While network.target only guarantees that network devices have been
created the `network-online.target` allows delaying service startup
until after a configurable network state has been reached.
This should resolve spurious failures, e.g. when synapse tries to load
the discovery information for its OIDC provider from a remote host.
While reviewing other changes related to synapse I rediscovered the
`lib.findFirst (...) (lib.last resources)` hack to find a listener
supporting the `client` resource. We decided to keep it that way for now
a while ago to avoid scope-creep on the RFC42 refactoring[1]. I wanted
to take care of that and forgot about it.
Anyways, I'm pretty sure that this is bogus: to register a user, you
need the `client` API and not a random listener which happens to be the
last one in the list. Also, you need something which serves the `client`
API to have the entire synapse<->messenger interaction working (whereas
`federation` is for synapse<->synapse).
So I decided to error out if no `client` listener is found. A listener
serving `client` can be defined in either the main synapse process or
one of its workers via `services.matrix-synapse.workers`[2].
However it's generally nicer to use assertions for that because then
it's possible to display multiple configuration errors at once and one
doesn't have to chase one `throw` after another. I decided to also error
out when using the result from `findFirst` though because module
assertions aren't thrown necessarily when you evaluate a single config
attribute, e.g. `config.environment.systemPackages` which depends on an
existing client listener because of `registerNewMatrixUser`[3].
While at it I realized that if `settings.instance_map` is wrongly
configured, e.g. by
settings.instance_map = mkForce {
/* no `main` in here */
}
an `attribute ... missing` error will be thrown while evaluating the
worker assertion.
[1] https://github.com/NixOS/nixpkgs/pull/158605#discussion_r815500487
[2] This also means that `registerNewMatrixUser` will still work if you
offload the entire `client` traffic to a worker.
[3] And getting a useful error message is way better for debugging in such a
case than `value is null while a set was expected`.
This should ensure systemd handles starting all services (main and
workers) in a single transaction, thus preserving unit orderings
defined through After= even when not restarting the target.
Actually, it's supposed to be `listOf (attrsOf str)` because each
list-item can match against multiple properties from `urlsplit`[1]. In
fact, `listOf str` breaks URL previews at runtime:
Sep 14 15:03:47 soost synapse[1100355]: synapse.http.server: [GET-116] Failed handle request via 'PreviewUrlResource': <XForwardedForRequest at 0x7f691bd5f730 method='GET' uri='/_matrix/media/r0/preview_url?url=<redacted>' clientproto='HTTP/1.1' site='8448'>
Traceback (most recent call last):
[...]
File "/nix/store/xk5yksbw09p6qwk0maq2cb2in3z6f4gn-matrix-synapse-1.91.2/lib/python3.10/site-packages/synapse/media/url_previewer.py", line 398, in _is_url_blocked
for attrib, pattern in entry.items():
AttributeError: 'str' object has no attribute 'items'
To make sure that people aren't confused when upgrading their configs, I
decided to work with `types.coercedTo` to "pretend" accepting the old
type signature, but then throwing an error explaining what to do (and
rejecting the broken configuration).
[1] https://docs.python.org/3/library/urllib.parse.html#urllib.parse.urlsplit
This implements proper merging of user-provided values and default
values for the settings option.
Without this, the user must provide a complete configuration file, as
changing a single setting replaces the entire JSON value, rendering the
default values completely useless. In fact, the bridge won't even start
using the default settings.
The DynamicUser mechanism does not allow share the bridge
registration.yaml file with matrix-synapse in any easy way:
1. the mautrix-whatsapp group under which the service runs is not in
/etc/group, so you can't add matrix-synapse to this.
This makes the group read bit on the file useless as the group is
effectively always empty.
2. It's not possible to use ACLs or copy the file during preStart or
postStart because the commands are executed with low priviledges.
By using a normal (static) user/group the secret can be shared with
synapse as follows:
services.matrix_synapse.settings.app_service_config_files =
[ "/var/lib/mautrix-whatsapp/whatsapp-registration.yaml" ];
users.users.matrix-synapse.extraGroups = [ "mautrix-whatsapp" ];
As suggested by @nickcao this commit moves the defaults back to the
options. Only `homeserver.domain` stays in the config section since the
documentation module does not support referencing attributes of other
modules.
When extending this module, it might be necessary to run something
from the package that's used in `matrix-synapse.service` (e.g. for
workers).
Now this can be trivially done by using
`config.services.matrix-synapse.package`. Previously it was necessary to
reuse the `PYTHONPATH` from the environment of `matrix-synapse.service`,
but that one doesn't exist anymore.
https://github.com/matrix-org/matrix-appservice-irc/releases/tag/1.0.0
* This release drops support for Node 16. The minimum required version is now 18+.
* Moved from NPM to Yarn
https://github.com/matrix-org/matrix-appservice-irc/releases/tag/1.0.1
* Fixes for GHSA-vc7j-h8xg-fv5x.
* Fixes for GHSA-3pmj-jqqp-2mj3.
* Fixes for GHSA-c7hh-3v6c-fj4q
* Update matrix-appservice-bridge to 9.0.1
while there was an effort to make this package with `mkYarnPackage`, in the end it
was suggested to just use `stdenv.mkDerivation` instead
nixos/matrix-appservice-irc:
* fix path to config.schema.yml directory stucture of the package changed
* use remarshal instead of python and pyyaml
to convert the config schema from yaml to json
Simplify the SystemcallFilter by employing an explicit allow list, and
an explicit block list.
Node since version 18 requires syscalls in the @pkey group.
Excluding @privileged and @resources is a recommendation in
systemd-analyze.
With this change we allow the user to configure extras, exposed as
optional-dependencies on the matrix-synapse package.
The vertical integration between package, user configuration and
deployment is a huge boon which then allows us to dynamically adapt the
python environment the service runs in, by inspecting the configuration
and autodiscovering certain used extras from config paths.
It appears that newer mautrix-facebook versions default to the appservice name `facebook`. This was breaking our registration and causing mautrix-facebook to fail to start. This changes the name back and makes the registration generated match whatever the setting in the app is.