author | Léo Gaspard <leo@gaspard.io> | 2019-02-07 17:12:04 +0100 |
---|---|---|
committer | Léo Gaspard <leo@gaspard.io> | 2019-02-07 17:12:04 +0100 |
commit | a59a9a7e603f1aa3a1d499dfbc58a6712a244c6c (patch) | |
tree | 062ef89016acc1cf230b4362790254bb8bb5a725 /nixos | |
parent | 6a0d2ff7c1d024914a3570b85f1c88df8930b471 (diff) | |
parent | e088eb34d93b0adcdfd46adf7eb7c35bcde346fc (diff) | |
Merge branch 'pr-55320'
* pr-55320: nixos/release-notes: mention breaking changes with matrix-synapse update nixos/matrix-synapse: reload service with SIGHUP nixos/tests/matrix-synapse: generate ca and certificates nixos/matrix-synapse: use python to launch synapse pythonPackages.pymacaroons-pynacl: remove unmaintained fork matrix-synapse: 0.34.1.1 -> 0.99.0 pythonPackages.pymacaroons: init at 0.13.0
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/doc/manual/release-notes/rl-1903.xml | 9 | ||||
-rw-r--r-- | nixos/modules/services/misc/matrix-synapse.nix | 11 | ||||
-rw-r--r-- | nixos/tests/matrix-synapse.nix | 50 |
3 files changed, 60 insertions, 10 deletions
diff --git a/nixos/doc/manual/release-notes/rl-1903.xml b/nixos/doc/manual/release-notes/rl-1903.xml
index d84e57333e9..daa47ad0595 100644
--- a/nixos/doc/manual/release-notes/rl-1903.xml
+++ b/nixos/doc/manual/release-notes/rl-1903.xml
@@ -378,6 +378,15 @@
 (<link xlink:href="https://github.com/NixOS/nixpkgs/pull/54637">#54637</link>)
 </para>
 </listitem>
+ <listitem>
+ <para>
+ <literal>matrix-synapse</literal> has been updated to version 0.99. It will
+ <link xlink:href="https://github.com/matrix-org/synapse/pull/4509">no longer generate a self-signed certificate on first launch</link>
+ and will be <link xlink:href="https://matrix.org/blog/2019/02/05/synapse-0-99-0/">the last version to accept self-signed certificates</link>.
+ As such, it is now recommended to use a proper certificate verified by a
+ root CA (for example Let's Encrypt).
+ </para>
+ </listitem>
 </itemizedlist>
 </section>
diff --git a/nixos/modules/services/misc/matrix-synapse.nix b/nixos/modules/services/misc/matrix-synapse.nix
index 18e13f6ac03..a01e34d7362 100644
--- a/nixos/modules/services/misc/matrix-synapse.nix
+++ b/nixos/modules/services/misc/matrix-synapse.nix
@@ -651,12 +651,16 @@ in {
 services.postgresql.enable = mkIf usePostgresql (mkDefault true);
- systemd.services.matrix-synapse = {
+ systemd.services.matrix-synapse =
+ let
+ python = (pkgs.python3.withPackages (ps: with ps; [ (ps.toPythonModule cfg.package) ]));
+ in
+ {
 description = "Synapse Matrix homeserver";
 after = [ "network.target" "postgresql.service" ];
 wantedBy = [ "multi-user.target" ];
 preStart = ''
- ${cfg.package}/bin/homeserver \
+ ${python.interpreter} -m synapse.app.homeserver \
 --config-path ${configFile} \
 --keys-directory ${cfg.dataDir} \
 --generate-keys
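Review bot: The new `python` binding in the `let` builds its environment from `pkgs.python3` rather than from the interpreter `cfg.package` was built against, so a `services.matrix-synapse.package` override built with a different Python version would be run on a mismatched `site-packages`. If the package carries the `pythonModule` passthru that `toPythonModule` sets, `python = cfg.package.pythonModule.withPackages (ps: [ cfg.package ]);` keeps interpreter and module in step; I have not checked whether the `matrix-synapse` derivation exposes it. The `let` also deserves a one-line comment on why synapse is launched through `-m synapse.app.homeserver` instead of `${cfg.package}/bin/homeserver`, since the commit message only says "use python to launch synapse" and a later reader will otherwise be tempted to revert it. The `preStart` script and the enclosing service attrset continue past the hunk.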
@@ -687,10 +691,11 @@ in {
 WorkingDirectory = cfg.dataDir;
 PermissionsStartOnly = true;
 ExecStart = ''
- ${cfg.package}/bin/homeserver \
+ ${python.interpreter} -m synapse.app.homeserver \
 ${ concatMapStringsSep "\n " (x: "--config-path ${x} \\") ([ configFile ] ++ cfg.extraConfigFiles) }
 --keys-directory ${cfg.dataDir}
 '';
+ ExecReload = "${pkgs.utillinux}/bin/kill -HUP $MAINPID";
 Restart = "on-failure";
 };
 };
diff --git a/nixos/tests/matrix-synapse.nix b/nixos/tests/matrix-synapse.nix
index 8504a7c0d05..882e4b75814 100644
--- a/nixos/tests/matrix-synapse.nix
+++ b/nixos/tests/matrix-synapse.nix
@@ -1,4 +1,32 @@
-import ./make-test.nix ({ pkgs, ... } : {
+import ./make-test.nix ({ pkgs, ... } : let
+
+ runWithOpenSSL = file: cmd: pkgs.runCommand file {
+ buildInputs = [ pkgs.openssl ];
+ } cmd;
+
+ ca_key = runWithOpenSSL "ca-key.pem" "openssl genrsa -out $out 2048";
+ ca_pem = runWithOpenSSL "ca.pem" ''
+ openssl req \
+ -x509 -new -nodes -key ${ca_key} \
+ -days 10000 -out $out -subj "/CN=snakeoil-ca"
+ '';
+ key = runWithOpenSSL "matrix_key.pem" "openssl genrsa -out $out 2048";
+ csr = runWithOpenSSL "matrix.csr" ''
+ openssl req \
+ -new -key ${key} \
+ -out $out -subj "/CN=localhost" \
+ '';
+ cert = runWithOpenSSL "matrix_cert.pem" ''
+ openssl x509 \
+ -req -in ${csr} \
+ -CA ${ca_pem} -CAkey ${ca_key} \
+ -CAcreateserial -out $out \
+ -days 365
+ '';
+
+in {
 name = "matrix-synapse";
 meta = with pkgs.stdenv.lib.maintainers; {
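Review bot: The new `ExecReload` line is undocumented, so `systemctl reload matrix-synapse` now succeeds regardless of what synapse actually does on SIGHUP; as far as I recall, 0.99 only re-reads its TLS certificate and key on that signal, and other config changes still need a restart. A comment such as `# SIGHUP makes synapse re-read its TLS certificate and key; other config changes still require a restart` above `ExecReload` would set operator expectations and should be checked against the synapse 0.99 changelog. `$MAINPID` needs no escaping inside the Nix double-quoted string, since only `${` is interpolated, so that part is fine as written.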
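Review bot: `openssl x509 -CAcreateserial` in `cert` writes its serial file next to the CA certificate, i.e. at the `${ca_pem}` store path with the extension replaced by `.srl`, which is inside the Nix store; whether that write succeeds depends on the builder being allowed to create files in its store directory, and where it does it leaves an unregistered file behind. Passing an explicit location, `-CAcreateserial -CAserial $TMPDIR/ca.srl -out $out \`, removes the dependency on store writability. The `csr` script also ends with a stray line continuation (`-out $out -subj "/CN=localhost" \` directly followed by the closing `''`), which the shell tolerates but reads like a lost argument. A header comment on `runWithOpenSSL` saying that these are test-only snakeoil credentials whose private keys live in the world-readable store would keep the helper from being lifted into a module unchanged.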
@@ -8,23 +36,31 @@ import ./make-test.nix ({ pkgs, ... } : {
 nodes = {
 # Since 0.33.0, matrix-synapse doesn't allow underscores in server names
 serverpostgres = args: {
- services.matrix-synapse.enable = true;
- services.matrix-synapse.database_type = "psycopg2";
+ services.matrix-synapse = {
+ enable = true;
+ database_type = "psycopg2";
+ tls_certificate_path = "${cert}";
+ tls_private_key_path = "${key}";
+ };
 };
 serversqlite = args: {
- services.matrix-synapse.enable = true;
- services.matrix-synapse.database_type = "sqlite3";
+ services.matrix-synapse = {
+ enable = true;
+ database_type = "sqlite3";
+ tls_certificate_path = "${cert}";
+ tls_private_key_path = "${key}";
+ };
 };
 };
 testScript = ''
 startAll;
 $serverpostgres->waitForUnit("matrix-synapse.service");
- $serverpostgres->waitUntilSucceeds("curl -Lk https://localhost:8448/");
+ $serverpostgres->waitUntilSucceeds("curl -L --cacert ${ca_pem} https://localhost:8448/");
 $serverpostgres->requireActiveUnit("postgresql.service");
 $serversqlite->waitForUnit("matrix-synapse.service");
- $serversqlite->waitUntilSucceeds("curl -Lk https://localhost:8448/");
+ $serversqlite->waitUntilSucceeds("curl -L --cacert ${ca_pem} https://localhost:8448/");
 $serversqlite->mustSucceed("[ -e /var/lib/matrix-synapse/homeserver.db ]");
 '';
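Review bot: The server certificate both nodes now point at carries only `CN=localhost` and no subjectAltName, and since the `curl` calls verify with `--cacert ${ca_pem}` instead of `-k`, hostname matching is now enforced; a TLS stack that no longer falls back to the CN would make these `waitUntilSucceeds` calls loop until the test times out, so adding a SAN for `localhost` when the certificate is generated would be more future-proof. On style, `serverpostgres` and `serversqlite` now repeat the same `services.matrix-synapse` block apart from `database_type`; a shared attrset in the outer `let`, e.g. `synapseCommon = { enable = true; tls_certificate_path = "${cert}"; tls_private_key_path = "${key}"; };` merged with `//`, would keep the two nodes in step. The test expression enclosing `nodes` starts outside this hunk.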