From 34a142fc2d67d21ac3c12e7a15dcd429bef33231 Mon Sep 17 00:00:00 2001 From: Moritz 'e1mo' Fromm Date: Tue, 7 Feb 2023 20:01:42 +0100 Subject: [PATCH 01/11] services/matrix: Setup --- hosts/goldberg/configuration.nix | 12 ++- packages/default.nix | 31 ++++++ services/matrix.nix | 159 +++++++++++++++++++++++++++++++ 3 files changed, 201 insertions(+), 1 deletion(-) create mode 100644 services/matrix.nix diff --git a/hosts/goldberg/configuration.nix b/hosts/goldberg/configuration.nix index 874d947..df29403 100644 --- a/hosts/goldberg/configuration.nix +++ b/hosts/goldberg/configuration.nix @@ -1,10 +1,11 @@ -{ lib, pkgs, baseDomain, ... }: { +{ lib, pkgs, config, ... }: { cj.deployment.environment = "dev"; imports = [ ./hardware-config.nix ../../services/mumble.nix ../../services/website.nix + ../../services/matrix.nix ../../services/vaultwarden.nix ../../services/dokuwiki.nix ../../services/freescout.nix @@ -32,4 +33,13 @@ registerPassword = lib.mkForce ""; environmentFile = lib.mkForce null; }; + + # This is specific to every host! + systemd.mounts = [{ + what = "/dev/disk/by-id/scsi-0HC_Volume_27793580"; + where = config.services.matrix-synapse.settings.media_store_path; + type = "ext4"; + options = "discard,nofail,defaults"; + wantedBy = [ "multi-user.target" ]; + }]; } diff --git a/packages/default.nix b/packages/default.nix index 2e475b0..c630964 100644 --- a/packages/default.nix +++ b/packages/default.nix 
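Review bot: The media-store mount added in the second goldberg hunk (`systemd.mounts`, `options = "discard,nofail,defaults"`) is a volume that will hold user-uploaded media, and it is mounted without `nosuid,nodev,noexec`; uploads never need to be executable, so I would mount it as `options = "discard,nofail,nosuid,nodev,noexec,defaults";`. The identical options line is copied into the shirley mount in PATCH 02 and the hamilton mount in PATCH 06, so the same change applies there. Note also that `nofail` combined with the `RequiresMountsFor` set on matrix-synapse in services/matrix.nix should mean a failed mount keeps the service from starting instead of failing the boot, which is probably intended but deserves a short comment next to `nofail`.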
@@ -145,4 +145,35 @@ final: prev: installPhase = "mkdir -p $out; cp -R * $out/"; }; }; + + pythonPackagesExtensions = prev.pythonPackagesExtensions ++ [( + pfinal: pprev: { + matrix-synapse-saml-mapper = pfinal.buildPythonPackage { + pname = "matrix-synapse-saml-mapper"; + version = "2020-09-21"; + + postPatch = '' + substituteInPlace setup.py \ + --replace "attr>=0.3.1" "attrs" + ''; + + src = final.fetchFromGitHub { + owner = "chaos-jetzt"; + repo = "matrix-synapse-saml-mapper"; + rev = "1aca2bfc73568a1a25d4e63a52b7a8ea9bdb7272"; + hash = "sha256-mieJ8ECYr0hiniMHSnEbQAi/W9x1lsAMqV12qHtql5E="; + leaveDotGit = true; + }; + + nativeBuildInputs = with pfinal; [ + setuptools-scm + final.git + ]; + propagatedBuildInputs = with pfinal; [ + pysaml2 + attrs + final.matrix-synapse + ]; + }; + })]; } diff --git a/services/matrix.nix b/services/matrix.nix new file mode 100644 index 0000000..c93793e --- /dev/null +++ b/services/matrix.nix 
@@ -0,0 +1,159 @@ +{ lib, config, pkgs, baseDomain, ... }: let + matrixPort = 8008; + isDev = (builtins.substring 0 3 baseDomain) == "dev"; + synapseDb = config.services.matrix-synapse.settings.database.args; + initSynapseDb = ''CREATE DATABASE "${synapseDb.database}" WITH OWNER "${synapseDb.user}" ENCODING "UTF8" TEMPLATE template0 LC_COLLATE = "C" LC_CTYPE = "C";''; +in { + sops.secrets = { + "coturn_static_auth_secret".owner = "turnserver"; + "synapse/signing_key" = { + owner = "matrix-synapse"; + path = config.services.matrix-synapse.settings.signing_key_path; + mode = "0600"; + }; + "synapse/secret_config".owner = "matrix-synapse"; + }; + + services.nginx.virtualHosts = { + "chat.${baseDomain}" = { + enableACME = true; + forceSSL = true; + + root = pkgs.element-web.override { + # Somewhat duplicate of the stuff in website.nix but I am + # not sure if we absolutely need to dedup this, just out of complexity perspective + conf.default_server_config."m.homeserver".base_url = "https://matrix.${baseDomain}/"; + }; + }; + "matrix.${baseDomain}" = { + enableACME = true; + forceSSL = true; + # It's also possible to do a redirect here or something else, this vhost is not + # needed for Matrix. It's recommended though to *not put* element + # here, see also the section about Element. + locations."/".extraConfig = '' + return 404; + ''; + # Forward all Matrix API calls to the synapse Matrix homeserver. A trailing slash + # *must not* be used here. + locations."/_matrix".proxyPass = "http://[::1]:${toString matrixPort}"; + # Forward requests for e.g. SSO and password-resets. 
+ locations."/_synapse/client".proxyPass = "http://[::1]:${toString matrixPort}"; + }; + }; + + services.postgresql = { + enable = true; + ensureUsers = [ + { name = synapseDb.user; } + ]; + }; + systemd.services.postgresql = { + postStart = '' + $PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = 'matrix-synapse'" | grep -q 1 || $PSQL -tAc '${initSynapseDb}' + ''; + }; + + security.acme.certs."turn.${baseDomain}" = { + group = "turnserver"; + reloadServices = [ "coturn.service" ]; + }; + services.coturn = let + sslDir = config.security.acme.certs."turn.${baseDomain}".directory; + in { + enable = true; + cert = "${sslDir}/fullchain.pem"; + pkey = "${sslDir}/key.pem"; + static-auth-secret-file = config.sops.secrets."coturn_static_auth_secret".path; + }; + + # TODO: Use media storage volume on prod + services.matrix-synapse = { + enable = true; + plugins = [ + pkgs.python3Packages.matrix-synapse-saml-mapper + ]; + settings = { + server_name = baseDomain; + public_baseurl = "https://matrix.${baseDomain}"; + allow_public_rooms_over_federation = true; + enable_registration = false; + database = { + name = "psycopg2"; + args.database = "matrix-synapse"; + }; + federation_ip_range_blacklist = [ + "127.0.0.0/8" + "10.0.0.0/8" + "172.16.0.0/12" + "192.168.0.0/16" + "100.64.0.0/10" + "169.254.0.0/16" + "::1/128" + "fe80::/64" + "fc00::/7" + ]; + + additional_resources."/_matrix/saml2/pick_username".module = "matrix_synapse_saml_mapper.pick_username_resource"; + admin_contact = "mailto:administration@chaos.jetzt"; + url_preview_enabled = true; + media_store_path = "/mnt/synapse_media_store"; + turn_uris = let + turn_base = "turn.${baseDomain}"; + ct = config.services.coturn; + port = builtins.toString ct.listening-port; + tlsPort = builtins.toString ct.tls-listening-port; + in [ + "turn:${turn_base}:${port}?transport=tcp" + "turn:${turn_base}:${port}?transport=udp" + "turns:${turn_base}:${tlsPort}?transport=tcp" + "turns:${turn_base}:${tlsPort}?transport=udp" + ]; + 
auto_join_rooms = builtins.map (v: "#${v}:${baseDomain}") [ "grosse_halle" "allgemein" ]; + autocreate_auto_join_rooms = true; + enable_metrics = false; + user_directory = { + enabled = true; + search_all_users = true; + }; + saml2_config = { + enabled = true; + sp_config.metadata.remote = [{ + url = "https://sso.chaos.jetzt/auth/realms/${if isDev then "dev" else "chaos-jetzt"}/protocol/saml/descriptor"; + }]; + user_mapping_provider.module = "matrix_synapse_saml_mapper.SamlMappingProvider"; + }; + password_config.enabled = false; + }; + extraConfigFiles = let + format = (pkgs.formats.yaml {}).generate; + in [ + # Contains turn_shared_secret, macaroon_secret_key, and form_secret + config.sops.secrets."synapse/secret_config".path + # For our saml sso stuff we need to have additional_ressouces, but they are not possible with the NixOS module listener + (format "additional_ressources.yaml" { + listeners = [{ + bind_addresses = [ "::1" "127.0.0.1" ]; + port = matrixPort; + type = "http"; + tls = false; + x_forwarded = true; + resources = [{ + names = [ "client" "federation" ]; + compress = false; + }]; + additional_resources."/_matrix/saml2/pick_username".module = "matrix_synapse_saml_mapper.pick_username_resource"; + }]; + }) + ]; + }; + + system.activationScripts."synapse-media-store-mnt".text = '' + mkdir -p ${lib.escapeShellArg config.services.matrix-synapse.settings.media_store_path} + chown matrix-synapse:matrix-synapse ${lib.escapeShellArg config.services.matrix-synapse.settings.media_store_path} + ''; + systemd.services.matrix-synapse = { + unitConfig.RequiresMountsFor = [ config.services.matrix-synapse.settings.media_store_path ]; + serviceConfig.ReadWritePaths = [ config.services.matrix-synapse.settings.media_store_path ]; + }; +} From 49f72f1b899a4bc286436fd81803a2de713ec04b Mon Sep 17 00:00:00 2001 
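Review bot: The database bootstrap in `systemd.services.postgresql.postStart` hardcodes the name in the existence check, `datname = 'matrix-synapse'`, while the `CREATE DATABASE` in `initSynapseDb` uses `${synapseDb.database}`; if the name in `settings.database.args` is ever changed, the check keeps succeeding and the new database is never created. Use the same variable in both places: `$PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = '${synapseDb.database}'" | grep -q 1 || $PSQL -tAc '${initSynapseDb}'`. Separately, the coturn block only sets cert, key and the static auth secret; Synapse's TURN guidance recommends also refusing relay to private and loopback peers (coturn `denied-peer-ip` for the RFC1918/loopback ranges plus `no-multicast-peers`) so the relay cannot be used to reach the hosts' internal addresses — I cannot tell from here whether the NixOS coturn module adds these, so please confirm and add them via `services.coturn.extraConfig` if not. Finally, `federation_ip_range_blacklist` has, as far as I know, been superseded by `ip_range_blacklist`, which covers more outbound request types; worth checking against the Synapse version pinned by the flake.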
From: Moritz 'e1mo' Fromm Date: Fri, 10 Feb 2023 00:47:54 +0100 Subject: [PATCH 02/11] Add matrix on shirley Secrets not yet added to not brick our matrix if we accidentally deploy --- hosts/shirley/configuration.nix | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/hosts/shirley/configuration.nix b/hosts/shirley/configuration.nix index 47bb276..b8bc2fd 100644 --- a/hosts/shirley/configuration.nix +++ b/hosts/shirley/configuration.nix @@ -1,4 +1,4 @@ -{ pkgs, baseDomain, ... }: { +{ pkgs, config, ... }: { cj.deployment.environment = "prod"; imports = [ @@ -6,6 +6,7 @@ ../../services/mumble.nix ../../services/website.nix ../../services/vaultwarden.nix + ../../services/matrix.nix ../../services/dokuwiki.nix ../../services/freescout.nix ../../services/hedgedoc.nix @@ -27,4 +28,13 @@ ipv6.addresses = [ { address = "2a01:4f8:c0c:83eb::1"; prefixLength = 64; } ]; }; }; + + # This is specific to every host! + systemd.mounts = [{ + what = "/dev/disk/by-id/scsi-0HC_Volume_7628580"; + where = config.services.matrix-synapse.settings.media_store_path; + type = "ext4"; + options = "discard,nofail,defaults"; + wantedBy = [ "multi-user.target" ]; + }]; } From b68e39dc87953a9a80b8dadd1284c2d716c7ab2f Mon Sep 17 00:00:00 2001 From: Moritz 'e1mo' Fromm Date: Wed, 7 Jun 2023 14:28:00 +0200 Subject: [PATCH 03/11] synapse: Add registration secret and reduce logging --- hosts/goldberg/configuration.nix | 2 +- hosts/shirley/configuration.nix | 2 +- secrets/goldberg/secrets.yaml | 7 +++--- secrets/shirley/secrets.yaml | 6 +++-- services/{matrix.nix => matrix/default.nix} | 3 +++ services/matrix/synapse-log_config.yaml | 27 +++++++++++++++++++++ 6 files changed, 40 insertions(+), 7 deletions(-) rename services/{matrix.nix => matrix/default.nix} (96%) create mode 100644 services/matrix/synapse-log_config.yaml diff --git a/hosts/goldberg/configuration.nix b/hosts/goldberg/configuration.nix index df29403..8770551 100644 --- a/hosts/goldberg/configuration.nix 
+++ b/hosts/goldberg/configuration.nix @@ -5,7 +5,7 @@ ./hardware-config.nix ../../services/mumble.nix ../../services/website.nix - ../../services/matrix.nix + ../../services/matrix ../../services/vaultwarden.nix ../../services/dokuwiki.nix ../../services/freescout.nix diff --git a/hosts/shirley/configuration.nix b/hosts/shirley/configuration.nix index b8bc2fd..a72dcda 100644 --- a/hosts/shirley/configuration.nix +++ b/hosts/shirley/configuration.nix @@ -6,7 +6,7 @@ ../../services/mumble.nix ../../services/website.nix ../../services/vaultwarden.nix - ../../services/matrix.nix + ../../services/matrix ../../services/dokuwiki.nix ../../services/freescout.nix ../../services/hedgedoc.nix diff --git a/secrets/goldberg/secrets.yaml b/secrets/goldberg/secrets.yaml index 332a6d0..83f4d18 100644 --- a/secrets/goldberg/secrets.yaml +++ b/secrets/goldberg/secrets.yaml 
@@ -1,6 +1,7 @@ coturn_static_auth_secret: ENC[AES256_GCM,data:OH5Qhl+hy1Afs2ARKOuXXSlMVy8LOr+q+hDeWMR8UKR1TKH5Cu4IkIp76T8Sep7Xih8OQyZOBScPaa9ftMUok7P0c5DNmV2xsQyVBy+dp0TokYBRqviFLouqZA+yOkm9nt7/Fx6qZ61cxh8PhnHrBHYR7R/7bxurPjRbXApKw6wwE33lzdCJ1bcA1oASZzYLz61ii9Ema0BqaWNsbvG3np+b86bKFnIgI7JSas07nUIKFTZEDtY/XtIQkEfWvyb5DyisPVEdt0w12ceuHrjFXZFnL/uPOUYnmT6U5Mrd5OBk1HUr2GqQp7wtWtquTL0L4niXCXnmX5tQCk0nb1YBWQ==,iv:/36tKe9d+I1eGFNyZrNtlgnrcguDYG4XegcWZCAGhS4=,tag:dlBd2I3OnD1y+tNL0WhnoQ==,type:str] synapse: signing_key: ENC[AES256_GCM,data:/wXjsAY30plaYptGL3SvS4JyP+UWgX7nzvMlMPepbLG5qplq1Ieo5qNTAugWIhtP8z3DkZBnIgTpOg==,iv:WwPs9XHkoHS70b+2oNjxgDdYsDZrudk/U3UgpTpLD2k=,tag:INce/W/Nxbvxz89AvIG2cg==,type:str] + registration_shared_secret: ENC[AES256_GCM,data:8mo0Dr06uGOZKDCAHo66VOsU/FC6Az1SjEJX2zLQRDEXQAI1DfjxscQO+m/EJZTAYZ2BgRyo0kCuD7bDpx/qMw==,iv:bV+VLsEwNYapYXcA33clf4CHmAvpmHrjSrWWGRR5nxg=,tag:GG+w1MU617UlTjIu5sC9WQ==,type:str] secret_config: ENC[AES256_GCM,data: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,iv:tQiBocxEJodi4A0iTpe9Z1sJCJSYI7wHBjOEx7Lhx5w=,tag:Kjx+9hJKnBTbw1flRNnE4w==,type:str] murmur: #ENC[AES256_GCM,data:ionYo3rz6G1ZhOmwBDleXPO7/reeF6tpgA==,iv:4iQ1FYTvxyyNaQDPxHErV0fevsnU5p55wT27nOwMStM=,tag:ynCgbQsvX5ow4+vc2Qz8MQ==,type:comment] 
@@ -9,7 +10,7 @@ dokuwiki: keycloak_key: ENC[AES256_GCM,data:/6+NWA==,iv:61M+OdGx3lCR3uFWmArpYUm9Q4L+pv656V8g257YMTw=,tag:fOESdHA6+bpMMDRbWRFn+A==,type:str] vaultwarden: env: ENC[AES256_GCM,data:mDqHHAjisl0din/q67+zH7NMKLXld9qC0Si6ZREhRStXr6HEFD/QwaGLN86AvUI7sHNf9l4nrgKOht7uXNJrkjuidGsFEEJWkuUOjBRnrtipNKV2YK7giPQXEhH7wTdGeaqxqi4sk90Oq/FoKi2vPkFyNWGOQ5vOXkKKXjjHnbyKIQkIRWya2Dy6IN0CXU8UK0OiQXY3kgEFOyJoqt4sx/HOScHNKkaLb8U+0rpfzxSVyP3oY4o/DFkE51bnd/CNKg3ZK4Ynp/5m7Rs=,iv:aWpDXSp6Ds7cfdw/vfM3I5wcHz0MytnhpIIWEa24LBE=,tag:5YZKo4ZCT57gji8iyBMAiQ==,type:str] -hedgedoc_env: ENC[AES256_GCM,data:MeMyjUNchdUm9gqt7hOZU0xvlZvbUWmgh2iiZjkmb20y9dGt083FbGLNuWLkWd8WFM93dETaOj9WD0mbRK11THXyV61rjrwpBkx2NjCFeHX/JjUe7MzxAhm/7Kn9IFl9As5B++SiD97QxEBpcG0AJDoluXqVpZSIHgG6W5FXSYDgZ+/V8dmfSplF5Nj2cseD5kI=,iv:7l8wNfi9HWc8Ep1Y9bUkdJo+2UQVkTfqW0J3pfPxpNg=,tag:xS+vD73r6rDmeeAB4bstww==,type:str] +hedgedoc_env: ENC[AES256_GCM,data:VHIzmq7P1pqS72HbRXRT3k7n6vyPkzkQFJdveseCAHnzdXlEF0lHr+Up7J6XhfhtQXO3ogV2jkGZpOMY0OuEvhLf2yGkBj3W0ZtG7Kx6Rdcbb5rG7Z6Vb1vpL/aT88QFd3VX23M+FPFyWeYKGOvGRuCela+mUX7jDs2W4jOrYOtEGe3+V08DcvtcCvE2L1NqeDQ=,iv:011/ZRdQlkFQ2TZpzQhfRf/OTawnHFQDockLGlOrkmc=,tag:Y66RIBtyjl5VSo23GU4sNg==,type:str] sops: kms: [] gcp_kms: [] 
@@ -25,8 +26,8 @@ sops: QjBmYlNYWlFoWHd0ZFJkWE0xMkpvZzQKJwKap35S2pWGNOtBHe931dRqAQAczbWv /BUEtl900F8YLQCB1/myV0Dk5X9XDlww1yrzw/La3gXANY93Ndu3MA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-07-24T14:30:13Z" - mac: ENC[AES256_GCM,data:UXYfO7Ezx6jhuElF4ncJ3qcm5e9S4dLnIJ6ieELzmwHZEAIf8HCeovJIuubv9UbQeXg3F+jQzUA7xP8cGcx4fh6WzaXZuq+i/GbF79HCbgtYb8KogC7C/nbi7aFgd6euM84txNpIFlBMmcOAaVAdO+9zM6AxaclPq0Am+I+eG2E=,iv:ObMNbl1fI0yFQraR56rxSxBzv++MMdNY6JOZtPqBl5U=,tag:Nu5GZqWutwWxxORWcfLlVQ==,type:str] + lastmodified: "2023-08-30T11:23:54Z" + mac: ENC[AES256_GCM,data:YG1Te+quE4eFadTJPyHPpJhVbs24bKtGCNS6VNvXK2fwUosd7GngprCIAfCKZ2Jzexjj+71zsfY72n/io952vK4bKoWDzFwE3cr1VJ0QQQ+BEoZjFJYEk4GOrmoEVzfIBqDEFpbOsA7VSvEawRrSeL2RqjHkaF/CNJWZfuH3tD8=,iv:M+t9Qn/Gl4oZwoSX72XeStPpVG3wAX7OKsk3vrJ9wto=,tag:/Tpy/92lUqLMqgIVkpBaFw==,type:str] pgp: - created_at: "2023-07-23T14:01:56Z" enc: |- diff --git a/secrets/shirley/secrets.yaml b/secrets/shirley/secrets.yaml index b8bb5a0..e590715 100644 --- a/secrets/shirley/secrets.yaml +++ b/secrets/shirley/secrets.yaml 
@@ -2,6 +2,8 @@ murmur: registry_password: ENC[AES256_GCM,data:jgMmirQNhwTQZMyfbbbJku9JDqxtuKepIIpbiloX0qnUnytu1vvjFkGZH5dag/e/EDHszqkALNlUZz7wdlxZn3QDDlv0rQITJtsp,iv:aLIPiHDGC4vNXfNgqR852/jbChv2uu5q0Yy9I4ej5ts=,tag:cy4rs+YCglNKEaq+3arfow==,type:str] dokuwiki: keycloak_key: ENC[AES256_GCM,data:gXCRVg==,iv:BqBPRnD8mIQ97MHfn/KESqe8ABXGaDXEIAGyYcbfXlI=,tag:KhgQX5N3MATmnqXnEIjzBQ==,type:str] +synapse: + registration_shared_secret: ENC[AES256_GCM,data:h6GwLIrOOvCGRpEHvXt8Kw4uFwOKN86qN/pjjobImnkz3H7J/7v3XIneHnRYRHsFRX0XB53iz6VKN+7b+zuMtg==,iv:kg5hpTQH+MTO7Ocblck0yhgsDiXJIme5OGpcaxERiVc=,tag:goRj0JtTLHnz56Ti8Sumgg==,type:str] vaultwarden: env: ENC[AES256_GCM,data:4zeSpiaJQ8v00EBHrS6IU/1KXCEP6EBpkMacW0mf3ygZxSfUL3oQ11sXOu24OOMnTpaZUPJ68rj1jSNgBoVQ7rLttpCHKy62ART2xi0PcSCpDCBLpBocPdpFydQzwFOrMAYpcS6SB/ijy2ZxvfzVQqykcqfLdwdZs3PCys15OSQT269FmFERT25pTW7d6zxE3eY2YhLf1Y+6MjYHffAEv8RqN35UWyAOh8dJU09lbEsUiBRwN3tNhQ0STOsShhxY/ogMZdAHQwvGjo0=,iv:yK9PBOURtOVBBPwuJSpARvb5eXUIhPypEbEYbX2PqRs=,tag:MG7fcBPMg9eMjtD5V+yjBw==,type:str] hedgedoc_env: ENC[AES256_GCM,data:M/UW8QjiiHU/YsSYsYnZbeA+SPAub53E1FAiSvRFTeQeR0d3+t0g0lfn9Wqcok541NjETs7LN4lCrYBR6cH4EqQ9581pj2Fi5KabypA/2DUNTaAjtCbA2RNM/M/1/ka5n8AFNgzXppb/yEQ2xqQfV7IN/d6ClJzfFi+3FoFa3wRwAajvkH+yP8rfTBkQFamQWTQ=,iv:6vOeJHkNnva92GCrhuIj3HtG6z50UBnxRGg97jv2/gk=,tag:eYN4q7/HL0BtPdYLlbaW+A==,type:str] 
@@ -20,8 +22,8 @@ sops: Z3FXczZaSUVLY2lCcWJaQklXNHBzczAKQev4noy5ValCq65BhvXl1weY2QNsTe6f f4SUmm5NGbTiGaghOLC1Cio3K8ibA0vszVyySNE1khkvcM7JewIXAQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-07-24T15:00:19Z" - mac: ENC[AES256_GCM,data:TqoMFF2XBc1iA/FnwgEwKdTKneHV6AvvPRVR+E7bkpqHQsxcl/wRLUzfQ5bg3YDviB/kB1KDuS25xQn/ztJKoBn7deWF0+9xz5npStQimNWuzgbTCIQS5hbqahgOejnnGVvJ/zms67ZOOG/Ek8W4eE8DUNMlUlNNIxGD8fkRwYI=,iv:FYW3K/QipSCrk0ZrxUhJANB5CBY4K5af4KhUf7GwuYU=,tag:HeLAe/yCZnDXqNHeUDpylQ==,type:str] + lastmodified: "2023-08-30T11:25:43Z" + mac: ENC[AES256_GCM,data:Yvd2DHOKJJr0hm/nt6nO8RgG4nMUtfBa5M1KPlQYjzul8UVNdX7WvgYwbMlERifiVVirAjCeB0DybvWBozpPcAhPcZ6+8AlUQg77wQt+PgqaVCXvFMBeGFqPNaCi1JPVDjKvAEC/A+mvUDL52JH0c2PCoRCl/W1WXq7TfXRjzis=,iv:k930uOJRCxddz86vCu16SiWHZXSiLD5htVnGd73aIZk=,tag:ouMgLZqZ/e35P1we1mCsVw==,type:str] pgp: - created_at: "2023-07-23T14:01:46Z" enc: |- diff --git a/services/matrix.nix b/services/matrix/default.nix similarity index 96% rename from services/matrix.nix rename to services/matrix/default.nix index c93793e..af4ed76 100644 --- a/services/matrix.nix +++ b/services/matrix/default.nix @@ -12,6 +12,7 @@ in { mode = "0600"; }; "synapse/secret_config".owner = "matrix-synapse"; + "synapse/registration_shared_secret".owner = "matrix-synapse"; }; services.nginx.virtualHosts = { @@ -78,6 +79,8 @@ in { public_baseurl = "https://matrix.${baseDomain}"; allow_public_rooms_over_federation = true; enable_registration = false; + registration_shared_secret_path = config.sops.secrets."synapse/registration_shared_secret".path; + log_config = ./synapse-log_config.yaml; database = { name = "psycopg2"; args.database = "matrix-synapse"; diff --git a/services/matrix/synapse-log_config.yaml b/services/matrix/synapse-log_config.yaml new file mode 100644 index 0000000..91707db --- /dev/null +++ b/services/matrix/synapse-log_config.yaml 
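Review bot: In the services/matrix/default.nix hunk, `registration_shared_secret_path` is added directly under `enable_registration = false;` without a comment, and the pair reads as contradictory: registration is closed for users, but whoever holds this secret can still create accounts, including admin accounts, through the shared-secret registration endpoint. I would annotate it, e.g. `# Registration stays closed for users; this secret only enables out-of-band account creation (register_new_matrix_user) and lets its holder create admin accounts, hence sops-managed and read from a path.` Reading it from a file owned by matrix-synapse rather than inlining it into `settings` keeps it out of the Nix store, which is the right call.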
@@ -0,0 +1,27 @@ +# Based on https://github.com/NixOS/nixpkgs/blob/nixos-unstable/nixos/modules/services/matrix/synapse-log_config.yaml +# Just with a log-level of notice +version: 1 + +# In systemd's journal, loglevel is implicitly stored, so let's omit it +# from the message text. +formatters: + journal_fmt: + format: '%(name)s: [%(request)s] %(message)s' + +filters: + context: + (): synapse.util.logcontext.LoggingContextFilter + request: "" + +handlers: + journal: + class: systemd.journal.JournalHandler + formatter: journal_fmt + filters: [context] + SYSLOG_IDENTIFIER: synapse + +root: + level: WARNING + handlers: [journal] + +disable_existing_loggers: False From 11b87685c3569dcb6d3e8abf052b3b1c97368848 Mon Sep 17 00:00:00 2001 From: Moritz 'e1mo' Fromm Date: Sat, 22 Jul 2023 22:19:28 +0200 Subject: [PATCH 04/11] Apply suggestions from code review --- services/matrix/default.nix | 29 +++++++++++++++---------- services/matrix/synapse-log_config.yaml | 2 +- 2 files changed, 18 insertions(+), 13 deletions(-) diff --git a/services/matrix/default.nix b/services/matrix/default.nix index af4ed76..46d20fb 100644 --- a/services/matrix/default.nix +++ b/services/matrix/default.nix @@ -23,7 +23,13 @@ in { root = pkgs.element-web.override { # Somewhat duplicate of the stuff in website.nix but I am # not sure if we absolutely need to dedup this, just out of complexity perspective - conf.default_server_config."m.homeserver".base_url = "https://matrix.${baseDomain}/"; + conf = { + default_server_config."m.homeserver" = { + base_url = "https://matrix.${baseDomain}/"; + server_name = baseDomain; + }; + default_country_code = "DE"; + }; }; }; "matrix.${baseDomain}" = { @@ -97,7 +103,6 @@ in { "fc00::/7" ]; - additional_resources."/_matrix/saml2/pick_username".module = "matrix_synapse_saml_mapper.pick_username_resource"; admin_contact = "mailto:administration@chaos.jetzt"; url_preview_enabled = true; media_store_path = "/mnt/synapse_media_store"; 
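Review bot: The `root` logger level of WARNING in the new synapse-log_config.yaml also drops Synapse's per-request access log lines, which are (as far as I can tell) emitted at INFO and are the main journal evidence when investigating failed logins, abusive clients or unexpected admin-API use. If the intent is only to silence the chatty modules, keep `root: level: WARNING` but add a `loggers:` section that raises the access logger back, e.g. `loggers: { synapse.access: { level: INFO } }` — I believe the request lines come from loggers under `synapse.access`, but please verify the name against the pinned Synapse. Whatever level is chosen, the header comment should state why it was picked so the trade-off is visible to whoever next needs the logs.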
@@ -136,16 +141,16 @@ in { # For our saml sso stuff we need to have additional_ressouces, but they are not possible with the NixOS module listener (format "additional_ressources.yaml" { listeners = [{ - bind_addresses = [ "::1" "127.0.0.1" ]; - port = matrixPort; - type = "http"; - tls = false; - x_forwarded = true; - resources = [{ - names = [ "client" "federation" ]; - compress = false; - }]; - additional_resources."/_matrix/saml2/pick_username".module = "matrix_synapse_saml_mapper.pick_username_resource"; + bind_addresses = [ "::1" "127.0.0.1" ]; + port = matrixPort; + type = "http"; + tls = false; + x_forwarded = true; + resources = [{ + names = [ "client" "federation" ]; + compress = false; + }]; + additional_resources."/_matrix/saml2/pick_username".module = "matrix_synapse_saml_mapper.pick_username_resource"; }]; }) ]; diff --git a/services/matrix/synapse-log_config.yaml b/services/matrix/synapse-log_config.yaml index 91707db..f72b7cf 100644 --- a/services/matrix/synapse-log_config.yaml +++ b/services/matrix/synapse-log_config.yaml @@ -1,5 +1,5 @@ # Based on https://github.com/NixOS/nixpkgs/blob/nixos-unstable/nixos/modules/services/matrix/synapse-log_config.yaml -# Just with a log-level of notice +# Just with a log-level of warning version: 1 # In systemd's journal, loglevel is implicitly stored, so let's omit it From 3e278c35862db9da12f314eed619274cda2b3865 Mon Sep 17 00:00:00 2001 From: Moritz 'e1mo' Fromm Date: Sat, 12 Aug 2023 12:59:22 +0200 Subject: [PATCH 05/11] matrix-synapse-saml-mapper: No more keepDotGit Since the .git folder can change often (it is not considered stable), it avoids random breakage if we just fix the version for setuptools_scm in place. --- packages/default.nix | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/packages/default.nix b/packages/default.nix index c630964..001abbf 100644 --- a/packages/default.nix +++ b/packages/default.nix 
@@ -148,9 +148,10 @@ final: prev: pythonPackagesExtensions = prev.pythonPackagesExtensions ++ [( pfinal: pprev: { - matrix-synapse-saml-mapper = pfinal.buildPythonPackage { + matrix-synapse-saml-mapper = pfinal.buildPythonPackage rec { pname = "matrix-synapse-saml-mapper"; version = "2020-09-21"; + SETUPTOOLS_SCM_PRETEND_VERSION = "0.1+chaos.jetzt.${builtins.substring 0 6 src.rev}.d${builtins.replaceStrings ["-"] [""] version}"; postPatch = '' substituteInPlace setup.py \ @@ -161,13 +162,11 @@ final: prev: owner = "chaos-jetzt"; repo = "matrix-synapse-saml-mapper"; rev = "1aca2bfc73568a1a25d4e63a52b7a8ea9bdb7272"; - hash = "sha256-mieJ8ECYr0hiniMHSnEbQAi/W9x1lsAMqV12qHtql5E="; - leaveDotGit = true; + hash = "sha256-s2AQ92VQOXg7lxjWZKsM5h+4IWnsnLRbOC2mAmr1nZo="; }; nativeBuildInputs = with pfinal; [ setuptools-scm - final.git ]; propagatedBuildInputs = with pfinal; [ pysaml2 From 30160567685922dd00365f686e51efa9149e9063 Mon Sep 17 00:00:00 2001 From: Moritz 'e1mo' Fromm Date: Sun, 13 Aug 2023 12:31:14 +0200 Subject: [PATCH 06/11] Move prod matrix from shirley to hamilton --- hosts/hamilton/configuration.nix | 12 +++++++++++- hosts/shirley/configuration.nix | 10 ---------- secrets/hamilton/secrets.yaml | 7 ++++--- 3 files changed, 15 insertions(+), 14 deletions(-) diff --git a/hosts/hamilton/configuration.nix b/hosts/hamilton/configuration.nix index 6116e66..d0dfd65 100644 --- a/hosts/hamilton/configuration.nix +++ b/hosts/hamilton/configuration.nix @@ -1,8 +1,9 @@ -{ pkgs, baseDomain, ... }: { +{ pkgs, baseDomain, config, ... }: { cj.deployment.environment = "prod"; imports = [ ./hardware-config.nix + ../../services/matrix ]; system.stateVersion = "23.05"; 
@@ -28,4 +29,13 @@ ipv6.addresses = [ { address = "2a01:4f8:1c1e:b564::1"; prefixLength = 64; } ]; }; }; + + # This is specific to every host! + systemd.mounts = [{ + what = "/dev/disk/by-id/scsi-0HC_Volume_7628580"; + where = config.services.matrix-synapse.settings.media_store_path; + type = "ext4"; + options = "discard,nofail,defaults"; + wantedBy = [ "multi-user.target" ]; + }]; } diff --git a/hosts/shirley/configuration.nix b/hosts/shirley/configuration.nix index a72dcda..e54f044 100644 --- a/hosts/shirley/configuration.nix +++ b/hosts/shirley/configuration.nix @@ -6,7 +6,6 @@ ../../services/mumble.nix ../../services/website.nix ../../services/vaultwarden.nix - ../../services/matrix ../../services/dokuwiki.nix ../../services/freescout.nix ../../services/hedgedoc.nix @@ -28,13 +27,4 @@ ipv6.addresses = [ { address = "2a01:4f8:c0c:83eb::1"; prefixLength = 64; } ]; }; }; - - # This is specific to every host! - systemd.mounts = [{ - what = "/dev/disk/by-id/scsi-0HC_Volume_7628580"; - where = config.services.matrix-synapse.settings.media_store_path; - type = "ext4"; - options = "discard,nofail,defaults"; - wantedBy = [ "multi-user.target" ]; - }]; } diff --git a/secrets/hamilton/secrets.yaml b/secrets/hamilton/secrets.yaml index 07c129a..d364e24 100644 --- a/secrets/hamilton/secrets.yaml +++ b/secrets/hamilton/secrets.yaml @@ -1,4 +1,5 @@ -placeholder: ENC[AES256_GCM,data:rzHtxg==,iv:cCQcC7FZJkGC1YIKNdqiTU+7W6YJ8hJlwT5XwdTyu/k=,tag:AfZlrP54Yh6U8l7bwCT3Bg==,type:bool] +synapse: + registration_shared_secret: ENC[AES256_GCM,data:3mcyn8+8bfRQTJf8a6CwfO/v10W1PvM3D6POq52BV49N1KVBSs27aGq6YZFzR0H9vF5qUGXGRzk+zdNk+GK0Lw==,iv:54ZI2SGGXOQstRU0C89sJlWluC0XnxNLqrjt/ad0MzQ=,tag:gD9h+nIOz049GlaRjgX5Aw==,type:str] sops: kms: [] gcp_kms: [] 
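Review bot: The `what` of hamilton's new media-store mount, `/dev/disk/by-id/scsi-0HC_Volume_7628580`, is the exact id that the shirley hunk in this same commit removes. If the volume was re-attached to hamilton that is correct, but if the block was copied over by mistake the `nofail` option means boot proceeds and matrix-synapse simply never starts (it has `RequiresMountsFor` on this path), with the real cause visible only in the mount unit's status. A comment naming the volume, or a check of the mount unit after the first deploy, would make this deliberate; the surrounding `# This is specific to every host!` comment suggests it should not match another host's id unless the disk moved.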
@@ -14,8 +15,8 @@ sops: aWQ2QW05a1lrbTZZci9VMldpVzNCZFkKCJwEd5TkZaIb2M1E149/NEUB1E5E8gLu YSDnb7eKfx8auWCEVCMiHx6POdpVvwxKnxUWHEnUBIMHhx+Y1MSclg== -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-08-12T08:45:36Z" - mac: ENC[AES256_GCM,data:pjGhTGsY7I7AF2Pd2fINT0PzJOWSF6TvE26NTC6xNwJ2fnL+opANJnLkdRpZFw7rXVqGdjvZmtYV/Z4MZTH3n5NRM9cg/sQ1kRLS6LIgGFd0xqxhCE26gArquOSqbWb7BU9vyq9A4XFqi9Jx0yjP9+ywYOjrIuVN7OHDyWsN4sU=,iv:3nSB6qNHq9HRa1YCHDGRopiArXPWob10/ON8Y7rMeKc=,tag:2FElWlRUskM+Z/DlfeAs1w==,type:str] + lastmodified: "2023-08-13T10:27:18Z" + mac: ENC[AES256_GCM,data:BL1UtpKeieAGoexQsOPqoIasANvWjsy+7AaPCeKwev3CUWtPXwwMfsmtkPlQMggEpf5iUjNH74GJBMKKU9SKWhUwxGY7ph5VVYsF0uHlsToKNBK7H8wjtu1Bm8XqRkku/cqCu8/X5ixYx9y3hdKy7UNd8gMHJOkEriA+8J/zZrE=,iv:dE7q8JkxqdnlQcYmwj404mSWLqupxBIiQzIZSAibI+U=,tag:hj2/LhROne6S7YQ4xBMKyA==,type:str] pgp: - created_at: "2023-08-12T09:39:58Z" enc: |- From 1f168fe64615a31de49e5b0699bdb2aa35327484 Mon Sep 17 00:00:00 2001 From: Moritz 'e1mo' Fromm Date: Thu, 31 Aug 2023 22:03:18 +0200 Subject: [PATCH 07/11] Add missing matrix secrets to hamilton --- secrets/hamilton/secrets.yaml | 7 +++++-- services/matrix/default.nix | 8 +++++++- 2 files changed, 12 insertions(+), 3 deletions(-) diff --git a/secrets/hamilton/secrets.yaml b/secrets/hamilton/secrets.yaml index d364e24..f396dc4 100644 --- a/secrets/hamilton/secrets.yaml +++ b/secrets/hamilton/secrets.yaml 
@@ -1,5 +1,8 @@ +coturn_static_auth_secret: ENC[AES256_GCM,data:7m7ymyb7hgN0H4KVujlr8NdkrzanQuOq1nl+ggtqvMxFauBoBLzKDMAOtH19uG7g3phkSGp9QlqD8cStlh0dE5FOiw0UN531Y6zFrZ0+wLgg0IKnqm6fmCjjKec/qsh59wRuE2BOIo1Lb74iRcP2CPPERQHrT5acRiC6SfSOZG8=,iv:KgaxzZWM7bWM+wiUrj7OzFV64JJlmep1EFrVlo0sd1Q=,tag:s7R5P2zWSKyDOOUlC4TTGw==,type:str] synapse: + signing_key: ENC[AES256_GCM,data:WLdNVbGn772vuO9avavFvaHDlq5F1Pl2oxPlkIQC/pK9Q9GmFA2oxUy2QUPdrTfhlL6gJkjwO1JOiA==,iv:IcUQqTeJkASHTa++gXcWBzRP86Em4gm/1N/leMtFvRc=,tag:1zHAh64W/PDWa6BvhowS6w==,type:str] registration_shared_secret: ENC[AES256_GCM,data:3mcyn8+8bfRQTJf8a6CwfO/v10W1PvM3D6POq52BV49N1KVBSs27aGq6YZFzR0H9vF5qUGXGRzk+zdNk+GK0Lw==,iv:54ZI2SGGXOQstRU0C89sJlWluC0XnxNLqrjt/ad0MzQ=,tag:gD9h+nIOz049GlaRjgX5Aw==,type:str] + secret_config: ENC[AES256_GCM,data:2NYKCQxZn2S5HP6h01epylIryfFVdPdm8Mew7b3eDnfrCmJcIS//OGlYaUM76Q574V5LHg86CXDBM1pgl38oxjT7MM1GMYXiYL7ancKUivUnvfcRBYi1ZF+oCJMEwmnx6FuElU3qQ82NnJgv1rSP9mJTkGt+02LTTZR3f/UdvBohmDUYk9jhzRhdX/I9wFR1JV8Dk1PcQ4ysLrCfL0lKvvGdBE3E2C5eRrFSjWAn+ezFYP23KfyNtpDHuKW7TEzlrpZrS1yPsQ9D3tt6K1bypuJX+7zpMpXP443dxs/ZAalL2yyodQysJ3/Sb5kQQXWudEnsXP72Biw26tUVgX6o8iZ9yJEmuZDhAk3PGSmuBeohYnxk8fKIkieIDTM14GEPvEaI,iv:Xemjx/o4v9QlbbI/ZLFnT9F14xTlJ0zDP4hnVvho3wc=,tag:PoE0dVAoU2twuWUqNSUPmg==,type:str] sops: kms: [] gcp_kms: [] 
@@ -15,8 +18,8 @@ sops: aWQ2QW05a1lrbTZZci9VMldpVzNCZFkKCJwEd5TkZaIb2M1E149/NEUB1E5E8gLu YSDnb7eKfx8auWCEVCMiHx6POdpVvwxKnxUWHEnUBIMHhx+Y1MSclg== -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-08-13T10:27:18Z" - mac: ENC[AES256_GCM,data:BL1UtpKeieAGoexQsOPqoIasANvWjsy+7AaPCeKwev3CUWtPXwwMfsmtkPlQMggEpf5iUjNH74GJBMKKU9SKWhUwxGY7ph5VVYsF0uHlsToKNBK7H8wjtu1Bm8XqRkku/cqCu8/X5ixYx9y3hdKy7UNd8gMHJOkEriA+8J/zZrE=,iv:dE7q8JkxqdnlQcYmwj404mSWLqupxBIiQzIZSAibI+U=,tag:hj2/LhROne6S7YQ4xBMKyA==,type:str] + lastmodified: "2023-08-31T18:55:28Z" + mac: ENC[AES256_GCM,data:Jfqd39+c22Zaib+98DgSku612aU6vhmccurPtV7nQ59dg8/C4vDQ13lfxljzlk8Xe9Lc56qfvhjpdGpDuGH1EB6OFoOvdYRWvn+GofCMRV/ss+BY4LEStMH3cWBerJSC9aUu7ULqqGuzMzfWbXOBVtR5OhqVcD6SRvMufbwoGa0=,iv:FqlSyXQIKPDC3qnsT9ljB2L2ZjRNDelr5RhIUDLW738=,tag:l5qU7y6znrA1p1GB1sQ3MQ==,type:str] pgp: - created_at: "2023-08-12T09:39:58Z" enc: |- diff --git a/services/matrix/default.nix b/services/matrix/default.nix index 46d20fb..7261c1d 100644 --- a/services/matrix/default.nix +++ b/services/matrix/default.nix @@ -46,6 +46,12 @@ in { locations."/_matrix".proxyPass = "http://[::1]:${toString matrixPort}"; # Forward requests for e.g. SSO and password-resets. locations."/_synapse/client".proxyPass = "http://[::1]:${toString matrixPort}"; + # # Allow public access to the synapse admin API + # # The docs advise against leaving this open to just everyone. That's why this currently is commented out + # # if admin things need to be done, it's required to SSH to the server and then direct all admin requests to + # # localhost:8008/_synapse/admin + # # Leaving that in here for when I (e1mo) wonder why calls to the admin API don't work in the future + # locations."/_synapse/admin".proxyPass = "http://[::1]:${toString matrixPort}"; }; }; @@ -102,7 +108,7 @@ in { "fe80::/64" "fc00::/7" ]; - + admin_contact = "mailto:administration@chaos.jetzt"; url_preview_enabled = true; media_store_path = "/mnt/synapse_media_store"; 
From 9c44d7d0fe5827f656486fb3004ad87f9800dd5d Mon Sep 17 00:00:00 2001 From: Moritz 'e1mo' Fromm Date: Thu, 31 Aug 2023 22:03:41 +0200 Subject: [PATCH 08/11] Fix monitoring firewall rules for hamilton Only relevant until #29 is merged --- services/monitoring/default.nix | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/services/monitoring/default.nix b/services/monitoring/default.nix index 464d0ed..178aa69 100644 --- a/services/monitoring/default.nix +++ b/services/monitoring/default.nix @@ -8,6 +8,11 @@ inherit (lib) escapeRegex; inherit (config.networking) fqdn hostName; + # Absolute hack until https://github.com/chaos-jetzt/chaos-jetzt-nixfiles/pull/29 is merged + # But needed for us to have a working monitoring on our main matrix server (kinda important) + # FIXME: Remove when #29 is merged + monIf = if config.networking.hostName == "hamilton" then "enp7s0" else "ens10"; + # Basically a manual list of (legacy) hosts not yet migrated to NixOS # but on which we'd like to have included in the monitoring. externalTargets = let @@ -124,7 +129,7 @@ in { ]; }; - networking.firewall.interfaces.ens10.allowedTCPPorts = let + networking.firewall.interfaces.${monIf}.allowedTCPPorts = let inherit (config.services) prometheus; ifEnabled = x: lib.optional x.enable x.port; in ( From c054a81b1ca22472beaac40a6a47262e685b4dda Mon Sep 17 00:00:00 2001 From: Moritz 'e1mo' Fromm Date: Thu, 31 Aug 2023 22:12:19 +0200 Subject: [PATCH 09/11] matrix: Fix login redirect loop Maybe/probably a problem with the hostname / IP snypase detected for the request. --- services/matrix/default.nix | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/services/matrix/default.nix b/services/matrix/default.nix index 7261c1d..4a351ff 100644 --- a/services/matrix/default.nix +++ b/services/matrix/default.nix 
@@ -43,9 +43,15 @@ in { ''; # Forward all Matrix API calls to the synapse Matrix homeserver. A trailing slash # *must not* be used here. - locations."/_matrix".proxyPass = "http://[::1]:${toString matrixPort}"; + locations."/_matrix" = { + proxyPass = "http://[::1]:${toString matrixPort}"; + recommendedProxySettings = true; + }; # Forward requests for e.g. SSO and password-resets. - locations."/_synapse/client".proxyPass = "http://[::1]:${toString matrixPort}"; + locations."/_synapse/client" = { + proxyPass = "http://[::1]:${toString matrixPort}"; + recommendedProxySettings = true; + }; # # Allow public access to the synapse admin API # # The docs advise against leaving this open to just everyone. That's why this currently is commented out # # if admin things need to be done, it's required to SSH to the server and then direct all admin requests to From 2ba5a98d16bf96c2b95d10bb050dcca4dddcf0da Mon Sep 17 00:00:00 2001 From: Moritz 'e1mo' Fromm Date: Thu, 31 Aug 2023 22:57:04 +0200 Subject: [PATCH 10/11] flake update: Use fixes from improved synapse packaging Close #27 --- flake.lock | 32 ++++++++++++++++---------------- packages/default.nix | 2 +- 2 files changed, 17 insertions(+), 17 deletions(-) diff --git a/flake.lock b/flake.lock index 61d77ce..b65f44b 100644 --- a/flake.lock +++ b/flake.lock @@ -5,11 +5,11 @@ "systems": "systems" }, "locked": { - "lastModified": 1689068808, - "narHash": "sha256-6ixXo3wt24N/melDWjq70UuHQLxGV8jZvooRanIHXw0=", + "lastModified": 1692799911, + "narHash": "sha256-3eihraek4qL744EvQXsK1Ha6C3CR7nnT8X2qWap4RNk=", "owner": "numtide", "repo": "flake-utils", - "rev": "919d646de7be200f3bf08cb76ae1f09402b6f9b4", + "rev": "f9e7cf818399d17d347f847525c5a5a8032e4e44", "type": "github" }, "original": { 
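Review bot: With `recommendedProxySettings = true` nginx now forwards `X-Forwarded-For`/`X-Forwarded-Proto`, and Synapse trusts them because the listener in additional_ressources.yaml has `x_forwarded = true`; that is only safe because the listener binds `::1`/`127.0.0.1`, so a one-line comment on the listener saying the two settings depend on each other would stop someone widening the bind address later. A second thing I cannot verify from the hunk: neither location sets a request-body limit, and Synapse's `max_upload_size` default is, as far as I know, larger than the NixOS nginx default for `services.nginx.clientMaxBodySize`, so larger media uploads would be rejected by nginx with 413 before reaching Synapse; if so, set `services.nginx.clientMaxBodySize` (or the location's `extraConfig`) to match the Synapse limit. The enclosing vhost definition starts outside the hunk.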
@@ -27,11 +27,11 @@ ] }, "locked": { - "lastModified": 1686137513, - "narHash": "sha256-u30JB/KsBjF4xWAz4iswdKIAmVGtkahD+VV7sywYCBA=", + "lastModified": 1692954414, + "narHash": "sha256-rl1g3aGG0Nlmae7DCGqvOe+yQAcqTGUxehcMAk6usWQ=", "ref": "main", - "rev": "61db764a7ed44159c1ade3cd9bf9c068de0bdeb8", - "revCount": 20, + "rev": "1594009c5040acd2d0c6b8700ca2cc64808041c4", + "revCount": 23, "type": "git", "url": "https://cyberchaos.dev/e1mo/freescout-nix-flake" }, @@ -43,11 +43,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1689940971, - "narHash": "sha256-397xShPnFqPC59Bmpo3lS+/Aw0yoDRMACGo1+h2VJMo=", + "lastModified": 1693377291, + "narHash": "sha256-vYGY9bnqEeIncNarDZYhm6KdLKgXMS+HA2mTRaWEc80=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "9ca785644d067445a4aa749902b29ccef61f7476", + "rev": "e7f38be3775bab9659575f192ece011c033655f0", "type": "github" }, "original": { @@ -59,11 +59,11 @@ }, "nixpkgs-stable": { "locked": { - "lastModified": 1689473667, - "narHash": "sha256-41ePf1ylHMTogSPAiufqvBbBos+gtB6zjQlYFSEKFMM=", + "lastModified": 1693097136, + "narHash": "sha256-fBZSMdBaoZ0INFbyZ5s0DOF7zDNcLsLxgkwdDh3l9Pc=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "13231eccfa1da771afa5c0807fdd73e05a1ec4e6", + "rev": "9117c4e9dc117a6cd0319cca40f2349ed333669d", "type": "github" }, "original": { @@ -89,11 +89,11 @@ "nixpkgs-stable": "nixpkgs-stable" }, "locked": { - "lastModified": 1689534977, - "narHash": "sha256-EB4hasmjKgetTR0My2bS5AwELZFIQ4zANLqHKi7aVXg=", + "lastModified": 1693404499, + "narHash": "sha256-cx/7yvM/AP+o/3wPJmA9W9F+WHemJk5t+Xcr+Qwkqhg=", "owner": "Mic92", "repo": "sops-nix", - "rev": "bd695cc4d0a5e1bead703cc1bec5fa3094820a81", + "rev": "d9c5dc41c4b1f74c77f0dbffd0f3a4ebde447b7a", "type": "github" }, "original": { diff --git a/packages/default.nix b/packages/default.nix index 001abbf..a0388d7 100644 --- a/packages/default.nix +++ b/packages/default.nix 
@@ -171,7 +171,7 @@ final: prev: propagatedBuildInputs = with pfinal; [ pysaml2 attrs - final.matrix-synapse + final.matrix-synapse-unwrapped ]; }; })]; From dcc1f00006e5049c19d936bc2070c8c562a8363f Mon Sep 17 00:00:00 2001 From: Moritz 'e1mo' Fromm Date: Fri, 1 Sep 2023 00:13:49 +0200 Subject: [PATCH 11/11] matrix-synapse-saml-mapper: Hotfix missing res dir --- packages/default.nix | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/packages/default.nix b/packages/default.nix index a0388d7..6b967fd 100644 --- a/packages/default.nix +++ b/packages/default.nix @@ -165,6 +165,14 @@ final: prev: hash = "sha256-s2AQ92VQOXg7lxjWZKsM5h+4IWnsnLRbOC2mAmr1nZo="; }; + # This is absolutely ugly and not nice + # In theory python should pick up the res as data files (manual bdist_wheel does manage to do so) + # but somehow this isn't the case with buildPythonPackage + # FIXME: Make this something more robus and "propper" + postInstall = '' + cp -ar $src/matrix_synapse_saml_mapper/res $out/lib/python*/site-packages/*/ + ''; + nativeBuildInputs = with pfinal; [ setuptools-scm ];
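Review bot: In the PATCH 11 hunk, `cp -ar $src/matrix_synapse_saml_mapper/res $out/lib/python*/site-packages/*/` relies on the trailing `*/` glob expanding to exactly one directory; a wheel install normally also leaves a `<name>.dist-info/` directory beside the package, and with two matches `cp` treats everything but the last argument as a source, so `res` (and possibly the package directory itself) would land in the wrong place. Name the destination explicitly: `cp -ar $src/matrix_synapse_saml_mapper/res $out/lib/python*/site-packages/matrix_synapse_saml_mapper/`. The FIXME could also record the likely root cause to check next: `res` is probably not declared as package data in the upstream setup.py, which is why setuptools does not install it; fixing that upstream would make this copy unnecessary.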