diff --git a/nixos/doc/manual/release-notes/rl-1903.xml b/nixos/doc/manual/release-notes/rl-1903.xml
index d84e57333e9..daa47ad0595 100644
--- a/nixos/doc/manual/release-notes/rl-1903.xml
+++ b/nixos/doc/manual/release-notes/rl-1903.xml
@@ -378,6 +378,15 @@
(#54637)
+
+
+ matrix-synapse has been updated to version 0.99. It will
+ no longer generate a self-signed certificate on first launch
+ and will be the last version to accept self-signed certificates.
+ As such, it is now recommended to use a proper certificate verified by a
+ root CA (for example Let's Encrypt).
+
+
diff --git a/nixos/modules/services/misc/matrix-synapse.nix b/nixos/modules/services/misc/matrix-synapse.nix
index 18e13f6ac03..a01e34d7362 100644
--- a/nixos/modules/services/misc/matrix-synapse.nix
+++ b/nixos/modules/services/misc/matrix-synapse.nix
@@ -651,12 +651,16 @@ in {
services.postgresql.enable = mkIf usePostgresql (mkDefault true);
- systemd.services.matrix-synapse = {
+ systemd.services.matrix-synapse =
+ let
+ python = (pkgs.python3.withPackages (ps: with ps; [ (ps.toPythonModule cfg.package) ]));
+ in
+ {
description = "Synapse Matrix homeserver";
after = [ "network.target" "postgresql.service" ];
wantedBy = [ "multi-user.target" ];
preStart = ''
- ${cfg.package}/bin/homeserver \
+ ${python.interpreter} -m synapse.app.homeserver \
--config-path ${configFile} \
--keys-directory ${cfg.dataDir} \
--generate-keys
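Review bot: The new `python` let-binding and the `${python.interpreter} -m synapse.app.homeserver` invocation in preStart carry no explanation of why the `${cfg.package}/bin/homeserver` entry point went away, so the next maintainer may "simplify" this back. The reason is visible elsewhere in this commit (the deleted matrix-synapse.patch that used to add a `homeserver` wrapper script to the package), and a one-line comment above the `let` would pin it: `# cfg.package no longer ships a homeserver script; run the module through an interpreter that has synapse on its path`. Since `pkgs.python3.withPackages` is used rather than the interpreter cfg.package was built against, it is worth confirming the two resolve to the same python3 so `toPythonModule` does not mix interpreters, but I cannot tell that from the hunk. The same `python` binding is reused by the ExecStart hunk below.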
@@ -687,10 +691,11 @@ in {
WorkingDirectory = cfg.dataDir;
PermissionsStartOnly = true;
ExecStart = ''
- ${cfg.package}/bin/homeserver \
+ ${python.interpreter} -m synapse.app.homeserver \
${ concatMapStringsSep "\n " (x: "--config-path ${x} \\") ([ configFile ] ++ cfg.extraConfigFiles) }
--keys-directory ${cfg.dataDir}
'';
+ ExecReload = "${pkgs.utillinux}/bin/kill -HUP $MAINPID";
Restart = "on-failure";
};
};
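Review bot: The added `ExecReload = "${pkgs.utillinux}/bin/kill -HUP $MAINPID"` line says nothing about what the daemon does on SIGHUP, which is the information an operator needs before typing `systemctl reload`. Given the release note in this commit about 0.99 expecting a CA-issued certificate, the intent is presumably certificate rotation without a restart; if that is confirmed, a comment such as `# SIGHUP makes synapse re-read its TLS certificate/key from disk, so a renewed cert can be picked up with "systemctl reload" instead of a restart` would make the line self-explanatory. If SIGHUP does more than reload certificates in this version, name that in the comment instead.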
diff --git a/nixos/tests/matrix-synapse.nix b/nixos/tests/matrix-synapse.nix
index 8504a7c0d05..882e4b75814 100644
--- a/nixos/tests/matrix-synapse.nix
+++ b/nixos/tests/matrix-synapse.nix
@@ -1,4 +1,32 @@
-import ./make-test.nix ({ pkgs, ... } : {
+import ./make-test.nix ({ pkgs, ... } : let
+
+
+ runWithOpenSSL = file: cmd: pkgs.runCommand file {
+ buildInputs = [ pkgs.openssl ];
+ } cmd;
+
+
+ ca_key = runWithOpenSSL "ca-key.pem" "openssl genrsa -out $out 2048";
+ ca_pem = runWithOpenSSL "ca.pem" ''
+ openssl req \
+ -x509 -new -nodes -key ${ca_key} \
+ -days 10000 -out $out -subj "/CN=snakeoil-ca"
+ '';
+ key = runWithOpenSSL "matrix_key.pem" "openssl genrsa -out $out 2048";
+ csr = runWithOpenSSL "matrix.csr" ''
+ openssl req \
+ -new -key ${key} \
+ -out $out -subj "/CN=localhost" \
+ '';
+ cert = runWithOpenSSL "matrix_cert.pem" ''
+ openssl x509 \
+ -req -in ${csr} \
+ -CA ${ca_pem} -CAkey ${ca_key} \
+ -CAcreateserial -out $out \
+ -days 365
+ '';
+
+in {
name = "matrix-synapse";
meta = with pkgs.stdenv.lib.maintainers; {
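Review bot: The `ca_key` and `key` derivations place private keys in the Nix store, which is world-readable on the test VM; that is acceptable for a throwaway test CA but nothing in the hunk says so, and the `snakeoil-ca` CN is the only hint. A comment above `runWithOpenSSL` along the lines of `# Throwaway CA and server key for this VM test only; Nix-store paths are world-readable, so never reuse this pattern for real keys` would stop the block from being copied into a real configuration. Two smaller points: the `csr` derivation ends with a dangling `\` after `-subj "/CN=localhost"`, which is harmless but should be dropped, and the leaf certificate carries only a CN with no subjectAltName, so a curl/OpenSSL build that no longer falls back to CN matching would reject it; adding `subjectAltName=DNS:localhost` via an `-extfile` at the `openssl x509 -req` step keeps the test robust. The enclosing `let` is closed at `in {`, but the attrset it returns continues past this hunk.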
@@ -8,23 +36,31 @@ import ./make-test.nix ({ pkgs, ... } : {
nodes = {
# Since 0.33.0, matrix-synapse doesn't allow underscores in server names
serverpostgres = args: {
- services.matrix-synapse.enable = true;
- services.matrix-synapse.database_type = "psycopg2";
+ services.matrix-synapse = {
+ enable = true;
+ database_type = "psycopg2";
+ tls_certificate_path = "${cert}";
+ tls_private_key_path = "${key}";
+ };
};
serversqlite = args: {
- services.matrix-synapse.enable = true;
- services.matrix-synapse.database_type = "sqlite3";
+ services.matrix-synapse = {
+ enable = true;
+ database_type = "sqlite3";
+ tls_certificate_path = "${cert}";
+ tls_private_key_path = "${key}";
+ };
};
};
testScript = ''
startAll;
$serverpostgres->waitForUnit("matrix-synapse.service");
- $serverpostgres->waitUntilSucceeds("curl -Lk https://localhost:8448/");
+ $serverpostgres->waitUntilSucceeds("curl -L --cacert ${ca_pem} https://localhost:8448/");
$serverpostgres->requireActiveUnit("postgresql.service");
$serversqlite->waitForUnit("matrix-synapse.service");
- $serversqlite->waitUntilSucceeds("curl -Lk https://localhost:8448/");
+ $serversqlite->waitUntilSucceeds("curl -L --cacert ${ca_pem} https://localhost:8448/");
$serversqlite->mustSucceed("[ -e /var/lib/matrix-synapse/homeserver.db ]");
'';
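Review bot: Dropping `-k` in favour of `--cacert ${ca_pem}` on the two `curl` lines is the assertion that actually matters here, since it proves synapse serves the certificate from `tls_certificate_path` rather than a self-generated one, yet the script does not say so. A comment on the first curl line, `# no -k: the handshake must validate against the test CA, proving tls_certificate_path is honoured`, would keep someone from re-adding `-k` the next time the test is flaky. The duplicated `tls_certificate_path`/`tls_private_key_path` pairs in `serverpostgres` and `serversqlite` could be hoisted into one shared attrset next to the certificate bindings so the nodes differ only in `database_type`; that is a style preference, not a defect.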
diff --git a/pkgs/development/python-modules/pymacaroons-pynacl/default.nix b/pkgs/development/python-modules/pymacaroons-pynacl/default.nix
deleted file mode 100644
index 8bc644252c0..00000000000
--- a/pkgs/development/python-modules/pymacaroons-pynacl/default.nix
+++ /dev/null
@@ -1,24 +0,0 @@
-{ lib, buildPythonPackage, fetchFromGitHub, pynacl, six }:
-
-buildPythonPackage rec {
- pname = "pymacaroons-pynacl";
- version = "0.9.3";
-
- src = fetchFromGitHub {
- owner = "matrix-org";
- repo = "pymacaroons";
- rev = "v${version}";
- sha256 = "0bykjk01zdndp6gjr30x46blsn0cvxa7j0zh5g8raxwaawchjhii";
- };
-
- propagatedBuildInputs = [ pynacl six ];
-
- # Tests require an old version of hypothesis
- doCheck = false;
-
- meta = with lib; {
- description = "Macaroon library for Python";
- homepage = https://github.com/matrix-org/pymacaroons;
- license = licenses.mit;
- };
-}
diff --git a/pkgs/development/python-modules/pymacaroons/default.nix b/pkgs/development/python-modules/pymacaroons/default.nix
new file mode 100644
index 00000000000..96023c01e1e
--- /dev/null
+++ b/pkgs/development/python-modules/pymacaroons/default.nix
@@ -0,0 +1,25 @@
+{ lib, buildPythonPackage, fetchPypi, six, pynacl }:
+
+buildPythonPackage rec {
+ pname = "pymacaroons";
+ version = "0.13.0";
+
+ src = fetchPypi {
+ inherit pname version;
+ sha256 = "1e6bba42a5f66c245adf38a5a4006a99dcc06a0703786ea636098667d42903b8";
+ };
+
+ propagatedBuildInputs = [
+ six
+ pynacl
+ ];
+
+ # Tests require an old version of hypothesis
+ doCheck = false;
+
+ meta = with lib; {
+ description = "Macaroon library for Python";
+ homepage = https://github.com/ecordell/pymacaroons;
+ license = licenses.mit;
+ };
+}
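Review bot: The `doCheck = false` justification `Tests require an old version of hypothesis` is carried over verbatim from the deleted matrix-org fork package, but this derivation now builds upstream pymacaroons 0.13.0 from PyPI, so the claim may no longer hold; please re-check before shipping a dependency of the homeserver with its test suite disabled, and if it still fails, name the hypothesis version or upstream issue in the comment. Moving from a pinned git rev to a hash-pinned PyPI sdist is fine supply-chain-wise, but the switch of upstream (matrix-org fork to ecordell) is worth one sentence in the commit message. Separately, `homepage = https://github.com/ecordell/pymacaroons;` uses the unquoted URL literal that newer Nix deprecates; `homepage = "https://github.com/ecordell/pymacaroons";` is the preferred form.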
diff --git a/pkgs/servers/matrix-synapse/default.nix b/pkgs/servers/matrix-synapse/default.nix
index ee52b838aea..e2ee3e55afb 100644
--- a/pkgs/servers/matrix-synapse/default.nix
+++ b/pkgs/servers/matrix-synapse/default.nix
@@ -23,29 +23,24 @@ let
in buildPythonApplication rec {
pname = "matrix-synapse";
- version = "0.34.1.1";
+ version = "0.99.0";
src = fetchPypi {
inherit pname version;
- sha256 = "13jmbcabll3gk0b6yqwfwpc7aymqhpv6iririzskhm4pgbjcp3yk";
+ sha256 = "1xsp60172zvgyjgpjmzz90rj1din8d65ffg73nzid4nd875p45kh";
};
- patches = [
- ./matrix-synapse.patch
- ];
-
propagatedBuildInputs = [
bcrypt
bleach
canonicaljson
daemonize
- dateutil
frozendict
jinja2
jsonschema
lxml
matrix-synapse-ldap3
- msgpack-python
+ msgpack
netaddr
phonenumbers
pillow
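Review bot: Beyond the version and hash bump, this hunk silently drops `dateutil` and swaps `msgpack-python` for `msgpack`, and the next hunk drops `pydenticon` and replaces `pymacaroons-pynacl` with `pymacaroons`; nothing in the diff records that these follow upstream's declared dependencies for 0.99.0. A missing runtime dependency would only surface as an ImportError on a code path the VM test does not exercise, so a short comment or commit-message line such as `# dependency list synced with upstream python_dependencies for 0.99.0` (naming whatever file was actually consulted) would let a reviewer verify the list without rebuilding. The removal of `patches` is explained by the deleted matrix-synapse.patch elsewhere in this commit and needs no further comment here.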
@@ -59,8 +54,7 @@ in buildPythonApplication rec {
psutil
psycopg2
pyasn1
- pydenticon
- pymacaroons-pynacl
+ pymacaroons
pynacl
pyopenssl
pysaml2
diff --git a/pkgs/servers/matrix-synapse/matrix-synapse.patch b/pkgs/servers/matrix-synapse/matrix-synapse.patch
deleted file mode 100644
index 288e6ff1624..00000000000
--- a/pkgs/servers/matrix-synapse/matrix-synapse.patch
+++ /dev/null
@@ -1,20 +0,0 @@
-diff --git a/homeserver b/homeserver
-new file mode 120000
-index 0000000..2f1d413
---- /dev/null
-+++ b/homeserver
-@@ -0,0 +1,1 @@
-+synapse/app/homeserver.py
-\ No newline at end of file
-diff --git a/setup.py b/setup.py
-index b00c2af..c7f6e0a 100755
---- a/setup.py
-+++ b/setup.py
-@@ -92,6 +92,6 @@ setup(
- include_package_data=True,
- zip_safe=False,
- long_description=long_description,
-- scripts=["synctl"] + glob.glob("scripts/*"),
-+ scripts=["synctl", "homeserver"] + glob.glob("scripts/*"),
- cmdclass={'test': TestCommand},
- )
diff --git a/pkgs/top-level/python-packages.nix b/pkgs/top-level/python-packages.nix
index 5816754c03b..061674d31b2 100644
--- a/pkgs/top-level/python-packages.nix
+++ b/pkgs/top-level/python-packages.nix
@@ -4742,7 +4742,7 @@ in {
pygccxml = callPackage ../development/python-modules/pygccxml {};
- pymacaroons-pynacl = callPackage ../development/python-modules/pymacaroons-pynacl { };
+ pymacaroons = callPackage ../development/python-modules/pymacaroons { };
pynacl = callPackage ../development/python-modules/pynacl { };