile`) has been removed due to its reliance on python2.

     

       130
       130
        
       

     

       131
       131
       +
       - The `matrix-synapse` service (`services.matrix-synapse`) has been converted to use the `settings` option defined in RFC42.

     

       132
       132
       +
         This means that options that are part of your `homeserver.yaml` configuration, and that were specified at the top-level of the

     

       133
       133
       +
         module (`services.matrix-synapse`) now need to be moved into `services.matrix-synapse.settings`. And while not all options you

     

       134
       134
       +
         may use are defined in there, they are still supported, because you can set arbitrary values in this freeform type.

     

       135
       135
       +
       

     

       136
       136
       +
         An example to make the required migration clearer:

     

       137
       137
       +
       

     

       138
       138
       +
         Before:

     

       139
       139
       +
         ```nix

     

       140
       140
       +
         {

     

       141
       141
       +
           services.matrix-synapse = {

     

       142
       142
       +
             enable = true;

     

       143
       143
       +
       

     

       144
       144
       +
             server_name = "example.com";

     

       145
       145
       +
             public_baseurl = "https://example.com:8448";

     

       146
       146
       +
       

     

       147
       147
       +
             enable_registration = false;

     

       148
       148
       +
             registration_shared_secret = "xohshaeyui8jic7uutuDogahkee3aehuaf6ei3Xouz4iicie5thie6nohNahceut";

     

       149
       149
       +
             macaroon_secret_key = "xoo8eder9seivukaiPh1cheikohquuw8Yooreid0The4aifahth3Ou0aiShaiz4l";

     

       150
       150
       +
       

     

       151
       151
       +
             tls_certificate_path = "/var/lib/acme/example.com/fullchain.pem";

     

       152
       152
       +
             tls_certificate_path = "/var/lib/acme/example.com/fullchain.pem";

     

       153
       153
       +
       

     

       154
       154
       +
             listeners = [ {

     

       155
       155
       +
               port = 8448;

     

       156
       156
       +
               bind_address = "";

     

       157
       157
       +
               type = "http";

     

       158
       158
       +
               tls = true;

     

       159
       159
       +
               resources = [ {

     

       160
       160
       +
                 names = [ "client" ];

     

       161
       161
       +
                 compress = true;

     

       162
       162
       +
               } {

     

       163
       163
       +
                 names = [ "federation" ];

     

       164
       164
       +
                 compress = false;

     

       165
       165
       +
               } ];

     

       166
       166
       +
             } ];

     

       167
       167
       +
       

     

       168
       168
       +
           };

     

       169
       169
       +
         }

     

       170
       170
       +
         ```

     

       171
       171
       +
       

     

       172
       172
       +
         After:

     

       173
       173
       +
         ```nix

     

       174
       174
       +
         {

     

       175
       175
       +
           services.matrix-synapse = {

     

       176
       176
       +
             enable = true;

     

       177
       177
       +
       

     

       178
       178
       +
             # this attribute set holds all values that go into your homeserver.yaml configuration

     

       179
       179
       +
             # See https://github.com/matrix-org/synapse/blob/develop/docs/sample_config.yaml for

     

       180
       180
       +
             # possible values.

     

       181
       181
       +
             settings = {

     

       182
       182
       +
               server_name = "example.com";

     

       183
       183
       +
               public_baseurl = "https://example.com:8448";

     

       184
       184
       +
       

     

       185
       185
       +
               enable_registration = false;

     

       186
       186
       +
               # pass `registration_shared_secret` and `macaroon_secret_key` via `extraConfigFiles` instead

     

       187
       187
       +
       

     

       188
       188
       +
               tls_certificate_path = "/var/lib/acme/example.com/fullchain.pem";

     

       189
       189
       +
               tls_certificate_path = "/var/lib/acme/example.com/fullchain.pem";

     

       190
       190
       +
       

     

       191
       191
       +
               listeners = [ {

     

       192
       192
       +
                 port = 8448;

     

       193
       193
       +
                 bind_address = [

     

       194
       194
       +
                   "::"

     

       195
       195
       +
                   "0.0.0.0"

     

       196
       196
       +
                 ];

     

       197
       197
       +
                 type = "http";

     

       198
       198
       +
                 tls = true;

     

       199
       199
       +
                 resources = [ {

     

       200
       200
       +
                   names = [ "client" ];

     

       201
       201
       +
                   compress = true;

     

       202
       202
       +
                 } {

     

       203
       203
       +
                   names = [ "federation" ];

     

       204
       204
       +
                   compress = false;

     

       205
       205
       +
                 } ];

     

       206
       206
       +
               } ];

     

       207
       207
       +
             };

     

       208
       208
       +
       

     

       209
       209
       +
             extraConfigFiles = [

     

       210
       210
       +
               /run/keys/matrix-synapse/secrets.yaml

     

       211
       211
       +
             ];

     

       212
       212
       +
           };

     

       213
       213
       +
         }

     

       214
       214
       +
         ```

     

       215
       215
       +
       

     

       216
       216
       +
         The secrets in your original config should be migrated into a YAML file that is included via `extraConfigFiles`.

     

       217
       217
       +
       

     

       218
       218
       +
         Additionally a few option defaults have been synced up with upstream default values, for example the `max_upload_size` grew from `10M` to `50M`.

     

       219
       219
       +
       

     

       131
       220
        
       - The MoinMoin wiki engine (`services.moinmoin`) has been removed, because Python 2 is being retired from nixpkgs.

     

       132
       221
        
       

     

       133
       222
        
       - The `wafHook` hook now honors `NIX_BUILD_CORES` when `enableParallelBuilding` is not set explicitly. Packages can restore the old behaviour by setting `enableParallelBuilding=false`.

+1 -1

nixos/modules/module-list.nix

···

       499
       499
        
         ./services/mail/roundcube.nix

     

       500
       500
        
         ./services/mail/sympa.nix

     

       501
       501
        
         ./services/mail/nullmailer.nix

     

       502
       502
       +
         ./services/matrix/matrix-synapse.nix

     

       502
       503
        
         ./services/matrix/mjolnir.nix

     

       503
       504
        
         ./services/matrix/pantalaimon.nix

     

       504
       505
        
         ./services/misc/ananicy.nix

     
···

       565
       566
        
         ./services/misc/matrix-appservice-discord.nix

     

       566
       567
        
         ./services/misc/matrix-appservice-irc.nix

     

       567
       568
        
         ./services/misc/matrix-conduit.nix

     

       568
       568
       -
         ./services/misc/matrix-synapse.nix

     

       569
       569
        
         ./services/misc/mautrix-facebook.nix

     

       570
       570
        
         ./services/misc/mautrix-telegram.nix

     

       571
       571
        
         ./services/misc/mbpfan.nix

+773

nixos/modules/services/matrix/matrix-synapse.nix

···

       1
       1
       +
       { config, lib, options, pkgs, ... }:

     

       2
       2
       +
       

     

       3
       3
       +
       with lib;

     

       4
       4
       +
       

     

       5
       5
       +
       let

     

       6
       6
       +
         cfg = config.services.matrix-synapse;

     

       7
       7
       +
         format = pkgs.formats.yaml {};

     

       8
       8
       +
       

     

       9
       9
       +
         # remove null values from the final configuration

     

       10
       10
       +
         finalSettings = lib.filterAttrsRecursive (_: v: v != null) cfg.settings;

     

       11
       11
       +
         configFile = format.generate "homeserver.yaml" finalSettings;

     

       12
       12
       +
         logConfigFile = format.generate "log_config.yaml" cfg.logConfig;

     

       13
       13
       +
       

     

       14
       14
       +
         pluginsEnv = cfg.package.python.buildEnv.override {

     

       15
       15
       +
           extraLibs = cfg.plugins;

     

       16
       16
       +
         };

     

       17
       17
       +
       

     

       18
       18
       +
         usePostgresql = cfg.settings.database.name == "psycopg2";

     

       19
       19
       +
         hasLocalPostgresDB = let args = cfg.settings.database.args; in

     

       20
       20
       +
           usePostgresql && (!(args ? host) || (elem args.host [ "localhost" "127.0.0.1" "::1" ]));

     

       21
       21
       +
       

     

       22
       22
       +
         registerNewMatrixUser =

     

       23
       23
       +
           let

     

       24
       24
       +
             isIpv6 = x: lib.length (lib.splitString ":" x) > 1;

     

       25
       25
       +
             listener =

     

       26
       26
       +
               lib.findFirst (

     

       27
       27
       +
                 listener: lib.any (

     

       28
       28
       +
                   resource: lib.any (

     

       29
       29
       +
                     name: name == "client"

     

       30
       30
       +
                   ) resource.names

     

       31
       31
       +
                 ) listener.resources

     

       32
       32
       +
               ) (lib.last cfg.settings.listeners) cfg.settings.listeners;

     

       33
       33
       +
               # FIXME: Handle cases with missing client listener properly,

     

       34
       34
       +
               # don't rely on lib.last, this will not work.

     

       35
       35
       +
       

     

       36
       36
       +
             # add a tail, so that without any bind_addresses we still have a useable address

     

       37
       37
       +
             bindAddress = head (listener.bind_addresses ++ [ "127.0.0.1" ]);

     

       38
       38
       +
             listenerProtocol = if listener.tls

     

       39
       39
       +
               then "https"

     

       40
       40
       +
               else "http";

     

       41
       41
       +
           in

     

       42
       42
       +
           pkgs.writeShellScriptBin "matrix-synapse-register_new_matrix_user" ''

     

       43
       43
       +
             exec ${cfg.package}/bin/register_new_matrix_user \

     

       44
       44
       +
               $@ \

     

       45
       45
       +
               ${lib.concatMapStringsSep " " (x: "-c ${x}") ([ configFile ] ++ cfg.extraConfigFiles)} \

     

       46
       46
       +
               "${listenerProtocol}://${

     

       47
       47
       +
                 if (isIpv6 bindAddress) then

     

       48
       48
       +
                   "[${bindAddress}]"

     

       49
       49
       +
                 else

     

       50
       50
       +
                   "${bindAddress}"

     

       51
       51
       +
               }:${builtins.toString listener.port}/"

     

       52
       52
       +
           '';

     

       53
       53
       +
       in {

     

       54
       54
       +
       

     

       55
       55
       +
         imports = [

     

       56
       56
       +
       

     

       57
       57
       +
           (mkRemovedOptionModule [ "services" "matrix-synapse" "trusted_third_party_id_servers" ] ''

     

       58
       58
       +
             The `trusted_third_party_id_servers` option as been removed in `matrix-synapse` v1.4.0

     

       59
       59
       +
             as the behavior is now obsolete.

     

       60
       60
       +
           '')

     

       61
       61
       +
           (mkRemovedOptionModule [ "services" "matrix-synapse" "create_local_database" ] ''

     

       62
       62
       +
             Database configuration must be done manually. An exemplary setup is demonstrated in

     

       63
       63
       +
             <nixpkgs/nixos/tests/matrix-synapse.nix>

     

       64
       64
       +
           '')

     

       65
       65
       +
           (mkRemovedOptionModule [ "services" "matrix-synapse" "web_client" ] "")

     

       66
       66
       +
           (mkRemovedOptionModule [ "services" "matrix-synapse" "room_invite_state_types" ] ''

     

       67
       67
       +
             You may add additional event types via

     

       68
       68
       +
             `services.matrix-synapse.room_prejoin_state.additional_event_types` and

     

       69
       69
       +
             disable the default events via

     

       70
       70
       +
             `services.matrix-synapse.room_prejoin_state.disable_default_event_types`.

     

       71
       71
       +
           '')

     

       72
       72
       +
       

     

       73
       73
       +
           # options that don't exist in synapse anymore

     

       74
       74
       +
           (mkRemovedOptionModule [ "services" "matrix-synapse" "bind_host" ] "Use listener settings instead." )

     

       75
       75
       +
           (mkRemovedOptionModule [ "services" "matrix-synapse" "bind_port" ] "Use listener settings instead." )

     

       76
       76
       +
           (mkRemovedOptionModule [ "services" "matrix-synapse" "expire_access_tokens" ] "" )

     

       77
       77
       +
           (mkRemovedOptionModule [ "services" "matrix-synapse" "no_tls" ] "It is no longer supported by synapse." )

     

       78
       78
       +
           (mkRemovedOptionModule [ "services" "matrix-synapse" "tls_dh_param_path" ] "It was removed from synapse." )

     

       79
       79
       +
           (mkRemovedOptionModule [ "services" "matrix-synapse" "unsecure_port" ] "Use settings.listeners instead." )

     

       80
       80
       +
           (mkRemovedOptionModule [ "services" "matrix-synapse" "user_creation_max_duration" ] "It is no longer supported by synapse." )

     

       81
       81
       +
           (mkRemovedOptionModule [ "services" "matrix-synapse" "verbose" ] "Use a log config instead." )

     

       82
       82
       +
       

     

       83
       83
       +
           # options that were moved into rfc42 style settigns

     

       84
       84
       +
           (mkRemovedOptionModule [ "services" "matrix-synapse" "app_service_config_files" ] "Use settings.app_service_config_Files instead" )

     

       85
       85
       +
           (mkRemovedOptionModule [ "services" "matrix-synapse" "database_args" ] "Use settings.database.args instead" )

     

       86
       86
       +
           (mkRemovedOptionModule [ "services" "matrix-synapse" "database_name" ] "Use settings.database.args.database instead" )

     

       87
       87
       +
           (mkRemovedOptionModule [ "services" "matrix-synapse" "database_type" ] "Use settings.database.name instead" )

     

       88
       88
       +
           (mkRemovedOptionModule [ "services" "matrix-synapse" "database_user" ] "Use settings.database.args.user instead" )

     

       89
       89
       +
           (mkRemovedOptionModule [ "services" "matrix-synapse" "dynamic_thumbnails" ] "Use settings.dynamic_thumbnails instead" )

     

       90
       90
       +
           (mkRemovedOptionModule [ "services" "matrix-synapse" "enable_metrics" ] "Use settings.enable_metrics instead" )

     

       91
       91
       +
           (mkRemovedOptionModule [ "services" "matrix-synapse" "enable_registration" ] "Use settings.enable_registration instead" )

     

       92
       92
       +
           (mkRemovedOptionModule [ "services" "matrix-synapse" "extraConfig" ] "Use settings instead." )

     

       93
       93
       +
           (mkRemovedOptionModule [ "services" "matrix-synapse" "listeners" ] "Use settings.listeners instead" )

     

       94
       94
       +
           (mkRemovedOptionModule [ "services" "matrix-synapse" "logConfig" ] "Use settings.log_config instead" )

     

       95
       95
       +
           (mkRemovedOptionModule [ "services" "matrix-synapse" "max_image_pixels" ] "Use settings.max_image_pixels instead" )

     

       96
       96
       +
           (mkRemovedOptionModule [ "services" "matrix-synapse" "max_upload_size" ] "Use settings.max_upload_size instead" )

     

       97
       97
       +
           (mkRemovedOptionModule [ "services" "matrix-synapse" "presence" "enabled" ] "Use settings.presence.enabled instead" )

     

       98
       98
       +
           (mkRemovedOptionModule [ "services" "matrix-synapse" "public_baseurl" ] "Use settings.public_baseurl instead" )

     

       99
       99
       +
           (mkRemovedOptionModule [ "services" "matrix-synapse" "report_stats" ] "Use settings.report_stats instead" )

     

       100
       100
       +
           (mkRemovedOptionModule [ "services" "matrix-synapse" "server_name" ] "Use settings.server_name instead" )

     

       101
       101
       +
           (mkRemovedOptionModule [ "services" "matrix-synapse" "servers" ] "Use settings.trusted_key_servers instead." )

     

       102
       102
       +
           (mkRemovedOptionModule [ "services" "matrix-synapse" "tls_certificate_path" ] "Use settings.tls_certificate_path instead" )

     

       103
       103
       +
           (mkRemovedOptionModule [ "services" "matrix-synapse" "tls_private_key_path" ] "Use settings.tls_private_key_path instead" )

     

       104
       104
       +
           (mkRemovedOptionModule [ "services" "matrix-synapse" "turn_shared_secret" ] "Use settings.turn_shared_secret instead" )

     

       105
       105
       +
           (mkRemovedOptionModule [ "services" "matrix-synapse" "turn_uris" ] "Use settings.turn_uris instead" )

     

       106
       106
       +
           (mkRemovedOptionModule [ "services" "matrix-synapse" "turn_user_lifetime" ] "Use settings.turn_user_lifetime instead" )

     

       107
       107
       +
           (mkRemovedOptionModule [ "services" "matrix-synapse" "url_preview_enabled" ] "Use settings.url_preview_enabled instead" )

     

       108
       108
       +
           (mkRemovedOptionModule [ "services" "matrix-synapse" "url_preview_ip_range_blacklist" ] "Use settings.url_preview_ip_range_blacklist instead" )

     

       109
       109
       +
           (mkRemovedOptionModule [ "services" "matrix-synapse" "url_preview_ip_range_whitelist" ] "Use settings.url_preview_ip_range_whitelist instead" )

     

       110
       110
       +
           (mkRemovedOptionModule [ "services" "matrix-synapse" "url_preview_url_blacklist" ] "Use settings.url_preview_url_blacklist instead" )

     

       111
       111
       +
       

     

       112
       112
       +
           # options that are too specific to mention them explicitly in settings

     

       113
       113
       +
           (mkRemovedOptionModule [ "services" "matrix-synapse" "account_threepid_delegates" "email" ] "Use settings.account_threepid_delegates.email instead" )

     

       114
       114
       +
           (mkRemovedOptionModule [ "services" "matrix-synapse" "account_threepid_delegates" "msisdn" ] "Use settings.account_threepid_delegates.msisdn instead" )

     

       115
       115
       +
           (mkRemovedOptionModule [ "services" "matrix-synapse" "allow_guest_access" ] "Use settings.allow_guest_access instead" )

     

       116
       116
       +
           (mkRemovedOptionModule [ "services" "matrix-synapse" "bcrypt_rounds" ] "Use settings.bcrypt_rounds instead" )

     

       117
       117
       +
           (mkRemovedOptionModule [ "services" "matrix-synapse" "enable_registration_captcha" ] "Use settings.enable_registration_captcha instead" )

     

       118
       118
       +
           (mkRemovedOptionModule [ "services" "matrix-synapse" "event_cache_size" ] "Use settings.event_cache_size instead" )

     

       119
       119
       +
           (mkRemovedOptionModule [ "services" "matrix-synapse" "federation_rc_concurrent" ] "Use settings.rc_federation.concurrent instead" )

     

       120
       120
       +
           (mkRemovedOptionModule [ "services" "matrix-synapse" "federation_rc_reject_limit" ] "Use settings.rc_federation.reject_limit instead" )

     

       121
       121
       +
           (mkRemovedOptionModule [ "services" "matrix-synapse" "federation_rc_sleep_delay" ] "Use settings.rc_federation.sleep_delay instead" )

     

       122
       122
       +
           (mkRemovedOptionModule [ "services" "matrix-synapse" "federation_rc_sleep_limit" ] "Use settings.rc_federation.sleep_limit instead" )

     

       123
       123
       +
           (mkRemovedOptionModule [ "services" "matrix-synapse" "federation_rc_window_size" ] "Use settings.rc_federation.window_size instead" )

     

       124
       124
       +
           (mkRemovedOptionModule [ "services" "matrix-synapse" "key_refresh_interval" ] "Use settings.key_refresh_interval instead" )

     

       125
       125
       +
           (mkRemovedOptionModule [ "services" "matrix-synapse" "rc_messages_burst_count" ] "Use settings.rc_messages.burst_count instead" )

     

       126
       126
       +
           (mkRemovedOptionModule [ "services" "matrix-synapse" "rc_messages_per_second" ] "Use settings.rc_messages.per_second instead" )

     

       127
       127
       +
           (mkRemovedOptionModule [ "services" "matrix-synapse" "recaptcha_private_key" ] "Use settings.recaptcha_private_key instead" )

     

       128
       128
       +
           (mkRemovedOptionModule [ "services" "matrix-synapse" "recaptcha_public_key" ] "Use settings.recaptcha_public_key instead" )

     

       129
       129
       +
           (mkRemovedOptionModule [ "services" "matrix-synapse" "redaction_retention_period" ] "Use settings.redaction_retention_period instead" )

     

       130
       130
       +
           (mkRemovedOptionModule [ "services" "matrix-synapse" "room_prejoin_state" "additional_event_types" ] "Use settings.room_prejoin_state.additional_event_types instead" )

     

       131
       131
       +
           (mkRemovedOptionModule [ "services" "matrix-synapse" "room_prejoin_state" "disable_default_event_types" ] "Use settings.room_prejoin-state.disable_default_event_types instead" )

     

       132
       132
       +
       

     

       133
       133
       +
           # Options that should be passed via extraConfigFiles, so they are not persisted into the nix store

     

       134
       134
       +
           (mkRemovedOptionModule [ "services" "matrix-synapse" "macaroon_secret_key" ] "Pass this value via extraConfigFiles instead" )

     

       135
       135
       +
           (mkRemovedOptionModule [ "services" "matrix-synapse" "registration_shared_secret" ] "Pass this value via extraConfigFiles instead" )

     

       136
       136
       +
       

     

       137
       137
       +
         ];

     

       138
       138
       +
       

     

       139
       139
       +
         options = {

     

       140
       140
       +
           services.matrix-synapse = {

     

       141
       141
       +
             enable = mkEnableOption "matrix.org synapse";

     

       142
       142
       +
       

     

       143
       143
       +
             configFile = mkOption {

     

       144
       144
       +
               type = types.str;

     

       145
       145
       +
               readOnly = true;

     

       146
       146
       +
               description = ''

     

       147
       147
       +
                 Path to the configuration file on the target system. Useful to configure e.g. workers

     

       148
       148
       +
                 that also need this.

     

       149
       149
       +
               '';

     

       150
       150
       +
             };

     

       151
       151
       +
       

     

       152
       152
       +
             package = mkOption {

     

       153
       153
       +
               type = types.package;

     

       154
       154
       +
               default = pkgs.matrix-synapse;

     

       155
       155
       +
               defaultText = literalExpression "pkgs.matrix-synapse";

     

       156
       156
       +
               description = ''

     

       157
       157
       +
                 Overridable attribute of the matrix synapse server package to use.

     

       158
       158
       +
               '';

     

       159
       159
       +
             };

     

       160
       160
       +
       

     

       161
       161
       +
             plugins = mkOption {

     

       162
       162
       +
               type = types.listOf types.package;

     

       163
       163
       +
               default = [ ];

     

       164
       164
       +
               example = literalExpression ''

     

       165
       165
       +
                 with config.services.matrix-synapse.package.plugins; [

     

       166
       166
       +
                   matrix-synapse-ldap3

     

       167
       167
       +
                   matrix-synapse-pam

     

       168
       168
       +
                 ];

     

       169
       169
       +
               '';

     

       170
       170
       +
               description = ''

     

       171
       171
       +
                 List of additional Matrix plugins to make available.

     

       172
       172
       +
               '';

     

       173
       173
       +
             };

     

       174
       174
       +
       

     

       175
       175
       +
             withJemalloc = mkOption {

     

       176
       176
       +
               type = types.bool;

     

       177
       177
       +
               default = false;

     

       178
       178
       +
               description = ''

     

       179
       179
       +
                 Whether to preload jemalloc to reduce memory fragmentation and overall usage.

     

       180
       180
       +
               '';

     

       181
       181
       +
             };

     

       182
       182
       +
       

     

       183
       183
       +
             dataDir = mkOption {

     

       184
       184
       +
               type = types.str;

     

       185
       185
       +
               default = "/var/lib/matrix-synapse";

     

       186
       186
       +
               description = ''

     

       187
       187
       +
                 The directory where matrix-synapse stores its stateful data such as

     

       188
       188
       +
                 certificates, media and uploads.

     

       189
       189
       +
               '';

     

       190
       190
       +
             };

     

       191
       191
       +
       

     

       192
       192
       +
             settings = mkOption {

     

       193
       193
       +
               default = {};

     

       194
       194
       +
               description = ''

     

       195
       195
       +
                 The primary synapse configuration. See the

     

       196
       196
       +
                 <link xlink:href="https://github.com/matrix-org/synapse/blob/v${cfg.package.version}/docs/sample_config.yaml">sample configuration</link>

     

       197
       197
       +
                 for possible values.

     

       198
       198
       +
       

     

       199
       199
       +
                 Secrets should be passed in by using the <literal>extraConfigFiles</literal> option.

     

       200
       200
       +
               '';

     

       201
       201
       +
               type = with types; submodule {

     

       202
       202
       +
                 freeformType = format.type;

     

       203
       203
       +
                 options = {

     

       204
       204
       +
                   # This is a reduced set of popular options and defaults

     

       205
       205
       +
                   # Do not add every available option here, they can be specified

     

       206
       206
       +
                   # by the user at their own discretion. This is a freeform type!

     

       207
       207
       +
       

     

       208
       208
       +
                   server_name = mkOption {

     

       209
       209
       +
                     type = types.str;

     

       210
       210
       +
                     example = "example.com";

     

       211
       211
       +
                     default = config.networking.hostName;

     

       212
       212
       +
                     defaultText = literalExpression "config.networking.hostName";

     

       213
       213
       +
                     description = ''

     

       214
       214
       +
                       The domain name of the server, with optional explicit port.

     

       215
       215
       +
                       This is used by remote servers to look up the server address.

     

       216
       216
       +
                       This is also the last part of your UserID.

     

       217
       217
       +
       

     

       218
       218
       +
                       The server_name cannot be changed later so it is important to configure this correctly before you start Synapse.

     

       219
       219
       +
                     '';

     

       220
       220
       +
                   };

     

       221
       221
       +
       

     

       222
       222
       +
                   enable_registration = mkOption {

     

       223
       223
       +
                     type = types.bool;

     

       224
       224
       +
                     default = false;

     

       225
       225
       +
                     description = ''

     

       226
       226
       +
                       Enable registration for new users.

     

       227
       227
       +
                     '';

     

       228
       228
       +
                   };

     

       229
       229
       +
       

     

       230
       230
       +
                   registration_shared_secret = mkOption {

     

       231
       231
       +
                     type = types.nullOr types.str;

     

       232
       232
       +
                     default = null;

     

       233
       233
       +
                     description = ''

     

       234
       234
       +
                       If set, allows registration by anyone who also has the shared

     

       235
       235
       +
                       secret, even if registration is otherwise disabled.

     

       236
       236
       +
       

     

       237
       237
       +
                       Secrets should be passed in via <literal>extraConfigFiles</literal>!

     

       238
       238
       +
                     '';

     

       239
       239
       +
                   };

     

       240
       240
       +
       

     

       241
       241
       +
                   macaroon_secret_key = mkOption {

     

       242
       242
       +
                     type = types.nullOr types.str;

     

       243
       243
       +
                     default = null;

     

       244
       244
       +
                     description = ''

     

       245
       245
       +
                       Secret key for authentication tokens. If none is specified,

     

       246
       246
       +
                       the registration_shared_secret is used, if one is given; otherwise,

     

       247
       247
       +
                       a secret key is derived from the signing key.

     

       248
       248
       +
       

     

       249
       249
       +
                       Secrets should be passed in via <literal>extraConfigFiles</literal>!

     

       250
       250
       +
                     '';

     

       251
       251
       +
                   };

     

       252
       252
       +
       

     

       253
       253
       +
                   enable_metrics = mkOption {

     

       254
       254
       +
                     type = types.bool;

     

       255
       255
       +
                     default = false;

     

       256
       256
       +
                     description = ''

     

       257
       257
       +
                       Enable collection and rendering of performance metrics

     

       258
       258
       +
                     '';

     

       259
       259
       +
                   };

     

       260
       260
       +
       

     

       261
       261
       +
                   report_stats = mkOption {

     

       262
       262
       +
                     type = types.bool;

     

       263
       263
       +
                     default = false;

     

       264
       264
       +
                     description = ''

     

       265
       265
       +
                       Whether or not to report anonymized homeserver usage statistics.

     

       266
       266
       +
                     '';

     

       267
       267
       +
                   };

     

       268
       268
       +
       

     

       269
       269
       +
                   signing_key_path = mkOption {

     

       270
       270
       +
                     type = types.path;

     

       271
       271
       +
                     default = "${cfg.dataDir}/homeserver.signing.key";

     

       272
       272
       +
                     description = ''

     

       273
       273
       +
                       Path to the signing key to sign messages with.

     

       274
       274
       +
                     '';

     

       275
       275
       +
                   };

     

       276
       276
       +
       

     

       277
       277
       +
                   pid_file = mkOption {

     

       278
       278
       +
                     type = types.path;

     

       279
       279
       +
                     default = "/run/matrix-synapse.pid";

     

       280
       280
       +
                     readOnly = true;

     

       281
       281
       +
                     description = ''

     

       282
       282
       +
                       The file to store the PID in.

     

       283
       283
       +
                     '';

     

       284
       284
       +
                   };

     

       285
       285
       +
       

     

       286
       286
       +
                   log_config = mkOption {

     

       287
       287
       +
                     type = types.path;

     

       288
       288
       +
                     default = ./matrix-synapse-log_config.yaml;

     

       289
       289
       +
                     description = ''

     

       290
       290
       +
                       The file that holds the logging configuration.

     

       291
       291
       +
                     '';

     

       292
       292
       +
                   };

     

       293
       293
       +
       

     

       294
       294
       +
                   media_store_path = mkOption {

     

       295
       295
       +
                     type = types.path;

     

       296
       296
       +
                     default = if lib.versionAtLeast config.system.stateVersion "22.05"

     

       297
       297
       +
                       then "${cfg.dataDir}/media_store"

     

       298
       298
       +
                       else "${cfg.dataDir}/media";

     

       299
       299
       +
                     description = ''

     

       300
       300
       +
                       Directory where uploaded images and attachments are stored.

     

       301
       301
       +
                     '';

     

       302
       302
       +
                   };

     

       303
       303
       +
       

     

       304
       304
       +
                   public_baseurl = mkOption {

     

       305
       305
       +
                     type = types.nullOr types.str;

     

       306
       306
       +
                     default = null;

     

       307
       307
       +
                     example = "https://example.com:8448/";

     

       308
       308
       +
                     description = ''

     

       309
       309
       +
                       The public-facing base URL for the client API (not including _matrix/...)

     

       310
       310
       +
                     '';

     

       311
       311
       +
                   };

     

       312
       312
       +
       

     

       313
       313
       +
                   tls_certificate_path = mkOption {

     

       314
       314
       +
                     type = types.nullOr types.str;

     

       315
       315
       +
                     default = null;

     

       316
       316
       +
                     example = "/var/lib/acme/example.com/fullchain.pem";

     

       317
       317
       +
                     description = ''

     

       318
       318
       +
                       PEM encoded X509 certificate for TLS.

     

       319
       319
       +
                       You can replace the self-signed certificate that synapse

     

       320
       320
       +
                       autogenerates on launch with your own SSL certificate + key pair

     

       321
       321
       +
                       if you like.  Any required intermediary certificates can be

     

       322
       322
       +
                       appended after the primary certificate in hierarchical order.

     

       323
       323
       +
                     '';

     

       324
       324
       +
                   };

     

       325
       325
       +
       

     

       326
       326
       +
                   tls_private_key_path = mkOption {

     

       327
       327
       +
                     type = types.nullOr types.str;

     

       328
       328
       +
                     default = null;

     

       329
       329
       +
                     example = "/var/lib/acme/example.com/key.pem";

     

       330
       330
       +
                     description = ''

     

       331
       331
       +
                       PEM encoded private key for TLS. Specify null if synapse is not

     

       332
       332
       +
                       speaking TLS directly.

     

       333
       333
       +
                     '';

     

       334
       334
       +
                   };

     

       335
       335
       +
       

     

       336
       336
       +
                   presence.enabled = mkOption {

     

       337
       337
       +
                     type = types.bool;

     

       338
       338
       +
                     default = true;

     

       339
       339
       +
                     example = false;

     

       340
       340
       +
                     description = ''

     

       341
       341
       +
                       Whether to enable presence tracking.

     

       342
       342
       +
       

     

       343
       343
       +
                       Presence tracking allows users to see the state (e.g online/offline)

     

       344
       344
       +
                       of other local and remote users.

     

       345
       345
       +
                     '';

     

       346
       346
       +
                   };

     

       347
       347
       +
       

     

       348
       348
       +
                   listeners = mkOption {

     

       349
       349
       +
                     type = types.listOf (types.submodule {

     

       350
       350
       +
                       options = {

     

       351
       351
       +
                         port = mkOption {

     

       352
       352
       +
                           type = types.port;

     

       353
       353
       +
                           example = 8448;

     

       354
       354
       +
                           description = ''

     

       355
       355
       +
                             The port to listen for HTTP(S) requests on.

     

       356
       356
       +
                           '';

     

       357
       357
       +
                         };

     

       358
       358
       +
       

     

       359
       359
       +
                         bind_addresses = mkOption {

     

       360
       360
       +
                           type = types.listOf types.str;

     

       361
       361
       +
                           default = [

     

       362
       362
       +
                             "::1"

     

       363
       363
       +
                             "127.0.0.1"

     

       364
       364
       +
                           ];

     

       365
       365
       +
                           example = literalExpression ''

     

       366
       366
       +
                           [

     

       367
       367
       +
                             "::"

     

       368
       368
       +
                             "0.0.0.0"

     

       369
       369
       +
                           ]

     

       370
       370
       +
                           '';

     

       371
       371
       +
                           description = ''

     

       372
       372
       +
                            IP addresses to bind the listener to.

     

       373
       373
       +
                           '';

     

       374
       374
       +
                         };

     

       375
       375
       +
       

     

       376
       376
       +
                         type = mkOption {

     

       377
       377
       +
                           type = types.enum [

     

       378
       378
       +
                             "http"

     

       379
       379
       +
                             "manhole"

     

       380
       380
       +
                             "metrics"

     

       381
       381
       +
                             "replication"

     

       382
       382
       +
                           ];

     

       383
       383
       +
                           default = "http";

     

       384
       384
       +
                           example = "metrics";

     

       385
       385
       +
                           description = ''

     

       386
       386
       +
                             The type of the listener, usually http.

     

       387
       387
       +
                           '';

     

       388
       388
       +
                         };

     

       389
       389
       +
       

     

       390
       390
       +
                         tls = mkOption {

     

       391
       391
       +
                           type = types.bool;

     

       392
       392
       +
                           default = true;

     

       393
       393
       +
                           example = false;

     

       394
       394
       +
                           description = ''

     

       395
       395
       +
                             Whether to enable TLS on the listener socket.

     

       396
       396
       +
                           '';

     

       397
       397
       +
                         };

     

       398
       398
       +
       

     

       399
       399
       +
                         x_forwarded = mkOption {

     

       400
       400
       +
                           type = types.bool;

     

       401
       401
       +
                           default = false;

     

       402
       402
       +
                           example = true;

     

       403
       403
       +
                           description = ''

     

       404
       404
       +
                             Use the X-Forwarded-For (XFF) header as the client IP and not the

     

       405
       405
       +
                             actual client IP.

     

       406
       406
       +
                           '';

     

       407
       407
       +
                         };

     

       408
       408
       +
       

     

       409
       409
       +
                         resources = mkOption {

     

       410
       410
       +
                           type = types.listOf (types.submodule {

     

       411
       411
       +
                             options = {

     

       412
       412
       +
                               names = mkOption {

     

       413
       413
       +
                                 type = types.listOf (types.enum [

     

       414
       414
       +
                                   "client"

     

       415
       415
       +
                                   "consent"

     

       416
       416
       +
                                   "federation"

     

       417
       417
       +
                                   "keys"

     

       418
       418
       +
                                   "media"

     

       419
       419
       +
                                   "metrics"

     

       420
       420
       +
                                   "openid"

     

       421
       421
       +
                                   "replication"

     

       422
       422
       +
                                   "static"

     

       423
       423
       +
                                 ]);

     

       424
       424
       +
                                 description = ''

     

       425
       425
       +
                                   List of resources to host on this listener.

     

       426
       426
       +
                                 '';

     

       427
       427
       +
                                 example = [

     

       428
       428
       +
                                   "client"

     

       429
       429
       +
                                 ];

     

       430
       430
       +
                               };

     

       431
       431
       +
                               compress = mkOption {

     

       432
       432
       +
                                 type = types.bool;

     

       433
       433
       +
                                 description = ''

     

       434
       434
       +
                                   Should synapse compress HTTP responses to clients that support it?

     

       435
       435
       +
                                   This should be disabled if running synapse behind a load balancer

     

       436
       436
       +
                                   that can do automatic compression.

     

       437
       437
       +
                                 '';

     

       438
       438
       +
                               };

     

       439
       439
       +
                             };

     

       440
       440
       +
                           });

     

       441
       441
       +
                           description = ''

     

       442
       442
       +
                             List of HTTP resources to serve on this listener.

     

       443
       443
       +
                           '';

     

       444
       444
       +
                         };

     

       445
       445
       +
                       };

     

       446
       446
       +
                     });

     

       447
       447
       +
                     default = [ {

     

       448
       448
       +
                       port = 8008;

     

       449
       449
       +
                       bind_addresses = [ "127.0.0.1" ];

     

       450
       450
       +
                       type = "http";

     

       451
       451
       +
                       tls = false;

     

       452
       452
       +
                       x_forwarded = true;

     

       453
       453
       +
                       resources = [ {

     

       454
       454
       +
                         names = [ "client" ];

     

       455
       455
       +
                         compress = true;

     

       456
       456
       +
                       } {

     

       457
       457
       +
                         names = [ "federation" ];

     

       458
       458
       +
                         compress = false;

     

       459
       459
       +
                       } ];

     

       460
       460
       +
                     } ];

     

       461
       461
       +
                     description = ''

     

       462
       462
       +
                       List of ports that Synapse should listen on, their purpose and their configuration.

     

       463
       463
       +
                     '';

     

       464
       464
       +
                   };

     

       465
       465
       +
       

     

       466
       466
       +
                   database.name = mkOption {

     

       467
       467
       +
                     type = types.enum [

     

       468
       468
       +
                       "sqlite3"

     

       469
       469
       +
                       "psycopg2"

     

       470
       470
       +
                     ];

     

       471
       471
       +
                     default = if versionAtLeast config.system.stateVersion "18.03"

     

       472
       472
       +
                       then "psycopg2"

     

       473
       473
       +
                       else "sqlite3";

     

       474
       474
       +
                      defaultText = literalExpression ''

     

       475
       475
       +
                       if versionAtLeast config.system.stateVersion "18.03"

     

       476
       476
       +
                       then "psycopg2"

     

       477
       477
       +
                       else "sqlite3"

     

       478
       478
       +
                     '';

     

       479
       479
       +
                     description = ''

     

       480
       480
       +
                       The database engine name. Can be sqlite3 or psycopg2.

     

       481
       481
       +
                     '';

     

       482
       482
       +
                   };

     

       483
       483
       +
       

     

       484
       484
       +
                   database.args.database = mkOption {

     

       485
       485
       +
                     type = types.str;

     

       486
       486
       +
                     default = {

     

       487
       487
       +
                       sqlite3 = "${cfg.dataDir}/homeserver.db";

     

       488
       488
       +
                       psycopg2 = "matrix-synapse";

     

       489
       489
       +
                     }.${cfg.settings.database.name};

     

       490
       490
       +
                     defaultText = literalExpression ''

     

       491
       491
       +
                     {

     

       492
       492
       +
                       sqlite3 = "''${${options.services.matrix-synapse.dataDir}}/homeserver.db";

     

       493
       493
       +
                       psycopg2 = "matrix-synapse";

     

       494
       494
       +
                     }.''${${options.services.matrix-synapse.settings}.database.name};

     

       495
       495
       +
                     '';

     

       496
       496
       +
                     description = ''

     

       497
       497
       +
                       Name of the database when using the psycopg2 backend,

     

       498
       498
       +
                       path to the database location when using sqlite3.

     

       499
       499
       +
                     '';

     

       500
       500
       +
                   };

     

       501
       501
       +
       

     

       502
       502
       +
                   database.args.user = mkOption {

     

       503
       503
       +
                     type = types.nullOr types.str;

     

       504
       504
       +
                     default = {

     

       505
       505
       +
                       sqlite3 = null;

     

       506
       506
       +
                       psycopg2 = "matrix-synapse";

     

       507
       507
       +
                     }.${cfg.settings.database.name};

     

       508
       508
       +
                     description = ''

     

       509
       509
       +
                       Username to connect with psycopg2, set to null

     

       510
       510
       +
                       when using sqlite3.

     

       511
       511
       +
                     '';

     

       512
       512
       +
                   };

     

       513
       513
       +
       

     

       514
       514
       +
                   url_preview_enabled = mkOption {

     

       515
       515
       +
                     type = types.bool;

     

       516
       516
       +
                     default = true;

     

       517
       517
       +
                     example = false;

     

       518
       518
       +
                     description = ''

     

       519
       519
       +
                       Is the preview URL API enabled?  If enabled, you *must* specify an

     

       520
       520
       +
                       explicit url_preview_ip_range_blacklist of IPs that the spider is

     

       521
       521
       +
                       denied from accessing.

     

       522
       522
       +
                     '';

     

       523
       523
       +
                   };

     

       524
       524
       +
       

     

       525
       525
       +
                   url_preview_ip_range_blacklist = mkOption {

     

       526
       526
       +
                     type = types.listOf types.str;

     

       527
       527
       +
                     default = [

     

       528
       528
       +
                       "10.0.0.0/8"

     

       529
       529
       +
                       "100.64.0.0/10"

     

       530
       530
       +
                       "127.0.0.0/8"

     

       531
       531
       +
                       "169.254.0.0/16"

     

       532
       532
       +
                       "172.16.0.0/12"

     

       533
       533
       +
                       "192.0.0.0/24"

     

       534
       534
       +
                       "192.0.2.0/24"

     

       535
       535
       +
                       "192.168.0.0/16"

     

       536
       536
       +
                       "192.88.99.0/24"

     

       537
       537
       +
                       "198.18.0.0/15"

     

       538
       538
       +
                       "198.51.100.0/24"

     

       539
       539
       +
                       "2001:db8::/32"

     

       540
       540
       +
                       "203.0.113.0/24"

     

       541
       541
       +
                       "224.0.0.0/4"

     

       542
       542
       +
                       "::1/128"

     

       543
       543
       +
                       "fc00::/7"

     

       544
       544
       +
                       "fe80::/10"

     

       545
       545
       +
                       "fec0::/10"

     

       546
       546
       +
                       "ff00::/8"

     

       547
       547
       +
                     ];

     

       548
       548
       +
                     description = ''

     

       549
       549
       +
                       List of IP address CIDR ranges that the URL preview spider is denied

     

       550
       550
       +
                       from accessing.

     

       551
       551
       +
                     '';

     

       552
       552
       +
                   };

     

       553
       553
       +
       

     

       554
       554
       +
                   url_preview_ip_range_whitelist = mkOption {

     

       555
       555
       +
                     type = types.listOf types.str;

     

       556
       556
       +
                     default = [];

     

       557
       557
       +
                     description = ''

     

       558
       558
       +
                       List of IP address CIDR ranges that the URL preview spider is allowed

     

       559
       559
       +
                       to access even if they are specified in url_preview_ip_range_blacklist.

     

       560
       560
       +
                     '';

     

       561
       561
       +
                   };

     

       562
       562
       +
       

     

       563
       563
       +
                   url_preview_url_blacklist = mkOption {

     

       564
       564
       +
                     type = types.listOf types.str;

     

       565
       565
       +
                     default = [];

     

       566
       566
       +
                     description = ''

     

       567
       567
       +
                       Optional list of URL matches that the URL preview spider is

     

       568
       568
       +
                       denied from accessing.

     

       569
       569
       +
                     '';

     

       570
       570
       +
                   };

     

       571
       571
       +
       

     

       572
       572
       +
                   max_upload_size = mkOption {

     

       573
       573
       +
                     type = types.str;

     

       574
       574
       +
                     default = "50M";

     

       575
       575
       +
                     example = "100M";

     

       576
       576
       +
                     description = ''

     

       577
       577
       +
                       The largest allowed upload size in bytes

     

       578
       578
       +
                     '';

     

       579
       579
       +
                   };

     

       580
       580
       +
       

     

       581
       581
       +
                   max_image_pixels = mkOption {

     

       582
       582
       +
                     type = types.str;

     

       583
       583
       +
                     default = "32M";

     

       584
       584
       +
                     example = "64M";

     

       585
       585
       +
                     description = ''

     

       586
       586
       +
                       Maximum number of pixels that will be thumbnailed

     

       587
       587
       +
                     '';

     

       588
       588
       +
                   };

     

       589
       589
       +
       

     

       590
       590
       +
                   dynamic_thumbnails = mkOption {

     

       591
       591
       +
                     type = types.bool;

     

       592
       592
       +
                     default = false;

     

       593
       593
       +
                     example = true;

     

       594
       594
       +
                     description = ''

     

       595
       595
       +
                       Whether to generate new thumbnails on the fly to precisely match

     

       596
       596
       +
                       the resolution requested by the client. If true then whenever

     

       597
       597
       +
                       a new resolution is requested by the client the server will

     

       598
       598
       +
                       generate a new thumbnail. If false the server will pick a thumbnail

     

       599
       599
       +
                       from a precalculated list.

     

       600
       600
       +
                     '';

     

       601
       601
       +
                   };

     

       602
       602
       +
       

     

       603
       603
       +
                   turn_uris = mkOption {

     

       604
       604
       +
                     type = types.listOf types.str;

     

       605
       605
       +
                     default = [];

     

       606
       606
       +
                     example = [

     

       607
       607
       +
                       "turn:turn.example.com:3487?transport=udp"

     

       608
       608
       +
                       "turn:turn.example.com:3487?transport=tcp"

     

       609
       609
       +
                       "turns:turn.example.com:5349?transport=udp"

     

       610
       610
       +
                       "turns:turn.example.com:5349?transport=tcp"

     

       611
       611
       +
                     ];

     

       612
       612
       +
                     description = ''

     

       613
       613
       +
                       The public URIs of the TURN server to give to clients

     

       614
       614
       +
                     '';

     

       615
       615
       +
                   };

     

       616
       616
       +
                   turn_shared_secret = mkOption {

     

       617
       617
       +
                     type = types.str;

     

       618
       618
       +
                     default = "";

     

       619
       619
       +
                     example = literalExpression ''

     

       620
       620
       +
                       config.services.coturn.static-auth-secret

     

       621
       621
       +
                     '';

     

       622
       622
       +
                     description = ''

     

       623
       623
       +
                       The shared secret used to compute passwords for the TURN server.

     

       624
       624
       +
       

     

       625
       625
       +
                       Secrets should be passed in via <literal>extraConfigFiles</literal>!

     

       626
       626
       +
                     '';

     

       627
       627
       +
                   };

     

       628
       628
       +
       

     

       629
       629
       +
                   trusted_key_servers = mkOption {

     

       630
       630
       +
                     type = types.listOf (types.submodule {

     

       631
       631
       +
                       options = {

     

       632
       632
       +
                         server_name = mkOption {

     

       633
       633
       +
                           type = types.str;

     

       634
       634
       +
                           example = "matrix.org";

     

       635
       635
       +
                           description = ''

     

       636
       636
       +
                             Hostname of the trusted server.

     

       637
       637
       +
                           '';

     

       638
       638
       +
                         };

     

       639
       639
       +
       

     

       640
       640
       +
                         verify_keys = mkOption {

     

       641
       641
       +
                           type = types.nullOr (types.attrsOf types.str);

     

       642
       642
       +
                           default = null;

     

       643
       643
       +
                           example = literalExpression ''

     

       644
       644
       +
                             {

     

       645
       645
       +
                               "ed25519:auto" = "Noi6WqcDj0QmPxCNQqgezwTlBKrfqehY1u2FyWP9uYw";

     

       646
       646
       +
                             }

     

       647
       647
       +
                           '';

     

       648
       648
       +
                           description = ''

     

       649
       649
       +
                             Attribute set from key id to base64 encoded public key.

     

       650
       650
       +
       

     

       651
       651
       +
                             If specified synapse will check that the response is signed

     

       652
       652
       +
                             by at least one of the given keys.

     

       653
       653
       +
                           '';

     

       654
       654
       +
                         };

     

       655
       655
       +
                       };

     

       656
       656
       +
                     });

     

       657
       657
       +
                     default = [ {

     

       658
       658
       +
                       server_name = "matrix.org";

     

       659
       659
       +
                       verify_keys = {

     

       660
       660
       +
                         "ed25519:auto" = "Noi6WqcDj0QmPxCNQqgezwTlBKrfqehY1u2FyWP9uYw";

     

       661
       661
       +
                       };

     

       662
       662
       +
                     } ];

     

       663
       663
       +
                     description = ''

     

       664
       664
       +
                       The trusted servers to download signing keys from.

     

       665
       665
       +
                     '';

     

       666
       666
       +
                   };

     

       667
       667
       +
       

     

       668
       668
       +
                   app_service_config_files = mkOption {

     

       669
       669
       +
                     type = types.listOf types.path;

     

       670
       670
       +
                     default = [ ];

     

       671
       671
       +
                     description = ''

     

       672
       672
       +
                       A list of application service config file to use

     

       673
       673
       +
                     '';

     

       674
       674
       +
                   };

     

       675
       675
       +
       

     

       676
       676
       +
                 };

     

       677
       677
       +
               };

     

       678
       678
       +
             };

     

       679
       679
       +
       

     

       680
       680
       +
             extraConfigFiles = mkOption {

     

       681
       681
       +
               type = types.listOf types.path;

     

       682
       682
       +
               default = [];

     

       683
       683
       +
               description = ''

     

       684
       684
       +
                 Extra config files to include.

     

       685
       685
       +
       

     

       686
       686
       +
                 The configuration files will be included based on the command line

     

       687
       687
       +
                 argument --config-path. This allows to configure secrets without

     

       688
       688
       +
                 having to go through the Nix store, e.g. based on deployment keys if

     

       689
       689
       +
                 NixOps is in use.

     

       690
       690
       +
               '';

     

       691
       691
       +
             };

     

       692
       692
       +
           };

     

       693
       693
       +
         };

     

       694
       694
       +
       

     

       695
       695
       +
         config = mkIf cfg.enable {

     

       696
       696
       +
           assertions = [

     

       697
       697
       +
             { assertion = hasLocalPostgresDB -> config.services.postgresql.enable;

     

       698
       698
       +
               message = ''

     

       699
       699
       +
                 Cannot deploy matrix-synapse with a configuration for a local postgresql database

     

       700
       700
       +
                   and a missing postgresql service. Since 20.03 it's mandatory to manually configure the

     

       701
       701
       +
                   database (please read the thread in https://github.com/NixOS/nixpkgs/pull/80447 for

     

       702
       702
       +
                   further reference).

     

       703
       703
       +
       

     

       704
       704
       +
                   If you

     

       705
       705
       +
                   - try to deploy a fresh synapse, you need to configure the database yourself. An example

     

       706
       706
       +
                     for this can be found in <nixpkgs/nixos/tests/matrix-synapse.nix>

     

       707
       707
       +
                   - update your existing matrix-synapse instance, you simply need to add `services.postgresql.enable = true`

     

       708
       708
       +
                     to your configuration.

     

       709
       709
       +
       

     

       710
       710
       +
                 For further information about this update, please read the release-notes of 20.03 carefully.

     

       711
       711
       +
               '';

     

       712
       712
       +
             }

     

       713
       713
       +
           ];

     

       714
       714
       +
       

     

       715
       715
       +
           services.matrix-synapse.configFile = configFile;

     

       716
       716
       +
       

     

       717
       717
       +
           users.users.matrix-synapse = {

     

       718
       718
       +
             group = "matrix-synapse";

     

       719
       719
       +
             home = cfg.dataDir;

     

       720
       720
       +
             createHome = true;

     

       721
       721
       +
             shell = "${pkgs.bash}/bin/bash";

     

       722
       722
       +
             uid = config.ids.uids.matrix-synapse;

     

       723
       723
       +
           };

     

       724
       724
       +
       

     

       725
       725
       +
           users.groups.matrix-synapse = {

     

       726
       726
       +
             gid = config.ids.gids.matrix-synapse;

     

       727
       727
       +
           };

     

       728
       728
       +
       

     

       729
       729
       +
           systemd.services.matrix-synapse = {

     

       730
       730
       +
             description = "Synapse Matrix homeserver";

     

       731
       731
       +
             after = [ "network.target" ] ++ optional hasLocalPostgresDB "postgresql.service";

     

       732
       732
       +
             wantedBy = [ "multi-user.target" ];

     

       733
       733
       +
             preStart = ''

     

       734
       734
       +
               ${cfg.package}/bin/synapse_homeserver \

     

       735
       735
       +
                 --config-path ${configFile} \

     

       736
       736
       +
                 --keys-directory ${cfg.dataDir} \

     

       737
       737
       +
                 --generate-keys

     

       738
       738
       +
             '';

     

       739
       739
       +
             environment = {

     

       740
       740
       +
               PYTHONPATH = makeSearchPathOutput "lib" cfg.package.python.sitePackages [ pluginsEnv ];

     

       741
       741
       +
             } // optionalAttrs (cfg.withJemalloc) {

     

       742
       742
       +
               LD_PRELOAD = "${pkgs.jemalloc}/lib/libjemalloc.so";

     

       743
       743
       +
             };

     

       744
       744
       +
             serviceConfig = {

     

       745
       745
       +
               Type = "notify";

     

       746
       746
       +
               User = "matrix-synapse";

     

       747
       747
       +
               Group = "matrix-synapse";

     

       748
       748
       +
               WorkingDirectory = cfg.dataDir;

     

       749
       749
       +
               ExecStartPre = [ ("+" + (pkgs.writeShellScript "matrix-synapse-fix-permissions" ''

     

       750
       750
       +
                 chown matrix-synapse:matrix-synapse ${cfg.dataDir}/homeserver.signing.key

     

       751
       751
       +
                 chmod 0600 ${cfg.dataDir}/homeserver.signing.key

     

       752
       752
       +
               '')) ];

     

       753
       753
       +
               ExecStart = ''

     

       754
       754
       +
                 ${cfg.package}/bin/synapse_homeserver \

     

       755
       755
       +
                   ${ concatMapStringsSep "\n  " (x: "--config-path ${x} \\") ([ configFile ] ++ cfg.extraConfigFiles) }

     

       756
       756
       +
                   --keys-directory ${cfg.dataDir}

     

       757
       757
       +
               '';

     

       758
       758
       +
               ExecReload = "${pkgs.util-linux}/bin/kill -HUP $MAINPID";

     

       759
       759
       +
               Restart = "on-failure";

     

       760
       760
       +
               UMask = "0077";

     

       761
       761
       +
             };

     

       762
       762
       +
           };

     

       763
       763
       +
       

     

       764
       764
       +
           environment.systemPackages = [ registerNewMatrixUser ];

     

       765
       765
       +
         };

     

       766
       766
       +
       

     

       767
       767
       +
         meta = {

     

       768
       768
       +
           buildDocsInSandbox = false;

     

       769
       769
       +
           doc = ./matrix-synapse.xml;

     

       770
       770
       +
           maintainers = teams.matrix.members;

     

       771
       771
       +
         };

     

       772
       772
       +
       

     

       773
       773
       +
       }

nixos/modules/services/misc/matrix-synapse-log_config.yaml nixos/modules/services/matrix/matrix-synapse-log_config.yaml

-844

nixos/modules/services/misc/matrix-synapse.nix

···

       1
       1
       -
       { config, lib, options, pkgs, ... }:

     

       2
       2
       -
       

     

       3
       3
       -
       with lib;

     

       4
       4
       -
       

     

       5
       5
       -
       let

     

       6
       6
       -
         cfg = config.services.matrix-synapse;

     

       7
       7
       -
         opt = options.services.matrix-synapse;

     

       8
       8
       -
         pg = config.services.postgresql;

     

       9
       9
       -
         usePostgresql = cfg.database_type == "psycopg2";

     

       10
       10
       -
         logConfigFile = pkgs.writeText "log_config.yaml" cfg.logConfig;

     

       11
       11
       -
         mkResource = r: ''{names: ${builtins.toJSON r.names}, compress: ${boolToString r.compress}}'';

     

       12
       12
       -
         mkListener = l: ''{port: ${toString l.port}, bind_address: "${l.bind_address}", type: ${l.type}, tls: ${boolToString l.tls}, x_forwarded: ${boolToString l.x_forwarded}, resources: [${concatStringsSep "," (map mkResource l.resources)}]}'';

     

       13
       13
       -
         pluginsEnv = cfg.package.python.buildEnv.override {

     

       14
       14
       -
           extraLibs = cfg.plugins;

     

       15
       15
       -
         };

     

       16
       16
       -
         configFile = pkgs.writeText "homeserver.yaml" ''

     

       17
       17
       -
       ${optionalString (cfg.tls_certificate_path != null) ''

     

       18
       18
       -
       tls_certificate_path: "${cfg.tls_certificate_path}"

     

       19
       19
       -
       ''}

     

       20
       20
       -
       ${optionalString (cfg.tls_private_key_path != null) ''

     

       21
       21
       -
       tls_private_key_path: "${cfg.tls_private_key_path}"

     

       22
       22
       -
       ''}

     

       23
       23
       -
       ${optionalString (cfg.tls_dh_params_path != null) ''

     

       24
       24
       -
       tls_dh_params_path: "${cfg.tls_dh_params_path}"

     

       25
       25
       -
       ''}

     

       26
       26
       -
       no_tls: ${boolToString cfg.no_tls}

     

       27
       27
       -
       ${optionalString (cfg.bind_port != null) ''

     

       28
       28
       -
       bind_port: ${toString cfg.bind_port}

     

       29
       29
       -
       ''}

     

       30
       30
       -
       ${optionalString (cfg.unsecure_port != null) ''

     

       31
       31
       -
       unsecure_port: ${toString cfg.unsecure_port}

     

       32
       32
       -
       ''}

     

       33
       33
       -
       ${optionalString (cfg.bind_host != null) ''

     

       34
       34
       -
       bind_host: "${cfg.bind_host}"

     

       35
       35
       -
       ''}

     

       36
       36
       -
       server_name: "${cfg.server_name}"

     

       37
       37
       -
       pid_file: "/run/matrix-synapse.pid"

     

       38
       38
       -
       ${optionalString (cfg.public_baseurl != null) ''

     

       39
       39
       -
       public_baseurl: "${cfg.public_baseurl}"

     

       40
       40
       -
       ''}

     

       41
       41
       -
       listeners: [${concatStringsSep "," (map mkListener cfg.listeners)}]

     

       42
       42
       -
       database: {

     

       43
       43
       -
         name: "${cfg.database_type}",

     

       44
       44
       -
         args: {

     

       45
       45
       -
           ${concatStringsSep ",\n    " (

     

       46
       46
       -
             mapAttrsToList (n: v: "\"${n}\": ${builtins.toJSON v}") cfg.database_args

     

       47
       47
       -
           )}

     

       48
       48
       -
         }

     

       49
       49
       -
       }

     

       50
       50
       -
       event_cache_size: "${cfg.event_cache_size}"

     

       51
       51
       -
       verbose: ${cfg.verbose}

     

       52
       52
       -
       log_config: "${logConfigFile}"

     

       53
       53
       -
       rc_messages_per_second: ${cfg.rc_messages_per_second}

     

       54
       54
       -
       rc_message_burst_count: ${cfg.rc_message_burst_count}

     

       55
       55
       -
       federation_rc_window_size: ${cfg.federation_rc_window_size}

     

       56
       56
       -
       federation_rc_sleep_limit: ${cfg.federation_rc_sleep_limit}

     

       57
       57
       -
       federation_rc_sleep_delay: ${cfg.federation_rc_sleep_delay}

     

       58
       58
       -
       federation_rc_reject_limit: ${cfg.federation_rc_reject_limit}

     

       59
       59
       -
       federation_rc_concurrent: ${cfg.federation_rc_concurrent}

     

       60
       60
       -
       media_store_path: "${cfg.dataDir}/media"

     

       61
       61
       -
       uploads_path: "${cfg.dataDir}/uploads"

     

       62
       62
       -
       max_upload_size: "${cfg.max_upload_size}"

     

       63
       63
       -
       max_image_pixels: "${cfg.max_image_pixels}"

     

       64
       64
       -
       dynamic_thumbnails: ${boolToString cfg.dynamic_thumbnails}

     

       65
       65
       -
       url_preview_enabled: ${boolToString cfg.url_preview_enabled}

     

       66
       66
       -
       ${optionalString (cfg.url_preview_enabled == true) ''

     

       67
       67
       -
       url_preview_ip_range_blacklist: ${builtins.toJSON cfg.url_preview_ip_range_blacklist}

     

       68
       68
       -
       url_preview_ip_range_whitelist: ${builtins.toJSON cfg.url_preview_ip_range_whitelist}

     

       69
       69
       -
       url_preview_url_blacklist: ${builtins.toJSON cfg.url_preview_url_blacklist}

     

       70
       70
       -
       ''}

     

       71
       71
       -
       recaptcha_private_key: "${cfg.recaptcha_private_key}"

     

       72
       72
       -
       recaptcha_public_key: "${cfg.recaptcha_public_key}"

     

       73
       73
       -
       enable_registration_captcha: ${boolToString cfg.enable_registration_captcha}

     

       74
       74
       -
       turn_uris: ${builtins.toJSON cfg.turn_uris}

     

       75
       75
       -
       turn_shared_secret: "${cfg.turn_shared_secret}"

     

       76
       76
       -
       enable_registration: ${boolToString cfg.enable_registration}

     

       77
       77
       -
       ${optionalString (cfg.registration_shared_secret != null) ''

     

       78
       78
       -
       registration_shared_secret: "${cfg.registration_shared_secret}"

     

       79
       79
       -
       ''}

     

       80
       80
       -
       recaptcha_siteverify_api: "https://www.google.com/recaptcha/api/siteverify"

     

       81
       81
       -
       turn_user_lifetime: "${cfg.turn_user_lifetime}"

     

       82
       82
       -
       user_creation_max_duration: ${cfg.user_creation_max_duration}

     

       83
       83
       -
       bcrypt_rounds: ${cfg.bcrypt_rounds}

     

       84
       84
       -
       allow_guest_access: ${boolToString cfg.allow_guest_access}

     

       85
       85
       -
       

     

       86
       86
       -
       account_threepid_delegates:

     

       87
       87
       -
         ${optionalString (cfg.account_threepid_delegates.email != null) "email: ${cfg.account_threepid_delegates.email}"}

     

       88
       88
       -
         ${optionalString (cfg.account_threepid_delegates.msisdn != null) "msisdn: ${cfg.account_threepid_delegates.msisdn}"}

     

       89
       89
       -
       

     

       90
       90
       -
       room_prejoin_state:

     

       91
       91
       -
         disable_default_event_types: ${boolToString cfg.room_prejoin_state.disable_default_event_types}

     

       92
       92
       -
         additional_event_types: ${builtins.toJSON cfg.room_prejoin_state.additional_event_types}

     

       93
       93
       -
       ${optionalString (cfg.macaroon_secret_key != null) ''

     

       94
       94
       -
         macaroon_secret_key: "${cfg.macaroon_secret_key}"

     

       95
       95
       -
       ''}

     

       96
       96
       -
       expire_access_token: ${boolToString cfg.expire_access_token}

     

       97
       97
       -
       enable_metrics: ${boolToString cfg.enable_metrics}

     

       98
       98
       -
       report_stats: ${boolToString cfg.report_stats}

     

       99
       99
       -
       signing_key_path: "${cfg.dataDir}/homeserver.signing.key"

     

       100
       100
       -
       key_refresh_interval: "${cfg.key_refresh_interval}"

     

       101
       101
       -
       perspectives:

     

       102
       102
       -
         servers: {

     

       103
       103
       -
           ${concatStringsSep "},\n" (mapAttrsToList (n: v: ''

     

       104
       104
       -
           "${n}": {

     

       105
       105
       -
             "verify_keys": {

     

       106
       106
       -
               ${concatStringsSep "},\n" (mapAttrsToList (n: v: ''

     

       107
       107
       -
               "${n}": {

     

       108
       108
       -
                 "key": "${v}"

     

       109
       109
       -
               }'') v)}

     

       110
       110
       -
             }

     

       111
       111
       -
           '') cfg.servers)}

     

       112
       112
       -
           }

     

       113
       113
       -
         }

     

       114
       114
       -
       redaction_retention_period: ${toString cfg.redaction_retention_period}

     

       115
       115
       -
       app_service_config_files: ${builtins.toJSON cfg.app_service_config_files}

     

       116
       116
       -
       

     

       117
       117
       -
       ${cfg.extraConfig}

     

       118
       118
       -
       '';

     

       119
       119
       -
       

     

       120
       120
       -
         hasLocalPostgresDB = let args = cfg.database_args; in

     

       121
       121
       -
           usePostgresql && (!(args ? host) || (elem args.host [ "localhost" "127.0.0.1" "::1" ]));

     

       122
       122
       -
       

     

       123
       123
       -
         registerNewMatrixUser =

     

       124
       124
       -
           let

     

       125
       125
       -
             isIpv6 = x: lib.length (lib.splitString ":" x) > 1;

     

       126
       126
       -
             listener =

     

       127
       127
       -
               lib.findFirst (

     

       128
       128
       -
                 listener: lib.any (

     

       129
       129
       -
                   resource: lib.any (

     

       130
       130
       -
                     name: name == "client"

     

       131
       131
       -
                   ) resource.names

     

       132
       132
       -
                 ) listener.resources

     

       133
       133
       -
               ) (lib.last cfg.listeners) cfg.listeners;

     

       134
       134
       -
           in

     

       135
       135
       -
           pkgs.writeShellScriptBin "matrix-synapse-register_new_matrix_user" ''

     

       136
       136
       -
             exec ${cfg.package}/bin/register_new_matrix_user \

     

       137
       137
       -
               $@ \

     

       138
       138
       -
               ${lib.concatMapStringsSep " " (x: "-c ${x}") ([ configFile ] ++ cfg.extraConfigFiles)} \

     

       139
       139
       -
               "${listener.type}://${

     

       140
       140
       -
                 if (isIpv6 listener.bind_address) then

     

       141
       141
       -
                   "[${listener.bind_address}]"

     

       142
       142
       -
                 else

     

       143
       143
       -
                   "${listener.bind_address}"

     

       144
       144
       -
               }:${builtins.toString listener.port}/"

     

       145
       145
       -
           '';

     

       146
       146
       -
       in {

     

       147
       147
       -
         options = {

     

       148
       148
       -
           services.matrix-synapse = {

     

       149
       149
       -
             enable = mkEnableOption "matrix.org synapse";

     

       150
       150
       -
             configFile = mkOption {

     

       151
       151
       -
               type = types.str;

     

       152
       152
       -
               readOnly = true;

     

       153
       153
       -
               description = ''

     

       154
       154
       -
                 Path to the configuration file on the target system. Useful to configure e.g. workers

     

       155
       155
       -
                 that also need this.

     

       156
       156
       -
               '';

     

       157
       157
       -
             };

     

       158
       158
       -
             package = mkOption {

     

       159
       159
       -
               type = types.package;

     

       160
       160
       -
               default = pkgs.matrix-synapse;

     

       161
       161
       -
               defaultText = literalExpression "pkgs.matrix-synapse";

     

       162
       162
       -
               description = ''

     

       163
       163
       -
                 Overridable attribute of the matrix synapse server package to use.

     

       164
       164
       -
               '';

     

       165
       165
       -
             };

     

       166
       166
       -
             plugins = mkOption {

     

       167
       167
       -
               type = types.listOf types.package;

     

       168
       168
       -
               default = [ ];

     

       169
       169
       -
               example = literalExpression ''

     

       170
       170
       -
                 with config.services.matrix-synapse.package.plugins; [

     

       171
       171
       -
                   matrix-synapse-ldap3

     

       172
       172
       -
                   matrix-synapse-pam

     

       173
       173
       -
                 ];

     

       174
       174
       -
               '';

     

       175
       175
       -
               description = ''

     

       176
       176
       -
                 List of additional Matrix plugins to make available.

     

       177
       177
       -
               '';

     

       178
       178
       -
             };

     

       179
       179
       -
             withJemalloc = mkOption {

     

       180
       180
       -
               type = types.bool;

     

       181
       181
       -
               default = false;

     

       182
       182
       -
               description = ''

     

       183
       183
       -
                 Whether to preload jemalloc to reduce memory fragmentation and overall usage.

     

       184
       184
       -
               '';

     

       185
       185
       -
             };

     

       186
       186
       -
             no_tls = mkOption {

     

       187
       187
       -
               type = types.bool;

     

       188
       188
       -
               default = false;

     

       189
       189
       -
               description = ''

     

       190
       190
       -
                 Don't bind to the https port

     

       191
       191
       -
               '';

     

       192
       192
       -
             };

     

       193
       193
       -
             bind_port = mkOption {

     

       194
       194
       -
               type = types.nullOr types.int;

     

       195
       195
       -
               default = null;

     

       196
       196
       -
               example = 8448;

     

       197
       197
       -
               description = ''

     

       198
       198
       -
                 DEPRECATED: Use listeners instead.

     

       199
       199
       -
                 The port to listen for HTTPS requests on.

     

       200
       200
       -
                 For when matrix traffic is sent directly to synapse.

     

       201
       201
       -
               '';

     

       202
       202
       -
             };

     

       203
       203
       -
             unsecure_port = mkOption {

     

       204
       204
       -
               type = types.nullOr types.int;

     

       205
       205
       -
               default = null;

     

       206
       206
       -
               example = 8008;

     

       207
       207
       -
               description = ''

     

       208
       208
       -
                 DEPRECATED: Use listeners instead.

     

       209
       209
       -
                 The port to listen for HTTP requests on.

     

       210
       210
       -
                 For when matrix traffic passes through loadbalancer that unwraps TLS.

     

       211
       211
       -
               '';

     

       212
       212
       -
             };

     

       213
       213
       -
             bind_host = mkOption {

     

       214
       214
       -
               type = types.nullOr types.str;

     

       215
       215
       -
               default = null;

     

       216
       216
       -
               description = ''

     

       217
       217
       -
                 DEPRECATED: Use listeners instead.

     

       218
       218
       -
                 Local interface to listen on.

     

       219
       219
       -
                 The empty string will cause synapse to listen on all interfaces.

     

       220
       220
       -
               '';

     

       221
       221
       -
             };

     

       222
       222
       -
             tls_certificate_path = mkOption {

     

       223
       223
       -
               type = types.nullOr types.str;

     

       224
       224
       -
               default = null;

     

       225
       225
       -
               example = "/var/lib/matrix-synapse/homeserver.tls.crt";

     

       226
       226
       -
               description = ''

     

       227
       227
       -
                 PEM encoded X509 certificate for TLS.

     

       228
       228
       -
                 You can replace the self-signed certificate that synapse

     

       229
       229
       -
                 autogenerates on launch with your own SSL certificate + key pair

     

       230
       230
       -
                 if you like.  Any required intermediary certificates can be

     

       231
       231
       -
                 appended after the primary certificate in hierarchical order.

     

       232
       232
       -
               '';

     

       233
       233
       -
             };

     

       234
       234
       -
             tls_private_key_path = mkOption {

     

       235
       235
       -
               type = types.nullOr types.str;

     

       236
       236
       -
               default = null;

     

       237
       237
       -
               example = "/var/lib/matrix-synapse/homeserver.tls.key";

     

       238
       238
       -
               description = ''

     

       239
       239
       -
                 PEM encoded private key for TLS. Specify null if synapse is not

     

       240
       240
       -
                 speaking TLS directly.

     

       241
       241
       -
               '';

     

       242
       242
       -
             };

     

       243
       243
       -
             tls_dh_params_path = mkOption {

     

       244
       244
       -
               type = types.nullOr types.str;

     

       245
       245
       -
               default = null;

     

       246
       246
       -
               example = "/var/lib/matrix-synapse/homeserver.tls.dh";

     

       247
       247
       -
               description = ''

     

       248
       248
       -
                 PEM dh parameters for ephemeral keys

     

       249
       249
       -
               '';

     

       250
       250
       -
             };

     

       251
       251
       -
             server_name = mkOption {

     

       252
       252
       -
               type = types.str;

     

       253
       253
       -
               example = "example.com";

     

       254
       254
       -
               default = config.networking.hostName;

     

       255
       255
       -
               defaultText = literalExpression "config.networking.hostName";

     

       256
       256
       -
               description = ''

     

       257
       257
       -
                 The domain name of the server, with optional explicit port.

     

       258
       258
       -
                 This is used by remote servers to look up the server address.

     

       259
       259
       -
                 This is also the last part of your UserID.

     

       260
       260
       -
       

     

       261
       261
       -
                 The server_name cannot be changed later so it is important to configure this correctly before you start Synapse.

     

       262
       262
       -
               '';

     

       263
       263
       -
             };

     

       264
       264
       -
             public_baseurl = mkOption {

     

       265
       265
       -
               type = types.nullOr types.str;

     

       266
       266
       -
               default = null;

     

       267
       267
       -
               example = "https://example.com:8448/";

     

       268
       268
       -
               description = ''

     

       269
       269
       -
                 The public-facing base URL for the client API (not including _matrix/...)

     

       270
       270
       -
               '';

     

       271
       271
       -
             };

     

       272
       272
       -
             listeners = mkOption {

     

       273
       273
       -
               type = types.listOf (types.submodule {

     

       274
       274
       -
                 options = {

     

       275
       275
       -
                   port = mkOption {

     

       276
       276
       -
                     type = types.port;

     

       277
       277
       -
                     example = 8448;

     

       278
       278
       -
                     description = ''

     

       279
       279
       -
                       The port to listen for HTTP(S) requests on.

     

       280
       280
       -
                     '';

     

       281
       281
       -
                   };

     

       282
       282
       -
                   bind_address = mkOption {

     

       283
       283
       -
                     type = types.str;

     

       284
       284
       -
                     default = "";

     

       285
       285
       -
                     example = "203.0.113.42";

     

       286
       286
       -
                     description = ''

     

       287
       287
       -
                       Local interface to listen on.

     

       288
       288
       -
                       The empty string will cause synapse to listen on all interfaces.

     

       289
       289
       -
                     '';

     

       290
       290
       -
                   };

     

       291
       291
       -
                   type = mkOption {

     

       292
       292
       -
                     type = types.str;

     

       293
       293
       -
                     default = "http";

     

       294
       294
       -
                     description = ''

     

       295
       295
       -
                       Type of listener.

     

       296
       296
       -
                     '';

     

       297
       297
       -
                   };

     

       298
       298
       -
                   tls = mkOption {

     

       299
       299
       -
                     type = types.bool;

     

       300
       300
       -
                     default = true;

     

       301
       301
       -
                     description = ''

     

       302
       302
       -
                       Whether to listen for HTTPS connections rather than HTTP.

     

       303
       303
       -
                     '';

     

       304
       304
       -
                   };

     

       305
       305
       -
                   x_forwarded = mkOption {

     

       306
       306
       -
                     type = types.bool;

     

       307
       307
       -
                     default = false;

     

       308
       308
       -
                     description = ''

     

       309
       309
       -
                       Use the X-Forwarded-For (XFF) header as the client IP and not the

     

       310
       310
       -
                       actual client IP.

     

       311
       311
       -
                     '';

     

       312
       312
       -
                   };

     

       313
       313
       -
                   resources = mkOption {

     

       314
       314
       -
                     type = types.listOf (types.submodule {

     

       315
       315
       -
                       options = {

     

       316
       316
       -
                         names = mkOption {

     

       317
       317
       -
                           type = types.listOf types.str;

     

       318
       318
       -
                           description = ''

     

       319
       319
       -
                             List of resources to host on this listener.

     

       320
       320
       -
                           '';

     

       321
       321
       -
                           example = ["client" "federation"];

     

       322
       322
       -
                         };

     

       323
       323
       -
                         compress = mkOption {

     

       324
       324
       -
                           type = types.bool;

     

       325
       325
       -
                           description = ''

     

       326
       326
       -
                             Should synapse compress HTTP responses to clients that support it?

     

       327
       327
       -
                             This should be disabled if running synapse behind a load balancer

     

       328
       328
       -
                             that can do automatic compression.

     

       329
       329
       -
                           '';

     

       330
       330
       -
                         };

     

       331
       331
       -
                       };

     

       332
       332
       -
                     });

     

       333
       333
       -
                     description = ''

     

       334
       334
       -
                       List of HTTP resources to serve on this listener.

     

       335
       335
       -
                     '';

     

       336
       336
       -
                   };

     

       337
       337
       -
                 };

     

       338
       338
       -
               });

     

       339
       339
       -
               default = [{

     

       340
       340
       -
                 port = 8448;

     

       341
       341
       -
                 bind_address = "";

     

       342
       342
       -
                 type = "http";

     

       343
       343
       -
                 tls = true;

     

       344
       344
       -
                 x_forwarded = false;

     

       345
       345
       -
                 resources = [

     

       346
       346
       -
                   { names = ["client"]; compress = true; }

     

       347
       347
       -
                   { names = ["federation"]; compress = false; }

     

       348
       348
       -
                 ];

     

       349
       349
       -
               }];

     

       350
       350
       -
               description = ''

     

       351
       351
       -
                 List of ports that Synapse should listen on, their purpose and their configuration.

     

       352
       352
       -
               '';

     

       353
       353
       -
             };

     

       354
       354
       -
             verbose = mkOption {

     

       355
       355
       -
               type = types.str;

     

       356
       356
       -
               default = "0";

     

       357
       357
       -
               description = "Logging verbosity level.";

     

       358
       358
       -
             };

     

       359
       359
       -
             rc_messages_per_second = mkOption {

     

       360
       360
       -
               type = types.str;

     

       361
       361
       -
               default = "0.2";

     

       362
       362
       -
               description = "Number of messages a client can send per second";

     

       363
       363
       -
             };

     

       364
       364
       -
             rc_message_burst_count = mkOption {

     

       365
       365
       -
               type = types.str;

     

       366
       366
       -
               default = "10.0";

     

       367
       367
       -
               description = "Number of message a client can send before being throttled";

     

       368
       368
       -
             };

     

       369
       369
       -
             federation_rc_window_size = mkOption {

     

       370
       370
       -
               type = types.str;

     

       371
       371
       -
               default = "1000";

     

       372
       372
       -
               description = "The federation window size in milliseconds";

     

       373
       373
       -
             };

     

       374
       374
       -
             federation_rc_sleep_limit = mkOption {

     

       375
       375
       -
               type = types.str;

     

       376
       376
       -
               default = "10";

     

       377
       377
       -
               description = ''

     

       378
       378
       -
                 The number of federation requests from a single server in a window

     

       379
       379
       -
                 before the server will delay processing the request.

     

       380
       380
       -
               '';

     

       381
       381
       -
             };

     

       382
       382
       -
             federation_rc_sleep_delay = mkOption {

     

       383
       383
       -
               type = types.str;

     

       384
       384
       -
               default = "500";

     

       385
       385
       -
               description = ''

     

       386
       386
       -
                 The duration in milliseconds to delay processing events from

     

       387
       387
       -
                 remote servers by if they go over the sleep limit.

     

       388
       388
       -
               '';

     

       389
       389
       -
             };

     

       390
       390
       -
             federation_rc_reject_limit = mkOption {

     

       391
       391
       -
               type = types.str;

     

       392
       392
       -
               default = "50";

     

       393
       393
       -
               description = ''

     

       394
       394
       -
                 The maximum number of concurrent federation requests allowed

     

       395
       395
       -
                 from a single server

     

       396
       396
       -
               '';

     

       397
       397
       -
             };

     

       398
       398
       -
             federation_rc_concurrent = mkOption {

     

       399
       399
       -
               type = types.str;

     

       400
       400
       -
               default = "3";

     

       401
       401
       -
               description = "The number of federation requests to concurrently process from a single server";

     

       402
       402
       -
             };

     

       403
       403
       -
             database_type = mkOption {

     

       404
       404
       -
               type = types.enum [ "sqlite3" "psycopg2" ];

     

       405
       405
       -
               default = if versionAtLeast config.system.stateVersion "18.03"

     

       406
       406
       -
                 then "psycopg2"

     

       407
       407
       -
                 else "sqlite3";

     

       408
       408
       -
               defaultText = literalExpression ''

     

       409
       409
       -
                 if versionAtLeast config.system.stateVersion "18.03"

     

       410
       410
       -
                   then "psycopg2"

     

       411
       411
       -
                   else "sqlite3"

     

       412
       412
       -
               '';

     

       413
       413
       -
               description = ''

     

       414
       414
       -
                 The database engine name. Can be sqlite or psycopg2.

     

       415
       415
       -
               '';

     

       416
       416
       -
             };

     

       417
       417
       -
             database_name = mkOption {

     

       418
       418
       -
               type = types.str;

     

       419
       419
       -
               default = "matrix-synapse";

     

       420
       420
       -
               description = "Database name.";

     

       421
       421
       -
             };

     

       422
       422
       -
             database_user = mkOption {

     

       423
       423
       -
               type = types.str;

     

       424
       424
       -
               default = "matrix-synapse";

     

       425
       425
       -
               description = "Database user name.";

     

       426
       426
       -
             };

     

       427
       427
       -
             database_args = mkOption {

     

       428
       428
       -
               type = types.attrs;

     

       429
       429
       -
               default = {

     

       430
       430
       -
                 sqlite3 = { database = "${cfg.dataDir}/homeserver.db"; };

     

       431
       431
       -
                 psycopg2 = {

     

       432
       432
       -
                   user = cfg.database_user;

     

       433
       433
       -
                   database = cfg.database_name;

     

       434
       434
       -
                 };

     

       435
       435
       -
               }.${cfg.database_type};

     

       436
       436
       -
               defaultText = literalDocBook ''

     

       437
       437
       -
                 <variablelist>

     

       438
       438
       -
                   <varlistentry>

     

       439
       439
       -
                     <term>using sqlite3</term>

     

       440
       440
       -
                     <listitem>

     

       441
       441
       -
                       <programlisting>

     

       442
       442
       -
                         { database = "''${config.${opt.dataDir}}/homeserver.db"; }

     

       443
       443
       -
                       </programlisting>

     

       444
       444
       -
                     </listitem>

     

       445
       445
       -
                   </varlistentry>

     

       446
       446
       -
                   <varlistentry>

     

       447
       447
       -
                     <term>using psycopg2</term>

     

       448
       448
       -
                     <listitem>

     

       449
       449
       -
                       <programlisting>

     

       450
       450
       -
                         psycopg2 = {

     

       451
       451
       -
                           user = config.${opt.database_user};

     

       452
       452
       -
                           database = config.${opt.database_name};

     

       453
       453
       -
                         }

     

       454
       454
       -
                       </programlisting>

     

       455
       455
       -
                     </listitem>

     

       456
       456
       -
                   </varlistentry>

     

       457
       457
       -
                 </variablelist>

     

       458
       458
       -
               '';

     

       459
       459
       -
               description = ''

     

       460
       460
       -
                 Arguments to pass to the engine.

     

       461
       461
       -
               '';

     

       462
       462
       -
             };

     

       463
       463
       -
             event_cache_size = mkOption {

     

       464
       464
       -
               type = types.str;

     

       465
       465
       -
               default = "10K";

     

       466
       466
       -
               description = "Number of events to cache in memory.";

     

       467
       467
       -
             };

     

       468
       468
       -
             url_preview_enabled = mkOption {

     

       469
       469
       -
               type = types.bool;

     

       470
       470
       -
               default = false;

     

       471
       471
       -
               description = ''

     

       472
       472
       -
                 Is the preview URL API enabled?  If enabled, you *must* specify an

     

       473
       473
       -
                 explicit url_preview_ip_range_blacklist of IPs that the spider is

     

       474
       474
       -
                 denied from accessing.

     

       475
       475
       -
               '';

     

       476
       476
       -
             };

     

       477
       477
       -
             url_preview_ip_range_blacklist = mkOption {

     

       478
       478
       -
               type = types.listOf types.str;

     

       479
       479
       -
               default = [

     

       480
       480
       -
                 "127.0.0.0/8"

     

       481
       481
       -
                 "10.0.0.0/8"

     

       482
       482
       -
                 "172.16.0.0/12"

     

       483
       483
       -
                 "192.168.0.0/16"

     

       484
       484
       -
                 "100.64.0.0/10"

     

       485
       485
       -
                 "169.254.0.0/16"

     

       486
       486
       -
                 "::1/128"

     

       487
       487
       -
                 "fe80::/64"

     

       488
       488
       -
                 "fc00::/7"

     

       489
       489
       -
               ];

     

       490
       490
       -
               description = ''

     

       491
       491
       -
                 List of IP address CIDR ranges that the URL preview spider is denied

     

       492
       492
       -
                 from accessing.

     

       493
       493
       -
               '';

     

       494
       494
       -
             };

     

       495
       495
       -
             url_preview_ip_range_whitelist = mkOption {

     

       496
       496
       -
               type = types.listOf types.str;

     

       497
       497
       -
               default = [];

     

       498
       498
       -
               description = ''

     

       499
       499
       -
                 List of IP address CIDR ranges that the URL preview spider is allowed

     

       500
       500
       -
                 to access even if they are specified in

     

       501
       501
       -
                 url_preview_ip_range_blacklist.

     

       502
       502
       -
               '';

     

       503
       503
       -
             };

     

       504
       504
       -
             url_preview_url_blacklist = mkOption {

     

       505
       505
       -
               type = types.listOf types.str;

     

       506
       506
       -
               default = [];

     

       507
       507
       -
               description = ''

     

       508
       508
       -
                 Optional list of URL matches that the URL preview spider is

     

       509
       509
       -
                 denied from accessing.

     

       510
       510
       -
               '';

     

       511
       511
       -
             };

     

       512
       512
       -
             recaptcha_private_key = mkOption {

     

       513
       513
       -
               type = types.str;

     

       514
       514
       -
               default = "";

     

       515
       515
       -
               description = ''

     

       516
       516
       -
                 This Home Server's ReCAPTCHA private key.

     

       517
       517
       -
               '';

     

       518
       518
       -
             };

     

       519
       519
       -
             recaptcha_public_key = mkOption {

     

       520
       520
       -
               type = types.str;

     

       521
       521
       -
               default = "";

     

       522
       522
       -
               description = ''

     

       523
       523
       -
                 This Home Server's ReCAPTCHA public key.

     

       524
       524
       -
               '';

     

       525
       525
       -
             };

     

       526
       526
       -
             enable_registration_captcha = mkOption {

     

       527
       527
       -
               type = types.bool;

     

       528
       528
       -
               default = false;

     

       529
       529
       -
               description = ''

     

       530
       530
       -
                 Enables ReCaptcha checks when registering, preventing signup

     

       531
       531
       -
                 unless a captcha is answered. Requires a valid ReCaptcha

     

       532
       532
       -
                 public/private key.

     

       533
       533
       -
               '';

     

       534
       534
       -
             };

     

       535
       535
       -
             turn_uris = mkOption {

     

       536
       536
       -
               type = types.listOf types.str;

     

       537
       537
       -
               default = [];

     

       538
       538
       -
               description = ''

     

       539
       539
       -
                 The public URIs of the TURN server to give to clients

     

       540
       540
       -
               '';

     

       541
       541
       -
             };

     

       542
       542
       -
             turn_shared_secret = mkOption {

     

       543
       543
       -
               type = types.str;

     

       544
       544
       -
               default = "";

     

       545
       545
       -
               description = ''

     

       546
       546
       -
                 The shared secret used to compute passwords for the TURN server

     

       547
       547
       -
               '';

     

       548
       548
       -
             };

     

       549
       549
       -
             turn_user_lifetime = mkOption {

     

       550
       550
       -
               type = types.str;

     

       551
       551
       -
               default = "1h";

     

       552
       552
       -
               description = "How long generated TURN credentials last";

     

       553
       553
       -
             };

     

       554
       554
       -
             enable_registration = mkOption {

     

       555
       555
       -
               type = types.bool;

     

       556
       556
       -
               default = false;

     

       557
       557
       -
               description = ''

     

       558
       558
       -
                 Enable registration for new users.

     

       559
       559
       -
               '';

     

       560
       560
       -
             };

     

       561
       561
       -
             registration_shared_secret = mkOption {

     

       562
       562
       -
               type = types.nullOr types.str;

     

       563
       563
       -
               default = null;

     

       564
       564
       -
               description = ''

     

       565
       565
       -
                 If set, allows registration by anyone who also has the shared

     

       566
       566
       -
                 secret, even if registration is otherwise disabled.

     

       567
       567
       -
               '';

     

       568
       568
       -
             };

     

       569
       569
       -
             enable_metrics = mkOption {

     

       570
       570
       -
               type = types.bool;

     

       571
       571
       -
               default = false;

     

       572
       572
       -
               description = ''

     

       573
       573
       -
                 Enable collection and rendering of performance metrics

     

       574
       574
       -
               '';

     

       575
       575
       -
             };

     

       576
       576
       -
             report_stats = mkOption {

     

       577
       577
       -
               type = types.bool;

     

       578
       578
       -
               default = false;

     

       579
       579
       -
               description = "";

     

       580
       580
       -
             };

     

       581
       581
       -
             servers = mkOption {

     

       582
       582
       -
               type = types.attrsOf (types.attrsOf types.str);

     

       583
       583
       -
               default = {

     

       584
       584
       -
                 "matrix.org" = {

     

       585
       585
       -
                   "ed25519:auto" = "Noi6WqcDj0QmPxCNQqgezwTlBKrfqehY1u2FyWP9uYw";

     

       586
       586
       -
                 };

     

       587
       587
       -
               };

     

       588
       588
       -
               description = ''

     

       589
       589
       -
                 The trusted servers to download signing keys from.

     

       590
       590
       -
               '';

     

       591
       591
       -
             };

     

       592
       592
       -
             max_upload_size = mkOption {

     

       593
       593
       -
               type = types.str;

     

       594
       594
       -
               default = "10M";

     

       595
       595
       -
               description = "The largest allowed upload size in bytes";

     

       596
       596
       -
             };

     

       597
       597
       -
             max_image_pixels = mkOption {

     

       598
       598
       -
               type = types.str;

     

       599
       599
       -
               default = "32M";

     

       600
       600
       -
               description = "Maximum number of pixels that will be thumbnailed";

     

       601
       601
       -
             };

     

       602
       602
       -
             dynamic_thumbnails = mkOption {

     

       603
       603
       -
               type = types.bool;

     

       604
       604
       -
               default = false;

     

       605
       605
       -
               description = ''

     

       606
       606
       -
                 Whether to generate new thumbnails on the fly to precisely match

     

       607
       607
       -
                 the resolution requested by the client. If true then whenever

     

       608
       608
       -
                 a new resolution is requested by the client the server will

     

       609
       609
       -
                 generate a new thumbnail. If false the server will pick a thumbnail

     

       610
       610
       -
                 from a precalculated list.

     

       611
       611
       -
               '';

     

       612
       612
       -
             };

     

       613
       613
       -
             user_creation_max_duration = mkOption {

     

       614
       614
       -
               type = types.str;

     

       615
       615
       -
               default = "1209600000";

     

       616
       616
       -
               description = ''

     

       617
       617
       -
                 Sets the expiry for the short term user creation in

     

       618
       618
       -
                 milliseconds. The default value is two weeks.

     

       619
       619
       -
               '';

     

       620
       620
       -
             };

     

       621
       621
       -
             bcrypt_rounds = mkOption {

     

       622
       622
       -
               type = types.str;

     

       623
       623
       -
               default = "12";

     

       624
       624
       -
               description = ''

     

       625
       625
       -
                 Set the number of bcrypt rounds used to generate password hash.

     

       626
       626
       -
                 Larger numbers increase the work factor needed to generate the hash.

     

       627
       627
       -
               '';

     

       628
       628
       -
             };

     

       629
       629
       -
             allow_guest_access = mkOption {

     

       630
       630
       -
               type = types.bool;

     

       631
       631
       -
               default = false;

     

       632
       632
       -
               description = ''

     

       633
       633
       -
                 Allows users to register as guests without a password/email/etc, and

     

       634
       634
       -
                 participate in rooms hosted on this server which have been made

     

       635
       635
       -
                 accessible to anonymous users.

     

       636
       636
       -
               '';

     

       637
       637
       -
             };

     

       638
       638
       -
             account_threepid_delegates.email = mkOption {

     

       639
       639
       -
               type = types.nullOr types.str;

     

       640
       640
       -
               default = null;

     

       641
       641
       -
               description = ''

     

       642
       642
       -
                 Delegate email sending to https://example.org

     

       643
       643
       -
               '';

     

       644
       644
       -
             };

     

       645
       645
       -
             account_threepid_delegates.msisdn = mkOption {

     

       646
       646
       -
               type = types.nullOr types.str;

     

       647
       647
       -
               default = null;

     

       648
       648
       -
               description = ''

     

       649
       649
       -
                 Delegate SMS sending to this local process (https://localhost:8090)

     

       650
       650
       -
               '';

     

       651
       651
       -
             };

     

       652
       652
       -
             room_prejoin_state.additional_event_types = mkOption {

     

       653
       653
       -
               default = [];

     

       654
       654
       -
               type = types.listOf types.str;

     

       655
       655
       -
               description = ''

     

       656
       656
       -
                 Additional events to share with users who received an invite.

     

       657
       657
       -
               '';

     

       658
       658
       -
             };

     

       659
       659
       -
             room_prejoin_state.disable_default_event_types = mkOption {

     

       660
       660
       -
               default = false;

     

       661
       661
       -
               type = types.bool;

     

       662
       662
       -
               description = ''

     

       663
       663
       -
                 Whether to disable the default state-event types for users invited to a room.

     

       664
       664
       -
                 These are:

     

       665
       665
       -
       

     

       666
       666
       -
                 <itemizedlist>

     

       667
       667
       -
                 <listitem><para>m.room.join_rules</para></listitem>

     

       668
       668
       -
                 <listitem><para>m.room.canonical_alias</para></listitem>

     

       669
       669
       -
                 <listitem><para>m.room.avatar</para></listitem>

     

       670
       670
       -
                 <listitem><para>m.room.encryption</para></listitem>

     

       671
       671
       -
                 <listitem><para>m.room.name</para></listitem>

     

       672
       672
       -
                 <listitem><para>m.room.create</para></listitem>

     

       673
       673
       -
                 </itemizedlist>

     

       674
       674
       -
               '';

     

       675
       675
       -
             };

     

       676
       676
       -
             macaroon_secret_key = mkOption {

     

       677
       677
       -
               type = types.nullOr types.str;

     

       678
       678
       -
               default = null;

     

       679
       679
       -
               description = ''

     

       680
       680
       -
                 Secret key for authentication tokens

     

       681
       681
       -
               '';

     

       682
       682
       -
             };

     

       683
       683
       -
             expire_access_token = mkOption {

     

       684
       684
       -
               type = types.bool;

     

       685
       685
       -
               default = false;

     

       686
       686
       -
               description = ''

     

       687
       687
       -
                 Whether to enable access token expiration.

     

       688
       688
       -
               '';

     

       689
       689
       -
             };

     

       690
       690
       -
             key_refresh_interval = mkOption {

     

       691
       691
       -
               type = types.str;

     

       692
       692
       -
               default = "1d";

     

       693
       693
       -
               description = ''

     

       694
       694
       -
                 How long key response published by this server is valid for.

     

       695
       695
       -
                 Used to set the valid_until_ts in /key/v2 APIs.

     

       696
       696
       -
                 Determines how quickly servers will query to check which keys

     

       697
       697
       -
                 are still valid.

     

       698
       698
       -
               '';

     

       699
       699
       -
             };

     

       700
       700
       -
             app_service_config_files = mkOption {

     

       701
       701
       -
               type = types.listOf types.path;

     

       702
       702
       -
               default = [ ];

     

       703
       703
       -
               description = ''

     

       704
       704
       -
                 A list of application service config file to use

     

       705
       705
       -
               '';

     

       706
       706
       -
             };

     

       707
       707
       -
             redaction_retention_period = mkOption {

     

       708
       708
       -
               type = types.int;

     

       709
       709
       -
               default = 7;

     

       710
       710
       -
               description = ''

     

       711
       711
       -
                 How long to keep redacted events in unredacted form in the database.

     

       712
       712
       -
               '';

     

       713
       713
       -
             };

     

       714
       714
       -
             extraConfig = mkOption {

     

       715
       715
       -
               type = types.lines;

     

       716
       716
       -
               default = "";

     

       717
       717
       -
               description = ''

     

       718
       718
       -
                 Extra config options for matrix-synapse.

     

       719
       719
       -
               '';

     

       720
       720
       -
             };

     

       721
       721
       -
             extraConfigFiles = mkOption {

     

       722
       722
       -
               type = types.listOf types.path;

     

       723
       723
       -
               default = [];

     

       724
       724
       -
               description = ''

     

       725
       725
       -
                 Extra config files to include.

     

       726
       726
       -
       

     

       727
       727
       -
                 The configuration files will be included based on the command line

     

       728
       728
       -
                 argument --config-path. This allows to configure secrets without

     

       729
       729
       -
                 having to go through the Nix store, e.g. based on deployment keys if

     

       730
       730
       -
                 NixOPS is in use.

     

       731
       731
       -
               '';

     

       732
       732
       -
             };

     

       733
       733
       -
             logConfig = mkOption {

     

       734
       734
       -
               type = types.lines;

     

       735
       735
       -
               default = readFile ./matrix-synapse-log_config.yaml;

     

       736
       736
       -
               description = ''

     

       737
       737
       -
                 A yaml python logging config file

     

       738
       738
       -
               '';

     

       739
       739
       -
             };

     

       740
       740
       -
             dataDir = mkOption {

     

       741
       741
       -
               type = types.str;

     

       742
       742
       -
               default = "/var/lib/matrix-synapse";

     

       743
       743
       -
               description = ''

     

       744
       744
       -
                 The directory where matrix-synapse stores its stateful data such as

     

       745
       745
       -
                 certificates, media and uploads.

     

       746
       746
       -
               '';

     

       747
       747
       -
             };

     

       748
       748
       -
           };

     

       749
       749
       -
         };

     

       750
       750
       -
       

     

       751
       751
       -
         config = mkIf cfg.enable {

     

       752
       752
       -
           assertions = [

     

       753
       753
       -
             { assertion = hasLocalPostgresDB -> config.services.postgresql.enable;

     

       754
       754
       -
               message = ''

     

       755
       755
       -
                 Cannot deploy matrix-synapse with a configuration for a local postgresql database

     

       756
       756
       -
                   and a missing postgresql service. Since 20.03 it's mandatory to manually configure the

     

       757
       757
       -
                   database (please read the thread in https://github.com/NixOS/nixpkgs/pull/80447 for

     

       758
       758
       -
                   further reference).

     

       759
       759
       -
       

     

       760
       760
       -
                   If you

     

       761
       761
       -
                   - try to deploy a fresh synapse, you need to configure the database yourself. An example

     

       762
       762
       -
                     for this can be found in <nixpkgs/nixos/tests/matrix-synapse.nix>

     

       763
       763
       -
                   - update your existing matrix-synapse instance, you simply need to add `services.postgresql.enable = true`

     

       764
       764
       -
                     to your configuration.

     

       765
       765
       -
       

     

       766
       766
       -
                 For further information about this update, please read the release-notes of 20.03 carefully.

     

       767
       767
       -
               '';

     

       768
       768
       -
             }

     

       769
       769
       -
           ];

     

       770
       770
       -
       

     

       771
       771
       -
           services.matrix-synapse.configFile = "${configFile}";

     

       772
       772
       -
       

     

       773
       773
       -
           users.users.matrix-synapse = {

     

       774
       774
       -
             group = "matrix-synapse";

     

       775
       775
       -
             home = cfg.dataDir;

     

       776
       776
       -
             createHome = true;

     

       777
       777
       -
             shell = "${pkgs.bash}/bin/bash";

     

       778
       778
       -
             uid = config.ids.uids.matrix-synapse;

     

       779
       779
       -
           };

     

       780
       780
       -
       

     

       781
       781
       -
           users.groups.matrix-synapse = {

     

       782
       782
       -
             gid = config.ids.gids.matrix-synapse;

     

       783
       783
       -
           };

     

       784
       784
       -
       

     

       785
       785
       -
           systemd.services.matrix-synapse = {

     

       786
       786
       -
             description = "Synapse Matrix homeserver";

     

       787
       787
       -
             after = [ "network.target" ] ++ optional hasLocalPostgresDB "postgresql.service";

     

       788
       788
       -
             wantedBy = [ "multi-user.target" ];

     

       789
       789
       -
             preStart = ''

     

       790
       790
       -
               ${cfg.package}/bin/synapse_homeserver \

     

       791
       791
       -
                 --config-path ${configFile} \

     

       792
       792
       -
                 --keys-directory ${cfg.dataDir} \

     

       793
       793
       -
                 --generate-keys

     

       794
       794
       -
             '';

     

       795
       795
       -
             environment = {

     

       796
       796
       -
               PYTHONPATH = makeSearchPathOutput "lib" cfg.package.python.sitePackages [ pluginsEnv ];

     

       797
       797
       -
             } // optionalAttrs (cfg.withJemalloc) {

     

       798
       798
       -
               LD_PRELOAD = "${pkgs.jemalloc}/lib/libjemalloc.so";

     

       799
       799
       -
             };

     

       800
       800
       -
             serviceConfig = {

     

       801
       801
       -
               Type = "notify";

     

       802
       802
       -
               User = "matrix-synapse";

     

       803
       803
       -
               Group = "matrix-synapse";

     

       804
       804
       -
               WorkingDirectory = cfg.dataDir;

     

       805
       805
       -
               ExecStartPre = [ ("+" + (pkgs.writeShellScript "matrix-synapse-fix-permissions" ''

     

       806
       806
       -
                 chown matrix-synapse:matrix-synapse ${cfg.dataDir}/homeserver.signing.key

     

       807
       807
       -
                 chmod 0600 ${cfg.dataDir}/homeserver.signing.key

     

       808
       808
       -
               '')) ];

     

       809
       809
       -
               ExecStart = ''

     

       810
       810
       -
                 ${cfg.package}/bin/synapse_homeserver \

     

       811
       811
       -
                   ${ concatMapStringsSep "\n  " (x: "--config-path ${x} \\") ([ configFile ] ++ cfg.extraConfigFiles) }

     

       812
       812
       -
                   --keys-directory ${cfg.dataDir}

     

       813
       813
       -
               '';

     

       814
       814
       -
               ExecReload = "${pkgs.util-linux}/bin/kill -HUP $MAINPID";

     

       815
       815
       -
               Restart = "on-failure";

     

       816
       816
       -
               UMask = "0077";

     

       817
       817
       -
             };

     

       818
       818
       -
           };

     

       819
       819
       -
       

     

       820
       820
       -
           environment.systemPackages = [ registerNewMatrixUser ];

     

       821
       821
       -
         };

     

       822
       822
       -
       

     

       823
       823
       -
         imports = [

     

       824
       824
       -
           (mkRemovedOptionModule [ "services" "matrix-synapse" "trusted_third_party_id_servers" ] ''

     

       825
       825
       -
             The `trusted_third_party_id_servers` option as been removed in `matrix-synapse` v1.4.0

     

       826
       826
       -
             as the behavior is now obsolete.

     

       827
       827
       -
           '')

     

       828
       828
       -
           (mkRemovedOptionModule [ "services" "matrix-synapse" "create_local_database" ] ''

     

       829
       829
       -
             Database configuration must be done manually. An exemplary setup is demonstrated in

     

       830
       830
       -
             <nixpkgs/nixos/tests/matrix-synapse.nix>

     

       831
       831
       -
           '')

     

       832
       832
       -
           (mkRemovedOptionModule [ "services" "matrix-synapse" "web_client" ] "")

     

       833
       833
       -
           (mkRemovedOptionModule [ "services" "matrix-synapse" "room_invite_state_types" ] ''

     

       834
       834
       -
             You may add additional event types via

     

       835
       835
       -
             `services.matrix-synapse.room_prejoin_state.additional_event_types` and

     

       836
       836
       -
             disable the default events via

     

       837
       837
       -
             `services.matrix-synapse.room_prejoin_state.disable_default_event_types`.

     

       838
       838
       -
           '')

     

       839
       839
       -
         ];

     

       840
       840
       -
       

     

       841
       841
       -
         meta.doc = ./matrix-synapse.xml;

     

       842
       842
       -
         meta.maintainers = teams.matrix.members;

     

       843
       843
       -
       

     

       844
       844
       -
       }

+18 -17

nixos/modules/services/misc/matrix-synapse.xml nixos/modules/services/matrix/matrix-synapse.xml

···

       115
       115
        
         };

     

       116
       116
        
         services.matrix-synapse = {

     

       117
       117
        
           <link linkend="opt-services.matrix-synapse.enable">enable</link> = true;

     

       118
       118
       -
           <link linkend="opt-services.matrix-synapse.server_name">server_name</link> = config.networking.domain;

     

       119
       119
       -
           <link linkend="opt-services.matrix-synapse.listeners">listeners</link> = [

     

       118
       118
       +
           <link linkend="opt-services.matrix-synapse.settings.server_name">server_name</link> = config.networking.domain;

     

       119
       119
       +
           <link linkend="opt-services.matrix-synapse.settings.listeners">listeners</link> = [

     

       120
       120
        
             {

     

       121
       121
       -
               <link linkend="opt-services.matrix-synapse.listeners._.port">port</link> = 8008;

     

       122
       122
       -
               <link linkend="opt-services.matrix-synapse.listeners._.bind_address">bind_address</link> = "::1";

     

       123
       123
       -
               <link linkend="opt-services.matrix-synapse.listeners._.type">type</link> = "http";

     

       124
       124
       -
               <link linkend="opt-services.matrix-synapse.listeners._.tls">tls</link> = false;

     

       125
       125
       -
               <link linkend="opt-services.matrix-synapse.listeners._.x_forwarded">x_forwarded</link> = true;

     

       126
       126
       -
               <link linkend="opt-services.matrix-synapse.listeners._.resources">resources</link> = [

     

       127
       127
       -
                 {

     

       128
       128
       -
                   <link linkend="opt-services.matrix-synapse.listeners._.resources._.names">names</link> = [ "client" "federation" ];

     

       129
       129
       -
                   <link linkend="opt-services.matrix-synapse.listeners._.resources._.compress">compress</link> = false;

     

       130
       130
       -
                 }

     

       131
       131
       -
               ];

     

       121
       121
       +
               <link linkend="opt-services.matrix-synapse.settings.listeners._.port">port</link> = 8008;

     

       122
       122
       +
               <link linkend="opt-services.matrix-synapse.settings.listeners._.bind_addresses">bind_address</link> = [ "::1" ];

     

       123
       123
       +
               <link linkend="opt-services.matrix-synapse.settings.listeners._.type">type</link> = "http";

     

       124
       124
       +
               <link linkend="opt-services.matrix-synapse.settings.listeners._.tls">tls</link> = false;

     

       125
       125
       +
               <link linkend="opt-services.matrix-synapse.settings.listeners._.x_forwarded">x_forwarded</link> = true;

     

       126
       126
       +
               <link linkend="opt-services.matrix-synapse.settings.listeners._.resources">resources</link> = [ {

     

       127
       127
       +
                 <link linkend="opt-services.matrix-synapse.settings.listeners._.resources._.names">names</link> = [ "client" ];

     

       128
       128
       +
                 <link linkend="opt-services.matrix-synapse.settings.listeners._.resources._.compress">compress</link> = true;

     

       129
       129
       +
               } {

     

       130
       130
       +
                 <link linkend="opt-services.matrix-synapse.settings.listeners._.resources._.names">names</link> = [ "federation" ];

     

       131
       131
       +
                 <link linkend="opt-services.matrix-synapse.settings.listeners._.resources._.compress">compress</link> = false;

     

       132
       132
       +
               } ];

     

       132
       133
        
             }

     

       133
       134
        
           ];

     

       134
       135
        
         };

     
···

       151
       152
        
       

     

       152
       153
        
         <para>

     

       153
       154
        
          If you want to run a server with public registration by anybody, you can

     

       154
       154
       -
          then enable <literal><link linkend="opt-services.matrix-synapse.enable_registration">services.matrix-synapse.enable_registration</link> =

     

       155
       155
       +
          then enable <literal><link linkend="opt-services.matrix-synapse.settings.enable_registration">services.matrix-synapse.enable_registration</link> =

     

       155
       156
        
          true;</literal>. Otherwise, or you can generate a registration secret with

     

       156
       157
        
          <command>pwgen -s 64 1</command> and set it with

     

       157
       157
       -
          <option><link linkend="opt-services.matrix-synapse.registration_shared_secret">services.matrix-synapse.registration_shared_secret</link></option>. To

     

       158
       158
       -
          create a new user or admin, run the following after you have set the secret

     

       158
       158
       +
          <option><link linkend="opt-services.matrix-synapse.settings.registration_shared_secret">services.matrix-synapse.registration_shared_secret</link></option>.

     

       159
       159
       +
          To create a new user or admin, run the following after you have set the secret

     

       159
       160
        
          and have rebuilt NixOS:

     

       160
       161
        
       <screen>

     

       161
       162
        
       <prompt>$ </prompt>nix run nixpkgs.matrix-synapse

     
···

       170
       171
        
          <literal>@your-username:example.org</literal>. Note that the registration

     

       171
       172
        
          secret ends up in the nix store and therefore is world-readable by any user

     

       172
       173
        
          on your machine, so it makes sense to only temporarily activate the

     

       173
       173
       -
          <link linkend="opt-services.matrix-synapse.registration_shared_secret">registration_shared_secret</link>

     

       174
       174
       +
          <link linkend="opt-services.matrix-synapse.settings.registration_shared_secret">registration_shared_secret</link>

     

       174
       175
        
          option until a better solution for NixOS is in place.

     

       175
       176
        
         </para>

     

       176
       177
        
        </section>

+23 -19

nixos/tests/matrix-appservice-irc.nix

···

       1
       1
        
       import ./make-test-python.nix ({ pkgs, ... }:

     

       2
       2
        
         let

     

       3
       3
       -
           homeserverUrl = "http://homeserver:8448";

     

       3
       3
       +
           homeserverUrl = "http://homeserver:8008";

     

       4
       4
        
         in

     

       5
       5
        
         {

     

       6
       6
        
           name = "matrix-appservice-irc";

     
···

       14
       14
        
               specialisation.running.configuration = {

     

       15
       15
        
                 services.matrix-synapse = {

     

       16
       16
        
                   enable = true;

     

       17
       17
       -
                   database_type = "sqlite3";

     

       18
       18
       -
                   app_service_config_files = [ "/registration.yml" ];

     

       17
       17
       +
                   settings = {

     

       18
       18
       +
                     database.name = "sqlite3";

     

       19
       19
       +
                     app_service_config_files = [ "/registration.yml" ];

     

       19
       20
        
       

     

       20
       20
       -
                   enable_registration = true;

     

       21
       21
       +
                     enable_registration = true;

     

       21
       22
        
       

     

       22
       22
       -
                   listeners = [

     

       23
       23
       -
                     # The default but tls=false

     

       24
       24
       -
                     {

     

       25
       25
       -
                       "bind_address" = "";

     

       26
       26
       -
                       "port" = 8448;

     

       27
       27
       -
                       "resources" = [

     

       28
       28
       -
                         { "compress" = true; "names" = [ "client" ]; }

     

       29
       29
       -
                         { "compress" = false; "names" = [ "federation" ]; }

     

       23
       23
       +
                     listeners = [ {

     

       24
       24
       +
                       # The default but tls=false

     

       25
       25
       +
                       bind_addresses = [

     

       26
       26
       +
                         "0.0.0.0"

     

       30
       27
        
                       ];

     

       31
       31
       -
                       "tls" = false;

     

       32
       32
       -
                       "type" = "http";

     

       33
       33
       -
                       "x_forwarded" = false;

     

       34
       34
       -
                     }

     

       35
       35
       -
                   ];

     

       28
       28
       +
                       port = 8008;

     

       29
       29
       +
                       resources = [ {

     

       30
       30
       +
                         "compress" = true;

     

       31
       31
       +
                         "names" = [ "client" ];

     

       32
       32
       +
                       } {

     

       33
       33
       +
                         "compress" = false;

     

       34
       34
       +
                         "names" = [ "federation" ];

     

       35
       35
       +
                       } ];

     

       36
       36
       +
                       tls = false;

     

       37
       37
       +
                       type = "http";

     

       38
       38
       +
                     } ];

     

       39
       39
       +
                   };

     

       36
       40
        
                 };

     

       37
       41
        
       

     

       38
       38
       -
                 networking.firewall.allowedTCPPorts = [ 8448 ];

     

       42
       42
       +
                 networking.firewall.allowedTCPPorts = [ 8008 ];

     

       39
       43
        
               };

     

       40
       44
        
             };

     

       41
       45
        
       

     
···

       209
       213
        
                 )

     

       210
       214
        
       

     

       211
       215
        
                 homeserver.wait_for_unit("matrix-synapse.service")

     

       212
       212
       -
                 homeserver.wait_for_open_port(8448)

     

       216
       216
       +
                 homeserver.wait_for_open_port(8008)

     

       213
       217
        
       

     

       214
       218
        
             with subtest("ensure messages can be exchanged"):

     

       215
       219
        
                 client.succeed("do_test ${homeserverUrl} >&2")

+46 -18

nixos/tests/matrix-synapse.nix

···

       33
       33
        
         testUser = "alice";

     

       34
       34
        
         testPassword = "alicealice";

     

       35
       35
        
         testEmail = "alice@example.com";

     

       36
       36
       +
       

     

       37
       37
       +
         listeners = [ {

     

       38
       38
       +
           port = 8448;

     

       39
       39
       +
           bind_addresses = [

     

       40
       40
       +
             "127.0.0.1"

     

       41
       41
       +
             "::1"

     

       42
       42
       +
           ];

     

       43
       43
       +
           type = "http";

     

       44
       44
       +
           tls = true;

     

       45
       45
       +
           x_forwarded = false;

     

       46
       46
       +
           resources = [ {

     

       47
       47
       +
             names = [

     

       48
       48
       +
               "client"

     

       49
       49
       +
             ];

     

       50
       50
       +
             compress = true;

     

       51
       51
       +
           } {

     

       52
       52
       +
             names = [

     

       53
       53
       +
               "federation"

     

       54
       54
       +
             ];

     

       55
       55
       +
             compress = false;

     

       56
       56
       +
           } ];

     

       57
       57
       +
         } ];

     

       58
       58
       +
       

     

       36
       59
        
       in {

     

       37
       60
        
       

     

       38
       61
        
         name = "matrix-synapse";

     
···

       48
       71
        
           {

     

       49
       72
        
             services.matrix-synapse = {

     

       50
       73
        
               enable = true;

     

       51
       51
       -
               database_type = "psycopg2";

     

       52
       52
       -
               tls_certificate_path = "${cert}";

     

       53
       53
       -
               tls_private_key_path = "${key}";

     

       54
       54
       -
               database_args = {

     

       55
       55
       -
                 password = "synapse";

     

       74
       74
       +
               settings = {

     

       75
       75
       +
                 inherit listeners;

     

       76
       76
       +
                 database = {

     

       77
       77
       +
                   name = "psycopg2";

     

       78
       78
       +
                   args.password = "synapse";

     

       79
       79
       +
                 };

     

       80
       80
       +
                 tls_certificate_path = "${cert}";

     

       81
       81
       +
                 tls_private_key_path = "${key}";

     

       82
       82
       +
                 registration_shared_secret = registrationSharedSecret;

     

       83
       83
       +
                 public_baseurl = "https://example.com";

     

       84
       84
       +
                 email = {

     

       85
       85
       +
                   smtp_host = mailerDomain;

     

       86
       86
       +
                   smtp_port = 25;

     

       87
       87
       +
                   require_transport_security = true;

     

       88
       88
       +
                   notif_from = "matrix <matrix@${mailerDomain}>";

     

       89
       89
       +
                   app_name = "Matrix";

     

       90
       90
       +
                 };

     

       56
       91
        
               };

     

       57
       57
       -
               registration_shared_secret = registrationSharedSecret;

     

       58
       58
       -
               public_baseurl = "https://example.com";

     

       59
       59
       -
               extraConfig = ''

     

       60
       60
       -
                 email:

     

       61
       61
       -
                   smtp_host: "${mailerDomain}"

     

       62
       62
       -
                   smtp_port: 25

     

       63
       63
       -
                   require_transport_security: true

     

       64
       64
       -
                   notif_from: "matrix <matrix@${mailerDomain}>"

     

       65
       65
       -
                   app_name: "Matrix"

     

       66
       66
       -
               '';

     

       67
       92
        
             };

     

       68
       93
        
             services.postgresql = {

     

       69
       94
        
               enable = true;

     
···

       165
       190
        
           serversqlite = args: {

     

       166
       191
        
             services.matrix-synapse = {

     

       167
       192
        
               enable = true;

     

       168
       168
       -
               database_type = "sqlite3";

     

       169
       169
       -
               tls_certificate_path = "${cert}";

     

       170
       170
       -
               tls_private_key_path = "${key}";

     

       193
       193
       +
               settings = {

     

       194
       194
       +
                 inherit listeners;

     

       195
       195
       +
                 database.name = "sqlite3";

     

       196
       196
       +
                 tls_certificate_path = "${cert}";

     

       197
       197
       +
                 tls_private_key_path = "${key}";

     

       198
       198
       +
               };

     

       171
       199
        
             };

     

       172
       200
        
           };

     

       173
       201
        
         };

+23 -18

nixos/tests/matrix/mjolnir.nix

···

       38
       38
        
             homeserver = { pkgs, ... }: {

     

       39
       39
        
               services.matrix-synapse = {

     

       40
       40
        
                 enable = true;

     

       41
       41
       -
                 database_type = "sqlite3";

     

       42
       42
       -
                 tls_certificate_path = "${cert}";

     

       43
       43
       -
                 tls_private_key_path = "${key}";

     

       44
       44
       -
                 enable_registration = true;

     

       45
       45
       -
                 registration_shared_secret = "supersecret-registration";

     

       41
       41
       +
                 settings = {

     

       42
       42
       +
                   database.name = "sqlite3";

     

       43
       43
       +
                   tls_certificate_path = "${cert}";

     

       44
       44
       +
                   tls_private_key_path = "${key}";

     

       45
       45
       +
                   enable_registration = true;

     

       46
       46
       +
                   registration_shared_secret = "supersecret-registration";

     

       46
       47
        
       

     

       47
       47
       -
                 listeners = [

     

       48
       48
       -
                   # The default but tls=false

     

       49
       49
       -
                   {

     

       50
       50
       -
                     "bind_address" = "";

     

       51
       51
       -
                     "port" = 8448;

     

       52
       52
       -
                     "resources" = [

     

       53
       53
       -
                       { "compress" = true; "names" = [ "client" "webclient" ]; }

     

       54
       54
       -
                       { "compress" = false; "names" = [ "federation" ]; }

     

       48
       48
       +
                   listeners = [ {

     

       49
       49
       +
                     # The default but tls=false

     

       50
       50
       +
                     bind_addresses = [

     

       51
       51
       +
                       "0.0.0.0"

     

       55
       52
        
                     ];

     

       56
       56
       -
                     "tls" = false;

     

       57
       57
       -
                     "type" = "http";

     

       58
       58
       -
                     "x_forwarded" = false;

     

       59
       59
       -
                   }

     

       60
       60
       -
                 ];

     

       53
       53
       +
                     port = 8448;

     

       54
       54
       +
                     resources = [ {

     

       55
       55
       +
                       compress = true;

     

       56
       56
       +
                       names = [ "client" ];

     

       57
       57
       +
                     } {

     

       58
       58
       +
                       compress = false;

     

       59
       59
       +
                       names = [ "federation" ];

     

       60
       60
       +
                     } ];

     

       61
       61
       +
                     tls = false;

     

       62
       62
       +
                     type = "http";

     

       63
       63
       +
                     x_forwarded = false;

     

       64
       64
       +
                   } ];

     

       65
       65
       +
                 };

     

       61
       66
        
               };

     

       62
       67
        
       

     

       63
       68
        
               networking.firewall.allowedTCPPorts = [ 8448 ];

+26 -3

nixos/tests/matrix/pantalaimon.nix

···

       47
       47
        
       

     

       48
       48
        
             services.matrix-synapse = {

     

       49
       49
        
               enable = true;

     

       50
       50
       -
               database_type = "sqlite3";

     

       51
       51
       -
               tls_certificate_path = "${cert}";

     

       52
       52
       -
               tls_private_key_path = "${key}";

     

       50
       50
       +
               settings = {

     

       51
       51
       +
                 listeners = [ {

     

       52
       52
       +
                   port = 8448;

     

       53
       53
       +
                   bind_addresses = [

     

       54
       54
       +
                     "127.0.0.1"

     

       55
       55
       +
                     "::1"

     

       56
       56
       +
                   ];

     

       57
       57
       +
                   type = "http";

     

       58
       58
       +
                   tls = true;

     

       59
       59
       +
                   x_forwarded = false;

     

       60
       60
       +
                   resources = [ {

     

       61
       61
       +
                     names = [

     

       62
       62
       +
                       "client"

     

       63
       63
       +
                     ];

     

       64
       64
       +
                     compress = true;

     

       65
       65
       +
                   } {

     

       66
       66
       +
                     names = [

     

       67
       67
       +
                       "federation"

     

       68
       68
       +
                     ];

     

       69
       69
       +
                     compress = false;

     

       70
       70
       +
                   } ];

     

       71
       71
       +
                 } ];

     

       72
       72
       +
                 database.name = "sqlite3";

     

       73
       73
       +
                 tls_certificate_path = "${cert}";

     

       74
       74
       +
                 tls_private_key_path = "${key}";

     

       75
       75
       +
               };

     

       53
       76
        
             };

     

       54
       77
        
           };

     

       55
       78